@meshxdata/fops 0.0.4 → 0.0.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "description": "CLI to install and manage Foundation data mesh platforms",
   "keywords": [
     "foundation",
@@ -26,6 +26,7 @@
   },
   "dependencies": {
     "@anthropic-ai/claude-code": "^1.0.0",
+    "@meshxdata/fops": "^0.0.4",
     "boxen": "^8.0.1",
     "chalk": "^5.3.0",
     "commander": "^12.0.0",

package/src/commands/index.js

@@ -273,6 +273,24 @@ export function registerCommands(program, registry) {
     .command("plugin")
     .description("Manage fops plugins");
 
+  // Helper: read/write plugin enabled state in ~/.fops.json
+  const fopsConfigPath = path.join(os.homedir(), ".fops.json");
+  const readFopsConfig = () => {
+    try { return fs.existsSync(fopsConfigPath) ? JSON.parse(fs.readFileSync(fopsConfigPath, "utf8")) : {}; } catch { return {}; }
+  };
+  const setPluginEnabled = (id, enabled) => {
+    const cfg = readFopsConfig();
+    if (!cfg.plugins) cfg.plugins = {};
+    if (!cfg.plugins.entries) cfg.plugins.entries = {};
+    if (!cfg.plugins.entries[id]) cfg.plugins.entries[id] = {};
+    cfg.plugins.entries[id].enabled = enabled;
+    fs.writeFileSync(fopsConfigPath, JSON.stringify(cfg, null, 2) + "\n");
+  };
+  const isPluginEnabled = (id) => {
+    const cfg = readFopsConfig();
+    return cfg?.plugins?.entries?.[id]?.enabled !== false;
+  };
+
   pluginCmd
     .command("list")
     .description("List installed plugins with status")
@@ -284,8 +302,11 @@ export function registerCommands(program, registry) {
       }
       console.log(chalk.bold.cyan("\n  Installed Plugins\n"));
       for (const p of registry.plugins) {
+        const enabled = isPluginEnabled(p.id);
+        const dot = enabled ? chalk.green("●") : chalk.red("○");
+        const status = enabled ? "" : chalk.red(" (disabled)");
         const source = chalk.dim(`(${p.source})`);
-        console.log(`  ${chalk.green("●")} ${chalk.bold(p.name)} ${chalk.dim("v" + p.version)} ${source}`);
+        console.log(`  ${dot} ${chalk.bold(p.name)} ${chalk.dim("v" + p.version)} ${source}${status}`);
         console.log(chalk.dim(`    id: ${p.id}  path: ${p.path}`));
       }
       console.log("");
@@ -338,4 +359,30 @@ export function registerCommands(program, registry) {
       fs.rmSync(pluginDir, { recursive: true, force: true });
       console.log(chalk.green(`  ✓ Removed plugin "${id}"`));
     });
+
+  pluginCmd
+    .command("enable <id>")
+    .description("Enable a plugin")
+    .action(async (id) => {
+      const found = registry.plugins.find((p) => p.id === id);
+      if (!found) {
+        console.error(chalk.red(`Plugin "${id}" not found. Run: fops plugin list`));
+        process.exit(1);
+      }
+      setPluginEnabled(id, true);
+      console.log(chalk.green(`  ✓ Enabled plugin "${id}". Restart fops to apply.`));
+    });
+
+  pluginCmd
+    .command("disable <id>")
+    .description("Disable a plugin without removing it")
+    .action(async (id) => {
+      const found = registry.plugins.find((p) => p.id === id);
+      if (!found) {
+        console.error(chalk.red(`Plugin "${id}" not found. Run: fops plugin list`));
+        process.exit(1);
+      }
+      setPluginEnabled(id, false);
+      console.log(chalk.yellow(`  ○ Disabled plugin "${id}". Restart fops to apply.`));
+    });
 }

package/src/doctor.js

@@ -6,8 +6,8 @@ import path from "node:path";
 import chalk from "chalk";
 import { execa } from "execa";
 import { rootDir } from "./project.js";
+import inquirer from "inquirer";
 import { detectEcrRegistry, detectAwsSsoProfiles, fixAwsSso, fixEcr } from "./setup/aws.js";
-import { confirm } from "./ui/index.js";
 
 const KEY_PORTS = {
   5432: "Postgres",
@@ -34,6 +34,25 @@ async function checkPort(port) {
   });
 }
 
