@meshxdata/fops 0.1.40 → 0.1.42

package/CHANGELOG.md

@@ -1,194 +1,11 @@
-## [0.1.40] - 2026-03-10
-
-- callback url for localhost (821fb94)
-- disable 4 scaffolding plugin by default. (bfb2b76)
-- jaccard improvements (b7494a0)
-- refactor azure plugin (68dfef4)
-- refactor azure plugin (b24a008)
-- fix trino catalog missing (4928a55)
-- v36 bump and changelog generation on openai (37a0440)
-- v36 bump and changelog generation on openai (a3b02d9)
-- bump (a990058)
-- status bar fix and new plugin for ttyd (27dde1e)
-- file demo and tray (1a3e704)
-- electron app (59ad0bb)
-- compose and fops file plugin (1cf0e81)
-- bump (346ffc1)
-- localhost replaced by 127.0.0.1 (82b9f30)
-- .29 (587b0e1)
-- improve up down and bootstrap script (b79ebaf)
-- checksum (22c8086)
-- checksum (96b434f)
-- checksum (15ed3c0)
-- checksum (8a6543a)
-- bump embed trino linksg (8440504)
-- bump data (765ffd9)
-- bump (cb8b232)
-- broken tests (c532229)
-- release 0.1.18, preflight checks (d902249)
-- fix compute display bug (d10f5d9)
-- cleanup packer files (6330f18)
-- plan mode (cb36a8a)
-- bump to 0.1.16 - agent ui (41ac1a2)
-- bump to 0.1.15 - agent ui (4ebe2e1)
-- bump to 0.1.14 (6c3a7fa)
-- bump to 0.1.13 (8db570f)
-- release 0.1.12 (c1c79e5)
-- bump (11aa3b0)
-- git keep and bump tui (be1678e)
-- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
-- cloudflare and token consumption, graphs indexing (0ad9eec)
-- bump storage default (22c83ba)
-- storage fix (68a22a0)
-- skills update (7f56500)
-- v9 bump (3864446)
-- bump (c95eedc)
-- rrf (dbf8c95)
-- feat: warning when running predictions (95e8c52)
-- feat: support for local predictions (45cf26b)
-- feat: wip support for predictions + mlflow (3457052)
-- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
-- validate CSV headers in compute_run readiness check (a8c7a43)
-- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
-- enforce: never use foundation_apply to fix broken products (2e049bf)
-- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
-- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
-- skills update (1220385)
-- skills update (bb66958)
-- some tui improvement andd tools apply overwrite (e90c35c)
-- skills update (e9227a1)
-- skills update (669c4b3)
-- fix plugin pre-flight checks (f741743)
-- increase agent context (6479aaa)
-- skills and init sql fixes (5fce35e)
-- checksum (3518b56)
-- penging job limit (a139861)
-- checksum (575d28c)
-- bump (92049ba)
-- fix bug per tab status (0a33657)
-- fix bug per tab status (50457c6)
-- checksumming (0ad842e)
-- shot af mardkwon overlapping (51f63b9)
-- add spark dockerfile for multiarch builds (95abbd1)
-- fix plugin initialization (16b9782)
-- split index.js (50902a2)
-- cloudflare cidr (cc4e021)
-- cloduflare restrictions (2f6ba2d)
-- sequential start (86b496e)
-- sequential start (4930fe1)
-- sequential start (353f014)
-- qa tests (2dc6a1a)
-- bump sha for .85 (dc2edfe)
-- preserve env on sudo (7831227)
-- bump sha for .84 (6c052f9)
-- non interactive for azure vms (0aa8a2f)
-- keep .env if present (d072450)
-- bump (7a8e732)
