@meshxdata/fops 0.1.36 → 0.1.37

package/src/plugins/bundled/fops-plugin-azure/lib/commands/infra-cmds.js

@@ -0,0 +1,890 @@
+/**
+ * Infrastructure commands: storage, openai, keyvault, AKS, embed index.
+ */
+import chalk from "chalk";
+import { resolveRemoteAuth, suppressTlsWarning } from "../azure-auth.js";
+import { parsePytestSummary, parsePytestDurations } from "../pytest-parse.js";
+
+export function registerInfraCommands(azure) {
+  // ── Storage (blob management) ──────────────────────────────────────────
+
+  const storage = azure
+    .command("storage")
+    .description("Manage Azure Blob Storage accounts, containers, and blobs");
+
+  storage
+    .command("accounts")
+    .description("List storage accounts")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { storageList } = await import("../azure-storage.js");
+      await storageList({ profile: opts.profile });
+    });
+
+  storage
+    .command("create <name>")
+    .description("Create a new storage account")
+    .option("--resource-group <name>", "Resource group (lists available if omitted)")
+    .requiredOption("--location <region>", "Azure region (e.g. eastus, westeurope, uaenorth)")
+    .option("--sku <sku>", "Replication SKU (default: Standard_LRS)", "Standard_LRS")
+    .option("--kind <kind>", "Account kind (default: StorageV2)", "StorageV2")
+    .option("--infra-encryption", "Enable infrastructure (double) encryption")
+    .option("--tags <tags>", "Space-separated tags: key1=val1 key2=val2")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { storageCreate } = await import("../azure-storage.js");
+      await storageCreate({
+        name, resourceGroup: opts.resourceGroup, location: opts.location,
+        sku: opts.sku, kind: opts.kind, infraEncryption: opts.infraEncryption,
+        tags: opts.tags, profile: opts.profile,
+      });
+    });
+
+  const containers = storage
+    .command("container")
+    .description("Manage blob containers");
+
+  containers
+    .command("list")
+    .description("List containers in a storage account")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { containerList } = await import("../azure-storage.js");
+      await containerList({ account: opts.account, profile: opts.profile });
+    });
+
+  containers
+    .command("create <name>")
+    .description("Create a new container")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { containerCreate } = await import("../azure-storage.js");
+      await containerCreate({ account: opts.account, name, profile: opts.profile });
+    });
+
+  containers
+    .command("delete <name>")
+    .description("Delete a container (asks for confirmation)")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { containerDelete } = await import("../azure-storage.js");
+      await containerDelete({ account: opts.account, name, profile: opts.profile });
+    });
+
+  const blob = storage
+    .command("blob")
+    .description("Manage blobs in a container");
+
+  blob
+    .command("list")
+    .description("List blobs in a container")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .requiredOption("--container <name>", "Container name")
+    .option("--prefix <prefix>", "Filter by blob name prefix")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { blobList } = await import("../azure-storage.js");
+      await blobList({ account: opts.account, container: opts.container, prefix: opts.prefix, profile: opts.profile });
+    });
+
+  blob
+    .command("upload <file>")
+    .description("Upload a file as a blob")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .requiredOption("--container <name>", "Container name")
+    .option("--name <blob-name>", "Blob name (default: filename)")
+    .option("--overwrite", "Overwrite existing blob")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (file, opts) => {
+      const { blobUpload } = await import("../azure-storage.js");
+      await blobUpload({ account: opts.account, container: opts.container, file, name: opts.name, overwrite: opts.overwrite, profile: opts.profile });
+    });
+
+  blob
+    .command("download <name>")
+    .description("Download a blob to a local file")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .requiredOption("--container <name>", "Container name")
+    .option("--dest <path>", "Local destination path (default: blob filename)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { blobDownload } = await import("../azure-storage.js");
+      await blobDownload({ account: opts.account, container: opts.container, name, dest: opts.dest, profile: opts.profile });
+    });
+
+  blob
+    .command("delete <name>")
