underpost 3.2.9 → 3.2.10

package/src/cli/index.js

@@ -242,6 +242,7 @@ program
   .command('cluster')
   .argument('[pod-name]', 'Optional: Filters information by a specific pod name.')
   .option('--reset', `Deletes all clusters and prunes all related data and caches.`)
+  .option('--reset-mongodb', `Performs a hard cleanup of only MongoDB-related resources (StatefulSet, PVCs/PVs, Secrets, ConfigMaps, caches) without restarting the whole node.`)
   .option('--mariadb', 'Initializes the cluster with a MariaDB statefulset.')
   .option('--mysql', 'Initializes the cluster with a MySQL statefulset.')
   .option('--mongodb', 'Initializes the cluster with a MongoDB statefulset.')
@@ -346,6 +347,10 @@ program
     '--pull-bundle',
     'Explicitly pull the pre-built client bundle from Cloudinary inside the container. Use together with --skip-full-build.',
   )
+  .option(
+    '--image-pull-policy <policy>',
+    'Override container imagePullPolicy in the generated deployment manifest (Always, IfNotPresent, Never). Defaults to Never for localhost/ images and IfNotPresent otherwise.',
+  )
   .description('Manages application deployments, defaulting to deploying development pods.')
   .action(Underpost.deploy.callback);
 
@@ -670,8 +675,8 @@ program
   .option(
     '--host-aliases <host-aliases>',
     'Adds entries to the Pod /etc/hosts via hostAliases. ' +
-      'Format: semicolon-separated entries of "ip=hostname1,hostname2" ' +
-      '(e.g., "127.0.0.1=foo.local,bar.local;10.1.2.3=foo.remote,bar.remote").',
+    'Format: semicolon-separated entries of "ip=hostname1,hostname2" ' +
+    '(e.g., "127.0.0.1=foo.local,bar.local;10.1.2.3=foo.remote,bar.remote").',
   )
   .option('--copy', 'Copies the runner output to the clipboard (supported by: generate-pass, template-deploy-local).')
   .option(
@@ -688,7 +693,7 @@ program
 program
   .command('lxd')
   .option('--init', 'Initializes LXD on the current machine via preseed.')
-  .option('--reset', 'Removes the LXD snap and purges all data.')
+  .option('--reset', 'SAFE complete reset: cleans all VMs (proxy devices first), profiles, networks, then removes LXD snap.')
   .option('--install', 'Installs the LXD snap.')
   .option('--dev', 'Use local paths instead of the global npm installation.')
   .option('--create-virtual-network', 'Creates the lxdbr0 bridge network.')
@@ -697,7 +702,7 @@ program
   .option('--control', 'Initialize the target VM as a K3s control plane node.')
   .option('--worker', 'Initialize the target VM as a K3s worker node.')
   .option('--create-vm <vm-name>', 'Copy the LXC launch command for a new K3s VM to the clipboard.')
-  .option('--delete-vm <vm-name>', 'Stop and delete the specified VM.')
+  .option('--delete-vm <vm-name>', 'SAFELY stop and delete VM (removes proxy devices first, then stops, then deletes). Safe to re-run.')
   .option('--init-vm <vm-name>', 'Run k3s-node-setup.sh on the specified VM (use with --control or --worker).')
   .option('--info-vm <vm-name>', 'Display full configuration and status for the specified VM.')
   .option('--test <vm-name>', 'Run connectivity and health checks on the specified VM.')
@@ -705,13 +710,11 @@ program
   .option(
     '--join-node <nodes>',
     'Join a K3s worker to a control plane. Standalone format: "workerName,controlName". ' +
-      'When used with --init-vm --worker, provide just the control node name for auto-join.',
+    'When used with --init-vm --worker, provide just the control node name for auto-join.',
   )
   .option('--expose <vm-name:ports>', 'Proxy host ports to a VM (e.g., "k3s-control:80,443").')
   .option('--delete-expose <vm-name:ports>', 'Remove proxied ports from a VM (e.g., "k3s-control:80,443").')
-  .option('--workflow-id <workflow-id>', 'Workflow ID to execute via runWorkflow.')
-  .option('--vm-id <vm-name>', 'Target VM name for workflow execution.')
-  .option('--deploy-id <deploy-id>', 'Deployment ID context for workflow execution.')
+  .option('--bootstrap-engine <vm-name>', 'Replicate /home/dd/engine source into the VM after init completes.')
   .option('--namespace <namespace>', 'Kubernetes namespace context (defaults to "default").')
   .description('Manages LXD virtual machines as K3s nodes (control plane or workers).')
   .action(Underpost.lxd.callback);
@@ -814,7 +817,7 @@ program
   .option(
     '--ci-push <deploy-id>',
     'Local equivalent of engine-*.ci.yml: builds dd-{deploy-id} and pushes to the engine-{deploy-id} repository. ' +
-      'Accepts the suffix (e.g., "cyberia"), "dd-cyberia", or "engine-cyberia".',
+    'Accepts the suffix (e.g., "cyberia"), "dd-cyberia", or "engine-cyberia".',
   )
   .option(
     '--message <message>',
@@ -824,6 +827,10 @@ program
     '--pwa-build',
     'Runs the pwa-microservices-template update flow: always re-clones, syncs engine sources, installs, builds, and pushes.',
   )
+  .option(
+    '--dry-run',
+    'For --build: previews version-bump changes (per-file substitution counts) without writing files or running downstream commands.',
+  )
   .description('Release orchestrator for building new versions and deploying releases of the Underpost CLI.')
   .action(async (version, options) => {
     if (options.build) return Underpost.release.build(version, options);

