@meshxdata/fops 0.1.52 → 0.1.53

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-core.js

@@ -1057,64 +1057,55 @@ export async function aksList(opts = {}) {
 
   banner("AKS Clusters");
 
-  // If no clusters tracked locally, try to discover fops-managed clusters from Azure
-  if (names.length === 0) {
+  // Always discover fops-managed clusters from Azure so we pick up clusters
+  // created by teammates or missing from local state.
+  try {
     const execa = await lazyExeca();
-    try {
-      await ensureAzCli(execa);
-      await ensureAzAuth(execa, { subscription: opts.profile });
-    } catch {
-      hint("No clusters tracked.");
-      hint("Create one:  fops azure aks up <name>\n");
-      return;
-    }
-
-    hint("No clusters tracked locally — checking Azure for fops-managed clusters…\n");
+    await ensureAzCli(execa);
+    await ensureAzAuth(execa, { subscription: opts.profile });
 
-    try {
-      // Query all AKS clusters and filter by managed=fops tag
-      const { stdout, exitCode } = await execa("az", [
-        "aks", "list",
-        "--query", "[?tags.managed=='fops']",
-        "--output", "json",
-        ...subArgs(opts.profile),
-      ], { timeout: 60000, reject: false });
-
-      if (exitCode === 0 && stdout?.trim()) {
-        const discovered = JSON.parse(stdout);
-        if (discovered.length > 0) {
-          for (const cl of discovered) {
-            const name = cl.name;
-            const info = {
-              resourceGroup: cl.resourceGroup,
-              location: cl.location,
-              kubernetesVersion: cl.kubernetesVersion,
-              fqdn: cl.fqdn,
-              nodeCount: cl.agentPoolProfiles?.reduce((s, p) => s + (p.count || 0), 0) || 0,
-              nodeVmSize: cl.agentPoolProfiles?.[0]?.vmSize || "unknown",
-              subscriptionId: cl.id?.split("/")[2],
-              createdAt: cl.provisioningState === "Succeeded" ? new Date().toISOString() : null,
-            };
-            writeClusterState(name, info);
-            console.log(OK(`  + Discovered ${name} (${cl.location})`));
-          }
-          console.log("");
-          // Re-read after discovery
-          const updated = readAksClusters();
-          activeCluster = updated.activeCluster;
-          clusters = updated.clusters;
-          names = Object.keys(clusters);
-        }
+    const { stdout, exitCode } = await execa("az", [
+      "aks", "list",
+      "--query", "[?tags.managed=='fops']",
+      "--output", "json",
+      ...subArgs(opts.profile),
+    ], { timeout: 60000, reject: false });
+
+    if (exitCode === 0 && stdout?.trim()) {
+      const discovered = JSON.parse(stdout);
+      let added = 0;
+      for (const cl of discovered) {
+        if (clusters[cl.name]) continue; // already tracked
+        const info = {
+          resourceGroup: cl.resourceGroup,
+          location: cl.location,
+          kubernetesVersion: cl.kubernetesVersion,
+          fqdn: cl.fqdn,
+          nodeCount: cl.agentPoolProfiles?.reduce((s, p) => s + (p.count || 0), 0) || 0,
+          nodeVmSize: cl.agentPoolProfiles?.[0]?.vmSize || "unknown",
+          subscriptionId: cl.id?.split("/")[2],
+          createdAt: cl.provisioningState === "Succeeded" ? new Date().toISOString() : null,
+        };
+        writeClusterState(cl.name, info);
+        console.log(OK(`  + Discovered ${cl.name} (${cl.location})`));
+        added++;
+      }
+      if (added > 0) {
+        console.log("");
+        const updated = readAksClusters();
+        activeCluster = updated.activeCluster;
+        clusters = updated.clusters;
+        names = Object.keys(clusters);
       }
-    } catch {
-      // Discovery failed, continue with empty list
     }
+  } catch {
+    // az not available or not authenticated — continue with local state
+  }
 
