underpost 3.2.14 → 3.2.22

package/src/cli/env.js

@@ -95,10 +95,7 @@ class UnderpostRootEnv {
     get(key, value, options = { plain: false, disableLog: false, copy: false }) {
       const exeRootPath = `${getNpmRootPath()}/underpost`;
       const envPath = `${exeRootPath}/.env`;
-      if (!fs.existsSync(envPath) || !fs.statSync(envPath).isFile()) {
-        logger.warn(`Empty environment variables`);
-        return undefined;
-      }
+      if (!fs.existsSync(envPath) || !fs.statSync(envPath).isFile()) return undefined;
       const env = dotenv.parse(fs.readFileSync(envPath, 'utf8'));
       if (!options.disableLog)
         options?.plain === true ? console.log(env[key]) : logger.info(`${key}(${typeof env[key]})`, env[key]);

package/src/cli/index.js

@@ -70,6 +70,10 @@ program
     '--pull-bundle',
     'Downloads the pre-built client bundle from Cloudinary via pull-bundle before starting. Use together with --skip-full-build to skip the local build entirely.',
   )
+  .option(
+    '--private-test-repo',
+    'During --build, clone the private test source repo (engine-test-<id>) instead of the production engine-<id> repo.',
+  )
   .action(Underpost.start.callback)
   .description('Initiates application servers, build pipelines, or other defined services based on the deployment ID.');
 
@@ -124,6 +128,10 @@ program
     '--is-remote-repo <url-repo>',
     'Checks whether a remote Git repository URL is reachable. Prints true or false.',
   )
+  .option(
+    '--has-changes',
+    'Prints "1" if there are staged or unstaged git changes in the repository, empty string otherwise.',
+  )
   .description('Manages commits to a GitHub repository, supporting various commit types and options.')
   .action(Underpost.repo.commit);
 
@@ -315,6 +323,12 @@ program
   .option('--expose', 'Exposes services matching the provided deployment ID list.')
   .option('--cert', 'Resets TLS/SSL certificate secrets for deployments.')
   .option('--cert-hosts <hosts>', 'Resets TLS/SSL certificate secrets for specified hosts.')
+  .option(
+    '--self-signed',
+    'Use a pre-created self-signed TLS secret (kubernetes.io/tls) instead of cert-manager. ' +
+      'The secret must already exist in the namespace with the same name as the host. ' +
+      'Enables TLS in the Contour HTTPProxy virtualhost without requiring a production ClusterIssuer.',
+  )
   .option('--node <node>', 'Sets optional node for deployment operations.')
   .option(
     '--build-manifest',
@@ -332,6 +346,8 @@ program
   .option('--retry-count <count>', 'Sets HTTPProxy per-route retry count (e.g., 3).')
   .option('--retry-per-try-timeout <duration>', 'Sets HTTPProxy retry per-try timeout (e.g., "150ms").')
   .option('--disable-update-deployment', 'Disables updates to deployments.')
+  .option('--disable-runtime-probes', 'Omits the internal-status HTTP probes from generated deployment manifests.')
+  .option('--tcp-probes', 'Generates legacy TCP socket probes instead of HTTP internal-status probes (migration).')
   .option('--disable-update-proxy', 'Disables updates to proxies.')
   .option('--disable-deployment-proxy', 'Disables proxies of deployments.')
   .option('--disable-update-volume', 'Disables updates to volume mounts during deployment.')
@@ -351,6 +367,14 @@ program
     '--expose-port <port>',
     'Sets the local:remote port to expose when --expose is active (overrides auto-detected service port).',
   )
+  .option(
+    '--expose-local-port <port>',
+    'Sets a different local port for --expose (e.g. 80) while keeping the remote service port. Useful for /etc/hosts local access without specifying a port in the browser.',
+  )
+  .option(
+    '--local-proxy',
+    'Forward all service TCP ports locally and start the Node.js path-routing proxy. Enables full path-based routing (e.g. /wp alongside /) without needing --expose-local-port. Requires --expose.',
+  )
   .option('--cmd <cmd>', 'Custom initialization command for deployment (comma-separated commands).')
   .option(
     '--skip-full-build',
@@ -364,6 +388,12 @@ program
     '--image-pull-policy <policy>',
     'Override container imagePullPolicy in the generated deployment manifest (Always, IfNotPresent, Never). Defaults to Never for localhost/ images and IfNotPresent otherwise.',
   )
+  .option(
+    '--tls',
+    'Enables TLS for the local proxy started by --expose --local-proxy. ' +
+      'The proxy will serve HTTPS on port 443 using self-signed certificates resolved from the local SSL store. ' +
+      'Use together with --expose and --local-proxy.',
+  )
   .description('Manages application deployments, defaulting to deploying development pods.')
   .action(Underpost.deploy.callback);
 
