npm - @meshxdata/fops - Versions diffs - 0.1.40 → 0.1.41 - Mend

@meshxdata/fops 0.1.40 → 0.1.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (45) hide show

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks.js CHANGED Viewed

@@ -148,7 +148,7 @@ function resolveFluxConfig(clusterName, opts) {
   return {
     fluxRepo: opts?.fluxRepo ?? tracked?.flux?.repo ?? az.fluxRepo ?? project?.fluxRepo ?? AKS_DEFAULTS.fluxRepo,
     fluxOwner: opts?.fluxOwner ?? tracked?.flux?.owner ?? az.fluxOwner ?? project?.fluxOwner ?? AKS_DEFAULTS.fluxOwner,
-    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || `clusters/${clusterName}`,
+    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || AKS_DEFAULTS.fluxPath,
     fluxBranch: opts?.fluxBranch ?? tracked?.flux?.branch ?? az.fluxBranch ?? project?.fluxBranch ?? AKS_DEFAULTS.fluxBranch,
   };
 }
@@ -182,107 +182,6 @@ function requireCluster(name) {
   };
 }
-// ── Flux local-repo scaffolding ───────────────────────────────────────────────
-/**
- * Auto-detect the local flux repo clone.
- * Searches common relative paths from the project root and CWD.
- */
-function findFluxLocalRepo() {
-  const state = readState();
-  const projectRoot = state.azure?.projectRoot || state.projectRoot;
-  const candidates = [];
-  if (projectRoot) {
-    candidates.push(path.resolve(projectRoot, "..", "flux"));
-    candidates.push(path.resolve(projectRoot, "flux"));
-  }
-  candidates.push(path.resolve("../flux"));
-  candidates.push(path.resolve("../../flux"));
-  for (const p of candidates) {
-    if (fs.existsSync(path.join(p, "clusters"))) return p;
-  }
-  return null;
-}
-/**
- * Resolve the bundled cluster template directory shipped with the CLI.
- */
-function resolveClusterTemplate() {
-  const thisDir = path.dirname(fileURLToPath(import.meta.url));
-  return path.resolve(thisDir, "..", "templates", "cluster");
-}
-/**
- * Scaffold a new cluster directory in the local flux repo from the bundled
- * template, substituting {{CLUSTER_NAME}} and {{OVERLAY}} placeholders.
- * Then commits and pushes the change.
- */
-async function scaffoldFluxCluster(execa, { clusterName, fluxLocalRepo, overlay }) {
-  const templateDir = resolveClusterTemplate();
-  const destDir = path.join(fluxLocalRepo, "clusters", clusterName);
-  if (!fs.existsSync(templateDir)) {
-    console.log(WARN(`  ⚠ Cluster template not found at ${templateDir}`));
-    return false;
-  }
-  if (fs.existsSync(destDir)) {
-    console.log(OK(`  ✓ Cluster directory already exists: clusters/${clusterName}`));
-    return true;
-  }
-  const vars = {
-    "{{CLUSTER_NAME}}": clusterName,
-    "{{OVERLAY}}": overlay || "demo-azure",
-  };
-  hint("Scaffolding Flux cluster manifests…");
-  function copyDir(src, dest) {
-    fs.mkdirSync(dest, { recursive: true });
-    for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
-      const srcPath = path.join(src, entry.name);
-      const destPath = path.join(dest, entry.name);
-      if (entry.isDirectory()) {
-        copyDir(srcPath, destPath);
-      } else {