+    .description("Delete a blob (asks for confirmation)")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .requiredOption("--container <name>", "Container name")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { blobDelete } = await import("../azure-storage.js");
+      await blobDelete({ account: opts.account, container: opts.container, name, profile: opts.profile });
+    });
+
+  blob
+    .command("url <name>")
+    .description("Generate a temporary SAS URL for a blob")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .requiredOption("--container <name>", "Container name")
+    .option("--expiry <hours>", "Link expiry in hours (default: 24)", "24")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { blobUrl } = await import("../azure-storage.js");
+      await blobUrl({ account: opts.account, container: opts.container, name, expiry: opts.expiry, profile: opts.profile });
+    });
+
+  const encryption = storage
+    .command("encryption")
+    .description("Show or configure storage account encryption settings");
+
+  encryption
+    .command("show", { isDefault: true })
+    .description("Show encryption posture for a storage account")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { storageEncryption } = await import("../azure-storage.js");
+      await storageEncryption({ account: opts.account, profile: opts.profile });
+    });
+
+  encryption
+    .command("configure")
+    .description("Configure encryption and security settings")
+    .option("--account <name>", "Storage account (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--https-only", "Enforce HTTPS-only traffic")
+    .option("--min-tls <version>", "Minimum TLS version (TLS1_0, TLS1_1, TLS1_2)")
+    .option("--disable-shared-key", "Disable shared key auth (force AAD-only)")
+    .option("--enable-shared-key", "Re-enable shared key auth")
+    .option("--cmk", "Use customer-managed key (requires --key-vault, --key-name)")
+    .option("--key-vault <uri>", "Key Vault URI for CMK")
+    .option("--key-name <name>", "Key name in Key Vault")
+    .option("--key-version <version>", "Key version (default: latest)")
+    .option("--microsoft-keys", "Revert to Microsoft-managed keys")
+    .option("--infra-encryption", "Check/recommend infrastructure (double) encryption")
+    .option("--soft-delete <days>", "Enable blob soft delete (0 to disable)")
+    .option("--versioning", "Enable blob versioning")
+    .option("--no-versioning", "Disable blob versioning")
+    .option("--disable-blob-public", "Block anonymous read access on all containers")
+    .option("--deny-public-access", "Firewall: deny all networks except allowed IPs/VNets")
+    .option("--allow-public-access", "Firewall: allow all networks (remove restriction)")
+    .action(async (opts) => {
+      const { storageEncryptionConfigure } = await import("../azure-storage.js");
+      await storageEncryptionConfigure({
+        account: opts.account, profile: opts.profile,
+        httpsOnly: opts.httpsOnly, minTls: opts.minTls,
+        disableSharedKey: opts.disableSharedKey, enableSharedKey: opts.enableSharedKey,
+        cmk: opts.cmk, keyVault: opts.keyVault, keyName: opts.keyName, keyVersion: opts.keyVersion,
+        microsoftKeys: opts.microsoftKeys, infraEncryption: opts.infraEncryption,
+        softDelete: opts.softDelete, versioning: opts.versioning,
+        disableBlobPublic: opts.disableBlobPublic,
+        denyPublicAccess: opts.denyPublicAccess, allowPublicAccess: opts.allowPublicAccess,
+      });
+    });
+
+  // ── Azure OpenAI ───────────────────────────────────────────────────────
+
+  const openai = azure
+    .command("openai")
+    .description("Create/list Azure OpenAI resources (e.g. in uaenorth so VMs can use them)");
+
+  openai
+    .command("list", { isDefault: true })
+    .description("List Azure OpenAI resources in the subscription")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { openaiList } = await import("../azure-openai.js");
+      await openaiList({ profile: opts.profile });
+    });
+
+  openai
+    .command("create <name>")
+    .description("Create an Azure OpenAI resource in a region (default: uaenorth)")
+    .requiredOption("--resource-group <name>", "Resource group (create with: az group create --name <name> --location uaenorth)")
+    .option("--location <region>", "Azure region (default: uaenorth)", "uaenorth")
+    .option("--sku <sku>", "SKU (default: S0)", "S0")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { openaiCreate } = await import("../azure-openai.js");
+      await openaiCreate({
+        name,
+        resourceGroup: opts.resourceGroup,
+        location: opts.location,
+        sku: opts.sku,
+        profile: opts.profile,
+      });
+    });
+
+  openai
+    .command("allowlist-me")
