underpost 3.2.9 → 3.2.10

package/src/api/user/user.service.js

@@ -1,3 +1,12 @@
+/**
+ * User service module for handling user account operations.
+ * Provides REST API handlers for authentication, registration, profile management,
+ * email verification, password recovery, and guest user lifecycle management.
+ *
+ * @module src/api/user/user.service.js
+ * @namespace UserService
+ */
+
 import { loggerFactory } from '../../server/logger.js';
 import { DataQuery } from '../../server/data-query.js';
 import {
@@ -15,21 +24,40 @@ import { MailerProvider } from '../../mailer/MailerProvider.js';
 import { CoreWsEmitter } from '../../ws/core/core.ws.emit.js';
 import { CoreWsMailerChannel } from '../../ws/core/channels/core.ws.mailer.js';
 import validator from 'validator';
-import { DataBaseProvider } from '../../db/DataBaseProvider.js';
+import { DataBaseProviderService } from '../../db/DataBaseProvider.js';
 import { FileFactory, FileCleanup } from '../file/file.service.js';
 import { UserDto } from './user.model.js';
 import { timer } from '../../client/components/core/CommonJs.js';
 import { GuestService } from './guest.service.js';
+import { resolveHostKeyContext } from '../../server/conf.js';
 
 const logger = loggerFactory(import.meta);
 
-const UserService = {
-  post: async (req, res, options) => {
-    /** @type {import('./user.model.js').UserModel} */
-    const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
-
+/**
+ * User Service for handling REST API user operations.
+ * Manages authentication, registration, profile CRUD, email verification,
+ * password recovery, session management, and guest user lifecycle.
+ * @namespace UserService
+ */
+class UserService {
+  /**
+   * POST - Create or authenticate users.
+   * Supports authentication, guest account creation, email verification,
+   * and password recovery email sending.
+   * @async
+   * @function post
+   * @memberof UserService
+   * @param {Object} req - Express request object.
+   * @param {Object} res - Express response object.
+   * @param {Object} options - Request options containing host and path.
+   * @returns {Promise<Object>} User data with auth token, or status message.
+   * @throws {Error} If authentication fails, email is invalid, or email send error.
+   */
+  static post = async (req, res, options) => {
     /** @type {import('../file/file.model.js').FileModel} */
-    const File = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.File;
+    const File = DataBaseProviderService.getModel('File', options);
+    /** @type {import('./user.model.js').UserModel} */
+    const User = DataBaseProviderService.getModel('User', options);
 
     if (req.params.id === 'recover-verify-email') {
       const user = await User.findOne({
@@ -44,11 +72,10 @@ const UserService = {
 
       const token = jwtSign({ email: req.body.email }, options, 15);
       const payloadToken = jwtSign({ email: req.body.email }, options, 15);
-      const id = `${options.host}${options.path}`;
+      const id = resolveHostKeyContext(options);
       const translate = MailerProvider.instance[id].translateTemplates.recoverEmail;
-      const recoverUrl = `${process.env.NODE_ENV === 'development' ? 'http://' : 'https://'}${req.body.hostname}${
-        req.body.proxyPath
-      }recover?payload=${payloadToken}`;
+      const recoverUrl = `${process.env.NODE_ENV === 'development' ? 'http://' : 'https://'}${req.body.hostname}${req.body.proxyPath
+        }recover?payload=${payloadToken}`;
       const sendResult = await MailerProvider.send({
         id,
         sendOptions: {
@@ -81,7 +108,7 @@ const UserService = {
       if (!validator.isEmail(req.body.email)) throw { message: 'invalid email' };
 
       const token = jwtSign({ email: req.body.email }, options, 15);
-      const id = `${options.host}${options.path}`;
+      const id = resolveHostKeyContext(options);
       const user = await User.findById(req.auth.user._id);
 