-        let content = fs.readFileSync(srcPath, "utf8");
-        for (const [k, v] of Object.entries(vars)) {
-          content = content.replaceAll(k, v);
-        }
-        fs.writeFileSync(destPath, content);
-      }
-    }
-  }
-  copyDir(templateDir, destDir);
-  console.log(OK(`  ✓ Cluster directory created: clusters/${clusterName}`));
-  // List remaining placeholders
-  const remaining = [];
-  for (const line of fs.readFileSync(path.join(destDir, "kustomization.yaml"), "utf8").split("\n")) {
-    const m = line.match(/\{\{(\w+)\}\}/g);
-    if (m) remaining.push(...m);
-  }
-  // Git add + commit + push
-  hint("Committing and pushing to flux repo…");
-  try {
-    await execa("git", ["-C", fluxLocalRepo, "add", `clusters/${clusterName}`], { timeout: 15000 });
-    await execa("git", ["-C", fluxLocalRepo, "commit", "-m", `Add cluster ${clusterName}`], { timeout: 15000 });
-    await execa("git", ["-C", fluxLocalRepo, "push"], { timeout: 60000 });
-    console.log(OK(`  ✓ Pushed clusters/${clusterName} to flux repo`));
-  } catch (err) {
-    const msg = (err.stderr || err.message || "").split("\n")[0];
-    console.log(WARN(`  ⚠ Git push failed: ${msg}`));
-    hint(`Manually commit and push clusters/${clusterName} in the flux repo`);
-  }
-  return true;
-}
 // ── Flux helpers ──────────────────────────────────────────────────────────────
 async function ensureFluxCli(execa) {
@@ -345,18 +244,6 @@ export async function aksUp(opts = {}) {
   if (exists === 0) {
     console.log(WARN(`\n  Cluster "${clusterName}" already exists — reconciling…`));
-    // Scaffold cluster directory if it doesn't exist yet
-    if (!opts.noFlux) {
-      const fluxLocalRepo = opts.fluxLocalRepo || findFluxLocalRepo();
-      if (fluxLocalRepo) {
-        await scaffoldFluxCluster(execa, {
-          clusterName,
-          fluxLocalRepo,
-          overlay: opts.overlay,
-        });
-      }
-    }
     const maxPods = opts.maxPods || 110;
     const ctx = { execa, clusterName, rg, sub, opts, minCount, maxCount, maxPods };
     await reconcileCluster(ctx);
@@ -460,22 +347,7 @@ export async function aksUp(opts = {}) {
   const fluxRepo = opts.fluxRepo ?? AKS_DEFAULTS.fluxRepo;
   const fluxOwner = opts.fluxOwner ?? AKS_DEFAULTS.fluxOwner;
   const fluxBranch = opts.fluxBranch ?? AKS_DEFAULTS.fluxBranch;
-  const fluxPath = opts.fluxPath || `clusters/${clusterName}`;
-  // Scaffold cluster directory in the flux repo before bootstrapping
-  if (!opts.noFlux) {
-    const fluxLocalRepo = opts.fluxLocalRepo || findFluxLocalRepo();
-    if (fluxLocalRepo) {
-      await scaffoldFluxCluster(execa, {
-        clusterName,
-        fluxLocalRepo,
-        templateCluster: opts.templateCluster,
-      });
-    } else {
-      console.log(WARN("  ⚠ Local flux repo not found — skipping cluster scaffolding."));
-      hint("Pass --flux-local-repo <path> or clone meshxdata/flux next to foundation-compose.");
-    }
-  }
+  const fluxPath = opts.fluxPath || AKS_DEFAULTS.fluxPath;
   if (opts.noFlux) {
     console.log("");

