@swovohq/fuel 0.2.0-alpha.3 → 0.2.0-alpha.30

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Swovo HQ
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,231 @@
+# @swovohq/fuel
+
+CLI tool to scaffold apps from the Fuel monorepo and provision cloud infrastructure on AWS with ECS.
+
+## Installation
+
+```bash
+npx @swovohq/fuel <command>
+```
+
+Or install globally:
+
+```bash
+npm install -g @swovohq/fuel
+```
+
+## Quick Start
+
+### Scaffold a new app
+
+```bash
+fuel create:app my-app
+fuel create:app my-app -m billing,documents
+```
+
+### Full ECS provisioning (scaffold + cloud infra)
+
+```bash
+fuel infra:init                                  # Step 1: generate fuel.yml + .fuel-credentials
+fuel create:app my-app -c fuel.yml            # Step 2: scaffold + provision infrastructure
+```
+
+### Add infra to an existing project
+
+```bash
+fuel infra:init                                  # Step 1: generate fuel.yml + .fuel-credentials
+fuel infra:deploy --config fuel.yml           # Step 2: provision infrastructure
+```
+
+## Commands
+
+| Command | Description |
+|---|---|
+| `fuel list:modules` | List available modules |
+| `fuel config:verify <path>` | Validate `fuel.yml` and run preflight checks |
+| `fuel create:app <name>` | Scaffold a new app from the monorepo template |
+| `fuel infra:init` | Generate `fuel.yml` and `.fuel-credentials` interactively |
+| `fuel infra:deploy` | Run or resume infrastructure provisioning |
+| `fuel infra:destroy` | Tear down all provisioned cloud resources |
+| `fuel migrate:init` | Generate and run database migrations |
+
+## `create:app`
+
+Creates a new project from the Fuel monorepo template.
+
+```bash
+fuel create:app <name> [options]
+```
+
+**Options:**
+
+| Flag | Description |
+|---|---|
+| `-m, --modules <list>` | Comma-separated modules to include (e.g. `billing,documents`) |
+| `-o, --output <path>` | Output directory (defaults to `./<name>`) |
+| `-s, --source <path>` | Path to a local monorepo root |
+| `-c, --config <path>` | Path to `fuel.yml` — triggers ECS provisioning |
+| `--dry-run` | Preview without writing files |
+| `--skip-install` | Skip `yarn install` (also skips migrations) |
+| `--skip-build` | Skip `yarn build` (also skips migrations) |
+| `--skip-git` | Skip `git init` and initial commit |
+| `--skip-migration-generation` | Skip database migration generation |
+| `--keep-migrations` | Keep existing migration files from the template and skip migration generation |
+| `--target-branch <branch>` | Only push to this branch in the target repo (CI use) |
+| `--force-push` | Force push to the target repo (for CI-managed repos) |
+| `--destroy-on-failure` | Destroy provisioned infrastructure if OpenTofu apply fails (default: preserve) |
+| `--skip-branch-protection` | Skip applying branch protection rules after pushing (useful in CI when protections are already set) |
+| `--github-token <token>` | GitHub token |
+| `--github-username <user>` | GitHub username |
+| `--github-organization <org>` | GitHub organization |
+| `--aws-access-key-id <key>` | AWS access key ID |
+| `--aws-secret-access-key <secret>` | AWS secret access key |
+| `--aws-region <region>` | AWS region |
+
+**What it does:**
+
+1. Copies the monorepo template, removing unselected modules
+2. Installs dependencies and builds the project
+3. Starts Docker, generates and runs database migrations
+4. Creates an initial git commit
+
+With `--config fuel.yml`, it additionally:
+
+5. Creates a GitHub repository
+6. Provisions AWS infrastructure (ECR, OIDC, VPC, RDS, ECS)
+7. Configures GitHub Actions secrets and workflows
+8. Pushes code to trigger the first deployment
+9. Applies branch protection rules
+
+## `config:verify`
+
+Validates `fuel.yml` syntax/schema and optionally runs preflight checks (OpenTofu, credentials). Failures are reported as warnings — the command never exits with an error.
+
+```bash
+fuel config:verify <path> [options]
+```
+
+| Flag | Description |
+|---|---|
+| `--config-only` | Only validate the config file. Skip preflight checks. |
+
+**Examples:**
+
+```bash
+fuel config:verify fuel.yml                  # Validate config + preflight checks
