@meshxdata/fops 0.1.36 → 0.1.38

package/src/plugins/bundled/fops-plugin-azure/index.js

@@ -1,2879 +1,45 @@
-import crypto from "node:crypto";
-import { spawnSync } from "node:child_process";
-import fs from "node:fs";
-import os from "node:os";
-import pathMod from "node:path";
-import { pathToFileURL } from "node:url";
-import chalk from "chalk";
-
-function hashContent(text) {
-  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
-}
-
-const AZURE_UP_LOCK_PATH = pathMod.join(os.tmpdir(), "fops-azure-up.lock");
-
-function acquireAzureUpLock() {
-  const tryAcquire = () => {
-    try {
-      const fd = fs.openSync(AZURE_UP_LOCK_PATH, "wx");
-      fs.writeFileSync(fd, `${process.pid}\n${Date.now()}`, "utf8");
-      fs.closeSync(fd);
-      return true;
-    } catch (e) {
-      if (e.code !== "EEXIST") throw e;
-      return false;
-    }
-  };
-  if (tryAcquire()) return;
-  try {
-    const content = fs.readFileSync(AZURE_UP_LOCK_PATH, "utf8");
-    const [pidLine] = content.split("\n");
-    const pid = parseInt(pidLine, 10);
-    if (pid && process.kill(pid, 0)) {
-      console.error(chalk.red(`\n  Another fops azure up is running (PID ${pid}). Wait for it to finish.`));
-      console.error(chalk.dim(`  Or remove the lock if that process died: rm ${AZURE_UP_LOCK_PATH}\n`));
-      process.exit(1);
-    }
-  } catch { /* pid check failed or file gone */ }
-  fs.unlinkSync(AZURE_UP_LOCK_PATH);
-  if (!tryAcquire()) {
-    console.error(chalk.red("\n  Could not acquire fops azure up lock. Remove if stale: " + AZURE_UP_LOCK_PATH + "\n"));
-    process.exit(1);
-  }
-}
-
-function releaseAzureUpLock() {
-  try { fs.unlinkSync(AZURE_UP_LOCK_PATH); } catch { /* ignore */ }
-}
-
-/**
- * Resolve Foundation credentials from env → .env → ~/.fops.json.
- * Returns { bearerToken } or { user, password } or null.
- */
-function resolveFoundationCreds() {
-  if (process.env.BEARER_TOKEN?.trim()) return { bearerToken: process.env.BEARER_TOKEN.trim() };
-  if (process.env.QA_USERNAME?.trim() && process.env.QA_PASSWORD)
-    return { user: process.env.QA_USERNAME.trim(), password: process.env.QA_PASSWORD };
-  try {
-    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
-    const cfg = raw?.plugins?.entries?.["fops-plugin-foundation"]?.config || {};
-    if (cfg.bearerToken?.trim()) return { bearerToken: cfg.bearerToken.trim() };
-    if (cfg.user?.trim() && cfg.password) return { user: cfg.user.trim(), password: cfg.password };
-  } catch { /* no fops.json */ }
-  return null;
-}
-
-import { parsePytestSummary, parsePytestDurations } from "./lib/pytest-parse.js";
-
-// VMs use Traefik with self-signed certs — skip TLS verification for VM API calls.
-// Suppress the NODE_TLS_REJECT_UNAUTHORIZED warning once.
-let _tlsWarningSuppressed = false;
-function suppressTlsWarning() {
-  if (_tlsWarningSuppressed) return;
-  _tlsWarningSuppressed = true;
-  const origEmit = process.emitWarning;
-  process.emitWarning = (warning, ...args) => {
-    if (typeof warning === "string" && warning.includes("NODE_TLS_REJECT_UNAUTHORIZED")) return;
-    return origEmit.call(process, warning, ...args);
-  };
-}
-
-async function vmFetch(url, opts = {}) {
-  suppressTlsWarning();
-  const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-  process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
-  try {
-    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts });
-  } finally {
-    if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-    else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
-  }
-}
-
-/**
- * Resolve Auth0 config from ~/.fops.json → .env files.
- * Returns { domain, clientId, clientSecret, audience } or null.
- */
-function resolveAuth0Config() {
-  try {
-    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
-    const a0 = raw?.plugins?.entries?.["fops-plugin-foundation"]?.config?.auth0;
-    if (a0?.domain && a0?.clientId) return a0;
-
-    const projectRoot = raw?.projectRoot || "";
-    const envCandidates = [
-      ...(projectRoot ? [pathMod.join(projectRoot, ".env")] : []),
-      pathMod.resolve(".env"),
-      pathMod.resolve("..", ".env"),
-    ];
-    for (const ep of envCandidates) {
-      try {
-        const lines = fs.readFileSync(ep, "utf8").split("\n");
-        const get = (k) => {
-          const ln = lines.find((l) => l.startsWith(`${k}=`));
-          return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : "";
-        };
-        const domain = get("MX_AUTH0_DOMAIN") || get("AUTH0_DOMAIN");
-        const clientId = get("MX_AUTH0_CLIENT_ID") || get("AUTH0_CLIENT_ID");
-        const clientSecret = get("MX_AUTH0_CLIENT_SECRET") || get("AUTH0_CLIENT_SECRET");
-        const audience = get("MX_AUTH0_AUDIENCE") || get("AUTH0_AUDIENCE");
-        if (domain && clientId) return { domain, clientId, clientSecret, audience };
-      } catch { /* try next */ }
-    }
-  } catch { /* no fops.json */ }
-  return null;
-}
-
-/**
- * Authenticate against a remote VM's Foundation API and return a bearer token.
- * Tries the backend /iam/login first, then falls back to Auth0 ROPC.
- */
-async function authenticateVm(vmUrl, ip, creds) {
-  if (creds.bearerToken) return creds.bearerToken;
-
-  const hasDomain = vmUrl && !vmUrl.match(/^https?:\/\/\d+\.\d+\.\d+\.\d+/);
-  const apiUrls = hasDomain
-    ? [`${vmUrl}/api`, ...(ip ? [`http://${ip}:9001/api`] : [])]
-    : [`${vmUrl}/api`, `https://${ip}:3002/api`, `http://${ip}:9001/api`];
-
-  for (const apiBase of apiUrls) {
-    try {
-      const resp = await vmFetch(`${apiBase}/iam/login`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ user: creds.user, password: creds.password }),
-      });
-      if (resp.ok) {
-        const data = await resp.json();
-        const token = data.access_token || data.token;
-        if (token) return token;
-      }
-    } catch { /* try next URL */ }
-  }
-
-  // Auth0 ROPC fallback for VMs that delegate auth to Auth0
-  const auth0 = resolveAuth0Config();
-  if (auth0 && creds.user && creds.password) {
-    try {
-      const body = {
-        grant_type: "password",
-        client_id: auth0.clientId,
-        username: creds.user,
-        password: creds.password,
-        scope: "openid",
-      };
-      if (auth0.clientSecret) body.client_secret = auth0.clientSecret;
-      if (auth0.audience) body.audience = auth0.audience;
-
-      const resp = await fetch(`https://${auth0.domain}/oauth/token`, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(body),
-        signal: AbortSignal.timeout(10_000),
-      });
-      if (resp.ok) {
-        const data = await resp.json();
-        if (data.access_token) return data.access_token;
-      }
-    } catch { /* auth0 fallback failed */ }
-  }
-
-  return null;
-}
-
-function isJwt(token) {
-  return token && token.split(".").length === 3;
-}
-
-/**
- * Resolve a valid JWT bearer token for a remote VM/cluster.
- * Auth chain: local bearer → pre-auth /iam/login → Auth0 ROPC → SSH fetch from VM.
- * Returns { bearerToken, user, password, useTokenMode } or throws.
- */
-async function resolveRemoteAuth(opts = {}) {
-  const {
-    apiUrl, ip, vmState, execaFn: execa, sshCmd: ssh,
-    knockForVm: knock, suppressTlsWarning: suppressTls,
-  } = opts;
-  const log = opts.log || console.log;
-
-  const creds = resolveFoundationCreds();
-  let qaUser = creds?.user || process.env.QA_USERNAME || process.env.FOUNDATION_USERNAME || "operator@local";
-  let qaPass = creds?.password || process.env.QA_PASSWORD || "";
-  let bearerToken = creds?.bearerToken || "";
-  let useTokenMode = false;
-
-  // 1) Use local bearer if it's a valid JWT
-  if (bearerToken && isJwt(bearerToken)) {
-    return { bearerToken, qaUser, qaPass, useTokenMode: true };
-  }
-  bearerToken = "";
-
-  // 2) Pre-auth against the backend /iam/login
-  if (qaUser && qaPass && apiUrl) {
-    try {
-      if (suppressTls) suppressTls();
-      const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-      process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
-      try {
-        const resp = await fetch(`${apiUrl}/iam/login`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ username: qaUser, password: qaPass }),
-          signal: AbortSignal.timeout(10_000),
-        });
-        if (resp.ok) {
-          const data = await resp.json();
-          bearerToken = data.access_token || data.token || "";
-          if (bearerToken) {
-            log(chalk.green(`  ✓ Authenticated as ${qaUser}`));
-            return { bearerToken, qaUser, qaPass, useTokenMode: true };
-          }
-        } else {
-          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status}`));
-        }
-      } finally {
-        if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-        else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
-      }
-    } catch (e) {
-      log(chalk.dim(`  Pre-auth failed: ${e.cause?.code || e.message}`));
-    }
-  }
-
-  // 3) Auth0 ROPC with local config
-  if (qaUser && qaPass) {
-    const auth0Cfg = resolveAuth0Config();
-    if (auth0Cfg) {
-      try {
-        log(chalk.dim(`  Trying Auth0 ROPC (${auth0Cfg.domain})…`));
-        const body = {
-          grant_type: "password", client_id: auth0Cfg.clientId,
-          username: qaUser, password: qaPass, scope: "openid",
-        };
-        if (auth0Cfg.clientSecret) body.client_secret = auth0Cfg.clientSecret;
-        if (auth0Cfg.audience) body.audience = auth0Cfg.audience;
-        const resp = await fetch(`https://${auth0Cfg.domain}/oauth/token`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify(body),
-          signal: AbortSignal.timeout(10_000),
-        });
-        if (resp.ok) {
-          const data = await resp.json();
-          if (data.access_token) {
-            log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
-            return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
-          }
-        } else {
-          log(chalk.dim(`  Auth0 rejected: HTTP ${resp.status}`));
-        }
-      } catch (e) {
-        log(chalk.dim(`  Auth0 failed: ${e.message}`));
-      }
-    }
-  }
-
-  // 4) SSH fallback — fetch credentials from VM and authenticate
-  if (ip && ssh && execa) {
-    if (knock && vmState) await knock(vmState);
-    log(chalk.dim("  Fetching credentials from remote VM…"));
-    try {
-      const sshUser = vmState?.adminUser || "azureuser";
-      const { stdout } = await ssh(
-        execa, ip, sshUser,
-        "grep -E '^(BEARER_TOKEN|QA_USERNAME|QA_PASSWORD|MX_AUTH0_DOMAIN|MX_AUTH0_CLIENT_ID|MX_AUTH0_CLIENT_SECRET|MX_AUTH0_AUDIENCE)=' /opt/foundation-compose/.env | head -20",
-        15_000,
-      );
-      const remoteEnv = {};
-      for (const line of (stdout || "").split("\n")) {
-        const m = line.match(/^([A-Z_]+)=(.*)$/);
-        if (m) remoteEnv[m[1]] = m[2].trim().replace(/^["']|["']$/g, "");
-      }
-
-      const remoteToken = remoteEnv.BEARER_TOKEN;
-      if (remoteToken && isJwt(remoteToken)) {
-        log(chalk.green("  ✓ Got JWT bearer token from VM"));
-        return { bearerToken: remoteToken, qaUser, qaPass, useTokenMode: true };
-      }
-
-      if (remoteEnv.MX_AUTH0_DOMAIN && remoteEnv.MX_AUTH0_CLIENT_ID) {
-        const user = remoteEnv.QA_USERNAME || qaUser;
-        const pass = remoteEnv.QA_PASSWORD || qaPass;
-        if (user && pass) {
-          log(chalk.dim(`  Authenticating as ${user} via VM's Auth0…`));
-          const body = {
-            grant_type: "password", client_id: remoteEnv.MX_AUTH0_CLIENT_ID,
-            username: user, password: pass, scope: "openid",
-          };
-          if (remoteEnv.MX_AUTH0_CLIENT_SECRET) body.client_secret = remoteEnv.MX_AUTH0_CLIENT_SECRET;
-          if (remoteEnv.MX_AUTH0_AUDIENCE) body.audience = remoteEnv.MX_AUTH0_AUDIENCE;
-          try {
-            const resp = await fetch(`https://${remoteEnv.MX_AUTH0_DOMAIN}/oauth/token`, {
-              method: "POST",
-              headers: { "Content-Type": "application/json" },
-              body: JSON.stringify(body),
-              signal: AbortSignal.timeout(10_000),
-            });
-            if (resp.ok) {
-              const data = await resp.json();
-              if (data.access_token) {
-                log(chalk.green(`  ✓ Authenticated via VM's Auth0`));
-                return { bearerToken: data.access_token, qaUser: user, qaPass: pass, useTokenMode: true };
-              }
-            }
-          } catch (e) {
-            log(chalk.dim(`  VM Auth0 login failed: ${e.message}`));
-          }
-        }
-      }
-
-      if (remoteToken) {
-        log(chalk.yellow("  ⚠ Using non-JWT token from VM (may cause 401)"));
-        return { bearerToken: remoteToken, qaUser, qaPass, useTokenMode: true };
-      }
-    } catch (e) {
-      log(chalk.dim(`  SSH credential fetch failed: ${e.message}`));
-    }
-  }
-
-  return { bearerToken: "", qaUser, qaPass, useTokenMode: false };
-}
-
-/**
- * Fetch landscape entities (meshes, products, sources, systems) from a remote
- * VM's Foundation API. Returns embeddable chunks tagged with the VM name.
- */
-async function fetchRemoteLandscape(vmName, vmUrl, ip, token, log) {
-  const hasDomain = vmUrl && !vmUrl.match(/^https?:\/\/\d+\.\d+\.\d+\.\d+/);
-  const apiBase = hasDomain ? `${vmUrl}/api` : `http://${ip}:9001/api`;
-  const headers = { Authorization: `Bearer ${token}`, "x-org": "root" };
-
-  let authRejected = 0;
-  const fetchJson = async (path) => {
-    const resp = await vmFetch(`${apiBase}${path}`, {
-      headers,
-      signal: AbortSignal.timeout(15_000),
-    });
-    if (resp.status === 401 || resp.status === 403) { authRejected++; return null; }
-    if (!resp.ok) return null;
-    return resp.json();
-  };
-
-  const [meshRes, dpRes, dsRes, dSysRes] = await Promise.all([
-    fetchJson("/data/mesh/list?per_page=100").catch(() => null),
-    fetchJson("/data/data_product/list?per_page=200").catch(() => null),
-    fetchJson("/data/data_source/list?per_page=200").catch(() => null),
-    fetchJson("/data/data_system/list?per_page=100").catch(() => null),
-  ]);
-
-  // If all 4 endpoints rejected the token, signal the caller to try SSH
-  if (authRejected >= 4) {
-    const err = new Error("token rejected by all endpoints");
-    err.code = "AUTH_REJECTED";
-    throw err;
-  }
-
-  const { parseListResponse } = await import("../fops-plugin-foundation/lib/api-spec.js");
-
-  const chunks = [];
-
-  for (const m of parseListResponse(meshRes)) {
-    const text = [`Mesh: ${m.name} (VM: ${vmName})`, m.label ? `Label: ${m.label}` : null, m.description ? `Description: ${m.description}` : null, m.purpose ? `Purpose: ${m.purpose}` : null, `Identifier: ${m.identifier}`, `VM: ${vmName}`].filter(Boolean).join("\n");
-    chunks.push({ title: `vm/${vmName}/mesh/${m.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "mesh", vm: vmName, identifier: m.identifier, fileHash: hashContent(text) } });
-  }
-
-  for (const p of parseListResponse(dpRes)) {
-    const text = [`Data Product: ${p.name} (VM: ${vmName})`, p.label ? `Label: ${p.label}` : null, p.description ? `Description: ${p.description}` : null, p.data_product_type ? `Type: ${p.data_product_type}` : null, `Identifier: ${p.identifier}`, p.host_mesh_identifier ? `Mesh: ${p.host_mesh_identifier}` : null, p.state?.code ? `State: ${p.state.code} (healthy: ${p.state.healthy})` : null, `VM: ${vmName}`].filter(Boolean).join("\n");
-    chunks.push({ title: `vm/${vmName}/product/${p.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_product", vm: vmName, identifier: p.identifier, fileHash: hashContent(text) } });
-  }
-
-  for (const s of parseListResponse(dsRes)) {
-    const text = [`Data Source: ${s.name} (VM: ${vmName})`, s.label ? `Label: ${s.label}` : null, s.description ? `Description: ${s.description}` : null, `Identifier: ${s.identifier}`, s.state?.code ? `State: ${s.state.code} (healthy: ${s.state.healthy})` : null, `VM: ${vmName}`].filter(Boolean).join("\n");
-    chunks.push({ title: `vm/${vmName}/source/${s.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_source", vm: vmName, identifier: s.identifier, fileHash: hashContent(text) } });
-  }
-
-  for (const sys of parseListResponse(dSysRes)) {
-    const text = [`Data System: ${sys.name} (VM: ${vmName})`, sys.label ? `Label: ${sys.label}` : null, sys.description ? `Description: ${sys.description}` : null, `Identifier: ${sys.identifier}`, `VM: ${vmName}`].filter(Boolean).join("\n");
-    chunks.push({ title: `vm/${vmName}/system/${sys.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_system", vm: vmName, identifier: sys.identifier, fileHash: hashContent(text) } });
-  }
-
-  const meshCount = entities(meshRes).length;
-  const prodCount = parseListResponse(dpRes).length;
-  const srcCount = parseListResponse(dsRes).length;
-  const sysCount = parseListResponse(dSysRes).length;
-  log(`    azure/${vmName}: ${meshCount} meshes, ${prodCount} products, ${srcCount} sources, ${sysCount} systems`);
-
-  return chunks;
-}
-
 /**
- * Fetch remote landscape data by SSHing into the VM and curling localhost:9001
- * directly, bypassing traefik/OAuth. Falls back to this when authenticateVm
- * returns null because the HTTPS endpoint rejects credentials.
+ * Azure plugin orchestrator.
+ * Delegates command registration to domain-focused modules in lib/commands/.
  */
-async function fetchLandscapeViaSsh(vmName, ip, creds, log) {
-  const { lazyExeca, sshCmd, knockForVm, DEFAULTS } = await import("./lib/azure.js");
-  const execa = await lazyExeca();
-  const user = DEFAULTS.adminUser;
-
-  try {
-    await knockForVm({ publicIp: ip, vmName });
-  } catch {}
-
-  const ssh = (cmd, timeout = 15000) => sshCmd(execa, ip, user, cmd, timeout);
-
-  // Authenticate via localhost:9001 on the VM
-  const loginPayload = JSON.stringify({ user: creds.user, password: creds.password });
-  const { stdout: loginOut, exitCode: loginExit } = await ssh(
-    `curl -sf -X POST http://localhost:9001/api/iam/login -H 'Content-Type: application/json' -d '${loginPayload.replace(/'/g, "'\\''")}'`,
-    15000,
-  );
-
-  if (loginExit !== 0 || !loginOut?.trim()) {
-    log(`    azure/${vmName}: SSH auth failed (exit ${loginExit})`);
-    return [];
-  }
-
-  let token;
-  try {
-    const data = JSON.parse(loginOut.trim());
-    token = data.access_token || data.token;
-  } catch {
-    log(`    azure/${vmName}: SSH auth returned invalid JSON`);
-    return [];
-  }
-  if (!token) {
-    log(`    azure/${vmName}: SSH auth returned no token`);
-    return [];
-  }
-
-  // Fetch all landscape entities in one SSH call to minimize round-trips
-  const authHeader = `Authorization: Bearer ${token}`;
-  const { stdout: dataOut, exitCode: dataExit } = await ssh(
-    [
-      `curl -sf -H '${authHeader}' -H 'x-org: root' 'http://localhost:9001/api/data/mesh/list?per_page=100'`,
-      `echo '___SEP___'`,
-      `curl -sf -H '${authHeader}' -H 'x-org: root' 'http://localhost:9001/api/data/data_product/list?per_page=200'`,
-      `echo '___SEP___'`,
-      `curl -sf -H '${authHeader}' -H 'x-org: root' 'http://localhost:9001/api/data/data_source/list?per_page=200'`,
-      `echo '___SEP___'`,
-      `curl -sf -H '${authHeader}' -H 'x-org: root' 'http://localhost:9001/api/data/data_system/list?per_page=100'`,
-    ].join(" && "),
-    30000,
-  );
-
-  if (dataExit !== 0 || !dataOut?.trim()) {
-    log(`    azure/${vmName}: SSH landscape fetch failed (exit ${dataExit})`);
-    return [];
-  }
-
-  const parts = dataOut.split("___SEP___");
-  const parseJson = (s) => { try { return JSON.parse(s.trim()); } catch { return null; } };
-  const meshRes = parseJson(parts[0] || "");
-  const dpRes = parseJson(parts[1] || "");
-  const dsRes = parseJson(parts[2] || "");
-  const dSysRes = parseJson(parts[3] || "");
-  const { parseListResponse } = await import("../fops-plugin-foundation/lib/api-spec.js");
-
-  const chunks = [];
-
-  for (const m of parseListResponse(meshRes)) {
-    const text = [`Mesh: ${m.name} (VM: ${vmName})`, m.label ? `Label: ${m.label}` : null, m.description ? `Description: ${m.description}` : null, m.purpose ? `Purpose: ${m.purpose}` : null, `Identifier: ${m.identifier}`, `VM: ${vmName}`].filter(Boolean).join("\n");
-    chunks.push({ title: `vm/${vmName}/mesh/${m.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "mesh", vm: vmName, identifier: m.identifier, fileHash: hashContent(text) } });
-  }
-
-  for (const p of parseListResponse(dpRes)) {
-    const text = [`Data Product: ${p.name} (VM: ${vmName})`, p.label ? `Label: ${p.label}` : null, p.description ? `Description: ${p.description}` : null, p.data_product_type ? `Type: ${p.data_product_type}` : null, `Identifier: ${p.identifier}`, p.host_mesh_identifier ? `Mesh: ${p.host_mesh_identifier}` : null, p.state?.code ? `State: ${p.state.code} (healthy: ${p.state.healthy})` : null, `VM: ${vmName}`].filter(Boolean).join("\n");
-    chunks.push({ title: `vm/${vmName}/product/${p.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_product", vm: vmName, identifier: p.identifier, fileHash: hashContent(text) } });
-  }
-
-  for (const s of parseListResponse(dsRes)) {
-    const text = [`Data Source: ${s.name} (VM: ${vmName})`, s.label ? `Label: ${s.label}` : null, s.description ? `Description: ${s.description}` : null, `Identifier: ${s.identifier}`, s.state?.code ? `State: ${s.state.code} (healthy: ${s.state.healthy})` : null, `VM: ${vmName}`].filter(Boolean).join("\n");
-    chunks.push({ title: `vm/${vmName}/source/${s.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_source", vm: vmName, identifier: s.identifier, fileHash: hashContent(text) } });
-  }
-
-  for (const sys of parseListResponse(dSysRes)) {
-    const text = [`Data System: ${sys.name} (VM: ${vmName})`, sys.label ? `Label: ${sys.label}` : null, sys.description ? `Description: ${sys.description}` : null, `Identifier: ${sys.identifier}`, `VM: ${vmName}`].filter(Boolean).join("\n");
-    chunks.push({ title: `vm/${vmName}/system/${sys.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_system", vm: vmName, identifier: sys.identifier, fileHash: hashContent(text) } });
-  }
-
-  const meshCount = entities(meshRes).length;
-  const prodCount = parseListResponse(dpRes).length;
-  const srcCount = parseListResponse(dsRes).length;
-  const sysCount = parseListResponse(dSysRes).length;
-  log(`    azure/${vmName}: ${meshCount} meshes, ${prodCount} products, ${srcCount} sources, ${sysCount} systems (via SSH)`);
+import chalk from "chalk";
 
