underpost 3.2.9 → 3.2.11

package/src/cli/repository.js

@@ -924,8 +924,6 @@ class UnderpostRepository {
       shellExec(`cd ${privateRepoPath} && underpost pull . ${process.env.GITHUB_USERNAME}/${privateRepoName}`, {
         silent: true,
       });
-      shellExec(`underpost run secret`);
-      shellExec(`underpost run underpost-config`);
       const packageJsonDeploy = JSON.parse(fs.readFileSync(`./engine-private/conf/${deployId}/package.json`, 'utf8'));
       const packageJsonEngine = JSON.parse(fs.readFileSync(`./package.json`, 'utf8'));
       if (packageJsonDeploy.version !== packageJsonEngine.version) {
@@ -1008,11 +1006,14 @@ Prevent build private config repo.`,
             const host = 'default.net';
             const path = '/';
             DefaultConf.server[host][path].valkey = {
-              port: 6379,
-              host: 'valkey-service.default.svc.cluster.local',
+              port: 'env:VALKEY_PORT:int:6379',
+              host: 'env:VALKEY_HOST:127.0.0.1',
             };
-            // mongodb-0.mongodb-service
-            DefaultConf.server[host][path].db.host = 'mongodb://mongodb-service:27017';
+            DefaultConf.server[host][path].db.host = 'env:DB_HOST:mongodb://127.0.0.1:27017';
+            DefaultConf.server[host][path].db.replicaSet = 'env:DB_REPLICA_SET:rs0';
+            DefaultConf.server[host][path].db.authSource = 'env:DB_AUTH_SOURCE:admin';
+            DefaultConf.server[host][path].db.user = 'env:DB_USER:';
+            DefaultConf.server[host][path].db.password = 'env:DB_PASSWORD:';
             defaultConf = true;
             break;
           }
@@ -1048,9 +1049,9 @@ Prevent build private config repo.`,
      */
     clean(options = { paths: [''] }) {
       for (const path of options.paths) {
-        shellExec(`cd ${path} && git reset`, { silent: true });
-        shellExec(`cd ${path} && git checkout .`, { silent: true });
-        shellExec(`cd ${path} && git clean -f -d`, { silent: true });
+        shellExec(`cd ${path} && git reset`, { silentOnError: true, silent: true, disableLog: true });
+        shellExec(`cd ${path} && git checkout .`, { silentOnError: true, silent: true, disableLog: true });
+        shellExec(`cd ${path} && git clean -f -d`, { silentOnError: true, silent: true, disableLog: true });
       }
     },
 
@@ -1104,7 +1105,7 @@ Prevent build private config repo.`,
 
       try {
         // Fetch directory contents recursively
-        const copiedFiles = await this._fetchAndCopyGitHubDirectory({
+        const copiedFiles = await this.fetchAndCopyGitHubDirectory({
           apiUrl,
           targetPath,
           basePath: directoryPath,
@@ -1140,7 +1141,7 @@ Prevent build private config repo.`,
      * @returns {Promise<array>} Array of copied file paths.
      * @memberof UnderpostRepository
      */
-    async _fetchAndCopyGitHubDirectory(options) {
+    async fetchAndCopyGitHubDirectory(options) {
       const { apiUrl, targetPath, basePath, branch } = options;
       const copiedFiles = [];
 
@@ -1175,14 +1176,12 @@ Prevent build private config repo.`,
 
       logger.info(`Found ${contents.length} items in directory: ${basePath}`);
 
-      // Process each item in the directory
       for (const item of contents) {
         const itemTargetPath = `${targetPath}/${item.name}`;
 
         if (item.type === 'file') {
           logger.info(`Downloading file: ${item.path}`);
 
-          // Download file content
           const fileResponse = await fetch(item.download_url);
           if (!fileResponse.ok) {
             logger.error(`Failed to download: ${item.download_url}`);
@@ -1192,16 +1191,14 @@ Prevent build private config repo.`,
           const fileContent = await fileResponse.text();
           fs.writeFileSync(itemTargetPath, fileContent);
 
-          logger.info(`✓ Saved: ${itemTargetPath}`);
+          logger.info(`Saved: ${itemTargetPath}`);
           copiedFiles.push(itemTargetPath);
         } else if (item.type === 'dir') {
-          logger.info(`📁 Processing directory: ${item.path}`);
+          logger.info(`Processing directory: ${item.path}`);
 