-- ensure opa is on compose if not set (f4a5228)
-- checksum bump (a2ccc20)
-- netrc defensive checks (a0b0ccc)
-- netrc defensive checks (ae37403)
-- checksum (ec45d11)
-- update sync and fix up (7f9af72)
-- expand test for azure and add new per app tag support (388a168)
-- checksum on update (44005fc)
-- cleanup for later (15e5313)
-- cleanup for later (11c9597)
-- switch branch feature (822fecc)
-- add pull (d1c19ab)
-- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
-- tests (f180a9a)
-- cleanup (39c49a3)
-- registry (7b7126a)
-- reconcile kafka (832d0db)
-- gh login bug (025886c)
-- cleanup (bb96cab)
-- strip envs from process (2421180)
-- force use of gh creds not tokens in envs var (fff7787)
-- resolve import between npm installs and npm link (79522e1)
-- fix gh scope and azure states (afd846c)
-- refactoring (da50352)
-- split fops repo (d447638)
-- aks (b791f8f)
-- refactor azure (67d3bad)
-- wildcard (391f023)
-- azure plugin (c074074)
-- zap (d7e6e7f)
-- fix knock (cf89c05)
-- azure (4adec98)
-- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
-- azure stack index.js split (de12272)
-- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
-- packer (9665fbc)
-- remove stack api (db0fd4d)
-- packer cleanup (fe1bf14)
-- force refresh token (3a3d7e2)
-- provision shell (2ad505f)
-- azure vm management (91dcb31)
-- azure specific (2b0cca8)
-- azure packer (12175b8)
-- init hashed pwd (db8523c)
-- packer (5b5c7c4)
-- doctor for azure vm (ed524fa)
-- packer and 1pwd (c6d053e)
-- split big index.js (dc85a1b)
-- kafka volume update (21815ec)
-- fix openai azure tools confirmation and flow (0118cd1)
-- nighly fixx, test fix (5e0d04f)
-- open ai training (cdc494a)
-- openai integration in azure (1ca1475)
-- ci (672cea9)
-- refresh ghcr creds (4220c48)
-- cleaned up version (1a0074f)
-- traefik on ghcr and templates (8e31a05)
-- apply fcl (e78911f)
-- demo landscape (dd205fe)
-- smarter login and schema (1af514f)
-- no down before up unless something broke (56b1132)
-- dai, reconcile failed containers (12907fa)
-- reconcile dead container (7da75e4)
-- defensive around storage buckets dir (b98871d)
-- defensive around storage buckets dir (e86e132)
-- gear in for multiarch (bf3fa3e)
-- up autofix (99c7f89)
-- autofix stale containers on up (43c7d0f)
-- shared sessions fix (5de1359)
-- share sessions between ui and tui (8321391)
-- fix chat view display details (e263996)
-- fix chat view display details (9babdda)
-- tui up fixes (86e9f17)
-- fix commands init (442538b)
-- enable k3s profile (b2dcfc8)
-- test up till job creation (656d388)
-- tui fixes (0599779)
-- cleanup (27731f0)
-- train (90bf559)
-- training (f809bf6)
-- training (ba2b836)
-- training (6fc5267)
-- training (4af8ac9)
-- fix build script (bd82836)
-- infra test (5b79815)
-- infra test (3a0ac05)
-- infra test (e5c67b5)
-- tests (ae7b621)
-- tests (c09ae6a)
-- update tui (4784153)
-- training (0a5a330)
-- tui (df4dd4a)
-- pkg builds (4dc9993)
-- also source env for creds (9a17d8f)
-- fcl support (e8a5743)
-- fcl support (8d6b6cd)
-- fcl support (cb76a4a)
-- bump package (df2ee85)
-
 # Changelog
 