-  return chunks;
-}
+import {
+  hashContent,
+  resolveFoundationCreds,
+  resolveAuth0Config,
+  authenticateVm,
+  vmFetch,
+  fetchRemoteLandscape,
+  fetchLandscapeViaSsh,
+} from "./lib/azure-auth.js";
+
+import { registerVmCommands } from "./lib/commands/vm-cmds.js";
+import { registerFleetCommands } from "./lib/commands/fleet-cmds.js";
+import { registerTestCommands } from "./lib/commands/test-cmds.js";
+import { registerInfraCommands } from "./lib/commands/infra-cmds.js";
 
 export { resolveFoundationCreds, resolveAuth0Config, authenticateVm, vmFetch };
 
 export async function register(api) {
-  // ── Command: fops azure ──────────────────────────────
+  // ── Commands ──────────────────────────────────────────────────────────
+
   api.registerCommand((program, registry) => {
     const azure = program
       .command("azure")
       .description("Manage Foundation on Azure (VMs & AKS clusters)");
 
-    azure
-      .command("doctor [name]")
-      .description("Run doctor locally, or on VM if name given (e.g. fops azure doctor my-vm)")
-      .option("--fix", "Apply suggested fixes where possible", false)
-      .action(async (name, opts) => {
-        if (name) {
-          const {
-            lazyExeca, ensureAzCli, ensureAzAuth,
-            requireVmState, knockForVm, DEFAULTS, resolvePublicIp,
-          } = await import("./lib/azure.js");
-          const { closeKnock } = await import("./lib/port-knock.js");
-          const { sshCmd } = await import("./lib/azure.js");
-          const vmName = opts.vmName || name;
-          const execa = await lazyExeca();
-          await ensureAzCli(execa);
-          await ensureAzAuth(execa);
-          const state = requireVmState(vmName);
-          const ip = await resolvePublicIp(execa, state.resourceGroup, state.vmName, state.publicIp);
-          const user = DEFAULTS.adminUser;
-          if (!ip) {
-            console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n"));
-            process.exit(1);
-          }
-          await knockForVm(state);
-          const ssh = (cmd, timeout) => sshCmd(execa, ip, user, cmd, timeout);
-          const fixFlag = opts.fix ? " --fix" : "";
-          console.log(chalk.cyan(`\n  Running fops doctor on "${state.vmName}" (${ip})…\n`));
-          const { MUX_OPTS } = await import("./lib/azure.js");
-          const { exitCode } = await execa("ssh", [
-            ...MUX_OPTS(ip, user),
-            `${user}@${ip}`,
-            `cd /opt/foundation-compose && fops doctor${fixFlag}`,
-          ], {
-            timeout: 120000,
-            reject: false,
-            stdio: "inherit",
-          });
-          await closeKnock(ssh, { quiet: true });
-          if (exitCode !== 0) process.exitCode = 1;
-          return;
-        }
-        const doctorPath = api.getCliPath?.("src", "doctor.js");
-        const mod = doctorPath
-          ? await import(pathToFileURL(doctorPath).href)
-          : await import("../../../doctor.js");
-        await mod.runDoctor({ fix: opts.fix }, registry ?? null);
-      });
-
-    azure
-      .command("packer")
-      .description("Build the Foundation platform image with Packer")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--github-token <token>", "GitHub PAT for cloning private repos (default: $GITHUB_TOKEN)")
-      .option("--branch <branch>", "Git branch to bake into the image (default: main)")
-      .option("--fops-version <version>", "fops npm version to install (default: latest)")
-      .option("--location <region>", "Azure region for the build VM (default: from pkrvars)")
-      .option("--vm-size <size>", "Build VM size (default: from pkrvars)")
-      .option("--image-name <name>", "Output image name (default: foundation-platform)")
-      .option("--force", "Replace existing image if it already exists")
-      .action(async (opts) => {
-        const { azureBuild } = await import("./lib/azure.js");
-        await azureBuild({
-          githubToken: opts.githubToken,
-          branch: opts.branch,
-          fopsVersion: opts.fopsVersion,
-          location: opts.location,
-          vmSize: opts.vmSize,
-          imageName: opts.imageName,
-          force: opts.force,
-        });
-      });
-
-    const marketplace = azure
-      .command("marketplace")
-      .description("Prepare Azure VM image artifacts for Marketplace publishing");
-
-    marketplace
-      .command("image <vmName>")
-      .description("Create a Marketplace-ready managed image from a safe clone of a source VM (source VM unchanged)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--source-rg <name>", "Resource group containing the source VM")
-      .option("--resource-group <name>", "Working RG for snapshot/clone/image (default: source RG)")
-      .option("--clone-vm-name <name>", "Temporary clone VM name")
-      .option("--clone-vm-size <size>", "Temporary clone VM size (default: source VM size)")
-      .option("--admin-user <name>", "Admin username for temporary clone VM (default: azureuser)")
-      .option("--snapshot-name <name>", "Snapshot name override")
-      .option("--disk-name <name>", "Managed disk name override")
-      .option("--image-name <name>", "Output managed image artifact name")
-      .option("--keep-staging", "Keep temporary clone resources (VM/disk/snapshot)")
-      .option("--gallery-name <name>", "Optional: publish to Azure Compute Gallery")
-      .option("--image-definition <name>", "Gallery image definition name (default: <offer>-<sku>)")
-      .option("--publisher <name>", "Required with --gallery-name")
-      .option("--offer <name>", "Required with --gallery-name")
-      .option("--sku <name>", "Required with --gallery-name")
-      .option("--version <version>", "Required with --gallery-name (e.g. 1.0.0)")
-      .option("--target-region <region>", "Target region for gallery image version (default: source VM region)")
-      .action(async (vmName, opts) => {
-        const { marketplaceImageFromVm } = await import("./lib/azure.js");
-        await marketplaceImageFromVm({
-          vmName,
-          profile: opts.profile,
-          sourceRg: opts.sourceRg,
-          resourceGroup: opts.resourceGroup,
-          cloneVmName: opts.cloneVmName,
-          cloneVmSize: opts.cloneVmSize,
-          adminUser: opts.adminUser,
-          snapshotName: opts.snapshotName,
-          diskName: opts.diskName,
-          imageName: opts.imageName,
-          keepStaging: opts.keepStaging,
-          galleryName: opts.galleryName,
-          imageDefinition: opts.imageDefinition,
-          publisher: opts.publisher,
-          offer: opts.offer,
-          sku: opts.sku,
-          version: opts.version,
-          targetRegion: opts.targetRegion,
-        });
-      });
-
-    azure
-      .command("up [name] [branch]")
-      .description("Provision / reconcile Azure VMs, or run 'fops up <component> <branch>' on remote (e.g. fops azure up backend FOU-2072)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "VM name (default: foundation-test-vm) or target VM for remote up")
-      .option("--vm-size <size>", "VM size (default: Standard_D8s_v3)")
-      .option("--location <region>", "Azure region (default: uaenorth)")
-      .option("--image <urn>", "Custom image URN or managed image ID (default: Ubuntu 24.04 LTS)")
-      .option("--branch <branch>", "Git branch to clone (default: main)")
-      .option("--fops-version <version>", "fops npm version to install (default: latest)")
-      .option("--url <url>", "Public URL override (default: https://<name>.meshx.app)")
-      .option("--github-token <token>", "GitHub PAT for .netrc + GHCR auth (default: $GITHUB_TOKEN)")
-      .option("--cf-token <token>", "Cloudflare API token for DNS (default: $CLOUDFLARE_API_TOKEN)")
-      .option("--wait-mode <mode>", "URL readiness mode: http-any (default) or http-2xx", "http-any")
-      .option("--no-knock", "Skip port-knock setup — SSH stays open to all")
-      .option("--k3s", "Include k3s Kubernetes services")
-      .option("--traefik", "Include traefik reverse proxy (auto-enabled for DNS URLs)")
-      .option("--dai", "Also start DAI services (implies --k3s)")
-      .option("--resource-group <name>", "Resource group for the VM (default: FOUNDATION-VM-RG or AZURE_RESOURCE_GROUP)")
-      .option("--update", "Run fops update (git pull, npm install, image pull) before starting services")
-      .action(async (name, branch, opts) => {
-        if (opts.dai) opts.k3s = true;
-        // Two args: run "fops up <component> <branch>" on remote VM (same as local fops up backend FOU-2072)
-        if (name && branch) {
-          const { azureRunUp } = await import("./lib/azure.js");
-          await azureRunUp({
-            vmName: opts.vmName,
-            component: name,
-            branch,
-            url: opts.url,
-            k3s: opts.k3s,
-            traefik: opts.traefik,
-            dai: opts.dai,
-            update: opts.update,
-          });
-          return;
-        }
-        acquireAzureUpLock();
-        try {
-          const vmName = opts.vmName || name;
-          const sharedOpts = {
-            vmSize: opts.vmSize, location: opts.location,
-            image: opts.image, branch: opts.branch, fopsVersion: opts.fopsVersion,
-            url: opts.url, githubToken: opts.githubToken, cfToken: opts.cfToken,
-            profile: opts.profile, knock: opts.knock, k3s: opts.k3s, traefik: opts.traefik, dai: opts.dai,
-            resourceGroup: opts.resourceGroup, waitMode: opts.waitMode,
-          };
-          if (vmName) {
-            const { azureUp } = await import("./lib/azure.js");
-            await azureUp({ ...sharedOpts, vmName });
-          } else {
-            const { azureUpAll } = await import("./lib/azure.js");
-            await azureUpAll(sharedOpts);
-          }
-        } finally {
-          releaseAzureUpLock();
-        }
-      });
-
-    azure
-      .command("list")
-      .description("List all tracked Azure VMs and AKS clusters (cached)")
-      .option("--live", "Force live probe (skip cache)")
-      .option("--verbose", "Show sync progress")
-      .option("--cost", "Show estimated cost per resource (queries Azure Cost Management)")
-      .option("--days <days>", "Days to look back for cost (default: 30)", "30")
-      .option("--versions", "Show service image version matrix")
-      .action(async (opts) => {
-        const { azureList } = await import("./lib/azure.js");
-        await azureList({ live: opts.live, verbose: opts.verbose, cost: opts.cost, days: parseInt(opts.days), versions: opts.versions });
-      });
-
-    azure
-      .command("index")
-      .description("Index Azure VMs and AKS clusters into local cache")
-      .action(async () => {
-        const { azureSync } = await import("./lib/azure-sync.js");
-        await azureSync();
-      });
-
-    const azureEmbed = azure
-      .command("embed")
-      .description("Manage Azure semantic indexing/search in local embeddings");
-
-    azureEmbed
-      .command("index [name]")
-      .description("Index Azure inventory and embeddings (equivalent to: azure index + embed index --source azure)")
-      .option("--force", "Force re-embedding even when chunks are unchanged")
-      .action(async (name, opts) => {
-        const { azureSync } = await import("./lib/azure-sync.js");
-        await azureSync();
-        const cliPath = process.argv[1];
-        if (!cliPath) {
-          console.error(chalk.red("Could not resolve CLI entrypoint to run embeddings index."));
-          process.exitCode = 1;
-          return;
-        }
-        const args = [cliPath, "embed", "index", "--source", "azure"];
-        if (opts.force) args.push("--force");
-        const env = { ...process.env };
-        if (name) env.__FOPS_AZURE_EMBED_VM = name;
-        const child = spawnSync(process.execPath, args, { stdio: "inherit", env });
-        if (child.error) throw child.error;
-        if (typeof child.status === "number" && child.status !== 0) process.exitCode = child.status;
-        if (child.signal) process.exitCode = 1;
-      });
-
-    azureEmbed
-      .command("search <query>")
-      .description("Semantic search over Azure VMs and AKS in the local embeddings index")
-      .option("-k, --top-k <k>", "Number of results", "5")
-      .action(async (query, opts) => {
-        const searchSvc = typeof api.getService === "function" ? api.getService("embeddings:search") : null;
-        if (!searchSvc?.search) {
-          console.error(chalk.red("\n  Embeddings plugin not available. Run: fops embed index (and fops azure index).\n"));
-          process.exitCode = 1;
-          return;
-        }
-        try {
-          const topK = parseInt(opts.topK, 10) || 5;
-          const results = await searchSvc.search(query, { source: "azure", topK });
-          if (results.length === 0) {
-            console.log("No Azure results. Index first:  fops azure embed index");
-            return;
-          }
-          for (const r of results) {
-            console.log(`\n${chalk.cyan(`[${r.source}]`)} ${chalk.bold(r.title)} ${chalk.dim(`(score: ${Number(r.score).toFixed(3)})`)}`);
-            console.log(chalk.dim((r.content || "").slice(0, 200) + ((r.content || "").length > 200 ? "..." : "")));
-          }
-        } catch (err) {
-          console.error(chalk.red(err?.message || String(err)));
-          process.exitCode = 1;
-        }
-      });
-
-    azure
-      .command("select [name]")
-      .description("Set the active VM (interactive picker when no name given)")
-      .action(async (name) => {
-        const { listVms, readState, saveState, migrateAzureState } = await import("./lib/azure-state.js");
-        const { activeVm, vms } = listVms();
-        const vmNames = Object.keys(vms);
-        if (vmNames.length === 0) {
-          console.error(chalk.red("\n  No tracked VMs. Provision one first: fops azure up --vm-name <name>\n"));
-          process.exit(1);
-        }
-        let selected = name;
-        if (!selected) {
-          if (vmNames.length === 1) {
-            selected = vmNames[0];
-          } else {
-            const { default: inquirer } = await import("inquirer");
-            const answer = await inquirer.prompt([{
-              type: "list",
-              name: "vm",
-              message: "Select active VM:",
-              choices: vmNames.map(n => ({
-                name: n === activeVm ? `${n} ${chalk.dim("(current)")}` : n,
-                value: n,
-              })),
-              default: activeVm,
-            }]);
-            selected = answer.vm;
-          }
-        }
-        if (!vms[selected]) {
-          console.error(chalk.red(`\n  VM "${selected}" not found. Tracked VMs: ${vmNames.join(", ")}\n`));
-          process.exit(1);
-        }
-        if (selected === activeVm) {
-          console.log(chalk.dim(`\n  "${selected}" is already the active VM.\n`));
-          return;
-        }
-        const state = readState();
-        const az = migrateAzureState(state.azure);
-        az.activeVm = selected;
-        state.azure = az;
-        saveState(state);
-        const vm = vms[selected];
-        const url = vm.publicIp ? `https://${vm.domain || selected + ".meshx.app"}` : "";
-        console.log(chalk.green(`\n  ✓ Active VM → ${chalk.bold(selected)}`));
-        if (url) console.log(chalk.dim(`    ${url}`));
-        console.log();
-      });
-
-    azure
-      .command("down [name]")
-      .description("Destroy the Azure VM and all associated resources")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--cf-token <token>", "Cloudflare API token for DNS cleanup (default: $CLOUDFLARE_API_TOKEN)")
-      .action(async (name, opts) => {
-        const { azureDown } = await import("./lib/azure.js");
-        await azureDown({ vmName: opts.vmName || name, profile: opts.profile, cfToken: opts.cfToken });
-      });
-
-    azure
-      .command("stop [name]")
-      .description("Stop (deallocate) the VM — no compute charges, disk preserved")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureStop } = await import("./lib/azure.js");
-        await azureStop({ vmName: opts.vmName || name, profile: opts.profile });
-      });
-
-    azure
-      .command("resize [name]")
-      .description("Scale the VM up (or down) to the next size in its family")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--size <size>", "Explicit target size (e.g. Standard_D8s_v3) — skips auto-detection")
-      .option("--down", "Scale down instead of up")
-      .option("--github-token <token>", "GitHub PAT for .netrc + GHCR auth (default: $GITHUB_TOKEN)")
-      .option("--k3s", "Include k3s Kubernetes services")
-      .option("--traefik", "Include traefik reverse proxy (auto-enabled for DNS URLs)")
-      .option("--dai", "Also start DAI services (implies --k3s)")
-      .action(async (name, opts) => {
-        if (opts.dai) opts.k3s = true;
-        const { azureResize } = await import("./lib/azure.js");
-        await azureResize({ vmName: opts.vmName || name, size: opts.size, down: opts.down, githubToken: opts.githubToken, profile: opts.profile, k3s: opts.k3s, traefik: opts.traefik, dai: opts.dai });
-      });
-
-    azure
-      .command("start [name]")
-      .description("Start a stopped VM and reconfigure Foundation URL")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--url <url>", "Public URL override")
-      .option("--github-token <token>", "GitHub PAT for .netrc + GHCR auth (default: $GITHUB_TOKEN)")
-      .option("--cf-token <token>", "Cloudflare API token for DNS (default: $CLOUDFLARE_API_TOKEN)")
-      .option("--k3s", "Include k3s Kubernetes services")
-      .option("--traefik", "Include traefik reverse proxy (auto-enabled for DNS URLs)")
