@meshxdata/fops 0.1.36 → 0.1.38

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks.js

@@ -148,7 +148,7 @@ function resolveFluxConfig(clusterName, opts) {
   return {
     fluxRepo: opts?.fluxRepo ?? tracked?.flux?.repo ?? az.fluxRepo ?? project?.fluxRepo ?? AKS_DEFAULTS.fluxRepo,
     fluxOwner: opts?.fluxOwner ?? tracked?.flux?.owner ?? az.fluxOwner ?? project?.fluxOwner ?? AKS_DEFAULTS.fluxOwner,
-    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || AKS_DEFAULTS.fluxPath,
+    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || `clusters/${clusterName}`,
     fluxBranch: opts?.fluxBranch ?? tracked?.flux?.branch ?? az.fluxBranch ?? project?.fluxBranch ?? AKS_DEFAULTS.fluxBranch,
   };
 }
@@ -182,6 +182,107 @@ function requireCluster(name) {
   };
 }
 
+// ── Flux local-repo scaffolding ───────────────────────────────────────────────
+
+/**
+ * Auto-detect the local flux repo clone.
+ * Searches common relative paths from the project root and CWD.
+ */
+function findFluxLocalRepo() {
+  const state = readState();
+  const projectRoot = state.azure?.projectRoot || state.projectRoot;
+
+  const candidates = [];
+  if (projectRoot) {
+    candidates.push(path.resolve(projectRoot, "..", "flux"));
+    candidates.push(path.resolve(projectRoot, "flux"));
+  }
+  candidates.push(path.resolve("../flux"));
+  candidates.push(path.resolve("../../flux"));
+
+  for (const p of candidates) {
+    if (fs.existsSync(path.join(p, "clusters"))) return p;
+  }
+  return null;
+}
+
+/**
+ * Resolve the bundled cluster template directory shipped with the CLI.
+ */
+function resolveClusterTemplate() {
+  const thisDir = path.dirname(fileURLToPath(import.meta.url));
+  return path.resolve(thisDir, "..", "templates", "cluster");
+}
+
+/**
+ * Scaffold a new cluster directory in the local flux repo from the bundled
+ * template, substituting {{CLUSTER_NAME}} and {{OVERLAY}} placeholders.
+ * Then commits and pushes the change.
+ */
+async function scaffoldFluxCluster(execa, { clusterName, fluxLocalRepo, overlay }) {
+  const templateDir = resolveClusterTemplate();
+  const destDir = path.join(fluxLocalRepo, "clusters", clusterName);
+
+  if (!fs.existsSync(templateDir)) {
+    console.log(WARN(`  ⚠ Cluster template not found at ${templateDir}`));
+    return false;
+  }
+
+  if (fs.existsSync(destDir)) {
+    console.log(OK(`  ✓ Cluster directory already exists: clusters/${clusterName}`));
+    return true;
+  }
+
+  const vars = {
+    "{{CLUSTER_NAME}}": clusterName,
+    "{{OVERLAY}}": overlay || "demo-azure",
+  };
+
+  hint("Scaffolding Flux cluster manifests…");
+
+  function copyDir(src, dest) {
+    fs.mkdirSync(dest, { recursive: true });
+    for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+      const srcPath = path.join(src, entry.name);
+      const destPath = path.join(dest, entry.name);
+      if (entry.isDirectory()) {
+        copyDir(srcPath, destPath);
+      } else {
+        let content = fs.readFileSync(srcPath, "utf8");
+        for (const [k, v] of Object.entries(vars)) {
+          content = content.replaceAll(k, v);
+        }
+        fs.writeFileSync(destPath, content);
+      }
+    }
+  }
+
+  copyDir(templateDir, destDir);
+  console.log(OK(`  ✓ Cluster directory created: clusters/${clusterName}`));
+
+  // List remaining placeholders
