@meshxdata/fops 0.1.49 → 0.1.50

package/CHANGELOG.md

@@ -1,3 +1,185 @@
+## [0.1.50] - 2026-03-24
+
+- operator cli plugin fix (25620cc)
+- operator cli test fixes (1d1c18f)
+- feat(test): add setup-users command for QA test user creation (b929507)
+- feat(aks): show HA standby clusters with visual grouping (8fb640c)
+- refactor(provision): extract VM provisioning to dedicated module (af321a7)
+- refactor(provision): extract post-start health checks to dedicated module (6ed5f2d)
+- fix: ping timeout 15s, fix prometheus sed escaping (d11ac14)
+- refactor(vm): extract terraform HCL generation to dedicated module (896a64b)
+- refactor(keyvault): extract key operations to dedicated module (716bbe4)
+- refactor(azure): extract swarm functions to azure-fleet-swarm.js (4690e34)
+- refactor(azure): extract SSH/remote functions to azure-ops-ssh.js (e62b8f0)
+- refactor(azure): split azure-ops.js into smaller modules (4515425)
+- feat(aks): add --ha flag for full cross-region HA setup (ece68c5)
+- feat(fops): inject ENVIRONMENT_NAME on VM provisioning (6ef2a27)
+- fix(postgres): disable SSL mode to fix connection issues (c789ae9)
+- feat(trino): add caching configuration for docker-compose (3668224)
+- fix(fops-azure): run pytest directly instead of missing scripts (29f8410)
+- add -d detach option for local frontend dev, remove hive cpu limits (3306667)
+- release 0.1.49 (dcca32b)
+- release 0.1.48 (9b195e5)
+- stash on updates (2916c01)
+- stash on updates (b5c14df)
+- stash on updates (d0453d1)
+- frontend dev fixes (0ca7b00)
+- fix: update azure test commands (77c81da)
+- default locust to CLI mode, add --web for UI (ca35bff)
+- add locust command for load testing AKS clusters (1278722)
+- update spot node pool default autoscaling to 1-20 (617c182)
+- module for aks (3dd1a61)
+- add hive to PG_SERVICE_DBS for fops pg-setup (afccb16)
+- feat(azure): enhance aks doctor with ExternalSecrets and PGSSLMODE checks (8b14861)
+- add foundation-postgres ExternalName service to reconciler (ea88e11)
+- new flux templates (0e2e372)
+- feat(azure): add storage-engine secrets to Key Vault (a4f488e)
+- feat(azure-aks): add AUTH0_DOMAIN to template rendering variables (216c37e)
+- feat(azure): add storage account creation per cluster (aa1b138)
+- bump watcher (ab24473)
+- fix: concurrent compute calls (#66) (03e2edf)
+- bump backend version (5058ff5)
+- bump fops to 0.1.44 (8c0ef5d)
+- Mlflow and azure plugin fix (176881f)
+- fix lifecycle (a2cb9e7)
+- callback url for localhost (821fb94)
+- disable 4 scaffolding plugin by default. (bfb2b76)
+- jaccard improvements (b7494a0)
+- refactor azure plugin (68dfef4)
+- refactor azure plugin (b24a008)
+- fix trino catalog missing (4928a55)
+- v36 bump and changelog generation on openai (37a0440)
+- v36 bump and changelog generation on openai (a3b02d9)
+- bump (a990058)
+- status bar fix and new plugin for ttyd (27dde1e)
+- file demo and tray (1a3e704)
+- electron app (59ad0bb)
+- compose and fops file plugin (1cf0e81)
+- bump (346ffc1)
+- localhost replaced by 127.0.0.1 (82b9f30)
+- .29 (587b0e1)
+- improve up down and bootstrap script (b79ebaf)
+- checksum (22c8086)
+- checksum (96b434f)
+- checksum (15ed3c0)
+- checksum (8a6543a)
+- bump embed trino linksg (8440504)
+- bump data (765ffd9)
+- bump (cb8b232)
+- broken tests (c532229)
+- release 0.1.18, preflight checks (d902249)
+- fix compute display bug (d10f5d9)
+- cleanup packer files (6330f18)
+- plan mode (cb36a8a)
+- bump to 0.1.16 - agent ui (41ac1a2)
+- bump to 0.1.15 - agent ui (4ebe2e1)
+- bump to 0.1.14 (6c3a7fa)
+- bump to 0.1.13 (8db570f)
+- release 0.1.12 (c1c79e5)
+- bump (11aa3b0)
+- git keep and bump tui (be1678e)
