@meshxdata/fops 0.1.36 → 0.1.38

package/CHANGELOG.md

@@ -1,3 +1,210 @@
+## [0.1.38] - 2026-03-10
+
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+- azure stack index.js split (de12272)
+- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
+- packer (9665fbc)
+- remove stack api (db0fd4d)
+- packer cleanup (fe1bf14)
+- force refresh token (3a3d7e2)
+- provision shell (2ad505f)
+- azure vm management (91dcb31)
+- azure specific (2b0cca8)
+- azure packer (12175b8)
+- init hashed pwd (db8523c)
+- packer (5b5c7c4)
+- doctor for azure vm (ed524fa)
+- packer and 1pwd (c6d053e)
+- split big index.js (dc85a1b)
+- kafka volume update (21815ec)
+- fix openai azure tools confirmation and flow (0118cd1)
+- nighly fixx, test fix (5e0d04f)
+- open ai training (cdc494a)
+- openai integration in azure (1ca1475)
+- ci (672cea9)
+- refresh ghcr creds (4220c48)
+- cleaned up version (1a0074f)
+- traefik on ghcr and templates (8e31a05)
+- apply fcl (e78911f)
+- demo landscape (dd205fe)
+- smarter login and schema (1af514f)
+- no down before up unless something broke (56b1132)
+- dai, reconcile failed containers (12907fa)
+- reconcile dead container (7da75e4)
+- defensive around storage buckets dir (b98871d)
+- defensive around storage buckets dir (e86e132)
+- gear in for multiarch (bf3fa3e)
+- up autofix (99c7f89)
+- autofix stale containers on up (43c7d0f)
+- shared sessions fix (5de1359)
+- share sessions between ui and tui (8321391)
+- fix chat view display details (e263996)
+- fix chat view display details (9babdda)
+- tui up fixes (86e9f17)
+- fix commands init (442538b)
+- enable k3s profile (b2dcfc8)
+- test up till job creation (656d388)
+- tui fixes (0599779)
+- cleanup (27731f0)
+- train (90bf559)
+- training (f809bf6)
+- training (ba2b836)
+- training (6fc5267)
+- training (4af8ac9)
+- fix build script (bd82836)
+- infra test (5b79815)
+- infra test (3a0ac05)
+- infra test (e5c67b5)
+- tests (ae7b621)
+- tests (c09ae6a)
+- update tui (4784153)
+- training (0a5a330)
+- tui (df4dd4a)
+- pkg builds (4dc9993)
+- also source env for creds (9a17d8f)
+- fcl support (e8a5743)
+- fcl support (8d6b6cd)
+- fcl support (cb76a4a)
+- bump package (df2ee85)
+
+# Changelog
+
+All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.
+
+## [0.1.37] - 2026-03-06
+
+- **Azure plugin & VM management:** Major refactor of the Azure plugin with improved VM lifecycle management, non-interactive VM support, better state handling, and expanded test coverage. Includes Azure-specific fixes, token refresh improvements, and enhanced preflight checks.
+
+- **Agent & retrieval improvements:** Added Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval, improved Jaccard scoring, expanded agent context, and reduced context size (100k → 10k) via compaction. Various skills updates and documentation improvements for knowledge tools.
+
+- **Predictions & ML:** Introduced support for local predictions, added prediction warnings, and early MLflow integration work.
+
+- **CLI & TUI improvements:** Fixed multiple TUI/UI issues (status per tab, chat display, compute display), improved `up/down/bootstrap` flows, added plan mode, preserved environment variables with `sudo`, and enhanced sequential startup and container reconciliation.
+
+- **Docker & multi-arch:** Added multi-arch Spark Dockerfile, improved multi-arch support, ensured OPA inclusion in compose, and replaced `localhost` with `127.0.0.1` for better compatibility.
+
+- **Storage, compute & data reliability:** Improved `compute_run` readiness checks (CSV header validation, table probes), added storage read enhancements, strengthened checksum handling, fixed corrupted Iceberg metadata cleanup, and improved storage defaults and defensive checks.
+
+- **Plugins & integrations:** Added TTYD plugin, improved compose/fops file plugin, GitHub login and credential handling fixes, Cloudflare CIDR updates, Kafka reconciliation improvements, and registry enhancements.
+
+- **Maintenance & deps:** Dependency bumps (e.g., tar, ajv, hono), test fixes and expansions, repo splits/refactors, packer cleanup, and general stability improvements.
+
 ## [0.1.36] - 2026-03-05
 
