@meshxdata/fops 0.1.38 → 0.1.40

package/CHANGELOG.md

@@ -1,3 +1,377 @@
+## [0.1.40] - 2026-03-10
+
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+- azure stack index.js split (de12272)
+- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
+- packer (9665fbc)
+- remove stack api (db0fd4d)
+- packer cleanup (fe1bf14)
+- force refresh token (3a3d7e2)
+- provision shell (2ad505f)
+- azure vm management (91dcb31)
+- azure specific (2b0cca8)
+- azure packer (12175b8)
+- init hashed pwd (db8523c)
+- packer (5b5c7c4)
+- doctor for azure vm (ed524fa)
+- packer and 1pwd (c6d053e)
+- split big index.js (dc85a1b)
+- kafka volume update (21815ec)
+- fix openai azure tools confirmation and flow (0118cd1)
+- nighly fixx, test fix (5e0d04f)
+- open ai training (cdc494a)
+- openai integration in azure (1ca1475)
+- ci (672cea9)
+- refresh ghcr creds (4220c48)
+- cleaned up version (1a0074f)
+- traefik on ghcr and templates (8e31a05)
+- apply fcl (e78911f)
+- demo landscape (dd205fe)
+- smarter login and schema (1af514f)
+- no down before up unless something broke (56b1132)
+- dai, reconcile failed containers (12907fa)
+- reconcile dead container (7da75e4)
+- defensive around storage buckets dir (b98871d)
+- defensive around storage buckets dir (e86e132)
+- gear in for multiarch (bf3fa3e)
+- up autofix (99c7f89)
+- autofix stale containers on up (43c7d0f)
+- shared sessions fix (5de1359)
+- share sessions between ui and tui (8321391)
+- fix chat view display details (e263996)
+- fix chat view display details (9babdda)
+- tui up fixes (86e9f17)
+- fix commands init (442538b)
+- enable k3s profile (b2dcfc8)
+- test up till job creation (656d388)
+- tui fixes (0599779)
+- cleanup (27731f0)
+- train (90bf559)
+- training (f809bf6)
+- training (ba2b836)
+- training (6fc5267)
+- training (4af8ac9)
+- fix build script (bd82836)
+- infra test (5b79815)
+- infra test (3a0ac05)
+- infra test (e5c67b5)
+- tests (ae7b621)
+- tests (c09ae6a)
+- update tui (4784153)
+- training (0a5a330)
+- tui (df4dd4a)
+- pkg builds (4dc9993)
+- also source env for creds (9a17d8f)
+- fcl support (e8a5743)
+- fcl support (8d6b6cd)
+- fcl support (cb76a4a)
+- bump package (df2ee85)
+
+# Changelog
+
+All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.
+
+## [0.1.39] - 2026-03-10
+
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+- azure stack index.js split (de12272)
+- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
+- packer (9665fbc)
+- remove stack api (db0fd4d)
+- packer cleanup (fe1bf14)
+- force refresh token (3a3d7e2)
+- provision shell (2ad505f)
+- azure vm management (91dcb31)
+- azure specific (2b0cca8)
+- azure packer (12175b8)
+- init hashed pwd (db8523c)
+- packer (5b5c7c4)
+- doctor for azure vm (ed524fa)
+- packer and 1pwd (c6d053e)
+- split big index.js (dc85a1b)
+- kafka volume update (21815ec)
+- fix openai azure tools confirmation and flow (0118cd1)
+- nighly fixx, test fix (5e0d04f)
+- open ai training (cdc494a)
+- openai integration in azure (1ca1475)
+- ci (672cea9)
+- refresh ghcr creds (4220c48)
+- cleaned up version (1a0074f)
+- traefik on ghcr and templates (8e31a05)
+- apply fcl (e78911f)
+- demo landscape (dd205fe)
+- smarter login and schema (1af514f)
+- no down before up unless something broke (56b1132)
+- dai, reconcile failed containers (12907fa)
+- reconcile dead container (7da75e4)
+- defensive around storage buckets dir (b98871d)
+- defensive around storage buckets dir (e86e132)
+- gear in for multiarch (bf3fa3e)
+- up autofix (99c7f89)
+- autofix stale containers on up (43c7d0f)
+- shared sessions fix (5de1359)
+- share sessions between ui and tui (8321391)
+- fix chat view display details (e263996)
+- fix chat view display details (9babdda)
+- tui up fixes (86e9f17)
+- fix commands init (442538b)
+- enable k3s profile (b2dcfc8)
+- test up till job creation (656d388)
+- tui fixes (0599779)
+- cleanup (27731f0)
+- train (90bf559)
+- training (f809bf6)
+- training (ba2b836)
+- training (6fc5267)
+- training (4af8ac9)
+- fix build script (bd82836)
+- infra test (5b79815)
+- infra test (3a0ac05)
+- infra test (e5c67b5)
+- tests (ae7b621)
+- tests (c09ae6a)
+- update tui (4784153)
+- training (0a5a330)
+- tui (df4dd4a)
+- pkg builds (4dc9993)
+- also source env for creds (9a17d8f)
+- fcl support (e8a5743)
+- fcl support (8d6b6cd)
+- fcl support (cb76a4a)
+- bump package (df2ee85)
+
 ## [0.1.38] - 2026-03-10
 