package/src/plugins/bundled/fops-plugin-azure/lib/azure-auth.js CHANGED Viewed

@@ -13,7 +13,7 @@ export function hashContent(text) {
 }
 /**
- * Resolve Foundation credentials from env → ~/.fops.json → .env files.
+ * Resolve Foundation credentials from env → .env → ~/.fops.json.
  * Returns { bearerToken } or { user, password } or null.
  */
 export function resolveFoundationCreds() {
@@ -26,25 +26,6 @@ export function resolveFoundationCreds() {
     if (cfg.bearerToken?.trim()) return { bearerToken: cfg.bearerToken.trim() };
     if (cfg.user?.trim() && cfg.password) return { user: cfg.user.trim(), password: cfg.password };
   } catch { /* no fops.json */ }
-  // Fall back to .env files for credentials
-  const envCandidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
-  try {
-    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
-    if (raw?.projectRoot) envCandidates.unshift(pathMod.join(raw.projectRoot, ".env"));
-  } catch { /* ignore */ }
-  for (const ep of envCandidates) {
-    try {
-      const lines = fs.readFileSync(ep, "utf8").split("\n");
-      const get = (k) => {
-        const ln = lines.find((l) => l.startsWith(`${k}=`));
-        return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : "";
-      };
-      const user = get("QA_USERNAME") || get("FOUNDATION_USERNAME");
-      const pass = get("QA_PASSWORD") || get("FOUNDATION_PASSWORD");
-      if (user && pass) return { user, password: pass };
-    } catch { /* try next */ }
-  }
   return null;
 }
@@ -60,44 +41,12 @@ export function suppressTlsWarning() {
   };
 }
-/**
- * Resolve Cloudflare Access service-token headers from env or .env files.
- * Returns { "CF-Access-Client-Id": ..., "CF-Access-Client-Secret": ... } or {}.
- */
-let _cfAccessHeaders;
-export function resolveCfAccessHeaders() {
-  if (_cfAccessHeaders !== undefined) return _cfAccessHeaders;
-  let id = process.env.CF_ACCESS_CLIENT_ID || "";
-  let secret = process.env.CF_ACCESS_CLIENT_SECRET || "";
-  if (!id) {
-    // Try .env files
-    const candidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
-    try {
-      const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
-      if (raw?.projectRoot) candidates.unshift(pathMod.join(raw.projectRoot, ".env"));
-    } catch {}
-    for (const ep of candidates) {
-      try {
-        const lines = fs.readFileSync(ep, "utf8").split("\n");
-        const get = (k) => { const ln = lines.find((l) => l.startsWith(`${k}=`)); return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : ""; };
-        id = id || get("CF_ACCESS_CLIENT_ID");
-        secret = secret || get("CF_ACCESS_CLIENT_SECRET");
-        if (id && secret) break;
-      } catch {}
-    }
-  }
-  _cfAccessHeaders = id && secret ? { "CF-Access-Client-Id": id, "CF-Access-Client-Secret": secret } : {};
-  return _cfAccessHeaders;
-}
 export async function vmFetch(url, opts = {}) {
   suppressTlsWarning();
   const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
   process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
   try {
-    const cfHeaders = resolveCfAccessHeaders();
-    const headers = { ...cfHeaders, ...(opts.headers || {}) };
-    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts, headers });
+    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts });
   } finally {
     if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
     else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
@@ -213,7 +162,7 @@ export async function resolveRemoteAuth(opts = {}) {
   const creds = resolveFoundationCreds();
   let qaUser = creds?.user || process.env.QA_USERNAME || process.env.FOUNDATION_USERNAME || "operator@local";
-  let qaPass = creds?.password || process.env.QA_PASSWORD || process.env.FOUNDATION_PASSWORD || "";
+  let qaPass = creds?.password || process.env.QA_PASSWORD || "";
   let bearerToken = creds?.bearerToken || "";
   // 1) Use local bearer if it's a valid JWT
@@ -223,13 +172,6 @@ export async function resolveRemoteAuth(opts = {}) {
   bearerToken = "";
   // 2) Pre-auth against the backend /iam/login
-  const cfHeaders = resolveCfAccessHeaders();
-  const cfKeys = Object.keys(cfHeaders);
-  if (cfKeys.length) {
-    log(chalk.dim(`  CF Access headers: ${cfKeys.join(", ")} (id=${cfHeaders["CF-Access-Client-Id"]?.slice(0, 8)}…)`));
-  } else {
-    log(chalk.yellow("  ⚠ No CF Access service token found (set CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET)"));
-  }
   if (qaUser && qaPass && apiUrl) {
     try {
       if (suppressTls) suppressTls();
@@ -238,8 +180,8 @@ export async function resolveRemoteAuth(opts = {}) {
       try {
         const resp = await fetch(`${apiUrl}/iam/login`, {
           method: "POST",
-          headers: { "Content-Type": "application/json", ...cfHeaders },
-          body: JSON.stringify({ user: qaUser, password: qaPass }),
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ username: qaUser, password: qaPass }),
           signal: AbortSignal.timeout(10_000),
         });
         if (resp.ok) {
@@ -250,9 +192,7 @@ export async function resolveRemoteAuth(opts = {}) {
             return { bearerToken, qaUser, qaPass, useTokenMode: true };
           }
         } else {
-          const body = await resp.text().catch(() => "");
-          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status} (user=${qaUser})`));
-          if (body) log(chalk.dim(`  Response: ${body.slice(0, 200)}`));
+          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status}`));
         }
       } finally {
         if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
@@ -284,8 +224,32 @@ export async function resolveRemoteAuth(opts = {}) {
         if (resp.ok) {
           const data = await resp.json();
           if (data.access_token) {
-            log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
-            return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
+            // Validate the token against the target API before committing to it.
+            // Local Auth0 config may have a different audience than the remote VM expects.
+            let tokenValid = true;
+            if (apiUrl) {
+              try {
+                const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+                process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+                try {
+                  const check = await fetch(`${apiUrl}/iam/me`, {
+                    headers: { Authorization: `Bearer ${data.access_token}` },
+                    signal: AbortSignal.timeout(8_000),
+                  });
+                  if (check.status === 401 || check.status === 403) {
+                    tokenValid = false;
+                    log(chalk.dim(`  Auth0 token rejected by API (wrong audience) — trying SSH fallback…`));
+                  }
+                } finally {
+                  if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+                  else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
+                }
+              } catch { /* network error — assume token is OK */ }
+            }
+            if (tokenValid) {
+              log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
+              return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
+            }
           }
         } else {
           log(chalk.dim(`  Auth0 rejected: HTTP ${resp.status}`));

