@better-openclaw/core 1.0.25 → 1.0.26

package/src/generators/skills.ts

@@ -535,6 +535,148 @@ curl -X POST http://{{STEEL_HOST}}:{{STEEL_PORT}}/v1/scrape \\
 - Proxy support and IP rotation
 - Auto CAPTCHA solving
 - Puppeteer/Playwright/Selenium compatible
+`,
+
+	"code-sandbox": `---
+name: code-sandbox
+description: "Execute code safely in an isolated OpenSandbox container"
+metadata:
+  openclaw:
+    emoji: "📦"
+---
+
+# Code Sandbox
+
+Execute code safely in an isolated OpenSandbox container.
+
+## Description
+
+This skill provides secure, containerized code execution for AI agents. Code runs in ephemeral Docker containers with resource limits, network isolation, and automatic cleanup.
+
+## Connection Details
+
+- **Host:** \`{{OPENSANDBOX_HOST}}\`
+- **Port:** \`{{OPENSANDBOX_PORT}}\`
+- **Auth:** API key (auto-configured)
+
+## Supported Languages
+
+- Python 3.12
+- JavaScript / TypeScript (Node.js 22)
+- Java 21
+- Go 1.24
+- Bash
+
+## Available Actions
+
+### execute_code
+
+Run a code snippet in a fresh sandbox.
+
+**Parameters:**
+- \`language\` (required): Programming language ("python", "javascript", "typescript", "java", "go", "bash")
+- \`code\` (required): The code to execute
+- \`timeout_seconds\` (optional): Max execution time (default: 60, max: 300)
+
+**Returns:** stdout, stderr, exit_code, execution_time_ms
+
+### execute_shell
+
+Run a shell command in an existing or new sandbox.
+
+**Parameters:**
+- \`command\` (required): Shell command to execute
+- \`sandbox_id\` (optional): Reuse an existing sandbox (for multi-step workflows)
+- \`background\` (optional): Run in background (default: false)
+
+**Returns:** stdout, stderr, exit_code
+
+### upload_file
+
+Upload a file to a sandbox for processing.
+
+**Parameters:**
+- \`sandbox_id\` (required): Target sandbox
+- \`path\` (required): Destination path inside sandbox
+- \`content\` (required): File content (text or base64 for binary)
+
+### download_file
+
+Download a file from a sandbox.
+
+**Parameters:**
+- \`sandbox_id\` (required): Source sandbox
+- \`path\` (required): File path inside sandbox
+
+**Returns:** File content
+
+### list_sandboxes
+
+List active sandboxes on this instance.
+
+**Returns:** Array of { id, status, image, created_at, expires_at }
+
+### terminate_sandbox
+
+Terminate a running sandbox immediately.
+
+**Parameters:**
+- \`sandbox_id\` (required): Sandbox to terminate
+
+### create_desktop
+
+Create a GUI desktop sandbox with VNC access (for Homespace live preview).
+
+**Parameters:**
+- \`image\` (optional): Desktop image (default: "opensandbox/desktop:latest", also: "opensandbox/chrome:latest", "opensandbox/vscode:latest")
+- \`resolution\` (optional): Screen resolution (default: "1280x800x24")
+
+**Returns:** sandbox_id, vnc_endpoint (port 5900), novnc_url (port 6080 WebSocket), devtools_url (port 9222, chrome only)
+
+### get_preview_url
+
+Get the browser-accessible noVNC URL for an existing desktop sandbox.
+
+**Parameters:**
+- \`sandbox_id\` (required): Desktop sandbox ID
+
+**Returns:** novnc_url (embeddable in iframe), vnc_endpoint, status
+
+## Examples
+
+### Run Python code
+
+\`\`\`bash
+curl -X POST http://{{OPENSANDBOX_HOST}}:{{OPENSANDBOX_PORT}}/v1/sandboxes \\
+  -H "Authorization: Bearer $OPENSANDBOX_API_KEY" \\
+  -H "Content-Type: application/json" \\
+  -d '{"image": "opensandbox/code-interpreter:python"}'
+\`\`\`
+
+### Execute code in a sandbox
+
+\`\`\`bash
+curl -X POST http://{{OPENSANDBOX_HOST}}:{{OPENSANDBOX_PORT}}/v1/sandboxes/{id}/code \\
+  -H "Authorization: Bearer $OPENSANDBOX_API_KEY" \\
+  -H "Content-Type: application/json" \\
+  -d '{"language": "python", "code": "print(42 * 42)"}'
+\`\`\`
+
+## Configuration
+
+- **Default timeout:** 60 seconds
+- **Max concurrent sandboxes:** Determined by VPS RAM
+- **Idle cleanup:** Sandboxes with no activity for 30 minutes are auto-terminated
+- **Network:** Bridge mode (isolated from host services)
+- **Security:** gVisor runtime, capability dropping, PID limits
+
+## Limitations
+
+- No persistent storage between sandbox sessions (ephemeral by design)
+- No GPU access (CPU-only execution)
+- No outbound network access by default (egress blocked)
+- Max 512 PIDs per sandbox (fork bomb protection)
+- Memory capped per sandbox (default 512MB)
 `,
 };
 

