npm - k3s-deployer - Versions diffs - 0.1.0 - Mend

k3s-deployer 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/index.cjs +1 -0
package/index.d.ts +193 -0
package/index.mjs +4 -0
package/package.json +47 -0
package/src/bootstrap/index.cjs +211 -0
package/src/detect/index.cjs +461 -0
package/src/dns/cloudflare.cjs +163 -0
package/src/execute/index.cjs +386 -0
package/src/index.cjs +67 -0
package/src/mobile/index.cjs +1093 -0
package/src/mobile/web-android-emulator-adapter.cjs +701 -0
package/src/plan/index.cjs +200 -0
package/src/runtime/index.cjs +16 -0
package/src/runtime/local-runner.cjs +69 -0
package/src/runtime/ssh-runner.cjs +206 -0
package/src/shared/source.cjs +145 -0
package/src/shared/utils.cjs +104 -0
package/src/templates/dockerfile.cjs +114 -0
package/src/templates/manifests.cjs +291 -0

package/src/mobile/web-android-emulator-adapter.cjs ADDED Viewed

@@ -0,0 +1,701 @@
+'use strict';
+const path = require('node:path');
+const crypto = require('node:crypto');
+const { upsertCloudflareDnsRecord } = require('../dns/cloudflare.cjs');
+/* ────────────────────────────────────────────────────────────────────────────
+ *  redroid + scrcpy-web adapter
+ *
+ *  Runs Android natively on ARM64 via redroid (no emulation).
+ *  Uses a scrcpy + noVNC sidecar for browser-based display.
+ *
+ *  Flow:
+ *    1. Load binder kernel module (init container)
+ *    2. Start redroid container (native ARM64 Android)
+ *    3. Start display sidecar (scrcpy → Xvfb → x11vnc → noVNC)
+ *    4. Install APK via adb
+ *    5. Browser preview via noVNC
+ * ──────────────────────────────────────────────────────────────────────────── */
+const REDROID_IMAGE = 'docker.io/redroid/redroid:12.0.0-latest';
+const DISPLAY_DOCKERFILE = `FROM ubuntu:22.04
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \\
+    scrcpy xvfb x11vnc adb wget curl ca-certificates procps python3 iproute2 && \\
+    SCRCPY_SERVER=\$(find /usr -name "scrcpy-server" -type f 2>/dev/null | head -1) && \\
+    if [ -z "\$SCRCPY_SERVER" ]; then \\
+      wget -qO /usr/share/scrcpy/scrcpy-server https://github.com/nickolay/scrcpy-server-mirror/releases/download/v1.21/scrcpy-server-v1.21.jar || true; \\
+    fi && \\
+    mkdir -p /opt/noVNC/utils/websockify && \\
+    wget -qO- https://github.com/novnc/noVNC/archive/refs/heads/master.tar.gz | tar xz --strip-components=1 -C /opt/noVNC && \\
+    wget -qO- https://github.com/novnc/websockify/archive/refs/heads/master.tar.gz | tar xz --strip-components=1 -C /opt/noVNC/utils/websockify && \\
+    rm -rf /var/lib/apt/lists/*
+COPY entrypoint.sh /entrypoint.sh
+COPY health-check.sh /health-check.sh
+RUN chmod +x /entrypoint.sh /health-check.sh
+EXPOSE 6080
+ENTRYPOINT ["/entrypoint.sh"]
+`;
+const DISPLAY_ENTRYPOINT = `#!/usr/bin/env bash
+set -euo pipefail
+cleanup() {
+  pkill -f scrcpy || true
+  pkill -f x11vnc || true
+  pkill -f Xvfb || true
+  pkill -f novnc_proxy || true
+}
+trap cleanup SIGINT SIGTERM EXIT
+export DISPLAY=:99
+echo "[display] Starting Xvfb"
+Xvfb :99 -screen 0 720x1280x24 -ac +extension GLX +render -noreset &
+sleep 1
+echo "[display] Starting x11vnc"
+x11vnc -display :99 -forever -shared -nopw -rfbport 5900 -listen 0.0.0.0 -xkb &
+echo "[display] Starting noVNC on port 6080"
+/opt/noVNC/utils/novnc_proxy --vnc 127.0.0.1:5900 --listen 6080 &
+sleep 1
+echo "[display] Starting network routing fix loop"
+(while true; do ip rule del from all unreachable 2>/dev/null || true; sleep 2; done) &
+echo "[display] Waiting for Android (adb)..."