+    .description("Add an IP to Azure OpenAI resource allowlists (uses az cli)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--all", "Allowlist on every OpenAI/AIServices resource across all subscriptions")
+    .option("--name <resource>", "Target a specific Azure OpenAI resource by name")
+    .option("--resource-group <rg>", "Resource group (auto-detected if omitted)")
+    .option("--ip <address>", "IP address to allowlist (auto-detected if omitted)")
+    .action(async (opts) => {
+      const { openaiAllowlistMe } = await import("../azure-openai.js");
+      await openaiAllowlistMe({
+        profile: opts.profile,
+        all: opts.all,
+        name: opts.name,
+        resourceGroup: opts.resourceGroup,
+        ip: opts.ip,
+      });
+    });
+
+  openai
+    .command("debug-vm [vmName] [run]")
+    .description("Run a single agent request on the VM with DEBUG=1 to capture Azure OpenAI connection errors")
+    .option("--vm-name <name>", "Target VM (default: active VM)")
+    .option("--agent <name>", "Agent name (default: foundation)", "foundation")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (vmName, _run, opts) => {
+      const name = vmName === "run" ? undefined : (vmName || opts.vmName);
+      const { azureOpenAiDebugVm } = await import("../azure.js");
+      await azureOpenAiDebugVm({
+        vmName: name,
+        agent: opts.agent,
+        profile: opts.profile,
+      });
+    });
+
+  // ── Key Vault ──────────────────────────────────────────────────────────
+
+  const keyvault = azure
+    .command("keyvault")
+    .description("Manage Azure Key Vaults and secrets");
+
+  keyvault
+    .command("list", { isDefault: true })
+    .description("List Key Vaults in the subscription")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { keyvaultList } = await import("../azure-keyvault.js");
+      await keyvaultList({ profile: opts.profile });
+    });
+
+  keyvault
+    .command("show")
+    .description("Show Key Vault details and object counts")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { keyvaultShow } = await import("../azure-keyvault.js");
+      await keyvaultShow({ vault: opts.vault, profile: opts.profile });
+    });
+
+  keyvault
+    .command("create <name>")
+    .description("Create a new Key Vault")
+    .option("--resource-group <name>", "Resource group (lists available if omitted)")
+    .requiredOption("--location <region>", "Azure region (e.g. eastus, westeurope, uaenorth)")
+    .option("--sku <sku>", "SKU: standard or premium (default: standard)", "standard")
+    .option("--enable-purge-protection", "Enable purge protection (irreversible)")
+    .option("--retention-days <days>", "Soft-delete retention days (default: 90)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { keyvaultCreate } = await import("../azure-keyvault.js");
+      await keyvaultCreate({
+        name, resourceGroup: opts.resourceGroup, location: opts.location,
+        sku: opts.sku, enablePurgeProtection: opts.enablePurgeProtection,
+        retentionDays: opts.retentionDays, profile: opts.profile,
+      });
+    });
+
+  keyvault
+    .command("delete")
+    .description("Delete a Key Vault (soft-delete)")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--purge", "Permanently purge after deletion (requires purge protection off)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { keyvaultDelete } = await import("../azure-keyvault.js");
+      await keyvaultDelete({ vault: opts.vault, purge: opts.purge, profile: opts.profile });
+    });
+
+  keyvault
+    .command("sync")
+    .description("Pull secrets from Key Vault into .env files (reads .env.keyvault templates)")
+    .option("--vault <name>", "Override default vault for all references")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { keyvaultSync } = await import("../azure-keyvault.js");
+      await keyvaultSync({ vault: opts.vault, profile: opts.profile });
+    });
+
+  keyvault
+    .command("setup")
+    .description("Interactive setup: pick vault, set auto-sync, scaffold .env.keyvault templates")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { keyvaultSetup } = await import("../azure-keyvault.js");
+      await keyvaultSetup({ profile: opts.profile });
+    });
+
+  keyvault
+    .command("status")
+    .description("Show Key Vault sync status: auth, config, discovered templates")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { keyvaultStatus } = await import("../azure-keyvault.js");
+      await keyvaultStatus({ profile: opts.profile });
+    });
+
+  const kvSecret = keyvault
+    .command("secret")
+    .description("Manage secrets in a Key Vault");
+
+  kvSecret
+    .command("list", { isDefault: true })