+/**
+ * Ensure Homebrew is available (macOS). Installs if missing.
+ * Returns true if brew is usable after the call.
+ */
+async function ensureBrew() {
+  try { await execa("brew", ["--version"]); return true; } catch {}
+  console.log(chalk.cyan("  ▶ Installing Homebrew…"));
+  try {
+    await execa("bash", ["-c", 'NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'], {
+      stdio: "inherit", timeout: 300_000,
+    });
+    const brewPaths = ["/opt/homebrew/bin/brew", "/usr/local/bin/brew"];
+    for (const bp of brewPaths) {
+      if (fs.existsSync(bp)) { process.env.PATH = path.dirname(bp) + ":" + process.env.PATH; break; }
+    }
+    return true;
+  } catch { return false; }
+}
+
 async function cmdVersion(cmd, args = ["--version"]) {
   try {
     const { stdout } = await execa(cmd, args, { reject: false, timeout: 5000 });
@@ -98,19 +117,21 @@ export async function runDoctor(opts = {}, registry = null) {
   let failed = 0;
 
   const fixes = []; // collect fix actions to run at the end
+  const fixFns = new Set(); // deduplicate by function reference
 
   const ok = (name, detail) => {
     console.log(chalk.green("  ✓ ") + name + (detail ? chalk.dim(` — ${detail}`) : ""));
     passed++;
   };
-  const warn = (name, detail) => {
+  const warn = (name, detail, fixFn) => {
     console.log(chalk.yellow("  ⚠ ") + name + (detail ? chalk.dim(` — ${detail}`) : ""));
     warned++;
+    if (fixFn && !fixFns.has(fixFn)) { fixes.push({ name, fn: fixFn }); fixFns.add(fixFn); }
   };
   const fail = (name, detail, fixFn) => {
     console.log(chalk.red("  ✗ ") + name + (detail ? chalk.dim(` — ${detail}`) : ""));
     failed++;
-    if (fixFn) fixes.push({ name, fn: fixFn });
+    if (fixFn && !fixFns.has(fixFn)) { fixes.push({ name, fn: fixFn }); fixFns.add(fixFn); }
   };
 
   // ── Prerequisites ──────────────────────────────────
@@ -235,7 +256,20 @@ export async function runDoctor(opts = {}, registry = null) {
   // Git
   const gitVer = await cmdVersion("git");
   if (gitVer) ok("Git available", gitVer);
-  else fail("Git not found", "install git");
+  else fail("Git not found", "install git", async () => {
+    if (process.platform === "darwin") {
+      if (!(await ensureBrew())) throw new Error("Homebrew required");
+      console.log(chalk.cyan("  ▶ brew install git"));
+      await execa("brew", ["install", "git"], { stdio: "inherit", timeout: 300_000 });
+    } else if (process.platform === "win32") {
+      if (!hasWinget) throw new Error("winget required");
+      console.log(chalk.cyan("  ▶ winget install Git.Git"));
+      await execa("winget", ["install", "Git.Git", "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
+    } else {
+      console.log(chalk.cyan("  ▶ sudo apt-get install -y git"));
+      await execa("sudo", ["apt-get", "install", "-y", "git"], { stdio: "inherit", timeout: 300_000 });
+    }
+  });
 
   // Node.js version
   const nodeVer = process.versions.node;
@@ -246,28 +280,121 @@ export async function runDoctor(opts = {}, registry = null) {
   // Claude CLI (bundled as a dependency)
   const claudeVer = await cmdVersion("claude");
   if (claudeVer) ok("Claude CLI", claudeVer);
-  else fail("Claude CLI not found", "run: npm install (included as a dependency)");
+  else fail("Claude CLI not found", "included as a dependency", async () => {
+    console.log(chalk.cyan("  ▶ npm install"));
+    await execa("npm", ["install"], { stdio: "inherit", timeout: 300_000 });
+  });
 
