@meshxdata/fops 0.1.44 → 0.1.46

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks.js

@@ -1,4248 +1,158 @@
-import crypto from "node:crypto";
-import fs from "node:fs";
-import os from "node:os";
-import path from "node:path";
-import { fileURLToPath, pathToFileURL } from "node:url";
-import chalk from "chalk";
-import {
-  DEFAULTS, DIM, OK, WARN, ERR, LABEL, ACCENT,
-  banner, hint, kvLine,
-  lazyExeca, ensureAzCli, ensureAzAuth, subArgs, buildTags, fetchMyIp,
-  readState, saveState,
-  resolveGithubToken, runReconcilers,
-  resolveUniqueDomain,
-} from "./azure.js";
-import { syncDns } from "./cloudflare.js";
-
-/** Resolve a module path under the CLI's src/ directory (works from source and ~/.fops/plugins). */
-function resolveCliSrc(relPath) {
-  const thisDir = path.dirname(fileURLToPath(import.meta.url));
-  const fromSource = path.resolve(thisDir, "../../../..", relPath);
-  if (fs.existsSync(fromSource)) return pathToFileURL(fromSource).href;
-  const fopsBin = process.argv[1];
-  if (fopsBin) {
-    try {
-      const cliRoot = path.dirname(fs.realpathSync(fopsBin));
-      const fromCli = path.resolve(cliRoot, "src", relPath);
-      if (fs.existsSync(fromCli)) return pathToFileURL(fromCli).href;
-    } catch { /* fall through */ }
-  }
-  return "../../../../" + relPath;
-}
-
-function timeSince(isoStr) {
-  const ms = Date.now() - new Date(isoStr).getTime();
-  if (ms < 60_000) return `${Math.round(ms / 1000)}s`;
-  if (ms < 3600_000) return `${Math.round(ms / 60_000)}m`;
-  if (ms < 86400_000) return `${Math.round(ms / 3600_000)}h`;
-  return `${Math.round(ms / 86400_000)}d`;
-}
-
-// ── AKS Defaults ──────────────────────────────────────────────────────────────
-
-const AKS_DEFAULTS = {
-  clusterName: "foundation-aks",
-  resourceGroup: process.env.AZURE_AKS_RESOURCE_GROUP || "foundation-aks-rg",
-  location: DEFAULTS.location,
-  nodeCount: 3,
-  minCount: 1,
-  maxCount: 3,
-  nodeVmSize: "Standard_D8s_v3",
-  kubernetesVersion: "1.33",
-  tier: "standard",        // "free" | "standard" | "premium"
-  networkPlugin: "azure",  // "azure" (CNI) | "kubenet"
-  fluxOwner: "meshxdata",
-  fluxRepo: "flux",
-  fluxBranch: "main",
-  fluxPath: "clusters/fops",
-};
-
-// ── K8s version resolver ─────────────────────────────────────────────────────
-
 /**
- * Query the latest GA (non-preview) Kubernetes version available in a region.
- * Falls back to AKS_DEFAULTS.kubernetesVersion if the query fails.
+ * azure-aks.js – Barrel re-export for backward compatibility
+ *
+ * This module re-exports all public APIs from the split modules.
+ * Direct imports of sub-modules are preferred for new code.
  */
-async function resolveK8sVersion(execa, { location, subscription } = {}) {
-  try {
-    const args = [
-      "aks", "get-versions",
-      "--location", location || AKS_DEFAULTS.location,
-      "--output", "json",
-    ];
-    if (subscription) args.push("--subscription", subscription);
-
-    const { stdout } = await execa("az", args, { timeout: 30000 });
-    const data = JSON.parse(stdout);
-
-    // data.values is an array of { version, isPreview, patchVersions }
-    const gaVersions = (data.values || [])
-      .filter((v) => !v.isPreview)
-      .map((v) => v.version)
-      .sort((a, b) => {
-        const pa = a.split(".").map(Number);
-        const pb = b.split(".").map(Number);
-        return pb[0] - pa[0] || pb[1] - pa[1] || (pb[2] || 0) - (pa[2] || 0);
-      });
-
-    if (gaVersions.length > 0) return gaVersions[0];
-  } catch { /* fall through to default */ }
-  return AKS_DEFAULTS.kubernetesVersion;
-}
-
-// ── Cluster state ─────────────────────────────────────────────────────────────
-// State layout: { azure: { ..., activeCluster: "<name>", clusters: { ... } } }
-
-export function readAksClusters() {
-  const state = readState();
-  const az = state.azure || {};
-  return {
-    activeCluster: az.activeCluster,
-    clusters: az.clusters || {},
-  };
-}
-
-export function readClusterState(name) {
-  const { activeCluster, clusters } = readAksClusters();
-  if (name) return clusters[name] || null;
-  if (activeCluster && clusters[activeCluster]) return clusters[activeCluster];
-  return null;
-}
-
-export function writeClusterState(name, patch) {
-  const state = readState();
-  const az = state.azure || {};
-  const clusters = az.clusters || {};
-  clusters[name] = { ...clusters[name], ...patch, clusterName: name };
-  az.clusters = clusters;
-  az.activeCluster = name;
-  state.azure = az;
-  saveState(state);
-}
-
-/** Read flux defaults from project root: .fops.json or config/azure-flux.json (azure.fluxOwner, etc.). */
-function readProjectFluxConfig(projectRoot) {
-  if (!projectRoot || !fs.existsSync(projectRoot)) return null;
-  const tryFile = (p) => {
-    if (!fs.existsSync(p)) return null;
-    try {
-      const raw = JSON.parse(fs.readFileSync(p, "utf8"));
-      const az = raw?.azure || raw;
-      const out = {};
-      if (az.fluxOwner != null) out.fluxOwner = az.fluxOwner;
-      if (az.fluxRepo != null) out.fluxRepo = az.fluxRepo;
-      if (az.fluxPath != null) out.fluxPath = az.fluxPath;
-      if (az.fluxBranch != null) out.fluxBranch = az.fluxBranch;
-      return Object.keys(out).length ? out : null;
-    } catch { return null; }
-  };
-  return tryFile(path.join(projectRoot, ".fops.json")) || tryFile(path.join(projectRoot, "config", "azure-flux.json")) || null;
-}
-
-/** Resolve effective Flux repo: CLI opts > cluster state > global azure > project config > AKS_DEFAULTS. */
-function resolveFluxConfig(clusterName, opts) {
-  const state = readState();
-  const az = state.azure || {};
-  const tracked = readClusterState(clusterName);
-  const project = readProjectFluxConfig(az.projectRoot || state.projectRoot);
-  return {
-    fluxRepo: opts?.fluxRepo ?? tracked?.flux?.repo ?? az.fluxRepo ?? project?.fluxRepo ?? AKS_DEFAULTS.fluxRepo,
-    fluxOwner: opts?.fluxOwner ?? tracked?.flux?.owner ?? az.fluxOwner ?? project?.fluxOwner ?? AKS_DEFAULTS.fluxOwner,
-    fluxPath: opts?.fluxPath || tracked?.flux?.path || az.fluxPath || project?.fluxPath || AKS_DEFAULTS.fluxPath,
-    fluxBranch: opts?.fluxBranch ?? tracked?.flux?.branch ?? az.fluxBranch ?? project?.fluxBranch ?? AKS_DEFAULTS.fluxBranch,
-  };
-}
-
-function clearClusterState(name) {
-  const state = readState();
-  const az = state.azure || {};
-  const clusters = az.clusters || {};
-  delete clusters[name];
-  if (az.activeCluster === name) {
-    const remaining = Object.keys(clusters);
-    az.activeCluster = remaining.length > 0 ? remaining[0] : undefined;
-  }
-  az.clusters = clusters;
-  state.azure = az;
-  saveState(state);
-}
-
-function requireCluster(name) {
-  const cl = readClusterState(name);
-  if (!cl || !cl.clusterName) {
-    const label = name ? `"${name}"` : "(none active)";
-    console.error(ERR(`\n  No AKS cluster tracked: ${label}`));
-    hint("Create one:  fops azure aks up <name>");
-    hint("List:        fops azure aks list\n");
-    process.exit(1);
-  }
-  return {
-    ...cl,
-    resourceGroup: cl.resourceGroup ?? AKS_DEFAULTS.resourceGroup,
-  };
-}
-
-// ── Flux helpers ──────────────────────────────────────────────────────────────
-
-async function ensureFluxCli(execa) {
-  try {
-    await execa("flux", ["--version"], { timeout: 10000 });
-  } catch {
-    console.error(ERR("\n  Flux CLI is not installed."));
-    hint("Install:  brew install fluxcd/tap/flux");
-    hint("Or:       curl -s https://fluxcd.io/install.sh | sudo bash\n");
-    process.exit(1);
-  }
-}
-
-async function ensureKubectl(execa) {
-  try {
-    await execa("kubectl", ["version", "--client", "--output=json"], { timeout: 10000 });
-  } catch {
-    console.error(ERR("\n  kubectl is not installed."));
-    hint("Install:  brew install kubectl\n");
-    process.exit(1);
-  }
-}
-
-// ── aks up ────────────────────────────────────────────────────────────────────
-
-export async function aksUp(opts = {}) {
-  const execa = await lazyExeca();
-  const clusterName = opts.clusterName || AKS_DEFAULTS.clusterName;
-  const rg = opts.resourceGroup || AKS_DEFAULTS.resourceGroup;
-  const location = opts.location || AKS_DEFAULTS.location;
-  const nodeCount = opts.nodeCount || AKS_DEFAULTS.nodeCount;
-  const minCount = opts.minCount || AKS_DEFAULTS.minCount;
-  const maxCount = opts.maxCount || AKS_DEFAULTS.maxCount;
-  const nodeVmSize = opts.nodeVmSize || AKS_DEFAULTS.nodeVmSize;
-  const tier = opts.tier || AKS_DEFAULTS.tier;
-  const networkPlugin = opts.networkPlugin || AKS_DEFAULTS.networkPlugin;
-  const sub = opts.profile;
-
-  await ensureAzCli(execa);
-  await ensureKubectl(execa);
-  const account = await ensureAzAuth(execa, { subscription: sub });
-
-  // Resolve K8s version: use explicit opt, otherwise auto-detect latest GA for region
-  const k8sVersion = opts.kubernetesVersion ||
-    await resolveK8sVersion(execa, { location, subscription: sub });
-
-  banner(`AKS Up: ${clusterName}`);
-  kvLine("Account",    DIM(`${account.name} (${account.id})`));
-  kvLine("Location",   DIM(location));
-  kvLine("Nodes",      DIM(`${nodeCount} x ${nodeVmSize} (autoscale ${minCount}–${maxCount})`));
-  kvLine("K8s",        DIM(k8sVersion));
-  kvLine("Tier",       DIM(tier));
-
-  // Check if cluster already exists
-  const { exitCode: exists } = await execa("az", [
-    "aks", "show", "-g", rg, "-n", clusterName, "--output", "none",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 30000 });
-
-  if (exists === 0) {
-    console.log(WARN(`\n  Cluster "${clusterName}" already exists — reconciling…`));
-
-    const maxPods = opts.maxPods || 110;
-    const ctx = { execa, clusterName, rg, sub, opts, minCount, maxCount, maxPods };
-    await reconcileCluster(ctx);
-
-    const tracked = readClusterState(clusterName);
-    if (tracked) printClusterInfo(tracked);
-    return tracked;
-  }
-
-  // Create resource group
-  hint(`Ensuring resource group ${rg}…`);
-  await execa("az", [
-    "group", "create", "--name", rg, "--location", location,
-    "--output", "none", ...subArgs(sub),
-  ], { timeout: 30000 });
-
-  // Create AKS cluster
-  banner(`Creating AKS cluster "${clusterName}"`);
-
-  // Detect operator IP to lock down the API server
-  hint("Detecting your public IP…");
-  const myIp = await fetchMyIp();
-  if (myIp) {
-    console.log(OK(`  ✓ API server will be scoped to ${myIp}`));
-  } else {
-    console.log(WARN("  ⚠ Could not detect public IP — API server will be open to all"));
-    hint("Lock it down later: az aks update -g <rg> -n <name> --api-server-authorized-ip-ranges <ip>/32");
-  }
-
-  hint("This takes 5–10 minutes…\n");
-
-  const tags = buildTags(clusterName, {
-    createdBy: account.user?.name || "fops",
-    type: "aks",
-  });
-  const tagStr = Object.entries(tags).map(([k, v]) => `${k}=${v}`).join(" ");
-
-  const maxPods = opts.maxPods || 110;
-
-  const createArgs = [
-    "aks", "create",
-    "--resource-group", rg,
-    "--name", clusterName,
-    "--location", location,
-    "--node-count", String(nodeCount),
-    "--node-vm-size", nodeVmSize,
-    "--max-pods", String(maxPods),
-    "--enable-cluster-autoscaler",
-    "--min-count", String(minCount),
-    "--max-count", String(maxCount),
-    "--kubernetes-version", k8sVersion,
-    "--tier", tier,
-    "--network-plugin", networkPlugin,
-    "--generate-ssh-keys",
-    "--enable-managed-identity",
-    "--enable-oidc-issuer",
-    "--enable-workload-identity",
-    "--tags", ...tagStr.split(" "),
-    "--output", "json",
-    ...subArgs(sub),
-  ];
-
-  if (myIp) {
-    createArgs.push("--api-server-authorized-ip-ranges", `${myIp}/32`);
-  }
-
-  let cluster;
-  try {
-    const { stdout: clusterJson } = await execa("az", createArgs, { timeout: 900000 });
-    cluster = JSON.parse(clusterJson);
-  } catch (err) {
-    const msg = (err.stderr || err.message || "").replace(/^.*ERROR:\s*/m, "");
-    console.error(ERR(`\n  ✗ Cluster creation failed:\n    ${msg.split("\n")[0]}`));
-    throw err;
-  }
-  console.log(OK(`  ✓ AKS cluster created`));
-
-  // Get kubeconfig
-  await getCredentials(execa, { clusterName, rg, sub });
-
-  // Save state
-  writeClusterState(clusterName, {
-    resourceGroup: rg,
-    location,
-    nodeCount,
-    nodeVmSize,
-    kubernetesVersion: cluster.kubernetesVersion || k8sVersion,
-    subscriptionId: account.id,
-    fqdn: cluster.fqdn,
-    provisioningState: cluster.provisioningState,
-    createdAt: new Date().toISOString(),
-  });
-
-  // Create GHCR pull secret so the cluster can pull private images
-  const githubToken = resolveGithubToken(opts);
-  if (githubToken) {
-    await ensureGhcrPullSecret(execa, { clusterName, githubToken });
-  }
-
-  // Bootstrap Flux — defaults to meshxdata/flux
-  const fluxRepo = opts.fluxRepo ?? AKS_DEFAULTS.fluxRepo;
-  const fluxOwner = opts.fluxOwner ?? AKS_DEFAULTS.fluxOwner;
-  const fluxBranch = opts.fluxBranch ?? AKS_DEFAULTS.fluxBranch;
-  const fluxPath = opts.fluxPath || AKS_DEFAULTS.fluxPath;
-
-  if (opts.noFlux) {
-    console.log("");
-    hint("Flux not bootstrapped (--no-flux).");
-    hint("Bootstrap later:  fops azure aks flux bootstrap <name>");
-  } else if (!githubToken) {
-    console.log("");
-    console.log(WARN("  ⚠ Skipping Flux bootstrap — no GitHub token found."));
-    hint("Authenticate with:  gh auth login   (writes to ~/.netrc)");
-    hint("Or set GITHUB_TOKEN, or pass --github-token, then run:");
-    hint(`  fops azure aks flux bootstrap ${clusterName}`);
-  } else {
-    await bootstrapFlux(execa, {
-      clusterName, rg, sub,
-      githubToken,
-      repo: fluxRepo,
-      owner: fluxOwner,
-      path: fluxPath,
-      branch: fluxBranch,
-    });
-    writeClusterState(clusterName, {
-      flux: { repo: fluxRepo, owner: fluxOwner, path: fluxPath, branch: fluxBranch },
-    });
-  }
-
-  // Pre-install CRDs and fix webhook scheduling so Flux kustomizations can reconcile
-  if (!opts.noFlux) {
-    try {
-      await reconcileFluxPrereqs({ execa, clusterName, rg, sub, opts });
-    } catch (err) {
-      console.log(WARN(`  ⚠ Flux prereqs: ${(err.message || "").split("\n")[0]}`));
-      hint("Run again with: fops azure aks up " + clusterName);
-    }
-  }
-
-  // Provision Postgres Flexible Server in the AKS VNet
-  if (opts.noPostgres !== true) {
-    try {
-      // Re-fetch cluster to get nodeResourceGroup
-      const { stdout: freshJson } = await execa("az", [
-        "aks", "show", "-g", rg, "-n", clusterName, "--output", "json",
-        ...subArgs(sub),
-      ], { timeout: 30000 });
-      const freshCluster = JSON.parse(freshJson);
-      const pgCtx = { execa, clusterName, rg, sub, cluster: freshCluster, opts };
-      await reconcilePostgres(pgCtx);
-    } catch (err) {
-      const msg = err.message || "";
-      const stderr = err.stderr ? err.stderr.trim().split("\n").slice(-2).join(" ") : "";
-      console.log(WARN(`  ⚠ Postgres provisioning failed: ${msg.split("\n")[0]}`));
-      if (stderr && !msg.includes(stderr)) hint(stderr);
-      hint("Retry with: fops azure aks up " + clusterName);
-    }
-  }
-
-  const info = readClusterState(clusterName);
-  printClusterInfo(info);
-  return info;
-}
-
-// ── aks down ──────────────────────────────────────────────────────────────────
-
-export async function aksDown(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-
-  const name = opts.clusterName;
-  let clusterName, rg;
-
-  // Try local state first
-  const tracked = readClusterState(name);
-  if (tracked?.clusterName) {
-    clusterName = tracked.clusterName;
-    rg = tracked.resourceGroup;
-  } else if (name) {
-    // Not in local state — probe Azure directly for residual clusters
-    rg = AKS_DEFAULTS.resourceGroup;
-    const { exitCode, stdout } = await execa("az", [
-      "aks", "show", "-g", rg, "-n", name, "--output", "json", ...subArgs(sub),
-    ], { reject: false, timeout: 30000 });
-
-    if (exitCode === 0 && stdout) {
-      clusterName = name;
-      const info = JSON.parse(stdout);
-      rg = info.resourceGroup || rg;
-      console.log(WARN(`\n  Cluster "${name}" not in local state but found in Azure (residual).`));
-    } else {
-      // Also try listing all clusters in the default RG
-      const { stdout: listJson } = await execa("az", [
-        "aks", "list", "-g", rg, "--output", "json", ...subArgs(sub),
-      ], { reject: false, timeout: 30000 });
-      const clusters = listJson ? JSON.parse(listJson) : [];
-      const match = clusters.find((c) => c.name === name);
-      if (match) {
-        clusterName = match.name;
-        rg = match.resourceGroup || rg;
-        console.log(WARN(`\n  Cluster "${name}" not in local state but found in Azure (residual).`));
-      } else {
-        console.error(ERR(`\n  Cluster "${name}" not found in local state or Azure (RG: ${rg}).`));
-        hint("List Azure clusters:  az aks list -g foundation-aks-rg -o table");
-        hint("List tracked:         fops azure aks list\n");
-        process.exit(1);
-      }
-    }
-  } else {
-    // No name given, require tracked state
-    requireCluster(name);
-    return; // unreachable, requireCluster exits
-  }
-
-  banner(`Destroying AKS cluster "${clusterName}"`);
-  kvLine("RG", DIM(rg));
-
-  if (!opts.yes) {
-    const { confirm } = await import(resolveCliSrc("ui/confirm.js"));
-    const ok = await confirm(`  Destroy cluster "${clusterName}" and all workloads?`);
-    if (!ok) { console.log(DIM("\n  Cancelled.\n")); return; }
-  }
-
-  hint("This takes 3–5 minutes…\n");
-
-  await execa("az", [
-    "aks", "delete", "--resource-group", rg, "--name", clusterName,
-    "--yes", "--no-wait", "--output", "none",
-    ...subArgs(sub),
-  ], { timeout: 300000 });
-  console.log(OK("  ✓ Cluster deletion initiated"));
-
-  // Remove kubeconfig context
-  try {
-    await execa("kubectl", ["config", "delete-context", clusterName], { reject: false, timeout: 10000 });
-    await execa("kubectl", ["config", "delete-cluster", clusterName], { reject: false, timeout: 10000 });
-    console.log(OK("  ✓ Kubeconfig context removed"));
-  } catch { /* best-effort */ }
-
-  clearClusterState(clusterName);
-  console.log(OK("\n  ✓ Done.") + DIM("  State cleared.\n"));
-}
-
-// ── aks list ──────────────────────────────────────────────────────────────────
-
-export async function aksList(opts = {}) {
-  let { activeCluster, clusters } = readAksClusters();
-  let names = Object.keys(clusters);
-
-  banner("AKS Clusters");
-
-  // If no clusters tracked locally, try to discover fops-managed clusters from Azure
-  if (names.length === 0) {
-    const execa = await lazyExeca();
-    try {
-      await ensureAzCli(execa);
-      await ensureAzAuth(execa, { subscription: opts.profile });
-    } catch {
-      hint("No clusters tracked.");
-      hint("Create one:  fops azure aks up <name>\n");
-      return;
-    }
-
-    hint("No clusters tracked locally — checking Azure for fops-managed clusters…\n");
-
-    try {
-      // Query all AKS clusters and filter by managed=fops tag
-      const { stdout, exitCode } = await execa("az", [
-        "aks", "list",
-        "--query", "[?tags.managed=='fops']",
-        "--output", "json",
-        ...subArgs(opts.profile),
-      ], { timeout: 60000, reject: false });
-
-      if (exitCode === 0 && stdout?.trim()) {
-        const discovered = JSON.parse(stdout);
-        if (discovered.length > 0) {
-          for (const cl of discovered) {
-            const name = cl.name;
-            const info = {
-              resourceGroup: cl.resourceGroup,
-              location: cl.location,
-              kubernetesVersion: cl.kubernetesVersion,
-              fqdn: cl.fqdn,
-              nodeCount: cl.agentPoolProfiles?.reduce((s, p) => s + (p.count || 0), 0) || 0,
-              nodeVmSize: cl.agentPoolProfiles?.[0]?.vmSize || "unknown",
-              subscriptionId: cl.id?.split("/")[2],
-              createdAt: cl.provisioningState === "Succeeded" ? new Date().toISOString() : null,
-            };
-            writeClusterState(name, info);
-            console.log(OK(`  + Discovered ${name} (${cl.location})`));
-          }
-          console.log("");
-          // Re-read after discovery
-          const updated = readAksClusters();
-          activeCluster = updated.activeCluster;
-          clusters = updated.clusters;
-          names = Object.keys(clusters);
-        }
-      }
-    } catch {
-      // Discovery failed, continue with empty list
-    }
-
-    if (names.length === 0) {
-      hint("No fops-managed clusters found in Azure.");
-      hint("Create one:  fops azure aks up <name>\n");
-      return;
-    }
-  }
-
-  // Refresh each tracked cluster from Azure so RG, Location, Nodes, FQDN, etc. are current
-  try {
-    const execa = await lazyExeca();
-    await ensureAzCli(execa);
-    await ensureAzAuth(execa, { subscription: opts.profile });
-    for (const name of names) {
-      const cl = clusters[name];
-      let azCluster = null;
-      if (cl.resourceGroup) {
-        const { stdout, exitCode } = await execa("az", [
-          "aks", "show", "-g", cl.resourceGroup, "-n", name, "--output", "json",
-          ...subArgs(opts.profile),
-        ], { timeout: 15000, reject: false });
-        if (exitCode === 0 && stdout?.trim()) azCluster = JSON.parse(stdout);
-      }
-      if (!azCluster) {
-        const { stdout, exitCode } = await execa("az", [
-          "aks", "list", "--output", "json", ...subArgs(opts.profile),
-        ], { timeout: 60000, reject: false });
-        if (exitCode === 0 && stdout?.trim()) {
-          const list = JSON.parse(stdout);
-          azCluster = list.find((c) => c.name === name) || null;
-        }
-      }