+    .description("List secrets in a Key Vault")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--include-managed", "Include managed (certificate-linked) secrets")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { secretList } = await import("../azure-keyvault.js");
+      await secretList({ vault: opts.vault, includeManaged: opts.includeManaged, profile: opts.profile });
+    });
+
+  kvSecret
+    .command("show <name>")
+    .description("Show secret metadata (add --show-value to reveal)")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--version <version>", "Specific secret version (default: latest)")
+    .option("--show-value", "Display the secret value")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { secretShow } = await import("../azure-keyvault.js");
+      await secretShow({ vault: opts.vault, name, version: opts.version, showValue: opts.showValue, profile: opts.profile });
+    });
+
+  kvSecret
+    .command("set <name>")
+    .description("Set a secret value (creates or updates)")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--value <value>", "Secret value (use --file for binary/large)")
+    .option("--file <path>", "Read secret value from a file")
+    .option("--content-type <type>", "Content type (e.g. text/plain, application/json)")
+    .option("--expires <datetime>", "Expiration date (ISO 8601)")
+    .option("--disabled", "Create the secret in disabled state")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { secretSet } = await import("../azure-keyvault.js");
+      await secretSet({
+        vault: opts.vault, name, value: opts.value, file: opts.file,
+        contentType: opts.contentType, expires: opts.expires,
+        disabled: opts.disabled, profile: opts.profile,
+      });
+    });
+
+  kvSecret
+    .command("delete <name>")
+    .description("Delete a secret (soft-delete, recoverable)")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { secretDelete } = await import("../azure-keyvault.js");
+      await secretDelete({ vault: opts.vault, name, profile: opts.profile });
+    });
+
+  const kvKey = keyvault
+    .command("key")
+    .description("Manage cryptographic keys in a Key Vault");
+
+  kvKey
+    .command("list", { isDefault: true })
+    .description("List keys in a Key Vault")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { keyList } = await import("../azure-keyvault.js");
+      await keyList({ vault: opts.vault, profile: opts.profile });
+    });
+
+  kvKey
+    .command("show <name>")
+    .description("Show key details and rotation policy")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { keyShow } = await import("../azure-keyvault.js");
+      await keyShow({ vault: opts.vault, name, profile: opts.profile });
+    });
+
+  kvKey
+    .command("create <name>")
+    .description("Create a key with optional auto-rotation policy")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--type <kty>", "Key type: RSA, RSA-HSM, EC, EC-HSM, oct, oct-HSM (default: RSA)", "RSA")
+    .option("--size <bits>", "RSA key size: 2048, 3072, 4096 (default: 2048)", "2048")
+    .option("--curve <curve>", "EC curve: P-256, P-384, P-521 (default: P-256)")
+    .option("--ops <operations>", "Space-separated key operations (encrypt decrypt sign verify wrapKey unwrapKey)")
+    .option("--rotate-every <duration>", "Auto-rotation interval as ISO 8601 duration (e.g. P90D, P6M, P1Y)")
+    .option("--expires-in <duration>", "Key expiry as ISO 8601 duration (e.g. P1Y, P2Y)")
+    .option("--notify-before <duration>", "Notify before expiry (default: P30D)")
+    .option("--disabled", "Create the key in disabled state")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { keyCreate } = await import("../azure-keyvault.js");
+      await keyCreate({
+        vault: opts.vault, name, type: opts.type, size: opts.size,
+        curve: opts.curve, ops: opts.ops, rotateEvery: opts.rotateEvery,
+        expiresIn: opts.expiresIn, notifyBefore: opts.notifyBefore,
+        disabled: opts.disabled, profile: opts.profile,
+      });
+    });
+
+  kvKey
+    .command("rotate <name>")
+    .description("Rotate a key on-demand (creates a new version)")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { keyRotate } = await import("../azure-keyvault.js");
+      await keyRotate({ vault: opts.vault, name, profile: opts.profile });
+    });
+
+  const kvRotationPolicy = kvKey
+    .command("rotation-policy")
+    .description("Manage key auto-rotation policy");
+
+  kvRotationPolicy
+    .command("show <name>")
+    .description("Show the rotation policy for a key")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { keyRotationPolicyShow } = await import("../azure-keyvault.js");
+      await keyRotationPolicyShow({ vault: opts.vault, name, profile: opts.profile });
+    });
+
+  kvRotationPolicy
+    .command("set <name>")
