underpost 3.1.3 → 3.2.2

package/src/cli/deploy.js

@@ -132,22 +132,16 @@ class UnderpostDeploy {
         cmd = [
           `npm install -g npm@11.2.0`,
           `npm install -g underpost`,
-          `underpost secret underpost --create-from-file /etc/config/.env.${env}`,
+          `underpost secret underpost --create-from-env`,
           `underpost start --build --run ${deployId} ${env}`,
         ];
       const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf8'));
-      if (!volumes)
-        volumes = [
-          {
-            volumeMountPath: '/etc/config',
-            volumeName: 'config-volume',
-            configMap: 'underpost-config',
-          },
-        ];
+      if (!volumes) volumes = [];
       const confVolume = fs.existsSync(`./engine-private/conf/${deployId}/conf.volume.json`)
         ? JSON.parse(fs.readFileSync(`./engine-private/conf/${deployId}/conf.volume.json`, 'utf8'))
         : [];
       volumes = volumes.concat(confVolume);
+      const containerImage = image ? image : `localhost/rockylinux9-underpost:v${packageJson.version}`;
       return `apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -155,6 +149,7 @@ metadata:
   namespace: ${namespace ? namespace : 'default'}
   labels:
     app: ${deployId}-${env}-${suffix}
+    deploy-id: ${deployId}-${env}
 spec:
   replicas: ${replicas}
   selector:
@@ -164,10 +159,14 @@ spec:
     metadata:
       labels:
         app: ${deployId}-${env}-${suffix}
+        deploy-id: ${deployId}-${env}
     spec:
       containers:
         - name: ${deployId}-${env}-${suffix}
-          image: ${image ? image : `localhost/rockylinux9-underpost:v${packageJson.version}`}
+          image: ${containerImage}
+          envFrom:
+            - secretRef:
+                name: underpost-config
 ${
   resources
     ? `          resources:
@@ -183,13 +182,17 @@ ${
             - /bin/sh
             - -c
             - >
-              ${cmd.join(` && `)}
+              ${cmd.join(' &&\n              ')}
 
-${Underpost.deploy
-  .volumeFactory(volumes.map((v) => ((v.version = `${deployId}-${env}-${suffix}`), v)))
-  .render.split(`\n`)
-  .map((l) => '    ' + l)
-  .join(`\n`)}
+${
+  volumes.length > 0
+    ? Underpost.deploy
+        .volumeFactory(volumes.map((v) => ((v.version = `${deployId}-${env}-${suffix}`), v)))
+        .render.split(`\n`)
+        .map((l) => '    ' + l)
+        .join(`\n`)
+    : ''
+}
 ---
 apiVersion: v1
 kind: Service
@@ -260,6 +263,14 @@ ${Underpost.deploy
         }
         fs.writeFileSync(`./engine-private/conf/${deployId}/build/${env}/deployment.yaml`, deploymentYamlParts, 'utf8');
 