 - callback url for localhost (821fb94)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.38",
+  "version": "0.1.40",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/doctor.js

@@ -11,6 +11,20 @@ import { rootDir } from "./project.js";
 import { wslExec, wslHomedir, wslFileExists, wslReadFile, wslCmdVersion } from "./wsl.js";
 import { getInquirer } from "./lazy.js";
 
+// Check if sudo is available without a password (cached credentials or NOPASSWD)
+let _sudoOk = null;
+async function canSudo() {
+  if (_sudoOk !== null) return _sudoOk;
+  if (process.platform === "win32") { _sudoOk = false; return false; }
+  try {
+    const { exitCode } = await execa("sudo", ["-n", "true"], { reject: false, timeout: 5000 });
+    _sudoOk = exitCode === 0;
+  } catch { _sudoOk = false; }
+  return _sudoOk;
+}
+
+
+
 const KEY_PORTS = {
   5432: "Postgres",
   9092: "Kafka",
@@ -246,6 +260,7 @@ export async function runDoctor(opts = {}, registry = null) {
                   console.log(chalk.green(`  ✓ Removed ${b}`));
                 } catch (err) {
                   if (err.code === "EACCES") {
+                    if (!(await canSudo())) throw new Error(`Permission denied removing ${b} — sudo not available`);
                     console.log(chalk.cyan(`  ▶ sudo rm ${b}`));
                     await execa("sudo", ["rm", b], { stdio: "inherit", timeout: 10000 });
                   } else {
@@ -379,6 +394,7 @@ export async function runDoctor(opts = {}, registry = null) {
           console.log(chalk.cyan('  ▶ start "" "Docker Desktop"'));
           await execa("cmd", ["/c", "start", "", "Docker Desktop"], { timeout: 10000 });
         } else {
+          if (!(await canSudo())) throw new Error("sudo not available — start Docker manually: sudo systemctl start docker");
           console.log(chalk.cyan("  ▶ sudo systemctl start docker"));
           await execa("sudo", ["systemctl", "start", "docker"], { stdio: "inherit", timeout: 30000 });
           return;
@@ -447,6 +463,7 @@ export async function runDoctor(opts = {}, registry = null) {
         console.log(chalk.cyan('  ▶ start "" "Docker Desktop"'));
         await execa("cmd", ["/c", "start", "", "Docker Desktop"], { timeout: 10000 });
       } else {
+        if (!(await canSudo())) throw new Error("sudo not available — install Docker manually: curl -fsSL https://get.docker.com | sudo sh");
         console.log(chalk.cyan("  ▶ curl -fsSL https://get.docker.com | sudo sh"));
         await execa("sh", ["-c", "curl -fsSL https://get.docker.com | sudo sh"], {
           stdio: "inherit", timeout: 300_000,
@@ -497,6 +514,7 @@ export async function runDoctor(opts = {}, registry = null) {
         await execa("winget", ["install", "Git.Git", "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
       }
     } else {
+      if (!(await canSudo())) throw new Error("sudo not available — install git manually");
       console.log(chalk.cyan("  ▶ sudo apt-get install -y git"));
       await execa("sudo", ["apt-get", "install", "-y", "git"], { stdio: "inherit", timeout: 300_000 });
     }
@@ -540,6 +558,7 @@ export async function runDoctor(opts = {}, registry = null) {
       console.log(chalk.cyan("  ▶ brew install npm"));
       await execa("brew", ["install", "npm"], { stdio: "inherit", timeout: 300_000 });
     } else if (process.platform === "linux" || (process.platform === "win32" && useWsl)) {
+      if (!(await canSudo())) throw new Error("sudo not available — install npm manually");
       console.log(chalk.cyan("  ▶ sudo apt-get install -y npm"));
       await run("sudo", ["apt-get", "install", "-y", "npm"], { stdio: "inherit", timeout: 300_000 });
     } else {
@@ -573,9 +592,8 @@ export async function runDoctor(opts = {}, registry = null) {
       await execa("brew", ["install", "--cask", "1password-cli"], { stdio: "inherit", timeout: 300_000 });
     } else if (process.platform === "win32") {
       if (useWsl) {
+        if (!(await canSudo())) throw new Error("sudo not available — install 1Password CLI manually");
         console.log(chalk.cyan("  ▶ [WSL] Installing 1Password CLI via apt…"));
-        // Authenticate sudo upfront so the long install chain doesn't hang at a password prompt
-        await run("sudo", ["-v"], { stdio: "inherit", timeout: 30_000 });
         await run("sh", ["-c", [
           "curl -sS https://downloads.1password.com/linux/keys/1password.asc | sudo gpg --batch --yes --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg",
           '&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | sudo tee /etc/apt/sources.list.d/1password.list',
@@ -591,9 +609,8 @@ export async function runDoctor(opts = {}, registry = null) {
       }
     } else {
       // Linux — install via 1Password apt repository
-      // Authenticate sudo upfront so the long install chain doesn't hang at a password prompt
+      if (!(await canSudo())) throw new Error("sudo not available — install 1Password CLI manually");
       console.log(chalk.cyan("  ▶ Installing 1Password CLI via apt…"));
-      await execa("sudo", ["-v"], { stdio: "inherit", timeout: 30_000 });
       await execa("sh", ["-c", [
         "curl -sS https://downloads.1password.com/linux/keys/1password.asc | sudo gpg --batch --yes --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg",
         '&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | sudo tee /etc/apt/sources.list.d/1password.list',
@@ -607,6 +624,7 @@ export async function runDoctor(opts = {}, registry = null) {
 