   // AWS CLI (optional)
   const awsVer = await cmdVersion("aws");
   if (awsVer) ok("AWS CLI", awsVer);
-  else warn("AWS CLI not found", "optional — needed for ECR login");
+  else warn("AWS CLI not found", "needed for ECR login", async () => {
+    if (process.platform === "darwin") {
+      if (!(await ensureBrew())) throw new Error("Homebrew required");
+      console.log(chalk.cyan("  ▶ brew install awscli"));
+      await execa("brew", ["install", "awscli"], { stdio: "inherit", timeout: 300_000 });
+    } else if (process.platform === "win32") {
+      if (!hasWinget) throw new Error("winget required");
+      console.log(chalk.cyan("  ▶ winget install Amazon.AWSCLI"));
+      await execa("winget", ["install", "Amazon.AWSCLI", "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
+    } else {
+      console.log(chalk.cyan("  ▶ curl + unzip install"));
+      await execa("sh", ["-c", 'curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o /tmp/awscliv2.zip && unzip -qo /tmp/awscliv2.zip -d /tmp && sudo /tmp/aws/install'], {
+        stdio: "inherit", timeout: 300_000,
+      });
+    }
+  });
+
+  // 1Password CLI (optional — needed for secret sync)
+  const opVer = await cmdVersion("op");
+  if (opVer) ok("1Password CLI (op)", opVer);
+  else warn("1Password CLI (op) not installed", "needed for secret sync", async () => {
+    if (process.platform === "darwin") {
+      if (!(await ensureBrew())) throw new Error("Homebrew required");
+      console.log(chalk.cyan("  ▶ brew install --cask 1password-cli"));
+      await execa("brew", ["install", "--cask", "1password-cli"], { stdio: "inherit", timeout: 300_000 });
+    } else if (process.platform === "win32") {
+      if (!hasWinget) throw new Error("winget required");
+      console.log(chalk.cyan("  ▶ winget install AgileBits.1Password.CLI"));
+      await execa("winget", ["install", "AgileBits.1Password.CLI", "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
+    } else {
+      console.log(chalk.dim("  Install manually: https://developer.1password.com/docs/cli/get-started/#install"));
+    }
+  });
 