+  const remaining = [];
+  for (const line of fs.readFileSync(path.join(destDir, "kustomization.yaml"), "utf8").split("\n")) {
+    const m = line.match(/\{\{(\w+)\}\}/g);
+    if (m) remaining.push(...m);
+  }
+
+  // Git add + commit + push
+  hint("Committing and pushing to flux repo…");
+  try {
+    await execa("git", ["-C", fluxLocalRepo, "add", `clusters/${clusterName}`], { timeout: 15000 });
+    await execa("git", ["-C", fluxLocalRepo, "commit", "-m", `Add cluster ${clusterName}`], { timeout: 15000 });
+    await execa("git", ["-C", fluxLocalRepo, "push"], { timeout: 60000 });
+    console.log(OK(`  ✓ Pushed clusters/${clusterName} to flux repo`));
+  } catch (err) {
+    const msg = (err.stderr || err.message || "").split("\n")[0];
+    console.log(WARN(`  ⚠ Git push failed: ${msg}`));
+    hint(`Manually commit and push clusters/${clusterName} in the flux repo`);
+  }
+
+  return true;
+}
+
 // ── Flux helpers ──────────────────────────────────────────────────────────────
 
 async function ensureFluxCli(execa) {
@@ -244,6 +345,18 @@ export async function aksUp(opts = {}) {
   if (exists === 0) {
     console.log(WARN(`\n  Cluster "${clusterName}" already exists — reconciling…`));
 
+    // Scaffold cluster directory if it doesn't exist yet
+    if (!opts.noFlux) {
+      const fluxLocalRepo = opts.fluxLocalRepo || findFluxLocalRepo();
+      if (fluxLocalRepo) {
+        await scaffoldFluxCluster(execa, {
+          clusterName,
+          fluxLocalRepo,
+          overlay: opts.overlay,
+        });
+      }
+    }
+
     const maxPods = opts.maxPods || 110;
     const ctx = { execa, clusterName, rg, sub, opts, minCount, maxCount, maxPods };
     await reconcileCluster(ctx);
@@ -347,7 +460,22 @@ export async function aksUp(opts = {}) {
   const fluxRepo = opts.fluxRepo ?? AKS_DEFAULTS.fluxRepo;
   const fluxOwner = opts.fluxOwner ?? AKS_DEFAULTS.fluxOwner;
   const fluxBranch = opts.fluxBranch ?? AKS_DEFAULTS.fluxBranch;
-  const fluxPath = opts.fluxPath || AKS_DEFAULTS.fluxPath;
+  const fluxPath = opts.fluxPath || `clusters/${clusterName}`;
+
+  // Scaffold cluster directory in the flux repo before bootstrapping
+  if (!opts.noFlux) {
+    const fluxLocalRepo = opts.fluxLocalRepo || findFluxLocalRepo();
+    if (fluxLocalRepo) {
+      await scaffoldFluxCluster(execa, {
+        clusterName,
+        fluxLocalRepo,
+        templateCluster: opts.templateCluster,
+      });
+    } else {
+      console.log(WARN("  ⚠ Local flux repo not found — skipping cluster scaffolding."));
+      hint("Pass --flux-local-repo <path> or clone meshxdata/flux next to foundation-compose.");
+    }
+  }
 
   if (opts.noFlux) {
     console.log("");

package/src/plugins/bundled/fops-plugin-azure/lib/azure-auth.js

@@ -0,0 +1,497 @@
+/**
+ * Auth chain and landscape-fetch utilities for the Azure plugin.
+ * Extracted from index.js to keep the top-level plugin file small.
+ */
+import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import pathMod from "node:path";
+import chalk from "chalk";
+
+export function hashContent(text) {
+  return crypto.createHash("sha256").update(text).digest("hex").slice(0, 16);
+}
+
+/**
+ * Resolve Foundation credentials from env → ~/.fops.json → .env files.
+ * Returns { bearerToken } or { user, password } or null.