package/src/cli/ipfs.js

@@ -131,12 +131,10 @@ class UnderpostIPFS {
       // Apply UDP buffer sysctl on every Kind node so QUIC (used by IPFS) can reach the
       // recommended 7.5 MB buffer size. Kind nodes are containers and do NOT inherit the
       // host sysctl values, so this must be set via docker exec on each node directly.
-      if (!options.kubeadm && !options.k3s) {
-        logger.info('Applying UDP buffer sysctl on Kind nodes');
-        shellExec(
-          `for node in $(kind get nodes); do docker exec $node sysctl -w net.core.rmem_max=7500000 net.core.wmem_max=7500000; done`,
-        );
-      }
+      shellExec(
+        `sudo sysctl -w net.core.rmem_max=7500000
+sudo sysctl -w net.core.wmem_max=7500000`,
+      );
 
       shellExec(`kubectl apply -f ${underpostRoot}/manifests/ipfs/storage-class.yaml`);
       shellExec(`kubectl apply -k ${underpostRoot}/manifests/ipfs -n ${options.namespace}`);

package/src/cli/kubectl.js

@@ -47,9 +47,12 @@ class UnderpostKubectl {
      * @memberof UnderpostKubectl
      */
     get(deployId, kindType = 'pods', namespace = '') {
+      // Existence-check style: a missing kubectl context, a non-existent
+      // namespace, or no pods matching the filter must return an empty
+      // list (not throw). silentOnError keeps the legacy contract.
       const raw = shellExec(
         `sudo kubectl get ${kindType}${namespace ? ` -n ${namespace}` : ` --all-namespaces`} -o wide`,
-        { stdout: true, disableLog: true, silent: true },
+        { stdout: true, disableLog: true, silent: true, silentOnError: true },
       );
 
       const heads = raw

package/src/cli/lxd.js

@@ -2,6 +2,28 @@
  * LXD module for managing LXD virtual machines as K3s nodes.
  * @module src/cli/lxd.js
  * @namespace UnderpostLxd
+ *
+ * ### Proxy Device Safety
+ *
+ * Proxy devices (created by `--expose`) attach LXD proxy devices to VMs. If you
+ * stop + delete a VM without removing proxy devices first, LXD may crash or
+ * leave stale NAT rules in iptables. Both `_safeDeleteVm()` and reset() now
+ * enumerate and remove proxy devices before stopping/deleting VMs.
+ *
+ * ### Idempotency
+ *
+ * Every destructive operation (deleteVm, reset) is safe to re-run. If a VM is
+ * already gone, proxy device removal is silently skipped. If the LXD snap is
+ * already removed, reset continues gracefully.
+ *
+ * ### Lifecycle
+ *
+ * - `--reset` is the only complete teardown path: cleans ALL VMs, profiles,
+ *   networks, and finally the LXD snap itself.
+ * - `--delete-vm` is a single-VM teardown that removes proxy devices first.
+ * - `--init-vm` handles OS + K3s setup. Engine replication is a separate step
+ *   via `--bootstrap-engine`.
+ * - `--bootstrap-engine` replicates /home/dd/engine into the VM after init.
  */
 
 import { getNpmRootPath } from '../server/conf.js';
@@ -13,40 +35,33 @@ import Underpost from '../index.js';
 
 const logger = loggerFactory(import.meta);
 