-      .option("--dai", "Also start DAI services (implies --k3s)")
-      .action(async (name, opts) => {
-        if (opts.dai) opts.k3s = true;
-        const { azureStart } = await import("./lib/azure.js");
-        await azureStart({ vmName: opts.vmName || name, url: opts.url, githubToken: opts.githubToken, cfToken: opts.cfToken, profile: opts.profile, k3s: opts.k3s, traefik: opts.traefik, dai: opts.dai });
-      });
-
-    azure
-      .command("status [name]")
-      .description("Show VM state and Foundation service health")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureStatus } = await import("./lib/azure.js");
-        await azureStatus({ vmName: opts.vmName || name, profile: opts.profile });
-      });
-
-    azure
-      .command("trino-status [name]")
-      .description("Check Trino container and engine status on the VM (for bootstrap debugging)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureTrinoStatus } = await import("./lib/azure.js");
-        await azureTrinoStatus({ vmName: opts.vmName || name, profile: opts.profile });
-      });
-
-    azure
-      .command("terraform [name]")
-      .description("Generate Terraform HCL for the VM and its resources (VNet, NSG, IP, disk encryption)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--output <file>", "Write HCL to a file instead of stdout")
-      .action(async (name, opts) => {
-        const { vmTerraform } = await import("./lib/azure.js");
-        await vmTerraform({ vmName: opts.vmName || name, profile: opts.profile, output: opts.output });
-      });
-
-    const ssh = azure
-      .command("ssh")
-      .description("SSH access and admin key management");
-
-    ssh
-      .command("connect [name]", { isDefault: true })
-      .description("Open an interactive SSH session to the VM")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureSsh } = await import("./lib/azure.js");
-        await azureSsh({ vmName: opts.vmName || name });
-      });
-
-    const sshAdmin = ssh
-      .command("admin")
-      .description("Manage admin SSH keys across all VMs");
-
-    sshAdmin
-      .command("add <pubKey>")
-      .description("Add a public SSH key to all tracked VMs")
-      .action(async (pubKey) => {
-        const { azureSshAdminAdd } = await import("./lib/azure.js");
-        await azureSshAdminAdd({ pubKey });
-      });
-
-    azure
-      .command("port <remotePort>")
-      .description("Forward a remote VM port to localhost (SSH tunnel)")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--local-port <port>", "Local port (default: same as remote port)")
-      .action(async (remotePort, opts) => {
-        const { azurePortForward } = await import("./lib/azure.js");
-        await azurePortForward({ vmName: opts.vmName, remotePort: Number(remotePort), localPort: opts.localPort ? Number(opts.localPort) : undefined });
-      });
-
-    azure
-      .command("agent [vmName]")
-      .description("Run fops agent TUI on the remote VM via SSH (vmName = VM name; use --agent for agent name)")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--agent <name>", "Agent to run (default: foundation)", "foundation")
-      .option("-m, --message <text>", "Single-turn message instead of TUI")
-      .option("--classic", "Use classic terminal REPL instead of TUI")
-      .option("--model <id>", "Model override (e.g. claude-sonnet-4-20250514)")
-      .action(async (vmName, opts) => {
-        const { azureAgent } = await import("./lib/azure.js");
-        await azureAgent({ vmName: opts.vmName || vmName, agent: opts.agent, message: opts.message, classic: opts.classic, model: opts.model });
-      });
-
-    const knock = azure
-      .command("knock")
-      .description("Perform port-knock sequence to temporarily open SSH");
-
-    knock
-      .command("open [name]", { isDefault: true })
-      .description("Send the knock sequence — opens SSH for ~5 min")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureKnock } = await import("./lib/azure.js");
-        await azureKnock({ vmName: opts.vmName || name });
-      });
-
-    knock
-      .command("close [name]")
-      .description("Re-lock ports — revoke current knock, require a fresh one")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureKnockClose } = await import("./lib/azure.js");
-        await azureKnockClose({ vmName: opts.vmName || name });
-      });
-
-    knock
-      .command("disable [name]")
-      .description("Remove port knocking — restore open SSH access")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureKnockDisable } = await import("./lib/azure.js");
-        await azureKnockDisable({ vmName: opts.vmName || name });
-      });
-
-    knock
-      .command("verify [name]")
-      .description("Diagnose port-knock setup: check knockd, iptables rules, sequence match")
-      .option("--vm-name <name>", "Target VM (default: all VMs)")
-      .action(async (name, opts) => {
-        const { azureKnockVerify } = await import("./lib/azure.js");
-        await azureKnockVerify({ vmName: opts.vmName || name });
-      });
-
-    knock
-      .command("fix [name]")
-      .description("Re-setup port knocking with correct iptables rules on all (or one) VM")
-      .option("--vm-name <name>", "Target VM (default: all VMs)")
-      .action(async (name, opts) => {
-        const { azureKnockFix } = await import("./lib/azure.js");
-        await azureKnockFix({ vmName: opts.vmName || name });
-      });
-
-    const deploy = azure
-      .command("deploy")
-      .description("Deploy code, images, or specific component versions");
-
-    deploy
-      .command("stack [name]", { isDefault: true })
-      .description("Pull latest code, images, and restart Foundation on the VM")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--branch <branch>", "Git branch to deploy (default: main)")
-      .option("--url <url>", "Public URL override")
-      .option("--github-token <token>", "GitHub PAT for .netrc + GHCR auth (default: $GITHUB_TOKEN)")
-      .option("--k3s", "Include k3s Kubernetes services")
-      .option("--traefik", "Include traefik reverse proxy (auto-enabled for DNS URLs)")
-      .option("--dai", "Also start DAI services (implies --k3s)")
-      .action(async (name, opts) => {
-        if (opts.dai) opts.k3s = true;
-        const { azureDeploy } = await import("./lib/azure.js");
-        await azureDeploy({ vmName: opts.vmName || name, branch: opts.branch, url: opts.url, githubToken: opts.githubToken, k3s: opts.k3s, traefik: opts.traefik, dai: opts.dai });
-      });
-
-    deploy
-      .command("version <component> <tag>")
-      .description("Set a component to a specific image tag, pull, and restart")
-      .option("--vm-name <name>", "Target a specific VM")
-      .option("--all", "Deploy to all tracked VMs")
-      .option("--aks", "Also deploy to AKS clusters")
-      .option("--aks-cluster <name>", "Target a specific AKS cluster")
-      .option("--no-restart", "Pull image but don't restart the service")
-      .action(async (component, tag, opts) => {
-        const { azureDeployVersion } = await import("./lib/azure.js");
-        await azureDeployVersion({
-          component, tag,
-          vmName: opts.vmName,
-          all: opts.all,
-          aks: opts.aks,
-          aksCluster: opts.aksCluster,
-          noPull: !opts.restart,
-        });
-      });
-
-    const config = azure
-      .command("config")
-      .description("Manage feature flags and component versions on the remote VM");
-
-    config
-      .command("flags [name]", { isDefault: true })
-      .description("Toggle MX_FF_* feature flags")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureConfig } = await import("./lib/azure.js");
-        await azureConfig({ vmName: opts.vmName || name });
-      });
-
-    config
-      .command("versions [name]")
-      .description("Set image tags per Foundation component (backend, frontend, watcher, scheduler, storage)")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureConfigVersions } = await import("./lib/azure.js");
-        await azureConfigVersions({ vmName: opts.vmName || name });
-      });
-
-    azure
-      .command("update [names...]")
-      .description("Run fops update on tracked VMs in parallel (no args = all VMs, or list VM names)")
-      .option("--vm-name <name>", "Target a specific VM (alternative to positional names)")
-      .option("--github-token <token>", "GitHub PAT for git pull on VM when repo is private (default: $GITHUB_TOKEN)")
-      .option("--up", "After update, run fops up to restart services")
-      .action(async (names, opts) => {
-        const { azureUpdate } = await import("./lib/azure.js");
-        const list = Array.isArray(names) ? names.filter(Boolean) : (names ? [names] : []);
-        await azureUpdate({
-          vmName: opts.vmName,
-          vmNames: list.length ? list : undefined,
-          githubToken: opts.githubToken,
-          up: opts.up,
-        });
-      });
-
-    azure
-      .command("apply <file>")
-      .description("Apply a landscape file (FCL/HCL/YAML) to the remote VM's Foundation")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--dry-run", "Preview changes without creating entities")
-      .action(async (file, opts) => {
-        const { azureApply } = await import("./lib/azure.js");
-        await azureApply(file, { vmName: opts.vmName, dryRun: opts.dryRun });
-      });
-
-    azure
-      .command("download [name]")
-      .description("Pull all container images on a VM (docker compose pull)")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { lazyExeca, requireVmState, sshCmd, knockForVm } = await import("./lib/azure.js");
-        const execa = await lazyExeca();
-        const state = requireVmState(opts.vmName || name);
-        const ip = state.ip || state.publicIp;
-        const user = state.adminUser || "azureuser";
-        if (!ip) {
-          console.log(chalk.red(`  ✗ No IP found for VM "${state.vmName}". Run: fops azure audit ${state.vmName}`));
-          return;
-        }
-        await knockForVm(state);
-        console.log(chalk.cyan(`  Pulling images on ${state.vmName || name} (${ip})…`));
-        const { stdout, stderr, exitCode } = await sshCmd(
-          execa, ip, user,
-          "cd /opt/foundation-compose && make download",
-          600000,
-        );
-        if (stdout) console.log(stdout);
-        if (exitCode !== 0) {
-          console.log(chalk.yellow(`  ⚠ download exited with code ${exitCode}`));
-          if (stderr) console.log(chalk.dim(stderr.split("\n").slice(-5).join("\n")));
-        } else {
-          console.log(chalk.green(`  ✓ Images pulled on ${state.vmName || name}`));
-        }
-      });
-
-    azure
-      .command("pull [name]")
-      .description("Pull latest git code on a VM (no restart)")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--branch <branch>", "Git branch to pull (default: current branch)")
-      .option("--github-token <token>", "GitHub PAT for private repos (default: $GITHUB_TOKEN)")
-      .action(async (name, opts) => {
-        const { azurePull } = await import("./lib/azure.js");
-        await azurePull({
-          vmName: opts.vmName || name,
-          branch: opts.branch,
-          githubToken: opts.githubToken,
-        });
-      });
-
-    azure
-      .command("vm check [name]")
-      .description("Diagnose VM: show config versions and run make download with full output (for image-pull failures)")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, opts) => {
-        const { azureVmCheck } = await import("./lib/azure.js");
-        await azureVmCheck({ vmName: opts.vmName || name });
-      });
-
-    // ── Fleet management ─────────────────────────────────────────────────
-
-    azure
-      .command("exec <command>")
-      .description("Run a command on all tracked VMs in parallel")
-      .option("--vm-name <name>", "Target a specific VM instead of all")
-      .option("--timeout <seconds>", "Per-VM command timeout (default: 120)", "120")
-      .option("--quiet", "Show only summary, not command output")
-      .action(async (command, opts) => {
-        const { fleetExec } = await import("./lib/azure-fleet.js");
-        await fleetExec(command, { vmName: opts.vmName, timeout: Number(opts.timeout), quiet: opts.quiet });
-      });
-
-    azure
-      .command("diff")
-      .description("Compare configuration across all VMs — detect drift")
-      .option("--vm-name <name>", "Target a specific VM instead of all")
-      .action(async (opts) => {
-        const { fleetDiff } = await import("./lib/azure-fleet.js");
-        await fleetDiff({ vmName: opts.vmName });
-      });
-
-    azure
-      .command("rollout")
-      .description("Rolling deploy: pull, restart, health-check across VMs in batches")
-      .option("--vm-name <name>", "Target a specific VM instead of all")
-      .option("--batch <size>", "Number of VMs to deploy in parallel per batch (default: 1)", "1")
-      .option("--branch <branch>", "Git branch to deploy (default: main)")
-      .option("--health-timeout <seconds>", "Seconds to wait for healthy after restart (default: 120)", "120")
-      .option("--force", "Continue rolling out even if a batch fails")
-      .action(async (opts) => {
-        const { fleetRollout } = await import("./lib/azure-fleet.js");
-        await fleetRollout({
-          vmName: opts.vmName, batch: Number(opts.batch), branch: opts.branch,
-          healthTimeout: Number(opts.healthTimeout), force: opts.force,
-        });
-      });
-
-    azure
-      .command("sync")
-      .description("Push local config files to all VMs")
-      .option("--vm-name <name>", "Target a specific VM instead of all")
-      .option("--files <files>", "Comma-separated list of files to sync (default: docker-compose.yaml,.env)", "docker-compose.yaml,.env")
-      .option("--restart", "Run fops up after syncing files")
-      .action(async (opts) => {
-        const { fleetSync } = await import("./lib/azure-fleet.js");
-        await fleetSync({ vmName: opts.vmName, files: opts.files.split(","), restart: opts.restart });
-      });
-
-    azure
-      .command("health")
-      .description("Deep health report across all VMs — containers, disk, memory, load")
-      .option("--vm-name <name>", "Target a specific VM instead of all")
-      .action(async (opts) => {
-        const { fleetHealth } = await import("./lib/azure-fleet.js");
-        await fleetHealth({ vmName: opts.vmName });
-      });
-
-    azure
-      .command("bootstrap [name]")
-      .description("Run `fops bootstrap` on a VM (create demo data mesh)")
-      .option("--vm-name <name>", "Target VM (default: active)")
-      .action(async (name, opts) => {
-        const vmName = opts.vmName || name;
-        const {
-          lazyExeca, ensureAzCli, ensureAzAuth,
-          requireVmState, sshCmd, knockForVm, DEFAULTS,
-        } = await import("./lib/azure.js");
-        const { closeKnock } = await import("./lib/port-knock.js");
-        const fs = await import("node:fs");
-        const os = await import("node:os");
-        const pathMod = await import("node:path");
-        const execa = await lazyExeca();
-        await ensureAzCli(execa);
-        await ensureAzAuth(execa);
-        const state = requireVmState(vmName);
-        const ip = state.publicIp;
-        const user = DEFAULTS.adminUser;
-
-        if (!ip) {
-          console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n"));
-          process.exit(1);
-        }
-
-        // Load project root .env so credentials are available (same as fops bootstrap)
-        let projectRoot = null;
-        try {
-          const fopsPath = pathMod.join(os.homedir(), ".fops.json");
-          const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
-          if (raw?.projectRoot && fs.existsSync(pathMod.join(raw.projectRoot, ".env"))) projectRoot = raw.projectRoot;
-        } catch {}
-        if (!projectRoot) {
-          let dir = pathMod.resolve(process.cwd());
-          for (;;) {
-            if (fs.existsSync(pathMod.join(dir, "docker-compose.yaml")) && fs.existsSync(pathMod.join(dir, "Makefile"))) {
-              projectRoot = dir;
-              break;
-            }
-            const parent = pathMod.dirname(dir);
-            if (parent === dir) break;
-            dir = parent;
-          }
-        }
-        if (projectRoot) {
-          const { loadEnvFromFile } = await import("./lib/azure-helpers.js");
-          const loaded = loadEnvFromFile(pathMod.join(projectRoot, ".env"));
-          for (const [k, v] of Object.entries(loaded)) {
-            if (process.env[k] === undefined) process.env[k] = v;
-          }
-        }
-
-        // Resolve local credentials: env → .env (project root) → ~/.fops.json
-        let qaUser = "", qaPass = "", bearerToken = "";
-        if (process.env.BEARER_TOKEN?.trim()) {
-          bearerToken = process.env.BEARER_TOKEN.trim();
-        } else if (process.env.QA_USERNAME?.trim() && process.env.QA_PASSWORD) {
-          qaUser = process.env.QA_USERNAME.trim();
-          qaPass = process.env.QA_PASSWORD;
-        }
-        if (!bearerToken && !qaUser) {
-          try {
-            const fopsPath = pathMod.join(os.homedir(), ".fops.json");
-            const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
-            const cfg = raw?.plugins?.entries?.["fops-plugin-foundation"]?.config || {};
-            if (cfg.bearerToken?.trim()) {
-              bearerToken = cfg.bearerToken.trim();
-            } else if (cfg.user?.trim() && cfg.password) {
-              qaUser = cfg.user.trim();
-              qaPass = cfg.password;
-            }