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js CHANGED Viewed

@@ -275,15 +275,7 @@ export async function ensureAzAuth(execa, { subscription, throwOnMissing = false
     if (subscription) args.push("--subscription", subscription);
     const { stdout } = await execa("az", args, { timeout: 15000 });
     return JSON.parse(stdout);
-  } catch (err) {
-    if (isAzSessionExpiredError(err)) {
-      const { suggested } = parseAzReloginHint(err);
-      const msg = `Azure session expired (MFA). Run:\n  ${suggested.replace(/\n/g, "\n  ")}`;
-      if (throwOnMissing) throw new Error(msg);
-      console.error(chalk.yellow(`\n  Azure session expired (MFA or token refresh required).`));
-      console.error(chalk.cyan(`  Run: ${suggested.split("\n")[0]}\n`));
-      process.exit(1);
-    }
+  } catch {
     const msg = "Not logged in to Azure. Run: az login";
     if (throwOnMissing) throw new Error(msg);
     console.error(chalk.red("\n  Not logged in to Azure. Run: az login\n"));
@@ -455,61 +447,7 @@ async function refreshTokenViaGh(execa, missingScopes) {
 }
 export async function verifyGithubToken(token) {
-  if (!token) {
-    // No token anywhere — try gh CLI auth
-    const execa = await lazyExeca();
-    try {
-      const { stdout: ghToken, exitCode } = await execa("gh", ["auth", "token", "-h", "github.com"], { timeout: 10000, reject: false });
-      const existing = (ghToken || "").trim();
-      if (exitCode === 0 && existing) {
-        console.log(chalk.cyan("  No token in env/netrc — using gh CLI token"));
-        token = existing;
-      }
-    } catch { /* gh not installed or not authed */ }
-    if (!token) {
-      // Still no token — offer interactive gh auth login
-      console.log(chalk.yellow("\n  ⚠ No GitHub token found (checked --github-token, $GITHUB_TOKEN, ~/.netrc, gh CLI)"));
-      try {
-        const { exitCode: ghExists } = await execa("which", ["gh"], { reject: false, timeout: 5000 });
-        if (ghExists === 0) {
-          console.log(chalk.cyan("  ▶ Running gh auth login…\n"));
-          const { exitCode: loginExit } = await execa("gh", ["auth", "login", "-h", "github.com", "-s", "write:packages,repo"], { stdio: "inherit", reject: false, timeout: 300000 });
-          if (loginExit === 0) {
-            const { stdout: newToken } = await execa("gh", ["auth", "token", "-h", "github.com"], { timeout: 10000 });
-            token = (newToken || "").trim();
-            if (token) {
-              // Sync to .netrc for future use
-              const netrcPath = path.join(os.homedir(), ".netrc");
-              const entry = `machine github.com login x-access-token password ${token}`;
-              try {
-                let content = "";
-                try { content = fs.readFileSync(netrcPath, "utf8"); } catch {}
-                if (/^machine\s+github\.com\b/m.test(content)) {
-                  content = content.replace(
-                    /machine\s+github\.com\b[^\n]*(\n\s*(login|password)\s+[^\n]*)*/gm,
-                    entry,
-                  );
-                } else {
-                  content = content.trimEnd() + (content ? "\n" : "") + entry + "\n";
-                }
-                fs.writeFileSync(netrcPath, content, { mode: 0o600 });
-                console.log(chalk.green("  ✓ ~/.netrc updated"));
-              } catch {}
-            }
-          }
-        } else {
-          console.log(chalk.dim("  Install gh CLI to authenticate: https://cli.github.com"));
-        }
-      } catch {}
-      if (!token) {
-        console.error(chalk.red("  ✗ GitHub authentication required — GHCR pulls will fail without a token."));
-        console.error(chalk.dim("  Set $GITHUB_TOKEN, run gh auth login, or pass --github-token.\n"));
-        process.exit(1);
-      }
-    }
-  }
+  if (!token) return { token, login: undefined };
   const execa = await lazyExeca();
   try {
     let res = await fetch("https://api.github.com/user", {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js CHANGED Viewed