-/**
- * @class UnderpostLxd
- * @description Provides a set of static methods to interact with LXD,
- * encapsulating common LXD operations for VM management and network testing.
- * @memberof UnderpostLxd
- */
 class UnderpostLxd {
   static API = {
     /**
      * @method callback
-     * @description Main entry point for LXD VM operations. Each VM is a K3s node (control or worker).
+     * @description Main entry point for all LXD CLI operations.
      * @param {object} options
      * @param {boolean} [options.init=false] - Initialize LXD via preseed.
-     * @param {boolean} [options.reset=false] - Remove LXD snap and purge data.
+     * @param {boolean} [options.reset=false] - Complete safe reset: cleans all VMs
+     *   (proxy devices removed first), profiles, networks, then removes LXD snap.
      * @param {boolean} [options.dev=false] - Use local paths instead of npm global.
      * @param {boolean} [options.install=false] - Install LXD snap.
      * @param {boolean} [options.createVirtualNetwork=false] - Create lxdbr0 bridge network.
-     * @param {string} [options.ipv4Address='10.250.250.1/24'] - IPv4 address/CIDR for the lxdbr0 bridge network.
+     * @param {string} [options.ipv4Address='10.250.250.1/24'] - IPv4 address/CIDR for lxdbr0.
      * @param {boolean} [options.createAdminProfile=false] - Create admin-profile for VMs.
-     * @param {boolean} [options.control=false] - Initialize VM as K3s control plane node.
-     * @param {boolean} [options.worker=false] - Initialize VM as K3s worker node.
-     * @param {string} [options.initVm=''] - VM name to initialize as a K3s node.
-     * @param {string} [options.deleteVm=''] - VM name to stop and delete.
-     * @param {string} [options.createVm=''] - VM name to create (copies launch command to clipboard).
+     * @param {boolean} [options.control=false] - Initialize VM as K3s control plane.
+     * @param {boolean} [options.worker=false] - Initialize VM as K3s worker.
+     * @param {string} [options.initVm=''] - VM name to initialize as K3s node.
+     * @param {string} [options.deleteVm=''] - VM name to safely stop and delete
+     *   (removes proxy devices first).
+     * @param {string} [options.createVm=''] - VM name to create (copies command to clipboard).
      * @param {string} [options.infoVm=''] - VM name to inspect.
-     * @param {string} [options.rootSize=''] - Root disk size in GiB for new VMs (e.g. '32').
-     * @param {string} [options.joinNode=''] - Join format: 'workerName,controlName' (standalone join). When used with --init-vm --worker, just the control node name.
+     * @param {string} [options.rootSize=''] - Root disk size in GiB for new VMs.
+     * @param {string} [options.joinNode=''] - Join format: 'workerName,controlName'.
      * @param {string} [options.expose=''] - Expose VM ports to host: 'vmName:port1,port2'.
      * @param {string} [options.deleteExpose=''] - Remove exposed ports: 'vmName:port1,port2'.
-     * @param {string} [options.test=''] - VM name to run connectivity and health checks on.
-     * @param {string} [options.workflowId=''] - Workflow ID for runWorkflow.
-     * @param {string} [options.vmId=''] - VM name for workflow execution.
-     * @param {string} [options.deployId=''] - Deployment ID for workflow context.
-     * @param {string} [options.namespace=''] - Kubernetes namespace context.
+     * @param {string} [options.test=''] - VM name for connectivity and health checks.
+     * @param {string} [options.bootstrapEngine=''] - VM name to replicate /home/dd/engine into.
      * @memberof UnderpostLxd
      */
     async callback(
@@ -69,22 +84,58 @@ class UnderpostLxd {
         expose: '',
         deleteExpose: '',
         test: '',
-        workflowId: '',
-        vmId: '',
-        deployId: '',
-        namespace: '',
+        bootstrapEngine: '',
       },
     ) {
       const npmRoot = getNpmRootPath();
       const underpostRoot = options?.dev === true ? '.' : `${npmRoot}/underpost`;
 