-          // Create subdirectory
           fs.mkdirSync(itemTargetPath, { recursive: true });
 
-          // Recursively process subdirectory
-          const subFiles = await this._fetchAndCopyGitHubDirectory({
+          const subFiles = await this.fetchAndCopyGitHubDirectory({
             apiUrl: item.url,
             targetPath: itemTargetPath,
             basePath: item.path,
@@ -1209,7 +1206,7 @@ Prevent build private config repo.`,
           });
 
           copiedFiles.push(...subFiles);
-          logger.info(`✓ Completed directory: ${item.path} (${subFiles.length} files)`);
+          logger.info(`Completed directory: ${item.path} (${subFiles.length} files)`);
         } else {
           logger.warn(`Skipping unknown item type '${item.type}': ${item.path}`);
         }
@@ -1295,7 +1292,7 @@ Prevent build private config repo.`,
     },
     /**
      * Checks whether a remote Git repository URL is reachable.
-     * Uses `git ls-remote` with `|| true` so the process always exits 0.
+     * Uses `silentOnError` so a non-reachable remote returns false instead of throwing.
      * Injects `GITHUB_TOKEN` into GitHub HTTPS URLs when available.
      * @param {string} url - Full HTTPS clone URL to test (e.g. "https://github.com/org/repo.git").
      * @returns {boolean} `true` when the remote responded with at least one ref hash.
@@ -1305,10 +1302,11 @@ Prevent build private config repo.`,
       if (!url) return false;
       const authUrl = Underpost.repo.resolveAuthUrl(url);
       // GIT_TERMINAL_PROMPT=0 prevents git from hanging on credential prompts inside containers.
-      const raw = shellExec(`GIT_TERMINAL_PROMPT=0 git ls-remote "${authUrl}" HEAD 2>&1 || true`, {
+      const raw = shellExec(`GIT_TERMINAL_PROMPT=0 git ls-remote "${authUrl}" HEAD 2>&1`, {
         stdout: true,
         silent: true,
         disableLog: true,
+        silentOnError: true,
       });
       logger.info('isRemoteRepo', { url, raw: (raw || '').slice(0, 120) });
       return typeof raw === 'string' && /^[0-9a-f]{40}\t/m.test(raw);
@@ -1380,11 +1378,12 @@ Prevent build private config repo.`,
       }
       shellExec(`cd "${repoPath}" && git config user.name '${gitUsername}'`);
       shellExec(`cd "${repoPath}" && git config user.email '${gitEmail}'`);
-
+      shellExec(`cd "${repoPath}" && git config core.filemode false`);
       if (origin) {
-        const currentRemote = shellExec(`cd "${repoPath}" && git remote get-url origin 2>/dev/null || true`, {
+        const currentRemote = shellExec(`cd "${repoPath}" && git remote get-url origin`, {
           stdout: true,
           silent: true,
+          silentOnError: true,
         }).trim();
         if (!currentRemote) {
           shellExec(`cd "${repoPath}" && git remote add origin "${origin}"`);
@@ -1608,6 +1607,52 @@ Prevent build private config repo.`,
         logger.info('engine-private in /home/dd removed');
       }
     },
+
+    /**
+     * Resolves the GitHub repository for a given instance runtime by scanning
+     * every `conf.instances.json` listed in `./engine-private/deploy/dd.router`.
+     *
+     * Resolution order:
+     *  1. If `runtime` is falsy, returns `${GITHUB_USERNAME}/engine`.
+     *  2. Iterates each deploy ID found in `dd.router` and looks for an instance
+     *     whose `runtime` field matches the supplied value.
+     *  3. When a match is found, returns `instance.metadata.repository`.
+     *  4. Falls back to `${GITHUB_USERNAME}/engine` when no match is found.
+     *
+     * @param {string} [runtime=''] - The runtime identifier to look up (e.g. `'cyberia-server'`, `'cyberia-client'`).
+     * @returns {string} The resolved `owner/repo` string.
+     * @memberof UnderpostRepository
+     */
+    resolveInstanceRepo(runtime = '') {
+      const fallback = `${process.env.GITHUB_USERNAME}/engine`;
+      if (!runtime) return fallback;
+      const ddRouter = './engine-private/deploy/dd.router';
+      const deployIds = fs.existsSync(ddRouter)
+        ? fs
+            .readFileSync(ddRouter, 'utf8')
+            .split(',')
+            .map((s) => s.trim())
+            .filter(Boolean)
+        : [];
+      for (const deployId of deployIds) {
+        const confPath = `./engine-private/conf/${deployId}/conf.instances.json`;
+        if (!fs.existsSync(confPath)) continue;
+        try {
+          const instances = JSON.parse(fs.readFileSync(confPath, 'utf8'));
+          const match = instances.find((i) => i && i.runtime === runtime);
+          if (match && match.metadata && match.metadata.repository) {
+            logger.info(`[resolveInstanceRepo] resolved from ${confPath}`, {
+              runtime,
+              repo: match.metadata.repository,
+            });
+            return match.metadata.repository;
+          }
+        } catch (err) {
+          logger.warn(`[resolveInstanceRepo] failed to parse ${confPath}: ${err.message}`);
+        }
+      }
+      return fallback;
+    },
   };
 }
 

