underpost 3.2.21 → 3.2.22

package/CHANGELOG.md

@@ -1,6 +1,43 @@
 # Changelog
 
-## 2026-06-06
+## 2026-06-07
+
+### repository
+
+- Add safe repo config in pullSourceRepo ([4325c1ba7](https://github.com/underpostnet/engine/commit/4325c1ba736b4e2fa64f0570dc5bedb9b33e351f))
+
+### docs
+
+- Restore runtimeConfig docs logic ([819792d1d](https://github.com/underpostnet/engine/commit/819792d1de4e20e490c7bdffca66f794ef810868))
+- Enhance favicon resolution logic in buildJsDocs function to handle missing files ([4b4b6cca2](https://github.com/underpostnet/engine/commit/4b4b6cca2b31f1b41c1e893e58a3bb94b67c4f26))
+- Fix favicon path resolution in buildJsDocs function to handle missing files ([a572ffaf8](https://github.com/underpostnet/engine/commit/a572ffaf88de3e07b0c90fb485f57e9032d4e5bb))
+- Update favicon path in buildJsDocs function to use publicClientId for dynamic resolution ([d839d6a02](https://github.com/underpostnet/engine/commit/d839d6a02b6a49a2aa6923ce5392ff4509c36f43))
+
+### monitor
+
+- Add support for custom image names in deployment scripts ([2d4ddf731](https://github.com/underpostnet/engine/commit/2d4ddf731565e45e90b7e105ce17e6a56862e17f))
+- Enhance transport handling in UnderpostMonitor: Default to exec, add opt-in for http ([eebe7ef03](https://github.com/underpostnet/engine/commit/eebe7ef0318e3bbe2533e31701bba7af9483e73c))
+- Refactor test-monitor script: Enhance deployment modes and flag parsing ([07b65b004](https://github.com/underpostnet/engine/commit/07b65b0040d34883f67ebf6d9fa61872ff4c81f2))
+- Enhance runtime status handling with exec transport and kubernetes gate ([135773938](https://github.com/underpostnet/engine/commit/135773938dcbd4e466e09afea73ccc8994a6509e))
+
+### deploy
+
+- Refactor deployment commands to use dynamic node names and update MongoDB flag in run command ([b6a1dc9c7](https://github.com/underpostnet/engine/commit/b6a1dc9c751a09fd677d9778b252d967a08225cb))
+
+### cli-start
+
+- Add error handling for deployment build/init process in UnderpostStartUp class ([6c7d7e056](https://github.com/underpostnet/engine/commit/6c7d7e0568903f89a0a3a06683b726e4f34fa843))
+- Add support for private test repositories in build and monitor scripts ([23837d02b](https://github.com/underpostnet/engine/commit/23837d02b6a250ecc420e903a095d5be397494bb))
+
+### ipfs
+
+- Refactor IPFS API URL functions to include container check for development environment ([61e3fcd1e](https://github.com/underpostnet/engine/commit/61e3fcd1e08b9ec43dca29a151a4309f2a44f276))
+
+### client-core
+
+- Fix bug Panel component; when the user writes markdown content but uploads missing reload md file ([f91da9780](https://github.com/underpostnet/engine/commit/f91da97807b991bf9c6b8693c9c97bb8365df6f4))
+
+## New release v:3.2.21 (2026-06-06)
 
 ### release
 

package/CLI-HELP.md

@@ -1,6 +1,6 @@
 ## Underpost CLI
 
-> underpost ci/cd cli v3.2.21
+> underpost ci/cd cli v3.2.22
 
 **Usage:** `underpost [options] [command]`
 
@@ -132,6 +132,7 @@ Initiates application servers, build pipelines, or other defined services based
 | `--skip-pull-base` | Skips cloning repositories, uses current workspace code directly. |
 | `--skip-full-build` | Skips the full client bundle build during deployment. |
 | `--pull-bundle` | Downloads the pre-built client bundle from Cloudinary via pull-bundle before starting. Use together with --skip-full-build to skip the local build entirely. |
+| `--private-test-repo` | During --build, clone the private test source repo (engine-test-<id>) instead of the production engine-<id> repo. |
 | `-h, --help` | display help for command |
 
 ---
@@ -888,6 +889,7 @@ Runs specified scripts using various runners.
 | `--skip-full-build` | Skip client bundle rebuild; triggers pull-bundle in container startup (supported by: sync, template-deploy). |
 | `--pull-bundle` | Explicitly download the pre-built client bundle from Cloudinary inside the container (supported by: sync, template-deploy). Use together with --skip-full-build. |
 | `--remove` | Remove/teardown resources |
+| `--test` | Enables test/generic-purpose mode for the runner (e.g. use self-signed TLS instead of cert-manager). |
 | `-h, --help` | display help for command |
 
 ---

package/README.md

@@ -16,7 +16,7 @@
 
 <div align="center">
 
-[![Node.js CI](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml) [![Test](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml) [![Downloads](https://img.shields.io/npm/dm/underpost.svg)](https://www.npmjs.com/package/underpost) [![](https://data.jsdelivr.com/v1/package/npm/underpost/badge)](https://www.jsdelivr.com/package/npm/underpost) [![Socket Badge](https://socket.dev/api/badge/npm/package/underpost/3.2.21)](https://socket.dev/npm/package/underpost/overview/3.2.21) [![Coverage Status](https://coveralls.io/repos/github/underpostnet/engine/badge.svg?branch=master)](https://coveralls.io/github/underpostnet/engine?branch=master) [![Version](https://img.shields.io/npm/v/underpost.svg)](https://www.npmjs.org/package/underpost) [![License](https://img.shields.io/npm/l/underpost.svg)](https://www.npmjs.com/package/underpost)
+[![Node.js CI](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/docker-image.ci.yml) [![Test](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml/badge.svg?branch=master)](https://github.com/underpostnet/engine/actions/workflows/coverall.ci.yml) [![Downloads](https://img.shields.io/npm/dm/underpost.svg)](https://www.npmjs.com/package/underpost) [![](https://data.jsdelivr.com/v1/package/npm/underpost/badge)](https://www.jsdelivr.com/package/npm/underpost) [![Socket Badge](https://socket.dev/api/badge/npm/package/underpost/3.2.22)](https://socket.dev/npm/package/underpost/overview/3.2.22) [![Coverage Status](https://coveralls.io/repos/github/underpostnet/engine/badge.svg?branch=master)](https://coveralls.io/github/underpostnet/engine?branch=master) [![Version](https://img.shields.io/npm/v/underpost.svg)](https://www.npmjs.org/package/underpost) [![License](https://img.shields.io/npm/l/underpost.svg)](https://www.npmjs.com/package/underpost)
 
 </div>
 
@@ -88,7 +88,7 @@ npm run dev
 <!-- cli-index-start -->
 ## Underpost CLI
 
-> underpost ci/cd cli v3.2.21
+> underpost ci/cd cli v3.2.22
 
 **Usage:** `underpost [options] [command]`
 

package/bin/build.js

@@ -11,6 +11,7 @@ import {
   syncPrivateConf,
   syncDeployIdSources,
   buildTemplate,
+  updatePrivateEngineTestRepo,
 } from '../src/server/conf.js';
 import { loadDeployCatalog } from '../src/server/catalog.js';
 import UnderpostRepository from '../src/cli/repository.js';
@@ -191,6 +192,11 @@ program
     '--no-template-rebuild',
     'Skip the from-scratch base template reconstruction before assembly (assemble onto the existing template).',
   )
+  .option(
+    '--update-private',
+    'After assembling each deploy id, publish it to its private test source repo (underpostnet/engine-test-<id>) for isolated test deploys.',
+    false,
+  )
   .action(async (confName, env, options) => {
     const deployList = resolveDeployList(confName);
     logger.info('Build repository', { confName, basePath, deployList, conf: !!options.conf });
@@ -207,7 +213,12 @@ program
     // build run leaks into this one. Opt out with --no-template-rebuild.
     if (options.templateRebuild) await buildTemplate({ toPath: basePath });
 
-    for (const deployId of deployList) await buildDeployTemplate(deployId);
+    for (const deployId of deployList) {
+      await buildDeployTemplate(deployId);
+      // Publish the just-assembled tree to the deploy id's private test repo so a
+      // pod started with `--private-test-repo` clones this work-in-progress source.
+      if (options.updatePrivate) await updatePrivateEngineTestRepo(deployId);
+    }
   });
 
 await program.parseAsync();

package/manifests/cronjobs/dd-cron/dd-cron-backup.yaml

@@ -23,7 +23,7 @@ spec:
         spec:
           containers:
             - name: dd-cron-backup
-              image: underpost/underpost-engine:v3.2.21
+              image: underpost/underpost-engine:v3.2.22
               command:
                 - /bin/sh
                 - -c

package/manifests/cronjobs/dd-cron/dd-cron-dns.yaml

@@ -23,7 +23,7 @@ spec:
         spec:
           containers:
             - name: dd-cron-dns
-              image: underpost/underpost-engine:v3.2.21
+              image: underpost/underpost-engine:v3.2.22
               command:
                 - /bin/sh
                 - -c

package/manifests/deployment/dd-default-development/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-blue
-          image: underpost/underpost-engine:v3.2.21
+          image: underpost/underpost-engine:v3.2.22
           #          resources:
           #            requests:
           #              memory: "124Ki"
@@ -98,7 +98,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-green
-          image: underpost/underpost-engine:v3.2.21
+          image: underpost/underpost-engine:v3.2.22
           #          resources:
           #            requests:
           #              memory: "124Ki"

package/package.json

@@ -2,7 +2,7 @@
     "type": "module",
     "main": "src/index.js",
     "name": "underpost",
-    "version": "3.2.21",
+    "version": "3.2.22",
     "description": "Underpost Platform — end-to-end CI/CD and application-delivery toolchain CLI. Covers bare metal, Kubernetes, K3s, kubeadm, LXD, container/image orchestration, secrets, databases, cron jobs, monitoring, SSH, runners, PWA + Workbox delivery, and release orchestration. Extensible via downstream CLIs.",
     "scripts": {
         "start": "node --max-old-space-size=8192 src/server",

package/scripts/test-monitor.sh

@@ -1,86 +1,250 @@
-
 #!/usr/bin/env bash
+#
+# test-monitor.sh — end-to-end deploy + two-phase monitor smoke test.
+#
+# Two deployment shapes are supported (see
+# src/client/public/nexodev/docs/references/Deploy-Monitor-PRD.md and
+# 'Deploy custom instance to K8S.md'):
+#
+#   --mode runtime   `underpost start` deploy (e.g. dd-test). Monitored with the
+#                    HTTP gate: /_internal/ready probes + port-forward status.
+#   --mode instance  Custom instances from conf.instances.json (e.g. cyberia
+#                    mmo-server / mmo-client). Monitored with the kubernetes gate
+#                    (TCP readinessProbe) + exec status transport.
+#
+# Every variable in the DEFAULTS block below is overridable with a flag of the
+# same name (--env, --deploy-id, …). Run with --help for the full list.
+#
 set -euo pipefail
 
-ENV=development
-DEPLOY_ID=dd-test
-IMAGE=underpost/wp:v3.2.14
-USE_CERT=false           # Set to true to use --cert, false to use --disable-update-proxy
-USE_PULL_BUNDLE=false     # Set to true to include --pull-bundle in start command, false to omit it
-USE_TLS=false            # Set to true to generate self-signed certs and expose via HTTPS
-VERSIONS=green
-
-# Parse --tls flag from script arguments
-for arg in "$@"; do
-    case $arg in
-        --tls) USE_TLS=true ;;
-    esac
-done
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ENGINE_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
+cd "$ENGINE_DIR"
+
+# ─────────────────────────── DEFAULTS (all overridable) ───────────────────────────
+MODE=runtime                                  # runtime | instance
+ENV=development                               # development | production
+DEPLOY_ID=dd-test                             # deploy id (instance mode: parent of conf.instances.json)
+INSTANCE_IDS=                                 # instance mode: csv of ids (default: all in conf.instances.json)
+IMAGE=underpost/wp:v3.2.14                    # runtime mode image (instance mode reads image from conf)
+VERSIONS=green                                # csv of blue/green versions
+REPLICAS=1                                    # replicas per deployment
+NAMESPACE=default                             # k8s namespace
+CLUSTER=                                      # kind | kubeadm | k3s | "" (auto/none)
+TIMEOUT_RESPONSE=300000ms                     # HTTPProxy per-route response timeout
+TEMPLATE_REPO=underpostnet/pwa-microservices-template-private  # runtime mode link repo
+ENVOY_NAMESPACE=projectcontour                # ingress namespace (instance TLS exposure)
+ENVOY_SERVICE=envoy                           # ingress service (instance TLS exposure)
+HTTPS_PORT=443                                # local https port for instance TLS exposure
+
+USE_CERT=false                                # runtime: pass --cert to the proxy step
+USE_PULL_BUNDLE=false                         # runtime: include --pull-bundle in the start cmd
+USE_TLS=false                                 # generate self-signed certs + expose over HTTPS
+USE_TEST_REPO=false                           # runtime: publish src to engine-test-<id> + pod clones it (--private-test-repo)
+DO_BUILD_TEMPLATE=true                        # run `node bin/build.template --update-private`
+DO_CLUSTER_MANIFESTS=true                     # run `node bin run build-cluster-deployment-manifests`
+DO_EXPOSE=true                                # expose locally after deploy + monitor
+
+usage() {
+  cat <<'EOF'
+Usage: scripts/test-monitor.sh [flags]
+
+Modes:
+  --mode <runtime|instance>     Deployment shape to test (default: runtime)
+
+Common (every default is overridable):
+  --env <development|production>
+  --deploy-id <id>
+  --instance-ids <csv>          instance mode only; default = all ids in conf.instances.json
+  --image <image>               runtime mode only
+  --versions <csv>              e.g. green or blue,green
+  --replicas <n>
+  --namespace <ns>
+  --cluster <kind|kubeadm|k3s|none>
+  --timeout-response <dur>      e.g. 300000ms
+  --template-repo <owner/repo>  runtime mode link repo
+  --envoy-namespace <ns>        instance TLS exposure ingress namespace
+  --envoy-service <name>        instance TLS exposure ingress service
+  --https-port <port>           local https port for instance TLS exposure
+
+Toggles (use --x / --no-x):
+  --tls | --no-tls              self-signed certs + HTTPS exposure (default: off)
+  --cert | --no-cert            runtime proxy --cert (default: off)
+  --pull-bundle | --no-pull-bundle   runtime start --pull-bundle (default: off)
+  --test-repo | --no-test-repo  runtime: publish src to engine-test-<id> and have the
+                                pod clone it via --private-test-repo (default: off)
+  --expose | --no-expose        local exposure after monitor (default: on)
+  --build-template | --no-build-template       sync private template (default: on)
+  --cluster-manifests | --no-cluster-manifests  rebuild cluster manifests (default: on)
 
-# Optional to concat in link cmd:
-# underpost secret underpost --create-from-env
+  -h, --help
 
-LINK_CMD="cd /home/dd,underpost clone underpostnet/pwa-microservices-template-private,cd /home/dd/pwa-microservices-template-private,npm install,npm link"
-PROXY_FLAG=""
+Examples:
+  # Runtime deploy (default), no TLS
+  scripts/test-monitor.sh
+
+  # Runtime deploy over HTTPS
+  scripts/test-monitor.sh --tls
+
+  # Runtime deploy from a work-in-progress test source repo (engine-test-<id>)
+  scripts/test-monitor.sh --test-repo
+
+  # Cyberia instances (both), dev on kind, no TLS
+  scripts/test-monitor.sh --mode instance --deploy-id dd-cyberia --cluster kind
+
+  # Only the mmo-server instance, production, over HTTPS
+  scripts/test-monitor.sh --mode instance --deploy-id dd-cyberia \
+    --instance-ids mmo-server --env production --cluster kubeadm --tls
+EOF
+}
+
+# ─────────────────────────── flag parsing ───────────────────────────
+# Supports `--key value` and `--key=value` for value flags, plus --x/--no-x toggles.
+needval() { [[ $# -ge 2 ]] || { echo "Missing value for $1" >&2; exit 1; }; }
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --mode) needval "$@"; MODE="$2"; shift 2;;            --mode=*) MODE="${1#*=}"; shift;;
+    --env) needval "$@"; ENV="$2"; shift 2;;              --env=*) ENV="${1#*=}"; shift;;
+    --deploy-id) needval "$@"; DEPLOY_ID="$2"; shift 2;;  --deploy-id=*) DEPLOY_ID="${1#*=}"; shift;;
+    --instance-ids) needval "$@"; INSTANCE_IDS="$2"; shift 2;; --instance-ids=*) INSTANCE_IDS="${1#*=}"; shift;;
+    --image) needval "$@"; IMAGE="$2"; shift 2;;          --image=*) IMAGE="${1#*=}"; shift;;
+    --versions) needval "$@"; VERSIONS="$2"; shift 2;;    --versions=*) VERSIONS="${1#*=}"; shift;;
+    --replicas) needval "$@"; REPLICAS="$2"; shift 2;;    --replicas=*) REPLICAS="${1#*=}"; shift;;
+    --namespace) needval "$@"; NAMESPACE="$2"; shift 2;;  --namespace=*) NAMESPACE="${1#*=}"; shift;;
+    --cluster) needval "$@"; CLUSTER="$2"; shift 2;;      --cluster=*) CLUSTER="${1#*=}"; shift;;
+    --timeout-response) needval "$@"; TIMEOUT_RESPONSE="$2"; shift 2;; --timeout-response=*) TIMEOUT_RESPONSE="${1#*=}"; shift;;
+    --template-repo) needval "$@"; TEMPLATE_REPO="$2"; shift 2;; --template-repo=*) TEMPLATE_REPO="${1#*=}"; shift;;
+    --envoy-namespace) needval "$@"; ENVOY_NAMESPACE="$2"; shift 2;; --envoy-namespace=*) ENVOY_NAMESPACE="${1#*=}"; shift;;
+    --envoy-service) needval "$@"; ENVOY_SERVICE="$2"; shift 2;; --envoy-service=*) ENVOY_SERVICE="${1#*=}"; shift;;
+    --https-port) needval "$@"; HTTPS_PORT="$2"; shift 2;; --https-port=*) HTTPS_PORT="${1#*=}"; shift;;
+    --tls) USE_TLS=true; shift;;                          --no-tls) USE_TLS=false; shift;;
+    --cert) USE_CERT=true; shift;;                        --no-cert) USE_CERT=false; shift;;
+    --pull-bundle) USE_PULL_BUNDLE=true; shift;;          --no-pull-bundle) USE_PULL_BUNDLE=false; shift;;
+    --test-repo) USE_TEST_REPO=true; shift;;              --no-test-repo) USE_TEST_REPO=false; shift;;
+    --expose) DO_EXPOSE=true; shift;;                     --no-expose) DO_EXPOSE=false; shift;;
+    --build-template) DO_BUILD_TEMPLATE=true; shift;;     --no-build-template) DO_BUILD_TEMPLATE=false; shift;;
+    --cluster-manifests) DO_CLUSTER_MANIFESTS=true; shift;; --no-cluster-manifests) DO_CLUSTER_MANIFESTS=false; shift;;
+    -h|--help) usage; exit 0;;
+    *) echo "Unknown flag: $1" >&2; usage; exit 1;;
+  esac
+done
+
+# ─────────────────────────── derived flags ───────────────────────────
 CLUSTER_FLAG=""
-EXPOSE_FLAGS=""
-
-node bin run build-cluster-deployment-manifests
-node bin/build.template --update-private
-
-if [ "$USE_PULL_BUNDLE" = true ]; then
-    DEPLOY_CMD="$LINK_CMD,underpost start --build --run --pull-bundle $DEPLOY_ID $ENV"
-else
-    DEPLOY_CMD="$LINK_CMD,underpost start --build --run $DEPLOY_ID $ENV"
-fi
-
-if [ "$USE_CERT" = true ]; then
-    PROXY_FLAG="--cert"
-fi
-
-if [ "$USE_TLS" = true ]; then
-    PROXY_FLAG="--self-signed"
-fi
-
-node bin deploy $DEPLOY_ID $ENV $CLUSTER_FLAG --sync --build-manifest --image $IMAGE --timeout-response 300000ms --versions $VERSIONS --replicas 1 --cmd "$DEPLOY_CMD"
-node bin deploy $DEPLOY_ID $ENV $CLUSTER_FLAG --disable-update-proxy $PROXY_FLAG
-node bin monitor $DEPLOY_ID $ENV --ready-deployment --promote --timeout-response 300000ms --versions $VERSIONS --replicas 1
-
-node bin run etc-hosts --deploy-id $DEPLOY_ID
-
-# Generate self-signed TLS certs and create k8s TLS secrets for all hosts
-if [ "$USE_TLS" = true ]; then
-    SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-    ENGINE_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
-    SSL_BASE="${ENGINE_DIR}/engine-private/ssl"
-    NAMESPACE=default
-    
-    # Extract hosts from conf.server.json
-    HOSTS=$(node -e "
-      const conf = require('./engine-private/conf/${DEPLOY_ID}/conf.server.json');
-      console.log(Object.keys(conf).join(' '));
-    ")
-    
-    for HOST in $HOSTS; do
-        CERT_DIR="${SSL_BASE}/${HOST}"
-        mkdir -p "$CERT_DIR"
-        
-        # Regenerate self-signed cert (idempotent — overwrites existing files)
-        bash "${SCRIPT_DIR}/ssl.sh" "$CERT_DIR" "$HOST"
-        
-        NAME_SAFE="${HOST//[^a-zA-Z0-9_.-]/_}"
-        CERT_FILE="${CERT_DIR}/${NAME_SAFE}.pem"
-        KEY_FILE="${CERT_DIR}/${NAME_SAFE}-key.pem"
-        
-        # Create / replace k8s TLS secret (name matches host, as referenced by HTTPProxy)
-        kubectl delete secret "$HOST" -n "$NAMESPACE" --ignore-not-found
-        kubectl create secret tls "$HOST" \
-        --cert="$CERT_FILE" \
-        --key="$KEY_FILE" \
-        -n "$NAMESPACE"
+case "$CLUSTER" in
+  kind)    CLUSTER_FLAG="--kind";;
+  kubeadm) CLUSTER_FLAG="--kubeadm";;
+  k3s)     CLUSTER_FLAG="--k3s";;
+  ""|none) CLUSTER_FLAG="";;
+  *) echo "Unknown --cluster: $CLUSTER (expected kind|kubeadm|k3s|none)" >&2; exit 1;;
+esac
+DEV_FLAG=""; [ "$ENV" = development ] && DEV_FLAG="--dev"
+INSTANCES_CONF="./engine-private/conf/${DEPLOY_ID}/conf.instances.json"
+SERVER_CONF="./engine-private/conf/${DEPLOY_ID}/conf.server.json"
+
+echo "[test-monitor] mode=$MODE env=$ENV deploy=$DEPLOY_ID cluster=${CLUSTER:-none} tls=$USE_TLS test-repo=$USE_TEST_REPO expose=$DO_EXPOSE"
+
+# ─────────────────────────── shared helpers ───────────────────────────
+
+# setup_tls_secrets <host> [<host> …] — regenerate self-signed certs and create
+# the per-host k8s TLS secret the HTTPProxy references (name == host).
+setup_tls_secrets() {
+  local ssl_base="${ENGINE_DIR}/engine-private/ssl"
+  for host in "$@"; do
+    local cert_dir="${ssl_base}/${host}"
+    mkdir -p "$cert_dir"
+    bash "${SCRIPT_DIR}/ssl.sh" "$cert_dir" "$host"
+    local name_safe="${host//[^a-zA-Z0-9_.-]/_}"
+    kubectl delete secret "$host" -n "$NAMESPACE" --ignore-not-found
+    kubectl create secret tls "$host" \
+      --cert="${cert_dir}/${name_safe}.pem" \
+      --key="${cert_dir}/${name_safe}-key.pem" \
+      -n "$NAMESPACE"
+  done
+}
+
+# hosts_from <conf.json> — unique hosts declared in a conf.server.json or conf.instances.json.
+hosts_from() {
+  node -e "
+    const c = require('$1');
+    const hosts = Array.isArray(c) ? c.map(i => i.host) : Object.keys(c);
+    console.log([...new Set(hosts)].join(' '));
+  "
+}
+
+# ─────────────────────────── pre-steps ───────────────────────────
+[ "$DO_CLUSTER_MANIFESTS" = true ] && node bin run build-cluster-deployment-manifests
+[ "$DO_BUILD_TEMPLATE" = true ] && node bin/build.template --update-private
+
+# ─────────────────────────── runtime mode ───────────────────────────
+run_runtime_mode() {
+  local link_cmd="cd /home/dd,underpost clone ${TEMPLATE_REPO},cd /home/dd/${TEMPLATE_REPO##*/},npm install,npm link"
+  local deploy_cmd proxy_flag="" expose_flags="" start_flags=""
+
+  # Publish the local engine src to underpostnet/engine-test-<id> so the pod
+  # (started with --private-test-repo) clones this work-in-progress source.
+  [ "$USE_TEST_REPO" = true ] && node bin/build "$DEPLOY_ID" --update-private
+
+  [ "$USE_PULL_BUNDLE" = true ] && start_flags="${start_flags} --pull-bundle"
+  [ "$USE_TEST_REPO" = true ] && start_flags="${start_flags} --private-test-repo"
+  deploy_cmd="${link_cmd},underpost start --build --run${start_flags} ${DEPLOY_ID} ${ENV}"
+
+  [ "$USE_CERT" = true ] && proxy_flag="--cert"
+  [ "$USE_TLS" = true ] && proxy_flag="--self-signed"
+
+  node bin deploy "$DEPLOY_ID" "$ENV" $CLUSTER_FLAG --sync --build-manifest \
+    --image "$IMAGE" --timeout-response "$TIMEOUT_RESPONSE" --versions "$VERSIONS" --replicas "$REPLICAS" --cmd "$deploy_cmd"
+  node bin deploy "$DEPLOY_ID" "$ENV" $CLUSTER_FLAG --disable-update-proxy $proxy_flag
+  node bin monitor "$DEPLOY_ID" "$ENV" --ready-deployment --promote \
+    --timeout-response "$TIMEOUT_RESPONSE" --versions "$VERSIONS" --replicas "$REPLICAS"
+
+  node bin run etc-hosts --deploy-id "$DEPLOY_ID"
+
+  if [ "$USE_TLS" = true ]; then
+    setup_tls_secrets $(hosts_from "$SERVER_CONF")
+    expose_flags="--tls"
+  fi
+  [ "$DO_EXPOSE" = true ] && node bin deploy --expose --local-proxy "$DEPLOY_ID" "$ENV" $expose_flags
+}
+
+# ─────────────────────────── instance mode ───────────────────────────
+run_instance_mode() {
+  [ -f "$INSTANCES_CONF" ] || { echo "Missing $INSTANCES_CONF" >&2; exit 1; }
+  if [ -z "$INSTANCE_IDS" ]; then
+    INSTANCE_IDS=$(node -e "console.log(require('$INSTANCES_CONF').map(i=>i.id).join(','))")
+  fi
+  local tls_flag=""; [ "$USE_TLS" = true ] && tls_flag="--tls --test"
+
+  # `run instance` builds/pulls the image, applies the manifest, monitors with the
+  # kubernetes gate (TCP readinessProbe) + exec status, then promotes traffic.
+  IFS=',' read -ra ids <<< "$INSTANCE_IDS"
+  for id in "${ids[@]}"; do
+    [ -n "$id" ] || continue
+    echo "[test-monitor] deploying instance ${DEPLOY_ID},${id}"
+    node bin run instance "${DEPLOY_ID},${id},${REPLICAS}" \
+      $DEV_FLAG $CLUSTER_FLAG --namespace "$NAMESPACE" --etc-hosts $tls_flag \
+      ${IMAGE:+--image-name "$IMAGE"}
+  done
+
+  [ "$DO_EXPOSE" = true ] || return 0
+  if [ "$USE_TLS" = true ]; then
+    # Instances are routed by the Contour ingress; port-forward Envoy so the
+    # HTTPProxy host routing (server/client.cyberiaonline.com) works locally.
+    echo "[test-monitor] exposing HTTPS via ${ENVOY_NAMESPACE}/${ENVOY_SERVICE} on :${HTTPS_PORT}"
+    sudo kubectl port-forward -n "$ENVOY_NAMESPACE" "svc/${ENVOY_SERVICE}" "${HTTPS_PORT}:443" &
+  else
+    # Plain HTTP: port-forward each instance service port directly.
+    for id in "${ids[@]}"; do
+      [ -n "$id" ] || continue
+      node bin deploy --expose "${DEPLOY_ID}-${id}" "$ENV" --namespace "$NAMESPACE" || true
     done
-    
-    EXPOSE_FLAGS="--tls"
-fi
+  fi
+}
+
+case "$MODE" in
+  runtime)  run_runtime_mode;;
+  instance) run_instance_mode;;
+  *) echo "Unknown --mode: $MODE (expected runtime|instance)" >&2; exit 1;;
+esac
 
-node bin deploy --expose --local-proxy $DEPLOY_ID $ENV $EXPOSE_FLAGS
+echo "[test-monitor] done (mode=$MODE tls=$USE_TLS)"

package/src/cli/deploy.js

@@ -1072,15 +1072,12 @@ EOF`);
       if (options.gitClean && volume.volumeMountPath) {
         Underpost.repo.clean({ paths: [volume.volumeMountPath] });
       }
-      if (options.nodeName) {
-        if (!fs.existsSync(rootVolumeHostPath)) fs.mkdirSync(rootVolumeHostPath, { recursive: true });
-        fs.copySync(volume.volumeMountPath, rootVolumeHostPath);
-      } else if (clusterContext === 'kind') {
-        shellExec(`docker exec -i kind-worker bash -c "mkdir -p ${rootVolumeHostPath}"`);
-        // shellExec(`docker cp ${volume.volumeMountPath} kind-worker:${rootVolumeHostPath}`);
-        shellExec(`tar -C ${volume.volumeMountPath} -c . | docker cp - kind-worker:${rootVolumeHostPath}`);
+      if (clusterContext === 'kind') {
+        const kindNode = options.nodeName || 'kind-worker';
+        shellExec(`docker exec -i ${kindNode} bash -c "mkdir -p ${rootVolumeHostPath}"`);
+        shellExec(`tar -C ${volume.volumeMountPath} -c . | docker cp - ${kindNode}:${rootVolumeHostPath}`);
         shellExec(
-          `docker exec -i kind-worker bash -c "chown -R 1000:1000 ${rootVolumeHostPath}; chmod -R 755 ${rootVolumeHostPath}"`,
+          `docker exec -i ${kindNode} bash -c "chown -R 1000:1000 ${rootVolumeHostPath}; chmod -R 755 ${rootVolumeHostPath}"`,
         );
       } else {
         if (!fs.existsSync(rootVolumeHostPath)) fs.mkdirSync(rootVolumeHostPath, { recursive: true });

package/src/cli/index.js

@@ -70,6 +70,10 @@ program
     '--pull-bundle',
     'Downloads the pre-built client bundle from Cloudinary via pull-bundle before starting. Use together with --skip-full-build to skip the local build entirely.',
   )
+  .option(
+    '--private-test-repo',
+    'During --build, clone the private test source repo (engine-test-<id>) instead of the production engine-<id> repo.',
+  )
   .action(Underpost.start.callback)
   .description('Initiates application servers, build pipelines, or other defined services based on the deployment ID.');
 
@@ -727,6 +731,10 @@ program
     'Explicitly download the pre-built client bundle from Cloudinary inside the container (supported by: sync, template-deploy). Use together with --skip-full-build.',
   )
   .option('--remove', 'Remove/teardown resources')
+  .option(
+    '--test',
+    'Enables test/generic-purpose mode for the runner (e.g. use self-signed TLS instead of cert-manager).',
+  )
   .description('Runs specified scripts using various runners.')
   .action(Underpost.run.callback);