@meshxdata/fops 0.1.37 → 0.1.39

package/src/commands/lifecycle.js

@@ -527,21 +527,21 @@ async function runUp(program, registry, opts) {
 
   if (opts.url) {
     publicUrl = opts.url.replace(/\/+$/, "");
-    if (/^FOUNDATION_PUBLIC_URL=/m.test(envContent)) {
-      envContent = envContent.replace(/^FOUNDATION_PUBLIC_URL=.*/m, `FOUNDATION_PUBLIC_URL=${publicUrl}`);
-    } else {
+    // Only write if not already set in .env — leave the repo's value untouched
+    if (!/^FOUNDATION_PUBLIC_URL=/m.test(envContent)) {
       envContent = envContent.trimEnd() + `\nFOUNDATION_PUBLIC_URL=${publicUrl}\n`;
+      fs.writeFileSync(envPath, envContent);
+      console.log(chalk.dim(`  FOUNDATION_PUBLIC_URL=${publicUrl} written to .env`));
     }
-    fs.writeFileSync(envPath, envContent);
-    console.log(chalk.dim(`  FOUNDATION_PUBLIC_URL=${publicUrl} written to .env`));
   } else {
-    // Local: ensure compose uses localhost and no remote URL / no traefik
-    if (/^FOUNDATION_PUBLIC_URL=/m.test(envContent)) {
-      envContent = envContent.replace(/^FOUNDATION_PUBLIC_URL=.*/m, `FOUNDATION_PUBLIC_URL=${localBaseUrl}`);
-    } else {
+    // Local: only inject localhost fallback if not already set
+    if (!/^FOUNDATION_PUBLIC_URL=/m.test(envContent)) {
       envContent = envContent.trimEnd() + `\nFOUNDATION_PUBLIC_URL=${localBaseUrl}\n`;
+      fs.writeFileSync(envPath, envContent);
     }
-    fs.writeFileSync(envPath, envContent);
+    // Read the actual value from .env for profile resolution below
+    const existingUrl = envContent.match(/^FOUNDATION_PUBLIC_URL=(.+)$/m)?.[1]?.trim();
+    if (existingUrl && existingUrl !== localBaseUrl) publicUrl = existingUrl;
   }
 
   // Resolve profiles: local up = no traefik; --url with 443 = traefik
@@ -1284,7 +1284,28 @@ async function runUp(program, registry, opts) {
     const forwardOut = createBufferWritable("out");
     const forwardErr = createBufferWritable("err");
 
+    // Detect env misalignment: if FOUNDATION_PUBLIC_URL in .env differs from what's
+    // running in containers, force-recreate so services pick up the new value.
+    let forceRecreate = false;
+    try {
+      const envPublicUrl = (envContent.match(/^FOUNDATION_PUBLIC_URL=(.+)$/m)?.[1] || "").trim();
+      if (envPublicUrl) {
+        const { stdout: inspectOut } = await execa("docker", [
+          "inspect", "--format", "{{range .Config.Env}}{{println .}}{{end}}",
+          "foundation-compose-foundation-frontend-1",
+        ], { reject: false, cwd: root });
+        const runningUrl = (inspectOut || "").split("\n")
+          .find(l => l.startsWith("FOUNDATION_PUBLIC_URL="))
+          ?.slice("FOUNDATION_PUBLIC_URL=".length).trim();
+        if (runningUrl && runningUrl !== envPublicUrl) {
+          console.error(chalk.dim(`  ↻ FOUNDATION_PUBLIC_URL mismatch (${runningUrl} → ${envPublicUrl}) — recreating affected services`));
+          forceRecreate = true;
+        }
+      }
+    } catch { /* best-effort */ }
+
     const upArgs = ["compose", ...effectiveProfileArgs, "--progress", "plain", "up", "-d", "--remove-orphans"];
+    if (forceRecreate) upArgs.push("--force-recreate");
     if (serviceList.length > 0) upArgs.push(...serviceList);
     const upProc = execa("docker", upArgs, {
       cwd: root,

package/src/doctor.js

@@ -11,6 +11,20 @@ import { rootDir } from "./project.js";
 import { wslExec, wslHomedir, wslFileExists, wslReadFile, wslCmdVersion } from "./wsl.js";
 import { getInquirer } from "./lazy.js";
 