package/src/cli/run.js

@@ -10,6 +10,8 @@ import {
   awaitDeployMonitor,
   buildKindPorts,
   Config,
+  cronDeployIdResolve,
+  etcHostFactory,
   getNpmRootPath,
   isDeployRunnerContext,
   loadConfServerJson,
@@ -24,6 +26,7 @@ import { range, setPad, timer } from '../client/components/core/CommonJs.js';
 import os from 'os';
 import Underpost from '../index.js';
 import dotenv from 'dotenv';
+import { MongoBootstrap } from '../db/mongo/MongoBootstrap.js';
 
 const waitForPort = (port, host = '127.0.0.1', { maxAttempts = 30, interval = 2000 } = {}) =>
   new Promise((resolve, reject) => {
@@ -97,6 +100,7 @@ const logger = loggerFactory(import.meta);
  * @property {string} deployId - The deployment ID.
  * @property {string} instanceId - The instance ID.
  * @property {string} user - The user to run as.
+ * @property {string} group - The group to use.
  * @property {string} pid - The process ID.
  * @property {boolean} disablePrivateConfUpdate - Whether to disable private configuration updates.
  * @property {string} monitorStatus - The monitor status option.
@@ -114,6 +118,7 @@ const logger = loggerFactory(import.meta);
  * @property {boolean} copy - Whether to copy the command to the clipboard instead of executing it.
  * @property {boolean} skipFullBuild - Whether to skip the full client bundle build during deployment (supported by: sync, template-deploy).
  * @property {boolean} pullBundle - Whether to pull the bundle before running. Use together with --skip-full-build to skip the local build entirely (supported by: sync, template-deploy).
+ * @property {boolean} remove - Whether to remove/teardown resources instead of creating them (e.g. delete-expose for k3s proxy devices in dev-cluster).
  * @memberof UnderpostRun
  */
 const DEFAULT_OPTION = {
@@ -165,6 +170,7 @@ const DEFAULT_OPTION = {
   deployId: '',
   instanceId: '',
   user: '',
+  group: '',
   pid: '',
   disablePrivateConfUpdate: false,
   monitorStatus: '',
@@ -180,6 +186,7 @@ const DEFAULT_OPTION = {
   copy: false,
   skipFullBuild: false,
   pullBundle: false,
+  remove: false,
 };
 
 /**
@@ -209,28 +216,39 @@ class UnderpostRun {
     'dev-cluster': (path, options = DEFAULT_OPTION) => {
       const baseCommand = options.dev ? 'node bin' : 'underpost';
       const mongoHosts = ['mongodb-0.mongodb-service'];
+      let primaryMongoHost = 'mongodb-0.mongodb-service';
       if (!options.expose) {
         shellExec(`${baseCommand} cluster${options.dev ? ' --dev' : ''} --reset`);
         shellExec(`${baseCommand} cluster${options.dev ? ' --dev' : ''}`);
 
