underpost 3.2.0 → 3.2.3

package/src/cli/deploy.js

@@ -132,22 +132,16 @@ class UnderpostDeploy {
         cmd = [
           `npm install -g npm@11.2.0`,
           `npm install -g underpost`,
-          `underpost secret underpost --create-from-file /etc/config/.env.${env}`,
+          `underpost secret underpost --create-from-env`,
           `underpost start --build --run ${deployId} ${env}`,
         ];
       const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf8'));
-      if (!volumes)
-        volumes = [
-          {
-            volumeMountPath: '/etc/config',
-            volumeName: 'config-volume',
-            configMap: 'underpost-config',
-          },
-        ];
+      if (!volumes) volumes = [];
       const confVolume = fs.existsSync(`./engine-private/conf/${deployId}/conf.volume.json`)
         ? JSON.parse(fs.readFileSync(`./engine-private/conf/${deployId}/conf.volume.json`, 'utf8'))
         : [];
       volumes = volumes.concat(confVolume);
+      const containerImage = image ? image : `localhost/rockylinux9-underpost:v${packageJson.version}`;
       return `apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -169,7 +163,10 @@ spec:
     spec:
       containers:
         - name: ${deployId}-${env}-${suffix}
-          image: ${image ? image : `localhost/rockylinux9-underpost:v${packageJson.version}`}
+          image: ${containerImage}
+          envFrom:
+            - secretRef:
+                name: underpost-config
 ${
   resources
     ? `          resources:
@@ -185,13 +182,17 @@ ${
             - /bin/sh
             - -c
             - >
-              ${cmd.join(` && `)}
+              ${cmd.join(' &&\n              ')}
 
-${Underpost.deploy
-  .volumeFactory(volumes.map((v) => ((v.version = `${deployId}-${env}-${suffix}`), v)))
-  .render.split(`\n`)
-  .map((l) => '    ' + l)
-  .join(`\n`)}
+${
+  volumes.length > 0
+    ? Underpost.deploy
+        .volumeFactory(volumes.map((v) => ((v.version = `${deployId}-${env}-${suffix}`), v)))
+        .render.split(`\n`)
+        .map((l) => '    ' + l)
+        .join(`\n`)
+    : ''
+}
 ---
 apiVersion: v1
 kind: Service
@@ -793,15 +794,16 @@ EOF`);
       };
     },
     /**
-     * Creates a configmap for a deployment.
-     * @param {string} env - Environment for which the configmap is being created.
-     * @param {string} [namespace='default'] - Kubernetes namespace for the configmap.
+     * Creates a Kubernetes Secret for a deployment (replaces configMap for secret data).
+     * Secrets are mounted as tmpfs (never written to node disk) and support RBAC restrictions.
+     * @param {string} env - Environment for which the secret is being created.
+     * @param {string} [namespace='default'] - Kubernetes namespace for the secret.
      * @memberof UnderpostDeploy
      */
     configMap(env, namespace = 'default') {
-      shellExec(`kubectl delete configmap underpost-config -n ${namespace} --ignore-not-found`);
+      shellExec(`kubectl delete secret underpost-config -n ${namespace} --ignore-not-found`);
       shellExec(
-        `kubectl create configmap underpost-config --from-file=/home/dd/engine/engine-private/conf/dd-cron/.env.${env} --dry-run=client -o yaml | kubectl apply -f - -n ${namespace}`,
+        `kubectl create secret generic underpost-config --from-env-file=/home/dd/engine/engine-private/conf/dd-cron/.env.${env} --dry-run=client -o yaml | kubectl apply -f - -n ${namespace}`,
       );
     },
     /**
@@ -920,6 +922,8 @@ EOF
      * @param {string} volume.volumeType - Type of the volume (e.g. 'Directory').
      * @param {string|null} volume.claimName - Name of the persistent volume claim (if applicable).
      * @param {string|null} volume.configMap - Name of the config map (if applicable).
+     * @param {string|null} volume.secret - Name of the Kubernetes Secret (if applicable). Mounts as readOnly.
+     * @param {boolean} [volume.emptyDir=false] - If true, uses an emptyDir volume (writable tmpfs).
      * @returns {object} - Object containing the rendered volume mounts and volumes.
      * @memberof UnderpostDeploy
      */
@@ -941,7 +945,17 @@ EOF
       let _volumes = `
   volumes:`;
       volumes.map((volumeData) => {
-        let { volumeName, volumeMountPath, volumeHostPath, volumeType, claimName, configMap, version } = volumeData;
+        let {
+          volumeName,
+          volumeMountPath,
+          volumeHostPath,
+          volumeType,
+          claimName,
+          configMap,
+          secret,
+          emptyDir,
+          version,
+        } = volumeData;
         if (version) {
           volumeName = `${volumeName}-${version}`;
           claimName = claimName ? `${claimName}-${version}` : null;
@@ -949,18 +963,23 @@ EOF
         _volumeMounts += `
         - name: ${volumeName}
           mountPath: ${volumeMountPath}
-`;
+${secret ? `          readOnly: true\n` : ''}`;
 