       if (user.emailConfirmed) throw new Error('email already confirmed');
@@ -130,10 +157,9 @@ const UserService = {
         });
         const getMinutesRemaining = () => (-1 * user.failedLoginAttempts - new Date().getTime()) / (1000 * 60);
         const accountLocketMessage = () =>
-          `Account locked. Please try again in: ${
-            getMinutesRemaining() < 1
-              ? `${(getMinutesRemaining() * 60).toFixed(0)} s`
-              : `${getMinutesRemaining().toFixed(0)} min`
+          `Account locked. Please try again in: ${getMinutesRemaining() < 1
+            ? `${(getMinutesRemaining() * 60).toFixed(0)} s`
+            : `${getMinutesRemaining().toFixed(0)} min`
           }.`;
 
         if (user) {
@@ -231,13 +257,27 @@ const UserService = {
       default:
         return await createUserAndSession(req, res, User, options);
     }
-  },
-  get: async (req, res, options) => {
-    /** @type {import('./user.model.js').UserModel} */
-    const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
-
+  };
+
+  /**
+   * GET - Retrieve user data.
+   * Supports public profile lookup by username, asset retrieval,
+   * email lookup, password recovery flow, email verification,
+   * admin user listing, authentication refresh, and profile retrieval.
+   * @async
+   * @function get
+   * @memberof UserService
+   * @param {Object} req - Express request object.
+   * @param {Object} res - Express response object.
+   * @param {Object} options - Request options containing host and path.
+   * @returns {Promise<Object>} User data with optional session token.
+   * @throws {Error} If user not found, profile is private, or token invalid.
+   */
+  static get = async (req, res, options) => {
     /** @type {import('../file/file.model.js').FileModel} */
-    const File = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.File;
+    const File = DataBaseProviderService.getModel('File', options);
+    /** @type {import('./user.model.js').UserModel} */
+    const User = DataBaseProviderService.getModel('User', options);
 
     if (req.path.startsWith('/u/')) {
       // First lookup user by username
@@ -309,7 +349,7 @@ const UserService = {
         {
           const user = await User.findByIdAndUpdate(_id, { emailConfirmed: true }, { runValidators: true });
         }
-        const userWsId = CoreWsMailerChannel.getUserWsId(`${options.host}${options.path}`, user._id.toString());
+        const userWsId = CoreWsMailerChannel.getUserWsId(resolveHostKeyContext(options), user._id.toString());
         if (userWsId && CoreWsMailerChannel.client[userWsId]) {
           CoreWsEmitter.emit(CoreWsMailerChannel.channel, CoreWsMailerChannel.client[userWsId], {
             status: 'email-confirmed',
@@ -384,10 +424,23 @@ const UserService = {
         }
       }
     }
-  },
-  delete: async (req, res, options) => {
+  };
+
+  /**
+   * DELETE - Remove user accounts or log out sessions.
+   * Supports admin bulk deletion, user self-deletion, and session logout.
+   * @async
+   * @function delete
+   * @memberof UserService
+   * @param {Object} req - Express request object.
+   * @param {Object} res - Express response object.
+   * @param {Object} options - Request options containing host and path.
+   * @returns {Promise<Object>} Deleted user data or logout status message.
+   * @throws {Error} If logout fails, user not found, or token invalid.
+   */
+  static delete = async (req, res, options) => {
     /** @type {import('./user.model.js').UserModel} */
-    const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
+    const User = DataBaseProviderService.getModel('User', options);
 
     if (req.params.id === 'logout') {
       const result = await logoutSession(User, req, res);
@@ -417,13 +470,25 @@ const UserService = {
         }
       }
     }
-  },
-  put: async (req, res, options) => {
-    /** @type {import('./user.model.js').UserModel} */
-    const User = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.User;
-
+  };
+
+  /**
+   * PUT - Update user data.
+   * Supports profile image upload, password recovery, and profile field updates.
+   * @async
+   * @function put
+   * @memberof UserService
+   * @param {Object} req - Express request object.
+   * @param {Object} res - Express response object.
+   * @param {Object} options - Request options containing host and path.
+   * @returns {Promise<Object>} Updated user data.
+   * @throws {Error} If user not found, token invalid, or invalid file.
+   */
+  static put = async (req, res, options) => {
     /** @type {import('../file/file.model.js').FileModel} */
-    const File = DataBaseProvider.instance[`${options.host}${options.path}`].mongoose.models.File;
+    const File = DataBaseProviderService.getModel('File', options);
+    /** @type {import('./user.model.js').UserModel} */
+    const User = DataBaseProviderService.getModel('User', options);
 