+ */
+export function resolveFoundationCreds() {
+  if (process.env.BEARER_TOKEN?.trim()) return { bearerToken: process.env.BEARER_TOKEN.trim() };
+  if (process.env.QA_USERNAME?.trim() && process.env.QA_PASSWORD)
+    return { user: process.env.QA_USERNAME.trim(), password: process.env.QA_PASSWORD };
+  try {
+    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
+    const cfg = raw?.plugins?.entries?.["fops-plugin-foundation"]?.config || {};
+    if (cfg.bearerToken?.trim()) return { bearerToken: cfg.bearerToken.trim() };
+    if (cfg.user?.trim() && cfg.password) return { user: cfg.user.trim(), password: cfg.password };
+  } catch { /* no fops.json */ }
+
+  // Fall back to .env files for credentials
+  const envCandidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
+  try {
+    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
+    if (raw?.projectRoot) envCandidates.unshift(pathMod.join(raw.projectRoot, ".env"));
+  } catch { /* ignore */ }
+  for (const ep of envCandidates) {
+    try {
+      const lines = fs.readFileSync(ep, "utf8").split("\n");
+      const get = (k) => {
+        const ln = lines.find((l) => l.startsWith(`${k}=`));
+        return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : "";
+      };
+      const user = get("QA_USERNAME") || get("FOUNDATION_USERNAME");
+      const pass = get("QA_PASSWORD") || get("FOUNDATION_PASSWORD");
+      if (user && pass) return { user, password: pass };
+    } catch { /* try next */ }
+  }
+  return null;
+}
+
+// VMs use Traefik with self-signed certs — skip TLS verification for VM API calls.
+let _tlsWarningSuppressed = false;
+export function suppressTlsWarning() {
+  if (_tlsWarningSuppressed) return;
+  _tlsWarningSuppressed = true;
+  const origEmit = process.emitWarning;
+  process.emitWarning = (warning, ...args) => {
+    if (typeof warning === "string" && warning.includes("NODE_TLS_REJECT_UNAUTHORIZED")) return;
+    return origEmit.call(process, warning, ...args);
+  };
+}
+
+export async function vmFetch(url, opts = {}) {
+  suppressTlsWarning();
+  const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+  process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+  try {
+    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts });
+  } finally {
+    if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+    else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
+  }
+}
+
+/**
+ * Resolve Auth0 config from ~/.fops.json → .env files.
+ * Returns { domain, clientId, clientSecret, audience } or null.
+ */
+export function resolveAuth0Config() {
+  try {
+    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
+    const a0 = raw?.plugins?.entries?.["fops-plugin-foundation"]?.config?.auth0;
+    if (a0?.domain && a0?.clientId) return a0;
+
+    const projectRoot = raw?.projectRoot || "";
+    const envCandidates = [
+      ...(projectRoot ? [pathMod.join(projectRoot, ".env")] : []),
+      pathMod.resolve(".env"),
+      pathMod.resolve("..", ".env"),
+    ];
+    for (const ep of envCandidates) {
+      try {
+        const lines = fs.readFileSync(ep, "utf8").split("\n");
+        const get = (k) => {
+          const ln = lines.find((l) => l.startsWith(`${k}=`));
+          return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : "";
+        };
+        const domain = get("MX_AUTH0_DOMAIN") || get("AUTH0_DOMAIN");
+        const clientId = get("MX_AUTH0_CLIENT_ID") || get("AUTH0_CLIENT_ID");
+        const clientSecret = get("MX_AUTH0_CLIENT_SECRET") || get("AUTH0_CLIENT_SECRET");
+        const audience = get("MX_AUTH0_AUDIENCE") || get("AUTH0_AUDIENCE");
+        if (domain && clientId) return { domain, clientId, clientSecret, audience };
+      } catch { /* try next */ }
+    }
+  } catch { /* no fops.json */ }
+  return null;
+}
+
+/**
+ * Authenticate against a remote VM's Foundation API and return a bearer token.
+ * Tries the backend /iam/login first, then falls back to Auth0 ROPC.
