npm - @meshxdata/fops - Versions diffs - 0.1.49 → 0.1.50 - Mend

@meshxdata/fops 0.1.49 → 0.1.50

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js CHANGED Viewed

@@ -17,6 +17,25 @@ import {
   setVmKnockTag,
 } from "./azure-helpers.js";
+// Re-export config functions from dedicated module
+export {
+  azureConfig,
+  azureConfigVersions,
+  azureDeployVersion,
+  FOUNDATION_COMPONENTS,
+  parseComponentVersions,
+  applyVersionChanges,
+} from "./azure-ops-config.js";
+// Re-export SSH/remote functions from dedicated module
+export {
+  azureSsh,
+  azurePortForward,
+  azureSshAdminAdd,
+  azureAgent,
+  azureOpenAiDebugVm,
+} from "./azure-ops-ssh.js";
 // ── status ──────────────────────────────────────────────────────────────────
 export async function azureStatus(opts = {}) {
@@ -405,416 +424,6 @@ export async function azureVmCheck(opts = {}) {
   if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
 }
-// ── ssh ─────────────────────────────────────────────────────────────────────
-export async function azureSsh(opts = {}) {
-  const { knockForVm, ensureKnockSequence } = await import("./azure-helpers.js");
-  // Sync IP + knock sequence from Azure before using them
-  const freshState = await ensureKnockSequence(requireVmState(opts.vmName));
-  const ip = freshState?.publicIp;
-  if (!ip) { console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n")); process.exit(1); }
-  const sshUser = opts.user || DEFAULTS.adminUser;
-  await knockForVm(freshState);
-  const { execa } = await import("execa");
-  const result = await execa("ssh", [
-    "-o", "StrictHostKeyChecking=no",
-    "-o", "UserKnownHostsFile=/dev/null",
-    "-o", "ConnectTimeout=15",
-    `${sshUser}@${ip}`,
-  ], { stdio: "inherit", reject: false });
-  if (result.exitCode !== 0 && result.exitCode !== null) {
-    console.error(chalk.red(`\n  SSH failed (exit ${result.exitCode}). If port-knock is enabled, try: fops azure knock open ${freshState?.vmName}\n`));
-    process.exit(1);
-  }
-}
-// ── port forward ─────────────────────────────────────────────────────────────
-export async function azurePortForward(opts = {}) {
-  const { remotePort, localPort } = opts;
-  const state = requireVmState(opts.vmName);
-  const ip = state.publicIp;
-  if (!ip) { console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n")); process.exit(1); }
-  await knockForVm(state);
-  const lp = localPort || remotePort;
-  console.log(chalk.cyan(`\n  Forwarding localhost:${lp} → ${ip}:${remotePort}`));
-  console.log(DIM("  Press Ctrl+C to stop\n"));
-  const { execa } = await import("execa");
-  await execa("ssh", [
-    ...MUX_OPTS(ip, DEFAULTS.adminUser),
-    "-N",
-    "-L", `${lp}:localhost:${remotePort}`,
-    `${DEFAULTS.adminUser}@${ip}`,
-  ], { stdio: "inherit", reject: false });
-}
-// ── ssh admin ────────────────────────────────────────────────────────────────
-export async function azureSshAdminAdd(opts = {}) {
-  const { pubKey } = opts;
-  if (!pubKey?.trim()) {
-    console.error(chalk.red("\n  ✗ No public key provided\n"));
-    process.exit(1);
-  }
-  const { vms } = listVms();
-  const vmNames = Object.keys(vms);
-  if (vmNames.length === 0) {
-    console.error(chalk.red("\n  ✗ No VMs tracked. Use: fops azure up <name>\n"));
-    process.exit(1);
-  }
-  const execa = await lazyExeca();
-  const adminUser = DEFAULTS.adminUser;
-  const keyLine = pubKey.trim();
-  banner("Adding SSH key to all VMs");
-  console.log(DIM(`  Key: ${keyLine.slice(0, 60)}...`));
-  console.log(DIM(`  VMs: ${vmNames.join(", ")}\n`));
-  let success = 0, failed = 0;
-  for (const vmName of vmNames) {
-    const vm = vms[vmName];
-    const ip = vm.publicIp;
-    if (!ip) {
-      console.log(WARN(`  ⚠ ${vmName}: no IP (VM stopped?) — skipped`));
-      failed++;
-      continue;
-    }
-    await knockForVm(vm);
-    const sshOk = await waitForSsh(execa, ip, adminUser, 15000);
-    if (!sshOk) {
-      console.log(ERR(`  ✗ ${vmName}: SSH unreachable — skipped`));
-      failed++;
-      continue;
-    }
-    const addKeyCmd = `grep -qxF '${keyLine}' ~/.ssh/authorized_keys 2>/dev/null || echo '${keyLine}' >> ~/.ssh/authorized_keys`;
-    const { exitCode } = await sshCmd(execa, ip, adminUser, addKeyCmd, 30000);
-    if (exitCode === 0) {
-      console.log(OK(`  ✓ ${vmName}: key added`));
-      success++;
-    } else {
-      console.log(ERR(`  ✗ ${vmName}: failed to add key`));
-      failed++;
-    }
-  }
-  console.log("");
-  if (failed === 0) {
-    console.log(OK(`  ✓ SSH key added to all ${success} VM(s)\n`));
-  } else {
-    console.log(WARN(`  Done: ${success} succeeded, ${failed} failed\n`));
-  }
-}
-// ── agent (remote TUI via SSH) ───────────────────────────────────────────────
-/** Shell-escape a value for single-quoted export (e.g. foo -> 'foo', a'b -> 'a'\''b'). */
-function shellExportValue(v) {
-  if (v == null || v === "") return "''";
-  const s = String(v);
-  return "'" + s.replace(/'/g, "'\\''") + "'";
-}
-/**
- * Resolve Foundation project root for reading .env. Uses findProjectRoot() first, then
- * readState().projectRoot so that keys always come from project .env even when cwd is not the repo.
- * When we find root via cwd/FOUNDATION_ROOT, we persist it to state so running from ~ later still works.
- */
-async function resolveProjectRootForEnv() {
-  const { findProjectRoot } = await import("./azure-openai.js");
-  let root = findProjectRoot();
-  if (root) {
-    root = path.resolve(root);
-    try {
-      const state = readState();
-      const existing = state?.projectRoot?.trim();
-      if (existing !== root) saveState({ ...state, projectRoot: root });
-    } catch {}
-    return root;
-  }
-  try {
-    const state = readState();
-    const candidate = state?.projectRoot?.trim();
-    if (candidate && fs.existsSync(candidate)) {
-      const compose = path.join(candidate, "docker-compose.yaml");
-      const composeAlt = path.join(candidate, "docker-compose.yml");
-      if (fs.existsSync(compose) || fs.existsSync(composeAlt)) return path.resolve(candidate);
-    }
-  } catch {}
-  return null;
-}
-/**
- * Build Azure OpenAI env vars from local project .env for the remote session.
- * Returns { exportPrefix, inlineEnv, envFileLines } where:
- * - exportPrefix: "export VAR='val' ... ; " (for sourcing before other commands)
- * - inlineEnv: "VAR='val' VAR2='val2' " for inline env (may be truncated by SSH argv limits)
- * - envFileLines: array of "VAR=val" lines for writing to a file on the VM and sourcing (most reliable).
- */
-async function buildAzureOpenAIEnvForRemote() {
-  const { readAzureOpenAIConfigFromEnv } = await import("./azure-openai.js");
-  const root = await resolveProjectRootForEnv();
-  if (!root) return { exportPrefix: "", inlineEnv: "", envFileLines: [] };
-  const envPath = path.join(root, ".env");
-  const cfg = readAzureOpenAIConfigFromEnv(envPath);
-  if (!cfg.endpoint || !cfg.key) return { exportPrefix: "", inlineEnv: "", envFileLines: [] };
-  const deployment = cfg.deployment || "gpt-4o";
-  const apiVersion = cfg.apiVersion || "2024-12-01-preview";
-  const lines = [
-    `AZURE_OPENAI_ENDPOINT=${cfg.endpoint}`,
-    `AZURE_OPENAI_API_KEY=${cfg.key}`,
-    `MX_OPENAI_API_KEY=${cfg.key}`,
-    `AZURE_OPENAI_DEPLOYMENT=${deployment}`,
-    `AZURE_OPENAI_API_VERSION=${apiVersion}`,
-  ];
-  if (cfg.fastDeployment) lines.push(`AZURE_OPENAI_FAST_DEPLOYMENT=${cfg.fastDeployment}`);
-  const parts = lines.map((l) => {
-    const eq = l.indexOf("=");
-    const k = l.slice(0, eq);
-    const v = l.slice(eq + 1);
-    return `${k}=${shellExportValue(v)}`;
-  });
-  const assign = parts.join(" ");
-  return {
-    exportPrefix: "export " + assign + "; ",
-    inlineEnv: assign + " ",
-    envFileLines: lines,
-  };
-}
-/** @deprecated Use buildAzureOpenAIEnvForRemote(). */
-async function buildAzureOpenAIExportPrefix() {
-  const { exportPrefix } = await buildAzureOpenAIEnvForRemote();
-  return exportPrefix;
-}
-/**
- * Sync Azure OpenAI config from the local project .env to the VM's /opt/foundation-compose/.env
- * when they differ. Source of truth is the project .env; we only push if the VM's Azure OpenAI
- * vars don't match local .env. No-op if no project root, endpoint/key missing in .env, or VM
- * already matches.
- */
-async function syncOpenAIKeysToVm(execa, ip, adminUser, state) {
-  const {
-    readAzureOpenAIConfigFromEnv,
-    parseAzureOpenAIConfigFromContent,
-    azureOpenAIConfigEqual,
-  } = await import("./azure-openai.js");
-  const root = await resolveProjectRootForEnv();
-  if (!root) return;
-  const envPath = path.join(root, ".env");
-  const fromFile = readAzureOpenAIConfigFromEnv(envPath);
-  const endpoint = fromFile.endpoint;
-  const key = fromFile.key;
-  if (!endpoint || !key) return;
-  const deployment = fromFile.deployment || "gpt-4o";
-  const apiVersion = fromFile.apiVersion || "2024-12-01-preview";
-  const fastDeployment = fromFile.fastDeployment || "";
-  try {
-    const { stdout: remoteEnv } = await sshCmd(execa, ip, adminUser, "cat /opt/foundation-compose/.env 2>/dev/null || true", 10000);
-    const onVm = parseAzureOpenAIConfigFromContent(remoteEnv || "");
-    if (azureOpenAIConfigEqual(fromFile, onVm)) return;
-  } catch {
-    // If we can't read VM .env, sync anyway so VM gets local config
-  }
-  console.log(chalk.dim("  VM .env differs from local project .env; syncing Azure OpenAI config…"));
-  const tmpFile = path.join(os.tmpdir(), `fops-openai-env-${Date.now()}`);
-  const lines = [
-    `AZURE_OPENAI_ENDPOINT=${endpoint}`,
-    `AZURE_OPENAI_API_KEY=${key}`,
-    `MX_OPENAI_API_KEY=${key}`,
-    `AZURE_OPENAI_DEPLOYMENT=${deployment}`,
-    `AZURE_OPENAI_API_VERSION=${apiVersion}`,
-  ];
-  if (fastDeployment) lines.push(`AZURE_OPENAI_FAST_DEPLOYMENT=${fastDeployment}`);
-  fs.writeFileSync(tmpFile, lines.join("\n") + "\n", "utf8");
-  const remotePath = "/tmp/fops-openai-env-update";
-  try {
-    const { exitCode: scpCode } = await execa("scp", [
-      ...MUX_OPTS(ip, adminUser),
-      tmpFile,
-      `${adminUser}@${ip}:${remotePath}`,
-    ], { timeout: 15000, reject: false });
-    if (scpCode !== 0) {
-      console.log(chalk.yellow("  ⚠ SCP failed — could not upload env to VM"));
-      return;
-    }
-    // Loop body must use semicolons so "do" is not followed by "&&" (invalid on remote bash)
-    const mergeScript = [
-      "cd /opt/foundation-compose",
-      "touch .env",
-      "while IFS= read -r line; do [[ -z \"$line\" || \"$line\" =~ ^# ]] && continue; key=\"${line%%=*}\"; key=\"${key%% *}\"; [[ -z \"$key\" ]] && continue; (grep -v \"^$key=\" .env 2>/dev/null || true) > .env.tmp; echo \"$line\" >> .env.tmp; mv .env.tmp .env; done < " + remotePath,
-      "rm -f " + remotePath,
-    ].join(" && ");
-    const { exitCode: mergeCode } = await sshCmd(execa, ip, adminUser, mergeScript, 15000);
-    if (mergeCode === 0) {
-      console.log(chalk.dim("  ✓ Azure OpenAI keys synced to VM .env"));
-    } else {
-      console.log(chalk.yellow("  ⚠ Merge script failed on VM (exit " + mergeCode + ") — .env may not be updated"));
-    }
-  } finally {
-    try { fs.unlinkSync(tmpFile); } catch {}
-  }
-}
-export async function azureAgent(opts = {}) {
-  const execa = await lazyExeca();
-  const state = requireVmState(opts.vmName);
-  const ip = state.publicIp;
-  const adminUser = DEFAULTS.adminUser;
-  if (!ip) { console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n")); process.exit(1); }
-  await knockForVm(state);
-  // Whitelist VM's public IP on Azure OpenAI (if resource has firewall) so agent on VM can call the API
-  await ensureOpenAiNetworkAccess(execa, ip, opts.profile);
-  await syncOpenAIKeysToVm(execa, ip, adminUser, state);
-  const webPort = 3099;
-  const agentName = opts.agent || "foundation";
-  const vmName = state.vmName;
-  console.log(chalk.dim(`  VM: ${vmName} (${ip}) — agent: ${agentName}\n`));
-  // Sync local project root .env Azure OpenAI into the remote session (inline VAR=val before fops agent so the process gets them)
-  const { exportPrefix, inlineEnv } = await buildAzureOpenAIEnvForRemote();
-  if (!inlineEnv) {
-    const root = await resolveProjectRootForEnv();
-    const envPath = root ? path.join(root, ".env") : null;
-    console.log(chalk.yellow("  ⚠ Azure OpenAI keys are read from the project .env; none found."));
-    console.log(chalk.dim("     Agent on VM will show \"Connection error\" or \"No API key found\" unless keys are present."));
-    if (envPath) {
-      console.log(chalk.dim(`     Add AZURE_OPENAI_ENDPOINT and AZURE_OPENAI_API_KEY to ${envPath} then run this again.`));
-    } else {
-      console.log(chalk.dim(`     Project root not found (cwd: ${process.cwd()}). Set FOUNDATION_ROOT or projectRoot in ~/.fops.json to your foundation-compose directory, or run this from that directory. Then add AZURE_OPENAI_ENDPOINT and AZURE_OPENAI_API_KEY to that project's .env.`));
-    }
-    console.log(chalk.dim(""));
-  }
-  const envPrefix = "set -a && . /opt/foundation-compose/.env 2>/dev/null; set +a && cd /opt/foundation-compose && ";
-  const remotePrefix = exportPrefix + envPrefix;
-  const agentEnv = inlineEnv; // inline VAR=val before "fops agent" so the process inherits them (reliable with ssh sh -c)
-  const args = [
-    "-t",
-    "-L", `${webPort}:localhost:${webPort}`,
-    "-o", "StrictHostKeyChecking=no",
-    "-o", "ExitOnForwardFailure=no",
-    `${DEFAULTS.adminUser}@${ip}`,
-    remotePrefix + agentEnv + `fops agent ${agentName}`.trim(),
-  ];
-  if (opts.message) {
-    args.pop();
-    args.push(remotePrefix + agentEnv + `fops agent ${agentName} -m ${JSON.stringify(opts.message)}`.trim());
-  }
-  if (opts.classic) {
-    args[args.length - 1] += " --classic";
-  }
-  if (opts.model) {
-    args[args.length - 1] += ` --model ${opts.model}`;
-  }
-  console.log(chalk.cyan(`  Agent web UI: http://localhost:${webPort}`));
-  console.log(chalk.dim("  Wait for the TUI to appear on the VM before opening the URL (avoids \"channel 3: open failed: Connection refused\")."));
-  console.log(chalk.dim("  If the agent shows a connection error to Azure OpenAI, run: fops azure openai debug-vm " + (vmName && vmName !== "alessio" ? vmName : "") + "\n"));
-  const result = await execa("ssh", args, { stdio: "inherit", reject: false });
-  if (result?.exitCode !== 0 && result?.exitCode != null) {
-    console.log(chalk.yellow("\n  SSH exited with code " + result.exitCode + ". For Azure OpenAI connection errors run: fops azure openai debug-vm" + (vmName && vmName !== "alessio" ? " " + vmName : "") + "\n"));
-  }
-}
-/**
- * Run a single agent request on the VM with DEBUG=1 and stream back stdout+stderr
- * so we can see the real connection error (e.g. cause.message, cause.code).
- */
-export async function azureOpenAiDebugVm(opts = {}) {
-  const execa = await lazyExeca();
-  const state = requireVmState(opts.vmName);
-  const ip = state.publicIp;
-  const adminUser = DEFAULTS.adminUser;
-  const remoteEnvPath = "/tmp/fops-azure-env." + process.pid;
-  if (!ip) {
-    console.error(chalk.red("\n  No IP address. Is the VM running? Try: fops azure start\n"));
-    process.exit(1);
-  }
-  await knockForVm(state);
-  await ensureOpenAiNetworkAccess(execa, ip, opts.profile);
-  await syncOpenAIKeysToVm(execa, ip, adminUser, state);
-  const agentName = opts.agent || "foundation";
-  const root = await resolveProjectRootForEnv();
-  const envPath = root ? path.join(root, ".env") : null;
-  const { envFileLines } = await buildAzureOpenAIEnvForRemote();
-  if (envFileLines.length) {
-    console.log(chalk.dim("  Pushing Azure OpenAI vars to VM .env, then running agent (sourcing .env so process gets keys)."));
-    const tmpFile = path.join(os.tmpdir(), `fops-azure-env-${process.pid}`);
-    fs.writeFileSync(tmpFile, envFileLines.join("\n") + "\n", "utf8");
-    try {
-      const { exitCode: scpCode } = await execa("scp", [
-        ...MUX_OPTS(ip, adminUser),
-        tmpFile,
-        `${adminUser}@${ip}:${remoteEnvPath}`,
-      ], { timeout: 15000, reject: false });
-      if (scpCode === 0) {
-        const mergeScript = [
-          "cd /opt/foundation-compose",
-          "touch .env",
-          "while IFS= read -r line; do [[ -z \"$line\" || \"$line\" =~ ^# ]] && continue; key=\"${line%%=*}\"; key=\"${key%% *}\"; [[ -z \"$key\" ]] && continue; (grep -v \"^$key=\" .env 2>/dev/null || true) > .env.tmp; echo \"$line\" >> .env.tmp; mv .env.tmp .env; done < " + remoteEnvPath,
-          "rm -f " + remoteEnvPath,
-        ].join(" && ");
-        const { exitCode: mergeCode } = await sshCmd(execa, ip, adminUser, mergeScript, 15000);
-        if (mergeCode === 0) {
-          const { stdout: check } = await sshCmd(execa, ip, adminUser, "grep -E '^AZURE_OPENAI_ENDPOINT=|^AZURE_OPENAI_API_KEY=' /opt/foundation-compose/.env 2>/dev/null | sed 's/=.*/=***/' || true", 5000);
-          if (check?.trim()) console.log(chalk.dim("  VM .env: " + check.trim().replace(/\n/g, " ")));
-        }
-      }
-    } finally {
-      try { fs.unlinkSync(tmpFile); } catch {}
-    }
-  } else {
-    console.log(chalk.yellow("  ⚠ Not injecting Azure OpenAI — remote session will have no keys from project .env."));
-    if (envPath) {
-      const { readAzureOpenAIConfigFromEnv } = await import("./azure-openai.js");
-      const cfg = fs.existsSync(envPath) ? readAzureOpenAIConfigFromEnv(envPath) : { endpoint: "", key: "" };
-      const missing = [];
-      if (!cfg.endpoint?.trim()) missing.push("AZURE_OPENAI_ENDPOINT");
-      if (!cfg.key?.trim()) missing.push("AZURE_OPENAI_API_KEY or MX_OPENAI_API_KEY");
-      if (missing.length) {
-        console.log(chalk.dim(`     Tried ${envPath} — missing: ${missing.join(", ")}.`));
-      } else {
-        console.log(chalk.dim(`     Project root not found. Tried cwd/FOUNDATION_ROOT/~/.fops.json projectRoot.`));
-      }
-      console.log(chalk.dim(`     Add the missing var(s) to ${envPath}, then run again.\n`));
-    } else {
-      console.log(chalk.dim(`     Project root not found (cwd: ${process.cwd()}). Set FOUNDATION_ROOT or projectRoot in ~/.fops.json, or run from foundation-compose. Then add AZURE_OPENAI_* to that project's .env.\n`));
-    }
-  }
-  // Source VM .env so AZURE_OPENAI_* (and MX_OPENAI_API_KEY) are in the environment, then run fops
-  const cmd =
-    "bash -c 'cd /opt/foundation-compose && set -a && . ./.env 2>/dev/null; set +a; exec env DEBUG=1 fops agent " + agentName + " -m \"hi\" 2>&1'";
-  console.log(chalk.cyan("\n  Running: DEBUG=1 fops agent " + agentName + " -m 'hi' (VM .env sourced so AZURE_OPENAI_* are exported)\n"));
-  const { stdout, stderr, exitCode } = await sshCmd(execa, ip, adminUser, cmd, 60000);
-  const out = [stdout, stderr].filter(Boolean).join("\n");
-  if (out) console.log(out);
-  if (exitCode !== 0) {
-    console.log(chalk.yellow("\n  Exit code: " + exitCode + " — see output above. If 'No API key': ensure VM .env has AZURE_OPENAI_* or run 'fops azure deploy' to update VM fops."));
-  }
-}
 // ── deploy (git pull + restart) ─────────────────────────────────────────────
 export async function azureDeploy(opts = {}) {
@@ -1030,779 +639,43 @@ export async function azureRunUp(opts = {}) {
       console.error(DIM(`  Try manually: fops azure ssh ${state.vmName}, then: sudo npm install -g @meshxdata/fops@latest`));
       process.exit(1);
     }
-    // Ensure symlinks
-    await ssh(
-      'sudo -E rm -f /usr/local/bin/fops /usr/bin/fops 2>/dev/null; MJS="$(npm root -g 2>/dev/null)/@meshxdata/fops/fops.mjs"; [ -f "$MJS" ] || MJS="$(sudo -E npm root -g 2>/dev/null)/@meshxdata/fops/fops.mjs"; [ -f "$MJS" ] && sudo -E ln -sf "$MJS" /usr/local/bin/fops && sudo -E ln -sf /usr/local/bin/fops /usr/bin/fops',
-      15000,
-    );
-    console.log(OK("  ✓ fops updated"));
-    // Pull images
-    const { exitCode: dlCode, stdout: dlOut, stderr: dlErr } = await ssh("cd /opt/foundation-compose && make download 2>&1", 600000);
-    if (dlCode !== 0) {
-      console.error(ERR(`  image pull failed (exit ${dlCode})`));
-      console.error(DIM(`  ${(dlErr || dlOut || "").split("\n").slice(-5).join("\n  ")}`));
-      process.exit(1);
-    }
-    console.log(OK("  ✓ images pulled\n"));
-  }
-  const publicUrl = opts.url || state.publicUrl || `https://${resolveUniqueDomain(state.vmName, "vm")}`;
-  const k3s = opts.k3s ?? false;
-  const traefik = opts.traefik ?? true;
-  const dai = opts.dai ?? false;
-  const upArgs = buildRemoteFopsUpArgs(publicUrl, {
-    k3s,
-    traefik,
-    dai,
-    component: opts.component,
-    branch: opts.branch,
-  });
-  const cmd = `cd /opt/foundation-compose && export PATH=/usr/local/bin:/usr/bin:$PATH && sudo -E ${upArgs}`;
-  banner(`Run fops up on ${state.vmName}${opts.component && opts.branch ? ` (${opts.component} ${opts.branch})` : ""}`);
-  kvLine("IP", DIM(ip));
-  kvLine("URL", LABEL(publicUrl));
-  console.log("");
-  const result = await sshCmd(execa, ip, adminUser, cmd, 600000, { stdio: "inherit" });
-  if (result.exitCode !== 0) process.exit(result.exitCode);
-}
-// ── config (remote feature flags) ────────────────────────────────────────────
-export async function azureConfig(opts = {}) {
-  const execa = await lazyExeca();
-  const state = requireVmState(opts.vmName);
-  const ip = state.publicIp;
-  const adminUser = DEFAULTS.adminUser;
-  if (!ip) { console.error(chalk.red("\n  No IP. Is the VM running? Try: fops azure start\n")); process.exit(1); }
-  await knockForVm(state);
-  const ssh = (cmd) => sshCmd(execa, ip, adminUser, cmd, 30000);
-  hint("Reading feature flags from VM…");
-  const { stdout: composeContent, exitCode } = await ssh("cat /opt/foundation-compose/docker-compose.yaml");
-  if (exitCode !== 0 || !composeContent?.trim()) {
-    console.error(chalk.red("\n  Could not read docker-compose.yaml from VM.\n"));
-    process.exit(1);
-  }
-  const { KNOWN_FLAGS, parseComposeFlagsFromContent, applyComposeFlagChanges } =
-    await import(resolveCliSrc("feature-flags.js"));
-  const composeFlags = parseComposeFlagsFromContent(composeContent);
-  const allFlags = {};
-  for (const [name, info] of Object.entries(composeFlags)) {
-    allFlags[name] = { ...info, inCompose: true };
-  }
-  for (const name of Object.keys(KNOWN_FLAGS)) {
-    if (!allFlags[name]) {
-      allFlags[name] = { value: false, services: new Set(), lines: [], inCompose: false };
-    }
-  }
-  const flagNames = Object.keys(allFlags).sort();
-  console.log(chalk.bold.cyan("\n  Feature Flags") + chalk.dim(` — ${state.vmName} (${ip})\n`));
-  for (const name of flagNames) {
-    const flag = allFlags[name];
-    const label = KNOWN_FLAGS[name] || name;
-    const services = flag.services.size > 0 ? chalk.dim(` (${[...flag.services].join(", ")})`) : "";
-    if (flag.value) {
-      console.log(chalk.green(`  ✓ ${label}`) + services);
-    } else {
-      console.log(chalk.dim(`  · ${label}`) + services);
-    }
-  }
-  console.log("");
-  const { getInquirer } = await import(resolveCliSrc("lazy.js"));
-  const choices = flagNames.map((name) => ({
-    name: KNOWN_FLAGS[name] || name,
-    value: name,
-    checked: allFlags[name].value,
-  }));
-  const { enabled } = await (await getInquirer()).prompt([{
-    type: "checkbox",
-    name: "enabled",
-    message: "Toggle feature flags:",
-    choices,
-  }]);
-  const changes = [];
-  const affectedServices = new Set();
-  for (const name of flagNames) {
-    const flag = allFlags[name];
-    const newValue = enabled.includes(name);
-    if (newValue !== flag.value) {
-      if (flag.inCompose) {
-        for (const line of flag.lines) {
-          changes.push({ lineNum: line.lineNum, newValue: String(newValue) });
-        }
-        for (const svc of flag.services) affectedServices.add(svc);
-      } else if (newValue) {
-        console.log(chalk.yellow(`  ⚠ ${KNOWN_FLAGS[name] || name} not in docker-compose.yaml — add it to service environments to take effect`));
-      }
-    }
-  }
-  if (changes.length === 0) {
-    console.log(chalk.dim("\n  No changes.\n"));
-    if (state.knockSequence?.length) {
-      await closeKnock(ssh, { quiet: true });
-    }
-    return;
-  }
-  const updatedContent = applyComposeFlagChanges(composeContent, changes);
-  hint("Applying changes to VM…");
-  const b64 = Buffer.from(updatedContent).toString("base64");
-  const { exitCode: writeCode } = await sshCmd(execa, ip, adminUser,
-    `echo '${b64}' | base64 -d > /opt/foundation-compose/docker-compose.yaml`,
-    30000,
-  );
-  if (writeCode !== 0) {
-    console.error(chalk.red("\n  Failed to write docker-compose.yaml on VM.\n"));
-    if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-    process.exit(1);
-  }
-  console.log(chalk.green(`\n  ✓ Updated ${changes.length} flag value(s) on VM`));
-  if (affectedServices.size === 0) {
-    if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-    console.log("");
-    return;
-  }
-  const serviceList = [...affectedServices];
-  console.log(chalk.dim(`  Affected: ${serviceList.join(", ")}`));
-  const { restart } = await (await getInquirer()).prompt([{
-    type: "confirm",
-    name: "restart",
-    message: `Restart ${serviceList.length} service(s) on VM?`,
-    default: true,
-  }]);
-  if (restart) {
-    const svcArgs = serviceList.join(" ");
-    console.log(chalk.cyan(`\n  ▶ docker compose up -d --remove-orphans ${svcArgs}\n`));
-    await sshCmd(execa, ip, adminUser,
-      `cd /opt/foundation-compose && docker compose up -d --remove-orphans ${svcArgs}`,
-      120000,
-    );
-    console.log(chalk.green("\n  ✓ Services restarted on VM.\n"));
-  } else {
-    console.log(chalk.dim("\n  Changes saved. Restart manually: fops azure deploy\n"));
-  }
-  if (state.knockSequence?.length) {
-    await closeKnock(ssh, { quiet: true });
-  }
-}
-// ── GHCR: resolve latest tag via gh CLI ──────────────────────────────────────
-const GHCR_ORG = "meshxdata";
-/**
- * Pick a short error-like line from command output (git, etc.) for inclusion in reason.
- */
-function pickErrorLine(output) {
-  const lines = (output || "").trim().split("\n").map((l) => l.trim()).filter(Boolean);
-  if (lines.length === 0) return "";
-  const errorLike = /error|failed|denied|fatal|refused|cannot|unable|invalid|conflict|Permission/i;
-  for (let i = lines.length - 1; i >= 0; i--) {
-    if (errorLike.test(lines[i]) && lines[i].length < 120) return lines[i];
-  }
-  return lines[lines.length - 1].length < 120 ? lines[lines.length - 1] : "";
-}
-/**
- * Pick the most useful line from make download / docker pull output for a failure message.
- * Prefers a line that mentions both an image and an error; then any error line; then last non-noise.
- */
-function pickPullErrorLine(output) {
-  const lines = (output || "").trim().split("\n").map((l) => l.trim()).filter(Boolean);
-  if (lines.length === 0) return "";
-  const errorLike = /error|failed|denied|unauthorized|not found|manifest|invalid|refused|required/i;
-  const imageRef = /ghcr\.io\/[\w.-]+\/[\w.-]+/;
-  const noise = /^(?:[\da-f]{12}\s+)?(?:Download complete|Pull complete|Pulled|Extracting|Waiting)$/i;
-  for (let i = lines.length - 1; i >= 0; i--) {
-    const line = lines[i];
-    if (imageRef.test(line) && errorLike.test(line)) return line;
-  }
-  for (let i = lines.length - 1; i >= 0; i--) {
-    const line = lines[i];
-    if (errorLike.test(line)) return line;
-  }
-  for (let i = lines.length - 1; i >= 0; i--) {
-    if (imageRef.test(lines[i])) return lines[i];
-  }
-  for (let i = lines.length - 1; i >= 0; i--) {
-    if (!noise.test(lines[i])) return lines[i];
-  }
-  return lines[lines.length - 1];
-}
-/**
- * Parse make download / docker output for image:tag that failed (not found).
- * Returns [{ image: "ghcr.io/org/name", tag: "0.3.65" }, ...].
- */
-function parseNotFoundImages(output) {
-  if (!output?.trim()) return [];
-  const seen = new Set();
-  const out = [];
-  // "Image ghcr.io/meshxdata/foundation-backend:0.3.65 failed to resolve reference"
-  // "failed to resolve reference \"...\": ... not found" (image:tag appears before "not found")
-  const re = /(ghcr\.io\/[^/]+\/[^:]+):([^\s"']+).*?(?:failed|not found)/gi;
-  let m;
-  while ((m = re.exec(output)) !== null) {
-    const key = `${m[1]}:${m[2]}`;
-    if (!seen.has(key)) {
-      seen.add(key);
-      out.push({ image: m[1], tag: m[2] });
-    }
-  }
-  return out;
-}
-/**
- * Get latest available tag for a GHCR image via gh api (org packages container versions).
- * Returns tag string or null if not ghcr.io/org/... or gh api fails.
- * Prefers semver-like tag, then "compose", then first tag.
- */
-async function getLatestTagForGhcrImage(execa, imageFull) {
-  const match = imageFull.match(/^ghcr\.io\/([^/]+)\/(.+)$/);
-  if (!match) return null;
-  const [, org, pkg] = match;
-  try {
-    const { stdout, exitCode } = await execa("gh", [
-      "api",
-      `orgs/${org}/packages/container/${pkg}/versions`,
-      "--jq", "if length == 0 then null else (.[0].metadata.container.tags // []) end",
-    ], { timeout: 15000, reject: false });
-    if (exitCode !== 0 || !stdout?.trim() || stdout === "null") return null;
-    let tags = [];
-    try {
-      tags = JSON.parse(stdout);
-    } catch {
-      return null;
-    }
-    if (!Array.isArray(tags) || tags.length === 0) return null;
-    const semver = tags.find(t => /^\d+\.\d+\.\d+(-.+)?$/.test(t));
-    if (semver) return semver;
-    if (tags.includes("compose")) return "compose";
-    if (tags.includes("latest")) return "latest";
-    return tags[0];
-  } catch {
-    return null;
-  }
-}
-// ── config versions (remote component image tags) ────────────────────────────
-const FOUNDATION_COMPONENTS = {
-  backend:   { label: "Backend",        image: "ghcr.io/meshxdata/foundation-backend",        envKey: "BACKEND" },
-  frontend:  { label: "Frontend",       image: "ghcr.io/meshxdata/foundation-frontend",       envKey: "FRONTEND" },
-  processor: { label: "Processor",      image: "ghcr.io/meshxdata/foundation-processor",      envKey: "PROCESSOR" },
-  watcher:   { label: "Watcher",        image: "ghcr.io/meshxdata/foundation-watcher",       envKey: "WATCHER" },
-  scheduler: { label: "Scheduler",      image: "ghcr.io/meshxdata/foundation-scheduler",      envKey: "SCHEDULER" },
-  storage:   { label: "Storage",        image: "ghcr.io/meshxdata/foundation-storage-engine",  envKey: "STORAGE" },
-  hive:      { label: "Hive Metastore", image: "ghcr.io/meshxdata/foundation-hive-metastore", envKey: "HIVE" },
-  data:      { label: "Data",           image: "ghcr.io/meshxdata/foundation-data",           envKey: "DATA" },
-  dataBase:  { label: "Data Base",      image: "ghcr.io/meshxdata/foundation-data-base",      envKey: "DATA_BASE" },
-};
-function trimEnvValue(val) {
-  if (val == null) return null;
-  return val.trim().replace(/\s*#.*$/, "").trim().replace(/^["']|["']$/g, "") || null;
-}
-function parseImageTagFromEnv(envContent) {
-  if (!envContent?.trim()) return null;
-  const line = envContent.match(/^\s*IMAGE_TAG\s*=\s*(.+)/m)?.[1];
-  if (line == null) return null;
-  return trimEnvValue(line);
-}
-function parsePerComponentTagsFromEnv(envContent) {
-  const out = {};
-  if (!envContent?.trim()) return out;
-  for (const key of Object.keys(FOUNDATION_COMPONENTS)) {
-    const envKey = FOUNDATION_COMPONENTS[key].envKey;
-    const varName = `IMAGE_TAG_${envKey}`;
-    const re = new RegExp(`^\\s*${varName}\\s*=[ \\t]*([^\\n\\r]*)`, "m");
-    const m = envContent.match(re);
-    if (m) {
-      const v = trimEnvValue(m[1]);
-      if (v) out[varName] = v;
-    }
-  }
-  return out;
-}
-function parseComponentVersions(composeContent, envContent) {
-  const envTag = parseImageTagFromEnv(envContent);
-  const perComponent = parsePerComponentTagsFromEnv(envContent);
-  const versions = {};
-  for (const [key, comp] of Object.entries(FOUNDATION_COMPONENTS)) {
-    const escapedImage = comp.image.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const re = new RegExp(`image:\\s*${escapedImage}:\\s*(.+)`, "m");
-    const m = composeContent.match(re);
-    if (m) {
-      const rawTag = m[1].trim();
-      const isEnvRef = rawTag.includes("${IMAGE_TAG");
-      const componentVar = `IMAGE_TAG_${comp.envKey}`;
-      const effectiveTag = isEnvRef
-        ? (perComponent[componentVar] ?? envTag ?? "compose")
-        : rawTag;
-      versions[key] = { ...comp, rawTag, effectiveTag, isEnvRef };
-    }
-  }
-  return { versions, globalTag: envTag || null };
-}
-function applyVersionChanges(composeContent, changes) {
-  let result = composeContent;
-  for (const { image, oldPattern, newTag } of changes) {
-    const escapedImage = image.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const escapedOld = oldPattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-    const re = new RegExp(`(image:\\s*${escapedImage}:)\\s*${escapedOld}`, "g");
-    result = result.replace(re, `$1${newTag}`);
-  }
-  return result;
-}
-export async function azureConfigVersions(opts = {}) {
-  const execa = await lazyExeca();
-  const state = requireVmState(opts.vmName);
-  const ip = state.publicIp;
-  const adminUser = DEFAULTS.adminUser;
-  if (!ip) { console.error(chalk.red("\n  No IP. Is the VM running? Try: fops azure start\n")); process.exit(1); }
-  await knockForVm(state);
-  const ssh = (cmd) => sshCmd(execa, ip, adminUser, cmd, 30000);
-  hint("Reading component versions from VM…");
-  const { stdout: composeContent, exitCode } = await ssh("cat /opt/foundation-compose/docker-compose.yaml");
-  if (exitCode !== 0 || !composeContent?.trim()) {
-    console.error(chalk.red("\n  Could not read docker-compose.yaml from VM.\n"));
-    process.exit(1);
-  }
-  const { stdout: envContent } = await ssh("cat /opt/foundation-compose/.env 2>/dev/null || echo ''");
-  const { versions, globalTag } = parseComponentVersions(composeContent, envContent);
-  const n = nameArg(state.vmName);
-  console.log(chalk.bold.cyan("\n  Component Versions") + chalk.dim(` — ${state.vmName} (${ip})\n`));
-  if (globalTag) {
-    console.log(chalk.dim(`  IMAGE_TAG=${globalTag}  (from .env)\n`));
-  }
-  const maxLabel = Math.max(...Object.values(versions).map(v => v.label.length));
-  for (const [key, v] of Object.entries(versions)) {
-    const tagDisplay = v.isEnvRef
-      ? `${chalk.white(v.effectiveTag)}  ${chalk.dim("(via IMAGE_TAG)")}`
-      : `${chalk.white(v.effectiveTag)}  ${chalk.yellow("(hardcoded in compose)")}`;
-    console.log(`  ${chalk.cyan(v.label.padEnd(maxLabel + 2))} ${tagDisplay}`);
-  }
-  console.log("");
-  const { getInquirer } = await import(resolveCliSrc("lazy.js"));
-  const inquirer = await getInquirer();
-  // Ask: set all at once, or pick individual components
-  const { mode } = await inquirer.prompt([{
-    type: "list",
-    name: "mode",
-    message: "How do you want to set versions?",
-    choices: [
-      { name: "Set all components to one tag (IMAGE_TAG)", value: "global" },
-      { name: "Set individual component tags", value: "individual" },
-      { name: "Cancel", value: "cancel" },
-    ],
-  }]);
-  if (mode === "cancel") {
-    console.log(chalk.dim("\n  Cancelled.\n"));
-    if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-    return;
-  }
-  const envPerComponent = {};
-  const composeChanges = [];
-  let envChanges = null;
-  const affectedComponents = [];
-  if (mode === "global") {
-    const { tag } = await inquirer.prompt([{
-      type: "input",
-      name: "tag",
-      message: "Tag for all components:",
-      default: globalTag || "compose",
-    }]);
-    const trimmed = tag.trim();
-    if (!trimmed) {
-      console.log(chalk.dim("\n  No tag entered.\n"));
-      if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-      return;
-    }
-    envChanges = trimmed;
-    for (const [key, v] of Object.entries(versions)) {
-      if (v.effectiveTag !== trimmed) affectedComponents.push(key);
-    }
-  } else {
-    // Individual mode — pick components; write IMAGE_TAG_* to .env only (no compose edit)
-    const componentKeys = Object.keys(versions);
-    const selected = [];
-    while (true) {
-      const remaining = componentKeys.filter(k => !selected.includes(k));
-      const choices = [
-        ...remaining.map(key => ({
-          name: `${versions[key].label}  (${versions[key].effectiveTag})`,
-          value: key,
-        })),
-        { name: chalk.dim(selected.length ? "── Done" : "── Cancel"), value: "_done" },
-      ];
-      const { pick } = await inquirer.prompt([{
-        type: "list",
-        name: "pick",
-        message: selected.length
-          ? `Selected: ${selected.map(k => versions[k].label).join(", ")}. Add more?`
-          : "Pick a component:",
-        choices,
-      }]);
-      if (pick === "_done") break;
-      const v = versions[pick];
-      const { tag } = await inquirer.prompt([{
-        type: "input",
-        name: "tag",
-        message: `Tag for ${v.label}:`,
-        default: v.effectiveTag,
-      }]);
-      const trimmed = tag.trim();
-      if (!trimmed || trimmed === v.effectiveTag) continue;
-      selected.push(pick);
-      envPerComponent[`IMAGE_TAG_${v.envKey}`] = trimmed;
-      affectedComponents.push(pick);
-      if (remaining.length <= 1) break;
-    }
-    if (!selected.length) {
-      console.log(chalk.dim("\n  No components selected.\n"));
-      if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-      return;
-    }
-  }
-  if (Object.keys(envPerComponent).length === 0 && composeChanges.length === 0 && !envChanges) {
-    console.log(chalk.dim("\n  No changes.\n"));
-    if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-    return;
-  }
-  let envAfterGlobal = envContent || "";
-  // Apply IMAGE_TAG to .env (global mode)
-  if (envChanges) {
-    hint(`Setting IMAGE_TAG=${envChanges} in .env…`);
-    if (/^\s*IMAGE_TAG\s*=/m.test(envAfterGlobal)) {
-      envAfterGlobal = envAfterGlobal.replace(/^\s*IMAGE_TAG\s*=.*/m, `IMAGE_TAG=${envChanges}`);
-    } else {
-      envAfterGlobal = envAfterGlobal.trimEnd() + (envAfterGlobal.trim() ? "\n" : "") + `IMAGE_TAG=${envChanges}\n`;
-    }
-    const envB64 = Buffer.from(envAfterGlobal).toString("base64");
-    const { exitCode: envWriteCode } = await sshCmd(execa, ip, adminUser,
-      `echo '${envB64}' | base64 -d > /opt/foundation-compose/.env`,
-      30000,
-    );
-    if (envWriteCode !== 0) {
-      console.error(chalk.red("\n  Failed to write .env on VM.\n"));
-      if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-      process.exit(1);
-    }
-    console.log(chalk.green(`  ✓ IMAGE_TAG=${envChanges}`));
-  }
-  // Apply per-component tags to .env only (no compose edit)
-  if (Object.keys(envPerComponent).length > 0) {
-    hint("Setting per-component tags in .env…");
-    let currentEnv = envAfterGlobal;
-    for (const [varName, tag] of Object.entries(envPerComponent)) {
-      const re = new RegExp(`^\\s*${varName}\\s*=.*`, "m");
-      if (re.test(currentEnv)) {
-        currentEnv = currentEnv.replace(re, `${varName}=${tag}`);
-      } else {
-        currentEnv = currentEnv.trimEnd() + (currentEnv.trim() ? "\n" : "") + `${varName}=${tag}\n`;
-      }
-      const comp = Object.values(FOUNDATION_COMPONENTS).find(c => `IMAGE_TAG_${c.envKey}` === varName);
-      console.log(chalk.green(`  ✓ ${comp?.label || varName}: ${tag}`));
-    }
-    const envB64 = Buffer.from(currentEnv).toString("base64");
-    const { exitCode: envWriteCode } = await sshCmd(execa, ip, adminUser,
-      `echo '${envB64}' | base64 -d > /opt/foundation-compose/.env`,
-      30000,
-    );
-    if (envWriteCode !== 0) {
-      console.error(chalk.red("\n  Failed to write .env on VM.\n"));
-      if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-      process.exit(1);
-    }
-  }
-  // Compose edits only for legacy hardcoded-tag fixes (e.g. make download fallback)
-  if (composeChanges.length > 0) {
-    hint("Updating docker-compose.yaml…");
-    const updatedContent = applyVersionChanges(composeContent, composeChanges);
-    const composeB64 = Buffer.from(updatedContent).toString("base64");
-    const { exitCode: composeWriteCode } = await sshCmd(execa, ip, adminUser,
-      `echo '${composeB64}' | base64 -d > /opt/foundation-compose/docker-compose.yaml`,
-      30000,
+    // Ensure symlinks
+    await ssh(
+      'sudo -E rm -f /usr/local/bin/fops /usr/bin/fops 2>/dev/null; MJS="$(npm root -g 2>/dev/null)/@meshxdata/fops/fops.mjs"; [ -f "$MJS" ] || MJS="$(sudo -E npm root -g 2>/dev/null)/@meshxdata/fops/fops.mjs"; [ -f "$MJS" ] && sudo -E ln -sf "$MJS" /usr/local/bin/fops && sudo -E ln -sf /usr/local/bin/fops /usr/bin/fops',
+      15000,
     );
-    if (composeWriteCode !== 0) {
-      console.error(chalk.red("\n  Failed to write docker-compose.yaml on VM.\n"));
-      if (state.knockSequence?.length) await closeKnock(ssh, { quiet: true });
-      process.exit(1);
-    }
-    for (const c of composeChanges) {
-      const comp = Object.values(FOUNDATION_COMPONENTS).find(v => v.image === c.image);
-      console.log(chalk.green(`  ✓ ${comp?.label || c.image}: ${c.newTag}`));
-    }
-  }
-  console.log(chalk.green(`\n  ✓ ${affectedComponents.length} component(s) updated`));
-  // Offer to pull + restart
-  if (affectedComponents.length > 0) {
-    const { action } = await inquirer.prompt([{
-      type: "list",
-      name: "action",
-      message: "Pull images and restart?",
-      choices: [
-        { name: "Pull + restart affected services", value: "pull-restart" },
-        { name: "Pull only (no restart)", value: "pull" },
-        { name: "Skip (apply on next deploy)", value: "skip" },
-      ],
-    }]);
-    if (action === "pull-restart" || action === "pull") {
-      hint("Pulling images…");
-      await sshCmd(execa, ip, adminUser,
-        "cd /opt/foundation-compose && sudo docker compose pull --ignore-pull-failures 2>/dev/null; true",
-        300000,
-      );
-      console.log(chalk.green("  ✓ Images pulled"));
-      if (action === "pull-restart") {
-        hint("Restarting services…");
-        await sshCmd(execa, ip, adminUser,
-          "cd /opt/foundation-compose && sudo docker compose up -d --remove-orphans",
-          120000,
-        );
-        console.log(chalk.green("  ✓ Services restarted"));
-      }
-    } else {
-      hint(`Apply on next deploy: fops azure deploy${n}`);
-    }
-  }
-  if (state.knockSequence?.length) {
-    await closeKnock(ssh, { quiet: true });
-  }
-  console.log("");
-}
-// ── deploy version (non-interactive, CI-friendly) ────────────────────────────
-export async function azureDeployVersion(opts = {}) {
-  const execa = await lazyExeca();
-  const component = opts.component;
-  const tag = opts.tag;
-  if (!component || !tag) {
-    console.error(chalk.red("\n  Usage: fops azure deploy version <component> <tag>"));
-    console.error(chalk.dim("  Components: " + Object.keys(FOUNDATION_COMPONENTS).join(", ")));
-    console.error(chalk.dim("  Example:    fops azure deploy version backend v0.3.80\n"));
-    process.exit(1);
-  }
-  const compDef = FOUNDATION_COMPONENTS[component];
-  if (!compDef) {
-    console.error(chalk.red(`\n  Unknown component: "${component}"`));
-    console.error(chalk.dim("  Available: " + Object.keys(FOUNDATION_COMPONENTS).join(", ") + "\n"));
-    process.exit(1);
-  }
-  const { activeVm, vms } = listVms();
-  const vmNames = Object.keys(vms);
+    console.log(OK("  ✓ fops updated"));
-  // Determine targets: specific VM, all VMs, or AKS
-  const targets = [];
-  if (opts.vmName) {
-    if (!vms[opts.vmName]) {
-      console.error(chalk.red(`\n  VM "${opts.vmName}" not tracked. Run: fops azure list\n`));
+    // Pull images
+    const { exitCode: dlCode, stdout: dlOut, stderr: dlErr } = await ssh("cd /opt/foundation-compose && make download 2>&1", 600000);
+    if (dlCode !== 0) {
+      console.error(ERR(`  image pull failed (exit ${dlCode})`));
+      console.error(DIM(`  ${(dlErr || dlOut || "").split("\n").slice(-5).join("\n  ")}`));
       process.exit(1);
     }
-    targets.push(opts.vmName);
-  } else if (opts.all) {
-    targets.push(...vmNames);
-  } else if (vmNames.length === 1) {
-    targets.push(vmNames[0]);
-  } else if (activeVm && vms[activeVm]) {
-    targets.push(activeVm);
-  } else if (vmNames.length > 0) {
-    targets.push(...vmNames);
-  }
-  banner(`Deploy ${compDef.label} → ${tag}`);
-  // Deploy to VMs
-  if (targets.length > 0) {
-    kvLine("VMs", DIM(targets.join(", ")));
-    kvLine("Image", DIM(`${compDef.image}:${tag}`));
-    console.log("");
-    const results = await Promise.allSettled(targets.map(async (name) => {
-      const vm = vms[name];
-      if (!vm?.publicIp) return { name, ok: false, reason: "no public IP" };
-      try {
-        await knockForVm(vm);
-        const ip = vm.publicIp;
-        const adminUser = DEFAULTS.adminUser;
-        const ssh = (cmd) => sshCmd(execa, ip, adminUser, cmd, 30000);
-        // Read current compose + env
-        const { stdout: composeContent } = await ssh("cat /opt/foundation-compose/docker-compose.yaml");
-        const { stdout: envContent } = await ssh("cat /opt/foundation-compose/.env 2>/dev/null || echo ''");
-        if (!composeContent?.trim()) throw new Error("Cannot read docker-compose.yaml");
-        const { versions } = parseComponentVersions(composeContent, envContent);
-        const v = versions[component];
-        if (!v) {
-          console.log(chalk.dim(`  ${name}: ${compDef.label} not found in compose — skipping`));
-          return { name, ok: true, skipped: true };
-        }
-        if (v.effectiveTag === tag) {
-          console.log(OK(`  ${name}: ${compDef.label} already at ${tag}`));
-          return { name, ok: true, unchanged: true };
-        }
-        // Apply version change: per-component env var in .env only (no compose edit for env refs)
-        if (v.isEnvRef) {
-          const varName = `IMAGE_TAG_${v.envKey}`;
-          const currentEnv = envContent || "";
-          let newEnv;
-          const re = new RegExp(`^\\s*${varName}\\s*=.*`, "m");
-          if (re.test(currentEnv)) {
-            newEnv = currentEnv.replace(re, `${varName}=${tag}`);
-          } else {
-            newEnv = currentEnv.trimEnd() + (currentEnv.trim() ? "\n" : "") + `${varName}=${tag}\n`;
-          }
-          const envB64 = Buffer.from(newEnv).toString("base64");
-          await sshCmd(execa, ip, adminUser,
-            `echo '${envB64}' | base64 -d > /opt/foundation-compose/.env`, 30000);
-        } else {
-          const updated = applyVersionChanges(composeContent, [
-            { image: v.image, oldPattern: v.rawTag, newTag: tag },
-          ]);
-          const composeB64 = Buffer.from(updated).toString("base64");
-          await sshCmd(execa, ip, adminUser,
-            `echo '${composeB64}' | base64 -d > /opt/foundation-compose/docker-compose.yaml`, 30000);
-        }
-        // Pull the specific image and restart the service
-        const serviceName = `foundation-${component}`;
-        hint(`  ${name}: pulling ${compDef.image}:${tag}…`);
-        await sshCmd(execa, ip, adminUser,
-          `cd /opt/foundation-compose && sudo docker compose pull ${serviceName} 2>/dev/null; true`,
-          300000);
-        if (!opts.noPull) {
-          hint(`  ${name}: restarting ${serviceName}…`);
-          await sshCmd(execa, ip, adminUser,
-            `cd /opt/foundation-compose && sudo docker compose up -d --remove-orphans ${serviceName}`,
-            120000);
-        }
-        console.log(OK(`  ${name}: ${compDef.label} → ${tag} ✓`));
-        if (vm.knockSequence?.length) {
-          const sshFn = (cmd) => sshCmd(execa, ip, adminUser, cmd, 30000);
-          await closeKnock(sshFn, { quiet: true });
-        }
-        return { name, ok: true };
-      } catch (err) {
-        console.log(chalk.red(`  ${name}: failed — ${err.message}`));
-        return { name, ok: false, reason: err.message };
-      }
-    }));
-    const succeeded = results.filter(r => r.status === "fulfilled" && r.value?.ok).length;
-    const failed = targets.length - succeeded;
-    console.log(`\n  ${chalk.green(succeeded + " ok")}${failed ? chalk.red(", " + failed + " failed") : ""}`);
-  } else {
-    hint("No VMs tracked.");
+    console.log(OK("  ✓ images pulled\n"));
   }
-  // Deploy to AKS clusters if --aks or --all
-  if (opts.aks || opts.aksCluster) {
-    const aksTarget = opts.aksCluster || "";
-    hint(`\nUpdating AKS image tag…`);
-    try {
-      const { readAksClusters } = await import(resolveCliSrc("plugins/bundled/fops-plugin-azure/lib/azure-aks.js"));
-      const { clusters } = readAksClusters?.() || {};
-      const clusterNames = aksTarget ? [aksTarget] : Object.keys(clusters || {});
-      for (const cn of clusterNames) {
-        const fullImage = `${compDef.image}:${tag}`;
-        const namespace = "foundation";
-        const deployName = `foundation-${component}`;
-        const { exitCode, stderr } = await execa("kubectl", [
-          "--context", cn,
-          "set", "image",
-          `deployment/${deployName}`,
-          `${component}=${fullImage}`,
-          "-n", namespace,
-        ], { reject: false, timeout: 30000 });
-        if (exitCode === 0) {
-          console.log(OK(`  ${cn}: ${deployName} → ${tag}`));
-        } else {
-          console.log(WARN(`  ${cn}: ${(stderr || "").split("\n")[0]}`));
-        }
-      }
-    } catch (err) {
-      console.log(WARN(`  AKS deploy failed: ${err.message}`));
-    }
-  }
+  const publicUrl = opts.url || state.publicUrl || `https://${resolveUniqueDomain(state.vmName, "vm")}`;
+  const k3s = opts.k3s ?? false;
+  const traefik = opts.traefik ?? true;
+  const dai = opts.dai ?? false;
+  const upArgs = buildRemoteFopsUpArgs(publicUrl, {
+    k3s,
+    traefik,
+    dai,
+    component: opts.component,
+    branch: opts.branch,
+  });
+  const cmd = `cd /opt/foundation-compose && export PATH=/usr/local/bin:/usr/bin:$PATH && sudo -E ${upArgs}`;
+  banner(`Run fops up on ${state.vmName}${opts.component && opts.branch ? ` (${opts.component} ${opts.branch})` : ""}`);
+  kvLine("IP", DIM(ip));
+  kvLine("URL", LABEL(publicUrl));
   console.log("");
+  const result = await sshCmd(execa, ip, adminUser, cmd, 600000, { stdio: "inherit" });
+  if (result.exitCode !== 0) process.exit(result.exitCode);
 }
 // ── update (parallel fops update on remote hosts) ────────────────────────────
@@ -2422,6 +1295,28 @@ export async function azureList(opts = {}) {
     }
   } catch { /* az not available or not authenticated */ }
+  // JSON output mode - early return with structured data
+  if (opts.json) {
+    const output = {
+      vms: vmNames.map(name => ({
+        name,
+        publicIp: vms[name]?.publicIp || null,
+        resourceGroup: vms[name]?.resourceGroup || null,
+        location: vms[name]?.location || null,
+        state: vms[name]?.powerState || "unknown",
+      })),
+      clusters: Object.entries(aksClusters).map(([name, cl]) => ({
+        name,
+        resourceGroup: cl.resourceGroup || null,
+        location: cl.location || null,
+        provisioningState: cl.provisioningState || "unknown",
+        kubernetesVersion: cl.kubernetesVersion || null,
+      })),
+    };
+    console.log(JSON.stringify(output, null, 2));
+    return;
+  }
   if (vmNames.length === 0 && !hasAks) {
     banner("Azure VMs");
     hint("No VMs or clusters found in Azure.");
@@ -2643,6 +1538,16 @@ export async function azureList(opts = {}) {
       ...(cachedClusters[name] || { status: "unknown" }),
     }));
+    // Sort: primaries first, then their standbys grouped together
+    clusterResults.sort((a, b) => {
+      const aIsStandby = a.name.endsWith("-standby");
+      const bIsStandby = b.name.endsWith("-standby");
+      const aBase = aIsStandby ? a.name.replace(/-standby$/, "") : a.name;
+      const bBase = bIsStandby ? b.name.replace(/-standby$/, "") : b.name;
+      if (aBase !== bBase) return aBase.localeCompare(bBase);
+      return aIsStandby ? 1 : -1; // primary before standby
+    });
     const maxCName = Math.max(...clusterResults.map(c => c.name.length), 4);
     const hasAksQa = clusterNames.some(n => aksClusters[n]?.qa);
     const aksQaW = 20;
@@ -2658,8 +1563,15 @@ export async function azureList(opts = {}) {
     for (const cr of clusterResults) {
       const cl = aksClusters[cr.name];
       const active = cr.name === activeCluster;
+      const isStandby = cr.name.endsWith("-standby");
+      const primaryName = isStandby ? cr.name.replace(/-standby$/, "") : null;
+      const hasPrimary = primaryName && clusterNames.includes(primaryName);
+      const prefix = isStandby && hasPrimary ? "  └─" : "";
       const dot = active ? OK("●") : DIM("○");
-      const cNameTxt = active ? OK(cr.name.padEnd(maxCName)) : LABEL(cr.name.padEnd(maxCName));
+      const displayName = isStandby && hasPrimary
+        ? `${cr.name} ${DIM("(HA standby)")}`
+        : cr.name;
+      const cNameTxt = active ? OK(displayName.padEnd(maxCName + 13)) : LABEL(displayName.padEnd(maxCName + 13));
       const loc = (cl?.location || cr.location || "–").padEnd(10);
       const nodes = cr.nodes != null ? `${cr.nodes} x ${cr.sizes || "?"}` : "–";
       const k8s = (cr.kubernetesVersion || "–").padEnd(6);
@@ -2702,7 +1614,8 @@ export async function azureList(opts = {}) {
         costCell = `  ${formatCostCell(amount, costData.currency).padEnd(14)}`;
       }
-      console.log(`  ${dot} ${cNameTxt}  ${DIM(loc)}  ${DIM(nodes.padEnd(12))}  ${DIM(k8s)}  ${flux}${aksQaCell}${costCell}  ${statusTxt}`);
+      const rowPrefix = prefix ? DIM(prefix) : `  ${dot}`;
+      console.log(`${rowPrefix} ${cNameTxt}  ${DIM(loc)}  ${DIM(nodes.padEnd(12))}  ${DIM(k8s)}  ${flux}${aksQaCell}${costCell}  ${statusTxt}`);
     }
     const costSuffix = showCost && aksTotal > 0
@@ -2813,513 +1726,13 @@ export async function azureApply(file, opts = {}) {
   ], { stdio: "inherit", reject: false, timeout: 300000 });
 }
-// ── knock ────────────────────────────────────────────────────────────────────
-export async function azureKnock(opts = {}) {
-  const { ensureKnockSequence } = await import("./azure-helpers.js");
-  // Sync IP + knock sequence from Azure before using them
-  const state = await ensureKnockSequence(requireVmState(opts.vmName));
-  if (!state?.knockSequence?.length) {
-    console.error(ERR("\n  Port knocking is not configured on this VM."));
-    hint(`Provision with:  fops azure up${nameArg(state?.vmName)}\n`);
-    process.exit(1);
-  }
-  const ip = state.publicIp;
-  if (!ip) { console.error(ERR("\n  No IP address. Is the VM running?\n")); process.exit(1); }
-  await performKnock(ip, state.knockSequence);
-  hint("SSH (22) open for ~5 min from your IP.");
-  hint(`Connect:  ssh ${DEFAULTS.adminUser}@${ip}`);
-  if (state.publicUrl) hint(`Browse:   ${state.publicUrl}`);
-  console.log();
-}
-export async function azureKnockClose(opts = {}) {
-  const execa = await lazyExeca();
-  const state = requireVmState(opts.vmName);
-  if (!state.knockSequence?.length) {
-    console.error(ERR("\n  Port knocking is not configured on this VM."));
-    hint(`Provision with:  fops azure up${nameArg(state?.vmName)}\n`);
-    process.exit(1);
-  }
-  const ip = state.publicIp;
-  if (!ip) { console.error(ERR("\n  No IP. Is the VM running?\n")); process.exit(1); }
-  await performKnock(ip, state.knockSequence, { quiet: true });
-  const ssh = (cmd) => sshCmd(execa, ip, DEFAULTS.adminUser, cmd);
-  await closeKnock(ssh);
-}
-/**
- * Run the same teardown as removeKnockd on the VM via Azure Run Command (no SSH needed).
- * Use when VM is unreachable (e.g. knock broken, wrong sequence).
- */
-async function removeKnockdViaRunCommand(execa, rg, vmName, sub) {
-  const script = [
-    "for dport in $(sudo iptables -L INPUT -n 2>/dev/null | grep 'tcp dpt:' | grep -oP 'dpt:\\K[0-9]+' | sort -u); do sudo iptables -D INPUT -p tcp --dport $dport -j DROP 2>/dev/null || true; sudo iptables -D INPUT -p tcp --dport $dport -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true; done",
-    "sudo netfilter-persistent save 2>/dev/null || true",
-    "sudo systemctl stop knockd 2>/dev/null || true",
-    "sudo systemctl disable knockd 2>/dev/null || true",
-  ].join(" && ");
-  const { exitCode } = await execa("az", [
-    "vm", "run-command", "invoke", "--resource-group", rg, "--name", vmName,
-    "--command-id", "RunShellScript", "--scripts", script,
-    "--output", "none", ...subArgs(sub),
-  ], { timeout: 60000, reject: false });
-  return exitCode === 0;
-}
-export async function azureKnockDisable(opts = {}) {
-  const execa = await lazyExeca();
-  const state = requireVmState(opts.vmName);
-  const ip = state.publicIp;
-  if (!ip) { console.error(chalk.red("\n  No IP. Is the VM running?\n")); process.exit(1); }
-  if (!state.knockSequence?.length) {
-    console.log(chalk.dim("\n  Port knocking is not configured.\n"));
-    return;
-  }
-  const rg = state.resourceGroup;
-  const vmName = state.vmName || opts.vmName;
-  const sub = opts.profile;
-  const trySsh = async () => {
-    await performKnock(ip, state.knockSequence, { quiet: true });
-    const ssh = (cmd) => sshCmd(execa, ip, DEFAULTS.adminUser, cmd, 15000);
-    await removeKnockd(ssh);
-  };
-  let sshOk = false;
-  if (rg && vmName) {
-    let sshReachable = false;
-    try {
-      await performKnock(ip, state.knockSequence, { quiet: true });
-      const { exitCode } = await execa("ssh", [
-        ...MUX_OPTS(ip, DEFAULTS.adminUser),
-        "-o", "BatchMode=yes", "-o", "ConnectTimeout=8",
-        `${DEFAULTS.adminUser}@${ip}`, "echo ok",
-      ], { timeout: 12000, reject: false });
-      sshReachable = exitCode === 0;
-    } catch { sshReachable = false; }
-    if (sshReachable) {
-      try {
-        await trySsh();
-        sshOk = true;
-      } catch (e) {
-        console.log(chalk.yellow("  SSH failed: " + (e?.message || e) + " — trying Azure Run Command…"));
-      }
-    } else {
-      console.log(chalk.dim("  VM not reachable via SSH — using Azure Run Command (no knock required)."));
-    }
-    if (!sshOk && rg && vmName) {
-      const ok = await removeKnockdViaRunCommand(execa, rg, vmName, sub);
-      if (ok) {
-        console.log(chalk.green("  ✓ Port knocking disabled via Azure Run Command — all ports open"));
-        sshOk = true;
-      } else {
-        console.error(chalk.red("\n  Run Command failed. Ensure VM agent is running and you have access to the resource group.\n"));
-        process.exit(1);
-      }
-    }
-  }
-  if (!sshOk) {
-    try {
-      await trySsh();
-    } catch (e) {
-      if (rg && vmName) {
-        console.error(chalk.red("\n  Could not reach VM via SSH and no resource group/vm name for Run Command.\n"));
-      } else {
-        console.error(chalk.red("\n  Could not reach VM via SSH. If knock is broken, ensure state has resourceGroup/vmName and retry (uses az vm run-command).\n"));
-      }
-      process.exit(1);
-    }
-  }
-  writeVmState(state.vmName, { knockSequence: undefined });
-}
-export async function azureKnockVerify(opts = {}) {
-  const execa = await lazyExeca();
-  const { vms } = listVms();
-  const targets = opts.vmName ? [opts.vmName] : Object.keys(vms);
-  if (targets.length === 0) {
-    hint("No VMs tracked.\n");
-    return;
-  }
-  banner("Knock Verification");
-  let issues = 0;
-  const KNOCK_PORT_RANGE = { min: 49152, max: 49200 };
-  const knockRangeStr = `${KNOCK_PORT_RANGE.min}-${KNOCK_PORT_RANGE.max}`;
-  for (const name of targets) {
-    const state = vms[name];
-    if (!state) { console.log(ERR(`  ✗ ${name}: not tracked`)); issues++; continue; }
-    const ip = state.publicIp;
-    if (!ip) { console.log(ERR(`  ✗ ${name}: no public IP`)); issues++; continue; }
-    console.log(`\n  ${LABEL(name)} ${DIM(`(${ip})`)}`);
-    // ── Azure NSG (firewall) — no SSH needed ─────────────────────────────────
-    const rg = state.resourceGroup;
-    const vmName = state.vmName || name;
-    if (rg) {
-      try {
-        const { stdout: nicId } = await execa("az", [
-          "vm", "show", "-g", rg, "-n", vmName,
-          "--query", "networkProfile.networkInterfaces[0].id", "-o", "tsv",
-          ...subArgs(opts.profile),
-        ], { timeout: 15000, reject: false });
-        if (nicId?.trim()) {
-          const { stdout: nsgId } = await execa("az", [
-            "network", "nic", "show", "--ids", nicId.trim(),
-            "--query", "networkSecurityGroup.id", "-o", "tsv",
-            ...subArgs(opts.profile),
-          ], { timeout: 10000, reject: false });
-          if (nsgId?.trim()) {
-            const nsgName = nsgId.trim().split("/").pop();
-            const { stdout: rulesJson } = await execa("az", [
-              "network", "nsg", "rule", "list", "-g", rg, "--nsg-name", nsgName,
-              "--output", "json", ...subArgs(opts.profile),
-            ], { timeout: 10000, reject: false });
-            const rules = rulesJson ? JSON.parse(rulesJson) : [];
-            const allow = rules.filter((r) => r.direction === "Inbound" && r.access === "Allow");
-            const has22 = allow.some((r) =>
-              r.destinationPortRange === "22" || (r.destinationPortRanges || []).includes("22")
-            );
-            const hasKnockRange = allow.some((r) =>
-              r.destinationPortRange === knockRangeStr ||
-              (r.destinationPortRanges || []).some((p) => {
-                const n = parseInt(p, 10);
-                return n >= KNOCK_PORT_RANGE.min && n <= KNOCK_PORT_RANGE.max;
-              })
-            );
-            if (has22 && hasKnockRange) {
-              console.log(OK(`    ✓ NSG "${nsgName}": SSH (22) + knock range (${knockRangeStr}) allowed`));
-            } else {
-              if (!has22) { console.log(ERR(`    ✗ NSG: no rule allowing port 22`)); issues++; }
-              if (!hasKnockRange) { console.log(ERR(`    ✗ NSG: no rule allowing knock ports ${knockRangeStr}`)); issues++; }
-              hint(`      Fix: fops azure up ${name}  (reconciles NSG rules)`);
-            }
-          } else {
-            console.log(WARN("    ⚠ No NSG on NIC — SSH/knock not restricted at Azure level"));
-          }
-        }
-      } catch (e) {
-        console.log(WARN(`    ⚠ Could not check NSG: ${e.message || e}`));
-      }
-    }
-    // Check local config
-    if (!state.knockSequence?.length) {
-      console.log(WARN("    ⚠ No knock sequence stored locally"));
-      console.log(DIM("      Fix: fops azure up " + name));
-      issues++;
-      continue;
-    }
-    console.log(OK(`    ✓ Local sequence: ${state.knockSequence.join(" → ")}`));
-    // Knock to get SSH access for diagnostics
-    await performKnock(ip, state.knockSequence, { quiet: true });
-    const ssh = (cmd) => sshCmd(execa, ip, DEFAULTS.adminUser, cmd, 10000);
-    // In-guest checks (may fail if knock/SSH still blocked)
-    let sshOk = false;
-    try {
-      const { exitCode } = await execa("ssh", [
-        ...MUX_OPTS(ip, DEFAULTS.adminUser),
-        "-o", "BatchMode=yes", "-o", "ConnectTimeout=8",
-        `${DEFAULTS.adminUser}@${ip}`, "echo ok",
-      ], { timeout: 12000, reject: false });
-      sshOk = exitCode === 0;
-    } catch { sshOk = false; }
-    if (!sshOk) {
-      console.log(ERR("    ✗ SSH unreachable after knock — check NSG above and sequence match"));
-      hint(`      Try: fops azure knock open ${name}  then  fops azure ssh ${name}`);
-      hint(`      Or: fops azure knock fix ${name}  to re-setup knock`);
-      issues++;
-      continue;
-    }
-    // Check knockd service
-    const { stdout: knockdStatus } = await ssh(
-      "systemctl is-active knockd 2>/dev/null || echo inactive"
-    );
-    if (knockdStatus?.trim() === "active") {
-      console.log(OK("    ✓ knockd service: active"));
-    } else {
-      console.log(ERR("    ✗ knockd service: " + (knockdStatus?.trim() || "unknown")));
-      console.log(DIM("      Fix: fops azure up " + name));
-      issues++;
-    }
-    // Check iptables DROP rules for port 22 and 443
-    const { stdout: iptables } = await ssh(
-      "sudo iptables -L INPUT -n --line-numbers 2>/dev/null"
-    );
-    const lines = (iptables || "").split("\n");
-    for (const port of [22, 443]) {
-      const dropRule = lines.find(l => l.includes("DROP") && l.includes(`dpt:${port}`));
-      const estRule = lines.find(l => l.includes("ACCEPT") && l.includes(`dpt:${port}`) && l.includes("ESTABLISHED"));
-      if (dropRule && estRule) {
-        const dropNum = parseInt(dropRule.trim());
-        const estNum = parseInt(estRule.trim());
-        if (estNum < dropNum) {
-          console.log(OK(`    ✓ Port ${port}: DROP rule #${dropNum}, ESTABLISHED rule #${estNum} (correct order)`));
-        } else {
-          console.log(ERR(`    ✗ Port ${port}: ESTABLISHED rule #${estNum} is AFTER DROP #${dropNum} (wrong order)`));
-          issues++;
-        }
-      } else if (!dropRule) {
-        console.log(ERR(`    ✗ Port ${port}: no DROP rule — port is wide open`));
-        issues++;
-      } else if (!estRule) {
-        console.log(WARN(`    ⚠ Port ${port}: DROP exists but no ESTABLISHED rule (may break active sessions)`));
-        issues++;
-      }
-    }
-    // Check for broad ACCEPT rules that would override DROP
-    const broadAccept = lines.filter(l =>
-      l.includes("ACCEPT") &&
-      l.includes("0.0.0.0/0") &&
-      !l.includes("dpt:") &&
-      !l.includes("ESTABLISHED") &&
-      !l.includes("RELATED")
-    );
-    if (broadAccept.length > 0) {
-      for (const rule of broadAccept) {
-        const ruleNum = parseInt(rule.trim());
-        const drop22 = lines.find(l => l.includes("DROP") && l.includes("dpt:22"));
-        const dropNum = drop22 ? parseInt(drop22.trim()) : 999;
-        if (ruleNum < dropNum) {
-          console.log(ERR(`    ✗ Broad ACCEPT-all rule #${ruleNum} is before DROP #${dropNum} — bypasses knock!`));
-          issues++;
-        }
-      }
-    }
-    // Check knockd config matches local sequence
-    const { stdout: confRaw } = await ssh("sudo cat /etc/knockd.conf 2>/dev/null || echo ''");
-    const seqMatch = confRaw?.match(/sequence\s*=\s*([\d,]+)/);
-    if (seqMatch) {
-      const remoteSeq = seqMatch[1].split(",").map(Number);
-      const localSeq = state.knockSequence;
-      if (JSON.stringify(remoteSeq) === JSON.stringify(localSeq)) {
-        console.log(OK("    ✓ knockd.conf sequence matches local state"));
-      } else {
-        console.log(ERR(`    ✗ Sequence mismatch — remote: [${remoteSeq.join(",")}] vs local: [${localSeq.join(",")}]`));
-        console.log(DIM("      Fix: fops azure knock disable " + name + " && fops azure up " + name));
-        issues++;
-      }
-    } else {
-      console.log(ERR("    ✗ Could not read /etc/knockd.conf"));
-      issues++;
-    }
-    // Close the door after verification
-    await closeKnock(ssh, { quiet: true });
-  }
-  console.log("");
-  if (issues > 0) {
-    console.log(ERR(`  ${issues} issue(s) found.`));
-    hint("To re-setup knock on all VMs: fops azure knock fix\n");
-  } else {
-    console.log(OK("  ✓ All VMs properly configured — ports are blocked until knocked.\n"));
-  }
-}
-export async function azureKnockFix(opts = {}) {
-  const execa = await lazyExeca();
-  const { generateKnockSequence } = await import("./port-knock.js");
-  const { vms } = listVms();
-  const targets = opts.vmName ? [opts.vmName] : Object.keys(vms);
-  if (targets.length === 0) {
-    hint("No VMs tracked.\n");
-    return;
-  }
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: opts.profile });
-  banner("Knock Fix");
-  for (const name of targets) {
-    const state = vms[name];
-    if (!state?.resourceGroup) {
-      console.log(chalk.dim(`  ${name}: no resource group — skipped`));
-      continue;
-    }
-    const { publicIp: ip, resourceGroup: rg } = state;
-    console.log(`\n  ${LABEL(name)} ${DIM(`(${ip || "no IP"})`)}`);
-    const knockSeq = state.knockSequence?.length ? state.knockSequence : generateKnockSequence();
-    const appPort = DEFAULTS.publicPort || 443;
-    // Build the setup script to run via az vm run-command (works even when SSH is locked)
-    const script = buildKnockdScript(knockSeq, appPort);
-    console.log(chalk.dim("  Running via az vm run-command (bypasses firewall)..."));
-    const { stdout, exitCode } = await execa("az", [
-      "vm", "run-command", "invoke",
-      "--resource-group", rg,
-      "--name", name,
-      "--command-id", "RunShellScript",
-      "--scripts", script,
-      "--output", "json",
-      ...subArgs(opts.profile),
-    ], { reject: false, timeout: 180000 });
-    if (exitCode !== 0) {
-      console.error(ERR(`    ✗ az run-command failed for ${name}`));
-      continue;
-    }
-    // Check script output for errors
-    try {
-      const result = JSON.parse(stdout);
-      const msg = result?.value?.[0]?.message || "";
-      if (msg.toLowerCase().includes("failed") || msg.toLowerCase().includes("error")) {
-        console.log(chalk.dim(`    Script output: ${msg.slice(0, 200)}`));
-      }
-    } catch { /* ignore parse errors */ }
-    writeVmState(name, { knockSequence: knockSeq });
-    await setVmKnockTag(execa, rg, name, knockSeq, opts.profile);
-    console.log(OK(`    ✓ Knock re-configured (sequence: ${knockSeq.join(" → ")})`));
-  }
-  console.log(OK(`\n  ✓ Done — run fops azure knock verify to confirm.\n`));
-}
-/**
- * Build a self-contained bash script that installs knockd and configures
- * iptables. Designed to run via az vm run-command (no SSH needed).
- */
-function buildKnockdScript(sequence, appPort) {
-  const ports = [22];
-  if (appPort && appPort !== 22) ports.push(Number(appPort));
-  const openCmds = ports.map(p => `/usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport ${p} -j ACCEPT`).join(" && ");
-  const closeCmds = ports.map(p => `/usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport ${p} -j ACCEPT`).join(" && ");
-  const KNOCK_CMD_TIMEOUT = 300;
-  // iptables rules: clean up stale entries, then insert DROP + ESTABLISHED
-  const iptRules = [];
-  for (const p of ports) {
-    iptRules.push(
-      `while iptables -D INPUT -p tcp --dport ${p} -j DROP 2>/dev/null; do :; done`,
-      `while iptables -D INPUT -p tcp --dport ${p} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null; do :; done`,
-      `while iptables -D INPUT -p tcp --dport ${p} -j ACCEPT 2>/dev/null; do :; done`,
-    );
-  }
-  for (const p of ports) {
-    iptRules.push(
-      `iptables -I INPUT -p tcp --dport ${p} -j DROP`,
-      `iptables -I INPUT -p tcp --dport ${p} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`,
-    );
-  }
-  return [
-    "#!/bin/bash",
-    "set -e",
-    // Detect interface dynamically inside the script
-    "IFACE=$(ip route show default 2>/dev/null | awk '{print $5}' | head -1)",
-    "IFACE=${IFACE:-eth0}",
-    // Install knockd
-    "export DEBIAN_FRONTEND=noninteractive",
-    "apt-get update -qq",
-    "apt-get install -y -qq knockd iptables-persistent 2>/dev/null || true",
-    // Write knockd.conf using printf to avoid heredoc quoting issues
-    `printf '[options]\\n    UseSyslog\\n    Interface = %s\\n\\n[openPorts]\\n    sequence    = ${sequence.join(",")}\\n    seq_timeout = 15\\n    command     = ${openCmds}\\n    tcpflags    = syn\\n    cmd_timeout = ${KNOCK_CMD_TIMEOUT}\\n    stop_command = ${closeCmds}\\n' "$IFACE" > /etc/knockd.conf`,
-    // Enable knockd service
-    "sed -i 's/^START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd 2>/dev/null || true",
-    `sed -i "s|^KNOCKD_OPTS=.*|KNOCKD_OPTS=\\"-i $IFACE\\"|" /etc/default/knockd 2>/dev/null || true`,
-    // Apply iptables rules
-    ...iptRules,
-    "netfilter-persistent save 2>/dev/null || true",
-    "systemctl enable knockd",
-    "systemctl restart knockd",
-    "echo 'knockd configured OK'",
-  ].join("\n");
-}
-// ── ssh whitelist-me ─────────────────────────────────────────────────────────
-export async function azureSshWhitelistMe(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-  const state = requireVmState(opts.vmName);
-  const { vmName, resourceGroup: rg } = state;
-  const myIp = await fetchMyIp();
-  if (!myIp) {
-    console.error(ERR("\n  Could not detect your public IP address.\n"));
-    process.exit(1);
-  }
-  const myCidr = `${myIp}/32`;
-  // Resolve NSG name from NIC
-  const nicName = `${vmName}VMNic`;
-  const { stdout: nicJson, exitCode: nicCode } = await execa("az", [
-    "network", "nic", "show", "-g", rg, "-n", nicName, "--output", "json",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 15000 });
-  let nsgName = `${vmName}NSG`;
-  if (nicCode === 0) {
-    const nsgId = JSON.parse(nicJson).networkSecurityGroup?.id || "";
-    if (nsgId) nsgName = nsgId.split("/").pop();
-  }
-  // Fetch current SSH rule
-  const { stdout: rulesJson, exitCode: rulesCode } = await execa("az", [
-    "network", "nsg", "rule", "list", "-g", rg, "--nsg-name", nsgName, "--output", "json",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 15000 });
-  const rules = rulesCode === 0 ? JSON.parse(rulesJson || "[]") : [];
-  const inboundAllow = rules.filter(r => r.access === "Allow" && r.direction === "Inbound");
-  const sshRule = inboundAllow.find(r =>
-    r.destinationPortRange === "22" ||
-    (Array.isArray(r.destinationPortRanges) && r.destinationPortRanges.includes("22"))
-  );
-  const currentSources = [];
-  if (sshRule?.sourceAddressPrefix) currentSources.push(sshRule.sourceAddressPrefix);
-  if (Array.isArray(sshRule?.sourceAddressPrefixes)) currentSources.push(...sshRule.sourceAddressPrefixes);
+// ── knock & ssh whitelist (split to azure-ops-knock.js) ─────────────────────
-  if (currentSources.includes(myCidr)) {
-    console.log(OK(`\n  ✓ ${myCidr} is already whitelisted for SSH on ${vmName}\n`));
-    return;
-  }
-  const merged = [...new Set([...currentSources.filter(s => s && s !== "*" && s !== "Internet"), myCidr])];
-  console.log(chalk.yellow(`  ↻ Adding ${myCidr} to SSH rule on ${nsgName} (${currentSources.length} existing)...`));
-  const { exitCode: updateCode } = await execa("az", [
-    "network", "nsg", "rule", "create", "-g", rg, "--nsg-name", nsgName,
-    "-n", sshRule?.name || "allow-ssh", "--priority", String(sshRule?.priority || 1000),
-    "--destination-port-ranges", "22", "--access", "Allow",
-    "--source-address-prefixes", ...merged,
-    "--protocol", "Tcp", "--direction", "Inbound", "--output", "none",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 30000 });
-  if (updateCode !== 0) {
-    console.error(ERR(`\n  Failed to update NSG rule on ${nsgName}\n`));
-    process.exit(1);
-  }
-  console.log(OK(`\n  ✓ SSH (22) whitelisted for ${myCidr} on ${vmName} (${nsgName})\n`));
-  console.log(`  Sources: ${merged.join(", ")}\n`);
-}
+export {
+  azureKnock,
+  azureKnockClose,
+  azureKnockDisable,
+  azureKnockVerify,
+  azureKnockFix,
+  azureSshWhitelistMe,
+} from "./azure-ops-knock.js";