+fuel config:verify fuel.yml --config-only    # Validate config only
+```
+
+## `infra:init`
+
+Interactively generates `fuel.yml` and `.fuel-credentials`.
+
+```bash
+fuel infra:init [options]
+```
+
+| Flag | Description |
+|---|---|
+| `-o, --output <path>` | Output path for `fuel.yml` |
+| `--template` | Write a minimal template without prompts |
+
+## `infra:deploy`
+
+Runs or resumes infrastructure provisioning on an existing project.
+
+```bash
+fuel infra:deploy [options]
+```
+
+| Flag | Description |
+|---|---|
+| `-p, --path <path>` | Path to project root |
+| `-c, --config <path>` | Path to `fuel.yml` (generates `fuel.yml`) |
+| `--regenerate` | Regenerate the `/infra` folder from templates |
+| `--plan-only` | Run OpenTofu plan without creating resources |
+| `--infra-only` | Run only OpenTofu on an existing `/infra` folder (no config, no git push) |
+| `--destroy-on-failure` | Destroy provisioned resources if OpenTofu apply fails (default: preserve) |
+| `--skip-branch-protection` | Skip applying branch protection rules after pushing (useful in CI when protections are already set) |
+| `--github-token <token>` | GitHub token |
+| `--github-username <user>` | GitHub username |
+| `--github-organization <org>` | GitHub organization |
+| `--aws-access-key-id <key>` | AWS access key ID |
+| `--aws-secret-access-key <secret>` | AWS secret access key |
+| `--aws-region <region>` | AWS region |
+
+## `infra:destroy`
+
+Destroys all AWS infrastructure managed by OpenTofu.
+
+```bash
+fuel infra:destroy [options]
+```
+
+| Flag | Description |
+|---|---|
+| `-p, --path <path>` | Path to project root |
+| `--github-token <token>` | GitHub token |
+| `--github-username <user>` | GitHub username |
+| `--github-organization <org>` | GitHub organization |
+| `--aws-access-key-id <key>` | AWS access key ID |
+| `--aws-secret-access-key <secret>` | AWS secret access key |
+| `--aws-region <region>` | AWS region |
+
+## `migrate:init`
+
+Generates and runs database migrations for an existing project.
+
+```bash
+fuel migrate:init [options]
+```
+
+| Flag | Description |
+|---|---|
+| `-p, --path <path>` | Path to project root |
+| `--skip-commit` | Skip the git commit after migrations |
+
+## Configuration Schema
+
+`fuel.yml` includes a JSON Schema reference for editor autocompletion. When using VS Code with the [YAML extension](https://marketplace.visualstudio.com/items?itemName=redhat.vscode-yaml), you get autocomplete, validation, and inline documentation automatically.
+
+The schema is bundled at `node_modules/@swovohq/fuel/schema/fuel.schema.json`.
+
+## Credentials
+
+Infrastructure commands require AWS and GitHub credentials. Each key is resolved independently in this order (sources are merged):
+
+1. **CLI flags** (e.g., `--github-token`) — highest priority
+2. **`.fuel-credentials`** JSON file (project root, then CWD fallback)
+3. **Environment variables**: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `GITHUB_TOKEN`, `GITHUB_USERNAME`, `GITHUB_ORGANIZATION`
+
+Sources complement each other — e.g., AWS keys from env vars + `GITHUB_TOKEN` from `.fuel-credentials` = valid.
+
+Run `fuel infra:init --credentials-only` to generate `.fuel-credentials` interactively.
+
+## Infrastructure Architecture
+
+When using `--config fuel.yml`, the CLI provisions:
+
+- **ECR** - Container registry for app images
+- **ECS** (Fargate) - Container orchestration with ALB
+- **RDS** - PostgreSQL database
+- **VPC** - Networking with public/private subnets
+- **IAM** - OIDC role for GitHub Actions deployments
+- **S3** - OpenTofu state storage
+- **Secrets Manager** - Infrastructure configuration
+- **CloudWatch** - Monitoring and alarms
+- **GuardDuty** - Threat detection
+
+GitHub resources (repository, secrets, branch protections) are managed directly by the CLI via the GitHub API.
+
+## Requirements
+
+- Node.js >= 18
+- Docker (for migration generation)
+- [OpenTofu](https://opentofu.org/) >= 1.5 (for infrastructure provisioning)
+- AWS credentials with appropriate permissions
+- GitHub personal access token with `repo` and `admin:org` scopes
+
+## License
+
+MIT - see [LICENSE](./LICENSE)