 - **Azure & Cloud Enhancements**

package/fops.mjs

@@ -37,6 +37,19 @@ function loadProjectEnv() {
         }
         process.env[key] = value;
       }
+      // Save the directory of the found .env as projectRoot so future runs from any
+      // directory (e.g. ~) can find credentials via findProjectRoot() in client.js.
+      try {
+        const home = process.env.HOME || process.env.USERPROFILE || "";
+        const fopsJsonPath = path.join(home, ".fops.json");
+        const foundRoot = path.dirname(envPath);
+        let cfg = {};
+        try { cfg = JSON.parse(fs.readFileSync(fopsJsonPath, "utf8")); } catch {}
+        if (cfg.projectRoot !== foundRoot) {
+          cfg.projectRoot = foundRoot;
+          fs.writeFileSync(fopsJsonPath, JSON.stringify(cfg, null, 2) + "\n");
+        }
+      } catch { /* non-fatal */ }
       break; // use the first .env found
     } catch { /* ignore read errors */ }
   }
@@ -48,15 +61,32 @@ loadProjectEnv();
 // whenever ONNX was loaded; otherwise it uses regular process.exit.
 const _realExit = process.exit.bind(process);
 function safeExit(code) {
-  // Defer hard exit when native addons (ONNX, better-sqlite3) were used so C++ destructors
-  // don't run during exit and trigger mutex/abort.
-  if (globalThis.__onnxLoaded || globalThis.__onnxDone || globalThis.__sqliteStoreUsed) {
-    process.exitCode = code;
+  if (globalThis.__exitScheduled) return;
+  globalThis.__exitScheduled = true;
+
+  process.exitCode = code ?? 0;
+
+  if (globalThis.__onnxLoaded) {
+    // ONNX C++ destructors call abort() — bypass them with SIGKILL.
+    try { fs.closeSync(2); } catch {}
     globalThis.__onnxDone = true;
-    globalThis.__sqliteStoreUsed = false;
+    if (code === 0 || code == null) {
+      // Unref'd: let event loop drain naturally; SIGKILL only if handles linger.
+      setTimeout(() => process.kill(process.pid, "SIGKILL"), 400).unref();
+    } else {
+      // Ref'd: ensure we exit even if event loop is stuck.
+      setTimeout(() => process.kill(process.pid, "SIGKILL"), 100);
+    }
     return;
   }
-  _realExit(code);
+
+  // ONNX was never loaded — safe to exit normally without SIGKILL.
+  // Use reallyExit to bypass lingering handles (Ink, MCP) without crashing.
+  if (typeof process.reallyExit === "function") {
+    process.reallyExit(code ?? 0);
+  } else {
+    _realExit(code ?? 0);
+  }
 }
 // Intercept all process.exit() calls so plugin code (which can't import safeExit)
 // also avoids the ONNX C++ destructor abort.
@@ -141,16 +171,9 @@ program.parseAsync().then(() => {
   // Without this, commands hang because MCP connections / ink refs keep the event loop alive.
   const code = typeof process.exitCode === "number" ? process.exitCode : 0;
   setTimeout(() => {
-    if (globalThis.__onnxDone) return;
+    if (globalThis.__exitScheduled) return;
     safeExit(code);
   }, 200);
-
-  // Fallback: if ONNX native handles keep the event loop alive after safeExit
-  // set the exit code, force-terminate via SIGKILL (avoids atexit / C++ destructor crash).
-  // The timer is unref'd so it won't itself prevent a clean exit.
-  if (globalThis.__onnxLoaded || globalThis.__onnxDone) {
-    setTimeout(() => process.kill(process.pid, "SIGKILL"), 300).unref();
-  }
 }).catch((err) => {
   console.error("Command failed:", err?.message || err);
   if (err?.stack) console.error(err.stack);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.36",
+  "version": "0.1.38",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/agent/llm.js

@@ -309,6 +309,8 @@ let _responsesApiFallback = false;
 function isResponsesApiFormatError(err) {
   if (!err) return false;
   const status = err.status ?? err.error?.status ?? err.code;
+  // 404 = Responses API route doesn't exist on this Azure endpoint/api-version
+  if (status === 404 || status === "404") return true;
   if (status !== 400 && status !== "400") return false;
   const msg = [err.message, err.error?.message, err.body?.error?.message].filter(Boolean).join(" ");
   return /Responses API|moved to ['"]input['"]|unknown parameter|'input' is required|'instructions' is not/i.test(msg);