-          } catch { /* no fops.json */ }
-        }
-
-        if (!bearerToken && !qaUser) {
-          console.error(chalk.red("\n  No Foundation credentials found locally."));
-          console.error(chalk.dim("  Set BEARER_TOKEN or QA_USERNAME/QA_PASSWORD in env, .env, or ~/.fops.json\n"));
-          process.exit(1);
-        }
-
-        // Pre-authenticate against the VM's API to get a bearer token
-        const vmUrl = state.publicUrl || `https://${ip}`;
-        let credsRejected = false; // true when the remote API explicitly returned 401
-        if (!bearerToken && qaUser) {
-          console.log(chalk.dim(`  Pre-authenticating against ${vmUrl}…`));
-
-          // When we have a domain-based public URL, only try that — direct
-          // IP:port fallbacks are firewalled on remote VMs and just waste time.
-          const hasDomain = state.publicUrl && !state.publicUrl.match(/^https?:\/\/\d+\.\d+\.\d+\.\d+/);
-          const apiUrls = hasDomain
-            ? [`${vmUrl}/api`]
-            : [`${vmUrl}/api`, `https://${ip}:3002/api`, `http://${ip}:9001/api`];
-
-          for (const apiBase of apiUrls) {
-            try {
-              const resp = await fetch(`${apiBase}/iam/login`, {
-                method: "POST",
-                headers: { "Content-Type": "application/json" },
-                body: JSON.stringify({ username: qaUser, password: qaPass }),
-                signal: AbortSignal.timeout(10000),
-              });
-              if (resp.ok) {
-                const data = await resp.json();
-                bearerToken = data.access_token || data.token || "";
-                if (bearerToken) {
-                  console.log(chalk.green(`  ✓ Authenticated as ${qaUser} via ${apiBase}`));
-                  break;
-                }
-              } else {
-                console.log(chalk.dim(`  ${apiBase}: HTTP ${resp.status}`));
-                if (resp.status === 401) credsRejected = true;
-              }
-            } catch (e) {
-              console.log(chalk.dim(`  ${apiBase}: ${e.cause?.code || e.message || "unreachable"}`));
-            }
-          }
-
-          // Auth0 ROPC fallback — works when the backend's /iam/login rejects
-          // local credentials but Auth0 accepts them directly.
-          if (!bearerToken) {
-            const auth0Cfg = resolveAuth0Config();
-            if (auth0Cfg) {
-              try {
-                console.log(chalk.dim(`  Trying Auth0 ROPC fallback (${auth0Cfg.domain})…`));
-                const body = {
-                  grant_type: "password",
-                  client_id: auth0Cfg.clientId,
-                  username: qaUser,
-                  password: qaPass,
-                  scope: "openid",
-                };
-                if (auth0Cfg.clientSecret) body.client_secret = auth0Cfg.clientSecret;
-                if (auth0Cfg.audience) body.audience = auth0Cfg.audience;
-
-                const resp = await fetch(`https://${auth0Cfg.domain}/oauth/token`, {
-                  method: "POST",
-                  headers: { "Content-Type": "application/json" },
-                  body: JSON.stringify(body),
-                  signal: AbortSignal.timeout(10000),
-                });
-                if (resp.ok) {
-                  const data = await resp.json();
-                  bearerToken = data.access_token || "";
-                  if (bearerToken) {
-                    credsRejected = false;
-                    console.log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
-                  }
-                } else {
-                  console.log(chalk.dim(`  Auth0: HTTP ${resp.status}`));
-                }
-              } catch (e) {
-                console.log(chalk.dim(`  Auth0 fallback: ${e.message || "failed"}`));
-              }
-            }
-          }
-        }
-
-        // If the remote API explicitly rejected credentials (401), don't forward
-        // the same wrong user/pass to the VM — they'll fail there too.
-        if (credsRejected && !bearerToken) {
-          console.error(chalk.red("\n  Credentials rejected by the remote API (HTTP 401)."));
-          console.error(chalk.dim("  The password for " + qaUser + " does not match this environment's Keycloak."));
-          console.error(chalk.dim("  Fix: set the correct password in ~/.fops.json or pass BEARER_TOKEN directly.\n"));
-          console.error(chalk.dim("  Hint: ssh into the VM and check the Keycloak password:"));
-          console.error(chalk.dim("    fops azure ssh " + (state.vmName || "") + '\n'));
-          process.exit(1);
-        }
-
-        // Build env exports — prefer bearer token over user/pass
-        const creds = {};
-        if (bearerToken) {
-          creds.BEARER_TOKEN = bearerToken;
-        } else if (qaUser) {
-          creds.QA_USERNAME = qaUser;
-          creds.QA_PASSWORD = qaPass;
-        }
-
-        if (!creds.BEARER_TOKEN && !creds.QA_USERNAME) {
-          console.error(chalk.red("\n  Could not authenticate against the VM's API."));
-          console.error(chalk.dim("  Check that the VM is running (fops azure status) and credentials are valid.\n"));
-          process.exit(1);
-        }
-
-        // Vars to persist to VM .env (bootstrap Python script loads .env and needs these)
-        const vmEnv = { ...creds };
-        if (process.env.AUTH0_EMAIL?.trim()) {
-          vmEnv.AUTH0_EMAIL = process.env.AUTH0_EMAIL.trim();
-        }
-
-        await knockForVm(state);
-        const ssh = (cmd, timeout, sshEnv) => sshCmd(execa, ip, user, cmd, timeout, { env: sshEnv });
-
-        // Persist credentials and AUTH0_EMAIL to the VM's .env so the Python script picks them up
-        const sedParts = ["sed -i '/^BEARER_TOKEN=/d;/^QA_USERNAME=/d;/^QA_PASSWORD=/d;/^AUTH0_EMAIL=/d' .env 2>/dev/null || true"];
-        for (const [k, v] of Object.entries(vmEnv)) {
-          const escaped = String(v).replace(/'/g, "'\\''");
-          sedParts.push(`echo '${k}=${escaped}' >> .env`);
-        }
-        await ssh(`cd /opt/foundation-compose && ${sedParts.join(" && ")}`, 15000, vmEnv);
-
-        console.log(chalk.cyan(`\n  Running fops bootstrap on "${state.vmName}"…\n`));
-        // Stream output in real-time. Use login shell so PATH has fops; fallback to common paths if not found.
-        const { MUX_OPTS } = await import("./lib/azure.js");
-        const bootstrapEnv = vmEnv ? { ...process.env, ...vmEnv } : undefined;
-        const remoteCmd = "cd /opt/foundation-compose && (fops bootstrap --yes || /usr/local/bin/fops bootstrap --yes || /usr/bin/fops bootstrap --yes)";
-        const { exitCode } = await execa("ssh", [
-          ...MUX_OPTS(ip, user),
-          `${user}@${ip}`,
-          remoteCmd,
-        ], {
-          timeout: 600000,
-          reject: false,
-          stdout: ["inherit"],
-          stderr: ["inherit"],
-          env: bootstrapEnv,
-        });
-
-        if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-
-        if (exitCode === 0) {
-          console.log(chalk.green("\n  ✓ Bootstrap complete on VM\n"));
-        } else {
-          const normalized = exitCode === 255 || exitCode === -1 ? 1 : exitCode;
-          console.error(chalk.red(`\n  Bootstrap failed (exit ${normalized}).\n`));
-          process.exitCode = 1;
-        }
-      });
-
-    const test = azure
-      .command("test")
-      .description("Run and manage QA test results");
-
-    test
-      .command("run [name]", { isDefault: true })
-      .description("Run QA automation tests locally against a remote VM")
-      .option("--vm-name <name>", "Target VM (default: active)")
-      .action(async (name, opts) => {
-        const { requireVmState, knockForVm } = await import("./lib/azure.js");
-        const { resolveCliSrc } = await import("./lib/azure-helpers.js");
-        const { rootDir } = await import(resolveCliSrc("project.js"));
-        const fsp = await import("node:fs/promises");
-        const path = await import("node:path");
-
-        const state = requireVmState(opts.vmName || name);
-        const ip = state.publicIp;
-        if (!ip) {
-          console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n"));
-          process.exit(1);
-        }
-
-        const root = rootDir();
-        if (!root) {
-          console.error(chalk.red("\n  Foundation project root not found. Run from the compose repo or set FOUNDATION_ROOT.\n"));
-          process.exit(1);
-        }
-
-        const qaDir = path.join(root, "foundation-qa-automation");
-        try {
-          await fsp.access(qaDir);
-        } catch {
-          console.error(chalk.red("\n  foundation-qa-automation/ not found in project root."));
-          console.error(chalk.dim("  Run: git submodule update --init\n"));
-          process.exit(1);
-        }
-
-        const vmUrl = state.publicUrl || `https://${ip}`;
-        const apiUrl = `${vmUrl}/api`;
-        const { execa: execaFn } = await import("execa");
-        const { sshCmd, MUX_OPTS } = await import("./lib/azure.js");
-
-        console.log(chalk.dim(`  Authenticating against ${vmUrl}…`));
-        const auth = await resolveRemoteAuth({
-          apiUrl, ip, vmState: state,
-          execaFn, sshCmd, knockForVm, suppressTlsWarning,
-        });
-        let { bearerToken, qaUser, qaPass, useTokenMode } = auth;
-
-        if (!bearerToken && !qaUser) {
-          console.error(chalk.red("\n  No credentials found (local or remote)."));
-          console.error(chalk.dim("  Set BEARER_TOKEN or QA_USERNAME/QA_PASSWORD, or ensure the VM has Auth0 configured in .env\n"));
-          process.exit(1);
-        }
-
-        // Write .env pointed at the remote VM
-        const envPath = path.join(qaDir, ".env");
-        const examplePath = path.join(qaDir, ".env.example");
-        let envContent;
-        try {
-          envContent = await fsp.readFile(examplePath, "utf8");
-        } catch {
-          envContent = await fsp.readFile(envPath, "utf8").catch(() => "");
-        }
-
-        const setVar = (content, key, value) => {
-          const re = new RegExp(`^${key}=.*`, "m");
-          return re.test(content)
-            ? content.replace(re, `${key}=${value}`)
-            : content + `\n${key}=${value}`;
-        };
-
-        envContent = setVar(envContent, "API_URL", apiUrl);
-        envContent = setVar(envContent, "DEV_API_URL", apiUrl);
-        envContent = setVar(envContent, "LIVE_API_URL", apiUrl);
-        envContent = setVar(envContent, "QA_USERNAME", qaUser);
-        envContent = setVar(envContent, "QA_PASSWORD", qaPass);
-        envContent = setVar(envContent, "QA_X_ACCOUNT", "root");
-        envContent = setVar(envContent, "ADMIN_USERNAME", qaUser);
-        envContent = setVar(envContent, "ADMIN_PASSWORD", qaPass);
-        envContent = setVar(envContent, "ADMIN_X_ACCOUNT", "root");
-        envContent = setVar(envContent, "OWNER_EMAIL", qaUser);
-        envContent = setVar(envContent, "OWNER_NAME", "Foundation Operator");
-        if (bearerToken) {
-          envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
-          envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
-        }
-
-        await fsp.writeFile(envPath, envContent);
-        console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
-
-        // Ensure venv + deps
-        try {
-          await fsp.access(path.join(qaDir, "venv"));
-        } catch {
-          console.log(chalk.cyan("  Setting up QA automation environment…"));
-          await execaFn("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
-          await execaFn("bash", ["-c", "source venv/bin/activate && pip install -r requirements.txt && playwright install"], { cwd: qaDir, stdio: "inherit" });
-        }
-
-        // Knock to ensure VM is reachable
-        await knockForVm(state);
-
-        const authMode = useTokenMode ? "bearer token (--use-token)" : `user/pass (${qaUser})`;
-        console.log(chalk.cyan(`\n  Running QA tests against ${state.vmName} (${vmUrl}) [${authMode}]…\n`));
-        const pytestArgsList = [
-          "tests/",
-          "--env", "staging",
-          "--role", "FOUNDATION_ADMIN",
-          "--numprocesses=0",
-          "-v",
-          "--durations=0",
-          "--html=./playwright-report/report.html",
-          "--self-contained-html",
-          "--ignore=tests/e2e/landscape",
-          "--ignore=tests/e2e/procedures",
-          "--ignore=tests/e2e/upload_file_s3",
-          "--ignore=tests/roles",
-          "--ignore=tests/unit/data_product/test_data_product_consumers_v2.py",
-          "--ignore=tests/unit/data_product/test_data_product_query.py",
-          "--ignore=tests/unit/data_product/test_data_product_quality_v2.py",
-          "--ignore=tests/unit/data_product/test_data_product_schema_v2.py",
-        ];
-        if (useTokenMode) pytestArgsList.push("--use-token");
-        const pytestArgs = pytestArgsList.join(" ");
-
-        const testEnv = {
-          ...process.env,
-          API_URL: apiUrl,
-          DEV_API_URL: apiUrl,
-          LIVE_API_URL: apiUrl,
-          ROLE_NAME: "FOUNDATION_ADMIN",
-          QA_USERNAME: qaUser,
-          QA_PASSWORD: qaPass,
-          CDO_USERNAME: qaUser,
-          CDO_PASSWORD: qaPass,
-          ADMIN_USERNAME: qaUser,
-          ADMIN_PASSWORD: qaPass,
-          QA_X_ACCOUNT: "root",
-          ADMIN_X_ACCOUNT: "root",
-          CDO_X_ACCOUNT: "root",
-          OWNER_EMAIL: qaUser,
-          OWNER_NAME: "Foundation Operator",
-        };
-        if (bearerToken) {
-          testEnv.BEARER_TOKEN = bearerToken;
-          testEnv.TOKEN_AUTH0 = bearerToken;
-        }
-
-        const startMs = Date.now();
-        const proc = execaFn(
-          "bash",
-          ["-c", `source venv/bin/activate && pytest ${pytestArgs}`],
-          { cwd: qaDir, timeout: 600_000, reject: false, env: testEnv },
-        );
-        let captured = "";
-        proc.stdout?.on("data", (d) => { const s = d.toString(); captured += s; process.stdout.write(s); });
-        proc.stderr?.on("data", (d) => { const s = d.toString(); captured += s; process.stderr.write(s); });
-        const { exitCode } = await proc;
-        const wallSec = Math.round((Date.now() - startMs) / 1000);
-
-        const counts = parsePytestSummary(captured);
-        const timing = parsePytestDurations(captured);
-        const { writeVmState } = await import("./lib/azure-state.js");
-        const qaResult = {
-          passed: exitCode === 0,
-          exitCode,
-          at: new Date().toISOString(),
-          ...(counts.passed != null && { numPassed: counts.passed }),
-          ...(counts.failed != null && { numFailed: counts.failed }),
-          ...(counts.error != null && { numErrors: counts.error }),
-          ...(counts.errors != null && { numErrors: counts.errors }),
-          ...(counts.skipped != null && { numSkipped: counts.skipped }),
-          durationSec: counts.durationSec || wallSec,
-          ...(timing && { timing }),
-        };
-        writeVmState(state.vmName, { qa: qaResult });
-
-        if (exitCode === 0) {
-          console.log(chalk.green("\n  ✓ QA tests passed\n"));
-        } else {
-          console.error(chalk.red(`\n  QA tests failed (exit ${exitCode}).`));
-          console.error(chalk.dim(`  Report: ${path.join(qaDir, "playwright-report", "report.html")}\n`));
-          process.exitCode = 1;
-        }
-
-        try {
-          const { resultsPush } = await import("./lib/azure-results.js");
-          const enriched = { ...qaResult };
-          try {
-            const gitExeca = (await import("execa")).execa;
-            const { stdout: branch } = await gitExeca("git", ["rev-parse", "--abbrev-ref", "HEAD"], { cwd: qaDir, reject: false, timeout: 5000 });
-            const { stdout: sha } = await gitExeca("git", ["rev-parse", "--short", "HEAD"], { cwd: qaDir, reject: false, timeout: 5000 });
-            if (branch?.trim()) enriched.branch = branch.trim();
-            if (sha?.trim()) enriched.sha = sha.trim();
-          } catch {}
-          await resultsPush(state.vmName, enriched, { quiet: false });
-        } catch (pushErr) {
-          console.log(chalk.dim(`  (Result push skipped: ${pushErr.message})`));
-        }
-      });
-
-    test
-      .command("setup")
-      .description("Configure the Azure Blob Storage account for test results")
-      .option("--account <name>", "Storage account name")
-      .action(async (opts) => {
-        const { resultsSetup } = await import("./lib/azure-results.js");
-        await resultsSetup({ account: opts.account });
-      });
-
-    test
-      .command("list [target]")
-      .description("List stored test results across VMs (optionally filter by name)")
-      .option("--last <n>", "Number of results to show", "20")
-      .action(async (target, opts) => {
-        const { resultsList } = await import("./lib/azure-results.js");
-        await resultsList({ target, last: parseInt(opts.last) });
-      });
-
-    test
-      .command("show <target>")
-      .description("Show details of the latest test result for a VM/cluster")
-      .option("--run <id>", "Show a specific run by timestamp")
-      .action(async (target, opts) => {
-        const { resultsShow } = await import("./lib/azure-results.js");
-        await resultsShow({ target, run: opts.run });
-      });
-
-    test
-      .command("compare [target]")
-      .description("Compare test runs across time — detect regressions and improvements")
-      .option("--last <n>", "Number of runs to compare", "10")
-      .action(async (target, opts) => {
-        const { resultsCompare } = await import("./lib/azure-results.js");
-        await resultsCompare({ target, last: parseInt(opts.last) });