+        Underpost.deploy.buildGrpcServiceManifest({
+          deployId,
+          env,
+          confServer,
+          namespace: options.namespace,
+          traffic: options.traffic && typeof options.traffic === 'string' ? options.traffic.split(',') : ['blue'],
+        });
+
         const confVolume = fs.existsSync(`./engine-private/conf/${deployId}/conf.volume.json`)
           ? JSON.parse(fs.readFileSync(`./engine-private/conf/${deployId}/conf.volume.json`, 'utf8'))
           : [];
@@ -369,6 +380,67 @@ ${Underpost.deploy
         }
       }
     },
+    /**
+     * Builds and writes a gRPC ClusterIP service YAML for a deployment.
+     * Scans conf.server.json for gRPC ports and emits grpc-service.yaml under
+     * `engine-private/conf/<deployId>/build/<env>/`. The selector always uses the
+     * explicit `app: <deployId>-<env>-<traffic>` label to target only the active
+     * colour (blue or green).
+     * @param {string} deployId - Deployment ID.
+     * @param {string} env - Environment ('development' or 'production').
+     * @param {object} confServer - Parsed conf.server.json content.
+     * @param {string} [namespace='default'] - Kubernetes namespace.
+     * @param {string[]} [traffic=['blue']] - Active traffic colour(s) ('blue', 'green', or both).
+     * @param {string|null} [host=null] - Specific host to scan for gRPC ports. If null, all hosts are scanned.
+     * @returns {string|null} - Path to the written YAML file, or null if no gRPC ports found.
+     * @memberof UnderpostDeploy
+     */
+    buildGrpcServiceManifest({ deployId, env, confServer, namespace = 'default', traffic = ['blue'], host = null }) {
+      const grpcPorts = new Set();
+      const hostsToScan = host ? [host] : Object.keys(confServer);
+      for (const h of hostsToScan) {
+        if (!confServer[h]) continue;
+        for (const path of Object.keys(confServer[h])) {
+          const grpc = confServer[h][path].grpc;
+          if (grpc && grpc.port) grpcPorts.add(parseInt(grpc.port));
+        }
+      }
+      if (grpcPorts.size === 0) return null;
+      const grpcPortsList = [...grpcPorts]
+        .map(
+          (port) => `    - name: grpc-${port}
+      protocol: TCP
+      port: ${port}
+      targetPort: ${port}`,
+        )
+        .join('\n');
+      let grpcServiceYaml = '';
+      for (const color of traffic) {
+        const grpcServiceName = `${deployId}-grpc-service-${env}-${color}`;
+        const selectorYaml = `app: ${deployId}-${env}-${color}`;
+        grpcServiceYaml += `---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${grpcServiceName}
+  namespace: ${namespace}
+  labels:
+    app: ${grpcServiceName}
+spec:
+  type: ClusterIP
+  selector:
+    ${selectorYaml}
+  ports:
+${grpcPortsList}
+`;
+        logger.info(
+          `gRPC ClusterIP service YAML written: ${grpcServiceName} (selector: ${selectorYaml}, ports: ${[...grpcPorts].join(', ')})`,
+        );
+      }
+      const yamlPath = `./engine-private/conf/${deployId}/build/${env}/grpc-service.yaml`;
+      fs.writeFileSync(yamlPath, grpcServiceYaml, 'utf8');
+      return yamlPath;
+    },
     /**
      * Builds a Certificate resource for a host using cert-manager.
      * @param {string} host - Hostname for which the certificate is being built.
@@ -478,6 +550,10 @@ spec:
      * @param {string} [options.kindType] - Type of Kubernetes resource to retrieve information for.
      * @param {number} [options.port] - Port number for exposing the deployment.
      * @param {string} [options.cmd] - Custom initialization command for deploymentYamlPartsFactory (comma-separated commands).
+     * @param {boolean} [options.k3s] - Whether to use k3s cluster context.
+     * @param {boolean} [options.kubeadm] - Whether to use kubeadm cluster context.
+     * @param {boolean} [options.kind] - Whether to use kind cluster context.
+     * @param {boolean} [options.gitClean] - Whether to run git clean on volume mount paths before copying.
      * @returns {Promise<void>} - Promise that resolves when the deployment process is complete.
      * @memberof UnderpostDeploy
      */
@@ -515,6 +591,10 @@ spec:
         port: 0,
         exposePort: 0,
         cmd: '',
+        k3s: false,
+        kubeadm: false,
+        kind: false,
+        gitClean: false,
       },
     ) {
       const namespace = options.namespace ? options.namespace : 'default';
@@ -553,7 +633,7 @@ EOF`);
             env,
             traffic: Underpost.deploy.getCurrentTraffic(deployId, { namespace }),
             router: await Underpost.deploy.routerFactory(deployId, env),
-            pods: await Underpost.deploy.get(deployId),
+            pods: await Underpost.kubectl.get(deployId),
             instances,
           });
         }
@@ -595,7 +675,7 @@ EOF`);
         if (!deployId) continue;
         if (options.expose === true) {
           const kindType = options.kindType ? options.kindType : 'svc';
-          const svc = Underpost.deploy.get(deployId, kindType)[0];
+          const svc = Underpost.kubectl.get(deployId, kindType)[0];
           const port = options.exposePort
             ? parseInt(options.exposePort)
             : options.port
@@ -634,6 +714,8 @@ EOF`);
                   version,
                   namespace,
                   nodeName: options.node ? options.node : env === 'development' ? 'kind-worker' : os.hostname(),
+                  clusterContext: options.k3s ? 'k3s' : options.kubeadm ? 'kubeadm' : 'kind',
+                  gitClean: options.gitClean || false,
                 });
           }
 