package/dist/bin/fuel.js

@@ -37,6 +37,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const commander_1 = require("commander");
 const fs = __importStar(require("fs-extra"));
 const path = __importStar(require("path"));
+const config_verify_1 = require("../commands/config-verify");
 const create_app_1 = require("../commands/create-app");
 const infra_deploy_1 = require("../commands/infra-deploy");
 const infra_destroy_1 = require("../commands/infra-destroy");
@@ -45,6 +46,31 @@ const list_modules_1 = require("../commands/list-modules");
 const migrate_init_1 = require("../commands/migrate-init");
 const packageJson = require(path.join(__dirname, '..', '..', 'package.json'));
 const program = new commander_1.Command();
+function addCredentialOptions(cmd) {
+    return cmd
+        .option('--github-token <token>', 'GitHub token. Falls back to .fuel-credentials or GITHUB_TOKEN env var.')
+        .option('--github-username <username>', 'GitHub username. Falls back to .fuel-credentials or GITHUB_USERNAME env var.')
+        .option('--github-organization <org>', 'GitHub organization. Falls back to .fuel-credentials or GITHUB_ORGANIZATION env var.')
+        .option('--aws-access-key-id <key>', 'AWS access key ID. Falls back to .fuel-credentials or AWS_ACCESS_KEY_ID env var.')
+        .option('--aws-secret-access-key <secret>', 'AWS secret access key. Falls back to .fuel-credentials or AWS_SECRET_ACCESS_KEY env var.')
+        .option('--aws-region <region>', 'AWS region. Falls back to .fuel-credentials or AWS_REGION env var.');
+}
+function buildOverrides(flags) {
+    const overrides = {};
+    if (flags.githubToken)
+        overrides.GITHUB_TOKEN = flags.githubToken;
+    if (flags.githubUsername)
+        overrides.GITHUB_USERNAME = flags.githubUsername;
+    if (flags.githubOrganization)
+        overrides.GITHUB_ORGANIZATION = flags.githubOrganization;
+    if (flags.awsAccessKeyId)
+        overrides.AWS_ACCESS_KEY_ID = flags.awsAccessKeyId;
+    if (flags.awsSecretAccessKey)
+        overrides.AWS_SECRET_ACCESS_KEY = flags.awsSecretAccessKey;
+    if (flags.awsRegion)
+        overrides.AWS_REGION = flags.awsRegion;
+    return Object.keys(overrides).length > 0 ? overrides : undefined;
+}
 program
     .name('fuel')
     .description('Fuel CLI – scaffold apps from the fuel monorepo and provision cloud infrastructure.')
@@ -56,12 +82,12 @@ Workflows:
      fuel create:app <name> [-m modules]
 
   2. Full ECS provisioning (scaffold + cloud infra):
-     fuel infra:init                                     Step 1: generate config.json + .fuel-credentials
-     fuel create:app <name> -d ecs -c config.json        Step 2: scaffold code and provision infrastructure
+     fuel infra:init                                     Step 1: generate fuel.yml + .fuel-credentials
+     fuel create:app <name> -c fuel.yml               Step 2: scaffold code and provision infrastructure
 
-  3. Add infra to an existing project (created without -d ecs):
-     fuel infra:init                                     Step 1: generate config.json + .fuel-credentials
-     fuel infra:deploy --config config.json              Step 2: generate fuel.config.json + provision infrastructure
+  3. Add infra to an existing project (created without -c):
+     fuel infra:init                                     Step 1: generate fuel.yml + .fuel-credentials
+     fuel infra:deploy --config fuel.yml              Step 2: generate fuel.yml + provision infrastructure
 