-  // ~/.netrc GitHub credentials (optional — validate against API + repo access)
+  // GitHub CLI
+  const ghVer = await cmdVersion("gh");
+  if (ghVer) ok("GitHub CLI (gh)", ghVer);
+  else warn("GitHub CLI (gh) not installed", "needed for auth", async () => {
+    if (process.platform === "darwin") {
+      if (!(await ensureBrew())) throw new Error("Homebrew required");
+      console.log(chalk.cyan("  ▶ brew install gh"));
+      await execa("brew", ["install", "gh"], { stdio: "inherit", timeout: 300_000 });
+    } else if (process.platform === "win32") {
+      if (!hasWinget) throw new Error("winget required");
+      console.log(chalk.cyan("  ▶ winget install GitHub.cli"));
+      await execa("winget", ["install", "GitHub.cli", "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
+    } else {
+      console.log(chalk.dim("  Install: https://cli.github.com/"));
+    }
+  });
+
+  // ~/.netrc GitHub credentials (required for private repo access)
   const netrcPath = path.join(os.homedir(), ".netrc");
+  const netrcFixFn = async () => {
+    // Install gh if missing
+    let hasGh = false;
+    try { await execa("gh", ["--version"]); hasGh = true; } catch {}
+    if (!hasGh) {
+      if (process.platform === "darwin") {
+        if (!(await ensureBrew())) throw new Error("Homebrew required to install gh");
+        console.log(chalk.cyan("  ▶ brew install gh"));
+        await execa("brew", ["install", "gh"], { stdio: "inherit", timeout: 300_000 });
+        hasGh = true;
+      } else if (process.platform === "win32") {
+        console.log(chalk.cyan("  ▶ winget install GitHub.cli"));
+        await execa("winget", ["install", "GitHub.cli", "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
+        hasGh = true;
+      }
+    }
+    // Authenticate via gh
+    console.log(chalk.cyan("\n  ▶ gh auth login -p https -h github.com -w"));
+    await execa("gh", ["auth", "login", "-p", "https", "-h", "github.com", "-w"], {
+      stdio: "inherit", timeout: 120_000,
+    });
+    console.log(chalk.cyan("  ▶ gh auth setup-git"));
+    await execa("gh", ["auth", "setup-git"], { stdio: "inherit", timeout: 10_000 }).catch(() => {});
+    // Extract token and write to .netrc for tools that need it directly
+    try {
+      const { stdout: ghToken } = await execa("gh", ["auth", "token"], { timeout: 5000 });
+      const { stdout: ghUser } = await execa("gh", ["api", "/user", "--jq", ".login"], { timeout: 10000 });
+      if (ghToken?.trim() && ghUser?.trim()) {
+        const entry = `machine github.com\nlogin ${ghUser.trim()}\npassword ${ghToken.trim()}\n`;
+        if (fs.existsSync(netrcPath)) {
+          const content = fs.readFileSync(netrcPath, "utf8");
+          if (!content.includes("github.com")) {
+            fs.appendFileSync(netrcPath, "\n" + entry);
+          }
+        } else {
+          fs.writeFileSync(netrcPath, entry, { mode: 0o600 });
+        }
+        console.log(chalk.green("  ✓ ~/.netrc updated with GitHub credentials"));
+      }
+    } catch {}
+  };
   if (fs.existsSync(netrcPath)) {
     try {
       const content = fs.readFileSync(netrcPath, "utf8");
       if (!content.includes("github.com")) {
-        warn("~/.netrc exists but no github.com entry");
+        fail("~/.netrc exists but no github.com entry", "needed for private repos", netrcFixFn);
       } else {
         const token = readNetrcToken(content, "github.com");
         if (!token) {
-          warn("~/.netrc has github.com but no password/token");
+          fail("~/.netrc has github.com but no password/token", "add token", netrcFixFn);
         } else {
           const userRes = await ghApiGet("/user", token);
           if (userRes.status !== 200) {
-            fail("~/.netrc GitHub token invalid or expired", "regenerate at github.com/settings/tokens");
+            fail("~/.netrc GitHub token invalid or expired", "regenerate at github.com/settings/tokens", netrcFixFn);
           } else {
             const login = userRes.body.login || "authenticated";
             ok("~/.netrc GitHub credentials", `authenticated as ${login}`);
@@ -283,10 +410,10 @@ export async function runDoctor(opts = {}, registry = null) {
         }
       }
     } catch {
-      warn("~/.netrc not readable");
+      fail("~/.netrc not readable", "check file permissions", netrcFixFn);
     }
   } else {
-    warn("~/.netrc not found", "optional — used for private repo access");
+    fail("~/.netrc not found", "needed for private repo access", netrcFixFn);
   }
 
   // ~/.fops.json config (optional)
@@ -324,7 +451,7 @@ export async function runDoctor(opts = {}, registry = null) {
       }
     }
   } else {
-    warn("~/.aws/config not found", "optional — needed for ECR");
+    warn("~/.aws/config not found", "needed for ECR", fixAwsSso);
   }
 
   // Validate ECR access if project references ECR images
@@ -332,7 +459,7 @@ export async function runDoctor(opts = {}, registry = null) {
   if (ecrInfo) {
     const ecrUrl = `${ecrInfo.accountId}.dkr.ecr.${ecrInfo.region}.amazonaws.com`;
     if (!awsSessionValid) {
-      fail(`ECR registry ${ecrUrl}`, "fix AWS session first", () => fixEcr(ecrInfo));
+      fail(`ECR registry ${ecrUrl}`, "fix AWS session first");
     } else {
       // Check we can get an ECR login password (same call the actual login uses)
       const ssoProfiles = detectAwsSsoProfiles();
@@ -644,8 +771,12 @@ export async function runDoctor(opts = {}, registry = null) {
   if (failed) parts.push(chalk.red(`${failed} failed`));
   console.log("  " + parts.join(chalk.dim(" · ")));
 