@@ -2369,6 +2369,31 @@ export async function azureList(opts = {}) {
   let aksClusters = (fullState.azure || {}).clusters || {};
   let hasAks = Object.keys(aksClusters).length > 0;
+  // Always try to discover VMs from Azure (tag managed=fops) so we re-add any that were
+  // lost from local state (e.g. state file reset or edited).
+  try {
+    const execa = await lazyExeca();
+    await ensureAzCli(execa);
+    await ensureAzAuth(execa, { subscription: opts.subscription });
+    const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
+    if (found > 0) {
+      console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
+      ({ activeVm, vms } = listVms());
+      vmNames = Object.keys(vms);
+      fullState = readState();
+      aksClusters = (fullState.azure || {}).clusters || {};
+      hasAks = Object.keys(aksClusters).length > 0;
+    }
+  } catch { /* az not available or not authenticated */ }
+  if (vmNames.length === 0 && !hasAks) {
+    banner("Azure VMs");
+    hint("No VMs or clusters found in Azure.");
+    hint("Create a VM:       fops azure up <name>");
+    hint("Create a cluster:  fops azure aks up <name>\n");
+    return;
+  }
   // Use cache if fresh, otherwise try shared tags, then fall back to full sync
   const forceLive = opts.live;
   let cache = readCache();
@@ -2389,37 +2414,13 @@ export async function azureList(opts = {}) {
       } catch { /* tag read failed, fall through to full sync */ }
     }
-    // Discovery + full sync only when all caches are stale
     if (!fresh) {
-      try {
-        const execa = await lazyExeca();
-        await ensureAzCli(execa);
-        await ensureAzAuth(execa, { subscription: opts.subscription });
-        const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
-        if (found > 0) {
-          console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
-          ({ activeVm, vms } = listVms());
-          vmNames = Object.keys(vms);
-          fullState = readState();
-          aksClusters = (fullState.azure || {}).clusters || {};
-          hasAks = Object.keys(aksClusters).length > 0;
-        }
-      } catch { /* az not available or not authenticated */ }
       await azureSync({ quiet: !opts.verbose });
       cache = readCache();
       cacheSource = "live";
     }
   }
-  if (vmNames.length === 0 && !hasAks) {
-    banner("Azure VMs");
-    hint("No VMs or clusters found in Azure.");
-    hint("Create a VM:       fops azure up <name>");
-    hint("Create a cluster:  fops azure aks up <name>\n");
-    return;
-  }
   const cachedVms = cache?.vms || {};
   const cachedClusters = cache?.clusters || {};
   const cacheTime = cache?.updatedAt;
@@ -3273,7 +3274,7 @@ export async function azureSshWhitelistMe(opts = {}) {
   const merged = [...new Set([...currentSources.filter(s => s && s !== "*" && s !== "Internet"), myCidr])];
   console.log(chalk.yellow(`  ↻ Adding ${myCidr} to SSH rule on ${nsgName} (${currentSources.length} existing)...`));
-  const { exitCode: updateCode, stderr: updateStderr } = await execa("az", [
+  const { exitCode: updateCode } = await execa("az", [
     "network", "nsg", "rule", "create", "-g", rg, "--nsg-name", nsgName,
     "-n", sshRule?.name || "allow-ssh", "--priority", String(sshRule?.priority || 1000),
     "--destination-port-ranges", "22", "--access", "Allow",
@@ -3283,17 +3284,8 @@ export async function azureSshWhitelistMe(opts = {}) {
   ], { reject: false, timeout: 30000 });
   if (updateCode !== 0) {
-    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}`));
-    const msg = (updateStderr || "").trim();
-    if (msg.includes("AADSTS") || msg.includes("Interactive authentication")) {
-      console.error(ERR("  Azure session expired — run: az login"));
-    } else if (msg.includes("AuthorizationFailed")) {
-      console.error(ERR("  Insufficient permissions to update NSG rules in this subscription."));
-    } else if (msg) {
-      console.error(DIM(`  ${msg.split("\n")[0]}`));
-    }
-    console.error("");
-    return;
+    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}\n`));
+    process.exit(1);
   }
   console.log(OK(`\n  ✓ SSH (22) whitelisted for ${myCidr} on ${vmName} (${nsgName})\n`));
   console.log(`  Sources: ${merged.join(", ")}\n`);

