docs: ingest Cloudron 9.1 official AI skills and update docs

[marcusquinn]

Summary

• Import 3 official Cloudron AI skills from git.cloudron.io/docs/skills (upstream commit b247b124): app packaging, app publishing, and server ops
• Update cloudron.md with Cloudron 9.1 features: custom app build & deploy, community packages, passkey/FIDO2 auth, OIDC CLI login, MongoDB 8, Redis 8.4, Node.js 24.x, ACME ARI, backup integrity verification
• Register all 3 skills in skill-sources.json for update monitoring (GitLab source — manual update check until GitLab API support added)
• Add skills to subagent-index.toon deployment section

Files Changed

File	Change
.agents/tools/deployment/cloudron-app-packaging-skill.md	NEW: upstream packaging skill with 9.1 build methods
.agents/tools/deployment/cloudron-app-packaging-skill/manifest-ref.md	NEW: manifest field reference (from upstream)
.agents/tools/deployment/cloudron-app-packaging-skill/addons-ref.md	NEW: addon env var reference (from upstream)
.agents/tools/deployment/cloudron-app-publishing-skill.md	NEW: publishing/community packages skill
.agents/tools/deployment/cloudron-server-ops-skill.md	NEW: CLI server ops skill
.agents/services/hosting/cloudron.md	Updated: 9.1 features, skill cross-references
.agents/configs/skill-sources.json	Updated: 3 new skill registrations
.agents/subagent-index.toon	Updated: deployment section with new skills

Notes

• Upstream skills use OpenSkills format frontmatter — preserved as-is with aidevops wrapper frontmatter added
• Existing native Cloudron subagents (cloudron.md, cloudron-app-packaging.md) remain primary entry points; imported skills complement with authoritative upstream content
• The -skill.md suffix convention distinguishes imported skills from native subagents

Summary by CodeRabbit

• New Features

  • Added Cloudron 9.1 support: passkey auth, OIDC CLI login, custom app build/deploy, community packages.
  • Introduced app packaging, publishing, and server-ops skills and expanded subagent catalog.

• Documentation

  • Comprehensive guides for packaging, manifest fields, addon reference, and publishing workflow.
  • Detailed server-operations CLI reference with multi-server and CI/CD examples; updated quick-reference and "What's New" overview.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the platform's documentation and capabilities by integrating the latest Cloudron 9.1 features and official AI skills. It provides updated guides for app development, deployment, and server management, ensuring users have access to comprehensive and up-to-date resources for leveraging Cloudron's advanced functionalities.

Highlights

• Cloudron 9.1 Feature Integration: Incorporated new features from Cloudron 9.1, including custom app build/deploy, community packages, passkey/FIDO2 authentication, OIDC CLI login, updated addon versions (MongoDB 8, Redis 8.4, Node.js 24.x), ACME ARI support, and improved backup/event logging.
• Official Cloudron AI Skills Ingestion: Added three new official Cloudron AI skills: app packaging, app publishing, and server operations, directly imported from the upstream git.cloudron.io/docs/skills repository.
• Skill Registration and Indexing: Registered the newly imported skills in skill-sources.json for update monitoring and integrated them into the subagent-index.toon deployment section to ensure discoverability and proper subagent functionality.

Changelog

• .agents/configs/skill-sources.json
  • Added new entries for cloudron-app-packaging, cloudron-app-publishing, and cloudron-server-ops skills, including their upstream URLs, commit hashes, local paths, and notes.
• .agents/services/hosting/cloudron.md
  • Updated the "Quick Reference" section to reflect Cloudron 9.1 authentication methods and added links to new CLI, packaging, and publishing skills.
  • Introduced a new "What's New in 9.1" section detailing custom app build/deploy, community packages, passkey auth, OIDC CLI login, addon upgrades, ACME ARI, backup integrity verification, and improved progress/event reporting.
  • Updated "App Ecosystem" and "Security" characteristics to mention community packages and passkey authentication.
  • Added a "Related Skills and Subagents" section, linking to the newly integrated Cloudron skills and existing helper scripts.
• .agents/subagent-index.toon
  • Updated the TOON:subagents count from 58 to 62.
  • Modified the tools/deployment/ entry to include cloudron-app-packaging-skill, cloudron-app-publishing-skill, and cloudron-server-ops-skill in its key_files list.
• .agents/tools/deployment/cloudron-app-packaging-skill.md
  • Added a new skill document detailing official Cloudron app packaging, including build methods (on-server, local Docker, build service), Dockerfile patterns, start.sh conventions, writable directories, logging, multiple processes, memory-aware worker count, manifest essentials, and addon overview.
• .agents/tools/deployment/cloudron-app-packaging-skill/addons-ref.md
  • Added a new reference document providing full environment variable and option details for Cloudron addons like localstorage, mysql, postgresql, mongodb, redis, ldap, oidc, sendmail, recvmail, email, proxyauth, scheduler, tls, turn, and docker.
• .agents/tools/deployment/cloudron-app-packaging-skill/manifest-ref.md
  • Added a new reference document detailing all fields for CloudronManifest.json, covering required fields, ports, addons, metadata, behavior, post-install options, and versioning.
• .agents/tools/deployment/cloudron-app-publishing-skill.md
  • Added a new skill document explaining Cloudron app publishing via CloudronVersions.json version catalogs, including prerequisites, workflow, initialization, build commands, versions commands, distribution methods, and community packages.
• .agents/tools/deployment/cloudron-server-ops-skill.md
  • Added a new skill document outlining Cloudron server operations using the cloudron CLI, covering setup, app targeting, listing/inspection, app lifecycle, run state, logs, shell/exec, debug mode, file transfer, environment variables, configuration, backups, utilities, CI/CD integration, global options, and common workflows.