-      if (azCluster) {
-        const info = {
-          resourceGroup: azCluster.resourceGroup,
-          location: azCluster.location,
-          kubernetesVersion: azCluster.kubernetesVersion,
-          fqdn: azCluster.fqdn,
-          nodeCount: azCluster.agentPoolProfiles?.reduce((s, p) => s + (p.count || 0), 0) ?? null,
-          nodeVmSize: azCluster.agentPoolProfiles?.[0]?.vmSize || null,
-          subscriptionId: azCluster.id?.split("/")[2],
-        };
-        if (!cl.createdAt && azCluster.provisioningState === "Succeeded") {
-          info.createdAt = new Date().toISOString();
-        }
-        writeClusterState(name, info);
-      }
-    }
-    const updated = readAksClusters();
-    clusters = updated.clusters;
-  } catch {
-    // Keep existing state if refresh fails (e.g. az not logged in)
-  }
-
-  for (const name of names) {
-    const cl = clusters[name];
-    const active = name === activeCluster ? OK(" ◀ active") : "";
-    console.log(`\n  ${LABEL(name)}${active}`);
-    kvLine("  RG",       DIM(cl.resourceGroup || "—"), { pad: 12 });
-    kvLine("  Location", DIM(cl.location || "—"), { pad: 12 });
-    kvLine("  Nodes",    DIM(`${cl.nodeCount || "?"} x ${cl.nodeVmSize || "?"}`), { pad: 12 });
-    kvLine("  K8s",      DIM(cl.kubernetesVersion || "—"), { pad: 12 });
-    kvLine("  FQDN",     DIM(cl.fqdn || "—"), { pad: 12 });
-    if (cl.flux) {
-      kvLine("  Flux",   DIM(`${cl.flux.owner}/${cl.flux.repo} (${cl.flux.path})`), { pad: 12 });
-    }
-    kvLine("  Created",  DIM(cl.createdAt ? new Date(cl.createdAt).toLocaleString() : "—"), { pad: 12 });
-    if (cl.domain) {
-      kvLine("  Domain",   DIM(cl.domain), { pad: 12 });
-    }
-    if (cl.qa) {
-      const qaAge = timeSince(cl.qa.at);
-      const qaLabel = cl.qa.passed ? OK(`✓ passed (${qaAge} ago)`) : ERR(`✗ failed (${qaAge} ago)`);
-      kvLine("  QA",       qaLabel, { pad: 12 });
-    }
-  }
-  console.log("");
-}
-
-// ── aks status ────────────────────────────────────────────────────────────────
-
-export async function aksStatus(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-  const { clusterName, resourceGroup: rg } = requireCluster(opts.clusterName);
-
-  banner(`AKS Status: ${clusterName}`);
-
-  // Cluster info from Azure
-  const { stdout: showJson } = await execa("az", [
-    "aks", "show", "-g", rg, "-n", clusterName, "--output", "json",
-    ...subArgs(sub),
-  ], { timeout: 30000 });
-  const info = JSON.parse(showJson);
-
-  kvLine("State",      info.provisioningState === "Succeeded" ? OK(info.provisioningState) : WARN(info.provisioningState));
-  kvLine("Power",      info.powerState?.code === "Running" ? OK(info.powerState.code) : WARN(info.powerState?.code || "unknown"));
-  kvLine("K8s",        DIM(info.kubernetesVersion));
-  kvLine("FQDN",       DIM(info.fqdn));
-  kvLine("Location",   DIM(info.location));
-  kvLine("Tier",       DIM(info.sku?.tier || "—"));
-
-  // Node pools
-  const pools = info.agentPoolProfiles || [];
-  console.log(`\n  ${LABEL("Node Pools")}`);
-  for (const pool of pools) {
-    const status = pool.provisioningState === "Succeeded" ? OK("ready") : WARN(pool.provisioningState);
-    console.log(`    ${pool.name}: ${pool.count} x ${pool.vmSize} [${status}]`);
-  }
-
-  // Flux status (if available)
-  try {
-    await execa("flux", ["--version"], { timeout: 5000 });
-    console.log(`\n  ${LABEL("Flux Status")}`);
-    const { stdout: fluxStatus } = await execa("flux", [
-      "get", "all", "--context", clusterName, "--no-header",
-    ], { timeout: 30000, reject: false });
-    if (fluxStatus?.trim()) {
-      for (const line of fluxStatus.trim().split("\n").slice(0, 20)) {
-        console.log(`    ${DIM(line)}`);
-      }
-    } else {
-      hint("  Flux not installed or no resources found.");
-    }
-  } catch {
-    hint("  Flux CLI not available — skipping Flux status.");
-  }
-
-  console.log("");
-}
-
-// ── aks config versions ──────────────────────────────────────────────────────
-
-const AKS_FOUNDATION_COMPONENTS = {
-  "foundation-backend":        { label: "Backend",   short: "be" },
-  "foundation-frontend":       { label: "Frontend",  short: "fe" },
-  "foundation-processor":      { label: "Processor", short: "pr" },
-  "foundation-watcher":        { label: "Watcher",   short: "wa" },
-  "foundation-scheduler":      { label: "Scheduler", short: "sc" },
-  "foundation-storage-engine": { label: "Storage",   short: "se" },
-};
-
-export async function aksConfigVersions(opts = {}) {
-  const execa = await lazyExeca();
-  const { clusterName } = requireCluster(opts.clusterName);
-
-  banner(`Service Versions: ${clusterName}`);
-
-  const kubectl = (args) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 15000, reject: false });
-
-  const { stdout, exitCode } = await kubectl([
-    "get", "deployments", "-n", "foundation",
-    "-o", "jsonpath={range .items[*]}{.metadata.name}={.spec.template.spec.containers[0].image}{\"\\n\"}{end}",
-  ]);
-
-  if (exitCode !== 0 || !stdout?.trim()) {
-    hint("Could not read deployments. Is kubeconfig merged?");
-    hint(`  Run: fops azure aks kubeconfig ${clusterName}\n`);
-    return;
-  }
-
-  const versions = {};
-  for (const line of stdout.trim().split("\n")) {
-    const eq = line.indexOf("=");
-    if (eq < 0) continue;
-    const name = line.slice(0, eq).trim();
-    const image = line.slice(eq + 1).trim();
-    const comp = AKS_FOUNDATION_COMPONENTS[name];
-    if (!comp) continue;
-    const colon = image.lastIndexOf(":");
-    const tag = colon >= 0 ? image.slice(colon + 1) : "latest";
-    versions[name] = { ...comp, image, tag };
-  }
-
-  if (Object.keys(versions).length === 0) {
-    hint("No Foundation services found in the 'foundation' namespace.\n");
-    return;
-  }
-
-  const maxLabel = Math.max(...Object.values(versions).map(v => v.label.length));
-  for (const [, v] of Object.entries(versions)) {
-    console.log(`  ${ACCENT(v.label.padEnd(maxLabel + 2))} ${chalk.white(v.tag)}  ${DIM(v.image)}`);
-  }
-  console.log("");
-
-  // Check for version drift
-  const tags = [...new Set(Object.values(versions).map(v => v.tag))];
-  if (tags.length === 1) {
-    console.log(OK(`  ✓ All services on ${tags[0]}`));
-  } else {
-    console.log(WARN(`  ⚠ Version drift detected — ${tags.length} different tags in use`));
-  }
-  console.log("");
-}
-
-// ── aks terraform ────────────────────────────────────────────────────────────
-
-export async function aksTerraform(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-  const { clusterName, resourceGroup: rg } = requireCluster(opts.clusterName);
-
-  banner(`AKS Terraform: ${clusterName}`);
-  hint("Fetching cluster details from Azure…");
-
-  const { stdout: showJson } = await execa("az", [
-    "aks", "show", "-g", rg, "-n", clusterName, "--output", "json",
-    ...subArgs(sub),
-  ], { timeout: 30000 });
-  const cluster = JSON.parse(showJson);
-
-  // Fetch resource group details for location
-  let rgLocation = cluster.location;
-  try {
-    const { stdout: rgJson } = await execa("az", [
-      "group", "show", "--name", rg, "--output", "json", ...subArgs(sub),
-    ], { timeout: 15000 });
-    rgLocation = JSON.parse(rgJson).location || rgLocation;
-  } catch { /* use cluster location */ }
-
-  // Discover companion resources in parallel
-  hint("Discovering companion resources…");
-  const serverName = `fops-${clusterName}-psql`;
-  const vaultName = `fops-${clusterName}-kv`.replace(/[^a-zA-Z0-9-]/g, "").slice(0, 24);
-
-  const [pgResult, kvResult, fluxExtResult, fluxCfgResult] = await Promise.allSettled([
-    execa("az", [
-      "postgres", "flexible-server", "show",
-      "--name", serverName, "--resource-group", rg,
-      "--output", "json", ...subArgs(sub),
-    ], { reject: false, timeout: 30000 }),
-    execa("az", [
-      "keyvault", "show", "--name", vaultName,
-      "--output", "json", ...subArgs(sub),
-    ], { reject: false, timeout: 30000 }),
-    execa("az", [
-      "k8s-extension", "show",
-      "--resource-group", rg, "--cluster-name", clusterName,
-      "--cluster-type", "managedClusters", "--name", "flux",
-      "--output", "json", ...subArgs(sub),
-    ], { reject: false, timeout: 30000 }),
-    execa("az", [
-      "k8s-configuration", "flux", "list",
-      "--resource-group", rg, "--cluster-name", clusterName,
-      "--cluster-type", "managedClusters",
-      "--output", "json", ...subArgs(sub),
-    ], { reject: false, timeout: 30000 }),
-  ]);
-
-  const pgServer = pgResult.status === "fulfilled" && pgResult.value.exitCode === 0 && pgResult.value.stdout?.trim()
-    ? JSON.parse(pgResult.value.stdout) : null;
-  const keyVault = kvResult.status === "fulfilled" && kvResult.value.exitCode === 0 && kvResult.value.stdout?.trim()
-    ? JSON.parse(kvResult.value.stdout) : null;
-  const fluxExt = fluxExtResult.status === "fulfilled" && fluxExtResult.value.exitCode === 0 && fluxExtResult.value.stdout?.trim()
-    ? JSON.parse(fluxExtResult.value.stdout) : null;
-  const fluxConfigs = fluxCfgResult.status === "fulfilled" && fluxCfgResult.value.exitCode === 0 && fluxCfgResult.value.stdout?.trim()
-    ? JSON.parse(fluxCfgResult.value.stdout) : [];
-
-  const hcl = generateAksTerraform(cluster, { rg, rgLocation, pgServer, keyVault, fluxExt, fluxConfigs });
-
-  console.log(OK("  ✓ Terraform HCL generated from live cluster state\n"));
-
-  if (opts.output) {
-    fs.mkdirSync(path.dirname(path.resolve(opts.output)), { recursive: true });
-    fs.writeFileSync(path.resolve(opts.output), hcl, "utf8");
-    console.log(OK(`  ✓ Written to ${opts.output}\n`));
-  } else {
-    console.log(hcl);
-  }
-}
-
-function generateAksTerraform(cluster, { rg, rgLocation, pgServer, keyVault, fluxExt, fluxConfigs }) {
-  const sku = cluster.sku || {};
-  const netProfile = cluster.networkProfile || {};
-  const identity = cluster.identity || {};
-  const pools = cluster.agentPoolProfiles || [];
-  const defaultPool = pools.find((p) => p.mode === "System") || pools[0];
-  const extraPools = pools.filter((p) => p !== defaultPool);
-  const apiAccess = cluster.apiServerAccessProfile || {};
-  const autoUpgrade = cluster.autoUpgradeProfile || {};
-
-  const tfName = (cluster.name || "aks").replace(/[^a-zA-Z0-9_]/g, "_");
-
-  const lines = [];
-  const w = (s = "") => lines.push(s);
-
-  // ── variables ──────────────────────────────────────────────────────────────
-
-  w(`# ─── Variables ────────────────────────────────────────────────────────────────`);
-  w();
-  w(`variable "resource_group_name" {`);
-  w(`  description = "Name of the Azure resource group"`);
-  w(`  type        = string`);
-  w(`  default     = "${rg}"`);
-  w(`}`);
-  w();
-  w(`variable "location" {`);
-  w(`  description = "Azure region"`);
-  w(`  type        = string`);
-  w(`  default     = "${rgLocation}"`);
-  w(`}`);
-  w();
-  w(`variable "cluster_name" {`);
-  w(`  description = "AKS cluster name"`);
-  w(`  type        = string`);
-  w(`  default     = "${cluster.name}"`);
-  w(`}`);
-  w();
-  w(`variable "kubernetes_version" {`);
-  w(`  description = "Kubernetes version"`);
-  w(`  type        = string`);
-  w(`  default     = "${cluster.kubernetesVersion}"`);
-  w(`}`);
-  w();
-  w(`variable "dns_prefix" {`);
-  w(`  description = "DNS prefix for the cluster"`);
-  w(`  type        = string`);
-  w(`  default     = "${cluster.dnsPrefix || cluster.name}"`);
-  w(`}`);
-  w();
-  w(`variable "sku_tier" {`);
-  w(`  description = "AKS SKU tier (Free, Standard, Premium)"`);
-  w(`  type        = string`);
-  w(`  default     = "${sku.tier || "Standard"}"`);
-  w(`}`);
-  w();
-
-  if (defaultPool) {
-    w(`variable "default_node_pool_vm_size" {`);
-    w(`  description = "VM size for the default node pool"`);
-    w(`  type        = string`);
-    w(`  default     = "${defaultPool.vmSize}"`);
-    w(`}`);
-    w();
-    w(`variable "default_node_pool_count" {`);
-    w(`  description = "Node count for the default pool"`);
-    w(`  type        = number`);
-    w(`  default     = ${defaultPool.count}`);
-    w(`}`);
-    w();
-    if (defaultPool.enableAutoScaling) {
-      w(`variable "default_node_pool_min_count" {`);
-      w(`  description = "Autoscaler minimum node count"`);
-      w(`  type        = number`);
-      w(`  default     = ${defaultPool.minCount}`);
-      w(`}`);
-      w();
-      w(`variable "default_node_pool_max_count" {`);
-      w(`  description = "Autoscaler maximum node count"`);
-      w(`  type        = number`);
-      w(`  default     = ${defaultPool.maxCount}`);
-      w(`}`);
-      w();
-    }
-  }
-
-  if (pgServer) {
-    w(`variable "postgres_admin_login" {`);
-    w(`  description = "Postgres administrator login"`);
-    w(`  type        = string`);
-    w(`  default     = "${pgServer.administratorLogin || "fopsadmin"}"`);
-    w(`}`);
-    w();
-    w(`variable "postgres_admin_password" {`);
-    w(`  description = "Postgres administrator password"`);
-    w(`  type        = string`);
-    w(`  sensitive   = true`);
-    w(`}`);
-    w();
-  }
-
-  if (fluxConfigs?.length) {
-    w(`variable "flux_github_token" {`);
-    w(`  description = "GitHub PAT for Flux HTTPS access"`);
-    w(`  type        = string`);
-    w(`  sensitive   = true`);
-    w(`  default     = ""`);
-    w(`}`);
-    w();
-  }
-
-  if (keyVault) {
-    w(`variable "tenant_id" {`);
-    w(`  description = "Azure AD tenant ID for Key Vault"`);
-    w(`  type        = string`);
-    w(`  default     = "${keyVault.properties?.tenantId || ""}"`);
-    w(`}`);
-    w();
-  }
-
-  // ── provider ───────────────────────────────────────────────────────────────
-
-  w(`# ─── Provider ─────────────────────────────────────────────────────────────────`);
-  w();
-  w(`terraform {`);
-  w(`  required_providers {`);
-  w(`    azurerm = {`);
-  w(`      source  = "hashicorp/azurerm"`);
-  w(`      version = "~> 4.0"`);
-  w(`    }`);
-  w(`  }`);
-  w(`}`);
-  w();
-  w(`provider "azurerm" {`);
-  w(`  features {}`);
-  w(`}`);
-  w();
-
-  // ── resource group ─────────────────────────────────────────────────────────
-
-  w(`# ─── Resource Group ──────────────────────────────────────────────────────────`);
-  w();
-  w(`resource "azurerm_resource_group" "aks" {`);
-  w(`  name     = var.resource_group_name`);
-  w(`  location = var.location`);
-  w(`}`);
-  w();
-
-  // ── AKS cluster ────────────────────────────────────────────────────────────
-
-  w(`# ─── AKS Cluster ─────────────────────────────────────────────────────────────`);
-  w();
-  w(`resource "azurerm_kubernetes_cluster" "${tfName}" {`);
-  w(`  name                = var.cluster_name`);
-  w(`  location            = azurerm_resource_group.aks.location`);
-  w(`  resource_group_name = azurerm_resource_group.aks.name`);
-  w(`  dns_prefix          = var.dns_prefix`);
-  w(`  kubernetes_version  = var.kubernetes_version`);
-  w(`  sku_tier            = var.sku_tier`);
-  w();
-
-  if (apiAccess.authorizedIpRanges?.length) {
-    w(`  api_server_access_profile {`);
-    w(`    authorized_ip_ranges = [${apiAccess.authorizedIpRanges.map((r) => `"${r}"`).join(", ")}]`);
-    w(`  }`);
-    w();
-  }
-
-  if (autoUpgrade.upgradeChannel) {
-    w(`  automatic_upgrade_channel = "${autoUpgrade.upgradeChannel}"`);
-    w();
-  }
-
-  if (identity.type) {
-    const identityType = identity.type === "SystemAssigned" ? "SystemAssigned" : "UserAssigned";
-    w(`  identity {`);
-    w(`    type = "${identityType}"`);
-    w(`  }`);
-    w();
-  }
-
-  if (defaultPool) {
-    w(`  default_node_pool {`);
-    w(`    name                = "${defaultPool.name}"`);
-    w(`    vm_size             = var.default_node_pool_vm_size`);
-    w(`    node_count          = var.default_node_pool_count`);
-    if (defaultPool.enableAutoScaling) {
-      w(`    auto_scaling_enabled = true`);
-      w(`    min_count           = var.default_node_pool_min_count`);
-      w(`    max_count           = var.default_node_pool_max_count`);
-    }
-    if (defaultPool.maxPods) {
-      w(`    max_pods            = ${defaultPool.maxPods}`);
-    }
-    if (defaultPool.osDiskSizeGb) {
-      w(`    os_disk_size_gb     = ${defaultPool.osDiskSizeGb}`);
-    }
-    if (defaultPool.osDiskType && defaultPool.osDiskType !== "Managed") {
-      w(`    os_disk_type        = "${defaultPool.osDiskType}"`);
-    }
-    if (defaultPool.vnetSubnetId) {
-      w(`    vnet_subnet_id      = "${defaultPool.vnetSubnetId}"`);
-    }
-    if (defaultPool.availabilityZones?.length) {
-      w(`    zones               = [${defaultPool.availabilityZones.map((z) => `"${z}"`).join(", ")}]`);
-    }
-    w(`  }`);
-    w();
-  }
-
-  if (netProfile.networkPlugin) {
-    w(`  network_profile {`);
-    w(`    network_plugin     = "${netProfile.networkPlugin}"`);
-    if (netProfile.networkPolicy) w(`    network_policy     = "${netProfile.networkPolicy}"`);
-    if (netProfile.serviceCidr) w(`    service_cidr       = "${netProfile.serviceCidr}"`);
-    if (netProfile.dnsServiceIp) w(`    dns_service_ip     = "${netProfile.dnsServiceIp}"`);
-    if (netProfile.loadBalancerSku) w(`    load_balancer_sku  = "${netProfile.loadBalancerSku}"`);
-    w(`  }`);
-    w();
-  }
-
-  if (cluster.oidcIssuerProfile?.enabled) {
-    w(`  oidc_issuer_enabled       = true`);
-  }
-  if (cluster.securityProfile?.workloadIdentity?.enabled) {
-    w(`  workload_identity_enabled = true`);
-  }
-
-  const tags = cluster.tags || {};
-  const tagEntries = Object.entries(tags);
-  if (tagEntries.length) {
-    w();
-    w(`  tags = {`);
-    for (const [k, v] of tagEntries) {
-      w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
-    }
-    w(`  }`);
-  }
-
-  w(`}`);
-  w();
-
-  // ── extra node pools ───────────────────────────────────────────────────────
-
-  for (const pool of extraPools) {
-    const poolTf = pool.name.replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`resource "azurerm_kubernetes_cluster_node_pool" "${poolTf}" {`);
-    w(`  name                  = "${pool.name}"`);
-    w(`  kubernetes_cluster_id = azurerm_kubernetes_cluster.${tfName}.id`);
-    w(`  vm_size               = "${pool.vmSize}"`);
-    w(`  node_count            = ${pool.count}`);
-    if (pool.enableAutoScaling) {
-      w(`  auto_scaling_enabled  = true`);
-      w(`  min_count             = ${pool.minCount}`);
-      w(`  max_count             = ${pool.maxCount}`);
-    }
-    if (pool.maxPods) {
-      w(`  max_pods              = ${pool.maxPods}`);
-    }
-    if (pool.mode) {
-      w(`  mode                  = "${pool.mode}"`);
-    }
-    if (pool.osDiskSizeGb) {
-      w(`  os_disk_size_gb       = ${pool.osDiskSizeGb}`);
-    }
-    if (pool.scaleSetPriority === "Spot") {
-      w(`  priority              = "Spot"`);
-      w(`  eviction_policy       = "${pool.scaleSetEvictionPolicy || "Delete"}"`);
-      if (pool.spotMaxPrice != null && pool.spotMaxPrice !== -1) {
-        w(`  spot_max_price        = ${pool.spotMaxPrice}`);
-      }
-    }
-    if (pool.vnetSubnetId) {
-      w(`  vnet_subnet_id        = "${pool.vnetSubnetId}"`);
-    }
-    if (pool.availabilityZones?.length) {
-      w(`  zones                 = [${pool.availabilityZones.map((z) => `"${z}"`).join(", ")}]`);
-    }
-    const poolTags = pool.tags || {};
-    const poolTagEntries = Object.entries(poolTags);
-    if (poolTagEntries.length) {
-      w();
-      w(`  tags = {`);
-      for (const [k, v] of poolTagEntries) {
-        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
-      }
-      w(`  }`);
-    }
-    w(`}`);
-    w();
-  }
-
-  // ── Postgres Flexible Server ───────────────────────────────────────────────
-
-  if (pgServer) {
-    const pgTf = (pgServer.name || "psql").replace(/[^a-zA-Z0-9_]/g, "_");
-    const pgSku = pgServer.sku || {};
-    const pgStorage = pgServer.storage || {};
-    w(`# ─── Postgres Flexible Server ─────────────────────────────────────────────────`);
-    w();
-    w(`resource "azurerm_postgresql_flexible_server" "${pgTf}" {`);
-    w(`  name                          = "${pgServer.name}"`);
-    w(`  resource_group_name           = azurerm_resource_group.aks.name`);
-    w(`  location                      = azurerm_resource_group.aks.location`);
-    w(`  version                       = "${pgServer.version || "16"}"`);
-    w(`  administrator_login           = var.postgres_admin_login`);
-    w(`  administrator_password        = var.postgres_admin_password`);
-    if (pgSku.name) w(`  sku_name                      = "${pgSku.name}"`);
-    if (pgSku.tier) w(`  zone                          = "${pgServer.availabilityZone || "1"}"`);
-    if (pgStorage.storageSizeGb) {
-      w(`  storage_mb                    = ${pgStorage.storageSizeGb * 1024}`);
-    }
-    if (pgServer.delegatedSubnetArguments?.subnetArmResourceId) {
-      w(`  delegated_subnet_id           = "${pgServer.delegatedSubnetArguments.subnetArmResourceId}"`);
-    }
-    if (pgServer.network?.privateDnsZoneArmResourceId) {
-      w(`  private_dns_zone_id           = "${pgServer.network.privateDnsZoneArmResourceId}"`);
-    }
-    const pgTags = pgServer.tags || {};
-    const pgTagEntries = Object.entries(pgTags);
-    if (pgTagEntries.length) {
-      w();
-      w(`  tags = {`);
-      for (const [k, v] of pgTagEntries) {
-        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
-      }
-      w(`  }`);
-    }
-    w(`}`);
-    w();
-  }
-
-  // ── Key Vault ──────────────────────────────────────────────────────────────
-
-  if (keyVault) {
-    const kvTf = (keyVault.name || "kv").replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`# ─── Key Vault ────────────────────────────────────────────────────────────────`);
-    w();