package/src/schema.ts

@@ -475,6 +475,8 @@ export const AddonStackResultSchema = z.object({
 	}),
 	/** Port mapping for reverse proxy configuration. */
 	proxyRoutes: z.array(ProxyRouteSchema),
+	/** Additional files to write alongside compose (e.g. sandbox.toml). Keyed by filename. */
+	additionalFiles: z.record(z.string(), z.string()).default({}),
 	/** Metadata. */
 	metadata: z.object({
 		serviceCount: z.number(),
@@ -484,6 +486,11 @@ export const AddonStackResultSchema = z.object({
 		skippedServices: z.array(SkippedServiceSchema),
 		generatedSecretKeys: z.array(z.string()),
 		portAssignments: z.record(z.string(), z.number()),
+		/** Docker images to pre-pull during cloud-init, grouped by priority. */
+		prePullImages: z.array(z.object({
+			image: z.string(),
+			priority: z.union([z.literal(1), z.literal(2), z.literal(3)]),
+		})).default([]),
 	}),
 	/** Warnings (non-fatal issues). */
 	warnings: z.array(z.string()),

package/src/services/definitions/burnlink.ts

@@ -0,0 +1,142 @@
+import type { ServiceDefinition } from "../../types.js";
+
+export const burnlinkDefinition: ServiceDefinition = {
+	id: "burnlink",
+	name: "BurnLink",
+	description:
+		"Privacy-first, zero-knowledge file sharing with end-to-end browser-side AES-256-GCM encryption, one-time downloads, view-once mode, and brute-force protection.",
+	category: "storage",
+	icon: "🔥",
+
+	image: "diopisemou/burnlink",
+	imageTag: "latest",
+	ports: [
+		{
+			host: 3250,
+			container: 3000,
+			description: "BurnLink web interface",
+			exposed: true,
+		},
+	],
+	volumes: [],
+	environment: [
+		{
+			key: "PORT",
+			defaultValue: "3000",
+			secret: false,
+			description: "Server listen port",
+			required: false,
+		},
+		{
+			key: "SUPABASE_URL",
+			defaultValue: "",
+			secret: false,
+			description: "Supabase project URL for metadata storage",
+			required: true,
+		},
+		{
+			key: "SUPABASE_SERVICE_ROLE_KEY",
+			defaultValue: "",
+			secret: true,
+			description: "Supabase service role key",
+			required: true,
+		},
+		{
+			key: "R2_ACCOUNT_ID",
+			defaultValue: "",
+			secret: false,
+			description: "Cloudflare R2 account ID (or MinIO endpoint for self-hosted)",
+			required: true,
+		},
+		{
+			key: "R2_ACCESS_KEY_ID",
+			defaultValue: "",
+			secret: true,
+			description: "S3-compatible storage access key",
+			required: true,
+		},
+		{
+			key: "R2_SECRET_ACCESS_KEY",
+			defaultValue: "",
+			secret: true,
+			description: "S3-compatible storage secret key",
+			required: true,
+		},
+		{
+			key: "R2_BUCKET_NAME",
+			defaultValue: "burnlink",
+			secret: false,
+			description: "Storage bucket name for encrypted files",
+			required: true,
+		},
+		{
+			key: "CANONICAL_BASE_URL",
+			defaultValue: "",
+			secret: false,
+			description: "Public URL for share links (e.g., https://burn.example.com)",
+			required: false,
+		},
+		{
+			key: "MAX_UPLOAD_BYTES",
+			defaultValue: "1073741824",
+			secret: false,
+			description: "Max file upload size in bytes (default 1 GB)",
+			required: false,
+		},
+		{
+			key: "NODE_ENV",
+			defaultValue: "production",
+			secret: false,
+			description: "Node environment (production enables rate limiting)",
+			required: false,
+		},
+	],
+	healthcheck: {
+		test: "wget -q --spider http://localhost:3000/ || exit 1",
+		interval: "30s",
+		timeout: "10s",
+		retries: 3,
+		startPeriod: "15s",
+	},
+	dependsOn: [],
+	restartPolicy: "unless-stopped",
+	networks: ["openclaw-network"],
+
+	skills: [],
+	openclawEnvVars: [
+		{
+			key: "BURNLINK_HOST",
+			defaultValue: "burnlink",
+			secret: false,
+			description: "BurnLink hostname",
+			required: false,
+		},
+		{
+			key: "BURNLINK_PORT",
+			defaultValue: "3000",
+			secret: false,
+			description: "BurnLink internal port",
+			required: false,
+		},
+	],
+
+	docsUrl: "https://github.com/diopisemou/BurnLink",
+	tags: ["file-sharing", "encryption", "privacy", "zero-knowledge", "self-destruct"],
+	maturity: "beta",
+
+	requires: [],
+	recommends: ["supabase", "minio"],
+	conflictsWith: [],
+
+	minMemoryMB: 128,
+	gpuRequired: false,
+	capDropCompatible: true,
+	proxyPath: "/burnlink",
+	envQuirks: [
+		{
+			key: "R2_SECRET_ACCESS_KEY",
+			issue: "min_length" as const,
+			fix: { type: "generate_base64url" as const, minBytes: 24 },
+		},
+	],
+};