+for i in \$(seq 1 180); do
+  if adb connect 127.0.0.1:5555 2>/dev/null | grep -Eq "connected to|already connected to"; then
+    BOOT=\$(adb -s 127.0.0.1:5555 shell getprop sys.boot_completed 2>/dev/null | tr -d '\\r' || true)
+    DEV_BOOT=\$(adb -s 127.0.0.1:5555 shell getprop dev.bootcomplete 2>/dev/null | tr -d '\\r' || true)
+    BOOT_ANIM=\$(adb -s 127.0.0.1:5555 shell getprop init.svc.bootanim 2>/dev/null | tr -d '\\r' || true)
+    if [ "\$BOOT" = "1" ] || [ "\$DEV_BOOT" = "1" ] || [ "\$BOOT_ANIM" = "stopped" ]; then
+      echo "[display] Android boot_completed=1"
+      break
+    fi
+  fi
+  sleep 3
+done
+echo "[display] Provisioning device..."
+adb -s 127.0.0.1:5555 shell settings put global device_provisioned 1 2>/dev/null || true
+adb -s 127.0.0.1:5555 shell settings put secure user_setup_complete 1 2>/dev/null || true
+adb -s 127.0.0.1:5555 shell locksettings set-disabled true 2>/dev/null || true
+adb -s 127.0.0.1:5555 shell wm dismiss-keyguard 2>/dev/null || true
+adb -s 127.0.0.1:5555 shell input keyevent 82 2>/dev/null || true
+echo "[display] Waiting for user unlock (RUNNING_UNLOCKED)..."
+echo "[display] Note: vold deadlock will be broken by deployer via kubectl exec"
+for i in \$(seq 1 120); do
+  USER_STATE=\$(adb -s 127.0.0.1:5555 shell "am get-started-user-state 0" 2>/dev/null | grep -o "RUNNING_[A-Z_]*" || true)
+  if [ "\$USER_STATE" = "RUNNING_UNLOCKED" ]; then
+    echo "[display] User 0 is RUNNING_UNLOCKED"
+    break
+  fi
+  if [ \$((i % 30)) -eq 0 ]; then
+    echo "[display] User state: \$USER_STATE (attempt \$i/120)"
+  fi
+  sleep 2
+done
+echo "[display] Android is ready (state: \$USER_STATE)"
+echo "[display] Starting scrcpy supervisor loop"
+SCRCPY_SERVER_PATH=\$(find /usr -name "scrcpy-server" -type f 2>/dev/null | head -1)
+if [ -n "\$SCRCPY_SERVER_PATH" ]; then
+  export SCRCPY_SERVER_PATH
+fi
+while true; do
+  if adb connect 127.0.0.1:5555 2>/dev/null | grep -Eq "connected to|already connected to"; then
+    BOOT=\$(adb -s 127.0.0.1:5555 shell getprop sys.boot_completed 2>/dev/null | tr -d '\\r' || true)
+    DEV_BOOT=\$(adb -s 127.0.0.1:5555 shell getprop dev.bootcomplete 2>/dev/null | tr -d '\\r' || true)
+    BOOT_ANIM=\$(adb -s 127.0.0.1:5555 shell getprop init.svc.bootanim 2>/dev/null | tr -d '\\r' || true)
+    if [ "\$BOOT" = "1" ] || [ "\$DEV_BOOT" = "1" ] || [ "\$BOOT_ANIM" = "stopped" ]; then
+      echo "[display] Launching scrcpy..."
