@meshxdata/fops 0.1.58 → 0.1.60

package/CHANGELOG.md

@@ -2,6 +2,376 @@
 
 All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.
 
+## [0.1.60] - 2026-03-26
+
+- fix(provision): detect and repair broken submodule mounts from Docker (13269c5)
+- fix(provision): recheck Docker after install failure instead of blocking (d7bc11c)
+- bump cli vm lifecycle (a3521ac)
+- fix(k3s): remove minio123 fallback from sync-secrets (e185cb9)
+- fix: add frontend-prod profile to fopsUpCmd, FOUNDATION_ROOT always wins in rootDir (a412709)
+- bump storage (a1a5761)
+- restore all missing services (pgpool, exporters, grafana, etc), add loki to k3s profile, always activate loki profile in fops up (4e2744a)
+- fix: grafana alert-rules provisioning, ENVIRONMENT_NAME from --url, k3s secret sync, vm-sizes endpoint, project root resolution (9839052)
+- feat(azure): add 'fops azure reconcile <name>' command for VM drift fix (79ba6e2)
+- fix(otel,loki): remove duplicate spanmetrics dimensions, use .env for loki S3 creds (e3d1def)
+- fix(loki): pass S3 credentials from .env so loki works without vault-init (c57906d)
+- fix(azure): improve VM provisioning reliability (2ddd669)
+- cluster discovery (009257d)
+- feat(storage): add loki container to provisioning (898c544)
+- feat(azure): add ping command to check backend health (8336825)
+- operator cli bump 0.1.52 (f052cb5)
+- fix(doctor): set KUBECONFIG for k3s kubectl commands (db9359b)
+- fix(azure): move --landscape to test run command, not separate subcommand (4b9b089)
+- feat(azure): add test integration command with landscape support (b2990a0)
+- fix(fleet): skip VMs without public IPs in fleet exec (39acbaa)
+- feat(azure): detect and fix External Secrets identity issues (f907d11)
+- operator cli bump 0.1.51 (db55bdc)
+- feat: add postgres-exporter and Azure tray menu improvements (2a337ac)
+- operator cli plugin fix (4dae908)
+- operator cli plugin fix (25620cc)
+- operator cli test fixes (1d1c18f)
+- feat(test): add setup-users command for QA test user creation (b929507)
+- feat(aks): show HA standby clusters with visual grouping (8fb640c)
+- refactor(provision): extract VM provisioning to dedicated module (af321a7)
+- refactor(provision): extract post-start health checks to dedicated module (6ed5f2d)
+- fix: ping timeout 15s, fix prometheus sed escaping (d11ac14)
+- refactor(vm): extract terraform HCL generation to dedicated module (896a64b)
+- refactor(keyvault): extract key operations to dedicated module (716bbe4)
+- refactor(azure): extract swarm functions to azure-fleet-swarm.js (4690e34)
+- refactor(azure): extract SSH/remote functions to azure-ops-ssh.js (e62b8f0)
+- refactor(azure): split azure-ops.js into smaller modules (4515425)
+- feat(aks): add --ha flag for full cross-region HA setup (ece68c5)
+- feat(fops): inject ENVIRONMENT_NAME on VM provisioning (6ef2a27)
+- fix(postgres): disable SSL mode to fix connection issues (c789ae9)
+- feat(trino): add caching configuration for docker-compose (3668224)
+- fix(fops-azure): run pytest directly instead of missing scripts (29f8410)
+- add -d detach option for local frontend dev, remove hive cpu limits (3306667)
+- release 0.1.49 (dcca32b)
+- release 0.1.48 (9b195e5)
+- stash on updates (2916c01)
+- stash on updates (b5c14df)
+- stash on updates (d0453d1)
+- frontend dev fixes (0ca7b00)
+- fix: update azure test commands (77c81da)
+- default locust to CLI mode, add --web for UI (ca35bff)
+- add locust command for load testing AKS clusters (1278722)
+- update spot node pool default autoscaling to 1-20 (617c182)
+- module for aks (3dd1a61)
+- add hive to PG_SERVICE_DBS for fops pg-setup (afccb16)
+- feat(azure): enhance aks doctor with ExternalSecrets and PGSSLMODE checks (8b14861)
+- add foundation-postgres ExternalName service to reconciler (ea88e11)
+- new flux templates (0e2e372)
+- feat(azure): add storage-engine secrets to Key Vault (a4f488e)
+- feat(azure-aks): add AUTH0_DOMAIN to template rendering variables (216c37e)
+- feat(azure): add storage account creation per cluster (aa1b138)
+- bump watcher (ab24473)
+- fix: concurrent compute calls (#66) (03e2edf)
+- bump backend version (5058ff5)
+- bump fops to 0.1.44 (8c0ef5d)
