@meshxdata/fops 0.1.43 → 0.1.45

package/CHANGELOG.md

@@ -1,3 +1,377 @@
+## [0.1.45] - 2026-03-12
+
+- bump fops to 0.1.44 (8c0ef5d)
+- Mlflow and azure plugin fix (176881f)
+- fix lifecycle (a2cb9e7)
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+- azure stack index.js split (de12272)
+- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
+- packer (9665fbc)
+- remove stack api (db0fd4d)
+- packer cleanup (fe1bf14)
+- force refresh token (3a3d7e2)
+- provision shell (2ad505f)
+- azure vm management (91dcb31)
+- azure specific (2b0cca8)
+- azure packer (12175b8)
+- init hashed pwd (db8523c)
+- packer (5b5c7c4)
+- doctor for azure vm (ed524fa)
+- packer and 1pwd (c6d053e)
+- split big index.js (dc85a1b)
+- kafka volume update (21815ec)
+- fix openai azure tools confirmation and flow (0118cd1)
+- nighly fixx, test fix (5e0d04f)
+- open ai training (cdc494a)
+- openai integration in azure (1ca1475)
+- ci (672cea9)
+- refresh ghcr creds (4220c48)
+- cleaned up version (1a0074f)
+- traefik on ghcr and templates (8e31a05)
+- apply fcl (e78911f)
+- demo landscape (dd205fe)
+- smarter login and schema (1af514f)
+- no down before up unless something broke (56b1132)
+- dai, reconcile failed containers (12907fa)
+- reconcile dead container (7da75e4)
+- defensive around storage buckets dir (b98871d)
+- defensive around storage buckets dir (e86e132)
+- gear in for multiarch (bf3fa3e)
+- up autofix (99c7f89)
+- autofix stale containers on up (43c7d0f)
+- shared sessions fix (5de1359)
+- share sessions between ui and tui (8321391)
+- fix chat view display details (e263996)
+- fix chat view display details (9babdda)
+- tui up fixes (86e9f17)
+- fix commands init (442538b)
+- enable k3s profile (b2dcfc8)
+- test up till job creation (656d388)
+- tui fixes (0599779)
+- cleanup (27731f0)
+- train (90bf559)
+- training (f809bf6)
+- training (ba2b836)
+- training (6fc5267)
+- training (4af8ac9)
+- fix build script (bd82836)
+- infra test (5b79815)
+- infra test (3a0ac05)
+- infra test (e5c67b5)
+- tests (ae7b621)
+- tests (c09ae6a)
+- update tui (4784153)
+- training (0a5a330)
+- tui (df4dd4a)
+- pkg builds (4dc9993)
+- also source env for creds (9a17d8f)
+- fcl support (e8a5743)
+
+# Changelog
+
+All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.
+
+## [0.1.44] - 2026-03-11
+
+- Mlflow and azure plugin fix (176881f)
+- fix lifecycle (a2cb9e7)
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+- azure stack index.js split (de12272)
+- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
+- packer (9665fbc)
+- remove stack api (db0fd4d)
+- packer cleanup (fe1bf14)
+- force refresh token (3a3d7e2)
+- provision shell (2ad505f)
+- azure vm management (91dcb31)
+- azure specific (2b0cca8)
+- azure packer (12175b8)
+- init hashed pwd (db8523c)
+- packer (5b5c7c4)
+- doctor for azure vm (ed524fa)
+- packer and 1pwd (c6d053e)
+- split big index.js (dc85a1b)
+- kafka volume update (21815ec)
+- fix openai azure tools confirmation and flow (0118cd1)
+- nighly fixx, test fix (5e0d04f)
+- open ai training (cdc494a)
+- openai integration in azure (1ca1475)
+- ci (672cea9)
+- refresh ghcr creds (4220c48)
+- cleaned up version (1a0074f)
+- traefik on ghcr and templates (8e31a05)
+- apply fcl (e78911f)
+- demo landscape (dd205fe)
+- smarter login and schema (1af514f)
+- no down before up unless something broke (56b1132)
+- dai, reconcile failed containers (12907fa)
+- reconcile dead container (7da75e4)
+- defensive around storage buckets dir (b98871d)
+- defensive around storage buckets dir (e86e132)
+- gear in for multiarch (bf3fa3e)
+- up autofix (99c7f89)
+- autofix stale containers on up (43c7d0f)
+- shared sessions fix (5de1359)
+- share sessions between ui and tui (8321391)
+- fix chat view display details (e263996)
+- fix chat view display details (9babdda)
+- tui up fixes (86e9f17)
+- fix commands init (442538b)
+- enable k3s profile (b2dcfc8)
+- test up till job creation (656d388)
+- tui fixes (0599779)
+- cleanup (27731f0)
+- train (90bf559)
+- training (f809bf6)
+- training (ba2b836)
+- training (6fc5267)
+- training (4af8ac9)
+- fix build script (bd82836)
+- infra test (5b79815)
+- infra test (3a0ac05)
+- infra test (e5c67b5)
+- tests (ae7b621)
+- tests (c09ae6a)
+- update tui (4784153)
+- training (0a5a330)
+- tui (df4dd4a)
+- pkg builds (4dc9993)
+- also source env for creds (9a17d8f)
+- fcl support (e8a5743)
+- fcl support (8d6b6cd)
+
 ## [0.1.43] - 2026-03-11
 
 - Mlflow and azure plugin fix (176881f)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.43",
+  "version": "0.1.45",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/commands/lifecycle.js

@@ -159,6 +159,26 @@ export function registerLifecycleCommands(program, registry) {
       await dockerCompose(root, args);
     });
 