+      // =====================================================================
+      // RESET: Complete, safe teardown of all LXD state
+      // =====================================================================
       if (options.reset === true) {
-        shellExec(`sudo systemctl stop snap.lxd.daemon`);
-        shellExec(`sudo snap remove lxd --purge`);
+        logger.info('=== SAFE LXD RESET ===');
+        logger.info('Phase 1/5: Enumerating all VMs and removing proxy devices...');
+        const vmList = UnderpostLxd._listVms();
+        for (const vmName of vmList) {
+          UnderpostLxd._removeProxyDevices(vmName);
+        }
+
+        logger.info('Phase 2/5: Stopping all VMs gracefully...');
+        for (const vmName of vmList) {
+          logger.info(`  Stopping VM: ${vmName}`);
+          shellExec(`lxc stop ${vmName} --timeout 30 2>/dev/null || true`, { silent: true, silentOnError: true });
+        }
+
+        logger.info('Phase 3/5: Deleting all VMs...');
+        for (const vmName of vmList) {
+          logger.info(`  Deleting VM: ${vmName}`);
+          shellExec(`lxc delete ${vmName} --force 2>/dev/null || true`, { silent: true, silentOnError: true });
+        }
+
+        logger.info('Phase 4/5: Removing admin-profile and network...');
+        shellExec(`lxc profile delete admin-profile 2>/dev/null || true`, { silent: true, silentOnError: true });
+        shellExec(`lxc network delete lxdbr0 2>/dev/null || true`, { silent: true, silentOnError: true });
+
+        logger.info('Phase 5/5: Stopping LXD snap daemon and purging snap...');
+        shellExec(`sudo systemctl stop snap.lxd.daemon 2>/dev/null || true`, { silent: true, silentOnError: true });
+        shellExec(`sudo snap remove lxd --purge 2>/dev/null || true`, { silent: true, silentOnError: true });
+
+        logger.info('=== LXD RESET COMPLETE ===');
+        logger.info('All VMs, proxy devices, profiles, networks, and the LXD snap have been removed.');
+        return;
       }
 
-      if (options.install === true) shellExec(`sudo snap install lxd`);
+      // =====================================================================
+      // INSTALL
+      // =====================================================================
+      if (options.install === true) {
+        shellExec(`sudo snap install lxd`);
+      }
 
+      // =====================================================================
+      // INIT (LXD preseed)
+      // =====================================================================
       if (options.init === true) {
         shellExec(`sudo systemctl start snap.lxd.daemon`);
         shellExec(`sudo systemctl status snap.lxd.daemon`);
@@ -95,6 +146,9 @@ class UnderpostLxd {
         shellExec(`lxc cluster list`);
       }
 
+      // =====================================================================
+      // CREATE VIRTUAL NETWORK
+      // =====================================================================
       if (options.createVirtualNetwork === true) {
         const ipv4Address = options.ipv4Address ? options.ipv4Address : '10.250.250.1/24';
         shellExec(`lxc network create lxdbr0 \
@@ -104,6 +158,9 @@ ipv4.dhcp=true \
 ipv6.address=none`);
       }
 
+      // =====================================================================
+      // CREATE ADMIN PROFILE
+      // =====================================================================
       if (options.createAdminProfile === true) {
         const existingProfiles = await new Promise((resolve) => {
           shellExec(`lxc profile show admin-profile`, {
@@ -120,25 +177,28 @@ ipv6.address=none`);
         }
       }
 
+      // =====================================================================
+      // DELETE VM (safe: removes proxy devices first)
+      // =====================================================================
       if (options.deleteVm) {
         const vmName = options.deleteVm;
-        logger.info(`Stopping VM: ${vmName}`);
-        shellExec(`lxc stop ${vmName}`);
-        logger.info(`Deleting VM: ${vmName}`);
-        shellExec(`lxc delete ${vmName}`);
-        logger.info(`VM ${vmName} deleted.`);
+        UnderpostLxd._safeDeleteVm(vmName);
       }
 