+- Mlflow and azure plugin fix (176881f)
+- fix lifecycle (a2cb9e7)
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+
+## [0.1.59] - 2026-03-26
+
+- fix(k3s): remove minio123 fallback from sync-secrets (e185cb9)
+- fix: add frontend-prod profile to fopsUpCmd, FOUNDATION_ROOT always wins in rootDir (a412709)
+- bump storage (a1a5761)
+- restore all missing services (pgpool, exporters, grafana, etc), add loki to k3s profile, always activate loki profile in fops up (4e2744a)
+- fix: grafana alert-rules provisioning, ENVIRONMENT_NAME from --url, k3s secret sync, vm-sizes endpoint, project root resolution (9839052)
+- feat(azure): add 'fops azure reconcile <name>' command for VM drift fix (79ba6e2)
+- fix(otel,loki): remove duplicate spanmetrics dimensions, use .env for loki S3 creds (e3d1def)
+- fix(loki): pass S3 credentials from .env so loki works without vault-init (c57906d)
+- fix(azure): improve VM provisioning reliability (2ddd669)
+- cluster discovery (009257d)
+- feat(storage): add loki container to provisioning (898c544)
+- feat(azure): add ping command to check backend health (8336825)
+- operator cli bump 0.1.52 (f052cb5)
+- fix(doctor): set KUBECONFIG for k3s kubectl commands (db9359b)
+- fix(azure): move --landscape to test run command, not separate subcommand (4b9b089)
+- feat(azure): add test integration command with landscape support (b2990a0)
+- fix(fleet): skip VMs without public IPs in fleet exec (39acbaa)
+- feat(azure): detect and fix External Secrets identity issues (f907d11)
+- operator cli bump 0.1.51 (db55bdc)
+- feat: add postgres-exporter and Azure tray menu improvements (2a337ac)
+- operator cli plugin fix (4dae908)
+- operator cli plugin fix (25620cc)
+- operator cli test fixes (1d1c18f)
+- feat(test): add setup-users command for QA test user creation (b929507)
+- feat(aks): show HA standby clusters with visual grouping (8fb640c)
+- refactor(provision): extract VM provisioning to dedicated module (af321a7)
+- refactor(provision): extract post-start health checks to dedicated module (6ed5f2d)
+- fix: ping timeout 15s, fix prometheus sed escaping (d11ac14)
+- refactor(vm): extract terraform HCL generation to dedicated module (896a64b)
+- refactor(keyvault): extract key operations to dedicated module (716bbe4)
+- refactor(azure): extract swarm functions to azure-fleet-swarm.js (4690e34)
+- refactor(azure): extract SSH/remote functions to azure-ops-ssh.js (e62b8f0)
+- refactor(azure): split azure-ops.js into smaller modules (4515425)
+- feat(aks): add --ha flag for full cross-region HA setup (ece68c5)
+- feat(fops): inject ENVIRONMENT_NAME on VM provisioning (6ef2a27)
+- fix(postgres): disable SSL mode to fix connection issues (c789ae9)
+- feat(trino): add caching configuration for docker-compose (3668224)
+- fix(fops-azure): run pytest directly instead of missing scripts (29f8410)
+- add -d detach option for local frontend dev, remove hive cpu limits (3306667)
+- release 0.1.49 (dcca32b)
+- release 0.1.48 (9b195e5)
+- stash on updates (2916c01)
+- stash on updates (b5c14df)
+- stash on updates (d0453d1)
+- frontend dev fixes (0ca7b00)
+- fix: update azure test commands (77c81da)
+- default locust to CLI mode, add --web for UI (ca35bff)
+- add locust command for load testing AKS clusters (1278722)
+- update spot node pool default autoscaling to 1-20 (617c182)
+- module for aks (3dd1a61)
+- add hive to PG_SERVICE_DBS for fops pg-setup (afccb16)
+- feat(azure): enhance aks doctor with ExternalSecrets and PGSSLMODE checks (8b14861)
+- add foundation-postgres ExternalName service to reconciler (ea88e11)
+- new flux templates (0e2e372)
+- feat(azure): add storage-engine secrets to Key Vault (a4f488e)
+- feat(azure-aks): add AUTH0_DOMAIN to template rendering variables (216c37e)
+- feat(azure): add storage account creation per cluster (aa1b138)
+- bump watcher (ab24473)
+- fix: concurrent compute calls (#66) (03e2edf)
+- bump backend version (5058ff5)
+- bump fops to 0.1.44 (8c0ef5d)
+- Mlflow and azure plugin fix (176881f)
+- fix lifecycle (a2cb9e7)
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+
+# Changelog
+
+All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.
+
 ## [0.1.58] - 2026-03-26
 