 All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.
 
-## [0.1.39] - 2026-03-10
+## [0.1.42] - 2026-03-11
 
+- Mlflow and azure plugin fix (176881f)
+- fix lifecycle (a2cb9e7)
 - callback url for localhost (821fb94)
 - disable 4 scaffolding plugin by default. (bfb2b76)
 - jaccard improvements (b7494a0)
@@ -369,11 +186,10 @@ All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented
 - also source env for creds (9a17d8f)
 - fcl support (e8a5743)
 - fcl support (8d6b6cd)
-- fcl support (cb76a4a)
-- bump package (df2ee85)
 
-## [0.1.38] - 2026-03-10
+## [0.1.41] - 2026-03-11
 
+- fix lifecycle (a2cb9e7)
 - callback url for localhost (821fb94)
 - disable 4 scaffolding plugin by default. (bfb2b76)
 - jaccard improvements (b7494a0)
@@ -555,7 +371,6 @@ All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented
 - fcl support (e8a5743)
 - fcl support (8d6b6cd)
 - fcl support (cb76a4a)
-- bump package (df2ee85)
 
 # Changelog
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.40",
+  "version": "0.1.42",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/agent/llm.js

@@ -309,8 +309,6 @@ let _responsesApiFallback = false;
 function isResponsesApiFormatError(err) {
   if (!err) return false;
   const status = err.status ?? err.error?.status ?? err.code;
-  // 404 = Responses API route doesn't exist on this Azure endpoint/api-version
-  if (status === 404 || status === "404") return true;
   if (status !== 400 && status !== "400") return false;
   const msg = [err.message, err.error?.message, err.body?.error?.message].filter(Boolean).join(" ");
   return /Responses API|moved to ['"]input['"]|unknown parameter|'input' is required|'instructions' is not/i.test(msg);

package/src/doctor.js

@@ -11,20 +11,6 @@ import { rootDir } from "./project.js";
 import { wslExec, wslHomedir, wslFileExists, wslReadFile, wslCmdVersion } from "./wsl.js";
 import { getInquirer } from "./lazy.js";
 