+  program
+    .command("restart")
+    .description("Restart Foundation services (all or specific)")
+    .argument("[services...]", "Services to restart (e.g. backend, watcher)")
+    .action(async (services) => {
+      const root = requireRoot(program);
+      const serviceNames = (services || []).filter(Boolean).flatMap((s) => {
+        const sub = COMPONENT_SUBMODULES[s];
+        if (sub) return sub.restart;
+        return [resolveServiceName(root, s)];
+      });
+      if (serviceNames.length) {
+        console.log(chalk.cyan(`  Restarting ${serviceNames.join(", ")}...`));
+        await dockerCompose(root, ["restart", ...serviceNames]);
+      } else {
+        console.log(chalk.cyan("  Restarting all services..."));
+        await dockerCompose(root, ["restart"]);
+      }
+    });
+
   program
     .command("bake")
     .description("Build and push multi-arch base container images (node, etc.)")

package/src/plugins/bundled/fops-plugin-azure/lib/azure-grafana.js

@@ -0,0 +1,344 @@
+/**
+ * Grafana datasource federation for Azure VMs via SSH tunnels.
+ *
+ * Each VM exposes Prometheus on port 9091 and Loki on port 3100 (host-bound
+ * in docker-compose). These are NOT routed through Traefik (which has Auth0
+ * SSO), so we use SSH port-forwards instead.
+ *
+ * Flow:
+ *   1. fops azure grafana tunnel   — opens SSH tunnels for all VMs, blocks
+ *   2. fops azure grafana sync     — registers localhost:<port> datasources
+ *                                    in Grafana for each tunnelled VM
+ *   3. fops azure up/down          — auto-registers/deregisters datasources
+ *                                    if tunnel ports are already assigned
+ *
+ * Config in ~/.fops.json:
+ *   grafana: { url, token, tunnelPorts: { "<vmName>": { prometheus, loki } } }
+ */
+import net from "node:net";
+import { spawn } from "node:child_process";
+import chalk from "chalk";
+import { readState, saveState } from "./azure-state.js";
+import { DEFAULTS, MUX_OPTS } from "./azure-helpers.js";
+
+const DIM  = (s) => chalk.dim(s);
+const OK   = (s) => chalk.green(s);
+const WARN = (s) => chalk.yellow(s);
+const ERR  = (s) => chalk.red(s);
+
+// Remote ports as bound by docker-compose
+const REMOTE_PROMETHEUS = 9091;
+const REMOTE_LOKI       = 3100;
+
+// ── Config helpers ────────────────────────────────────────────────────────────
+
+export function readGrafanaConfig() {
+  return readState().grafana || null;
+}
+
+export function writeGrafanaConfig(patch) {
+  const state = readState();
+  state.grafana = { ...state.grafana, ...patch };
+  saveState(state);
+}
+
+/** Get stored tunnel port pair for a VM, or null if not yet assigned. */
+export function readTunnelPorts(vmName) {
+  return readState().grafana?.tunnelPorts?.[vmName] || null;
+}
+
+/** Persist tunnel port pair for a VM. */
+export function writeTunnelPorts(vmName, ports) {
+  const state = readState();
+  if (!state.grafana) state.grafana = {};
+  if (!state.grafana.tunnelPorts) state.grafana.tunnelPorts = {};
+  state.grafana.tunnelPorts[vmName] = ports;
+  saveState(state);
+}
+
+/** Remove tunnel port assignment for a VM. */
+export function clearTunnelPorts(vmName) {
+  const state = readState();
+  if (state.grafana?.tunnelPorts?.[vmName]) {
+    delete state.grafana.tunnelPorts[vmName];
+    saveState(state);
+  }
+}
+
+// ── Free port finder ──────────────────────────────────────────────────────────
+
+function findFreePort() {
+  return new Promise((resolve, reject) => {
+    const s = net.createServer();
+    s.listen(0, "127.0.0.1", () => {
+      const port = s.address().port;
+      s.close(() => resolve(port));
+    });
+    s.on("error", reject);
+  });
+}
+
+async function assignPorts(vmName) {
+  const existing = readTunnelPorts(vmName);
+  if (existing) return existing;
+  const prometheus = await findFreePort();
+  const loki       = await findFreePort();
+  const ports = { prometheus, loki };
+  writeTunnelPorts(vmName, ports);
+  return ports;
+}
+
+// ── SSH tunnel management ─────────────────────────────────────────────────────
+
+/**
+ * Open SSH port-forwards for a single VM (non-blocking, returns child process).
+ * Forwards: localPrometheus → VM:9091, localLoki → VM:3100
+ */
+function spawnTunnel(ip, user, ports) {
+  const args = [
+    ...MUX_OPTS(ip, user),
+    "-N",
+    "-L", `${ports.prometheus}:localhost:${REMOTE_PROMETHEUS}`,
+    "-L", `${ports.loki}:localhost:${REMOTE_LOKI}`,
+    `${user}@${ip}`,
+  ];
+  return spawn("ssh", args, { stdio: "ignore", detached: false });
+}
+
+/**
+ * Open SSH tunnels for all given VMs. Blocks until Ctrl+C.
+ * Port assignments are stored in ~/.fops.json so `grafana sync` can use them.
+ */
+export async function openGrafanaTunnels(vms, { knockForVm }) {
+  const cfg = readGrafanaConfig();
+  const user = DEFAULTS.adminUser;
+  const entries = Object.entries(vms).filter(([, s]) => s?.publicIp);
+
+  if (entries.length === 0) {
+    console.log(WARN("  No running VMs found (need publicIp in state)."));
+    return;
+  }
+
+  console.log(chalk.cyan(`\n  Opening Grafana tunnels for ${entries.length} VM(s)…\n`));
+
+  const children = [];
+
+  for (const [vmName, state] of entries) {
+    const ip = state.publicIp;
+    const ports = await assignPorts(vmName);
+
+    if (state.knockSequence?.length) await knockForVm(state);
+
+    const child = spawnTunnel(ip, user, ports);
+    children.push({ vmName, child, ports });
+
+    console.log(`  ${OK("✓")} ${chalk.bold(vmName)}`);
+    console.log(`    ${DIM(`prometheus → localhost:${ports.prometheus}`)}`);
+    console.log(`    ${DIM(`loki       → localhost:${ports.loki}`)}`);
+  }
+
+  console.log(chalk.cyan("\n  Tunnels open. Run in another terminal:"));
+  console.log(DIM("    fops azure grafana sync\n"));
+  console.log(DIM("  Press Ctrl+C to close.\n"));
+
+  await new Promise((resolve) => {
+    const cleanup = () => {
+      for (const { child } of children) {
+        try { child.kill(); } catch {}
+      }
+      resolve();
+    };
+    process.on("SIGINT", cleanup);
+    process.on("SIGTERM", cleanup);
+  });
+}
+
+// ── Grafana HTTP API helpers ──────────────────────────────────────────────────
+
+async function grafanaFetch(cfg, path, method = "GET", body = undefined) {
+  const url = `${cfg.url.replace(/\/$/, "")}${path}`;
+  const res = await fetch(url, {
+    method,
+    headers: {
+      "Content-Type": "application/json",