package/src/auth/azure.js

@@ -0,0 +1,92 @@
+import chalk from "chalk";
+import { getInquirer } from "../lazy.js";
+
+async function getExeca() {
+  const { execa } = await import("execa");
+  return execa;
+}
+
+async function checkAzInstalled(execa) {
+  try {
+    await execa("az", ["--version"], { timeout: 10000, reject: true });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function getAzAccount(execa) {
+  try {
+    const { stdout } = await execa("az", ["account", "show", "--output", "json"], { timeout: 15000 });
+    return JSON.parse(stdout);
+  } catch {
+    return null;
+  }
+}
+
+export async function runAzureLogin() {
+  const execa = await getExeca();
+
+  const installed = await checkAzInstalled(execa);
+  if (!installed) {
+    console.log(chalk.red("\n  Azure CLI (az) is not installed."));
+    console.log(chalk.dim("  Install it from: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli"));
+    if (process.platform === "darwin") {
+      console.log(chalk.dim("  macOS: brew install azure-cli"));
+    } else if (process.platform === "linux") {
+      console.log(chalk.dim("  Linux: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash"));
+    }
+    console.log("");
+    return false;
+  }
+
+  const account = await getAzAccount(execa);
+  if (account) {
+    console.log("");
+    console.log(chalk.bold.cyan("  Azure CLI — Current Session"));
+    console.log("");
+    console.log(chalk.green(`  ✓ Logged in as: ${account.user?.name || account.user?.type || "unknown"}`));
+    console.log(chalk.dim(`  Subscription:   ${account.name} (${account.id})`));
+    console.log(chalk.dim(`  Tenant:         ${account.tenantId}`));
+    console.log("");
+
+    const { relogin } = await (await getInquirer()).prompt([{
+      type: "confirm",
+      name: "relogin",
+      message: "Re-authenticate (switch account or refresh session)?",
+      default: false,
+    }]);
+
+    if (!relogin) {
+      console.log(chalk.dim("Keeping existing Azure session.\n"));
+      return true;
+    }
+
+    await execa("az", ["logout"], { reject: false, timeout: 10000 });
+  }
+
+  console.log("");
+  console.log(chalk.bold.cyan("  Azure Login"));
+  console.log(chalk.dim("  This will open your browser for interactive sign-in."));
+  console.log("");
+
+  const { exitCode } = await execa("az", ["login"], {
+    stdio: "inherit",
+    timeout: 300000,
+    reject: false,
+  });
+
+  if (exitCode !== 0) {
+    console.log(chalk.red("\n  Azure login failed or was cancelled.\n"));
+    return false;
+  }
+
+  const newAccount = await getAzAccount(execa);
+  if (newAccount) {
+    console.log(chalk.green(`\n  ✓ Azure login successful!`));
+    console.log(chalk.dim(`  Logged in as: ${newAccount.user?.name || newAccount.user?.type}`));
+    console.log(chalk.dim(`  Subscription: ${newAccount.name} (${newAccount.id})\n`));
+  }
+
+  return true;
+}