@@ -652,8 +734,11 @@ EOF`);
             : `manifests/deployment/${deployId}-${env}`;
 
         if (!options.remove) {
-          if (!options.disableUpdateDeployment)
+          if (!options.disableUpdateDeployment) {
             shellExec(`sudo kubectl apply -f ./${manifestsPath}/deployment.yaml -n ${namespace}`);
+            const grpcServicePath = `./${manifestsPath}/grpc-service.yaml`;
+            if (fs.existsSync(grpcServicePath)) shellExec(`sudo kubectl apply -f ${grpcServicePath} -n ${namespace}`);
+          }
           if (!options.disableUpdateProxy)
             shellExec(`sudo kubectl apply -f ./${manifestsPath}/proxy.yaml -n ${namespace}`);
 
@@ -671,65 +756,6 @@ EOF`);
 ` + renderHosts,
         );
     },
-    /**
-     * Retrieves information about a deployment.
-     * @param {string} deployId - Deployment ID for which information is being retrieved.
-     * @param {string} kindType - Type of Kubernetes resource to retrieve information for (e.g. 'pods').
-     * @param {string} namespace - Kubernetes namespace to retrieve information from.
-     * @returns {Array<object>} - Array of objects containing information about the deployment.
-     * @memberof UnderpostDeploy
-     */
-    get(deployId, kindType = 'pods', namespace = '') {
-      const raw = shellExec(
-        `sudo kubectl get ${kindType}${namespace ? ` -n ${namespace}` : ` --all-namespaces`} -o wide`,
-        {
-          stdout: true,
-          disableLog: true,
-          silent: true,
-        },
-      );
-
-      const heads = raw
-        .split(`\n`)[0]
-        .split(' ')
-        .filter((_r) => _r.trim());
-
-      const pods = raw
-        .split(`\n`)
-        .filter((r) => (deployId ? r.match(deployId) : r.trim() && !r.match('NAME')))
-        .map((r) => r.split(' ').filter((_r) => _r.trim()));
-
-      const result = [];
-
-      for (const row of pods) {
-        const pod = {};
-        let index = -1;
-        for (const head of heads) {
-          index++;
-          pod[head] = row[index];
-        }
-        result.push(pod);
-      }
-
-      return result;
-    },
-
-    /**
-     * Checks if a container file exists in a pod.
-     * @param {object} options - Options for the check.
-     * @param {string} options.podName - Name of the pod to check.
-     * @param {string} options.path - Path to the container file to check.
-     * @returns {boolean} - True if the container file exists, false otherwise.
-     * @memberof UnderpostDeploy
-     */
-    existsContainerFile({ podName, path }) {
-      const result = shellExec(`kubectl exec ${podName} -- test -f ${path} && echo "true" || echo "false"`, {
-        stdout: true,
-        disableLog: true,
-        silent: true,
-      }).trim();
-      return result === 'true';
-    },
     /**
      * Checks the status of a deployment.
      * @param {string} deployId - Deployment ID for which the status is being checked.
@@ -742,7 +768,7 @@ EOF`);
      */
     async checkDeploymentReadyStatus(deployId, env, traffic, ignoresNames = [], namespace = 'default') {
       const cmd = `underpost config get container-status`;
-      const pods = Underpost.deploy.get(`${deployId}-${env}-${traffic}`, 'pods', namespace);
+      const pods = Underpost.kubectl.get(`${deployId}-${env}-${traffic}`, 'pods', namespace);
       const readyPods = [];
       const notReadyPods = [];
       for (const pod of pods) {
@@ -768,15 +794,16 @@ EOF`);
       };
     },
     /**
-     * Creates a configmap for a deployment.
-     * @param {string} env - Environment for which the configmap is being created.
-     * @param {string} [namespace='default'] - Kubernetes namespace for the configmap.
+     * Creates a Kubernetes Secret for a deployment (replaces configMap for secret data).
+     * Secrets are mounted as tmpfs (never written to node disk) and support RBAC restrictions.
+     * @param {string} env - Environment for which the secret is being created.
+     * @param {string} [namespace='default'] - Kubernetes namespace for the secret.
      * @memberof UnderpostDeploy
      */
     configMap(env, namespace = 'default') {
-      shellExec(`kubectl delete configmap underpost-config -n ${namespace} --ignore-not-found`);
+      shellExec(`kubectl delete secret underpost-config -n ${namespace} --ignore-not-found`);
       shellExec(
-        `kubectl create configmap underpost-config --from-file=/home/dd/engine/engine-private/conf/dd-cron/.env.${env} --dry-run=client -o yaml | kubectl apply -f - -n ${namespace}`,
+        `kubectl create secret generic underpost-config --from-env-file=/home/dd/engine/engine-private/conf/dd-cron/.env.${env} --dry-run=client -o yaml | kubectl apply -f - -n ${namespace}`,
       );
     },
     /**
@@ -814,6 +841,9 @@ EOF`);
 
