@meshxdata/fops 0.1.36 → 0.1.38

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision.js

@@ -8,7 +8,7 @@ import {
   DEFAULTS, DIM, OK, WARN, ERR,
   banner, hint, kvLine,
   resolvePublicIp, subArgs, buildTags, fetchMyIp,
-  sshCmd, waitForSsh, fopsUpCmd, buildPublicUrl,
+  sshCmd, waitForSsh, closeMux, fopsUpCmd, buildPublicUrl,
   runReconcilers, ensureOpenAiNetworkAccess,
   reconcileOk, RECONCILE_LABEL_WIDTH,
 } from "./azure-helpers.js";
@@ -80,7 +80,7 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
 
   console.log(chalk.dim("  Configuring VM..."));
 
-  // Batch: sshd tuning + docker group + ownership + public URL — single SSH round-trip
+  // Batch: sshd tuning + docker group + ownership — single SSH round-trip
   const setupBatch = [
     // Speed up SSH: accept forwarded env vars, disable DNS reverse lookup
     `sudo grep -q '^AcceptEnv.*BEARER_TOKEN' /etc/ssh/sshd_config 2>/dev/null || {`,
@@ -91,22 +91,10 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
     `}`,
     `sudo usermod -aG docker ${user} 2>/dev/null; true`,
     "sudo chown -R azureuser:azureuser /opt/foundation-compose 2>/dev/null; true",
-    `cd /opt/foundation-compose`,
-    `sed -i -e '$a\\' .env 2>/dev/null || true`,
-    `if grep -q '^FOUNDATION_PUBLIC_URL=' .env 2>/dev/null; then`,
-    `  sed -i 's|^FOUNDATION_PUBLIC_URL=.*|FOUNDATION_PUBLIC_URL=${publicUrl}|' .env;`,
-    `else`,
-    `  echo 'FOUNDATION_PUBLIC_URL=${publicUrl}' >> .env;`,
-    `fi`,
-    // Persist COMPOSE_PROFILES so k3s/watcher/traefik start on manual restarts too
-    `if grep -q '^COMPOSE_PROFILES=' .env 2>/dev/null; then`,
-    `  sed -i 's|^COMPOSE_PROFILES=.*|COMPOSE_PROFILES=k3s,traefik${dai ? ",dai" : ""}|' .env;`,
-    `else`,
-    `  echo 'COMPOSE_PROFILES=k3s,traefik${dai ? ",dai" : ""}' >> .env;`,
-    `fi`,
+    // Only inject FOUNDATION_PUBLIC_URL if not already set — never overwrite
+    `cd /opt/foundation-compose && grep -q '^FOUNDATION_PUBLIC_URL=' .env 2>/dev/null || echo 'FOUNDATION_PUBLIC_URL=${publicUrl}' >> .env`,
   ].join("\n");
   await ssh(setupBatch);
-  console.log(chalk.green(`  ✓ FOUNDATION_PUBLIC_URL=${publicUrl}`));
 
   let ghcrOk = false;
   if (githubToken) {
@@ -448,7 +436,36 @@ async function vmReconcileNetworking(ctx) {
         }
       }
     } else {
-      console.log(chalk.yellow("  ⚠ No public IP attached to NIC"));
+      // No public IP attached — create one and attach it
+      const pipName = `${vmName}PublicIP`;
+      console.log(chalk.dim(`  ↻ ${"Public IP".padEnd(RECONCILE_LABEL_WIDTH)} — creating ${pipName}…`));
+      const { exitCode: createCode } = await execa("az", [
+        "network", "public-ip", "create", "-g", rg, "-n", pipName,
+        "--sku", "Standard", "--allocation-method", "Static", "--output", "none",
+        ...subArgs(sub),
+      ], { reject: false, timeout: 30000 });
+      if (createCode === 0) {
+        const { exitCode: attachCode } = await execa("az", [
+          "network", "nic", "ip-config", "update",
+          "-g", rg, "--nic-name", ctx.nicName, "-n", "ipconfig1",
+          "--public-ip-address", pipName, "--output", "none",
+          ...subArgs(sub),
+        ], { reject: false, timeout: 30000 });
+        if (attachCode === 0) {
+          const { stdout: newPipJson } = await execa("az", [
+            "network", "public-ip", "show", "-g", rg, "-n", pipName, "--output", "json",
+            ...subArgs(sub),
+          ], { reject: false, timeout: 15000 });
+          try {
+            ctx.ip = JSON.parse(newPipJson).ipAddress || "";
+          } catch {}
+          reconcileOk("Public IP", ctx.ip ? `${ctx.ip} (created)` : `${pipName} (created)`);
+        } else {
+          console.log(chalk.yellow(`  ⚠ Created ${pipName} but could not attach to NIC`));
+        }
+      } else {
+        console.log(chalk.yellow(`  ⚠ Could not create public IP — VM will have no public IP`));
+      }
     }
 