+      // =====================================================================
+      // CREATE VM (copy launch command to clipboard)
+      // =====================================================================
       if (options.createVm) {
         pbcopy(
-          `lxc launch images:rockylinux/9 ${
-            options.createVm
-          } --vm --target lxd-node1 -c limits.cpu=2 -c limits.memory=4GB --profile admin-profile -d root,size=${
-            options.rootSize ? options.rootSize + 'GiB' : '32GiB'
+          `lxc launch images:rockylinux/9 ${options.createVm
+          } --vm --target lxd-node1 -c limits.cpu=2 -c limits.memory=4GB --profile admin-profile -d root,size=${options.rootSize ? options.rootSize + 'GiB' : '32GiB'
           }`,
         );
       }
 
+      // =====================================================================
+      // INIT VM (OS setup + K3s role, no engine push)
+      // =====================================================================
       if (options.initVm) {
         const vmName = options.initVm;
         const lxdSetupPath = `${underpostRoot}/scripts/lxd-vm-setup.sh`;
@@ -147,10 +207,8 @@ ipv6.address=none`);
         // Step 1: OS base setup (disk, packages, kernel modules)
         shellExec(`cat ${lxdSetupPath} | lxc exec ${vmName} -- bash`);
 
-        // Step 2: Push engine source from host to VM
-        await Underpost.lxd.runWorkflow({ workflowId: 'engine', vmName, dev: options.dev });
-
-        // Step 3: K3s role setup (installs Node, npm deps, then k3s via node bin --dev)
+        // Step 2: K3s role setup (installs Node, npm deps, then k3s via underpost CLI)
+        // Engine source replication is a separate step via --bootstrap-engine.
         if (options.worker === true) {
           if (options.joinNode) {
             const controlNode = options.joinNode.includes(',') ? options.joinNode.split(',').pop() : options.joinNode;
@@ -174,16 +232,52 @@ ipv6.address=none`);
         }
       }
 
-      if (options.workflowId) {
-        await Underpost.lxd.runWorkflow({
-          workflowId: options.workflowId,
-          vmName: options.vmId,
-          deployId: options.deployId,
-          dev: options.dev,
-        });
+      // =====================================================================
+      // BOOTSTRAP ENGINE: Replicate /home/dd/engine into a VM
+      // =====================================================================
+      if (options.bootstrapEngine) {
+        const vmName = options.bootstrapEngine;
+        logger.info(`Bootstrapping engine source into VM: ${vmName}...`);
+
+        const includesFile = `/tmp/lxd-push-${vmName}-${Date.now()}.txt`;
+        const srcPath = `/home/dd/engine`;
+        const files = await new Promise((resolve) =>
+          walk({ path: srcPath, ignoreFiles: ['.gitignore'], includeEmpty: false, follow: false }, (_, result) =>
+            resolve(result),
+          ),
+        );
+        fs.writeFileSync(includesFile, files.join('\n'));
+        shellExec(`lxc exec ${vmName} -- bash -c 'rm -rf /home/dd/engine && mkdir -p /home/dd/engine'`);
+        shellExec(`tar -C ${srcPath} -cf - --files-from=${includesFile} | lxc exec ${vmName} -- tar -C /home/dd/engine -xf -`);
+        fs.removeSync(includesFile);
+
+        // Also push engine-private if it exists
+        const privateSrcPath = `/home/dd/engine/engine-private`;
+        if (fs.existsSync(privateSrcPath)) {
+          const privateFiles = await new Promise((resolve) =>
+            walk(
+              {
+                path: privateSrcPath,
+                ignoreFiles: ['/home/dd/engine/.gitignore', '.gitignore'],
+                includeEmpty: false,
+                follow: false,
+              },
+              (_, result) => resolve(result),
+            ),
+          );
+          const privateIncludes = `/tmp/lxd-push-${vmName}-private-${Date.now()}.txt`;
+          fs.writeFileSync(privateIncludes, privateFiles.join('\n'));
+          shellExec(`lxc exec ${vmName} -- bash -c 'rm -rf /home/dd/engine/engine-private && mkdir -p /home/dd/engine/engine-private'`);
+          shellExec(`tar -C ${privateSrcPath} -cf - --files-from=${privateIncludes} | lxc exec ${vmName} -- tar -C /home/dd/engine/engine-private -xf -`);
+          fs.removeSync(privateIncludes);
+        }
+
+        logger.info(`Engine source bootstrapped into ${vmName}:/home/dd/engine`);
       }
 
