@meshxdata/fops 0.1.51 → 0.1.53

package/src/plugins/bundled/fops-plugin-cloud/api.js

@@ -0,0 +1,712 @@
+/**
+ * Cloud panel API routes — Hono sub-app mounted at /cloud/api
+ */
+
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { Hono } from "hono";
+import { stream } from "hono/streaming";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { AzureProvider } from "./lib/azure-provider.js";
+
+// ── Flux template reader ────────────────────────────────────────────────
+// Reads service image tags from platform-flux-template kustomization overlays.
+const SVC_SHORT = { backend: "be", frontend: "fe", processor: "pr", watcher: "wa", scheduler: "sc", "storage-engine": "se" };
+const TAG_RE = /^\s*tag:\s*(.+)$/m;
+
+/**
+ * Given a cluster name (e.g. "demo"), resolve service versions from flux overlays.
+ * Tries "{name}-azure" overlay convention in platform-flux-template.
+ * @param {string} rootDir - project root (foundation-compose)
+ * @param {string} clusterName
+ * @returns {{ [shortKey]: { tag: string } }}
+ */
+/** Resolve the foundation-compose root directory from ~/.fops.json projectRoot. */
+let _composeRoot = null;
+function resolveComposeRoot() {
+  if (_composeRoot !== null) return _composeRoot;
+  const envRoot = process.env.FOUNDATION_ROOT || process.env.COMPOSE_ROOT;
+  if (envRoot && fs.existsSync(envRoot)) { _composeRoot = envRoot; return _composeRoot; }
+  try {
+    const cfg = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".fops.json"), "utf8"));
+    if (cfg.projectRoot && fs.existsSync(cfg.projectRoot)) { _composeRoot = cfg.projectRoot; return _composeRoot; }
+  } catch {}
+  _composeRoot = "";
+  return _composeRoot;
+}
+
+function readFluxServiceVersions(rootDir, clusterName) {
+  if (!rootDir) return {};
+  const fluxBase = path.join(rootDir, "platform-flux-template", "apps", "foundation");
+  if (!fs.existsSync(fluxBase)) return {};
+
+  const overlayName = `${clusterName}-azure`;
+  const services = {};
+  for (const [svcName, shortKey] of Object.entries(SVC_SHORT)) {
+    const kustomPath = path.join(fluxBase, svcName, "overlays", overlayName, "kustomization.yaml");
+    try {
+      const content = fs.readFileSync(kustomPath, "utf8");
+      const m = content.match(TAG_RE);
+      if (m) {
+        const tag = m[1].trim().replace(/["']/g, "");
+        // Skip unresolved template vars like {{IMAGE_TAG}}
+        if (!tag.startsWith("{{")) {
+          services[shortKey] = { tag };
+        }
+      }
+    } catch { /* overlay not found */ }
+  }
+  return services;
+}
+
+// ── Auth0 config ────────────────────────────────────────────────────────
+/** Auth0 is behind a feature flag. Set CLOUD_AUTH=1 to enable. Default: off. */
+function isAuthEnabled() {
+  const flag = process.env.CLOUD_AUTH || "0";
+  return flag === "1" || flag === "true";
+}
+
+function getAuth0Config() {
+  return {
+    domain: process.env.AUTH0_DOMAIN || process.env.MX_AUTH0_DOMAIN || "",
+    clientId: process.env.NEXT_PUBLIC_AUTH0_CLIENT_ID || process.env.MX_AUTH0_CLIENT_ID || "",
+    audience: process.env.AUTH0_AUDIENCE || process.env.MX_AUTH0_AUDIENCE || "",
+  };
+}
+
+let _jwks = null;
+function getJWKS(domain) {
+  if (!_jwks) {
+    _jwks = createRemoteJWKSet(new URL(`https://${domain}/.well-known/jwks.json`));
+  }
+  return _jwks;
+}
+
+/**
+ * Verify an Auth0 JWT and return decoded payload.
+ * Payload includes `permissions` array if RBAC is enabled on the Auth0 API.
+ */
+async function verifyToken(token) {
+  const { domain, audience } = getAuth0Config();
+  if (!domain) throw new Error("AUTH0_DOMAIN not configured");
+  const jwks = getJWKS(domain);
+  const { payload } = await jwtVerify(token, jwks, {
+    issuer: `https://${domain}/`,
+    audience,
+  });
+  return payload;
+}
+
+/**
+ * Hono middleware — rejects requests without a valid JWT.
+ * Sets c.set("user", payload) on success.