-  if (failed > 0 && fixes.length > 0) {
-    const shouldFix = opts.fix || await confirm(`\n  Fix ${fixes.length} issue(s) automatically?`, true);
+  if (fixes.length > 0) {
+    let shouldFix = opts.fix;
+    if (!shouldFix) {
+      const { ans } = await inquirer.prompt([{ type: "confirm", name: "ans", message: `Fix ${fixes.length} issue(s) automatically?`, default: true }]);
+      shouldFix = ans;
+    }
     if (shouldFix) {
       console.log("");
       for (const fix of fixes) {
@@ -658,7 +789,7 @@ export async function runDoctor(opts = {}, registry = null) {
         }
       }
       console.log(chalk.dim("  Run fops doctor again to verify.\n"));
-    } else {
+    } else if (failed > 0) {
       console.log("");
       process.exit(1);
     }

package/src/setup/aws.js

@@ -1,7 +1,6 @@
 import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import readline from "node:readline";
 import chalk from "chalk";
 import { execa } from "execa";
 import inquirer from "inquirer";
@@ -138,20 +137,6 @@ export function detectAwsSsoProfiles() {
   return profiles;
 }
 
-/**
- * Simple readline prompt helper.
- */
-function ask(question, defaultVal) {
-  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
-  const suffix = defaultVal ? chalk.dim(` (${defaultVal})`) : "";
-  return new Promise((resolve) => {
-    rl.question(`  ${question}${suffix}: `, (answer) => {
-      rl.close();
-      resolve(answer.trim() || defaultVal || "");
-    });
-  });
-}
-
 /**
  * Check if ~/.aws/config has an sso-session block with sso_start_url.
  * If not, prompt user for the values and write them.
@@ -166,38 +151,35 @@ export async function ensureSsoConfig() {
   console.log(chalk.cyan("\n  AWS SSO is not configured. Let's set it up.\n"));
   console.log(chalk.dim("  You can find these values in your AWS SSO portal.\n"));
 
-  const sessionName = await ask("SSO session name", "meshx");
-  const startUrl = await ask("SSO start URL");
-  const ssoRegion = await ask("SSO region", "us-east-1");
-  const accountId = await ask("AWS account ID");
-  const roleName = await ask("SSO role name", "AdministratorAccess");
-  const region = await ask("Default region", ssoRegion);
-  const profileName = await ask("Profile name", "dev");
-
-  if (!startUrl || !accountId) {
-    throw new Error("SSO start URL and account ID are required");
-  }
+  const answers = await inquirer.prompt([
+    { type: "input", name: "sessionName", message: "SSO session name:", default: "me-central-1" },
+    { type: "input", name: "startUrl", message: "SSO start URL:", validate: (v) => v?.trim() ? true : "Required." },
+    { type: "input", name: "ssoRegion", message: "SSO region:", default: "us-east-1" },
+    { type: "input", name: "accountId", message: "AWS account ID:", validate: (v) => /^\d{12}$/.test(v?.trim()) ? true : "Must be 12 digits." },
+    { type: "input", name: "roleName", message: "SSO role name:", default: "AdministratorAccess" },
+    { type: "input", name: "profileName", message: "Profile name:", default: "dev" },
+    { type: "input", name: "region", message: "Default region:", default: (a) => a.ssoRegion },
+  ]);
 
   // Ensure ~/.aws directory exists
   const awsDir = path.join(os.homedir(), ".aws");
   if (!fs.existsSync(awsDir)) fs.mkdirSync(awsDir, { mode: 0o700 });
 