+ */
+export async function authenticateVm(vmUrl, ip, creds) {
+  if (creds.bearerToken) return creds.bearerToken;
+
+  const hasDomain = vmUrl && !vmUrl.match(/^https?:\/\/\d+\.\d+\.\d+\.\d+/);
+  const apiUrls = hasDomain
+    ? [`${vmUrl}/api`, ...(ip ? [`http://${ip}:9001/api`] : [])]
+    : [`${vmUrl}/api`, `https://${ip}:3002/api`, `http://${ip}:9001/api`];
+
+  for (const apiBase of apiUrls) {
+    try {
+      const resp = await vmFetch(`${apiBase}/iam/login`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ user: creds.user, password: creds.password }),
+      });
+      if (resp.ok) {
+        const data = await resp.json();
+        const token = data.access_token || data.token;
+        if (token) return token;
+      }
+    } catch { /* try next URL */ }
+  }
+
+  // Auth0 ROPC fallback
+  const auth0 = resolveAuth0Config();
+  if (auth0 && creds.user && creds.password) {
+    try {
+      const body = {
+        grant_type: "password",
+        client_id: auth0.clientId,
+        username: creds.user,
+        password: creds.password,
+        scope: "openid",
+      };
+      if (auth0.clientSecret) body.client_secret = auth0.clientSecret;
+      if (auth0.audience) body.audience = auth0.audience;
+
+      const resp = await fetch(`https://${auth0.domain}/oauth/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body),
+        signal: AbortSignal.timeout(10_000),
+      });
+      if (resp.ok) {
+        const data = await resp.json();
+        if (data.access_token) return data.access_token;
+      }
+    } catch { /* auth0 fallback failed */ }
+  }
+
+  return null;
+}
+
+export function isJwt(token) {
+  return token && token.split(".").length === 3;
+}
+
+/**
+ * Resolve a valid JWT bearer token for a remote VM/cluster.
+ * Auth chain: local bearer → pre-auth /iam/login → Auth0 ROPC → SSH fetch from VM.
+ * Returns { bearerToken, user, password, useTokenMode } or throws.
+ */
+export async function resolveRemoteAuth(opts = {}) {
+  const {
+    apiUrl, ip, vmState, execaFn: execa, sshCmd: ssh,
+    knockForVm: knock, suppressTlsWarning: suppressTls,
+  } = opts;
+  const log = opts.log || console.log;
+
+  const creds = resolveFoundationCreds();
+  let qaUser = creds?.user || process.env.QA_USERNAME || process.env.FOUNDATION_USERNAME || "operator@local";
+  let qaPass = creds?.password || process.env.QA_PASSWORD || process.env.FOUNDATION_PASSWORD || "";
+  let bearerToken = creds?.bearerToken || "";
+
+  // 1) Use local bearer if it's a valid JWT
+  if (bearerToken && isJwt(bearerToken)) {
+    return { bearerToken, qaUser, qaPass, useTokenMode: true };
+  }
+  bearerToken = "";
+
+  // 2) Pre-auth against the backend /iam/login
+  if (qaUser && qaPass && apiUrl) {
+    try {
+      if (suppressTls) suppressTls();
+      const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+      process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+      try {
+        const resp = await fetch(`${apiUrl}/iam/login`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ username: qaUser, password: qaPass }),
+          signal: AbortSignal.timeout(10_000),
+        });
+        if (resp.ok) {
+          const data = await resp.json();
+          bearerToken = data.access_token || data.token || "";
+          if (bearerToken) {
+            log(chalk.green(`  ✓ Authenticated as ${qaUser}`));
+            return { bearerToken, qaUser, qaPass, useTokenMode: true };
+          }
+        } else {
+          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status}`));
+        }
+      } finally {
+        if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+        else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
+      }
+    } catch (e) {
+      log(chalk.dim(`  Pre-auth failed: ${e.cause?.code || e.message}`));
+    }
+  }
+
+  // 3) Auth0 ROPC with local config
+  if (qaUser && qaPass) {
+    const auth0Cfg = resolveAuth0Config();
+    if (auth0Cfg) {
+      try {
+        log(chalk.dim(`  Trying Auth0 ROPC (${auth0Cfg.domain})…`));
+        const body = {
+          grant_type: "password", client_id: auth0Cfg.clientId,
+          username: qaUser, password: qaPass, scope: "openid",
+        };
+        if (auth0Cfg.clientSecret) body.client_secret = auth0Cfg.clientSecret;
+        if (auth0Cfg.audience) body.audience = auth0Cfg.audience;
+        const resp = await fetch(`https://${auth0Cfg.domain}/oauth/token`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(body),
+          signal: AbortSignal.timeout(10_000),
+        });
+        if (resp.ok) {
+          const data = await resp.json();
+          if (data.access_token) {
+            // Validate the token against the target API before committing to it.