+// Check if sudo is available without a password (cached credentials or NOPASSWD)
+let _sudoOk = null;
+async function canSudo() {
+  if (_sudoOk !== null) return _sudoOk;
+  if (process.platform === "win32") { _sudoOk = false; return false; }
+  try {
+    const { exitCode } = await execa("sudo", ["-n", "true"], { reject: false, timeout: 5000 });
+    _sudoOk = exitCode === 0;
+  } catch { _sudoOk = false; }
+  return _sudoOk;
+}
+
+
+
 const KEY_PORTS = {
   5432: "Postgres",
   9092: "Kafka",
@@ -246,6 +260,7 @@ export async function runDoctor(opts = {}, registry = null) {
                   console.log(chalk.green(`  ✓ Removed ${b}`));
                 } catch (err) {
                   if (err.code === "EACCES") {
+                    if (!(await canSudo())) throw new Error(`Permission denied removing ${b} — sudo not available`);
                     console.log(chalk.cyan(`  ▶ sudo rm ${b}`));
                     await execa("sudo", ["rm", b], { stdio: "inherit", timeout: 10000 });
                   } else {
@@ -379,6 +394,7 @@ export async function runDoctor(opts = {}, registry = null) {
           console.log(chalk.cyan('  ▶ start "" "Docker Desktop"'));
           await execa("cmd", ["/c", "start", "", "Docker Desktop"], { timeout: 10000 });
         } else {
+          if (!(await canSudo())) throw new Error("sudo not available — start Docker manually: sudo systemctl start docker");
           console.log(chalk.cyan("  ▶ sudo systemctl start docker"));
           await execa("sudo", ["systemctl", "start", "docker"], { stdio: "inherit", timeout: 30000 });
           return;
@@ -447,6 +463,7 @@ export async function runDoctor(opts = {}, registry = null) {
         console.log(chalk.cyan('  ▶ start "" "Docker Desktop"'));
         await execa("cmd", ["/c", "start", "", "Docker Desktop"], { timeout: 10000 });
       } else {
+        if (!(await canSudo())) throw new Error("sudo not available — install Docker manually: curl -fsSL https://get.docker.com | sudo sh");
         console.log(chalk.cyan("  ▶ curl -fsSL https://get.docker.com | sudo sh"));
         await execa("sh", ["-c", "curl -fsSL https://get.docker.com | sudo sh"], {
           stdio: "inherit", timeout: 300_000,
@@ -497,6 +514,7 @@ export async function runDoctor(opts = {}, registry = null) {
         await execa("winget", ["install", "Git.Git", "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
       }
     } else {
+      if (!(await canSudo())) throw new Error("sudo not available — install git manually");
       console.log(chalk.cyan("  ▶ sudo apt-get install -y git"));
       await execa("sudo", ["apt-get", "install", "-y", "git"], { stdio: "inherit", timeout: 300_000 });
     }
@@ -540,6 +558,7 @@ export async function runDoctor(opts = {}, registry = null) {
       console.log(chalk.cyan("  ▶ brew install npm"));
       await execa("brew", ["install", "npm"], { stdio: "inherit", timeout: 300_000 });
     } else if (process.platform === "linux" || (process.platform === "win32" && useWsl)) {
+      if (!(await canSudo())) throw new Error("sudo not available — install npm manually");
       console.log(chalk.cyan("  ▶ sudo apt-get install -y npm"));
       await run("sudo", ["apt-get", "install", "-y", "npm"], { stdio: "inherit", timeout: 300_000 });
     } else {
@@ -573,9 +592,8 @@ export async function runDoctor(opts = {}, registry = null) {
       await execa("brew", ["install", "--cask", "1password-cli"], { stdio: "inherit", timeout: 300_000 });
     } else if (process.platform === "win32") {
       if (useWsl) {
+        if (!(await canSudo())) throw new Error("sudo not available — install 1Password CLI manually");
         console.log(chalk.cyan("  ▶ [WSL] Installing 1Password CLI via apt…"));
-        // Authenticate sudo upfront so the long install chain doesn't hang at a password prompt
-        await run("sudo", ["-v"], { stdio: "inherit", timeout: 30_000 });
         await run("sh", ["-c", [
           "curl -sS https://downloads.1password.com/linux/keys/1password.asc | sudo gpg --batch --yes --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg",
           '&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | sudo tee /etc/apt/sources.list.d/1password.list',
@@ -591,9 +609,8 @@ export async function runDoctor(opts = {}, registry = null) {
       }
     } else {
       // Linux — install via 1Password apt repository
-      // Authenticate sudo upfront so the long install chain doesn't hang at a password prompt
+      if (!(await canSudo())) throw new Error("sudo not available — install 1Password CLI manually");
       console.log(chalk.cyan("  ▶ Installing 1Password CLI via apt…"));
-      await execa("sudo", ["-v"], { stdio: "inherit", timeout: 30_000 });
       await execa("sh", ["-c", [
         "curl -sS https://downloads.1password.com/linux/keys/1password.asc | sudo gpg --batch --yes --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg",
         '&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | sudo tee /etc/apt/sources.list.d/1password.list',
@@ -607,6 +624,7 @@ export async function runDoctor(opts = {}, registry = null) {
 