package/src/auth/cloudflare.js

@@ -0,0 +1,125 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import chalk from "chalk";
+import { openBrowser } from "./login.js";
+import { getInquirer } from "../lazy.js";
+
+const CF_TOKENS_URL = "https://dash.cloudflare.com/profile/api-tokens";
+const FOPS_CONFIG_PATH = path.join(os.homedir(), ".fops.json");
+
+function readFopsConfig() {
+  try {
+    if (fs.existsSync(FOPS_CONFIG_PATH)) {
+      return JSON.parse(fs.readFileSync(FOPS_CONFIG_PATH, "utf8"));
+    }
+  } catch {}
+  return {};
+}
+
+function saveFopsConfig(config) {
+  fs.writeFileSync(FOPS_CONFIG_PATH, JSON.stringify(config, null, 2) + "\n", { mode: 0o600 });
+}
+
+export function resolveCloudflareApiToken() {
+  if (process.env.CLOUDFLARE_API_TOKEN?.trim()) return process.env.CLOUDFLARE_API_TOKEN.trim();
+  if (process.env.CF_API_TOKEN?.trim()) return process.env.CF_API_TOKEN.trim();
+  try {
+    const config = readFopsConfig();
+    const token = config.cloudflare?.apiToken?.trim();
+    if (token) return token;
+  } catch {}
+  return null;
+}
+
+function saveCloudflareToken(token) {
+  const config = readFopsConfig();
+  config.cloudflare = { ...config.cloudflare, apiToken: token.trim() };
+  saveFopsConfig(config);
+}
+
+async function validateCloudflareToken(token) {
+  try {
+    const res = await fetch("https://api.cloudflare.com/client/v4/user/tokens/verify", {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    const json = await res.json();
+    if (json.success) {
+      return { valid: true, status: json.result?.status };
+    }
+    const msg = (json.errors || []).map((e) => e.message).join("; ");
+    return { valid: false, error: msg || `Cloudflare API returned ${res.status}.` };
+  } catch (err) {
+    return { valid: false, error: `Could not reach Cloudflare API: ${err.message}` };
+  }
+}
+
+export async function runCloudflareLogin() {
+  const existing = resolveCloudflareApiToken();
+  if (existing) {
+    const masked = existing.slice(0, 8) + "..." + existing.slice(-4);
+    const { overwrite } = await (await getInquirer()).prompt([{
+      type: "confirm",
+      name: "overwrite",
+      message: `Already have a Cloudflare API token (${masked}). Replace it?`,
+      default: false,
+    }]);
+    if (!overwrite) {
+      console.log(chalk.dim("Keeping existing Cloudflare token."));
+      return true;
+    }
+  }
+
+  console.log("");
+  console.log(chalk.bold.cyan("  Cloudflare API Token Setup"));
+  console.log("");
+  console.log(chalk.white("  To connect Foundation to Cloudflare, you need an API token."));
+  console.log(chalk.white("  Here's how to get one:\n"));
+  console.log(chalk.dim("  1. Go to ") + chalk.cyan(CF_TOKENS_URL));
+  console.log(chalk.dim("  2. Click ") + chalk.white('"Create Token"'));
+  console.log(chalk.dim("  3. Use the ") + chalk.white('"Edit zone DNS"') + chalk.dim(" template (or create a custom token)"));
+  console.log(chalk.dim("  4. Copy the token and paste it below"));
+  console.log("");
+
+  const { openIt } = await (await getInquirer()).prompt([{
+    type: "confirm",
+    name: "openIt",
+    message: "Open Cloudflare API tokens page in your browser?",
+    default: true,
+  }]);
+
+  if (openIt) {
+    const opened = openBrowser(CF_TOKENS_URL);
+    if (!opened) {
+      console.log(chalk.yellow("\n  Could not open browser. Visit: " + CF_TOKENS_URL + "\n"));
+    } else {
+      console.log("");
+    }
+  }
+
+  const { token } = await (await getInquirer()).prompt([{
+    type: "password",
+    name: "token",
+    message: "Paste your Cloudflare API token:",
+    mask: "*",
+    validate: (v) => {
+      if (!v?.trim()) return "API token is required.";
+      return true;
+    },
+  }]);
+
+  console.log(chalk.dim("\n  Validating token..."));
+  const result = await validateCloudflareToken(token.trim());
+
+  if (!result.valid) {
+    console.log(chalk.red(`\n  ${result.error}`));
+    console.log(chalk.dim("  Check the token and try again with: fops login cloudflare\n"));
+    return false;
+  }
+
+  saveCloudflareToken(token);
+  console.log(chalk.green(`\n  Cloudflare login successful!`));
+  if (result.status) console.log(chalk.dim(`  Token status: ${result.status}`));
+  console.log(chalk.dim("  Token saved to ~/.fops.json\n"));
+  return true;
+}

package/src/auth/index.js

@@ -4,3 +4,5 @@ export { authHelp, offerClaudeLogin, runLogin } from "./login.js";
 export { runOAuthLogin } from "./oauth.js";
 export { runCodaLogin, resolveCodaApiToken } from "./coda.js";
 export { runLinearLogin, resolveLinearApiKey } from "./linear.js";
+export { runCloudflareLogin, resolveCloudflareApiToken } from "./cloudflare.js";
+export { runAzureLogin } from "./azure.js";

package/src/commands/index.js

@@ -15,20 +15,24 @@ export function registerCommands(program, registry) {
 
   program
     .command("login")
-    .description("Authenticate with services (Claude, Coda, Linear)")
-    .argument("[service]", "Service to login to: claude (default), coda, or linear")
+    .description("Authenticate with services (Claude, Coda, Linear, Cloudflare, Azure)")
+    .argument("[service]", "Service to login to: claude (default), coda, linear, cloudflare, or azure")
     .option("--no-browser", "Paste API key in terminal instead of OAuth")
     .action(async (service, opts) => {
-      const { runLogin, runCodaLogin, runLinearLogin } = await import("../auth/index.js");
+      const { runLogin, runCodaLogin, runLinearLogin, runCloudflareLogin, runAzureLogin } = await import("../auth/index.js");
       const target = (service || "claude").toLowerCase();
       if (target === "coda") {
         await runCodaLogin();
       } else if (target === "linear") {
         await runLinearLogin();
+      } else if (target === "cloudflare" || target === "cf") {
+        await runCloudflareLogin();
+      } else if (target === "azure" || target === "az") {
+        await runAzureLogin();
       } else if (target === "claude") {
         await runLogin({ browser: opts.browser });
       } else {
-        console.error(chalk.red(`Unknown service "${target}". Use: claude, coda, linear`));
+        console.error(chalk.red(`Unknown service "${target}". Use: claude, coda, linear, cloudflare, azure`));
         process.exit(1);
       }
     });