package/src/services/definitions/hindsight.ts

@@ -0,0 +1,131 @@
+import type { ServiceDefinition } from "../../types.js";
+
+export const hindsightDefinition: ServiceDefinition = {
+	id: "hindsight",
+	name: "Hindsight",
+	description:
+		"Open-source agent memory system with Retain/Recall/Reflect operations, multi-strategy retrieval (semantic, keyword, graph, temporal), and MCP server support.",
+	category: "ai",
+	icon: "🧠",
+
+	image: "ghcr.io/vectorize-io/hindsight",
+	imageTag: "latest",
+	ports: [
+		{
+			host: 8889,
+			container: 8888,
+			description: "Hindsight API and MCP endpoint",
+			exposed: true,
+		},
+		{
+			host: 9998,
+			container: 9999,
+			description: "Hindsight admin web UI",
+			exposed: true,
+		},
+	],
+	volumes: [
+		{
+			name: "hindsight-data",
+			containerPath: "/home/hindsight/.pg0",
+			description: "Embedded PostgreSQL data (used when no external DB configured)",
+		},
+	],
+	environment: [
+		{
+			key: "HINDSIGHT_API_LLM_PROVIDER",
+			defaultValue: "openai",
+			secret: false,
+			description: "LLM provider (openai, anthropic, gemini, groq, ollama, lmstudio)",
+			required: true,
+		},
+		{
+			key: "HINDSIGHT_API_LLM_API_KEY",
+			defaultValue: "",
+			secret: true,
+			description: "API key for the configured LLM provider",
+			required: true,
+		},
+		{
+			key: "HINDSIGHT_API_LLM_MODEL",
+			defaultValue: "o3-mini",
+			secret: false,
+			description: "LLM model to use for memory operations (e.g., o3-mini, claude-sonnet-4-20250514)",
+			required: true,
+		},
+		{
+			key: "HINDSIGHT_API_DATABASE_URL",
+			defaultValue: "postgresql://hindsight:${HINDSIGHT_DB_PASSWORD}@postgresql:5432/hindsight",
+			secret: false,
+			description: "PostgreSQL connection string (leave empty to use embedded pg0 for dev)",
+			required: false,
+		},
+		{
+			key: "HINDSIGHT_API_MCP_ENABLED",
+			defaultValue: "true",
+			secret: false,
+			description: "Enable MCP server for agent tool integration",
+			required: false,
+		},
+		{
+			key: "HINDSIGHT_API_SKIP_LLM_VERIFICATION",
+			defaultValue: "false",
+			secret: false,
+			description: "Skip LLM connection verification on startup",
+			required: false,
+		},
+	],
+	healthcheck: {
+		test: "wget -q --spider http://localhost:8888/metrics || exit 1",
+		interval: "30s",
+		timeout: "10s",
+		retries: 5,
+		startPeriod: "30s",
+	},
+	dependsOn: [],
+	restartPolicy: "unless-stopped",
+	networks: ["openclaw-network"],
+
+	skills: [],
+	openclawEnvVars: [
+		{
+			key: "HINDSIGHT_HOST",
+			defaultValue: "hindsight",
+			secret: false,
+			description: "Hindsight hostname for agent memory operations",
+			required: false,
+		},
+		{
+			key: "HINDSIGHT_API_PORT",
+			defaultValue: "8888",
+			secret: false,
+			description: "Hindsight API port",
+			required: false,
+		},
+	],
+
+	docsUrl: "https://hindsight.vectorize.io/",
+	tags: ["agent-memory", "mcp", "recall", "knowledge-graph", "semantic-search"],
+	maturity: "beta",
+
+	requires: ["postgresql"],
+	recommends: ["ollama"],
+	conflictsWith: [],
+
+	minMemoryMB: 512,
+	gpuRequired: false,
+	capDropCompatible: true,
+	proxyPath: "/hindsight",
+	envQuirks: [
+		{
+			key: "HINDSIGHT_API_LLM_API_KEY",
+			issue: "min_length" as const,
+			fix: { type: "generate_base64url" as const, minBytes: 16 },
+		},
+		{
+			key: "HINDSIGHT_API_DATABASE_URL",
+			issue: "must_sync" as const,
+			fix: { type: "sync_with" as const, syncKey: "HINDSIGHT_DB_PASSWORD" },
+		},
+	],
+};