     const nsgId = nic.networkSecurityGroup?.id || "";
@@ -560,6 +577,7 @@ async function vmReconcileNsg(ctx) {
       ...subArgs(sub),
     ], { reject: false, timeout: 30000 });
     reconcileOk("SSH (22)", source);
+    ctx.operatorIpChanged = true;
   } else if (sshSource && !sshHasMyIp) {
     // Add our IP to existing admin IPs
     const merged = [...new Set([...sshCurrentSources, sshSource])];
@@ -573,6 +591,7 @@ async function vmReconcileNsg(ctx) {
       ...subArgs(sub),
     ], { reject: false, timeout: 30000 });
     reconcileOk("SSH (22)", merged.join(", "));
+    ctx.operatorIpChanged = true;
   } else {
     reconcileOk("SSH (22)", sshCurrentSources.join(", ") || "*");
   }
@@ -1026,14 +1045,46 @@ async function removeSshBypassViaRunCommand(execa, rg, vmName, sourceCidr, sub)
 // ── Step: SSH reachability ───────────────────────────────────────────────────
 
 async function vmReconcileSsh(ctx) {
-  const { execa, ip, adminUser, knockSequence, port, desiredUrl, vmName, rg, sub } = ctx;
+  const { execa, ip, adminUser, port, desiredUrl, vmName, rg, sub } = ctx;
   console.log(chalk.dim("  Checking SSH..."));
-  const maxWaitFirst = 90000;
+
+  // Always fetch the knock sequence fresh from the Azure VM tag — local state can drift
+  // after state recovery or manual changes, causing knocks with the wrong sequence.
+  let knockSequence = ctx.knockSequence;
+  if (rg) {
+    try {
+      const { stdout: tagRaw } = await execa("az", [
+        "vm", "show", "-g", rg, "-n", vmName,
+        "--query", "tags.fopsKnock", "-o", "tsv", ...subArgs(sub),
+      ], { timeout: 15000, reject: false });
+      const raw = (tagRaw || "").trim().replace(/[()]/g, "");
+      if (raw) {
+        const fresh = raw.split(/[-,]/).map((s) => parseInt(s.trim(), 10)).filter((n) => Number.isInteger(n) && n > 0);
+        if (fresh.length >= 2) {
+          if (!knockSequence?.length || fresh.some((v, i) => v !== knockSequence[i])) {
+            console.log(chalk.dim("  Syncing knock sequence from Azure tag..."));
+            knockSequence = fresh;
+            ctx.knockSequence = fresh;
+            writeVmState(vmName, { knockSequence: fresh });
+          }
+        }
+      }
+    } catch { /* best-effort */ }
+  }
+
+  // Close any stale mux master before probing. ControlPersist=600 keeps the SSH master
+  // alive for 10 min, but if the VM rebooted its underlying TCP is broken — every probe
+  // through the stale mux fails even after a successful knock. A fresh connect fixes it.
+  await closeMux(execa, ip, adminUser);
+  // When Run Command is available (rg set), use a short knock probe then fall through to
+  // Run Command rather than burning 2+ minutes on knock retries.
+  const canRunCommand = knockSequence?.length && rg;
+  const maxWaitFirst = canRunCommand ? 20000 : 90000;
   if (knockSequence?.length) {
     await performKnock(ip, knockSequence, { quiet: true });
   }
   let sshReady = await waitForSsh(execa, ip, adminUser, maxWaitFirst);
-  if (!sshReady && knockSequence?.length) {
