mysystem-cli 1.0.0 → 1.0.1

package/AGENTS.md

@@ -0,0 +1,66 @@
+# MySystem Agent Guidelines (AGENTS.md)
+
+This file contains critical production-readiness instructions for AI coding agents (Cursor, Claude Code, Lovable, Bolt, Antigravity, etc.).
+
+> [!IMPORTANT]
+> **To the AI Agent**: You MUST read and follow these rules when editing or creating code in this codebase.
+
+---
+
+## 1. Core Production Architecture Rules
+
+### 1.1 Port & Port Binding
+* Always bind the application web server to the port specified in the `PORT` environment variable.
+* If `PORT` is not defined, fall back to a standard default (e.g., `3000` or `8080`), but never hardcode the listen port without checking `process.env.PORT` (Node) or `os.environ.get("PORT")` (Python).
+
+### 1.2 Health Check Endpoint
+* The application must expose a GET `/health` or `/healthz` endpoint.
+* It must return a `200 OK` response (preferably JSON, e.g., `{"status": "healthy"}`) with no authentication required.
+* The AWS Load Balancer uses this endpoint to verify if the container is running. If it fails, the container will be terminated and replaced.
+
+### 1.3 Statelessness & File Storage
+* Do NOT write persistent files to the local container filesystem. The container instances are ephemeral and can be destroyed at any time.
+* For file uploads, use an external object storage service (e.g., AWS S3).
+* For temporary processing, use the system `/tmp` directory, but expect it to disappear.
+
+### 1.4 Environment Variables & Secrets
+* Never hardcode API keys, database credentials, passwords, or secrets.
+* Always read configurations from environment variables.
+* Generate a sample `.env.example` file when adding new environment variables.
+
+### 1.5 Database Migrations
+* Ensure database migrations are safe to run concurrently or executed as a single-run step during deployment (never inside the web server's startup command if scaling to multiple container instances).
+* Design database changes to be backward-compatible (e.g., add new columns as nullable, deprecate columns in a two-stage deployment).
+
+### 1.6 Logging & Error Tracking (Sentry & Pino)
+* **Structured Logging**: For Node.js/TypeScript applications, format production logs in JSON using `pino` (or standard JSON formatters in Python/Go) for easy querying in CloudWatch. Avoid plain-text print statements in production.
+* **Error Tracking**: If the `SENTRY_DSN` environment variable is present:
+  1. Install the appropriate Sentry SDK (e.g., `@sentry/nextjs` for Next.js, `@sentry/node` for Node, or `sentry-sdk` for Python).
+  2. Initialize the SDK in the application entrypoint.
+  3. Ensure unhandled exceptions and runtime errors are automatically captured and reported to Sentry.
+
+### 1.7 EC2 Instance Sizing (Hobbyist Tier)
+If the project is configured to use the **Hobbyist Tier** (single EC2 + Docker Compose), you must select and manage the `instance_type` parameter in `terraform/terraform.tfvars` according to the application footprint:
+* **Micro-services / Static Frontends (Vite/React)**: Use `t4g.nano` (ARM64, 0.5GB RAM, ~$3.20/month) for maximum savings.
+* **Standard Frameworks (Express, Next.js, FastAPI + Postgres)**: Use `t3.micro` (x86, 1GB RAM, **AWS Free Tier eligible**).
+* **Medium Apps (App + Postgres + Redis or memory-intensive runtimes)**: Use `t3.small` (2GB RAM, ~$16/month) to prevent Out-Of-Memory (OOM) crashes.
+* **Large Monoliths**: Scale to `t3.medium` (4GB RAM, ~$32/month) or larger when active traffic warrants it.
+* *Note: When deploying on t4g (ARM) instances, ensure the Dockerfile is compiled for arm64.*
+
+---
+
+## 2. Docker & Container Rules
+* Do not modify the `Dockerfile` in a way that breaks multi-stage optimization.
+* Keep container images small by using minimal base images (e.g., alpine or slim variants).
+* Always run the container application under a non-root user (e.g., `node` in Node.js) for security.
+
+---
+
+## 3. Automated Git Push Workflow (Vibecoder Deployment)
+If the user tells you: **"I have set up the OIDC role / GitHub secrets"** or **"Deploy the app now"**:
+
+1. **Verify Git Status**: Run `git status` via terminal to verify the changes.
+2. **Stage files**: Run `git add .` to stage the changes.
+3. **Commit**: Commit with a clean message: `git commit -m "chore: configure MySystem deployment assets"`
+4. **Push**: Identify the active branch (usually `main` or `master`) and push it: `git push origin main`
+5. **Confirm**: Let the user know the push was successful and the GitHub Actions deployment pipeline has been triggered.

