@meshxdata/fops 0.1.40 → 0.1.42

package/src/plugins/bundled/fops-plugin-azure/lib/azure-auth.js

@@ -13,7 +13,7 @@ export function hashContent(text) {
 }
 
 /**
- * Resolve Foundation credentials from env → ~/.fops.json → .env files.
+ * Resolve Foundation credentials from env → .env → ~/.fops.json.
  * Returns { bearerToken } or { user, password } or null.
  */
 export function resolveFoundationCreds() {
@@ -26,25 +26,6 @@ export function resolveFoundationCreds() {
     if (cfg.bearerToken?.trim()) return { bearerToken: cfg.bearerToken.trim() };
     if (cfg.user?.trim() && cfg.password) return { user: cfg.user.trim(), password: cfg.password };
   } catch { /* no fops.json */ }
-
-  // Fall back to .env files for credentials
-  const envCandidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
-  try {
-    const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
-    if (raw?.projectRoot) envCandidates.unshift(pathMod.join(raw.projectRoot, ".env"));
-  } catch { /* ignore */ }
-  for (const ep of envCandidates) {
-    try {
-      const lines = fs.readFileSync(ep, "utf8").split("\n");
-      const get = (k) => {
-        const ln = lines.find((l) => l.startsWith(`${k}=`));
-        return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : "";
-      };
-      const user = get("QA_USERNAME") || get("FOUNDATION_USERNAME");
-      const pass = get("QA_PASSWORD") || get("FOUNDATION_PASSWORD");
-      if (user && pass) return { user, password: pass };
-    } catch { /* try next */ }
-  }
   return null;
 }
 
@@ -60,44 +41,12 @@ export function suppressTlsWarning() {
   };
 }
 
-/**
- * Resolve Cloudflare Access service-token headers from env or .env files.
- * Returns { "CF-Access-Client-Id": ..., "CF-Access-Client-Secret": ... } or {}.
- */
-let _cfAccessHeaders;
-export function resolveCfAccessHeaders() {
-  if (_cfAccessHeaders !== undefined) return _cfAccessHeaders;
-  let id = process.env.CF_ACCESS_CLIENT_ID || "";
-  let secret = process.env.CF_ACCESS_CLIENT_SECRET || "";
-  if (!id) {
-    // Try .env files
-    const candidates = [pathMod.resolve(".env"), pathMod.resolve("..", ".env")];
-    try {
-      const raw = JSON.parse(fs.readFileSync(pathMod.join(os.homedir(), ".fops.json"), "utf8"));
-      if (raw?.projectRoot) candidates.unshift(pathMod.join(raw.projectRoot, ".env"));
-    } catch {}
-    for (const ep of candidates) {
-      try {
-        const lines = fs.readFileSync(ep, "utf8").split("\n");
-        const get = (k) => { const ln = lines.find((l) => l.startsWith(`${k}=`)); return ln ? ln.slice(k.length + 1).trim().replace(/^["']|["']$/g, "") : ""; };
-        id = id || get("CF_ACCESS_CLIENT_ID");
-        secret = secret || get("CF_ACCESS_CLIENT_SECRET");
-        if (id && secret) break;
-      } catch {}
-    }
-  }
-  _cfAccessHeaders = id && secret ? { "CF-Access-Client-Id": id, "CF-Access-Client-Secret": secret } : {};
-  return _cfAccessHeaders;
-}
-
 export async function vmFetch(url, opts = {}) {
   suppressTlsWarning();
   const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
   process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
   try {
-    const cfHeaders = resolveCfAccessHeaders();
-    const headers = { ...cfHeaders, ...(opts.headers || {}) };
-    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts, headers });
+    return await fetch(url, { signal: AbortSignal.timeout(10_000), ...opts });
   } finally {
     if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
     else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
@@ -143,7 +92,7 @@ export function resolveAuth0Config() {
  * Tries the backend /iam/login first, then falls back to Auth0 ROPC.
  */
 export async function authenticateVm(vmUrl, ip, creds) {
-  if (creds.bearerToken) return creds.bearerToken;
+  if (creds.bearerToken && !isJwtExpired(creds.bearerToken)) return creds.bearerToken;
 
   const hasDomain = vmUrl && !vmUrl.match(/^https?:\/\/\d+\.\d+\.\d+\.\d+/);
   const apiUrls = hasDomain
@@ -199,6 +148,28 @@ export function isJwt(token) {
   return token && token.split(".").length === 3;
 }
 
+/**
+ * Decode a JWT payload without verification (for expiry checks only).
+ * Returns the parsed payload or null on failure.
+ */
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = Buffer.from(parts[1], "base64url").toString("utf8");
+    return JSON.parse(payload);
+  } catch { return null; }
+}
+
+/**
+ * Check if a JWT is expired (with 60s grace buffer).
+ */
+export function isJwtExpired(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload?.exp) return false; // no exp claim → assume valid
+  return Date.now() / 1000 > payload.exp - 60;
+}
+
 /**
  * Resolve a valid JWT bearer token for a remote VM/cluster.
  * Auth chain: local bearer → pre-auth /iam/login → Auth0 ROPC → SSH fetch from VM.
@@ -213,23 +184,19 @@ export async function resolveRemoteAuth(opts = {}) {
 
   const creds = resolveFoundationCreds();
   let qaUser = creds?.user || process.env.QA_USERNAME || process.env.FOUNDATION_USERNAME || "operator@local";
-  let qaPass = creds?.password || process.env.QA_PASSWORD || process.env.FOUNDATION_PASSWORD || "";
+  let qaPass = creds?.password || process.env.QA_PASSWORD || "";
   let bearerToken = creds?.bearerToken || "";
 
-  // 1) Use local bearer if it's a valid JWT
+  // 1) Use local bearer if it's a valid, non-expired JWT
   if (bearerToken && isJwt(bearerToken)) {
-    return { bearerToken, qaUser, qaPass, useTokenMode: true };
+    if (!isJwtExpired(bearerToken)) {
+      return { bearerToken, qaUser, qaPass, useTokenMode: true };
+    }
+    log(chalk.dim("  Local bearer token expired — refreshing…"));
   }
   bearerToken = "";
 
   // 2) Pre-auth against the backend /iam/login
-  const cfHeaders = resolveCfAccessHeaders();
-  const cfKeys = Object.keys(cfHeaders);
-  if (cfKeys.length) {
-    log(chalk.dim(`  CF Access headers: ${cfKeys.join(", ")} (id=${cfHeaders["CF-Access-Client-Id"]?.slice(0, 8)}…)`));
-  } else {
-    log(chalk.yellow("  ⚠ No CF Access service token found (set CF_ACCESS_CLIENT_ID + CF_ACCESS_CLIENT_SECRET)"));
-  }
   if (qaUser && qaPass && apiUrl) {
     try {
       if (suppressTls) suppressTls();
@@ -238,8 +205,8 @@ export async function resolveRemoteAuth(opts = {}) {
       try {
         const resp = await fetch(`${apiUrl}/iam/login`, {
           method: "POST",
-          headers: { "Content-Type": "application/json", ...cfHeaders },
-          body: JSON.stringify({ user: qaUser, password: qaPass }),
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ username: qaUser, password: qaPass }),
           signal: AbortSignal.timeout(10_000),
         });
         if (resp.ok) {
@@ -250,9 +217,7 @@ export async function resolveRemoteAuth(opts = {}) {
             return { bearerToken, qaUser, qaPass, useTokenMode: true };
           }
         } else {
-          const body = await resp.text().catch(() => "");
-          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status} (user=${qaUser})`));
-          if (body) log(chalk.dim(`  Response: ${body.slice(0, 200)}`));
+          log(chalk.dim(`  Local creds rejected: HTTP ${resp.status}`));
         }
       } finally {
         if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
@@ -315,8 +280,11 @@ export async function resolveRemoteAuth(opts = {}) {
 
       const remoteToken = remoteEnv.BEARER_TOKEN;
       if (remoteToken && isJwt(remoteToken)) {
-        log(chalk.green("  ✓ Got JWT bearer token from VM"));
-        return { bearerToken: remoteToken, qaUser, qaPass, useTokenMode: true };
+        if (!isJwtExpired(remoteToken)) {
+          log(chalk.green("  ✓ Got JWT bearer token from VM"));
+          return { bearerToken: remoteToken, qaUser, qaPass, useTokenMode: true };
+        }
+        log(chalk.dim("  Remote bearer token expired — trying VM Auth0…"));
       }
 
       if (remoteEnv.MX_AUTH0_DOMAIN && remoteEnv.MX_AUTH0_CLIENT_ID) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -275,15 +275,7 @@ export async function ensureAzAuth(execa, { subscription, throwOnMissing = false
     if (subscription) args.push("--subscription", subscription);
     const { stdout } = await execa("az", args, { timeout: 15000 });
     return JSON.parse(stdout);
-  } catch (err) {
-    if (isAzSessionExpiredError(err)) {
-      const { suggested } = parseAzReloginHint(err);
-      const msg = `Azure session expired (MFA). Run:\n  ${suggested.replace(/\n/g, "\n  ")}`;
-      if (throwOnMissing) throw new Error(msg);
-      console.error(chalk.yellow(`\n  Azure session expired (MFA or token refresh required).`));
-      console.error(chalk.cyan(`  Run: ${suggested.split("\n")[0]}\n`));
-      process.exit(1);
-    }
+  } catch {
     const msg = "Not logged in to Azure. Run: az login";
     if (throwOnMissing) throw new Error(msg);
     console.error(chalk.red("\n  Not logged in to Azure. Run: az login\n"));
@@ -455,61 +447,7 @@ async function refreshTokenViaGh(execa, missingScopes) {
 }
 
 export async function verifyGithubToken(token) {
-  if (!token) {
-    // No token anywhere — try gh CLI auth
-    const execa = await lazyExeca();
-    try {
-      const { stdout: ghToken, exitCode } = await execa("gh", ["auth", "token", "-h", "github.com"], { timeout: 10000, reject: false });
-      const existing = (ghToken || "").trim();
-      if (exitCode === 0 && existing) {
-        console.log(chalk.cyan("  No token in env/netrc — using gh CLI token"));
-        token = existing;
-      }
-    } catch { /* gh not installed or not authed */ }
-
-    if (!token) {
-      // Still no token — offer interactive gh auth login
-      console.log(chalk.yellow("\n  ⚠ No GitHub token found (checked --github-token, $GITHUB_TOKEN, ~/.netrc, gh CLI)"));
-      try {
-        const { exitCode: ghExists } = await execa("which", ["gh"], { reject: false, timeout: 5000 });
-        if (ghExists === 0) {
-          console.log(chalk.cyan("  ▶ Running gh auth login…\n"));
-          const { exitCode: loginExit } = await execa("gh", ["auth", "login", "-h", "github.com", "-s", "write:packages,repo"], { stdio: "inherit", reject: false, timeout: 300000 });
-          if (loginExit === 0) {
-            const { stdout: newToken } = await execa("gh", ["auth", "token", "-h", "github.com"], { timeout: 10000 });
-            token = (newToken || "").trim();
-            if (token) {
-              // Sync to .netrc for future use
-              const netrcPath = path.join(os.homedir(), ".netrc");
-              const entry = `machine github.com login x-access-token password ${token}`;
-              try {
-                let content = "";
-                try { content = fs.readFileSync(netrcPath, "utf8"); } catch {}
-                if (/^machine\s+github\.com\b/m.test(content)) {
-                  content = content.replace(
-                    /machine\s+github\.com\b[^\n]*(\n\s*(login|password)\s+[^\n]*)*/gm,
-                    entry,
-                  );
-                } else {
-                  content = content.trimEnd() + (content ? "\n" : "") + entry + "\n";
-                }
-                fs.writeFileSync(netrcPath, content, { mode: 0o600 });
-                console.log(chalk.green("  ✓ ~/.netrc updated"));
-              } catch {}
-            }
-          }
-        } else {
-          console.log(chalk.dim("  Install gh CLI to authenticate: https://cli.github.com"));
-        }
-      } catch {}
-
-      if (!token) {
-        console.error(chalk.red("  ✗ GitHub authentication required — GHCR pulls will fail without a token."));
-        console.error(chalk.dim("  Set $GITHUB_TOKEN, run gh auth login, or pass --github-token.\n"));
-        process.exit(1);
-      }
-    }
-  }
+  if (!token) return { token, login: undefined };
   const execa = await lazyExeca();
   try {
     let res = await fetch("https://api.github.com/user", {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -2369,6 +2369,31 @@ export async function azureList(opts = {}) {
   let aksClusters = (fullState.azure || {}).clusters || {};
   let hasAks = Object.keys(aksClusters).length > 0;
 
+  // Always try to discover VMs from Azure (tag managed=fops) so we re-add any that were
+  // lost from local state (e.g. state file reset or edited).
+  try {
+    const execa = await lazyExeca();
+    await ensureAzCli(execa);
+    await ensureAzAuth(execa, { subscription: opts.subscription });
+    const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
+    if (found > 0) {
+      console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
+      ({ activeVm, vms } = listVms());
+      vmNames = Object.keys(vms);
+      fullState = readState();
+      aksClusters = (fullState.azure || {}).clusters || {};
+      hasAks = Object.keys(aksClusters).length > 0;
+    }
+  } catch { /* az not available or not authenticated */ }
+
+  if (vmNames.length === 0 && !hasAks) {
+    banner("Azure VMs");
+    hint("No VMs or clusters found in Azure.");
+    hint("Create a VM:       fops azure up <name>");
+    hint("Create a cluster:  fops azure aks up <name>\n");
+    return;
+  }
+
   // Use cache if fresh, otherwise try shared tags, then fall back to full sync
   const forceLive = opts.live;
   let cache = readCache();
@@ -2389,37 +2414,13 @@ export async function azureList(opts = {}) {
       } catch { /* tag read failed, fall through to full sync */ }
     }
 
-    // Discovery + full sync only when all caches are stale
     if (!fresh) {
-      try {
-        const execa = await lazyExeca();
-        await ensureAzCli(execa);
-        await ensureAzAuth(execa, { subscription: opts.subscription });
-        const found = await discoverVmsFromAzure(execa, { quiet: true, subscription: opts.subscription });
-        if (found > 0) {
-          console.log(OK(`  ✓ Re-discovered ${found} VM(s) from Azure`) + DIM(" (tag managed=fops)\n"));
-          ({ activeVm, vms } = listVms());
-          vmNames = Object.keys(vms);
-          fullState = readState();
-          aksClusters = (fullState.azure || {}).clusters || {};
-          hasAks = Object.keys(aksClusters).length > 0;
-        }
-      } catch { /* az not available or not authenticated */ }
-
       await azureSync({ quiet: !opts.verbose });
       cache = readCache();
       cacheSource = "live";
     }
   }
 
-  if (vmNames.length === 0 && !hasAks) {
-    banner("Azure VMs");
-    hint("No VMs or clusters found in Azure.");
-    hint("Create a VM:       fops azure up <name>");
-    hint("Create a cluster:  fops azure aks up <name>\n");
-    return;
-  }
-
   const cachedVms = cache?.vms || {};
   const cachedClusters = cache?.clusters || {};
   const cacheTime = cache?.updatedAt;
@@ -3273,7 +3274,7 @@ export async function azureSshWhitelistMe(opts = {}) {
 
   const merged = [...new Set([...currentSources.filter(s => s && s !== "*" && s !== "Internet"), myCidr])];
   console.log(chalk.yellow(`  ↻ Adding ${myCidr} to SSH rule on ${nsgName} (${currentSources.length} existing)...`));
-  const { exitCode: updateCode, stderr: updateStderr } = await execa("az", [
+  const { exitCode: updateCode } = await execa("az", [
     "network", "nsg", "rule", "create", "-g", rg, "--nsg-name", nsgName,
     "-n", sshRule?.name || "allow-ssh", "--priority", String(sshRule?.priority || 1000),
     "--destination-port-ranges", "22", "--access", "Allow",
@@ -3283,17 +3284,8 @@ export async function azureSshWhitelistMe(opts = {}) {
   ], { reject: false, timeout: 30000 });
 
   if (updateCode !== 0) {
-    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}`));
-    const msg = (updateStderr || "").trim();
-    if (msg.includes("AADSTS") || msg.includes("Interactive authentication")) {
-      console.error(ERR("  Azure session expired — run: az login"));
-    } else if (msg.includes("AuthorizationFailed")) {
-      console.error(ERR("  Insufficient permissions to update NSG rules in this subscription."));
-    } else if (msg) {
-      console.error(DIM(`  ${msg.split("\n")[0]}`));
-    }
-    console.error("");
-    return;
+    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}\n`));
+    process.exit(1);
   }
   console.log(OK(`\n  ✓ SSH (22) whitelisted for ${myCidr} on ${vmName} (${nsgName})\n`));
   console.log(`  Sources: ${merged.join(", ")}\n`);

package/src/plugins/bundled/fops-plugin-azure/lib/azure-shared-cache.js

@@ -22,7 +22,7 @@ import { readState, listVms } from "./azure-state.js";
 //   fops_by       = alessio                  (who synced)
 
 const TAG_PREFIX = "fops_";
-const TAG_MAX_AGE_MS = 20 * 60 * 1000; // 20 minutes — tags are cheaper to check
+const TAG_MAX_AGE_MS = 10 * 60 * 1000; // 10 minutes — tags are cheaper to check
 
 // ── Write: publish probe results as tags on a VM ─────────────────────────────
 

package/src/plugins/bundled/fops-plugin-azure/lib/azure-sync.js

@@ -12,7 +12,7 @@ import {
 // Stored in ~/.fops.json under azure.cache:
 //   { updatedAt, vms: { <name>: { ... } }, clusters: { <name>: { ... } } }
 
-const CACHE_MAX_AGE_MS = 15 * 60 * 1000; // 15 minutes
+const CACHE_MAX_AGE_MS = 5 * 60 * 1000; // 5 minutes
 
 // Short keys for the 6 tracked Foundation services
 const SVC_MAP = {
@@ -169,16 +169,16 @@ async function syncVms(execa) {
 
       // After a knock, iptables rule needs a moment to propagate; first SSH needs full handshake.
       // Brief delay then retry once to avoid false "unreachable" (e.g. uaenorth latency).
-      await new Promise((r) => setTimeout(r, 400));
+      await new Promise((r) => setTimeout(r, 800));
       let sshOk = false;
       for (let attempt = 0; attempt < 2; attempt++) {
         const { exitCode: sshCode } = await execa("ssh", [
           ...MUX_OPTS(vm.publicIp, DEFAULTS.adminUser),
           "-o", "BatchMode=yes",
           `${DEFAULTS.adminUser}@${vm.publicIp}`, "echo ok",
-        ], { timeout: 8000, reject: false }).catch(() => ({ exitCode: 1 }));
+        ], { timeout: 15000, reject: false }).catch(() => ({ exitCode: 1 }));
         if (sshCode === 0) { sshOk = true; break; }
-        if (attempt === 0) await new Promise((r) => setTimeout(r, 1000));
+        if (attempt === 0) await new Promise((r) => setTimeout(r, 2000));
       }
 
       if (!sshOk) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-vm-lifecycle.js

@@ -257,6 +257,10 @@ export async function azureUp(opts = {}) {
   if (!publicIp) { console.error(ERR("  VM created but no public IP assigned.")); process.exit(1); }
   console.log(OK(`  ✓ VM created — ${publicIp}`));
 
+  // Persist IP immediately so it's never lost if later steps fail or user Ctrl+C's
+  const publicUrl = opts.url || defaultUrl;
+  writeVmState(vmName, { resourceGroup: rg, location, publicIp, publicUrl, subscriptionId: subId, createdAt: new Date().toISOString() });
+
   hint("Enabling accelerated networking…");
   const nicName = `${vmName}VMNic`;
   const dealloc = await execa("az", ["vm", "deallocate", "-g", rg, "-n", vmName, "--output", "none", ...subArgs(sub)], { reject: false, timeout: 120000 });
@@ -361,9 +365,6 @@ export async function azureUp(opts = {}) {
   ], { reject: false, timeout: 30000 });
   console.log(OK("  ✓ Knock port range open"));
 
-  const publicUrl = opts.url || defaultUrl;
-  writeVmState(vmName, { resourceGroup: rg, location, publicIp, publicUrl, subscriptionId: subId, createdAt: new Date().toISOString() });
-
   // Save SSH key to 1Password if available
   try {
     const { opWhoami, opEnsureVault, opSaveSSHKey } = await import("../../fops-plugin-1password/lib/op.js");
@@ -393,6 +394,12 @@ export async function azureUp(opts = {}) {
   await syncDns(cfToken, publicUrl, publicIp);
   await ensureOpenAiNetworkAccess(execa, publicIp, sub);
 
+  // Print IP/URL prominently before the long SSH wait so users don't miss it
+  console.log("");
+  kvLine("IP",  ACCENT(publicIp));
+  kvLine("URL", ACCENT(publicUrl));
+  console.log("");
+
   console.log(chalk.magenta("  ✻") + " " + DIM("Waiting for SSH…"));
   const sshMaxWait = 300000;
   let ready = await waitForSsh(execa, publicIp, adminUser, sshMaxWait);

package/src/plugins/bundled/fops-plugin-azure/lib/commands/infra-cmds.js

@@ -508,8 +508,6 @@ export function registerInfraCommands(azure) {
     .option("--github-token <token>", "GitHub PAT for Flux + GHCR pull (default: $GITHUB_TOKEN)")
     .option("--no-flux", "Skip Flux bootstrap")
     .option("--no-postgres", "Skip Postgres Flexible Server provisioning")
-    .option("--flux-local-repo <path>", "Path to local flux repo clone (auto-detected if omitted)")
-    .option("--overlay <name>", "App overlay name in flux repo (default: demo-azure)")
     .option("--dai", "Include DAI (Dashboards AI) workloads")
     .action(async (name, opts) => {
       const { aksUp } = await import("../azure-aks.js");
@@ -526,8 +524,6 @@ export function registerInfraCommands(azure) {
         githubToken: opts.githubToken,
         noFlux: opts.flux === false,
         noPostgres: opts.postgres === false,
-        fluxLocalRepo: opts.fluxLocalRepo,
-        overlay: opts.overlay,
         dai: opts.dai === true,
       });
     });

package/src/plugins/bundled/fops-plugin-azure/lib/commands/test-cmds.js

@@ -15,14 +15,17 @@ export function registerTestCommands(azure) {
     .description("Run QA automation tests locally against a remote VM")
     .option("--vm-name <name>", "Target VM (default: active)")
     .action(async (name, opts) => {
-      const { requireVmState, knockForVm } = await import("../azure.js");
-      const { resolveCliSrc } = await import("../azure-helpers.js");
+      const { resolveCliSrc, lazyExeca, ensureAzCli, ensureAzAuth, resolvePublicIp } = await import("../azure-helpers.js");
+      const { requireVmState, knockForVm, sshCmd, MUX_OPTS } = await import("../azure.js");
       const { rootDir } = await import(resolveCliSrc("project.js"));
       const fsp = await import("node:fs/promises");
       const path = await import("node:path");
 
       const state = requireVmState(opts.vmName || name);
-      const ip = state.publicIp;
+      const execa = await lazyExeca();
+      await ensureAzCli(execa);
+      await ensureAzAuth(execa);
+      const ip = await resolvePublicIp(execa, state.resourceGroup, state.vmName, state.publicIp);
       if (!ip) {
         console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n"));
         process.exit(1);
@@ -45,13 +48,11 @@ export function registerTestCommands(azure) {
 
       const vmUrl = state.publicUrl || `https://${ip}`;
       const apiUrl = `${vmUrl}/api`;
-      const { execa: execaFn } = await import("execa");
-      const { sshCmd, MUX_OPTS } = await import("../azure.js");
 
       console.log(chalk.dim(`  Authenticating against ${vmUrl}…`));
       const auth = await resolveRemoteAuth({
         apiUrl, ip, vmState: state,
-        execaFn, sshCmd, knockForVm, suppressTlsWarning,
+        execaFn: execa, sshCmd, knockForVm, suppressTlsWarning,
       });
       let { bearerToken, qaUser, qaPass, useTokenMode } = auth;
 
@@ -78,20 +79,6 @@ export function registerTestCommands(azure) {
           : content + `\n${key}=${value}`;
       };
 
-      // Resolve CF Access service token for Cloudflare-proxied endpoints
-      let cfClientId = process.env.CF_ACCESS_CLIENT_ID || "";
-      let cfClientSecret = process.env.CF_ACCESS_CLIENT_SECRET || "";
-      if (!cfClientId) {
-        // Try reading from the compose .env
-        try {
-          const composeDotEnv = await fsp.readFile(path.join(root, ".env"), "utf8");
-          const idMatch = composeDotEnv.match(/^CF_ACCESS_CLIENT_ID=(.+)$/m);
-          const secretMatch = composeDotEnv.match(/^CF_ACCESS_CLIENT_SECRET=(.+)$/m);
-          if (idMatch) cfClientId = idMatch[1].trim();
-          if (secretMatch) cfClientSecret = secretMatch[1].trim();
-        } catch { /* .env may not exist */ }
-      }
-
       envContent = setVar(envContent, "API_URL", apiUrl);
       envContent = setVar(envContent, "DEV_API_URL", apiUrl);
       envContent = setVar(envContent, "LIVE_API_URL", apiUrl);
@@ -107,10 +94,6 @@ export function registerTestCommands(azure) {
         envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
         envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
       }
-      if (cfClientId && cfClientSecret) {
-        envContent = setVar(envContent, "CF_ACCESS_CLIENT_ID", cfClientId);
-        envContent = setVar(envContent, "CF_ACCESS_CLIENT_SECRET", cfClientSecret);
-      }
 
       await fsp.writeFile(envPath, envContent);
       console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
@@ -120,8 +103,8 @@ export function registerTestCommands(azure) {
         await fsp.access(path.join(qaDir, "venv"));
       } catch {
         console.log(chalk.cyan("  Setting up QA automation environment…"));
-        await execaFn("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
-        await execaFn("bash", ["-c", "source venv/bin/activate && pip install -r requirements.txt && playwright install"], { cwd: qaDir, stdio: "inherit" });
+        await execa("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
+        await execa("bash", ["-c", "source venv/bin/activate && pip install -r requirements.txt && playwright install"], { cwd: qaDir, stdio: "inherit" });
       }
 
       // Knock to ensure VM is reachable
@@ -172,13 +155,9 @@ export function registerTestCommands(azure) {
         testEnv.BEARER_TOKEN = bearerToken;
         testEnv.TOKEN_AUTH0 = bearerToken;
       }
-      if (cfClientId && cfClientSecret) {
-        testEnv.CF_ACCESS_CLIENT_ID = cfClientId;
-        testEnv.CF_ACCESS_CLIENT_SECRET = cfClientSecret;
-      }
 
       const startMs = Date.now();
-      const proc = execaFn(
+      const proc = execa(
         "bash",
         ["-c", `source venv/bin/activate && pytest ${pytestArgs}`],
         { cwd: qaDir, timeout: 600_000, reject: false, env: testEnv },

package/src/plugins/bundled/fops-plugin-azure/lib/commands/vm-cmds.js

@@ -171,6 +171,36 @@ export function registerVmCommands(azure, api, registry) {
       await azureList({ live: opts.live, verbose: opts.verbose, cost: opts.cost, days: parseInt(opts.days), versions: opts.versions });
     });
 
+  // ── ip ─────────────────────────────────────────────────────────────────
+  azure
+    .command("ip [name]")
+    .description("Print the public IP (and URL) of a VM — quick lookup")
+    .option("--resolve", "Query Azure for the current IP (ignores cached)")
+    .action(async (name, opts) => {
+      const { requireVmState } = await import("../azure-state.js");
+      const state = requireVmState(name);
+      let ip = state.publicIp;
+
+      if (opts.resolve) {
+        const { lazyExeca, ensureAzCli, ensureAzAuth, resolvePublicIp, subArgs } = await import("../azure.js");
+        const { writeVmState } = await import("../azure-state.js");
+        const execa = await lazyExeca();
+        await ensureAzCli(execa);
+        await ensureAzAuth(execa);
+        ip = await resolvePublicIp(execa, state.resourceGroup, state.vmName, state.publicIp);
+        if (ip && ip !== state.publicIp) {
+          writeVmState(state.vmName, { publicIp: ip });
+        }
+      }
+
+      if (!ip) {
+        console.error(chalk.red("\n  No IP address found. Is the VM running? Try: fops azure start\n"));
+        process.exit(1);
+      }
+      console.log(ip);
+      if (state.publicUrl) console.log(chalk.dim(state.publicUrl));
+    });
+
   // ── select ───────────────────────────────────────────────────────────────
   azure
     .command("select [name]")

package/src/plugins/bundled/fops-plugin-foundation/index.js

@@ -986,24 +986,11 @@ app.run()
       .option("--url <url>", "Override the backend API URL")
       .action(async (opts) => {
         const { spawn } = await import("node:child_process");
-        const { writeFileSync, existsSync, realpathSync, readFileSync, unlinkSync, mkdirSync } = await import("node:fs");
+        const { writeFileSync, existsSync, realpathSync, readFileSync } = await import("node:fs");
         const { tmpdir, homedir } = await import("node:os");
         const { join, dirname } = await import("node:path");
         const { findComposeRoot } = await import("./lib/tools-write.js");
 
-        // ── Singleton: kill any existing tray process ──────────────────────────
-        const pidDir = join(homedir(), ".fops");
-        const pidFile = join(pidDir, "tray.pid");
-        if (existsSync(pidFile)) {
-          try {
-            const oldPid = parseInt(readFileSync(pidFile, "utf8").trim(), 10);
-            if (oldPid) process.kill(oldPid, "SIGTERM");
-          } catch {
-            // process already gone — ignore
-          }
-          try { unlinkSync(pidFile); } catch {}
-        }
-
         const composeRoot = program._fopsRoot || findComposeRoot() || "";
 
         let apiUrl = opts.url || process.env.FOPS_API_URL || "http://127.0.0.1:9001";
@@ -1248,8 +1235,6 @@ $tray.Visible = $false
             env: trayEnv,
             windowsHide: true,
           });
-          if (!existsSync(pidDir)) mkdirSync(pidDir, { recursive: true });
-          writeFileSync(pidFile, String(winChild.pid));
           winChild.unref();
           return;
         }
@@ -2010,8 +1995,6 @@ app.run()
           detached: true,
           env: trayEnv,
         });
-        if (!existsSync(pidDir)) mkdirSync(pidDir, { recursive: true });
-        writeFileSync(pidFile, String(child.pid));
         child.unref();
       });
   });

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/dai-backend.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: dai-backend
-  namespace: flux-system
-spec:
-  interval: 1m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  path: ./apps/dai/backend/overlays/meshx/{{OVERLAY}}
-  prune: true

package/src/plugins/bundled/fops-plugin-azure/templates/cluster/apps/dai-frontend.yaml

@@ -1,13 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: dai-frontend
-  namespace: flux-system
-spec:
-  interval: 1m
-  sourceRef:
-    kind: GitRepository
-    name: flux-system
-  path: ./apps/dai/frontend/overlays/meshx/{{OVERLAY}}
-  prune: true