 - bump storage (a1a5761)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.58",
+  "version": "0.1.60",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/commands/k3s-cmd.js

@@ -21,7 +21,7 @@ async function kubectlApply(execa, args) {
   if (apply.exitCode !== 0) throw new Error(`kubectl apply failed: ${apply.stderr}`);
 }
 
-async function syncSecrets(root) {
+export async function syncSecrets(root) {
   const { execa } = await import("execa");
   const { loadEnvFromFile } = await import("../utils/load-env.js");
 
@@ -38,7 +38,7 @@ async function syncSecrets(root) {
   // Load credentials from .env (same resolution as setup-kubernetes.sh)
   const env = loadEnvFromFile(path.join(root, ".env"));
   const s3Id = env.BOOTSTRAP_STORAGE_ACCESS_KEY || env.AUTH_IDENTITY || "minio";
-  const s3Pw = env.BOOTSTRAP_STORAGE_SECRET_KEY || env.AUTH_CREDENTIAL || "minio123";
+  const s3Pw = env.BOOTSTRAP_STORAGE_SECRET_KEY || env.AUTH_CREDENTIAL || "";
 
   console.log(DIM(`  Storage credentials: ${s3Id} / ${"*".repeat(Math.min(s3Pw.length, 8))}`));
 
@@ -84,7 +84,25 @@ async function syncSecrets(root) {
   ], { timeout: 10000, reject: false });
   console.log(OK(`  ✓ ${sparkSecretName} (with label)`));
 
-  console.log(OK("\n  ✓ All storage secrets synced to k3s"));
+  // 4. Update stale credentials in the database (public.secret table)
+  console.log(DIM("  Updating storage credentials in database..."));
+  const secretKeys = ["AWS_SECRET_ACCESS_KEY", "MY_S3_SECRET", "S3_SECRET", "S3_SECRET_KEY"];
+  const accessKeys = ["AWS_ACCESS_KEY_ID", "MY_S3_ACCESS", "S3_ACCESS", "S3_ACCESS_KEY"];
+  const updateSql = [
+    ...secretKeys.map(k => `UPDATE public.secret SET value = '${s3Pw.replace(/'/g, "''")}' WHERE key = '${k}' AND value != '${s3Pw.replace(/'/g, "''")}';`),
+    ...accessKeys.map(k => `UPDATE public.secret SET value = '${s3Id.replace(/'/g, "''")}' WHERE key = '${k}' AND value != '${s3Id.replace(/'/g, "''")}';`),
+  ].join("\n");
+  const dbResult = await execa("docker", [
+    "compose", "exec", "-T", "postgres",
+    "psql", "-U", "foundation", "-d", "foundation", "-c", updateSql,
+  ], { cwd: root, timeout: 15000, reject: false });
+  if (dbResult.exitCode === 0) {
+    console.log(OK("  ✓ Database secrets updated"));
+  } else {
+    console.log(WARN("  ⚠ Database secret update failed (postgres may not be running)"));
+  }
+
+  console.log(OK("\n  ✓ All storage secrets synced"));
 }
 
 export function registerK3sCommands(program) {

package/src/commands/lifecycle.js

@@ -1473,6 +1473,18 @@ async function runUp(program, registry, opts) {
   }
   console.log(chalk.green("\n  ✓ Foundation services started successfully!"));
 