         shellExec(
-          `${baseCommand} cluster${options.dev ? ' --dev' : ''} --mongodb --mongo-db-host ${mongoHosts.join(
+          `${baseCommand} cluster${options.dev ? ' --dev' : ''} --mongodb4 --service-host ${mongoHosts.join(
             ',',
           )} --pull-image`,
         );
         shellExec(`${baseCommand} cluster${options.dev ? ' --dev' : ''} --valkey --pull-image`);
       }
-
-      {
-        // Detect MongoDB primary pod using method
-        let primaryMongoHost = 'mongodb-0.mongodb-service';
+      if (options.k3s) {
+        if (options.remove) {
+          shellExec(`${baseCommand} lxd --delete-expose k3s-control:27017`);
+          shellExec(`${baseCommand} lxd --delete-expose k3s-control:6379`);
+        } else {
+          shellExec(`${baseCommand} lxd --expose k3s-control:27017 --node-port 32017`);
+          shellExec(`${baseCommand} lxd --expose k3s-control:6379 --node-port 32079`);
+        }
+        shellExec(`lxc config device show k3s-control`);
+      } else {
         try {
-          const primaryPodName = Underpost.db.getMongoPrimaryPodName({
-            namespace: options.namespace,
-            podName: 'mongodb-0',
-          });
-          // shellExec(`${baseCommand} deploy --expose --disable-update-underpost-config mongo`, { async: true });
-          shellExec(`kubectl port-forward -n ${options.namespace} pod/${primaryPodName} 27017:27017`, { async: true });
+          const primaryPodName =
+            MongoBootstrap.getPrimaryPodName({
+              namespace: options.namespace,
+              podName: 'mongodb-0',
+              disableAuth: options.dev,
+            }) || 'mongodb-0';
+          shellExec(
+            `${baseCommand} deploy --expose --namespace ${options.namespace} --disable-update-underpost-config mongo`,
+            { async: true },
+          );
           shellExec(
             `${baseCommand} deploy --expose --namespace ${options.namespace} --disable-update-underpost-config valkey`,
             { async: true },
@@ -241,10 +259,9 @@ class UnderpostRun {
             default: primaryMongoHost,
           });
         }
-
-        const hostListenResult = Underpost.deploy.etcHostFactory([primaryMongoHost]);
-        logger.info(hostListenResult.renderHosts);
       }
+      const hostListenResult = etcHostFactory([primaryMongoHost]);
+      logger.info(hostListenResult.renderHosts);
     },
 
     /**
@@ -505,14 +522,16 @@ class UnderpostRun {
     },
     /**
      * @method docker-image
-     * @description Dispatches the Docker image CI workflow (`docker-image.ci.yml`) for the `engine` repository via `workflow_dispatch`.
-     * @param {string} path - The input value, identifier, or path for the operation.
+     * @description Dispatches the Docker image CI workflow (`docker-image[.<runtime>].ci.yml`) via `workflow_dispatch`.
+     * Repository resolution is delegated to `Underpost.repo.resolveInstanceRepo(path)`.
+     * @param {string} path - Optional runtime / workflow suffix (e.g. `cyberia-server`, `cyberia-client`).
      * @param {Object} options - The default underpost runner options for customizing workflow
      * @memberof UnderpostRun
      */
     'docker-image': (path, options = DEFAULT_OPTION) => {
+      const repo = Underpost.repo.resolveInstanceRepo(path);
       Underpost.repo.dispatchWorkflow({
-        repo: `${process.env.GITHUB_USERNAME}/engine`,
+        repo,
         workflowFile: `docker-image${path ? `.${path}` : ''}.ci.yml`,
         ref: 'master',
         inputs: {},
@@ -527,6 +546,7 @@ class UnderpostRun {
      */
     clean: (path = '', options = DEFAULT_OPTION) => {
       Underpost.repo.clean({ paths: path ? path.split(',') : ['/home/dd/engine', '/home/dd/engine/engine-private'] });
+      if (options.dev) shellExec(`node bin run shared-dir ${path ? path : '/home/dd/engine'}`);
     },
     /**
      * @method pull
@@ -536,16 +556,14 @@ class UnderpostRun {
      * @memberof UnderpostRun
      */
     pull: (path, options = DEFAULT_OPTION) => {
+      // shellExec is fail-fast by default — any non-zero exit throws and
+      // propagates up to the workflow step. No per-call flag required.
       if (!fs.existsSync(`/home/dd`) || !fs.existsSync(`/home/dd/engine`)) {
         fs.mkdirSync(`/home/dd`, { recursive: true });
-        shellExec(`cd /home/dd && underpost clone ${process.env.GITHUB_USERNAME}/engine`, {
-          silent: true,
-        });
+        shellExec(`cd /home/dd && underpost clone ${process.env.GITHUB_USERNAME}/engine`, { silent: true });
       } else {
         shellExec(`underpost run clean`);
-        shellExec(`cd /home/dd/engine && underpost pull . ${process.env.GITHUB_USERNAME}/engine`, {
-          silent: true,
-        });
+        shellExec(`cd /home/dd/engine && underpost pull . ${process.env.GITHUB_USERNAME}/engine`, { silent: true });
       }
       if (!fs.existsSync(`/home/dd/engine/engine-private`))
         shellExec(`cd /home/dd/engine && underpost clone ${process.env.GITHUB_USERNAME}/engine-private`, {
@@ -554,9 +572,7 @@ class UnderpostRun {
       else
         shellExec(
           `cd /home/dd/engine/engine-private && underpost pull . ${process.env.GITHUB_USERNAME}/engine-private`,
-          {
-            silent: true,
-          },
+          { silent: true },
         );
     },
     /**
@@ -643,6 +659,11 @@ echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com
     /**
      * @method sync
      * @description Cleans up, and then runs a deployment synchronization command (`underpost deploy --kubeadm --build-manifest --sync...`) using parameters parsed from `path` (deployId, replicas, versions, image, node).
+     *
+     * Forwards `--image-pull-policy <policy>` to the underlying `deploy --build-manifest` invocation when `options.imagePullPolicy` is set,
+     * which then plumbs through `buildManifest` and `deploymentYamlPartsFactory` to override the container `imagePullPolicy` in the generated
+     * `deployment.yaml`. Useful when you want to force `Always` so the kubelet re-pulls a mutable tag on every rollout. Example:
+     *   `node bin run sync dd-core --kubeadm --image-pull-policy Always`
      * @param {string} path - The input value, identifier, or path for the operation (used as a comma-separated string containing deploy parameters).
      * @param {Object} options - The default underpost runner options for customizing workflow
      * @memberof UnderpostRun
@@ -700,13 +721,14 @@ echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com
 