   4. Resume / retry infra (after a failure in step 2 or 3):
      fuel infra:deploy [--path <project>]                Re-run infrastructure provisioning without re-scaffolding
@@ -85,9 +111,9 @@ Quick examples:
   fuel create:app my-app                                Scaffold base app
   fuel create:app my-app -m billing,documents           Scaffold with modules
   fuel infra:init                                       Interactive infra config setup
-  fuel create:app my-app -d ecs -c config.json          Full ECS provisioning
+  fuel create:app my-app -c fuel.yml               Full ECS provisioning
   fuel infra:deploy                                     Resume failed infra provisioning
-  fuel infra:deploy --config config.json                Add infra to existing project
+  fuel infra:deploy --config fuel.yml                Add infra to existing project
   fuel infra:deploy --path ./my-app --regenerate        Regenerate /infra and re-deploy
   fuel migrate:init                                     Re-run migration generation
   fuel infra:destroy                                    Tear down all infrastructure`);
@@ -110,6 +136,28 @@ Examples:
         process.exit(1);
     }
 });
+program
+    .command('config:verify <configPath>')
+    .description('Validate a fuel.yml config file and optionally run preflight checks.\n\n' +
+    '  By default, validates the config syntax/schema AND runs preflight checks\n' +
+    '  (OpenTofu version, credentials). Preflight failures are reported as\n' +
+    '  warnings — the command never exits with an error.\n\n' +
+    '  Use --config-only to skip preflight checks and only validate the file.')
+    .option('--config-only', 'Only validate the config file syntax and schema. Skip preflight checks (OpenTofu, credentials).')
+    .addHelpText('after', `
+Examples:
+  fuel config:verify fuel.yml                  Validate config + run preflight checks
+  fuel config:verify fuel.yml --config-only    Validate config syntax/schema only`)
+    .action(async (configPath, opts) => {
+    try {
+        await (0, config_verify_1.configVerify)(configPath, opts);
+        process.exit(0);
+    }
+    catch (error) {
+        console.error(`\n  Error: ${error instanceof Error ? error.message : String(error)}\n`);
+        process.exit(1);
+    }
+});
 program
     .command('create:app [appName]')
     .description('Create a new app from the fuel monorepo.\n\n' +
@@ -118,14 +166,14 @@ program
     '    Copies the monorepo template, removes unselected modules, installs\n' +
     '    dependencies, builds, starts Docker, generates database migrations,\n' +
     '    and creates an initial git commit.\n\n' +
-    '  ECS mode (-d ecs):\n' +
+    '  ECS mode (-c fuel.yml):\n' +
     '    Performs all scaffolding steps above, then provisions cloud infrastructure:\n' +
-    '    writes fuel.config.json, generates /infra (OpenTofu) and .github/workflows/,\n' +
-    '    creates the S3 state bucket, writes secrets to AWS Secrets Manager, runs\n' +
-    '    tofu apply in 3 passes (ECR + GitHub repo, GitHub Actions, full ECS),\n' +
-    '    and prints ALB/ECR/GitHub URLs.\n' +
-    '    Requires --config. Run "fuel infra:init" first to generate config.json.')
+    '    writes fuel.yml, generates /infra (OpenTofu) and .github/workflows/,\n' +
+    '    creates a GitHub repo, provisions all AWS infrastructure via OpenTofu,\n' +
+    '    configures GitHub Actions secrets, pushes code, and applies branch protections.\n' +