+      scrcpy --serial 127.0.0.1:5555 --max-fps 30 --bit-rate 4M --window-x 0 --window-y 0 --window-width 720 --window-height 1280 --window-borderless 2>&1 || true
+      echo "[display] scrcpy exited, retrying in 3s"
+    else
+      echo "[display] Android not fully booted yet (sys.boot_completed=\$BOOT, dev.bootcomplete=\$DEV_BOOT, bootanim=\$BOOT_ANIM)"
+    fi
+  else
+    echo "[display] adb connect not ready yet"
+  fi
+  sleep 3
+done
+`;
+const HEALTH_CHECK = `#!/usr/bin/env bash
+set -euo pipefail
+MODE="\${1:-ready}"
+if [ "\$MODE" = "startup" ]; then
+  pgrep -f "Xvfb" >/dev/null
+  pgrep -f "x11vnc" >/dev/null
+  exit 0
+fi
+curl -fsS --max-time 3 "http://127.0.0.1:6080/vnc.html" >/dev/null
+adb start-server >/dev/null 2>&1 || true
+adb connect 127.0.0.1:5555 >/dev/null 2>&1 || true
+BOOT=\$(adb -s 127.0.0.1:5555 shell getprop sys.boot_completed 2>/dev/null | tr -d '\\r' || true)
+DEV_BOOT=\$(adb -s 127.0.0.1:5555 shell getprop dev.bootcomplete 2>/dev/null | tr -d '\\r' || true)
+BOOT_ANIM=\$(adb -s 127.0.0.1:5555 shell getprop init.svc.bootanim 2>/dev/null | tr -d '\\r' || true)
+[ "\$BOOT" = "1" ] || [ "\$DEV_BOOT" = "1" ] || [ "\$BOOT_ANIM" = "stopped" ]
+`;
+const NOVNC_PORT = 6080;
+function generateManifests(namespace, displayImage, domain, emulatorName) {
+  const core = [];
+  const ingress = [];
+  core.push(`apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${emulatorName}
+  namespace: ${namespace}
+spec:
+  replicas: 1
+  progressDeadlineSeconds: 1800
+  selector:
+    matchLabels:
+      app: ${emulatorName}
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: ${emulatorName}
+    spec:
+      hostPID: true
+      initContainers:
+        - name: load-binder
+          image: busybox:latest
+          command:
+            - sh
+            - -c
+            - |
+              set -e
+              nsenter --target 1 --mount --uts --ipc --net -- sh -c '
+                modprobe binder_linux devices=binder,hwbinder,vndbinder 2>/dev/null || true
+                if ! mountpoint -q /dev/binderfs; then
+                  mkdir -p /dev/binderfs
+                  mount -t binder binder /dev/binderfs || true
+                fi
+                # Create binder devices in host namespace
+                for dev in binder hwbinder vndbinder; do
+                  if [ ! -e /dev/binderfs/$dev ]; then
+                    ln -sf /dev/$dev /dev/binderfs/$dev 2>/dev/null || true
+                  fi
+                done
+                ls -la /dev/binderfs/ 2>/dev/null || true
+                ls -la /dev/binder* 2>/dev/null || true
+              '
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: host-lib-modules
+              mountPath: /lib/modules
+              readOnly: true
+      containers:
+        - name: redroid
+          image: ${REDROID_IMAGE}
+          securityContext:
+            privileged: true
+          args:
+            - androidboot.redroid_gpu_mode=auto
+            - androidboot.redroid_gpu_node=/dev/dri/renderD128
+            - androidboot.use_memfd=true
+            - androidboot.redroid_width=720
+            - androidboot.redroid_height=1280
+            - androidboot.redroid_fps=30
+            - androidboot.redroid_dex2oat_threads=1
+            - ro.crypto.state=unencrypted
+            - ro.crypto.type=none
+            - ro.setupwizard.mode=DISABLED
+            - ro.lockscreen.disable=1
+            - ro.hw_timeout_multiplier=50
+          resources:
+            requests:
+              memory: "2Gi"
+              cpu: "1"
+            limits:
+              memory: "4Gi"
+              cpu: "4"
+          ports:
+            - containerPort: 5555
+              name: adb
+          volumeMounts:
+            - name: redroid-data
+              mountPath: /data
+        - name: display
+          image: ${displayImage}
+          imagePullPolicy: Always
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+          ports:
+            - containerPort: ${NOVNC_PORT}
+              name: novnc
+          startupProbe:
+            exec:
+              command: ["/health-check.sh", "startup"]
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 10
+            failureThreshold: 60
+          readinessProbe:
+            exec:
+              command: ["/health-check.sh", "ready"]
+            periodSeconds: 15
+            timeoutSeconds: 10
+            failureThreshold: 5
+          livenessProbe:
+            exec:
+              command: ["/health-check.sh", "startup"]
+            initialDelaySeconds: 60
+            periodSeconds: 30
+            timeoutSeconds: 10
+            failureThreshold: 10
+      volumes:
+        - name: redroid-data
+          emptyDir:
+            sizeLimit: 10Gi
+        - name: host-lib-modules
+          hostPath:
+            path: /lib/modules
+            type: Directory`);
+  core.push(`apiVersion: v1
+kind: Service
+metadata:
+  name: ${emulatorName}
+  namespace: ${namespace}
+spec:
+  selector:
+    app: ${emulatorName}
+  ports:
+    - protocol: TCP
+      port: ${NOVNC_PORT}
+      targetPort: ${NOVNC_PORT}
+      name: novnc`);
+  if (domain) {
+    ingress.push(`apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ${emulatorName}
+  namespace: ${namespace}
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    nginx.ingress.kubernetes.io/app-root: "/vnc_lite.html?autoconnect=true&resize=scale&scaleViewport=true"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - ${domain}
+      secretName: ${emulatorName}-tls
+  rules:
+    - host: ${domain}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: ${emulatorName}
+                port:
+                  number: ${NOVNC_PORT}`);
+  }
+  return { core: core.join('\n---\n'), ingress: ingress.length ? ingress.join('\n---\n') : null };
+}
+function createWebAndroidEmulatorAdapter(adapterOptions = {}) {
+  const namespace  = adapterOptions.namespace   || 'default';
+  const domain     = adapterOptions.domain      || null;
+  const registryHost = adapterOptions.registryHost || 'localhost:5000';
+  const cloudflareDns = adapterOptions.cloudflareDns || null;
+  const parsedRolloutTimeout = Number(adapterOptions.rolloutTimeoutSeconds);
+  const rolloutTimeoutSeconds = Number.isFinite(parsedRolloutTimeout) && parsedRolloutTimeout >= 60
+    ? Math.floor(parsedRolloutTimeout)
+    : 1800;
+  const previewUrl = adapterOptions.previewUrl ||
+    (domain
+      ? `https://${domain}/vnc.html?autoconnect=true&resize=scale`
+      : `http://localhost:${NOVNC_PORT}/vnc.html?autoconnect=true&resize=scale`);
+  return {
+    async start({ runner, workspacePath, artifactPath, applicationId, onLog, projectSlug, domain: projectDomain, cloudflareDns: projectCloudflareDns }) {
+      const emit = async (msg) => { if (onLog) await onLog(msg); };
+      const buildDir = path.posix.join(workspacePath, '.web-android-emulator');
+      const emulatorName = projectSlug || 'android';
+      const effectiveDomain = projectDomain || domain;
+      const effectiveCloudflareDns = projectCloudflareDns || cloudflareDns;
+      /* ── 1. Build display sidecar image ──────────────────────────────── */
+      const buildHash = crypto.createHash('sha256')
+        .update(DISPLAY_DOCKERFILE)
+        .update(DISPLAY_ENTRYPOINT)
+        .update(HEALTH_CHECK)
+        .digest('hex')
+        .slice(0, 12);
+      const imageTag = `redroid-display:${buildHash}`;
+      const registryImage = `${registryHost}/${imageTag}`;
+      const checkResult = await runner.run(
+        `docker images -q ${imageTag} 2>/dev/null || sudo docker images -q ${imageTag} 2>/dev/null`,
+        { allowFailure: true },
+      );
+      const imageExists = checkResult.stdout.trim().length > 0;
+      if (!imageExists) {
+        await emit('[redroid] Building display sidecar image...');
+        await runner.run(`mkdir -p ${buildDir}/scripts`);
+        await runner.writeBase64File(
+          path.posix.join(buildDir, 'Dockerfile'),
+          Buffer.from(DISPLAY_DOCKERFILE).toString('base64'),
+        );
+        await runner.writeBase64File(
+          path.posix.join(buildDir, 'entrypoint.sh'),