+    .description("Set auto-rotation policy for a key")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .requiredOption("--rotate-every <duration>", "Rotation interval (ISO 8601: P30D, P90D, P6M, P1Y)")
+    .option("--expires-in <duration>", "Key expiry duration (ISO 8601: P1Y, P2Y)")
+    .option("--notify-before <duration>", "Notify before expiry (default: P30D)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { keyRotationPolicySet } = await import("../azure-keyvault.js");
+      await keyRotationPolicySet({
+        vault: opts.vault, name, rotateEvery: opts.rotateEvery,
+        expiresIn: opts.expiresIn, notifyBefore: opts.notifyBefore,
+        profile: opts.profile,
+      });
+    });
+
+  // ── AKS (Azure Kubernetes Service) ────────────────────────────────────
+
+  const aks = azure
+    .command("aks")
+    .description("Manage Foundation on AKS clusters (bootstrapped via Flux)");
+
+  aks
+    .command("up [name]")
+    .description("Create an AKS cluster, create GHCR pull secret, and bootstrap Flux (meshxdata/flux)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--location <region>", "Azure region (default: uaenorth)")
+    .option("--node-count <count>", "Initial node count (default: 3)")
+    .option("--min-count <count>", "Autoscaler min nodes (default: 1)")
+    .option("--max-count <count>", "Autoscaler max nodes (default: 5)")
+    .option("--node-vm-size <size>", "Node VM size (default: Standard_D8s_v3)")
+    .option("--kubernetes-version <version>", "K8s version (default: 1.30)")
+    .option("--tier <tier>", "AKS tier: free | standard | premium (default: standard)")
+    .option("--network-plugin <plugin>", "Network plugin: azure | kubenet (default: azure)")
+    .option("--max-pods <count>", "Max pods per node (default: 110)")
+    .option("--resource-group <name>", "Resource group (default: foundation-aks-rg)")
+    .option("--flux-repo <repo>", "GitHub repo for Flux (default: flux)")
+    .option("--flux-owner <owner>", "GitHub owner/org for Flux (default: meshxdata)")
+    .option("--flux-path <path>", "Path in repo for cluster manifests (default: clusters/<name>)")
+    .option("--flux-branch <branch>", "Git branch for Flux (default: main)")
+    .option("--github-token <token>", "GitHub PAT for Flux + GHCR pull (default: $GITHUB_TOKEN)")
+    .option("--no-flux", "Skip Flux bootstrap")
+    .option("--no-postgres", "Skip Postgres Flexible Server provisioning")
+    .option("--dai", "Include DAI (Dashboards AI) workloads")
+    .action(async (name, opts) => {
+      const { aksUp } = await import("../azure-aks.js");
+      await aksUp({
+        clusterName: name, profile: opts.profile, location: opts.location,
+        nodeCount: opts.nodeCount ? Number(opts.nodeCount) : undefined,
+        minCount: opts.minCount ? Number(opts.minCount) : undefined,
+        maxCount: opts.maxCount ? Number(opts.maxCount) : undefined,
+        nodeVmSize: opts.nodeVmSize, kubernetesVersion: opts.kubernetesVersion,
+        tier: opts.tier, networkPlugin: opts.networkPlugin, maxPods: opts.maxPods ? Number(opts.maxPods) : undefined,
+        resourceGroup: opts.resourceGroup,
+        fluxRepo: opts.fluxRepo, fluxOwner: opts.fluxOwner,
+        fluxPath: opts.fluxPath, fluxBranch: opts.fluxBranch,
+        githubToken: opts.githubToken,
+        noFlux: opts.flux === false,
+        noPostgres: opts.postgres === false,
+        dai: opts.dai === true,
+      });
+    });
+
+  aks
+    .command("down [name]")
+    .description("Destroy the AKS cluster and all workloads")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--yes", "Skip confirmation prompt")
+    .action(async (name, opts) => {
+      const { aksDown } = await import("../azure-aks.js");
+      await aksDown({ clusterName: name, profile: opts.profile, yes: opts.yes });
+    });
+
+  aks
+    .command("list")
+    .description("List all tracked AKS clusters")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { aksList } = await import("../azure-aks.js");
+      await aksList({ profile: opts.profile });
+    });
+
+  aks
+    .command("status [name]")
+    .description("Show cluster state, node pools, and Flux health")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { aksStatus } = await import("../azure-aks.js");
+      await aksStatus({ clusterName: name, profile: opts.profile });
+    });
+
+  const aksConfig = aks
+    .command("config")
+    .description("Manage service versions on the AKS cluster");
+
+  aksConfig
+    .command("versions [name]", { isDefault: true })
+    .description("Show Foundation service image tags running on the cluster")
+    .action(async (name) => {
+      const { aksConfigVersions } = await import("../azure-aks.js");