+    '    Run "fuel infra:init" first to generate fuel.yml.')
     .option('-m, --modules <list>', 'Comma-separated modules to include (e.g. billing,documents). Omit for base only.', '')
+    .option('-a, --all-modules', 'Include all available modules. Cannot be combined with -m.')
     .option('-o, --output <path>', 'Output directory. Defaults to ./<appName> in the current directory.')
     .option('-s, --source <path>', 'Path to the monorepo root containing fuel.modules.json. If omitted, walks up from the current directory.')
     .option('--dry-run', 'Preview what would be done without writing any files or provisioning resources.')
@@ -133,9 +181,18 @@ program
     .option('--skip-git', 'Skip git init and the initial commit.')
     .option('--skip-build', 'Skip yarn build. Also implicitly skips migration generation (requires build).')
     .option('--skip-migration-generation', 'Skip database migration generation and execution. Docker will not be started.')
-    .option('-d, --deployment <type>', 'Deployment target. Only "ecs" is supported. Cannot be combined with --skip-install, --skip-build, or --skip-migration-generation.')
-    .option('-c, --config <path>', 'Path to config.json for ECS provisioning (required when -d ecs is set). Generate one with "fuel infra:init".')
-    .option('--github-token <token>', 'GitHub token for downloading template assets from private repositories. Falls back to GITHUB_TOKEN env var.')
+    .option('--keep-migrations', 'Keep existing migration files from the template and skip migration generation. Docker will not be started.')
+    .option('-c, --config <path>', 'Path to fuel.yml for ECS provisioning. When provided, infrastructure is provisioned after scaffolding. Generate one with "fuel infra:init". Cannot be combined with --skip-install, --skip-build, or --skip-migration-generation (unless --keep-migrations is also set).')
+    .option('--target-branch <branch>', 'Only push to this branch in the target repo. Useful in CI to deploy a specific environment.')
+    .option('--force-push', 'Force push to the target repo. Use when each run scaffolds a fresh project and the target repo already has commits.')
+    .option('--destroy-on-failure', 'Destroy provisioned infrastructure if OpenTofu apply fails. Default: false (resources are preserved for re-run).')
+    .option('--skip-branch-protection', 'Skip applying branch protection rules after pushing.')
+    .option('--github-token <token>', 'GitHub token. Falls back to .fuel-credentials or GITHUB_TOKEN env var.')
+    .option('--github-username <username>', 'GitHub username. Falls back to .fuel-credentials or GITHUB_USERNAME env var.')
+    .option('--github-organization <org>', 'GitHub organization. Falls back to .fuel-credentials or GITHUB_ORGANIZATION env var.')
+    .option('--aws-access-key-id <key>', 'AWS access key ID. Falls back to .fuel-credentials or AWS_ACCESS_KEY_ID env var.')
+    .option('--aws-secret-access-key <secret>', 'AWS secret access key. Falls back to .fuel-credentials or AWS_SECRET_ACCESS_KEY env var.')
+    .option('--aws-region <region>', 'AWS region. Falls back to .fuel-credentials or AWS_REGION env var.')
     .addHelpText('after', `
 Scaffolding examples:
   fuel create:app my-app                              Base app, no optional modules
@@ -146,8 +203,8 @@ Scaffolding examples:
   fuel create:app my-app --skip-install --skip-git    Scaffold only, no install/git/migrations
 
