fix: correct package cleanup commands in netupgrade

Use apt-get autoremove --purge instead of a separate empty purge step, and pass the CLI yes flag through to apk upgrade so the logged commands match actual behavior.

bin/netupgrade

@@ -219,8 +219,8 @@ runCmd() { # $1=host $2=name $3=cmd
 					ERROR=1
 				fi
 				echo "" | tee -a "${LOGFILENAME}"
-				echo "apt-get ${YESARG} autoremove" | tee -a "${LOGFILENAME}"
+				echo "apt-get ${YESARG} autoremove --purge" | tee -a "${LOGFILENAME}"
-				runSSH "${HOST}" apt-get ${YESARG} autoremove | tee -a "${LOGFILENAME}"
+				runSSH "${HOST}" apt-get ${YESARG} autoremove --purge | tee -a "${LOGFILENAME}"
 				echo "" | tee -a "${LOGFILENAME}"
 				echo "apt-get ${YESARG} autoclean" | tee -a "${LOGFILENAME}"
 				runSSH "${HOST}" apt-get ${YESARG} autoclean | tee -a "${LOGFILENAME}"
@@ -228,9 +228,6 @@ runCmd() { # $1=host $2=name $3=cmd
 				echo "apt-get ${YESARG} clean" | tee -a "${LOGFILENAME}"
 				runSSH "${HOST}" apt-get ${YESARG} clean | tee -a "${LOGFILENAME}"
 				echo "" | tee -a "${LOGFILENAME}"
-				echo "apt-get ${YESARG} purge" | tee -a "${LOGFILENAME}"
-				runSSH "${HOST}" apt-get ${YESARG} purge | tee -a "${LOGFILENAME}"
-				echo "" | tee -a "${LOGFILENAME}"
 			fi
 		;;
 		yum)
@@ -293,8 +290,8 @@ runCmd() { # $1=host $2=name $3=cmd
 			if ! runSSH "${HOST}" apk update | tee -a "${LOGFILENAME}"; then
 				ERROR=1
 			fi
-			echo "apk upgrade" | tee -a "${LOGFILENAME}"
+			echo "apk upgrade ${YESARG}" | tee -a "${LOGFILENAME}"
-			if ! runSSH "${HOST}" apk upgrade | tee -a "${LOGFILENAME}"; then
+			if ! runSSH "${HOST}" apk upgrade ${YESARG} | tee -a "${LOGFILENAME}"; then
 				ERROR=1
 			fi
 		;;

state.md

@@ -90,7 +90,6 @@ Supported action types currently include:
 
 ### Short term
 - Tackle the next hardening work as small, reviewable commits instead of one broad patch
-- Review package-manager cleanup steps that look incorrect or misleading, such as `apt-get purge` without arguments and the current `apk` `-y` handling
 - Review the remaining quoting-sensitive areas, especially around remote shell command construction
 
 ### Medium term
@@ -121,6 +120,8 @@ Supported action types currently include:
 - `whiptail` checklist defaults are now passed explicitly as `ON`/`OFF`, and selected items are parsed through a dedicated helper instead of relying on raw shell word splitting
 - The CLI help and README now clarify that `-f` preselects all nodes in the interactive checklist
 - Log summary generation no longer uses `sed -i` interpolation; the script now writes a temporary file with the summary header plus the existing log content and replaces the original log atomically
+- The `apk` action now applies `-y` to `apk upgrade` when the CLI `-y` flag is set, making its behavior consistent with the documented intent for supported package managers
+- The `apt` action now uses `apt-get autoremove --purge` and no longer runs `apt-get purge` without arguments, which makes the cleanup step more meaningful and avoids a misleading command in the log
 
 ## Change guidance
 - Preserve backward compatibility for existing config files where possible