-      });
-
-    test
-      .command("push [target]")
-      .description("Push local QA results to blob storage (default: all VMs with results)")
-      .action(async (target) => {
-        const { readVmState, listVms } = await import("./lib/azure-state.js");
-        const { resultsPush } = await import("./lib/azure-results.js");
-
-        const targets = [];
-        if (target) {
-          targets.push(target);
-        } else {
-          const { activeVm, vms } = listVms();
-          const names = Object.keys(vms);
-          if (names.length === 0) {
-            console.log(chalk.dim("\n  No VMs tracked.\n"));
-            return;
-          }
-          for (const name of names) {
-            const st = readVmState(name);
-            if (st?.qa) targets.push(name);
-          }
-          if (targets.length === 0) {
-            console.log(chalk.dim("\n  No local QA results found. Run tests first: fops azure test <vm>\n"));
-            return;
-          }
-        }
-
-        let pushed = 0;
-        for (const t of targets) {
-          const state = readVmState(t);
-          if (!state?.qa) {
-            console.log(chalk.dim(`  ${t}: no local QA result — skipped`));
-            continue;
-          }
-          await resultsPush(t, state.qa);
-          pushed++;
-        }
-        if (pushed === 0) {
-          console.log(chalk.dim("\n  No results to push.\n"));
-        }
-      });
-
-    azure
-      .command("scan [name]")
-      .description("Scan stack container images for CVEs using Trivy (same as fops scan)")
-      .option("--severity <levels>", "Comma-separated severity filter (default: CRITICAL,HIGH)", "CRITICAL,HIGH")
-      .option("--json", "Output raw JSON instead of table")
-      .option("--fix", "Show only vulnerabilities with a fix available")
-      .option("--service <name>", "Scan a specific compose service's image")
-      .action(async (name, opts) => {
-        const { resolveCliSrc } = await import("./lib/azure-helpers.js");
-        const { rootDir } = await import(resolveCliSrc("project.js"));
-        const root = rootDir();
-        if (!root) {
-          console.error(chalk.red("\n  Foundation project root not found. Run from the compose repo or set FOUNDATION_ROOT.\n"));
-          process.exit(1);
-        }
-        const { runScan } = await import(resolveCliSrc("commands/lifecycle.js"));
-        await runScan(root, {
-          severity: opts.severity,
-          json: opts.json,
-          fix: opts.fix,
-          service: opts.service,
-        });
-      });
-
-    azure
-      .command("snapshot [name]")
-      .description("Create Azure disk snapshots of all (or one) tracked VMs")
-      .option("--vm-name <name>", "Target a specific VM instead of all")
-      .option("--tag <tag>", "Snapshot tag/label (default: ISO timestamp)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { fleetSnapshot } = await import("./lib/azure-fleet.js");
-        await fleetSnapshot({ vmName: opts.vmName || name, tag: opts.tag, profile: opts.profile });
-      });
-
-    const audit = azure
-      .command("audit")
-      .description("Security & compliance audit across Azure resources");
-
-    audit
-      .command("all", { isDefault: true })
-      .description("Run all audit checks (VMs, AKS, storage encryption)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Limit VM audit to a specific VM")
-      .option("--cluster <name>", "Limit AKS audit to a specific cluster")
-      .option("--account <name>", "Limit storage audit to a specific account")
-      .option("--verbose", "Show info-level suggestions alongside warnings")
-      .action(async (opts) => {
-        const { auditAll } = await import("./lib/azure-audit.js");
-        await auditAll({ profile: opts.profile, vmName: opts.vmName, clusterName: opts.cluster, account: opts.account, verbose: opts.verbose });
-      });
-
-    audit
-      .command("vm [vmName]")
-      .description("Audit VM security — disk encryption, NSG rules, managed identity, patching")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--vm-name <name>", "Audit a specific VM (default: all tracked)")
-      .option("--verbose", "Show info-level suggestions alongside warnings")
-      .action(async (vmName, opts) => {
-        const { auditVms } = await import("./lib/azure-audit.js");
-        await auditVms({ profile: opts.profile, vmName: opts.vmName || vmName, verbose: opts.verbose });
-      });
-
-    audit
-      .command("aks [clusterName]")
-      .description("Audit AKS cluster security — RBAC, network policy, auto-upgrade, Defender")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--verbose", "Show info-level suggestions alongside warnings")
-      .action(async (clusterName, opts) => {
-        const { auditAks } = await import("./lib/azure-audit.js");
-        await auditAks({ profile: opts.profile, clusterName, verbose: opts.verbose });
-      });
-
-    audit
-      .command("storage")
-      .description("Audit storage account encryption & security posture")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--account <name>", "Audit a specific storage account (default: all)")
-      .option("--verbose", "Show info-level suggestions alongside warnings")
-      .action(async (opts) => {
-        const { auditStorage } = await import("./lib/azure-audit.js");
-        await auditStorage({ profile: opts.profile, account: opts.account, verbose: opts.verbose });
-      });
-
-    audit
-      .command("sessions [vmName]")
-      .description("View SSH session recordings across the fleet")
-      .option("--session <id>", "Read a specific session by ID")
-      .option("--live", "Show only active (live) sessions")
-      .option("--cloud", "Read from blob storage instead of SSH")
-      .option("--push", "Push collected sessions to blob storage")
-      .option("--last <n>", "Show only the last N sessions", "50")
-      .option("--tail <n>", "When reading a session, show only the last N lines")
-      .action(async (vmName, opts) => {
-        const { fleetAudit } = await import("./lib/azure-fleet.js");
-        await fleetAudit({
-          vmName,
-          session: opts.session,
-          live: opts.live,
-          cloud: opts.cloud,
-          push: opts.push,
-          last: Number(opts.last),
-          tail: opts.tail ? Number(opts.tail) : undefined,
-        });
-      });
-
-    audit
-      .command("zap [vmName]")
-      .description("Run an authenticated OWASP ZAP DAST scan against a VM's frontend")
-      .option("--vm-name <name>", "Target VM (default: active)")
-      .option("--target <url>", "Override target URL (default: https://<vm>.meshx.app)")
-      .option("--output <dir>", "Directory for JSON report (default: cwd)")
-      .option("--spider-minutes <n>", "Spider duration in minutes (default: 3)", "3")
-      .option("--ajax-minutes <n>", "Ajax spider duration in minutes (default: 3)", "3")
-      .option("--active-scan-minutes <n>", "Active scan rule timeout in minutes (default: 5)", "5")
-      .option("--max-minutes <n>", "Overall scan timeout in minutes (default: 20)", "20")
-      .option("--verbose", "Show fix suggestions for each finding")
-      .option("--aggressive", "Pentest mode: Penetration Tester policy, longer crawl/scan")
-      .action(async (vmName, opts) => {
-        const { auditZap } = await import("./lib/azure-audit.js");
-        await auditZap({
-          vmName: opts.vmName || vmName,
-          target: opts.target,
-          output: opts.output,
-          spiderMinutes: opts.aggressive ? undefined : (opts.spiderMinutes ? Number(opts.spiderMinutes) : undefined),
-          ajaxMinutes: opts.aggressive ? undefined : (opts.ajaxMinutes ? Number(opts.ajaxMinutes) : undefined),
-          activeScanMinutes: opts.aggressive ? undefined : (opts.activeScanMinutes ? Number(opts.activeScanMinutes) : undefined),
-          maxMinutes: opts.aggressive ? undefined : (opts.maxMinutes ? Number(opts.maxMinutes) : undefined),
-          verbose: opts.verbose,
-          aggressive: opts.aggressive,
-        });
-      });
-
-    azure
-      .command("restore <name>")
-      .description("Restore a VM from an Azure disk snapshot")
-      .option("--snapshot <name>", "Snapshot name to restore from (omit to list available)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--yes", "Skip confirmation prompt")
-      .action(async (name, opts) => {
-        const { fleetRestore } = await import("./lib/azure-fleet.js");
-        await fleetRestore({ vmName: name, snapshot: opts.snapshot, profile: opts.profile, yes: opts.yes });
-      });
-
-    // ── Swarm subcommands ───────────────────────────────────────────
-
-    const swarm = azure
-      .command("swarm")
-      .description("Docker Swarm cluster management");
-
-    swarm
-      .command("init <vmName>")
-      .description("Initialize Docker Swarm on a VM (single-node manager)")
-      .option("--stack", "Also deploy the compose stack as swarm services")
-      .action(async (vmName, opts) => {
-        const { swarmInit } = await import("./lib/azure-fleet.js");
-        await swarmInit({ vmName, stack: opts.stack });
-      });
-
-    swarm
-      .command("join <vmName>")
-      .description("Join a VM as a worker to an existing swarm (auto-creates the VM if it doesn't exist)")
-      .requiredOption("--manager <name>", "Manager VM to join")
-      .option("--as-manager", "Join as a manager instead of worker")
-      .option("--vm-size <size>", "VM size when auto-creating (default: inherited from manager)")
-      .option("--location <region>", "Azure region when auto-creating (default: inherited from manager)")
-      .option("--image <urn>", "Custom image URN when auto-creating")
-      .option("--url <url>", "Public URL override when auto-creating")
-      .option("--profile <subscription>", "Azure subscription when auto-creating")
-      .action(async (vmName, opts) => {
-        const { swarmJoin } = await import("./lib/azure-fleet.js");
-        await swarmJoin({
-          vmName, manager: opts.manager, asManager: opts.asManager,
-          vmSize: opts.vmSize, location: opts.location,
-          image: opts.image, url: opts.url, profile: opts.profile,
-        });
-      });
-
-    swarm
-      .command("status [vmName]")
-      .description("Show swarm node and service status")
-      .action(async (vmName) => {
-        const { swarmStatus } = await import("./lib/azure-fleet.js");
-        await swarmStatus({ vmName });
-      });
-
-    swarm
-      .command("promote <vmName>")
-      .description("Promote a swarm worker to manager")
-      .action(async (vmName) => {
-        const { swarmPromote } = await import("./lib/azure-fleet.js");
-        await swarmPromote({ vmName });
-      });
-
-    swarm
-      .command("deploy [vmName]")
-      .description("Deploy the compose stack as swarm services (or update existing)")
-      .action(async (vmName) => {
-        const { swarmDeploy } = await import("./lib/azure-fleet.js");
-        await swarmDeploy({ vmName });
-      });
-
-    swarm
-      .command("leave <vmName>")
-      .description("Remove a VM from the swarm")
-      .option("--force", "Force leave (required for managers)")
-      .action(async (vmName, opts) => {
-        const { swarmLeave } = await import("./lib/azure-fleet.js");
-        await swarmLeave({ vmName, force: opts.force });
-      });
-
-    // ── Other VM commands ─────────────────────────────────────────────
-
-    azure
-      .command("logs [name] [service]")
-      .description("Tail Foundation logs from the VM (service 'up' = tail /tmp/fops-up.log)")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .action(async (name, service, opts) => {
-        const { azureLogs } = await import("./lib/azure.js");
-        await azureLogs(service, { vmName: opts.vmName || name });
-      });
-
-    azure
-      .command("context [name]")
-      .description("Set local Docker CLI to talk to the remote VM via SSH")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--reset", "Switch back to the default Docker context")
-      .action(async (name, opts) => {
-        const { azureContext } = await import("./lib/azure.js");
-        await azureContext({ vmName: opts.vmName || name, reset: opts.reset });
-      });
-
-    azure
-      .command("kubectl <name>")
-      .description("Generate / merge kubeconfig for an AKS cluster")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--admin", "Get admin credentials (cluster-admin role)")
-      .action(async (name, opts) => {
-        const { aksKubeconfig } = await import("./lib/azure-aks.js");
-        await aksKubeconfig({ clusterName: name, profile: opts.profile, admin: opts.admin });
-      });
-
-    const grant = azure
-      .command("grant")
-      .description("Grant roles to users on the VM");
-
-    grant
-      .command("admin [name]")
-      .description("Grant Foundation Admin role to users on the VM")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--username <email>", "Grant to a specific user by email")
-      .option("--auth0-sub <sub>", "Grant to a specific Auth0 subject")
-      .action(async (name, opts) => {
-        const { azureGrantAdmin } = await import("./lib/azure.js");
-        await azureGrantAdmin({ vmName: opts.vmName || name, username: opts.username, auth0Sub: opts.auth0Sub });
-      });
-
-    azure
-      .command("cost")
-      .description("Show current Azure costs by service")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--days <days>", "Days to look back (default: 30)", "30")
-      .action(async (opts) => {
-        const { azureCost } = await import("./lib/azure.js");
-        await azureCost({ profile: opts.profile, days: opts.days });
-      });
-
-    azure
-      .command("subscriptions")
-      .description("List available Azure subscriptions")
-      .action(async () => {
-        const { azureSubscriptions } = await import("./lib/azure.js");
-        await azureSubscriptions();
-      });
-
-    // ── Storage (blob management) ────────────────────────────────────────
-    const storage = azure
-      .command("storage")
-      .description("Manage Azure Blob Storage accounts, containers, and blobs");
-
-    storage
-      .command("accounts")
-      .description("List storage accounts")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { storageList } = await import("./lib/azure-storage.js");
-        await storageList({ profile: opts.profile });
-      });
-
-    storage
-      .command("create <name>")
-      .description("Create a new storage account")
-      .option("--resource-group <name>", "Resource group (lists available if omitted)")
-      .requiredOption("--location <region>", "Azure region (e.g. eastus, westeurope, uaenorth)")
-      .option("--sku <sku>", "Replication SKU (default: Standard_LRS)", "Standard_LRS")
-      .option("--kind <kind>", "Account kind (default: StorageV2)", "StorageV2")
-      .option("--infra-encryption", "Enable infrastructure (double) encryption")
-      .option("--tags <tags>", "Space-separated tags: key1=val1 key2=val2")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { storageCreate } = await import("./lib/azure-storage.js");
-        await storageCreate({
-          name, resourceGroup: opts.resourceGroup, location: opts.location,
-          sku: opts.sku, kind: opts.kind, infraEncryption: opts.infraEncryption,
-          tags: opts.tags, profile: opts.profile,
-        });
-      });
-
-    const containers = storage
-      .command("container")
-      .description("Manage blob containers");
-
-    containers
-      .command("list")
-      .description("List containers in a storage account")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { containerList } = await import("./lib/azure-storage.js");
-        await containerList({ account: opts.account, profile: opts.profile });
-      });
-
-    containers
-      .command("create <name>")
-      .description("Create a new container")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { containerCreate } = await import("./lib/azure-storage.js");
-        await containerCreate({ account: opts.account, name, profile: opts.profile });
-      });
-
-    containers
-      .command("delete <name>")
-      .description("Delete a container (asks for confirmation)")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { containerDelete } = await import("./lib/azure-storage.js");
-        await containerDelete({ account: opts.account, name, profile: opts.profile });
-      });
-
-    const blob = storage
-      .command("blob")
-      .description("Manage blobs in a container");
-
-    blob
-      .command("list")
-      .description("List blobs in a container")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .requiredOption("--container <name>", "Container name")
-      .option("--prefix <prefix>", "Filter by blob name prefix")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { blobList } = await import("./lib/azure-storage.js");
-        await blobList({ account: opts.account, container: opts.container, prefix: opts.prefix, profile: opts.profile });
-      });
-
-    blob
-      .command("upload <file>")
-      .description("Upload a file as a blob")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .requiredOption("--container <name>", "Container name")
-      .option("--name <blob-name>", "Blob name (default: filename)")
-      .option("--overwrite", "Overwrite existing blob")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (file, opts) => {
-        const { blobUpload } = await import("./lib/azure-storage.js");
-        await blobUpload({ account: opts.account, container: opts.container, file, name: opts.name, overwrite: opts.overwrite, profile: opts.profile });
-      });