       shellExec(`sudo kubectl apply -f ./engine-private/conf/${deployId}/build/${env}/proxy.yaml -n ${namespace}`);
 
+      const grpcServicePath = `./engine-private/conf/${deployId}/build/${env}/grpc-service.yaml`;
+      if (fs.existsSync(grpcServicePath)) shellExec(`kubectl apply -f ${grpcServicePath} -n ${namespace}`);
+
       Underpost.env.set(`${deployId}-${env}-traffic`, targetTraffic);
     },
 
@@ -829,6 +859,8 @@ EOF`);
      * @param {string} options.version - Version of the deployment.
      * @param {string} options.namespace - Kubernetes namespace for the deployment.
      * @param {string} options.nodeName - Node name for the deployment.
+     * @param {string} [options.clusterContext='kind'] - Cluster context type ('kind', 'kubeadm', or 'k3s').
+     * @param {boolean} [options.gitClean=false] - Whether to run git clean on volumeMountPath before copying.
      * @memberof UnderpostDeploy
      */
     deployVolume(
@@ -839,6 +871,8 @@ EOF`);
         version: '',
         namespace: '',
         nodeName: '',
+        clusterContext: 'kind',
+        gitClean: false,
       },
     ) {
       if (!volume.claimName) {
@@ -846,19 +880,26 @@ EOF`);
         return;
       }
       const { deployId, env, version, namespace } = options;
+      const clusterContext = options.clusterContext || 'kind';
       const pvcId = `${volume.claimName}-${deployId}-${env}-${version}`;
       const pvId = `${volume.claimName.replace('pvc-', 'pv-')}-${deployId}-${env}-${version}`;
       const rootVolumeHostPath = `/home/dd/engine/volume/${pvId}`;
+      if (options.gitClean && volume.volumeMountPath) {
+        Underpost.repo.clean({ paths: [volume.volumeMountPath] });
+      }
       if (options.nodeName) {
         if (!fs.existsSync(rootVolumeHostPath)) fs.mkdirSync(rootVolumeHostPath, { recursive: true });
         fs.copySync(volume.volumeMountPath, rootVolumeHostPath);
-      } else {
+      } else if (clusterContext === 'kind') {
         shellExec(`docker exec -i kind-worker bash -c "mkdir -p ${rootVolumeHostPath}"`);
         // shellExec(`docker cp ${volume.volumeMountPath} kind-worker:${rootVolumeHostPath}`);
         shellExec(`tar -C ${volume.volumeMountPath} -c . | docker cp - kind-worker:${rootVolumeHostPath}`);
         shellExec(
           `docker exec -i kind-worker bash -c "chown -R 1000:1000 ${rootVolumeHostPath}; chmod -R 755 ${rootVolumeHostPath}"`,
         );
+      } else {
+        if (!fs.existsSync(rootVolumeHostPath)) fs.mkdirSync(rootVolumeHostPath, { recursive: true });
+        fs.copySync(volume.volumeMountPath, rootVolumeHostPath);
       }
       shellExec(`kubectl delete pvc ${pvcId} -n ${namespace} --ignore-not-found`);
       shellExec(`kubectl delete pv ${pvId} --ignore-not-found`);
@@ -881,6 +922,8 @@ EOF
      * @param {string} volume.volumeType - Type of the volume (e.g. 'Directory').
      * @param {string|null} volume.claimName - Name of the persistent volume claim (if applicable).
      * @param {string|null} volume.configMap - Name of the config map (if applicable).
+     * @param {string|null} volume.secret - Name of the Kubernetes Secret (if applicable). Mounts as readOnly.
+     * @param {boolean} [volume.emptyDir=false] - If true, uses an emptyDir volume (writable tmpfs).
      * @returns {object} - Object containing the rendered volume mounts and volumes.
      * @memberof UnderpostDeploy
      */
@@ -902,7 +945,17 @@ EOF
       let _volumes = `
   volumes:`;
       volumes.map((volumeData) => {
-        let { volumeName, volumeMountPath, volumeHostPath, volumeType, claimName, configMap, version } = volumeData;
+        let {
+          volumeName,
+          volumeMountPath,
+          volumeHostPath,
+          volumeType,
+          claimName,
+          configMap,
+          secret,
+          emptyDir,
+          version,
+        } = volumeData;
         if (version) {
           volumeName = `${volumeName}-${version}`;
           claimName = claimName ? `${claimName}-${version}` : null;
@@ -910,18 +963,23 @@ EOF
         _volumeMounts += `
         - name: ${volumeName}
           mountPath: ${volumeMountPath}
-`;
+${secret ? `          readOnly: true\n` : ''}`;
 