package/copy-templates.js

@@ -0,0 +1,47 @@
+const fs = require('fs');
+const path = require('path');
+
+const rootDir = path.join(__dirname, '../..');
+const cliDir = __dirname;
+
+const srcTemplates = path.join(rootDir, 'templates');
+const destTemplates = path.join(cliDir, 'templates');
+
+const srcAgents = path.join(rootDir, 'AGENTS.md');
+const destAgents = path.join(cliDir, 'AGENTS.md');
+
+// Helper to recursively copy directories
+function copyDirSync(src, dest) {
+  fs.mkdirSync(dest, { recursive: true });
+  const entries = fs.readdirSync(src, { withFileTypes: true });
+
+  for (let entry of entries) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+
+    if (entry.isDirectory()) {
+      copyDirSync(srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+
+console.log('Copying templates to CLI package...');
+if (fs.existsSync(srcTemplates)) {
+  if (fs.existsSync(destTemplates)) {
+    fs.rmSync(destTemplates, { recursive: true, force: true });
+  }
+  copyDirSync(srcTemplates, destTemplates);
+  console.log('  ✅ Templates copied.');
+} else {
+  console.error('  ❌ Source templates folder not found at:', srcTemplates);
+}
+
+console.log('Copying AGENTS.md to CLI package...');
+if (fs.existsSync(srcAgents)) {
+  fs.copyFileSync(srcAgents, destAgents);
+  console.log('  ✅ AGENTS.md copied.');
+} else {
+  console.error('  ❌ Source AGENTS.md not found at:', srcAgents);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mysystem-cli",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Zero-config deployment standard and CLI for AI-generated applications on AWS Fargate",
   "main": "dist/index.js",
   "bin": {
@@ -8,7 +8,7 @@
     "mysystem-cli": "dist/index.js"
   },
   "scripts": {
-    "build": "tsc",
+    "build": "tsc && node copy-templates.js",
     "prepublishOnly": "npm run build"
   },
   "keywords": [

package/templates/docker/fastapi.Dockerfile

@@ -0,0 +1,32 @@
+# Multi-stage build for Python FastAPI Applications
+
+# --- Build Stage ---
+FROM python:3.11-slim AS builder
+WORKDIR /app
+RUN python -m venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# --- Production Stage ---
+FROM python:3.11-slim AS runner
+WORKDIR /app
+COPY --from=builder /opt/venv /opt/venv
+ENV PATH="/opt/venv/bin:$PATH"
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+
+COPY . .
+
+# Run as non-privileged user
+RUN adduser --disabled-password --gecos "" appuser && chown -R appuser:appuser /app
+USER appuser
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:' + str(os.environ.get('PORT', 8000)) + '/health', timeout=5)" || exit 1
+
+EXPOSE 8000
+ENV PORT=8000
+
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

package/templates/docker/nextjs.Dockerfile

@@ -0,0 +1,45 @@
+# Multi-stage build for Next.js (using Standalone output)
+
+# --- Dependencies Stage ---
+FROM node:20-alpine AS deps
+RUN apk add --no-cache libc6-compat
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+
+# --- Build Stage ---
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+# Set Next.js telemetry disable
+ENV NEXT_TELEMETRY_DISABLED=1
+RUN npm run build
+
+# --- Production Stage ---
+FROM node:20-alpine AS runner
+WORKDIR /app
+
+ENV NODE_ENV=production
+ENV NEXT_TELEMETRY_DISABLED=1
+
+# Create non-root user
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+# Copy standalone build and static assets
+COPY --from=builder /app/public ./public
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+
+EXPOSE 3000
+ENV PORT=3000
+ENV HOSTNAME="0.0.0.0"
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
+  CMD node -e "fetch('http://localhost:3000/api/health').then(r => r.status === 200 ? process.exit(0) : process.exit(1)).catch(() => process.exit(1))"
+
+CMD ["node", "server.js"]