+          Buffer.from(DISPLAY_ENTRYPOINT).toString('base64'),
+        );
+        await runner.writeBase64File(
+          path.posix.join(buildDir, 'health-check.sh'),
+          Buffer.from(HEALTH_CHECK).toString('base64'),
+        );
+        await runner.run(`chmod +x ${buildDir}/entrypoint.sh ${buildDir}/health-check.sh`);
+        let lastOutputAt = Date.now();
+        const heartbeat = setInterval(async () => {
+          const s = Math.floor((Date.now() - lastOutputAt) / 1000);
+          if (s >= 30) await emit(`[redroid] still building... (${s}s)`);
+        }, 30 * 1000);
+        const track = (line) => { lastOutputAt = Date.now(); return emit(line); };
+        try {
+          await runner.run(
+            `docker build --provenance=false --sbom=false -t ${imageTag} ${buildDir} || sudo docker build --provenance=false --sbom=false -t ${imageTag} ${buildDir}`,
+            { onStdout: track, onStderr: track, timeoutMs: 30 * 60 * 1000 },
+          );
+        } finally {
+          clearInterval(heartbeat);
+        }
+        await emit('[redroid] Display sidecar built');
+      } else {
+        await emit('[redroid] Display sidecar image exists, skipping build');
+      }
+      /* ── 2. Push display sidecar ─────────────────────────────────────── */
+      await emit(`[redroid] Pushing display sidecar to ${registryImage}...`);
+      await runner.run(
+        `(docker tag ${imageTag} ${registryImage} && docker push ${registryImage}) || (sudo docker tag ${imageTag} ${registryImage} && sudo docker push ${registryImage})`,
+        { onStdout: emit, onStderr: emit },
+      );
+      await emit('[redroid] Image pushed');
+      /* ── 3. Ensure redroid image is available on nodes ───────────────── */
+      await emit('[redroid] Pre-pulling redroid image on nodes...');
+      try {
+        await runner.run(
+          `sudo k3s ctr -n k8s.io images pull ${REDROID_IMAGE}`,
+          { onStdout: emit, onStderr: emit, timeoutMs: 10 * 60 * 1000 },
+        );
+      } catch (err) {
+        await emit(`[redroid] Pre-pull skipped (non-fatal): ${err.message || err}. Kubelet will pull the image when scheduling the pod.`);
+      }
+      /* ── 4. Apply k8s manifests ──────────────────────────────────────── */
+      await emit('[redroid] Deleting existing resources (clean restart)...');
+      await runner.run(
+        `kubectl delete deployment ${emulatorName} -n ${namespace} --ignore-not-found=true 2>/dev/null || sudo kubectl delete deployment ${emulatorName} -n ${namespace} --ignore-not-found=true 2>/dev/null || true`,
+        { allowFailure: true, onStdout: emit, onStderr: emit },
+      );
+      await runner.run(
+        `kubectl delete ingress ${emulatorName} -n ${namespace} --ignore-not-found=true 2>/dev/null || sudo kubectl delete ingress ${emulatorName} -n ${namespace} --ignore-not-found=true 2>/dev/null || true`,
+        { allowFailure: true, onStdout: emit, onStderr: emit },
+      );
+      await emit('[redroid] Applying Kubernetes manifests...');
+      const manifests = generateManifests(namespace, registryImage, effectiveDomain, emulatorName);
+      const corePath = path.posix.join(buildDir, 'k8s-emulator-core.yaml');
+      await runner.writeBase64File(corePath, Buffer.from(manifests.core).toString('base64'));
+      await runner.run(
+        `kubectl apply -f ${corePath} || sudo kubectl apply -f ${corePath}`,
+        { onStdout: emit, onStderr: emit },
+      );
+      if (manifests.ingress) {
+        const ingressPath = path.posix.join(buildDir, 'k8s-emulator-ingress.yaml');
+        await runner.writeBase64File(ingressPath, Buffer.from(manifests.ingress).toString('base64'));
+        try {
+          await runner.run(
+            `kubectl apply -f ${ingressPath} || sudo kubectl apply -f ${ingressPath}`,
+            { onStdout: emit, onStderr: emit },
+          );
+        } catch (err) {
+          await emit(`[redroid] Ingress creation failed (non-fatal): ${err.message || err}`);
+        }
+      }
+      /* ── 4b. Sync Cloudflare DNS for emulator domain ─────────────────── */