   // GitHub CLI
   const installGhLinux = async (runner = execa) => {
+    if (!(await canSudo())) throw new Error("sudo not available — install gh manually: https://cli.github.com");
     console.log(chalk.cyan("  ▶ Installing gh via apt…"));
     await runner("sh", ["-c", [
       "type -p curl >/dev/null || (sudo apt update && sudo apt install curl -y)",
@@ -855,7 +873,26 @@ export async function runDoctor(opts = {}, registry = null) {
       console.log(chalk.green("  ✓ write:packages and repo scopes added"));
     };
 
+    // Double-check: if hasWritePackages came from netrc fallback, verify the gh CLI token too
+    let ghCliHasPackages = hasWritePackages;
     if (hasWritePackages) {
+      try {
+        const { stdout: tkOut, exitCode: tkExit } = await runGh(["auth", "token"], { timeout: 5000, reject: false });
+        if (tkExit === 0 && tkOut?.trim()) {
+          const { status, scopes } = await ghApiGetWithScopes(tkOut.trim());
+          if (status === 200 && scopes && !scopes.includes("write:packages") && !scopes.includes("read:packages")) {
+            ghCliHasPackages = false;
+          }
+        }
+      } catch {}
+    }
+    if (hasWritePackages && !ghCliHasPackages) {
+      warn(
+        "gh CLI token missing packages scope",
+        "netrc token has it, but gh auth token does not — run: gh auth refresh -h github.com -s write:packages",
+        ghcrRefreshFn,
+      );
+    } else if (hasWritePackages) {
       ok("gh token has write:packages scope");
     } else {
       fail(
@@ -899,32 +936,63 @@ export async function runDoctor(opts = {}, registry = null) {
     }
 