-    w(`resource "azurerm_key_vault" "${kvTf}" {`);
-    w(`  name                       = "${keyVault.name}"`);
-    w(`  resource_group_name        = azurerm_resource_group.aks.name`);
-    w(`  location                   = azurerm_resource_group.aks.location`);
-    w(`  tenant_id                  = var.tenant_id`);
-    w(`  sku_name                   = "${keyVault.properties?.sku?.name || "standard"}"`);
-    w(`  enable_rbac_authorization  = ${keyVault.properties?.enableRbacAuthorization ?? true}`);
-    if (keyVault.properties?.enableSoftDelete !== undefined) {
-      w(`  soft_delete_retention_days = ${keyVault.properties?.softDeleteRetentionInDays || 90}`);
-    }
-    if (keyVault.properties?.enablePurgeProtection) {
-      w(`  purge_protection_enabled  = true`);
-    }
-    const kvTags = keyVault.tags || {};
-    const kvTagEntries = Object.entries(kvTags);
-    if (kvTagEntries.length) {
-      w();
-      w(`  tags = {`);
-      for (const [k, v] of kvTagEntries) {
-        w(`    ${JSON.stringify(k)} = ${JSON.stringify(v)}`);
-      }
-      w(`  }`);
-    }
-    w(`}`);
-    w();
-  }
-
-  // ── Flux extension ─────────────────────────────────────────────────────────
-
-  if (fluxExt) {
-    w(`# ─── Flux ─────────────────────────────────────────────────────────────────────`);
-    w();
-    w(`resource "azurerm_kubernetes_cluster_extension" "flux" {`);
-    w(`  name           = "flux"`);
-    w(`  cluster_id     = azurerm_kubernetes_cluster.${tfName}.id`);
-    w(`  extension_type = "microsoft.flux"`);
-    w(`}`);
-    w();
-  }
-
-  // ── Flux GitOps configurations ─────────────────────────────────────────────
-
-  for (const cfg of (fluxConfigs || [])) {
-    const cfgTf = (cfg.name || "flux_system").replace(/[^a-zA-Z0-9_]/g, "_");
-    const gitRepo = cfg.gitRepository || {};
-    const kustomizations = cfg.kustomizations || {};
-
-    w(`resource "azurerm_kubernetes_flux_configuration" "${cfgTf}" {`);
-    w(`  name       = "${cfg.name}"`);
-    w(`  cluster_id = azurerm_kubernetes_cluster.${tfName}.id`);
-    w(`  namespace  = "${cfg.namespace || "flux-system"}"`);
-    w(`  scope      = "${cfg.scope || "cluster"}"`);
-    w();
-    if (gitRepo.url) {
-      w(`  git_repository {`);
-      w(`    url             = "${gitRepo.url}"`);
-      w(`    reference_type  = "branch"`);
-      w(`    reference_value = "${gitRepo.repositoryRef?.branch || "main"}"`);
-      if (gitRepo.httpsUser) {
-        w(`    https_user      = "${gitRepo.httpsUser}"`);
-        w(`    https_key       = var.flux_github_token`);
-      }
-      w(`  }`);
-      w();
-    }
-    for (const [ksName, ks] of Object.entries(kustomizations)) {
-      w(`  kustomizations {`);
-      w(`    name = "${ksName}"`);
-      if (ks.path) w(`    path = "${ks.path}"`);
-      if (ks.prune != null) w(`    prune = ${ks.prune}`);
-      w(`  }`);
-      w();
-    }
-
-    w(`  depends_on = [azurerm_kubernetes_cluster_extension.flux]`);
-    w(`}`);
-    w();
-  }
-
-  // ── outputs ────────────────────────────────────────────────────────────────
-
-  w(`# ─── Outputs ─────────────────────────────────────────────────────────────────`);
-  w();
-  w(`output "cluster_name" {`);
-  w(`  value = azurerm_kubernetes_cluster.${tfName}.name`);
-  w(`}`);
-  w();
-  w(`output "cluster_fqdn" {`);
-  w(`  value = azurerm_kubernetes_cluster.${tfName}.fqdn`);
-  w(`}`);
-  w();
-  w(`output "kube_config" {`);
-  w(`  value     = azurerm_kubernetes_cluster.${tfName}.kube_config_raw`);
-  w(`  sensitive = true`);
-  w(`}`);
-  w();
-  if (pgServer) {
-    w(`output "postgres_fqdn" {`);
-    const pgTf = (pgServer.name || "psql").replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`  value = azurerm_postgresql_flexible_server.${pgTf}.fqdn`);
-    w(`}`);
-    w();
-  }
-  if (keyVault) {
-    const kvTf = (keyVault.name || "kv").replace(/[^a-zA-Z0-9_]/g, "_");
-    w(`output "key_vault_uri" {`);
-    w(`  value = azurerm_key_vault.${kvTf}.vault_uri`);
-    w(`}`);
-    w();
-  }
-
-  return lines.join("\n");
-}
-
-// ── aks kubeconfig ────────────────────────────────────────────────────────────
-
-export async function aksKubeconfig(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-  const { clusterName, resourceGroup: rg } = requireCluster(opts.clusterName);
-
-  await getCredentials(execa, { clusterName, rg, sub, admin: opts.admin });
-  console.log(OK(`\n  ✓ Kubeconfig merged for "${clusterName}"`));
-  hint(`kubectl config use-context ${clusterName}\n`);
-}
-
-// ── aks node-pool add ─────────────────────────────────────────────────────────
-
-export async function aksNodePoolAdd(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-  const { clusterName, resourceGroup: rg } = requireCluster(opts.clusterName);
-
-  const poolName = opts.poolName;
-  const nodeCount = opts.nodeCount || 3;
-  const vmSize = opts.nodeVmSize || AKS_DEFAULTS.nodeVmSize;
-
-  if (!poolName) {
-    console.error(ERR("\n  --pool-name is required.\n"));
-    process.exit(1);
-  }
-
-  banner(`Adding node pool "${poolName}" to ${clusterName}`);
-  kvLine("Size",  DIM(`${nodeCount} x ${vmSize}`));
-  hint("This takes a few minutes…\n");
-
-  const args = [
-    "aks", "nodepool", "add",
-    "--resource-group", rg,
-    "--cluster-name", clusterName,
-    "--name", poolName,
-    "--node-count", String(nodeCount),
-    "--node-vm-size", vmSize,
-    "--output", "none",
-    ...subArgs(sub),
-  ];
-  if (opts.mode) args.push("--mode", opts.mode);
-  if (opts.labels) args.push("--labels", opts.labels);
-  if (opts.taints) args.push("--node-taints", opts.taints);
-  if (opts.maxPods) args.push("--max-pods", String(opts.maxPods));
-
-  await execa("az", args, { timeout: 600000 });
-  console.log(OK(`  ✓ Node pool "${poolName}" added\n`));
-}
-
-// ── aks node-pool remove ──────────────────────────────────────────────────────
-
-export async function aksNodePoolRemove(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-  const { clusterName, resourceGroup: rg } = requireCluster(opts.clusterName);
-  const poolName = opts.poolName;
-
-  if (!poolName) {
-    console.error(ERR("\n  Pool name is required.\n"));
-    process.exit(1);
-  }
-
-  banner(`Removing node pool "${poolName}" from ${clusterName}`);
-  hint("This takes a few minutes…\n");
-
-  await execa("az", [
-    "aks", "nodepool", "delete",
-    "--resource-group", rg,
-    "--cluster-name", clusterName,
-    "--name", poolName,
-    "--output", "none",
-    ...subArgs(sub),
-  ], { timeout: 600000 });
-  console.log(OK(`  ✓ Node pool "${poolName}" removed\n`));
-}
-
-// ── flux init (scaffold cluster manifests) ───────────────────────────────────
-
-export async function aksFluxInit(opts = {}) {
-  const clusterName = opts.clusterName;
-  if (!clusterName) {
-    console.error(ERR("\n  Cluster name is required."));
-    hint("Usage: fops azure aks flux init <name> --flux-repo <path>\n");
-    process.exit(1);
-  }
-
-  const overlay = opts.overlay || "demo-azure";
-  const namespace = opts.namespace || "foundation";
-  const fluxRepoPath = opts.fluxRepo;
-
-  if (!fluxRepoPath) {
-    console.error(ERR("\n  --flux-repo <path> is required (path to your local flux repo clone)."));
-    hint("Example: fops azure aks flux init alessio --flux-repo ../flux\n");
-    process.exit(1);
-  }
-
-  const fluxRepo = path.resolve(fluxRepoPath);
-  if (!fs.existsSync(path.join(fluxRepo, "clusters"))) {
-    console.error(ERR(`\n  "${fluxRepo}" does not look like a flux repo (no clusters/ dir).`));
-    process.exit(1);
-  }
-
-  const clusterDir = path.join(fluxRepo, "clusters", clusterName);
-  if (fs.existsSync(clusterDir)) {
-    console.error(ERR(`\n  Cluster directory already exists: ${clusterDir}`));
-    hint("Remove it first or use a different name.\n");
-    process.exit(1);
-  }
-
-  const state = readState();
-  const projectRoot = state.azure?.projectRoot || state.projectRoot;
-  const thisDir = path.dirname(fileURLToPath(import.meta.url));
-  let templateRoot = projectRoot && fs.existsSync(path.join(projectRoot, "flux-templates", "cluster"))
-    ? path.join(projectRoot, "flux-templates", "cluster")
-    : path.resolve(thisDir, "../../../../foundation-flux/cluster");
-  if (!fs.existsSync(templateRoot)) {
-    console.error(ERR("\n  Template directory not found."));
-    hint(`Expected at: ${templateRoot}`);
-    hint("Create flux-templates/cluster/ in your project or install foundation-flux.\n");
-    process.exit(1);
-  }
-
-  const vars = {
-    "{{CLUSTER_NAME}}": clusterName,
-    "{{OVERLAY}}": overlay,
-    "{{NAMESPACE}}": namespace,
-    "{{FLUX_PATH}}": opts.fluxPath || `clusters/${clusterName}`,
-    "{{POSTGRES_HOST}}": opts.postgresHost || `{{POSTGRES_HOST}}`,
-    "{{ACCESS_KEY_ID}}": opts.accessKeyId || `{{ACCESS_KEY_ID}}`,
-    "{{AZURE_SP_CLIENT_ID_B64}}": opts.azureSpClientId || `{{AZURE_SP_CLIENT_ID_B64}}`,
-    "{{AZURE_SP_CLIENT_SECRET_B64}}": opts.azureSpClientSecret || `{{AZURE_SP_CLIENT_SECRET_B64}}`,
-    "{{AZURE_IDENTITY_ID}}": opts.azureIdentityId || `{{AZURE_IDENTITY_ID}}`,
-    "{{AZURE_TENANT_ID}}": opts.azureTenantId || `{{AZURE_TENANT_ID}}`,
-    "{{AZURE_KEYVAULT_URL}}": opts.azureKeyvaultUrl || `{{AZURE_KEYVAULT_URL}}`,
-  };
-
-  function applyVars(content) {
-    let out = content;
-    for (const [k, v] of Object.entries(vars)) {
-      out = out.replaceAll(k, v);
-    }
-    return out;
-  }
-
-  function copyDir(src, dest) {
-    fs.mkdirSync(dest, { recursive: true });
-    for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
-      const srcPath = path.join(src, entry.name);
-      const destPath = path.join(dest, entry.name);
-      if (entry.isDirectory()) {
-        copyDir(srcPath, destPath);
-      } else {
-        const content = fs.readFileSync(srcPath, "utf8");
-        fs.writeFileSync(destPath, applyVars(content));
-      }
-    }
-  }
-
-  banner(`Flux Init: ${clusterName}`);
-  kvLine("Cluster",   clusterName);
-  kvLine("Overlay",   overlay);
-  kvLine("Namespace", namespace);
-  kvLine("Output",    DIM(clusterDir));
-  console.log("");
-
-  // Scaffold cluster directory from templates
-  hint("Scaffolding cluster manifests…");
-  copyDir(templateRoot, clusterDir);
-  console.log(OK("  ✓ Cluster directory created"));
-
-  // Check remaining placeholders
-  const remaining = Object.entries(vars)
-    .filter(([, v]) => v.startsWith("{{"))
-    .map(([k]) => k);
-
-  if (remaining.length) {
-    console.log(`\n  ${WARN("Placeholders to fill in:")}`);
-    for (const p of remaining) {
-      hint(`  ${p}`);
-    }
-  }
-
-  // Verify the overlay exists in the flux repo
-  const sampleOverlay = path.join(fluxRepo, "apps/foundation/backend/overlays/meshx", overlay);
-  if (!fs.existsSync(sampleOverlay)) {
-    console.log(WARN(`\n  ⚠ Overlay "${overlay}" not found in apps/ — app Kustomizations will fail until it exists.`));
-    hint(`Create overlays or use an existing one: --overlay demo-azure`);
-  }
-
-  console.log("");
-  hint("Next steps:");
-  hint(`  1. Fill in remaining {{…}} placeholders in clusters/${clusterName}/`);
-  hint(`  2. Commit and push to the flux repo`);
-  hint(`  3. Bootstrap Flux: fops azure aks flux bootstrap ${clusterName}`);
-  console.log("");
-}
-
-// ── flux bootstrap ────────────────────────────────────────────────────────────
-
-export async function aksFluxBootstrap(opts = {}) {
-  const execa = await lazyExeca();
-  const sub = opts.profile;
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: sub });
-  const cl = requireCluster(opts.clusterName);
-
-  // Ensure kubeconfig is current
-  await getCredentials(execa, {
-    clusterName: cl.clusterName,
-    rg: cl.resourceGroup,
-    sub,
-  });
-
-  const githubToken = resolveGithubToken(opts);
-  if (!githubToken) {
-    console.error(ERR("\n  GitHub token required for Flux bootstrap."));
-    hint("Authenticate:  gh auth login   or set GITHUB_TOKEN\n");
-    process.exit(1);
-  }
-
-  const fluxOpts = {
-    fluxRepo: opts.repo,
-    fluxOwner: opts.owner,
-    fluxPath: opts.path,
-    fluxBranch: opts.branch,
-  };
-  const { fluxRepo, fluxOwner, fluxPath, fluxBranch } = resolveFluxConfig(cl.clusterName, fluxOpts);
-
-  await ensureGhcrPullSecret(execa, { clusterName: cl.clusterName, githubToken });
-
-  await reconcileFlux(execa, {
-    clusterName: cl.clusterName,
-    rg: cl.resourceGroup,
-    sub,
-    githubToken,
-    repo: fluxRepo,
-    owner: fluxOwner,
-    path: fluxPath,
-    branch: fluxBranch,
-  });
-
-  writeClusterState(cl.clusterName, {
-    flux: { repo: fluxRepo, owner: fluxOwner, path: fluxPath, branch: fluxBranch },
-  });
-  console.log(OK(`  ✓ Flux now using ${fluxOwner}/${fluxRepo}\n`));
-}
-
-// ── data bootstrap (demo data mesh, same as fops bootstrap targeting AKS backend) ─
-
-function findBootstrapRepoRoot() {
-  const scriptPath = "scripts/bootstrap_foundation.py";
-  const envRoot = process.env.FOUNDATION_ROOT;
-  if (envRoot && fs.existsSync(path.join(envRoot, scriptPath))) return path.resolve(envRoot);
-  try {
-    const fopsPath = path.join(os.homedir(), ".fops.json");
-    const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
-    const root = raw?.projectRoot;
-    if (root && fs.existsSync(path.join(root, scriptPath))) return path.resolve(root);
-  } catch {}
-  let dir = path.resolve(process.cwd());
-  for (;;) {
-    if (fs.existsSync(path.join(dir, scriptPath))) return dir;
-    const parent = path.dirname(dir);
-    if (parent === dir) break;
-    dir = parent;
-  }
-  return null;
-}
-
-async function discoverFoundationApiUrlFromCluster(execa, clusterName) {
-  try {
-    const { stdout } = await execa("kubectl", [
-      "get", "ingress", "-A",
-      "-o", "jsonpath={.items[*].spec.rules[*].host}",
-      "--context", clusterName,
-    ], { timeout: 15000 });
-    const first = (stdout || "").trim().split(/\s+/).filter(Boolean)[0];
-    if (first) return `https://${first}/api`;
-  } catch {}
-  return null;
-}
-
-export async function aksDataBootstrap(opts = {}) {
-  const execa = await lazyExeca();
-  await ensureAzCli(execa);
-  await ensureAzAuth(execa, { subscription: opts.profile });
-  const cl = requireCluster(opts.clusterName);
-
-  await getCredentials(execa, {
-    clusterName: cl.clusterName,
-    rg: cl.resourceGroup,
-    sub: opts.profile,
-  });
-
-  let apiUrl = opts.apiUrl?.trim() || cl.foundationApiUrl?.trim();
-  if (!apiUrl) {
-    apiUrl = await discoverFoundationApiUrlFromCluster(execa, cl.clusterName);
-    if (apiUrl) {
-      hint(`Using API URL from cluster ingress: ${apiUrl}`);
-      writeClusterState(cl.clusterName, { foundationApiUrl: apiUrl });
-    }
-  }
-  if (!apiUrl) {
-    console.error(ERR("\n  Foundation backend API URL is required."));
-    hint("Pass the backend API base URL (e.g. https://foundation.example.com/api):");
-    hint("  fops azure aks bootstrap " + cl.clusterName + " --api-url https://your-foundation-host/api\n");
-    process.exit(1);
-  }
-  const normalized = apiUrl.replace(/\/+$/, "");
-  if (!normalized.endsWith("/api")) {
-    console.log(WARN("  API URL should usually end with /api (e.g. https://host/api). Using as-is."));
-  }
-
-  const root = findBootstrapRepoRoot();
-  if (!root) {
-    console.error(ERR("\n  Could not find foundation-compose root (scripts/bootstrap_foundation.py)."));
-    hint("Run from the foundation-compose directory, or set FOUNDATION_ROOT.\n");
-    process.exit(1);
-  }
-
-  const { loadEnvFromFile } = await import("./azure-helpers.js");
-  const projectEnv = loadEnvFromFile(path.join(root, ".env"));
-  let bootstrapEnv = {
-    ...process.env,
-    ...projectEnv,
-    PYTHONUNBUFFERED: "1",
-    API_URL: normalized,
-  };
-
-  let hasCreds = !!(bootstrapEnv.BEARER_TOKEN?.trim()
-    || (bootstrapEnv.QA_USERNAME?.trim() && bootstrapEnv.QA_PASSWORD != null));
-  if (!hasCreds) {
-    try {
-      const fopsPath = path.join(os.homedir(), ".fops.json");
-      const raw = JSON.parse(fs.readFileSync(fopsPath, "utf8"));
-      const cfg = raw?.plugins?.entries?.["fops-plugin-foundation"]?.config || {};
-      if (cfg.bearerToken?.trim()) {
-        bootstrapEnv.BEARER_TOKEN = cfg.bearerToken.trim();
-        hasCreds = true;
-      } else if (cfg.user?.trim() && cfg.password) {
-        bootstrapEnv.QA_USERNAME = cfg.user.trim();
-        bootstrapEnv.QA_PASSWORD = cfg.password;
-        hasCreds = true;
-      }
-    } catch {}
-  }
-  if (!hasCreds && !opts.yes) {
-    console.log(WARN("  No Foundation credentials in env or ~/.fops.json."));
-    const { getInquirer } = await import(resolveCliSrc("lazy.js"));
-    const inquirer = await getInquirer();
-    const { authMethod } = await inquirer.prompt([{
-      type: "list",
-      name: "authMethod",
-      message: "Authentication method:",
-      choices: [
-        { name: "Username / password", value: "password" },
-        { name: "Bearer token (JWT)", value: "jwt" },
-      ],
-    }]);
-    if (authMethod === "jwt") {
-      const { token } = await inquirer.prompt([{ type: "input", name: "token", message: "Bearer token:", validate: (v) => v?.trim() ? true : "Token required" }]);
-      bootstrapEnv.BEARER_TOKEN = token.trim();
-    } else {
-      const { user } = await inquirer.prompt([{ type: "input", name: "user", message: "Username (email):", validate: (v) => v?.trim() ? true : "Username required" }]);
-      const { password } = await inquirer.prompt([{ type: "password", name: "password", message: "Password:", mask: "*", validate: (v) => v ? true : "Password required" }]);
-      bootstrapEnv.QA_USERNAME = user.trim();
-      bootstrapEnv.QA_PASSWORD = password;
-    }
-    hasCreds = true;
-  }
-  if (!hasCreds) {
-    console.error(ERR("  Set BEARER_TOKEN or QA_USERNAME+QA_PASSWORD (env or ~/.fops.json), or run without --yes.\n"));
-    process.exit(1);
-  }
-
-  banner("Bootstrap demo data (AKS)");
-  kvLine("Cluster", cl.clusterName);
-  kvLine("API URL", normalized);
-  hint("Same as fops bootstrap — creates demo data mesh via backend API.\n");
-
-  const scriptsDir = path.join(root, "scripts");
-  const venvPython = path.join(scriptsDir, ".venv", "bin", "python");
-  const scriptPath = path.join(scriptsDir, "bootstrap_foundation.py");
-  if (!fs.existsSync(venvPython)) {
-    hint("Creating scripts/.venv…");
-    await execa("python3", ["-m", "venv", path.join(scriptsDir, ".venv")], { cwd: root, timeout: 30000 });
-    const pip = path.join(scriptsDir, ".venv", "bin", "pip");
-    if (!fs.existsSync(pip)) {
-      hint("Installing pip into venv…");
-      await execa("sh", ["-c", `curl -sS https://bootstrap.pypa.io/get-pip.py | ${venvPython}`], { cwd: root, timeout: 60000 });
-    }
-    const reqPath = path.join(scriptsDir, "requirements.txt");
-    if (fs.existsSync(reqPath)) {
-      await execa(venvPython, ["-m", "pip", "install", "--quiet", "-r", reqPath], { cwd: root, timeout: 120000 });
-    }
-  }
-
-  let captured = "";
-  const proc = execa(venvPython, ["-u", scriptPath], {
-    cwd: root,
-    timeout: 600_000,
-    env: bootstrapEnv,
-    reject: false,
-  });
-  proc.stdout?.on("data", (chunk) => { const s = chunk.toString(); captured += s; process.stdout.write(s); });
-  proc.stderr?.on("data", (chunk) => { const s = chunk.toString(); captured += s; process.stderr.write(s); });
-  const result = await proc;
-
-  if (result.exitCode === 0) {
-    console.log(OK("\n  ✓ Bootstrap complete! Demo data mesh created on the cluster backend."));
-    writeClusterState(cl.clusterName, { foundationApiUrl: normalized });
-    return;
-  }
-  if ((captured || "").includes("401") || (captured || "").includes("Insufficient permissions")) {
-    hint("\n  If the user needs Foundation Admin, grant it in the UI or via your IdP, then retry.");
-  }
-  const code = result.exitCode === 255 || result.exitCode === -1 ? 1 : result.exitCode;
-  console.error(ERR(`\n  Bootstrap failed (exit code ${code}).`));
-  hint("Ensure the AKS backend is up and reachable at " + normalized);
-  process.exit(1);
-}
-
-// ── flux status ───────────────────────────────────────────────────────────────
-
-export async function aksFluxStatus(opts = {}) {
-  const execa = await lazyExeca();
-  await ensureFluxCli(execa);
-  const cl = requireCluster(opts.clusterName);
-
-  banner(`Flux Status: ${cl.clusterName}`);
-
-  const commands = [
-    { label: "Sources",         args: ["get", "sources", "all"] },
-    { label: "Kustomizations",  args: ["get", "kustomizations"] },
-    { label: "Helm Releases",   args: ["get", "helmreleases", "--all-namespaces"] },
-  ];
-
-  for (const { label, args } of commands) {
-    console.log(`\n  ${LABEL(label)}`);
-    const { stdout } = await execa("flux", [
-      ...args, "--context", cl.clusterName,
-    ], { timeout: 30000, reject: false });
-    if (stdout?.trim()) {
-      for (const line of stdout.trim().split("\n")) {
-        console.log(`    ${DIM(line)}`);
-      }
-    } else {
-      hint(`  No ${label.toLowerCase()} found.`);
-    }
-  }
-
-  console.log("");
-}
-
-// ── flux reconcile ────────────────────────────────────────────────────────────
-
-export async function aksFluxReconcile(opts = {}) {
-  const execa = await lazyExeca();
-  await ensureFluxCli(execa);
-  const cl = requireCluster(opts.clusterName);
-
-  banner(`Flux Reconcile: ${cl.clusterName}`);
-
-  const source = opts.source || "flux-system";
-  hint(`Triggering reconcile for source "${source}"…\n`);
-
-  await execa("flux", [
-    "reconcile", "source", "git", source,
-    "--context", cl.clusterName,
-  ], { timeout: 60000, stdio: "inherit" });
-
-  // Azure-managed Flux names kustomizations as "<config>-<kustomization>"
-  // (e.g. "flux-system-flux-system"), while standalone Flux uses just "flux-system".