         _volumes += `
     - name: ${volumeName}
  ${
-   configMap
-     ? `     configMap:
+   emptyDir
+     ? `     emptyDir: {}`
+     : secret
+       ? `     secret:
+        secretName: ${secret}`
+       : configMap
+         ? `     configMap:
         name: ${configMap}`
-     : claimName
-       ? `     persistentVolumeClaim:
+         : claimName
+           ? `     persistentVolumeClaim:
         claimName: ${claimName}`
-       : `     hostPath:
+           : `     hostPath:
         path: ${volumeHostPath}
         type: ${volumeType}
 `

package/src/cli/env.js

@@ -12,6 +12,19 @@ import { pbcopy } from '../server/process.js';
 
 const logger = loggerFactory(import.meta);
 
+/**
+ * Guards an env file path against stale directory artifacts.
+ * Removes the path if it exists as a directory (e.g. `.env/` created by a previous EISDIR bug).
+ * @param {string} envPath - The path to the environment file.
+ * @memberof UnderpostEnv
+ */
+const guardEnvPath = (envPath) => {
+  if (fs.existsSync(envPath) && !fs.statSync(envPath).isFile()) {
+    logger.warn(`Removing stale directory at env path: ${envPath}`);
+    fs.removeSync(envPath);
+  }
+};
+
 /**
  * @class UnderpostRootEnv
  * @description Manages the environment variables of the underpost root.
@@ -31,6 +44,7 @@ class UnderpostRootEnv {
      */
     set(key, value, options = { deployId: '', build: false }) {
       const _set = (envPath, key, value) => {
+        guardEnvPath(envPath);
         let env = {};
         if (fs.existsSync(envPath)) env = dotenv.parse(fs.readFileSync(envPath, 'utf8'));
         env[key] = value;
@@ -61,6 +75,7 @@ class UnderpostRootEnv {
     delete(key) {
       const exeRootPath = `${getNpmRootPath()}/underpost`;
       const envPath = `${exeRootPath}/.env`;
+      guardEnvPath(envPath);
       let env = {};
       if (fs.existsSync(envPath)) env = dotenv.parse(fs.readFileSync(envPath, 'utf8'));
       delete env[key];
@@ -102,6 +117,7 @@ class UnderpostRootEnv {
     list(key, value, options = {}) {
       const exeRootPath = `${getNpmRootPath()}/underpost`;
       const envPath = `${exeRootPath}/.env`;
+      guardEnvPath(envPath);
       if (!fs.existsSync(envPath)) {
         logger.warn(`Empty environment variables`);
         return {};
@@ -137,7 +153,19 @@ class UnderpostRootEnv {
       const envPath = `${exeRootPath}/.env`;
       fs.removeSync(envPath);
     },
+    /**
+     * @method isInsideContainer
+     * @description Detects whether the current process is running inside a container.
+     * Checks for Kubernetes service injection or Docker's .dockerenv marker.
+     * @returns {boolean} True if running inside a container.
+     * @memberof UnderpostEnv
+     */
+    isInsideContainer() {
+      return !!process.env.KUBERNETES_SERVICE_HOST || fs.existsSync('/.dockerenv');
+    },
   };
 }
 
 export default UnderpostRootEnv;
+
+export { guardEnvPath };

package/src/cli/fs.js

@@ -101,12 +101,14 @@ class UnderpostFileStorage {
         }
       }
       if (options.pull === true) {
+        let pullSkipCount = 0;
         for (const _path of Object.keys(storage)) {
           if (!fs.existsSync(_path) || options.force === true) {
             if (options.force === true && fs.existsSync(_path)) fs.removeSync(_path);
             await Underpost.fs.pull(_path, options);
-          } else logger.warn(`Pull path already exists`, _path);
+          } else pullSkipCount++;
         }
+        if (pullSkipCount > 0) logger.warn(`Pull skipped ${pullSkipCount} files that already exist`);
         Underpost.repo.initLocalRepo({ path });
         shellExec(`cd ${path} && git add . && git commit -m "Base pull state"`);
       } else {