-// Check if sudo is available without a password (cached credentials or NOPASSWD)
-let _sudoOk = null;
-async function canSudo() {
-  if (_sudoOk !== null) return _sudoOk;
-  if (process.platform === "win32") { _sudoOk = false; return false; }
-  try {
-    const { exitCode } = await execa("sudo", ["-n", "true"], { reject: false, timeout: 5000 });
-    _sudoOk = exitCode === 0;
-  } catch { _sudoOk = false; }
-  return _sudoOk;
-}
-
-
-
 const KEY_PORTS = {
   5432: "Postgres",
   9092: "Kafka",
@@ -260,7 +246,6 @@ export async function runDoctor(opts = {}, registry = null) {
                   console.log(chalk.green(`  ✓ Removed ${b}`));
                 } catch (err) {
                   if (err.code === "EACCES") {
-                    if (!(await canSudo())) throw new Error(`Permission denied removing ${b} — sudo not available`);
                     console.log(chalk.cyan(`  ▶ sudo rm ${b}`));
                     await execa("sudo", ["rm", b], { stdio: "inherit", timeout: 10000 });
                   } else {
@@ -394,7 +379,6 @@ export async function runDoctor(opts = {}, registry = null) {
           console.log(chalk.cyan('  ▶ start "" "Docker Desktop"'));
           await execa("cmd", ["/c", "start", "", "Docker Desktop"], { timeout: 10000 });
         } else {
-          if (!(await canSudo())) throw new Error("sudo not available — start Docker manually: sudo systemctl start docker");
           console.log(chalk.cyan("  ▶ sudo systemctl start docker"));
           await execa("sudo", ["systemctl", "start", "docker"], { stdio: "inherit", timeout: 30000 });
           return;
@@ -463,7 +447,6 @@ export async function runDoctor(opts = {}, registry = null) {
         console.log(chalk.cyan('  ▶ start "" "Docker Desktop"'));
         await execa("cmd", ["/c", "start", "", "Docker Desktop"], { timeout: 10000 });
       } else {
-        if (!(await canSudo())) throw new Error("sudo not available — install Docker manually: curl -fsSL https://get.docker.com | sudo sh");
         console.log(chalk.cyan("  ▶ curl -fsSL https://get.docker.com | sudo sh"));
         await execa("sh", ["-c", "curl -fsSL https://get.docker.com | sudo sh"], {
           stdio: "inherit", timeout: 300_000,
@@ -514,7 +497,6 @@ export async function runDoctor(opts = {}, registry = null) {
         await execa("winget", ["install", "Git.Git", "--accept-source-agreements", "--accept-package-agreements"], { stdio: "inherit", timeout: 300_000 });
       }
     } else {
-      if (!(await canSudo())) throw new Error("sudo not available — install git manually");
       console.log(chalk.cyan("  ▶ sudo apt-get install -y git"));
       await execa("sudo", ["apt-get", "install", "-y", "git"], { stdio: "inherit", timeout: 300_000 });
     }
@@ -558,7 +540,6 @@ export async function runDoctor(opts = {}, registry = null) {
       console.log(chalk.cyan("  ▶ brew install npm"));
       await execa("brew", ["install", "npm"], { stdio: "inherit", timeout: 300_000 });
     } else if (process.platform === "linux" || (process.platform === "win32" && useWsl)) {
-      if (!(await canSudo())) throw new Error("sudo not available — install npm manually");
       console.log(chalk.cyan("  ▶ sudo apt-get install -y npm"));
       await run("sudo", ["apt-get", "install", "-y", "npm"], { stdio: "inherit", timeout: 300_000 });
     } else {
@@ -592,8 +573,9 @@ export async function runDoctor(opts = {}, registry = null) {
       await execa("brew", ["install", "--cask", "1password-cli"], { stdio: "inherit", timeout: 300_000 });
     } else if (process.platform === "win32") {
       if (useWsl) {
-        if (!(await canSudo())) throw new Error("sudo not available — install 1Password CLI manually");
         console.log(chalk.cyan("  ▶ [WSL] Installing 1Password CLI via apt…"));
+        // Authenticate sudo upfront so the long install chain doesn't hang at a password prompt
+        await run("sudo", ["-v"], { stdio: "inherit", timeout: 30_000 });
         await run("sh", ["-c", [
           "curl -sS https://downloads.1password.com/linux/keys/1password.asc | sudo gpg --batch --yes --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg",
           '&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | sudo tee /etc/apt/sources.list.d/1password.list',
@@ -609,8 +591,9 @@ export async function runDoctor(opts = {}, registry = null) {
       }
     } else {
       // Linux — install via 1Password apt repository
-      if (!(await canSudo())) throw new Error("sudo not available — install 1Password CLI manually");
+      // Authenticate sudo upfront so the long install chain doesn't hang at a password prompt
       console.log(chalk.cyan("  ▶ Installing 1Password CLI via apt…"));
+      await execa("sudo", ["-v"], { stdio: "inherit", timeout: 30_000 });
       await execa("sh", ["-c", [
         "curl -sS https://downloads.1password.com/linux/keys/1password.asc | sudo gpg --batch --yes --dearmor --output /usr/share/keyrings/1password-archive-keyring.gpg",
         '&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/1password-archive-keyring.gpg] https://downloads.1password.com/linux/debian/$(dpkg --print-architecture) stable main" | sudo tee /etc/apt/sources.list.d/1password.list',
@@ -624,7 +607,6 @@ export async function runDoctor(opts = {}, registry = null) {
 
   // GitHub CLI
   const installGhLinux = async (runner = execa) => {
-    if (!(await canSudo())) throw new Error("sudo not available — install gh manually: https://cli.github.com");
     console.log(chalk.cyan("  ▶ Installing gh via apt…"));
     await runner("sh", ["-c", [
       "type -p curl >/dev/null || (sudo apt update && sudo apt install curl -y)",
@@ -873,26 +855,7 @@ export async function runDoctor(opts = {}, registry = null) {
       console.log(chalk.green("  ✓ write:packages and repo scopes added"));
     };
 