+  if (!sshReady && knockSequence?.length && !canRunCommand) {
     console.log(chalk.dim("  Re-sending knock and retrying SSH..."));
     await performKnock(ip, knockSequence, { quiet: true });
     await new Promise((r) => setTimeout(r, 5000));
@@ -1056,15 +1107,44 @@ async function vmReconcileSsh(ctx) {
     }
   }
   if (!sshReady) {
-    console.log(chalk.yellow("  ⚠ SSH not reachable — VM may still be booting. Skipping in-guest checks."));
-    if (knockSequence?.length) {
-      console.log(chalk.dim("  If knock is enabled, the stored sequence may not match the VM (e.g. after state recovery)."));
-      console.log(chalk.dim("  Try: fops azure knock open " + ctx.vmName + "  then immediately  fops azure ssh " + ctx.vmName));
-      console.log(chalk.dim("  Or remove knock: fops azure knock disable " + ctx.vmName));
+    // Verify actual VM power state via Azure CLI — the earlier instance-view may be stale
+    if (rg) {
+      try {
+        const { stdout: showJson } = await execa("az", [
+          "vm", "show", "--resource-group", rg, "--name", vmName,
+          "--show-details", "--output", "json", ...subArgs(sub),
+        ], { timeout: 20000, reject: false });
+        const vmDetails = JSON.parse(showJson || "{}");
+        const powerState = vmDetails?.powerState || "";
+        if (powerState && !powerState.includes("running")) {
+          console.log(chalk.yellow(`  ⚠ Azure reports VM power state: ${chalk.bold(powerState)} — starting VM...`));
+          await execa("az", [
+            "vm", "start", "--resource-group", rg, "--name", vmName, "--output", "none",
+            ...subArgs(sub),
+          ], { timeout: 300000 });
+          reconcileOk("VM", "started");
+          // Give the VM a moment then retry SSH once more
+          await new Promise((r) => setTimeout(r, 10000));
+          if (knockSequence?.length) await performKnock(ip, knockSequence, { quiet: true });
+          sshReady = await waitForSsh(execa, ip, adminUser, 60000);
+        } else if (powerState) {
+          console.log(chalk.dim(`  Azure VM power state: ${powerState}`));
+        }
+      } catch {
+        // best-effort
+      }
+    }
+    if (!sshReady) {
+      console.log(chalk.yellow("  ⚠ SSH not reachable — VM may still be booting. Skipping in-guest checks."));
+      if (knockSequence?.length) {
+        console.log(chalk.dim("  If knock is enabled, the stored sequence may not match the VM (e.g. after state recovery)."));
+        console.log(chalk.dim("  Try: fops azure knock open " + ctx.vmName + "  then immediately  fops azure ssh " + ctx.vmName));
+        console.log(chalk.dim("  Or remove knock: fops azure knock disable " + ctx.vmName));
+      }
+      ctx.publicUrl = desiredUrl || buildPublicUrl(ip, port);
+      ctx.done = true;
+      return;
     }
-    ctx.publicUrl = desiredUrl || buildPublicUrl(ip, port);
-    ctx.done = true;
-    return;
   }
   reconcileOk("SSH", "reachable");
 }
@@ -1081,8 +1161,25 @@ async function vmReconcileKnock(ctx) {
   );
   const knockdRunning = knockdCheck?.trim() === "active";
 