     const ghcrFixFn = async () => {
-      // Ensure write:packages scope is present (implies read:packages)
-      if (!hasWritePackages) {
-        console.log(chalk.cyan("  ▶ gh auth refresh -h github.com -s write:packages -s repo"));
-        console.log(chalk.dim("    (gh CLI will ask for device code auth, then optionally Git credential setup)"));
-        await runGh(["auth", "refresh", "-h", "github.com", "-s", "write:packages", "-s", "repo"], {
-          stdio: "inherit", timeout: 120_000,
-        });
-      }
-
-      // Get fresh token and login to ghcr.io
+      // Find a token with packages scope — prefer gh CLI token, fall back to netrc
       let ghToken = null;
+
+      // 1) Try gh CLI token
       try {
         const { stdout, exitCode } = await runGh(["auth", "token"], { timeout: 5000, reject: false });
-        if (exitCode === 0 && stdout?.trim()) ghToken = stdout.trim();
+        if (exitCode === 0 && stdout?.trim()) {
+          const t = stdout.trim();
+          const { status, scopes } = await ghApiGetWithScopes(t);
+          if (status === 200 && scopes?.includes("write:packages")) {
+            ghToken = t;
+          } else if (status === 200) {
+            // gh token works but lacks packages scope — refresh it
+            console.log(chalk.yellow("  gh CLI token missing write:packages — refreshing…"));
+            console.log(chalk.cyan("  ▶ gh auth refresh -h github.com -s write:packages -s repo"));
+            const { exitCode: refExit } = await runGh(["auth", "refresh", "-h", "github.com", "-s", "write:packages", "-s", "repo"], {
+              stdio: "inherit", timeout: 120_000, reject: false,
+            });
+            if (refExit === 0) {
+              const { stdout: fresh } = await runGh(["auth", "token"], { timeout: 5000, reject: false });
+              if (fresh?.trim()) ghToken = fresh.trim();
+            }
+          }
+        }
       } catch {}
 
+      // 2) Fall back to netrc token if gh CLI token doesn't have the right scopes
+      if (!ghToken) {
+        try {
+          const content = await readFile(netrcPath);
+          const netrcToken = readNetrcToken(content, "github.com");
+          if (netrcToken) {
+            const { status, scopes } = await ghApiGetWithScopes(netrcToken);
+            if (status === 200 && (scopes?.includes("write:packages") || scopes?.includes("read:packages"))) {
+              console.log(chalk.cyan("  Using netrc token (has packages scope)"));
+              ghToken = netrcToken;
+            }
+          }
+        } catch {}
+      }
+
       if (ghToken) {
-        console.log(chalk.cyan("  ▶ Logging into ghcr.io using gh auth token…"));
+        console.log(chalk.cyan("  ▶ Logging into ghcr.io…"));
+        // Login for both current user and root (Docker daemon runs as root)
         await run("sh", ["-c", `echo ${ghToken} | docker login ghcr.io -u x-access-token --password-stdin`], {
           stdio: "inherit", timeout: 15000,
         });
+        try {
+          await execa("sh", ["-c", `echo ${ghToken} | sudo docker login ghcr.io -u x-access-token --password-stdin`], {
+            timeout: 15000, stdio: "pipe",
+          });
+        } catch { /* root login best-effort */ }
       } else {
-        console.log(chalk.yellow("  gh CLI not authenticated — manual login required."));
-        console.log(chalk.dim("  Create a PAT at https://github.com/settings/tokens with write:packages scope, then run:"));
-        console.log(chalk.dim("  docker login ghcr.io -u <your-username>"));
-        throw new Error("Manual GHCR login required");
+        console.log(chalk.yellow("  No token with packages scope found."));
+        console.log(chalk.dim("  Run: gh auth refresh -h github.com -s write:packages -s repo"));
+        console.log(chalk.dim("  Then: echo $(gh auth token) | docker login ghcr.io -u x-access-token --password-stdin"));
+        throw new Error("No token with packages scope — refresh gh auth or create a PAT with write:packages");
       }
     };
 
@@ -948,7 +1016,11 @@ export async function runDoctor(opts = {}, registry = null) {
         }
       }
     } else if (ghcrLoggedIn) {
-      fail("Docker logged into ghcr.io but pull access denied", "token may lack read:packages or write:packages scope", ghcrFixFn);
+      fail(
+        "Docker logged into ghcr.io but pull access denied",
+        "Docker has a stale token — fix: echo $(gh auth token) | docker login ghcr.io -u x-access-token --password-stdin",
+        ghcrFixFn,
+      );
     } else {
       fail("Docker not logged into ghcr.io", "needed to pull/push private images", ghcrFixFn);
     }

package/src/plugins/bundled/fops-plugin-1password/index.js

@@ -99,6 +99,10 @@ export function register(api) {
         } else if (synced > 0) {
           const files = synced === 1 ? ".env" : `${synced} .env files`;
           console.log(chalk.green(`  ✓ ${totalSecrets} secret(s) synced → ${files}`));
+          // Update one-shot marker so auto-sync on next `fops up` is skipped
+          const markerDir = path.join(root, ".fops");
+          if (!fs.existsSync(markerDir)) fs.mkdirSync(markerDir, { recursive: true });
+          fs.writeFileSync(path.join(markerDir, ".1p-synced"), new Date().toISOString() + "\n");
         } else {
           console.log(chalk.dim("  Nothing to sync."));
         }
@@ -181,13 +185,18 @@ export function register(api) {
     },
   });
 
