@meshxdata/fops 0.1.51 → 0.1.52

package/CHANGELOG.md

@@ -1,9 +1,12 @@
-# Changelog
-
-All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.
-
-## [0.1.51] - 2026-03-24
-
+## [0.1.52] - 2026-03-24
+
+- fix(doctor): set KUBECONFIG for k3s kubectl commands (db9359b)
+- fix(azure): move --landscape to test run command, not separate subcommand (4b9b089)
+- feat(azure): add test integration command with landscape support (b2990a0)
+- fix(fleet): skip VMs without public IPs in fleet exec (39acbaa)
+- feat(azure): detect and fix External Secrets identity issues (f907d11)
+- operator cli bump 0.1.51 (db55bdc)
+- feat: add postgres-exporter and Azure tray menu improvements (2a337ac)
 - operator cli plugin fix (4dae908)
 - operator cli plugin fix (25620cc)
 - operator cli test fixes (1d1c18f)
@@ -176,195 +179,6 @@ All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented
 - azure packer (12175b8)
 - init hashed pwd (db8523c)
 - packer (5b5c7c4)
-- doctor for azure vm (ed524fa)
-- packer and 1pwd (c6d053e)
-- split big index.js (dc85a1b)
-- kafka volume update (21815ec)
-- fix openai azure tools confirmation and flow (0118cd1)
-- nighly fixx, test fix (5e0d04f)
-- open ai training (cdc494a)
-
-## [0.1.50] - 2026-03-24
-
-- operator cli plugin fix (25620cc)
-- operator cli test fixes (1d1c18f)
-- feat(test): add setup-users command for QA test user creation (b929507)
-- feat(aks): show HA standby clusters with visual grouping (8fb640c)
-- refactor(provision): extract VM provisioning to dedicated module (af321a7)
-- refactor(provision): extract post-start health checks to dedicated module (6ed5f2d)
-- fix: ping timeout 15s, fix prometheus sed escaping (d11ac14)
-- refactor(vm): extract terraform HCL generation to dedicated module (896a64b)
-- refactor(keyvault): extract key operations to dedicated module (716bbe4)
-- refactor(azure): extract swarm functions to azure-fleet-swarm.js (4690e34)
-- refactor(azure): extract SSH/remote functions to azure-ops-ssh.js (e62b8f0)
-- refactor(azure): split azure-ops.js into smaller modules (4515425)
-- feat(aks): add --ha flag for full cross-region HA setup (ece68c5)
-- feat(fops): inject ENVIRONMENT_NAME on VM provisioning (6ef2a27)
-- fix(postgres): disable SSL mode to fix connection issues (c789ae9)
-- feat(trino): add caching configuration for docker-compose (3668224)
-- fix(fops-azure): run pytest directly instead of missing scripts (29f8410)
-- add -d detach option for local frontend dev, remove hive cpu limits (3306667)
-- release 0.1.49 (dcca32b)
-- release 0.1.48 (9b195e5)
-- stash on updates (2916c01)
-- stash on updates (b5c14df)
-- stash on updates (d0453d1)
-- frontend dev fixes (0ca7b00)
-- fix: update azure test commands (77c81da)
-- default locust to CLI mode, add --web for UI (ca35bff)
-- add locust command for load testing AKS clusters (1278722)
-- update spot node pool default autoscaling to 1-20 (617c182)
-- module for aks (3dd1a61)
-- add hive to PG_SERVICE_DBS for fops pg-setup (afccb16)
-- feat(azure): enhance aks doctor with ExternalSecrets and PGSSLMODE checks (8b14861)
-- add foundation-postgres ExternalName service to reconciler (ea88e11)
-- new flux templates (0e2e372)
-- feat(azure): add storage-engine secrets to Key Vault (a4f488e)
-- feat(azure-aks): add AUTH0_DOMAIN to template rendering variables (216c37e)
-- feat(azure): add storage account creation per cluster (aa1b138)
-- bump watcher (ab24473)
-- fix: concurrent compute calls (#66) (03e2edf)
-- bump backend version (5058ff5)
-- bump fops to 0.1.44 (8c0ef5d)
-- Mlflow and azure plugin fix (176881f)
-- fix lifecycle (a2cb9e7)
-- callback url for localhost (821fb94)
-- disable 4 scaffolding plugin by default. (bfb2b76)
-- jaccard improvements (b7494a0)
-- refactor azure plugin (68dfef4)
-- refactor azure plugin (b24a008)
-- fix trino catalog missing (4928a55)
-- v36 bump and changelog generation on openai (37a0440)
-- v36 bump and changelog generation on openai (a3b02d9)
-- bump (a990058)
-- status bar fix and new plugin for ttyd (27dde1e)
-- file demo and tray (1a3e704)
-- electron app (59ad0bb)
-- compose and fops file plugin (1cf0e81)
-- bump (346ffc1)
-- localhost replaced by 127.0.0.1 (82b9f30)
-- .29 (587b0e1)
-- improve up down and bootstrap script (b79ebaf)
-- checksum (22c8086)
-- checksum (96b434f)
-- checksum (15ed3c0)
-- checksum (8a6543a)
-- bump embed trino linksg (8440504)
-- bump data (765ffd9)
-- bump (cb8b232)
-- broken tests (c532229)
-- release 0.1.18, preflight checks (d902249)
-- fix compute display bug (d10f5d9)
-- cleanup packer files (6330f18)
-- plan mode (cb36a8a)
-- bump to 0.1.16 - agent ui (41ac1a2)
-- bump to 0.1.15 - agent ui (4ebe2e1)
-- bump to 0.1.14 (6c3a7fa)
-- bump to 0.1.13 (8db570f)
-- release 0.1.12 (c1c79e5)
-- bump (11aa3b0)
-- git keep and bump tui (be1678e)
-- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
-- cloudflare and token consumption, graphs indexing (0ad9eec)
-- bump storage default (22c83ba)
-- storage fix (68a22a0)
-- skills update (7f56500)
-- v9 bump (3864446)
-- bump (c95eedc)
-- rrf (dbf8c95)
-- feat: warning when running predictions (95e8c52)
-- feat: support for local predictions (45cf26b)
-- feat: wip support for predictions + mlflow (3457052)
-- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
-- validate CSV headers in compute_run readiness check (a8c7a43)
-- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
-- enforce: never use foundation_apply to fix broken products (2e049bf)
-- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
-- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
-- skills update (1220385)
-- skills update (bb66958)
-- some tui improvement andd tools apply overwrite (e90c35c)
-- skills update (e9227a1)
-- skills update (669c4b3)
-- fix plugin pre-flight checks (f741743)
-- increase agent context (6479aaa)
-- skills and init sql fixes (5fce35e)
-- checksum (3518b56)
-- penging job limit (a139861)
-- checksum (575d28c)
-- bump (92049ba)
-- fix bug per tab status (0a33657)
-- fix bug per tab status (50457c6)
-- checksumming (0ad842e)
-- shot af mardkwon overlapping (51f63b9)
-- add spark dockerfile for multiarch builds (95abbd1)
-- fix plugin initialization (16b9782)
-- split index.js (50902a2)
-- cloudflare cidr (cc4e021)
-- cloduflare restrictions (2f6ba2d)
-- sequential start (86b496e)
-- sequential start (4930fe1)
-- sequential start (353f014)
-- qa tests (2dc6a1a)
-- bump sha for .85 (dc2edfe)
-- preserve env on sudo (7831227)
-- bump sha for .84 (6c052f9)
-- non interactive for azure vms (0aa8a2f)
-- keep .env if present (d072450)
-- bump (7a8e732)
-- ensure opa is on compose if not set (f4a5228)
-- checksum bump (a2ccc20)
-- netrc defensive checks (a0b0ccc)
-- netrc defensive checks (ae37403)
-- checksum (ec45d11)
-- update sync and fix up (7f9af72)
-- expand test for azure and add new per app tag support (388a168)
-- checksum on update (44005fc)
-- cleanup for later (15e5313)
-- cleanup for later (11c9597)
-- switch branch feature (822fecc)
-- add pull (d1c19ab)
-- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
-- tests (f180a9a)
-- cleanup (39c49a3)
-- registry (7b7126a)
-- reconcile kafka (832d0db)
-- gh login bug (025886c)
-- cleanup (bb96cab)
-- strip envs from process (2421180)
-- force use of gh creds not tokens in envs var (fff7787)
-- resolve import between npm installs and npm link (79522e1)
-- fix gh scope and azure states (afd846c)
-- refactoring (da50352)
-- split fops repo (d447638)
-- aks (b791f8f)
-- refactor azure (67d3bad)
-- wildcard (391f023)
-- azure plugin (c074074)
-- zap (d7e6e7f)
-- fix knock (cf89c05)
-- azure (4adec98)
-- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
-- azure stack index.js split (de12272)
-- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
-- packer (9665fbc)
-- remove stack api (db0fd4d)
-- packer cleanup (fe1bf14)
-- force refresh token (3a3d7e2)
-- provision shell (2ad505f)
-- azure vm management (91dcb31)
-- azure specific (2b0cca8)
-- azure packer (12175b8)
-- init hashed pwd (db8523c)
-- packer (5b5c7c4)
-- doctor for azure vm (ed524fa)
-- packer and 1pwd (c6d053e)
-- split big index.js (dc85a1b)
-- kafka volume update (21815ec)
-- fix openai azure tools confirmation and flow (0118cd1)
-- nighly fixx, test fix (5e0d04f)
-- open ai training (cdc494a)
-- openai integration in azure (1ca1475)
 
 # Changelog
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.51",
+  "version": "0.1.52",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/doctor.js

@@ -22,6 +22,9 @@ const KEY_PORTS = {
   18201: "Vault",
 };
 
+// K3s kubectl requires explicit KUBECONFIG inside the container
+const K3S_KUBECTL = ["exec", "-e", "KUBECONFIG=/etc/rancher/k3s/k3s.yaml", "k3s-server", "kubectl"];
+
 const LABEL_WIDTH = 36;
 
 function header(title) {
@@ -1187,7 +1190,7 @@ export async function runDoctor(opts = {}, registry = null) {
       // 1. Cluster reachable
       try {
         const { stdout: nodesOut, exitCode: nodesExit } = await execa("docker", [
-          "exec", "k3s-server", "kubectl", "get", "nodes",
+          ...K3S_KUBECTL, "get", "nodes",
         ], { timeout: 10000, reject: false });
         if (nodesExit === 0 && /Ready/.test(nodesOut)) {
           ok("K3s cluster reachable", nodesOut.trim().split("\n").find((l) => /Ready/.test(l))?.trim().replace(/\s+/g, " ") || "ready");
@@ -1216,11 +1219,11 @@ export async function runDoctor(opts = {}, registry = null) {
         }
         console.log(chalk.cyan("  ▶ Deleting old ghcr-secret…"));
         await execa("docker", [
-          "exec", "k3s-server", "kubectl", "delete", "secret", "ghcr-secret", "-n", "spark-jobs",
+          ...K3S_KUBECTL, "delete", "secret", "ghcr-secret", "-n", "spark-jobs",
         ], { timeout: 10000, reject: false });
         console.log(chalk.cyan("  ▶ Creating new ghcr-secret…"));
         await execa("docker", [
-          "exec", "k3s-server", "kubectl", "create", "secret", "docker-registry", "ghcr-secret",
+          ...K3S_KUBECTL, "create", "secret", "docker-registry", "ghcr-secret",
           "--docker-server=ghcr.io", "--docker-username=x-access-token", `--docker-password=${freshToken}`,
           "--namespace=spark-jobs",
         ], { timeout: 10000 });
@@ -1229,7 +1232,7 @@ export async function runDoctor(opts = {}, registry = null) {
         const patchJson = '{"imagePullSecrets":[{"name":"ghcr-secret"}]}';
         for (const sa of ["spark-operator-spark", "spark", "default"]) {
           await execa("docker", [
-            "exec", "k3s-server", "kubectl", "patch", "serviceaccount", sa,
+            ...K3S_KUBECTL, "patch", "serviceaccount", sa,
             "-n", "spark-jobs", "-p", patchJson,
           ], { timeout: 10000, reject: false });
         }
@@ -1238,7 +1241,7 @@ export async function runDoctor(opts = {}, registry = null) {
 
       try {
         const { exitCode: secretExit } = await execa("docker", [
-          "exec", "k3s-server", "kubectl", "get", "secret", "ghcr-secret", "-n", "spark-jobs",
+          ...K3S_KUBECTL, "get", "secret", "ghcr-secret", "-n", "spark-jobs",
         ], { timeout: 10000, reject: false });
 
         if (secretExit !== 0) {
@@ -1248,7 +1251,7 @@ export async function runDoctor(opts = {}, registry = null) {
           let ghcrTokenValid = false;
           try {
             const { stdout: b64Data } = await execa("docker", [
-              "exec", "k3s-server", "kubectl", "get", "secret", "ghcr-secret",
+              ...K3S_KUBECTL, "get", "secret", "ghcr-secret",
               "-n", "spark-jobs", "-o", "jsonpath={.data.\\.dockerconfigjson}",
             ], { timeout: 10000 });
             if (b64Data?.trim()) {
@@ -1280,7 +1283,7 @@ export async function runDoctor(opts = {}, registry = null) {
       // 3. ECR / regcred secret (informational)
       try {
         const { exitCode: ecrExit } = await execa("docker", [
-          "exec", "k3s-server", "kubectl", "get", "secret", "ecr-secret", "-n", "spark-jobs",
+          ...K3S_KUBECTL, "get", "secret", "ecr-secret", "-n", "spark-jobs",
         ], { timeout: 10000, reject: false });
         if (ecrExit === 0) {
           ok("ECR pull secret (ecr-secret)", "exists in spark-jobs");
@@ -1291,7 +1294,7 @@ export async function runDoctor(opts = {}, registry = null) {
 
       try {
         const { exitCode: regExit } = await execa("docker", [
-          "exec", "k3s-server", "kubectl", "get", "secret", "regcred", "-n", "spark-jobs",
+          ...K3S_KUBECTL, "get", "secret", "regcred", "-n", "spark-jobs",
         ], { timeout: 10000, reject: false });
         if (regExit === 0) {
           ok("regcred secret", "exists in spark-jobs");

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-core.js

@@ -1250,6 +1250,15 @@ export async function aksStatus(opts = {}) {
     hint("  Flux CLI not available — skipping Flux status.");
   }
 
+  // External Secrets health check
+  console.log(`\n  ${LABEL("External Secrets")}`);
+  try {
+    const { validateExternalSecretsHealth } = await import("./azure-aks-secrets.js");
+    await validateExternalSecretsHealth({ execa, clusterName, rg, sub });
+  } catch (e) {
+    hint(`  Could not check External Secrets: ${e.message}`);
+  }
+
   console.log("");
 }
 

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-secrets.js

@@ -172,6 +172,32 @@ export async function reconcileSecretStore(ctx) {
     }
   }
 
+  // 2c. Check for External Secrets managed identity (ext-* prefix) and grant Key Vault access
+  const extSecretsIdentity = await detectExternalSecretsIdentity(execa, clusterName, sub);
+  if (extSecretsIdentity && kvId) {
+    const { stdout: hasExtRole } = await execa("az", [
+      "role", "assignment", "list",
+      "--assignee", extSecretsIdentity.clientId,
+      "--role", "Key Vault Secrets User",
+      "--scope", kvId,
+      "--query", "[0].id", "-o", "tsv",
+      ...subArgs(sub),
+    ], { reject: false, timeout: 30000 });
+
+    if (!hasExtRole?.trim()) {
+      await execa("az", [
+        "role", "assignment", "create",
+        "--assignee", extSecretsIdentity.clientId,
+        "--role", "Key Vault Secrets User",
+        "--scope", kvId,
+        ...subArgs(sub),
+      ], { reject: false, timeout: 30000 });
+      console.log(OK(`  ✓ External Secrets identity granted Key Vault Secrets User role`));
+    }
+    // Store the identity ID for SecretStore configuration
+    ctx.extSecretsIdentityId = extSecretsIdentity.clientId;
+  }
+
   // 3. Ensure azure-secret-sp exists in each target namespace
   const { stdout: spSecretJson } = await kubectl([
     "get", "secret", "azure-secret-sp", "-n", "foundation", "-o", "json",
@@ -579,6 +605,131 @@ export async function detectEsApiVersion(kubectl) {
   return "external-secrets.io/v1";
 }
 
+/**
+ * Detect External Secrets managed identity (ext-* prefix) for clusters with multiple identities.
+ * When AKS has multiple user-assigned identities, SecretStore needs to specify which one to use.
+ */
+export async function detectExternalSecretsIdentity(execa, clusterName, sub) {
+  const { subArgs } = await import("./azure.js");
+
+  // List all managed identities that match the external-secrets pattern
+  const { stdout: identitiesJson } = await execa("az", [
+    "identity", "list",
+    "--query", `[?contains(name, '${clusterName}')].{name:name,clientId:clientId}`,
+    "-o", "json",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 30000 });
+
+  let identities = [];
+  try { identities = JSON.parse(identitiesJson || "[]"); } catch {}
+
+  // Look for ext-* identity (External Secrets workload identity)
+  const extIdentity = identities.find(i => i.name?.startsWith("ext-") && i.name?.includes(clusterName));
+  if (extIdentity) {
+    return { name: extIdentity.name, clientId: extIdentity.clientId };
+  }
+
+  // If multiple identities exist but no ext-* found, warn about potential issues
+  if (identities.length > 1) {
+    const { WARN, hint } = await import("./azure.js");
+    console.log(WARN(`  ⚠ Multiple managed identities found for ${clusterName} but no ext-* identity detected`));
+    hint("External Secrets may fail with 'Multiple user assigned identities exist' error");
+    hint("Create a dedicated identity: az identity create -n ext-<cluster> -g <rg>");
+  }
+
+  return null;
+}
+
+/**
+ * Validate External Secrets health - checks SecretStore config and ExternalSecret status.
+ * Reports issues like missing identityId when multiple identities exist.
+ */
+export async function validateExternalSecretsHealth(ctx) {
+  const { execa, clusterName, sub } = ctx;
+  const { OK, WARN, DIM, hint, subArgs } = await import("./azure.js");
+
+  const kubectl = (args, opts = {}) =>
+    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
+
+  const issues = [];
+
+  // Check SecretStore status
+  const { stdout: ssJson } = await kubectl([
+    "get", "secretstore", SECRET_STORE_NAME, "-n", "foundation", "-o", "json",
+  ]);
+  if (!ssJson) {
+    issues.push({ level: "error", msg: "SecretStore not found in foundation namespace" });
+    return issues;
+  }
+
+  const ss = JSON.parse(ssJson);
+  const ssReady = ss.status?.conditions?.find(c => c.type === "Ready")?.status === "True";
+  const authType = ss.spec?.provider?.azurekv?.authType;
+  const identityId = ss.spec?.provider?.azurekv?.identityId;
+
+  // Check if using ManagedIdentity auth without identityId when multiple identities exist
+  if (authType === "ManagedIdentity" && !identityId) {
+    const extIdentity = await detectExternalSecretsIdentity(execa, clusterName, sub);
+    if (extIdentity) {
+      issues.push({
+        level: "warn",
+        msg: `SecretStore uses ManagedIdentity but identityId is empty`,
+        fix: `Set identityId to "${extIdentity.clientId}" in clusters/${clusterName}/config/secret-store.yaml`,
+      });
+    }
+  }
+
+  // Check ExternalSecret status
+  const { stdout: esJson } = await kubectl([
+    "get", "externalsecret", "-n", "foundation", "-o", "json",
+  ]);
+  const externalSecrets = esJson ? JSON.parse(esJson).items : [];
+
+  for (const es of externalSecrets) {
+    const ready = es.status?.conditions?.find(c => c.type === "Ready");
+    if (ready?.status !== "True") {
+      const msg = ready?.message || "Unknown error";
+      if (msg.includes("Multiple user assigned identities exist")) {
+        const extIdentity = await detectExternalSecretsIdentity(execa, clusterName, sub);
+        issues.push({
+          level: "error",
+          msg: `ExternalSecret "${es.metadata.name}" failing: Multiple identities detected`,
+          fix: extIdentity
+            ? `Add identityId: "${extIdentity.clientId}" to SecretStore spec`
+            : "Create ext-* managed identity and grant Key Vault access",
+        });
+      } else if (msg.includes("Forbidden") || msg.includes("not authorized")) {
+        issues.push({
+          level: "error",
+          msg: `ExternalSecret "${es.metadata.name}" failing: Key Vault access denied`,
+          fix: "Run: fops azure aks doctor --fix to grant Key Vault permissions",
+        });
+      } else {
+        issues.push({
+          level: "error",
+          msg: `ExternalSecret "${es.metadata.name}" failing: ${msg.substring(0, 100)}`,
+        });
+      }
+    }
+  }
+
+  // Report findings
+  if (issues.length === 0) {
+    console.log(OK("  ✓ External Secrets healthy"));
+  } else {
+    for (const issue of issues) {
+      if (issue.level === "error") {
+        console.log(WARN(`  ✗ ${issue.msg}`));
+      } else {
+        console.log(WARN(`  ⚠ ${issue.msg}`));
+      }
+      if (issue.fix) hint(`    Fix: ${issue.fix}`);
+    }
+  }
+
+  return issues;
+}
+
 // ── Vault auto-unseal bootstrap ──────────────────────────────────────────────
 
 export const VAULT_UNSEAL_KEY_NAME = "vault-unseal";

package/src/plugins/bundled/fops-plugin-azure/lib/azure-fleet.js

@@ -71,20 +71,28 @@ async function forEachVm({
     return { results: [], vms };
   }
 
-  const targets = opts.vmName ? [opts.vmName] : names;
-  for (const t of targets) {
+  const allTargets = opts.vmName ? [opts.vmName] : names;
+  for (const t of allTargets) {
     if (!vms[t]) {
       console.error(ERR(`\n  VM "${t}" not tracked. Run: fops azure list\n`));
       process.exit(1);
     }
   }
 
+  // Filter out VMs without public IPs (e.g., local stack) unless explicitly targeted
+  const skippedVms = opts.vmName ? [] : allTargets.filter(t => !vms[t].publicIp);
+  const targets = opts.vmName ? allTargets : allTargets.filter(t => vms[t].publicIp);
+
   banner(title);
-  hint(`${targets.length} VM(s)${concurrency ? ` (concurrency: ${concurrency})` : ""}…\n`);
+  if (targets.length === 0) {
+    hint("No VMs with public IPs to target.\n");
+    return { results: [], vms, activeVm: listVms().activeVm };
+  }
+  hint(`${targets.length} VM(s)${skippedVms.length ? ` (${skippedVms.length} skipped: no public IP)` : ""}${concurrency ? ` (concurrency: ${concurrency})` : ""}…\n`);
 
   async function runOne(name) {
     const vm = vms[name];
-    if (!vm.publicIp) return { name, ok: false, reason: "no public IP" };
+    if (!vm.publicIp) return { name, ok: false, reason: "no public IP (local stack?)" };
 
     try {
       await knockForVm(vm);

package/src/plugins/bundled/fops-plugin-azure/lib/commands/test-cmds.js

@@ -14,6 +14,8 @@ export function registerTestCommands(azure) {
     .command("run [name]", { isDefault: true })
     .description("Run QA automation tests locally against a remote VM")
     .option("--vm-name <name>", "Target VM (default: active)")
+    .option("--landscape <file>", "Apply landscape file (FCL/HCL/YAML) before running tests")
+    .option("--landscape-template <name>", "Use built-in landscape template (demo, pipeline_demo)")
     .action(async (name, opts) => {
       const { resolveCliSrc, lazyExeca, ensureAzCli, ensureAzAuth, resolvePublicIp } = await import("../azure-helpers.js");
       const { requireVmState, knockForVm, sshCmd, MUX_OPTS } = await import("../azure.js");
@@ -46,6 +48,32 @@ export function registerTestCommands(azure) {
         process.exit(1);
       }
 
+      // Apply landscape if specified
+      let landscapeFile = opts.landscape;
+      if (!landscapeFile && opts.landscapeTemplate) {
+        const templateDir = path.join(root, "operator-cli/src/plugins/bundled/fops-plugin-foundation/templates/landscapes");
+        const templateName = opts.landscapeTemplate.endsWith(".fcl") ? opts.landscapeTemplate : `${opts.landscapeTemplate}.fcl`;
+        landscapeFile = path.join(templateDir, templateName);
+        try {
+          await fsp.access(landscapeFile);
+        } catch {
+          console.error(chalk.red(`\n  Landscape template not found: ${templateName}`));
+          console.error(chalk.dim(`  Available: demo.fcl, pipeline_demo.fcl\n`));
+          process.exit(1);
+        }
+      }
+      if (landscapeFile) {
+        console.log(chalk.cyan(`\n  Applying landscape: ${path.basename(landscapeFile)}…\n`));
+        const { azureApply } = await import("../azure.js");
+        try {
+          await azureApply(landscapeFile, { vmName: state.vmName });
+          console.log(chalk.green("  ✓ Landscape applied\n"));
+        } catch (err) {
+          console.error(chalk.red(`\n  Failed to apply landscape: ${err.message}\n`));
+          process.exit(1);
+        }
+      }
+
       const vmUrl = state.publicUrl || `https://${ip}`;
       const apiUrl = `${vmUrl}/api`;