@meshxdata/fops 0.1.49 → 0.1.50

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-postgres.js

@@ -6,7 +6,7 @@
 
 import chalk from "chalk";
 import { DEFAULTS, OK, WARN, ERR, DIM, hint, banner, kvLine, subArgs } from "./azure.js";
-import { pgServerName, generatePassword, PG_DEFAULTS, PG_REPLICA_REGIONS, EH_DEFAULTS, ehNamespaceName } from "./azure-aks-naming.js";
+import { pgServerName, generatePassword, PG_DEFAULTS, PG_REPLICA_REGIONS, EH_DEFAULTS, ehNamespaceName, cidrOverlaps } from "./azure-aks-naming.js";
 import { readClusterState, writeClusterState, requireCluster } from "./azure-aks-state.js";
 import { findAvailableSubnetCidr, findAksVnet } from "./azure-aks-network.js";
 
@@ -358,6 +358,15 @@ export async function aksPostgresReplicaCreate(opts = {}) {
 
   const source = JSON.parse(sourceJson);
   const sourceId = source.id;
+  const sourceTier = source.sku?.tier;
+
+  // Burstable tier doesn't support read replicas
+  if (sourceTier === "Burstable") {
+    console.error(ERR(`\n  ✗ Read replicas require General Purpose or Memory Optimized tier`));
+    hint(`  Current tier: ${sourceTier} (${source.sku?.name})`);
+    hint(`  Upgrade with: az postgres flexible-server update -g ${rg} -n ${sourceServer} --tier GeneralPurpose --sku-name Standard_D2ds_v4`);
+    process.exit(1);
+  }
 
   // Check if replica already exists
   const { exitCode: replicaExists } = await execa("az", [
@@ -371,16 +380,174 @@ export async function aksPostgresReplicaCreate(opts = {}) {
     return;
   }
 