       const skipFullBuildFlag = options.skipFullBuild ? ' --skip-full-build' : '';
       const pullBundleFlag = options.pullBundle ? ' --pull-bundle' : '';
+      const imagePullPolicyFlag = options.imagePullPolicy ? ` --image-pull-policy ${options.imagePullPolicy}` : '';
 
       shellExec(
         `${baseCommand} deploy${clusterFlag} --build-manifest --sync --info-router --replicas ${replicas} --node ${node}${
           image ? ` --image ${image}` : ''
         }${versions ? ` --versions ${versions}` : ''}${
           options.namespace ? ` --namespace ${options.namespace}` : ''
-        }${timeoutFlags}${cmdString}${gitCleanFlag}${skipFullBuildFlag}${pullBundleFlag} ${deployId} ${env}`,
+        }${timeoutFlags}${cmdString}${gitCleanFlag}${skipFullBuildFlag}${pullBundleFlag}${imagePullPolicyFlag} ${deployId} ${env}`,
       );
 
       if (isDeployRunnerContext(path, options)) {
@@ -717,7 +739,7 @@ echo -e "[code]\nname=Visual Studio Code\nbaseurl=https://packages.microsoft.com
         shellExec(
           `${baseCommand} deploy${clusterFlag}${cmdString} --replicas ${replicas} --disable-update-proxy ${deployId} ${env} --versions ${versions}${
             options.namespace ? ` --namespace ${options.namespace}` : ''
-          }${timeoutFlags}${gitCleanFlag}`,
+          }${timeoutFlags}${gitCleanFlag}${imagePullPolicyFlag}`,
         );
         if (!targetTraffic)
           targetTraffic = Underpost.deploy.getCurrentTraffic(deployId, { namespace: options.namespace });
@@ -1023,6 +1045,9 @@ EOF
           cmd: _cmd,
           volumes: _volumes,
           metadata: _metadata,
+          lifecycle: _lifecycle,
+          readinessProbe: _readinessProbe,
+          livenessProbe: _livenessProbe,
         } = instance;
         if (id !== _id) continue;
         const _deployId = `${deployId}-${_id}`;
@@ -1087,6 +1112,20 @@ EOF
           ),
         );
 
