@meshxdata/fops 0.1.44 → 0.1.46

package/src/plugins/bundled/fops-plugin-azure/lib/commands/infra-cmds.js

@@ -337,6 +337,57 @@ export function registerInfraCommands(azure) {
       await keyvaultStatus({ profile: opts.profile });
     });
 
+  // ── Key Vault Network commands ────────────────────────────────────────────
+  const kvNetwork = keyvault
+    .command("network")
+    .description("Configure Key Vault network access (VNet, firewall)");
+
+  kvNetwork
+    .command("show", { isDefault: true })
+    .description("Show network configuration for a Key Vault")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { networkShow } = await import("../azure-keyvault.js");
+      await networkShow({ vault: opts.vault, profile: opts.profile });
+    });
+
+  kvNetwork
+    .command("add-vnet")
+    .description("Add VNet/subnet access rule (also adds service endpoint)")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .requiredOption("--vnet <name>", "Virtual network name")
+    .requiredOption("--subnet <name>", "Subnet name")
+    .option("--resource-group <name>", "VNet resource group (if different from Key Vault)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { networkAddVnet } = await import("../azure-keyvault.js");
+      await networkAddVnet({
+        vault: opts.vault, vnet: opts.vnet, subnet: opts.subnet,
+        resourceGroup: opts.resourceGroup, profile: opts.profile,
+      });
+    });
+
+  kvNetwork
+    .command("private")
+    .description("Set Key Vault to private (deny public access, allow VNets)")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { networkPrivate } = await import("../azure-keyvault.js");
+      await networkPrivate({ vault: opts.vault, profile: opts.profile });
+    });
+
+  kvNetwork
+    .command("public")
+    .description("Set Key Vault to public (allow all networks)")
+    .option("--vault <name>", "Key Vault name (auto-detected if only one)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { networkPublic } = await import("../azure-keyvault.js");
+      await networkPublic({ vault: opts.vault, profile: opts.profile });
+    });
+
   const kvSecret = keyvault
     .command("secret")
     .description("Manage secrets in a Key Vault");
@@ -506,9 +557,23 @@ export function registerInfraCommands(azure) {
     .option("--flux-path <path>", "Path in repo for cluster manifests (default: clusters/<name>)")
     .option("--flux-branch <branch>", "Git branch for Flux (default: main)")
     .option("--github-token <token>", "GitHub PAT for Flux + GHCR pull (default: $GITHUB_TOKEN)")
+    .option("--template-repo <repo>", "Template repo name (default: platform-flux-template)")
+    .option("--template-owner <owner>", "Template repo owner (default: meshxdata)")
+    .option("--template-branch <branch>", "Template repo branch (default: main)")
+    .option("--environment <env>", "Environment: demo | staging | live (default: demo)")
+    .option("--keyvault-url <url>", "Override KeyVault URL")
     .option("--no-flux", "Skip Flux bootstrap")
+    .option("--no-template", "Skip template rendering, use legacy Flux bootstrap")
+    .option("--no-commit", "Render template locally only, don't push to flux repo")
+    .option("--dry-run", "Show what would be committed without actually committing")
     .option("--no-postgres", "Skip Postgres Flexible Server provisioning")
+    .option("--managed-kafka", "Use Azure Event Hubs (Kafka) instead of in-cluster Kafka")
     .option("--dai", "Include DAI (Dashboards AI) workloads")
+    .option("--zones", "Enable availability zone redundancy (default when nodes >= 3)")
+    .option("--no-zones", "Disable availability zone redundancy")
+    .option("--geo-replica", "Create Postgres geo-replica for DR (default when in UAE)")
+    .option("--no-geo-replica", "Skip Postgres geo-replica creation")
+    .option("--reprovision", "Re-render and push cluster template (for existing clusters)")
     .action(async (name, opts) => {
       const { aksUp } = await import("../azure-aks.js");
       await aksUp({
@@ -522,9 +587,19 @@ export function registerInfraCommands(azure) {
         fluxRepo: opts.fluxRepo, fluxOwner: opts.fluxOwner,
         fluxPath: opts.fluxPath, fluxBranch: opts.fluxBranch,
         githubToken: opts.githubToken,
+        templateRepo: opts.templateRepo, templateOwner: opts.templateOwner,
+        templateBranch: opts.templateBranch, environment: opts.environment,
+        keyvaultUrl: opts.keyvaultUrl,
         noFlux: opts.flux === false,