 ECS provisioning (full workflow):
-  fuel infra:init                                     Step 1: generate config.json + .fuel-credentials
-  fuel create:app my-app -d ecs -c config.json        Step 2: scaffold + provision cloud infrastructure
+  fuel infra:init                                     Step 1: generate fuel.yml + .fuel-credentials
+  fuel create:app my-app -c fuel.yml               Step 2: scaffold + provision cloud infrastructure
 
 Recovery commands:
   cd my-app && fuel infra:deploy                      Resume failed infra provisioning
@@ -164,18 +221,27 @@ Recovery commands:
                 throw new Error('Missing app name. Provide it as a positional argument or use --config to read it from a config file.');
             }
             const configPath = path.resolve(opts.config);
-            const raw = await fs.readJson(configPath);
+            const content = await fs.readFile(configPath, 'utf-8');
+            const YAML = require('yaml');
+            const raw = configPath.endsWith('.json')
+                ? JSON.parse(content)
+                : YAML.parse(content);
             if (!raw.name || typeof raw.name !== 'string') {
                 throw new Error(`Config file "${opts.config}" does not contain a valid "name" field.`);
             }
             resolvedAppName = raw.name;
         }
-        const modules = opts.modules
-            ? opts.modules
-                .split(',')
-                .map((m) => m.trim())
-                .filter(Boolean)
-            : [];
+        if (opts.allModules && opts.modules) {
+            throw new Error('Cannot use --all-modules and --modules together. Use one or the other.');
+        }
+        const modules = opts.allModules
+            ? '__all__'
+            : opts.modules
+                ? opts.modules
+                    .split(',')
+                    .map((m) => m.trim())
+                    .filter(Boolean)
+                : [];
         await (0, create_app_1.createApp)(resolvedAppName, {
             modules,
             output: opts.output,
@@ -185,10 +251,16 @@ Recovery commands:
             skipGit: opts.skipGit,
             skipBuild: opts.skipBuild,
             skipMigrationGeneration: opts.skipMigrationGeneration,
-            deployment: opts.deployment,
+            keepMigrations: opts.keepMigrations,
+            targetBranch: opts.targetBranch,
+            forcePush: opts.forcePush,
+            destroyOnFailure: opts.destroyOnFailure,
+            skipBranchProtection: opts.skipBranchProtection,
             config: opts.config,
-            githubToken: opts.githubToken
+            githubToken: opts.githubToken,
+            credentialOverrides: buildOverrides(opts)
         });
+        process.exit(0);
     }
     catch (error) {
         console.error(`\n  Error: ${error instanceof Error ? error.message : String(error)}\n`);
@@ -197,39 +269,41 @@ Recovery commands:
 });
 program
     .command('infra:init')
-    .description('Generate config.json and .fuel-credentials for ECS infrastructure provisioning.\n\n' +
+    .description('Generate fuel.yml and .fuel-credentials for ECS infrastructure provisioning.\n\n' +
     '  Interactive mode (default):\n' +
     '    Prompts for AWS credentials, GitHub token, app configuration (API/Web,\n' +
     '    PostgreSQL, Redis, CPU/memory), environments (dev/staging/production),\n' +
     '    domains, and environment variables. Validates credentials against AWS\n' +
-    '    and GitHub APIs. Writes config.json and .fuel-credentials (auto-added\n' +
+    '    and GitHub APIs. Writes fuel.yml and .fuel-credentials (auto-added\n' +
     '    to .gitignore).\n\n' +
     '  Template mode (--template):\n' +
-    '    Writes a minimal config.json template for manual editing. Does not\n' +
+    '    Writes a minimal fuel.yml template for manual editing. Does not\n' +
     '    prompt for credentials or validate anything.')
-    .option('-o, --output <path>', 'Output path for config.json. Defaults to ./config.json in the current directory.')
-    .option('--template', 'Write a minimal config.json template without prompts or credential validation.')
+    .option('-o, --output <path>', 'Output path for fuel.yml. Defaults to ./fuel.yml in the current directory.')
+    .option('--template', 'Write a minimal fuel.yml template without prompts or credential validation.')
+    .option('--credentials-only', 'Only generate .fuel-credentials (prompt for AWS + GitHub credentials, verify, and write). Skips fuel.yml generation.')
     .addHelpText('after', `
 Generated files:
-  config.json          Infrastructure configuration (apps, environments, domains, resources)
+  fuel.yml             Infrastructure configuration (apps, environments, domains, resources)
   .fuel-credentials    AWS + GitHub credentials (auto-added to .gitignore, never commit this file)
 
 Workflows using this command:
   New project (scaffold + infra in one step):
-    1. fuel infra:init                                   Generate config.json + .fuel-credentials
-    2. fuel create:app <name> -d ecs -c config.json      Scaffold + provision infrastructure
+    1. fuel infra:init                                   Generate fuel.yml + .fuel-credentials
+    2. fuel create:app <name> -c fuel.yml               Scaffold + provision infrastructure
 
   Existing project (add infra later):
-    1. fuel infra:init                                   Generate config.json + .fuel-credentials
-    2. fuel infra:deploy -c config.json                  Generate fuel.config.json + provision infrastructure
+    1. fuel infra:init                                   Generate fuel.yml + .fuel-credentials
+    2. fuel infra:deploy -c fuel.yml                  Generate fuel.yml + provision infrastructure
 