     // req.path | req.baseUrl
 
@@ -511,7 +576,7 @@ const UserService = {
         }
       }
     }
-  },
-};
+  };
+}
 
-export { UserService };
+export { UserService };

package/src/cli/baremetal.js

@@ -356,7 +356,7 @@ class UnderpostBaremetal {
 
         // Build phase (skip if upload-only mode)
         if (options.packerMaasImageBuild) {
-          if (shellExec('packer version').code !== 0) {
+          if (shellExec('packer version', { silentOnError: true }).code !== 0) {
             throw new Error('Packer is not installed. Please install Packer to proceed.');
           }
 
@@ -424,7 +424,9 @@ rm -rf ${artifacts.join(' ')}`);
         const uploadCmd = `${uploadScript} ${process.env.MAAS_ADMIN_USERNAME} "${workflow.maas.name}" "${workflow.maas.title}" "${workflow.maas.architecture}" "${workflow.maas.base_image}" "${workflow.maas.filetype}" "${tarballPath}"`;
 
         logger.info(`Uploading to MAAS using: ${uploadScript}`);
-        const uploadResult = shellExec(uploadCmd);
+        // silentOnError: caller logs stdout/stderr structure on failure
+        // before throwing its own, more informative error.
+        const uploadResult = shellExec(uploadCmd, { silentOnError: true });
         if (uploadResult.code !== 0) {
           logger.error(`Upload failed with exit code: ${uploadResult.code}`);
           if (uploadResult.stdout) {
@@ -2895,9 +2897,16 @@ EOF`);
           for (const mountPath of mounts[mountCmd]) {
             const hostMountPath = `${process.env.NFS_EXPORT_PATH}/${hostname}${mountPath}`;
             // Check if the path is already mounted using `mountpoint` command.
-            const isPathMounted = !shellExec(`mountpoint ${hostMountPath}`, { silent: true, stdout: true }).match(
-              'not a mountpoint',
-            );
+            // `mountpoint` exits 1 when the path is not a mountpoint — silentOnError
+            // prevents ShellExecError so we can inspect stdout/stderr for the string.
+            const mountpointOut = shellExec(`mountpoint ${hostMountPath}`, {
+              silent: true,
+              stdout: true,
+              silentOnError: true,
+            });
+            const isPathMounted = typeof mountpointOut === 'string' && mountpointOut.length > 0
+              ? !mountpointOut.match('not a mountpoint') && !mountpointOut.match('No such file')
+              : false;
 
             if (isPathMounted) {
               logger.warn('Nfs path already mounted', mountPath);
@@ -3041,10 +3050,10 @@ udp-port = 32766
         // Check both /usr/local/bin (compiled) and system paths
         let qemuAarch64Path = null;
 
-        if (shellExec('test -x /usr/local/bin/qemu-system-aarch64').code === 0) {
+        if (shellExec('test -x /usr/local/bin/qemu-system-aarch64', { silentOnError: true }).code === 0) {
           qemuAarch64Path = '/usr/local/bin/qemu-system-aarch64';
-        } else if (shellExec('which qemu-system-aarch64').code === 0) {
-          qemuAarch64Path = shellExec('which qemu-system-aarch64').stdout.trim();
+        } else if (shellExec('which qemu-system-aarch64', { silentOnError: true }).code === 0) {
+          qemuAarch64Path = shellExec('which qemu-system-aarch64', { stdout: true }).trim();
         }
 
         if (!qemuAarch64Path) {
@@ -3070,10 +3079,10 @@ udp-port = 32766
         // Check both /usr/local/bin (compiled) and system paths
         let qemuX86Path = null;
 