   // GitHub CLI
   const installGhLinux = async (runner = execa) => {
+    if (!(await canSudo())) throw new Error("sudo not available — install gh manually: https://cli.github.com");
     console.log(chalk.cyan("  ▶ Installing gh via apt…"));
     await runner("sh", ["-c", [
       "type -p curl >/dev/null || (sudo apt update && sudo apt install curl -y)",
@@ -948,7 +966,11 @@ export async function runDoctor(opts = {}, registry = null) {
         }
       }
     } else if (ghcrLoggedIn) {
-      fail("Docker logged into ghcr.io but pull access denied", "token may lack read:packages or write:packages scope", ghcrFixFn);
+      fail(
+        "Docker logged into ghcr.io but pull access denied",
+        "Docker has a stale token — fix: echo $(gh auth token) | docker login ghcr.io -u x-access-token --password-stdin",
+        ghcrFixFn,
+      );
     } else {
       fail("Docker not logged into ghcr.io", "needed to pull/push private images", ghcrFixFn);
     }

package/src/plugins/bundled/fops-plugin-1password/index.js

@@ -99,6 +99,10 @@ export function register(api) {
         } else if (synced > 0) {
           const files = synced === 1 ? ".env" : `${synced} .env files`;
           console.log(chalk.green(`  ✓ ${totalSecrets} secret(s) synced → ${files}`));
+          // Update one-shot marker so auto-sync on next `fops up` is skipped
+          const markerDir = path.join(root, ".fops");
+          if (!fs.existsSync(markerDir)) fs.mkdirSync(markerDir, { recursive: true });
+          fs.writeFileSync(path.join(markerDir, ".1p-synced"), new Date().toISOString() + "\n");
         } else {
           console.log(chalk.dim("  Nothing to sync."));
         }
@@ -181,13 +185,18 @@ export function register(api) {
     },
   });
 
-  // ── Hook: before:up — auto-sync secrets ────────────
+  // ── Hook: before:up — one-shot auto-sync secrets ───
   api.registerHook("before:up", async () => {
     if (!config.autoSync) return;
 
     const root = findRoot();
     if (!root) return;
 
+    // One-shot: skip if secrets were already synced once
+    const markerDir = path.join(root, ".fops");
+    const markerPath = path.join(markerDir, ".1p-synced");
+    if (fs.existsSync(markerPath)) return;
+
     const templates = discoverTemplates(root);
     if (templates.length === 0) return;
 
@@ -212,6 +221,9 @@ export function register(api) {
     } else if (synced > 0) {
       const files = synced === 1 ? ".env" : `${synced} .env files`;
       console.log(chalk.green(`  ✓ ${totalSecrets} secret(s) synced → ${files}`));
+      // Mark as done so subsequent `fops up` calls skip auto-sync
+      if (!fs.existsSync(markerDir)) fs.mkdirSync(markerDir, { recursive: true });
+      fs.writeFileSync(markerPath, new Date().toISOString() + "\n");
     }
   });
 