+        noTemplate: opts.template === false,
+        noCommit: opts.commit === false,
+        dryRun: opts.dryRun === true,
         noPostgres: opts.postgres === false,
+        managedKafka: opts.managedKafka === true,
         dai: opts.dai === true,
+        zones: opts.zones,
+        geoReplica: opts.geoReplica,
+        reprovision: opts.reprovision === true,
       });
     });
 
@@ -556,6 +631,16 @@ export function registerInfraCommands(azure) {
       await aksStatus({ clusterName: name, profile: opts.profile });
     });
 
+  aks
+    .command("doctor [name]")
+    .description("Diagnose and fix common AKS cluster issues (GHCR secrets, SecretStore, etc.)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--github-token <token>", "GitHub PAT for GHCR pull secret (default: $GITHUB_TOKEN)")
+    .action(async (name, opts) => {
+      const { aksDoctor } = await import("../azure-aks.js");
+      await aksDoctor({ clusterName: name, profile: opts.profile, githubToken: opts.githubToken });
+    });
+
   const aksConfig = aks
     .command("config")
     .description("Manage service versions on the AKS cluster");
@@ -773,10 +858,20 @@ export function registerInfraCommands(azure) {
       await aksKubeconfig({ clusterName: name, profile: opts.profile, admin: opts.admin });
     });
 
+  aks
+    .command("whitelist-me [name]")
+    .description("Add your current public IP to the AKS API server authorized IP ranges")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { aksWhitelistMe } = await import("../azure-aks.js");
+      await aksWhitelistMe({ clusterName: name, profile: opts.profile });
+    });
+
   aks
     .command("bootstrap [clusterName]")
     .description("Create demo data mesh on the cluster (same as fops bootstrap, targeting AKS backend)")
     .option("--api-url <url>", "Foundation backend API URL (e.g. https://foundation.example.com/api)")
+    .option("--bearer-token <token>", "Bearer token for API authentication")
     .option("--yes", "Use credentials from env or ~/.fops.json, skip prompt")
     .option("--profile <subscription>", "Azure subscription name or ID")
     .action(async (clusterName, opts) => {
@@ -785,10 +880,165 @@ export function registerInfraCommands(azure) {
         clusterName,
         profile: opts.profile,
         apiUrl: opts.apiUrl,
+        bearerToken: opts.bearerToken,
         yes: opts.yes,
       });
     });
 
+  // Note: locust command group is defined later in the file
+  // This block is kept for reference but disabled to avoid duplicate command error
+  // Use: fops azure aks locust run [name]
+  const _locustRunCmd = aks
+    .command("locust-run [name]", { hidden: true })
+    .description("Run Locust load tests against an AKS cluster (use 'locust run' instead)")
+    .option("-u, --users <n>", "Number of concurrent users", "10")
+    .option("-r, --spawn-rate <n>", "User spawn rate per second", "2")
+    .option("-t, --run-time <duration>", "Run time (e.g. 60s, 5m)", "30s")
+    .option("--bearer-token <token>", "Bearer token for API authentication")
+    .option("--cf-client-id <id>", "Cloudflare Access client ID")
+    .option("--cf-client-secret <secret>", "Cloudflare Access client secret")
+    .option("--web", "Start web UI instead of CLI mode")
+    .option("--web-port <port>", "Web UI port", "8089")
+    .action(async (name, opts) => {
+      const { readClusterState, clusterDomain } = await import("../azure-aks.js");
+      const { resolveCliSrc } = await import("../azure-helpers.js");
+      const { rootDir } = await import(resolveCliSrc("project.js"));
+      const fsp = await import("node:fs/promises");
+      const path = await import("node:path");
+
+      const cluster = readClusterState(name);
+      if (!cluster?.clusterName) {
+        console.error(chalk.red(`\n  No AKS cluster tracked: "${name || "(none active)"}"`));
+        console.error(chalk.dim("  Create one:  fops azure aks up <name>\n"));
+        process.exit(1);
+      }
+
+      const domain = cluster.domain || clusterDomain(cluster.clusterName);
+      const apiUrl = `https://api.${domain}`;
+
+      const root = rootDir();
+      if (!root) {
+        console.error(chalk.red("\n  Foundation project root not found.\n"));
+        process.exit(1);
+      }
+
+      const qaDir = path.join(root, "foundation-qa-automation");
+      const locustFile = path.join(qaDir, "locustfile.py");
+      try { await fsp.access(locustFile); } catch {