+  // Cross-region replica needs VNet + private DNS in target region
+  const sourceLocation = (source.location || "").toLowerCase().replace(/\s/g, "");
+  const isCrossRegion = sourceLocation !== targetRegion.toLowerCase().replace(/\s/g, "");
+  let replicaSubnetId = null;
+  let replicaDnsZone = null;
+
+  if (isCrossRegion) {
+    hint("Setting up cross-region networking…\n");
+
+    const vnetName = `fops-${clusterName}-vnet-${targetRegion.replace(/[^a-z]/g, "")}`;
+    const subnetName = "postgres-subnet";
+
+    // Get source VNet CIDR to avoid overlap
+    const sourceSubnetId = source.network?.delegatedSubnetResourceId;
+    let sourceVnetCidrs = [];
+    if (sourceSubnetId) {
+      const sourceVnetMatch = sourceSubnetId.match(/resourceGroups\/([^/]+)\/providers\/Microsoft.Network\/virtualNetworks\/([^/]+)/i);
+      if (sourceVnetMatch) {
+        const { stdout: srcCidrs } = await execa("az", [
+          "network", "vnet", "show", "-g", sourceVnetMatch[1], "-n", sourceVnetMatch[2],
+          "--query", "addressSpace.addressPrefixes", "-o", "tsv", ...subArgs(sub),
+        ], { reject: false, timeout: 15000 });
+        sourceVnetCidrs = (srcCidrs || "").split("\n").filter(Boolean);
+      }
+    }
+
+    // Pick a non-overlapping CIDR (try 10.250, 10.251, 10.252...)
+    let vnetCidr = "10.250.0.0/16";
+    let subnetCidr = "10.250.1.0/24";
+    for (let i = 250; i < 255; i++) {
+      const testCidr = `10.${i}.0.0/16`;
+      const overlaps = sourceVnetCidrs.some(src => cidrOverlaps(testCidr, [src]));
+      if (!overlaps) {
+        vnetCidr = testCidr;
+        subnetCidr = `10.${i}.1.0/24`;
+        break;
+      }
+    }
+
+    // Create VNet in target region if not exists
+    const { exitCode: vnetExists } = await execa("az", [
+      "network", "vnet", "show", "-g", rg, "-n", vnetName, "--output", "none", ...subArgs(sub),
+    ], { reject: false, timeout: 15000 });
+
+    if (vnetExists !== 0) {
+      hint(`Creating VNet "${vnetName}" in ${targetRegion}…`);
+      await execa("az", [
+        "network", "vnet", "create",
+        "-g", rg, "-n", vnetName, "--location", targetRegion,
+        "--address-prefix", vnetCidr, "--output", "none", ...subArgs(sub),
+      ], { timeout: 60000 });
+      console.log(OK(`  ✓ VNet "${vnetName}" created`));
+    } else {
+      console.log(OK(`  ✓ VNet "${vnetName}" exists`));
+    }
+
+    // Create postgres subnet with delegation
+    const { exitCode: subnetExists } = await execa("az", [
+      "network", "vnet", "subnet", "show",
+      "-g", rg, "--vnet-name", vnetName, "-n", subnetName, "--output", "none", ...subArgs(sub),
+    ], { reject: false, timeout: 15000 });
+
+    if (subnetExists !== 0) {
+      hint(`Creating subnet "${subnetName}"…`);
+      await execa("az", [
+        "network", "vnet", "subnet", "create",
+        "-g", rg, "--vnet-name", vnetName, "-n", subnetName,
+        "--address-prefixes", subnetCidr,
+        "--delegations", "Microsoft.DBforPostgreSQL/flexibleServers",
+        "--output", "none", ...subArgs(sub),
+      ], { timeout: 60000 });
+      console.log(OK(`  ✓ Subnet "${subnetName}" created`));
+    }
+
+    // Get subnet ID
+    const { stdout: subnetJson } = await execa("az", [
+      "network", "vnet", "subnet", "show",
+      "-g", rg, "--vnet-name", vnetName, "-n", subnetName, "--output", "json", ...subArgs(sub),
+    ], { timeout: 15000 });
+    replicaSubnetId = JSON.parse(subnetJson).id;
+
+    // Create private DNS zone for replica
+    replicaDnsZone = `${replicaName}.private.postgres.database.azure.com`;
+    const { exitCode: dnsExists } = await execa("az", [
+      "network", "private-dns", "zone", "show", "-g", rg, "-n", replicaDnsZone, "--output", "none", ...subArgs(sub),
+    ], { reject: false, timeout: 15000 });
+
+    if (dnsExists !== 0) {
+      hint(`Creating private DNS zone…`);
+      await execa("az", [
+        "network", "private-dns", "zone", "create", "-g", rg, "-n", replicaDnsZone, "--output", "none", ...subArgs(sub),
+      ], { timeout: 60000 });
+
+      // Link DNS zone to the replica VNet
+      await execa("az", [
+        "network", "private-dns", "link", "vnet", "create",
+        "-g", rg, "--zone-name", replicaDnsZone, "--name", `${vnetName}-link`,
+        "--virtual-network", vnetName, "--registration-enabled", "false", "--output", "none", ...subArgs(sub),
+      ], { timeout: 60000 });
+      console.log(OK(`  ✓ Private DNS zone configured`));
+    }
+
+    // Set up VNet peering between source and replica VNets
+    const sourceVnetMatch = sourceSubnetId?.match(/resourceGroups\/([^/]+)\/providers\/Microsoft.Network\/virtualNetworks\/([^/]+)/i);
+    if (sourceVnetMatch) {
+      const sourceVnetRg = sourceVnetMatch[1];
+      const sourceVnetName = sourceVnetMatch[2];
+
+      // Get full VNet IDs
+      const { stdout: sourceVnetJson } = await execa("az", [
+        "network", "vnet", "show", "-g", sourceVnetRg, "-n", sourceVnetName, "--query", "id", "-o", "tsv", ...subArgs(sub),
+      ], { reject: false, timeout: 15000 });
+      const sourceVnetId = (sourceVnetJson || "").trim();
+
+      const { stdout: replicaVnetJson } = await execa("az", [
+        "network", "vnet", "show", "-g", rg, "-n", vnetName, "--query", "id", "-o", "tsv", ...subArgs(sub),
+      ], { reject: false, timeout: 15000 });
+      const replicaVnetId = (replicaVnetJson || "").trim();
+
+      if (sourceVnetId && replicaVnetId) {
+        const peeringName1 = `${sourceVnetName}-to-${vnetName}`;
+        const peeringName2 = `${vnetName}-to-${sourceVnetName}`;
+
+        // Check if peering already exists
+        const { exitCode: peering1Exists } = await execa("az", [
+          "network", "vnet", "peering", "show",
+          "-g", sourceVnetRg, "--vnet-name", sourceVnetName, "-n", peeringName1, "--output", "none", ...subArgs(sub),
+        ], { reject: false, timeout: 15000 });
+
+        if (peering1Exists !== 0) {
+          hint(`Creating VNet peering…`);
+          // Source -> Replica peering
+          await execa("az", [
+            "network", "vnet", "peering", "create",
+            "-g", sourceVnetRg, "--vnet-name", sourceVnetName, "-n", peeringName1,
+            "--remote-vnet", replicaVnetId, "--allow-vnet-access", "--output", "none", ...subArgs(sub),
+          ], { timeout: 60000 });
+
+          // Replica -> Source peering
+          await execa("az", [
+            "network", "vnet", "peering", "create",
+            "-g", rg, "--vnet-name", vnetName, "-n", peeringName2,
+            "--remote-vnet", sourceVnetId, "--allow-vnet-access", "--output", "none", ...subArgs(sub),
+          ], { timeout: 60000 });
+          console.log(OK(`  ✓ VNet peering configured`));
+        } else {
+          console.log(OK(`  ✓ VNet peering exists`));
+        }
+      }
+    }
+
+    console.log("");
+  }
+
   hint("Creating read replica (this takes 10-15 minutes)…\n");
 
