feat: add cloudron-app-packaging subagent for custom app development

[marcusquinn]

Summary

• Add comprehensive cloudron-app-packaging.md subagent with guidance for packaging custom applications for Cloudron deployment
• Add cloudron-package-helper.sh script with scaffold, validate, build, and test commands
• Update subagent-index.toon to include new subagent and script

Features

Subagent (cloudron-app-packaging.md)

• Decision trees for base image selection (cloudron/base vs official images vs Alpine)
• Addon selection guide with environment variable mappings for all Cloudron addons
• Filesystem permissions documentation (read-only /app/code, writable /app/data, /run, /tmp)
• Symlink dance pattern for apps that expect to write to /app/code paths
• start.sh architecture with complete template covering all phases (init, symlinks, config injection, migrations, process launch)
• Framework-specific patterns for PHP, Node.js, Python, Go, nginx, Apache
• Multi-process support with supervisord configuration
• Anti-patterns to avoid (writing to /app/code, running as root, missing exec, etc.)
• Development workflow with cloudron CLI commands
• Validation checklist for testing packages

Helper Script (cloudron-package-helper.sh)

• init [name] - Initialize new Cloudron app package with templates
• scaffold <type> - Generate boilerplate for php, node, python, go, static
• validate - Validate CloudronManifest.json
• build - Build Docker image
• install <location> - Install app on Cloudron
• update [app] - Build and update installed app
• logs/exec/debug - Debugging commands
• test - Show validation checklist
• status - Show current package status

Context

Based on:

• Official Cloudron packaging docs: https://docs.cloudron.io/packaging/
• Community discussion: https://forum.cloudron.io/topic/14939/packaging-applications-for-cloudron-using-ai
• Context7 Cloudron documentation

Testing

• ShellCheck passes on new script
• Subagent follows existing aidevops patterns
• subagent-index.toon updated with correct counts

Summary by CodeRabbit

• New Features

  • Added a command-line packaging tool with commands for initializing, validating, building, installing, updating, and debugging Cloudron applications.
  • Included boilerplate scaffolding for PHP, Node.js, Python, Go, and static site applications.

• Documentation

  • Added comprehensive packaging guide covering manifest configuration, Dockerfile patterns, environment setup, health checks, and deployment workflows.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[gemini-code-assist]

Summary of Changes

Hello @marcusquinn, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the developer experience for creating and managing custom applications on the Cloudron platform. By providing both an extensive guide and an automated helper script, it aims to standardize packaging practices, reduce common errors, and accelerate the development and deployment cycle for Cloudron applications. The changes offer clear instructions and tools for developers to efficiently integrate their applications with Cloudron's ecosystem.

Highlights

• New Cloudron App Packaging Subagent: A comprehensive Markdown document, cloudron-app-packaging.md, has been added. It provides detailed guidance for packaging custom applications for Cloudron deployment, covering decision trees for base images and addons, filesystem permissions, start.sh architecture, framework-specific patterns, and anti-patterns to avoid.
• New Cloudron Package Helper Script: A new shell script, cloudron-package-helper.sh, has been introduced. This script streamlines the Cloudron app packaging workflow by offering commands for initializing new app packages, scaffolding boilerplate code for various languages (PHP, Node.js, Python, Go, Static), validating CloudronManifest.json, building Docker images, installing/updating apps, viewing logs, executing commands, debugging, and running a validation checklist.
• Index Updates: The subagent-index.toon file has been updated to correctly include the newly added cloudron-app-packaging subagent and the cloudron-package-helper.sh script, ensuring they are discoverable within the system.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 16 minutes and 41 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Introduces a comprehensive Cloudron app packaging CLI tool with 13 commands for initializing, validating, building, and managing Cloudron applications, complemented by detailed deployment documentation and registry index updates registering the new automation components.