package/src/plugins/bundled/fops-plugin-azure/lib/azure-shared-cache.js CHANGED Viewed

@@ -22,7 +22,7 @@ import { readState, listVms } from "./azure-state.js";
 //   fops_by       = alessio                  (who synced)
 const TAG_PREFIX = "fops_";
-const TAG_MAX_AGE_MS = 20 * 60 * 1000; // 20 minutes — tags are cheaper to check
+const TAG_MAX_AGE_MS = 10 * 60 * 1000; // 10 minutes — tags are cheaper to check
 // ── Write: publish probe results as tags on a VM ─────────────────────────────

package/src/plugins/bundled/fops-plugin-azure/lib/azure-sync.js CHANGED Viewed

@@ -12,7 +12,7 @@ import {
 // Stored in ~/.fops.json under azure.cache:
 //   { updatedAt, vms: { <name>: { ... } }, clusters: { <name>: { ... } } }
-const CACHE_MAX_AGE_MS = 15 * 60 * 1000; // 15 minutes
+const CACHE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes
 // Short keys for the 6 tracked Foundation services
 const SVC_MAP = {
@@ -169,16 +169,16 @@ async function syncVms(execa) {
       // After a knock, iptables rule needs a moment to propagate; first SSH needs full handshake.
       // Brief delay then retry once to avoid false "unreachable" (e.g. uaenorth latency).
-      await new Promise((r) => setTimeout(r, 400));
+      await new Promise((r) => setTimeout(r, 800));
       let sshOk = false;
       for (let attempt = 0; attempt < 2; attempt++) {
         const { exitCode: sshCode } = await execa("ssh", [
           ...MUX_OPTS(vm.publicIp, DEFAULTS.adminUser),
           "-o", "BatchMode=yes",
           `${DEFAULTS.adminUser}@${vm.publicIp}`, "echo ok",
-        ], { timeout: 8000, reject: false }).catch(() => ({ exitCode: 1 }));
+        ], { timeout: 15000, reject: false }).catch(() => ({ exitCode: 1 }));
         if (sshCode === 0) { sshOk = true; break; }
-        if (attempt === 0) await new Promise((r) => setTimeout(r, 1000));
+        if (attempt === 0) await new Promise((r) => setTimeout(r, 2000));
       }
       if (!sshOk) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-vm-lifecycle.js CHANGED Viewed