-    if (names.length === 0) {
-      hint("No fops-managed clusters found in Azure.");
-      hint("Create one:  fops azure aks up <name>\n");
-      return;
-    }
+  if (names.length === 0) {
+    hint("No clusters tracked.");
+    hint("Create one:  fops azure aks up <name>\n");
+    return;
   }
 
   // Refresh each tracked cluster from Azure so RG, Location, Nodes, FQDN, etc. are current

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-storage.js

@@ -38,7 +38,7 @@ export async function reconcileStorageAccount(ctx) {
   const { execa, clusterName, rg, sub } = ctx;
   const storageAccountName = `fops${clusterName.replace(/-/g, "")}`.toLowerCase().slice(0, 24);
   const vaultName = `fops-${clusterName}-kv`;
-  const containers = ["foundation", "vault"];
+  const containers = ["foundation", "vault", "loki"];
 
   hint(`Reconciling Azure Storage Account "${storageAccountName}"…`);
 
@@ -571,7 +571,7 @@ export async function reconcileStorageReplication(ctx) {
 
   const sourceAccountName = `fops${clusterName.replace(/-/g, "")}`.toLowerCase().slice(0, 24);
   const destAccountName = `fops${clusterName.replace(/-/g, "")}ha`.toLowerCase().slice(0, 24);
-  const containers = ["foundation", "vault"];
+  const containers = ["foundation", "vault", "loki"];
 
   hint(`Setting up cross-region storage replication (${location} → ${replicaRegion})…`);
 

package/src/plugins/bundled/fops-plugin-azure/lib/azure-cost.js

@@ -24,22 +24,50 @@ async function az(args, opts = {}) {
   }
 }
 
+// In-memory cache for cost queries (TTL: 1 hour)
+const _costCache = new Map();
+const COST_CACHE_TTL = 60 * 60 * 1000; // 1 hour
+
 async function costQuery(scope, dataset) {
-  try {
-    const body = JSON.stringify({ ...dataset });
-    const { stdout, stderr } = await execa("az", [
-      "rest", "--method", "POST",
-      "--url", `https://management.azure.com${scope}/providers/Microsoft.CostManagement/query?api-version=2023-11-01`,
-      "--body", body,
-      "--output", "json",
-    ], { timeout: 120_000, reject: false });
-    if (stderr?.includes("Please run 'az login'") || stderr?.includes("AADSTS")) {
-      return { error: stderr.split("\n")[0] };
+  const cacheKey = JSON.stringify({ scope, dataset });
+  const cached = _costCache.get(cacheKey);
+  if (cached && Date.now() - cached.ts < COST_CACHE_TTL) {
+    return cached.data;
+  }
+
+  const maxRetries = 3;
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    try {
+      const body = JSON.stringify({ ...dataset });
+      const { stdout, stderr } = await execa("az", [
+        "rest", "--method", "POST",
+        "--url", `https://management.azure.com${scope}/providers/Microsoft.CostManagement/query?api-version=2023-11-01`,
+        "--body", body,
+        "--output", "json",
+      ], { timeout: 120_000, reject: false });
+
+      if (stderr?.includes("Please run 'az login'") || stderr?.includes("AADSTS")) {
+        return { error: stderr.split("\n")[0] + "\nMake sure you are logged into Azure (az login) and have Cost Management access." };
+      }
+
+      // Handle 429 rate limiting
+      if (stderr?.includes("429") || stderr?.includes("Too many requests") || stderr?.includes("Too Many Requests")) {
+        const wait = Math.pow(2, attempt + 1) * 5000; // 10s, 20s, 40s
+        if (attempt < maxRetries - 1) {
+          await new Promise((r) => setTimeout(r, wait));
+          continue;
+        }
+        return { error: `Rate limited by Azure Cost Management API after ${maxRetries} retries. Try again in a few minutes.` };
+      }
+
+      const result = JSON.parse(stdout || "{}");
+      _costCache.set(cacheKey, { data: result, ts: Date.now() });
+      return result;
+    } catch (err) {
+      if (attempt === maxRetries - 1) return { error: err.message };
     }
-    return JSON.parse(stdout || "{}");
-  } catch (err) {
-    return { error: err.message };
   }
+  return { error: "Cost query failed after retries" };
 }
 
 function formatCost(amount, currency = "USD") {
@@ -402,16 +430,18 @@ export async function registerCostTools(api) {
         ? allVms.filter(v => v.powerState?.toLowerCase().includes(input.state))
         : allVms;
 