+ */
+function requireAuth() {
+  return async (c, next) => {
+    const auth = c.req.header("Authorization");
+    if (!auth?.startsWith("Bearer ")) {
+      return c.json({ error: "Missing or invalid Authorization header" }, 401);
+    }
+    try {
+      const payload = await verifyToken(auth.slice(7));
+      c.set("user", payload);
+      return next();
+    } catch (e) {
+      return c.json({ error: "Invalid token", detail: e.message }, 401);
+    }
+  };
+}
+
+/**
+ * Hono middleware — checks that the user has one of the required permissions.
+ * Must be used after requireAuth().
+ */
+function requirePermission(...perms) {
+  return async (c, next) => {
+    const user = c.get("user");
+    const userPerms = user?.permissions || [];
+    const roles = user?.["https://meshx.dev/roles"] || [];
+    // Admin role bypasses permission checks
+    if (roles.includes("admin")) return next();
+    if (perms.some((p) => userPerms.includes(p))) return next();
+    return c.json({ error: "Forbidden", required: perms }, 403);
+  };
+}
+
+// ANSI escape code stripper
+const ANSI_RE = /\x1b\[[0-9;]*m/g;
+const strip = (s) => s.replace(ANSI_RE, "");
+
+// ── Job store ───────────────────────────────────────────────────────────
+// In-memory store for active/recent provisioning jobs so the UI can
+// reconnect after a page reload and still see buffered log output.
+
+const jobs = new Map(); // id → { id, label, status, logs[], result?, error?, startedAt }
+let jobSeq = 0;
+const JOB_TTL_MS = 30 * 60 * 1000; // keep completed jobs for 30 min
+
+function createJob(label) {
+  const id = `job-${++jobSeq}-${Date.now().toString(36)}`;
+  const job = { id, label, status: "running", logs: [], result: null, error: null, startedAt: Date.now() };
+  jobs.set(id, job);
+  return job;
+}
+
+function pruneJobs() {
+  const cutoff = Date.now() - JOB_TTL_MS;
+  for (const [id, job] of jobs) {
+    if (job.status !== "running" && job.startedAt < cutoff) jobs.delete(id);
+  }
+}
+
+// ── Console capture ─────────────────────────────────────────────────
+// Multiple streaming operations can run concurrently. Instead of monkey-patching
+// console.log per-operation (which breaks when two overlap), we install a single
+// permanent intercept and dispatch to all active listeners.
+
+const _origLog = console.log;
+const _origErr = console.error;
+const _listeners = new Set(); // Set<{ send: (type, text) => void }>
+
+let _installed = false;
+function installConsoleCapture() {
+  if (_installed) return;
+  _installed = true;
+
+  console.log = (...args) => {
+    const line = args.map(String).join(" ");
+    for (const l of _listeners) l.send("log", line);
+    _origLog.apply(console, args);
+  };
+  console.error = (...args) => {
+    const line = args.map(String).join(" ");
+    for (const l of _listeners) l.send("error", line);
+    _origErr.apply(console, args);
+  };
+}
+
+/**
+ * Run an async function while capturing console.log/error output,
+ * streaming each line as an SSE event to the client AND buffering
+ * them in a job so the UI can reconnect after reload.
+ */
+function streamOperation(c, fn, label = "operation") {
+  const job = createJob(label);
+  pruneJobs();
+  installConsoleCapture();
+
+  return stream(c, async (s) => {
+    c.header("Content-Type", "text/event-stream");
+    c.header("Cache-Control", "no-cache");
+    c.header("Connection", "keep-alive");
+
+    await s.write(`data: ${JSON.stringify({ type: "job", jobId: job.id })}\n\n`);
+
+    const listener = {
+      send: (type, text) => {
+        const raw = String(text);
+        if (!strip(raw).trim()) return;
+        job.logs.push({ type, text: raw });
+        try { s.write(`data: ${JSON.stringify({ type, text: raw })}\n\n`); } catch { /* client disconnected */ }
+      },
+    };
+    _listeners.add(listener);
+
+    try {
+      const result = await fn();
+      job.status = "done";
+      job.result = result;
+      await s.write(`data: ${JSON.stringify({ type: "done", result })}\n\n`);
+    } catch (e) {
+      job.status = "error";
+      job.error = e.message;
+      await s.write(`data: ${JSON.stringify({ type: "error", text: e.message })}\n\n`);
+    } finally {
+      _listeners.delete(listener);
+    }
+  });
+}
+
+/**
+ * Create API routes for the cloud panel.