package/templates/docker/node.Dockerfile

@@ -0,0 +1,32 @@
+# Multi-stage build for Node.js Applications
+
+# --- Build Stage ---
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build --if-present
+
+# --- Production Stage ---
+FROM node:20-alpine AS runner
+WORKDIR /app
+ENV NODE_ENV=production
+COPY package*.json ./
+RUN npm ci --only=production
+COPY --from=builder /app/dist ./dist --keep-directory-structure --if-present
+COPY --from=builder /app/build ./build --keep-directory-structure --if-present
+COPY --from=builder /app/server.js ./server.js --if-present
+COPY --from=builder /app/index.js ./index.js --if-present
+
+# Set safe, non-root user
+USER node
+
+# Health check setup
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD node -e "fetch('http://localhost:' + (process.env.PORT || 3000) + '/health').then(r => r.status === 200 ? process.exit(0) : process.exit(1)).catch(() => process.exit(1))"
+
+EXPOSE 3000
+ENV PORT=3000
+
+CMD ["node", "dist/index.js"]

package/templates/docker/react.Dockerfile

@@ -0,0 +1,38 @@
+# Multi-stage build for React/Vite Single Page Applications (served via Nginx)
+
+# --- Build Stage ---
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+# --- Production Stage ---
+FROM nginx:alpine AS runner
+COPY --from=builder /app/dist /usr/share/nginx/html
+
+# Custom Nginx configuration to support SPA routing (redirect all fallback routes to index.html)
+RUN echo $'\n\
+server {\n\
+    listen 80;\n\
+    location / {\n\
+        root /usr/share/nginx/html;\n\
+        index index.html index.htm;\n\
+        try_files $uri $uri/ /index.html;\n\
+    }\n\
+    location /health {\n\
+        access_log off;\n\
+        add_header Content-Type text/plain;\n\
+        return 200 "healthy\\n";\n\
+    }\n\
+}' > /etc/nginx/conf.d/default.conf
+
+# Healthcheck
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
+  CMD wget --no-verbose --tries=1 --spider http://localhost/health || exit 1
+
+EXPOSE 80
+ENV PORT=80
+
+CMD ["nginx", "-g", "daemon off;"]