+      if (effectiveDomain && effectiveCloudflareDns && effectiveCloudflareDns.targetIp) {
+        const emulatorDomain = effectiveDomain;
+        try {
+          await emit(`[redroid] Syncing Cloudflare DNS for ${emulatorDomain}...`);
+          await upsertCloudflareDnsRecord({ ...effectiveCloudflareDns, domain: emulatorDomain });
+          await emit(`[redroid] DNS synced: ${emulatorDomain} -> ${effectiveCloudflareDns.targetIp}`);
+        } catch (err) {
+          await emit(`[redroid] DNS sync failed for ${emulatorDomain}: ${err.message || err}`);
+        }
+      }
+      /* ── 5. Wait for rollout ─────────────────────────────────────────── */
+      await emit('[redroid] Waiting for pod (Android boot + display)...');
+      let lastRolloutAt = Date.now();
+      const rolloutHB = setInterval(async () => {
+        const s = Math.floor((Date.now() - lastRolloutAt) / 1000);
+        if (s >= 30) await emit(`[redroid] still waiting... (${s}s)`);
+      }, 30 * 1000);
+      const trackRollout = (line) => { lastRolloutAt = Date.now(); return emit(line); };
+      try {
+        await runner.run(
+          `kubectl rollout status deployment/${emulatorName} -n ${namespace} --timeout=${rolloutTimeoutSeconds}s || sudo kubectl rollout status deployment/${emulatorName} -n ${namespace} --timeout=${rolloutTimeoutSeconds}s`,
+          { onStdout: trackRollout, onStderr: trackRollout, timeoutMs: (rolloutTimeoutSeconds + 20) * 1000 },
+        );
+      } catch (rolloutError) {
+        await emit('[redroid] Rollout command failed. Verifying real pod readiness before aborting...');
+        const readinessProbeResult = await runner.run(
+          `kubectl get deployment ${emulatorName} -n ${namespace} -o jsonpath='{.status.readyReplicas}/{.status.updatedReplicas}/{.status.replicas}' 2>/dev/null || sudo kubectl get deployment ${emulatorName} -n ${namespace} -o jsonpath='{.status.readyReplicas}/{.status.updatedReplicas}/{.status.replicas}'`,
+          { allowFailure: true },
+        );
+        const readinessText = (readinessProbeResult.stdout || '').trim().replace(/'/g, '');
+        const [readyRaw, updatedRaw, replicasRaw] = readinessText.split('/');
+        const readyReplicas = Number(readyRaw || 0);
+        const updatedReplicas = Number(updatedRaw || 0);
+        const desiredReplicas = Number(replicasRaw || 0);
+        if (
+          Number.isFinite(readyReplicas) &&
+          Number.isFinite(updatedReplicas) &&
+          Number.isFinite(desiredReplicas) &&
+          desiredReplicas > 0 &&
+          readyReplicas >= 1 &&
+          updatedReplicas >= 1
+        ) {
+          await emit(
+            `[redroid] Rollout status command failed but deployment is ready (${readyReplicas}/${desiredReplicas}). Continuing...`,
+          );
+        } else {
+          await emit('[redroid] Rollout failed. Collecting diagnostics...');
+          for (const cmd of [
+            `kubectl get pods -n ${namespace} -l app=${emulatorName} -o wide`,
+            `kubectl describe pod -n ${namespace} -l app=${emulatorName}`,
+            `kubectl logs -n ${namespace} -l app=${emulatorName} -c redroid --tail=50`,
+            `kubectl logs -n ${namespace} -l app=${emulatorName} -c display --tail=50`,
+          ]) {
+            await runner.run(`${cmd} || sudo ${cmd}`, { allowFailure: true, onStdout: emit, onStderr: emit });
+          }
+          throw rolloutError;
+        }
+      } finally {
+        clearInterval(rolloutHB);
+      }
+      await emit('[redroid] Pod is ready');
+      /* ── 5.5. Fix Android policy routing ────────────────────────────── */
+      {
+        const fixPodResult = await runner.run(
+          `kubectl get pod -n ${namespace} -l app=${emulatorName} -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || sudo kubectl get pod -n ${namespace} -l app=${emulatorName} -o jsonpath='{.items[0].metadata.name}'`,
+        );
+        const fixPodName = fixPodResult.stdout.trim().replace(/'/g, '');
+        if (fixPodName) {
+          await emit('[redroid] Fixing Android network policy routing...');
