@meshxdata/fops 0.1.41 → 0.1.43

package/CHANGELOG.md

@@ -1,3 +1,377 @@
+## [0.1.43] - 2026-03-11
+
+- Mlflow and azure plugin fix (176881f)
+- fix lifecycle (a2cb9e7)
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+- azure stack index.js split (de12272)
+- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
+- packer (9665fbc)
+- remove stack api (db0fd4d)
+- packer cleanup (fe1bf14)
+- force refresh token (3a3d7e2)
+- provision shell (2ad505f)
+- azure vm management (91dcb31)
+- azure specific (2b0cca8)
+- azure packer (12175b8)
+- init hashed pwd (db8523c)
+- packer (5b5c7c4)
+- doctor for azure vm (ed524fa)
+- packer and 1pwd (c6d053e)
+- split big index.js (dc85a1b)
+- kafka volume update (21815ec)
+- fix openai azure tools confirmation and flow (0118cd1)
+- nighly fixx, test fix (5e0d04f)
+- open ai training (cdc494a)
+- openai integration in azure (1ca1475)
+- ci (672cea9)
+- refresh ghcr creds (4220c48)
+- cleaned up version (1a0074f)
+- traefik on ghcr and templates (8e31a05)
+- apply fcl (e78911f)
+- demo landscape (dd205fe)
+- smarter login and schema (1af514f)
+- no down before up unless something broke (56b1132)
+- dai, reconcile failed containers (12907fa)
+- reconcile dead container (7da75e4)
+- defensive around storage buckets dir (b98871d)
+- defensive around storage buckets dir (e86e132)
+- gear in for multiarch (bf3fa3e)
+- up autofix (99c7f89)
+- autofix stale containers on up (43c7d0f)
+- shared sessions fix (5de1359)
+- share sessions between ui and tui (8321391)
+- fix chat view display details (e263996)
+- fix chat view display details (9babdda)
+- tui up fixes (86e9f17)
+- fix commands init (442538b)
+- enable k3s profile (b2dcfc8)
+- test up till job creation (656d388)
+- tui fixes (0599779)
+- cleanup (27731f0)
+- train (90bf559)
+- training (f809bf6)
+- training (ba2b836)
+- training (6fc5267)
+- training (4af8ac9)
+- fix build script (bd82836)
+- infra test (5b79815)
+- infra test (3a0ac05)
+- infra test (e5c67b5)
+- tests (ae7b621)
+- tests (c09ae6a)
+- update tui (4784153)
+- training (0a5a330)
+- tui (df4dd4a)
+- pkg builds (4dc9993)
+- also source env for creds (9a17d8f)
+- fcl support (e8a5743)
+- fcl support (8d6b6cd)
+
+# Changelog
+
+All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.
+
+## [0.1.42] - 2026-03-11
+
+- Mlflow and azure plugin fix (176881f)
+- fix lifecycle (a2cb9e7)
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+- azure stack index.js split (de12272)
+- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
+- packer (9665fbc)
+- remove stack api (db0fd4d)
+- packer cleanup (fe1bf14)
+- force refresh token (3a3d7e2)
+- provision shell (2ad505f)
+- azure vm management (91dcb31)
+- azure specific (2b0cca8)
+- azure packer (12175b8)
+- init hashed pwd (db8523c)
+- packer (5b5c7c4)
+- doctor for azure vm (ed524fa)
+- packer and 1pwd (c6d053e)
+- split big index.js (dc85a1b)
+- kafka volume update (21815ec)
+- fix openai azure tools confirmation and flow (0118cd1)
+- nighly fixx, test fix (5e0d04f)
+- open ai training (cdc494a)
+- openai integration in azure (1ca1475)
+- ci (672cea9)
+- refresh ghcr creds (4220c48)
+- cleaned up version (1a0074f)
+- traefik on ghcr and templates (8e31a05)
+- apply fcl (e78911f)
+- demo landscape (dd205fe)
+- smarter login and schema (1af514f)
+- no down before up unless something broke (56b1132)
+- dai, reconcile failed containers (12907fa)
+- reconcile dead container (7da75e4)
+- defensive around storage buckets dir (b98871d)
+- defensive around storage buckets dir (e86e132)
+- gear in for multiarch (bf3fa3e)
+- up autofix (99c7f89)
+- autofix stale containers on up (43c7d0f)
+- shared sessions fix (5de1359)
+- share sessions between ui and tui (8321391)
+- fix chat view display details (e263996)
+- fix chat view display details (9babdda)
+- tui up fixes (86e9f17)
+- fix commands init (442538b)
+- enable k3s profile (b2dcfc8)
+- test up till job creation (656d388)
+- tui fixes (0599779)
+- cleanup (27731f0)
+- train (90bf559)
+- training (f809bf6)
+- training (ba2b836)
+- training (6fc5267)
+- training (4af8ac9)
+- fix build script (bd82836)
+- infra test (5b79815)
+- infra test (3a0ac05)
+- infra test (e5c67b5)
+- tests (ae7b621)
+- tests (c09ae6a)
+- update tui (4784153)
+- training (0a5a330)
+- tui (df4dd4a)
+- pkg builds (4dc9993)
+- also source env for creds (9a17d8f)
+- fcl support (e8a5743)
+- fcl support (8d6b6cd)
+
 ## [0.1.41] - 2026-03-11
 