+            // Local Auth0 config may have a different audience than the remote VM expects.
+            let tokenValid = true;
+            if (apiUrl) {
+              try {
+                const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+                process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+                try {
+                  const check = await fetch(`${apiUrl}/iam/me`, {
+                    headers: { Authorization: `Bearer ${data.access_token}` },
+                    signal: AbortSignal.timeout(8_000),
+                  });
+                  if (check.status === 401 || check.status === 403) {
+                    tokenValid = false;
+                    log(chalk.dim(`  Auth0 token rejected by API (wrong audience) — trying SSH fallback…`));
+                  }
+                } finally {
+                  if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+                  else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
+                }
+              } catch { /* network error — assume token is OK */ }
+            }
+            if (tokenValid) {
+              log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
+              return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
+            }
+          }
+        } else {
+          log(chalk.dim(`  Auth0 rejected: HTTP ${resp.status}`));
+        }
+      } catch (e) {
+        log(chalk.dim(`  Auth0 failed: ${e.message}`));
+      }
+    }
+  }
+
+  // 4) SSH fallback — fetch credentials from VM and authenticate
+  if (ip && ssh && execa) {
+    if (knock && vmState) await knock(vmState);
+    log(chalk.dim("  Fetching credentials from remote VM…"));
+    try {
+      const sshUser = vmState?.adminUser || "azureuser";
+      const { stdout } = await ssh(
+        execa, ip, sshUser,
+        "grep -E '^(BEARER_TOKEN|QA_USERNAME|QA_PASSWORD|MX_AUTH0_DOMAIN|MX_AUTH0_CLIENT_ID|MX_AUTH0_CLIENT_SECRET|MX_AUTH0_AUDIENCE)=' /opt/foundation-compose/.env | head -20",
+        15_000,
+      );
+      const remoteEnv = {};
+      for (const line of (stdout || "").split("\n")) {
+        const m = line.match(/^([A-Z_]+)=(.*)$/);
+        if (m) remoteEnv[m[1]] = m[2].trim().replace(/^["']|["']$/g, "");
+      }
+
+      const remoteToken = remoteEnv.BEARER_TOKEN;
+      if (remoteToken && isJwt(remoteToken)) {
+        log(chalk.green("  ✓ Got JWT bearer token from VM"));
+        return { bearerToken: remoteToken, qaUser, qaPass, useTokenMode: true };
+      }
+
+      if (remoteEnv.MX_AUTH0_DOMAIN && remoteEnv.MX_AUTH0_CLIENT_ID) {
+        const user = remoteEnv.QA_USERNAME || qaUser;
+        const pass = remoteEnv.QA_PASSWORD || qaPass;
+        if (user && pass) {
+          log(chalk.dim(`  Authenticating as ${user} via VM's Auth0…`));
+          const body = {
+            grant_type: "password", client_id: remoteEnv.MX_AUTH0_CLIENT_ID,
+            username: user, password: pass, scope: "openid",
+          };
+          if (remoteEnv.MX_AUTH0_CLIENT_SECRET) body.client_secret = remoteEnv.MX_AUTH0_CLIENT_SECRET;
+          if (remoteEnv.MX_AUTH0_AUDIENCE) body.audience = remoteEnv.MX_AUTH0_AUDIENCE;
+          try {
+            const resp = await fetch(`https://${remoteEnv.MX_AUTH0_DOMAIN}/oauth/token`, {
+              method: "POST",
+              headers: { "Content-Type": "application/json" },