-  const { exitCode, stderr } = await execa("az", [
+  const replicaArgs = [
     "postgres", "flexible-server", "replica", "create",
     "--replica-name", replicaName,
     "--resource-group", rg,
     "--source-server", sourceId,
     "--location", targetRegion,
-    "--output", "json", ...subArgs(sub),
-  ], { timeout: 900000, reject: false });
+  ];
+  if (replicaSubnetId) replicaArgs.push("--subnet", replicaSubnetId);
+  if (replicaDnsZone) replicaArgs.push("--private-dns-zone", replicaDnsZone);
+  replicaArgs.push("--output", "json", ...subArgs(sub));
+
+  const { exitCode, stderr } = await execa("az", replicaArgs, { timeout: 900000, reject: false });
 
   if (exitCode !== 0) {
     const errMsg = (stderr || "").split("\n").find(l => l.includes("ERROR")) || stderr;

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks-storage.js

@@ -6,8 +6,8 @@
 
 import crypto from "node:crypto";
 import { OK, WARN, hint, subArgs } from "./azure.js";
-import { pgServerName } from "./azure-aks-naming.js";
-import { readClusterState } from "./azure-aks-state.js";
+import { pgServerName, HA_REPLICA_REGIONS } from "./azure-aks-naming.js";
+import { readClusterState, writeClusterState } from "./azure-aks-state.js";
 
 // ── Helm Repositories ─────────────────────────────────────────────────────────
 
@@ -51,14 +51,17 @@ export async function reconcileStorageAccount(ctx) {
     ...subArgs(sub),
   ], { reject: false, timeout: 30000 });
 
+  // HA SKU preference: RAGZRS (zone + geo redundant) > RAGRS (geo redundant)
+  const haSku = "Standard_RAGZRS";
+  const fallbackSku = "Standard_RAGRS";
+
   if (saExists !== 0) {
-    // Create storage account
-    hint(`Creating Storage Account "${storageAccountName}"…`);
-    const { exitCode, stderr } = await execa("az", [
+    hint(`Creating Storage Account "${storageAccountName}" with cross-region HA (${haSku})…`);
+    let { exitCode, stderr } = await execa("az", [
       "storage", "account", "create",
       "--name", storageAccountName,
       "--resource-group", rg,
-      "--sku", "Standard_LRS",
+      "--sku", haSku,
       "--kind", "StorageV2",
       "--https-only", "true",
       "--min-tls-version", "TLS1_2",
@@ -67,13 +70,72 @@ export async function reconcileStorageAccount(ctx) {
       ...subArgs(sub),
     ], { reject: false, timeout: 120000 });
 