package/src/services/definitions/index.ts

@@ -11,6 +11,7 @@ export { axolotlDefinition } from "./axolotl.js";
 export { baserowDefinition } from "./baserow.js";
 export { beszelDefinition } from "./beszel.js";
 export { browserlessDefinition } from "./browserless.js";
+export { burnlinkDefinition } from "./burnlink.js";
 export { caddyDefinition } from "./caddy.js";
 export { calComDefinition } from "./cal-com.js";
 export { calibreWebDefinition } from "./calibre-web.js";
@@ -58,6 +59,7 @@ export { grafanaDefinition } from "./grafana.js";
 export { graylogDefinition } from "./graylog.js";
 export { headscaleDefinition } from "./headscale.js";
 export { hedgedocDefinition } from "./hedgedoc.js";
+export { hindsightDefinition } from "./hindsight.js";
 export { hexstrikeDefinition } from "./hexstrike.js";
 export { heyformDefinition } from "./heyform.js";
 export { homeassistantDefinition } from "./homeassistant.js";
@@ -115,6 +117,7 @@ export { openWebuiDefinition } from "./open-webui.js";
 export { opencodeDefinition } from "./opencode.js";
 export { openhandsDefinition } from "./openhands.js";
 export { openpanelDefinition } from "./openpanel.js";
+export { opensandboxDefinition } from "./opensandbox.js";
 export { opensearchDefinition } from "./opensearch.js";
 export { outlineDefinition } from "./outline.js";
 export { paperlessNgxDefinition } from "./paperless-ngx.js";
@@ -201,6 +204,7 @@ import { axolotlDefinition } from "./axolotl.js";
 import { baserowDefinition } from "./baserow.js";
 import { beszelDefinition } from "./beszel.js";
 import { browserlessDefinition } from "./browserless.js";
+import { burnlinkDefinition } from "./burnlink.js";
 import { caddyDefinition } from "./caddy.js";
 import { calComDefinition } from "./cal-com.js";
 import { calibreWebDefinition } from "./calibre-web.js";
@@ -248,6 +252,7 @@ import { grafanaDefinition } from "./grafana.js";
 import { graylogDefinition } from "./graylog.js";
 import { headscaleDefinition } from "./headscale.js";
 import { hedgedocDefinition } from "./hedgedoc.js";
+import { hindsightDefinition } from "./hindsight.js";
 import { hexstrikeDefinition } from "./hexstrike.js";
 import { heyformDefinition } from "./heyform.js";
 import { homeassistantDefinition } from "./homeassistant.js";
@@ -305,6 +310,7 @@ import { openWebuiDefinition } from "./open-webui.js";
 import { opencodeDefinition } from "./opencode.js";
 import { openhandsDefinition } from "./openhands.js";
 import { openpanelDefinition } from "./openpanel.js";
+import { opensandboxDefinition } from "./opensandbox.js";
 import { opensearchDefinition } from "./opensearch.js";
 import { outlineDefinition } from "./outline.js";
 import { paperlessNgxDefinition } from "./paperless-ngx.js";
@@ -561,6 +567,10 @@ export const allServiceDefinitions: ServiceDefinition[] = [
 	vikunjaDefinition,
 	wireguardDefinition,
 	woodpeckerCiDefinition,
+	// ── New Integrations ────────────────────────────────────────────────────
+	hindsightDefinition,
+	burnlinkDefinition,
+	opensandboxDefinition,
 	// ── SaaS Boilerplates ────────────────────────────────────────────────────
 	openSaasDefinition,
 	apptensionSaasDefinition,