+        // Resolve env-scoped lifecycle/probe blocks: each can be either
+        //   { ...envObj }                        // shared shape
+        //   { development: {...}, production: {...} }   // env-specific
+        const pickEnv = (v) => (v && (v.development || v.production) ? v[env] : v);
+
+        // Convention: an instance config may place `imagePullPolicy` inside
+        // the env-scoped lifecycle block (alongside postStart/preStop).
+        // Extract it onto the container spec (where K8S expects it) and
+        // strip it from the lifecycle hash so the rendered YAML stays valid.
+        // CLI override (`--image-pull-policy`) wins over the conf value.
+        const { lifecycle: lifecycleForManifest, imagePullPolicy: lifecycleImagePullPolicy } =
+          Underpost.deploy.extractInstanceImagePullPolicy(pickEnv(_lifecycle));
+        const instanceImagePullPolicy = options.imagePullPolicy || lifecycleImagePullPolicy;
+
         let deploymentYaml = `---
 ${Underpost.deploy
   .deploymentYamlPartsFactory({
@@ -1099,6 +1138,11 @@ ${Underpost.deploy
     namespace: options.namespace,
     volumes: _volumes,
     cmd: resolvedCmd,
+    lifecycle: lifecycleForManifest,
+    readinessProbe: pickEnv(_readinessProbe),
+    livenessProbe: pickEnv(_livenessProbe),
+    containerPort: _toPort,
+    imagePullPolicy: instanceImagePullPolicy,
   })
   .replace('{{ports}}', buildKindPorts(_fromPort, _toPort))}
 `;
@@ -1130,7 +1174,7 @@ EOF
         );
       }
       if (options.etcHosts) {
-        const hostListenResult = Underpost.deploy.etcHostFactory(etcHosts);
+        const hostListenResult = etcHostFactory(etcHosts);
         logger.info(hostListenResult.renderHosts);
       }
     },
@@ -1187,14 +1231,34 @@ EOF
         volumes: _volumes,
         metadata: _metadata,
         runtime: _runtime,
+        lifecycle: _lifecycle,
+        readinessProbe: _readinessProbe,
+        livenessProbe: _livenessProbe,
       } = instance;
 
-      // Resolve Dockerfile source: use runtime-specific path when instance defines a runtime.
-      const dockerfileSourcePath = _runtime ? `src/runtime/${_runtime}/Dockerfile` : `${rootPath}/Dockerfile`;
-      if (fs.existsSync(dockerfileSourcePath)) {
+      // Resolve Dockerfile source. Dev/prod variant rules:
+      //   - When the instance defines a `runtime`, look under
+      //     `src/runtime/<runtime>/`. In `--dev` mode prefer `Dockerfile.dev`
+      //     when it exists, falling back to `Dockerfile`.
+      //   - When `runtime` is not set, look in the project root with the
+      //     same `.dev` → no-suffix precedence.
+      // Dockerfile.dev is a full Dockerfile (not an overlay) — each runtime
+      // owns the contract between its dev image and its prod image (debug
+      // build flags, extra tooling, default ports, etc.).
+      const dockerfileBase = _runtime ? `src/runtime/${_runtime}` : rootPath;
+      const dockerfileCandidates = options.dev
+        ? [`${dockerfileBase}/Dockerfile.dev`, `${dockerfileBase}/Dockerfile`]
+        : [`${dockerfileBase}/Dockerfile`];
+      const dockerfileSourcePath = dockerfileCandidates.find((p) => fs.existsSync(p));
+      if (dockerfileSourcePath) {
+        if (options.dev && !dockerfileSourcePath.endsWith('.dev')) {
+          logger.warn(
+            `[instance-build-manifest] --dev requested but no Dockerfile.dev present; falling back to ${dockerfileSourcePath}`,
+          );
+        }
         fs.copyFileSync(dockerfileSourcePath, dockerfileManifestPath);
       } else {
-        logger.warn(`[instance-build-manifest] Dockerfile not found at ${dockerfileSourcePath}`);
+        logger.warn(`[instance-build-manifest] Dockerfile not found; tried: ${dockerfileCandidates.join(', ')}`);
       }
 
       const _deployId = `${deployId}-${_id}`;
@@ -1239,6 +1303,17 @@ EOF
         ),
       );
 
