infra: container-only workflow (packaging image + scripts); README: add No Host Pollution policy

README.md

@@ -21,6 +21,31 @@ Single-branch, streamlined repository for container work at KNEL. The focus is C
 - Commit small, focused changes; push directly to `origin/main`.
 - No integration/feature branch dance; avoid long‑lived branches.
 
+## No Host Pollution (containers only)
+
+- Host requirements: `docker`, `git` (and optionally `tea`). Nothing else.
+- All packaging work runs inside the packaging container. Do not install build tools on the host.
+- Use the scripts provided:
+  - `scripts/packaging-up.sh` – build/run the packaging container (mounts repo, docker socket)
+  - `scripts/packaging-enter.sh` – open a shell inside the container
+  - `scripts/packaging-exec.sh <cmd>` – run a command inside the container
+  - `scripts/workspace-clone.sh` – run upstream clone inside the container
+  - `scripts/workspace-update.sh` – run upstream update inside the container
+
+The container image includes Docker CLI and Cloudron CLI, and accesses the host Docker via `/var/run/docker.sock`.
+
+Quick start:
+```
+# Start container
+scripts/packaging-up.sh
+
+# Enter container shell
+scripts/packaging-enter.sh
+
+# Clone upstreams inside container
+scripts/workspace-clone.sh
+```
+
 ## Add a new Cloudron package
 
 1) Create the package folder

docker/packaging/Dockerfile

@@ -0,0 +1,17 @@
+FROM docker:26-cli
+
+# Install tools needed for Cloudron packaging inside the container
+RUN apk add --no-cache \
+    bash git curl jq \
+    build-base \
+    nodejs npm \
+    openssh-client
+
+# Cloudron CLI (used for packaging commands)
+RUN npm i -g cloudron
+
+WORKDIR /workspace
+
+# Default command keeps the container running
+CMD ["sh", "-lc", "tail -f /dev/null"]
+

scripts/packaging-enter.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+NAME=${PACKAGING_CONTAINER_NAME:-tsys-cloudron-packaging}
+
+if ! docker ps --format '{{.Names}}' | grep -qx "$NAME"; then
+  scripts/packaging-up.sh >/dev/null
+fi
+
+exec docker exec -it "$NAME" bash
+

scripts/packaging-exec.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+NAME=${PACKAGING_CONTAINER_NAME:-tsys-cloudron-packaging}
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: scripts/packaging-exec.sh <command...>" >&2
+  exit 1
+fi
+
+if ! docker ps --format '{{.Names}}' | grep -qx "$NAME"; then
+  scripts/packaging-up.sh >/dev/null
+fi
+
+exec docker exec -it "$NAME" sh -lc "$*"
+

scripts/packaging-up.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+NAME=${PACKAGING_CONTAINER_NAME:-tsys-cloudron-packaging}
+IMAGE=${PACKAGING_IMAGE:-knel/packaging:latest}
+DOCKERFILE=${PACKAGING_DOCKERFILE:-docker/packaging/Dockerfile}
+
+if ! docker image inspect "$IMAGE" >/dev/null 2>&1; then
+  echo "Building packaging image: $IMAGE"
+  docker build -t "$IMAGE" -f "$DOCKERFILE" .
+fi
+
+if ! docker ps -a --format '{{.Names}}' | grep -qx "$NAME"; then
+  echo "Creating container: $NAME"
+  docker run -d \
+    --name "$NAME" \
+    -v "$PWD":/workspace \
+    -w /workspace \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    "$IMAGE"
+else
+  # Ensure it is running
+  if ! docker ps --format '{{.Names}}' | grep -qx "$NAME"; then
+    echo "Starting container: $NAME"
+    docker start "$NAME"
+  fi
+fi
+
+echo "Packaging container ready: $NAME (image: $IMAGE)"
+

scripts/workspace-clone.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Run the clone script inside the packaging container
+scripts/packaging-exec.sh "cd PackagingForCloudronWorkspace && chmod +x *.sh && ./UpstreamVendor-Clone.sh"
+

scripts/workspace-update.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Run the update script inside the packaging container
+scripts/packaging-exec.sh "cd PackagingForCloudronWorkspace && chmod +x *.sh && ./UpstreamVendor-Update.sh"
+