@@ -701,6 +731,10 @@ program
     'Explicitly download the pre-built client bundle from Cloudinary inside the container (supported by: sync, template-deploy). Use together with --skip-full-build.',
   )
   .option('--remove', 'Remove/teardown resources')
+  .option(
+    '--test',
+    'Enables test/generic-purpose mode for the runner (e.g. use self-signed TLS instead of cert-manager).',
+  )
   .description('Runs specified scripts using various runners.')
   .action(Underpost.run.callback);
 
@@ -889,6 +923,19 @@ program
     '--dry-run',
     'For --build: previews version-bump changes (per-file substitution counts) without writing files or running downstream commands.',
   )
+  .option(
+    '--mongo-host <host>',
+    'For --build: override DB_HOST in the template .env.example for the smoke test (e.g., "192.168.1.82:27017").',
+  )
+  .option('--mongo-user <user>', 'For --build: override DB_USER in the template .env.example for the smoke test.')
+  .option(
+    '--mongo-password <password>',
+    'For --build: override DB_PASSWORD in the template .env.example for the smoke test.',
+  )
+  .option(
+    '--valkey-host <host>',
+    'For --build: override VALKEY_HOST in the template .env.example for the smoke test (e.g., "192.168.1.82").',
+  )
   .description('Release orchestrator for building new versions and deploying releases of the Underpost CLI.')
   .action(async (version, options) => {
     if (options.build) return Underpost.release.build(version, options);

package/src/cli/monitor.js

@@ -10,11 +10,19 @@ import {
   loadConfServerJson,
   loadCronDeployEnv,
   etcHostFactory,
+  deployRangePortFactory,
 } from '../server/conf.js';
 import { loggerFactory } from '../server/logger.js';
 import { timer } from '../client/components/core/CommonJs.js';
+import {
+  RUNTIME_STATUS,
+  INTERNAL_STATUS_PATH,
+  normalizeContainerStatus,
+  deployStatusPort,
+} from '../server/runtime-status.js';
 import axios from 'axios';
 import fs from 'fs-extra';
+import net from 'node:net';
 import { shellExec } from '../server/process.js';
 import Underpost from '../index.js';
 