-        if (shellExec('test -x /usr/local/bin/qemu-system-x86_64').code === 0) {
+        if (shellExec('test -x /usr/local/bin/qemu-system-x86_64', { silentOnError: true }).code === 0) {
           qemuX86Path = '/usr/local/bin/qemu-system-x86_64';
-        } else if (shellExec('which qemu-system-x86_64').code === 0) {
-          qemuX86Path = shellExec('which qemu-system-x86_64').stdout.trim();
+        } else if (shellExec('which qemu-system-x86_64', { silentOnError: true }).code === 0) {
+          qemuX86Path = shellExec('which qemu-system-x86_64', { stdout: true }).trim();
         }
 
         if (!qemuX86Path) {

package/src/cli/cluster.js

@@ -7,6 +7,8 @@
 import { getNpmRootPath } from '../server/conf.js';
 import { loggerFactory } from '../server/logger.js';
 import { shellExec } from '../server/process.js';
+import { MONGODB_DEFAULT_REPLICA_COUNT } from '../db/mongo/MongooseDB.js';
+import { MongoBootstrap } from '../db/mongo/MongoBootstrap.js';
 import os from 'os';
 import fs from 'fs-extra';
 import Underpost from '../index.js';
@@ -22,6 +24,7 @@ const logger = loggerFactory(import.meta);
  */
 class UnderpostCluster {
   static API = {
+
     /**
      * @method init
      * @description Initializes and configures the Kubernetes cluster based on provided options.
@@ -41,6 +44,7 @@ class UnderpostCluster {
      * @param {boolean} [options.certManager=false] - Deploy Cert-Manager for certificate management.
      * @param {boolean} [options.listPods=false] - List Kubernetes pods.
      * @param {boolean} [options.reset=false] - Perform a comprehensive reset of Kubernetes and container environments.
+     * @param {boolean} [options.resetMongodb=false] - Perform a targeted reset of MongoDB components without restarting the entire cluster.
      * @param {boolean} [options.dev=false] - Run in development mode (adjusts paths).
      * @param {string} [options.nsUse=''] - Set the current kubectl namespace (creates namespace if it doesn't exist).
      * @param {string} [options.namespace='default'] - Kubernetes namespace for cluster operations.
@@ -78,6 +82,7 @@ class UnderpostCluster {
         certManager: false,
         listPods: false,
         reset: false,
+        resetMongodb: false,
         dev: false,
         nsUse: '',
         namespace: 'default',
@@ -120,6 +125,7 @@ class UnderpostCluster {
         const namespaceExists = shellExec(`kubectl get namespace ${options.nsUse} --ignore-not-found -o name`, {
           stdout: true,
           silent: true,
+          silentOnError: true,
         }).trim();
 
         if (!namespaceExists) {
@@ -145,6 +151,16 @@ class UnderpostCluster {
         });
       }
 
+      // Targeted MongoDB-only reset (does not restart the whole node)
+      if (options.resetMongodb) {
+        const clusterType = options.k3s ? 'k3s' : options.kubeadm ? 'kubeadm' : 'kind';
+        return await MongoBootstrap.reset({
+          namespace: options.namespace,
+          clusterType,
+          underpostRoot,
+        });
+      }
+
       // Check if a cluster (Kind, Kubeadm, or K3s) is already initialized
       const alreadyKubeadmCluster = Underpost.kubectl.get('calico-kube-controllers')[0];
       const alreadyKindCluster = Underpost.kubectl.get('kube-apiserver-kind-control-plane')[0];
@@ -208,15 +224,40 @@ class UnderpostCluster {
             `kubectl apply -f https://cdn.jsdelivr.net/gh/rancher/local-path-provisioner@master/deploy/local-path-storage.yaml`,
           );
         } else {
-          // Kind cluster initialization (if not using kubeadm or k3s)
+          // Kind cluster initialization (default for development)
           logger.info('Initializing Kind cluster...');
-          shellExec(
-            `cd ${underpostRoot}/manifests && kind create cluster --config kind-config${
-              options.dev ? '-dev' : ''
-            }.yaml`,
-          );
+          const devReplicaCount = Math.max(Number(options.replicas) || MONGODB_DEFAULT_REPLICA_COUNT, 3);
+          shellExec(`sudo mkdir -p /data/mongodb`);
+          for (let index = 0; index < devReplicaCount; index++) {
+            shellExec(`sudo mkdir -p /data/mongodb/v${index}`);
+          }
+          const kindCreateCmd = `cd ${underpostRoot}/manifests && kind create cluster --config kind-config-dev.yaml`;
+          try {
+            shellExec(kindCreateCmd);
+          } catch (error) {
+            const kindCreateErrText = `${error?.message || ''}\n${error?.stderr || ''}`;
+            if (kindCreateErrText.includes('all predefined address pools have been fully subnetted')) {
+              logger.warn('Docker address pool exhausted while creating Kind cluster. Running cleanup and retrying once...');
+              Underpost.cluster.recoverKindDockerNetworks();
+              try {
+                shellExec(kindCreateCmd);
+              } catch (retryError) {
+                const retryErrText = `${retryError?.message || ''}\n${retryError?.stderr || ''}`;
+                if (retryErrText.includes('all predefined address pools have been fully subnetted')) {
+                  logger.warn('Kind retry still failed from pool exhaustion. Applying Docker daemon address-pool config and retrying once more...');
+                  Underpost.cluster.ensureDockerDefaultAddressPools();
+                  shellExec(kindCreateCmd);
+                } else {
+                  throw retryError;
+                }
+              }
+            } else {
+              throw error;
+            }
+          }
           Underpost.cluster.chown('kind'); // Pass 'kind' to chown
         }
+        Underpost.cluster.natSetup({ underpostRoot });
       }
 