+        console.error(chalk.red("\n  locustfile.py not found in foundation-qa-automation/"));
+        process.exit(1);
+      }
+
+      const { execa: execaFn } = await import("execa");
+
+      const os = await import("node:os");
+
+      // Read .env file for credentials
+      let envCreds = {};
+      try {
+        const envPath = path.join(root, ".env");
+        const envContent = await fsp.readFile(envPath, "utf8");
+        for (const line of envContent.split("\n")) {
+          const match = line.match(/^(CF_ACCESS_CLIENT_ID|CF_ACCESS_CLIENT_SECRET|BEARER_TOKEN)=(.*)$/);
+          if (match) envCreds[match[1]] = match[2].trim().replace(/^["']|["']$/g, "");
+        }
+      } catch { /* no .env */ }
+
+      // Read ~/.fops.json for credentials
+      let fopsCreds = {};
+      try {
+        const fopsPath = path.join(os.homedir(), ".fops.json");
+        const fopsContent = JSON.parse(await fsp.readFile(fopsPath, "utf8"));
+        const cfg = fopsContent?.plugins?.entries?.["fops-plugin-foundation"]?.config || fopsContent || {};
+        fopsCreds = {
+          CF_ACCESS_CLIENT_ID: cfg.cfAccessClientId || cfg.CF_ACCESS_CLIENT_ID,
+          CF_ACCESS_CLIENT_SECRET: cfg.cfAccessClientSecret || cfg.CF_ACCESS_CLIENT_SECRET,
+          BEARER_TOKEN: cfg.bearerToken || cfg.BEARER_TOKEN,
+        };
+      } catch { /* no fops.json */ }
+
+      // Resolve Cloudflare Access credentials (from options, env, .env, fops.json, or cluster state)
+      let cfClientId = opts.cfClientId || process.env.CF_ACCESS_CLIENT_ID || envCreds.CF_ACCESS_CLIENT_ID || fopsCreds.CF_ACCESS_CLIENT_ID || cluster.cfAccessClientId || "";
+      let cfClientSecret = opts.cfClientSecret || process.env.CF_ACCESS_CLIENT_SECRET || envCreds.CF_ACCESS_CLIENT_SECRET || fopsCreds.CF_ACCESS_CLIENT_SECRET || cluster.cfAccessClientSecret || "";
+
+      // Use explicit token if provided, otherwise resolve via auth chain
+      let bearerToken = opts.bearerToken || process.env.BEARER_TOKEN || envCreds.BEARER_TOKEN || fopsCreds.BEARER_TOKEN || "";
+      let qaUser = "compose@meshx.io";
+
+      if (cfClientId && cfClientSecret) {
+        console.log(chalk.green(`  ✓ Using Cloudflare Access credentials`));
+      } else if (bearerToken) {
+        console.log(chalk.green(`  ✓ Using provided bearer token`));
+      } else {
+        const { listVms: lv, sshCmd: sc, knockForVm: kfv } = await import("../azure.js");
+        const { vms: allVms } = lv();
+        const vmEntry = Object.entries(allVms).find(([, v]) => v.publicIp);
+
+        console.log(chalk.dim(`  Authenticating against ${apiUrl}…`));
+        const auth = await resolveRemoteAuth({
+          apiUrl,
+          ip: vmEntry?.[1]?.publicIp,
+          vmState: vmEntry?.[1],
+          execaFn, sshCmd: sc, knockForVm: kfv, suppressTlsWarning,
+        });
+        bearerToken = auth.bearerToken;
+        qaUser = auth.qaUser || qaUser;
+      }
+
+      if (!bearerToken && !cfClientId) {
+        console.error(chalk.red("\n  No credentials found."));
+        console.error(chalk.dim("  Use --bearer-token, --cf-client-id/--cf-client-secret, or set CF_ACCESS_CLIENT_ID/CF_ACCESS_CLIENT_SECRET env vars\n"));
+        process.exit(1);
+      }
+
+      const locustEnv = {
+        ...process.env,
+        OWNER_EMAIL: qaUser || "compose@meshx.io",
+      };
+      if (bearerToken) locustEnv.BEARER_TOKEN = bearerToken;
+      if (cfClientId) locustEnv.CF_ACCESS_CLIENT_ID = cfClientId;
+      if (cfClientSecret) locustEnv.CF_ACCESS_CLIENT_SECRET = cfClientSecret;
+
+      // Ensure venv + deps (including locust)
+      try { await fsp.access(path.join(qaDir, "venv")); } catch {
+        console.log(chalk.cyan("  Setting up QA automation environment…"));
+        await execaFn("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
+        await execaFn("bash", ["-c", "source venv/bin/activate && pip install -r requirements.txt"], { cwd: qaDir, stdio: "inherit" });
+      }
+
+      // Ensure locust is installed
+      const locustCheck = await execaFn("bash", ["-c", "source venv/bin/activate && python -c 'import locust'"], { cwd: qaDir, reject: false });
+      if (locustCheck.exitCode !== 0) {
+        console.log(chalk.cyan("  Installing locust…"));
+        await execaFn("bash", ["-c", "source venv/bin/activate && pip install locust"], { cwd: qaDir, stdio: "inherit" });
+      }
+
+      const locustArgs = [
+        "-f", locustFile,
+        "--host", apiUrl,
+      ];
+
+      if (opts.web) {
+        locustArgs.push("--web-port", opts.webPort);
+        console.log(chalk.cyan(`\n  Starting Locust web UI at http://localhost:${opts.webPort}`));
+        console.log(chalk.dim(`  Target: ${apiUrl}\n`));
+      } else {
+        locustArgs.push("--headless", "-u", opts.users, "-r", opts.spawnRate, "-t", opts.runTime);
+        console.log(chalk.cyan(`\n  Locust: ${opts.users} users, ${opts.spawnRate}/s, ${opts.runTime}`));
+        console.log(chalk.dim(`  Target: ${apiUrl}\n`));
+      }
+
+      const locustCmd = `source venv/bin/activate && locust ${locustArgs.join(" ")}`;
+      const proc = execaFn("bash", ["-c", locustCmd], {
+        cwd: qaDir,
+        env: locustEnv,
+        stdio: "inherit",
+        reject: false,
+      });
+
+      await proc;
+    });
+
   // ── Node pool management ───────────────────────────────────────────────
 
   const nodePool = aks
@@ -806,6 +1056,7 @@ export function registerInfraCommands(azure) {
     .option("--labels <labels>", "Node labels (key=value pairs)")
     .option("--taints <taints>", "Node taints (key=value:effect)")
     .option("--max-pods <count>", "Max pods per node")
+    .option("--zones <zones>", "Availability zones (e.g. 1,2,3)")
     .action(async (clusterName, opts) => {
       const { aksNodePoolAdd } = await import("../azure-aks.js");
       await aksNodePoolAdd({
@@ -814,6 +1065,7 @@ export function registerInfraCommands(azure) {
         nodeVmSize: opts.nodeVmSize, mode: opts.mode,
         labels: opts.labels, taints: opts.taints,
         maxPods: opts.maxPods ? Number(opts.maxPods) : undefined,
+        zones: opts.zones,
       });
     });
 
@@ -827,6 +1079,73 @@ export function registerInfraCommands(azure) {
       await aksNodePoolRemove({ clusterName, profile: opts.profile, poolName: opts.poolName });
     });
 
+  // ── Postgres subcommands (replicas, HA) ─────────────────────────────────
+
+  const postgres = aks
+    .command("postgres")
+    .description("Manage PostgreSQL Flexible Server (replicas, HA)");
+
+  const pgReplica = postgres
+    .command("replica")
+    .description("Manage cross-region read replicas for disaster recovery");
+
+  pgReplica
+    .command("create [clusterName]")
+    .description("Create a read replica in another region (UAE → EU)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--region <region>", "Target region for replica (default: westeurope)")
+    .option("--replica-name <name>", "Custom replica name")
+    .action(async (clusterName, opts) => {
+      const { aksPostgresReplicaCreate } = await import("../azure-aks.js");
+      await aksPostgresReplicaCreate({
+        clusterName,
+        profile: opts.profile,
+        region: opts.region,
+        replicaName: opts.replicaName,
+      });
+    });
+
+  pgReplica
+    .command("list [clusterName]")
+    .description("List all read replicas")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (clusterName, opts) => {
+      const { aksPostgresReplicaList } = await import("../azure-aks.js");
+      await aksPostgresReplicaList({ clusterName, profile: opts.profile });
+    });
+
+  pgReplica
+    .command("promote [clusterName]")
+    .description("Promote replica to standalone (DR failover)")
+    .requiredOption("--replica-name <name>", "Replica name to promote")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--yes", "Skip confirmation")
+    .action(async (clusterName, opts) => {
+      const { aksPostgresReplicaPromote } = await import("../azure-aks.js");
+      await aksPostgresReplicaPromote({
+        clusterName,
+        profile: opts.profile,
+        replicaName: opts.replicaName,
+        yes: opts.yes,
+      });
+    });
+
+  pgReplica
+    .command("delete [clusterName]")
+    .description("Delete a read replica")
+    .requiredOption("--replica-name <name>", "Replica name to delete")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--yes", "Skip confirmation")
+    .action(async (clusterName, opts) => {
+      const { aksPostgresReplicaDelete } = await import("../azure-aks.js");
+      await aksPostgresReplicaDelete({
+        clusterName,
+        profile: opts.profile,
+        replicaName: opts.replicaName,
+        yes: opts.yes,
+      });
+    });
+
   // ── Flux subcommands ───────────────────────────────────────────────────
 
   const flux = aks
@@ -887,4 +1206,443 @@ export function registerInfraCommands(azure) {
       const { aksFluxReconcile } = await import("../azure-aks.js");
       await aksFluxReconcile({ clusterName, source: opts.source });
     });
+
+  // ── Vault management ────────────────────────────────────────────────────
+
+  const vault = aks
+    .command("vault")
+    .description("Manage HashiCorp Vault on the AKS cluster");
+
+  vault
+    .command("init [clusterName]")
+    .description("Bootstrap Vault with Azure Key Vault auto-unseal")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (clusterName, opts) => {
+      const { aksVaultInit } = await import("../azure-aks-secrets.js");
+      await aksVaultInit({ clusterName, profile: opts.profile });
+    });
+
+  // ── Stack management ────────────────────────────────────────────────────
+
+  const stack = aks
+    .command("stack")
+    .description("Manage Foundation stacks in cluster (multi-tenant namespaces)");
+
+  stack
+    .command("up <namespace>")
+    .description("Deploy a Foundation stack to a namespace")
+    .option("--cluster <name>", "Target cluster (default: active cluster)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (namespace, opts) => {
+      const { aksStackUp } = await import("../azure-aks.js");
+      await aksStackUp({
+        namespace,
+        clusterName: opts.cluster,
+        profile: opts.profile,
+      });
+    });
+
+  stack
+    .command("down <namespace>")
+    .description("Remove a Foundation stack from a namespace")
+    .option("--cluster <name>", "Target cluster (default: active cluster)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--yes", "Skip confirmation prompt")
+    .action(async (namespace, opts) => {
+      const { aksStackDown } = await import("../azure-aks.js");
+      await aksStackDown({
+        namespace,
+        clusterName: opts.cluster,
+        profile: opts.profile,
+        yes: opts.yes,
+      });
+    });
+
+  stack
+    .command("list")
+    .description("List all deployed stacks in a cluster")
+    .option("--cluster <name>", "Target cluster (default: active cluster)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (opts) => {
+      const { aksStackList } = await import("../azure-aks.js");
+      await aksStackList({
+        clusterName: opts.cluster,
+        profile: opts.profile,
+      });
+    });
+
+  stack
+    .command("status <namespace>")
+    .description("Show status of a deployed stack")
+    .option("--cluster <name>", "Target cluster (default: active cluster)")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (namespace, opts) => {
+      const { aksStackStatus } = await import("../azure-aks.js");
+      await aksStackStatus({
+        namespace,
+        clusterName: opts.cluster,
+        profile: opts.profile,
+      });
+    });
+
+  // ── Locust load testing ───────────────────────────────────────────────────
+
+  const locust = aks
+    .command("locust")
+    .description("Run Locust load tests against Foundation clusters");
+
+  locust
+    .command("demo")
+    .description("Run Locust load test against demo.meshx.app")
+    .option("--users <count>", "Number of concurrent users (default: 10)", "10")
+    .option("--spawn-rate <rate>", "Users spawned per second (default: 2)", "2")
+    .option("--run-time <duration>", "Test duration e.g. 1m, 5m, 30s (default: 1m)", "1m")
+    .option("--headless", "Run without web UI (default: true)", true)
+    .option("--web", "Run with web UI on http://localhost:8089")
+    .option("--html <file>", "Generate HTML report to file")
+    .action(async (opts) => {
+      const { resolveCliSrc } = await import("../azure-helpers.js");
+      const { rootDir } = await import(resolveCliSrc("project.js"));
+      const fsp = await import("node:fs/promises");
+      const path = await import("node:path");
+
+      const root = rootDir();
+      if (!root) {
+        console.error(chalk.red("\n  Foundation project root not found. Run from the compose repo or set FOUNDATION_ROOT.\n"));
+        process.exit(1);
+      }
+
+      const qaDir = path.join(root, "foundation-qa-automation");
+      const locustFile = path.join(qaDir, "locustfile.py");
+      try { await fsp.access(locustFile); } catch {
+        console.error(chalk.red("\n  locustfile.py not found in foundation-qa-automation/"));
+        console.error(chalk.dim("  Expected: " + locustFile + "\n"));
+        process.exit(1);
+      }
+
+      const apiUrl = "https://demo.meshx.app/api";
+      console.log(chalk.dim(`  Authenticating against ${apiUrl}…`));
+
+      const { execa: execaFn } = await import("execa");
+      const { listVms: lv, sshCmd: sc, knockForVm: kfv } = await import("../azure.js");
+      const { vms: allVms } = lv();
+      const vmEntry = Object.entries(allVms).find(([, v]) => v.publicIp);
+      const ip = vmEntry?.[1]?.publicIp;
+      const vmState = vmEntry?.[1];
+
+      const auth = await resolveRemoteAuth({
+        apiUrl, ip, vmState,
+        execaFn, sshCmd: sc, knockForVm: kfv, suppressTlsWarning,
+      });
+      const { bearerToken, qaUser, qaPass } = auth;
+
+      if (!bearerToken && !qaUser) {
+        console.error(chalk.red("\n  No credentials found (local or remote)."));
+        console.error(chalk.dim("  Set BEARER_TOKEN or QA_USERNAME/QA_PASSWORD in env or ~/.fops.json\n"));
+        process.exit(1);
+      }
+
+      // Resolve tokens from qa-automation .env file
+      let cfAccessClientId = process.env.CF_ACCESS_CLIENT_ID || "";
+      let cfAccessClientSecret = process.env.CF_ACCESS_CLIENT_SECRET || "";
+      let envBearerToken = "";
+
+      try {
+        const qaEnv = await fsp.readFile(path.join(qaDir, ".env"), "utf8");
+        for (const line of qaEnv.split("\n")) {
+          const cfMatch = line.match(/^CF_ACCESS_CLIENT_(ID|SECRET)=(.+)$/);
+          if (cfMatch?.[1] === "ID") cfAccessClientId = cfMatch[2].trim().replace(/^["']|["']$/g, "");
+          if (cfMatch?.[1] === "SECRET") cfAccessClientSecret = cfMatch[2].trim().replace(/^["']|["']$/g, "");
+          const tokenMatch = line.match(/^(TOKEN_AUTH0|BEARER_TOKEN)=(.+)$/);
+          if (tokenMatch && !envBearerToken) envBearerToken = tokenMatch[2].trim().replace(/^["']|["']$/g, "");
+        }
+        if (cfAccessClientId) console.log(chalk.dim("  ✓ Found CF Access tokens in qa .env"));
+        if (envBearerToken) console.log(chalk.dim("  ✓ Found bearer token in qa .env"));
+      } catch { /* no .env */ }
+
+      // Use token from .env if available, otherwise use Auth0 token
+      const finalToken = envBearerToken || bearerToken;
+
+      // Fall back to SSH fetching from VM
+      if (!cfAccessClientId && ip) {
+        try {
+          const sshUser = vmState?.adminUser || "azureuser";
+          const { stdout: cfOut } = await sc(execaFn, ip, sshUser,
+            "grep -E '^CF_ACCESS_CLIENT_(ID|SECRET)=' /opt/foundation-compose/.env",
+            10_000,
+          );
+          for (const line of (cfOut || "").split("\n")) {
+            const m = line.match(/^CF_ACCESS_CLIENT_(ID|SECRET)=(.+)$/);
+            if (m?.[1] === "ID") cfAccessClientId = m[2].trim();
+            if (m?.[1] === "SECRET") cfAccessClientSecret = m[2].trim();
+          }
+          if (cfAccessClientId) console.log(chalk.dim("  ✓ Retrieved CF Access tokens from VM"));
+        } catch { /* no CF tokens on VM */ }
+      }
+
+      // Ensure venv + locust
+      const venvPath = path.join(qaDir, "venv");
+      try { await fsp.access(venvPath); } catch {
+        console.log(chalk.cyan("  Setting up Python virtual environment…"));
+        await execaFn("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
+      }
+
+      // Check/install locust
+      const checkLocust = await execaFn("bash", ["-c", "source venv/bin/activate && pip show locust"], { cwd: qaDir, reject: false });
+      if (checkLocust.exitCode !== 0) {
+        console.log(chalk.cyan("  Installing locust…"));
+        await execaFn("bash", ["-c", "source venv/bin/activate && pip install locust"], { cwd: qaDir, stdio: "inherit" });
+      }
+
+      // Pass token + CF Access tokens
+      const locustEnv = {
+        ...process.env,
+        BEARER_TOKEN: finalToken || "",
+        CF_ACCESS_CLIENT_ID: cfAccessClientId,
+        CF_ACCESS_CLIENT_SECRET: cfAccessClientSecret,
+      };
+
+      const locustArgs = ["-f", locustFile, "--host", apiUrl];
+
+      if (opts.web) {
+        console.log(chalk.cyan(`\n  Starting Locust web UI at http://localhost:8089`));
+        console.log(chalk.dim(`  Target: ${apiUrl}\n`));
+      } else {
+        locustArgs.push("--headless");
+        locustArgs.push("--users", opts.users);
+        locustArgs.push("--spawn-rate", opts.spawnRate);
+        locustArgs.push("--run-time", opts.runTime);
+        console.log(chalk.cyan(`\n  Running Locust load test against demo.meshx.app`));
+        console.log(chalk.dim(`  Users: ${opts.users}, Spawn rate: ${opts.spawnRate}/s, Duration: ${opts.runTime}\n`));
+      }
+
+      if (opts.html) {
+        locustArgs.push("--html", opts.html);
+      }
+
+      const locustProc = execaFn(
+        "bash",
+        ["-c", `source venv/bin/activate && locust ${locustArgs.map(a => `"${a}"`).join(" ")}`],
+        { cwd: qaDir, stdio: "inherit", env: locustEnv, reject: false },
+      );
+
+      const result = await locustProc;
+      if (result.signal === "SIGINT") {
+        console.log(chalk.yellow("\n  Locust test interrupted\n"));
+      } else {
+        // Locust exits 1 if there were failed requests, but this is normal for load testing
+        console.log(chalk.green("\n  ✓ Locust test completed\n"));
+        if (opts.html) {
+          console.log(chalk.dim(`  Report: ${opts.html}\n`));
+        }
+      }
+    });
+
+  locust
+    .command("run [clusterName]")
+    .description("Run Locust load test against an AKS cluster")
+    .option("--users <count>", "Number of concurrent users (default: 10)", "10")
+    .option("--spawn-rate <rate>", "Users spawned per second (default: 2)", "2")
+    .option("--run-time <duration>", "Test duration e.g. 1m, 5m, 30s (default: 1m)", "1m")
+    .option("--headless", "Run without web UI (default: true)", true)
+    .option("--web", "Run with web UI on http://localhost:8089")
+    .option("--html <file>", "Generate HTML report to file")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (name, opts) => {
+      const { readClusterState, clusterDomain } = await import("../azure-aks.js");
+      const { resolveCliSrc } = await import("../azure-helpers.js");
+      const { rootDir } = await import(resolveCliSrc("project.js"));
+      const fsp = await import("node:fs/promises");
+      const path = await import("node:path");
+
+      const cluster = readClusterState(name);
+      if (!cluster?.clusterName) {
+        console.error(chalk.red(`\n  No AKS cluster tracked: "${name || "(none active)"}"`));
+        console.error(chalk.dim("  Create one:  fops azure aks up <name>\n"));
+        process.exit(1);
+      }
+
+      const domain = cluster.domain || clusterDomain(cluster.clusterName);
+      const apiUrl = `https://${domain}/api`;
+
+      const root = rootDir();
+      if (!root) {
+        console.error(chalk.red("\n  Foundation project root not found.\n"));
+        process.exit(1);
+      }
+
+      const qaDir = path.join(root, "foundation-qa-automation");
+      const locustFile = path.join(qaDir, "locustfile.py");
+      try { await fsp.access(locustFile); } catch {
+        console.error(chalk.red("\n  locustfile.py not found in foundation-qa-automation/\n"));
+        process.exit(1);
+      }
+
+      console.log(chalk.dim(`  Authenticating against ${apiUrl}…`));
+
+      const { execa: execaFn } = await import("execa");
+      const { listVms: lv, sshCmd: sc, knockForVm: kfv } = await import("../azure.js");
+      const { vms: allVms } = lv();
+      const vmEntry = Object.entries(allVms).find(([, v]) => v.publicIp);
+
+      const auth = await resolveRemoteAuth({
+        apiUrl,
+        ip: vmEntry?.[1]?.publicIp,
+        vmState: vmEntry?.[1],
+        execaFn, sshCmd: sc, knockForVm: kfv, suppressTlsWarning,
+      });
+      const { bearerToken, qaUser, qaPass } = auth;
+
+      if (!bearerToken && !qaUser) {
+        console.error(chalk.red("\n  No credentials found.\n"));
+        process.exit(1);
+      }
+
+      const venvPath = path.join(qaDir, "venv");
+      try { await fsp.access(venvPath); } catch {
+        console.log(chalk.cyan("  Setting up Python virtual environment…"));
+        await execaFn("python3", ["-m", "venv", "venv"], { cwd: qaDir, stdio: "inherit" });
+      }
+
+      const checkLocust = await execaFn("bash", ["-c", "source venv/bin/activate && pip show locust"], { cwd: qaDir, reject: false });
+      if (checkLocust.exitCode !== 0) {
+        console.log(chalk.cyan("  Installing locust…"));
+        await execaFn("bash", ["-c", "source venv/bin/activate && pip install locust"], { cwd: qaDir, stdio: "inherit" });
+      }
+
+      // Pass credentials only - Locust authenticates via /iam/login
+      const locustEnv = { ...process.env, QA_USERNAME: qaUser || "", QA_PASSWORD: qaPass || "" };
+      delete locustEnv.BEARER_TOKEN;
+
+      const locustArgs = ["-f", locustFile, "--host", apiUrl];
+
+      if (opts.web) {
+        console.log(chalk.cyan(`\n  Starting Locust web UI at http://localhost:8089`));
+        console.log(chalk.dim(`  Target: ${apiUrl}\n`));
+      } else {
+        locustArgs.push("--headless");
+        locustArgs.push("--users", opts.users);
+        locustArgs.push("--spawn-rate", opts.spawnRate);
+        locustArgs.push("--run-time", opts.runTime);
+        console.log(chalk.cyan(`\n  Running Locust load test against ${cluster.clusterName}`));
+        console.log(chalk.dim(`  Users: ${opts.users}, Spawn rate: ${opts.spawnRate}/s, Duration: ${opts.runTime}\n`));
+      }
+
+      if (opts.html) {
+        locustArgs.push("--html", opts.html);
+      }
+
+      const locustProc = execaFn(
+        "bash",
+        ["-c", `source venv/bin/activate && locust ${locustArgs.map(a => `"${a}"`).join(" ")}`],
+        { cwd: qaDir, stdio: "inherit", env: locustEnv },
+      );
+
+      try {
+        await locustProc;
+        console.log(chalk.green("\n  ✓ Locust test completed\n"));
+      } catch (err) {
+        if (err.signal === "SIGINT") {
+          console.log(chalk.yellow("\n  Locust test interrupted\n"));
+        } else {
+          console.error(chalk.red(`\n  Locust test failed: ${err.message}\n`));
+          process.exitCode = 1;
+        }
+      }
+    });
+
+  // ── Grant subcommands ─────────────────────────────────────────────────────
+
+  const grant = aks
+    .command("grant")
+    .description("Grant permissions to users");
+
+  grant
+    .command("admin [clusterName]")
+    .description("Grant admin role to a user in the Foundation backend")
+    .requiredOption("--email <email>", "User email to grant admin")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .action(async (clusterName, opts) => {
+      const { aksGrantAdmin } = await import("../azure-aks.js");
+      await aksGrantAdmin({
+        clusterName,
+        profile: opts.profile,
+        email: opts.email,
+      });
+    });
+
+  // ── Agent (Claude Code with cluster context) ─────────────────────────────────
+
+  aks
+    .command("agent [clusterName]")
+    .description("Launch Claude Code agent with cluster context")
+    .option("--profile <subscription>", "Azure subscription name or ID")
+    .option("--port-forward", "Port-forward backend API to localhost:65432")
+    .action(async (clusterName, opts) => {
+      const { readClusterState, requireCluster, clusterDomain } = await import("../azure-aks.js");
+      const { execa } = await import("execa");
+      const path = await import("node:path");
+
+      const { clusterName: name } = requireCluster(clusterName);
+      const state = readClusterState(name);
+      if (!state) {
+        console.error(chalk.red(`\n  Cluster "${name}" not found. Run: fops azure aks list\n`));
+        process.exit(1);
+      }
+
+      // Ensure kubeconfig is available
+      console.log(chalk.dim(`  Ensuring kubeconfig for ${name}…`));
+      const { getCredentials } = await import("../azure-aks-core.js");
+      await getCredentials(execa, {
+        clusterName: name,
+        rg: state.resourceGroup,
+        sub: opts.profile,
+      });
+
+      // Get cluster API URL
+      const domain = clusterDomain(name);
+      const apiUrl = `https://${domain}/api`;
+
+      // Build environment for Claude
+      const agentEnv = {
+        ...process.env,
+        KUBECONFIG: process.env.KUBECONFIG || path.join(process.env.HOME, ".kube", "config"),
+        KUBE_CONTEXT: name,
+        FOUNDATION_API_URL: apiUrl,
+        FOUNDATION_CLUSTER: name,
+      };
+
+      // Start port-forward in background if requested
+      let portForward = null;
+      if (opts.portForward) {
+        console.log(chalk.dim(`  Port-forwarding backend to localhost:65432…`));
+        portForward = execa("kubectl", [
+          "--context", name,
+          "port-forward", "svc/foundation-backend", "65432:65432",
+          "-n", "foundation",
+        ], { reject: false, stdio: "ignore" });
+        agentEnv.FOUNDATION_API_URL = "http://localhost:65432";
+        await new Promise(r => setTimeout(r, 2000));
+      }
+
+      console.log(chalk.cyan(`\n  Launching Claude Code agent for cluster: ${name}`));
+      console.log(chalk.dim(`  API: ${agentEnv.FOUNDATION_API_URL}`));
+      console.log(chalk.dim(`  Context: kubectl --context ${name}\n`));
+
+      try {
+        await execa("claude", [], {
+          env: agentEnv,
+          stdio: "inherit",
+          cwd: process.cwd(),
+        });
+      } catch (err) {
+        if (err.exitCode !== 0 && err.signal !== "SIGINT") {
+          console.error(chalk.red(`\n  Claude exited with code ${err.exitCode}\n`));
+        }
+      } finally {
+        if (portForward) {
+          portForward.kill("SIGTERM");
+        }
+      }
+    });
 }