-  // Try the Azure-managed name first, fall back to the standard name.
-  const ksNames = ["flux-system-flux-system", "flux-system"];
-  let reconciled = false;
-  for (const ks of ksNames) {
-    const { exitCode } = await execa("flux", [
-      "reconcile", "kustomization", ks,
-      "--context", cl.clusterName,
-    ], { timeout: 60000, stdio: "inherit", reject: false });
-    if (exitCode === 0) { reconciled = true; break; }
-  }
-
-  if (reconciled) {
-    console.log(OK("\n  ✓ Reconciliation triggered.\n"));
-  } else {
-    console.error(ERR("\n  ✗ Could not reconcile kustomization. Check: kubectl --context " + cl.clusterName + " get kustomizations -n flux-system\n"));
-  }
-}
-
-// ── Shared internals ──────────────────────────────────────────────────────────
-
-async function ensureGhcrPullSecret(execa, { clusterName, githubToken, namespace = "default" }) {
-  if (!githubToken) return;
-
-  banner("GHCR Pull Secret");
-  hint("Creating image pull secret for ghcr.io…");
-
-  const secretName = "ghcr-pull-secret";
-
-  // Create the secret in the target namespace
-  const { exitCode } = await execa("kubectl", [
-    "create", "secret", "docker-registry", secretName,
-    "--docker-server=ghcr.io",
-    "--docker-username=x-access-token",
-    `--docker-password=${githubToken}`,
-    "--namespace", namespace,
-    "--context", clusterName,
-    "--dry-run=client", "-o", "yaml",
-  ], { timeout: 15000, reject: false }).then(async (dryRun) => {
-    if (dryRun.exitCode !== 0) return dryRun;
-    // Pipe through kubectl apply so it's idempotent
-    return execa("kubectl", [
-      "apply", "-f", "-", "--context", clusterName,
-    ], { input: dryRun.stdout, timeout: 15000, reject: false });
-  });
-
-  if (exitCode === 0) {
-    console.log(OK(`  ✓ Pull secret "${secretName}" in namespace "${namespace}"`));
-  } else {
-    console.log(WARN(`  ⚠ Could not create pull secret — create manually:`));
-    hint(`  kubectl create secret docker-registry ${secretName} --docker-server=ghcr.io --docker-username=x-access-token --docker-password=<token>`);
-  }
-
-  // Also create in flux-system namespace (Flux needs it for image automation)
-  const { exitCode: fluxNsCode } = await execa("kubectl", [
-    "create", "namespace", "flux-system",
-    "--context", clusterName, "--dry-run=client", "-o", "yaml",
-  ], { timeout: 10000, reject: false }).then(async (ns) => {
-    if (ns.exitCode !== 0) return ns;
-    return execa("kubectl", ["apply", "-f", "-", "--context", clusterName],
-      { input: ns.stdout, timeout: 10000, reject: false });
-  });
-
-  if (fluxNsCode === 0) {
-    const { exitCode: fsCode } = await execa("kubectl", [
-      "create", "secret", "docker-registry", secretName,
-      "--docker-server=ghcr.io",
-      "--docker-username=x-access-token",
-      `--docker-password=${githubToken}`,
-      "--namespace", "flux-system",
-      "--context", clusterName,
-      "--dry-run=client", "-o", "yaml",
-    ], { timeout: 15000, reject: false }).then(async (dryRun) => {
-      if (dryRun.exitCode !== 0) return dryRun;
-      return execa("kubectl", ["apply", "-f", "-", "--context", clusterName],
-        { input: dryRun.stdout, timeout: 15000, reject: false });
-    });
-    if (fsCode === 0) {
-      console.log(OK(`  ✓ Pull secret "${secretName}" in namespace "flux-system"`));
-    }
-  }
-}
-
-async function getCredentials(execa, { clusterName, rg, sub, admin } = {}) {
-  hint("Fetching kubeconfig…");
-  const args = [
-    "aks", "get-credentials",
-    "--resource-group", rg,
-    "--name", clusterName,
-    "--overwrite-existing",
-    "--output", "none",
-    ...subArgs(sub),
-  ];
-  if (admin) args.push("--admin");
-  await execa("az", args, { timeout: 30000 });
-  console.log(OK(`  ✓ Kubeconfig merged`));
-}
-
-async function bootstrapFlux(execa, { clusterName, rg, sub, githubToken, repo, owner, path: fluxPath, branch }) {
-  repo = repo || AKS_DEFAULTS.fluxRepo;
-  owner = owner || AKS_DEFAULTS.fluxOwner;
-  branch = branch || AKS_DEFAULTS.fluxBranch;
-
-  if (!githubToken) {
-    console.error(ERR("\n  GitHub token required for Flux bootstrap."));
-    hint("Authenticate:  gh auth login   (writes to ~/.netrc)");
-    hint("Or:            export GITHUB_TOKEN=<token>");
-    hint("Or:            --github-token <token>\n");
-    process.exit(1);
-  }
-
-  const repoUrl = `https://github.com/${owner}/${repo}`;
-  const configName = "flux-system";
-
-  banner("Flux Bootstrap (Azure GitOps)");
-  kvLine("Repo",   DIM(`${owner}/${repo}`));
-  kvLine("Path",   DIM(fluxPath));
-  kvLine("Branch", DIM(branch));
-  kvLine("Mode",   DIM("Azure-managed extension (read-only)"));
-  hint("This takes 2–5 minutes…\n");
-
-  // 1. Install the microsoft.flux extension on the cluster
-  hint("Installing Flux extension…");
-  try {
-    await execa("az", [
-      "k8s-extension", "create",
-      "--resource-group", rg,
-      "--cluster-name", clusterName,
-      "--cluster-type", "managedClusters",
-      "--name", "flux",
-      "--extension-type", "microsoft.flux",
-      "--scope", "cluster",
-      "--output", "none",
-      ...subArgs(sub),
-    ], { timeout: 600000 });
-    console.log(OK("  ✓ Flux extension installed"));
-  } catch (err) {
-    const msg = (err.stderr || err.message || "").toString();
-    if (/rpds|No module named|ModuleNotFoundError/.test(msg)) {
-      console.error(ERR("\n  Azure k8s-extension failed (broken vendored rpds — known Azure CLI bug)."));
-      hint("Workaround (macOS Homebrew): install rpds-py into Azure CLI's Python, then remove the extension's vendored rpds:");
-      hint("  $(brew --prefix azure-cli)/libexec/bin/pip install rpds-py");
-      hint("  rm -rf ~/.azure/cliextensions/k8s-extension/rpds");
-      hint("Then re-run. See: https://github.com/Azure/azure-cli/issues/32709\n");
-      throw err;
-    }
-    throw err;
-  }
-
-  // 2. Create the Flux GitOps configuration
-  hint("Creating GitOps configuration…");
-  await execa("az", [
-    "k8s-configuration", "flux", "create",
-    "--resource-group", rg,
-    "--cluster-name", clusterName,
-    "--cluster-type", "managedClusters",
-    "--name", configName,
-    "--namespace", "flux-system",
-    "--scope", "cluster",
-    "--url", repoUrl,
-    "--branch", branch,
-    "--https-user", "x-access-token",
-    "--https-key", githubToken,
-    "--kustomization", `name=${configName}`, `path=./${fluxPath}`, "prune=true",
-    "--output", "none",
-    ...subArgs(sub),
-  ], { timeout: 300000 });
-  console.log(OK("  ✓ GitOps configuration created (read-only — no push to repo)"));
-}
-
-// ── Cluster reconciler ───────────────────────────────────────────────────────
-// Each reconciler: { name, fn(ctx, cluster) } — returns silently on success,
-// warns on non-fatal failure. Adding a new concern = one new entry in the array.
-
-async function reconcileCluster(ctx) {
-  const { execa, clusterName, rg, sub } = ctx;
-
-  try {
-    const { stdout } = await execa("az", [
-      "aks", "show", "-g", rg, "-n", clusterName, "--output", "json",
-      ...subArgs(sub),
-    ], { timeout: 30000 });
-    ctx.cluster = JSON.parse(stdout);
-  } catch (err) {
-    console.log(WARN(`  ⚠ Could not fetch cluster details: ${(err.message || "").split("\n")[0]}`));
-    ctx.cluster = {};
-  }
-
-  await runReconcilers(AKS_RECONCILERS, ctx);
-}
-
-// Kustomizations that fops manages directly — suspend them so Flux doesn't revert our patches.
-const FOPS_MANAGED_KUSTOMIZATIONS = [
-  "foundation-backend",
-  "foundation-processor",
-  "foundation-scheduler",
-  "foundation-watcher",
-  "foundation-storage-engine",
-  "istio-controlplane",
-];
-
-const DAI_KUSTOMIZATIONS = [
-  "dai-backend",
-  "dai-trino",
-];
-
-async function suspendManagedKustomizations(ctx) {
-  const { execa, clusterName, opts } = ctx;
-  const kubectl = (args, o = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 15000, reject: false, ...o });
-
-  // When --dai is NOT set, also suspend DAI kustomizations so they don't schedule workloads
-  const targets = opts?.dai
-    ? FOPS_MANAGED_KUSTOMIZATIONS
-    : [...FOPS_MANAGED_KUSTOMIZATIONS, ...DAI_KUSTOMIZATIONS];
-
-  let suspended = 0;
-  for (const name of targets) {
-    const { exitCode } = await kubectl([
-      "get", "kustomization", name, "-n", "flux-system",
-    ]);
-    if (exitCode !== 0) continue;
-
-    const { stdout: isSuspended } = await kubectl([
-      "get", "kustomization", name, "-n", "flux-system",
-      "-o", "jsonpath={.spec.suspend}",
-    ]);
-    if (isSuspended === "true") continue;
-
-    await kubectl([
-      "patch", "kustomization", name, "-n", "flux-system",
-      "--type", "merge", "-p", '{"spec":{"suspend":true}}',
-    ]);
-    suspended++;
-  }
-  if (suspended > 0) {
-    console.log(OK(`  ✓ Suspended ${suspended} Flux Kustomization(s) to prevent revert`));
-  } else {
-    console.log(OK("  ✓ Managed Kustomizations already suspended"));
-  }
-}
-
-const AKS_RECONCILERS = [
-  { name: "api-server-ip", fn: reconcileApiServerIp },
-  { name: "addons",        fn: reconcileAddons },
-  { name: "autoscaler",    fn: reconcileAutoscaler },
-  { name: "spot-pool",     fn: reconcileSpotPool },
-  { name: "kubeconfig",    fn: reconcileKubeconfig },
-  { name: "suspend-flux",  fn: suspendManagedKustomizations },
-  { name: "descheduler",   fn: reconcileDescheduler },
-  { name: "postgres",      fn: reconcilePostgres },
-  { name: "pg-databases",  fn: reconcilePgDatabases },
-  { name: "secret-store",  fn: reconcileSecretStore },
-  { name: "k8s-secrets",   fn: reconcileK8sSecrets },
-  { name: "storage-engine", fn: reconcileStorageEngine },
-  { name: "flux",          fn: reconcileFluxStep },
-  { name: "helm-repos",    fn: reconcileHelmRepos },
-  { name: "flux-prereqs",  fn: reconcileFluxPrereqs },
-  { name: "acr-webhooks",  fn: reconcileAcrWebhooks },
-  { name: "helm-values",   fn: reconcileHelmValues },
-  { name: "vault-unseal",  fn: reconcileVaultUnseal },
-  { name: "ingress-ip",   fn: reconcileIngressIp },
-  { name: "frontend-auth", fn: reconcileFrontendAuth },
-  { name: "fops-api",      fn: reconcileFopsApi },
-];
-
-async function reconcileApiServerIp(ctx) {
-  const { execa, clusterName, rg, sub, cluster } = ctx;
-  const myIp = await fetchMyIp();
-  if (!myIp) return;
-
-  const ranges = cluster.apiServerAccessProfile?.authorizedIpRanges || [];
-  if (ranges.length === 0) {
-    hint(`Scoping API server to ${myIp}…`);
-    await execa("az", [
-      "aks", "update", "-g", rg, "-n", clusterName,
-      "--api-server-authorized-ip-ranges", `${myIp}/32`,
-      "--output", "none", ...subArgs(sub),
-    ], { timeout: 120000 });
-    console.log(OK(`  ✓ API server scoped to ${myIp}/32`));
-  } else if (!ranges.some(r => r.startsWith(myIp))) {
-    const updated = [...ranges, `${myIp}/32`].join(",");
-    hint(`Adding ${myIp} to authorized IP ranges…`);
-    await execa("az", [
-      "aks", "update", "-g", rg, "-n", clusterName,
-      "--api-server-authorized-ip-ranges", updated,
-      "--output", "none", ...subArgs(sub),
-    ], { timeout: 120000 });
-    console.log(OK(`  ✓ API server ranges updated (${ranges.length + 1} IPs)`));
-  } else {
-    console.log(OK(`  ✓ API server already includes ${myIp}`));
-  }
-}
-
-async function reconcileAddons(ctx) {
-  const { execa, clusterName, rg, sub } = ctx;
-  const cluster = ctx.cluster || {};
-  const baseArgs = ["-g", rg, "-n", clusterName, ...subArgs(sub)];
-
-  const defenderOn = cluster.securityProfile?.defender?.securityMonitoring?.enabled === true;
-  const monitoringOn = cluster.addonProfiles?.omsagent?.enabled === true;
-  const azurePolicyOn = cluster.addonProfiles?.azurepolicy?.enabled === true;
-  const fileDriverOn = cluster.storageProfile?.fileCSIDriver?.enabled !== false;
-
-  if (!defenderOn && !monitoringOn && !azurePolicyOn && !fileDriverOn) {
-    console.log(OK("  ✓ Unwanted addons already disabled"));
-    return;
-  }
-
-  let changed = false;
-
-  // Defender for Containers: az aks create/update do not support --disable-defender;
-  // disable via portal or: az security auto-provisioning update --auto-provision Off
-  if (defenderOn) {
-    hint("Defender is enabled; to disable use Azure Portal or security auto-provisioning.");
-  }
-
-  // Monitoring + Azure Policy use `aks disable-addons` with a comma-separated list
-  const addons = [];
-  if (monitoringOn) addons.push("monitoring");
-  if (azurePolicyOn) addons.push("azure-policy");
-
-  if (addons.length > 0) {
-    hint(`Disabling ${addons.join(", ")}…`);
-    const r = await execa("az", [
-      "aks", "disable-addons", ...baseArgs, "--addons", addons.join(","),
-      "--output", "none",
-    ], { reject: false, timeout: 300000 });
-    if (r.exitCode === 0) { console.log(OK(`  ✓ Disabled: ${addons.join(", ")}`)); changed = true; }
-    else { console.log(WARN(`  ⚠ Addons: ${(r.stderr || "").split("\n")[0]}`)); }
-  }
-
-  if (fileDriverOn) {
-    hint("Disabling Azure File CSI driver (not needed)…");
-    const r = await execa("az", [
-      "aks", "update", ...baseArgs, "--disable-file-driver", "--yes", "--output", "none",
-    ], { reject: false, timeout: 300000 });
-    if (r.exitCode === 0) { console.log(OK("  ✓ Azure File driver disabled (−8 pods)")); changed = true; }
-    else { console.log(WARN(`  ⚠ File driver: ${(r.stderr || "").split("\n")[0]}`)); }
-  }
-
-  if (changed) {
-    try {
-      const { stdout } = await execa("az", [
-        "aks", "show", ...baseArgs, "--output", "json",
-      ], { timeout: 30000 });
-      ctx.cluster = JSON.parse(stdout);
-    } catch {}
-  }
-}
-
-async function reconcileAutoscaler(ctx) {
-  const { execa, clusterName, rg, sub, minCount, maxCount, cluster } = ctx;
-  const pool = (cluster.agentPoolProfiles || []).find(p => p.mode === "System")
-    || (cluster.agentPoolProfiles || [])[0];
-  if (!pool) return;
-
-  if (!pool.enableAutoScaling) {
-    hint(`Enabling autoscaler on pool "${pool.name}" (${minCount}–${maxCount})…`);
-    // Use nodepool update instead of aks update to support multi-pool clusters
-    await execa("az", [
-      "aks", "nodepool", "update",
-      "--resource-group", rg,
-      "--cluster-name", clusterName,
-      "--name", pool.name,
-      "--enable-cluster-autoscaler",
-      "--min-count", String(minCount),
-      "--max-count", String(maxCount),
-      "--output", "none", ...subArgs(sub),
-    ], { timeout: 120000 });
-    console.log(OK(`  ✓ Autoscaler enabled on "${pool.name}" (${minCount}–${maxCount})`));
-  } else {
-    console.log(OK(`  ✓ Autoscaler already enabled on "${pool.name}" (${pool.minCount}–${pool.maxCount})`));
-  }
-}
-
-async function reconcileSpotPool(ctx) {
-  const { execa, clusterName, rg, sub, cluster, maxPods } = ctx;
-  const pools = cluster.agentPoolProfiles || [];
-  const spotPool = pools.find(p => p.scaleSetPriority === "Spot");
-
-  if (spotPool) {
-    const count = spotPool.count || 0;
-    const scaling = spotPool.enableAutoScaling
-      ? `autoscale ${spotPool.minCount}–${spotPool.maxCount}`
-      : `${count} nodes`;
-    console.log(OK(`  ✓ Spot pool "${spotPool.name}" present (${scaling}, max-pods ${spotPool.maxPods})`));
-    return;
-  }
-
-  hint("Creating spot node pool for workloads that require spot instances…");
-  const sysPool = pools.find(p => p.mode === "System") || pools[0];
-  const vmSize = sysPool?.vmSize || "Standard_D8s_v3";
-
-  const { exitCode, stderr } = await execa("az", [
-    "aks", "nodepool", "add",
-    "--resource-group", rg,
-    "--cluster-name", clusterName,
-    "--name", "spot",
-    "--node-count", "2",
-    "--node-vm-size", vmSize,
-    "--max-pods", String(maxPods || 110),
-    "--priority", "Spot",
-    "--eviction-policy", "Delete",
-    "--spot-max-price", "-1",
-    "--enable-cluster-autoscaler",
-    "--min-count", "1",
-    "--max-count", "3",
-    "--labels", "kubernetes.azure.com/scalesetpriority=spot",
-    "--node-taints", "kubernetes.azure.com/scalesetpriority=spot:NoSchedule",
-    "--output", "none",
-    ...subArgs(sub),
-  ], { timeout: 300000, reject: false });
-
-  if (exitCode === 0) {
-    console.log(OK("  ✓ Spot pool created (2 nodes, autoscale 1–3)"));
-  } else {
-    const errMsg = (stderr || "").split("\n")[0];
-    console.log(WARN(`  ⚠ Spot pool creation failed: ${errMsg}`));
-  }
-}
-
-async function reconcileDescheduler(ctx) {
-  const { execa, clusterName } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
-
-  const { exitCode } = await kubectl(["get", "cronjob", "descheduler", "-n", "kube-system"]);
-  if (exitCode === 0) {
-    console.log(OK("  ✓ Descheduler already installed"));
-    return;
-  }
-
-  hint("Installing descheduler…");
-
-  const { exitCode: helmCheck } = await execa("helm", ["version", "--short"], { reject: false, timeout: 10000 });
-  if (helmCheck !== 0) {
-    console.log(WARN("  ⚠ Helm not found — skipping descheduler install"));
-    return;
-  }
-
-  const { exitCode: repoAdd } = await execa("helm", [
-    "repo", "add", "descheduler", "https://kubernetes-sigs.github.io/descheduler/",
-  ], { reject: false, timeout: 30000 });
-  if (repoAdd !== 0) {
-    await execa("helm", ["repo", "update", "descheduler"], { reject: false, timeout: 30000 });
-  }
-
-  const manifest = `
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: descheduler-policy
-  namespace: kube-system
-data:
-  policy.yaml: |
-    apiVersion: "descheduler/v1alpha2"
-    kind: "DeschedulerPolicy"
-    profiles:
-    - name: default
-      pluginConfig:
-      - name: RemoveDuplicates
-        args:
-          excludeOwnerKinds: ["ReplicaSet"]
-      - name: LowNodeUtilization
-        args:
-          thresholds:
-            cpu: 20
-            memory: 20
-            pods: 20
-          targetThresholds:
-            cpu: 50
-            memory: 50
-            pods: 50
-      - name: RemovePodsHavingTooManyRestarts
-        args:
-          podRestartThreshold: 10
-          includingInitContainers: true
-      plugins:
-        balance:
-          enabled:
-          - RemoveDuplicates
-          - LowNodeUtilization
-        deschedule:
-          enabled:
-          - RemovePodsHavingTooManyRestarts
-`;
-
-  const { exitCode: installCode, stderr } = await execa("helm", [
-    "upgrade", "--install", "descheduler", "descheduler/descheduler",
-    "--namespace", "kube-system",
-    "--kube-context", clusterName,