package/src/plugins/bundled/fops-plugin-azure/index.js

@@ -138,8 +138,10 @@ export async function register(api) {
           } else if (process.platform === "linux") {
             const { exitCode } = await execa("which", ["apt-get"], { reject: false });
             if (exitCode !== 0) throw new Error("apt-get not found — use https://learn.microsoft.com/en-us/cli/azure/install-azure-cli for your distro");
-            await execa("sudo", ["apt-get", "update"], { stdio: "inherit", timeout: 120000 });
-            await execa("sudo", ["apt-get", "install", "-y", "azure-cli"], { stdio: "inherit", timeout: 120000 });
+            // Check sudo is available before attempting install
+            const sudoCheck = await execa("sudo", ["-n", "true"], { reject: false, timeout: 5000 });
+            if (sudoCheck.exitCode !== 0) throw new Error("sudo not available — install Azure CLI manually: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash");
+            await execa("sudo", ["sh", "-c", "curl -sL https://aka.ms/InstallAzureCLIDeb | bash"], { stdio: "inherit", timeout: 300000 });
           } else {
             throw new Error("Auto-install only on macOS and Linux — use the Microsoft install link");
           }

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks.js

@@ -148,7 +148,7 @@ function resolveFluxConfig(clusterName, opts) {
   return {
     fluxRepo: opts?.fluxRepo ?? tracked?.flux?.repo ?? az.fluxRepo ?? project?.fluxRepo ?? AKS_DEFAULTS.fluxRepo,
     fluxOwner: opts?.fluxOwner ?? tracked?.flux?.owner ?? az.fluxOwner ?? project?.fluxOwner ?? AKS_DEFAULTS.fluxOwner,
-    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || AKS_DEFAULTS.fluxPath,
+    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || `clusters/${clusterName}`,
     fluxBranch: opts?.fluxBranch ?? tracked?.flux?.branch ?? az.fluxBranch ?? project?.fluxBranch ?? AKS_DEFAULTS.fluxBranch,
   };
 }
@@ -182,6 +182,107 @@ function requireCluster(name) {
   };
 }
 
+// ── Flux local-repo scaffolding ───────────────────────────────────────────────
+
+/**
+ * Auto-detect the local flux repo clone.
+ * Searches common relative paths from the project root and CWD.
+ */
+function findFluxLocalRepo() {
+  const state = readState();
+  const projectRoot = state.azure?.projectRoot || state.projectRoot;
+
+  const candidates = [];
+  if (projectRoot) {
+    candidates.push(path.resolve(projectRoot, "..", "flux"));
+    candidates.push(path.resolve(projectRoot, "flux"));
+  }
+  candidates.push(path.resolve("../flux"));
+  candidates.push(path.resolve("../../flux"));
+
+  for (const p of candidates) {
+    if (fs.existsSync(path.join(p, "clusters"))) return p;
+  }
+  return null;
+}
+
+/**
+ * Resolve the bundled cluster template directory shipped with the CLI.
+ */
+function resolveClusterTemplate() {
+  const thisDir = path.dirname(fileURLToPath(import.meta.url));
+  return path.resolve(thisDir, "..", "templates", "cluster");
+}
+
+/**
+ * Scaffold a new cluster directory in the local flux repo from the bundled
+ * template, substituting {{CLUSTER_NAME}} and {{OVERLAY}} placeholders.
+ * Then commits and pushes the change.
+ */
+async function scaffoldFluxCluster(execa, { clusterName, fluxLocalRepo, overlay }) {
+  const templateDir = resolveClusterTemplate();
+  const destDir = path.join(fluxLocalRepo, "clusters", clusterName);
+
+  if (!fs.existsSync(templateDir)) {
+    console.log(WARN(`  ⚠ Cluster template not found at ${templateDir}`));
+    return false;
+  }
+
+  if (fs.existsSync(destDir)) {
+    console.log(OK(`  ✓ Cluster directory already exists: clusters/${clusterName}`));
+    return true;
+  }
+
+  const vars = {
+    "{{CLUSTER_NAME}}": clusterName,
+    "{{OVERLAY}}": overlay || "demo-azure",
+  };
+
+  hint("Scaffolding Flux cluster manifests…");
+
+  function copyDir(src, dest) {
+    fs.mkdirSync(dest, { recursive: true });
+    for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+      const srcPath = path.join(src, entry.name);
+      const destPath = path.join(dest, entry.name);
+      if (entry.isDirectory()) {
+        copyDir(srcPath, destPath);
+      } else {
+        let content = fs.readFileSync(srcPath, "utf8");
+        for (const [k, v] of Object.entries(vars)) {
+          content = content.replaceAll(k, v);
+        }
+        fs.writeFileSync(destPath, content);
+      }
+    }
+  }
+
+  copyDir(templateDir, destDir);
+  console.log(OK(`  ✓ Cluster directory created: clusters/${clusterName}`));
+
+  // List remaining placeholders
+  const remaining = [];
+  for (const line of fs.readFileSync(path.join(destDir, "kustomization.yaml"), "utf8").split("\n")) {
+    const m = line.match(/\{\{(\w+)\}\}/g);
+    if (m) remaining.push(...m);
+  }
+
+  // Git add + commit + push
+  hint("Committing and pushing to flux repo…");
+  try {
+    await execa("git", ["-C", fluxLocalRepo, "add", `clusters/${clusterName}`], { timeout: 15000 });
+    await execa("git", ["-C", fluxLocalRepo, "commit", "-m", `Add cluster ${clusterName}`], { timeout: 15000 });
+    await execa("git", ["-C", fluxLocalRepo, "push"], { timeout: 60000 });
+    console.log(OK(`  ✓ Pushed clusters/${clusterName} to flux repo`));
+  } catch (err) {
+    const msg = (err.stderr || err.message || "").split("\n")[0];
+    console.log(WARN(`  ⚠ Git push failed: ${msg}`));
+    hint(`Manually commit and push clusters/${clusterName} in the flux repo`);
+  }
+
+  return true;
+}
+
 // ── Flux helpers ──────────────────────────────────────────────────────────────
 