       // --- Optional Component Deployments (Databases, Ingress, Cert-Manager) ---
@@ -317,33 +358,16 @@ EOF
           );
         }
       } else if (options.mongodb) {
-        if (options.pullImage) Underpost.cluster.pullImage('mongo:latest', options);
-        shellExec(
-          `sudo kubectl create secret generic mongodb-keyfile --from-file=/home/dd/engine/engine-private/mongodb-keyfile --dry-run=client -o yaml | kubectl apply -f - -n ${options.namespace}`,
-        );
-        shellExec(
-          `sudo kubectl create secret generic mongodb-secret --from-file=username=/home/dd/engine/engine-private/mongodb-username --from-file=password=/home/dd/engine/engine-private/mongodb-password --dry-run=client -o yaml | kubectl apply -f - -n ${options.namespace}`,
-        );
-        shellExec(`kubectl delete statefulset mongodb -n ${options.namespace} --ignore-not-found`);
-        shellExec(`kubectl apply -f ${underpostRoot}/manifests/mongodb/storage-class.yaml -n ${options.namespace}`);
-        shellExec(`kubectl apply -k ${underpostRoot}/manifests/mongodb -n ${options.namespace}`);
-
-        const successInstance = await Underpost.test.statusMonitor('mongodb-0', 'Running', 'pods', 1000, 60 * 10);
-
-        if (successInstance) {
-          if (!options.mongoDbHost) options.mongoDbHost = 'mongodb-0.mongodb-service';
-          const mongoConfig = {
-            _id: 'rs0',
-            members: options.mongoDbHost.split(',').map((host, index) => ({ _id: index, host: `${host}:27017` })),
-          };
-
-          shellExec(
-            `sudo kubectl exec -i mongodb-0 -- mongosh --quiet --json=relaxed \
-        --eval 'use admin' \
-        --eval 'rs.initiate(${JSON.stringify(mongoConfig)})' \
-        --eval 'rs.status()'`,
-          );
-        }
+        const clusterType = options.k3s ? 'k3s' : options.kubeadm ? 'kubeadm' : 'kind';
+        await MongoBootstrap.initReplicaSet({
+          namespace: options.namespace,
+          replicaCount: Number(options.replicas) || MONGODB_DEFAULT_REPLICA_COUNT,
+          mongoDbHost: options.mongoDbHost || '',
+          pullImage: options.pullImage,
+          reset: options.reset,
+          clusterType,
+          underpostRoot,
+        });
       }
 
       if (options.contour) {
@@ -419,7 +443,8 @@ EOF
      * This method ensures proper SELinux, Docker, Containerd, and Sysctl settings
      * are applied for a healthy Kubernetes environment. It explicitly avoids
      * iptables flushing commands to prevent conflicts with Kubernetes' own network management.
-     * @param {string} underpostRoot - The root directory of the underpost project.
+     * @param {object} [options] - Configuration options for host setup.
+     * @param {string} [options.underpostRoot] - The root path of the underpost project, used for locating scripts if needed.
      * @memberof UnderpostCluster
      */
     config(options = { underpostRoot: '.' }) {
@@ -451,6 +476,27 @@ EOF
       // Reload systemd daemon to pick up new unit files/changes
       shellExec(`sudo systemctl daemon-reload`);
 