+      await aksConfigVersions({ clusterName: name });
+    });
+
+  aks
+    .command("terraform [name]")
+    .description("Generate Terraform HCL for the AKS cluster and its resources")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--output <file>", "Write HCL to a file instead of stdout")
+    .action(async (name, opts) => {
+      const { aksTerraform } = await import("../azure-aks.js");
+      await aksTerraform({ clusterName: name, profile: opts.profile, output: opts.output });
+    });
+
+  aks
+    .command("test [name]")
+    .description("Run QA automation tests locally against an AKS cluster")
+    .action(async (name) => {
+      const { readClusterState, writeClusterState, clusterDomain } = await import("../azure-aks.js");
+      const { resolveCliSrc } = await import("../azure-helpers.js");
+      const { rootDir } = await import(resolveCliSrc("project.js"));
+      const fsp = await import("node:fs/promises");
+      const path = await import("node:path");
+
+      const cluster = readClusterState(name);
+      if (!cluster?.clusterName) {
+        console.error(chalk.red(`\n  No AKS cluster tracked: "${name || "(none active)"}"`));
+        console.error(chalk.dim("  Create one:  fops azure aks up <name>\n"));
+        process.exit(1);
+      }
+
+      const domain = cluster.domain || clusterDomain(cluster.clusterName);
+      const baseUrl = `https://${domain}`;
+      const apiUrl = `${baseUrl}/api`;
+
+      const root = rootDir();
+      if (!root) {
+        console.error(chalk.red("\n  Foundation project root not found. Run from the compose repo or set FOUNDATION_ROOT.\n"));
+        process.exit(1);
+      }
+
+      const qaDir = path.join(root, "foundation-qa-automation");
+      try { await fsp.access(qaDir); } catch {
+        console.error(chalk.red("\n  foundation-qa-automation/ not found in project root."));
+        console.error(chalk.dim("  Run: git submodule update --init\n"));
+        process.exit(1);
+      }
+
+      const { execa: execaFn } = await import("execa");
+
+      // For AKS: use a tracked VM for SSH fallback
+      const { listVms: lv, sshCmd: sc, knockForVm: kfv } = await import("../azure.js");
+      const { vms: allVms } = lv();
+      const vmEntry = Object.entries(allVms).find(([, v]) => v.publicIp);
+
+      console.log(chalk.dim(`  Authenticating against ${apiUrl}…`));
+      const auth = await resolveRemoteAuth({
+        apiUrl,
+        ip: vmEntry?.[1]?.publicIp,
+        vmState: vmEntry?.[1],
+        execaFn, sshCmd: sc, knockForVm: kfv, suppressTlsWarning,
+      });
+      let { bearerToken, qaUser, qaPass, useTokenMode } = auth;
+
+      if (!bearerToken && !qaUser) {
+        console.error(chalk.red("\n  No credentials found (local or remote)."));
+        console.error(chalk.dim("  Set BEARER_TOKEN or QA_USERNAME/QA_PASSWORD in env or ~/.fops.json\n"));
+        process.exit(1);
+      }
+
+      // Write QA .env
+      const envPath = path.join(qaDir, ".env");
+      const examplePath = path.join(qaDir, ".env.example");
+      let envContent;
+      try { envContent = await fsp.readFile(examplePath, "utf8"); } catch {
+        envContent = await fsp.readFile(envPath, "utf8").catch(() => "");
+      }
+      const setVar = (content, key, value) => {
+        const re = new RegExp(`^${key}=.*`, "m");
+        return re.test(content) ? content.replace(re, `${key}=${value}`) : content + `\n${key}=${value}`;
+      };
+      envContent = setVar(envContent, "API_URL", apiUrl);
+      envContent = setVar(envContent, "DEV_API_URL", apiUrl);
+      envContent = setVar(envContent, "LIVE_API_URL", apiUrl);
+      envContent = setVar(envContent, "QA_USERNAME", qaUser);
+      envContent = setVar(envContent, "QA_PASSWORD", qaPass);
+      envContent = setVar(envContent, "QA_X_ACCOUNT", "root");
+      envContent = setVar(envContent, "ADMIN_USERNAME", qaUser);
+      envContent = setVar(envContent, "ADMIN_PASSWORD", qaPass);
+      envContent = setVar(envContent, "ADMIN_X_ACCOUNT", "root");
+      envContent = setVar(envContent, "CDO_USERNAME", qaUser);
+      envContent = setVar(envContent, "CDO_PASSWORD", qaPass);
+      envContent = setVar(envContent, "CDO_X_ACCOUNT", "root");
+      envContent = setVar(envContent, "OWNER_EMAIL", qaUser);
+      envContent = setVar(envContent, "OWNER_NAME", "Foundation Operator");
+      if (bearerToken) {
+        envContent = setVar(envContent, "BEARER_TOKEN", bearerToken);
+        envContent = setVar(envContent, "TOKEN_AUTH0", bearerToken);
+      }
+      await fsp.writeFile(envPath, envContent);
+      console.log(chalk.green(`  ✓ Configured QA .env → ${apiUrl}`));
+
+      // Ensure venv + deps
+      try { await fsp.access(path.join(qaDir, "venv")); } catch {