package/templates/github/deploy-ec2.yml

@@ -0,0 +1,163 @@
+name: MySystem EC2 Deployment
+
+on:
+  push:
+    branches:
+      - main
+      - master
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy to AWS EC2 (Hobbyist Tier)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      # --- Step 1: Parse MySystem Config File ---
+      - name: Parse MySystem Config
+        id: config
+        run: |
+          echo "APP_NAME=$(jq -r .name mysystem.json)" >> $GITHUB_ENV
+          echo "AWS_REGION=$(jq -r .region mysystem.json)" >> $GITHUB_ENV
+          echo "CONTAINER_PORT=$(jq -r .port mysystem.json)" >> $GITHUB_ENV
+          echo "BILLING_EMAIL=$(jq -r .billingEmail mysystem.json)" >> $GITHUB_ENV
+          echo "ENABLE_CUSTOM_DOMAIN=$(jq -r .customDomain mysystem.json)" >> $GITHUB_ENV
+          echo "DOMAIN_NAME=$(jq -r .domainName mysystem.json)" >> $GITHUB_ENV
+          echo "DNS_PROVIDER=$(jq -r .dnsProvider mysystem.json)" >> $GITHUB_ENV
+
+      # --- Step 2: Authenticate with AWS via OIDC ---
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+          audience: sts.amazonaws.com
+
+      # --- Step 3: Provision EC2 & ECR via Terraform ---
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.0
+
+      - name: Terraform Init & Apply
+        working-directory: ./terraform
+        env:
+          TF_VAR_aws_region: ${{ env.AWS_REGION }}
+          TF_VAR_app_name: ${{ env.APP_NAME }}
+          TF_VAR_container_port: ${{ env.CONTAINER_PORT }}
+          TF_VAR_billing_email: ${{ env.BILLING_EMAIL }}
+          TF_VAR_enable_custom_domain: ${{ env.ENABLE_CUSTOM_DOMAIN }}
+          TF_VAR_domain_name: ${{ env.DOMAIN_NAME }}
+          TF_VAR_dns_provider: ${{ env.DNS_PROVIDER }}
+        run: |
+          terraform init
+          terraform apply -auto-approve
+
+      # --- Step 4: Extract Terraform Outputs ---
+      - name: Get Outputs
+        id: tf_outputs
+        working-directory: ./terraform
+        run: |
+          echo "ECR_REPO=$(terraform output -raw ecr_repository_url)" >> $GITHUB_OUTPUT
+          echo "INSTANCE_ID=$(terraform output -raw instance_id)" >> $GITHUB_OUTPUT
+          echo "APP_URL=$(terraform output -raw application_url)" >> $GITHUB_OUTPUT
+
+      # --- Step 5: Login to Amazon ECR ---
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      # --- Step 6: Build and Push Docker Image ---
+      - name: Build, Tag, and Push Image to ECR
+        id: build-image
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ${{ steps.tf_outputs.outputs.ECR_REPO }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      # --- Step 7: Deploy to EC2 via AWS SSM ---
+      - name: Deploy to EC2 via AWS SSM
+        env:
+          INSTANCE_ID: ${{ steps.tf_outputs.outputs.INSTANCE_ID }}
+          IMAGE_URL: ${{ steps.build-image.outputs.image }}
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          AWS_DEFAULT_REGION: ${{ env.AWS_REGION }}
+          CONTAINER_PORT: ${{ env.CONTAINER_PORT }}
+          SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
+        run: |
+          # Generate a secure password for Postgres
+          DB_PASSWORD=$(openssl rand -base64 12)
+
+          # Write the deployment script
+          cat <<EOF > deploy.sh
+          #!/bin/bash
+          # 1. Login to ECR
+          aws ecr get-login-password --region ${AWS_DEFAULT_REGION} | docker login --username AWS --password-stdin ${ECR_REGISTRY}
+
+          # 2. Create app directory
+          mkdir -p /home/ec2-user/app
+          
+          # 3. Create docker-compose.yml
+          cat <<'COMPOSE' > /home/ec2-user/app/docker-compose.yml
+          version: '3.8'
+          services:
+            web:
+              image: ${IMAGE_URL}
+              restart: always
+              ports:
+                - "80:${CONTAINER_PORT}"
+              environment:
+                - PORT=${CONTAINER_PORT}
+                - NODE_ENV=production
+                - DATABASE_URL=postgresql://mysystem_admin:${DB_PASSWORD}@db:5432/mysystem_db
+                - SENTRY_DSN=${SENTRY_DSN}
+              depends_on:
+                - db
+
+            db:
+              image: postgres:15-alpine
+              restart: always
+              environment:
+                - POSTGRES_USER=mysystem_admin
+                - POSTGRES_PASSWORD=${DB_PASSWORD}
+                - POSTGRES_DB=mysystem_db
+              volumes:
+                - pgdata:/var/lib/postgresql/data
+
+          volumes:
+            pgdata:
+          COMPOSE
+
+          # 4. Pull and run containers
+          cd /home/ec2-user/app
+          docker compose pull
+          docker compose up -d
+          EOF
+
+          # Base64 encode the script to avoid all command-line escaping issues
+          B64_SCRIPT=\$(base64 -w 0 deploy.sh)
+
+          # Send run command to AWS SSM
+          CMD_ID=\$(aws ssm send-command \
+            --instance-ids "${INSTANCE_ID}" \
+            --document-name "AWS-RunShellScript" \
+            --parameters "commands=[\"echo '\$B64_SCRIPT' | base64 -d > /tmp/deploy.sh\", \"chmod +x /tmp/deploy.sh\", \"/tmp/deploy.sh\"]" \
+            --query "Command.CommandId" \
+            --region "${AWS_DEFAULT_REGION}" \
+            --output text)
+
+          echo "Deployment initiated via SSM. Command ID: \$CMD_ID"
+
+      - name: Show App URL
+        run: |
+          echo "🎉 App successfully deployed to: ${{ steps.tf_outputs.outputs.APP_URL }}"

package/templates/github/deploy.yml

@@ -0,0 +1,94 @@
+name: MySystem Deployment
+
+on:
+  push:
+    branches:
+      - main
+      - master
+
+permissions:
+  id-token: write # Required for AWS OIDC authentication
+  contents: read
+
+jobs:
+  deploy:
+    name: Deploy to AWS Fargate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      # --- Step 1: Authenticate with AWS via OIDC ---
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-1 # Will be customized by CLI on setup
+          audience: sts.amazonaws.com
+
+      # --- Step 2: Provision Infrastructure using Terraform ---
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.0
+
+      - name: Terraform Init & Apply
+        working-directory: ./terraform
+        run: |
+          terraform init
+          terraform apply -auto-approve
+
+      # --- Step 3: Extract Terraform Outputs ---
+      - name: Get Outputs
+        id: tf_outputs
+        working-directory: ./terraform
+        run: |
+          echo "ECR_REPO=$(terraform output -raw ecr_repository_url)" >> $GITHUB_OUTPUT
+          echo "APP_URL=$(terraform output -raw application_url)" >> $GITHUB_OUTPUT
+
+      # --- Step 4: Login to Amazon ECR ---
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      # --- Step 5: Build and Push Docker Image ---
+      - name: Build, Tag, and Push Image to ECR
+        id: build-image
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: ${{ steps.tf_outputs.outputs.ECR_REPO }}
+          IMAGE_TAG: ${{ github.sha }}
+        run: |
+          # Build a local Docker image
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+          # Push it to ECR
+          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          # Save image URL as output
+          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      # --- Step 6: Deploy to ECS Fargate ---
+      # This pulls down the task definition template, updates it with the new image, and deploys it.
+      - name: Download Task Definition
+        run: |
+          aws ecs describe-task-definition --task-definition ${{ github.event.repository.name }} --query taskDefinition > task-definition.json
+
+      - name: Fill in the new image ID in the Amazon ECS task definition
+        id: render-task-def
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: task-definition.json
+          container-name: ${{ github.event.repository.name }}
+          image: ${{ steps.build-image.outputs.image }}
+
+      - name: Deploy Amazon ECS task definition
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+        with:
+          task-definition: ${{ steps.render-task-def.outputs.task-definition }}
+          service: ${{ github.event.repository.name }}
+          cluster: ${{ github.event.repository.name }}-cluster
+          wait-for-service-stability: true
+
+      - name: Show App URL
+        run: |
+          echo "🎉 App successfully deployed to: ${{ steps.tf_outputs.outputs.APP_URL }}"

package/templates/github/destroy.yml

@@ -0,0 +1,43 @@
+name: MySystem Teardown (Destroy)
+
+on:
+  workflow_dispatch: # Allows manual trigger from the GitHub Actions UI
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  destroy:
+    name: Teardown AWS Infrastructure
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      # --- Step 1: Authenticate with AWS via OIDC ---
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-1 # Will be customized by CLI on setup
+          audience: sts.amazonaws.com
+
+      # --- Step 2: Set up Terraform ---
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.6.0
+
+      # --- Step 3: Run Terraform Destroy ---
+      - name: Terraform Init & Destroy
+        working-directory: ./terraform
+        run: |
+          terraform init
+          terraform destroy -auto-approve
+
+      - name: Success Message
+        run: |
+          echo "🔥 All AWS resources for this application have been successfully destroyed."
+          echo "Your AWS billing for this project has been stopped."

package/templates/terraform/alb.tf

@@ -0,0 +1,69 @@
+resource "aws_lb" "main" {
+  name               = "${var.app_name}-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb.id]
+  subnets            = aws_subnet.public[*].id
+
+  tags = {
+    Name = "${var.app_name}-alb"
+  }
+}
+
+resource "aws_lb_target_group" "app" {
+  name        = "${var.app_name}-tg"
+  port        = var.container_port
+  protocol    = "HTTP"
+  vpc_id      = aws_vpc.main.id
+  target_type = "ip"
+
+  health_check {
+    healthy_threshold   = 3
+    unhealthy_threshold = 3
+    timeout             = 5
+    interval            = 30
+    path                = "/health" # Compliant with AGENTS.md rule
+    protocol            = "HTTP"
+    matcher             = "200"
+  }
+
+  tags = {
+    Name = "${var.app_name}-tg"
+  }
+}
+
+# HTTP Listener (Port 80)
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = "80"
+  protocol          = "HTTP"
+
+  default_action {
+    type             = var.enable_custom_domain ? "redirect" : "forward"
+    target_group_arn = var.enable_custom_domain ? null : aws_lb_target_group.app.arn
+
+    dynamic "redirect" {
+      for_each = var.enable_custom_domain ? [1] : []
+      content {
+        port        = "443"
+        protocol    = "HTTPS"
+        status_code = "HTTP_301"
+      }
+    }
+  }
+}
+
+# HTTPS Listener (Port 443) - Created only if custom domain is enabled
+resource "aws_lb_listener" "https" {
+  count             = var.enable_custom_domain ? 1 : 0
+  load_balancer_arn = aws_lb.main.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-2016-08"
+  certificate_arn   = aws_acm_certificate.cert[0].arn
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app.arn
+  }
+}