+              body: JSON.stringify(body),
+              signal: AbortSignal.timeout(10_000),
+            });
+            if (resp.ok) {
+              const data = await resp.json();
+              if (data.access_token) {
+                log(chalk.green(`  ✓ Authenticated via VM's Auth0`));
+                return { bearerToken: data.access_token, qaUser: user, qaPass: pass, useTokenMode: true };
+              }
+            }
+          } catch (e) {
+            log(chalk.dim(`  VM Auth0 login failed: ${e.message}`));
+          }
+        }
+      }
+
+      if (remoteToken) {
+        log(chalk.yellow("  ⚠ Using non-JWT token from VM (may cause 401)"));
+        return { bearerToken: remoteToken, qaUser, qaPass, useTokenMode: true };
+      }
+    } catch (e) {
+      log(chalk.dim(`  SSH credential fetch failed: ${e.message}`));
+    }
+  }
+
+  return { bearerToken: "", qaUser, qaPass, useTokenMode: false };
+}
+
+/**
+ * Fetch landscape entities from a remote VM's Foundation API.
+ * Returns embeddable chunks tagged with the VM name.
+ */
+export async function fetchRemoteLandscape(vmName, vmUrl, ip, token, log) {
+  const hasDomain = vmUrl && !vmUrl.match(/^https?:\/\/\d+\.\d+\.\d+\.\d+/);
+  const apiBase = hasDomain ? `${vmUrl}/api` : `http://${ip}:9001/api`;
+  const headers = { Authorization: `Bearer ${token}`, "x-org": "root" };
+
+  let authRejected = 0;
+  const fetchJson = async (path) => {
+    const resp = await vmFetch(`${apiBase}${path}`, { headers, signal: AbortSignal.timeout(15_000) });
+    if (resp.status === 401 || resp.status === 403) { authRejected++; return null; }
+    if (!resp.ok) return null;
+    return resp.json();
+  };
+
+  const [meshRes, dpRes, dsRes, dSysRes] = await Promise.all([
+    fetchJson("/data/mesh/list?per_page=100").catch(() => null),
+    fetchJson("/data/data_product/list?per_page=200").catch(() => null),
+    fetchJson("/data/data_source/list?per_page=200").catch(() => null),
+    fetchJson("/data/data_system/list?per_page=100").catch(() => null),
+  ]);
+
+  if (authRejected >= 4) {
+    const err = new Error("token rejected by all endpoints");
+    err.code = "AUTH_REJECTED";
+    throw err;
+  }
+
+  const { parseListResponse } = await import("../fops-plugin-foundation/lib/api-spec.js");
+  const chunks = [];
+
+  for (const m of parseListResponse(meshRes)) {
+    const text = [`Mesh: ${m.name} (VM: ${vmName})`, m.label ? `Label: ${m.label}` : null, m.description ? `Description: ${m.description}` : null, m.purpose ? `Purpose: ${m.purpose}` : null, `Identifier: ${m.identifier}`, `VM: ${vmName}`].filter(Boolean).join("\n");
+    chunks.push({ title: `vm/${vmName}/mesh/${m.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "mesh", vm: vmName, identifier: m.identifier, fileHash: hashContent(text) } });
+  }
+  for (const p of parseListResponse(dpRes)) {
+    const text = [`Data Product: ${p.name} (VM: ${vmName})`, p.label ? `Label: ${p.label}` : null, p.description ? `Description: ${p.description}` : null, p.data_product_type ? `Type: ${p.data_product_type}` : null, `Identifier: ${p.identifier}`, p.host_mesh_identifier ? `Mesh: ${p.host_mesh_identifier}` : null, p.state?.code ? `State: ${p.state.code} (healthy: ${p.state.healthy})` : null, `VM: ${vmName}`].filter(Boolean).join("\n");