package/src/services/definitions/opensandbox.ts

@@ -0,0 +1,156 @@
+import type { ServiceDefinition } from "../../types.js";
+
+export const opensandboxDefinition: ServiceDefinition = {
+	id: "opensandbox",
+	name: "OpenSandbox",
+	description:
+		"Secure containerized code execution for AI agents. Multi-language sandboxes (Python, JS/TS, Java, Go, Bash) with file operations, resource limits, and network isolation.",
+	category: "dev-tools",
+	icon: "📦",
+
+	image: "opensandbox/server",
+	imageTag: "v1.0.6",
+	ports: [
+		{
+			host: 8080,
+			container: 8080,
+			description: "OpenSandbox Lifecycle API (FastAPI)",
+			exposed: true,
+		},
+	],
+	volumes: [
+		{
+			name: "/var/run/docker.sock",
+			containerPath: "/var/run/docker.sock",
+			description:
+				"Docker socket (required for managing sandbox containers)",
+		},
+		{
+			name: "./sandbox.toml",
+			containerPath: "/root/.sandbox.toml:ro",
+			description: "OpenSandbox configuration file (read-only bind mount)",
+		},
+	],
+	environment: [
+		{
+			key: "OPEN_SANDBOX_API_KEY",
+			defaultValue: "",
+			secret: true,
+			description:
+				"API key for OpenSandbox lifecycle API authentication (min 32 chars)",
+			required: true,
+		},
+		{
+			key: "OPENSANDBOX_LOG_LEVEL",
+			defaultValue: "INFO",
+			secret: false,
+			description: "Log verbosity (DEBUG, INFO, WARNING, ERROR)",
+			required: false,
+		},
+		{
+			key: "OPENSANDBOX_RUNTIME_TYPE",
+			defaultValue: "docker",
+			secret: false,
+			description: "Runtime backend (always docker for VPS deployments)",
+			required: false,
+		},
+		{
+			key: "OPENSANDBOX_EXECD_IMAGE",
+			defaultValue: "opensandbox/execd:v1.0.6",
+			secret: false,
+			description:
+				"Execution daemon image injected into sandbox containers",
+			required: false,
+		},
+		{
+			key: "OPENSANDBOX_NETWORK_MODE",
+			defaultValue: "bridge",
+			secret: false,
+			description:
+				"Container networking mode (always bridge for isolation)",
+			required: false,
+		},
+		{
+			key: "OPENSANDBOX_PIDS_LIMIT",
+			defaultValue: "512",
+			secret: false,
+			description: "Max PIDs per sandbox (fork bomb protection)",
+			required: false,
+		},
+		{
+			key: "OPENSANDBOX_NO_NEW_PRIVILEGES",
+			defaultValue: "true",
+			secret: false,
+			description: "Security: prevent privilege escalation in sandboxes",
+			required: false,
+		},
+		{
+			key: "OPENSANDBOX_SECURE_RUNTIME",
+			defaultValue: "gvisor",
+			secret: false,
+			description: "Secure container runtime (gVisor for sandbox isolation)",
+			required: false,
+		},
+	],
+	healthcheck: {
+		test: "curl --fail http://localhost:8080/health || exit 1",
+		interval: "30s",
+		timeout: "10s",
+		retries: 3,
+		startPeriod: "15s",
+	},
+	dependsOn: [],
+	restartPolicy: "unless-stopped",
+	networks: ["openclaw-network"],
+
+	skills: [{ skillId: "code-sandbox", autoInstall: true }],
+	openclawEnvVars: [
+		{
+			key: "OPENSANDBOX_HOST",
+			defaultValue: "opensandbox",
+			secret: false,
+			description: "OpenSandbox hostname for OpenClaw",
+			required: true,
+		},
+		{
+			key: "OPENSANDBOX_PORT",
+			defaultValue: "8080",
+			secret: false,
+			description: "OpenSandbox port for OpenClaw",
+			required: true,
+		},
+		{
+			key: "OPENSANDBOX_API_KEY",
+			defaultValue: "${OPEN_SANDBOX_API_KEY}",
+			secret: true,
+			description: "OpenSandbox API key for OpenClaw",
+			required: true,
+		},
+	],
+
+	docsUrl: "https://github.com/anthropics/OpenSandbox",
+	tags: [
+		"sandbox",
+		"code-execution",
+		"security",
+		"ai-agent",
+		"isolation",
+	],
+	maturity: "stable",
+
+	requires: [],
+	recommends: [],
+	conflictsWith: [],
+
+	minMemoryMB: 768,
+	gpuRequired: false,
+	capDropCompatible: true,
+	proxyPath: "/sandbox",
+	envQuirks: [
+		{
+			key: "OPEN_SANDBOX_API_KEY",
+			issue: "min_length",
+			fix: { type: "generate_base64url", minBytes: 32 },
+		},
+	],
+};