+          await runner.run(
+            `kubectl exec -n ${namespace} ${fixPodName} -c redroid -- ip rule del from all unreachable 2>/dev/null || sudo kubectl exec -n ${namespace} ${fixPodName} -c redroid -- ip rule del from all unreachable 2>/dev/null || true`,
+            { allowFailure: true, onStdout: emit, onStderr: emit },
+          );
+          await emit('[redroid] Network routing fixed');
+        }
+      }
+      /* ── 6. Install APK ──────────────────────────────────────────────── */
+      if (artifactPath) {
+        const podResult = await runner.run(
+          `kubectl get pod -n ${namespace} -l app=${emulatorName} -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || sudo kubectl get pod -n ${namespace} -l app=${emulatorName} -o jsonpath='{.items[0].metadata.name}'`,
+        );
+        const podName = podResult.stdout.trim().replace(/'/g, '');
+        if (!podName) throw new Error('[redroid] No pod found');
+        await emit(`[redroid] Copying APK to pod ${podName}...`);
+        await runner.run(
+          `kubectl cp "${artifactPath}" "${namespace}/${podName}:/tmp/app.apk" -c display || sudo kubectl cp "${artifactPath}" "${namespace}/${podName}:/tmp/app.apk" -c display`,
+        );
+        const apkCheck = await runner.run(
+          `kubectl exec -n ${namespace} ${podName} -c display -- sh -c 'test -s /tmp/app.apk && echo OK || echo MISSING' || sudo kubectl exec -n ${namespace} ${podName} -c display -- sh -c 'test -s /tmp/app.apk && echo OK || echo MISSING'`,
+          { allowFailure: true },
+        );
+        if (!apkCheck.stdout.includes('OK')) {
+          await emit('[redroid] APK not found after kubectl cp. Retrying via stream copy...');
+          await runner.run(
+            `cat "${artifactPath}" | kubectl exec -i -n ${namespace} ${podName} -c display -- sh -c 'cat > /tmp/app.apk' || cat "${artifactPath}" | sudo kubectl exec -i -n ${namespace} ${podName} -c display -- sh -c 'cat > /tmp/app.apk'`,
+          );
+          const apkCheckAfterStream = await runner.run(
+            `kubectl exec -n ${namespace} ${podName} -c display -- sh -c 'test -s /tmp/app.apk && echo OK || echo MISSING' || sudo kubectl exec -n ${namespace} ${podName} -c display -- sh -c 'test -s /tmp/app.apk && echo OK || echo MISSING'`,
+            { allowFailure: true },
+          );
+          if (!apkCheckAfterStream.stdout.includes('OK')) {
+            throw new Error('[redroid] Failed to stage APK at /tmp/app.apk inside display container');
+          }
+        }
+        /* Wait for boot, kill vold to break prepareUserStorage deadlock, wait for RUNNING_UNLOCKED */
+        await emit('[redroid] Waiting for Android boot...');
+        await runner.run(
+          `for i in $(seq 1 120); do
+  BOOT=$(kubectl exec -n ${namespace} ${podName} -c redroid -- getprop sys.boot_completed 2>/dev/null | tr -d "\\r" || true);
+  if [ "$BOOT" = "1" ]; then echo "Boot complete"; break; fi;
+  if [ $((i % 20)) -eq 0 ]; then echo "Waiting for boot... ($i/120)"; fi;
+  sleep 3;
+done`,
+          { onStdout: emit, onStderr: emit, timeoutMs: 8 * 60 * 1000 },
+        );
+        await emit('[redroid] Breaking vold deadlock (kill -9 vold in redroid container)...');
+        await runner.run(
+          `kubectl exec -n ${namespace} ${podName} -c redroid -- sh -c 'kill -9 $(pidof vold)' || true`,
+          { onStdout: emit, onStderr: emit, allowFailure: true },
+        );
+        await emit('[redroid] Waiting for RUNNING_UNLOCKED...');
+        await runner.run(
+          `READY=0;
+for i in $(seq 1 60); do
+  USER_STATE=$(kubectl exec -n ${namespace} ${podName} -c redroid -- am get-started-user-state 0 2>/dev/null | grep -o "RUNNING_[A-Z_]*" || true);
+  if [ "$USER_STATE" = "RUNNING_UNLOCKED" ]; then
+    echo "User 0 RUNNING_UNLOCKED";
+    READY=1;
+    break;
+  fi;
+  if [ $((i % 10)) -eq 0 ]; then
+    echo "User state=$USER_STATE ($i/60), re-killing vold...";
+    kubectl exec -n ${namespace} ${podName} -c redroid -- sh -c 'kill -9 $(pidof vold)' 2>/dev/null || true;