-    // Double-check: if hasWritePackages came from netrc fallback, verify the gh CLI token too
-    let ghCliHasPackages = hasWritePackages;
     if (hasWritePackages) {
-      try {
-        const { stdout: tkOut, exitCode: tkExit } = await runGh(["auth", "token"], { timeout: 5000, reject: false });
-        if (tkExit === 0 && tkOut?.trim()) {
-          const { status, scopes } = await ghApiGetWithScopes(tkOut.trim());
-          if (status === 200 && scopes && !scopes.includes("write:packages") && !scopes.includes("read:packages")) {
-            ghCliHasPackages = false;
-          }
-        }
-      } catch {}
-    }
-    if (hasWritePackages && !ghCliHasPackages) {
-      warn(
-        "gh CLI token missing packages scope",
-        "netrc token has it, but gh auth token does not — run: gh auth refresh -h github.com -s write:packages",
-        ghcrRefreshFn,
-      );
-    } else if (hasWritePackages) {
       ok("gh token has write:packages scope");
     } else {
       fail(
@@ -936,63 +899,32 @@ export async function runDoctor(opts = {}, registry = null) {
     }
 
     const ghcrFixFn = async () => {
-      // Find a token with packages scope — prefer gh CLI token, fall back to netrc
-      let ghToken = null;
+      // Ensure write:packages scope is present (implies read:packages)
+      if (!hasWritePackages) {
+        console.log(chalk.cyan("  ▶ gh auth refresh -h github.com -s write:packages -s repo"));
+        console.log(chalk.dim("    (gh CLI will ask for device code auth, then optionally Git credential setup)"));
+        await runGh(["auth", "refresh", "-h", "github.com", "-s", "write:packages", "-s", "repo"], {
+          stdio: "inherit", timeout: 120_000,
+        });
+      }
 
-      // 1) Try gh CLI token
+      // Get fresh token and login to ghcr.io
+      let ghToken = null;
       try {
         const { stdout, exitCode } = await runGh(["auth", "token"], { timeout: 5000, reject: false });
-        if (exitCode === 0 && stdout?.trim()) {
-          const t = stdout.trim();
-          const { status, scopes } = await ghApiGetWithScopes(t);
-          if (status === 200 && scopes?.includes("write:packages")) {
-            ghToken = t;
-          } else if (status === 200) {
-            // gh token works but lacks packages scope — refresh it
-            console.log(chalk.yellow("  gh CLI token missing write:packages — refreshing…"));
-            console.log(chalk.cyan("  ▶ gh auth refresh -h github.com -s write:packages -s repo"));
-            const { exitCode: refExit } = await runGh(["auth", "refresh", "-h", "github.com", "-s", "write:packages", "-s", "repo"], {
-              stdio: "inherit", timeout: 120_000, reject: false,
-            });
-            if (refExit === 0) {
-              const { stdout: fresh } = await runGh(["auth", "token"], { timeout: 5000, reject: false });
-              if (fresh?.trim()) ghToken = fresh.trim();
-            }
-          }
-        }
+        if (exitCode === 0 && stdout?.trim()) ghToken = stdout.trim();
       } catch {}
 
-      // 2) Fall back to netrc token if gh CLI token doesn't have the right scopes
-      if (!ghToken) {
-        try {
-          const content = await readFile(netrcPath);
-          const netrcToken = readNetrcToken(content, "github.com");
-          if (netrcToken) {
-            const { status, scopes } = await ghApiGetWithScopes(netrcToken);
-            if (status === 200 && (scopes?.includes("write:packages") || scopes?.includes("read:packages"))) {
-              console.log(chalk.cyan("  Using netrc token (has packages scope)"));
-              ghToken = netrcToken;
-            }
-          }
-        } catch {}
-      }
-
       if (ghToken) {
-        console.log(chalk.cyan("  ▶ Logging into ghcr.io…"));
-        // Login for both current user and root (Docker daemon runs as root)
+        console.log(chalk.cyan("  ▶ Logging into ghcr.io using gh auth token…"));
         await run("sh", ["-c", `echo ${ghToken} | docker login ghcr.io -u x-access-token --password-stdin`], {
           stdio: "inherit", timeout: 15000,
         });
-        try {
-          await execa("sh", ["-c", `echo ${ghToken} | sudo docker login ghcr.io -u x-access-token --password-stdin`], {
-            timeout: 15000, stdio: "pipe",
-          });
-        } catch { /* root login best-effort */ }
       } else {
-        console.log(chalk.yellow("  No token with packages scope found."));
-        console.log(chalk.dim("  Run: gh auth refresh -h github.com -s write:packages -s repo"));
-        console.log(chalk.dim("  Then: echo $(gh auth token) | docker login ghcr.io -u x-access-token --password-stdin"));
-        throw new Error("No token with packages scope — refresh gh auth or create a PAT with write:packages");
+        console.log(chalk.yellow("  gh CLI not authenticated — manual login required."));
+        console.log(chalk.dim("  Create a PAT at https://github.com/settings/tokens with write:packages scope, then run:"));
+        console.log(chalk.dim("  docker login ghcr.io -u <your-username>"));
+        throw new Error("Manual GHCR login required");
       }
     };
 