Changes

Cohort / File(s)	Summary
New Cloudron Packaging CLI \.agent/scripts/cloudron-package-helper.sh	862-line Bash CLI tool with 13 commands: init, validate, build, install, update, logs, exec, debug, test, scaffold, status, help. Includes colorized logging, environment validation, CloudronManifest.json field validation (id, title, version, manifestVersion, httpPort, healthCheckPath), boilerplate generation (start.sh, Dockerfile, .gitignore), and framework-specific scaffolds (PHP, Node.js, Python, Go, static).
Registry & Index Updates \.agent/subagent-index.toon	Bumped index identifiers: TOON:subagents [33]→[34], TOON:scripts [22]→[23]. Added cloudron-app-packaging subagent entry under tools/deployment and cloudron-package-helper.sh script entry.
Packaging Documentation \.agent/tools/deployment/cloudron-app-packaging.md	800-line reference guide covering workflow, golden rules, file structure, base image selection, process models, filesystem permissions, manifest templates, health checks, Dockerfile patterns, start.sh architecture, environment variables for addons (PostgreSQL, MySQL, Redis, Sendmail, LDAP, OIDC), development workflow, validation checklist, and publishing to Cloudron App Store.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

---

☁️ Cloudron workflows, now automated with grace,
Scaffold and validate at lightning pace,
Dockerfiles bloom from templates so clean,
Build, test, and deploy—your app's a machine! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 68.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes the main change: introducing a new Cloudron app packaging subagent for custom application development, which aligns with the primary additions (subagent doc, helper script, and index updates).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 468 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sun Jan 25 01:33:53 UTC 2026: Code review monitoring started
Sun Jan 25 01:33:54 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 468
Sun Jan 25 01:33:54 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Sun Jan 25 01:33:56 UTC 2026: Codacy analysis completed with auto-fixes
Sun Jan 25 01:33:57 UTC 2026: Applied 1 automatic fixes

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 468
• VULNERABILITIES: 0

Generated on: Sun Jan 25 01:35:19 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive subagent for Cloudron app packaging, including a detailed guide and a powerful helper script. The additions are well-structured and provide significant value for developers packaging applications for Cloudron. The script is robust and covers the entire development workflow, from initialization to testing. The documentation is thorough and provides excellent patterns and anti-patterns.

My review includes a few suggestions to enhance the robustness of the helper script and improve consistency between the script's templates and the documentation. Specifically, I've recommended adding confirmation prompts to prevent accidental file overwrites in the scaffolding commands and aligning the PHP scaffold template with the best practices outlined in the guide.

[gemini-code-assist]

The scaffold commands, including this one, overwrite existing files like Dockerfile and start.sh without confirmation. This can lead to accidental data loss if a user has already made customizations. It's highly recommended to add a confirmation prompt before overwriting any files.

This can be done by adding a check at the beginning of this function, and similarly for scaffold_node, scaffold_python, scaffold_go, and scaffold_static.

Example implementation:

if [[ -f "Dockerfile" || -f "start.sh" ]]; then
    log_warn "This will overwrite existing Dockerfile and start.sh"
    read -rp "Continue? [y/N] " confirm
    if ! [[ "$confirm" =~ ^[Yy]$ ]]; then
        log_info "Scaffold cancelled."
        return 0
    fi
fi

[gemini-code-assist]

The Dockerfile template for the PHP scaffold only preserves the config directory. However, the corresponding start.sh template also creates a symlink for a storage directory. To be consistent and prevent potential loss of default data, you should also move the storage directory to /app/code/defaults.

This aligns with the 'Symlink Dance' pattern described in cloudron-app-packaging.md.

Suggested change

	RUN mkdir -p /app/code/defaults && \
	mv /app/code/config /app/code/defaults/config 2>/dev/null || true
	RUN mkdir -p /app/code/defaults && \
	mv /app/code/config /app/code/defaults/config 2>/dev/null || true && \
	mv /app/code/storage /app/code/defaults/storage 2>/dev/null || true

[gemini-code-assist]

The start.sh template for the PHP scaffold only copies default files for the config directory on first run. Since the storage directory is also part of the symlink dance for many PHP apps (like Laravel, etc.), you should also copy its default contents to ensure consistency.

Suggested change

	# First-run initialization
	if [[ "$FIRST_RUN" == "true" ]]; then
	cp -rn /app/code/defaults/config/* /app/data/config/ 2>/dev/null || true
	fi
	# First-run initialization
	if [[ "$FIRST_RUN" == "true" ]]; then
	cp -rn /app/code/defaults/config/* /app/data/config/ 2>/dev/null || true
	cp -rn /app/code/defaults/storage/* /app/data/storage/ 2>/dev/null || true
	fi

[gemini-code-assist]

The mv commands in this Dockerfile example can cause the build to fail if the config or storage directories do not exist in the application code. It's safer to make these commands optional, as done in the helper script's templates. This makes the pattern more robust and applicable to a wider range of applications.