+        console.log(chalk.cyan("  Setting up QA automation environment…"));
+        await execaFn("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
+        await execaFn("bash", ["-c", "source venv/bin/activate && pip install -r requirements.txt && playwright install"], { cwd: qaDir, stdio: "inherit" });
+      }
+
+      const authMode = useTokenMode ? "bearer token (--use-token)" : `user/pass (${qaUser})`;
+      console.log(chalk.cyan(`\n  Running QA tests against AKS ${cluster.clusterName} (${baseUrl}) [${authMode}]…\n`));
+      const pytestArgsList = [
+        "tests/",
+        "--env", "staging",
+        "--role", "FOUNDATION_ADMIN",
+        "--numprocesses=0",
+        "-v",
+        "--durations=0",
+        "--html=./playwright-report/report.html",
+        "--self-contained-html",
+        "--ignore=tests/e2e/landscape",
+        "--ignore=tests/e2e/procedures",
+        "--ignore=tests/e2e/upload_file_s3",
+        "--ignore=tests/roles",
+        "--ignore=tests/unit/data_product/test_data_product_consumers_v2.py",
+        "--ignore=tests/unit/data_product/test_data_product_query.py",
+        "--ignore=tests/unit/data_product/test_data_product_quality_v2.py",
+        "--ignore=tests/unit/data_product/test_data_product_schema_v2.py",
+      ];
+      if (useTokenMode) pytestArgsList.push("--use-token");
+      const pytestArgs = pytestArgsList.join(" ");
+
+      const testEnv = {
+        ...process.env,
+        API_URL: apiUrl,
+        DEV_API_URL: apiUrl,
+        LIVE_API_URL: apiUrl,
+        ROLE_NAME: "FOUNDATION_ADMIN",
+        QA_USERNAME: qaUser,
+        QA_PASSWORD: qaPass,
+        ADMIN_USERNAME: qaUser,
+        ADMIN_PASSWORD: qaPass,
+        QA_X_ACCOUNT: "root",
+        ADMIN_X_ACCOUNT: "root",
+        CDO_USERNAME: qaUser,
+        CDO_PASSWORD: qaPass,
+        CDO_X_ACCOUNT: "root",
+        OWNER_EMAIL: qaUser,
+        OWNER_NAME: "Foundation Operator",
+      };
+      if (bearerToken) {
+        testEnv.BEARER_TOKEN = bearerToken;
+        testEnv.TOKEN_AUTH0 = bearerToken;
+      }
+
+      const aksStartMs = Date.now();
+      const aksProc = execaFn(
+        "bash",
+        ["-c", `source venv/bin/activate && pytest ${pytestArgs}`],
+        { cwd: qaDir, timeout: 600_000, reject: false, env: testEnv },
+      );
+      let aksCaptured = "";
+      aksProc.stdout?.on("data", (d) => { const s = d.toString(); aksCaptured += s; process.stdout.write(s); });
+      aksProc.stderr?.on("data", (d) => { const s = d.toString(); aksCaptured += s; process.stderr.write(s); });
+      const { exitCode } = await aksProc;
+      const aksWallSec = Math.round((Date.now() - aksStartMs) / 1000);
+
+      const aksCounts = parsePytestSummary(aksCaptured);
+      const aksTiming = parsePytestDurations(aksCaptured);
+      const qaResult = {
+        passed: exitCode === 0,
+        exitCode,
+        at: new Date().toISOString(),
+        ...(aksCounts.passed != null && { numPassed: aksCounts.passed }),
+        ...(aksCounts.failed != null && { numFailed: aksCounts.failed }),
+        ...(aksCounts.error != null && { numErrors: aksCounts.error }),
+        ...(aksCounts.errors != null && { numErrors: aksCounts.errors }),
+        ...(aksCounts.skipped != null && { numSkipped: aksCounts.skipped }),
+        durationSec: aksCounts.durationSec || aksWallSec,
+        ...(aksTiming && { timing: aksTiming }),
+      };
+      writeClusterState(cluster.clusterName, { qa: qaResult });
+
+      if (exitCode === 0) {
+        console.log(chalk.green("\n  ✓ QA tests passed\n"));
+      } else {
+        console.error(chalk.red(`\n  QA tests failed (exit ${exitCode}).`));
+        console.error(chalk.dim(`  Report: ${path.join(qaDir, "playwright-report", "report.html")}\n`));
+        process.exitCode = 1;
+      }
+
+      try {
+        const { resultsPush } = await import("../azure-results.js");
+        await resultsPush(cluster.clusterName, qaResult, { quiet: false });
+      } catch (pushErr) {
+        console.log(chalk.dim(`  (Result push skipped: ${pushErr.message})`));
+      }
+    });
+
+  aks
+    .command("kubeconfig [name]")
+    .description("Merge cluster kubeconfig into ~/.kube/config")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--admin", "Get admin credentials (cluster-admin role)")
+    .action(async (name, opts) => {
+      const { aksKubeconfig } = await import("../azure-aks.js");
+      await aksKubeconfig({ clusterName: name, profile: opts.profile, admin: opts.admin });
+    });
+
+  aks
+    .command("bootstrap [clusterName]")
+    .description("Create demo data mesh on the cluster (same as fops bootstrap, targeting AKS backend)")
+    .option("--api-url <url>", "Foundation backend API URL (e.g. https://foundation.example.com/api)")