-
-    blob
-      .command("download <name>")
-      .description("Download a blob to a local file")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .requiredOption("--container <name>", "Container name")
-      .option("--dest <path>", "Local destination path (default: blob filename)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { blobDownload } = await import("./lib/azure-storage.js");
-        await blobDownload({ account: opts.account, container: opts.container, name, dest: opts.dest, profile: opts.profile });
-      });
-
-    blob
-      .command("delete <name>")
-      .description("Delete a blob (asks for confirmation)")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .requiredOption("--container <name>", "Container name")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { blobDelete } = await import("./lib/azure-storage.js");
-        await blobDelete({ account: opts.account, container: opts.container, name, profile: opts.profile });
-      });
-
-    blob
-      .command("url <name>")
-      .description("Generate a temporary SAS URL for a blob")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .requiredOption("--container <name>", "Container name")
-      .option("--expiry <hours>", "Link expiry in hours (default: 24)", "24")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { blobUrl } = await import("./lib/azure-storage.js");
-        await blobUrl({ account: opts.account, container: opts.container, name, expiry: opts.expiry, profile: opts.profile });
-      });
-
-    // ── Encryption ─────────────────────────────────────────────────────
-    const encryption = storage
-      .command("encryption")
-      .description("Show or configure storage account encryption settings");
-
-    encryption
-      .command("show", { isDefault: true })
-      .description("Show encryption posture for a storage account")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { storageEncryption } = await import("./lib/azure-storage.js");
-        await storageEncryption({ account: opts.account, profile: opts.profile });
-      });
-
-    encryption
-      .command("configure")
-      .description("Configure encryption and security settings")
-      .option("--account <name>", "Storage account (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--https-only", "Enforce HTTPS-only traffic")
-      .option("--min-tls <version>", "Minimum TLS version (TLS1_0, TLS1_1, TLS1_2)")
-      .option("--disable-shared-key", "Disable shared key auth (force AAD-only)")
-      .option("--enable-shared-key", "Re-enable shared key auth")
-      .option("--cmk", "Use customer-managed key (requires --key-vault, --key-name)")
-      .option("--key-vault <uri>", "Key Vault URI for CMK")
-      .option("--key-name <name>", "Key name in Key Vault")
-      .option("--key-version <version>", "Key version (default: latest)")
-      .option("--microsoft-keys", "Revert to Microsoft-managed keys")
-      .option("--infra-encryption", "Check/recommend infrastructure (double) encryption")
-      .option("--soft-delete <days>", "Enable blob soft delete (0 to disable)")
-      .option("--versioning", "Enable blob versioning")
-      .option("--no-versioning", "Disable blob versioning")
-      .option("--disable-blob-public", "Block anonymous read access on all containers")
-      .option("--deny-public-access", "Firewall: deny all networks except allowed IPs/VNets")
-      .option("--allow-public-access", "Firewall: allow all networks (remove restriction)")
-      .action(async (opts) => {
-        const { storageEncryptionConfigure } = await import("./lib/azure-storage.js");
-        await storageEncryptionConfigure({
-          account: opts.account, profile: opts.profile,
-          httpsOnly: opts.httpsOnly, minTls: opts.minTls,
-          disableSharedKey: opts.disableSharedKey, enableSharedKey: opts.enableSharedKey,
-          cmk: opts.cmk, keyVault: opts.keyVault, keyName: opts.keyName, keyVersion: opts.keyVersion,
-          microsoftKeys: opts.microsoftKeys, infraEncryption: opts.infraEncryption,
-          softDelete: opts.softDelete, versioning: opts.versioning,
-          disableBlobPublic: opts.disableBlobPublic,
-          denyPublicAccess: opts.denyPublicAccess, allowPublicAccess: opts.allowPublicAccess,
-        });
-      });
-
-    // ── Azure OpenAI (Cognitive Services) ───────────────────────────────
-    const openai = azure
-      .command("openai")
-      .description("Create/list Azure OpenAI resources (e.g. in uaenorth so VMs can use them)");
-
-    openai
-      .command("list", { isDefault: true })
-      .description("List Azure OpenAI resources in the subscription")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { openaiList } = await import("./lib/azure-openai.js");
-        await openaiList({ profile: opts.profile });
-      });
-
-    openai
-      .command("create <name>")
-      .description("Create an Azure OpenAI resource in a region (default: uaenorth)")
-      .requiredOption("--resource-group <name>", "Resource group (create with: az group create --name <name> --location uaenorth)")
-      .option("--location <region>", "Azure region (default: uaenorth)", "uaenorth")
-      .option("--sku <sku>", "SKU (default: S0)", "S0")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { openaiCreate } = await import("./lib/azure-openai.js");
-        await openaiCreate({
-          name,
-          resourceGroup: opts.resourceGroup,
-          location: opts.location,
-          sku: opts.sku,
-          profile: opts.profile,
-        });
-      });
-
-    openai
-      .command("allowlist-me")
-      .description("Add an IP to Azure OpenAI resource allowlists (uses az cli)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--all", "Allowlist on every OpenAI/AIServices resource across all subscriptions")
-      .option("--name <resource>", "Target a specific Azure OpenAI resource by name")
-      .option("--resource-group <rg>", "Resource group (auto-detected if omitted)")
-      .option("--ip <address>", "IP address to allowlist (auto-detected if omitted)")
-      .action(async (opts) => {
-        const { openaiAllowlistMe } = await import("./lib/azure-openai.js");
-        await openaiAllowlistMe({
-          profile: opts.profile,
-          all: opts.all,
-          name: opts.name,
-          resourceGroup: opts.resourceGroup,
-          ip: opts.ip,
-        });
-      });
-
-    openai
-      .command("debug-vm [vmName] [run]")
-      .description("Run a single agent request on the VM with DEBUG=1 to capture Azure OpenAI connection errors")
-      .option("--vm-name <name>", "Target VM (default: active VM)")
-      .option("--agent <name>", "Agent name (default: foundation)", "foundation")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (vmName, _run, opts) => {
-        const name = vmName === "run" ? undefined : (vmName || opts.vmName);
-        const { azureOpenAiDebugVm } = await import("./lib/azure.js");
-        await azureOpenAiDebugVm({
-          vmName: name,
-          agent: opts.agent,
-          profile: opts.profile,
-        });
-      });
-
-    // ── Key Vault ────────────────────────────────────────────────────────
-    const keyvault = azure
-      .command("keyvault")
-      .description("Manage Azure Key Vaults and secrets");
-
-    keyvault
-      .command("list", { isDefault: true })
-      .description("List Key Vaults in the subscription")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { keyvaultList } = await import("./lib/azure-keyvault.js");
-        await keyvaultList({ profile: opts.profile });
-      });
-
-    keyvault
-      .command("show")
-      .description("Show Key Vault details and object counts")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { keyvaultShow } = await import("./lib/azure-keyvault.js");
-        await keyvaultShow({ vault: opts.vault, profile: opts.profile });
-      });
-
-    keyvault
-      .command("create <name>")
-      .description("Create a new Key Vault")
-      .option("--resource-group <name>", "Resource group (lists available if omitted)")
-      .requiredOption("--location <region>", "Azure region (e.g. eastus, westeurope, uaenorth)")
-      .option("--sku <sku>", "SKU: standard or premium (default: standard)", "standard")
-      .option("--enable-purge-protection", "Enable purge protection (irreversible)")
-      .option("--retention-days <days>", "Soft-delete retention days (default: 90)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { keyvaultCreate } = await import("./lib/azure-keyvault.js");
-        await keyvaultCreate({
-          name, resourceGroup: opts.resourceGroup, location: opts.location,
-          sku: opts.sku, enablePurgeProtection: opts.enablePurgeProtection,
-          retentionDays: opts.retentionDays, profile: opts.profile,
-        });
-      });
-
-    keyvault
-      .command("delete")
-      .description("Delete a Key Vault (soft-delete)")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--purge", "Permanently purge after deletion (requires purge protection off)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { keyvaultDelete } = await import("./lib/azure-keyvault.js");
-        await keyvaultDelete({ vault: opts.vault, purge: opts.purge, profile: opts.profile });
-      });
-
-    keyvault
-      .command("sync")
-      .description("Pull secrets from Key Vault into .env files (reads .env.keyvault templates)")
-      .option("--vault <name>", "Override default vault for all references")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { keyvaultSync } = await import("./lib/azure-keyvault.js");
-        await keyvaultSync({ vault: opts.vault, profile: opts.profile });
-      });
-
-    keyvault
-      .command("setup")
-      .description("Interactive setup: pick vault, set auto-sync, scaffold .env.keyvault templates")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { keyvaultSetup } = await import("./lib/azure-keyvault.js");
-        await keyvaultSetup({ profile: opts.profile });
-      });
-
-    keyvault
-      .command("status")
-      .description("Show Key Vault sync status: auth, config, discovered templates")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { keyvaultStatus } = await import("./lib/azure-keyvault.js");
-        await keyvaultStatus({ profile: opts.profile });
-      });
-
-    const kvSecret = keyvault
-      .command("secret")
-      .description("Manage secrets in a Key Vault");
-
-    kvSecret
-      .command("list", { isDefault: true })
-      .description("List secrets in a Key Vault")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--include-managed", "Include managed (certificate-linked) secrets")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { secretList } = await import("./lib/azure-keyvault.js");
-        await secretList({ vault: opts.vault, includeManaged: opts.includeManaged, profile: opts.profile });
-      });
-
-    kvSecret
-      .command("show <name>")
-      .description("Show secret metadata (add --show-value to reveal)")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--version <version>", "Specific secret version (default: latest)")
-      .option("--show-value", "Display the secret value")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { secretShow } = await import("./lib/azure-keyvault.js");
-        await secretShow({ vault: opts.vault, name, version: opts.version, showValue: opts.showValue, profile: opts.profile });
-      });
-
-    kvSecret
-      .command("set <name>")
-      .description("Set a secret value (creates or updates)")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--value <value>", "Secret value (use --file for binary/large)")
-      .option("--file <path>", "Read secret value from a file")
-      .option("--content-type <type>", "Content type (e.g. text/plain, application/json)")
-      .option("--expires <datetime>", "Expiration date (ISO 8601)")
-      .option("--disabled", "Create the secret in disabled state")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { secretSet } = await import("./lib/azure-keyvault.js");
-        await secretSet({
-          vault: opts.vault, name, value: opts.value, file: opts.file,
-          contentType: opts.contentType, expires: opts.expires,
-          disabled: opts.disabled, profile: opts.profile,
-        });
-      });
-
-    kvSecret
-      .command("delete <name>")
-      .description("Delete a secret (soft-delete, recoverable)")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { secretDelete } = await import("./lib/azure-keyvault.js");
-        await secretDelete({ vault: opts.vault, name, profile: opts.profile });
-      });
-
-    const kvKey = keyvault
-      .command("key")
-      .description("Manage cryptographic keys in a Key Vault");
-
-    kvKey
-      .command("list", { isDefault: true })
-      .description("List keys in a Key Vault")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { keyList } = await import("./lib/azure-keyvault.js");
-        await keyList({ vault: opts.vault, profile: opts.profile });
-      });
-
-    kvKey
-      .command("show <name>")
-      .description("Show key details and rotation policy")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { keyShow } = await import("./lib/azure-keyvault.js");
-        await keyShow({ vault: opts.vault, name, profile: opts.profile });
-      });
-
-    kvKey
-      .command("create <name>")
-      .description("Create a key with optional auto-rotation policy")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--type <kty>", "Key type: RSA, RSA-HSM, EC, EC-HSM, oct, oct-HSM (default: RSA)", "RSA")
-      .option("--size <bits>", "RSA key size: 2048, 3072, 4096 (default: 2048)", "2048")
-      .option("--curve <curve>", "EC curve: P-256, P-384, P-521 (default: P-256)")
-      .option("--ops <operations>", "Space-separated key operations (encrypt decrypt sign verify wrapKey unwrapKey)")
-      .option("--rotate-every <duration>", "Auto-rotation interval as ISO 8601 duration (e.g. P90D, P6M, P1Y)")
-      .option("--expires-in <duration>", "Key expiry as ISO 8601 duration (e.g. P1Y, P2Y)")
-      .option("--notify-before <duration>", "Notify before expiry (default: P30D)")
-      .option("--disabled", "Create the key in disabled state")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { keyCreate } = await import("./lib/azure-keyvault.js");
-        await keyCreate({
-          vault: opts.vault, name, type: opts.type, size: opts.size,
-          curve: opts.curve, ops: opts.ops, rotateEvery: opts.rotateEvery,
-          expiresIn: opts.expiresIn, notifyBefore: opts.notifyBefore,
-          disabled: opts.disabled, profile: opts.profile,
-        });
-      });
-
-    kvKey
-      .command("rotate <name>")
-      .description("Rotate a key on-demand (creates a new version)")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { keyRotate } = await import("./lib/azure-keyvault.js");
-        await keyRotate({ vault: opts.vault, name, profile: opts.profile });
-      });
-
-    const kvRotationPolicy = kvKey
-      .command("rotation-policy")
-      .description("Manage key auto-rotation policy");
-
-    kvRotationPolicy
-      .command("show <name>")
-      .description("Show the rotation policy for a key")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { keyRotationPolicyShow } = await import("./lib/azure-keyvault.js");
-        await keyRotationPolicyShow({ vault: opts.vault, name, profile: opts.profile });
-      });
-
-    kvRotationPolicy
-      .command("set <name>")
-      .description("Set auto-rotation policy for a key")
-      .option("--vault <name>", "Key Vault name (auto-detected if only one)")
-      .requiredOption("--rotate-every <duration>", "Rotation interval (ISO 8601: P30D, P90D, P6M, P1Y)")
-      .option("--expires-in <duration>", "Key expiry duration (ISO 8601: P1Y, P2Y)")
-      .option("--notify-before <duration>", "Notify before expiry (default: P30D)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { keyRotationPolicySet } = await import("./lib/azure-keyvault.js");
-        await keyRotationPolicySet({
-          vault: opts.vault, name, rotateEvery: opts.rotateEvery,
-          expiresIn: opts.expiresIn, notifyBefore: opts.notifyBefore,
-          profile: opts.profile,
-        });
-      });
-
-    // ── AKS (Azure Kubernetes Service) ──────────────────────────────────
-    const aks = azure
-      .command("aks")
-      .description("Manage Foundation on AKS clusters (bootstrapped via Flux)");
-
-    aks
-      .command("up [name]")
-      .description("Create an AKS cluster, create GHCR pull secret, and bootstrap Flux (meshxdata/flux)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--location <region>", "Azure region (default: uaenorth)")
-      .option("--node-count <count>", "Initial node count (default: 3)")
-      .option("--min-count <count>", "Autoscaler min nodes (default: 1)")
-      .option("--max-count <count>", "Autoscaler max nodes (default: 5)")
-      .option("--node-vm-size <size>", "Node VM size (default: Standard_D8s_v3)")
-      .option("--kubernetes-version <version>", "K8s version (default: 1.30)")
-      .option("--tier <tier>", "AKS tier: free | standard | premium (default: standard)")
-      .option("--network-plugin <plugin>", "Network plugin: azure | kubenet (default: azure)")
-      .option("--max-pods <count>", "Max pods per node (default: 110)")
-      .option("--resource-group <name>", "Resource group (default: foundation-aks-rg)")
-      .option("--flux-repo <repo>", "GitHub repo for Flux (default: flux)")
-      .option("--flux-owner <owner>", "GitHub owner/org for Flux (default: meshxdata)")
-      .option("--flux-path <path>", "Path in repo for cluster manifests (default: clusters/<name>)")