-  // ── Hook: before:up — auto-sync secrets ────────────
+  // ── Hook: before:up — one-shot auto-sync secrets ───
   api.registerHook("before:up", async () => {
     if (!config.autoSync) return;
 
     const root = findRoot();
     if (!root) return;
 
+    // One-shot: skip if secrets were already synced once
+    const markerDir = path.join(root, ".fops");
+    const markerPath = path.join(markerDir, ".1p-synced");
+    if (fs.existsSync(markerPath)) return;
+
     const templates = discoverTemplates(root);
     if (templates.length === 0) return;
 
@@ -212,6 +221,9 @@ export function register(api) {
     } else if (synced > 0) {
       const files = synced === 1 ? ".env" : `${synced} .env files`;
       console.log(chalk.green(`  ✓ ${totalSecrets} secret(s) synced → ${files}`));
+      // Mark as done so subsequent `fops up` calls skip auto-sync
+      if (!fs.existsSync(markerDir)) fs.mkdirSync(markerDir, { recursive: true });
+      fs.writeFileSync(markerPath, new Date().toISOString() + "\n");
     }
   });
 

package/src/plugins/bundled/fops-plugin-azure/index.js

@@ -138,8 +138,10 @@ export async function register(api) {
           } else if (process.platform === "linux") {
             const { exitCode } = await execa("which", ["apt-get"], { reject: false });
             if (exitCode !== 0) throw new Error("apt-get not found — use https://learn.microsoft.com/en-us/cli/azure/install-azure-cli for your distro");
-            await execa("sudo", ["apt-get", "update"], { stdio: "inherit", timeout: 120000 });
-            await execa("sudo", ["apt-get", "install", "-y", "azure-cli"], { stdio: "inherit", timeout: 120000 });
+            // Check sudo is available before attempting install
+            const sudoCheck = await execa("sudo", ["-n", "true"], { reject: false, timeout: 5000 });
+            if (sudoCheck.exitCode !== 0) throw new Error("sudo not available — install Azure CLI manually: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash");
+            await execa("sudo", ["sh", "-c", "curl -sL https://aka.ms/InstallAzureCLIDeb | bash"], { stdio: "inherit", timeout: 300000 });
           } else {
             throw new Error("Auto-install only on macOS and Linux — use the Microsoft install link");
           }

package/src/plugins/bundled/fops-plugin-azure/lib/azure-auth.js

@@ -60,12 +60,44 @@ export function suppressTlsWarning() {
   };
 }
 
+/**
+ * Resolve Cloudflare Access service-token headers from env or .env files.
+ * Returns { "CF-Access-Client-Id": ..., "CF-Access-Client-Secret": ... } or {}.
+ */
+let _cfAccessHeaders;
+export function resolveCfAccessHeaders() {
+  if (_cfAccessHeaders !== undefined) return _cfAccessHeaders;
+  let id = process.env.CF_ACCESS_CLIENT_ID || "";
+  let secret = process.env.CF_ACCESS_CLIENT_SECRET || "";
+  if (!id) {
+    // Try .env files
+    const candidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
+    try {
+      const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
+      if (raw?.projectRoot) candidates.unshift(pathMod.join(raw.projectRoot, ".env"));
+    } catch {}
+    for (const ep of candidates) {
+      try {
+        const lines = fs.readFileSync(ep, "utf8").split("\n");
+        const get = (k) => { const ln = lines.find((l) => l.startsWith(`${k}=`)); return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : ""; };
+        id = id || get("CF_ACCESS_CLIENT_ID");
+        secret = secret || get("CF_ACCESS_CLIENT_SECRET");
+        if (id && secret) break;
+      } catch {}
+    }
+  }
+  _cfAccessHeaders = id && secret ? { "CF-Access-Client-Id": id, "CF-Access-Client-Secret": secret } : {};
+  return _cfAccessHeaders;
+}
+
 export async function vmFetch(url, opts = {}) {
   suppressTlsWarning();
   const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
   process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
   try {
-    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts });
+    const cfHeaders = resolveCfAccessHeaders();
+    const headers = { ...cfHeaders, ...(opts.headers || {}) };
+    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts, headers });
   } finally {
     if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
     else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
@@ -191,6 +223,13 @@ export async function resolveRemoteAuth(opts = {}) {
   bearerToken = "";
 