@@ -1016,11 +948,7 @@ export async function runDoctor(opts = {}, registry = null) {
         }
       }
     } else if (ghcrLoggedIn) {
-      fail(
-        "Docker logged into ghcr.io but pull access denied",
-        "Docker has a stale token — fix: echo $(gh auth token) | docker login ghcr.io -u x-access-token --password-stdin",
-        ghcrFixFn,
-      );
+      fail("Docker logged into ghcr.io but pull access denied", "token may lack read:packages or write:packages scope", ghcrFixFn);
     } else {
       fail("Docker not logged into ghcr.io", "needed to pull/push private images", ghcrFixFn);
     }

package/src/plugins/bundled/fops-plugin-1password/index.js

@@ -99,10 +99,6 @@ export function register(api) {
         } else if (synced > 0) {
           const files = synced === 1 ? ".env" : `${synced} .env files`;
           console.log(chalk.green(`  ✓ ${totalSecrets} secret(s) synced → ${files}`));
-          // Update one-shot marker so auto-sync on next `fops up` is skipped
-          const markerDir = path.join(root, ".fops");
-          if (!fs.existsSync(markerDir)) fs.mkdirSync(markerDir, { recursive: true });
-          fs.writeFileSync(path.join(markerDir, ".1p-synced"), new Date().toISOString() + "\n");
         } else {
           console.log(chalk.dim("  Nothing to sync."));
         }
@@ -185,18 +181,13 @@ export function register(api) {
     },
   });
 
-  // ── Hook: before:up — one-shot auto-sync secrets ───
+  // ── Hook: before:up — auto-sync secrets ────────────
   api.registerHook("before:up", async () => {
     if (!config.autoSync) return;
 
     const root = findRoot();
     if (!root) return;
 
-    // One-shot: skip if secrets were already synced once
-    const markerDir = path.join(root, ".fops");
-    const markerPath = path.join(markerDir, ".1p-synced");
-    if (fs.existsSync(markerPath)) return;
-
     const templates = discoverTemplates(root);
     if (templates.length === 0) return;
 
@@ -221,9 +212,6 @@ export function register(api) {
     } else if (synced > 0) {
       const files = synced === 1 ? ".env" : `${synced} .env files`;
       console.log(chalk.green(`  ✓ ${totalSecrets} secret(s) synced → ${files}`));
-      // Mark as done so subsequent `fops up` calls skip auto-sync
-      if (!fs.existsSync(markerDir)) fs.mkdirSync(markerDir, { recursive: true });
-      fs.writeFileSync(markerPath, new Date().toISOString() + "\n");
     }
   });
 