+    // Fallback to RAGRS if RAGZRS not available in region
+    if (exitCode !== 0 && (stderr || "").includes("not supported")) {
+      hint(`RAGZRS not available, falling back to ${fallbackSku}…`);
+      ({ exitCode, stderr } = await execa("az", [
+        "storage", "account", "create",
+        "--name", storageAccountName,
+        "--resource-group", rg,
+        "--sku", fallbackSku,
+        "--kind", "StorageV2",
+        "--https-only", "true",
+        "--min-tls-version", "TLS1_2",
+        "--allow-blob-public-access", "false",
+        "--output", "none",
+        ...subArgs(sub),
+      ], { reject: false, timeout: 120000 }));
+    }
+
     if (exitCode !== 0) {
       console.log(WARN(`  ⚠ Storage Account creation failed: ${(stderr || "").split("\n")[0]}`));
       return;
     }
-    console.log(OK(`  ✓ Storage Account "${storageAccountName}" created`));
+    console.log(OK(`  ✓ Storage Account "${storageAccountName}" created (cross-region HA)`));
   } else {
-    console.log(OK(`  ✓ Storage Account "${storageAccountName}" exists`));
+    const { stdout: skuJson } = await execa("az", [
+      "storage", "account", "show",
+      "--name", storageAccountName,
+      "--resource-group", rg,
+      "--query", "sku.name",
+      "-o", "tsv",
+      ...subArgs(sub),
+    ], { reject: false, timeout: 30000 });
+    const currentSku = (skuJson || "").trim();
+
+    // Upgrade path: LRS → RAGZRS, ZRS → RAGZRS, RAGRS → RAGZRS
+    const upgradeNeeded = ["Standard_LRS", "Standard_ZRS", "Standard_RAGRS"].includes(currentSku);
+    if (upgradeNeeded) {
+      hint(`Upgrading Storage Account from ${currentSku} to ${haSku}…`);
+      let { exitCode } = await execa("az", [
+        "storage", "account", "update",
+        "--name", storageAccountName,
+        "--resource-group", rg,
+        "--sku", haSku,
+        "--output", "none",
+        ...subArgs(sub),
+      ], { reject: false, timeout: 120000 });
+
+      // Fallback if RAGZRS upgrade fails (region limitation or LRS→RAGZRS not allowed)
+      if (exitCode !== 0 && currentSku === "Standard_LRS") {
+        ({ exitCode } = await execa("az", [
+          "storage", "account", "update",
+          "--name", storageAccountName,
+          "--resource-group", rg,
+          "--sku", fallbackSku,
+          "--output", "none",
+          ...subArgs(sub),
+        ], { reject: false, timeout: 120000 }));
+      }
+
+      if (exitCode === 0) {
+        console.log(OK(`  ✓ Storage Account "${storageAccountName}" upgraded to cross-region HA`));
+      } else {
+        console.log(WARN(`  ⚠ Could not upgrade Storage Account SKU (current: ${currentSku})`));
+      }
+    } else {
+      console.log(OK(`  ✓ Storage Account "${storageAccountName}" exists (${currentSku})`));
+    }
   }
 