   // 2) Pre-auth against the backend /iam/login
+  const cfHeaders = resolveCfAccessHeaders();
+  const cfKeys = Object.keys(cfHeaders);
+  if (cfKeys.length) {
+    log(chalk.dim(`  CF Access headers: ${cfKeys.join(", ")} (id=${cfHeaders["CF-Access-Client-Id"]?.slice(0, 8)}…)`));
+  } else {
+    log(chalk.yellow("  ⚠ No CF Access service token found (set CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET)"));
+  }
   if (qaUser && qaPass && apiUrl) {
     try {
       if (suppressTls) suppressTls();
@@ -199,8 +238,8 @@ export async function resolveRemoteAuth(opts = {}) {
       try {
         const resp = await fetch(`${apiUrl}/iam/login`, {
           method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ username: qaUser, password: qaPass }),
+          headers: { "Content-Type": "application/json", ...cfHeaders },
+          body: JSON.stringify({ user: qaUser, password: qaPass }),
           signal: AbortSignal.timeout(10_000),
         });
         if (resp.ok) {
@@ -211,7 +250,9 @@ export async function resolveRemoteAuth(opts = {}) {
             return { bearerToken, qaUser, qaPass, useTokenMode: true };
           }
         } else {
-          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status}`));
+          const body = await resp.text().catch(() => "");
+          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status} (user=${qaUser})`));
+          if (body) log(chalk.dim(`  Response: ${body.slice(0, 200)}`));
         }
       } finally {
         if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
@@ -243,32 +284,8 @@ export async function resolveRemoteAuth(opts = {}) {
         if (resp.ok) {
           const data = await resp.json();
           if (data.access_token) {
-            // Validate the token against the target API before committing to it.
-            // Local Auth0 config may have a different audience than the remote VM expects.
-            let tokenValid = true;
-            if (apiUrl) {
-              try {
-                const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-                process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
-                try {
-                  const check = await fetch(`${apiUrl}/iam/me`, {
-                    headers: { Authorization: `Bearer ${data.access_token}` },
-                    signal: AbortSignal.timeout(8_000),
-                  });
-                  if (check.status === 401 || check.status === 403) {
-                    tokenValid = false;
-                    log(chalk.dim(`  Auth0 token rejected by API (wrong audience) — trying SSH fallback…`));
-                  }
-                } finally {
-                  if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-                  else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
-                }
-              } catch { /* network error — assume token is OK */ }
-            }
-            if (tokenValid) {
-              log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
-              return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
-            }
+            log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
+            return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
           }
         } else {
           log(chalk.dim(`  Auth0 rejected: HTTP ${resp.status}`));

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -275,7 +275,15 @@ export async function ensureAzAuth(execa, { subscription, throwOnMissing = false
     if (subscription) args.push("--subscription", subscription);
     const { stdout } = await execa("az", args, { timeout: 15000 });
     return JSON.parse(stdout);
-  } catch {
+  } catch (err) {
+    if (isAzSessionExpiredError(err)) {
+      const { suggested } = parseAzReloginHint(err);
+      const msg = `Azure session expired (MFA). Run:\n  ${suggested.replace(/\n/g, "\n  ")}`;
+      if (throwOnMissing) throw new Error(msg);
+      console.error(chalk.yellow(`\n  Azure session expired (MFA or token refresh required).`));
+      console.error(chalk.cyan(`  Run: ${suggested.split("\n")[0]}\n`));
+      process.exit(1);
+    }
     const msg = "Not logged in to Azure. Run: az login";
     if (throwOnMissing) throw new Error(msg);
     console.error(chalk.red("\n  Not logged in to Azure. Run: az login\n"));
@@ -447,7 +455,61 @@ async function refreshTokenViaGh(execa, missingScopes) {
 }
 