@@ -257,6 +257,10 @@ export async function azureUp(opts = {}) {
   if (!publicIp) { console.error(ERR("  VM created but no public IP assigned.")); process.exit(1); }
   console.log(OK(`  ✓ VM created — ${publicIp}`));
+  // Persist IP immediately so it's never lost if later steps fail or user Ctrl+C's
+  const publicUrl = opts.url || defaultUrl;
+  writeVmState(vmName, { resourceGroup: rg, location, publicIp, publicUrl, subscriptionId: subId, createdAt: new Date().toISOString() });
   hint("Enabling accelerated networking…");
   const nicName = `${vmName}VMNic`;
   const dealloc = await execa("az", ["vm", "deallocate", "-g", rg, "-n", vmName, "--output", "none", ...subArgs(sub)], { reject: false, timeout: 120000 });
@@ -361,9 +365,6 @@ export async function azureUp(opts = {}) {
   ], { reject: false, timeout: 30000 });
   console.log(OK("  ✓ Knock port range open"));
-  const publicUrl = opts.url || defaultUrl;
-  writeVmState(vmName, { resourceGroup: rg, location, publicIp, publicUrl, subscriptionId: subId, createdAt: new Date().toISOString() });
   // Save SSH key to 1Password if available
   try {
     const { opWhoami, opEnsureVault, opSaveSSHKey } = await import("../../fops-plugin-1password/lib/op.js");
@@ -393,6 +394,12 @@ export async function azureUp(opts = {}) {
   await syncDns(cfToken, publicUrl, publicIp);
   await ensureOpenAiNetworkAccess(execa, publicIp, sub);
+  // Print IP/URL prominently before the long SSH wait so users don't miss it
+  console.log("");
+  kvLine("IP",  ACCENT(publicIp));
+  kvLine("URL", ACCENT(publicUrl));
+  console.log("");
   console.log(chalk.magenta("  ✻") + " " + DIM("Waiting for SSH…"));
   const sshMaxWait = 300000;
   let ready = await waitForSsh(execa, publicIp, adminUser, sshMaxWait);

package/src/plugins/bundled/fops-plugin-azure/lib/commands/infra-cmds.js CHANGED Viewed

@@ -508,8 +508,6 @@ export function registerInfraCommands(azure) {
     .option("--github-token <token>", "GitHub PAT for Flux + GHCR pull (default: $GITHUB_TOKEN)")
     .option("--no-flux", "Skip Flux bootstrap")
     .option("--no-postgres", "Skip Postgres Flexible Server provisioning")
-    .option("--flux-local-repo <path>", "Path to local flux repo clone (auto-detected if omitted)")
-    .option("--overlay <name>", "App overlay name in flux repo (default: demo-azure)")
     .option("--dai", "Include DAI (Dashboards AI) workloads")
     .action(async (name, opts) => {
       const { aksUp } = await import("../azure-aks.js");
@@ -526,8 +524,6 @@ export function registerInfraCommands(azure) {
         githubToken: opts.githubToken,
         noFlux: opts.flux === false,
         noPostgres: opts.postgres === false,
-        fluxLocalRepo: opts.fluxLocalRepo,
-        overlay: opts.overlay,
         dai: opts.dai === true,
       });
     });

package/src/plugins/bundled/fops-plugin-azure/lib/commands/test-cmds.js CHANGED Viewed