-      // Standalone join: --join-node workerName,controlName (without --init-vm)
+      // =====================================================================
+      // STANDALONE JOIN
+      // =====================================================================
       if (options.joinNode && !options.initVm) {
         const [workerNode, controlNode] = options.joinNode.split(',');
         const k3sToken = shellExec(
@@ -201,6 +295,9 @@ ipv6.address=none`);
         logger.info(`Worker ${workerNode} joined successfully.`);
       }
 
+      // =====================================================================
+      // INFO VM
+      // =====================================================================
       if (options.infoVm) {
         shellExec(`lxc config show ${options.infoVm}`);
         shellExec(`lxc info --show-log ${options.infoVm}`);
@@ -208,6 +305,9 @@ ipv6.address=none`);
         shellExec(`lxc list ${options.infoVm}`);
       }
 
+      // =====================================================================
+      // EXPOSE (proxy host ports to VM)
+      // =====================================================================
       if (options.expose) {
         const [vmName, ports] = options.expose.split(':');
         const protocols = ['tcp'];
@@ -232,6 +332,9 @@ ipv6.address=none`);
         }
       }
 
+      // =====================================================================
+      // DELETE EXPOSE
+      // =====================================================================
       if (options.deleteExpose) {
         const [vmName, ports] = options.deleteExpose.split(':');
         const protocols = ['tcp'];
@@ -242,6 +345,9 @@ ipv6.address=none`);
         }
       }
 
+      // =====================================================================
+      // TEST (connectivity and health checks)
+      // =====================================================================
       if (options.test) {
         const vmName = options.test;
         const vmIp = shellExec(
@@ -264,93 +370,69 @@ ipv6.address=none`);
         shellExec(`lxc exec ${vmName} -- bash -c 'sudo k3s kubectl get nodes'`);
       }
     },
+  };
 
-    /**
-     * @method pushDirectory
-     * @description Pushes a host directory into a VM using ignore-walk (respecting .gitignore)
-     * and a tar pipe. Skips gitignored paths (e.g. node_modules, .git, build artifacts).
-     * @param {object} params
-     * @param {string} params.srcPath - Absolute path of the source directory on the host.
-     * @param {string} params.vmName - Target LXD VM name.
-     * @param {string} params.destPath - Absolute path of the destination directory inside the VM.
-     * @param {string[]} [params.ignoreFiles=['.gitignore']] - Ignore-file names to respect during walk.
-     * @returns {Promise<void>}
-     * @memberof UnderpostLxd
-     */
-    async pushDirectory({ srcPath, vmName, destPath, ignoreFiles }) {
-      const includesFile = `/tmp/lxd-push-${vmName}-${Date.now()}.txt`;
-      if (!ignoreFiles) ignoreFiles = ['.gitignore'];
-      // Collect non-ignored files via ignore-walk
-      const files = await new Promise((resolve) =>
-        walk(
-          {
-            path: srcPath,
-            ignoreFiles,
-            includeEmpty: false,
-            follow: false,
-          },
-          (_, result) => resolve(result),
-        ),
-      );
-
-      // Write relative paths (one per line) to a temp includes file
-      fs.writeFileSync(includesFile, files.join('\n'));
-      logger.info(`lxd pushDirectory: ${files.length} files collected`, { srcPath, vmName, destPath, includesFile });
-
-      // Reset destination directory inside the VM
-      shellExec(`lxc exec ${vmName} -- bash -c 'rm -rf ${destPath} && mkdir -p ${destPath}'`);
-
-      // Stream tar archive from host into VM
-      shellExec(
-        `tar -C ${srcPath} -cf - --files-from=${includesFile} | lxc exec ${vmName} -- tar -C ${destPath} -xf -`,
-      );
-
-      // Clean up temp includes file
-      fs.removeSync(includesFile);
-    },
+  // =====================================================================
+  // PRIVATE HELPERS
+  // =====================================================================
 