 export async function verifyGithubToken(token) {
-  if (!token) return { token, login: undefined };
+  if (!token) {
+    // No token anywhere — try gh CLI auth
+    const execa = await lazyExeca();
+    try {
+      const { stdout: ghToken, exitCode } = await execa("gh", ["auth", "token", "-h", "github.com"], { timeout: 10000, reject: false });
+      const existing = (ghToken || "").trim();
+      if (exitCode === 0 && existing) {
+        console.log(chalk.cyan("  No token in env/netrc — using gh CLI token"));
+        token = existing;
+      }
+    } catch { /* gh not installed or not authed */ }
+
+    if (!token) {
+      // Still no token — offer interactive gh auth login
+      console.log(chalk.yellow("\n  ⚠ No GitHub token found (checked --github-token, $GITHUB_TOKEN, ~/.netrc, gh CLI)"));
+      try {
+        const { exitCode: ghExists } = await execa("which", ["gh"], { reject: false, timeout: 5000 });
+        if (ghExists === 0) {
+          console.log(chalk.cyan("  ▶ Running gh auth login…\n"));
+          const { exitCode: loginExit } = await execa("gh", ["auth", "login", "-h", "github.com", "-s", "write:packages,repo"], { stdio: "inherit", reject: false, timeout: 300000 });
+          if (loginExit === 0) {
+            const { stdout: newToken } = await execa("gh", ["auth", "token", "-h", "github.com"], { timeout: 10000 });
+            token = (newToken || "").trim();
+            if (token) {
+              // Sync to .netrc for future use
+              const netrcPath = path.join(os.homedir(), ".netrc");
+              const entry = `machine github.com login x-access-token password ${token}`;
+              try {
+                let content = "";
+                try { content = fs.readFileSync(netrcPath, "utf8"); } catch {}
+                if (/^machine\s+github\.com\b/m.test(content)) {
+                  content = content.replace(
+                    /machine\s+github\.com\b[^\n]*(\n\s*(login|password)\s+[^\n]*)*/gm,
+                    entry,
+                  );
+                } else {
+                  content = content.trimEnd() + (content ? "\n" : "") + entry + "\n";
+                }
+                fs.writeFileSync(netrcPath, content, { mode: 0o600 });
+                console.log(chalk.green("  ✓ ~/.netrc updated"));
+              } catch {}
+            }
+          }
+        } else {
+          console.log(chalk.dim("  Install gh CLI to authenticate: https://cli.github.com"));
+        }
+      } catch {}
+
+      if (!token) {
+        console.error(chalk.red("  ✗ GitHub authentication required — GHCR pulls will fail without a token."));
+        console.error(chalk.dim("  Set $GITHUB_TOKEN, run gh auth login, or pass --github-token.\n"));
+        process.exit(1);
+      }
+    }
+  }
   const execa = await lazyExeca();
   try {
     let res = await fetch("https://api.github.com/user", {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -3273,7 +3273,7 @@ export async function azureSshWhitelistMe(opts = {}) {
 
   const merged = [...new Set([...currentSources.filter(s => s && s !== "*" && s !== "Internet"), myCidr])];
   console.log(chalk.yellow(`  ↻ Adding ${myCidr} to SSH rule on ${nsgName} (${currentSources.length} existing)...`));
-  const { exitCode: updateCode } = await execa("az", [
+  const { exitCode: updateCode, stderr: updateStderr } = await execa("az", [
     "network", "nsg", "rule", "create", "-g", rg, "--nsg-name", nsgName,
     "-n", sshRule?.name || "allow-ssh", "--priority", String(sshRule?.priority || 1000),
     "--destination-port-ranges", "22", "--access", "Allow",
@@ -3283,8 +3283,17 @@ export async function azureSshWhitelistMe(opts = {}) {
   ], { reject: false, timeout: 30000 });
 
   if (updateCode !== 0) {
-    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}\n`));
-    process.exit(1);
+    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}`));
+    const msg = (updateStderr || "").trim();
+    if (msg.includes("AADSTS") || msg.includes("Interactive authentication")) {
+      console.error(ERR("  Azure session expired — run: az login"));
+    } else if (msg.includes("AuthorizationFailed")) {
+      console.error(ERR("  Insufficient permissions to update NSG rules in this subscription."));
+    } else if (msg) {
+      console.error(DIM(`  ${msg.split("\n")[0]}`));
+    }
+    console.error("");
+    return;
   }
   console.log(OK(`\n  ✓ SSH (22) whitelisted for ${myCidr} on ${vmName} (${nsgName})\n`));
   console.log(`  Sources: ${merged.join(", ")}\n`);

package/src/plugins/bundled/fops-plugin-azure/lib/commands/test-cmds.js

@@ -78,6 +78,20 @@ export function registerTestCommands(azure) {
           : content + `\n${key}=${value}`;
       };
 