-  const block = `
-[sso-session ${sessionName}]
-sso_start_url = ${startUrl}
-sso_region = ${ssoRegion}
+  const block = `[sso-session ${answers.sessionName.trim()}]
+sso_start_url = ${answers.startUrl.trim()}
+sso_region = ${answers.ssoRegion.trim()}
 sso_registration_scopes = sso:account:access
 
-[profile ${profileName}]
-sso_session = ${sessionName}
-sso_account_id = ${accountId}
-sso_role_name = ${roleName}
-region = ${region}
+[profile ${answers.profileName.trim()}]
+sso_session = ${answers.sessionName.trim()}
+sso_account_id = ${answers.accountId.trim()}
+sso_role_name = ${answers.roleName.trim()}
+region = ${answers.region.trim()}
 output = json
 `;
 
-  fs.appendFileSync(configPath, block);
-  console.log(chalk.green(`\n  ✓ Written to ~/.aws/config (profile: ${profileName})`));
+  fs.writeFileSync(configPath, block);
+  console.log(chalk.green(`\n  ✓ Written to ~/.aws/config (profile: ${answers.profileName.trim()})`));
 }
 
 /**
@@ -220,13 +202,44 @@ export async function fixAwsSso() {
   let ttyFd;
   try { ttyFd = fs.openSync("/dev/tty", "r"); } catch { ttyFd = null; }
 
-  await execa("aws", ["sso", "login", "--profile", profile.name], {
+  const { exitCode } = await execa("aws", ["sso", "login", "--profile", profile.name], {
     stdio: [ttyFd ?? "inherit", "inherit", "inherit"],
     reject: false,
     timeout: 120_000,
   });
 
   if (ttyFd !== null) fs.closeSync(ttyFd);
+
+  if (exitCode !== 0) {
+    // SSO login failed — likely bad config. Remove it and re-run setup.
+    console.log(chalk.yellow("  SSO login failed — re-running setup with new values...\n"));
+    const configPath = path.join(os.homedir(), ".aws", "config");
+    if (fs.existsSync(configPath)) fs.unlinkSync(configPath);
+    await ensureSsoConfig();
+
+    const retryProfiles = detectAwsSsoProfiles();
+    if (retryProfiles.length === 0) {
+      throw new Error("No SSO profiles found after config — check ~/.aws/config");
+    }
+
+    const retryProfile = retryProfiles[0];
+    console.log(chalk.cyan(`  ▶ aws sso login --profile ${retryProfile.name}`));
+
+    let retryTtyFd;
+    try { retryTtyFd = fs.openSync("/dev/tty", "r"); } catch { retryTtyFd = null; }
+
+    const { exitCode: retryCode } = await execa("aws", ["sso", "login", "--profile", retryProfile.name], {
+      stdio: [retryTtyFd ?? "inherit", "inherit", "inherit"],
+      reject: false,
+      timeout: 120_000,
+    });
+
+    if (retryTtyFd !== null) fs.closeSync(retryTtyFd);
+
+    if (retryCode !== 0) {
+      throw new Error("SSO login failed. Check your SSO start URL and region in ~/.aws/config");
+    }
+  }
 }
 