@@ -328,62 +336,230 @@ class UnderpostMonitor {
       };
     },
     /**
-     * Monitors the ready status of a deployment.
+     * Resolves a free ephemeral TCP port on the loopback interface, used as the
+     * local end of the `kubectl port-forward` tunnel so it never collides with
+     * host-local services.
+     * @returns {Promise<number>}
+     * @memberof UnderpostMonitor
+     */
+    findFreePort() {
+      return new Promise((resolve) => {
+        const srv = net.createServer();
+        srv.once('error', () => resolve(20000 + Math.floor(Math.random() * 20000)));
+        srv.listen(0, '127.0.0.1', () => {
+          const { port } = srv.address();
+          srv.close(() => resolve(port));
+        });
+      });
+    },
+    /**
+     * Resolves the deployment's internal status port (Phase-2 transport target).
+     *
+     * Canonical value is `fromPort - 1` from the deployment router — the exact
+     * port `buildManifest` injects into the pod (UNDERPOST_INTERNAL_PORT) and
+     * uses for the probes — so the tunnel target always matches the in-pod bind.
+     * `UNDERPOST_INTERNAL_PORT` overrides; ambient resolution is the last resort.
+     *
+     * @param {string} deployId
+     * @param {string} env
+     * @returns {Promise<number>}
+     * @memberof UnderpostMonitor
+     */
+    async deployInternalPort(deployId, env) {
+      const override = parseInt(process.env.UNDERPOST_INTERNAL_PORT);
+      if (!Number.isNaN(override)) return override;
+      try {
+        const router = await Underpost.deploy.routerFactory(deployId, env);
+        const { fromPort } = deployRangePortFactory(router);
+        if (Number.isFinite(fromPort) && fromPort > 0) return fromPort - 1;
+      } catch (_) {
+        /* fall through to ambient resolution */
+      }
+      return deployStatusPort(deployId, env) ?? 3000;
+    },
+    /**
+     * Reads Phase-2 runtime status from a single pod using the selected transport.
+     *
+     *   - `exec` (default): `kubectl exec … underpost config get container-status`
+     *     reads the env-file value. Synchronous, no background process — required
+     *     for custom instances (cyberia-server/client) and the safe choice for
+     *     CI/SSH. See `Deploy custom instance to K8S.md`.
+     *   - `http`: port-forward to the in-pod `/_internal/status` endpoint served
+     *     by the `underpost start` launcher (dd-* runtime deploys). Opt-in.
      *
-     * Ready signal:
-     *   The orchestrator gate is the Kubernetes pod Ready condition. When the
-     *   container's `readinessProbe` succeeds, kubelet flips
-     *   `status.conditions[Ready]` to True and `checkDeploymentReadyStatus`
-     *   returns the pod in `readyPods`. This is the only required signal — see
-     *   `src/client/public/nexodev/docs/references/Deploy custom instance to K8S.md`.
+     * Transport failures are reported as `{ ok: false }` and must never be read
+     * as success — they are retried, not promoted.
+     *
+     * @param {string} podName
+     * @param {string} namespace
+     * @param {number} internalPort
+     * @param {('http'|'exec')} [transport='exec']
+     * @returns {Promise<{ok: boolean, status?: (string|null), transportError?: string}>}
+     * @memberof UnderpostMonitor
+     */
+    async readRuntimeStatus(podName, namespace, internalPort, transport = 'exec') {
+      return transport === 'exec'
+        ? Underpost.monitor.readRuntimeStatusViaExec(podName, namespace)
+        : Underpost.monitor.readRuntimeStatusViaHttp(podName, namespace, internalPort);
+    },
+    /**
+     * Phase-2 read over `kubectl exec` (env-file transport). Works for any pod
+     * whose image bakes the underpost CLI — notably custom instances that stamp
+     * `container-status` from `lifecycle.postStart`/`preStop` hooks.
+     * @param {string} podName
+     * @param {string} namespace
+     * @returns {{ok: boolean, status?: (string|null), transportError?: string}}
+     * @memberof UnderpostMonitor
+     */
+    readRuntimeStatusViaExec(podName, namespace) {
+      try {
+        const raw = shellExec(
+          `sudo kubectl exec ${podName} -n ${namespace} -- sh -c 'underpost config get container-status --plain'`,
+          { silent: true, disableLog: true, stdout: true, silentOnError: true },
+        );
+        const status = normalizeContainerStatus(raw ? raw.toString().trim() : '');
+        return status === undefined ? { ok: false, transportError: 'empty_status' } : { ok: true, status };
+      } catch (error) {
+        return { ok: false, transportError: error?.code || error?.message || 'exec_failed' };
+      }
+    },
+    /**
+     * Phase-2 read over `kubectl port-forward` + HTTP `/_internal/status`.
      *
-     * Container-status:
-     *   `underpost config get container-status` is read from each pod for both
-     *   the display column and as a second ready gate alongside the K8S Ready
-     *   condition. Both must be satisfied before the monitor exits:
-     *     1. K8S readinessProbe (TCP socket) — ensures the port is bound.
-     *     2. container-status == `<deploy>-<env>-running-deployment` — ensures
-     *        the application has completed its own startup sequence.
-     *   Early-abort on `error` container-status remains in effect: a failing
-     *   runtime keeps its pod alive (not Ready) with `container-status=error`,
-     *   so this `exec`-read surfaces the failure and the monitor aborts —
-     *   failing the CD runner instead of waiting out the full timeout.
+     * The local side of the tunnel MUST be an ephemeral free port: pinning it to
+     * internalPort collides with any host-local service on that number (e.g. a
+     * dev runtime on the same machine as the cluster), making port-forward fail
+     * to bind and every read return a false transport error.
+     *
+     * @param {string} podName
+     * @param {string} namespace
+     * @param {number} internalPort
+     * @returns {Promise<{ok: boolean, status?: (string|null), transportError?: string}>}
+     * @memberof UnderpostMonitor
+     */
+    async readRuntimeStatusViaHttp(podName, namespace, internalPort) {
+      const override = parseInt(process.env.UNDERPOST_PF_LOCAL_PORT);
+      const localPort = Number.isNaN(override) ? await Underpost.monitor.findFreePort() : override;