 Examples:
   fuel infra:init                            Interactive setup
   fuel infra:init --template                 Write base template (no prompts, no credentials)
-  fuel infra:init -o ./infra/config.json     Write config.json to a custom path`)
+  fuel infra:init -o ./infra/fuel.yml         Write fuel.yml to a custom path`)
     .action(async (opts) => {
     try {
         await (0, infra_init_1.infraInit)(opts);
+        process.exit(0);
     }
     catch (error) {
         console.error(`\n  Error: ${error instanceof Error ? error.message : String(error)}\n`);
@@ -239,41 +313,50 @@ Examples:
 program
     .command('infra:deploy')
     .description('Run or resume infrastructure provisioning on an already-generated project.\n\n' +
-    '  Use this command after "fuel create:app -d ecs" fails during the infrastructure\n' +
+    '  Use this command after "fuel create:app -c fuel.yml" fails during the infrastructure\n' +
     '  phase (e.g. missing AWS credentials, network timeout, OpenTofu errors).\n' +
     '  It re-runs only the infrastructure steps without re-scaffolding the project.\n\n' +
     '  You can also use this to add infrastructure to a project that was originally\n' +
-    '  created without -d ecs, by passing --config <path> to generate fuel.config.json.\n\n' +
+    '  created without -c, by passing --config <path> to generate fuel.yml.\n\n' +
     '  Prerequisites:\n' +
-    '    - The project must contain a fuel.config.json, or --config must be provided\n' +
+    '    - The project must contain a fuel.yml, or --config must be provided\n' +
     '    - Credentials must be available via env vars or .fuel-credentials file\n\n' +
     '  On failure, partial cloud resources are preserved (no rollback), so you\n' +
     '  can fix the issue and re-run this command as many times as needed.')
     .option('-p, --path <path>', 'Path to the project root. Defaults to the current directory.')
-    .option('-c, --config <path>', 'Path to config.json. Generates fuel.config.json in the project and provisions infrastructure. Use this to add infra to a project created without -d ecs.')
-    .option('--regenerate', 'Delete and regenerate the /infra folder from templates before deploying. Use this if you changed config.json and need fresh OpenTofu files.')
+    .option('-c, --config <path>', 'Path to fuel.yml. Generates fuel.yml in the project and provisions infrastructure. Use this to add infra to a project created without -c.')
+    .option('--regenerate', 'Delete and regenerate the /infra folder from templates before deploying. Use this if you changed fuel.yml and need fresh OpenTofu files.')
     .option('--plan-only', 'Run OpenTofu plan instead of apply. Shows what would change without creating any resources.')
+    .option('--infra-only', 'Run only OpenTofu init + apply on an existing /infra folder. Skips config validation, secret upload, GitHub repo creation, and code push. Reads all variables from default.tfvars.')
+    .option('--destroy-on-failure', 'Destroy all provisioned resources if OpenTofu apply fails. Default: false (resources are preserved for re-run).')
+    .option('--skip-branch-protection', 'Skip applying branch protection rules after pushing. Useful in CI when protections are already set.')
+    .option('--github-token <token>', 'GitHub token. Falls back to .fuel-credentials or GITHUB_TOKEN env var.')
+    .option('--github-username <username>', 'GitHub username. Falls back to .fuel-credentials or GITHUB_USERNAME env var.')
+    .option('--github-organization <org>', 'GitHub organization. Falls back to .fuel-credentials or GITHUB_ORGANIZATION env var.')
+    .option('--aws-access-key-id <key>', 'AWS access key ID. Falls back to .fuel-credentials or AWS_ACCESS_KEY_ID env var.')
+    .option('--aws-secret-access-key <secret>', 'AWS secret access key. Falls back to .fuel-credentials or AWS_SECRET_ACCESS_KEY env var.')
+    .option('--aws-region <region>', 'AWS region. Falls back to .fuel-credentials or AWS_REGION env var.')
     .addHelpText('after', `
 Credential resolution (in order of priority):
-  1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION,
-     GITHUB_TOKEN, GITHUB_USERNAME, GITHUB_ORGANIZATION)
+  1. CLI flags (--github-token, --aws-access-key-id, etc.)
   2. .fuel-credentials file in the project root (--path)
   3. .fuel-credentials file in the current working directory
+  4. Environment variables (AWS_ACCESS_KEY_ID, GITHUB_TOKEN, etc.)
 