 /**

package/src/setup/wizard.js

@@ -8,6 +8,60 @@ import { isFoundationRoot, findComposeRootUp } from "../project.js";
 import { discoverPlugins } from "../plugins/discovery.js";
 import { validateManifest } from "../plugins/manifest.js";
 import { runSetup, CLONE_BRANCH } from "./setup.js";
+import { confirm } from "../ui/index.js";
+
+/**
+ * Ensure Homebrew is available (macOS). Installs if missing.
+ */
+async function ensureBrew() {
+  try { await execa("brew", ["--version"]); return true; } catch {}
+  console.log(chalk.cyan("  ▶ Installing Homebrew…"));
+  try {
+    await execa("bash", ["-c", 'NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'], {
+      stdio: "inherit", timeout: 300_000,
+    });
+    const brewPaths = ["/opt/homebrew/bin/brew", "/usr/local/bin/brew"];
+    for (const bp of brewPaths) {
+      if (fs.existsSync(bp)) { process.env.PATH = path.dirname(bp) + ":" + process.env.PATH; break; }
+    }
+    return true;
+  } catch { return false; }
+}
+
+/**
+ * Try to install a missing tool. Returns true if installed successfully.
+ */
+async function installTool(name, { brew, brewCask, winget, apt, npm: npmPkg } = {}) {
+  const shouldInstall = await confirm(`  Install ${name}?`, true);
+  if (!shouldInstall) return false;
+  try {
+    if (process.platform === "darwin" && (brew || brewCask)) {
+      if (!(await ensureBrew())) { console.log(chalk.red("  Homebrew required")); return false; }
+      const cmd = brewCask ? ["install", "--cask", brewCask] : ["install", brew];
+      console.log(chalk.cyan(`  ▶ brew ${cmd.join(" ")}`));
+      await execa("brew", cmd, { stdio: "inherit", timeout: 300_000 });
+      return true;
+    }
+    if (process.platform === "win32" && winget) {
+      console.log(chalk.cyan(`  ▶ winget install ${winget}`));
+      await execa("winget", ["install", winget, "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
+      return true;
+    }
+    if (process.platform === "linux" && apt) {
+      console.log(chalk.cyan(`  ▶ sudo apt-get install -y ${apt}`));
+      await execa("sudo", ["apt-get", "install", "-y", apt], { stdio: "inherit", timeout: 300_000 });
+      return true;
+    }
+    if (npmPkg) {
+      console.log(chalk.cyan(`  ▶ npm install`));
+      await execa("npm", ["install"], { stdio: "inherit", timeout: 300_000 });
+      return true;
+    }
+  } catch (err) {
+    console.log(chalk.red(`  Failed to install ${name}: ${err.message}`));
+  }
+  return false;
+}
 