+  fi;
+  sleep 2;
+done;
+if [ "$READY" -ne 1 ]; then
+  echo "WARNING: User not fully unlocked, attempting install anyway...";
+fi;
+echo "Verifying PM is responsive...";
+timeout 10 kubectl exec -n ${namespace} ${podName} -c redroid -- pm path android 2>/dev/null && echo "PM OK" || echo "PM check failed"`,
+          { onStdout: emit, onStderr: emit, timeoutMs: 8 * 60 * 1000 },
+        );
+        await emit('[redroid] Installing APK...');
+        await runner.run(
+          `kubectl exec -n ${namespace} ${podName} -c display -- sh -c '
+MAX_RETRIES=12;
+for attempt in $(seq 1 $MAX_RETRIES); do
+  echo "Install attempt $attempt/$MAX_RETRIES";
+  if [ ! -s /tmp/app.apk ]; then
+    echo "APK file missing in display container: /tmp/app.apk";
+    exit 1;
+  fi;
+  adb connect 127.0.0.1:5555 >/dev/null 2>&1 || true;
+  if ! adb -s 127.0.0.1:5555 shell service check package 2>/dev/null | grep -q "found"; then
+    echo "Package manager service unavailable; waiting 10s";
+    sleep 10;
+    continue;
+  fi;
+  RESULT=$(adb -s 127.0.0.1:5555 install -r -d -g /tmp/app.apk 2>&1 || true);
+  echo "$RESULT";
+  if echo "$RESULT" | grep -q "Success"; then
+    echo "APK installed successfully";
+    sleep 3;
+    echo "Verifying activities...";
+    adb -s 127.0.0.1:5555 shell cmd package resolve-activity --brief -c android.intent.category.LAUNCHER ${applicationId ? applicationId.replace(/[^a-zA-Z0-9._]/g, '') : ''} 2>/dev/null || true;
+    exit 0;
+  fi;
+  if [ "$attempt" -lt "$MAX_RETRIES" ]; then
+    echo "Retrying in 10s...";
+    sleep 10;
+  fi;
+done;
+echo "APK install failed after $MAX_RETRIES attempts";
+exit 1'`,
+          { onStdout: emit, onStderr: emit, timeoutMs: 16 * 60 * 1000 },
+        );
+        if (applicationId) {
+          const launchAppId = applicationId.replace(/[^a-zA-Z0-9._]/g, '');
+          await emit('[redroid] Waiting for ActivityManager...');
+          await runner.run(
+            `kubectl exec -n ${namespace} ${podName} -c display -- sh -c '
+for i in $(seq 1 120); do
+  if adb -s 127.0.0.1:5555 shell service check activity 2>/dev/null | grep -q "found"; then
+    if adb -s 127.0.0.1:5555 shell cmd activity get-current-user >/dev/null 2>&1 || adb -s 127.0.0.1:5555 shell am stack list >/dev/null 2>&1; then
+      echo "ActivityManager is ready";
+      exit 0;
+    fi;
+  fi;
+  echo "Waiting for ActivityManager... ($i/120)";
+  sleep 2;
+done;
+echo "ActivityManager is not ready yet";
+exit 1'`,
+            { onStdout: emit, onStderr: emit, timeoutMs: 8 * 60 * 1000 },
+          );
+          await emit(`[redroid] Launching ${launchAppId}...`);
+          await runner.run(
+            `kubectl exec -n ${namespace} ${podName} -c display -- sh -c '
+APP_ID='"'"'${launchAppId}'"'"';
+for i in $(seq 1 10); do
+  ACT=$(adb -s 127.0.0.1:5555 shell cmd package resolve-activity --brief -c android.intent.category.LAUNCHER "$APP_ID" 2>/dev/null | tr -d "\\r" | tail -n 1 || true);
+  if echo "$ACT" | grep -q "/"; then
+    RESULT=$(adb -s 127.0.0.1:5555 shell am start -W -n "$ACT" 2>&1 || true);
+    echo "$RESULT";
+    if echo "$RESULT" | grep -Eq "Status: ok|Activity:"; then
+      echo "App launched successfully via am start";
+      exit 0;
+    fi;
+  fi;
+  RESULT=$(adb -s 127.0.0.1:5555 shell monkey -p "$APP_ID" -c android.intent.category.LAUNCHER 1 2>&1 || true);
+  echo "$RESULT";
+  if echo "$RESULT" | grep -q "Events injected"; then
+    echo "App launched successfully via monkey";
+    exit 0;
+  fi;
+  echo "Retry launch ($i/10)...";
+  sleep 6;
+done;
+echo "Launch retries exhausted";
+exit 0'`,
+            { allowFailure: true, onStdout: emit, onStderr: emit, timeoutMs: 4 * 60 * 1000 },
+          );
+        }
+      }
+      const projectPreviewUrl = effectiveDomain
+        ? `https://${effectiveDomain}/vnc.html?autoconnect=true&resize=scale`
+        : previewUrl;
+      await emit(`[redroid] Preview ready: ${projectPreviewUrl}`);
+      return { url: projectPreviewUrl };
+    },
+  };
+}
+module.exports = { createWebAndroidEmulatorAdapter };