-  if (knockdRunning && ctx.knockSequence?.length) {
-    reconcileOk("Port knocking", "active");
+  // Read the authoritative sequence from knockd.conf on the VM
+  const { stdout: knockConfOut } = await ssh(
+    "grep -m1 'sequence' /etc/knockd.conf 2>/dev/null | sed 's/.*sequence[[:space:]]*=[[:space:]]*//'", 8000,
+  );
+  const vmKnockSeq = (knockConfOut || "").trim()
+    .split(",").map((s) => parseInt(s.trim(), 10)).filter((n) => Number.isInteger(n) && n > 0);
+
+  if (knockdRunning && vmKnockSeq.length >= 2) {
+    // Reconcile: keep tag + local state in sync with knockd.conf
+    const local = ctx.knockSequence;
+    const seqDiffers = !local?.length || local.length !== vmKnockSeq.length || local.some((v, i) => v !== vmKnockSeq[i]);
+    if (seqDiffers) {
+      console.log(chalk.dim(`  ↻ ${"Port knocking".padEnd(RECONCILE_LABEL_WIDTH)} — sequence drift detected, syncing…`));
+      writeVmState(vmName, { knockSequence: vmKnockSeq });
+      const { setVmKnockTag } = await import("./azure-helpers.js");
+      await setVmKnockTag(execa, ctx.rg, vmName, vmKnockSeq, ctx.sub);
+      ctx.knockSequence = vmKnockSeq;
+    }
+    reconcileOk("Port knocking", `active [${vmKnockSeq.join(", ")}]`);
   } else if (!knockdRunning) {
     console.log(chalk.dim("  Setting up port knocking (after post-start + UI reachable)..."));
     const knockSeq = generateKnockSequence();
@@ -1092,8 +1189,7 @@ async function vmReconcileKnock(ctx) {
     await setVmKnockTag(execa, ctx.rg, vmName, knockSeq, ctx.sub);
     ctx.knockSequence = knockSeq;
   } else {
-    console.log(chalk.yellow("  ⚠ knockd active on VM but no local knock sequence stored"));
-    console.log(chalk.dim("    To re-create: fops azure knock disable && fops azure up"));
+    console.log(chalk.yellow("  ⚠ knockd active on VM but could not read sequence from knockd.conf"));
   }
 
   if (ctx.knockSequence?.length) {
@@ -1590,10 +1686,8 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
   }
 
   await runScript("Cloning foundation-compose", [
-    "cp /opt/foundation-compose/.env /tmp/.env.fops-backup 2>/dev/null || true",
     "rm -rf /opt/foundation-compose",
     `git clone --branch ${branch} --depth 1 --recurse-submodules https://github.com/meshxdata/foundation-compose.git /opt/foundation-compose`,
-    "if [ -f /tmp/.env.fops-backup ]; then cp /tmp/.env.fops-backup /opt/foundation-compose/.env; rm -f /tmp/.env.fops-backup; else cp /opt/foundation-compose/.env.example /opt/foundation-compose/.env; fi",
     "mkdir -p /opt/foundation-compose/credentials",
     "touch /opt/foundation-compose/credentials/kubeconfig.yaml",
     `chown -R ${adminUser}:${adminUser} /opt/foundation-compose`,

package/src/plugins/bundled/fops-plugin-azure/lib/azure-shared-cache.js

@@ -22,7 +22,7 @@ import { readState, listVms } from "./azure-state.js";
 //   fops_by       = alessio                  (who synced)
 
 const TAG_PREFIX = "fops_";
-const TAG_MAX_AGE_MS = 10 * 60 * 1000; // 10 minutes — tags are cheaper to check
+const TAG_MAX_AGE_MS = 20 * 60 * 1000; // 20 minutes — tags are cheaper to check
 
 // ── Write: publish probe results as tags on a VM ─────────────────────────────
 

package/src/plugins/bundled/fops-plugin-azure/lib/azure-sync.js

@@ -12,7 +12,7 @@ import {
 // Stored in ~/.fops.json under azure.cache:
 //   { updatedAt, vms: { <name>: { ... } }, clusters: { <name>: { ... } } }
 
-const CACHE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes
+const CACHE_MAX_AGE_MS = 15 * 60 * 1000; // 15 minutes
 
 // Short keys for the 6 tracked Foundation services
 const SVC_MAP = {
@@ -169,16 +169,16 @@ async function syncVms(execa) {
 
       // After a knock, iptables rule needs a moment to propagate; first SSH needs full handshake.
       // Brief delay then retry once to avoid false "unreachable" (e.g. uaenorth latency).
-      await new Promise((r) => setTimeout(r, 800));
+      await new Promise((r) => setTimeout(r, 400));
       let sshOk = false;
       for (let attempt = 0; attempt < 2; attempt++) {
         const { exitCode: sshCode } = await execa("ssh", [
           ...MUX_OPTS(vm.publicIp, DEFAULTS.adminUser),
           "-o", "BatchMode=yes",
           `${DEFAULTS.adminUser}@${vm.publicIp}`, "echo ok",
-        ], { timeout: 15000, reject: false }).catch(() => ({ exitCode: 1 }));
+        ], { timeout: 8000, reject: false }).catch(() => ({ exitCode: 1 }));
         if (sshCode === 0) { sshOk = true; break; }
-        if (attempt === 0) await new Promise((r) => setTimeout(r, 2000));
+        if (attempt === 0) await new Promise((r) => setTimeout(r, 1000));
       }
 