 export async function runInitWizard() {
   const cwd = process.cwd();
@@ -30,19 +84,64 @@ export async function runInitWizard() {
       projectRoot = foundUp;
     }
     if (!projectRoot) {
-      let hasGit = false, hasDocker = false, hasAws = false, hasClaude = false;
-      try { await execa("git", ["--version"]); hasGit = true; } catch {}
+      // ── Check prerequisites and offer to install missing ones ──
+      const getVer = async (cmd, args = ["--version"]) => {
+        try { const { stdout } = await execa(cmd, args, { reject: false, timeout: 5000 }); return stdout?.split("\n")[0]?.trim() || null; } catch { return null; }
+      };
+
+      let hasGit = !!(await getVer("git"));
+      let hasDocker = false;
       try { await execa("docker", ["info"], { timeout: 5000 }); hasDocker = true; } catch {}
-      try { await execa("aws", ["--version"]); hasAws = true; } catch {}
-      try { await execa("claude", ["--version"]); hasClaude = true; } catch {}
+      let hasAws = !!(await getVer("aws"));
+      let hasClaude = !!(await getVer("claude"));
+      let hasOp = !!(await getVer("op"));
+
       console.log(chalk.cyan("  Prerequisites\n"));
-      console.log(hasGit ? chalk.green("  ✓ Git") : chalk.red("  ✗ Git — install git first"));
-      console.log(hasDocker ? chalk.green("  ✓ Docker") : chalk.red("  ✗ Docker — install and start Docker Desktop"));
-      console.log(hasClaude ? chalk.green("  ✓ Claude CLI") : chalk.red("  ✗ Claude CLI — run: npm install (included as a dependency)"));
-      console.log(hasAws ? chalk.green("  ✓ AWS CLI") : chalk.yellow("  ⚠ AWS CLI — install for ECR image pulls (brew install awscli)"));
+
+      // Git
+      if (hasGit) console.log(chalk.green("  ✓ Git"));
+      else {
+        console.log(chalk.red("  ✗ Git"));
+        hasGit = await installTool("Git", { brew: "git", winget: "Git.Git", apt: "git" });
+      }
+
+      // Docker
+      if (hasDocker) console.log(chalk.green("  ✓ Docker"));
+      else {
+        console.log(chalk.red("  ✗ Docker"));
+        hasDocker = await installTool("Docker Desktop", { brewCask: "docker", winget: "Docker.DockerDesktop" });
+        if (hasDocker && process.platform === "darwin") {
+          console.log(chalk.cyan("  ▶ open -a Docker"));
+          await execa("open", ["-a", "Docker"], { timeout: 10000 }).catch(() => {});
+        }
+      }
+
+      // Claude CLI
+      if (hasClaude) console.log(chalk.green("  ✓ Claude CLI"));
+      else {
+        console.log(chalk.red("  ✗ Claude CLI"));
+        hasClaude = await installTool("Claude CLI", { npm: true });
+      }
+
+      // AWS CLI (optional)
+      if (hasAws) console.log(chalk.green("  ✓ AWS CLI"));
+      else {
+        console.log(chalk.yellow("  ⚠ AWS CLI") + chalk.dim(" — needed for ECR image pulls"));
+        hasAws = await installTool("AWS CLI", { brew: "awscli", winget: "Amazon.AWSCLI" });
+      }
+
+      // 1Password CLI (optional)
+      if (hasOp) console.log(chalk.green("  ✓ 1Password CLI"));
+      else {
+        console.log(chalk.yellow("  ⚠ 1Password CLI") + chalk.dim(" — needed for secret sync"));
+        hasOp = await installTool("1Password CLI", { brewCask: "1password-cli", winget: "AgileBits.1Password.CLI" });
+      }
+
+      // GitHub credentials
       const netrcPath = path.join(os.homedir(), ".netrc");
       const hasNetrc = fs.existsSync(netrcPath) && fs.readFileSync(netrcPath, "utf8").includes("machine github.com");
       console.log(hasNetrc ? chalk.green("  ✓ GitHub credentials (~/.netrc)") : chalk.yellow("  ⚠ GitHub credentials — add to ~/.netrc (needed for private submodules)"));
+
       // Cursor IDE (only when cursor plugin is installed)
       const cursorPluginDir = path.join(os.homedir(), ".fops", "plugins", "cursor");
       if (fs.existsSync(cursorPluginDir)) {
@@ -51,13 +150,27 @@ export async function runInitWizard() {
           const { stdout } = await execa("cursor", ["--version"]);
           cursorVer = (stdout || "").split("\n")[0].trim();
         } catch {}
-        console.log(cursorVer
-          ? chalk.green("  ✓ Cursor IDE") + chalk.dim(` — ${cursorVer}`)
-          : chalk.yellow("  ⚠ Cursor IDE — install from cursor.com, then: Cmd+Shift+P → 'Install cursor command'"));
+
+        if (cursorVer) {
+          console.log(chalk.green("  ✓ Cursor IDE") + chalk.dim(` — ${cursorVer}`));
+        } else {
+          // Check if Cursor app is installed even without CLI command
+          const appInstalled = process.platform === "darwin"
+            ? fs.existsSync("/Applications/Cursor.app")
+            : process.platform === "win32"
+              ? fs.existsSync(path.join(os.homedir(), "AppData", "Local", "Programs", "Cursor", "Cursor.exe"))
+              : false;
+          if (appInstalled) {
+            console.log(chalk.green("  ✓ Cursor IDE") + chalk.dim(" — app installed (CLI not in PATH — Cmd+Shift+P → 'Install cursor command' to enable)"));
+          } else {
+            console.log(chalk.yellow("  ⚠ Cursor IDE — install from cursor.com, then: Cmd+Shift+P → 'Install cursor command'"));
+          }
+        }
       }
+
       console.log("");
       if (!hasGit || !hasDocker || !hasClaude) {
-        console.log(chalk.red("Fix the missing prerequisites above, then run fops init again.\n"));
+        console.log(chalk.red("  Required tools are still missing. Install them and run fops init again.\n"));
         process.exit(1);
       }
       const choices = [