Activity

• No human activity has been recorded on this pull request since its creation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 24fbb86 and 0a170d9.

📒 Files selected for processing (3)

• .agents/subagent-index.toon
• .agents/tools/deployment/cloudron-app-packaging-skill/addons-ref.md
• .agents/tools/deployment/cloudron-server-ops-skill.md

---

Walkthrough

This PR registers three new Cloudron skills, adds comprehensive packaging/publishing/server-ops documentation, updates the subagent index, and revises the Cloudron hosting doc to reflect 9.1 features and related skills.

Changes

Cohort / File(s)	Summary
Skill Registry & Index .agents/configs/skill-sources.json, .agents/subagent-index.toon	Added three Cloudron skill entries to the skill-sources registry and bumped the subagent index (58 → 59) with new metadata entries.
Cloudron Service Documentation .agents/services/hosting/cloudron.md	Updated hosting doc for Cloudron 9.1: new "What's New in 9.1", revised quick reference (auth/CLI/packaging/publishing), provider overview, and a "Related Skills and Subagents" table.
Cloudron App Packaging (docs) .agents/tools/deployment/cloudron-app-packaging-skill.md, .agents/tools/deployment/cloudron-app-packaging-skill/addons-ref.md, .agents/tools/deployment/cloudron-app-packaging-skill/manifest-ref.md	Added comprehensive packaging guide, addons reference (env/opts for ~14 addons), and full CloudronManifest.json field reference with examples and constraints.
Cloudron App Publishing (docs) .agents/tools/deployment/cloudron-app-publishing-skill.md	Added publishing guide for CloudronVersions.json-based catalogs: init/build/publish workflows, version commands, distribution methods, and community package guidance.
Cloudron Server Ops (docs) .agents/tools/deployment/cloudron-server-ops-skill.md	Added server operations skill covering CLI setup/auth (OIDC/9.1+), multi-server workflows, and an extensive command reference (listing, deploy, build, logs, backups, CI/CD integration, etc.).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• t1278: Interactive Skill Discovery & Management CLI (aidevops skills) #2030 — Adds skill-helper CLI and reads skill metadata/subagent index; directly complements these new skill entries and index updates.
• feat(cloudron): add git.cloudron.io as comprehensive reference source #249 — Updates Cloudron packaging documentation and references; overlaps with the new packaging docs added here.
• feat: add cloudron-app-packaging subagent for custom app development #190 — Previously added cloudron-app-packaging subagent and related docs; closely related to the packaging skill changes.

Suggested labels

needs-review

Poem

🌥️ Three Cloudron skills arrive today,
Pack, publish, manage — show the way.
Docs laid out, the index grows,
CLI and manifests in tidy rows,
DevOps dance — deploy and play! 🚀

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: ingestion of three official Cloudron 9.1 AI skills and documentation updates for Cloudron 9.1 features.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/cloudron-91-skills-ingestion

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 109 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sun Mar 1 16:09:34 UTC 2026: Code review monitoring started
Sun Mar 1 16:09:35 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 109

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 109
• VULNERABILITIES: 0

Generated on: Sun Mar 1 16:09:37 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.agents/tools/deployment/cloudron-server-ops-skill.md (1)

190-196: Use a placeholder token in CI/CD examples to avoid secret-like literals.

Replace the hardcoded token-looking value with a placeholder (e.g., <api-token>) to reduce copy/paste risk and secret-scanner noise.

Suggested patch

 cloudron update \
   --server my.example.com \
-  --token 001e7174c4cbad2272 \
+  --token <api-token> \
   --app blog.example.com \
   --image username/image:tag

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/tools/deployment/cloudron-server-ops-skill.md around lines 190 -
196, Replace the hardcoded token-like literal in the Cloudron CLI example by
using a non-secret placeholder to avoid accidental secret exposure; specifically
update the example command that uses the --token flag (the snippet showing
"cloudron update ... --token 001e7174c4cbad2272 ...") to use a placeholder such
as <api-token> or <token> instead of the numeric-looking value so copy/paste
from docs/CI won't leak secrets or trigger scanners.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/subagent-index.toon:
- Line 26: The TOON header declares subagents[62] but the block actually
contains 59 entries; update the TOON header declaration from subagents[62] to
subagents[59] (the header token to change is the TOON comment line containing
"subagents[62]") so the declared cardinality matches the actual rows and
prevents the parser failure.