   // 2. Get storage account key
@@ -494,3 +556,236 @@ export async function reconcileAcrWebhooks(ctx) {
     }
   }
 }
+
+// ── Cross-region storage object replication (HA) ──────────────────────────────
+
+export async function reconcileStorageReplication(ctx) {
+  const { execa, clusterName, rg, sub, cluster } = ctx;
+  const location = (cluster?.location || "uaenorth").toLowerCase().replace(/\s/g, "");
+  const replicaRegion = ctx.opts?.haRegion || HA_REPLICA_REGIONS[location];
+
+  if (!replicaRegion) {
+    console.log(WARN(`  ⚠ No HA replica region configured for ${location}`));
+    return;
+  }
+
+  const sourceAccountName = `fops${clusterName.replace(/-/g, "")}`.toLowerCase().slice(0, 24);
+  const destAccountName = `fops${clusterName.replace(/-/g, "")}ha`.toLowerCase().slice(0, 24);
+  const containers = ["foundation", "vault"];
+
+  hint(`Setting up cross-region storage replication (${location} → ${replicaRegion})…`);
+
+  // 1. Check if source account exists
+  const { exitCode: srcExists } = await execa("az", [
+    "storage", "account", "show",
+    "--name", sourceAccountName,
+    "--resource-group", rg,
+    "--output", "none",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 30000 });
+
+  if (srcExists !== 0) {
+    console.log(WARN(`  ⚠ Source storage account "${sourceAccountName}" not found — skipping replication`));
+    return;
+  }
+
+  // 2. Create destination storage account in replica region
+  const { exitCode: destExists } = await execa("az", [
+    "storage", "account", "show",
+    "--name", destAccountName,
+    "--resource-group", rg,
+    "--output", "none",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 30000 });
+
+  if (destExists !== 0) {
+    hint(`Creating HA storage account "${destAccountName}" in ${replicaRegion}…`);
+    // Try RAGZRS first, fallback to RAGRS
+    let { exitCode, stderr } = await execa("az", [
+      "storage", "account", "create",
+      "--name", destAccountName,
+      "--resource-group", rg,
+      "--location", replicaRegion,
+      "--sku", "Standard_RAGZRS",
+      "--kind", "StorageV2",
+      "--https-only", "true",
+      "--min-tls-version", "TLS1_2",
+      "--allow-blob-public-access", "false",
+      "--output", "none",
+      ...subArgs(sub),
+    ], { reject: false, timeout: 120000 });
+
+    if (exitCode !== 0 && (stderr || "").includes("not supported")) {
+      ({ exitCode, stderr } = await execa("az", [
+        "storage", "account", "create",
+        "--name", destAccountName,
+        "--resource-group", rg,
+        "--location", replicaRegion,
+        "--sku", "Standard_RAGRS",
+        "--kind", "StorageV2",
+        "--https-only", "true",
+        "--min-tls-version", "TLS1_2",
+        "--allow-blob-public-access", "false",
+        "--output", "none",
+        ...subArgs(sub),
+      ], { reject: false, timeout: 120000 }));
+    }
+
+    if (exitCode !== 0) {
+      console.log(WARN(`  ⚠ HA storage account creation failed: ${(stderr || "").split("\n")[0]}`));
+      return;
+    }
+    console.log(OK(`  ✓ HA storage account "${destAccountName}" created in ${replicaRegion}`));
+  } else {
+    console.log(OK(`  ✓ HA storage account "${destAccountName}" exists`));
+  }
+
+  // 3. Enable blob versioning on both accounts (required for object replication)
+  for (const account of [sourceAccountName, destAccountName]) {
+    await execa("az", [
+      "storage", "account", "blob-service-properties", "update",
+      "--account-name", account,
+      "--resource-group", rg,
+      "--enable-versioning", "true",
+      "--output", "none",
+      ...subArgs(sub),
+    ], { reject: false, timeout: 60000 });
+  }
+  console.log(OK("  ✓ Blob versioning enabled on both accounts"));
+
+  // 4. Get destination account key and create containers
+  const { stdout: destKeyJson } = await execa("az", [
+    "storage", "account", "keys", "list",
+    "--account-name", destAccountName,
+    "--resource-group", rg,
+    "--query", "[0].value",
+    "--output", "tsv",
+    ...subArgs(sub),
+  ], { timeout: 30000 });
+  const destKey = destKeyJson?.trim();
+
+  for (const container of containers) {
+    const { exitCode: containerExists } = await execa("az", [
+      "storage", "container", "show",
+      "--name", container,
+      "--account-name", destAccountName,
+      "--account-key", destKey,
+      "--output", "none",
+    ], { reject: false, timeout: 30000 });
+
+    if (containerExists !== 0) {
+      await execa("az", [
+        "storage", "container", "create",
+        "--name", container,
+        "--account-name", destAccountName,
+        "--account-key", destKey,
+        "--output", "none",
+      ], { reject: false, timeout: 30000 });
+      console.log(OK(`  ✓ Container "${container}" created in HA account`));
+    }
+  }
+
+  // 5. Set up object replication policy
+  const { stdout: srcIdJson } = await execa("az", [
+    "storage", "account", "show",
+    "--name", sourceAccountName,
+    "--resource-group", rg,
+    "--query", "id",
+    "-o", "tsv",
+    ...subArgs(sub),
+  ], { timeout: 15000 });
+  const srcId = srcIdJson?.trim();
+
+  const { stdout: destIdJson } = await execa("az", [
+    "storage", "account", "show",
+    "--name", destAccountName,
+    "--resource-group", rg,
+    "--query", "id",
+    "-o", "tsv",
+    ...subArgs(sub),
+  ], { timeout: 15000 });
+  const destId = destIdJson?.trim();
+
+  // Check if policy already exists
+  const { stdout: policiesJson } = await execa("az", [
+    "storage", "account", "or-policy", "list",
+    "--account-name", sourceAccountName,
+    "--resource-group", rg,
+    "--output", "json",
+    ...subArgs(sub),
+  ], { reject: false, timeout: 30000 });
+
+  const policies = JSON.parse(policiesJson || "[]");
+  const existingPolicy = policies.find(p => p.destinationAccount === destId);
+
+  if (!existingPolicy) {
+    hint("Creating object replication policy…");
+    // Build rules for each container
+    const rules = containers.map(c => ({
+      sourceContainer: c,
+      destinationContainer: c,
+      filters: { minCreationTime: new Date().toISOString() },
+    }));
+
+    const policyJson = JSON.stringify({
+      sourceAccount: srcId,
+      destinationAccount: destId,
+      rules,
+    });
+
+    const tmpFile = `/tmp/fops-or-policy-${clusterName}.json`;
+    const { writeFileSync, unlinkSync } = await import("node:fs");
+    writeFileSync(tmpFile, policyJson);
+
+    const { exitCode: policyCode, stderr: policyErr } = await execa("az", [
+      "storage", "account", "or-policy", "create",
+      "--account-name", destAccountName,
+      "--resource-group", rg,
+      "--source-account", srcId,
+      "--destination-account", destId,
+      "--policy", "@" + tmpFile,
+      "--output", "none",
+      ...subArgs(sub),
+    ], { reject: false, timeout: 60000 });
+
+    try { unlinkSync(tmpFile); } catch {}
+
+    if (policyCode === 0) {
+      console.log(OK(`  ✓ Object replication policy created (${sourceAccountName} → ${destAccountName})`));
+    } else {
+      // Fallback: create policy without file
+      const { exitCode: fallbackCode } = await execa("az", [
+        "storage", "account", "or-policy", "create",
+        "--account-name", destAccountName,
+        "--resource-group", rg,
+        "--source-account", srcId,
+        "--destination-account", destId,
+        "--source-container", containers[0],
+        "--destination-container", containers[0],
+        "--output", "none",
+        ...subArgs(sub),
+      ], { reject: false, timeout: 60000 });
+
+      if (fallbackCode === 0) {
+        console.log(OK(`  ✓ Object replication policy created for "${containers[0]}" container`));
+      } else {
+        console.log(WARN(`  ⚠ Object replication policy failed: ${(policyErr || "").split("\n")[0]}`));
+        hint(`  Create manually: az storage account or-policy create --account-name ${destAccountName} ...`);
+      }
+    }
+  } else {
+    console.log(OK(`  ✓ Object replication policy already exists`));
+  }
+
+  // Save HA storage info to state
+  writeClusterState(clusterName, {
+    storageHA: {
+      sourceAccount: sourceAccountName,
+      destAccount: destAccountName,
+      destRegion: replicaRegion,
+      configuredAt: new Date().toISOString(),
+    },
+  });
+
+  console.log(OK(`  ✓ Storage HA configured: ${location} → ${replicaRegion}`));
+}