-    "--set", "schedule=*/5 * * * *",
-    "--set", "deschedulerPolicy.strategies.RemoveDuplicates.enabled=true",
-    "--set", "deschedulerPolicy.strategies.LowNodeUtilization.enabled=true",
-    "--set", "deschedulerPolicy.strategies.RemovePodsHavingTooManyRestarts.enabled=true",
-    "--wait", "--timeout", "120s",
-  ], { timeout: 180000, reject: false });
-
-  if (installCode === 0) {
-    console.log(OK("  ✓ Descheduler installed (runs every 5 min)"));
-  } else {
-    const errMsg = (stderr || "").split("\n")[0];
-    console.log(WARN(`  ⚠ Descheduler install failed: ${errMsg}`));
-  }
-}
-
-async function reconcileKubeconfig(ctx) {
-  await getCredentials(ctx.execa, { clusterName: ctx.clusterName, rg: ctx.rg, sub: ctx.sub });
-}
-
-// ── Postgres Flexible Server reconciler ──────────────────────────────────────
-
-const PG_DEFAULTS = {
-  sku: "Standard_B2ms",
-  tier: "Burstable",
-  version: "15",
-  storageSizeGb: 32,
-  adminUser: "foundation",
-};
-
-function pgServerName(clusterName) {
-  return `fops-${clusterName}-psql`;
-}
-
-function generatePassword(len = 32) {
-  const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-  const bytes = crypto.randomBytes(len);
-  return Array.from(bytes, b => chars[b % chars.length]).join("");
-}
-
-async function reconcilePostgres(ctx) {
-  const { execa, clusterName, rg, sub, cluster } = ctx;
-  const location = cluster.location || DEFAULTS.location;
-  const serverName = pgServerName(clusterName);
-
-  // 1. Check if server already exists
-  const { exitCode: pgExists, stdout: pgJson } = await execa("az", [
-    "postgres", "flexible-server", "show",
-    "--name", serverName, "--resource-group", rg,
-    "--output", "json", ...subArgs(sub),
-  ], { reject: false, timeout: 30000 });
-
-  let fqdn;
-  let adminPassword;
-
-  if (pgExists === 0 && pgJson?.trim()) {
-    const pg = JSON.parse(pgJson);
-    fqdn = pg.fullyQualifiedDomainName;
-    console.log(OK(`  ✓ Postgres Flexible Server "${serverName}" exists (${fqdn})`));
-
-    // Reconcile storage auto-grow
-    const autoGrow = pg.storage?.autoGrow;
-    if (autoGrow !== "Enabled") {
-      hint("Enabling storage auto-grow…");
-      await execa("az", [
-        "postgres", "flexible-server", "update",
-        "--name", serverName, "--resource-group", rg,
-        "--storage-auto-grow", "Enabled",
-        "--output", "none", ...subArgs(sub),
-      ], { reject: false, timeout: 120000 });
-      console.log(OK("  ✓ Storage auto-grow enabled"));
-    }
-
-    adminPassword = readClusterState(clusterName)?.postgres?.adminPassword;
-    if (!adminPassword) {
-      console.log(WARN("  ⚠ Postgres admin password not in local state — secret sync skipped"));
-      hint(`  Password was set at creation time. If lost, reset with:`);
-      hint(`  az postgres flexible-server update -g ${rg} -n ${serverName} --admin-password <new>`);
-      return;
-    }
-  } else {
-    // 2. Resolve the AKS VNet + create a delegated subnet for Postgres
-    const nodeRg = cluster.nodeResourceGroup;
-    if (!nodeRg) {
-      console.log(WARN("  ⚠ Could not determine node resource group — skipping Postgres"));
-      return;
-    }
-
-    hint(`Resolving AKS VNet in ${nodeRg}…`);
-    const { stdout: vnetListJson, exitCode: vnetCode } = await execa("az", [
-      "network", "vnet", "list", "-g", nodeRg, "--output", "json",
-      ...subArgs(sub),
-    ], { reject: false, timeout: 15000 });
-
-    if (vnetCode !== 0 || !vnetListJson?.trim()) {
-      console.log(WARN("  ⚠ No VNet found in node resource group — skipping Postgres"));
-      return;
-    }
-
-    const vnets = JSON.parse(vnetListJson);
-    const vnet = vnets[0];
-    if (!vnet) {
-      console.log(WARN("  ⚠ No VNet found — skipping Postgres"));
-      return;
-    }
-
-    const vnetName = vnet.name;
-    const pgSubnetName = "postgres-subnet";
-
-    // Check if the postgres subnet already exists
-    const { exitCode: subnetExists } = await execa("az", [
-      "network", "vnet", "subnet", "show",
-      "-g", nodeRg, "--vnet-name", vnetName, "-n", pgSubnetName,
-      "--output", "none", ...subArgs(sub),
-    ], { reject: false, timeout: 15000 });
-
-    if (subnetExists !== 0) {
-      const vnetPrefix = vnet.addressSpace?.addressPrefixes?.[0] || "10.224.0.0/12";
-      const pgCidr = await findAvailableSubnetCidr(execa, nodeRg, vnetName, vnetPrefix, sub);
-
-      hint(`Creating subnet "${pgSubnetName}" (${pgCidr}) in ${vnetName}…`);
-      const { exitCode: createCode, stderr: createErr } = await execa("az", [
-        "network", "vnet", "subnet", "create",
-        "-g", nodeRg, "--vnet-name", vnetName, "-n", pgSubnetName,
-        "--address-prefixes", pgCidr,
-        "--delegations", "Microsoft.DBforPostgreSQL/flexibleServers",
-        "--output", "none", ...subArgs(sub),
-      ], { reject: false, timeout: 60000 });
-      if (createCode !== 0) {
-        const detail = (createErr || "").split("\n").filter(l => l.trim()).slice(-2).join(" ");
-        throw new Error(`Subnet creation failed (${pgCidr}): ${detail || "exit code " + createCode}`);
-      }
-      console.log(OK(`  ✓ Subnet "${pgSubnetName}" created`));
-    }
-
-    // Get subnet ID
-    const { stdout: subnetJson } = await execa("az", [
-      "network", "vnet", "subnet", "show",
-      "-g", nodeRg, "--vnet-name", vnetName, "-n", pgSubnetName,
-      "--output", "json", ...subArgs(sub),
-    ], { timeout: 15000 });
-    const subnetId = JSON.parse(subnetJson).id;
-
-    // Create a private DNS zone for Postgres in the VNet
-    const dnsZone = `${serverName}.private.postgres.database.azure.com`;
-    const { exitCode: dnsExists } = await execa("az", [
-      "network", "private-dns", "zone", "show",
-      "-g", rg, "-n", dnsZone, "--output", "none",
-      ...subArgs(sub),
-    ], { reject: false, timeout: 15000 });
-
-    if (dnsExists !== 0) {
-      hint(`Creating private DNS zone ${dnsZone}…`);
-      await execa("az", [
-        "network", "private-dns", "zone", "create",
-        "-g", rg, "-n", dnsZone, "--output", "none",
-        ...subArgs(sub),
-      ], { timeout: 60000 });
-    }
-
-    // 3. Create the Flexible Server
-    adminPassword = generatePassword();
-    console.log(chalk.yellow(`  ↻ Creating Postgres Flexible Server "${serverName}"…`));
-    hint("This takes 3–5 minutes…");
-
-    await execa("az", [
-      "postgres", "flexible-server", "create",
-      "--name", serverName,
-      "--resource-group", rg,
-      "--location", location,
-      "--admin-user", PG_DEFAULTS.adminUser,
-      "--admin-password", adminPassword,
-      "--sku-name", PG_DEFAULTS.sku,
-      "--tier", PG_DEFAULTS.tier,
-      "--version", PG_DEFAULTS.version,
-      "--storage-size", String(PG_DEFAULTS.storageSizeGb),
-      "--storage-auto-grow", "Enabled",
-      "--subnet", subnetId,
-      "--private-dns-zone", dnsZone,
-      "--yes",
-      "--output", "json", ...subArgs(sub),
-    ], { timeout: 600000 });
-
-    // Read the created server to get the FQDN
-    const { stdout: createdJson } = await execa("az", [
-      "postgres", "flexible-server", "show",
-      "--name", serverName, "--resource-group", rg,
-      "--output", "json", ...subArgs(sub),
-    ], { timeout: 15000 });
-    fqdn = JSON.parse(createdJson).fullyQualifiedDomainName;
-
-    console.log(OK(`  ✓ Postgres Flexible Server created (${fqdn})`));
-
-    // Save password + FQDN to local state
-    writeClusterState(clusterName, {
-      postgres: { serverName, fqdn, adminUser: PG_DEFAULTS.adminUser, adminPassword },
-    });
-  }
-
-  // 4. Allowlist pg_trgm extension (required by backend search migration)
-  const { stdout: extVal } = await execa("az", [
-    "postgres", "flexible-server", "parameter", "show",
-    "--resource-group", rg, "--server-name", serverName,
-    "--name", "azure.extensions", "--query", "value", "-o", "tsv",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 15000 });
-  const currentExts = (extVal || "").trim().split(",").map(e => e.trim()).filter(Boolean);
-  if (!currentExts.includes("PG_TRGM") && !currentExts.includes("pg_trgm")) {
-    const newExts = [...currentExts, "pg_trgm"].join(",");
-    hint("Allowlisting pg_trgm extension…");
-    await execa("az", [
-      "postgres", "flexible-server", "parameter", "set",
-      "--resource-group", rg, "--server-name", serverName,
-      "--name", "azure.extensions", "--value", newExts,
-      "--output", "none", ...subArgs(sub),
-    ], { reject: false, timeout: 60000 });
-    console.log(OK("  ✓ pg_trgm extension allowlisted"));
-  }
-
-  // 5. Sync the K8s "postgres" secret into the foundation namespace
-  if (fqdn && adminPassword) {
-    await syncPostgresSecret(execa, { clusterName, fqdn, adminUser: PG_DEFAULTS.adminUser, adminPassword });
-  }
-}
-
-function parseCidr(cidr) {
-  const [ip, bits] = cidr.split("/");
-  const octets = ip.split(".").map(Number);
-  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
-  const mask = bits === "0" ? 0 : (0xFFFFFFFF << (32 - Number(bits))) >>> 0;
-  return { start: (addr & mask) >>> 0, end: ((addr & mask) | ~mask) >>> 0 };
-}
-
-function cidrOverlaps(cidr, existingCidrs) {
-  const a = parseCidr(cidr);
-  return existingCidrs.some(ec => {
-    const b = parseCidr(ec);
-    return a.start <= b.end && a.end >= b.start;
-  });
-}
-
-async function findAvailableSubnetCidr(execa, nodeRg, vnetName, vnetPrefix, sub) {
-  let existingCidrs = [];
-  try {
-    const { stdout } = await execa("az", [
-      "network", "vnet", "subnet", "list",
-      "-g", nodeRg, "--vnet-name", vnetName, "--output", "json",
-      ...subArgs(sub),
-    ], { timeout: 15000 });
-    const subnets = JSON.parse(stdout || "[]");
-    existingCidrs = subnets.flatMap(s => s.addressPrefix ? [s.addressPrefix] : (s.addressPrefixes || []));
-  } catch (err) {
-    console.log(WARN(`  ⚠ Could not list existing subnets: ${err.message}`));
-  }
-
-  const { start: vnetStart, end: vnetEnd } = parseCidr(vnetPrefix);
-
-  // Scan /24 blocks from the top of the VNet range downward to avoid
-  // collisions with AKS's default low-range subnets (often a wide /16).
-  const blockSize = 256;
-  const topBlock = (vnetEnd - blockSize + 1) >>> 0;
-  let iterations = 0;
-  for (let addr = topBlock; addr >= vnetStart && iterations < 4096; addr = (addr - blockSize) >>> 0, iterations++) {
-    const o1 = (addr >>> 24) & 0xFF;
-    const o2 = (addr >>> 16) & 0xFF;
-    const o3 = (addr >>> 8) & 0xFF;
-    const candidate = `${o1}.${o2}.${o3}.0/24`;
-    if (!cidrOverlaps(candidate, existingCidrs)) return candidate;
-    if (addr === 0) break;
-  }
-
-  throw new Error(
-    `No available /24 subnet in VNet ${vnetName} (${vnetPrefix}). ` +
-    `Existing subnets: ${existingCidrs.join(", ")}. Free a subnet or expand the VNet address space.`
-  );
-}
-
-async function syncPostgresSecret(execa, { clusterName, fqdn, adminUser, adminPassword }) {
-  const namespaces = ["foundation"];
-  for (const ns of namespaces) {
-    // Ensure namespace exists
-    await execa("kubectl", [
-      "--context", clusterName,
-      "create", "namespace", ns, "--dry-run=client", "-o", "yaml",
-    ], { reject: false, timeout: 10000 }).then(({ stdout }) =>
-      execa("kubectl", ["--context", clusterName, "apply", "-f", "-"], { input: stdout, timeout: 10000, reject: false })
-    );
-
-    // Create or update the postgres secret
-    const { exitCode } = await execa("kubectl", [
-      "--context", clusterName, "-n", ns,
-      "create", "secret", "generic", "postgres",
-      "--from-literal=host=" + fqdn,
-      "--from-literal=superUserPassword=" + adminPassword,
-      "--from-literal=user=" + adminUser,
-      "--from-literal=password=" + adminPassword,
-      "--dry-run=client", "-o", "yaml",
-    ], { timeout: 10000 }).then(({ stdout }) =>
-      execa("kubectl", [
-        "--context", clusterName, "-n", ns, "apply", "-f", "-",
-      ], { input: stdout, timeout: 10000, reject: false })
-    );
-
-    if (exitCode === 0) {
-      console.log(OK(`  ✓ Secret "postgres" synced to ${ns} namespace`));
-    } else {
-      console.log(WARN(`  ⚠ Could not sync postgres secret to ${ns}`));
-    }
-  }
-}
-
-// ── Postgres databases & roles: create service databases on the Flexible Server ──
-
-const PG_SERVICE_DBS = ["foundation", "processor", "scheduler", "watcher", "mlflow"];
-
-async function reconcilePgDatabases(ctx) {
-  const { execa, clusterName } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 60000, reject: false, ...opts });
-
-  const pgServer = pgServerName(clusterName);
-  const pgHost = `${pgServer}.postgres.database.azure.com`;
-
-  // Read password from the postgres secret
-  const { stdout: pwB64 } = await kubectl([
-    "get", "secret", "postgres", "-n", "foundation",
-    "-o", "jsonpath={.data.password}",
-  ]);
-  if (!pwB64) {
-    console.log(WARN("  ⚠ No postgres secret found — skipping DB setup"));
-    return;
-  }
-  const pgPass = Buffer.from(pwB64, "base64").toString();
-
-  // Run a psql job to create all databases and roles
-  const sqlLines = PG_SERVICE_DBS.map(db => [
-    `SELECT 'CREATE DATABASE ${db}' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${db}');`,
-    `DO \\$\\$ BEGIN IF NOT EXISTS (SELECT FROM pg_database WHERE datname = '${db}') THEN EXECUTE 'CREATE DATABASE ${db}'; END IF; IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${db}') THEN CREATE ROLE ${db} LOGIN PASSWORD '${pgPass}'; END IF; END \\$\\$;`,
-    `GRANT ALL ON DATABASE ${db} TO ${db};`,
-  ]).flat();
-
-  const script = sqlLines.map(s => `psql -c "${s}"`).join(" && ") + " && echo DONE";
-
-  const jobManifest = JSON.stringify({
-    apiVersion: "batch/v1", kind: "Job",
-    metadata: { name: "fops-pg-setup", namespace: "foundation" },
-    spec: {
-      backoffLimit: 2, ttlSecondsAfterFinished: 60,
-      template: {
-        spec: {
-          restartPolicy: "Never",
-          containers: [{
-            name: "psql",
-            image: "postgres:16-alpine",
-            env: [
-              { name: "PGHOST", value: pgHost },
-              { name: "PGUSER", value: "foundation" },
-              { name: "PGDATABASE", value: "postgres" },
-              { name: "PGPASSWORD", value: pgPass },
-              { name: "PGSSLMODE", value: "require" },
-            ],
-            command: ["sh", "-c", script],
-          }],
-        },
-      },
-    },
-  });
-
-  // Delete old job if it exists
-  await kubectl(["delete", "job", "fops-pg-setup", "-n", "foundation", "--ignore-not-found"]);
-  await new Promise(r => setTimeout(r, 2000));
-
-  const { exitCode, stderr } = await kubectl(["apply", "-f", "-"], { input: jobManifest });
-  if (exitCode !== 0) {
-    console.log(WARN(`  ⚠ pg-setup job failed: ${(stderr || "").split("\n")[0]}`));
-    return;
-  }
-
-  // Wait for job to complete (max 60s)
-  const { exitCode: waitCode } = await execa("kubectl", [
-    "--context", clusterName,
-    "wait", "--for=condition=complete", "job/fops-pg-setup",
-    "-n", "foundation", "--timeout=60s",
-  ], { timeout: 70000, reject: false });
-
-  if (waitCode === 0) {
-    console.log(OK(`  ✓ Postgres databases ready (${PG_SERVICE_DBS.join(", ")})`));
-  } else {
-    const { stdout: logs } = await kubectl([
-      "logs", "job/fops-pg-setup", "-n", "foundation", "--tail=5",
-    ]);
-    if (logs?.includes("DONE")) {
-      console.log(OK(`  ✓ Postgres databases ready (${PG_SERVICE_DBS.join(", ")})`));
-    } else {
-      console.log(WARN("  ⚠ pg-setup job didn't complete — check: kubectl logs job/fops-pg-setup -n foundation"));
-    }
-  }
-
-  await kubectl(["delete", "job", "fops-pg-setup", "-n", "foundation", "--ignore-not-found"]);
-}
-
-// ── K8s secrets: ensure required secrets exist with correct keys ──────────────
-
-async function reconcileK8sSecrets(ctx) {
-  const { execa, clusterName, rg, sub } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
-
-  // Read current postgres password
-  const { stdout: pwB64 } = await kubectl([
-    "get", "secret", "postgres", "-n", "foundation",
-    "-o", "jsonpath={.data.password}",
-  ]);
-  if (!pwB64) return;
-  let pgPass = Buffer.from(pwB64, "base64").toString();
-  const pgHost = `${pgServerName(clusterName)}.postgres.database.azure.com`;
-  const serverName = pgServerName(clusterName);
-
-  // Check for URL-unsafe characters that break pogo-migrate connection strings
-  const URL_UNSAFE = /[^a-zA-Z0-9]/;
-  if (URL_UNSAFE.test(pgPass)) {
-    console.log(WARN("  ⚠ Postgres password contains URL-unsafe characters — regenerating…"));
-    const newPass = generatePassword();
-
-    // Update the Azure Flexible Server admin password
-    await execa("az", [
-      "postgres", "flexible-server", "update",
-      "--name", serverName, "--resource-group", rg,
-      "--admin-password", newPass,
-      "--output", "none", ...subArgs(sub),
-    ], { reject: false, timeout: 120000 });
-
-    // Update all database role passwords via psql job
-    const sqlStatements = PG_SERVICE_DBS
-      .map(role => `ALTER ROLE ${role} WITH PASSWORD '${newPass}';`)
-      .join(" ");
-    const jobYaml = JSON.stringify({
-      apiVersion: "batch/v1", kind: "Job",
-      metadata: { name: "fops-pg-repass", namespace: "foundation" },
-      spec: {
-        backoffLimit: 2, ttlSecondsAfterFinished: 120,
-        template: {
-          spec: {
-            restartPolicy: "Never",
-            containers: [{
-              name: "psql", image: "postgres:16-alpine",
-              command: ["sh", "-c", `export PGPASSWORD='${newPass}' PGHOST='${pgHost}' PGUSER=foundation PGSSLMODE=require; psql -d foundation -c "${sqlStatements}"`],
-            }],
-          },
-        },
-      },
-    });
-    await kubectl(["delete", "job", "fops-pg-repass", "-n", "foundation", "--ignore-not-found"]);
-    await kubectl(["apply", "-f", "-"], { input: jobYaml, timeout: 60000 });
-    // Wait for the job to complete
-    await kubectl(["wait", "--for=condition=complete", "job/fops-pg-repass", "-n", "foundation", "--timeout=60s"], { timeout: 70000 });
-
-    pgPass = newPass;
-
-    // Update local state
-    writeClusterState(clusterName, {
-      postgres: { adminPassword: newPass },
-    });
-    console.log(OK("  ✓ Postgres password regenerated (URL-safe)"));
-  }
-
-  // Ensure postgres secret has all required keys (mlflow needs mlflow-username etc.)
-  const { stdout: existingKeys } = await kubectl([
-    "get", "secret", "postgres", "-n", "foundation",
-    "-o", "jsonpath={.data}",
-  ]);
-  const keys = existingKeys ? Object.keys(JSON.parse(existingKeys)) : [];
-  const requiredKeys = [
-    "host", "user", "password", "superUserPassword",
-    "postgres-password", "mlflow-username", "mlflow-password",
-  ];
-  const missing = requiredKeys.filter(k => !keys.includes(k));
-  const needsUpdate = missing.length > 0 || URL_UNSAFE.test(Buffer.from(pwB64, "base64").toString());
-
-  if (needsUpdate) {
-    if (missing.length) hint(`Adding missing keys to postgres secret: ${missing.join(", ")}`);
-    const args = [
-      "create", "secret", "generic", "postgres", "-n", "foundation",
-      "--from-literal", `host=${pgHost}`,
-      "--from-literal", `user=foundation`,
-      "--from-literal", `password=${pgPass}`,
-      "--from-literal", `superUserPassword=${pgPass}`,
-      "--from-literal", `postgres-password=${pgPass}`,
-      "--from-literal", `mlflow-username=mlflow`,
-      "--from-literal", `mlflow-password=${pgPass}`,
-      "--dry-run=client", "-o", "yaml",
-    ];
-    const { stdout: secretYaml } = await kubectl(args);
-    if (secretYaml) {
-      await kubectl(["apply", "-f", "-"], { input: secretYaml });
-      console.log(OK("  ✓ Postgres secret updated with all required keys"));
-    }
-  }
-
-  // Ensure OPA keypair secret exists
-  const { exitCode: opaExists } = await kubectl([
-    "get", "secret", "foundation-opa-keypair", "-n", "foundation",
-  ]);
-  if (opaExists !== 0) {
-    hint("Creating OPA keypair secret…");
-    // Use the OPA AWS-style keys from the VM env or generate placeholders
-    const { listVms } = await import("./azure-state.js");
-    const { vms: vmMap } = listVms();
-    const vms = Object.entries(vmMap || {}).filter(([, v]) => v.ip);
-
-    let opaAccessKey = "placeholder";
-    let opaSecretKey = "placeholder";
-
-    if (vms.length > 0) {
-      const [, vm] = vms[0];
-      const { sshCmd } = await import("./azure-helpers.js");
-      const user = vm.adminUser || "azureuser";
-      const { stdout: envContent } = await sshCmd(
-        execa, vm.ip, user,
-        "grep -E '^OPA_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)=' /opt/foundation-compose/.env 2>/dev/null",
-        15000,
-      );
-      if (envContent) {
-        const m1 = envContent.match(/OPA_ACCESS_KEY_ID=(.+)/);
-        const m2 = envContent.match(/OPA_SECRET_ACCESS_KEY=(.+)/);
-        if (m1) opaAccessKey = m1[1].trim();
-        if (m2) opaSecretKey = m2[1].trim();
-      }
-    }
-
-    const { stdout: opaYaml } = await kubectl([
-      "create", "secret", "generic", "foundation-opa-keypair", "-n", "foundation",
-      "--from-literal", `OPA_ACCESS_KEY_ID=${opaAccessKey}`,
-      "--from-literal", `OPA_SECRET_ACCESS_KEY=${opaSecretKey}`,
-      "--dry-run=client", "-o", "yaml",
-    ]);
-    if (opaYaml) {
-      await kubectl(["apply", "-f", "-"], { input: opaYaml });
-      console.log(OK("  ✓ OPA keypair secret created"));
-    }
-  } else {
-    console.log(OK("  ✓ OPA keypair secret exists"));
-  }
-}
-
-// ── ACR webhooks: clean up orphaned webhooks that block pods ──────────────────
-
-async function reconcileAcrWebhooks(ctx) {
-  const { execa, clusterName } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 15000, reject: false, ...opts });
-
-  for (const wh of ["acr-pod-webhook", "acr-helm-webhook"]) {
-    const { exitCode } = await kubectl([
-      "get", "mutatingwebhookconfiguration", wh,
-    ]);
-    if (exitCode === 0) {
-      await kubectl(["delete", "mutatingwebhookconfiguration", wh]);
-      console.log(OK(`  ✓ Removed orphaned ${wh}`));
-    }
-  }
-}
-
-// ── Secret Store: Azure Key Vault + ExternalSecrets SecretStore ───────────────
-
-const SECRET_STORE_NAMESPACES_BASE = ["foundation"];
-const SECRET_STORE_NAMESPACES_DAI = ["dai"];
-const SECRET_STORE_NAME = "azure-secretsmanager";
-
-function kvName(clusterName) {
-  const base = `fops-${clusterName}-kv`.replace(/[^a-zA-Z0-9-]/g, "").slice(0, 24);
-  return base;
-}
-
-async function reconcileSecretStore(ctx) {
-  const { execa, clusterName, rg, sub, opts } = ctx;
-  const vaultName = kvName(clusterName);
-  const location = ctx.cluster?.location || DEFAULTS.location;
-  const ssNamespaces = opts?.dai
-    ? [...SECRET_STORE_NAMESPACES_BASE, ...SECRET_STORE_NAMESPACES_DAI]
-    : SECRET_STORE_NAMESPACES_BASE;
-
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
-
-  // 1. Ensure Key Vault exists
-  const { exitCode: kvExists } = await execa("az", [
-    "keyvault", "show", "--name", vaultName, "--output", "none",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 30000 });
-
-  if (kvExists !== 0) {
-    hint(`Creating Key Vault "${vaultName}"…`);
-    const { exitCode, stderr } = await execa("az", [
-      "keyvault", "create",
-      "--name", vaultName,
-      "--resource-group", rg,
-      "--location", location,
-      "--enable-rbac-authorization", "true",
-      "--output", "none",
-      ...subArgs(sub),
-    ], { timeout: 120000, reject: false });
-    if (exitCode !== 0) {
-      console.log(WARN(`  ⚠ Key Vault creation failed: ${(stderr || "").split("\n")[0]}`));
-      return;
-    }
-    console.log(OK(`  ✓ Key Vault "${vaultName}" created`));
-  } else {
-    console.log(OK(`  ✓ Key Vault "${vaultName}" exists`));
-  }
-
-  // 2. Get Key Vault resource ID and ensure SP has Secrets Officer role
-  const spClientId = await getSpClientId(kubectl);
-  if (spClientId) {
-    const { stdout: kvJson } = await execa("az", [
-      "keyvault", "show", "--name", vaultName, "--query", "id", "-o", "tsv",
-      ...subArgs(sub),
-    ], { reject: false, timeout: 30000 });
-    const kvId = (kvJson || "").trim();
-
-    if (kvId) {
-      const { stdout: spObjId } = await execa("az", [
-        "ad", "sp", "show", "--id", spClientId, "--query", "id", "-o", "tsv",
-      ], { reject: false, timeout: 30000 });
-      const objectId = (spObjId || "").trim();
-
-      if (objectId) {
-        const { exitCode: roleExists } = await execa("az", [
-          "role", "assignment", "list",
-          "--assignee", objectId,
-          "--role", "Key Vault Secrets Officer",
-          "--scope", kvId,
-          "--query", "[0].id", "-o", "tsv",
-          ...subArgs(sub),
-        ], { reject: false, timeout: 30000 });
-
-        const hasRole = roleExists === 0;
-        if (!hasRole) {
-          await execa("az", [
-            "role", "assignment", "create",
-            "--assignee-object-id", objectId,
-            "--assignee-principal-type", "ServicePrincipal",
-            "--role", "Key Vault Secrets Officer",
-            "--scope", kvId,
-            ...subArgs(sub),
-          ], { reject: false, timeout: 30000 });
-          console.log(OK("  ✓ SP granted Key Vault Secrets Officer role"));
-        }
-      }
-    }
-  }
-
-  // 3. Ensure azure-secret-sp exists in each target namespace
-  const { stdout: spSecretJson } = await kubectl([
-    "get", "secret", "azure-secret-sp", "-n", "foundation", "-o", "json",
-  ]);
-  const spSecret = spSecretJson ? JSON.parse(spSecretJson) : null;
-
-  if (!spSecret || !spSecret.data?.ClientID) {
-    console.log(WARN("  ⚠ Secret 'azure-secret-sp' not found in foundation — SecretStore needs SP credentials"));
-    hint("Create it with: kubectl create secret generic azure-secret-sp -n foundation --from-literal=ClientID=<sp-client-id> --from-literal=ClientSecret=<sp-secret>");
-    return;
-  }
-
-  // Replicate azure-secret-sp to other namespaces
-  for (const ns of ssNamespaces) {
-    await kubectl(["create", "namespace", ns, "--dry-run=client", "-o", "yaml"]);
-    const { exitCode: nsExists } = await kubectl(["get", "namespace", ns]);
-    if (nsExists !== 0) {
-      await kubectl(["create", "namespace", ns]);
-    }
-    if (ns === "foundation") continue;
-    const { exitCode: spExists } = await kubectl(["get", "secret", "azure-secret-sp", "-n", ns]);
-    if (spExists !== 0) {
-      await kubectl([
-        "create", "secret", "generic", "azure-secret-sp",
-        "-n", ns,
-        "--from-literal", `ClientID=${Buffer.from(spSecret.data.ClientID, "base64").toString()}`,
-        "--from-literal", `ClientSecret=${Buffer.from(spSecret.data.ClientSecret, "base64").toString()}`,
-      ]);
-      console.log(OK(`  ✓ Replicated azure-secret-sp to ${ns}`));
-    }
-  }
-
-  // 4. Get tenant ID
-  const { stdout: tenantId } = await execa("az", [
-    "account", "show", "--query", "tenantId", "-o", "tsv",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 15000 });
-
-  // 5. Create SecretStore in each namespace
-  const apiVersion = await detectEsApiVersion(kubectl);
-
-  for (const ns of ssNamespaces) {
-    const { exitCode: ssExists } = await kubectl([
-      "get", "secretstore", SECRET_STORE_NAME, "-n", ns,
-    ]);
-    if (ssExists === 0) continue;
-
-    const manifest = `apiVersion: ${apiVersion}
-kind: SecretStore
-metadata:
-  name: ${SECRET_STORE_NAME}
-  namespace: ${ns}
-spec:
-  provider:
-    azurekv:
-      authType: ServicePrincipal
-      vaultUrl: https://${vaultName}.vault.azure.net
-      tenantId: ${(tenantId || "").trim()}
-      authSecretRef:
-        clientId:
-          name: azure-secret-sp
-          key: ClientID
-        clientSecret:
-          name: azure-secret-sp
-          key: ClientSecret
-`;
-    const { exitCode: applyCode, stderr } = await kubectl(
-      ["apply", "-f", "-"],
-      { input: manifest },
-    );
-    if (applyCode === 0) {
-      console.log(OK(`  ✓ SecretStore "${SECRET_STORE_NAME}" created in ${ns}`));
-    } else {
-      console.log(WARN(`  ⚠ SecretStore creation failed in ${ns}: ${(stderr || "").split("\n")[0]}`));
-    }
-  }
-
-  // 6. Seed Key Vault secrets from a running VM if the vault is empty
-  await seedKeyVaultFromVm(execa, { vaultName, sub, dai: opts?.dai });
-}
-
-async function getSpClientId(kubectl) {
-  const { stdout } = await kubectl([
-    "get", "secret", "azure-secret-sp", "-n", "foundation",
-    "-o", "jsonpath={.data.ClientID}",
-  ]);
-  if (!stdout) return null;
-  return Buffer.from(stdout, "base64").toString();
-}
-
-async function detectEsApiVersion(kubectl) {
-  const { exitCode } = await kubectl([
-    "api-resources", "--api-group=external-secrets.io",
-    "-o", "name",
-  ]);
-  if (exitCode !== 0) return "external-secrets.io/v1beta1";
-  const { stdout } = await kubectl([
-    "get", "crd", "secretstores.external-secrets.io",
-    "-o", "jsonpath={.spec.versions[*].name}",
-  ]);
-  const versions = (stdout || "").split(/\s+/);
-  if (versions.includes("v1")) return "external-secrets.io/v1";
-  if (versions.includes("v1beta1")) return "external-secrets.io/v1beta1";
-  return "external-secrets.io/v1";
-}
-
-const KV_SEED_SECRETS = [
-  { name: "foundation-secrets", envKeys: {
-    password: "POSTGRES_PASSWORD",
-    secret_key: "MX_SECRET_KEY",
-    "auth0.secret": "AUTH0_SECRET",
-    "auth0.client_id": "AUTH0_CLIENT_ID",
-    "auth0.client_secret": "AUTH0_CLIENT_SECRET",
-    "auth0.domain": "AUTH0_DOMAIN",
-    "auth0.audience": "AUTH0_AUDIENCE",
-    "auth0.issuer_base_url": "AUTH0_ISSUER_BASE_URL",
-    "auth0.base_url": "AUTH0_BASE_URL",
-  }},
-  { name: "auth0", envKeys: {
-    client_id: "AUTH0_CLIENT_ID",
-    client_secret: "AUTH0_CLIENT_SECRET",
-  }},
-  { name: "foundation-trino-jwt", envKeys: {
-    "jwt-secret.pem": "MX_SECRET_KEY",
-    secret_key: "MX_SECRET_KEY",
-  }},
-  { name: "foundation-nats", envKeys: {
-    "nkeys-secret": "MX_SECRET_KEY",
-    secret_key: "MX_SECRET_KEY",
-  }},
-  { name: "foundation-storage-engine-auth", envKeys: {
-    AUTH_IDENTITY: "AUTH_IDENTITY",
-    AUTH_CREDENTIAL: "AUTH_CREDENTIAL",
-  }},
-  { name: "dai-secrets", daiOnly: true, envKeys: {
-    AUTH0_CLIENT_ID: "AUTH0_CLIENT_ID",
-    AUTH0_CLIENT_SECRET: "AUTH0_CLIENT_SECRET",
-    AUTH0_SECRET: "AUTH0_SECRET",
-    NATS_NKEYS_SECRET: "MX_SECRET_KEY",
-    AZURE_OPENAI_API_KEY: "MX_OPENAI_API_KEY",
-  }},
-  { name: "foundation-scheduler-secrets", envKeys: {
-    secretKey: "MX_SECRET_KEY",
-  }},
-];
-
-async function seedKeyVaultFromVm(execa, { vaultName, sub, dai }) {
-  // Check if vault already has secrets
-  const { stdout: existingSecrets } = await execa("az", [
-    "keyvault", "secret", "list", "--vault-name", vaultName,
-    "--query", "length(@)", "-o", "tsv",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 30000 });
-
-  if (parseInt(existingSecrets || "0", 10) > 0) {
-    console.log(OK(`  ✓ Key Vault has ${existingSecrets.trim()} secret(s) — skipping seed`));
-    return;
-  }
-
-  // Try to pull .env from a running VM
-  const { listVms } = await import("./azure-state.js");
-  const { vms: vmMap } = listVms();
-  const vms = Object.entries(vmMap || {}).filter(([, v]) => v.ip);
-  if (vms.length === 0) {
-    hint("No VMs tracked — seed Key Vault manually or run fops azure aks seed-secrets");
-    return;
-  }
-
-  const [vmName, vm] = vms[0];
-  hint(`Seeding Key Vault from VM "${vmName}" (${vm.ip})…`);
-
-  const { sshCmd } = await import("./azure-helpers.js");
-  const user = vm.adminUser || "azureuser";
-  const { stdout: envContent, exitCode } = await sshCmd(
-    execa, vm.ip, user,
-    "cat /opt/foundation-compose/.env 2>/dev/null",
-    30000,
-  );
-  if (exitCode !== 0 || !envContent) {
-    console.log(WARN(`  ⚠ Could not read .env from ${vmName} — seed manually`));
-    return;
-  }
-
-  const envMap = {};
-  for (const line of envContent.split("\n")) {
-    const m = line.match(/^([A-Z0-9_]+)=(.+)$/);
-    if (m) envMap[m[1]] = m[2].replace(/^["']|["']$/g, "");
-  }
-
-  let seeded = 0;
-  const secrets = dai ? KV_SEED_SECRETS : KV_SEED_SECRETS.filter(s => !s.daiOnly);
-  for (const { name: secretName, envKeys } of secrets) {
-    const secretObj = {};
-    for (const [prop, envKey] of Object.entries(envKeys)) {
-      if (envMap[envKey]) secretObj[prop] = envMap[envKey];
-    }
-    if (Object.keys(secretObj).length === 0) continue;
-
-    const value = JSON.stringify(secretObj);
-    const { exitCode: setCode } = await execa("az", [
-      "keyvault", "secret", "set",
-      "--vault-name", vaultName,
-      "--name", secretName,
-      "--value", value,
-      "--content-type", "application/json",
-      ...subArgs(sub),
-    ], { reject: false, timeout: 30000 });
-
-    if (setCode === 0) seeded++;
-  }
-
-  if (seeded > 0) {
-    console.log(OK(`  ✓ Seeded ${seeded} secret(s) into Key Vault from VM "${vmName}"`));
-  } else {
-    console.log(WARN("  ⚠ No matching env vars found on VM — seed secrets manually"));
-  }
-}
-
-async function reconcileFluxStep(ctx) {
-  const { execa, clusterName, rg, sub, opts } = ctx;
-  if (opts.noFlux) return;
-
-  const githubToken = resolveGithubToken(opts);
-  if (!githubToken) {
-    console.log(WARN("  ⚠ Skipping Flux — no GitHub token found."));
-    hint("Authenticate with:  gh auth login");
-    return;
-  }
-
-  const { fluxRepo, fluxOwner, fluxPath, fluxBranch } = resolveFluxConfig(clusterName, opts);
-
-  await reconcileFlux(execa, {
-    clusterName, rg, sub, githubToken,
-    repo: fluxRepo, owner: fluxOwner,
-    path: fluxPath, branch: fluxBranch,
-  });
-
-  writeClusterState(clusterName, {
-    flux: { repo: fluxRepo, owner: fluxOwner, path: fluxPath, branch: fluxBranch },
-  });
-}
-
-// ── Helm repos: ensure HelmRepository sources exist for Foundation charts ─────
-
-const HELM_REPOS = [
-  {
-    name: "foundation", namespace: "flux-system",
-    spec: { type: "oci", interval: "1m0s", url: "oci://meshxregistry.azurecr.io/helm", secretRef: { name: "meshxregistry-helm-secret" } },
-  },
-  {
-    name: "hive-metastore", namespace: "flux-system",
-    spec: { type: "oci", interval: "1m0s", url: "oci://meshxregistry.azurecr.io/helm", secretRef: { name: "meshxregistry-helm-secret" } },
-  },
-  {
-    name: "trinodb", namespace: "flux-system",
-    spec: { interval: "30m", url: "https://trinodb.github.io/charts" },
-  },
-];
-
-async function reconcileHelmRepos(ctx) {
-  const { execa, clusterName } = ctx;
-  const tracked = readClusterState(clusterName);
-  if (!tracked?.flux) return;
-
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { reject: false, timeout: 30000, ...opts });
-
-  // Detect which API version the cluster supports
-  const { stdout: crdJson } = await kubectl([
-    "get", "crd", "helmrepositories.source.toolkit.fluxcd.io",
-    "-o", "jsonpath={.spec.versions[*].name}",
-  ]);
-  const versions = (crdJson || "").split(/\s+/).filter(Boolean);
-  const apiVersion = versions.includes("v1")
-    ? "source.toolkit.fluxcd.io/v1"
-    : versions.includes("v1beta2")
-      ? "source.toolkit.fluxcd.io/v1beta2"
-      : "source.toolkit.fluxcd.io/v1";
-
-  // Ensure the ACR helm secret exists in flux-system for HelmRepository auth
-  const { exitCode: secretExists } = await kubectl([
-    "get", "secret", "meshxregistry-helm-secret", "-n", "flux-system",
-  ]);
-  if (secretExists !== 0) {
-    hint("Creating ACR helm secret in flux-system…");
-    const secretNs = ["acr-cache-system", "foundation"].find(async ns => {
-      const { exitCode } = await kubectl(["get", "secret", "meshxregistry-helm-secret", "-n", ns]);
-      return exitCode === 0;
-    });
-    if (secretNs) {
-      const { stdout: secretYaml } = await kubectl([
-        "get", "secret", "meshxregistry-helm-secret", "-n", secretNs, "-o", "json",
-      ]);
-      if (secretYaml) {
-        try {
-          const secret = JSON.parse(secretYaml);
-          delete secret.metadata.namespace;
-          delete secret.metadata.resourceVersion;
-          delete secret.metadata.uid;
-          delete secret.metadata.creationTimestamp;
-          if (secret.metadata.annotations) {
-            delete secret.metadata.annotations["kubectl.kubernetes.io/last-applied-configuration"];
-          }
-          const clean = JSON.stringify(secret);
-          await execa("kubectl", [
-            "--context", clusterName, "apply", "-n", "flux-system", "-f", "-",
-          ], { input: clean, reject: false, timeout: 10000 });
-          console.log(OK("  ✓ ACR helm secret replicated to flux-system"));
-        } catch { /* reflector should handle this eventually */ }
-      }
-    }
-  }
-
-  let updated = 0;
-  let unchanged = 0;
-  let failed = 0;
-
-  const repos = ctx.opts?.dai ? HELM_REPOS : HELM_REPOS.filter(r => !r.daiOnly);
-  for (const repo of repos) {
-    const specLines = [];
-    for (const [k, v] of Object.entries(repo.spec)) {
-      if (k === "secretRef") {
-        specLines.push(`  secretRef:`);
-        specLines.push(`    name: ${v.name}`);
-      } else {
-        specLines.push(`  ${k}: "${v}"`);
-      }
-    }
-
-    const yaml = [
-      `apiVersion: ${apiVersion}`,
-      `kind: HelmRepository`,
-      `metadata:`,
-      `  name: ${repo.name}`,
-      `  namespace: ${repo.namespace}`,
-      `spec:`,
-      ...specLines,
-    ].join("\n");
-
-    const applyResult = await execa("kubectl", [
-      "--context", clusterName, "apply", "-f", "-",
-    ], { input: yaml, reject: false, timeout: 15000 });
-
-    if (applyResult.exitCode === 0) {
-      const out = (applyResult.stdout || "").trim();
-      if (out.includes("configured")) updated++;
-      else unchanged++;
-    } else {
-      failed++;
-      const errMsg = (applyResult.stderr || applyResult.stdout || "unknown error").trim().split("\n")[0];
-      console.log(WARN(`  ⚠ HelmRepository ${repo.namespace}/${repo.name}: ${errMsg}`));
-    }
-  }
-
-  // Verify they actually exist
-  const { stdout: verify } = await kubectl([
-    "get", "helmrepository.source.toolkit.fluxcd.io", "-n", "flux-system",
-    "--no-headers", "-o", "custom-columns=NAME:.metadata.name",
-  ]);
-  const actual = (verify || "").trim().split("\n").filter(Boolean);
-  if (updated > 0) {
-    console.log(OK(`  ✓ ${actual.length} HelmRepository source(s) in flux-system (${updated} updated, ${unchanged} unchanged)`));
-  } else if (failed === 0) {
-    console.log(OK(`  ✓ All ${actual.length} HelmRepository sources up to date`));
-  }
-  if (actual.length < HELM_REPOS.length) {
-    const missing = HELM_REPOS.filter(r => !actual.includes(r.name));
-    for (const m of missing) {
-      console.log(WARN(`  ⚠ Missing: ${m.name}`));
-    }
-  }
-}
-
-// ── Flux prereqs: pre-install CRDs and fix scheduling so Flux dry-runs pass ──
-
-async function reconcileFluxPrereqs(ctx) {
-  const { execa, clusterName } = ctx;
-  const tracked = readClusterState(clusterName);
-  if (!tracked?.flux) return;
-
-  banner("Flux Prerequisites");
-
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { reject: false, timeout: 60000, ...opts });
-
-  // 1. Clean up legacy acr-cache-system if present (replaced by direct pull secrets)
-  try {
-    const { exitCode } = await kubectl(["get", "namespace", "acr-cache-system"]);
-    if (exitCode === 0) {
-      hint("Cleaning up legacy acr-cache-system namespace…");
-      for (const wh of ["acr-pod-webhook", "acr-helm-webhook"]) {
-        await kubectl(["delete", "mutatingwebhookconfiguration", wh, "--ignore-not-found"]);
-      }
-      await kubectl(["delete", "namespace", "acr-cache-system", "--ignore-not-found"]);
-      console.log(OK("  ✓ Legacy acr-cache-system removed"));
-    }
-  } catch { /* not present, nothing to do */ }
-
-  // 2. Pre-install CRDs that Flux manifests reference before their operators deploy.
-  //    Without these, Flux dry-run rejects the entire kustomization.
-  const crdBundles = [
-    {
-      name: "external-secrets",
-      check: "externalsecrets.external-secrets.io",
-      url: "https://raw.githubusercontent.com/external-secrets/external-secrets/main/deploy/crds/bundle.yaml",
-      serverSide: true,
-    },
-    {
-      name: "Istio",
-      check: "virtualservices.networking.istio.io",
-      helm: { repo: "https://istio-release.storage.googleapis.com/charts", chart: "base", release: "istio-base", namespace: "istio-system" },
-    },
-  ];
-
-  for (const bundle of crdBundles) {
-    const { exitCode } = await kubectl(["get", "crd", bundle.check], { timeout: 10000 });
-    if (exitCode === 0) {
-      console.log(OK(`  ✓ ${bundle.name} CRDs present`));
-      continue;
-    }
-
-    hint(`Installing ${bundle.name} CRDs…`);
-    try {
-      if (bundle.helm) {
-        await execa("helm", ["repo", "add", bundle.name, bundle.helm.repo, "--force-update"], { reject: false, timeout: 30000 });
-        await execa("helm", [
-          "--kube-context", clusterName,
-          "install", bundle.helm.release, `${bundle.name}/${bundle.helm.chart}`,
-          "-n", bundle.helm.namespace, "--create-namespace",
-          "--wait", "--timeout", "90s",
-        ], { timeout: 120000 });
-      } else {
-        const applyArgs = ["apply", "-f", bundle.url];
-        if (bundle.serverSide) applyArgs.push("--server-side");
-        await kubectl(applyArgs, { timeout: 120000 });
-      }
-      console.log(OK(`  ✓ ${bundle.name} CRDs installed`));
-    } catch (err) {
-      console.log(WARN(`  ⚠ ${bundle.name} CRDs failed: ${(err.message || "").split("\n")[0]}`));
-    }
-  }
-
-  // 3. Enable v1beta1 on ExternalSecret CRD if the operator disabled it.
-  //    Some Flux manifests still reference v1beta1.
-  try {
-    const { stdout: crdJson } = await kubectl([
-      "get", "crd", "externalsecrets.external-secrets.io",
-      "-o", "jsonpath={.spec.versions[?(@.name==\"v1beta1\")].served}",
-    ], { timeout: 10000 });
-    if (crdJson === "false") {
-      hint("Enabling v1beta1 on ExternalSecret CRD…");
-      const { stdout: fullCrd } = await kubectl([
-        "get", "crd", "externalsecrets.external-secrets.io", "-o", "json",
-      ], { timeout: 10000 });
-      const crd = JSON.parse(fullCrd);
-      for (const v of crd.spec.versions) {
-        if (v.name === "v1beta1") v.served = true;
-      }
-      await execa("kubectl", [
-        "--context", clusterName, "apply", "--server-side", "-f", "-",
-      ], { input: JSON.stringify(crd), timeout: 30000, reject: false });
-
-      // Same for SecretStore CRD
-      const { stdout: ssCrd } = await kubectl([
-        "get", "crd", "secretstores.external-secrets.io", "-o", "json",
-      ], { timeout: 10000 });
-      const ss = JSON.parse(ssCrd);
-      for (const v of ss.spec.versions) {
-        if (v.name === "v1beta1") v.served = true;
-      }
-      await execa("kubectl", [
-        "--context", clusterName, "apply", "--server-side", "-f", "-",
-      ], { input: JSON.stringify(ss), timeout: 30000, reject: false });
-
-      console.log(OK("  ✓ v1beta1 enabled on ExternalSecret CRDs"));
-    }
-  } catch { /* CRD not installed yet — will be handled on next reconcile */ }
-
-  // 4. Trigger a full Flux reconciliation so kustomizations pick up the new CRDs
-  try {
-    hint("Triggering Flux reconciliation…");
-    const { stdout: ksList } = await kubectl([
-      "get", "kustomization", "-n", "flux-system", "--no-headers",
-      "-o", "custom-columns=NAME:.metadata.name",
-    ]);
-    const names = ksList.trim().split("\n").map(n => n.trim()).filter(Boolean);
-    const ts = String(Date.now());
-    for (const ks of names) {
-      await kubectl([
-        "annotate", "kustomization", ks, "-n", "flux-system",
-        `reconcile.fluxcd.io/requestedAt=${ts}-${ks}`, "--overwrite",
-      ], { timeout: 10000 });
-    }
-    console.log(OK(`  ✓ Reconciliation triggered for ${names.length} kustomizations`));
-  } catch {
-    hint("Could not trigger reconciliation — Flux may not be ready yet");
-  }
-}
-
-// ── fops-api deployment ──────────────────────────────────────────────────────
-
-const FOPS_API_NS = "fops-system";
-
-function fopsApiManifests(clusterName) {
-  const labels = { app: "fops-api", "app.kubernetes.io/managed-by": "fops" };
-  return [
-    {
-      apiVersion: "v1", kind: "Namespace",
-      metadata: { name: FOPS_API_NS, labels: { "app.kubernetes.io/managed-by": "fops" } },
-    },
-    {
-      apiVersion: "v1", kind: "ServiceAccount",
-      metadata: { name: "fops-api", namespace: FOPS_API_NS, labels },
-    },
-    {
-      apiVersion: "rbac.authorization.k8s.io/v1", kind: "ClusterRoleBinding",
-      metadata: { name: "fops-api-viewer", labels },
-      subjects: [{ kind: "ServiceAccount", name: "fops-api", namespace: FOPS_API_NS }],
-      roleRef: { kind: "ClusterRole", name: "view", apiGroup: "rbac.authorization.k8s.io" },
-    },
-    {
-      apiVersion: "apps/v1", kind: "Deployment",
-      metadata: { name: "fops-api", namespace: FOPS_API_NS, labels },
-      spec: {
-        replicas: 1,
-        selector: { matchLabels: { app: "fops-api" } },
-        template: {
-          metadata: { labels },
-          spec: {
-            serviceAccountName: "fops-api",
-            containers: [{
-              name: "fops-api",
-              image: "node:20-alpine",
-              command: ["sh", "-c", "npm install -g @meshxdata/fops && fops serve --host 0.0.0.0 --port 4100"],
-              ports: [{ name: "http", containerPort: 4100 }],
-              env: [
-                { name: "NODE_ENV", value: "production" },
-                { name: "FOPS_CLUSTER", value: clusterName },
-              ],
-              resources: {
-                requests: { cpu: "100m", memory: "256Mi" },
-                limits:   { cpu: "500m", memory: "512Mi" },
-              },
-              readinessProbe: {
-                httpGet: { path: "/api/health", port: 4100 },
-                initialDelaySeconds: 30, periodSeconds: 10,
-              },
-              livenessProbe: {
-                httpGet: { path: "/api/health", port: 4100 },
-                initialDelaySeconds: 60, periodSeconds: 30,
-              },
-            }],
-          },
-        },
-      },
-    },
-    {
-      apiVersion: "v1", kind: "Service",
-      metadata: { name: "fops-api", namespace: FOPS_API_NS, labels },
-      spec: {
-        selector: { app: "fops-api" },
-        ports: [{ name: "http", port: 4100, targetPort: 4100 }],
-      },
-    },
-  ];
-}
-
-// ── Helm Values: patch HelmRelease values that reference cluster-specific settings ──
-
-const OLD_PG_HOSTS = [
-  "az-vel-app-data-demo-uaen-psql.postgres.database.azure.com",
-];
-
-// ── Vault: patch unsealConfig to use the cluster's Key Vault + grant SP RBAC ──
-
-async function reconcileVaultUnseal(ctx) {
-  const { execa, clusterName, rg, sub } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
-
-  const correctKv = kvName(clusterName);
-
-  // Check if Vault CR exists
-  const { exitCode, stdout } = await kubectl([
-    "get", "vault", "vault", "-n", "foundation",
-    "-o", "jsonpath={.spec.unsealConfig.azure.keyVaultName}",
-  ]);
-  if (exitCode !== 0) return;
-
-  const currentKv = (stdout || "").trim();
-  if (currentKv === correctKv) {
-    console.log(OK(`  ✓ Vault unseal config → ${correctKv}`));
-    return;
-  }
-
-  hint(`Patching Vault unsealConfig: ${currentKv || "(unset)"} → ${correctKv}`);
-  await kubectl([
-    "patch", "vault", "vault", "-n", "foundation",
-    "--type", "merge", "-p",
-    JSON.stringify({ spec: { unsealConfig: { azure: { keyVaultName: correctKv } } } }),
-  ]);
-
-  // Ensure the Vault SP has Secrets Officer on the KV
-  const spClientId = await getSpClientId(kubectl);
-  if (spClientId) {
-    // Also check envsConfig for AZURE_CLIENT_ID which vault uses directly
-    const { stdout: vaultSpId } = await kubectl([
-      "get", "vault", "vault", "-n", "foundation",
-      "-o", "jsonpath={.spec.envsConfig[?(@.name=='AZURE_CLIENT_ID')].value}",
-    ]);
-    const targetSp = (vaultSpId || "").trim() || spClientId;
-
-    const { stdout: kvId } = await execa("az", [
-      "keyvault", "show", "--name", correctKv, "--query", "id", "-o", "tsv",
-      ...subArgs(sub),
-    ], { reject: false, timeout: 15000 });
-
-    if (kvId?.trim()) {
-      await execa("az", [
-        "role", "assignment", "create",
-        "--assignee", targetSp,
-        "--role", "Key Vault Secrets Officer",
-        "--scope", kvId.trim(),
-        "--output", "none", ...subArgs(sub),
-      ], { reject: false, timeout: 30000 });
-    }
-  }
-
-  // Restart vault pod to pick up the new unseal config
-  await kubectl(["delete", "pod", "vault-0", "-n", "foundation", "--ignore-not-found"]);
-  console.log(OK(`  ✓ Vault unseal config patched → ${correctKv}`));
-}
-
-async function reconcileHelmValues(ctx) {
-  const { execa, clusterName } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
-
-  const pgServer = pgServerName(clusterName);
-  const correctHost = `${pgServer}.postgres.database.azure.com`;
-
-  // List HelmReleases in foundation namespace
-  const { stdout: hrJson } = await kubectl(["get", "helmrelease", "-n", "foundation", "-o", "json"]);
-  if (!hrJson) return;
-
-  const hrs = JSON.parse(hrJson).items || [];
-  let patched = 0;
-
-  for (const hr of hrs) {
-    const name = hr.metadata?.name;
-    const valsStr = JSON.stringify(hr.spec?.values || {});
-    let needsPatch = false;
-
-    for (const oldHost of OLD_PG_HOSTS) {
-      if (valsStr.includes(oldHost)) {
-        needsPatch = true;
-        break;
-      }
-    }
-    if (!needsPatch) continue;
-
-    let newVals = valsStr;
-    for (const oldHost of OLD_PG_HOSTS) {
-      newVals = newVals.replaceAll(oldHost, correctHost);
-    }
-
-    const patch = JSON.stringify({ spec: { values: JSON.parse(newVals) } });
-    const tmpFile = `/tmp/fops-hr-patch-${name}.json`;
-    const { writeFileSync, unlinkSync } = await import("node:fs");
-    writeFileSync(tmpFile, patch);
-
-    const { exitCode } = await kubectl([
-      "patch", "helmrelease", name, "-n", "foundation",
-      "--type", "merge", "--patch-file", tmpFile,
-    ]);
-    try { unlinkSync(tmpFile); } catch {}
-
-    if (exitCode === 0) patched++;
-  }
-
-  if (patched > 0) {
-    console.log(OK(`  ✓ Patched postgres host in ${patched} HelmRelease(s) → ${correctHost}`));
-  } else {
-    console.log(OK("  ✓ HelmRelease postgres hosts are correct"));
-  }
-}
-
-// ── Storage engine: ensure foundation-storage-engine Deployment + Service exist ──
-
-async function reconcileStorageEngine(ctx) {
-  const { execa, clusterName } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
-
-  // Check if deployment already exists
-  const { exitCode } = await kubectl([
-    "get", "deployment", "foundation-storage-engine", "-n", "foundation",
-  ]);
-  if (exitCode === 0) {
-    console.log(OK("  ✓ Storage engine deployment exists"));
-    return;
-  }
-
-  hint("Creating foundation-storage-engine deployment…");
-  const manifest = JSON.stringify({
-    apiVersion: "apps/v1", kind: "Deployment",
-    metadata: { name: "foundation-storage-engine", namespace: "foundation", labels: { app: "foundation-storage-engine" } },
-    spec: {
-      replicas: 1,
-      selector: { matchLabels: { app: "foundation-storage-engine" } },
-      template: {
-        metadata: { labels: { app: "foundation-storage-engine" } },
-        spec: {
-          containers: [{
-            name: "storage-engine",
-            image: "minio/minio:RELEASE.2024-11-07T00-52-20Z",
-            args: ["server", "/data", "--console-address", ":9001"],
-            env: [
-              { name: "MINIO_ROOT_USER", value: "minio" },
-              { name: "MINIO_ROOT_PASSWORD", value: "minio123" },
-            ],
-            ports: [
-              { containerPort: 9000, name: "api" },
-              { containerPort: 9001, name: "console" },
-            ],
-            volumeMounts: [{ name: "data", mountPath: "/data" }],
-            resources: { requests: { cpu: "100m", memory: "256Mi" }, limits: { cpu: "500m", memory: "512Mi" } },
-            readinessProbe: { httpGet: { path: "/minio/health/ready", port: 9000 }, initialDelaySeconds: 5, periodSeconds: 10 },
-          }],
-          volumes: [{ name: "data", emptyDir: {} }],
-        },
-      },
-    },
-  });
-  await kubectl(["apply", "-f", "-"], { input: manifest });
-
-  // Service: foundation-storage-engine (port 8080 → 9000)
-  const svcManifest = JSON.stringify({
-    apiVersion: "v1", kind: "Service",
-    metadata: { name: "foundation-storage-engine", namespace: "foundation" },
-    spec: {
-      selector: { app: "foundation-storage-engine" },
-      ports: [
-        { port: 8080, targetPort: 9000, name: "api" },
-        { port: 9000, targetPort: 9000, name: "s3" },
-      ],
-    },
-  });
-  await kubectl(["apply", "-f", "-"], { input: svcManifest });
-
-  // Also patch the existing "minio" service to point here (Vault uses minio.foundation.svc)
-  const minioSvcManifest = JSON.stringify({
-    apiVersion: "v1", kind: "Service",
-    metadata: { name: "minio", namespace: "foundation" },
-    spec: {
-      selector: { app: "foundation-storage-engine" },
-      ports: [
-        { port: 80, targetPort: 9000, name: "http" },
-        { port: 9000, targetPort: 9000, name: "s3" },
-        { port: 8080, targetPort: 9000, name: "api" },
-      ],
-    },
-  });
-  await kubectl(["apply", "-f", "-"], { input: minioSvcManifest });
-
-  // Wait for the deployment to be ready, then create the vault bucket
-  await kubectl(["rollout", "status", "deployment/foundation-storage-engine", "-n", "foundation", "--timeout=60s"], { timeout: 70000 });
-
-  // Create the vault bucket via a one-shot mc pod
-  const mcJobYaml = JSON.stringify({
-    apiVersion: "batch/v1", kind: "Job",
-    metadata: { name: "fops-mc-init", namespace: "foundation" },
-    spec: {
-      backoffLimit: 3, ttlSecondsAfterFinished: 60,
-      template: {
-        spec: {
-          restartPolicy: "Never",
-          containers: [{
-            name: "mc",
-            image: "minio/mc:latest",
-            command: ["sh", "-c", "mc alias set local http://foundation-storage-engine:8080 minio minio123 && mc mb local/vault --ignore-existing"],
-          }],
-        },
-      },
-    },
-  });
-  await kubectl(["delete", "job", "fops-mc-init", "-n", "foundation", "--ignore-not-found"]);
-  await kubectl(["apply", "-f", "-"], { input: mcJobYaml });
-  await kubectl(["wait", "--for=condition=complete", "job/fops-mc-init", "-n", "foundation", "--timeout=60s"], { timeout: 70000 });
-
-  console.log(OK("  ✓ Storage engine deployed with vault bucket"));
-}
-
-// ── Ingress IP: ensure Istio gateway LB has an external IP ───────────────────
-
-export function clusterDomain(clusterName) {
-  return resolveUniqueDomain(clusterName, "aks");
-}
-
-const INGRESS_VIRTUALSERVICES = [
-  { name: "frontend",       namespace: "foundation", gateway: "foundation-gateway", hostPrefix: "" },
-  { name: "foundation-api", namespace: "foundation", gateway: "foundation-gateway", hostPrefix: "api." },
-];
-
-async function reconcileIngressIp(ctx) {
-  const { execa, clusterName } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 15000, reject: false, ...opts });
-
-  const domain = clusterDomain(clusterName);
-  writeClusterState(clusterName, { domain });
-
-  // ── 1. Ensure LB has an external IP ──
-
-  const { exitCode, stdout } = await kubectl([
-    "get", "svc", "istio-ingressgateway", "-n", "istio-system",
-    "-o", "json",
-  ]);
-  if (exitCode !== 0 || !stdout) return;
-
-  const svc = JSON.parse(stdout);
-  const annotations = svc.metadata?.annotations || {};
-  const pipName = annotations["service.beta.kubernetes.io/azure-pip-name"] || "";
-  let externalIp = svc.status?.loadBalancer?.ingress?.[0]?.ip;
-
-  // Remove stale annotations from other clouds / restrictive source ranges
-  const staleKeys = Object.keys(annotations).filter(k =>
-    k.startsWith("service.beta.kubernetes.io/aws-") ||
-    k === "service.beta.kubernetes.io/load-balancer-source-ranges" ||
-    k === "service.beta.kubernetes.io/azure-allowed-service-tags"
-  );
-  if (staleKeys.length > 0) {
-    hint(`Removing ${staleKeys.length} stale/restrictive annotation(s) from istio-ingressgateway…`);
-    await kubectl([
-      "annotate", "svc", "istio-ingressgateway", "-n", "istio-system",
-      ...staleKeys.map(k => `${k}-`),
-    ]);
-    console.log(OK(`  ✓ Cleaned ${staleKeys.length} stale annotation(s)`));
-  }
-
-  if (!externalIp && pipName) {
-    hint(`Removing stale PIP annotation "${pipName}" from istio-ingressgateway…`);
-    await kubectl([
-      "annotate", "svc", "istio-ingressgateway", "-n", "istio-system",
-      "service.beta.kubernetes.io/azure-pip-name-",
-      "service.beta.kubernetes.io/azure-pip-name-IPv6-",
-    ]);
-    for (let i = 0; i < 6; i++) {
-      await new Promise(r => setTimeout(r, 10000));
-      const { stdout: refreshed } = await kubectl([
-        "get", "svc", "istio-ingressgateway", "-n", "istio-system",
-        "-o", "jsonpath={.status.loadBalancer.ingress[0].ip}",
-      ]);
-      if (refreshed?.trim()) { externalIp = refreshed.trim(); break; }
-    }
-  }
-
-  if (externalIp) {
-    console.log(OK(`  ✓ Ingress gateway IP: ${externalIp}`));
-  } else {
-    console.log(WARN("  ⚠ Ingress gateway has no external IP yet"));
-    hint(`  kubectl describe svc istio-ingressgateway -n istio-system --context ${clusterName}`);
-  }
-
-  // ── 2. Self-signed TLS cert for Istio ingress ──
-
-  const TLS_SECRET = "istio-ingressgateway-certs";
-  const { exitCode: tlsCheck } = await kubectl([
-    "get", "secret", TLS_SECRET, "-n", "istio-system",
-  ]);
-  if (tlsCheck !== 0) {
-    hint("Creating self-signed TLS certificate for ingress…");
-    const { stdout: certOut, exitCode: certCode } = await execa("openssl", [
-      "req", "-x509", "-newkey", "rsa:2048",
-      "-keyout", "/tmp/fops-aks-tls.key", "-out", "/tmp/fops-aks-tls.crt",
-      "-days", "3650", "-nodes",
-      "-subj", `/CN=*.meshx.app`,
-      "-addext", `subjectAltName=DNS:*.meshx.app,DNS:meshx.app,DNS:*.${domain}`,
-    ], { timeout: 15000, reject: false });
-    if (certCode === 0) {
-      await execa("kubectl", [
-        "--context", clusterName,
-        "create", "secret", "tls", TLS_SECRET, "-n", "istio-system",
-        "--cert=/tmp/fops-aks-tls.crt", "--key=/tmp/fops-aks-tls.key",
-      ], { timeout: 15000 });
-      console.log(OK("  ✓ Self-signed TLS secret created"));
-    } else {
-      console.log(WARN("  ⚠ Could not generate TLS cert — HTTPS on ingress may not work"));
-    }
-  }
-
-  // ── 3. Reconcile Istio Gateways ──
-
-  const allHosts = INGRESS_VIRTUALSERVICES.map(vs => `${vs.hostPrefix}${domain}`);
-  const uniqueHosts = [...new Set(allHosts)];
-
-  // Single gateway in foundation namespace with HTTP + HTTPS
-  const gwYaml = `apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
-  name: foundation-gateway
-  namespace: foundation
-spec:
-  selector:
-    istio: ingressgateway
-  servers:
-  - port:
-      number: 80
-      name: http
-      protocol: HTTP
-    hosts:
-${uniqueHosts.map(h => `    - "${h}"`).join("\n")}
-  - port:
-      number: 443
-      name: https
-      protocol: HTTPS
-    tls:
-      mode: SIMPLE
-      credentialName: ${TLS_SECRET}
-    hosts:
-${uniqueHosts.map(h => `    - "${h}"`).join("\n")}`;
-
-  await kubectl(["apply", "-f", "-"], { input: gwYaml });
-  // Remove duplicate gateway from legacy velora namespace if it exists
-  await kubectl(["delete", "gateway", "foundation-gateway", "-n", "velora", "--ignore-not-found"]);
-  console.log(OK(`  ✓ Istio Gateway → ${domain} (HTTP + HTTPS)`));
-
-  // ── 4. Reconcile VirtualService hosts + gateway refs ──
-
-  let patched = 0;
-  for (const vs of INGRESS_VIRTUALSERVICES) {
-    const correctHost = `${vs.hostPrefix}${domain}`;
-    const { stdout: vsJson } = await kubectl([
-      "get", "virtualservice", vs.name, "-n", vs.namespace, "-o", "json",
-    ]);
-    if (!vsJson) continue;
-
-    const vsObj = JSON.parse(vsJson);
-    const hosts = vsObj.spec?.hosts || [];
-    const gateways = vsObj.spec?.gateways || [];
-    const needsHostFix = hosts.length !== 1 || hosts[0] !== correctHost;
-    const needsGwFix = gateways.some(g => g.includes("velora/"));
-
-    if (!needsHostFix && !needsGwFix) continue;
-
-    const patches = [];
-    if (needsHostFix) patches.push({ op: "replace", path: "/spec/hosts", value: [correctHost] });
-    if (needsGwFix) patches.push({ op: "replace", path: "/spec/gateways", value: ["foundation-gateway"] });
-
-    await kubectl([
-      "patch", "virtualservice", vs.name, "-n", vs.namespace,
-      "--type", "json", "-p", JSON.stringify(patches),
-    ]);
-    patched++;
-  }
-
-  if (patched > 0) {
-    console.log(OK(`  ✓ Patched ${patched} VirtualService(s) → *.${domain}`));
-  } else {
-    console.log(OK(`  ✓ VirtualService hosts correct (*.${domain})`));
-  }
-
-  // ── 5. DNS records ──
-  // Root domain is CF-proxied (universal SSL covers *.meshx.app).
-  // Subdomains (api.X.meshx.app) go dns-only because CF universal SSL
-  // doesn't cover two levels deep (*.X.meshx.app).
-  if (externalIp) {
-    const cfToken = process.env.CLOUDFLARE_API_TOKEN || ctx.cfToken;
-    if (cfToken) {
-      const dnsNames = [...new Set(INGRESS_VIRTUALSERVICES.map(vs => `${vs.hostPrefix}${domain}`))];
-      for (const host of dnsNames) {
-        const isRoot = host === domain;
-        await syncDns(cfToken, `https://${host}`, externalIp, { proxied: isRoot });
-      }
-    } else {
-      hint(`  No CLOUDFLARE_API_TOKEN — add DNS A records manually:`);
-      const dnsNames = [...new Set(INGRESS_VIRTUALSERVICES.map(vs => `${vs.hostPrefix}${domain}`))];
-      for (const host of dnsNames) {
-        hint(`    ${host} → ${externalIp}`);
-      }
-    }
-  }
-
-  // Save the ingress info to state
-  if (externalIp) {
-    writeClusterState(clusterName, { ingressIp: externalIp, domain });
-  }
-}
-
-// ── Frontend Auth0: APP_BASE_URL, API_URL, and Auth0 callback registration ───
-
-async function reconcileFrontendAuth(ctx) {
-  const { execa, clusterName } = ctx;
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { timeout: 30000, reject: false, ...opts });
-
-  const domain = clusterDomain(clusterName);
-  const baseUrl = `https://${domain}`;
-
-  // Read Auth0 creds from env (fops loads .env at startup) or project .env
-  let auth0 = {
-    clientId:      process.env.AUTH0_CLIENT_ID,
-    clientSecret:  process.env.AUTH0_CLIENT_SECRET,
-    domain:        process.env.AUTH0_DOMAIN,
-    audience:      process.env.AUTH0_AUDIENCE,
-    issuerBaseUrl: process.env.AUTH0_ISSUER_BASE_URL,
-    secret:        process.env.AUTH0_SECRET,
-  };
-
-  if (!auth0.clientId) {
-    try {
-      const { rootDir } = await import(resolveCliSrc("project.js"));
-      const root = rootDir();
-      if (root) {
-        const envRaw = fs.readFileSync(path.join(root, ".env"), "utf8");
-        for (const line of envRaw.split("\n")) {
-          const m = line.match(/^([A-Z0-9_]+)=(.+)$/);
-          if (!m) continue;
-          const [, k, v] = m;
-          const val = v.replace(/^["']|["']$/g, "");
-          if (k === "AUTH0_CLIENT_ID")       auth0.clientId = val;
-          if (k === "AUTH0_CLIENT_SECRET")   auth0.clientSecret = val;
-          if (k === "AUTH0_DOMAIN")          auth0.domain = val;
-          if (k === "AUTH0_AUDIENCE")        auth0.audience = val;
-          if (k === "AUTH0_ISSUER_BASE_URL") auth0.issuerBaseUrl = val;
-          if (k === "AUTH0_SECRET")          auth0.secret = val;
-        }
-      }
-    } catch { /* no project root or .env */ }
-  }
-
-  if (!auth0.clientId || !auth0.domain) {
-    console.log(WARN("  ⚠ No Auth0 credentials found — skipping frontend auth setup"));
-    hint("  Set AUTH0_CLIENT_ID / AUTH0_DOMAIN in .env or environment");
-    return;
-  }
-
-  // ── 1. Create/update the frontend auth0 K8s secret ──
-
-  const secretArgs = [
-    "create", "secret", "generic", "foundation-frontend-auth0", "-n", "foundation",
-    "--from-literal", `APP_BASE_URL=${baseUrl}`,
-    "--from-literal", `AUTH0_CLIENT_ID=${auth0.clientId}`,
-    "--from-literal", `AUTH0_CLIENT_SECRET=${auth0.clientSecret || ""}`,
-    "--from-literal", `AUTH0_DOMAIN=${auth0.domain}`,
-    "--from-literal", `AUTH0_AUDIENCE=${auth0.audience || ""}`,
-    "--from-literal", `AUTH0_ISSUER_BASE_URL=${auth0.issuerBaseUrl || `https://${auth0.domain}/`}`,
-    "--from-literal", `AUTH0_SECRET=${auth0.secret || auth0.clientSecret || ""}`,
-    "--from-literal", `NEXT_PUBLIC_AUTH0_CLIENT_ID=${auth0.clientId}`,
-    "--from-literal", `NEXT_PUBLIC_AUTH0_DOMAIN=${auth0.domain}`,
-    "--dry-run=client", "-o", "yaml",
-  ];
-  const { stdout: secretYaml } = await kubectl(secretArgs);
-  if (secretYaml) {
-    await kubectl(["apply", "-f", "-"], { input: secretYaml });
-    console.log(OK(`  ✓ Frontend Auth0 secret → APP_BASE_URL=${baseUrl}`));
-  }
-
-  // ── 2. Patch frontend deployment API_URL to point at own ingress ──
-
-  const { exitCode: feExists } = await kubectl([
-    "get", "deploy", "foundation-frontend", "-n", "foundation",
-  ]);
-  if (feExists === 0) {
-    const apiUrl = `${baseUrl}/api/`;
-    const { exitCode: envExit } = await execa("kubectl", [
-      "--context", clusterName,
-      "set", "env", "deploy/foundation-frontend", "-n", "foundation",
-      `API_URL=${apiUrl}`,
-    ], { timeout: 15000, reject: false });
-    if (envExit === 0) {
-      console.log(OK(`  ✓ Frontend API_URL → ${apiUrl}`));
-    }
-  }
-
-  // ── 3. Ensure Auth0 wildcard callback URLs exist ──
-  // Uses https://*.meshx.app so any cluster/VM domain is automatically allowed.
-
-  if (!auth0.clientSecret) {
-    hint("  No AUTH0_CLIENT_SECRET — cannot verify Auth0 wildcard callbacks");
-    return;
-  }
-
-  try {
-    const tokenResp = await fetch(`https://${auth0.domain}/oauth/token`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({
-        client_id: auth0.clientId,
-        client_secret: auth0.clientSecret,
-        audience: `https://${auth0.domain}/api/v2/`,
-        grant_type: "client_credentials",
-      }),
-      signal: AbortSignal.timeout(10_000),
-    });
-    if (!tokenResp.ok) { hint("  Could not get Auth0 management token"); return; }
-    const mgmtToken = (await tokenResp.json()).access_token;
-    if (!mgmtToken) return;
-
-    const appResp = await fetch(
-      `https://${auth0.domain}/api/v2/clients/${auth0.clientId}?fields=callbacks,allowed_logout_urls,web_origins,allowed_origins`,
-      { headers: { Authorization: `Bearer ${mgmtToken}` }, signal: AbortSignal.timeout(10_000) },
-    );
-    if (!appResp.ok) return;
-    const app = await appResp.json();
-
-    const wildcardCb1 = "https://*.meshx.app/auth/callback";
-    const wildcardCb2 = "https://*.meshx.app/api/auth/callback";
-    const wildcardOrigin = "https://*.meshx.app";
-
-    const callbacks = new Set(app.callbacks || []);
-    const logoutUrls = new Set(app.allowed_logout_urls || []);
-    const webOrigins = new Set(app.web_origins || []);
-    const allowedOrigins = new Set(app.allowed_origins || []);
-
-    // Auth0 requires exact callback URLs (wildcards are not matched). Add this cluster's URL.
-    callbacks.add(`${baseUrl}/auth/callback`);
-    callbacks.add(`${baseUrl}/api/auth/callback`);
-    logoutUrls.add(baseUrl);
-    webOrigins.add(baseUrl);
-    allowedOrigins.add(baseUrl);
-
-    const before = callbacks.size + logoutUrls.size + webOrigins.size + allowedOrigins.size;
-    callbacks.add(wildcardCb1);
-    callbacks.add(wildcardCb2);
-    logoutUrls.add(wildcardOrigin);
-    webOrigins.add(wildcardOrigin);
-    allowedOrigins.add(wildcardOrigin);
-    const after = callbacks.size + logoutUrls.size + webOrigins.size + allowedOrigins.size;
-
-    if (after > before) {
-      const patchResp = await fetch(
-        `https://${auth0.domain}/api/v2/clients/${auth0.clientId}`,
-        {
-          method: "PATCH",
-          headers: { Authorization: `Bearer ${mgmtToken}`, "Content-Type": "application/json" },
-          body: JSON.stringify({
-            callbacks: [...callbacks],
-            allowed_logout_urls: [...logoutUrls],
-            web_origins: [...webOrigins],
-            allowed_origins: [...allowedOrigins],
-          }),
-          signal: AbortSignal.timeout(10_000),
-        },
-      );
-      if (patchResp.ok) {
-        console.log(OK("  ✓ Auth0 wildcard callbacks ensured (*.meshx.app)"));
-      } else {
-        console.log(WARN(`  ⚠ Auth0 callback update failed: HTTP ${patchResp.status}`));
-      }
-    } else {
-      console.log(OK("  ✓ Auth0 wildcard callbacks already configured"));
-    }
-  } catch (e) {
-    hint(`  Auth0 callback check failed: ${e.message}`);
-  }
-}
-
-async function reconcileFopsApi(ctx) {
-  const { execa, clusterName } = ctx;
-
-  const kubectl = (args, opts = {}) =>
-    execa("kubectl", ["--context", clusterName, ...args], { reject: false, timeout: 30000, ...opts });
-
-  // Check if already deployed and running
-  const { stdout: existing, exitCode } = await kubectl([
-    "get", "deployment", "fops-api", "-n", FOPS_API_NS,
-    "-o", "jsonpath={.status.readyReplicas}",
-  ]);
-
-  if (exitCode === 0 && parseInt(existing) > 0) {
-    console.log(OK("  ✓ fops-api deployment running"));
-    return;
-  }
-
-  hint("Deploying fops-api to cluster…");
-
-  const manifests = fopsApiManifests(clusterName);
-  const yaml = manifests.map(m => JSON.stringify(m)).join("\n---\n");
-
-  const result = await execa("kubectl", [
-    "--context", clusterName, "apply", "-f", "-",
-  ], { input: yaml, reject: false, timeout: 30000 });
-
-  if (result.exitCode === 0) {
-    console.log(OK(`  ✓ fops-api deployed to ${FOPS_API_NS} namespace`));
-    hint(`  Access: kubectl --context ${clusterName} port-forward svc/fops-api -n ${FOPS_API_NS} 4100:4100`);
-  } else {
-    const errMsg = (result.stderr || result.stdout || "").trim().split("\n")[0];
-    console.log(WARN(`  ⚠ fops-api deploy failed: ${errMsg}`));
-  }
-}
-
-async function reconcileFlux(execa, { clusterName, rg, sub, githubToken, repo, owner, path: fluxPath, branch }) {
-  repo = repo || AKS_DEFAULTS.fluxRepo;
-  owner = owner || AKS_DEFAULTS.fluxOwner;
-  branch = branch || AKS_DEFAULTS.fluxBranch;
-  const repoUrl = `https://github.com/${owner}/${repo}`;
-  const configName = "flux-system";
-
-  // Check if the Flux extension is already installed
-  const { exitCode: extExists } = await execa("az", [
-    "k8s-extension", "show",
-    "--resource-group", rg,
-    "--cluster-name", clusterName,
-    "--cluster-type", "managedClusters",
-    "--name", "flux",
-    "--output", "none",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 30000 });
-
-  if (extExists !== 0) {
-    hint("Installing Flux extension…");
-    try {
-      await execa("az", [
-        "k8s-extension", "create",
-        "--resource-group", rg,
-        "--cluster-name", clusterName,
-        "--cluster-type", "managedClusters",
-        "--name", "flux",
-        "--extension-type", "microsoft.flux",
-        "--scope", "cluster",
-        "--output", "none",
-        ...subArgs(sub),
-      ], { timeout: 600000 });
-      console.log(OK("  ✓ Flux extension installed"));
-    } catch (err) {
-      const msg = (err.stderr || err.message || "").toString();
-      if (/rpds|No module named|ModuleNotFoundError/.test(msg)) {
-        console.error(ERR("\n  Azure k8s-extension failed (broken vendored rpds — known Azure CLI bug)."));
-        hint("Workaround (macOS Homebrew): install rpds-py into Azure CLI's Python, then remove the extension's vendored rpds:");
-        hint("  $(brew --prefix azure-cli)/libexec/bin/pip install rpds-py");
-        hint("  rm -rf ~/.azure/cliextensions/k8s-extension/rpds");
-        hint("Then re-run. See: https://github.com/Azure/azure-cli/issues/32709\n");
-        throw err;
-      }
-      throw err;
-    }
-  } else {
-    console.log(OK("  ✓ Flux extension already installed"));
-  }
-
-  // Check if the GitOps configuration already exists
-  const { exitCode: cfgExists } = await execa("az", [
-    "k8s-configuration", "flux", "show",
-    "--resource-group", rg,
-    "--cluster-name", clusterName,
-    "--cluster-type", "managedClusters",
-    "--name", configName,
-    "--output", "none",
-    ...subArgs(sub),
-  ], { reject: false, timeout: 30000 });
-
-  if (cfgExists !== 0) {
-    hint("Creating GitOps configuration…");
-    try {
-      await execa("az", [
-        "k8s-configuration", "flux", "create",
-        "--resource-group", rg,
-        "--cluster-name", clusterName,
-        "--cluster-type", "managedClusters",
-        "--name", configName,
-        "--namespace", "flux-system",
-        "--scope", "cluster",
-        "--url", repoUrl,
-        "--branch", branch,
-        "--https-user", "x-access-token",
-        "--https-key", githubToken,
-        "--kustomization", `name=${configName}`, `path=./${fluxPath}`, "prune=true",
-        "--output", "none",
-        ...subArgs(sub),
-      ], { timeout: 300000 });
-      console.log(OK("  ✓ GitOps configuration created"));
-    } catch (err) {
-      const azErr = (err.stderr || err.message || "").replace(/^.*ERROR:\s*/m, "").split("\n")[0];
-      console.log(WARN(`  ⚠ GitOps configuration failed: ${azErr}`));
-      hint("Create manually: az k8s-configuration flux create -g " + rg + " -c " + clusterName + " -t managedClusters -n " + configName + " ...");
-    }
-  } else {
-    const { stdout: cfgJson } = await execa("az", [
-      "k8s-configuration", "flux", "show",
-      "--resource-group", rg,
-      "--cluster-name", clusterName,
-      "--cluster-type", "managedClusters",
-      "--name", configName,
-      "--output", "json",
-      ...subArgs(sub),
-    ], { reject: false, timeout: 30000 });
-    let currentUrl = "";
-    let currentPath = "";
-    if (cfgJson) {
-      try {
-        const cfg = JSON.parse(cfgJson);
-        currentUrl = (cfg.gitRepository && cfg.gitRepository.url) || "";
-        const ks = cfg.kustomizations && cfg.kustomizations[configName];
-        currentPath = (ks && ks.path) || "";
-      } catch { /* ignore */ }
-    }
-    const desiredPath = fluxPath.startsWith("./") ? fluxPath : `./${fluxPath}`;
-    const urlMismatch = currentUrl && currentUrl !== repoUrl;
-    const pathMismatch = currentPath && currentPath !== desiredPath;
-    if (urlMismatch || pathMismatch) {
-      hint(`Updating Flux to ${owner}/${repo} (was ${currentUrl || "unknown"})…`);
-      try {
-        await execa("az", [
-          "k8s-configuration", "flux", "update",
-          "--resource-group", rg,
-          "--cluster-name", clusterName,
-          "--cluster-type", "managedClusters",
-          "--name", configName,
-          "--url", repoUrl,
-          "--branch", branch,
-          "--https-user", "x-access-token",
-          "--https-key", githubToken,
-          "--kustomization", `name=${configName}`, `path=${desiredPath}`, "prune=true",
-          "--output", "none",
-          ...subArgs(sub),
-        ], { timeout: 300000 });
-        console.log(OK("  ✓ GitOps configuration updated to your repo"));
-      } catch (err) {
-        const azErr = (err.stderr || err.message || "").replace(/^.*ERROR:\s*/m, "").split("\n")[0];
-        console.log(WARN(`  ⚠ Flux update failed: ${azErr}`));
-      }
-    } else {
-      console.log(OK("  ✓ GitOps configuration already exists"));
-    }
-  }
-}
 
-function printClusterInfo(cl) {
-  console.log(`\n  ${LABEL("Cluster Info")}`);
-  kvLine("Name",     cl.clusterName, { pad: 12 });
-  kvLine("RG",       cl.resourceGroup, { pad: 12 });
-  kvLine("FQDN",     cl.fqdn || "—", { pad: 12 });
-  kvLine("K8s",      cl.kubernetesVersion || "—", { pad: 12 });
-  kvLine("Nodes",    `${cl.nodeCount || "?"} x ${cl.nodeVmSize || "?"}`, { pad: 12 });
-  if (cl.flux) {
-    kvLine("Flux",   `${cl.flux.owner}/${cl.flux.repo}`, { pad: 12 });
-  }
-  hint("");
-  hint(`kubectl:  kubectl --context ${cl.clusterName} get nodes`);
-  hint(`status:   fops azure aks status ${cl.clusterName}`);
-  if (!cl.flux) {
-    hint(`flux:     fops azure aks flux bootstrap ${cl.clusterName} --flux-owner <org> --flux-repo <repo>`);
-  }
-  console.log("");
-}
+// ── Naming helpers and constants ─────────────────────────────────────────────
+export {
+  AKS_DEFAULTS,
+  PG_DEFAULTS,
+  EH_DEFAULTS,
+  PG_REPLICA_REGIONS,
+  pgServerName,
+  kvName,
+  ehNamespaceName,
+  generatePassword,
+  timeSince,
+  parseCidr,
+  cidrOverlaps,
+} from "./azure-aks-naming.js";
+
+// ── State management ─────────────────────────────────────────────────────────
+export {
+  readAksClusters,
+  readClusterState,
+  writeClusterState,
+  clearClusterState,
+  readStackState,
+  writeStackState,
+  deleteStackState,
+  listStacks,
+  readProjectFluxConfig,
+  resolveFluxConfig,
+  requireCluster,
+} from "./azure-aks-state.js";
+
+// ── Network ──────────────────────────────────────────────────────────────────
+export {
+  reconcileApiServerIp,
+  reconcileNetworkAccess,
+  findAvailableSubnetCidr,
+  findAksVnet,
+  aksWhitelistMe,
+} from "./azure-aks-network.js";
+
+// ── Secrets ──────────────────────────────────────────────────────────────────
+export {
+  SECRET_STORE_NAMESPACES_BASE,
+  SECRET_STORE_NAMESPACES_DAI,
+  SECRET_STORE_NAME,
+  KV_SEED_SECRETS,
+  VAULT_UNSEAL_KEY_NAME,
+  reconcileSecretStore,
+  reconcileK8sSecrets,
+  reconcileVaultUnseal,
+  seedKeyVaultFromVm,
+  getSpClientId,
+  detectEsApiVersion,
+  aksVaultInit,
+} from "./azure-aks-secrets.js";
+
+// ── Storage ──────────────────────────────────────────────────────────────────
+export {
+  HELM_REPOS,
+  OLD_PG_HOSTS,
+  reconcileStorageAccount,
+  reconcileStorageEngine,
+  reconcileHelmRepos,
+  reconcileHelmValues,
+  reconcileAcrWebhooks,
+} from "./azure-aks-storage.js";
+
+// ── PostgreSQL ───────────────────────────────────────────────────────────────
+export {
+  PG_SERVICE_DBS,
+  reconcilePostgres,
+  reconcilePgDatabases,
+  syncPostgresSecret,
+  aksPostgresReplicaCreate,
+  aksPostgresReplicaList,
+  aksPostgresReplicaPromote,
+  aksPostgresReplicaDelete,
+  reconcileEventHubs,
+} from "./azure-aks-postgres.js";
+
+// ── Flux ─────────────────────────────────────────────────────────────────────
+export {
+  TEMPLATE_DEFAULTS,
+  FOPS_MANAGED_KUSTOMIZATIONS,
+  DAI_KUSTOMIZATIONS,
+  ensureFluxCli,
+  cloneOrUpdateRepo,
+  renderTemplate,
+  copyAndRenderTemplateDir,
+  commitClusterToFlux,
+  provisionFluxFromTemplate,
+  bootstrapFlux,
+  reconcileFlux,
+  reconcileFluxStep,
+  suspendManagedKustomizations,
+  reconcileFluxPrereqs,
+  aksFluxInit,
+  aksFluxBootstrap,
+  aksFluxStatus,
+  aksFluxReconcile,
+  aksDataBootstrap,
+} from "./azure-aks-flux.js";
+
+// ── Ingress ──────────────────────────────────────────────────────────────────
+export {
+  clusterDomain,
+  INGRESS_VIRTUALSERVICES,
+  reconcileIngressIp,
+  reconcileFrontendAuth,
+} from "./azure-aks-ingress.js";
+
+// ── Terraform ────────────────────────────────────────────────────────────────
+export {
+  aksTerraform,
+  generateAksTerraform,
+} from "./azure-aks-terraform.js";
+
+// ── Reconcilers ──────────────────────────────────────────────────────────────
+export {
+  AKS_RECONCILERS,
+  reconcileCluster,
+  aksDoctor,
+} from "./azure-aks-reconcilers.js";
+
+// ── Stacks ───────────────────────────────────────────────────────────────────
+export {
+  printClusterInfo,
+  stackDomain,
+  pgDatabaseName,
+  STACK_RECONCILERS,
+  aksStackUp,
+  aksStackDown,
+  aksStackList,
+  aksStackStatus,
+} from "./azure-aks-stacks.js";
+
+// ── Core CLI commands ────────────────────────────────────────────────────────
+export {
+  resolveK8sVersion,
+  ensureKubectl,
+  ensureGhcrPullSecret,
+  getCredentials,
+  aksUp,
+  aksDown,
+  aksList,
+  aksStatus,
+  aksConfigVersions,
+  aksKubeconfig,
+  aksNodePoolAdd,
+  aksNodePoolRemove,
+  aksGrantAdmin,
+} from "./azure-aks-core.js";