         _volumes += `
     - name: ${volumeName}
  ${
-   configMap
-     ? `     configMap:
+   emptyDir
+     ? `     emptyDir: {}`
+     : secret
+       ? `     secret:
+        secretName: ${secret}`
+       : configMap
+         ? `     configMap:
         name: ${configMap}`
-     : claimName
-       ? `     persistentVolumeClaim:
+         : claimName
+           ? `     persistentVolumeClaim:
         claimName: ${claimName}`
-       : `     hostPath:
+           : `     hostPath:
         path: ${volumeHostPath}
         type: ${volumeType}
 `
@@ -1041,7 +1099,7 @@ ${renderHosts}`,
     async monitorReadyRunner(deployId, env, targetTraffic, ignorePods = [], namespace = 'default', outLogType = '') {
       let checkStatusIteration = 0;
       const checkStatusIterationMsDelay = 1000;
-      const maxIterations = 500;
+      const maxIterations = 3000;
       const deploymentId = `${deployId}-${env}-${targetTraffic}`;
       const iteratorTag = `[${deploymentId}]`;
       logger.info('Deployment init', { deployId, env, targetTraffic, checkStatusIterationMsDelay, namespace });

package/src/cli/env.js

@@ -12,6 +12,19 @@ import { pbcopy } from '../server/process.js';
 
 const logger = loggerFactory(import.meta);
 
+/**
+ * Guards an env file path against stale directory artifacts.
+ * Removes the path if it exists as a directory (e.g. `.env/` created by a previous EISDIR bug).
+ * @param {string} envPath - The path to the environment file.
+ * @memberof UnderpostEnv
+ */
+const guardEnvPath = (envPath) => {
+  if (fs.existsSync(envPath) && !fs.statSync(envPath).isFile()) {
+    logger.warn(`Removing stale directory at env path: ${envPath}`);
+    fs.removeSync(envPath);
+  }
+};
+
 /**
  * @class UnderpostRootEnv
  * @description Manages the environment variables of the underpost root.
@@ -31,6 +44,7 @@ class UnderpostRootEnv {
      */
     set(key, value, options = { deployId: '', build: false }) {
       const _set = (envPath, key, value) => {
+        guardEnvPath(envPath);
         let env = {};
         if (fs.existsSync(envPath)) env = dotenv.parse(fs.readFileSync(envPath, 'utf8'));
         env[key] = value;
@@ -48,6 +62,7 @@ class UnderpostRootEnv {
         return;
       }
       const exeRootPath = `${getNpmRootPath()}/underpost`;
+      fs.ensureDirSync(exeRootPath);
       const envPath = `${exeRootPath}/.env`;
       _set(envPath, key, value);
     },
@@ -60,6 +75,7 @@ class UnderpostRootEnv {
     delete(key) {
       const exeRootPath = `${getNpmRootPath()}/underpost`;
       const envPath = `${exeRootPath}/.env`;
+      guardEnvPath(envPath);
       let env = {};
       if (fs.existsSync(envPath)) env = dotenv.parse(fs.readFileSync(envPath, 'utf8'));
       delete env[key];
@@ -101,6 +117,7 @@ class UnderpostRootEnv {
     list(key, value, options = {}) {
       const exeRootPath = `${getNpmRootPath()}/underpost`;
       const envPath = `${exeRootPath}/.env`;
+      guardEnvPath(envPath);
       if (!fs.existsSync(envPath)) {
         logger.warn(`Empty environment variables`);
         return {};
@@ -140,3 +157,5 @@ class UnderpostRootEnv {
 }
 