-      // Rough monthly cost estimates (USD, Pay-As-You-Go, select regions)
+      // Rough monthly cost estimates (USD, Pay-As-You-Go)
       const costs = {
-        Standard_B2s: 30, Standard_B4ms: 60, Standard_B2ms: 60,
-        Standard_D2s_v3: 70, Standard_D4s_v3: 140, Standard_D8s_v3: 281,
-        Standard_D16s_v3: 562, Standard_D32s_v3: 1124,
-        Standard_D2s_v5: 70, Standard_D4s_v5: 140, Standard_D8s_v5: 281,
-        Standard_D16s_v5: 562, Standard_D32s_v5: 1124,
-        Standard_E2s_v3: 92, Standard_E4s_v3: 184, Standard_E8s_v3: 368,
-        Standard_E16s_v3: 736, Standard_E32s_v3: 1472,
-        Standard_F2s_v2: 62, Standard_F4s_v2: 124, Standard_F8s_v2: 248,
+        // B-series (burstable)
+        Standard_B1s: 8, Standard_B2s: 30, Standard_B2ms: 60, Standard_B4ms: 120,
+        // D-series (general purpose) — v3/v4/v5 similar pricing
+        Standard_D2s_v3: 70, Standard_D4s_v3: 140, Standard_D8s_v3: 281, Standard_D16s_v3: 562, Standard_D32s_v3: 1124,
+        Standard_D2s_v5: 70, Standard_D4s_v5: 140, Standard_D8s_v5: 281, Standard_D16s_v5: 562, Standard_D32s_v5: 1124, Standard_D64s_v5: 2249,
+        // E-series (memory optimized)
+        Standard_E2s_v3: 92, Standard_E4s_v3: 184, Standard_E8s_v3: 368, Standard_E16s_v3: 736, Standard_E32s_v3: 1472,
+        Standard_E2s_v5: 92, Standard_E4s_v5: 184, Standard_E8s_v5: 368, Standard_E16s_v5: 736, Standard_E32s_v5: 1472, Standard_E64s_v5: 2621,
+        // F-series (compute optimized)
+        Standard_F2s_v2: 62, Standard_F4s_v2: 124, Standard_F8s_v2: 248, Standard_F16s_v2: 496, Standard_F32s_v2: 992,
       };
 
       let output = "Azure VMs\n" + "=".repeat(75) + "\n";

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -854,16 +854,20 @@ export function fopsUpCmd(publicUrl, { k3s, traefik, dai } = {}) {
   ].join("; ");
 
   const debugPostamble = [
-    `echo \\\"=== fops up finished at \\$(date -Iseconds) with exit code \\$? ===\\\" >> ${logFile}`,
+    `echo \\\"=== fops up finished at \\$(date -Iseconds) with exit code \\$_fops_rc ===\\\" >> ${logFile}`,
     `echo \\\"--- Container status ---\\\" >> ${logFile}`,
     `docker compose ps --format 'table {{.Name}}\\t{{.Status}}' >> ${logFile} 2>&1`,
     `echo \\\"--- Recent docker events ---\\\" >> ${logFile}`,
     `tail -50 ${eventsLog} >> ${logFile} 2>&1 || true`,
+    `exit \\$_fops_rc`,
   ].join("; ");
 
+  // Fail fast if Docker is not installed
+  const dockerGuard = `command -v docker >/dev/null 2>&1 || { echo \\\"ERROR: Docker is not installed — cannot start Foundation\\\" >> ${logFile}; echo \\\"ERROR: Docker is not installed\\\" >&2; exit 1; }`;
+
   // Run from project dir with FOUNDATION_ROOT set explicitly (sudo can reset cwd)
   const envSetup = `export PATH=/usr/local/bin:/usr/bin:\\$PATH FOUNDATION_ROOT=/opt/foundation-compose`;
-  return `bash -c "cd /opt/foundation-compose && ${envSetup}; ${debugPreamble}; ${quietPull}; if command -v fops >/dev/null 2>&1; then ${profileEnv}${fopsCmd}; else echo 'fops not found — falling back to docker compose'; ${composeCmd}; fi; ${debugPostamble}"`;
+  return `bash -c "cd /opt/foundation-compose && ${envSetup}; ${dockerGuard}; ${debugPreamble}; ${quietPull}; if command -v fops >/dev/null 2>&1; then ${profileEnv}${fopsCmd}; else echo 'fops not found — falling back to docker compose'; ${composeCmd}; fi; _fops_rc=\\$?; ${debugPostamble}"`;
 }
 
 /** Build remote "fops up [component] [branch]" args (same as local fops up). For foreground run on VM. */

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -321,6 +321,71 @@ export async function azureTrinoStatus(opts = {}) {
   console.log("");
 }
 
+// ── ping ─────────────────────────────────────────────────────────────────────
+
+/**
+ * Check Foundation backend /api/ping/json health endpoint on a VM.
+ */
+export async function azurePing(opts = {}) {
+  const execa = await lazyExeca();
+  const state = requireVmState(opts.vmName);
+  const { vmName } = state;
+  const ip = state.publicIp;
+  const adminUser = DEFAULTS.adminUser;
+
+  if (!ip) {
+    console.log(WARN(`  VM ${vmName} has no public IP (probably stopped)`));
+    return;
+  }
+
+  await knockForVm(state);
+  const sshOk = await waitForSsh(execa, ip, adminUser, 10000);
+  if (!sshOk) {
+    console.log(WARN("\n  ⚠ SSH not reachable"));
+    return;
+  }
+
+  const pingToken = opts.token || process.env.FOPS_PING_TOKEN || "";
+  const tokenHeader = pingToken ? `-H "X-Ping-Token: ${pingToken}"` : "";
+  const { stdout, exitCode } = await sshCmd(execa, ip, adminUser,
+    `curl -sf ${tokenHeader} http://localhost:9001/api/ping/json 2>/dev/null || echo '{}'`,
+    15000,
+  );
+
+  let ping;
+  try {
+    ping = JSON.parse(stdout.trim() || "{}");
+  } catch {
+    console.log(ERR(`  Failed to parse ping response: ${stdout}`));
+    return;
+  }
+
+  banner(`Ping: ${vmName}`);
+
+  if (ping.ok === undefined) {
+    console.log(WARN("  No response from backend /api/ping/json"));
+    hint("Backend may be down or starting up");
+    console.log("");
+    return;
+  }
+
+  const overall = ping.ok ? OK("✓ healthy") : ERR("✗ unhealthy");
+  kvLine("Status", overall);
+  if (ping.tag) kvLine("Tag", DIM(ping.tag));
+
+  if (ping.checks) {
+    console.log("");
+    console.log(ACCENT("  Checks:"));
+    for (const [name, check] of Object.entries(ping.checks)) {
+      const status = check.ok ? OK("✓") : ERR("✗");
+      const latency = check.latency_ms !== undefined ? DIM(` (${check.latency_ms}ms)`) : "";
+      const err = check.error ? ERR(` — ${check.error}`) : "";
+      console.log(`    ${status} ${name}${latency}${err}`);
+    }
+  }
+  console.log("");
+}
+
 /**
  * Run VM diagnostics: show config versions, then run make download and print
  * full output so image-pull failures (e.g. after config versions change) can be diagnosed.
@@ -1295,6 +1360,41 @@ export async function azureList(opts = {}) {
     }
   } catch { /* az not available or not authenticated */ }
 
+  // Always discover AKS clusters from Azure (tag managed=fops)
+  try {
+    const execa = await lazyExeca();
+    const { writeClusterState } = await import("./azure-aks-state.js");
+    const { stdout, exitCode } = await execa("az", [
+      "aks", "list",
+      "--query", "[?tags.managed=='fops']",
+      "--output", "json",
+      ...subArgs(opts.subscription),
+    ], { timeout: 60000, reject: false });
+    if (exitCode === 0 && stdout?.trim()) {
+      const discovered = JSON.parse(stdout);
+      let added = 0;
+      for (const cl of discovered) {
+        if (aksClusters[cl.name]) continue;
+        writeClusterState(cl.name, {
+          resourceGroup: cl.resourceGroup,
+          location: cl.location,
+          kubernetesVersion: cl.kubernetesVersion,
+          fqdn: cl.fqdn,
+          nodeCount: cl.agentPoolProfiles?.reduce((s, p) => s + (p.count || 0), 0) || 0,
+          nodeVmSize: cl.agentPoolProfiles?.[0]?.vmSize || "unknown",
+          subscriptionId: cl.id?.split("/")[2],
+        });
+        added++;
+      }
+      if (added > 0) {
+        console.log(OK(`  ✓ Re-discovered ${added} AKS cluster(s) from Azure`) + DIM(" (tag managed=fops)\n"));
+        fullState = readState();
+        aksClusters = (fullState.azure || {}).clusters || {};
+        hasAks = Object.keys(aksClusters).length > 0;
+      }
+    }
+  } catch { /* az not available or AKS discovery failed */ }
+
   // JSON output mode - early return with structured data
   if (opts.json) {
     const output = {
@@ -1568,10 +1668,9 @@ export async function azureList(opts = {}) {
       const hasPrimary = primaryName && clusterNames.includes(primaryName);
       const prefix = isStandby && hasPrimary ? "  └─" : "";
       const dot = active ? OK("●") : DIM("○");
-      const displayName = isStandby && hasPrimary
-        ? `${cr.name} ${DIM("(HA standby)")}`
-        : cr.name;
-      const cNameTxt = active ? OK(displayName.padEnd(maxCName + 13)) : LABEL(displayName.padEnd(maxCName + 13));
+      const paddedName = cr.name.padEnd(maxCName);
+      const standbySuffix = isStandby && hasPrimary ? ` ${DIM("(HA standby)")}` : "";
+      const cNameTxt = active ? OK(paddedName) + standbySuffix : LABEL(paddedName) + standbySuffix;
       const loc = (cl?.location || cr.location || "–").padEnd(10);
       const nodes = cr.nodes != null ? `${cr.nodes} x ${cr.sizes || "?"}` : "–";
       const k8s = (cr.kubernetesVersion || "–").padEnd(6);
@@ -1640,12 +1739,19 @@ export function printServiceMatrix(results, nameWidth) {
   const withSvc = results.filter(r => r.services && Object.keys(r.services).length > 0);
   if (withSvc.length === 0) return;
 
+  // Resolve display value for a service entry (supports both string and {tag,sha} formats)
+  const svcVal = (entry) => {
+    if (!entry) return null;
+    if (typeof entry === "string") return entry;
+    return entry.sha || entry.tag || null;
+  };
+
   // Find the majority value per column to highlight drift
   const majority = {};
   for (const svc of SVC_ORDER) {
     const counts = {};
     for (const r of withSvc) {
-      const v = r.services?.[svc];
+      const v = svcVal(r.services?.[svc]);
       if (v) counts[v] = (counts[v] || 0) + 1;
     }
     const sorted = Object.entries(counts).sort((a, b) => b[1] - a[1]);
@@ -1660,7 +1766,7 @@ export function printServiceMatrix(results, nameWidth) {
   for (const r of withSvc) {
     const nameTxt = LABEL(r.name.padEnd(nameWidth));
     const cells = SVC_ORDER.map(svc => {
-      const v = r.services?.[svc] || "–";
+      const v = svcVal(r.services?.[svc]) || "–";
       const display = v.padEnd(colW);
       if (v === "–") return DIM(display);
       if (v !== majority[svc]) return WARN(display);
@@ -1671,7 +1777,7 @@ export function printServiceMatrix(results, nameWidth) {
 
   // Check for drift
   const hasDrift = SVC_ORDER.some(svc => {
-    const vals = withSvc.map(r => r.services?.[svc]).filter(Boolean);
+    const vals = withSvc.map(r => svcVal(r.services?.[svc])).filter(Boolean);
     return new Set(vals).size > 1;
   });
   if (hasDrift) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision-init.js

@@ -44,19 +44,26 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
     "apt-get install -y -qq apt-transport-https ca-certificates curl gnupg lsb-release jq git make unzip zsh software-properties-common python3-venv python3-pip",
   ].join("\n"), 300000);
 
-  await runScript("Installing Docker", [
+  const dockerExit = await runScript("Installing Docker", [
     waitAptLock,
     "export DEBIAN_FRONTEND=noninteractive",
     "install -m 0755 -d /etc/apt/keyrings",
-    "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg",
+    "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --batch --yes --dearmor -o /etc/apt/keyrings/docker.gpg",
     "chmod a+r /etc/apt/keyrings/docker.gpg",
     `echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list`,
-    "apt-get update -qq",
-    "apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin",
+    "set +e",
+    "for _ in 1 2 3 4 5; do if apt-get update -qq && apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin; then break; fi; echo 'Retrying Docker install in 10s…'; sleep 10; done",
+    "set -e",
+    "command -v docker >/dev/null 2>&1 || (echo 'Docker not found after install attempts' && exit 1)",
     "systemctl enable docker && systemctl start docker",
     `usermod -aG docker ${adminUser}`,
   ].join("\n"), 300000);
 
+  if (dockerExit !== 0) {
+    console.log(WARN("  ✗ Docker installation failed — cannot continue provisioning"));
+    throw new Error("Docker installation failed");
+  }
+
   await runScript("Configuring br_netfilter for k3s DNS", [
     "modprobe br_netfilter",
     "echo br_netfilter > /etc/modules-load.d/br_netfilter.conf",
@@ -178,6 +185,8 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
   Project dir:   /opt/foundation-compose
 
 MOTD`,
+    `grep -q 'cd /opt/foundation-compose' /home/${adminUser}/.bashrc 2>/dev/null || echo 'cd /opt/foundation-compose' >> /home/${adminUser}/.bashrc`,
+    `grep -q 'cd /opt/foundation-compose' /home/${adminUser}/.zshrc 2>/dev/null || echo 'cd /opt/foundation-compose' >> /home/${adminUser}/.zshrc`,
   ].join("\n"));
 
   await ssh("sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*", 30000);

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision.js

@@ -44,7 +44,7 @@ async function ensureGhcrOnVm(ssh, user, githubToken, { timeout = 60000 } = {})
 // ── Configure a fresh or restarted VM ───────────────────────────────────────
 
 export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s, traefik, dai, deferStartToReconcile, quiet } = {}) {
-  const ssh = (cmd) => sshCmd(execa, ip, user, cmd);
+  const ssh = (cmd, timeout) => sshCmd(execa, ip, user, cmd, timeout);
 
   if (!quiet) console.log(chalk.dim("  Configuring VM..."));
 
@@ -72,6 +72,68 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
   ].join("\n");
   await ssh(setupBatch);
 
+  // Verify Docker is installed — if missing, install it before anything else
+  const { exitCode: dockerCheck } = await ssh("sudo docker info >/dev/null 2>&1");
+  if (dockerCheck !== 0) {
+    if (!quiet) console.log(chalk.yellow("  ⚠ Docker not found — installing..."));
+    // Repo setup is idempotent (tolerates partial prior attempts); install+start uses &&
+    const repoSetup = [
+      "export DEBIAN_FRONTEND=noninteractive",
+      "while fuser /var/lib/dpkg/lock-frontend /var/lib/apt/lists/lock /var/cache/apt/archives/lock >/dev/null 2>&1; do sleep 3; done",
+      "sudo install -m 0755 -d /etc/apt/keyrings",
+      "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --batch --yes --dearmor -o /etc/apt/keyrings/docker.gpg",
+      "sudo chmod a+r /etc/apt/keyrings/docker.gpg",
+      `echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null`,
+    ].join("; ");
+    const installAndStart = [
+      "sudo apt-get update -qq",
+      "sudo apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin",
+      "sudo systemctl enable docker && sudo systemctl start docker",
+      `sudo usermod -aG docker ${user}`,
+    ].join(" && ");
+    const { exitCode: installExit } = await ssh(`${repoSetup}; ${installAndStart}`, 300000);
+    if (installExit === 0) {
+      if (!quiet) console.log(chalk.green("  ✓ Docker installed"));
+    } else {
+      console.log(chalk.red("  ✗ Docker installation failed — container operations will not work"));
+      console.log(chalk.dim(`    SSH in and check: ssh ${user}@${ip} "sudo apt-get install -y docker-ce"`));
+    }
+  }
+
+  // Verify Node.js + fops CLI are installed — if missing, install them
+  const { stdout: fopsWhich } = await ssh("command -v fops 2>/dev/null || echo MISSING");
+  if (!fopsWhich?.trim() || fopsWhich.includes("MISSING")) {
+    if (!quiet) console.log(chalk.yellow("  ⚠ fops CLI not found — installing Node.js + fops..."));
+    const installNode = [
+      "export DEBIAN_FRONTEND=noninteractive",
+      "if ! command -v node >/dev/null 2>&1; then curl -fsSL https://deb.nodesource.com/setup_20.x | sudo bash - && sudo apt-get install -y -qq nodejs; fi",
+    ].join("; ");
+    await ssh(installNode, 120000);
+    // Install fops globally, retry with sudo if needed
+    let fopsInstalled = false;
+    const { exitCode: userInstall } = await ssh("npm install -g @meshxdata/fops@latest 2>&1", 300000);
+    if (userInstall === 0) {
+      fopsInstalled = true;
+    } else {
+      const { exitCode: sudoInstall } = await ssh(
+        "sudo bash -c 'D=\"$(npm root -g)/@meshxdata\"; rm -rf \"$D\" 2>/dev/null; npm install -g @meshxdata/fops@latest' 2>&1",
+        300000,
+      );
+      fopsInstalled = sudoInstall === 0;
+    }
+    // Ensure fops is on PATH
+    await ssh(
+      'MJS="$(npm root -g 2>/dev/null)/@meshxdata/fops/fops.mjs"; [ -f "$MJS" ] || MJS="$(sudo npm root -g 2>/dev/null)/@meshxdata/fops/fops.mjs"; [ -f "$MJS" ] && sudo ln -sf "$MJS" /usr/local/bin/fops; true',
+      15000,
+    );
+    if (fopsInstalled) {
+      if (!quiet) console.log(chalk.green("  ✓ fops CLI installed"));
+    } else {
+      console.log(chalk.red("  ✗ fops CLI installation failed"));
+      console.log(chalk.dim(`    SSH in and check: ssh ${user}@${ip} "sudo npm install -g @meshxdata/fops@latest"`));
+    }
+  }
+
   let ghcrOk = false;
   if (githubToken) {
     if (!quiet) console.log(chalk.dim("  Configuring GitHub/GHCR credentials..."));
@@ -458,9 +520,12 @@ async function vmReconcileNetworking(ctx) {
       console.log(chalk.yellow("  ⚠ No NSG attached to NIC"));
     }
 
+    // Accelerated networking — only supported on D/E/F/M series (2+ vCPU), not B-series
+    const vmSize = (iv.hardwareProfile?.vmSize || "").toLowerCase();
+    const supportsAccelNet = !vmSize.startsWith("standard_b") && !vmSize.startsWith("standard_a");
     if (nic.enableAcceleratedNetworking) {
       reconcileOk("Accelerated networking", "enabled");
-    } else {
+    } else if (supportsAccelNet) {
       console.log(chalk.yellow("  ↻ Accelerated networking not enabled — enabling…"));
       const { exitCode: anCode } = await execa("az", [
         "network", "nic", "update", "-g", rg, "-n", ctx.nicName,
@@ -469,8 +534,9 @@ async function vmReconcileNetworking(ctx) {
       ], { reject: false, timeout: 30000 });
       console.log(anCode === 0
         ? chalk.green(`  ✓ ${"Accelerated networking".padEnd(RECONCILE_LABEL_WIDTH)} — enabled`)
-        : chalk.yellow("  ⚠ Could not enable accelerated networking (VM size may not support it)"));
+        : chalk.yellow("  ⚠ Could not enable accelerated networking"));
     }
+    // B-series and A-series VMs don't support accelerated networking — skip silently
   }
 
   if (!ctx.ip) ctx.ip = await resolvePublicIp(execa, rg, vmName);
@@ -832,10 +898,16 @@ async function vmReconcileSecurity(ctx) {
     reconcileOk("Boot diagnostics", "enabled");
   } else {
     console.log(chalk.yellow("  ↻ Boot diagnostics not enabled — enabling..."));
-    const { exitCode: bdCode } = await execa("az", [
-      "vm", "boot-diagnostics", "enable", "-g", rg, "-n", vmName, "--output", "none",
-      ...subArgs(sub),
-    ], { reject: false, timeout: 30000 });
+    let bdCode = 1;
+    for (let attempt = 0; attempt < 3; attempt++) {
+      const res = await execa("az", [
+        "vm", "boot-diagnostics", "enable", "-g", rg, "-n", vmName, "--output", "none",
+        ...subArgs(sub),
+      ], { reject: false, timeout: 30000 });
+      bdCode = res.exitCode;
+      if (bdCode === 0) break;
+      if (attempt < 2) await new Promise((r) => setTimeout(r, 5000));
+    }
     if (bdCode === 0) {
       await new Promise((r) => setTimeout(r, 2000));
       const { stdout: bdJson } = await execa("az", [
@@ -880,20 +952,25 @@ async function vmReconcileSecurity(ctx) {
     console.log(amCode === 0
       ? chalk.green(`  ✓ ${"Antimalware extension".padEnd(RECONCILE_LABEL_WIDTH)} — installed`)
       : chalk.yellow("  ⚠ Could not install antimalware extension"));
-  } else {
-    console.log(chalk.dim(`  Antimalware extension — Windows only (skipped on Linux)`));
   }
+  // Linux VMs don't need antimalware — skip silently
 
   if (isTrustedLaunch) {
     if (hasGuestAttestation) {
       reconcileOk("Guest Attestation extension", "installed");
     } else {
       console.log(chalk.yellow("  ↻ Guest Attestation missing — installing…"));
-      const { exitCode: gaCode } = await execa("az", [
-        "vm", "extension", "set", "-g", rg, "--vm-name", vmName,
-        "-n", "GuestAttestation", "--publisher", "Microsoft.Azure.Security.LinuxAttestation",
-        "--output", "none", ...subArgs(sub),
-      ], { reject: false, timeout: 120000 });
+      let gaCode = 1;
+      for (let attempt = 0; attempt < 3; attempt++) {
+        const res = await execa("az", [
+          "vm", "extension", "set", "-g", rg, "--vm-name", vmName,
+          "-n", "GuestAttestation", "--publisher", "Microsoft.Azure.Security.LinuxAttestation",
+          "--output", "none", ...subArgs(sub),
+        ], { reject: false, timeout: 120000 });
+        gaCode = res.exitCode;
+        if (gaCode === 0) break;
+        if (attempt < 2) await new Promise((r) => setTimeout(r, 10000));
+      }
       console.log(gaCode === 0
         ? chalk.green(`  ✓ ${"Guest Attestation extension".padEnd(RECONCILE_LABEL_WIDTH)} — installed`)
         : chalk.yellow("  ⚠ Could not install Guest Attestation extension"));