+      const url = `http://127.0.0.1:${localPort}${INTERNAL_STATUS_PATH}`;
+      let portForward;
+      try {
+        // `exec` makes the tracked child the sudo/kubectl process (so kill
+        // reaches it); stdio is redirected to /dev/null so the tunnel never
+        // inherits — and therefore never holds open — a CI/SSH session's pipes,
+        // which would hang the job after a successful deploy.
+        portForward = shellExec(
+          `exec sudo kubectl port-forward pod/${podName} ${localPort}:${internalPort} -n ${namespace} </dev/null >/dev/null 2>&1`,
+          { async: true, silent: true, disableLog: true, silentOnError: true },
+        );
+      } catch (_) {
+        portForward = undefined;
+      }
+      try {
+        let lastError;
+        const attempts = parseInt(process.env.UNDERPOST_PF_ATTEMPTS) || 20;
+        for (let attempt = 0; attempt < attempts; attempt++) {
+          try {
+            const res = await axios.get(url, { timeout: 2500 });
+            const raw = res?.data?.status ?? null;
+            return { ok: true, status: normalizeContainerStatus(raw) ?? raw, payload: res.data };
+          } catch (error) {
+            lastError = error;
+            await timer(350);
+          }
+        }
+        return { ok: false, transportError: lastError?.code || lastError?.message || 'transport_failed' };
+      } finally {
+        if (portForward && typeof portForward.kill === 'function') {
+          try {
+            portForward.kill('SIGTERM');
+          } catch (_) {
+            /* tunnel already gone */
+          }
+        }
+      }
+    },
+    /**
+     * Monitors a deployment to terminal readiness using a deterministic
+     * two-phase state machine.
+     *
+     *   Phase 1 (Kubernetes): pod `Ready` condition via `checkDeploymentReadyStatus`.
+     *   Phase 2 (Runtime):    `container-status`, read via the selected transport.
+     *
+     * Two deployment shapes are supported via `options`:
+     *   - `runtime` gate (default, dd-* deploys): the `underpost start` launcher
+     *     stamps `running-deployment`. Success requires K8S Ready AND every pod
+     *     reporting `running-deployment`.
+     *   - `kubernetes` gate (custom instances, e.g. cyberia): the runtime is a
+     *     bare binary; K8S `readinessProbe` (TCP) IS the running signal and
+     *     `container-status` is stamped to `initializing`/`stopping` by lifecycle
+     *     hooks. Success requires K8S Ready; the status read is used only for
+     *     fast `error` detection and display.
+     *
+     * Phase-2 transport defaults to `exec` (`kubectl exec`, no background
+     * process). The `http` transport (`kubectl port-forward` → `/_internal/status`)
+     * is opt-in via `options.statusTransport='http'` or
+     * `UNDERPOST_STATUS_TRANSPORT=http`; it must not be used in CI/SSH sessions
+     * where a stray tunnel can hang the job.
+     *
+     * Contract (both shapes):
+     *   - Runtime readiness is never declared before Kubernetes readiness.
+     *   - An explicit runtime `error` (or a fatal pod status) transitions
+     *     immediately to `failed` (throw → CD exit 1).
+     *   - Transport failures never count as success and never advance state.
+     *   - `timeout` is a distinct terminal state from `failed`.
+     *   - Every transition emits a structured, secret-free event.
      *
      * @param {string} deployId - Deployment ID for which the ready status is being monitored.
      * @param {string} env - Environment for which the ready status is being monitored.
      * @param {string} targetTraffic - Target traffic status for the deployment.
      * @param {Array<string>} ignorePods - List of pod names to ignore.
      * @param {string} [namespace='default'] - Kubernetes namespace for the deployment.
+     * @param {object} [options] - Monitoring shape.
+     * @param {('runtime'|'kubernetes')} [options.readyGate='runtime'] - Running-signal owner.
+     * @param {('http'|'exec')} [options.statusTransport='http'] - Phase-2 read transport.
      * @returns {object} - Object containing the ready status of the deployment.
      * @memberof UnderpostMonitor
      */
-    async monitorReadyRunner(deployId, env, targetTraffic, ignorePods = [], namespace = 'default') {
-      const delayMs = 1000;
-      const maxIterations = 3000;
+    async monitorReadyRunner(deployId, env, targetTraffic, ignorePods = [], namespace = 'default', options = {}) {
+      const delayMs = parseInt(process.env.UNDERPOST_MONITOR_DELAY_MS) || 1000;
+      const maxIterations = parseInt(process.env.UNDERPOST_MONITOR_MAX_ITERATIONS) || 3000;
       const deploymentId = `${deployId}-${env}-${targetTraffic}`;
-      const expectedContainerStatus = `${deployId}-${env}-running-deployment`;
       const tag = `[${deploymentId}]`;
-      const containerStatusDefault = 'waiting for status';
-
-      logger.info('Deployment init', { deployId, env, targetTraffic, namespace });
+      const expectedStatus = RUNTIME_STATUS.RUNNING;
+      const readyGate = options.readyGate === 'kubernetes' ? 'kubernetes' : 'runtime';
+      // Default to `exec`: a single synchronous `kubectl exec` read leaves no
+      // background process behind. The `http` transport spawns `kubectl
+      // port-forward` children that, if orphaned, inherit a CI/SSH session's
+      // stdio and hang the job after a successful deploy — opt in explicitly.
+      const statusTransport =
+        (options.statusTransport || process.env.UNDERPOST_STATUS_TRANSPORT) === 'http' ? 'http' : 'exec';
+      const internalPort =
+        statusTransport === 'http' ? await Underpost.monitor.deployInternalPort(deployId, env) : null;
+      const podErrorStates = ['error', 'crashloopbackoff', 'oomkilled', 'imagepullbackoff', 'errimagepull'];
+
+      const emit = (state, status) =>
+        logger.info('deploy-monitor', {
+          deployId: deploymentId,
+          phase: state.startsWith('runtime') ? 'runtime' : 'kubernetes',
+          state,
+          status: status ?? null,
+          timestamp: new Date().toISOString(),
+        });
+
+      logger.info('Deployment init', {
+        deployId,
+        env,
+        targetTraffic,
+        namespace,
+        internalPort,
+        readyGate,
+        statusTransport,
+      });
+      emit('pending');
 