+      "Authorization": `Bearer ${cfg.token}`,
+    },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+  const text = await res.text();
+  let json;
+  try { json = JSON.parse(text); } catch { json = { message: text }; }
+  return { ok: res.ok, status: res.status, json };
+}
+
+async function listDatasources(cfg) {
+  const { ok, json } = await grafanaFetch(cfg, "/api/datasources");
+  if (!ok) throw new Error(`Failed to list datasources: ${JSON.stringify(json)}`);
+  return json;
+}
+
+async function upsertDatasource(cfg, ds) {
+  const all = await listDatasources(cfg);
+  const existing = all.find((d) => d.name === ds.name);
+  if (existing) {
+    const { ok, json } = await grafanaFetch(cfg, `/api/datasources/${existing.id}`, "PUT", { ...ds, id: existing.id });
+    if (!ok) throw new Error(`Failed to update "${ds.name}": ${JSON.stringify(json)}`);
+    return { action: "updated", id: existing.id };
+  }
+  const { ok, json } = await grafanaFetch(cfg, "/api/datasources", "POST", ds);
+  if (!ok) throw new Error(`Failed to create "${ds.name}": ${JSON.stringify(json)}`);
+  return { action: "created", id: json.datasource?.id ?? json.id };
+}
+
+async function deleteDatasourceByName(cfg, name) {
+  const all = await listDatasources(cfg);
+  const existing = all.find((d) => d.name === name);
+  if (!existing) return false;
+  const { ok, json } = await grafanaFetch(cfg, `/api/datasources/${existing.id}`, "DELETE");
+  if (!ok) throw new Error(`Failed to delete "${name}": ${JSON.stringify(json)}`);
+  return true;
+}
+
+// ── Datasource definitions ────────────────────────────────────────────────────
+
+function prometheusDs(vmName, localPort) {
+  return {
+    name: `${vmName}-prometheus`,
+    type: "prometheus",
+    url: `http://localhost:${localPort}`,
+    access: "proxy",
+    isDefault: false,
+    jsonData: { timeInterval: "15s" },
+  };
+}
+
+function lokiDs(vmName, localPort) {
+  return {
+    name: `${vmName}-loki`,
+    type: "loki",
+    url: `http://localhost:${localPort}`,
+    access: "proxy",
+    isDefault: false,
+    jsonData: {},
+  };
+}
+
+// ── Public API ────────────────────────────────────────────────────────────────
+
+/**
+ * Register Prometheus + Loki datasources for a VM using its stored tunnel ports.
+ * No-ops if Grafana isn't configured or tunnel ports haven't been assigned yet.
+ */
+export async function registerVmDatasources(vmName) {
+  const cfg = readGrafanaConfig();
+  if (!cfg?.url || !cfg?.token) return;
+
+  const ports = readTunnelPorts(vmName);
+  if (!ports) return; // tunnel not yet set up — user runs `grafana tunnel` first
+
+  try {
+    const pResult = await upsertDatasource(cfg, prometheusDs(vmName, ports.prometheus));
+    const lResult = await upsertDatasource(cfg, lokiDs(vmName, ports.loki));
+    console.log(OK(`  ✓ Grafana datasources ${pResult.action}: ${vmName}-prometheus, ${vmName}-loki`));
+  } catch (err) {
+    console.log(WARN(`  ⚠ Grafana datasource registration failed: ${err.message}`));
+  }
+}
+
+/**
+ * Remove Prometheus + Loki datasources and clear stored tunnel ports for a VM.
+ * No-ops if Grafana isn't configured.
+ */
+export async function deregisterVmDatasources(vmName) {
+  const cfg = readGrafanaConfig();
+  if (!cfg?.url || !cfg?.token) {
+    clearTunnelPorts(vmName);
+    return;
+  }
+
+  try {
+    const pd = await deleteDatasourceByName(cfg, `${vmName}-prometheus`);
+    const ld = await deleteDatasourceByName(cfg, `${vmName}-loki`);
+    if (pd || ld) console.log(OK(`  ✓ Grafana datasources removed: ${vmName}-prometheus, ${vmName}-loki`));
+  } catch (err) {
+    console.log(WARN(`  ⚠ Grafana datasource removal failed: ${err.message}`));
+  }
+
+  clearTunnelPorts(vmName);
+}
+
+/**
+ * Reconcile Grafana datasources for all tracked VMs that have tunnel ports assigned.
+ * Removes datasources for VMs that are no longer tracked.
+ */
+export async function syncGrafanaDatasources(vms) {
+  const cfg = readGrafanaConfig();
+  if (!cfg?.url || !cfg?.token) {
+    console.log(WARN("  No Grafana configured. Run: fops azure grafana configure <url> <token>"));
+    return;
+  }
+
+  console.log(chalk.cyan(`\n  Syncing Grafana datasources → ${cfg.url}\n`));
+
+  let synced = 0;
+  for (const [vmName] of Object.entries(vms)) {
+    const ports = readTunnelPorts(vmName);
+    if (!ports) {
+      console.log(`  ${DIM(`⊘ ${vmName}: no tunnel ports — run: fops azure grafana tunnel`)}`);
+      continue;
+    }
+    try {
+      const pResult = await upsertDatasource(cfg, prometheusDs(vmName, ports.prometheus));
+      const lResult = await upsertDatasource(cfg, lokiDs(vmName, ports.loki));
+      console.log(`  ${OK("✓")} ${vmName}: ${DIM(`prometheus :${ports.prometheus} (${pResult.action}), loki :${ports.loki} (${lResult.action})`)}`);
+      synced++;
+    } catch (err) {
+      console.log(`  ${WARN("⚠")} ${vmName}: ${err.message}`);
+    }
+  }
+
+  // Remove stale datasources for VMs no longer tracked
+  try {
+    const all = await listDatasources(cfg);
+    const trackedNames = new Set(Object.keys(vms));
+    for (const ds of all) {
+      const match = ds.name.match(/^(.+)-(prometheus|loki)$/);
+      if (!match) continue;
+      const [, dsVmName] = match;
+      if (!trackedNames.has(dsVmName)) {
+        await deleteDatasourceByName(cfg, ds.name);
+        console.log(`  ${DIM(`✗ Removed stale: ${ds.name}`)}`);
+      }
+    }
+  } catch (err) {
+    console.log(WARN(`  ⚠ Stale datasource cleanup failed: ${err.message}`));
+  }
+
+  if (synced === 0) {
+    console.log(chalk.cyan("\n  No tunnels active. Start them first:"));
+    console.log(DIM("    fops azure grafana tunnel\n"));
+  } else {
+    console.log();
+  }
+}
+
+/** Test connectivity to the configured Grafana instance. */
+export async function testGrafanaConnection() {
+  const cfg = readGrafanaConfig();
+  if (!cfg?.url || !cfg?.token) {
+    console.log(ERR("  No Grafana configured. Run: fops azure grafana configure <url> <token>"));
+    return false;
+  }
+  try {
+    const { ok, json } = await grafanaFetch(cfg, "/api/org");
+    if (ok) {
+      console.log(OK(`  ✓ Connected to Grafana: ${json.name || cfg.url}`));
+      return true;
+    }
+    console.log(ERR(`  ✗ Auth failed (${json.message || "check token"})`));
+    return false;
+  } catch (err) {
+    console.log(ERR(`  ✗ Cannot reach Grafana at ${cfg.url}: ${err.message}`));
+    return false;
+  }
+}