package/src/plugins/bundled/fops-plugin-azure/index.js

@@ -138,10 +138,8 @@ export async function register(api) {
           } else if (process.platform === "linux") {
             const { exitCode } = await execa("which", ["apt-get"], { reject: false });
             if (exitCode !== 0) throw new Error("apt-get not found — use https://learn.microsoft.com/en-us/cli/azure/install-azure-cli for your distro");
-            // Check sudo is available before attempting install
-            const sudoCheck = await execa("sudo", ["-n", "true"], { reject: false, timeout: 5000 });
-            if (sudoCheck.exitCode !== 0) throw new Error("sudo not available — install Azure CLI manually: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash");
-            await execa("sudo", ["sh", "-c", "curl -sL https://aka.ms/InstallAzureCLIDeb | bash"], { stdio: "inherit", timeout: 300000 });
+            await execa("sudo", ["apt-get", "update"], { stdio: "inherit", timeout: 120000 });
+            await execa("sudo", ["apt-get", "install", "-y", "azure-cli"], { stdio: "inherit", timeout: 120000 });
           } else {
             throw new Error("Auto-install only on macOS and Linux — use the Microsoft install link");
           }

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks.js

@@ -148,7 +148,7 @@ function resolveFluxConfig(clusterName, opts) {
   return {
     fluxRepo: opts?.fluxRepo ?? tracked?.flux?.repo ?? az.fluxRepo ?? project?.fluxRepo ?? AKS_DEFAULTS.fluxRepo,
     fluxOwner: opts?.fluxOwner ?? tracked?.flux?.owner ?? az.fluxOwner ?? project?.fluxOwner ?? AKS_DEFAULTS.fluxOwner,
-    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || `clusters/${clusterName}`,
+    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || AKS_DEFAULTS.fluxPath,
     fluxBranch: opts?.fluxBranch ?? tracked?.flux?.branch ?? az.fluxBranch ?? project?.fluxBranch ?? AKS_DEFAULTS.fluxBranch,
   };
 }
@@ -182,107 +182,6 @@ function requireCluster(name) {
   };
 }
 
-// ── Flux local-repo scaffolding ───────────────────────────────────────────────
-
-/**
- * Auto-detect the local flux repo clone.
- * Searches common relative paths from the project root and CWD.
- */
-function findFluxLocalRepo() {
-  const state = readState();
-  const projectRoot = state.azure?.projectRoot || state.projectRoot;
-
-  const candidates = [];
-  if (projectRoot) {
-    candidates.push(path.resolve(projectRoot, "..", "flux"));
-    candidates.push(path.resolve(projectRoot, "flux"));
-  }
-  candidates.push(path.resolve("../flux"));
-  candidates.push(path.resolve("../../flux"));
-
-  for (const p of candidates) {
-    if (fs.existsSync(path.join(p, "clusters"))) return p;
-  }
-  return null;
-}
-
-/**
- * Resolve the bundled cluster template directory shipped with the CLI.
- */
-function resolveClusterTemplate() {
-  const thisDir = path.dirname(fileURLToPath(import.meta.url));
-  return path.resolve(thisDir, "..", "templates", "cluster");
-}
-
-/**
- * Scaffold a new cluster directory in the local flux repo from the bundled
- * template, substituting {{CLUSTER_NAME}} and {{OVERLAY}} placeholders.
- * Then commits and pushes the change.
- */
-async function scaffoldFluxCluster(execa, { clusterName, fluxLocalRepo, overlay }) {
-  const templateDir = resolveClusterTemplate();
-  const destDir = path.join(fluxLocalRepo, "clusters", clusterName);
-
-  if (!fs.existsSync(templateDir)) {
-    console.log(WARN(`  ⚠ Cluster template not found at ${templateDir}`));
-    return false;
-  }
-
-  if (fs.existsSync(destDir)) {
-    console.log(OK(`  ✓ Cluster directory already exists: clusters/${clusterName}`));
-    return true;
-  }
-
-  const vars = {
-    "{{CLUSTER_NAME}}": clusterName,
-    "{{OVERLAY}}": overlay || "demo-azure",
-  };
-
-  hint("Scaffolding Flux cluster manifests…");
-
-  function copyDir(src, dest) {
-    fs.mkdirSync(dest, { recursive: true });
-    for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
-      const srcPath = path.join(src, entry.name);
-      const destPath = path.join(dest, entry.name);
-      if (entry.isDirectory()) {
-        copyDir(srcPath, destPath);
-      } else {
-        let content = fs.readFileSync(srcPath, "utf8");
-        for (const [k, v] of Object.entries(vars)) {
-          content = content.replaceAll(k, v);
-        }
-        fs.writeFileSync(destPath, content);
-      }
-    }
-  }
-
-  copyDir(templateDir, destDir);
-  console.log(OK(`  ✓ Cluster directory created: clusters/${clusterName}`));
-
-  // List remaining placeholders
-  const remaining = [];
-  for (const line of fs.readFileSync(path.join(destDir, "kustomization.yaml"), "utf8").split("\n")) {
-    const m = line.match(/\{\{(\w+)\}\}/g);
-    if (m) remaining.push(...m);
-  }
-
-  // Git add + commit + push
-  hint("Committing and pushing to flux repo…");
-  try {
-    await execa("git", ["-C", fluxLocalRepo, "add", `clusters/${clusterName}`], { timeout: 15000 });
-    await execa("git", ["-C", fluxLocalRepo, "commit", "-m", `Add cluster ${clusterName}`], { timeout: 15000 });
-    await execa("git", ["-C", fluxLocalRepo, "push"], { timeout: 60000 });
-    console.log(OK(`  ✓ Pushed clusters/${clusterName} to flux repo`));
-  } catch (err) {
-    const msg = (err.stderr || err.message || "").split("\n")[0];
-    console.log(WARN(`  ⚠ Git push failed: ${msg}`));
-    hint(`Manually commit and push clusters/${clusterName} in the flux repo`);
-  }
-
-  return true;
-}
-
 // ── Flux helpers ──────────────────────────────────────────────────────────────
 