-      const podStatusCache = new Map();
+      const runtimeStatusCache = new Map();
       const advancedPods = new Set();
 
-      const readContainerStatus = (podName) => {
-        try {
-          const raw = shellExec(
-            `sudo kubectl exec ${podName} -n ${namespace} -- sh -c 'underpost config get container-status --plain'`,
-            { silent: true, disableLog: true, stdout: true, silentOnError: true },
-          );
-          const val = raw ? raw.toString().trim() : '';
-          return val && val !== 'undefined' ? val : containerStatusDefault;
-        } catch (_) {
-          // exec failed (e.g. pod not yet running) — preserve last known value
-          return podStatusCache.get(podName) || containerStatusDefault;
-        }
-      };
-
       for (let i = 0; i < maxIterations; i++) {
         const result = await Underpost.monitor.checkDeploymentReadyStatus(
           deployId,
@@ -392,39 +568,62 @@ class UnderpostMonitor {
           ignorePods,
           namespace,
         );
-
         const allPods = [...result.readyPods, ...result.notReadyPods];
 
+        if (allPods.length === 0) {
+          emit('pending');
+          await timer(delayMs);
+          continue;
+        }
+        emit('pod_scheduled');
+
+        // Phase 1 fatal: a Kubernetes-level pod failure is terminal (failed,
+        // not timeout) — fail the CD runner immediately instead of waiting out
+        // the full window.
         for (const pod of allPods) {
-          if (!pod?.NAME) continue;
           const podStatus = (pod.STATUS || '').toLowerCase().trim();
-          if (
-            ['error', 'crashloopbackoff', 'oomkilled', 'imagepullbackoff', 'errimagepull'].find((s) =>
-              podStatus.match(s),
-            )
-          )
+          if (podErrorStates.find((s) => podStatus.includes(s)))
             throw new Error(`Pod ${pod.NAME} has error pod status: ${pod.STATUS}`);
-          const status = readContainerStatus(pod.NAME);
-          if (status === 'error') throw new Error(`Pod ${pod.NAME} has error container-status`);
-          if (advancedPods.has(pod.NAME) && status === containerStatusDefault)
-            throw new Error(`Pod ${pod.NAME} container-status regressed to default — pod likely restarted`);
-          if (status !== containerStatusDefault) advancedPods.add(pod.NAME);
-          podStatusCache.set(pod.NAME, status);
         }
 
-        const allPodsK8sReady = allPods.length > 0 && result.notReadyPods.length === 0;
+        const allPodsK8sReady = result.notReadyPods.length === 0;
+        if (allPodsK8sReady) emit('pod_ready');
 
-        const allPodsStatusReady =
-          allPods.length > 0 && allPods.every((pod) => podStatusCache.get(pod.NAME) === expectedContainerStatus);
+        // Phase 2: runtime status via the selected transport. Transport failures
+        // neither advance state nor count as success; explicit `error` is terminal.
+        let allRuntimeRead = true;
+        for (const pod of allPods) {
+          if (!pod?.NAME) continue;
+          const read = await Underpost.monitor.readRuntimeStatus(pod.NAME, namespace, internalPort, statusTransport);
+          if (!read.ok) {
+            allRuntimeRead = false;
+            emit('runtime_booting', `transport:${read.transportError}`);
+            continue;
+          }
+          const status = read.status;
+          if (status === RUNTIME_STATUS.ERROR) throw new Error(`Pod ${pod.NAME} reported runtime status=error`);
+          // Regression (advanced → empty/build) means a pod restarted. Under the
+          // kubernetes gate the runtime never advances past `initializing`, so
+          // only treat a drop to empty/build as a regression there.
+          if (advancedPods.has(pod.NAME) && (!status || status === RUNTIME_STATUS.BUILD))
+            throw new Error(`Pod ${pod.NAME} runtime status regressed (${status ?? 'empty'}) — pod likely restarted`);
+          if (status && status !== RUNTIME_STATUS.BUILD) advancedPods.add(pod.NAME);
+          runtimeStatusCache.set(pod.NAME, status);
+          emit('runtime_booting', status);
+        }
+
+        // Under the kubernetes gate the readinessProbe is the running signal, so
+        // K8S Ready alone confirms Phase 2; the status read above is kept only
+        // for `error` fast-fail and display.
+        const allRuntimeReady =
+          readyGate === 'kubernetes'
+            ? true
+            : allRuntimeRead && allPods.every((pod) => runtimeStatusCache.get(pod.NAME) === expectedStatus);
 
-        // Print snapshot for every pod — annotate when container-status hasn't caught
-        // up to the K8S Ready condition yet.
         for (const pod of allPods) {
-          const status = podStatusCache.get(pod.NAME) || containerStatusDefault;
+          const status = runtimeStatusCache.get(pod.NAME) || 'waiting for status';
           const podStatus = pod.STATUS || 'Unknown';
-          const statusMatchesExpected = status === expectedContainerStatus;
-          const statusDisplay = statusMatchesExpected ? status : `${status} (pending)`;
-
+          const statusDisplay = status === expectedStatus ? status : `${status} (pending)`;
           console.log(
             'Target pod:',
             pod.NAME[pod.NAME.includes('green') ? 'bgGreen' : 'bgBlue'].bold.black,
@@ -435,22 +634,20 @@ class UnderpostMonitor {
           );
         }
 
-        // Both K8S readinessProbe AND container-status must be satisfied before
-        // declaring the deployment ready. The TCP probe ensures the port is bound;
-        // container-status == running-deployment ensures the application has
-        // completed its own startup sequence so traffic is not switched prematurely.
-        if (allPodsK8sReady && allPodsStatusReady) {
-          logger.info(`${tag} | All pods Ready (K8S readinessProbe satisfied)`);
+        // Terminal success requires both phases. runtime_ready cannot precede
+        // Kubernetes readiness.
+        if (allPodsK8sReady && allRuntimeReady) {
+          const readySignal = readyGate === 'kubernetes' ? 'K8S readinessProbe' : `runtime ${expectedStatus}`;
+          emit('runtime_ready', readyGate === 'kubernetes' ? 'k8s-ready' : expectedStatus);
+          logger.info(`${tag} | Deployment ready (K8S Ready + ${readySignal})`);
           return result;
         }
 
         await timer(delayMs);
-
-        if ((i + 1) % 10 === 0) {
-          logger.info(`${tag} | In progress... iteration ${i + 1}`);
-        }
+        if ((i + 1) % 10 === 0) logger.info(`${tag} | In progress... iteration ${i + 1}`);
       }
 