-      .option("--flux-branch <branch>", "Git branch for Flux (default: main)")
-      .option("--github-token <token>", "GitHub PAT for Flux + GHCR pull (default: $GITHUB_TOKEN)")
-      .option("--no-flux", "Skip Flux bootstrap")
-      .option("--no-postgres", "Skip Postgres Flexible Server provisioning")
-
-      .option("--dai", "Include DAI (Dashboards AI) workloads")
-      .action(async (name, opts) => {
-        const { aksUp } = await import("./lib/azure-aks.js");
-        await aksUp({
-          clusterName: name, profile: opts.profile, location: opts.location,
-          nodeCount: opts.nodeCount ? Number(opts.nodeCount) : undefined,
-          minCount: opts.minCount ? Number(opts.minCount) : undefined,
-          maxCount: opts.maxCount ? Number(opts.maxCount) : undefined,
-          nodeVmSize: opts.nodeVmSize, kubernetesVersion: opts.kubernetesVersion,
-          tier: opts.tier, networkPlugin: opts.networkPlugin, maxPods: opts.maxPods ? Number(opts.maxPods) : undefined,
-          resourceGroup: opts.resourceGroup,
-          fluxRepo: opts.fluxRepo, fluxOwner: opts.fluxOwner,
-          fluxPath: opts.fluxPath, fluxBranch: opts.fluxBranch,
-          githubToken: opts.githubToken,
-
-          noFlux: opts.flux === false,
-          noPostgres: opts.postgres === false,
-          dai: opts.dai === true,
-        });
-      });
-
-    aks
-      .command("down [name]")
-      .description("Destroy the AKS cluster and all workloads")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--yes", "Skip confirmation prompt")
-      .action(async (name, opts) => {
-        const { aksDown } = await import("./lib/azure-aks.js");
-        await aksDown({ clusterName: name, profile: opts.profile, yes: opts.yes });
-      });
-
-    aks
-      .command("list")
-      .description("List all tracked AKS clusters")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (opts) => {
-        const { aksList } = await import("./lib/azure-aks.js");
-        await aksList({ profile: opts.profile });
-      });
-
-    aks
-      .command("status [name]")
-      .description("Show cluster state, node pools, and Flux health")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (name, opts) => {
-        const { aksStatus } = await import("./lib/azure-aks.js");
-        await aksStatus({ clusterName: name, profile: opts.profile });
-      });
-
-    const aksConfig = aks
-      .command("config")
-      .description("Manage service versions on the AKS cluster");
-
-    aksConfig
-      .command("versions [name]", { isDefault: true })
-      .description("Show Foundation service image tags running on the cluster")
-      .action(async (name) => {
-        const { aksConfigVersions } = await import("./lib/azure-aks.js");
-        await aksConfigVersions({ clusterName: name });
-      });
-
-    aks
-      .command("terraform [name]")
-      .description("Generate Terraform HCL for the AKS cluster and its resources")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--output <file>", "Write HCL to a file instead of stdout")
-      .action(async (name, opts) => {
-        const { aksTerraform } = await import("./lib/azure-aks.js");
-        await aksTerraform({ clusterName: name, profile: opts.profile, output: opts.output });
-      });
-
-    aks
-      .command("test [name]")
-      .description("Run QA automation tests locally against an AKS cluster")
-      .action(async (name) => {
-        const { readClusterState, writeClusterState, clusterDomain } = await import("./lib/azure-aks.js");
-        const { resolveCliSrc } = await import("./lib/azure-helpers.js");
-        const { rootDir } = await import(resolveCliSrc("project.js"));
-        const fsp = await import("node:fs/promises");
-        const path = await import("node:path");
-
-        const cluster = readClusterState(name);
-        if (!cluster?.clusterName) {
-          console.error(chalk.red(`\n  No AKS cluster tracked: "${name || "(none active)"}"`));
-          console.error(chalk.dim("  Create one:  fops azure aks up <name>\n"));
-          process.exit(1);
-        }
-
-        const domain = cluster.domain || clusterDomain(cluster.clusterName);
-        const baseUrl = `https://${domain}`;
-        const apiUrl = `${baseUrl}/api`;
-
-        const root = rootDir();
-        if (!root) {
-          console.error(chalk.red("\n  Foundation project root not found. Run from the compose repo or set FOUNDATION_ROOT.\n"));
-          process.exit(1);
-        }
-
-        const qaDir = path.join(root, "foundation-qa-automation");
-        try { await fsp.access(qaDir); } catch {
-          console.error(chalk.red("\n  foundation-qa-automation/ not found in project root."));
-          console.error(chalk.dim("  Run: git submodule update --init\n"));
-          process.exit(1);
-        }
-
-        const { execa: execaFn } = await import("execa");
-
-        // For AKS: use a tracked VM for SSH fallback
-        const { listVms: lv, sshCmd: sc, knockForVm: kfv } = await import("./lib/azure.js");
-        const { vms: allVms } = lv();
-        const vmEntry = Object.entries(allVms).find(([, v]) => v.publicIp);
-
-        console.log(chalk.dim(`  Authenticating against ${apiUrl}…`));
-        const auth = await resolveRemoteAuth({
-          apiUrl,
-          ip: vmEntry?.[1]?.publicIp,
-          vmState: vmEntry?.[1],
-          execaFn, sshCmd: sc, knockForVm: kfv, suppressTlsWarning,
-        });
-        let { bearerToken, qaUser, qaPass, useTokenMode } = auth;
-
-        if (!bearerToken && !qaUser) {
-          console.error(chalk.red("\n  No credentials found (local or remote)."));
-          console.error(chalk.dim("  Set BEARER_TOKEN or QA_USERNAME/QA_PASSWORD in env or ~/.fops.json\n"));
-          process.exit(1);
-        }
-
-        // Write QA .env
-        const envPath = path.join(qaDir, ".env");
-        const examplePath = path.join(qaDir, ".env.example");
-        let envContent;
-        try { envContent = await fsp.readFile(examplePath, "utf8"); } catch {
-          envContent = await fsp.readFile(envPath, "utf8").catch(() => "");
-        }
-        const setVar = (content, key, value) => {
-          const re = new RegExp(`^${key}=.*`, "m");
-          return re.test(content) ? content.replace(re, `${key}=${value}`) : content + `\n${key}=${value}`;
-        };
-        envContent = setVar(envContent, "API_URL", apiUrl);
-        envContent = setVar(envContent, "DEV_API_URL", apiUrl);
-        envContent = setVar(envContent, "LIVE_API_URL", apiUrl);
-        envContent = setVar(envContent, "QA_USERNAME", qaUser);
-        envContent = setVar(envContent, "QA_PASSWORD", qaPass);
-        envContent = setVar(envContent, "QA_X_ACCOUNT", "root");
-        envContent = setVar(envContent, "ADMIN_USERNAME", qaUser);
-        envContent = setVar(envContent, "ADMIN_PASSWORD", qaPass);
-        envContent = setVar(envContent, "ADMIN_X_ACCOUNT", "root");
-        envContent = setVar(envContent, "CDO_USERNAME", qaUser);
-        envContent = setVar(envContent, "CDO_PASSWORD", qaPass);
-        envContent = setVar(envContent, "CDO_X_ACCOUNT", "root");
-        envContent = setVar(envContent, "OWNER_EMAIL", qaUser);
-        envContent = setVar(envContent, "OWNER_NAME", "Foundation Operator");
-        if (bearerToken) {
-          envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
-          envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
-        }
-        await fsp.writeFile(envPath, envContent);
-        console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
-
-        // Ensure venv + deps
-        try { await fsp.access(path.join(qaDir, "venv")); } catch {
-          console.log(chalk.cyan("  Setting up QA automation environment…"));
-          await execaFn("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
-          await execaFn("bash", ["-c", "source venv/bin/activate && pip install -r requirements.txt && playwright install"], { cwd: qaDir, stdio: "inherit" });
-        }
-
-        const authMode = useTokenMode ? "bearer token (--use-token)" : `user/pass (${qaUser})`;
-        console.log(chalk.cyan(`\n  Running QA tests against AKS ${cluster.clusterName} (${baseUrl}) [${authMode}]…\n`));
-        const pytestArgsList = [
-          "tests/",
-          "--env", "staging",
-          "--role", "FOUNDATION_ADMIN",
-          "--numprocesses=0",
-          "-v",
-          "--durations=0",
-          "--html=./playwright-report/report.html",
-          "--self-contained-html",
-          "--ignore=tests/e2e/landscape",
-          "--ignore=tests/e2e/procedures",
-          "--ignore=tests/e2e/upload_file_s3",
-          "--ignore=tests/roles",
-          "--ignore=tests/unit/data_product/test_data_product_consumers_v2.py",
-          "--ignore=tests/unit/data_product/test_data_product_query.py",
-          "--ignore=tests/unit/data_product/test_data_product_quality_v2.py",
-          "--ignore=tests/unit/data_product/test_data_product_schema_v2.py",
-        ];
-        if (useTokenMode) pytestArgsList.push("--use-token");
-        const pytestArgs = pytestArgsList.join(" ");
-
-        const testEnv = {
-          ...process.env,
-          API_URL: apiUrl,
-          DEV_API_URL: apiUrl,
-          LIVE_API_URL: apiUrl,
-          ROLE_NAME: "FOUNDATION_ADMIN",
-          QA_USERNAME: qaUser,
-          QA_PASSWORD: qaPass,
-          ADMIN_USERNAME: qaUser,
-          ADMIN_PASSWORD: qaPass,
-          QA_X_ACCOUNT: "root",
-          ADMIN_X_ACCOUNT: "root",
-          CDO_USERNAME: qaUser,
-          CDO_PASSWORD: qaPass,
-          CDO_X_ACCOUNT: "root",
-          OWNER_EMAIL: qaUser,
-          OWNER_NAME: "Foundation Operator",
-        };
-        if (bearerToken) {
-          testEnv.BEARER_TOKEN = bearerToken;
-          testEnv.TOKEN_AUTH0 = bearerToken;
-        }
-
-        const aksStartMs = Date.now();
-        const aksProc = execaFn(
-          "bash",
-          ["-c", `source venv/bin/activate && pytest ${pytestArgs}`],
-          { cwd: qaDir, timeout: 600_000, reject: false, env: testEnv },
-        );
-        let aksCaptured = "";
-        aksProc.stdout?.on("data", (d) => { const s = d.toString(); aksCaptured += s; process.stdout.write(s); });
-        aksProc.stderr?.on("data", (d) => { const s = d.toString(); aksCaptured += s; process.stderr.write(s); });
-        const { exitCode } = await aksProc;
-        const aksWallSec = Math.round((Date.now() - aksStartMs) / 1000);
-
-        const aksCounts = parsePytestSummary(aksCaptured);
-        const aksTiming = parsePytestDurations(aksCaptured);
-        const qaResult = {
-          passed: exitCode === 0,
-          exitCode,
-          at: new Date().toISOString(),
-          ...(aksCounts.passed != null && { numPassed: aksCounts.passed }),
-          ...(aksCounts.failed != null && { numFailed: aksCounts.failed }),
-          ...(aksCounts.error != null && { numErrors: aksCounts.error }),
-          ...(aksCounts.errors != null && { numErrors: aksCounts.errors }),
-          ...(aksCounts.skipped != null && { numSkipped: aksCounts.skipped }),
-          durationSec: aksCounts.durationSec || aksWallSec,
-          ...(aksTiming && { timing: aksTiming }),
-        };
-        writeClusterState(cluster.clusterName, { qa: qaResult });
-
-        if (exitCode === 0) {
-          console.log(chalk.green("\n  ✓ QA tests passed\n"));
-        } else {
-          console.error(chalk.red(`\n  QA tests failed (exit ${exitCode}).`));
-          console.error(chalk.dim(`  Report: ${path.join(qaDir, "playwright-report", "report.html")}\n`));
-          process.exitCode = 1;
-        }
-
-        try {
-          const { resultsPush } = await import("./lib/azure-results.js");
-          await resultsPush(cluster.clusterName, qaResult, { quiet: false });
-        } catch (pushErr) {
-          console.log(chalk.dim(`  (Result push skipped: ${pushErr.message})`));
-        }
-      });
-
-    aks
-      .command("kubeconfig [name]")
-      .description("Merge cluster kubeconfig into ~/.kube/config")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--admin", "Get admin credentials (cluster-admin role)")
-      .action(async (name, opts) => {
-        const { aksKubeconfig } = await import("./lib/azure-aks.js");
-        await aksKubeconfig({ clusterName: name, profile: opts.profile, admin: opts.admin });
-      });
-
-    aks
-      .command("bootstrap [clusterName]")
-      .description("Create demo data mesh on the cluster (same as fops bootstrap, targeting AKS backend)")
-      .option("--api-url <url>", "Foundation backend API URL (e.g. https://foundation.example.com/api)")
-      .option("--yes", "Use credentials from env or ~/.fops.json, skip prompt")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (clusterName, opts) => {
-        const { aksDataBootstrap } = await import("./lib/azure-aks.js");
-        await aksDataBootstrap({
-          clusterName,
-          profile: opts.profile,
-          apiUrl: opts.apiUrl,
-          yes: opts.yes,
-        });
-      });
-
-    // ── Node pool management ─────────────────────────────────────────────
-    const nodePool = aks
-      .command("node-pool")
-      .description("Manage AKS node pools");
-
-    nodePool
-      .command("add [clusterName]")
-      .description("Add a node pool to the cluster")
-      .requiredOption("--pool-name <name>", "Node pool name")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .option("--node-count <count>", "Node count (default: 3)")
-      .option("--node-vm-size <size>", "VM size (default: Standard_D8s_v3)")
-      .option("--mode <mode>", "Pool mode: System | User")
-      .option("--labels <labels>", "Node labels (key=value pairs)")
-      .option("--taints <taints>", "Node taints (key=value:effect)")
-      .option("--max-pods <count>", "Max pods per node")
-      .action(async (clusterName, opts) => {
-        const { aksNodePoolAdd } = await import("./lib/azure-aks.js");
-        await aksNodePoolAdd({
-          clusterName, profile: opts.profile, poolName: opts.poolName,
-          nodeCount: opts.nodeCount ? Number(opts.nodeCount) : undefined,
-          nodeVmSize: opts.nodeVmSize, mode: opts.mode,
-          labels: opts.labels, taints: opts.taints,
-          maxPods: opts.maxPods ? Number(opts.maxPods) : undefined,
-        });
-      });
-
-    nodePool
-      .command("remove [clusterName]")
-      .description("Remove a node pool from the cluster")
-      .requiredOption("--pool-name <name>", "Node pool name to remove")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (clusterName, opts) => {
-        const { aksNodePoolRemove } = await import("./lib/azure-aks.js");
-        await aksNodePoolRemove({ clusterName, profile: opts.profile, poolName: opts.poolName });
-      });
-
-    // ── Flux subcommands ─────────────────────────────────────────────────
-    const flux = aks
-      .command("flux")
-      .description("Manage Flux GitOps on the AKS cluster");
-
-    flux
-      .command("init <clusterName>")
-      .description("Scaffold cluster manifests from the Foundation Flux template")
-      .requiredOption("--flux-repo <path>", "Path to local flux repo clone")
-      .option("--overlay <name>", "Overlay name for app kustomizations (default: <name>-azure)")
-      .option("--namespace <ns>", "Kubernetes namespace for the tenant (default: velora)")
-      .option("--postgres-host <host>", "Postgres hostname")
-      .option("--acr-username <user>", "ACR pull username")
-      .option("--acr-password <pass>", "ACR pull password")
-      .action(async (clusterName, opts) => {
-        const { aksFluxInit } = await import("./lib/azure-aks.js");
-        await aksFluxInit({
-          clusterName, fluxRepo: opts.fluxRepo,
-          overlay: opts.overlay, namespace: opts.namespace,
-          postgresHost: opts.postgresHost,
-          acrUsername: opts.acrUsername, acrPassword: opts.acrPassword,
-        });
-      });
-
-    flux
-      .command("bootstrap [clusterName]")
-      .description("Bootstrap Flux on the cluster with a GitHub repo")
-      .requiredOption("--flux-repo <repo>", "GitHub repo name")
-      .requiredOption("--flux-owner <owner>", "GitHub owner/org")
-      .option("--flux-path <path>", "Path in repo for cluster manifests (default: clusters/<name>)")
-      .option("--flux-branch <branch>", "Git branch (default: main)")
-      .option("--github-token <token>", "GitHub PAT (default: $GITHUB_TOKEN)")
-      .option("--profile <subscription>", "Azure subscription name or ID")
-      .action(async (clusterName, opts) => {
-        const { aksFluxBootstrap } = await import("./lib/azure-aks.js");
-        await aksFluxBootstrap({
-          clusterName, profile: opts.profile,
-          repo: opts.fluxRepo, owner: opts.fluxOwner,
-          path: opts.fluxPath, branch: opts.fluxBranch,
-          githubToken: opts.githubToken,
-        });
-      });
-
-    flux
-      .command("status [clusterName]")
-      .description("Show Flux sources, kustomizations, and helm releases")
-      .action(async (clusterName) => {
-        const { aksFluxStatus } = await import("./lib/azure-aks.js");
-        await aksFluxStatus({ clusterName });
-      });
-
-    flux
-      .command("reconcile [clusterName]")
-      .description("Trigger a Flux reconciliation (pull + apply)")
-      .option("--source <name>", "Git source name (default: flux-system)")
-      .action(async (clusterName, opts) => {
-        const { aksFluxReconcile } = await import("./lib/azure-aks.js");
-        await aksFluxReconcile({ clusterName, source: opts.source });
-      });
+    registerVmCommands(azure, api, registry);
+    registerFleetCommands(azure);
+    registerTestCommands(azure);
+    registerInfraCommands(azure);
   });
 