 async function ensureFluxCli(execa) {
@@ -345,18 +244,6 @@ export async function aksUp(opts = {}) {
   if (exists === 0) {
     console.log(WARN(`\n  Cluster "${clusterName}" already exists — reconciling…`));
 
-    // Scaffold cluster directory if it doesn't exist yet
-    if (!opts.noFlux) {
-      const fluxLocalRepo = opts.fluxLocalRepo || findFluxLocalRepo();
-      if (fluxLocalRepo) {
-        await scaffoldFluxCluster(execa, {
-          clusterName,
-          fluxLocalRepo,
-          overlay: opts.overlay,
-        });
-      }
-    }
-
     const maxPods = opts.maxPods || 110;
     const ctx = { execa, clusterName, rg, sub, opts, minCount, maxCount, maxPods };
     await reconcileCluster(ctx);
@@ -460,22 +347,7 @@ export async function aksUp(opts = {}) {
   const fluxRepo = opts.fluxRepo ?? AKS_DEFAULTS.fluxRepo;
   const fluxOwner = opts.fluxOwner ?? AKS_DEFAULTS.fluxOwner;
   const fluxBranch = opts.fluxBranch ?? AKS_DEFAULTS.fluxBranch;
-  const fluxPath = opts.fluxPath || `clusters/${clusterName}`;
-
-  // Scaffold cluster directory in the flux repo before bootstrapping
-  if (!opts.noFlux) {
-    const fluxLocalRepo = opts.fluxLocalRepo || findFluxLocalRepo();
-    if (fluxLocalRepo) {
-      await scaffoldFluxCluster(execa, {
-        clusterName,
-        fluxLocalRepo,
-        templateCluster: opts.templateCluster,
-      });
-    } else {
-      console.log(WARN("  ⚠ Local flux repo not found — skipping cluster scaffolding."));
-      hint("Pass --flux-local-repo <path> or clone meshxdata/flux next to foundation-compose.");
-    }
-  }
+  const fluxPath = opts.fluxPath || AKS_DEFAULTS.fluxPath;
 
   if (opts.noFlux) {
     console.log("");