In @.agents/tools/deployment/cloudron-app-packaging-skill/addons-ref.md:
- Line 20: The markdown has multiple unlabeled fenced code blocks that trigger
MD040; update each fence that lists environment variables to include a language
tag (use "text") so the opening backticks become ```text; specifically edit the
blocks containing the env names such as CLOUDRON_MYSQL_URL,
CLOUDRON_POSTGRESQL_URL, CLOUDRON_MONGODB_URL, CLOUDRON_REDIS_URL,
CLOUDRON_LDAP_SERVER, CLOUDRON_OIDC_PROVIDER_NAME, CLOUDRON_MAIL_SMTP_SERVER,
CLOUDRON_MAIL_IMAP_SERVER, CLOUDRON_EMAIL_SMTP_SERVER, CLOUDRON_TURN_SERVER and
the final CLOUDRON_DOCKER_HOST block (and the other occurrences noted) to start
with ```text to satisfy the lint gate.

---

Nitpick comments:
In @.agents/tools/deployment/cloudron-server-ops-skill.md:
- Around line 190-196: Replace the hardcoded token-like literal in the Cloudron
CLI example by using a non-secret placeholder to avoid accidental secret
exposure; specifically update the example command that uses the --token flag
(the snippet showing "cloudron update ... --token 001e7174c4cbad2272 ...") to
use a placeholder such as <api-token> or <token> instead of the numeric-looking
value so copy/paste from docs/CI won't leak secrets or trigger scanners.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7c4e4e4 and 24fbb86.

📒 Files selected for processing (8)

• .agents/configs/skill-sources.json
• .agents/services/hosting/cloudron.md
• .agents/subagent-index.toon
• .agents/tools/deployment/cloudron-app-packaging-skill.md
• .agents/tools/deployment/cloudron-app-packaging-skill/addons-ref.md
• .agents/tools/deployment/cloudron-app-packaging-skill/manifest-ref.md
• .agents/tools/deployment/cloudron-app-publishing-skill.md
• .agents/tools/deployment/cloudron-server-ops-skill.md

[gemini-code-assist]

Code Review

This pull request introduces new documentation and AI skills for Cloudron 9.1. The changes are well-structured and comprehensive, adding valuable information about new features and improving the existing documentation. I've identified a few minor issues related to data consistency in configuration files and a security best practice in a documentation example, which has been highlighted with a security review type and a reference to secure coding practices. Overall, this is a great contribution to keep the documentation up-to-date.

[gemini-code-assist]

The imported_at timestamps for the new Cloudron skills are set to a future date (2026-03-01). Semantically, imported_at should reflect the actual date of import. Using a future date can be misleading and may cause unexpected behavior in time-based logic. Please consider using the actual import timestamps for these entries.

[gemini-code-assist]

The subagent count has been increased from 58 to 62, an increment of 4. However, this pull request seems to add 3 new skills to an existing subagent entry, without adding new subagent lines. Please verify if the count [62] is correct. If it's a manual count of subagent entries (lines), it seems it should not have changed.

[gemini-code-assist]

The provided mysql debug command exposes the password as a command-line argument, which is insecure as it can be seen in the process list by other users on the system. For better security, consider using an environment variable, similar to the postgresql example:

MYSQL_PWD=$CLOUDRON_MYSQL_PASSWORD mysql --user=$CLOUDRON_MYSQL_USERNAME --host=$CLOUDRON_MYSQL_HOST $CLOUDRON_MYSQL_DATABASE

Suggested change

	Debug: `cloudron exec` then `mysql --user=$CLOUDRON_MYSQL_USERNAME --password=$CLOUDRON_MYSQL_PASSWORD --host=$CLOUDRON_MYSQL_HOST $CLOUDRON_MYSQL_DATABASE`
	Debug: cloudron exec then MYSQL_PWD=$CLOUDRON_MYSQL_PASSWORD mysql --user=$CLOUDRON_MYSQL_USERNAME --host=$CLOUDRON_MYSQL_HOST $CLOUDRON_MYSQL_DATABASE

References

1. When documenting security practices, explicitly emphasize the preference for secure tools (e.g., gopass) over less secure alternatives (e.g., plaintext files), even if the alternatives are permitted with restrictions. This comment highlights a security vulnerability (password exposure) and suggests a more secure method (environment variables).

[marcusquinn]

Fixed all 3 CodeRabbit issues:

• subagent-index.toon: TOON header cardinality corrected subagents[62] → subagents[59]
• cloudron-server-ops-skill.md: replaced hardcoded token 001e7174c4cbad2272 with <api-token> placeholder
• addons-ref.md: added text language tag to all 11 unlabeled fenced code blocks (MD040)

[github-actions]

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 109 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Sun Mar 1 16:16:31 UTC 2026: Code review monitoring started
Sun Mar 1 16:16:31 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 109

📈 Current Quality Metrics

• BUGS: 0
• CODE SMELLS: 109
• VULNERABILITIES: 0

Generated on: Sun Mar 1 16:16:34 UTC 2026

---

Generated by AI DevOps Framework Code Review Monitoring

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud