@meshxdata/fops 0.1.52 → 0.1.54

package/src/fleet-registry.js

@@ -102,13 +102,31 @@ function parseSnapshot(raw, vmMeta) {
     if (eq > 0) flags[line.slice(0, eq)] = line.slice(eq + 1);
   }
 
-  // Services
+  // Services — health + version from container images
+  const SERVICE_IMAGE_MAP = {
+    be: "foundation-backend",
+    fe: "foundation-frontend",
+    pr: "foundation-processor",
+    wa: "foundation-watcher",
+    sc: "foundation-scheduler",
+    se: "foundation-storage-engine",
+  };
+
   const services = {
     backend: (raw.backendHealth || "").trim() === "OK" ? "healthy" : "down",
     frontend: (raw.frontendHealth || "").trim() === "OK" ? "healthy" : "down",
     storage: (raw.storageHealth || "").trim() === "OK" ? "healthy" : "down",
   };
 
+  // Extract version tags from container images
+  for (const [key, imageName] of Object.entries(SERVICE_IMAGE_MAP)) {
+    const c = containers.find((c) => c.image?.includes(imageName));
+    if (c?.image) {
+      const tag = c.image.split(":").pop() || "";
+      services[key] = { tag, health: c.healthy ? "healthy" : c.unhealthy ? "unhealthy" : "down" };
+    }
+  }
+
   // Foundation entities (meshes, data systems, data sources, data products)
   let foundation = null;
   try {
@@ -306,7 +324,25 @@ export class FleetRegistry {
         fopsVersion: s.stack.fopsVersion,
         branch: s.stack.gitBranch,
         commit: s.stack.gitSha,
-        services: s.services,
+        services: (() => {
+          const svc = { ...s.services };
+          // HTTP scrape puts versions in a nested object; merge them up
+          if (svc.versions) {
+            Object.assign(svc, svc.versions);
+            delete svc.versions;
+          }
+          // If still no version keys, extract from container images
+          if (!svc.be && s.containers?.list) {
+            const IMAGE_MAP = { be: "foundation-backend", fe: "foundation-frontend", pr: "foundation-processor", wa: "foundation-watcher", sc: "foundation-scheduler", se: "foundation-storage-engine" };
+            for (const [key, img] of Object.entries(IMAGE_MAP)) {
+              const c = s.containers.list.find((c) => c.image?.includes(img));
+              if (c?.image) {
+                svc[key] = { tag: c.image.split(":").pop() || "", health: c.healthy ? "healthy" : c.unhealthy ? "unhealthy" : "down" };
+              }
+            }
+          }
+          return svc;
+        })(),
         lastScrape: entry.lastScrape,
       });
     }

package/src/plugins/__test-fixtures__/fake-plugin.js

@@ -0,0 +1,2 @@
+// Test fixture: minimal plugin with register function
+export function register(api) {}

package/src/plugins/__test-fixtures__/no-register-plugin.js

@@ -0,0 +1,2 @@
+// Test fixture: plugin without register function
+export const name = "no-register";

package/src/plugins/__test-fixtures__/with-register/index.js

@@ -0,0 +1,2 @@
+// Test fixture: discovered plugin with register function
+export function register(api) {}

package/src/plugins/__test-fixtures__/without-register/index.js

@@ -0,0 +1,2 @@
+// Test fixture: discovered plugin without register function
+export const name = "no-register";

package/src/plugins/api.js

@@ -98,6 +98,10 @@ export function createPluginApi(pluginId, registry, opts = {}) {
       registry.services.push({ pluginId, name, instance });
     },
 
+    registerWebPanel(panel) {
+      registry.addWebPanel({ pluginId, ...panel });
+    },
+
     registerIndexSource(source) {
       if (!registry.indexSources) registry.indexSources = [];
       registry.indexSources.push({ pluginId, name: source.name, fn: source.fn });

package/src/plugins/builtins/docker-compose.js

@@ -465,6 +465,71 @@ You manage Docker Compose stacks: inspect containers, read logs, restart service
 - If asked about security or CVEs, use compose_scan.`,
     });
 
+    // ── Debug Agent ───────────────────────────────────────────────────
+    api.registerAgent({
+      name: "debug",
+      description: "Debug stack issues — diagnose alerts, check containers, logs, metrics, and suggest fixes",
+      contextMode: "minimal",
+      tools: [
+        "compose_ps",
+        "compose_logs",
+        "compose_restart",
+        "compose_exec",
+        "compose_inspect",
+        "compose_stats",
+        "compose_images",
+        "embeddings_search",
+      ],
+      maxIterations: 20,
+      systemPrompt: `You are FOPS Debug Agent — an expert platform debugger for Foundation stack issues.
+
+## Role
+You investigate alerts, diagnose service failures, and suggest fixes. You have direct access to Docker containers, logs, and system metrics. You are called by the Glue bot when monitoring alerts fire.
+
+## Tools Available
+- **compose_ps**: List all containers and their status (start here)
+- **compose_logs**: Read container logs (check for errors, crashes, OOM)
+- **compose_inspect**: Get container details (health checks, env vars, mounts, restarts)
+- **compose_stats**: CPU/memory/network usage per container
+- **compose_exec**: Run commands inside containers (e.g. check disk, network, processes)
+- **compose_images**: List images and versions
+- **compose_restart**: Restart specific services
+- **embeddings_search**: Search docs, configs, and past knowledge for context
+
+## Investigation Approach
+1. **Triage**: Run compose_ps to see overall stack health. Identify unhealthy/restarting containers.
+2. **Diagnose**: For each affected container:
+   - compose_logs to find errors, exceptions, OOM kills, crash traces
+   - compose_inspect for health check failures, restart count, resource limits
+   - compose_stats for CPU/memory spikes
+3. **Context**: Use embeddings_search to find relevant docs or known issues.
+4. **Root cause**: Correlate findings — is it a code bug, resource exhaustion, dependency failure, config issue?
+5. **Fix**: Suggest specific actions (restart, config change, scale, rollback).
+
+## Output Format
+Structure your response with blank lines between each section:
+
+**Status:** One-line summary (e.g. "Processor container restarting due to OOM")
+
+**Findings:** What you discovered from each tool
+
+**Root Cause:** Most likely cause
+
+**Actions:** Specific steps to fix
+
+**Prevention:** How to avoid this in the future
+
+## Rules
+- Always check compose_ps first.
+- Check logs BEFORE suggesting restarts.
+- Look for patterns: repeated restarts, OOM kills, connection refused, timeout errors.
+- If a dependency is down (postgres, kafka), flag it — fixing the dependency fixes the dependent.
+- Be concise — this output goes into a Glue chat thread.
+- Never suggest 'docker compose down' — prefer targeted restarts.
+- After restarting, verify with compose_ps.
+- IMPORTANT: Always put a blank line between sections in your response so they render as separate paragraphs.`,
+    });
+
     // ── Doctor check: Trivy ───────────────────────────────────────────
     api.registerDoctorCheck({
       name: "Trivy",

package/src/plugins/bundled/fops-plugin-azure/index.js

@@ -23,6 +23,10 @@ import { registerRegistryCommands } from "./lib/commands/registry-cmds.js";
 export { resolveFoundationCreds, resolveAuth0Config, authenticateVm, vmFetch };
 
 export async function register(api) {
+  // ── Service: expose structured API for cross-plugin use ──
+  const { AzureService } = await import("./lib/azure-service.js");
+  api.registerService("azure", new AzureService());
+
   // ── Commands ──────────────────────────────────────────────────────────
 
   api.registerCommand((program, registry) => {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-core.js

@@ -1057,64 +1057,55 @@ export async function aksList(opts = {}) {
 
   banner("AKS Clusters");
 
-  // If no clusters tracked locally, try to discover fops-managed clusters from Azure
-  if (names.length === 0) {
+  // Always discover fops-managed clusters from Azure so we pick up clusters
+  // created by teammates or missing from local state.
+  try {
     const execa = await lazyExeca();
-    try {
-      await ensureAzCli(execa);
-      await ensureAzAuth(execa, { subscription: opts.profile });
-    } catch {
-      hint("No clusters tracked.");
-      hint("Create one:  fops azure aks up <name>\n");
-      return;
-    }
-
-    hint("No clusters tracked locally — checking Azure for fops-managed clusters…\n");
+    await ensureAzCli(execa);
+    await ensureAzAuth(execa, { subscription: opts.profile });
 
-    try {
-      // Query all AKS clusters and filter by managed=fops tag
-      const { stdout, exitCode } = await execa("az", [
-        "aks", "list",
-        "--query", "[?tags.managed=='fops']",
-        "--output", "json",
-        ...subArgs(opts.profile),
-      ], { timeout: 60000, reject: false });
-
-      if (exitCode === 0 && stdout?.trim()) {
-        const discovered = JSON.parse(stdout);
-        if (discovered.length > 0) {
-          for (const cl of discovered) {
-            const name = cl.name;
-            const info = {
-              resourceGroup: cl.resourceGroup,
-              location: cl.location,
-              kubernetesVersion: cl.kubernetesVersion,
-              fqdn: cl.fqdn,
-              nodeCount: cl.agentPoolProfiles?.reduce((s, p) => s + (p.count || 0), 0) || 0,
-              nodeVmSize: cl.agentPoolProfiles?.[0]?.vmSize || "unknown",
-              subscriptionId: cl.id?.split("/")[2],
-              createdAt: cl.provisioningState === "Succeeded" ? new Date().toISOString() : null,
-            };
-            writeClusterState(name, info);
-            console.log(OK(`  + Discovered ${name} (${cl.location})`));
-          }
-          console.log("");
-          // Re-read after discovery
-          const updated = readAksClusters();
-          activeCluster = updated.activeCluster;
-          clusters = updated.clusters;
-          names = Object.keys(clusters);
-        }
+    const { stdout, exitCode } = await execa("az", [
+      "aks", "list",
+      "--query", "[?tags.managed=='fops']",
+      "--output", "json",
+      ...subArgs(opts.profile),
+    ], { timeout: 60000, reject: false });
+
+    if (exitCode === 0 && stdout?.trim()) {
+      const discovered = JSON.parse(stdout);
+      let added = 0;
+      for (const cl of discovered) {
+        if (clusters[cl.name]) continue; // already tracked
+        const info = {
+          resourceGroup: cl.resourceGroup,
+          location: cl.location,
+          kubernetesVersion: cl.kubernetesVersion,
+          fqdn: cl.fqdn,
+          nodeCount: cl.agentPoolProfiles?.reduce((s, p) => s + (p.count || 0), 0) || 0,
+          nodeVmSize: cl.agentPoolProfiles?.[0]?.vmSize || "unknown",
+          subscriptionId: cl.id?.split("/")[2],
+          createdAt: cl.provisioningState === "Succeeded" ? new Date().toISOString() : null,
+        };
+        writeClusterState(cl.name, info);
+        console.log(OK(`  + Discovered ${cl.name} (${cl.location})`));
+        added++;
+      }
+      if (added > 0) {
+        console.log("");
+        const updated = readAksClusters();
+        activeCluster = updated.activeCluster;
+        clusters = updated.clusters;
+        names = Object.keys(clusters);
       }
-    } catch {
-      // Discovery failed, continue with empty list
     }
+  } catch {
+    // az not available or not authenticated — continue with local state
+  }
 
-    if (names.length === 0) {
-      hint("No fops-managed clusters found in Azure.");
-      hint("Create one:  fops azure aks up <name>\n");
-      return;
-    }
+  if (names.length === 0) {
+    hint("No clusters tracked.");
+    hint("Create one:  fops azure aks up <name>\n");
+    return;
   }
 
   // Refresh each tracked cluster from Azure so RG, Location, Nodes, FQDN, etc. are current

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-storage.js

@@ -38,7 +38,7 @@ export async function reconcileStorageAccount(ctx) {
   const { execa, clusterName, rg, sub } = ctx;
   const storageAccountName = `fops${clusterName.replace(/-/g, "")}`.toLowerCase().slice(0, 24);
   const vaultName = `fops-${clusterName}-kv`;
-  const containers = ["foundation", "vault"];
+  const containers = ["foundation", "vault", "loki"];
 
   hint(`Reconciling Azure Storage Account "${storageAccountName}"…`);
 
@@ -571,7 +571,7 @@ export async function reconcileStorageReplication(ctx) {
 
   const sourceAccountName = `fops${clusterName.replace(/-/g, "")}`.toLowerCase().slice(0, 24);
   const destAccountName = `fops${clusterName.replace(/-/g, "")}ha`.toLowerCase().slice(0, 24);
-  const containers = ["foundation", "vault"];
+  const containers = ["foundation", "vault", "loki"];
 
   hint(`Setting up cross-region storage replication (${location} → ${replicaRegion})…`);
 

package/src/plugins/bundled/fops-plugin-azure/lib/azure-cost.js

@@ -24,22 +24,50 @@ async function az(args, opts = {}) {
   }
 }
 
+// In-memory cache for cost queries (TTL: 1 hour)
+const _costCache = new Map();
+const COST_CACHE_TTL = 60 * 60 * 1000; // 1 hour
+
 async function costQuery(scope, dataset) {
-  try {
-    const body = JSON.stringify({ ...dataset });
-    const { stdout, stderr } = await execa("az", [
-      "rest", "--method", "POST",
-      "--url", `https://management.azure.com${scope}/providers/Microsoft.CostManagement/query?api-version=2023-11-01`,
-      "--body", body,
-      "--output", "json",
-    ], { timeout: 120_000, reject: false });
-    if (stderr?.includes("Please run 'az login'") || stderr?.includes("AADSTS")) {
-      return { error: stderr.split("\n")[0] };
+  const cacheKey = JSON.stringify({ scope, dataset });
+  const cached = _costCache.get(cacheKey);
+  if (cached && Date.now() - cached.ts < COST_CACHE_TTL) {
+    return cached.data;
+  }
+
+  const maxRetries = 3;
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    try {
+      const body = JSON.stringify({ ...dataset });
+      const { stdout, stderr } = await execa("az", [
+        "rest", "--method", "POST",
+        "--url", `https://management.azure.com${scope}/providers/Microsoft.CostManagement/query?api-version=2023-11-01`,
+        "--body", body,
+        "--output", "json",
+      ], { timeout: 120_000, reject: false });
+
+      if (stderr?.includes("Please run 'az login'") || stderr?.includes("AADSTS")) {
+        return { error: stderr.split("\n")[0] + "\nMake sure you are logged into Azure (az login) and have Cost Management access." };
+      }
+
+      // Handle 429 rate limiting
+      if (stderr?.includes("429") || stderr?.includes("Too many requests") || stderr?.includes("Too Many Requests")) {
+        const wait = Math.pow(2, attempt + 1) * 5000; // 10s, 20s, 40s
+        if (attempt < maxRetries - 1) {
+          await new Promise((r) => setTimeout(r, wait));
+          continue;
+        }
+        return { error: `Rate limited by Azure Cost Management API after ${maxRetries} retries. Try again in a few minutes.` };
+      }
+
+      const result = JSON.parse(stdout || "{}");
+      _costCache.set(cacheKey, { data: result, ts: Date.now() });
+      return result;
+    } catch (err) {
+      if (attempt === maxRetries - 1) return { error: err.message };
     }
-    return JSON.parse(stdout || "{}");
-  } catch (err) {
-    return { error: err.message };
   }
+  return { error: "Cost query failed after retries" };
 }
 
 function formatCost(amount, currency = "USD") {
@@ -402,16 +430,18 @@ export async function registerCostTools(api) {
         ? allVms.filter(v => v.powerState?.toLowerCase().includes(input.state))
         : allVms;
 
-      // Rough monthly cost estimates (USD, Pay-As-You-Go, select regions)
+      // Rough monthly cost estimates (USD, Pay-As-You-Go)
       const costs = {
-        Standard_B2s: 30, Standard_B4ms: 60, Standard_B2ms: 60,
-        Standard_D2s_v3: 70, Standard_D4s_v3: 140, Standard_D8s_v3: 281,
-        Standard_D16s_v3: 562, Standard_D32s_v3: 1124,
-        Standard_D2s_v5: 70, Standard_D4s_v5: 140, Standard_D8s_v5: 281,
-        Standard_D16s_v5: 562, Standard_D32s_v5: 1124,
-        Standard_E2s_v3: 92, Standard_E4s_v3: 184, Standard_E8s_v3: 368,
-        Standard_E16s_v3: 736, Standard_E32s_v3: 1472,
-        Standard_F2s_v2: 62, Standard_F4s_v2: 124, Standard_F8s_v2: 248,
+        // B-series (burstable)
+        Standard_B1s: 8, Standard_B2s: 30, Standard_B2ms: 60, Standard_B4ms: 120,
+        // D-series (general purpose) — v3/v4/v5 similar pricing
+        Standard_D2s_v3: 70, Standard_D4s_v3: 140, Standard_D8s_v3: 281, Standard_D16s_v3: 562, Standard_D32s_v3: 1124,
+        Standard_D2s_v5: 70, Standard_D4s_v5: 140, Standard_D8s_v5: 281, Standard_D16s_v5: 562, Standard_D32s_v5: 1124, Standard_D64s_v5: 2249,
+        // E-series (memory optimized)
+        Standard_E2s_v3: 92, Standard_E4s_v3: 184, Standard_E8s_v3: 368, Standard_E16s_v3: 736, Standard_E32s_v3: 1472,
+        Standard_E2s_v5: 92, Standard_E4s_v5: 184, Standard_E8s_v5: 368, Standard_E16s_v5: 736, Standard_E32s_v5: 1472, Standard_E64s_v5: 2621,
+        // F-series (compute optimized)
+        Standard_F2s_v2: 62, Standard_F4s_v2: 124, Standard_F8s_v2: 248, Standard_F16s_v2: 496, Standard_F32s_v2: 992,
       };
 
       let output = "Azure VMs\n" + "=".repeat(75) + "\n";

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -854,16 +854,20 @@ export function fopsUpCmd(publicUrl, { k3s, traefik, dai } = {}) {
   ].join("; ");
 
   const debugPostamble = [
-    `echo \\\"=== fops up finished at \\$(date -Iseconds) with exit code \\$? ===\\\" >> ${logFile}`,
+    `echo \\\"=== fops up finished at \\$(date -Iseconds) with exit code \\$_fops_rc ===\\\" >> ${logFile}`,
     `echo \\\"--- Container status ---\\\" >> ${logFile}`,
     `docker compose ps --format 'table {{.Name}}\\t{{.Status}}' >> ${logFile} 2>&1`,
     `echo \\\"--- Recent docker events ---\\\" >> ${logFile}`,
     `tail -50 ${eventsLog} >> ${logFile} 2>&1 || true`,
+    `exit \\$_fops_rc`,
   ].join("; ");
 
+  // Fail fast if Docker is not installed
+  const dockerGuard = `command -v docker >/dev/null 2>&1 || { echo \\\"ERROR: Docker is not installed — cannot start Foundation\\\" >> ${logFile}; echo \\\"ERROR: Docker is not installed\\\" >&2; exit 1; }`;
+
   // Run from project dir with FOUNDATION_ROOT set explicitly (sudo can reset cwd)
   const envSetup = `export PATH=/usr/local/bin:/usr/bin:\\$PATH FOUNDATION_ROOT=/opt/foundation-compose`;
-  return `bash -c "cd /opt/foundation-compose && ${envSetup}; ${debugPreamble}; ${quietPull}; if command -v fops >/dev/null 2>&1; then ${profileEnv}${fopsCmd}; else echo 'fops not found — falling back to docker compose'; ${composeCmd}; fi; ${debugPostamble}"`;
+  return `bash -c "cd /opt/foundation-compose && ${envSetup}; ${dockerGuard}; ${debugPreamble}; ${quietPull}; if command -v fops >/dev/null 2>&1; then ${profileEnv}${fopsCmd}; else echo 'fops not found — falling back to docker compose'; ${composeCmd}; fi; _fops_rc=\\$?; ${debugPostamble}"`;
 }
 
 /** Build remote "fops up [component] [branch]" args (same as local fops up). For foreground run on VM. */

package/src/plugins/bundled/fops-plugin-azure/lib/azure-ops.js

@@ -321,6 +321,71 @@ export async function azureTrinoStatus(opts = {}) {
   console.log("");
 }
 
+// ── ping ─────────────────────────────────────────────────────────────────────
+
+/**
+ * Check Foundation backend /api/ping/json health endpoint on a VM.
+ */
+export async function azurePing(opts = {}) {
+  const execa = await lazyExeca();
+  const state = requireVmState(opts.vmName);
+  const { vmName } = state;
+  const ip = state.publicIp;
+  const adminUser = DEFAULTS.adminUser;
+
+  if (!ip) {
+    console.log(WARN(`  VM ${vmName} has no public IP (probably stopped)`));
+    return;
+  }
+
+  await knockForVm(state);
+  const sshOk = await waitForSsh(execa, ip, adminUser, 10000);
+  if (!sshOk) {
+    console.log(WARN("\n  ⚠ SSH not reachable"));
+    return;
+  }
+
+  const pingToken = opts.token || process.env.FOPS_PING_TOKEN || "";
+  const tokenHeader = pingToken ? `-H "X-Ping-Token: ${pingToken}"` : "";
+  const { stdout, exitCode } = await sshCmd(execa, ip, adminUser,
+    `curl -sf ${tokenHeader} http://localhost:9001/api/ping/json 2>/dev/null || echo '{}'`,
+    15000,
+  );
+
+  let ping;
+  try {
+    ping = JSON.parse(stdout.trim() || "{}");
+  } catch {
+    console.log(ERR(`  Failed to parse ping response: ${stdout}`));
+    return;
+  }
+
+  banner(`Ping: ${vmName}`);
+
+  if (ping.ok === undefined) {
+    console.log(WARN("  No response from backend /api/ping/json"));
+    hint("Backend may be down or starting up");
+    console.log("");
+    return;
+  }
+
+  const overall = ping.ok ? OK("✓ healthy") : ERR("✗ unhealthy");
+  kvLine("Status", overall);
+  if (ping.tag) kvLine("Tag", DIM(ping.tag));
+
+  if (ping.checks) {
+    console.log("");
+    console.log(ACCENT("  Checks:"));
+    for (const [name, check] of Object.entries(ping.checks)) {
+      const status = check.ok ? OK("✓") : ERR("✗");
+      const latency = check.latency_ms !== undefined ? DIM(` (${check.latency_ms}ms)`) : "";
+      const err = check.error ? ERR(` — ${check.error}`) : "";
+      console.log(`    ${status} ${name}${latency}${err}`);
+    }
+  }
+  console.log("");
+}
+
 /**
  * Run VM diagnostics: show config versions, then run make download and print
  * full output so image-pull failures (e.g. after config versions change) can be diagnosed.
@@ -1295,6 +1360,41 @@ export async function azureList(opts = {}) {
     }
   } catch { /* az not available or not authenticated */ }
 
+  // Always discover AKS clusters from Azure (tag managed=fops)
+  try {
+    const execa = await lazyExeca();
+    const { writeClusterState } = await import("./azure-aks-state.js");
+    const { stdout, exitCode } = await execa("az", [
+      "aks", "list",
+      "--query", "[?tags.managed=='fops']",
+      "--output", "json",
+      ...subArgs(opts.subscription),
+    ], { timeout: 60000, reject: false });
+    if (exitCode === 0 && stdout?.trim()) {
+      const discovered = JSON.parse(stdout);
+      let added = 0;
+      for (const cl of discovered) {
+        if (aksClusters[cl.name]) continue;
+        writeClusterState(cl.name, {
+          resourceGroup: cl.resourceGroup,
+          location: cl.location,
+          kubernetesVersion: cl.kubernetesVersion,
+          fqdn: cl.fqdn,
+          nodeCount: cl.agentPoolProfiles?.reduce((s, p) => s + (p.count || 0), 0) || 0,
+          nodeVmSize: cl.agentPoolProfiles?.[0]?.vmSize || "unknown",
+          subscriptionId: cl.id?.split("/")[2],
+        });
+        added++;
+      }
+      if (added > 0) {
+        console.log(OK(`  ✓ Re-discovered ${added} AKS cluster(s) from Azure`) + DIM(" (tag managed=fops)\n"));
+        fullState = readState();
+        aksClusters = (fullState.azure || {}).clusters || {};
+        hasAks = Object.keys(aksClusters).length > 0;
+      }
+    }
+  } catch { /* az not available or AKS discovery failed */ }
+
   // JSON output mode - early return with structured data
   if (opts.json) {
     const output = {
@@ -1568,10 +1668,9 @@ export async function azureList(opts = {}) {
       const hasPrimary = primaryName && clusterNames.includes(primaryName);
       const prefix = isStandby && hasPrimary ? "  └─" : "";
       const dot = active ? OK("●") : DIM("○");
-      const displayName = isStandby && hasPrimary
-        ? `${cr.name} ${DIM("(HA standby)")}`
-        : cr.name;
-      const cNameTxt = active ? OK(displayName.padEnd(maxCName + 13)) : LABEL(displayName.padEnd(maxCName + 13));
+      const paddedName = cr.name.padEnd(maxCName);
+      const standbySuffix = isStandby && hasPrimary ? ` ${DIM("(HA standby)")}` : "";
+      const cNameTxt = active ? OK(paddedName) + standbySuffix : LABEL(paddedName) + standbySuffix;
       const loc = (cl?.location || cr.location || "–").padEnd(10);
       const nodes = cr.nodes != null ? `${cr.nodes} x ${cr.sizes || "?"}` : "–";
       const k8s = (cr.kubernetesVersion || "–").padEnd(6);
@@ -1640,12 +1739,19 @@ export function printServiceMatrix(results, nameWidth) {
   const withSvc = results.filter(r => r.services && Object.keys(r.services).length > 0);
   if (withSvc.length === 0) return;
 
+  // Resolve display value for a service entry (supports both string and {tag,sha} formats)
+  const svcVal = (entry) => {
+    if (!entry) return null;
+    if (typeof entry === "string") return entry;
+    return entry.sha || entry.tag || null;
+  };
+
   // Find the majority value per column to highlight drift
   const majority = {};
   for (const svc of SVC_ORDER) {
     const counts = {};
     for (const r of withSvc) {
-      const v = r.services?.[svc];
+      const v = svcVal(r.services?.[svc]);
       if (v) counts[v] = (counts[v] || 0) + 1;
     }
     const sorted = Object.entries(counts).sort((a, b) => b[1] - a[1]);
@@ -1660,7 +1766,7 @@ export function printServiceMatrix(results, nameWidth) {
   for (const r of withSvc) {
     const nameTxt = LABEL(r.name.padEnd(nameWidth));
     const cells = SVC_ORDER.map(svc => {
-      const v = r.services?.[svc] || "–";
+      const v = svcVal(r.services?.[svc]) || "–";
       const display = v.padEnd(colW);
       if (v === "–") return DIM(display);
       if (v !== majority[svc]) return WARN(display);
@@ -1671,7 +1777,7 @@ export function printServiceMatrix(results, nameWidth) {
 
   // Check for drift
   const hasDrift = SVC_ORDER.some(svc => {
-    const vals = withSvc.map(r => r.services?.[svc]).filter(Boolean);
+    const vals = withSvc.map(r => svcVal(r.services?.[svc])).filter(Boolean);
     return new Set(vals).size > 1;
   });
   if (hasDrift) {

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision-init.js

@@ -44,19 +44,26 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
     "apt-get install -y -qq apt-transport-https ca-certificates curl gnupg lsb-release jq git make unzip zsh software-properties-common python3-venv python3-pip",
   ].join("\n"), 300000);
 
-  await runScript("Installing Docker", [
+  const dockerExit = await runScript("Installing Docker", [
     waitAptLock,
     "export DEBIAN_FRONTEND=noninteractive",
     "install -m 0755 -d /etc/apt/keyrings",
-    "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg",
+    "curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --batch --yes --dearmor -o /etc/apt/keyrings/docker.gpg",
     "chmod a+r /etc/apt/keyrings/docker.gpg",
     `echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list`,
-    "apt-get update -qq",
-    "apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin",
+    "set +e",
+    "for _ in 1 2 3 4 5; do if apt-get update -qq && apt-get install -y -qq docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin; then break; fi; echo 'Retrying Docker install in 10s…'; sleep 10; done",
+    "set -e",
+    "command -v docker >/dev/null 2>&1 || (echo 'Docker not found after install attempts' && exit 1)",
     "systemctl enable docker && systemctl start docker",
     `usermod -aG docker ${adminUser}`,
   ].join("\n"), 300000);
 
+  if (dockerExit !== 0) {
+    console.log(WARN("  ✗ Docker installation failed — cannot continue provisioning"));
+    throw new Error("Docker installation failed");
+  }
+
   await runScript("Configuring br_netfilter for k3s DNS", [
     "modprobe br_netfilter",
     "echo br_netfilter > /etc/modules-load.d/br_netfilter.conf",
@@ -178,6 +185,8 @@ export async function provisionVm(execa, ip, adminUser, { githubToken, branch =
   Project dir:   /opt/foundation-compose
 
 MOTD`,
+    `grep -q 'cd /opt/foundation-compose' /home/${adminUser}/.bashrc 2>/dev/null || echo 'cd /opt/foundation-compose' >> /home/${adminUser}/.bashrc`,
+    `grep -q 'cd /opt/foundation-compose' /home/${adminUser}/.zshrc 2>/dev/null || echo 'cd /opt/foundation-compose' >> /home/${adminUser}/.zshrc`,
   ].join("\n"));
 
   await ssh("sudo apt-get clean && sudo rm -rf /var/lib/apt/lists/*", 30000);