From e658d2f9a303aed81ba0a0b684e4910b66eba7d9 Mon Sep 17 00:00:00 2001
From: Romain ROCHAS
Date: Mon, 27 Apr 2026 16:24:03 +0700
Subject: [PATCH 1/7] fix(magic env) HEX secrets creating double the length of their name

---
 bootstrap/helpers/shared.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index 9f0f2cd73..d55a00a4c 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -1463,13 +1463,13 @@ function generateEnvValue(string $command, Service|Application|null $service = n
 $generatedValue = base64_encode(Str::random(32));
 break;
 case 'HEX_32':
- $generatedValue = bin2hex(Str::random(32));
+ $generatedValue = bin2hex(Str::random(16));
 break;
 case 'HEX_64':
- $generatedValue = bin2hex(Str::random(64));
+ $generatedValue = bin2hex(Str::random(32));
 break;
 case 'HEX_128':
- $generatedValue = bin2hex(Str::random(128));
+ $generatedValue = bin2hex(Str::random(64));
 break;
 case 'USER':
 $generatedValue = Str::random(16);

From c6ac52dc38802a378272e982962072b944810543 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Sat, 9 May 2026 14:49:39 +0200
Subject: [PATCH 2/7] fix(env): generate encoded secrets from raw random bytes

Use random_bytes before hex and base64 encoding so generated env values match the expected decoded byte lengths. Add Pest coverage for HEX and REALBASE64 magic variables.

---
 bootstrap/helpers/shared.php | 12 ++++++------
 tests/Unit/GenerateEnvValueTest.php | 29 +++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100644 tests/Unit/GenerateEnvValueTest.php

diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index 06c6f4d5c..860b550dd 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -1400,23 +1400,23 @@ function generateEnvValue(string $command, Service|Application|null $service = n
 break;
 // This is base64,
 case 'REALBASE64_64':
- $generatedValue = base64_encode(Str::random(64));
+ $generatedValue = base64_encode(random_bytes(64));
 break;
 case 'REALBASE64_128':
- $generatedValue = base64_encode(Str::random(128));
+ $generatedValue = base64_encode(random_bytes(128));
 break;
 case 'REALBASE64':
 case 'REALBASE64_32':
- $generatedValue = base64_encode(Str::random(32));
+ $generatedValue = base64_encode(random_bytes(32));
 break;
 case 'HEX_32':
- $generatedValue = bin2hex(Str::random(16));
+ $generatedValue = bin2hex(random_bytes(16));
 break;
 case 'HEX_64':
- $generatedValue = bin2hex(Str::random(32));
+ $generatedValue = bin2hex(random_bytes(32));
 break;
 case 'HEX_128':
- $generatedValue = bin2hex(Str::random(64));
+ $generatedValue = bin2hex(random_bytes(64));
 break;
 case 'USER':
 $generatedValue = Str::random(16);
diff --git a/tests/Unit/GenerateEnvValueTest.php b/tests/Unit/GenerateEnvValueTest.php
new file mode 100644
index 000000000..7e7755f4d
--- /dev/null
+++ b/tests/Unit/GenerateEnvValueTest.php
@@ -0,0 +1,29 @@
+toBeString()
+ ->toMatch('/^[0-9a-f]+$/');
+
+ expect(strlen($value))->toBe($expectedLength);
+})->with([
+ 'HEX_32' => ['HEX_32', 32],
+ 'HEX_64' => ['HEX_64', 64],
+ 'HEX_128' => ['HEX_128', 128],
+]);
+
+test('real base64 magic variables generate valid base64 strings from expected byte lengths', function (string $command, int $expectedBytes) {
+ $value = generateEnvValue($command);
+ $decodedValue = base64_decode($value, true);
+
+ expect($value)->toBeString();
+ expect($decodedValue)->not->toBeFalse();
+ expect(strlen($decodedValue))->toBe($expectedBytes);
+})->with([
+ 'REALBASE64' => ['REALBASE64', 32],
+ 'REALBASE64_32' => ['REALBASE64_32', 32],
+ 'REALBASE64_64' => ['REALBASE64_64', 64],
+ 'REALBASE64_128' => ['REALBASE64_128', 128],
+]);

From 4ccb769e3367a8b070a9b882dd262cdf0b49e7ab Mon Sep 17 00:00:00 2001
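Review bot: The numeric suffix means two different things in the cases this hunk touches and nothing in the code says so: `HEX_32` now draws `random_bytes(16)` and yields 32 hex characters, while `REALBASE64_32` draws `random_bytes(32)` and yields 32 raw bytes (44 base64 characters). Whoever picks a magic variable for a consumer that wants "N bytes of key" will read the suffix the wrong way, which appears to be what patches 3–7 of this series are correcting in the compose templates. A comment above the first `case 'HEX_32':` would settle it: `// HEX_N yields N hex characters (N/2 random bytes); REALBASE64_N yields N random bytes, base64-encoded.` The dangling context comment `// This is base64,` above `case 'REALBASE64_64':` could be folded into that note. generateEnvValue's switch starts and ends outside the hunk.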
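Review bot: Both tests pin the format and length of the generated value but never that it is actually random; a regression that returned a constant of the right shape, or reused the same bytes within a process, would still pass. One extra assertion per test, `expect(generateEnvValue($command))->not->toBe($value);`, rules that out, and at these byte lengths a spurious collision is not a realistic concern. The file header and the opening lines of the first test closure are not legible in this rendering, so that closure begins outside what is visible here.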
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 9 May 2026 19:14:40 +0530
Subject: [PATCH 3/7] fix(service): set correct SERVICE_HEX magic env for Outline SECRET_KEY

---
 templates/compose/getoutline.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/getoutline.yaml b/templates/compose/getoutline.yaml
index 7ce7774c1..712a262ec 100644
--- a/templates/compose/getoutline.yaml
+++ b/templates/compose/getoutline.yaml
@@ -18,7 +18,7 @@ services:
 environment:
 - SERVICE_URL_OUTLINE_3000
 - NODE_ENV=production
- - SECRET_KEY=${SERVICE_HEX_32_OUTLINE}
+ - SECRET_KEY=${SERVICE_HEX_64_OUTLINE}
 - UTILS_SECRET=${SERVICE_PASSWORD_64_OUTLINE}
 - DATABASE_URL=postgres://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_64_POSTGRES}@postgres:5432/${POSTGRES_DATABASE:-outline}
 - REDIS_URL=redis://:${SERVICE_PASSWORD_64_REDIS}@redis:6379

From 13077db1d8d78c3fe093d3938e708aeabafb3a00 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 9 May 2026 19:17:02 +0530
Subject: [PATCH 4/7] fix(service): set correct SERVICE_HEX magic env for bluesky-pds JWTSECRET and ROTATIONKEY

---
 templates/compose/bluesky-pds.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/compose/bluesky-pds.yaml b/templates/compose/bluesky-pds.yaml
index de764f08c..d3a7f1239 100644
--- a/templates/compose/bluesky-pds.yaml
+++ b/templates/compose/bluesky-pds.yaml
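Review bot: Switching the reference from `SERVICE_HEX_32_OUTLINE` to `SERVICE_HEX_64_OUTLINE` introduces a new variable name, so for services that are already deployed the platform presumably generates a fresh value instead of carrying the existing secret over; whether the old value survives depends on the environment-resolution code, which is not part of this series. For `SECRET_KEY` here that would invalidate existing sessions, and the same rename in patches 4 (bluesky-pds `PDS_JWT_SECRET` and `PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX`), 5 (Convex `INSTANCE_SECRET`), 6 (homarr `SECRET_ENCRYPTION_KEY`) and 7 (open-archiver `ENCRYPTION_KEY` and `STORAGE_ENCRYPTION_KEY`) touches keys that, judging by their names, protect stored data or a long-lived identity, where a silently rotated key makes what was encrypted or signed under the old one unusable. A migration note in the PR description, or a one-line YAML comment beside each changed variable stating that existing deployments must keep their current value, would make the operational impact explicit.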
@@ -13,10 +13,10 @@ services:
 environment:
 - SERVICE_URL_PDS_3000
 - 'PDS_HOSTNAME=${SERVICE_FQDN_PDS}'
- - 'PDS_JWT_SECRET=${SERVICE_HEX_32_JWTSECRET}'
+ - 'PDS_JWT_SECRET=${SERVICE_HEX_64_JWTSECRET}'
 - 'PDS_ADMIN_PASSWORD=${SERVICE_PASSWORD_ADMIN}'
 - 'PDS_ADMIN_EMAIL=${PDS_ADMIN_EMAIL}'
- - 'PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=${SERVICE_HEX_32_ROTATIONKEY}'
+ - 'PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=${SERVICE_HEX_64_ROTATIONKEY}'
 - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}'
 - 'PDS_BLOBSTORE_DISK_LOCATION=${PDS_DATA_DIRECTORY:-/pds}/blocks'
 - 'PDS_BLOB_UPLOAD_LIMIT=${PDS_BLOB_UPLOAD_LIMIT:-104857600}'

From 02373e1b3e198f9cf23ddf086f0b27962e77e2fa Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 9 May 2026 19:26:30 +0530
Subject: [PATCH 5/7] fix(service): set correct SERVICE_HEX magic env for Convex INSTANCE_SECRET

---
 templates/compose/convex.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/compose/convex.yaml b/templates/compose/convex.yaml
index e80cc4254..29d4144c3 100644
--- a/templates/compose/convex.yaml
+++ b/templates/compose/convex.yaml
@@ -13,7 +13,7 @@ services:
 environment:
 - SERVICE_URL_BACKEND_3210
 - INSTANCE_NAME=${INSTANCE_NAME:-self-hosted-convex}
- - INSTANCE_SECRET=${SERVICE_HEX_32_SECRET}
+ - INSTANCE_SECRET=${SERVICE_HEX_64_SECRET}
 - CONVEX_RELEASE_VERSION_DEV=${CONVEX_RELEASE_VERSION_DEV:-}
 - ACTIONS_USER_TIMEOUT_SECS=${ACTIONS_USER_TIMEOUT_SECS:-}
 # URL of the Convex API as accessed by the client/frontend.

From 4453fec7cc7ffddc27c9a824c9d733778ae5c266 Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 9 May 2026 19:30:07 +0530
Subject: [PATCH 6/7] fix(service): set correct SERVICE_HEX magic env for homarr SECRET_ENCRYPTION_KEY

---
 templates/compose/homarr.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/templates/compose/homarr.yaml b/templates/compose/homarr.yaml
index 117fd8738..5934e9799 100644
--- a/templates/compose/homarr.yaml
+++ b/templates/compose/homarr.yaml
@@ -10,8 +10,7 @@ services:
 image: ghcr.io/homarr-labs/homarr:v1.40.0
 environment:
 - SERVICE_URL_HOMARR_7575
- - SERVICE_HEX_32_HOMARR
- - 'SECRET_ENCRYPTION_KEY=${SERVICE_HEX_32_HOMARR}'
+ - 'SECRET_ENCRYPTION_KEY=${SERVICE_HEX_64_HOMARR}'
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 - ./homarr/appdata:/appdata

From 7c5dc8bae1eccdd5a675a0a5f35e394afb77abda Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Sat, 9 May 2026 19:35:15 +0530
Subject: [PATCH 7/7] fix(service): set correct SERVICE_HEX magic env for open archive ENCRYPTION_KEY and STORAGE_ENCRYPTION_KEY

---
 templates/compose/open-archiver.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/compose/open-archiver.yaml b/templates/compose/open-archiver.yaml
index f6a7ba9b0..49eda85ff 100644
--- a/templates/compose/open-archiver.yaml
+++ b/templates/compose/open-archiver.yaml
@@ -10,8 +10,8 @@ services:
 image: logiclabshq/open-archiver:latest
 environment:
 - SERVICE_URL_OPENARCHIVER_3000
- - ENCRYPTION_KEY=${SERVICE_HEX_32_ENCRYPTIONKEY}
- - STORAGE_ENCRYPTION_KEY=${SERVICE_HEX_32_STORAGEENCRYPTIONKEY}
+ - ENCRYPTION_KEY=${SERVICE_HEX_64_ENCRYPTIONKEY}
+ - STORAGE_ENCRYPTION_KEY=${SERVICE_HEX_64_STORAGEENCRYPTIONKEY}
 - PORT_BACKEND=${PORT_BACKEND:-4000}
 - PORT_FRONTEND=${PORT_FRONTEND:-3000}
 - NODE_ENV=${NODE_ENV:-production}