+      // Increase inotify limits
+      shellExec(`sudo sysctl -w fs.inotify.max_user_watches=2099999999`);
+      shellExec(`sudo sysctl -w fs.inotify.max_user_instances=2099999999`);
+      shellExec(`sudo sysctl -w fs.inotify.max_queued_events=2099999999`);
+
+    },
+
+    /**
+     * @method natSetup
+     * @description Configures NAT and iptables settings for Kubernetes networking.
+     * This method enables necessary sysctl settings for bridge networking and applies iptables rules
+     * required for Kubernetes cluster communication. It is designed to work with kubeadm and k3s clusters, ensuring that
+     * traffic through Linux bridges is processed by iptables, which is crucial for CNI plugins to function correctly.
+     * The method also applies NAT iptables rules and configures firewalld for Kubernetes, which is required for multi-machine kubeadm inter-node communication.
+     * Note: This method should be called after the cluster is initialized and before deploying any workloads that require network communication.
+     * @param {object} [options] - Configuration options for NAT setup.
+     * @param {string} [options.underpostRoot] - The root path of the underpost project, used to locate the nat-iptables.sh script.
+     * @memberof UnderpostCluster
+     */
+    natSetup(options = { underpostRoot: '.' }) {
+      const { underpostRoot } = options;
       // Enable bridge-nf-call-iptables for Kubernetes networking
       // This ensures traffic through Linux bridges is processed by iptables (crucial for CNI)
       for (const iptableConfPath of [
@@ -465,12 +511,6 @@ net.bridge.bridge-nf-call-arptables = 1
 net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
           { silent: true },
         );
-
-      // Increase inotify limits
-      shellExec(`sudo sysctl -w fs.inotify.max_user_watches=2099999999`);
-      shellExec(`sudo sysctl -w fs.inotify.max_user_instances=2099999999`);
-      shellExec(`sudo sysctl -w fs.inotify.max_queued_events=2099999999`);
-
       // shellExec(`sudo sysctl --system`); // Apply sysctl changes immediately
       // Apply NAT iptables rules and configure firewalld for Kubernetes.
       // nat-iptables.sh enables firewalld and opens all required ports; do NOT stop it
@@ -553,6 +593,10 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         // Phase 1: Clean up Persistent Volumes with hostPath
         // This targets data created by Kubernetes Persistent Volumes that use hostPath.
         logger.info('Phase 1/7: Cleaning Kubernetes hostPath volumes...');
+        if ((options.clusterType || 'kind') === 'kind') {
+          logger.info('  -> Kind detected: cleaning node-local MongoDB hostPath directories...');
+          Underpost.cluster.cleanKindMongoHostPaths({ basePath: '/data/mongodb', replicaCount: 3 });
+        }
         if (options.removeVolumeHostPaths)
           try {
             const pvListJson = shellExec(`kubectl get pv -o json || echo '{"items":[]}'`, {
@@ -595,7 +639,8 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         shellExec('sudo systemctl stop podman');
         // Lazy-unmount all kubelet pod mounts to avoid 'Device or resource busy' on rm.
         shellExec(
-          `sudo sh -c 'findmnt --raw --noheadings -o TARGET | grep /var/lib/kubelet | sort -r | xargs -r umount -l' 2>/dev/null || true`,
+          `sudo sh -c 'findmnt --raw --noheadings -o TARGET | grep /var/lib/kubelet | sort -r | xargs -r umount -l'`,
+          { silentOnError: true },
         );
 