package/src/cli/index.js

@@ -337,10 +337,14 @@ program
   .argument('<platform>', `The secret management platform. Options: ${Object.keys(Underpost.secret).join(', ')}.`)
   .option('--init', 'Initializes the secrets platform environment.')
   .option('--create-from-file <path-env-file>', 'Creates secrets from a specified environment file.')
+  .option('--create-from-env', 'Creates secrets from container environment variables (envFrom: secretRef).')
+  .option('--global-clean', 'Removes all filesystem traces of secrets (engine-private, .env, conf cache).')
   .option('--list', 'Lists all available secrets for the platform.')
   .description(`Manages secrets for various platforms.`)
   .action((...args) => {
+    if (args[1].globalClean) return Underpost.secret.globalSecretClean();
     if (args[1].createFromFile) return Underpost.secret[args[0]].createFromEnvFile(args[1].createFromFile);
+    if (args[1].createFromEnv) return Underpost.secret[args[0]].createFromContainerEnv();
     if (args[1].list) return Underpost.secret[args[0]].list();
     if (args[1].init) return Underpost.secret[args[0]].init();
   });
@@ -423,6 +427,7 @@ program
   .option('--kubeadm', 'Enables the kubeadm context for database operations.')
   .option('--kind', 'Enables the kind context for database operations.')
   .option('--k3s', 'Enables the k3s context for database operations.')
+  .option('--repo-backup', 'Backs up repositories (git commit+push) inside deployment pods via kubectl exec.')
   .description(
     'Manages database operations with support for MariaDB and MongoDB, including import/export, multi-pod targeting, and Git integration.',
   )
@@ -439,6 +444,7 @@ program
   .option('--instances', 'Apply to instance data collection')
   .option('--generate', 'Generate cluster metadata')
   .option('--itc', 'Apply under container execution context')
+  .option('--dev', 'Sets the development cli context')
   .description('Manages cluster metadata operations, including import and export.')
   .action(Underpost.db.clusterMetadataBackupCallback);
 
@@ -468,7 +474,6 @@ program
     '--create-job-now',
     'After applying manifests, immediately create a Job from each CronJob (requires --apply).',
   )
-  .option('--ssh', 'Execute backup commands via SSH on the remote node instead of locally.')
   .description('Manages cron jobs: execute jobs directly or generate and apply K8s CronJob manifests.')
   .action(Underpost.cron.callback);
 