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -825,7 +825,7 @@ export async function ensureOpenAiNetworkAccess(execa, publicIp, sub) {
 // ── Remote fops up command builder ──────────────────────────────────────────
 
 export function fopsUpCmd(publicUrl, { k3s, traefik, dai } = {}) {
-  const profiles = ["k3s", "traefik"];
+  const profiles = ["k3s", "traefik", "loki"];
   if (dai) profiles.push("dai");
 
   const profileEnv = `COMPOSE_PROFILES=${profiles.join(",")} `;

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -414,6 +414,7 @@ export async function azureSsh(opts = {}) {
   const ip = freshState?.publicIp;
   if (!ip) { console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n")); process.exit(1); }
 
+  const sshUser = opts.user || DEFAULTS.adminUser;
   await knockForVm(freshState);
 
   const { execa } = await import("execa");
@@ -421,7 +422,7 @@ export async function azureSsh(opts = {}) {
     "-o", "StrictHostKeyChecking=no",
     "-o", "UserKnownHostsFile=/dev/null",
     "-o", "ConnectTimeout=15",
-    `${DEFAULTS.adminUser}@${ip}`,
+    `${sshUser}@${ip}`,
   ], { stdio: "inherit", reject: false });
   if (result.exitCode !== 0 && result.exitCode !== null) {
     console.error(chalk.red(`\n  SSH failed (exit ${result.exitCode}). If port-knock is enabled, try: fops azure knock open ${freshState?.vmName}\n`));
@@ -858,7 +859,7 @@ export async function azureDeploy(opts = {}) {
 
   hint(`Pulling latest (branch: ${branch})…`);
   const { stdout: pullOut, exitCode: pullCode } = await ssh(
-    `cd /opt/foundation-compose && git fetch origin && git checkout ${branch} && git pull origin ${branch}`
+    `cd /opt/foundation-compose && cp -f .env .env.local-backup 2>/dev/null; git checkout -- .env 2>/dev/null; git fetch origin && git checkout ${branch} && git pull origin ${branch}; cp -f .env.local-backup .env 2>/dev/null; true`
   );
   if (pullCode !== 0) {
     console.log(WARN("  ⚠ git pull had issues — continuing anyway"));
@@ -991,12 +992,15 @@ export async function azureRunUp(opts = {}) {
       console.log(WARN("  .env sanitized (invalid lines removed)"));
     }
 
-    // Git pull
+    // Git pull — preserve .env (always has local overrides) to avoid merge conflicts
     const gitScript = [
       "cd /opt/foundation-compose",
+      "cp -f .env .env.local-backup 2>/dev/null || true",
+      "git checkout -- .env 2>/dev/null || true",
       "git stash --include-untracked 2>&1 || true",
       "( git pull --ff-only 2>&1 || ( git fetch origin 2>&1 && git reset --hard \"origin/$(git branch --show-current)\" 2>&1 ) )",
       "git stash pop 2>&1 || echo 'nothing to pop'",
+      "cp -f .env.local-backup .env 2>/dev/null || true",
       "git submodule update --init --recursive 2>&1",
     ].join(" && ");
     const { exitCode: gitCode, stdout: gitOut, stderr: gitErr } = await ssh(gitScript, 120000);
@@ -1856,12 +1860,15 @@ export async function azureUpdate(opts = {}) {
         ).catch(() => {});
       }
 
-      // Stash local changes, pull latest (or fetch+reset if non–fast-forward), then stash pop and submodules
+      // Preserve .env (local overrides), pull latest (or fetch+reset if non–fast-forward), restore .env
       const gitScript = [
         "cd /opt/foundation-compose",
+        "cp -f .env .env.local-backup 2>/dev/null || true",
+        "git checkout -- .env 2>/dev/null || true",
         "git stash --include-untracked 2>&1 || true",
         "( git pull --ff-only 2>&1 || ( git fetch origin 2>&1 && git reset --hard \"origin/$(git branch --show-current)\" 2>&1 ) )",
         "git stash pop 2>&1 || echo 'nothing to pop'",
+        "cp -f .env.local-backup .env 2>/dev/null || true",
         "git submodule update --init --recursive 2>&1",
       ].join(" && ");
       const { exitCode: gitCode, stdout: gitOut, stderr: gitErr } = await ssh(gitScript, 120000);
@@ -2129,6 +2136,35 @@ export async function azureLogs(service, opts = {}) {
   ], { stdio: "inherit", reject: false });
 }
 
+// ── restart ─────────────────────────────────────────────────────────────────
+
+export async function azureRestart(service, opts = {}) {
+  const state = requireVmState(opts.vmName);
+  const ip = state.publicIp;
+  if (!ip) { console.error(chalk.red("\n  No IP. Is the VM running?\n")); process.exit(1); }
+
+  await knockForVm(state);
+
+  const { execa } = await import("execa");
+  const adminUser = DEFAULTS.adminUser;
+
+  const svcArg = service ? (service.startsWith("foundation-") ? service : `foundation-${service}`) : "";
+  const label = svcArg || "all services";
+  console.log(chalk.cyan(`  Restarting ${label} on ${state.vmName || ip}...`));
+
+  const { exitCode } = await execa("ssh", [
+    "-o", "StrictHostKeyChecking=no",
+    `${adminUser}@${ip}`,
+    `cd /opt/foundation-compose && sudo docker compose restart ${svcArg}`,
+  ], { stdio: "inherit", reject: false });
+
+  if (exitCode === 0) {
+    console.log(chalk.green(`  ✓ ${label} restarted`));
+  } else {
+    console.error(chalk.red(`  ✗ restart failed (exit ${exitCode})`));
+  }
+}
+
 // ── grant-admin ─────────────────────────────────────────────────────────────
 
 export async function azureGrantAdmin(opts = {}) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision.js

@@ -80,7 +80,7 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
 
   console.log(chalk.dim("  Configuring VM..."));
 
-  // Batch: sshd tuning + docker group + ownership — single SSH round-trip
+  // Batch: sshd tuning + docker group + ownership + br_netfilter — single SSH round-trip
   const setupBatch = [
     // Speed up SSH: accept forwarded env vars, disable DNS reverse lookup
     `sudo grep -q '^AcceptEnv.*BEARER_TOKEN' /etc/ssh/sshd_config 2>/dev/null || {`,
@@ -91,6 +91,8 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
     `}`,
     `sudo usermod -aG docker ${user} 2>/dev/null; true`,
     "sudo chown -R azureuser:azureuser /opt/foundation-compose 2>/dev/null; true",
+    // Ensure br_netfilter is loaded so k3s CoreDNS service-IP routing works
+    "sudo modprobe br_netfilter 2>/dev/null; sudo sysctl -qw net.bridge.bridge-nf-call-iptables=1 2>/dev/null; true",
     // Only inject FOUNDATION_PUBLIC_URL if not already set — never overwrite
     `cd /opt/foundation-compose && grep -q '^FOUNDATION_PUBLIC_URL=' .env 2>/dev/null || echo 'FOUNDATION_PUBLIC_URL=${publicUrl}' >> .env`,
   ].join("\n");
@@ -1633,7 +1635,7 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
     waitAptLock,
     "export DEBIAN_FRONTEND=noninteractive",
     "apt-get update -y -qq",
-    "apt-get install -y -qq apt-transport-https ca-certificates curl gnupg lsb-release jq git make unzip zsh software-properties-common",
+    "apt-get install -y -qq apt-transport-https ca-certificates curl gnupg lsb-release jq git make unzip zsh software-properties-common python3-venv python3-pip",
   ].join("\n"), 300000);
 
   await runScript("Installing Docker", [
@@ -1649,6 +1651,13 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
     `usermod -aG docker ${adminUser}`,
   ].join("\n"), 300000);
 
+  await runScript("Configuring br_netfilter for k3s DNS", [
+    "modprobe br_netfilter",
+    "echo br_netfilter > /etc/modules-load.d/br_netfilter.conf",
+    "sysctl -w net.bridge.bridge-nf-call-iptables=1",
+    "echo 'net.bridge.bridge-nf-call-iptables = 1' > /etc/sysctl.d/99-br-netfilter.conf",
+  ].join("\n"));
+
   await runScript("Installing GitHub CLI", [
     waitAptLock,
     "set +e",

package/src/plugins/bundled/fops-plugin-azure/lib/azure-results.js

@@ -235,6 +235,79 @@ export async function resultsPush(target, qaResult, opts = {}) {
   return { blob, account: store.account };
 }
 
+// ── Remove ──────────────────────────────────────────────────────────────────
+
+export async function resultsRemove(target, opts = {}) {
+  const execa = await lazyExeca();
+  await ensureAzCli(execa);
+  await ensureAzAuth(execa, { subscription: opts.subscription });
+
+  // 1. Clear local state
+  const state = readState();
+  const vm = state.azure?.vms?.[target];
+  if (vm?.qa) {
+    delete vm.qa;
+    saveState(state);
+    console.log(OK(`  ✓ Local QA state cleared for "${target}"`));
+  } else {
+    console.log(DIM(`  No local QA state found for "${target}"`));
+  }
+
+  // 2. Delete blobs from storage
+  const store = getResultsConfig();
+  if (!store?.account) {
+    console.log(DIM("  No results storage configured — skipping blob deletion."));
+    return;
+  }
+
+  const prefix = `${BLOB_PREFIX}/${target}/`;
+  let blobs;
+  try {
+    const { stdout } = await execa("az", [
+      "storage", "blob", "list",
+      "--account-name", store.account,
+      "--container-name", CONTAINER_NAME,
+      "--prefix", prefix,
+      "--query", "[].name",
+      "--output", "json",
+      ...AUTH,
+      ...subArgs(opts.subscription),
+    ], { timeout: 30000 });
+    blobs = JSON.parse(stdout || "[]");
+  } catch (err) {
+    console.log(WARN(`  ⚠ Could not list blobs: ${err.message}`));
+    return;
+  }
+
+  if (blobs.length === 0) {
+    console.log(DIM(`  No stored results found in blob storage for "${target}"`));
+    return;
+  }
+
+  console.log(chalk.cyan(`\n  Deleting ${blobs.length} result(s) from ${store.account}/${CONTAINER_NAME}/${prefix}…\n`));
+
+  let deleted = 0;
+  for (const blobName of blobs) {
+    try {
+      await execa("az", [
+        "storage", "blob", "delete",
+        "--account-name", store.account,
+        "--container-name", CONTAINER_NAME,
+        "--name", blobName,
+        ...AUTH,
+        "--output", "none",
+        ...subArgs(opts.subscription),
+      ], { timeout: 15000 });
+      console.log(`  ${DIM(`✗ ${blobName}`)}`);
+      deleted++;
+    } catch (err) {
+      console.log(WARN(`  ⚠ Failed to delete ${blobName}: ${err.message}`));
+    }
+  }
+
+  console.log(OK(`\n  ✓ Removed ${deleted}/${blobs.length} result(s) for "${target}"\n`));
+}
+
 // ── List ────────────────────────────────────────────────────────────────────
 
 export async function resultsList(opts = {}) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-vm-lifecycle.js

@@ -437,6 +437,10 @@ export async function azureUp(opts = {}) {
   }
 
   await ensureResourceLock(execa, rg, vmName, sub);
+
+  const { registerVmDatasources } = await import("./azure-grafana.js");
+  await registerVmDatasources(vmName, publicUrl);
+
   printInfo(vmName, publicIp, adminUser, publicUrl);
   return { publicIp, publicUrl, vmName, resourceGroup: rg };
 }
@@ -617,6 +621,9 @@ export async function azureDown(opts = {}) {
     await cleanupDns(cfToken, tracked.publicUrl);
   }
 
+  const { deregisterVmDatasources } = await import("./azure-grafana.js");
+  await deregisterVmDatasources(vmName);
+
   clearVmState(vmName);
   console.log(OK("\n  ✓ Done.") + DIM("  State cleared.\n"));
 }

package/src/plugins/bundled/fops-plugin-azure/lib/azure.js

@@ -48,7 +48,7 @@ export {
 export {
   azureStatus, azureTrinoStatus, azureSsh, azureSshWhitelistMe, azurePortForward, azureSshAdminAdd, azureVmCheck, azureAgent, azureOpenAiDebugVm,
   azureDeploy, azurePull, azureDeployVersion, azureRunUp, azureConfig, azureConfigVersions, azureUpdate,
-  azureLogs, azureGrantAdmin, azureContext,
+  azureLogs, azureRestart, azureGrantAdmin, azureContext,
   azureList, azureApply,
   azureKnock, azureKnockClose, azureKnockDisable, azureKnockVerify, azureKnockFix,
 } from "./azure-ops.js";

package/src/plugins/bundled/fops-plugin-azure/lib/commands/test-cmds.js

@@ -56,6 +56,39 @@ export function registerTestCommands(azure) {
       });
       let { bearerToken, qaUser, qaPass, useTokenMode } = auth;
 
+      // Fetch CF Access service token (needed to bypass Cloudflare Access)
+      // Priority: local .env file → process.env → remote VM .env
+      let cfAccessClientId = "";
+      let cfAccessClientSecret = "";
+      const localEnvPath = path.join(root, ".env");
+      try {
+        const localEnv = await fsp.readFile(localEnvPath, "utf8");
+        for (const line of localEnv.split("\n")) {
+          const m = line.match(/^CF_ACCESS_CLIENT_(ID|SECRET)=(.+)$/);
+          if (m?.[1] === "ID") cfAccessClientId = m[2].trim().replace(/^["']|["']$/g, "");
+          if (m?.[1] === "SECRET") cfAccessClientSecret = m[2].trim().replace(/^["']|["']$/g, "");
+        }
+      } catch { /* no local .env */ }
+      if (!cfAccessClientId) {
+        cfAccessClientId = process.env.CF_ACCESS_CLIENT_ID || "";
+        cfAccessClientSecret = process.env.CF_ACCESS_CLIENT_SECRET || "";
+      }
+      if (!cfAccessClientId && ip) {
+        try {
+          const sshUser = state?.adminUser || "azureuser";
+          const { stdout: cfOut } = await sshCmd(execa, ip, sshUser,
+            "grep -E '^CF_ACCESS_CLIENT_(ID|SECRET)=' /opt/foundation-compose/.env",
+            10_000,
+          );
+          for (const line of (cfOut || "").split("\n")) {
+            const m = line.match(/^CF_ACCESS_CLIENT_(ID|SECRET)=(.+)$/);
+            if (m?.[1] === "ID") cfAccessClientId = m[2].trim();
+            if (m?.[1] === "SECRET") cfAccessClientSecret = m[2].trim();
+          }
+          if (cfAccessClientId) console.log(chalk.green("  ✓ Got CF Access service token from VM"));
+        } catch { /* optional — tests still run without it */ }
+      }
+
       if (!bearerToken && !qaUser) {
         console.error(chalk.red("\n  No credentials found (local or remote)."));
         console.error(chalk.dim("  Set BEARER_TOKEN or QA_USERNAME/QA_PASSWORD, or ensure the VM has Auth0 configured in .env\n"));
@@ -94,6 +127,10 @@ export function registerTestCommands(azure) {
         envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
         envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
       }
+      if (cfAccessClientId) {
+        envContent = setVar(envContent, "CF_ACCESS_CLIENT_ID", cfAccessClientId);
+        envContent = setVar(envContent, "CF_ACCESS_CLIENT_SECRET", cfAccessClientSecret);
+      }
 
       await fsp.writeFile(envPath, envContent);
       console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
@@ -155,6 +192,10 @@ export function registerTestCommands(azure) {
         testEnv.BEARER_TOKEN = bearerToken;
         testEnv.TOKEN_AUTH0 = bearerToken;
       }
+      if (cfAccessClientId) {
+        testEnv.CF_ACCESS_CLIENT_ID = cfAccessClientId;
+        testEnv.CF_ACCESS_CLIENT_SECRET = cfAccessClientSecret;
+      }
 
       const startMs = Date.now();
       const proc = execa(
@@ -245,6 +286,15 @@ export function registerTestCommands(azure) {
       await resultsCompare({ target, last: parseInt(opts.last) });
     });
 
+  test
+    .command("rm <target>")
+    .description("Remove all stored test results for a VM (local state + blob storage)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (target, opts) => {
+      const { resultsRemove } = await import("../azure-results.js");
+      await resultsRemove(target, { subscription: opts.profile });
+    });
+
   test
     .command("push [target]")
     .description("Push local QA results to blob storage (default: all VMs with results)")

package/src/plugins/bundled/fops-plugin-azure/lib/commands/vm-cmds.js

@@ -347,11 +347,20 @@ export function registerVmCommands(azure, api, registry) {
 
   ssh
     .command("connect [name]", { isDefault: true })
-    .description("Open an interactive SSH session to the VM")
+    .description("Open an interactive SSH session (user@vm or just vm for azureuser)")
     .option("--vm-name <name>", "Target VM (default: active VM)")
+    .option("--user <user>", "SSH user (default: azureuser)")
     .action(async (name, opts) => {
       const { azureSsh } = await import("../azure.js");
-      await azureSsh({ vmName: opts.vmName || name });
+      let vmName = opts.vmName || name;
+      let user = opts.user;
+      // Parse user@vm syntax
+      if (vmName && vmName.includes("@")) {
+        const parts = vmName.split("@");
+        user = parts[0];
+        vmName = parts[1];
+      }
+      await azureSsh({ vmName, user });
     });
 
   const sshAdmin = ssh.command("admin").description("Manage admin SSH keys across all VMs");
@@ -866,6 +875,16 @@ export function registerVmCommands(azure, api, registry) {
       await azureLogs(service, { vmName: opts.vmName || name });
     });
 
+  // ── restart ─────────────────────────────────────────────────────────────────
+  azure
+    .command("restart [name] [service]")
+    .description("Restart Foundation services on the VM (all or specific)")
+    .option("--vm-name <name>", "Target VM (default: active VM)")
+    .action(async (name, service, opts) => {
+      const { azureRestart } = await import("../azure.js");
+      await azureRestart(service, { vmName: opts.vmName || name });
+    });
+
   // ── context ───────────────────────────────────────────────────────────────
   azure
     .command("context [name]")
@@ -920,4 +939,48 @@ export function registerVmCommands(azure, api, registry) {
       const { azureSubscriptions } = await import("../azure.js");
       await azureSubscriptions();
     });
+
+  // ── grafana ───────────────────────────────────────────────────────────────
+  const grafana = azure.command("grafana").description("Manage Grafana datasource federation");
+
+  grafana
+    .command("configure <url> <token>")
+    .description("Set Grafana URL and service account token (stored in ~/.fops.json)")
+    .action(async (url, token) => {
+      const { writeGrafanaConfig, testGrafanaConnection } = await import("../azure-grafana.js");
+      writeGrafanaConfig({ url, token });
+      console.log(chalk.green(`  ✓ Grafana configured: ${url}`));
+      await testGrafanaConnection();
+    });
+
+  grafana
+    .command("tunnel")
+    .description("Open SSH tunnels for Prometheus + Loki on all tracked VMs (blocks until Ctrl+C)")
+    .action(async () => {
+      const { openGrafanaTunnels } = await import("../azure-grafana.js");
+      const { listVms } = await import("../azure-state.js");
+      const { knockForVm } = await import("../azure.js");
+      const { vms } = listVms();
+      await openGrafanaTunnels(vms, { knockForVm });
+    });
+
+  grafana
+    .command("sync")
+    .description("Register localhost datasources in Grafana for all tunnelled VMs")
+    .action(async () => {
+      const { syncGrafanaDatasources } = await import("../azure-grafana.js");
+      const { listVms } = await import("../azure-state.js");
+      const { vms } = listVms();
+      await syncGrafanaDatasources(vms);
+    });
+
+  grafana
+    .command("status")
+    .description("Test connectivity to the configured Grafana instance")
+    .action(async () => {
+      const { testGrafanaConnection, readGrafanaConfig } = await import("../azure-grafana.js");
+      const cfg = readGrafanaConfig();
+      if (cfg?.url) console.log(chalk.dim(`  URL:   ${cfg.url}`));
+      await testGrafanaConnection();
+    });
 }

package/src/plugins/bundled/fops-plugin-github-roles/index.js

@@ -1,4 +1,27 @@
 import chalk from "chalk";
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath, pathToFileURL } from "node:url";
+
+/** Resolve a module inside the azure plugin (works from source tree and ~/.fops/plugins). */
+function resolveAzure(relPath) {
+  const thisDir = path.dirname(fileURLToPath(import.meta.url));
+  // Source tree: ../../fops-plugin-azure/<relPath>
+  const fromSource = path.resolve(thisDir, "..", "fops-plugin-azure", relPath);
+  if (fs.existsSync(fromSource)) return pathToFileURL(fromSource).href;
+  // Installed CLI: find via the fops binary
+  const fopsBin = process.argv[1];
+  if (fopsBin) {
+    try {
+      const cliRoot = path.dirname(fs.realpathSync(fopsBin));
+      const fromCli = path.resolve(cliRoot, "src/plugins/bundled/fops-plugin-azure", relPath);
+      if (fs.existsSync(fromCli)) return pathToFileURL(fromCli).href;
+    } catch {}
+  }
+  // Fallback: ~/.fops/plugins sibling
+  const fromFops = path.resolve(thisDir, "../../fops-plugin-azure", relPath);
+  return pathToFileURL(fromFops).href;
+}
 
 export async function register(api) {
   const config = api.config || {};
@@ -133,6 +156,112 @@ export async function register(api) {
         console.log(chalk.dim("  Customize via config.commandRoles in ~/.fops.json\n"));
       });
 
+    gh
+      .command("ssh-sync <username> [names...]")
+      .description("Sync a GitHub user's SSH keys to Azure VMs")
+      .option("--vm-name <name>", "Target a single VM instead of all")
+      .action(async (username, names, opts) => {
+        const { fetchUserKeys } = await import("./lib/github.js");
+
+        console.log(chalk.dim(`\n  Fetching SSH keys for github.com/${username}…`));
+        let keys;
+        try {
+          keys = await fetchUserKeys(username);
+        } catch (err) {
+          console.log(chalk.yellow(`  ⚠ ${username}: ${err.message} — skipped\n`));
+          return;
+        }
+        if (keys.length === 0) {
+          console.log(chalk.yellow(`  ⚠ ${username}: no SSH keys on GitHub — skipped\n`));
+          return;
+        }
+        console.log(chalk.green(`  ✓ Found ${keys.length} key(s)`));
+
+        // Resolve VMs from the azure plugin
+        const { listVms, requireVmState } = await import(resolveAzure("lib/azure-state.js"));
+        const {
+          lazyExeca, resolvePublicIp, knockForVm, waitForSsh, sshCmd, DEFAULTS,
+        } = await import(resolveAzure("lib/azure-helpers.js"));
+
+        let targetVms;
+        if (opts.vmName) {
+          const vm = requireVmState(opts.vmName);
+          targetVms = { [opts.vmName]: vm };
+        } else if (names.length > 0) {
+          targetVms = {};
+          for (const n of names) targetVms[n] = requireVmState(n);
+        } else {
+          ({ vms: targetVms } = listVms());
+        }
+
+        const vmNames = Object.keys(targetVms);
+        if (vmNames.length === 0) {
+          console.error(chalk.red("\n  ✗ No VMs tracked. Use: fops azure up <name>\n"));
+          process.exit(1);
+        }
+
+        const execa = await lazyExeca();
+        const adminUser = DEFAULTS.adminUser;
+        let success = 0, failed = 0;
+
+        // Sanitize GitHub username → Linux username (lowercase, no leading hyphen)
+        const linuxUser = username.toLowerCase().replace(/[^a-z0-9_-]/g, "").replace(/^-/, "_");
+
+        console.log(chalk.cyan(`\n  Syncing user ${chalk.white(linuxUser)} (${keys.length} key(s)) → ${vmNames.join(", ")}\n`));
+
+        for (const vmName of vmNames) {
+          const vm = targetVms[vmName];
+          let ip = vm.publicIp;
+          if (!ip) {
+            try {
+              ip = await resolvePublicIp(execa, vm.resourceGroup, vmName, null);
+            } catch {}
+          }
+          if (!ip) {
+            console.log(chalk.yellow(`  ⚠ ${vmName}: no IP — skipped`));
+            failed++;
+            continue;
+          }
+
+          try { await knockForVm({ ...vm, vmName }); } catch {}
+          const sshOk = await waitForSsh(execa, ip, adminUser, 15000);
+          if (!sshOk) {
+            console.log(chalk.red(`  ✗ ${vmName}: SSH unreachable — skipped`));
+            failed++;
+            continue;
+          }
+
+          // Create user with sudo, docker group, and SSH dir
+          const keysEscaped = keys.map(k => k.replace(/'/g, "'\\''")).join("\n");
+          const setupCmd = [
+            `sudo id ${linuxUser} &>/dev/null || sudo useradd -m -s /bin/bash ${linuxUser}`,
+            `sudo usermod -aG sudo,docker ${linuxUser} 2>/dev/null || sudo usermod -aG sudo ${linuxUser}`,
+            `sudo mkdir -p /home/${linuxUser}/.ssh`,
+            `echo '${keysEscaped}' | sudo tee /home/${linuxUser}/.ssh/authorized_keys >/dev/null`,
+            `sudo chmod 700 /home/${linuxUser}/.ssh`,
+            `sudo chmod 600 /home/${linuxUser}/.ssh/authorized_keys`,
+            `sudo chown -R ${linuxUser}:${linuxUser} /home/${linuxUser}/.ssh`,
+            `echo '${linuxUser} ALL=(ALL) NOPASSWD:ALL' | sudo tee /etc/sudoers.d/${linuxUser} >/dev/null`,
+          ].join(" && ");
+
+          const { exitCode } = await sshCmd(execa, ip, adminUser, setupCmd, 30000);
+          if (exitCode === 0) {
+            console.log(chalk.green(`  ✓ ${vmName}: user ${linuxUser} created with ${keys.length} key(s)`));
+            success++;
+          } else {
+            console.log(chalk.red(`  ✗ ${vmName}: failed (exit ${exitCode})`));
+            failed++;
+          }
+        }
+
+        console.log("");
+        if (failed === 0) {
+          console.log(chalk.green(`  ✓ User ${linuxUser} synced to all ${success} VM(s)\n`));
+        } else {
+          console.log(chalk.yellow(`  Done: ${success} succeeded, ${failed} failed\n`));
+        }
+      });
+
     gh
       .command("logout")
       .description("Clear stored GitHub token and cached role")

package/src/plugins/bundled/fops-plugin-github-roles/lib/github.js

@@ -127,6 +127,21 @@ export async function isOrgOwner(token, org, username) {
   return data.role === "admin";
 }
 
+/**
+ * Fetch a GitHub user's public SSH keys.
+ * Uses the unauthenticated https://github.com/<user>.keys endpoint.
+ * @param {string} username
+ * @returns {Promise<string[]>} - public key lines
+ */
+export async function fetchUserKeys(username) {
+  const res = await fetch(`https://github.com/${encodeURIComponent(username)}.keys`, {
+    signal: AbortSignal.timeout(10_000),
+  });
+  if (!res.ok) throw new Error(`Failed to fetch keys for ${username}: HTTP ${res.status}`);
+  const text = await res.text();
+  return text.trim().split("\n").filter(Boolean);
+}
+
 /**
  * Get the teams a user belongs to within an org.
  * Uses the "list teams for authenticated user" endpoint filtered by org.