         // Phase 3: Execute official uninstallation commands (type-specific)
@@ -607,11 +652,11 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
           // Kill control plane processes that hold ports (6443, 10257, 10259, 2379, 2380)
           // so the next `kubeadm init` does not fail with [ERROR Port-xxxx].
           logger.info('  -> Stopping and killing control plane containers and processes...');
-          shellExec('sudo crictl rm -a -f 2>/dev/null || true');
-          shellExec('sudo crictl rmp -a -f 2>/dev/null || true');
-          shellExec('sudo systemctl stop etcd 2>/dev/null || true');
+          shellExec('sudo crictl rm -a -f', { silentOnError: true });
+          shellExec('sudo crictl rmp -a -f', { silentOnError: true });
+          shellExec('sudo systemctl stop etcd', { silentOnError: true });
           for (const port of [6443, 10259, 10257, 2379, 2380])
-            shellExec(`sudo fuser -k ${port}/tcp 2>/dev/null || true`);
+            shellExec(`sudo fuser -k ${port}/tcp`, { silentOnError: true });
           logger.info('  -> Executing kubeadm reset...');
           shellExec('sudo kubeadm reset --force');
         } else if (clusterType === 'k3s') {
@@ -620,7 +665,13 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         } else {
           // Default: kind
           logger.info('  -> Deleting Kind clusters...');
-          shellExec('kind get clusters | xargs -r -t -n1 kind delete cluster');
+          shellExec(`clusters=$(kind get clusters)
+if [ -n "$clusters" ]; then
+  for c in $clusters; do
+    echo "Deleting cluster: $c"
+    kind delete cluster --name "$c"
+  done
+fi`);
         }
 
         // Phase 4: File system cleanup
@@ -630,7 +681,8 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         shellExec('sudo rm -rf /etc/cni/net.d/*');
         // Second-pass lazy umount before rm to clear any remaining busy mounts.
         shellExec(
-          `sudo sh -c 'findmnt --raw --noheadings -o TARGET | grep /var/lib/kubelet | sort -r | xargs -r umount -l' 2>/dev/null || true`,
+          `sudo sh -c 'findmnt --raw --noheadings -o TARGET | grep /var/lib/kubelet | sort -r | xargs -r umount -l'`,
+          { silentOnError: true },
         );
         shellExec('sudo rm -rf /var/lib/kubelet/*');
         shellExec('sudo rm -rf /var/lib/etcd');
@@ -646,14 +698,14 @@ net.ipv4.ip_forward = 1' | sudo tee ${iptableConfPath}`,
         // Remove iptables rules and CNI network interfaces.
         shellExec('sudo iptables -F');
         shellExec('sudo iptables -t nat -F');
-        shellExec('sudo ip link del cni0 2>/dev/null || true');
-        shellExec('sudo ip link del flannel.1 2>/dev/null || true');
-        shellExec('sudo ip link del vxlan.calico 2>/dev/null || true');
-        shellExec('sudo ip link del tunl0 2>/dev/null || true');
+        shellExec('sudo ip link del cni0', { silentOnError: true });
+        shellExec('sudo ip link del flannel.1', { silentOnError: true });
+        shellExec('sudo ip link del vxlan.calico', { silentOnError: true });
+        shellExec('sudo ip link del tunl0', { silentOnError: true });
 
         logger.info('Phase 6/7: Clean up images');
-        shellExec('sudo podman rmi --all --force 2>/dev/null || true');
-        shellExec('sudo crictl rmi --prune 2>/dev/null || true');
+        shellExec('sudo podman rmi --all --force', { silentOnError: true });
+        shellExec('sudo crictl rmi --prune', { silentOnError: true });
 
         // Phase 6: Reload daemon and finalize
         logger.info('Phase 7/7: Reloading the system daemon and finalizing...');
@@ -785,8 +837,8 @@ EOF`);
 
       // Remove CRI-O
       console.log('Removing CRI-O...');
-      shellExec(`sudo systemctl stop crio 2>/dev/null || true`);
-      shellExec(`sudo systemctl disable crio 2>/dev/null || true`);
+      shellExec('sudo systemctl stop crio', { silentOnError: true });
+      shellExec('sudo systemctl disable crio', { silentOnError: true });
       shellExec(`sudo dnf -y remove cri-o`);
       shellExec(`sudo rm -f /etc/yum.repos.d/cri-o.repo`);
       shellExec(`sudo rm -f /etc/crictl.yaml`);
@@ -827,6 +879,95 @@ EOF`);
 
