
Reef chain#776

Open
anukulpandey wants to merge 90 commits into Dokploy:canary from anukulpandey:reef-chain

Conversation


@anukulpandey anukulpandey commented Apr 8, 2026

What is this PR about?

New PR of Reef Chain

This PR updates the Reef Chain templates to the new stable2512 deployment flow and switches all runtime-fetched scripts to the dedicated scripts repository:

  • https://github.com/anukulpandey/dokploy-reef-chain-scripts

Included changes

  • Updated reef-bootnode to fetch bootstrap/runtime scripts from the new scripts repo
  • Updated reef-validator to fetch the validator startup script from the new scripts repo
  • Updated reef-rpc to fetch the RPC startup script from the new scripts repo
  • Updated reef-spec-gen to fetch the spec generator API and helper scripts from the new scripts repo
  • Updated reef-dev-cluster to stop downloading the old Makefile-based workflow and instead use the new non-tmux cluster launcher script
  • Exposed 8545 in reef-dev-cluster for bundled eth-rpc
  • Added a new reef-faucet template
  • Updated Reef metadata and Docker Hub links in meta.json
  • Removed dependency on the old reef-dokploy-templates-v2 raw GitHub paths

Why this change

This aligns the Reef templates with the newer stable2512 chain workflow and centralizes all runtime scripts in a single dedicated repository so Dokploy services fetch a stable, maintained source at startup.

Checklist

Before submitting this PR, please make sure that:

Issues related (if applicable)

Close automatically the related issues using the keywords: closes #ISSUE_NUMBER

Screenshots or Videos

N/A

Greptile Summary

This PR updates all Reef Chain templates to the stable2512 workflow, centralizes runtime scripts in a dedicated external repository, and adds a new reef-faucet template. Several structural issues conflict with the project's Docker Compose conventions documented in AGENTS.md and need to be addressed before merging:

  • Every template uses ports instead of the required expose, missing restart policy, and most lack the required version: "3.8" header.
  • The reef-spec-gen service is named reef-spec-api, breaking the mandatory folder-name match and the domain config in its template.toml.
  • Multiple template.toml files hardcode the same validator private-key seeds as default values (including FAUCET_SEED), violating the "never hardcode secrets" rule.
  • All templates download startup scripts from the mutable main branch of an external repo without hash verification, creating a supply-chain risk.

Confidence Score: 3/5

Not safe to merge — multiple P1 violations of documented Dokploy conventions, a service naming mismatch that breaks domain routing, hardcoded validator private-key seeds, and unpinned external script downloads creating supply-chain exposure.

Five P1 findings are present: (1) all templates use ports instead of the mandatory expose, (2) none have a restart policy, (3) five templates omit version: "3.8" and one uses "3.9", (4) the reef-spec-gen service name mismatch will break its domain config, and (5) hardcoded default private-key seeds across four templates violate the no-secrets rule and introduce a real security risk on any default deployment.

All docker-compose.yml files (ports/restart/version), blueprints/reef-spec-gen/docker-compose.yml (service name), and all template.toml files that hardcode seed values (reef-bootnode, reef-dev-cluster, reef-validator, reef-faucet).

Vulnerabilities

  • Hardcoded private-key seeds: reef-bootnode, reef-dev-cluster, reef-validator, and reef-faucet all ship the same three validator seeds as default template.toml values. A default deployment controls a live chain with publicly-known signing keys and a known faucet treasury key.
  • Supply-chain risk via unpinned external scripts: Every template downloads shell/Python/JS scripts from anukulpandey/dokploy-reef-chain-scripts on the main branch at startup with no checksum validation. A compromised or modified push to that repo will silently affect all running deployments on next restart.

Reviews (1): Last reviewed commit: "Wire Reef templates to external scripts ..."

Greptile also left 6 inline comments on this PR.


Context used: AGENTS.md
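The two findings above (scripts pulled from a mutable branch with no checksum, and signing-key seeds shipped as template defaults) are both fixable at the point where the container entrypoint fetches and runs the script. The following is an added example, not code from this PR or from the dokploy-reef-chain-scripts repository: it pins the download to a full commit SHA instead of a branch name, verifies the file's SHA-256 against a digest recorded in the template before anything is executed, and refuses to start if the seed variable is unset or is one of the publicly known Substrate dev seeds (//Alice and friends). The owner/repo/commit values, the variable name VALIDATOR_SEED and the rejected-seed list are assumptions for illustration; a real template would record the actual commit and digest next to the URL.

```shell
#!/bin/sh
# Added example (not part of the PR): pinned, digest-verified script fetch plus
# a guard against starting a node with a default or well-known seed.

# sha256_of FILE -> lowercase hex digest (coreutils sha256sum, or shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The expected value is validated as 64 hex chars so a typo in the template
# fails closed instead of silently never matching.
verify_sha256() {
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]*|'') echo "verify_sha256: expected digest is not hex" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "verify_sha256: expected digest is not 64 hex chars" >&2; return 1; }
  actual=$(sha256_of "$1") || return 1
  [ "$actual" = "$expected" ] && return 0
  echo "verify_sha256: mismatch for $1 (got $actual, want $expected)" >&2
  return 1
}

# pinned_url OWNER REPO COMMIT PATH -> raw.githubusercontent.com URL at a commit.
# A branch name such as "main" is rejected: its content can change under you.
pinned_url() {
  case "$3" in
    *[!0-9a-f]*|'') echo "pinned_url: COMMIT must be a full hex commit SHA, not a branch" >&2; return 1 ;;
  esac
  [ "${#3}" -eq 40 ] || { echo "pinned_url: COMMIT must be 40 hex chars" >&2; return 1; }
  printf 'https://raw.githubusercontent.com/%s/%s/%s/%s\n' "$1" "$2" "$3" "$4"
}

# fetch_verified URL EXPECTED_HEX DEST: download to a temp file, verify, then
# install atomically. On any failure nothing reaches DEST and the caller aborts.
fetch_verified() {
  tmp=$(mktemp) || return 1
  if ! curl -fsSL --proto '=https' --tlsv1.2 "$1" -o "$tmp"; then
    rm -f "$tmp"; echo "fetch_verified: download failed: $1" >&2; return 1
  fi
  if ! verify_sha256 "$tmp" "$2"; then
    rm -f "$tmp"; return 1
  fi
  mv "$tmp" "$3" && chmod 0755 "$3"
}

# require_seed NAME: NAME must be set in the environment and must not be one of
# the public Substrate dev seeds (assumed list; extend it with any seed that was
# ever committed to a template, since those are public too).
require_seed() {
  eval "val=\${$1:-}"
  [ -n "$val" ] || { echo "$1 is not set; refusing to start with a default key" >&2; return 1; }
  case "$val" in
    //Alice|//Bob|//Charlie|//Dave|//Eve|//Ferdie) echo "$1 is a public dev seed; refusing to start" >&2; return 1 ;;
  esac
  return 0
}

# --- offline demonstration on a constructed file (no network, no real seeds) ---
demo=$(mktemp)
printf '#!/bin/sh\necho "reef node starting"\n' > "$demo"   # constructed script
good=$(sha256_of "$demo")
verify_sha256 "$demo" "$good" && echo "digest ok: would execute $demo"
printf 'echo tampered\n' >> "$demo"                          # simulate a changed push
verify_sha256 "$demo" "$good" 2>/dev/null || echo "digest mismatch: refusing to execute"
rm -f "$demo"
```

In a template the entrypoint would call `fetch_verified "$(pinned_url anukulpandey dokploy-reef-chain-scripts "$SCRIPTS_COMMIT" start-validator.sh)" "$START_SHA256" /usr/local/bin/start-validator.sh` and `require_seed VALIDATOR_SEED` before exec'ing the node, with SCRIPTS_COMMIT and START_SHA256 stored beside the URL so a repository push cannot change what runs until someone deliberately bumps both values.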

@dosubot dosubot bot added size:XXL This PR changes 1000+ lines, ignoring generated files. and removed size:XL This PR changes 500-999 lines, ignoring generated files. labels Apr 17, 2026

Labels

new-template size:XXL This PR changes 1000+ lines, ignoring generated files.


2 participants