+      // Resolve CF Access service token for Cloudflare-proxied endpoints
+      let cfClientId = process.env.CF_ACCESS_CLIENT_ID || "";
+      let cfClientSecret = process.env.CF_ACCESS_CLIENT_SECRET || "";
+      if (!cfClientId) {
+        // Try reading from the compose .env
+        try {
+          const composeDotEnv = await fsp.readFile(path.join(root, ".env"), "utf8");
+          const idMatch = composeDotEnv.match(/^CF_ACCESS_CLIENT_ID=(.+)$/m);
+          const secretMatch = composeDotEnv.match(/^CF_ACCESS_CLIENT_SECRET=(.+)$/m);
+          if (idMatch) cfClientId = idMatch[1].trim();
+          if (secretMatch) cfClientSecret = secretMatch[1].trim();
+        } catch { /* .env may not exist */ }
+      }
+
       envContent = setVar(envContent, "API_URL", apiUrl);
       envContent = setVar(envContent, "DEV_API_URL", apiUrl);
       envContent = setVar(envContent, "LIVE_API_URL", apiUrl);
@@ -93,6 +107,10 @@ export function registerTestCommands(azure) {
         envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
         envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
       }
+      if (cfClientId && cfClientSecret) {
+        envContent = setVar(envContent, "CF_ACCESS_CLIENT_ID", cfClientId);
+        envContent = setVar(envContent, "CF_ACCESS_CLIENT_SECRET", cfClientSecret);
+      }
 
       await fsp.writeFile(envPath, envContent);
       console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
@@ -154,6 +172,10 @@ export function registerTestCommands(azure) {
         testEnv.BEARER_TOKEN = bearerToken;
         testEnv.TOKEN_AUTH0 = bearerToken;
       }
+      if (cfClientId && cfClientSecret) {
+        testEnv.CF_ACCESS_CLIENT_ID = cfClientId;
+        testEnv.CF_ACCESS_CLIENT_SECRET = cfClientSecret;
+      }
 
       const startMs = Date.now();
       const proc = execaFn(

package/src/plugins/bundled/fops-plugin-foundation/index.js

@@ -986,11 +986,24 @@ app.run()
       .option("--url <url>", "Override the backend API URL")
       .action(async (opts) => {
         const { spawn } = await import("node:child_process");
-        const { writeFileSync, existsSync, realpathSync, readFileSync } = await import("node:fs");
+        const { writeFileSync, existsSync, realpathSync, readFileSync, unlinkSync, mkdirSync } = await import("node:fs");
         const { tmpdir, homedir } = await import("node:os");
         const { join, dirname } = await import("node:path");
         const { findComposeRoot } = await import("./lib/tools-write.js");
 
+        // ── Singleton: kill any existing tray process ──────────────────────────
+        const pidDir = join(homedir(), ".fops");
+        const pidFile = join(pidDir, "tray.pid");
+        if (existsSync(pidFile)) {
+          try {
+            const oldPid = parseInt(readFileSync(pidFile, "utf8").trim(), 10);
+            if (oldPid) process.kill(oldPid, "SIGTERM");
+          } catch {
+            // process already gone — ignore
+          }
+          try { unlinkSync(pidFile); } catch {}
+        }
+
         const composeRoot = program._fopsRoot || findComposeRoot() || "";
 
         let apiUrl = opts.url || process.env.FOPS_API_URL || "http://127.0.0.1:9001";
@@ -1235,6 +1248,8 @@ $tray.Visible = $false
             env: trayEnv,
             windowsHide: true,
           });
+          if (!existsSync(pidDir)) mkdirSync(pidDir, { recursive: true });
+          writeFileSync(pidFile, String(winChild.pid));
           winChild.unref();
           return;
         }
@@ -1995,6 +2010,8 @@ app.run()
           detached: true,
           env: trayEnv,
         });
+        if (!existsSync(pidDir)) mkdirSync(pidDir, { recursive: true });
+        writeFileSync(pidFile, String(child.pid));
         child.unref();
       });
   });