       if (!sshOk) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure.js

@@ -27,7 +27,7 @@ export {
   managedImageId, resolvePublicIp,
   resolveGithubToken, verifyGithubToken,
   sshCmd, closeMux, MUX_OPTS, muxSocketPath, waitForSsh,
-  knockForVm, fopsUpCmd,
+  knockForVm, ensureKnockSequence, fopsUpCmd,
   runReconcilers, ensureOpenAiNetworkAccess,
 } from "./azure-helpers.js";
 
@@ -46,7 +46,7 @@ export {
 
 // ── VM operations ────────────────────────────────────────────────────────────
 export {
-  azureStatus, azureTrinoStatus, azureSsh, azurePortForward, azureSshAdminAdd, azureVmCheck, azureAgent, azureOpenAiDebugVm,
+  azureStatus, azureTrinoStatus, azureSsh, azureSshWhitelistMe, azurePortForward, azureSshAdminAdd, azureVmCheck, azureAgent, azureOpenAiDebugVm,
   azureDeploy, azurePull, azureDeployVersion, azureRunUp, azureConfig, azureConfigVersions, azureUpdate,
   azureLogs, azureGrantAdmin, azureContext,
   azureList, azureApply,

package/src/plugins/bundled/fops-plugin-azure/lib/commands/fleet-cmds.js

@@ -0,0 +1,254 @@
+/**
+ * Fleet management, swarm, audit, snapshot/restore commands.
+ * All operations target multiple Azure VMs or the swarm cluster.
+ */
+import chalk from "chalk";
+
+export function registerFleetCommands(azure) {
+  // ── Fleet management ───────────────────────────────────────────────────
+
+  azure
+    .command("exec <command>")
+    .description("Run a command on all tracked VMs in parallel")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .option("--timeout <seconds>", "Per-VM command timeout (default: 120)", "120")
+    .option("--quiet", "Show only summary, not command output")
+    .action(async (command, opts) => {
+      const { fleetExec } = await import("../azure-fleet.js");
+      await fleetExec(command, { vmName: opts.vmName, timeout: Number(opts.timeout), quiet: opts.quiet });
+    });
+
+  azure
+    .command("diff")
+    .description("Compare configuration across all VMs — detect drift")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .action(async (opts) => {
+      const { fleetDiff } = await import("../azure-fleet.js");
+      await fleetDiff({ vmName: opts.vmName });
+    });
+
+  azure
+    .command("rollout")
+    .description("Rolling deploy: pull, restart, health-check across VMs in batches")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .option("--batch <size>", "Number of VMs to deploy in parallel per batch (default: 1)", "1")
+    .option("--branch <branch>", "Git branch to deploy (default: main)")
+    .option("--health-timeout <seconds>", "Seconds to wait for healthy after restart (default: 120)", "120")
+    .option("--force", "Continue rolling out even if a batch fails")
+    .action(async (opts) => {
+      const { fleetRollout } = await import("../azure-fleet.js");
+      await fleetRollout({
+        vmName: opts.vmName, batch: Number(opts.batch), branch: opts.branch,
+        healthTimeout: Number(opts.healthTimeout), force: opts.force,
+      });
+    });
+
+  azure
+    .command("sync")
+    .description("Push local config files to all VMs")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .option("--files <files>", "Comma-separated list of files to sync (default: docker-compose.yaml,.env)", "docker-compose.yaml,.env")
+    .option("--restart", "Run fops up after syncing files")
+    .action(async (opts) => {
+      const { fleetSync } = await import("../azure-fleet.js");
+      await fleetSync({ vmName: opts.vmName, files: opts.files.split(","), restart: opts.restart });
+    });
+
+  azure
+    .command("health")
+    .description("Deep health report across all VMs — containers, disk, memory, load")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .action(async (opts) => {
+      const { fleetHealth } = await import("../azure-fleet.js");
+      await fleetHealth({ vmName: opts.vmName });
+    });
+
+  azure
+    .command("snapshot [name]")
+    .description("Create Azure disk snapshots of all (or one) tracked VMs")
+    .option("--vm-name <name>", "Target a specific VM instead of all")
+    .option("--tag <tag>", "Snapshot tag/label (default: ISO timestamp)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { fleetSnapshot } = await import("../azure-fleet.js");