 async function ensureFluxCli(execa) {
@@ -244,6 +345,18 @@ export async function aksUp(opts = {}) {
   if (exists === 0) {
     console.log(WARN(`\n  Cluster "${clusterName}" already exists — reconciling…`));
 
+    // Scaffold cluster directory if it doesn't exist yet
+    if (!opts.noFlux) {
+      const fluxLocalRepo = opts.fluxLocalRepo || findFluxLocalRepo();
+      if (fluxLocalRepo) {
+        await scaffoldFluxCluster(execa, {
+          clusterName,
+          fluxLocalRepo,
+          overlay: opts.overlay,
+        });
+      }
+    }
+
     const maxPods = opts.maxPods || 110;
     const ctx = { execa, clusterName, rg, sub, opts, minCount, maxCount, maxPods };
     await reconcileCluster(ctx);
@@ -347,7 +460,22 @@ export async function aksUp(opts = {}) {
   const fluxRepo = opts.fluxRepo ?? AKS_DEFAULTS.fluxRepo;
   const fluxOwner = opts.fluxOwner ?? AKS_DEFAULTS.fluxOwner;
   const fluxBranch = opts.fluxBranch ?? AKS_DEFAULTS.fluxBranch;
-  const fluxPath = opts.fluxPath || AKS_DEFAULTS.fluxPath;
+  const fluxPath = opts.fluxPath || `clusters/${clusterName}`;
+
+  // Scaffold cluster directory in the flux repo before bootstrapping
+  if (!opts.noFlux) {
+    const fluxLocalRepo = opts.fluxLocalRepo || findFluxLocalRepo();
+    if (fluxLocalRepo) {
+      await scaffoldFluxCluster(execa, {
+        clusterName,
+        fluxLocalRepo,
+        templateCluster: opts.templateCluster,
+      });
+    } else {
+      console.log(WARN("  ⚠ Local flux repo not found — skipping cluster scaffolding."));
+      hint("Pass --flux-local-repo <path> or clone meshxdata/flux next to foundation-compose.");
+    }
+  }
 
   if (opts.noFlux) {
     console.log("");

package/src/plugins/bundled/fops-plugin-azure/lib/azure-auth.js

@@ -13,7 +13,7 @@ export function hashContent(text) {
 }
 
 /**
- * Resolve Foundation credentials from env → .env → ~/.fops.json.
+ * Resolve Foundation credentials from env → ~/.fops.json → .env files.
  * Returns { bearerToken } or { user, password } or null.
  */
 export function resolveFoundationCreds() {
@@ -26,6 +26,25 @@ export function resolveFoundationCreds() {
     if (cfg.bearerToken?.trim()) return { bearerToken: cfg.bearerToken.trim() };
     if (cfg.user?.trim() && cfg.password) return { user: cfg.user.trim(), password: cfg.password };
   } catch { /* no fops.json */ }
+
+  // Fall back to .env files for credentials
+  const envCandidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
+  try {
+    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
+    if (raw?.projectRoot) envCandidates.unshift(pathMod.join(raw.projectRoot, ".env"));
+  } catch { /* ignore */ }
+  for (const ep of envCandidates) {
+    try {
+      const lines = fs.readFileSync(ep, "utf8").split("\n");
+      const get = (k) => {
+        const ln = lines.find((l) => l.startsWith(`${k}=`));
+        return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : "";
+      };
+      const user = get("QA_USERNAME") || get("FOUNDATION_USERNAME");
+      const pass = get("QA_PASSWORD") || get("FOUNDATION_PASSWORD");
+      if (user && pass) return { user, password: pass };
+    } catch { /* try next */ }
+  }
   return null;
 }
 