+      // Env-aware lifecycle / probe selection. Each block may either be
+      // a single object (shared across envs) or `{ development, production }`.
+      const pickEnv = (v) => (v && (v.development || v.production) ? v[env] : v);
+
+      // Convention: an instance config may place `imagePullPolicy` inside
+      // the env-scoped lifecycle block (alongside postStart/preStop).
+      // Extract it onto the container spec and strip it from the lifecycle hash.
+      const { lifecycle: lifecycleForManifest, imagePullPolicy: lifecycleImagePullPolicy } =
+        Underpost.deploy.extractInstanceImagePullPolicy(pickEnv(_lifecycle));
+      const instanceImagePullPolicy = options.imagePullPolicy || lifecycleImagePullPolicy;
+
       const deploymentYaml =
         `---\n` +
         Underpost.deploy
@@ -1252,6 +1327,11 @@ EOF
             namespace: options.namespace,
             volumes: _volumes,
             cmd: resolvedCmd,
+            lifecycle: lifecycleForManifest,
+            readinessProbe: pickEnv(_readinessProbe),
+            livenessProbe: pickEnv(_livenessProbe),
+            containerPort: _toPort,
+            imagePullPolicy: instanceImagePullPolicy,
           })
           .replace('{{ports}}', buildKindPorts(_fromPort, _toPort));
 
@@ -1330,9 +1410,9 @@ EOF`);
       // crictl is in the kubernetes repo but excluded by default — install it explicitly
       shellExec(`sudo yum install -y cri-tools --disableexcludes=kubernetes`);
       // Ensure CRI-O uses systemd cgroup driver (matches kubelet default)
-      shellExec(
-        `sudo sed -i 's/^#\?cgroup_manager =.*/cgroup_manager = "systemd"/' /etc/crio/crio.conf 2>/dev/null || true`,
-      );
+      shellExec(`sudo sed -i 's/^#\?cgroup_manager =.*/cgroup_manager = "systemd"/' /etc/crio/crio.conf`, {
+        silentOnError: true,
+      });
       shellExec(`sudo systemctl enable --now crio`);
       logger.info('CRI-O installed and started.');
       // Write crictl config so all crictl calls default to the CRI-O socket
@@ -1466,7 +1546,8 @@ EOF`);
           `git config user.name '${username}' && ` +
           `git config user.email '${email}' && ` +
           `git config credential.interactive always &&` +
-          `git config pull.rebase false`,
+          `git config pull.rebase false && ` +
+          `git config core.filemode false`,
         {
           disableLog: true,
           silent: true,
@@ -1843,7 +1924,7 @@ EOF`);
         );
       } else logger.error(`Service pod ${podToMonitor} failed to start in time.`);
       if (options.etcHosts === true) {
-        const hostListenResult = Underpost.deploy.etcHostFactory([host]);
+        const hostListenResult = etcHostFactory([host]);
         logger.info(hostListenResult.renderHosts);
       }
     },
@@ -1861,7 +1942,7 @@ EOF`);
         const confServer = loadConfServerJson(`./engine-private/conf/${options.deployId}/conf.server.json`);
         hosts.push(...Object.keys(confServer));
       }
-      const hostListenResult = Underpost.deploy.etcHostFactory(hosts);
+      const hostListenResult = etcHostFactory(hosts);
       logger.info(hostListenResult.renderHosts);
     },
 