package/src/cli/repository.js

@@ -1423,6 +1423,153 @@ Prevent build private config repo.`,
         return false;
       }
     },
+
+    /**
+     * Runtime-type → in-pod site-root directory resolver.
+     * Maps each known runtime to the filesystem path where its repository lives inside the container.
+     * @param {string} runtime - The runtime identifier (e.g. 'wp').
+     * @param {string} host - The virtual-host name.
+     * @returns {string|null} Absolute path inside the pod, or null if the runtime has no known mapping.
+     * @memberof UnderpostRepository
+     */
+    runtimeSiteRoot(runtime, host) {
+      const runtimePaths = {
+        wp: `/opt/lampp/htdocs/wp/${host}`,
+      };
+      return runtimePaths[runtime] || null;
+    },
+
+    /**
+     * Backs up all repositories defined in a deployment's conf.server.json by executing
+     * git commit+push inside the running deployment pod via `kubectl exec`.
+     *
+     * Scans every `server[host][path]` entry for a `repository` field. For each match
+     * the runtime-specific site root is resolved and a git backup script is executed
+     * inside the pod. GITHUB_TOKEN and GITHUB_USERNAME are injected as ephemeral
+     * environment variables in the exec command — never persisted to the pod filesystem.
+     *
+     * @param {object} opts
+     * @param {string}  opts.deployId   - Deployment ID (used to read conf.server.json and find pods).
+     * @param {string}  [opts.namespace='default'] - Kubernetes namespace.
+     * @param {string}  [opts.env='production'] - Deployment environment.
+     * @returns {void}
+     * @memberof UnderpostRepository
+     */
+    backupPodRepositories({ deployId, namespace = 'default', env = 'production' }) {
+      const confServer = readConfJson(deployId, 'server', { resolve: true });
+      const githubToken = process.env.GITHUB_TOKEN || '';
+      const githubUsername = process.env.GITHUB_USERNAME || 'underpostnet';
+
+      if (!githubToken) {
+        logger.warn('backupPodRepositories: GITHUB_TOKEN not available — git push will fail');
+      }
+
+      // Resolve the active blue/green traffic colour so we target the correct pod
+      const traffic = Underpost.deploy.getCurrentTraffic(deployId, { namespace });
+      if (!traffic) {
+        logger.warn(`backupPodRepositories: could not resolve current traffic for ${deployId} — skipping`);
+        return;
+      }
+
+      // Find a running pod that matches the active traffic colour
+      const pods = Underpost.kubectl.get(`${deployId}-${env}-${traffic}`, 'pods', namespace);
+      const runningPod = pods.find((p) => p.STATUS === 'Running');
+      if (!runningPod) {
+        logger.warn(`backupPodRepositories: no running ${traffic} pod found for ${deployId} in namespace ${namespace}`);
+        return;
+      }
+      const podName = runningPod.NAME;
+
+      for (const host of Object.keys(confServer)) {
+        for (const routePath of Object.keys(confServer[host])) {
+          const entry = confServer[host][routePath];
+          if (!entry.repository) continue;
+
+          const siteRoot = Underpost.repo.runtimeSiteRoot(entry.runtime, host);
+          if (!siteRoot) {
+            logger.warn(`backupPodRepositories: no site-root mapping for runtime '${entry.runtime}' (${host})`);
+            continue;
+          }
+
+          const repoName = entry.repository.split('/').pop().split('.')[0];
+
+          // Build the backup script — secrets are injected as env vars in the exec,
+          // never written to filesystem. The shell process inherits them ephemerally.
+          const backupScript = [
+            `export GITHUB_TOKEN='${githubToken.replace(/'/g, "'\\''")}'`,
+            `export GITHUB_USERNAME='${githubUsername.replace(/'/g, "'\\''")}'`,
+            `git config --global --add safe.directory '${siteRoot}' 2>/dev/null || true`,
+            `cd '${siteRoot}' && git add -A && git commit -m 'backup $(date -u +%Y-%m-%dT%H:%M:%SZ)' || true`,
+            `cd '${siteRoot}' && underpost push . ${githubUsername}/${repoName}`,
+            `cd /home/dd/engine && node bin secret underpost --global-clean`,
+          ].join(' && ');
+
+          try {
+            logger.info(`backupPodRepositories: backing up ${host} (${entry.runtime}) in pod ${podName}`);
+            Underpost.kubectl.exec({ podName, namespace, command: backupScript });
+            logger.info(`backupPodRepositories: git push done for ${host}`);
+          } catch (err) {
+            logger.error(`backupPodRepositories: backup failed for ${host}`, err.message);
+          }
+        }
+      }
+    },
+
+    /**
+     * Clones the deploy-specific private repository into `./engine-private`
+     * when it does not already exist on disk.  Returns `{ ephemeral: true }`
+     * If `./engine-private` already exists, the call is a no-op unless
+     * `options.force` is `true`, in which case the directory is removed and
+     * re-cloned.
+     *
+     * @param {string} [deployId] - Deploy ID (e.g. `dd-core`) used to derive
+     *        the repo name `engine-{component}-private`.  Falls back to
+     *        `process.env.DEFAULT_DEPLOY_ID`.  When neither is available the
+     *        default repo name `engine-private` is used.
+     * @param {object} [options]
+     * @param {boolean} [options.force=false] - Remove existing `engine-private`
+     *        and re-clone.
+     * @memberof UnderpostRepository
+     */
+    privateEngineRepoFactory(deployId, options = { force: false }) {
+      if (fs.existsSync('./engine-private') && !options.force) return;
+
+      if (options.force && fs.existsSync('./engine-private')) {
+        fs.removeSync('./engine-private');
+        logger.info('engine-private removed (force re-clone)');
+      }
+
+      const effectiveDeployId = deployId || process.env.DEFAULT_DEPLOY_ID;
+
+      const username = process.env.GITHUB_USERNAME;
+      if (!username) {
+        throw new Error('privateEngineRepoFactory: GITHUB_USERNAME not set');
+      }
+
+      const repoName = effectiveDeployId ? `engine-${effectiveDeployId.split('-')[1]}-private` : 'engine-private';
+      logger.info(`engine-private missing — cloning ${username}/${repoName}`);
+      shellExec(`underpost clone ${username}/${repoName}`);
+      if (!fs.existsSync(`./${repoName}`)) {
+        throw new Error(`privateEngineRepoFactory: clone failed for ${username}/${repoName}`);
+      }
+      if (repoName !== 'engine-private') shellExec(`mv ./${repoName} ./engine-private`);
+    },
+
+    /**
+     * Removes the ephemeral `engine-private/` clone created by
+     * `privateEngineRepoFactory()`.  No-op if the directory does not exist.
+     * @memberof UnderpostRepository
+     */
+    cleanupPrivateEngineRepo() {
+      if (fs.existsSync('./engine-private')) {
+        fs.removeSync('./engine-private');
+        logger.info('engine-private ephemeral clone removed');
+      }
+      if (fs.existsSync('/home/dd/engine-private')) {
+        fs.removeSync('/home/dd/engine-private');
+        logger.info('engine-private in /home/dd removed');
+      }
+    },
   };
 }
 