 What this command does:
-  1. If --config is provided, writes fuel.config.json to the project root
-  2. Validates fuel.config.json, OpenTofu version, and credentials
+  1. If --config is provided, writes fuel.yml to the project root
+  2. Validates fuel.yml, OpenTofu version, and credentials
   3. Generates the /infra folder if missing (or if --regenerate / --config is passed)
   4. Creates the S3 state bucket if it does not exist (with a unique suffix)
   5. Writes infrastructure secrets to AWS Secrets Manager
-  6. Runs OpenTofu in 3 passes: ECR + GitHub repo, GitHub Actions, full ECS
-  7. Wires the git remote and prints ALB/ECR/GitHub URLs
+  6. Creates a GitHub repo and runs OpenTofu apply (all AWS resources)
+  7. Sets GitHub Actions secrets, pushes code, applies branch protections
 
 Examples:
   cd my-app && fuel infra:deploy                Resume from inside the project
   fuel infra:deploy -p ./my-app                 Resume from outside the project
-  fuel infra:deploy -c config.json              Add infra to an existing project
-  fuel infra:deploy -c config.json --plan-only  Preview what infra would be created
+  fuel infra:deploy -c fuel.yml              Add infra to an existing project
+  fuel infra:deploy -c fuel.yml --plan-only  Preview what infra would be created
   fuel infra:deploy --regenerate                Regenerate /infra folder, then deploy
   fuel infra:deploy --plan-only                 Preview changes without deploying
 
@@ -281,7 +364,11 @@ To tear down provisioned resources:
   fuel infra:destroy                            Destroy all infrastructure`)
     .action(async (opts) => {
     try {
-        await (0, infra_deploy_1.infraDeploy)(opts);
+        await (0, infra_deploy_1.infraDeploy)({
+            ...opts,
+            credentialOverrides: buildOverrides(opts)
+        });
+        process.exit(0);
     }
     catch (error) {
         console.error(`\n  Error: ${error instanceof Error ? error.message : String(error)}\n`);
@@ -320,6 +407,7 @@ Examples:
     .action(async (opts) => {
     try {
         await (0, migrate_init_1.migrateInit)(opts);
+        process.exit(0);
     }
     catch (error) {
         console.error(`\n  Error: ${error instanceof Error ? error.message : String(error)}\n`);
@@ -332,12 +420,18 @@ program
     '  Runs "tofu destroy" against the /infra folder, tearing down all AWS and\n' +
     '  GitHub resources managed by OpenTofu (ECR, ECS, RDS, ALB, GitHub repo, etc.).\n\n' +
     '  Prerequisites:\n' +
-    '    - The project must contain fuel.config.json and an /infra folder\n' +
+    '    - The project must contain fuel.yml and an /infra folder\n' +
     '    - Credentials must be available via env vars or .fuel-credentials file')
     .option('-p, --path <path>', 'Path to the project root. Defaults to the current directory.')
+    .option('--github-token <token>', 'GitHub token. Falls back to .fuel-credentials or GITHUB_TOKEN env var.')
+    .option('--github-username <username>', 'GitHub username. Falls back to .fuel-credentials or GITHUB_USERNAME env var.')
+    .option('--github-organization <org>', 'GitHub organization. Falls back to .fuel-credentials or GITHUB_ORGANIZATION env var.')
+    .option('--aws-access-key-id <key>', 'AWS access key ID. Falls back to .fuel-credentials or AWS_ACCESS_KEY_ID env var.')
+    .option('--aws-secret-access-key <secret>', 'AWS secret access key. Falls back to .fuel-credentials or AWS_SECRET_ACCESS_KEY env var.')
+    .option('--aws-region <region>', 'AWS region. Falls back to .fuel-credentials or AWS_REGION env var.')
     .addHelpText('after', `
 What this command does:
-  1. Validates fuel.config.json, OpenTofu version, and credentials
+  1. Validates fuel.yml, OpenTofu version, and credentials
   2. Runs "tofu init" to initialize the backend
   3. Runs "tofu destroy -auto-approve" to tear down all resources
 
@@ -349,7 +443,8 @@ To re-provision after destroying:
   fuel infra:deploy                         Re-create all infrastructure`)
     .action(async (opts) => {
     try {
-        await (0, infra_destroy_1.infraDestroy)(opts);
+        await (0, infra_destroy_1.infraDestroy)({ ...opts, credentialOverrides: buildOverrides(opts) });
+        process.exit(0);
     }
     catch (error) {
         console.error(`\n  Error: ${error instanceof Error ? error.message : String(error)}\n`);