+    .option("--yes", "Use credentials from env or ~/.fops.json, skip prompt")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (clusterName, opts) => {
+      const { aksDataBootstrap } = await import("../azure-aks.js");
+      await aksDataBootstrap({
+        clusterName,
+        profile: opts.profile,
+        apiUrl: opts.apiUrl,
+        yes: opts.yes,
+      });
+    });
+
+  // ── Node pool management ───────────────────────────────────────────────
+
+  const nodePool = aks
+    .command("node-pool")
+    .description("Manage AKS node pools");
+
+  nodePool
+    .command("add [clusterName]")
+    .description("Add a node pool to the cluster")
+    .requiredOption("--pool-name <name>", "Node pool name")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--node-count <count>", "Node count (default: 3)")
+    .option("--node-vm-size <size>", "VM size (default: Standard_D8s_v3)")
+    .option("--mode <mode>", "Pool mode: System | User")
+    .option("--labels <labels>", "Node labels (key=value pairs)")
+    .option("--taints <taints>", "Node taints (key=value:effect)")
+    .option("--max-pods <count>", "Max pods per node")
+    .action(async (clusterName, opts) => {
+      const { aksNodePoolAdd } = await import("../azure-aks.js");
+      await aksNodePoolAdd({
+        clusterName, profile: opts.profile, poolName: opts.poolName,
+        nodeCount: opts.nodeCount ? Number(opts.nodeCount) : undefined,
+        nodeVmSize: opts.nodeVmSize, mode: opts.mode,
+        labels: opts.labels, taints: opts.taints,
+        maxPods: opts.maxPods ? Number(opts.maxPods) : undefined,
+      });
+    });
+
+  nodePool
+    .command("remove [clusterName]")
+    .description("Remove a node pool from the cluster")
+    .requiredOption("--pool-name <name>", "Node pool name to remove")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (clusterName, opts) => {
+      const { aksNodePoolRemove } = await import("../azure-aks.js");
+      await aksNodePoolRemove({ clusterName, profile: opts.profile, poolName: opts.poolName });
+    });
+
+  // ── Flux subcommands ───────────────────────────────────────────────────
+
+  const flux = aks
+    .command("flux")
+    .description("Manage Flux GitOps on the AKS cluster");
+
+  flux
+    .command("init <clusterName>")
+    .description("Scaffold cluster manifests from the Foundation Flux template")
+    .requiredOption("--flux-repo <path>", "Path to local flux repo clone")
+    .option("--overlay <name>", "Overlay name for app kustomizations (default: <name>-azure)")
+    .option("--namespace <ns>", "Kubernetes namespace for the tenant (default: velora)")
+    .option("--postgres-host <host>", "Postgres hostname")
+    .option("--acr-username <user>", "ACR pull username")
+    .option("--acr-password <pass>", "ACR pull password")
+    .action(async (clusterName, opts) => {
+      const { aksFluxInit } = await import("../azure-aks.js");
+      await aksFluxInit({
+        clusterName, fluxRepo: opts.fluxRepo,
+        overlay: opts.overlay, namespace: opts.namespace,
+        postgresHost: opts.postgresHost,
+        acrUsername: opts.acrUsername, acrPassword: opts.acrPassword,
+      });
+    });
+
+  flux
+    .command("bootstrap [clusterName]")
+    .description("Bootstrap Flux on the cluster with a GitHub repo")
+    .requiredOption("--flux-repo <repo>", "GitHub repo name")
+    .requiredOption("--flux-owner <owner>", "GitHub owner/org")
+    .option("--flux-path <path>", "Path in repo for cluster manifests (default: clusters/<name>)")
+    .option("--flux-branch <branch>", "Git branch (default: main)")
+    .option("--github-token <token>", "GitHub PAT (default: $GITHUB_TOKEN)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (clusterName, opts) => {
+      const { aksFluxBootstrap } = await import("../azure-aks.js");
+      await aksFluxBootstrap({
+        clusterName, profile: opts.profile,
+        repo: opts.fluxRepo, owner: opts.fluxOwner,
+        path: opts.fluxPath, branch: opts.fluxBranch,
+        githubToken: opts.githubToken,
+      });
+    });
+
+  flux
+    .command("status [clusterName]")
+    .description("Show Flux sources, kustomizations, and helm releases")
+    .action(async (clusterName) => {
+      const { aksFluxStatus } = await import("../azure-aks.js");
+      await aksFluxStatus({ clusterName });
+    });
+
+  flux
+    .command("reconcile [clusterName]")
+    .description("Trigger a Flux reconciliation (pull + apply)")
+    .option("--source <name>", "Git source name (default: flux-system)")
+    .action(async (clusterName, opts) => {
+      const { aksFluxReconcile } = await import("../azure-aks.js");
+      await aksFluxReconcile({ clusterName, source: opts.source });
+    });
+}