package/src/cli/run.js

@@ -1781,7 +1781,7 @@ EOF
         : [
             `npm install -g npm@11.2.0`,
             `npm install -g underpost`,
-            `${baseCommand} secret underpost --create-from-file /etc/config/.env.${env}`,
+            `${baseCommand} secret underpost --create-from-env`,
             `${baseCommand} start --build --run ${deployId} ${env}`,
           ];
       shellExec(`node bin run sync${baseClusterCommand} --deploy-id-cron-jobs none dd-test --cmd "${cmd}"`);

package/src/cli/secrets.js

@@ -8,6 +8,10 @@ import { shellExec } from '../server/process.js';
 import fs from 'fs-extra';
 import dotenv from 'dotenv';
 import Underpost from '../index.js';
+import { loadConf } from '../server/conf.js';
+import { loggerFactory } from '../server/logger.js';
+
+const logger = loggerFactory(import.meta);
 
 /**
  * @class UnderpostSecret
@@ -23,11 +27,80 @@ class UnderpostSecret {
      */
     underpost: {
       createFromEnvFile(envPath) {
+        Underpost.env.clean();
         const envObj = dotenv.parse(fs.readFileSync(envPath, 'utf8'));
         for (const key of Object.keys(envObj)) {
           Underpost.env.set(key, envObj[key]);
         }
       },
+      /** Reads application secrets from process.env (injected via envFrom: secretRef)
+       *  and writes them to the underpost .env file, filtering out known system and
+       *  Kubernetes-injected environment variables. Replaces the fragile shell-based
+       *  `printenv | grep -vE` pattern with a maintainable Node.js blocklist.
+       */
+      createFromContainerEnv() {
+        Underpost.env.clean();
+        const systemKeys = new Set([
+          'HOME',
+          'HOSTNAME',
+          'PATH',
+          'TERM',
+          'SHLVL',
+          'PWD',
+          '_',
+          'LANG',
+          'LANGUAGE',
+          'LC_ALL',
+          'container',
+          'SHELL',
+          'USER',
+          'LOGNAME',
+          'MAIL',
+          'OLDPWD',
+          'LESSOPEN',
+          'LESSCLOSE',
+          'LS_COLORS',
+          'DISPLAY',
+          'COLORTERM',
+          'EDITOR',
+          'VISUAL',
+          'TERM_PROGRAM',
+          'TERM_PROGRAM_VERSION',
+          'SSH_AUTH_SOCK',
+          'SSH_CLIENT',
+          'SSH_CONNECTION',
+          'SSH_TTY',
+          'XDG_SESSION_ID',
+          'XDG_RUNTIME_DIR',
+          'XDG_DATA_DIRS',
+          'XDG_CONFIG_DIRS',
+          'DBUS_SESSION_BUS_ADDRESS',
+          'GPG_AGENT_INFO',
+          'WINDOWID',
+          'DESKTOP_SESSION',
+          'SESSION_MANAGER',
+          'XAUTHORITY',
+          'WAYLAND_DISPLAY',
+          'which_declare',
+        ]);
+        const systemKeyPrefixes = ['KUBERNETES_', 'npm_', 'NODE_'];
+        for (const [key, value] of Object.entries(process.env)) {
+          if (systemKeys.has(key)) continue;
+          if (systemKeyPrefixes.some((prefix) => key.startsWith(prefix))) continue;
+          Underpost.env.set(key, value);
+        }
+      },
+    },
+
+    /**
+     * Removes all filesystem traces of secrets after deployment startup.
+     * Centralizes the defense-in-depth cleanup performed
+     * @memberof UnderpostSecret
+     */
+    globalSecretClean() {
+      loadConf('clean');
+      Underpost.repo.cleanupPrivateEngineRepo();
+      Underpost.env.clean();
     },
   };
 }