+      await fleetSnapshot({ vmName: opts.vmName || name, tag: opts.tag, profile: opts.profile });
+    });
+
+  azure
+    .command("restore <name>")
+    .description("Restore a VM from an Azure disk snapshot")
+    .option("--snapshot <name>", "Snapshot name to restore from (omit to list available)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--yes", "Skip confirmation prompt")
+    .action(async (name, opts) => {
+      const { fleetRestore } = await import("../azure-fleet.js");
+      await fleetRestore({ vmName: name, snapshot: opts.snapshot, profile: opts.profile, yes: opts.yes });
+    });
+
+  // ── Audit subcommands ──────────────────────────────────────────────────
+
+  const audit = azure
+    .command("audit")
+    .description("Security & compliance audit across Azure resources");
+
+  audit
+    .command("all", { isDefault: true })
+    .description("Run all audit checks (VMs, AKS, storage encryption)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--vm-name <name>", "Limit VM audit to a specific VM")
+    .option("--cluster <name>", "Limit AKS audit to a specific cluster")
+    .option("--account <name>", "Limit storage audit to a specific account")
+    .option("--verbose", "Show info-level suggestions alongside warnings")
+    .action(async (opts) => {
+      const { auditAll } = await import("../azure-audit.js");
+      await auditAll({ profile: opts.profile, vmName: opts.vmName, clusterName: opts.cluster, account: opts.account, verbose: opts.verbose });
+    });
+
+  audit
+    .command("vm [vmName]")
+    .description("Audit VM security — disk encryption, NSG rules, managed identity, patching")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--vm-name <name>", "Audit a specific VM (default: all tracked)")
+    .option("--verbose", "Show info-level suggestions alongside warnings")
+    .action(async (vmName, opts) => {
+      const { auditVms } = await import("../azure-audit.js");
+      await auditVms({ profile: opts.profile, vmName: opts.vmName || vmName, verbose: opts.verbose });
+    });
+
+  audit
+    .command("aks [clusterName]")
+    .description("Audit AKS cluster security — RBAC, network policy, auto-upgrade, Defender")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--verbose", "Show info-level suggestions alongside warnings")
+    .action(async (clusterName, opts) => {
+      const { auditAks } = await import("../azure-audit.js");
+      await auditAks({ profile: opts.profile, clusterName, verbose: opts.verbose });
+    });
+
+  audit
+    .command("storage")
+    .description("Audit storage account encryption & security posture")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--account <name>", "Audit a specific storage account (default: all)")
+    .option("--verbose", "Show info-level suggestions alongside warnings")
+    .action(async (opts) => {
+      const { auditStorage } = await import("../azure-audit.js");
+      await auditStorage({ profile: opts.profile, account: opts.account, verbose: opts.verbose });
+    });
+
+  audit
+    .command("sessions [vmName]")
+    .description("View SSH session recordings across the fleet")
+    .option("--session <id>", "Read a specific session by ID")
+    .option("--live", "Show only active (live) sessions")
+    .option("--cloud", "Read from blob storage instead of SSH")
+    .option("--push", "Push collected sessions to blob storage")
+    .option("--last <n>", "Show only the last N sessions", "50")
+    .option("--tail <n>", "When reading a session, show only the last N lines")
+    .action(async (vmName, opts) => {
+      const { fleetAudit } = await import("../azure-fleet.js");
+      await fleetAudit({
+        vmName,
+        session: opts.session,
+        live: opts.live,
+        cloud: opts.cloud,
+        push: opts.push,
+        last: Number(opts.last),
+        tail: opts.tail ? Number(opts.tail) : undefined,
+      });
+    });
+
+  audit
+    .command("zap [vmName]")
+    .description("Run an authenticated OWASP ZAP DAST scan against a VM's frontend")
+    .option("--vm-name <name>", "Target VM (default: active)")