package/src/commands/lifecycle.js

@@ -527,21 +527,21 @@ async function runUp(program, registry, opts) {
 
   if (opts.url) {
     publicUrl = opts.url.replace(/\/+$/, "");
-    if (/^FOUNDATION_PUBLIC_URL=/m.test(envContent)) {
-      envContent = envContent.replace(/^FOUNDATION_PUBLIC_URL=.*/m, `FOUNDATION_PUBLIC_URL=${publicUrl}`);
-    } else {
+    // Only write if not already set in .env — leave the repo's value untouched
+    if (!/^FOUNDATION_PUBLIC_URL=/m.test(envContent)) {
       envContent = envContent.trimEnd() + `\nFOUNDATION_PUBLIC_URL=${publicUrl}\n`;
+      fs.writeFileSync(envPath, envContent);
+      console.log(chalk.dim(`  FOUNDATION_PUBLIC_URL=${publicUrl} written to .env`));
     }
-    fs.writeFileSync(envPath, envContent);
-    console.log(chalk.dim(`  FOUNDATION_PUBLIC_URL=${publicUrl} written to .env`));
   } else {
-    // Local: ensure compose uses localhost and no remote URL / no traefik
-    if (/^FOUNDATION_PUBLIC_URL=/m.test(envContent)) {
-      envContent = envContent.replace(/^FOUNDATION_PUBLIC_URL=.*/m, `FOUNDATION_PUBLIC_URL=${localBaseUrl}`);
-    } else {
+    // Local: only inject localhost fallback if not already set
+    if (!/^FOUNDATION_PUBLIC_URL=/m.test(envContent)) {
       envContent = envContent.trimEnd() + `\nFOUNDATION_PUBLIC_URL=${localBaseUrl}\n`;
+      fs.writeFileSync(envPath, envContent);
     }
-    fs.writeFileSync(envPath, envContent);
+    // Read the actual value from .env for profile resolution below
+    const existingUrl = envContent.match(/^FOUNDATION_PUBLIC_URL=(.+)$/m)?.[1]?.trim();
+    if (existingUrl && existingUrl !== localBaseUrl) publicUrl = existingUrl;
   }
 
   // Resolve profiles: local up = no traefik; --url with 443 = traefik
@@ -1284,7 +1284,28 @@ async function runUp(program, registry, opts) {
     const forwardOut = createBufferWritable("out");
     const forwardErr = createBufferWritable("err");
 
+    // Detect env misalignment: if FOUNDATION_PUBLIC_URL in .env differs from what's
+    // running in containers, force-recreate so services pick up the new value.
+    let forceRecreate = false;
+    try {
+      const envPublicUrl = (envContent.match(/^FOUNDATION_PUBLIC_URL=(.+)$/m)?.[1] || "").trim();
+      if (envPublicUrl) {
+        const { stdout: inspectOut } = await execa("docker", [
+          "inspect", "--format", "{{range .Config.Env}}{{println .}}{{end}}",
+          "foundation-compose-foundation-frontend-1",
+        ], { reject: false, cwd: root });
+        const runningUrl = (inspectOut || "").split("\n")
+          .find(l => l.startsWith("FOUNDATION_PUBLIC_URL="))
+          ?.slice("FOUNDATION_PUBLIC_URL=".length).trim();
+        if (runningUrl && runningUrl !== envPublicUrl) {
+          console.error(chalk.dim(`  ↻ FOUNDATION_PUBLIC_URL mismatch (${runningUrl} → ${envPublicUrl}) — recreating affected services`));
+          forceRecreate = true;
+        }
+      }
+    } catch { /* best-effort */ }
+
     const upArgs = ["compose", ...effectiveProfileArgs, "--progress", "plain", "up", "-d", "--remove-orphans"];
+    if (forceRecreate) upArgs.push("--force-recreate");
     if (serviceList.length > 0) upArgs.push(...serviceList);
     const upProc = execa("docker", upArgs, {
       cwd: root,