+    chunks.push({ title: `vm/${vmName}/product/${p.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_product", vm: vmName, identifier: p.identifier, fileHash: hashContent(text) } });
+  }
+  for (const s of parseListResponse(dsRes)) {
+    const text = [`Data Source: ${s.name} (VM: ${vmName})`, s.label ? `Label: ${s.label}` : null, s.description ? `Description: ${s.description}` : null, `Identifier: ${s.identifier}`, s.state?.code ? `State: ${s.state.code} (healthy: ${s.state.healthy})` : null, `VM: ${vmName}`].filter(Boolean).join("\n");
+    chunks.push({ title: `vm/${vmName}/source/${s.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_source", vm: vmName, identifier: s.identifier, fileHash: hashContent(text) } });
+  }
+  for (const sys of parseListResponse(dSysRes)) {
+    const text = [`Data System: ${sys.name} (VM: ${vmName})`, sys.label ? `Label: ${sys.label}` : null, sys.description ? `Description: ${sys.description}` : null, `Identifier: ${sys.identifier}`, `VM: ${vmName}`].filter(Boolean).join("\n");
+    chunks.push({ title: `vm/${vmName}/system/${sys.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_system", vm: vmName, identifier: sys.identifier, fileHash: hashContent(text) } });
+  }
+
+  const meshCount = parseListResponse(meshRes).length;
+  const prodCount = parseListResponse(dpRes).length;
+  const srcCount = parseListResponse(dsRes).length;
+  const sysCount = parseListResponse(dSysRes).length;
+  log(`    azure/${vmName}: ${meshCount} meshes, ${prodCount} products, ${srcCount} sources, ${sysCount} systems`);
+
+  return chunks;
+}
+
+/**
+ * Fetch remote landscape by SSHing into the VM and curling localhost:9001 directly,
+ * bypassing Traefik/OAuth. Used when the HTTPS endpoint rejects credentials.
+ */
+export async function fetchLandscapeViaSsh(vmName, ip, creds, log) {
+  const { lazyExeca, sshCmd, knockForVm, DEFAULTS } = await import("./azure.js");
+  const execa = await lazyExeca();
+  const user = DEFAULTS.adminUser;
+
+  try { await knockForVm({ publicIp: ip, vmName }); } catch {}
+
+  const ssh = (cmd, timeout = 15000) => sshCmd(execa, ip, user, cmd, timeout);
+
+  const loginPayload = JSON.stringify({ user: creds.user, password: creds.password });
+  const { stdout: loginOut, exitCode: loginExit } = await ssh(
+    `curl -sf -X POST http://localhost:9001/api/iam/login -H 'Content-Type: application/json' -d '${loginPayload.replace(/'/g, "'\\''")}'`,
+    15000,
+  );
+
+  if (loginExit !== 0 || !loginOut?.trim()) {
+    log(`    azure/${vmName}: SSH auth failed (exit ${loginExit})`);
+    return [];
+  }
+
+  let token;
+  try {
+    const data = JSON.parse(loginOut.trim());
+    token = data.access_token || data.token;
+  } catch {
+    log(`    azure/${vmName}: SSH auth returned invalid JSON`);
+    return [];
+  }
+  if (!token) {
+    log(`    azure/${vmName}: SSH auth returned no token`);
+    return [];
+  }
+
+  const authHeader = `Authorization: Bearer ${token}`;
+  const { stdout: dataOut, exitCode: dataExit } = await ssh(
+    [
+      `curl -sf -H '${authHeader}' -H 'x-org: root' 'http://localhost:9001/api/data/mesh/list?per_page=100'`,
+      `echo '___SEP___'`,
+      `curl -sf -H '${authHeader}' -H 'x-org: root' 'http://localhost:9001/api/data/data_product/list?per_page=200'`,
+      `echo '___SEP___'`,
+      `curl -sf -H '${authHeader}' -H 'x-org: root' 'http://localhost:9001/api/data/data_source/list?per_page=200'`,