package/src/client/components/core/DropDown.js

@@ -75,14 +75,22 @@ const DropDown = {
         console.log('DropDown onClick', this.value);
         if (options && options.resetOnClick) options.resetOnClick();
         if (options && options.type === 'checkbox') {
+          DropDown.Tokens[id].oncheckvalues = {};
+          DropDown.Tokens[id].value = [];
+          s(`.${id}`).value = [];
+          htmls(`.dropdown-current-${id}`, '');
           if (options.serviceProvider) {
-            DropDown.Tokens[id].oncheckvalues = {};
-            DropDown.Tokens[id].value = [];
-            htmls(`.dropdown-current-${id}`, '');
             htmls(`.${id}-render-container`, '');
           } else {
-            for (const opt of DropDown.Tokens[id].value) {
-              s(`.dropdown-option-${id}-${opt}`).click();
+            for (const optionData of options.data) {
+              if (optionData.value !== 'reset' && optionData.value !== 'close' && optionData.checked) {
+                optionData.checked = false;
+                const vd = optionData.value.trim().replaceAll(' ', '-');
+                if (ToggleSwitch.Tokens[`checkbox-role-${vd}`]) {
+                  const checkbox = s(`.checkbox-role-${vd}-checkbox`);
+                  if (checkbox && checkbox.checked) ToggleSwitch.Tokens[`checkbox-role-${vd}`].click();
+                }
+              }
             }
           }
         } else this.Tokens[id].value = undefined;

package/src/index.js

@@ -44,7 +44,7 @@ class Underpost {
    * @type {String}
    * @memberof Underpost
    */
-  static version = 'v3.2.0';
+  static version = 'v3.2.3';
 
   /**
    * Required Node.js major version

package/src/runtime/express/Dockerfile

@@ -30,6 +30,10 @@ RUN dnf clean all
 RUN node --version
 RUN npm --version
 
+# Create non-root user for secure container execution (cron jobs, init containers)
+# Deployment containers override to root via securityContext when npm install -g is needed
+RUN useradd -m -u 1000 -s /bin/bash dd
+
 # Set working directory
 WORKDIR /home/dd
 

package/src/runtime/lampp/Dockerfile

@@ -47,6 +47,10 @@ RUN dnf clean all
 RUN node --version
 RUN npm --version
 
+# Create non-root user for secure container execution (cron jobs, init containers)
+# Deployment containers override to root via securityContext when npm install -g is needed
+RUN useradd -m -u 1000 -s /bin/bash dd
+
 # Set working directory
 WORKDIR /home/dd
 

package/src/runtime/lampp/Lampp.js

@@ -239,13 +239,35 @@ Listen ${port}
   DocumentRoot "${documentRoot}"
   ServerName ${host}
   UseCanonicalName Off
+  ServerSignature Off
 
   <Directory "${documentRoot}">
-    Options Indexes FollowSymLinks MultiViews
+    Options FollowSymLinks MultiViews
     AllowOverride All
     Require all granted
   </Directory>
 
+  # Block access to .git directories and files
+  RedirectMatch 404 /\\.git
+
+  # Block access to hidden dotfiles (.env, .htpasswd, etc.)
+  <FilesMatch "^\\.(env|htpasswd|htaccess\\.bak|DS_Store)">
+    Require all denied
+  </FilesMatch>
+
+  # Block access to sensitive engine files
+  <FilesMatch "(wp-config\\.php\\.bak|wp-config-sample\\.php|\\.sql|\\.sql\\.gz)$">
+    Require all denied
+  </FilesMatch>
+
+  # Security headers
+  <IfModule mod_headers.c>
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+    Header always unset X-Powered-By
+  </IfModule>
+
   ${
     redirect
       ? `

package/src/runtime/wp/Dockerfile

@@ -53,6 +53,10 @@ RUN dnf clean all
 RUN node --version
 RUN npm --version
 
+# Create non-root user for secure container execution (cron jobs, init containers)
+# Deployment containers override to root via securityContext when npm install -g is needed
+RUN useradd -m -u 1000 -s /bin/bash dd
+
 # Set working directory
 WORKDIR /home/dd