@@ -2180,15 +2261,26 @@ EOF`);
      * @memberof UnderpostRun
      */
     kill: (path = '', options = DEFAULT_OPTION) => {
-      if (options.pid) return shellExec(`sudo kill -9 ${options.pid}`);
+      if (options.pid)
+        return shellExec(`sudo kill -9 ${options.pid}`, {
+          silentOnError: true,
+        });
       for (const _path of path.split(',')) {
         if (_path.split('+')[1]) {
           let [port, sumPortOffSet] = _path.split('+');
           port = parseInt(port);
           sumPortOffSet = parseInt(sumPortOffSet);
           for (const sumPort of range(0, sumPortOffSet))
-            shellExec(`sudo kill -9 $(lsof -t -i:${parseInt(port) + parseInt(sumPort)})`);
-        } else shellExec(`sudo kill -9 $(lsof -t -i:${_path})`);
+            shellExec(
+              `PIDS=$(lsof -t -i:${parseInt(port) + parseInt(sumPort)}); [ -n "$PIDS" ] && sudo kill -9 $PIDS || true`,
+              {
+                silentOnError: true,
+              },
+            );
+        } else
+          shellExec(`PIDS=$(lsof -t -i:${_path}); [ -n "$PIDS" ] && sudo kill -9 $PIDS || true`, {
+            silentOnError: true,
+          });
       }
     },
     /**
@@ -2235,9 +2327,10 @@ EOF`);
      * @memberof UnderpostRun
      */
     secret: (path, options = DEFAULT_OPTION) => {
-      const secretPath = path ? path : `/home/dd/engine/engine-private/conf/dd-cron/.env.production`;
-      const command = `${options.dev ? 'node bin' : 'underpost'} secret underpost --create-from-file ${secretPath}`;
-      shellExec(command);
+      const cronDeployId = cronDeployIdResolve() || 'dd-cron';
+      Underpost.secret.underpost.createFromEnvFile(
+        `/home/dd/engine/engine-private/conf/${cronDeployId}/.env.${options.dev ? 'development' : 'production'}`,
+      );
     },
     /**
      * @method underpost-config
@@ -2545,6 +2638,57 @@ EOF`;
         }
       }
     },
+
+    /**
+     * @method monitor-ui
+     * @description Installs and enables the Cockpit KVM Dashboard (cockpit, cockpit-machines, libvirt)
+     * and opens the cockpit firewall service. With `--remove`, closes the firewall service instead.
+     * @param {string} path - Unused.
+     * @param {Object} options - The default underpost runner options for customizing workflow.
+     *   `options.remove` — when true, removes the cockpit firewall rule instead of adding it.
+     * @memberof UnderpostRun
+     */
+    'monitor-ui': (path, options = DEFAULT_OPTION) => {
+      if (options.remove) {
+        shellExec(`sudo firewall-cmd --zone=public --remove-service=cockpit --permanent`);
+        shellExec(`sudo firewall-cmd --reload`);
+        return;
+      }
+      shellExec(`sudo dnf install -y cockpit cockpit-machines libvirt`);
+      shellExec(`sudo systemctl enable --now cockpit.socket libvirtd`);
+      shellExec(`sudo firewall-cmd --permanent --add-service=cockpit`);
+      shellExec(`sudo firewall-cmd --reload`);
+    },
+
+    /**
+     * @method shared-dir
+     * @description Run once for initial shared-directory setup. Creates the group, adds the user,
+     * creates the directory, sets ownership, applies the SGID bit, and configures default ACLs so
+     * all future files inside the directory automatically inherit group write permissions.
+     * Use `reload-shared-dir` for subsequent permission repairs without recreating the group.
+     * @param {string} path - Target directory to set up (defaults to `/home/dd/engine`).
+     *   Customise via the `path` argument or leave empty to use the default.
+     * @param {Object} options - The default underpost runner options for customizing workflow.
+     *   Key fields: `options.user` (default `'admin'`), `options.group` (default `'engine-dev'`).
+     * @memberof UnderpostRun
+     */
+    'shared-dir': (path = '/home/dd/engine', options = DEFAULT_OPTION) => {
+      const dir = path || '/home/dd/engine';
+      const user = options.user || 'admin';
+      const group = options.group || 'engine-dev';
+
+      logger.info(`[setup-shared-dir] dir=${dir} user=${user} group=${group}`);
+
+      shellExec(`sudo groupadd ${group} 2>/dev/null || true`);
+      shellExec(`sudo usermod -aG ${group} ${user}`);
+      shellExec(`sudo mkdir -p ${dir}`);
+      shellExec(`sudo chown -R ${user}:${group} ${dir}`);
+      shellExec(`sudo chmod -R 2775 ${dir}`);
+      shellExec(`sudo setfacl -d -m g:${group}:rwx ${dir}`);
+      shellExec(`sudo setfacl -m g:${group}:rwx ${dir}`);
+
+      logger.info(`[setup-shared-dir] Shared directory setup complete: ${dir}`);
+    },
   };
 
   static API = {
@@ -2601,14 +2745,14 @@ EOF`;
         if (options.replicas === '' || options.replicas === null || options.replicas === undefined)
           options.replicas = 1;
         options.npmRoot = npmRoot;
-        logger.info('callback', { path, options });
+        logger.info(`Executing runner`, { runner, namespace: options.namespace });
         if (!Underpost.run.RUNNERS.includes(runner)) throw new Error(`Runner not found: ${runner}`);
         const result = await Underpost.run.CALL(runner, path, options);
         return result;
       } catch (error) {
         console.log(error);
         logger.error(error);
-        return null;
+        process.exit(1);
       }
     },
   };