-  // ── Cost optimization agent tools ──────────────────────────────────────
+  // ── Cost agent tools + agent ───────────────────────────────────────────
+
   const { registerCostTools } = await import("./lib/azure-cost.js");
   await registerCostTools(api);
 
-  // ── Cost agent ─────────────────────────────────────────────────────────
   api.registerAgent({
     name: "azure",
     description: "Azure cost optimization — finds waste, checks utilization, enforces budgets",
@@ -2901,11 +67,11 @@ export async function register(api) {
     ].join("\n"),
   });
 
-  // ── Security agent tools ──────────────────────────────────────────────
+  // ── Security agent tools + agent ───────────────────────────────────────
+
   const { registerSecurityTools } = await import("./lib/azure-security.js");
   await registerSecurityTools(api);
 
-  // ── Security agent ────────────────────────────────────────────────────
   api.registerAgent({
     name: "azure-security",
     description: "Azure security assessment — audits VMs, AKS, storage, and runs OWASP ZAP DAST scans",
@@ -2943,7 +109,8 @@ export async function register(api) {
     ].join("\n"),
   });
 
-  // ── Doctor check ───────────────────────────────────
+  // ── Doctor checks ──────────────────────────────────────────────────────
+
   api.registerDoctorCheck({
     name: "Azure CLI",
     fn: async (ok, warn) => {
@@ -2982,7 +149,6 @@ export async function register(api) {
     },
   });
 
-  // ── Doctor checks (AKS prereqs) ────────────────────
   api.registerDoctorCheck({
     name: "kubectl",
     fn: async (ok, warn) => {
@@ -3020,7 +186,8 @@ export async function register(api) {
     },
   });
 
-  // ── Hook: before:up — auto-sync Key Vault secrets ──
+  // ── Hook: before:up — auto-sync Key Vault secrets ─────────────────────
+
   api.registerHook("before:up", async () => {
     const { readKeyvaultConfig, discoverKeyvaultTemplates, syncSecrets } = await import("./lib/azure-keyvault.js");
     const cfg = readKeyvaultConfig();
@@ -3044,7 +211,6 @@ export async function register(api) {
     const templates = discoverKeyvaultTemplates(root);
     if (templates.length === 0) return;
 
-    // Quick check: is az cli even logged in?
     try {
       const { execa } = await import("execa");
       await execa("az", ["account", "show", "--output", "none"], { timeout: 10000 });
@@ -3060,15 +226,15 @@ export async function register(api) {
     }
   });
 
-  // ── Knowledge source ───────────────────────────────
+  // ── Knowledge source ───────────────────────────────────────────────────
+
   api.registerKnowledgeSource({
     name: "Azure VM & AKS Management",
     description: "Provision and manage Foundation on Azure VMs and AKS clusters",
     search(query) {
       const keywords = ["azure", "vm", "cloud", "provision", "deploy", "resize", "deallocate", "ssh", "az cli", "cost", "subscription", "spend", "fleet", "rollout", "snapshot", "drift", "sync", "health", "audit", "security", "compliance", "encryption", "aks", "kubernetes", "k8s", "flux", "gitops", "cluster", "node pool", "kubeconfig", "helm"];
       const q = query.toLowerCase();
-      const match = keywords.some((kw) => q.includes(kw));
-      if (!match) return [];
+      if (!keywords.some((kw) => q.includes(kw))) return [];
 
       return [
         {
@@ -3157,23 +323,12 @@ export async function register(api) {
             "  ISO 8601 durations: P30D = 30 days, P90D = 90 days, P6M = 6 months, P1Y = 1 year",
             "",
             "### Key Vault Secret Sync (.env.keyvault)",
-            "Inject secrets from Azure Key Vault into `.env` files using `kv://` references (mirrors the 1Password plugin).",
+            "Inject secrets from Azure Key Vault into `.env` files using `kv://` references.",
             "",
             "- `fops azure keyvault setup` — Interactive wizard: pick vault, set auto-sync, scaffold `.env.keyvault` templates",
             "- `fops azure keyvault sync` — Pull secrets from Key Vault → merge into `.env` files",
             "- `fops azure keyvault status` — Show auth, config, discovered templates",
             "",
-            "**Template format (`.env.keyvault`):**",
-            "```",
-            "# KEY=kv://<vault>/<secret-name>",
-            "BEARER_TOKEN=kv://my-vault/bearer-token",
-            "DB_PASSWORD=kv://my-vault/db-password",
-            "S3_SECRET_KEY=kv://my-vault/s3-secret-key",
-            "```",
-            "",
-            "When `autoSync: true` in config, secrets sync automatically before `fops up`.",
-            "Config stored in `~/.fops.json` under `plugins.entries.fops-plugin-azure.config.keyvault`.",
-            "",
             "### Audit & Compliance",
             "- `fops azure audit` — Run all security checks (VMs, AKS, storage encryption)",
             "- `fops azure audit vm [name]` — Audit VM security (disk encryption, NSG, managed identity, patching)",
@@ -3184,7 +339,6 @@ export async function register(api) {
             "- `fops azure audit zap [vmName]` — Authenticated OWASP ZAP DAST scan against a VM's frontend",
             "  Options: --target <url>, --spider-minutes, --ajax-minutes, --active-scan-minutes, --max-minutes",
             "- `fops azure audit sessions [vmName]` — View SSH session recordings across the fleet",
-            "  All audit commands support --verbose to show info-level suggestions",
             "",
             "### Fleet Management",
             "- `fops azure exec <command>` — Run a command on all VMs in parallel",
@@ -3234,7 +388,8 @@ export async function register(api) {
     },
   });
 
-  // ── Embed index source ──────────────────────────────
+  // ── Embed index source ─────────────────────────────────────────────────
+
   api.registerIndexSource({
     name: "azure",
     async fn(_root, log = () => {}) {
@@ -3288,7 +443,7 @@ export async function register(api) {
         });
       }
 
-      // ── Security audit findings ──────────────────────────
+      // ── Security audit findings ──────────────────────────────────────
       try {
         const { auditVms, auditAks, auditStorage } = await import("./lib/azure-audit.js");
 
@@ -3321,7 +476,7 @@ export async function register(api) {
         }
       } catch { /* audit not available or failed */ }
 
-      // ── ZAP scan results ──────────────────────────────────
+      // ── ZAP scan results ─────────────────────────────────────────────
       try {
         const fsp = await import("node:fs/promises");
         const pathMod = await import("node:path");
@@ -3364,9 +519,7 @@ export async function register(api) {
         }
       } catch { /* no reports or fs error */ }
 
-      // ── Remote landscape (data mesh data from running VMs) ─────
-      // Try HTTPS first; if the VM has an OAuth gateway (traefik) that blocks
-      // /iam/login, fall back to SSH + curl against localhost:9001 on the VM.
+      // ── Remote landscape (data mesh data from running VMs) ────────────
       const targetVm = process.env.__FOPS_AZURE_EMBED_VM;
       const upVms = Object.entries(cache.vms || {})
         .filter(([name, vm]) => (vm.status === "up" || vm.status === "degraded") && (!targetVm || name === targetVm));
@@ -3384,7 +537,6 @@ export async function register(api) {
               } catch (err) {
                 log(`    azure/${name}: HTTPS landscape error — ${err.message}`);
               }
-              // HTTPS auth failed — fall back to SSH tunnel
               if (vm.publicIp && creds.user && creds.password) {
                 try {
                   log(`    azure/${name}: falling back to SSH…`);
@@ -3393,21 +545,17 @@ export async function register(api) {
                   log(`    azure/${name}: SSH landscape error — ${sshErr.message}`);
                 }
               }
-              log(`    azure/${name}: auth failed via HTTPS and SSH, skipping landscape`);
               return [];
-            }),
+            })
           );
           for (const r of landscapeResults) {
-            if (r.status === "fulfilled") chunks.push(...r.value);
+            if (r.status === "fulfilled" && Array.isArray(r.value)) {
+              chunks.push(...r.value);
+            }
           }
-        } else {
-          log("    azure: no Foundation credentials, skipping remote landscape");
         }
       }
 
-      const auditCount = chunks.filter(c => c.metadata?.resourceType?.startsWith("security") || c.metadata?.resourceType === "zap-scan").length;
-      const landscapeCount = chunks.filter(c => c.metadata?.resourceType === "remote-landscape").length;
-      log(`    azure: ${Object.keys(cache.vms || {}).length} VMs, ${Object.keys(cache.clusters || {}).length} clusters, ${auditCount} security chunks, ${landscapeCount} landscape entities`);
       return chunks;
     },
   });