+  // Sync storage secrets into k3s so Spark jobs use current credentials
+  if (hasK3s) {
+    try {
+      const { syncSecrets } = await import("./k3s-cmd.js");
+      console.log(chalk.dim("  Syncing storage secrets to k3s..."));
+      await syncSecrets(root);
+    } catch (err) {
+      console.log(chalk.yellow(`  ⚠ k3s secret sync failed: ${err.message}`));
+      console.log(chalk.dim("  Run manually: fops k3s sync-secrets"));
+    }
+  }
+
   // Start DAI services if requested
   if (opts.dai) {
     const daiRoot = path.join(root, "dai-compose");

package/src/plugins/bundled/fops-plugin-azure/lib/azure-helpers.js

@@ -830,7 +830,7 @@ export async function ensureOpenAiNetworkAccess(execa, publicIp, sub) {
 // ── Remote fops up command builder ──────────────────────────────────────────
 
 export function fopsUpCmd(publicUrl, { k3s, traefik, dai } = {}) {
-  const profiles = ["k3s", "traefik", "loki"];
+  const profiles = ["k3s", "traefik", "loki", "frontend-prod"];
   if (dai) profiles.push("dai");
 
   const profileEnv = `COMPOSE_PROFILES=${profiles.join(",")} `;

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision-health.js

@@ -158,22 +158,24 @@ export async function postStartChecks(execa, ip, adminUser, { maxWait = POSTGRES
   console.log(OK("  ✓ Postgres ready"));
 
   hint("Waiting for backend migrations…");
+  const MIGRATION_MAX_WAIT_MS = 300000; // 5 min — migrations can be slow after recovery or image pulls
+  const MIGRATION_POLL_INTERVAL_MS = 10000;
+  const MIGRATION_PROGRESS_INTERVAL_MS = 60000;
   const migStart = Date.now();
   let migReady = false;
-  while (Date.now() - migStart < 120000) {
+  let lastMigProgressAt = 0;
+  while (Date.now() - migStart < MIGRATION_MAX_WAIT_MS) {
     const { exitCode: migCheck } = await ssh(
       `cd /opt/foundation-compose && sudo docker compose exec -T postgres psql -U foundation -d foundation -c "SELECT 1 FROM \\"user\\" LIMIT 1" >/dev/null 2>&1`
     );
     if (migCheck === 0) { migReady = true; break; }
-    await new Promise((r) => setTimeout(r, 5000));
-  }
-  if (!migReady) {
-    hint("Retrying migration check in 30s…");
-    await new Promise((r) => setTimeout(r, 30000));
-    const { exitCode: retryCheck } = await ssh(
-      `cd /opt/foundation-compose && sudo docker compose exec -T postgres psql -U foundation -d foundation -c "SELECT 1 FROM \\"user\\" LIMIT 1" >/dev/null 2>&1`
-    );
-    if (retryCheck === 0) migReady = true;
+    const now = Date.now();
+    if (now - lastMigProgressAt >= MIGRATION_PROGRESS_INTERVAL_MS) {
+      const elapsed = Math.round((now - migStart) / 1000);
+      hint(`Still waiting for migrations… [${elapsed}s]`);
+      lastMigProgressAt = now;
+    }
+    await new Promise((r) => setTimeout(r, MIGRATION_POLL_INTERVAL_MS));
   }
   if (!migReady) {
     console.log(WARN("  ⚠ Migrations not complete — skipping grant-admin (schema not ready)"));

package/src/plugins/bundled/fops-plugin-azure/lib/azure-provision.js

@@ -95,8 +95,15 @@ export async function configureVm(execa, ip, user, publicUrl, { githubToken, k3s
     if (installExit === 0) {
       if (!quiet) console.log(chalk.green("  ✓ Docker installed"));
     } else {
-      console.log(chalk.red("  ✗ Docker installation failed — container operations will not work"));
-      console.log(chalk.dim(`    SSH in and check: ssh ${user}@${ip} "sudo apt-get install -y docker-ce"`));
+      // apt can fail due to lock conflicts with cloud-init but Docker may have installed anyway
+      const { exitCode: recheck } = await ssh("sudo docker info >/dev/null 2>&1");
+      if (recheck === 0) {
+        if (!quiet) console.log(chalk.yellow("  ⚠ Docker install had warnings but Docker is working"));
+      } else {
+        console.log(chalk.red("  ✗ Docker installation failed — cannot continue provisioning"));
+        console.log(chalk.dim(`    SSH in and check: ssh ${user}@${ip} "sudo apt-get install -y docker-ce"`));
+        throw new Error("Docker installation failed");
+      }
     }
   }
 