Suggested change

	RUN mkdir -p /app/code/defaults && \
	mv /app/code/config /app/code/defaults/config && \
	mv /app/code/storage /app/code/defaults/storage
	RUN mkdir -p /app/code/defaults && \
	mv /app/code/config /app/code/defaults/config 2>/dev/null || true && \
	mv /app/code/storage /app/code/defaults/storage 2>/dev/null || true

[augmentcode]

🤖 Augment PR Summary

Summary: This PR adds Cloudron packaging support to aidevops by introducing a new deployment subagent and a helper script for common Cloudron CLI workflows.

Changes:

• Added .agent/tools/deployment/cloudron-app-packaging.md with a comprehensive Cloudron app packaging guide (filesystem model, decision trees, addon env vars, start.sh patterns, troubleshooting).
• Added .agent/scripts/cloudron-package-helper.sh to streamline Cloudron package init/validate/build/install/update/logs/exec/debug and to generate scaffolds for common stacks.
• Updated .agent/subagent-index.toon to register the new Cloudron subagent under deployment tools and to include the new helper script.
• Bumped subagent/script counts in the index to reflect the additions.

Technical Notes: The helper script runs with set -euo pipefail and wraps Cloudron CLI commands; scaffolds write Dockerfile/start.sh templates geared toward Cloudron’s read-only /app/code and persistent /app/data conventions.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 3 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

The generated Dockerfile template here uses a line-continuation (\) before a comment line, which will cause the shell to treat the rest of the RUN line (including && rm -rf ...) as commented out and can even make apt-get install run with no packages. This means the default Dockerfile produced by init may fail to build until edited.

_{🤖 Was this useful? React with 👍 or 👎}

[augmentcode]

cmd_validate/cmd_status rely on jq, but the script never checks that jq is installed; with set -euo pipefail this will exit abruptly with command not found. Consider a dependency check (similar to check_cloudron_cli) so users get a clear error message.

_{🤖 Was this useful? React with 👍 or 👎}

[augmentcode]

This check only validates that httpPort is numeric, but the error message says “positive integer” and it doesn’t reject 0 or out-of-range values. Tightening validation to 1..65535 would make validate more accurate.

_{🤖 Was this useful? React with 👍 or 👎}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @.agent/scripts/cloudron-package-helper.sh:
- Around line 170-186: In cmd_validate the use of the arithmetic post-increment
((errors++)) can return a non-zero exit status under set -e and cause premature
script exit; replace each ((errors++)) with a safe increment using assignment
like errors=$((errors+1)) (this evaluates to a normal exit status), and apply
the same replacement for every other place in the script that increments the
errors variable (all occurrences of ((errors++)) in this file).
- Around line 170-235: The script uses jq in cmd_validate (and cmd_status) but
never verifies it exists; add a helper function check_jq that tests for jq
(e.g., command -v jq) and emits a clear log_error if missing and returns
non-zero, then call check_jq || return 1 at the start of cmd_validate and
cmd_status so the functions fail fast with a helpful message instead of
producing confusing errors; reference the symbols check_jq, cmd_validate, and
cmd_status when making the changes.

🧹 Nitpick comments (1)

.agent/tools/deployment/cloudron-app-packaging.md (1)

37-37: Minor: Markdown linting flags missing blank lines around fenced code blocks.

Static analysis reports MD031 violations at multiple locations. While this doesn't affect functionality, adding blank lines before/after code fences improves rendering consistency across Markdown processors.

Also applies to: 46-46, 138-138, 275-275, 321-321, 456-456, 750-750, 757-757, 764-764, 772-772, 779-779

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 468 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sun Jan 25 01:37:32 UTC 2026: Code review monitoring started
Sun Jan 25 01:37:32 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 468
Sun Jan 25 01:37:32 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Sun Jan 25 01:37:34 UTC 2026: Codacy analysis completed with auto-fixes
Sun Jan 25 01:37:36 UTC 2026: Applied 1 automatic fixes

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 468
• VULNERABILITIES: 0

Generated on: Sun Jan 25 01:39:02 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
11 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 468 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sun Jan 25 01:41:01 UTC 2026: Code review monitoring started
Sun Jan 25 01:41:01 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 468
Sun Jan 25 01:41:02 UTC 2026: Qlty - 0 issues found, auto-formatting applied
Sun Jan 25 01:41:04 UTC 2026: Codacy analysis completed with auto-fixes
Sun Jan 25 01:41:05 UTC 2026: Applied 1 automatic fixes

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 468
• VULNERABILITIES: 0

Generated on: Sun Jan 25 01:42:26 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring