underpost 3.2.8 → 3.2.9

package/src/cli/cluster.js

@@ -172,9 +172,19 @@ class UnderpostCluster {
           const podNetworkCidr = options.podNetworkCidr || '192.168.0.0/16';
           const controlPlaneEndpoint = options.controlPlaneEndpoint || `${os.hostname()}:6443`;
 
-          // Initialize kubeadm control plane
+          // Initialize kubeadm control plane.
+          // Use CRI-O socket when available, otherwise fall back to containerd.
+          const crioSocket = 'unix:///var/run/crio/crio.sock';
+          const containerdSocket = 'unix:///run/containerd/containerd.sock';
+          const criSocket =
+            shellExec(`test -S /var/run/crio/crio.sock && echo crio || echo containerd`, {
+              stdout: true,
+              silent: true,
+            }).trim() === 'crio'
+              ? crioSocket
+              : containerdSocket;
           shellExec(
-            `sudo kubeadm init --pod-network-cidr=${podNetworkCidr} --control-plane-endpoint="${controlPlaneEndpoint}"`,
+            `sudo kubeadm init --pod-network-cidr=${podNetworkCidr} --control-plane-endpoint="${controlPlaneEndpoint}" --cri-socket=${criSocket}`,
           );
           // Configure kubectl for the current user
           Underpost.cluster.chown('kubeadm'); // Pass 'kubeadm' to chown
@@ -389,8 +399,17 @@ EOF
         );
         shellExec(`rm -f ${tarPath}`);
       } else if (options.kubeadm || options.k3s) {
-        // Kubeadm / K3s: use crictl to pull directly into containerd
-        shellExec(`sudo crictl pull ${image}`);
+        // Kubeadm / K3s: use crictl to pull directly into the active CRI runtime.
+        // crictl is not in sudo's secure_path; pass full PATH through env.
+        // Point crictl at CRI-O when the socket exists, otherwise fall back to containerd.
+        const criSock =
+          shellExec(`test -S /var/run/crio/crio.sock && echo crio || echo containerd`, {
+            stdout: true,
+            silent: true,
+          }).trim() === 'crio'
+            ? 'unix:///var/run/crio/crio.sock'
+            : 'unix:///run/containerd/containerd.sock';
+        shellExec(`sudo env PATH="$PATH:/usr/local/bin:/usr/bin" crictl --runtime-endpoint ${criSock} pull ${image}`);
       }
     },
 
@@ -453,12 +472,11 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
       shellExec(`sudo sysctl -w fs.inotify.max_queued_events=2099999999`);
 
       // shellExec(`sudo sysctl --system`); // Apply sysctl changes immediately
-      // Apply NAT iptables rules.
+      // Apply NAT iptables rules and configure firewalld for Kubernetes.
+      // nat-iptables.sh enables firewalld and opens all required ports; do NOT stop it
+      // afterwards — keeping firewalld running with these rules is required for
+      // multi-machine kubeadm inter-node communication.
       shellExec(`${underpostRoot}/scripts/nat-iptables.sh`, { silent: true });
-
-      // Disable firewalld (common cause of network issues in Kubernetes)
-      shellExec(`sudo systemctl stop firewalld`); // Stop if running
-      shellExec(`sudo systemctl disable firewalld`); // Disable from starting on boot
     },
 
     /**
@@ -575,8 +593,10 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         shellExec('sudo systemctl stop kubelet');
         shellExec('sudo systemctl stop docker');
         shellExec('sudo systemctl stop podman');
-        // Safely unmount pod filesystems to avoid errors.
-        shellExec('sudo umount -f /var/lib/kubelet/pods/*/*');
+        // Lazy-unmount all kubelet pod mounts to avoid 'Device or resource busy' on rm.
+        shellExec(
+          `sudo sh -c 'findmnt --raw --noheadings -o TARGET | grep /var/lib/kubelet | sort -r | xargs -r umount -l' 2>/dev/null || true`,
+        );
 
         // Phase 3: Execute official uninstallation commands (type-specific)
         const clusterType = options.clusterType || 'kind';
@@ -584,6 +604,14 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
           `Phase 3/7: Executing official reset/uninstallation commands for cluster type: '${clusterType}'...`,
         );
         if (clusterType === 'kubeadm') {
+          // Kill control plane processes that hold ports (6443, 10257, 10259, 2379, 2380)
+          // so the next `kubeadm init` does not fail with [ERROR Port-xxxx].
+          logger.info('  -> Stopping and killing control plane containers and processes...');
+          shellExec('sudo crictl rm -a -f 2>/dev/null || true');
+          shellExec('sudo crictl rmp -a -f 2>/dev/null || true');
+          shellExec('sudo systemctl stop etcd 2>/dev/null || true');
+          for (const port of [6443, 10259, 10257, 2379, 2380])
+            shellExec(`sudo fuser -k ${port}/tcp 2>/dev/null || true`);
           logger.info('  -> Executing kubeadm reset...');
           shellExec('sudo kubeadm reset --force');
         } else if (clusterType === 'k3s') {
@@ -600,7 +628,12 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         // Remove any leftover configurations and data.
         shellExec('sudo rm -rf /etc/kubernetes/*');
         shellExec('sudo rm -rf /etc/cni/net.d/*');
+        // Second-pass lazy umount before rm to clear any remaining busy mounts.
+        shellExec(
+          `sudo sh -c 'findmnt --raw --noheadings -o TARGET | grep /var/lib/kubelet | sort -r | xargs -r umount -l' 2>/dev/null || true`,
+        );
         shellExec('sudo rm -rf /var/lib/kubelet/*');
+        shellExec('sudo rm -rf /var/lib/etcd');
         shellExec('sudo rm -rf /var/lib/cni/*');
         shellExec('sudo rm -rf /var/lib/docker/*');
         shellExec('sudo rm -rf /var/lib/containerd/*');
@@ -613,11 +646,14 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         // Remove iptables rules and CNI network interfaces.
         shellExec('sudo iptables -F');
         shellExec('sudo iptables -t nat -F');
-        shellExec('sudo ip link del cni0');
-        shellExec('sudo ip link del flannel.1');
+        shellExec('sudo ip link del cni0 2>/dev/null || true');
+        shellExec('sudo ip link del flannel.1 2>/dev/null || true');
+        shellExec('sudo ip link del vxlan.calico 2>/dev/null || true');
+        shellExec('sudo ip link del tunl0 2>/dev/null || true');
 
         logger.info('Phase 6/7: Clean up images');
-        shellExec(`podman rmi $(podman images -qa) --force`);
+        shellExec('sudo podman rmi --all --force 2>/dev/null || true');
+        shellExec('sudo crictl rmi --prune 2>/dev/null || true');
 
         // Phase 6: Reload daemon and finalize
         logger.info('Phase 7/7: Reloading the system daemon and finalizing...');
@@ -687,6 +723,9 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
       // Install Podman
       shellExec(`sudo dnf -y install podman`);
 
+      // Install CRI-O (required for kubeadm with CRI-O socket)
+      shellExec(`node bin run install-crio`);
+
       // Install Kind (Kubernetes in Docker)
       shellExec(`[ $(uname -m) = ${archData.name} ] && curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.29.0/kind-linux-${archData.alias}
 chmod +x ./kind
@@ -744,6 +783,14 @@ EOF`);
       console.log('Removing Podman...');
       shellExec(`sudo dnf -y remove podman`);
 
+      // Remove CRI-O
+      console.log('Removing CRI-O...');
+      shellExec(`sudo systemctl stop crio 2>/dev/null || true`);
+      shellExec(`sudo systemctl disable crio 2>/dev/null || true`);
+      shellExec(`sudo dnf -y remove cri-o`);
+      shellExec(`sudo rm -f /etc/yum.repos.d/cri-o.repo`);
+      shellExec(`sudo rm -f /etc/crictl.yaml`);
+
       // Remove Kubeadm, Kubelet, and Kubectl
       console.log('Removing Kubernetes tools...');
       shellExec(`sudo yum remove -y kubelet kubeadm kubectl`);

package/src/cli/db.js

@@ -839,6 +839,8 @@ class UnderpostDB {
                 pods: podsToProcess.map((p) => p.NAME),
               });
 
+              let exportSucceeded = false;
+
               // Process each pod
               for (const pod of podsToProcess) {
                 logger.info('Processing pod', { podName: pod.NAME, node: pod.NODE, status: pod.STATUS });
@@ -871,7 +873,7 @@ class UnderpostDB {
 
                     if (options.export === true) {
                       const outputPath = options.outPath || toNewSqlPath;
-                      await Underpost.db._exportMariaDB({
+                      const success = await Underpost.db._exportMariaDB({
                         pod,
                         namespace,
                         dbName,
@@ -879,6 +881,7 @@ class UnderpostDB {
                         password,
                         outputPath,
                       });
+                      exportSucceeded = exportSucceeded || success;
                     }
                     break;
                   }
@@ -909,13 +912,14 @@ class UnderpostDB {
 
                     if (options.export === true) {
                       const outputPath = options.outPath || toNewBsonPath;
-                      Underpost.db._exportMongoDB({
+                      const success = Underpost.db._exportMongoDB({
                         pod,
                         namespace,
                         dbName,
                         outputPath,
                         collections: options.collections,
                       });
+                      exportSucceeded = exportSucceeded || success;
                     }
                     break;
                   }
@@ -926,6 +930,10 @@ class UnderpostDB {
                 }
               }
 
+              if (options.export === true && exportSucceeded === true) {
+                Underpost.db._enforceBackupRetention(`../${repoName}/${hostFolder}`);
+              }
+
               // Mark this host+path combination as processed
               processedHostPaths.add(hostPathKey);
             }
@@ -948,6 +956,43 @@ class UnderpostDB {
         throw error;
       }
     },
+    /**
+     * Helper: Removes old timestamp backup folders and keeps only the newest ones.
+     * @method _enforceBackupRetention
+     * @memberof UnderpostDB
+     * @param {string} backupDir - Path to host-folder backup directory.
+     * @param {number} [maxRetention=MAX_BACKUP_RETENTION] - Maximum folders to keep.
+     * @return {number} Number of removed backup folders.
+     */
+    _enforceBackupRetention(backupDir, maxRetention = MAX_BACKUP_RETENTION) {
+      try {
+        if (!fs.existsSync(backupDir)) return 0;
+
+        const timestamps = fs
+          .readdirSync(backupDir)
+          .filter((entry) => /^\d+$/.test(entry))
+          .sort((a, b) => parseInt(b, 10) - parseInt(a, 10));
+
+        if (timestamps.length <= maxRetention) return 0;
+
+        const staleTimestamps = timestamps.slice(maxRetention);
+        staleTimestamps.forEach((timestamp) => {
+          fs.removeSync(`${backupDir}/${timestamp}`);
+        });
+
+        logger.info('Pruned old backup timestamp folders', {
+          backupDir,
+          kept: maxRetention,
+          removed: staleTimestamps.length,
+          removedTimestamps: staleTimestamps,
+        });
+
+        return staleTimestamps.length;
+      } catch (error) {
+        logger.error('Failed to enforce backup retention', { backupDir, maxRetention, error: error.message });
+        return 0;
+      }
+    },
 
     /**
      * Creates cluster metadata for the specified deployment.

package/src/cli/deploy.js

@@ -125,17 +125,39 @@ class UnderpostDeploy {
      * @param {string} namespace - Kubernetes namespace for the deployment.
      * @param {Array<object>} volumes - Volume configurations for the deployment.
      * @param {Array<string>} cmd - Command to run in the deployment container.
+     * @param {boolean} skipFullBuild - Whether to skip the full client bundle build during deployment.
+     * @param {boolean} pullBundle - Whether to pull the pre-built client bundle from Cloudinary before starting. Use together with skipFullBuild to skip the local build entirely.
      * @returns {string} - YAML deployment configuration for the specified deployment.
      * @memberof UnderpostDeploy
      */
-    deploymentYamlPartsFactory({ deployId, env, suffix, resources, replicas, image, namespace, volumes, cmd }) {
+    deploymentYamlPartsFactory({
+      deployId,
+      env,
+      suffix,
+      resources,
+      replicas,
+      image,
+      namespace,
+      volumes,
+      cmd,
+      skipFullBuild,
+      pullBundle,
+    }) {
       if (!cmd)
-        cmd = [
-          // `npm install -g npm@11.2.0`,
-          // `npm install -g underpost`,
-          `underpost secret underpost --create-from-env`,
-          `underpost start --build --run ${deployId} ${env}`,
-        ];
+        cmd =
+          pullBundle || skipFullBuild
+            ? [
+                // When pullBundle (or skipFullBuild) is set the container pulls the pre-built client
+                // bundle from Cloudinary (push-bundle must have been run on the dev machine beforehand).
+                `underpost secret underpost --create-from-env`,
+                `underpost start --build --run --pull-bundle --skip-full-build ${deployId} ${env}`,
+              ]
+            : [
+                // `npm install -g npm@11.2.0`,
+                // `npm install -g underpost`,
+                `underpost secret underpost --create-from-env`,
+                `underpost start --build --run ${deployId} ${env}`,
+              ];
       const packageJson = JSON.parse(fs.readFileSync('./package.json', 'utf8'));
       if (!volumes) volumes = [];
       const confVolume = fs.existsSync(`./engine-private/conf/${deployId}/conf.volume.json`)
@@ -224,6 +246,8 @@ spec:
      * @param {string} [options.retryPerTryTimeout] - Retry per-try timeout setting for the deployment.
      * @param {boolean} [options.disableDeploymentProxy] - Whether to disable deployment proxy.
      * @param {string} [options.traffic] - Traffic status for the deployment.
+     * @param {boolean} [options.skipFullBuild] - Whether to skip the full client bundle build; forwarded to deploymentYamlPartsFactory to generate a pull-bundle startup command.
+     * @param {boolean} [options.pullBundle] - Whether to pull the pre-built client bundle from Cloudinary; forwarded to deploymentYamlPartsFactory. Use together with skipFullBuild.
      * @returns {Promise<void>} - Promise that resolves when the manifest is built.
      * @memberof UnderpostDeploy
      */
@@ -260,6 +284,8 @@ ${Underpost.deploy
     image,
     namespace: options.namespace,
     cmd: options.cmd ? options.cmd.split(',').map((c) => c.trim()) : undefined,
+    skipFullBuild: options.skipFullBuild,
+    pullBundle: options.pullBundle,
   })
   .replace('{{ports}}', buildKindPorts(fromPort, toPort))}
 `;
@@ -553,10 +579,13 @@ spec:
      * @param {string} [options.kindType] - Type of Kubernetes resource to retrieve information for.
      * @param {number} [options.port] - Port number for exposing the deployment.
      * @param {string} [options.cmd] - Custom initialization command for deploymentYamlPartsFactory (comma-separated commands).
+     * @param {number} [options.exposePort] - Local:remote port override when --expose is active (overrides auto-detected service port).
      * @param {boolean} [options.k3s] - Whether to use k3s cluster context.
      * @param {boolean} [options.kubeadm] - Whether to use kubeadm cluster context.
      * @param {boolean} [options.kind] - Whether to use kind cluster context.
      * @param {boolean} [options.gitClean] - Whether to run git clean on volume mount paths before copying.
+     * @param {boolean} [options.skipFullBuild] - Whether to skip the full client bundle build; passed through to buildManifest/deploymentYamlPartsFactory.
+     * @param {boolean} [options.pullBundle] - Whether to pull the pre-built client bundle from Cloudinary; passed through to buildManifest/deploymentYamlPartsFactory. Use together with skipFullBuild.
      * @returns {Promise<void>} - Promise that resolves when the deployment process is complete.
      * @memberof UnderpostDeploy
      */

package/src/cli/fs.js

@@ -150,8 +150,12 @@ class UnderpostFileStorage {
           } else pullSkipCount++;
         }
         if (pullSkipCount > 0) logger.warn(`Pull skipped ${pullSkipCount} files that already exist`);
-        Underpost.repo.initLocalRepo({ path });
-        shellExec(`cd ${path} && git add . && git commit -m "Base pull state"`);
+        // Only run git init/commit when the caller explicitly requests git tracking (--git flag).
+        // For bundle pulls into ./build the git step is unwanted and would error on a non-repo path.
+        if (options.git === true) {
+          Underpost.repo.initLocalRepo({ path });
+          shellExec(`cd ${path} && git add . && git commit -m "Base pull state"`);
+        }
       } else {
         const files =
           options.git === true ? Underpost.repo.getChangedFiles(path) : await fs.readdir(path, { recursive: true });
@@ -203,11 +207,13 @@ class UnderpostFileStorage {
      * @description Uploads a file to Cloudinary.
      * @param {string} path - The path to the file to upload.
      * @param {object} [options] - An object containing options for the upload.
-     * @param {boolean} [options.force=false] - Flag to force file operations.
+     * @param {string} [options.deployId=''] - The identifier for the deployment (used to locate the storage config file).
+     * @param {boolean} [options.force=false] - Flag to force file operations (overwrites existing remote asset).
      * @param {string} [options.storageFilePath=''] - The path to the storage configuration file.
      * @returns {Promise<object>} A promise that resolves to the upload result.
      * @memberof UnderpostFileStorage
      */
+
     async upload(
       path,
       options = { rm: false, recursive: false, deployId: '', force: false, pull: false, storageFilePath: '' },
@@ -235,6 +241,7 @@ class UnderpostFileStorage {
      * @param {string} path - The path to the file to pull.
      * @param {object} [options] - Pull options.
      * @param {boolean} [options.omitUnzip=false] - If true, do not extract zip and keep downloaded zip file.
+     * @param {boolean} [options.force=false] - If true, re-download even if the local zip already exists.
      * @returns {Promise<void>} A promise that resolves when the file is pulled.
      * @memberof UnderpostFileStorage
      */
@@ -264,6 +271,13 @@ class UnderpostFileStorage {
       path = Underpost.fs.zip2File(zipPath);
       fs.removeSync(`${path}.zip`);
     },
+    /**
+     * @method delete
+     * @description Deletes a file from Cloudinary by its public ID.
+     * @param {string} path - The path (public ID) of the file to delete.
+     * @returns {Promise<object>} A promise that resolves to the Cloudinary delete result.
+     * @memberof UnderpostFileStorage
+     */
     async delete(path) {
       Underpost.fs.cloudinaryConfig();
       const deleteResult = await cloudinary.api

package/src/cli/index.js

@@ -66,6 +66,10 @@ program
   .option('--underpost-quickly-install', 'Uses Underpost Quickly Install for dependency installation.')
   .option('--skip-pull-base', 'Skips cloning repositories, uses current workspace code directly.')
   .option('--skip-full-build', 'Skips the full client bundle build during deployment.')
+  .option(
+    '--pull-bundle',
+    'Downloads the pre-built client bundle from Cloudinary via pull-bundle before starting. Use together with --skip-full-build to skip the local build entirely.',
+  )
   .action(Underpost.start.callback)
   .description('Initiates application servers, build pipelines, or other defined services based on the deployment ID.');
 
@@ -230,6 +234,7 @@ program
   .option('--ban-egress-clear', 'Clears all banned egress IP addresses.')
   .option('--ban-both-add', 'Adds IP addresses to both banned ingress and egress lists.')
   .option('--ban-both-remove', 'Removes IP addresses from both banned ingress and egress lists.')
+  .option('--mac', 'Prints the MAC address of the main network interface.')
   .description('Displays the current public machine IP addresses.')
   .action(Underpost.dns.ipDispatcher);
 
@@ -333,6 +338,14 @@ program
     'Sets the local:remote port to expose when --expose is active (overrides auto-detected service port).',
   )
   .option('--cmd <cmd>', 'Custom initialization command for deployment (comma-separated commands).')
+  .option(
+    '--skip-full-build',
+    'Skip client bundle rebuild; container will pull pre-built bundle via pull-bundle instead.',
+  )
+  .option(
+    '--pull-bundle',
+    'Explicitly pull the pre-built client bundle from Cloudinary inside the container. Use together with --skip-full-build.',
+  )
   .description('Manages application deployments, defaulting to deploying development pods.')
   .action(Underpost.deploy.callback);
 
@@ -661,6 +674,14 @@ program
       '(e.g., "127.0.0.1=foo.local,bar.local;10.1.2.3=foo.remote,bar.remote").',
   )
   .option('--copy', 'Copies the runner output to the clipboard (supported by: generate-pass, template-deploy-local).')
+  .option(
+    '--skip-full-build',
+    'Skip client bundle rebuild; triggers pull-bundle in container startup (supported by: sync, template-deploy).',
+  )
+  .option(
+    '--pull-bundle',
+    'Explicitly download the pre-built client bundle from Cloudinary inside the container (supported by: sync, template-deploy). Use together with --skip-full-build.',
+  )
   .description('Runs specified scripts using various runners.')
   .action(Underpost.run.callback);
 

package/src/cli/repository.js

@@ -401,6 +401,7 @@ class UnderpostRepository {
 
     /**
      * Retrieves the message of the last Git commit.
+     * @param {number} [skip=0] - Number of commits to skip from HEAD (0 = most recent).
      * @returns {string} The last commit message.
      * @memberof UnderpostRepository
      */
@@ -949,6 +950,7 @@ Prevent build private config repo.`,
     /**
      * Retrieves the Git commit history.
      * @param {number} [sinceCommit=1] - The number of recent commits to retrieve.
+     * @param {string} [repoPath='.'] - The path to the repository.
      * @returns {Array<{hash: string, message: string, files: string}>} An array of commit objects with hash, message, and files.
      * @memberof UnderpostRepository
      */
@@ -1270,19 +1272,10 @@ Prevent build private config repo.`,
     },
 
     /**
-     * Returns metadata about unpushed commits in a git repository.
-     * Fetches from origin, then counts commits ahead of the remote branch.
-     * @param {string} [repoPath='.'] - Path to the git repository.
-     * @param {number} [fallback=1] - Value to return as `count` when no unpushed commits are detected.
-     * @returns {{ count: number, branch: string, hasUnpushed: boolean }} Unpush metadata.
-     * @memberof UnderpostRepository
-     */
-    /**
-     * Checks whether a remote Git repository URL is reachable.
-     * Uses `git ls-remote` with `|| true` so the process always exits 0.
-     * Injects `GITHUB_TOKEN` into GitHub HTTPS URLs when available.
-     * @param {string} url - Full HTTPS clone URL to test (e.g. "https://github.com/org/repo.git").
-     * @returns {boolean} `true` when the remote responded with at least one ref hash.
+     * Resolves a Git remote URL, normalizing short-form owner/repo references to full
+     * GitHub HTTPS URLs and injecting GITHUB_TOKEN when available.
+     * @param {string} url - The repository URL or short-form (e.g. "owner/repo" or full HTTPS URL).
+     * @returns {string} The resolved (and optionally authenticated) HTTPS URL.
      * @memberof UnderpostRepository
      */
     resolveAuthUrl(url) {
@@ -1300,7 +1293,14 @@ Prevent build private config repo.`,
       }
       return normalized;
     },
-
+    /**
+     * Checks whether a remote Git repository URL is reachable.
+     * Uses `git ls-remote` with `|| true` so the process always exits 0.
+     * Injects `GITHUB_TOKEN` into GitHub HTTPS URLs when available.
+     * @param {string} url - Full HTTPS clone URL to test (e.g. "https://github.com/org/repo.git").
+     * @returns {boolean} `true` when the remote responded with at least one ref hash.
+     * @memberof UnderpostRepository
+     */
     isRemoteRepo(url) {
       if (!url) return false;
       const authUrl = Underpost.repo.resolveAuthUrl(url);
@@ -1314,6 +1314,14 @@ Prevent build private config repo.`,
       return typeof raw === 'string' && /^[0-9a-f]{40}\t/m.test(raw);
     },
 
+    /**
+     * Returns metadata about unpushed commits in a git repository.
+     * Fetches from origin, then counts commits ahead of the remote branch.
+     * @param {string} [repoPath='.'] - Path to the git repository.
+     * @param {number} [fallback=1] - Value to return as `count` when no unpushed commits are detected.
+     * @returns {{ count: number, branch: string, hasUnpushed: boolean }} Unpush metadata.
+     * @memberof UnderpostRepository
+     */
     getUnpushedCount(repoPath = '.', fallback = 1) {
       const branch = shellExec(`cd ${repoPath} && git branch --show-current`, {
         stdout: true,
@@ -1353,19 +1361,6 @@ Prevent build private config repo.`,
         .trim()
         .replaceAll('] - ', '] ');
     },
-
-    /**
-     * Manages a cron-backup Git repository: clone, pull, commit, or push.
-     * Resolves the repository path as `../<repoName>` relative to the CWD.
-     * Requires the `GITHUB_USERNAME` environment variable to be set.
-     * @param {object} params
-     * @param {string} params.repoName - Repository name (e.g. `engine-cyberia-cron-backups`).
-     * @param {'clone'|'pull'|'commit'|'push'} params.operation - Git operation to perform.
-     * @param {string} [params.message=''] - Commit message (used by the `commit` operation).
-     * @param {boolean} [params.forceClone=false] - Remove existing clone before re-cloning.
-     * @returns {boolean} `true` on success, `false` if GITHUB_USERNAME is unset or on error.
-     * @memberof UnderpostRepository
-     */
     /**
      * Initializes a git repository at the given path and configures user identity
      * from environment variables (`GITHUB_USERNAME` / `GITHUB_EMAIL`).
@@ -1398,7 +1393,18 @@ Prevent build private config repo.`,
         }
       }
     },
-
+    /**
+     * Manages a cron-backup Git repository: clone, pull, commit, or push.
+     * Resolves the repository path as `../<repoName>` relative to the CWD.
+     * Requires the `GITHUB_USERNAME` environment variable to be set.
+     * @param {object} params
+     * @param {string} params.repoName - Repository name (e.g. `engine-cyberia-cron-backups`).
+     * @param {'clone'|'pull'|'commit'|'push'} params.operation - Git operation to perform.
+     * @param {string} [params.message=''] - Commit message (used by the `commit` operation).
+     * @param {boolean} [params.forceClone=false] - Remove existing clone before re-cloning.
+     * @returns {boolean} `true` on success, `false` if GITHUB_USERNAME is unset or on error.
+     * @memberof UnderpostRepository
+     */
     manageBackupRepo({ repoName, operation, message = '', forceClone = false }) {
       try {
         const username = process.env.GITHUB_USERNAME;