+ * @param {object} registry - Plugin registry
+ * @returns {Hono}
+ */
+export function createCloudApi(registry) {
+  const app = new Hono();
+
+  // ── Public routes (no auth required) ────────────────
+  app.get("/auth-config", (c) => {
+    const enabled = isAuthEnabled();
+    const cfg = getAuth0Config();
+    return c.json({
+      enabled,
+      domain: cfg.domain,
+      clientId: cfg.clientId,
+      audience: cfg.audience,
+    });
+  });
+
+  // ── Protected routes (skipped when auth is disabled) ──
+  app.use("/*", async (c, next) => {
+    // Skip auth for auth-config endpoint (already handled above)
+    if (c.req.path === "/auth-config") return next();
+    // When auth is disabled, grant full access
+    if (!isAuthEnabled()) {
+      c.set("user", { sub: "local", permissions: ["cloud:admin"], "https://meshx.dev/roles": ["admin"] });
+      return next();
+    }
+    return requireAuth()(c, next);
+  });
+
+  // User profile from token
+  app.get("/me", (c) => {
+    const user = c.get("user");
+    return c.json({
+      sub: user.sub,
+      email: user.email || user["https://meshx.dev/email"] || "",
+      name: user.name || user["https://meshx.dev/name"] || "",
+      picture: user.picture || user["https://meshx.dev/picture"] || "",
+      roles: user["https://meshx.dev/roles"] || [],
+      permissions: user.permissions || [],
+    });
+  });
+
+  /** Lazily resolve providers from plugin services */
+  function getProviders() {
+    const providers = [];
+    const azureSvc = registry.services.find((s) => s.name === "azure");
+    if (azureSvc) {
+      providers.push(new AzureProvider(azureSvc.instance));
+    }
+    return providers;
+  }
+
+  function getProvider(name) {
+    return getProviders().find((p) => p.name === name) || null;
+  }
+
+  // ── Jobs ──────────────────────────────────────────────
+
+  app.get("/jobs", (c) => {
+    const list = [...jobs.values()].map(({ id, label, status, startedAt, logs }) => ({
+      id, label, status, startedAt, lineCount: logs.length,
+    }));
+    return c.json(list);
+  });
+
+  app.get("/jobs/:id", (c) => {
+    const job = jobs.get(c.req.param("id"));
+    if (!job) return c.json({ error: "Job not found" }, 404);
+    const since = parseInt(c.req.query("since") || "0", 10);
+    return c.json({
+      id: job.id,
+      label: job.label,
+      status: job.status,
+      logs: job.logs.slice(since),
+      offset: since,
+      total: job.logs.length,
+      result: job.result,
+      error: job.error,
+    });
+  });
+
+  // ── Health ──────────────────────────────────────────────
+
+  app.get("/health", async (c) => {
+    const providers = getProviders();
+    const checks = await Promise.all(
+      providers.map(async (p) => ({
+        provider: p.name,
+        ...(await p.healthCheck()),
+      })),
+    );
+    const healthy = checks.every((ch) => ch.available);
+    return c.json({ ok: healthy, providers: checks });
+  });
+
+  // ── Providers ───────────────────────────────────────────
+
+  app.get("/providers", (c) => {
+    const providers = getProviders().map((p) => ({ name: p.name }));
+    return c.json(providers);
+  });
+
+  // ── Resources ───────────────────────────────────────────
+
+  app.get("/resources", async (c) => {
+    const providers = getProviders();
+    let allVms = [];
+    let allClusters = [];
+    for (const p of providers) {
+      try {
+        const { vms, clusters } = await p.listResources();
+        allVms.push(...vms);
+        allClusters.push(...clusters);
+      } catch (e) {
+        // skip unavailable providers
+      }
+    }
+    return c.json({ vms: allVms, clusters: allClusters });
+  });
+
+  app.get("/resources/:type/:name", async (c) => {
+    const { type, name } = c.req.param();
+    const providers = getProviders();
+    for (const p of providers) {
+      try {
+        const resource = await p.getResource(type, name);
+        if (resource) return c.json(resource);
+      } catch { /* try next */ }
+    }
+    return c.json({ error: "Resource not found" }, 404);
+  });
+
+  app.post("/resources/:type", requirePermission("cloud:write", "cloud:admin"), async (c) => {
+    const { type } = c.req.param();
+    const body = await c.req.json();
+    const providerName = body.provider || "azure";
+    const provider = getProvider(providerName);
+    if (!provider) return c.json({ error: `Provider "${providerName}" not available` }, 400);
+    const name = body.vmName || body.clusterName || type;
+    return streamOperation(c, () => provider.createResource(type, body), `create-${type}-${name}`);
+  });
+
+  app.post("/resources/:type/:name/:action", requirePermission("cloud:write", "cloud:admin"), async (c) => {
+    const { type, name, action } = c.req.param();
+    let body = {};
+    try { body = await c.req.json(); } catch { /* no body is fine */ }
+    const providerName = body.provider || "azure";
+    const provider = getProvider(providerName);
+    if (!provider) return c.json({ error: `Provider "${providerName}" not available` }, 400);
+    return streamOperation(c, () => provider.performAction(type, name, action, body));
+  });
+
+  app.delete("/resources/:type/:name", requirePermission("cloud:write", "cloud:admin"), async (c) => {
+    const { type, name } = c.req.param();
+    const providers = getProviders();
+    for (const p of providers) {
+      try {
+        const resource = await p.getResource(type, name);
+        if (resource) {
+          return streamOperation(c, () => p.deleteResource(type, name));
+        }
+      } catch { /* try next */ }
+    }
+    return c.json({ error: "Resource not found" }, 404);
+  });
+
+  // ── Feature Flags ─────────────────────────────────────────
+
+  app.get("/flags/:vmName", async (c) => {
+    const { vmName } = c.req.param();
+    const provider = getProvider("azure");
+    if (!provider) return c.json({ error: "Azure provider not available" }, 400);
+    try {
+      const result = await provider.svc.listFeatureFlags(vmName);
+      return c.json(result);
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  app.post("/flags/:vmName", requirePermission("cloud:write", "cloud:admin"), async (c) => {
+    const { vmName } = c.req.param();
+    const body = await c.req.json();
+    const provider = getProvider("azure");
+    if (!provider) return c.json({ error: "Azure provider not available" }, 400);
+    return streamOperation(c, () => provider.svc.setFeatureFlags(vmName, body.flags || {}), `flags-${vmName}`);
+  });
+
+  // ── Deploy ───────────────────────────────────────────────
+
+  app.post("/deploy/:vmName", requirePermission("cloud:deploy", "cloud:admin"), async (c) => {
+    const { vmName } = c.req.param();
+    let body = {};
+    try { body = await c.req.json(); } catch {}
+    const provider = getProvider("azure");
+    if (!provider) return c.json({ error: "Azure provider not available" }, 400);
+    return streamOperation(c, () => provider.svc.deployStack(vmName, body), `deploy-${vmName}`);
+  });
+
+  // ── Fleet ───────────────────────────────────────────────
+
+  // Proxy helper: try fops serve API first, fall back to providers
+  const FOPS_SERVE_URL = process.env.FOPS_API_URL || "http://127.0.0.1:4100";
+  async function proxyFopsServe(path, { method = "GET", body } = {}) {
+    const opts = { signal: AbortSignal.timeout(60_000), method };
+    if (body !== undefined) {
+      opts.headers = { "Content-Type": "application/json" };
+      opts.body = JSON.stringify(body);
+    }
+    const res = await fetch(`${FOPS_SERVE_URL}${path}`, opts);
+    if (!res.ok) return null;
+    return res.json();
+  }
+  // Run tool directly from registry (works without fops serve)
+  async function runToolDirect(name, input = {}) {
+    const tool = (registry.tools || []).find((t) => t.name === name);
+    if (!tool) return null;
+    const fn = tool.execute || tool.handler;
+    if (typeof fn !== "function") return null;
+    const result = await fn(input);
+    if (typeof result === "string") {
+      try { return JSON.parse(result); } catch { return result; }
+    }
+    return result;
+  }
+
+  // Tool proxy helper — POST /api/tools/:name, parse stringified result
+  async function proxyTool(name, input = {}) {
+    const raw = await proxyFopsServe(`/api/tools/${name}`, { method: "POST", body: input });
+    if (!raw) return null;
+    const result = raw.result;
+    // Tool handlers return { tool, result } where result may be a JSON string
+    if (typeof result === "string") {
+      try { return JSON.parse(result); } catch { return result; }
+    }
+    return result || raw;
+  }
+
+  app.get("/fleet", async (c) => {
+    const SVC_MAP = { backend: "be", frontend: "fe", processor: "pr", watcher: "wa", scheduler: "sc", storage: "se" };
+
+    // Try fops serve fleet data first (has live container/scrape data)
+    let vmsObj = null;
+    try {
+      const serveData = await proxyFopsServe("/api/fleet");
+      if (serveData?.vms?.length) {
+        vmsObj = {};
+        for (const vm of serveData.vms) {
+          const services = {};
+          if (vm.services) {
+            for (const [fullName, status] of Object.entries(vm.services)) {
+              const shortKey = SVC_MAP[fullName] || fullName;
+              services[shortKey] = status;
+            }
+          }
+          const containerParts = (vm.containers || "").toString().split("/");
+          const running = parseInt(containerParts[0]) || 0;
+          const total = parseInt(containerParts[1]) || running;
+          vmsObj[vm.vm] = {
+            publicUrl: vm.url || `https://${vm.vm}.meshx.app`,
+            location: vm.location || "",
+            status: vm.status,
+            branch: vm.branch || "",
+            commit: vm.commit || "",
+            sha: vm.commit || "",
+            running,
+            total,
+            services,
+            fopsVersion: vm.fopsVersion || "",
+            disk: vm.disk || "",
+            memory: vm.memory || "",
+            load: vm.load || 0,
+          };
+        }
+      }
+    } catch { /* fall through */ }
+
+    // Fetch cluster data from provider fleet cache (has flux, services, status from sync)
+    const rootDir = resolveComposeRoot();
+    let clustersObj = {};
+    const providers = getProviders();
+    for (const p of providers) {
+      try {
+        const fleet = await p.getFleet();
+        for (const [name, cluster] of Object.entries(fleet?.clusters || {})) {
+          // Use sync cache services, fall back to reading flux template overlays
+          let services = cluster.services || {};
+          if (!services || Object.keys(services).length === 0) {
+            services = rootDir ? readFluxServiceVersions(rootDir, name) : {};
+          }
+          // Derive flux info from template if not in sync cache
+          let flux = cluster.flux || null;
+          if (!flux && rootDir && Object.keys(services).length > 0) {
+            flux = { owner: "meshxdata", repo: "platform-flux-template", path: `apps/foundation`, branch: "main" };
+          }
+
+          clustersObj[name] = {
+            location: cluster.location || "",
+            kubernetesVersion: cluster.kubernetesVersion || "",
+            status: cluster.status || "unknown",
+            domain: cluster.fqdn || "",
+            active: cluster.active || false,
+            isStandby: cluster.isStandby || false,
+            nodes: cluster.nodes ?? null,
+            services,
+            ha: cluster.ha || null,
+            flux,
+            storageAccount: cluster.storageAccount || "",
+            storageHA: cluster.storageHA || null,
+            vault: cluster.vault || null,
+            postgres: cluster.postgres || null,
+          };
+        }
+      } catch { /* skip */ }
+    }
+
+    if (vmsObj) {
+      return c.json({ azure: { vms: vmsObj, clusters: clustersObj } });
+    }
+
+    // Full fallback — no fops serve data at all
+    const fleets = {};
+    for (const p of providers) {
+      try {
+        const fleet = await p.getFleet();
+        fleets[p.name] = { ...fleet, clusters: { ...(fleet?.clusters || {}), ...clustersObj } };
+      } catch { /* skip */ }
+    }
+    return c.json(fleets);
+  });
+
+  // ── Costs ───────────────────────────────────────────────
+
+  app.get("/costs", async (c) => {
+    const days = parseInt(c.req.query("days") || "30", 10);
+    const providers = getProviders();
+    const results = {};
+    for (const p of providers) {
+      try {
+        results[p.name] = await p.getCosts({ days });
+      } catch (e) {
+        results[p.name] = { error: e.message };
+      }
+    }
+    return c.json(results);
+  });
+
+  // ── Costs (direct tool execution, proxy fallback) ──────
+
+  app.get("/costs/budgets", async (c) => {
+    try {
+      const data = await runToolDirect("azure_budgets") || await proxyTool("azure_budgets");
+      return c.json(data || {});
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  app.get("/costs/waste", async (c) => {
+    try {
+      const data = await runToolDirect("azure_vm_waste") || await proxyTool("azure_vm_waste");
+      return c.json(data || {});
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  app.get("/costs/recommendations", async (c) => {
+    try {
+      const data = await runToolDirect("azure_advisor_recommendations", { category: "Cost" }) || await proxyTool("azure_advisor_recommendations", { category: "Cost" });
+      return c.json(data || {});
+    } catch (e) {
+      return c.json({ error: e.message }, 500);
+    }
+  });
+
+  // ── Audit (cached — Azure audit is slow and rate-limited) ──────────
+
+  let _auditCache = null;
+  let _auditCacheTs = 0;
+  const AUDIT_CACHE_TTL = 60 * 60 * 1000; // 1 hour
+
+  app.get("/audit", async (c) => {
+    const forceRefresh = c.req.query("refresh") === "true";
+
+    // Return cached data if fresh
+    if (!forceRefresh && _auditCache && Date.now() - _auditCacheTs < AUDIT_CACHE_TTL) {
+      return c.json({ ..._auditCache, _cached: true, _cachedAt: new Date(_auditCacheTs).toISOString() });
+    }
+
+    // Collect fleet-based findings (fast, from SSH scrape data)
+    let fleetResult = null;
+    let fleetAuditData = null;
+    try {
+      const fleetAudit = await proxyFopsServe("/api/fleet/audit");
+      if (fleetAudit && !fleetAudit.error && fleetAudit.vms?.length) {
+        fleetAuditData = fleetAudit;
+        const vmFindings = [];
+        for (const vm of fleetAudit.vms) {
+          const findings = [];
+          if (vm.status === "unhealthy") findings.push({ severity: "warn", check: "vm-status", message: `VM ${vm.vm} is unhealthy`, fix: `fops azure up ${vm.vm}` });
+          if (vm.status === "degraded") findings.push({ severity: "info", check: "vm-status", message: `VM ${vm.vm} is degraded (${vm.containers})`, fix: `fops azure doctor ${vm.vm}` });
+          const svcs = vm.services || {};
+          for (const [svc, status] of Object.entries(svcs)) {
+            if (typeof status === "string" && status === "down") {
+              findings.push({ severity: "warn", check: `service-${svc}`, message: `${svc} is down on ${vm.vm}`, fix: `fops azure ssh ${vm.vm} -- docker compose restart foundation-${svc}` });
+            }
+          }
+          vmFindings.push({ vm: vm.vm, location: "", findings });
+        }
+        fleetResult = {
+          vms: vmFindings,
+          findings: vmFindings.flatMap((v) => v.findings),
+        };
+      }
+    } catch { /* fleet unavailable, continue */ }
+
+    // Full Azure infrastructure audit (disk encryption, NSG, AKS, storage, etc.)
+    let azureAudit = null;
+    try {
+      azureAudit = await runToolDirect("security_audit_all") || await proxyTool("security_audit_all");
+    } catch { /* azure audit unavailable */ }
+
+    // Merge fleet findings with Azure audit findings
+    const result = {
+      vms: { vms: [], findings: [] },
+      aks: { clusters: [], findings: [] },
+      storage: { accounts: [], findings: [] },
+    };
+
+    if (azureAudit) {
+      result.vms = azureAudit.vms || result.vms;
+      result.aks = azureAudit.aks || result.aks;
+      result.storage = azureAudit.storage || result.storage;
+    }
+
+    // Merge fleet VM findings into Azure VM findings (avoid duplicates by vm name)
+    if (fleetResult) {
+      const azureVmNames = new Set((result.vms.vms || []).map((v) => v.vm));
+      for (const fv of fleetResult.vms) {
+        const existing = (result.vms.vms || []).find((v) => v.vm === fv.vm);
+        if (existing) {
+          // Append fleet-specific findings to the Azure audit entry
+          existing.findings = [...(existing.findings || []), ...fv.findings];
+        } else {
+          result.vms.vms = [...(result.vms.vms || []), fv];
+        }
+      }
+      // Rebuild top-level VM findings from merged per-VM findings
+      result.vms.findings = (result.vms.vms || []).flatMap((v) => v.findings || []);
+      result._fleet = fleetAuditData;
+    }
+
+    result._source = azureAudit && fleetResult ? "fleet+azure" : azureAudit ? "azure" : fleetResult ? "fleet-scrape" : "none";
+
+    _auditCache = result;
+    _auditCacheTs = Date.now();
+    return c.json(result);
+  });
+
+  // ── Sync ────────────────────────────────────────────────
+
+  app.post("/sync", requirePermission("cloud:write", "cloud:admin"), async (c) => {
+    const providers = getProviders();
+    return streamOperation(c, async () => {
+      const results = {};
+      for (const p of providers) {
+        try {
+          results[p.name] = await p.syncResources();
+        } catch (e) {
+          results[p.name] = { error: e.message };
+        }
+      }
+      return results;
+    });
+  });
+
+  return app;
+}