 - fix lifecycle (a2cb9e7)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.41",
+  "version": "0.1.43",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/plugins/bundled/fops-plugin-azure/lib/azure-auth.js

@@ -92,7 +92,7 @@ export function resolveAuth0Config() {
  * Tries the backend /iam/login first, then falls back to Auth0 ROPC.
  */
 export async function authenticateVm(vmUrl, ip, creds) {
-  if (creds.bearerToken) return creds.bearerToken;
+  if (creds.bearerToken && !isJwtExpired(creds.bearerToken)) return creds.bearerToken;
 
   const hasDomain = vmUrl && !vmUrl.match(/^https?:\/\/\d+\.\d+\.\d+\.\d+/);
   const apiUrls = hasDomain
@@ -148,6 +148,28 @@ export function isJwt(token) {
   return token && token.split(".").length === 3;
 }
 
+/**
+ * Decode a JWT payload without verification (for expiry checks only).
+ * Returns the parsed payload or null on failure.
+ */
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = Buffer.from(parts[1], "base64url").toString("utf8");
+    return JSON.parse(payload);
+  } catch { return null; }
+}
+
+/**
+ * Check if a JWT is expired (with 60s grace buffer).
+ */
+export function isJwtExpired(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload?.exp) return false; // no exp claim → assume valid
+  return Date.now() / 1000 > payload.exp - 60;
+}
+
 /**
  * Resolve a valid JWT bearer token for a remote VM/cluster.
  * Auth chain: local bearer → pre-auth /iam/login → Auth0 ROPC → SSH fetch from VM.
@@ -165,9 +187,12 @@ export async function resolveRemoteAuth(opts = {}) {
   let qaPass = creds?.password || process.env.QA_PASSWORD || "";
   let bearerToken = creds?.bearerToken || "";
 
-  // 1) Use local bearer if it's a valid JWT
+  // 1) Use local bearer if it's a valid, non-expired JWT
   if (bearerToken && isJwt(bearerToken)) {
-    return { bearerToken, qaUser, qaPass, useTokenMode: true };
+    if (!isJwtExpired(bearerToken)) {
+      return { bearerToken, qaUser, qaPass, useTokenMode: true };
+    }
+    log(chalk.dim("  Local bearer token expired — refreshing…"));
   }
   bearerToken = "";
 
@@ -224,32 +249,8 @@ export async function resolveRemoteAuth(opts = {}) {
         if (resp.ok) {
           const data = await resp.json();
           if (data.access_token) {
-            // Validate the token against the target API before committing to it.
-            // Local Auth0 config may have a different audience than the remote VM expects.
-            let tokenValid = true;
-            if (apiUrl) {
-              try {
-                const prev = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-                process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
-                try {
-                  const check = await fetch(`${apiUrl}/iam/me`, {
-                    headers: { Authorization: `Bearer ${data.access_token}` },
-                    signal: AbortSignal.timeout(8_000),
-                  });
-                  if (check.status === 401 || check.status === 403) {
-                    tokenValid = false;
-                    log(chalk.dim(`  Auth0 token rejected by API (wrong audience) — trying SSH fallback…`));
-                  }
-                } finally {
-                  if (prev === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
-                  else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prev;
-                }
-              } catch { /* network error — assume token is OK */ }
-            }
-            if (tokenValid) {
-              log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
-              return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
-            }
+            log(chalk.green(`  ✓ Authenticated as ${qaUser} via Auth0`));
+            return { bearerToken: data.access_token, qaUser, qaPass, useTokenMode: true };
           }
         } else {
           log(chalk.dim(`  Auth0 rejected: HTTP ${resp.status}`));
@@ -279,8 +280,11 @@ export async function resolveRemoteAuth(opts = {}) {
 
       const remoteToken = remoteEnv.BEARER_TOKEN;
       if (remoteToken && isJwt(remoteToken)) {
-        log(chalk.green("  ✓ Got JWT bearer token from VM"));
-        return { bearerToken: remoteToken, qaUser, qaPass, useTokenMode: true };
+        if (!isJwtExpired(remoteToken)) {
+          log(chalk.green("  ✓ Got JWT bearer token from VM"));
+          return { bearerToken: remoteToken, qaUser, qaPass, useTokenMode: true };
+        }
+        log(chalk.dim("  Remote bearer token expired — trying VM Auth0…"));
       }
 
       if (remoteEnv.MX_AUTH0_DOMAIN && remoteEnv.MX_AUTH0_CLIENT_ID) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -369,10 +369,33 @@ export async function resolvePublicIp(execa, rg, vmName, fallback) {
       "vm", "list-ip-addresses", "-g", rg, "-n", vmName, "--output", "json",
     ], { reject: false, timeout: 15000 });
     const ips = JSON.parse(stdout);
-    return ips?.[0]?.virtualMachine?.network?.publicIpAddresses?.[0]?.ipAddress || fallback || "";
-  } catch {
-    return fallback || "";
-  }
+    const ip = ips?.[0]?.virtualMachine?.network?.publicIpAddresses?.[0]?.ipAddress;
+    if (ip) return ip;
+  } catch {}
+  // Fallback: query the VM's NIC directly (az vm list-ip-addresses can miss attached IPs)
+  try {
+    const { stdout: nicOut } = await execa("az", [
+      "vm", "show", "-g", rg, "-n", vmName,
+      "--query", "networkProfile.networkInterfaces[0].id", "--output", "tsv",
+    ], { reject: false, timeout: 10000 });
+    const nicId = nicOut?.trim();
+    if (nicId) {
+      const { stdout: ipOut } = await execa("az", [
+        "network", "nic", "show", "--ids", nicId,
+        "--query", "ipConfigurations[0].publicIPAddress.id", "--output", "tsv",
+      ], { reject: false, timeout: 10000 });
+      const pubId = ipOut?.trim();
+      if (pubId) {
+        const { stdout: addrOut } = await execa("az", [
+          "network", "public-ip", "show", "--ids", pubId,
+          "--query", "ipAddress", "--output", "tsv",
+        ], { reject: false, timeout: 10000 });
+        const addr = addrOut?.trim();
+        if (addr) return addr;
+      }
+    }
+  } catch {}
+  return fallback || "";
 }
 
 // ── GitHub token helpers ────────────────────────────────────────────────────

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -2394,6 +2394,28 @@ export async function azureList(opts = {}) {
     return;
   }
 
+  // Resolve missing public IPs from Azure before sync (so sync can SSH into VMs)
+  const needIp = vmNames.filter((n) => !vms[n]?.publicIp && vms[n]?.resourceGroup);
+  if (needIp.length > 0) {
+    try {
+      const execa = await lazyExeca();
+      await ensureAzCli(execa);
+      const resolved = await Promise.all(
+        needIp.map(async (name) => {
+          const ip = await resolvePublicIp(execa, vms[name].resourceGroup, name, null);
+          return { name, ip };
+        }),
+      );
+      for (const { name, ip } of resolved) {
+        if (ip) writeVmState(name, { publicIp: ip });
+      }
+      const updated = resolved.filter((r) => r.ip).length;
+      if (updated > 0) {
+        ({ vms } = listVms());
+      }
+    } catch { /* ignore */ }
+  }
+
   // Use cache if fresh, otherwise try shared tags, then fall back to full sync
   const forceLive = opts.live;
   let cache = readCache();
@@ -2429,31 +2451,6 @@ export async function azureList(opts = {}) {
     ? DIM(`  (synced ${timeSince(cacheTime)} ago${sourceLabel})`)
     : "";
 
-  // Resolve missing public IPs from Azure (e.g. VM added by discover but IP not in state yet)
-  const needIp = vmNames.filter((n) => !vms[n]?.publicIp && !cachedVms[n]?.publicIp && vms[n]?.resourceGroup);
-  if (needIp.length > 0) {
-    try {
-      const execa = await lazyExeca();
-      await ensureAzCli(execa);
-      const resolved = await Promise.all(
-        needIp.map(async (name) => {
-          const ip = await resolvePublicIp(execa, vms[name].resourceGroup, name, null);
-          return { name, ip };
-        }),
-      );
-      for (const { name, ip } of resolved) {
-        if (ip) {
-          writeVmState(name, { publicIp: ip });
-          if (cachedVms[name]) cachedVms[name].publicIp = ip;
-        }
-      }
-      const updated = resolved.filter((r) => r.ip).length;
-      if (updated > 0) {
-        ({ vms } = listVms());
-      }
-    } catch { /* ignore */ }
-  }
-
   // ── VM sizes (one az call for all fops-managed VMs) ───────────────────────
   let vmSizes = {};
   if (vmNames.length > 0) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-state.js

@@ -118,6 +118,10 @@ function _tryRecover() {
         if (current[k] !== undefined) recovered.state[k] = current[k];
       }
     } catch { /* current file unreadable or invalid JSON, skip merge */ }
+    // Recompute checksum after merge so next readState() doesn't see a mismatch
+    if (recovered.state._meta) {
+      recovered.state._meta.checksum = _checksum(JSON.stringify(_stateBody(recovered.state)));
+    }
     try { _atomicWrite(STATE_PATH, JSON.stringify(recovered.state, null, 2) + "\n"); } catch {}
     return recovered.state;
   }

package/src/plugins/bundled/fops-plugin-azure/lib/commands/test-cmds.js

@@ -15,14 +15,17 @@ export function registerTestCommands(azure) {
     .description("Run QA automation tests locally against a remote VM")
     .option("--vm-name <name>", "Target VM (default: active)")
     .action(async (name, opts) => {
-      const { requireVmState, knockForVm } = await import("../azure.js");
-      const { resolveCliSrc } = await import("../azure-helpers.js");
+      const { resolveCliSrc, lazyExeca, ensureAzCli, ensureAzAuth, resolvePublicIp } = await import("../azure-helpers.js");
+      const { requireVmState, knockForVm, sshCmd, MUX_OPTS } = await import("../azure.js");
       const { rootDir } = await import(resolveCliSrc("project.js"));
       const fsp = await import("node:fs/promises");
       const path = await import("node:path");
 
       const state = requireVmState(opts.vmName || name);
-      const ip = state.publicIp;
+      const execa = await lazyExeca();
+      await ensureAzCli(execa);
+      await ensureAzAuth(execa);
+      const ip = await resolvePublicIp(execa, state.resourceGroup, state.vmName, state.publicIp);
       if (!ip) {
         console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n"));
         process.exit(1);
@@ -45,13 +48,11 @@ export function registerTestCommands(azure) {
 
       const vmUrl = state.publicUrl || `https://${ip}`;
       const apiUrl = `${vmUrl}/api`;
-      const { execa: execaFn } = await import("execa");
-      const { sshCmd, MUX_OPTS } = await import("../azure.js");
 
       console.log(chalk.dim(`  Authenticating against ${vmUrl}…`));
       const auth = await resolveRemoteAuth({
         apiUrl, ip, vmState: state,
-        execaFn, sshCmd, knockForVm, suppressTlsWarning,
+        execaFn: execa, sshCmd, knockForVm, suppressTlsWarning,
       });
       let { bearerToken, qaUser, qaPass, useTokenMode } = auth;
 
@@ -102,8 +103,8 @@ export function registerTestCommands(azure) {
         await fsp.access(path.join(qaDir, "venv"));
       } catch {
         console.log(chalk.cyan("  Setting up QA automation environment…"));
-        await execaFn("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
-        await execaFn("bash", ["-c", "source venv/bin/activate && pip install -r requirements.txt && playwright install"], { cwd: qaDir, stdio: "inherit" });
+        await execa("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
+        await execa("bash", ["-c", "source venv/bin/activate && pip install -r requirements.txt && playwright install"], { cwd: qaDir, stdio: "inherit" });
       }
 
       // Knock to ensure VM is reachable
@@ -156,7 +157,7 @@ export function registerTestCommands(azure) {
       }
 
       const startMs = Date.now();
-      const proc = execaFn(
+      const proc = execa(
         "bash",
         ["-c", `source venv/bin/activate && pytest ${pytestArgs}`],
         { cwd: qaDir, timeout: 600_000, reject: false, env: testEnv },