 export default UnderpostRootEnv;
+
+export { guardEnvPath };

package/src/cli/fs.js

@@ -101,13 +101,16 @@ class UnderpostFileStorage {
         }
       }
       if (options.pull === true) {
+        let pullSkipCount = 0;
         for (const _path of Object.keys(storage)) {
           if (!fs.existsSync(_path) || options.force === true) {
             if (options.force === true && fs.existsSync(_path)) fs.removeSync(_path);
             await Underpost.fs.pull(_path, options);
-          } else logger.warn(`Pull path already exists`, _path);
+          } else pullSkipCount++;
         }
-        shellExec(`cd ${path} && git init && git add . && git commit -m "Base pull state"`);
+        if (pullSkipCount > 0) logger.warn(`Pull skipped ${pullSkipCount} files that already exist`);
+        Underpost.repo.initLocalRepo({ path });
+        shellExec(`cd ${path} && git add . && git commit -m "Base pull state"`);
       } else {
         const files =
           options.git === true ? Underpost.repo.getChangedFiles(path) : await fs.readdir(path, { recursive: true });

package/src/cli/index.js

@@ -87,7 +87,7 @@ program
   .argument(`[commit-type]`, `The type of commit to perform. Options: ${Object.keys(commitData).join(', ')}.`)
   .argument(`[module-tag]`, 'Optional: Sets a specific module tag for the commit.')
   .argument(`[message]`, 'Optional: Provides an additional custom message for the commit.')
-  .option(`--log <latest-n>`, 'Shows commit history from the specified number of latest n path commits.')
+  .option(`--log [latest-n]`, 'Shows commit history from the specified number of latest n path commits.')
   .option('--last-msg <latest-n>', 'Displays the last n commit message.')
   .option('--empty', 'Allows committing with empty files.')
   .option('--copy', 'Copies the generated commit message to the clipboard.')
@@ -108,7 +108,14 @@ program
     '--changelog-no-hash',
     'Excludes commit hashes from the generated changelog entries (used with --changelog-build).',
   )
+  .option('--unpush', 'With --log, automatically sets range to unpushed commits ahead of remote.')
   .option('-b', 'Shows the current Git branch name.')
+  .option('-p [branch]', 'Shows the reflog for the specified branch.')
+  .option('--bc <commit-hash>', 'Shows branches that contain the specified commit.')
+  .option(
+    '--is-remote-repo <url-repo>',
+    'Checks whether a remote Git repository URL is reachable. Prints true or false.',
+  )
   .description('Manages commits to a GitHub repository, supporting various commit types and options.')
   .action(Underpost.repo.commit);
 