@@ -78,20 +78,6 @@ export function registerTestCommands(azure) {
           : content + `\n${key}=${value}`;
       };
-      // Resolve CF Access service token for Cloudflare-proxied endpoints
-      let cfClientId = process.env.CF_ACCESS_CLIENT_ID || "";
-      let cfClientSecret = process.env.CF_ACCESS_CLIENT_SECRET || "";
-      if (!cfClientId) {
-        // Try reading from the compose .env
-        try {
-          const composeDotEnv = await fsp.readFile(path.join(root, ".env"), "utf8");
-          const idMatch = composeDotEnv.match(/^CF_ACCESS_CLIENT_ID=(.+)$/m);
-          const secretMatch = composeDotEnv.match(/^CF_ACCESS_CLIENT_SECRET=(.+)$/m);
-          if (idMatch) cfClientId = idMatch[1].trim();
-          if (secretMatch) cfClientSecret = secretMatch[1].trim();
-        } catch { /* .env may not exist */ }
-      }
       envContent = setVar(envContent, "API_URL", apiUrl);
       envContent = setVar(envContent, "DEV_API_URL", apiUrl);
       envContent = setVar(envContent, "LIVE_API_URL", apiUrl);
@@ -107,10 +93,6 @@ export function registerTestCommands(azure) {
         envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
         envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
       }
-      if (cfClientId && cfClientSecret) {
-        envContent = setVar(envContent, "CF_ACCESS_CLIENT_ID", cfClientId);
-        envContent = setVar(envContent, "CF_ACCESS_CLIENT_SECRET", cfClientSecret);
-      }
       await fsp.writeFile(envPath, envContent);
       console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
@@ -172,10 +154,6 @@ export function registerTestCommands(azure) {
         testEnv.BEARER_TOKEN = bearerToken;
         testEnv.TOKEN_AUTH0 = bearerToken;
       }
-      if (cfClientId && cfClientSecret) {
-        testEnv.CF_ACCESS_CLIENT_ID = cfClientId;
-        testEnv.CF_ACCESS_CLIENT_SECRET = cfClientSecret;
-      }
       const startMs = Date.now();
       const proc = execaFn(

package/src/plugins/bundled/fops-plugin-azure/lib/commands/vm-cmds.js CHANGED Viewed

@@ -171,6 +171,36 @@ export function registerVmCommands(azure, api, registry) {
       await azureList({ live: opts.live, verbose: opts.verbose, cost: opts.cost, days: parseInt(opts.days), versions: opts.versions });
     });
+  // ── ip ─────────────────────────────────────────────────────────────────
+  azure
+    .command("ip [name]")
+    .description("Print the public IP (and URL) of a VM — quick lookup")
+    .option("--resolve", "Query Azure for the current IP (ignores cached)")
+    .action(async (name, opts) => {
+      const { requireVmState } = await import("../azure-state.js");
+      const state = requireVmState(name);
+      let ip = state.publicIp;
+      if (opts.resolve) {
+        const { lazyExeca, ensureAzCli, ensureAzAuth, resolvePublicIp, subArgs } = await import("../azure.js");
+        const { writeVmState } = await import("../azure-state.js");
+        const execa = await lazyExeca();
+        await ensureAzCli(execa);
+        await ensureAzAuth(execa);
+        ip = await resolvePublicIp(execa, state.resourceGroup, state.vmName, state.publicIp);
+        if (ip && ip !== state.publicIp) {
+          writeVmState(state.vmName, { publicIp: ip });
+        }
+      }
+      if (!ip) {
+        console.error(chalk.red("\n  No IP address found. Is the VM running? Try: fops azure start\n"));
+        process.exit(1);
+      }
+      console.log(ip);
+      if (state.publicUrl) console.log(chalk.dim(state.publicUrl));
+    });
   // ── select ───────────────────────────────────────────────────────────────
   azure
     .command("select [name]")