+      `echo '___SEP___'`,
+      `curl -sf -H '${authHeader}' -H 'x-org: root' 'http://localhost:9001/api/data/data_system/list?per_page=100'`,
+    ].join(" && "),
+    30000,
+  );
+
+  if (dataExit !== 0 || !dataOut?.trim()) {
+    log(`    azure/${vmName}: SSH landscape fetch failed (exit ${dataExit})`);
+    return [];
+  }
+
+  const parts = dataOut.split("___SEP___");
+  const parseJson = (s) => { try { return JSON.parse(s.trim()); } catch { return null; } };
+  const meshRes = parseJson(parts[0] || "");
+  const dpRes = parseJson(parts[1] || "");
+  const dsRes = parseJson(parts[2] || "");
+  const dSysRes = parseJson(parts[3] || "");
+
+  const { parseListResponse } = await import("../fops-plugin-foundation/lib/api-spec.js");
+  const chunks = [];
+
+  for (const m of parseListResponse(meshRes)) {
+    const text = [`Mesh: ${m.name} (VM: ${vmName})`, m.label ? `Label: ${m.label}` : null, m.description ? `Description: ${m.description}` : null, m.purpose ? `Purpose: ${m.purpose}` : null, `Identifier: ${m.identifier}`, `VM: ${vmName}`].filter(Boolean).join("\n");
+    chunks.push({ title: `vm/${vmName}/mesh/${m.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "mesh", vm: vmName, identifier: m.identifier, fileHash: hashContent(text) } });
+  }
+  for (const p of parseListResponse(dpRes)) {
+    const text = [`Data Product: ${p.name} (VM: ${vmName})`, p.label ? `Label: ${p.label}` : null, p.description ? `Description: ${p.description}` : null, p.data_product_type ? `Type: ${p.data_product_type}` : null, `Identifier: ${p.identifier}`, p.host_mesh_identifier ? `Mesh: ${p.host_mesh_identifier}` : null, p.state?.code ? `State: ${p.state.code} (healthy: ${p.state.healthy})` : null, `VM: ${vmName}`].filter(Boolean).join("\n");
+    chunks.push({ title: `vm/${vmName}/product/${p.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_product", vm: vmName, identifier: p.identifier, fileHash: hashContent(text) } });
+  }
+  for (const s of parseListResponse(dsRes)) {
+    const text = [`Data Source: ${s.name} (VM: ${vmName})`, s.label ? `Label: ${s.label}` : null, s.description ? `Description: ${s.description}` : null, `Identifier: ${s.identifier}`, s.state?.code ? `State: ${s.state.code} (healthy: ${s.state.healthy})` : null, `VM: ${vmName}`].filter(Boolean).join("\n");
+    chunks.push({ title: `vm/${vmName}/source/${s.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_source", vm: vmName, identifier: s.identifier, fileHash: hashContent(text) } });
+  }
+  for (const sys of parseListResponse(dSysRes)) {
+    const text = [`Data System: ${sys.name} (VM: ${vmName})`, sys.label ? `Label: ${sys.label}` : null, sys.description ? `Description: ${sys.description}` : null, `Identifier: ${sys.identifier}`, `VM: ${vmName}`].filter(Boolean).join("\n");
+    chunks.push({ title: `vm/${vmName}/system/${sys.name}`, content: text, metadata: { resourceType: "remote-landscape", entityType: "data_system", vm: vmName, identifier: sys.identifier, fileHash: hashContent(text) } });
+  }
+
+  const meshCount = parseListResponse(meshRes).length;
+  const prodCount = parseListResponse(dpRes).length;
+  const srcCount = parseListResponse(dsRes).length;
+  const sysCount = parseListResponse(dSysRes).length;
+  log(`    azure/${vmName}: ${meshCount} meshes, ${prodCount} products, ${srcCount} sources, ${sysCount} systems (via SSH)`);
+
+  return chunks;
+}