       console.log('Uninstall process completed.');
     },
+
+    /**
+    * @method cleanKindMongoHostPaths
+    * @description Best-effort cleanup of MongoDB hostPath directories inside Kind node containers.
+    * This prevents stale replica/auth state when hostPath data lives in node-local container filesystems.
+    * @param {object} [options]
+    * @param {string} [options.basePath='/data/mongodb'] - Node-internal base path for MongoDB data.
+    * @param {number} [options.replicaCount=3] - Number of replica ordinal directories (v0..vN-1).
+    * @memberof UnderpostCluster
+    */
+    cleanKindMongoHostPaths(options = { basePath: '/data/mongodb', replicaCount: 3 }) {
+      const basePath = options.basePath || '/data/mongodb';
+      const replicaCount = Math.max(Number(options.replicaCount) || 3, 1);
+      const nodesRaw = shellExec('kind get nodes', {
+        stdout: true,
+        silent: true,
+        silentOnError: true,
+      });
+      const nodes = nodesRaw
+        .split('\n')
+        .map((node) => node.trim())
+        .filter((node) => !!node);
+
+      if (nodes.length === 0) {
+        logger.info('No Kind nodes detected for node-local MongoDB hostPath cleanup.');
+        return;
+      }
+
+      for (const node of nodes) {
+        logger.info(
+          `Cleaning Kind node-local MongoDB paths '${basePath}/v0..v${replicaCount - 1}' on node '${node}'...`,
+        );
+        const prepareReplicaDirsCmd = Array.from(
+          { length: replicaCount },
+          (_, index) => `mkdir -p ${basePath}/v${index}; rm -rf ${basePath}/v${index}/*;`,
+        ).join(' ');
+        const verifyReplicaDirsCmd = Array.from(
+          { length: replicaCount },
+          (_, index) => `test -d ${basePath}/v${index};`,
+        ).join(' ');
+        shellExec(
+          `sudo docker exec ${node} sh -lc 'mkdir -p ${basePath}; ${prepareReplicaDirsCmd}'`,
+          { silentOnError: true },
+        );
+        shellExec(`sudo docker exec ${node} sh -lc '${verifyReplicaDirsCmd}'`);
+      }
+    },
+
+    /**
+     * @method recoverKindDockerNetworks
+     * @description Best-effort cleanup of stale Kind Docker resources when Docker bridge
+     * address pools are exhausted and new networks cannot be allocated.
+     * @memberof UnderpostCluster
+     */
+    recoverKindDockerNetworks() {
+      logger.warn('Attempting Docker network recovery for Kind (address pool exhaustion detected)...');
+      shellExec(`sudo docker ps -aq --filter label=io.x-k8s.kind.cluster | xargs -r sudo docker rm -f`, {
+        silentOnError: true,
+      });
+      shellExec(`sudo docker network ls -q --filter label=io.x-k8s.kind.cluster | xargs -r sudo docker network rm`, {
+        silentOnError: true,
+      });
+      shellExec(`sudo docker network rm kind`, { silentOnError: true });
+      shellExec(`sudo docker network prune -f`, { silentOnError: true });
+    },
+
+    /**
+     * @method ensureDockerDefaultAddressPools
+     * @description Writes a sane Docker default-address-pools config to reduce
+     * Kind network allocation failures on hosts with exhausted predefined pools.
+     * @memberof UnderpostCluster
+     */
+    ensureDockerDefaultAddressPools() {
+      logger.warn('Applying Docker default-address-pools workaround for Kind network creation...');
+      shellExec(`cat <<'EOF' | sudo tee /etc/docker/daemon.json
+{
+  "default-address-pools": [
+    {"base": "172.17.0.0/16", "size": 24},
+    {"base": "172.18.0.0/16", "size": 24},
+    {"base": "172.19.0.0/16", "size": 24},
+    {"base": "172.20.0.0/14", "size": 24},
+    {"base": "172.24.0.0/14", "size": 24}
+  ]
+}
+EOF`);
+      shellExec('sudo systemctl restart docker');
+      shellExec('sudo docker network prune -f', { silentOnError: true });
+    },
+
   };
 }
 export default UnderpostCluster;