@@ -41,12 +60,44 @@ export function suppressTlsWarning() {
   };
 }
 
+/**
+ * Resolve Cloudflare Access service-token headers from env or .env files.
+ * Returns { "CF-Access-Client-Id": ..., "CF-Access-Client-Secret": ... } or {}.
+ */
+let _cfAccessHeaders;
+export function resolveCfAccessHeaders() {
+  if (_cfAccessHeaders !== undefined) return _cfAccessHeaders;
+  let id = process.env.CF_ACCESS_CLIENT_ID || "";
+  let secret = process.env.CF_ACCESS_CLIENT_SECRET || "";
+  if (!id) {
+    // Try .env files
+    const candidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
+    try {
+      const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
+      if (raw?.projectRoot) candidates.unshift(pathMod.join(raw.projectRoot, ".env"));
+    } catch {}
+    for (const ep of candidates) {
+      try {
+        const lines = fs.readFileSync(ep, "utf8").split("\n");
+        const get = (k) => { const ln = lines.find((l) => l.startsWith(`${k}=`)); return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : ""; };
+        id = id || get("CF_ACCESS_CLIENT_ID");
+        secret = secret || get("CF_ACCESS_CLIENT_SECRET");
+        if (id && secret) break;
+      } catch {}
+    }
+  }
+  _cfAccessHeaders = id && secret ? { "CF-Access-Client-Id": id, "CF-Access-Client-Secret": secret } : {};
+  return _cfAccessHeaders;
+}
+
 export async function vmFetch(url, opts = {}) {
   suppressTlsWarning();
   const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
   process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
   try {
-    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts });
+    const cfHeaders = resolveCfAccessHeaders();
+    const headers = { ...cfHeaders, ...(opts.headers || {}) };
+    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts, headers });
   } finally {
     if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
     else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
@@ -162,7 +213,7 @@ export async function resolveRemoteAuth(opts = {}) {
 
   const creds = resolveFoundationCreds();
   let qaUser = creds?.user || process.env.QA_USERNAME || process.env.FOUNDATION_USERNAME || "operator@local";
-  let qaPass = creds?.password || process.env.QA_PASSWORD || "";
+  let qaPass = creds?.password || process.env.QA_PASSWORD || process.env.FOUNDATION_PASSWORD || "";
   let bearerToken = creds?.bearerToken || "";
 
   // 1) Use local bearer if it's a valid JWT
@@ -172,6 +223,13 @@ export async function resolveRemoteAuth(opts = {}) {
   bearerToken = "";
 