+    .option("--target <url>", "Override target URL (default: https://<vm>.meshx.app)")
+    .option("--output <dir>", "Directory for JSON report (default: cwd)")
+    .option("--spider-minutes <n>", "Spider duration in minutes (default: 3)", "3")
+    .option("--ajax-minutes <n>", "Ajax spider duration in minutes (default: 3)", "3")
+    .option("--active-scan-minutes <n>", "Active scan rule timeout in minutes (default: 5)", "5")
+    .option("--max-minutes <n>", "Overall scan timeout in minutes (default: 20)", "20")
+    .option("--verbose", "Show fix suggestions for each finding")
+    .option("--aggressive", "Pentest mode: Penetration Tester policy, longer crawl/scan")
+    .action(async (vmName, opts) => {
+      const { auditZap } = await import("../azure-audit.js");
+      await auditZap({
+        vmName: opts.vmName || vmName,
+        target: opts.target,
+        output: opts.output,
+        spiderMinutes: opts.aggressive ? undefined : (opts.spiderMinutes ? Number(opts.spiderMinutes) : undefined),
+        ajaxMinutes: opts.aggressive ? undefined : (opts.ajaxMinutes ? Number(opts.ajaxMinutes) : undefined),
+        activeScanMinutes: opts.aggressive ? undefined : (opts.activeScanMinutes ? Number(opts.activeScanMinutes) : undefined),
+        maxMinutes: opts.aggressive ? undefined : (opts.maxMinutes ? Number(opts.maxMinutes) : undefined),
+        verbose: opts.verbose,
+        aggressive: opts.aggressive,
+      });
+    });
+
+  // ── Swarm subcommands ──────────────────────────────────────────────────
+
+  const swarm = azure
+    .command("swarm")
+    .description("Docker Swarm cluster management");
+
+  swarm
+    .command("init <vmName>")
+    .description("Initialize Docker Swarm on a VM (single-node manager)")
+    .option("--stack", "Also deploy the compose stack as swarm services")
+    .action(async (vmName, opts) => {
+      const { swarmInit } = await import("../azure-fleet.js");
+      await swarmInit({ vmName, stack: opts.stack });
+    });
+
+  swarm
+    .command("join <vmName>")
+    .description("Join a VM as a worker to an existing swarm (auto-creates the VM if it doesn't exist)")
+    .requiredOption("--manager <name>", "Manager VM to join")
+    .option("--as-manager", "Join as a manager instead of worker")
+    .option("--vm-size <size>", "VM size when auto-creating (default: inherited from manager)")
+    .option("--location <region>", "Azure region when auto-creating (default: inherited from manager)")
+    .option("--image <urn>", "Custom image URN when auto-creating")
+    .option("--url <url>", "Public URL override when auto-creating")
+    .option("--profile <subscription>", "Azure subscription when auto-creating")
+    .action(async (vmName, opts) => {
+      const { swarmJoin } = await import("../azure-fleet.js");
+      await swarmJoin({
+        vmName, manager: opts.manager, asManager: opts.asManager,
+        vmSize: opts.vmSize, location: opts.location,
+        image: opts.image, url: opts.url, profile: opts.profile,
+      });
+    });
+
+  swarm
+    .command("status [vmName]")
+    .description("Show swarm node and service status")
+    .action(async (vmName) => {
+      const { swarmStatus } = await import("../azure-fleet.js");
+      await swarmStatus({ vmName });
+    });
+
+  swarm
+    .command("promote <vmName>")
+    .description("Promote a swarm worker to manager")
+    .action(async (vmName) => {
+      const { swarmPromote } = await import("../azure-fleet.js");
+      await swarmPromote({ vmName });
+    });
+
+  swarm
+    .command("deploy [vmName]")
+    .description("Deploy the compose stack as swarm services (or update existing)")
+    .action(async (vmName) => {
+      const { swarmDeploy } = await import("../azure-fleet.js");
+      await swarmDeploy({ vmName });
+    });
+
+  swarm
+    .command("leave <vmName>")
+    .description("Remove a VM from the swarm")
+    .option("--force", "Force leave (required for managers)")
+    .action(async (vmName, opts) => {
+      const { swarmLeave } = await import("../azure-fleet.js");
+      await swarmLeave({ vmName, force: opts.force });
+    });
+}