+      emit('timeout');
       logger.error(`${tag} | Deployment timeout after ${maxIterations} iterations`);
       throw new Error(
         `monitorReadyRunner timeout: ${deploymentId} did not become Ready within ${maxIterations}*${delayMs}ms`,

package/src/cli/release.js

@@ -264,18 +264,29 @@ const ISOLATED_ENV = 'env -i HOME="$HOME" PATH="$PATH" USER="$USER" LOGNAME="$LO
  *
  * @returns {boolean} true when the template started cleanly, false otherwise.
  */
-async function buildAndTestTemplate() {
+async function buildAndTestTemplate(opts = {}) {
   killDevServers();
   Underpost.repo.clean({ paths: ['/home/dd/engine', '/home/dd/engine/engine-private '] });
   shellExec(`node bin pull . ${process.env.GITHUB_USERNAME}/engine`);
+  fs.removeSync(TEMPLATE_PATH);
   shellExec(`npm run build:template`);
   shellExec(`node bin run shared-dir ${TEMPLATE_PATH}`);
 
+  const upsertEnvVar = (content, key, value) => {
+    const re = new RegExp(`^(${key}=).*`, 'm');
+    if (re.test(content)) return content.replace(re, `$1${value}`);
+    return `${content.trimEnd()}\n${key}=${value}\n`;
+  };
+
   const dhcpHostIp = Dns.getLocalIPv4Address();
   logger.info(`DHCP host IP for template test: ${dhcpHostIp}`);
   let envContent = fs.readFileSync(`${TEMPLATE_PATH}/.env.example`, 'utf8');
   if (dhcpHostIp) envContent = envContent.replace(/127\.0\.0\.1/g, dhcpHostIp);
-  envContent = envContent.replace(/^ENABLE_FILE_LOGS=.*/m, 'ENABLE_FILE_LOGS=true');
+  envContent = upsertEnvVar(envContent, 'ENABLE_FILE_LOGS', 'true');
+  if (opts.mongoHost) envContent = upsertEnvVar(envContent, 'DB_HOST', opts.mongoHost);
+  if (opts.mongoUser) envContent = upsertEnvVar(envContent, 'DB_USER', opts.mongoUser);
+  if (opts.mongoPassword) envContent = upsertEnvVar(envContent, 'DB_PASSWORD', opts.mongoPassword);
+  if (opts.valkeyHost) envContent = upsertEnvVar(envContent, 'VALKEY_HOST', opts.valkeyHost);
   // fs.writeFileSync(`${TEMPLATE_PATH}/.env`, envContent, 'utf8');
   fs.writeFileSync(`${TEMPLATE_PATH}/.env.example`, envContent, 'utf8');
   shellExec(`cd ${TEMPLATE_PATH} && npm install`);
@@ -337,7 +348,12 @@ class UnderpostRelease {
      *
      * @method build
      * @param {string} [newVersion] - The new version string to set. Defaults to current version if not provided.
-     * @param {{dryRun?: boolean}} [options] - Commander options. `--dry-run` previews changes.
+     * @param {{dryRun?: boolean, mongoHost?: string, mongoUser?: string, mongoPassword?: string, valkeyHost?: string}} [options] - Commander options.
+     *   `--dry-run` previews changes without writing files.
+     *   `--mongo-host` overrides `DB_HOST` in the template `.env.example` smoke test.
+     *   `--mongo-user` overrides `DB_USER` in the template `.env.example` smoke test.
+     *   `--mongo-password` overrides `DB_PASSWORD` in the template `.env.example` smoke test.
+     *   `--valkey-host` overrides `VALKEY_HOST` in the template `.env.example` smoke test.
      * @memberof UnderpostRelease
      */
     async build(newVersion, options = {}) {
@@ -352,7 +368,7 @@ class UnderpostRelease {
       logger.info(`Release build — bumping ${version} → ${newVersion}${dryRun ? ' (dry-run)' : ''}`);
 
       if (!dryRun) {
-        const templateOk = await buildAndTestTemplate();
+        const templateOk = await buildAndTestTemplate(options);
         if (!templateOk) return;
       }
 