   // 2) Pre-auth against the backend /iam/login
+  const cfHeaders = resolveCfAccessHeaders();
+  const cfKeys = Object.keys(cfHeaders);
+  if (cfKeys.length) {
+    log(chalk.dim(`  CF Access headers: ${cfKeys.join(", ")} (id=${cfHeaders["CF-Access-Client-Id"]?.slice(0, 8)}…)`));
+  } else {
+    log(chalk.yellow("  ⚠ No CF Access service token found (set CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET)"));
+  }
   if (qaUser && qaPass && apiUrl) {
     try {
       if (suppressTls) suppressTls();
@@ -180,8 +238,8 @@ export async function resolveRemoteAuth(opts = {}) {
       try {
         const resp = await fetch(`${apiUrl}/iam/login`, {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ username: qaUser, password: qaPass }),
+          headers: { "Content-Type": "application/json", ...cfHeaders },
+          body: JSON.stringify({ user: qaUser, password: qaPass }),
           signal: AbortSignal.timeout(10_000),
         });
         if (resp.ok) {
@@ -192,7 +250,9 @@ export async function resolveRemoteAuth(opts = {}) {
             return { bearerToken, qaUser, qaPass, useTokenMode: true };
           }
         } else {
-          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status}`));
+          const body = await resp.text().catch(() => "");
+          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status} (user=${qaUser})`));
+          if (body) log(chalk.dim(`  Response: ${body.slice(0, 200)}`));
         }
       } finally {
         if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -275,7 +275,15 @@ export async function ensureAzAuth(execa, { subscription, throwOnMissing = false
     if (subscription) args.push("--subscription", subscription);
     const { stdout } = await execa("az", args, { timeout: 15000 });
     return JSON.parse(stdout);
-  } catch {
+  } catch (err) {
+    if (isAzSessionExpiredError(err)) {
+      const { suggested } = parseAzReloginHint(err);
+      const msg = `Azure session expired (MFA). Run:\n  ${suggested.replace(/\n/g, "\n  ")}`;
+      if (throwOnMissing) throw new Error(msg);
+      console.error(chalk.yellow(`\n  Azure session expired (MFA or token refresh required).`));
+      console.error(chalk.cyan(`  Run: ${suggested.split("\n")[0]}\n`));
+      process.exit(1);
+    }
     const msg = "Not logged in to Azure. Run: az login";
     if (throwOnMissing) throw new Error(msg);
     console.error(chalk.red("\n  Not logged in to Azure. Run: az login\n"));
@@ -447,7 +455,61 @@ async function refreshTokenViaGh(execa, missingScopes) {
 }
 
 export async function verifyGithubToken(token) {
-  if (!token) return { token, login: undefined };
+  if (!token) {
+    // No token anywhere — try gh CLI auth
+    const execa = await lazyExeca();
+    try {
+      const { stdout: ghToken, exitCode } = await execa("gh", ["auth", "token", "-h", "github.com"], { timeout: 10000, reject: false });
+      const existing = (ghToken || "").trim();
+      if (exitCode === 0 && existing) {
+        console.log(chalk.cyan("  No token in env/netrc — using gh CLI token"));
+        token = existing;
+      }
+    } catch { /* gh not installed or not authed */ }
+
+    if (!token) {
+      // Still no token — offer interactive gh auth login
+      console.log(chalk.yellow("\n  ⚠ No GitHub token found (checked --github-token, $GITHUB_TOKEN, ~/.netrc, gh CLI)"));
+      try {
+        const { exitCode: ghExists } = await execa("which", ["gh"], { reject: false, timeout: 5000 });
+        if (ghExists === 0) {
+          console.log(chalk.cyan("  ▶ Running gh auth login…\n"));
+          const { exitCode: loginExit } = await execa("gh", ["auth", "login", "-h", "github.com", "-s", "write:packages,repo"], { stdio: "inherit", reject: false, timeout: 300000 });
+          if (loginExit === 0) {
+            const { stdout: newToken } = await execa("gh", ["auth", "token", "-h", "github.com"], { timeout: 10000 });
+            token = (newToken || "").trim();
+            if (token) {
+              // Sync to .netrc for future use
+              const netrcPath = path.join(os.homedir(), ".netrc");
+              const entry = `machine github.com login x-access-token password ${token}`;
+              try {
+                let content = "";
+                try { content = fs.readFileSync(netrcPath, "utf8"); } catch {}
+                if (/^machine\s+github\.com\b/m.test(content)) {
+                  content = content.replace(
+                    /machine\s+github\.com\b[^\n]*(\n\s*(login|password)\s+[^\n]*)*/gm,
+                    entry,
+                  );
+                } else {
+                  content = content.trimEnd() + (content ? "\n" : "") + entry + "\n";
+                }
+                fs.writeFileSync(netrcPath, content, { mode: 0o600 });
+                console.log(chalk.green("  ✓ ~/.netrc updated"));
+              } catch {}
+            }
+          }
+        } else {
+          console.log(chalk.dim("  Install gh CLI to authenticate: https://cli.github.com"));
+        }
+      } catch {}
+
+      if (!token) {
+        console.error(chalk.red("  ✗ GitHub authentication required — GHCR pulls will fail without a token."));
+        console.error(chalk.dim("  Set $GITHUB_TOKEN, run gh auth login, or pass --github-token.\n"));
+        process.exit(1);
+      }
+    }
+  }
   const execa = await lazyExeca();
   try {
     let res = await fetch("https://api.github.com/user", {