@@ -1281,6 +1288,18 @@ async function vmReconcileRepo(ctx) {
 
   const { stdout: exists } = await ssh("[ -d /opt/foundation-compose/.git ] && echo yes || echo no");
   if (exists?.trim() === "yes") {
+    // Fix broken submodule mounts: Docker creates empty dirs when bind-mounting missing files.
+    // Detect and repair: if a submodule dir exists but is empty or has no real files, re-init it.
+    const checkSubs = "cd /opt/foundation-compose && for d in foundation-backend foundation-frontend foundation-watcher foundation-processor foundation-scheduler foundation-storage-engine; do [ -d $d ] && [ ! -f $d/pyproject.toml ] && [ ! -f $d/package.json ] && [ ! -f $d/Makefile ] && echo $d; done";
+    const { stdout: brokenSubs } = await ssh(checkSubs);
+    const broken = (brokenSubs || "").trim().split("\n").filter(Boolean);
+    if (broken.length > 0) {
+      console.log(chalk.yellow(`  ↻ Fixing ${broken.length} broken submodule(s): ${broken.join(", ")}`));
+      for (const sub of broken) {
+        await ssh(`cd /opt/foundation-compose && sudo rm -rf ${sub} && git checkout ${sub} && git submodule update --init --recursive --depth 1 ${sub}`, 60000);
+      }
+      await ssh("sudo chown -R azureuser:azureuser /opt/foundation-compose");
+    }
     reconcileOk("Repository", "/opt/foundation-compose");
     return;
   }

package/src/plugins/bundled/fops-plugin-azure/lib/azure-service.js

@@ -47,6 +47,8 @@ export class AzureService {
       publicIp: vm.publicIp,
       publicUrl: vm.publicUrl,
       subscriptionId: vm.subscriptionId,
+      vmSize: vm.vmSize || null,
+      image: vm.image || null,
       active: name === activeVm,
       createdAt: vm.createdAt || vm.discoveredAt || null,
     }));

package/src/plugins/bundled/fops-plugin-azure/lib/azure-vm-lifecycle.js

@@ -263,7 +263,7 @@ export async function azureUp(opts = {}) {
 
   // Persist IP immediately so it's never lost if later steps fail or user Ctrl+C's
   const publicUrl = opts.url || defaultUrl;
-  writeVmState(vmName, { resourceGroup: rg, location, publicIp, publicUrl, subscriptionId: subId, createdAt: new Date().toISOString() });
+  writeVmState(vmName, { resourceGroup: rg, location, publicIp, publicUrl, subscriptionId: subId, vmSize, image, createdAt: new Date().toISOString() });
 
   hint("Enabling accelerated networking…");
   const nicName = `${vmName}VMNic`;

package/src/plugins/bundled/fops-plugin-cloud/api.js

@@ -337,13 +337,13 @@ export function createCloudApi(registry) {
 
   app.get("/vm-sizes", (c) => {
     return c.json([
-      "Standard_D4s_v5",
-      "Standard_D8s_v5",
-      "Standard_D16s_v5",
-      "Standard_D32s_v5",
-      "Standard_D48s_v5",
-      "Standard_D64s_v5",
-      "Standard_D96s_v5",
+      "Standard_D2s_v3",
+      "Standard_D4s_v3",
+      "Standard_D8s_v3",
+      "Standard_D16s_v3",
+      "Standard_D32s_v3",
+      "Standard_D48s_v3",
+      "Standard_D64s_v3",
     ]);
   });
 

package/src/project.js

@@ -41,14 +41,19 @@ function saveProjectRoot(root) {
 }
 
 export function rootDir(cwd = process.cwd()) {
-
-  // Check FOUNDATION_ROOT env var first (explicit override)
+  // FOUNDATION_ROOT always wins — explicit override
   const envRoot = process.env.FOUNDATION_ROOT;
   if (envRoot && isFoundationRoot(envRoot)) {
     return path.resolve(envRoot);
   }
 
-  // Check ~/.fops.json for saved project root (projectRoot or foundationRoot)
+  const dir = path.resolve(cwd);
+  if (isFoundationRoot(dir)) {
+    saveProjectRoot(dir);
+    return dir;
+  }
+
+  // Fallback: ~/.fops.json saved project root
   try {
     const fopsConfig = JSON.parse(fs.readFileSync(path.join(os.homedir(), ".fops.json"), "utf8"));
     const configRoot = fopsConfig.foundationRoot || fopsConfig.projectRoot;
@@ -57,12 +62,6 @@ export function rootDir(cwd = process.cwd()) {
     }
   } catch {}
 
-  const dir = path.resolve(cwd);
-  if (isFoundationRoot(dir)) {
-    saveProjectRoot(dir);
-    return dir;
-  }
-
   // Look one level down — e.g. cwd is ~/code/foundation, find foundation-compose/ inside
   try {
     const entries = fs.readdirSync(dir, { withFileTypes: true });