@@ -308,6 +315,9 @@ program
     'Retrieves current network traffic data from resource deployments and the host machine network configuration.',
   )
   .option('--kubeadm', 'Enables the kubeadm context for deployment operations.')
+  .option('--k3s', 'Enables the k3s context for deployment operations.')
+  .option('--kind', 'Enables the kind context for deployment operations.')
+  .option('--git-clean', 'Runs git clean on volume mount paths before copying.')
   .option('--etc-hosts', 'Enables the etc-hosts context for deployment operations.')
   .option('--restore-hosts', 'Restores default `/etc/hosts` entries.')
   .option('--disable-update-underpost-config', 'Disables updates to Underpost configuration during deployment.')
@@ -327,10 +337,12 @@ program
   .argument('<platform>', `The secret management platform. Options: ${Object.keys(Underpost.secret).join(', ')}.`)
   .option('--init', 'Initializes the secrets platform environment.')
   .option('--create-from-file <path-env-file>', 'Creates secrets from a specified environment file.')
+  .option('--create-from-env', 'Creates secrets from container environment variables (envFrom: secretRef).')
   .option('--list', 'Lists all available secrets for the platform.')
   .description(`Manages secrets for various platforms.`)
   .action((...args) => {
     if (args[1].createFromFile) return Underpost.secret[args[0]].createFromEnvFile(args[1].createFromFile);
+    if (args[1].createFromEnv) return Underpost.secret[args[0]].createFromContainerEnv();
     if (args[1].list) return Underpost.secret[args[0]].list();
     if (args[1].init) return Underpost.secret[args[0]].init();
   });
@@ -413,6 +425,7 @@ program
   .option('--kubeadm', 'Enables the kubeadm context for database operations.')
   .option('--kind', 'Enables the kind context for database operations.')
   .option('--k3s', 'Enables the k3s context for database operations.')
+  .option('--repo-backup', 'Backs up repositories (git commit+push) inside deployment pods via kubectl exec.')
   .description(
     'Manages database operations with support for MariaDB and MongoDB, including import/export, multi-pod targeting, and Git integration.',
   )
@@ -458,7 +471,6 @@ program
     '--create-job-now',
     'After applying manifests, immediately create a Job from each CronJob (requires --apply).',
   )
-  .option('--ssh', 'Execute backup commands via SSH on the remote node instead of locally.')
   .description('Manages cron jobs: execute jobs directly or generate and apply K8s CronJob manifests.')
   .action(Underpost.cron.callback);
 
@@ -597,6 +609,7 @@ program
   .option('--kubeadm', 'Sets the kubeadm cluster context for the runner execution.')
   .option('--k3s', 'Sets the k3s cluster context for the runner execution.')
   .option('--kind', 'Sets the kind cluster context for the runner execution.')
+  .option('--git-clean', 'Runs git clean on volume mount paths before copying.')
   .option('--log-type <log-type>', 'Sets the log type for the runner execution.')
   .option('--deploy-id <deploy-id>', 'Sets deploy id context for the runner execution.')
   .option('--user <user>', 'Sets user context for the runner execution.')
@@ -640,6 +653,7 @@ program
       'Format: semicolon-separated entries of "ip=hostname1,hostname2" ' +
       '(e.g., "127.0.0.1=foo.local,bar.local;10.1.2.3=foo.remote,bar.remote").',
   )
+  .option('--copy', 'Copies the runner output to the clipboard (supported by: generate-pass, template-deploy-local).')
   .description('Runs specified scripts using various runners.')
   .action(Underpost.run.callback);
 
@@ -764,4 +778,33 @@ program
   )
   .action(Underpost.baremetal.callback);
 
+program
+  .command('release')
+  .argument('[version]', 'The new version string to set (e.g., "3.1.4"). Defaults to current version.')
+  .option('--build', 'Builds a new version: tests template, bumps versions, rebuilds manifests and configs.')
+  .option('--deploy', 'Deploys the release: syncs secrets, commits, and pushes to remote repositories.')
+  .option(
+    '--ci-push <deploy-id>',
+    'Local equivalent of engine-*.ci.yml: builds dd-{deploy-id} and pushes to the engine-{deploy-id} repository. ' +
+      'Accepts the suffix (e.g., "cyberia"), "dd-cyberia", or "engine-cyberia".',
+  )
+  .option(
+    '--message <message>',
+    'Commit message for --ci-push or --pwa-build (defaults to last commit of the engine repository).',
+  )
+  .option(
+    '--pwa-build',
+    'Runs the pwa-microservices-template update flow: always re-clones, syncs engine sources, installs, builds, and pushes.',
+  )
+  .description('Release orchestrator for building new versions and deploying releases of the Underpost CLI.')
+  .action(async (version, options) => {
+    if (options.build) return Underpost.release.build(version, options);
+    if (options.deploy) return Underpost.release.deploy(version, options);
+    if (options.ciPush) return Underpost.release.ci(options.ciPush, options.message, options);
+    if (options.pwaBuild) return Underpost.release.pwa(options.message, options);
+    console.log(
+      'Please specify --build, --deploy, --ci-push, or --pwa-build. Use "underpost release --help" for details.',
+    );
+  });
+
 export { program };