@@ -390,8 +406,7 @@ class UnderpostRelease {
       shellExec(`node bin/deploy cli-docs ${version} ${newVersion}`);
       shellExec(`node bin/deploy update-dependencies`);
       shellExec(`node bin/build dd`);
-      shellExec(`node bin deploy --build-manifest --sync --info-router --replicas 1 dd production`);
-      shellExec(`node bin deploy --build-manifest --sync --info-router --replicas 1 dd development`);
+      shellExec(`node bin run build-cluster-deployment-manifests`);
       shellExec(`node bin new --default-conf --conf-workflow-id template`);
       shellExec(`sudo rm -rf ./engine-private/conf/dd-default`);
       shellExec(`node bin new --deploy-id dd-default`);

package/src/cli/repository.js

@@ -8,6 +8,7 @@ import dotenv from 'dotenv';
 import { commitData } from '../client/components/core/CommonJs.js';
 import { pbcopy, shellCd, shellExec } from '../server/process.js';
 import { actionInitLog, loggerFactory } from '../server/logger.js';
+import path from 'path';
 import fs from 'fs-extra';
 import {
   getNpmRootPath,
@@ -133,10 +134,21 @@ class UnderpostRepository {
         p: undefined,
         bc: '',
         isRemoteRepo: '',
+        hasChanges: false,
       },
     ) {
       if (!repoPath) repoPath = '.';
 
+      if (options.hasChanges) {
+        const status = shellExec(`cd ${repoPath} && git status --porcelain`, {
+          stdout: true,
+          silent: true,
+          disableLog: true,
+        }).trim();
+        process.stdout.write(status ? '1' : '');
+        return;
+      }
+
       if (options.isRemoteRepo) {
         const accessible = Underpost.repo.isRemoteRepo(options.isRemoteRepo);
         console.log(accessible);
@@ -608,7 +620,8 @@ class UnderpostRepository {
             const npmRoot = getNpmRootPath();
             const underpostRoot = options?.dev === true ? '.' : `${npmRoot}/underpost`;
             const destFolder = `./${projectName}`;
-            logger.info('build app', { destFolder });
+            const deployId = projectName.startsWith('dd-') ? projectName : `dd-${projectName}`;
+            logger.info('build app', { destFolder, deployId });
             if (fs.existsSync(destFolder)) fs.removeSync(destFolder);
             fs.mkdirSync(destFolder, { recursive: true });
             if (!options.dev) {
@@ -621,8 +634,9 @@ class UnderpostRepository {
               UnderpostRepository.API.initLocalRepo({ path: destFolder });
               shellExec(`cd ${destFolder} && git add . && git commit -m "Base template implementation"`);
             }
-            shellExec(`cd ${destFolder} && npm run build`);
-            shellExec(`cd ${destFolder} && npm run dev`);
+            shellExec(`cd ${destFolder} && node bin new --deploy-id ${deployId} --default-conf`);
+            shellExec(`cd ${destFolder} && node bin client ${deployId}`);
+            shellExec(`cd ${destFolder} && DEPLOY_ID=${deployId} npm run dev`);
           }
           return resolve(true);
         } catch (error) {
@@ -1380,8 +1394,9 @@ Prevent build private config repo.`,
       const gitEmail = process.env.GITHUB_EMAIL || `development@underpost.net`;
 
       if (!fs.existsSync(`${repoPath}/.git`)) {
-        shellExec(`cd "${repoPath}" && git init`);
+        shellExec(`mkdir -p "${repoPath}" && git init "${repoPath}"`);
       }
+
       shellExec(`cd "${repoPath}" && git config user.name '${gitUsername}'`);
       shellExec(`cd "${repoPath}" && git config user.email '${gitEmail}'`);
       shellExec(`cd "${repoPath}" && git config core.filemode false`);
@@ -1724,6 +1739,8 @@ Prevent build private config repo.`,
       if (!fs.existsSync(repoPath)) {
         shellExec(`cd .. && underpost clone ${gitUri}`, { silent: true });
       } else {
+        const repoAbsPath = path.resolve(repoPath);
+        shellExec(`git config --global --add safe.directory '${repoAbsPath}'`);
         shellExec(`cd ${repoPath} && git checkout . && git clean -f -d && underpost pull . ${gitUri}`, {
           silent: true,
         });