package/src/plugins/bundled/fops-plugin-azure/lib/azure-aks.js

@@ -11,6 +11,7 @@ export {
   PG_DEFAULTS,
   EH_DEFAULTS,
   PG_REPLICA_REGIONS,
+  HA_REPLICA_REGIONS,
   pgServerName,
   kvName,
   ehNamespaceName,
@@ -66,6 +67,7 @@ export {
   OLD_PG_HOSTS,
   reconcileStorageAccount,
   reconcileStorageEngine,
+  reconcileStorageReplication,
   reconcileHelmRepos,
   reconcileHelmValues,
   reconcileAcrWebhooks,

package/src/plugins/bundled/fops-plugin-azure/lib/azure-auth.js

@@ -78,7 +78,7 @@ export function resolveAuth0Config() {
         };
         const domain = get("MX_AUTH0_DOMAIN") || get("AUTH0_DOMAIN");
         const clientId = get("MX_AUTH0_CLIENT_ID") || get("AUTH0_CLIENT_ID");
-        const clientSecret = get("MX_AUTH0_CLIENT_SECRET") || get("AUTH0_CLIENT_SECRET");
+        const clientSecret = get("MX_AUTH0_CLIENT_SECRET") || get("AUTH0_CLIENT_SECRET") || get("AUTH0_SECRET");
         const audience = get("MX_AUTH0_AUDIENCE") || get("AUTH0_AUDIENCE");
         if (domain && clientId) return { domain, clientId, clientSecret, audience };
       } catch { /* try next */ }