+- skills, index, rrf, compacted context (100k > 10k) (7b2fffd)
+- cloudflare and token consumption, graphs indexing (0ad9eec)
+- bump storage default (22c83ba)
+- storage fix (68a22a0)
+- skills update (7f56500)
+- v9 bump (3864446)
+- bump (c95eedc)
+- rrf (dbf8c95)
+- feat: warning when running predictions (95e8c52)
+- feat: support for local predictions (45cf26b)
+- feat: wip support for predictions + mlflow (3457052)
+- add Reciprocal Rank Fusion (RRF) to knowledge and skill retrieval (61549bc)
+- validate CSV headers in compute_run readiness check (a8c7a43)
+- fix corrupted Iceberg metadata: probe tables + force cleanup on re-apply (50578af)
+- enforce: never use foundation_apply to fix broken products (2e049bf)
+- update SKILL.md with complete tool reference for knowledge retrieval (30b1924)
+- add storage read, input DP table probe, and compute_run improvements (34e6c4c)
+- skills update (1220385)
+- skills update (bb66958)
+- some tui improvement andd tools apply overwrite (e90c35c)
+- skills update (e9227a1)
+- skills update (669c4b3)
+- fix plugin pre-flight checks (f741743)
+- increase agent context (6479aaa)
+- skills and init sql fixes (5fce35e)
+- checksum (3518b56)
+- penging job limit (a139861)
+- checksum (575d28c)
+- bump (92049ba)
+- fix bug per tab status (0a33657)
+- fix bug per tab status (50457c6)
+- checksumming (0ad842e)
+- shot af mardkwon overlapping (51f63b9)
+- add spark dockerfile for multiarch builds (95abbd1)
+- fix plugin initialization (16b9782)
+- split index.js (50902a2)
+- cloudflare cidr (cc4e021)
+- cloduflare restrictions (2f6ba2d)
+- sequential start (86b496e)
+- sequential start (4930fe1)
+- sequential start (353f014)
+- qa tests (2dc6a1a)
+- bump sha for .85 (dc2edfe)
+- preserve env on sudo (7831227)
+- bump sha for .84 (6c052f9)
+- non interactive for azure vms (0aa8a2f)
+- keep .env if present (d072450)
+- bump (7a8e732)
+- ensure opa is on compose if not set (f4a5228)
+- checksum bump (a2ccc20)
+- netrc defensive checks (a0b0ccc)
+- netrc defensive checks (ae37403)
+- checksum (ec45d11)
+- update sync and fix up (7f9af72)
+- expand test for azure and add new per app tag support (388a168)
+- checksum on update (44005fc)
+- cleanup for later (15e5313)
+- cleanup for later (11c9597)
+- switch branch feature (822fecc)
+- add pull (d1c19ab)
+- Bump hono from 4.11.9 to 4.12.0 in /operator-cli (ad25144)
+- tests (f180a9a)
+- cleanup (39c49a3)
+- registry (7b7126a)
+- reconcile kafka (832d0db)
+- gh login bug (025886c)
+- cleanup (bb96cab)
+- strip envs from process (2421180)
+- force use of gh creds not tokens in envs var (fff7787)
+- resolve import between npm installs and npm link (79522e1)
+- fix gh scope and azure states (afd846c)
+- refactoring (da50352)
+- split fops repo (d447638)
+- aks (b791f8f)
+- refactor azure (67d3bad)
+- wildcard (391f023)
+- azure plugin (c074074)
+- zap (d7e6e7f)
+- fix knock (cf89c05)
+- azure (4adec98)
+- Bump tar from 7.5.7 to 7.5.9 in /operator-cli (e41e98e)
+- azure stack index.js split (de12272)
+- Bump ajv from 8.17.1 to 8.18.0 in /operator-cli (76da21f)
+- packer (9665fbc)
+- remove stack api (db0fd4d)
+- packer cleanup (fe1bf14)
+- force refresh token (3a3d7e2)
+- provision shell (2ad505f)
+- azure vm management (91dcb31)
+- azure specific (2b0cca8)
+- azure packer (12175b8)
+- init hashed pwd (db8523c)
+- packer (5b5c7c4)
+- doctor for azure vm (ed524fa)
+- packer and 1pwd (c6d053e)
+- split big index.js (dc85a1b)
+- kafka volume update (21815ec)
+- fix openai azure tools confirmation and flow (0118cd1)
+- nighly fixx, test fix (5e0d04f)
+- open ai training (cdc494a)
+- openai integration in azure (1ca1475)
+
 # Changelog
 
 All notable changes to @meshxdata/fops (Foundation Operator CLI) are documented here.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meshxdata/fops",
-  "version": "0.1.49",
+  "version": "0.1.50",
   "description": "CLI to install and manage data mesh platforms",
   "keywords": [
     "fops",

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-core.js

@@ -17,7 +17,7 @@ import {
   readState,
   resolveGithubToken,
 } from "./azure.js";
-import { AKS_DEFAULTS, PG_REPLICA_REGIONS, timeSince } from "./azure-aks-naming.js";
+import { AKS_DEFAULTS, PG_REPLICA_REGIONS, HA_REPLICA_REGIONS, timeSince } from "./azure-aks-naming.js";
 import {
   readAksClusters,
   readClusterState,
@@ -34,6 +34,7 @@ import {
 } from "./azure-aks-flux.js";
 import { reconcileNetworkAccess } from "./azure-aks-network.js";
 import { reconcilePostgres, aksPostgresReplicaCreate, reconcileEventHubs } from "./azure-aks-postgres.js";
+import { reconcileStorageReplication, reconcileStorageAccount } from "./azure-aks-storage.js";
 import { clusterDomain } from "./azure-aks-ingress.js";
 import { printClusterInfo } from "./azure-aks-stacks.js";
 
@@ -217,6 +218,177 @@ export async function getCredentials(execa, { clusterName, rg, sub, admin } = {}
   console.log(OK(`  ✓ Kubeconfig merged`));
 }
 
+// ── aks standby create (internal helper) ──────────────────────────────────────
+
+async function aksStandbyCreate(execa, opts) {
+  const {
+    primaryClusterName,
+    standbyClusterName,
+    rg,
+    location,
+    nodeCount,
+    minCount,
+    maxCount,
+    nodeVmSize,
+    tier,
+    networkPlugin,
+    k8sVersion,
+    sub,
+    githubToken,
+    fluxRepo,
+    fluxOwner,
+    fluxBranch,
+    templateRepo,
+    templateOwner,
+    templateBranch,
+    environment,
+    account,
+  } = opts;
+
+  banner(`Creating Standby AKS: ${standbyClusterName}`);
+  kvLine("Region",     DIM(location));
+  kvLine("Primary",    DIM(primaryClusterName));
+
+  // Detect operator IP
+  const myIp = await fetchMyIp();
+
+  // Zone redundancy for standby
+  let zones = [];
+  try {
+    const { stdout: skuJson } = await execa("az", [
+      "vm", "list-skus", "--location", location, "--size", nodeVmSize,
+      "--resource-type", "virtualMachines", "--query", "[0].locationInfo[0].zones",
+      "--output", "json", ...subArgs(sub),
+    ], { timeout: 30000 });
+    zones = JSON.parse(skuJson || "[]").sort();
+  } catch { zones = []; }
+
+  const tags = buildTags(standbyClusterName, {
+    createdBy: account?.user?.name || "fops",
+    type: "aks-standby",
+    primaryCluster: primaryClusterName,
+  });
+  const tagStr = Object.entries(tags).map(([k, v]) => `${k}=${v}`).join(" ");
+
+  const createArgs = [
+    "aks", "create",
+    "--resource-group", rg,
+    "--name", standbyClusterName,
+    "--location", location,
+    "--node-count", String(nodeCount),
+    "--node-vm-size", nodeVmSize,
+    "--max-pods", "110",
+    "--enable-cluster-autoscaler",
+    "--min-count", String(minCount),
+    "--max-count", String(maxCount),
+    "--kubernetes-version", k8sVersion,
+    "--tier", tier,
+    "--network-plugin", networkPlugin,
+    "--generate-ssh-keys",
+    "--enable-managed-identity",
+    "--enable-oidc-issuer",
+    "--enable-workload-identity",
+    "--ssh-access", "disabled",
+    "--tags", ...tagStr.split(" "),
+    "--output", "json",
+    ...subArgs(sub),
+  ];
+
+  if (zones.length > 0) createArgs.push("--zones", ...zones);
+  if (myIp) createArgs.push("--api-server-authorized-ip-ranges", `${myIp}/32`);
+
+  hint("Creating standby cluster (5-10 minutes)…\n");
+  const { stdout: clusterJson } = await execa("az", createArgs, { timeout: 900000 });
+  const cluster = JSON.parse(clusterJson);
+  console.log(OK(`  ✓ Standby AKS cluster created in ${location}`));
+
+  // Get kubeconfig
+  await getCredentials(execa, { clusterName: standbyClusterName, rg, sub });
+
+  // Save standby state
+  writeClusterState(standbyClusterName, {
+    resourceGroup: rg,
+    location,
+    nodeCount,
+    nodeVmSize,
+    kubernetesVersion: cluster.kubernetesVersion || k8sVersion,
+    subscriptionId: account?.id,
+    fqdn: cluster.fqdn,
+    provisioningState: cluster.provisioningState,
+    zones: zones.length > 0 ? zones : undefined,
+    isStandby: true,
+    primaryCluster: primaryClusterName,
+    createdAt: new Date().toISOString(),
+  });
+
+  // Bootstrap Flux with same config as primary
+  if (githubToken) {
+    const fluxPath = `clusters/${standbyClusterName}`;
+
+    // Provision templates for standby cluster
+    try {
+      await provisionFluxFromTemplate(execa, {
+        clusterName: standbyClusterName,
+        region: location,
+        domain: clusterDomain(standbyClusterName),
+        keyvaultUrl: `https://fops-${standbyClusterName}-kv.vault.azure.net`,
+        environment,
+        githubToken,
+        fluxRepo,
+        fluxOwner,
+        fluxBranch,
+        templateRepo,
+        templateOwner,
+        templateBranch,
+      });
+    } catch (err) {
+      console.log(WARN(`  ⚠ Template provisioning: ${(err.message || "").split("\n")[0]}`));
+    }
+
+    await bootstrapFlux(execa, {
+      clusterName: standbyClusterName, rg, sub,
+      githubToken,
+      repo: fluxRepo,
+      owner: fluxOwner,
+      path: fluxPath,
+      branch: fluxBranch,
+    });
+
+    writeClusterState(standbyClusterName, {
+      flux: { repo: fluxRepo, owner: fluxOwner, path: fluxPath, branch: fluxBranch },
+    });
+
+    // Pre-install CRDs and fix webhook scheduling
+    try {
+      await reconcileFluxPrereqs({ execa, clusterName: standbyClusterName, rg, sub, opts: {} });
+    } catch { /* best effort */ }
+  }
+
+  // Set up Key Vault and network access for standby
+  try {
+    const { stdout: freshJson } = await execa("az", [
+      "aks", "show", "-g", rg, "-n", standbyClusterName, "--output", "json", ...subArgs(sub),
+    ], { timeout: 30000 });
+    const freshCluster = JSON.parse(freshJson);
+    await reconcileNetworkAccess({ execa, clusterName: standbyClusterName, rg, sub, cluster: freshCluster, opts: {} });
+  } catch { /* best effort */ }
+
+  // Create storage account in standby region (uses HA storage)
+  try {
+    const { stdout: freshJson } = await execa("az", [
+      "aks", "show", "-g", rg, "-n", standbyClusterName, "--output", "json", ...subArgs(sub),
+    ], { timeout: 30000 });
+    const freshCluster = JSON.parse(freshJson);
+    await reconcileStorageAccount({ execa, clusterName: standbyClusterName, rg, sub, cluster: freshCluster, opts: {} });
+  } catch { /* best effort */ }
+
+  console.log(OK(`\n  ✓ Standby cluster "${standbyClusterName}" ready`));
+  hint(`  Flux will sync workloads from ${fluxOwner}/${fluxRepo}`);
+  hint(`  Configure postgres secret to point to read replica for read-only mode\n`);
+
+  return { clusterName: standbyClusterName, cluster };
+}
+
 // ── aks up ────────────────────────────────────────────────────────────────────
 
 export async function aksUp(opts = {}) {
@@ -246,6 +418,10 @@ export async function aksUp(opts = {}) {
   kvLine("Nodes",      DIM(`${nodeCount} x ${nodeVmSize} (autoscale ${minCount}–${maxCount})`));
   kvLine("K8s",        DIM(k8sVersion));
   kvLine("Tier",       DIM(tier));
+  if (opts.ha) {
+    const haRegion = HA_REPLICA_REGIONS[location] || "northeurope";
+    kvLine("HA",       OK(`enabled (replica: ${haRegion})`));
+  }
 
   // Check if cluster already exists
   const { exitCode: exists } = await execa("az", [
@@ -302,6 +478,89 @@ export async function aksUp(opts = {}) {
       }
     }
 
+    // Set up HA for existing cluster if --ha flag is set
+    if (opts.ha === true) {
+      const haRegion = HA_REPLICA_REGIONS[location];
+      if (haRegion) {
+        // Storage replication
+        try {
+          const { stdout: freshJson } = await execa("az", [
+            "aks", "show", "-g", rg, "-n", clusterName, "--output", "json",
+            ...subArgs(sub),
+          ], { timeout: 30000 });
+          const freshCluster = JSON.parse(freshJson);
+          const storageCtx = { execa, clusterName, rg, sub, cluster: freshCluster, opts };
+          await reconcileStorageReplication(storageCtx);
+        } catch (err) {
+          console.log(WARN(`  ⚠ Storage HA: ${(err.message || "").split("\n")[0]}`));
+        }
+
+        // Postgres read replica
+        try {
+          hint(`Checking Postgres replica in ${haRegion}…`);
+          await aksPostgresReplicaCreate({
+            clusterName,
+            profile: sub,
+            region: haRegion,
+          });
+        } catch (err) {
+          if (!err.message?.includes("already exists")) {
+            console.log(WARN(`  ⚠ Postgres replica: ${(err.message || "").split("\n")[0]}`));
+          }
+        }
+
+        // Standby AKS cluster
+        const standbyClusterName = `${clusterName}-standby`;
+        try {
+          const { exitCode: standbyExists } = await execa("az", [
+            "aks", "show", "-g", rg, "-n", standbyClusterName, "--output", "none",
+            ...subArgs(sub),
+          ], { reject: false, timeout: 30000 });
+
+          if (standbyExists === 0) {
+            console.log(OK(`  ✓ Standby cluster "${standbyClusterName}" already exists`));
+          } else {
+            const githubToken = resolveGithubToken(opts);
+            await aksStandbyCreate(execa, {
+              primaryClusterName: clusterName,
+              standbyClusterName,
+              rg,
+              location: haRegion,
+              nodeCount,
+              minCount,
+              maxCount,
+              nodeVmSize,
+              tier,
+              networkPlugin,
+              k8sVersion,
+              sub,
+              githubToken,
+              fluxRepo: opts.fluxRepo ?? AKS_DEFAULTS.fluxRepo,
+              fluxOwner: opts.fluxOwner ?? AKS_DEFAULTS.fluxOwner,
+              fluxBranch: opts.fluxBranch ?? AKS_DEFAULTS.fluxBranch,
+              templateRepo: opts.templateRepo ?? TEMPLATE_DEFAULTS.templateRepo,
+              templateOwner: opts.templateOwner ?? TEMPLATE_DEFAULTS.templateOwner,
+              templateBranch: opts.templateBranch ?? TEMPLATE_DEFAULTS.templateBranch,
+              environment: opts.environment || "demo",
+              account,
+            });
+          }
+
+          writeClusterState(clusterName, {
+            ha: {
+              enabled: true,
+              standbyCluster: standbyClusterName,
+              standbyRegion: haRegion,
+              configuredAt: new Date().toISOString(),
+            },
+          });
+        } catch (err) {
+          console.log(WARN(`  ⚠ Standby cluster: ${(err.message || "").split("\n")[0]}`));
+          hint(`  Create manually: fops azure aks up ${standbyClusterName} --location ${haRegion}`);
+        }
+      }
+    }
+
     const tracked = readClusterState(clusterName);
     if (tracked) printClusterInfo(tracked);
     return tracked;
@@ -545,12 +804,13 @@ export async function aksUp(opts = {}) {
       const pgCtx = { execa, clusterName, rg, sub, cluster: freshCluster, opts };
       await reconcilePostgres(pgCtx);
 
-      // Create geo-replica for HA (default: enabled when in a supported region)
-      const geoReplicaRegion = PG_REPLICA_REGIONS[location];
-      const createGeoReplica = opts.geoReplica !== false && geoReplicaRegion;
-      if (createGeoReplica) {
+      // Create geo-replica for HA when --ha flag is set (uses HA_REPLICA_REGIONS)
+      // or when --geo-replica is explicitly requested (uses PG_REPLICA_REGIONS)
+      const haRegion = opts.ha ? HA_REPLICA_REGIONS[location] : null;
+      const geoReplicaRegion = haRegion || (opts.geoReplica !== false ? PG_REPLICA_REGIONS[location] : null);
+      if (geoReplicaRegion && (opts.ha || opts.geoReplica !== false)) {
         try {
-          console.log(OK(`  ✓ Creating geo-replica in ${geoReplicaRegion} for HA…`));
+          hint(`Creating Postgres read replica in ${geoReplicaRegion} for HA…`);
           await aksPostgresReplicaCreate({
             clusterName,
             profile: sub,
@@ -570,6 +830,81 @@ export async function aksUp(opts = {}) {
     }
   }
 
+  // Set up cross-region storage replication when --ha flag is set
+  if (opts.ha === true) {
+    try {
+      const { stdout: freshJson } = await execa("az", [
+        "aks", "show", "-g", rg, "-n", clusterName, "--output", "json",
+        ...subArgs(sub),
+      ], { timeout: 30000 });
+      const freshCluster = JSON.parse(freshJson);
+      const storageCtx = { execa, clusterName, rg, sub, cluster: freshCluster, opts };
+      await reconcileStorageReplication(storageCtx);
+    } catch (err) {
+      const msg = err.message || "";
+      console.log(WARN(`  ⚠ Storage HA setup failed: ${msg.split("\n")[0]}`));
+      hint("Retry with: fops azure aks up " + clusterName + " --ha");
+    }
+
+    // Create standby AKS cluster in HA region
+    const haRegion = HA_REPLICA_REGIONS[location];
+    if (haRegion) {
+      const standbyClusterName = `${clusterName}-standby`;
+      hint(`\nSetting up standby AKS cluster in ${haRegion}…`);
+
+      try {
+        // Check if standby cluster already exists
+        const { exitCode: standbyExists } = await execa("az", [
+          "aks", "show", "-g", rg, "-n", standbyClusterName, "--output", "none",
+          ...subArgs(sub),
+        ], { reject: false, timeout: 30000 });
+
+        if (standbyExists === 0) {
+          console.log(OK(`  ✓ Standby cluster "${standbyClusterName}" already exists`));
+        } else {
+          // Create standby cluster with same config but in HA region
+          await aksStandbyCreate(execa, {
+            primaryClusterName: clusterName,
+            standbyClusterName,
+            rg,
+            location: haRegion,
+            nodeCount,
+            minCount,
+            maxCount,
+            nodeVmSize,
+            tier,
+            networkPlugin,
+            k8sVersion,
+            sub,
+            githubToken,
+            fluxRepo: opts.fluxRepo ?? AKS_DEFAULTS.fluxRepo,
+            fluxOwner: opts.fluxOwner ?? AKS_DEFAULTS.fluxOwner,
+            fluxBranch: opts.fluxBranch ?? AKS_DEFAULTS.fluxBranch,
+            templateRepo: opts.templateRepo ?? TEMPLATE_DEFAULTS.templateRepo,
+            templateOwner: opts.templateOwner ?? TEMPLATE_DEFAULTS.templateOwner,
+            templateBranch: opts.templateBranch ?? TEMPLATE_DEFAULTS.templateBranch,
+            environment: opts.environment || "demo",
+            account,
+          });
+        }
+
+        // Save HA cluster info to state
+        writeClusterState(clusterName, {
+          ha: {
+            enabled: true,
+            standbyCluster: standbyClusterName,
+            standbyRegion: haRegion,
+            configuredAt: new Date().toISOString(),
+          },
+        });
+      } catch (err) {
+        const msg = err.message || "";
+        console.log(WARN(`  ⚠ Standby cluster creation failed: ${msg.split("\n")[0]}`));
+        hint(`  Create manually: fops azure aks up ${standbyClusterName} --location ${haRegion}`);
+      }
+    }
+  }
+
   // Provision Event Hubs (managed Kafka) if requested
   if (opts.managedKafka === true) {
     try {
@@ -852,6 +1187,12 @@ export async function aksList(opts = {}) {
       const qaLabel = cl.qa.passed ? OK(`✓ passed (${qaAge} ago)`) : ERR(`✗ failed (${qaAge} ago)`);
       kvLine("  QA",       qaLabel, { pad: 12 });
     }
+    if (cl.ha?.enabled) {
+      kvLine("  HA",       OK(`✓ ${cl.ha.standbyCluster} (${cl.ha.standbyRegion})`), { pad: 12 });
+    }
+    if (cl.isStandby) {
+      kvLine("  Role",     WARN(`standby for ${cl.primaryCluster}`), { pad: 12 });
+    }
   }
   console.log("");
 }