-    /**
-     * @method runWorkflow
-     * @description Executes predefined workflows on LXD VMs.
-     * @param {object} params
-     * @param {string} params.workflowId - Workflow ID to execute.
-     * @param {string} params.vmName - Target VM name.
-     * @param {string} [params.deployId] - Deployment identifier.
-     * @param {boolean} [params.dev=false] - Use local paths.
-     * @memberof UnderpostLxd
-     */
-    async runWorkflow({ workflowId, vmName, deployId, dev }) {
-      switch (workflowId) {
-        case 'engine': {
-          await Underpost.lxd.pushDirectory({
-            srcPath: `/home/dd/engine`,
-            vmName,
-            destPath: `/home/dd/engine`,
-          });
-          await Underpost.lxd.pushDirectory({
-            srcPath: `/home/dd/engine/engine-private`,
-            vmName,
-            destPath: `/home/dd/engine/engine-private`,
-            ignoreFiles: ['/home/dd/engine/.gitignore', '.gitignore'],
-          });
-          break;
-        }
-        case 'engine-recursive-push': {
-          const enginePath = '/home/dd/engine';
-          shellExec(`lxc exec ${vmName} -- bash -c 'rm -rf ${enginePath}'`);
-          shellExec(`lxc exec ${vmName} -- bash -c 'mkdir -p /home/dd'`);
-          shellExec(`lxc file push ${enginePath} ${vmName}/home/dd --recursive`);
-          break;
-        }
-        case 'dev-reset': {
-          shellExec(
-            `lxc exec ${vmName} -- bash -lc 'cd /home/dd/engine && node bin cluster --dev --reset --k3s && node bin cluster --dev --k3s'`,
-          );
-          break;
-        }
-      }
-    },
-  };
+  /**
+   * Lists all LXD VM (virtual-machine) instance names.
+   * @returns {string[]} Array of VM names.
+   * @private
+   */
+  static _listVms() {
+    const raw = shellExec(
+      `lxc list --format json | jq -r '.[] | select(.type=="virtual-machine") | .name // empty' 2>/dev/null || true`,
+      { stdout: true, silent: true, silentOnError: true },
+    ).trim();
+    if (!raw) return [];
+    return raw.split('\n').filter((n) => n.length > 0);
+  }
+
+  /**
+   * Enumerates and removes all proxy devices attached to a VM.
+   * Proxy devices are named with the pattern <vmName>-<protocol>-port-<port>.
+   * Fails silently if the VM or device is already gone (idempotent).
+   * @param {string} vmName - The VM name to clean proxy devices from.
+   * @private
+   */
+  static _removeProxyDevices(vmName) {
+    logger.info(`  Removing proxy devices from ${vmName}...`);
+    const devicesRaw = shellExec(
+      `lxc config device list ${vmName} 2>/dev/null | grep -E "^${vmName}-tcp-port-" || true`,
+      { stdout: true, silent: true, silentOnError: true },
+    ).trim();
+    if (!devicesRaw) {
+      logger.info(`  No proxy devices found on ${vmName}.`);
+      return;
+    }
+    for (const deviceName of devicesRaw.split('\n')) {
+      const name = deviceName.trim();
+      if (!name) continue;
+      logger.info(`    Removing device: ${name}`);
+      shellExec(`lxc config device remove ${vmName} ${name} 2>/dev/null || true`, {
+        silent: true,
+        silentOnError: true,
+      });
+    }
+  }
+
+  /**
+   * Safely deletes a single VM: removes proxy devices first, then stops and deletes.
+   * Idempotent: safe to re-run if VM is already gone.
+   * @param {string} vmName - The VM name to delete.
+   * @private
+   */
+  static _safeDeleteVm(vmName) {
+    logger.info(`Safely deleting VM: ${vmName}`);
+    UnderpostLxd._removeProxyDevices(vmName);
+    logger.info(`  Stopping VM: ${vmName}`);
+    shellExec(`lxc stop ${vmName} --timeout 30 2>/dev/null || true`, { silent: true, silentOnError: true });
+    logger.info(`  Deleting VM: ${vmName}`);
+    shellExec(`lxc delete ${vmName} --force 2>/dev/null || true`, { silent: true, silentOnError: true });
+    logger.info(`VM ${vmName} safely deleted.`);
+  }
 }
 
-export default UnderpostLxd;
+export default UnderpostLxd;