kyma-deploylisted

# Deploying kyma to production kyma's production topology: **ECS Fargate** runs the engine container (web UI + API, ARM64), **S3** holds the columnar extents (keyless IAM task-role auth), **Supabase** provides the catalog Postgres and user sign-in (Supabase Auth — email/password + OAuth providers). Terraform is the source of truth; Pulumi wraps the same stack. Cost floor ≈ ALB ~$16/mo + 1 Fargate task ~$15/mo + S3 + Supabase tier (no NAT gateway). ## The happy path ```sh kyma deploy init # wizard: credentials, region, domain, admin emails kyma deploy up # terraform init+apply (streams output), then prints the engine URL kyma deploy status # outputs + live /health probe ``` `init` is interactive by default and acquires credentials on the user's behalf where possible: - **Supabase token**: `SUPABASE_ACCESS_TOKEN` env → reuse `supabase login` (`~/.supabase/access-token`) → browser OAuth (if `KYMA_SUPABASE_OAUTH_CLIENT_ID` is configured) → guided paste from https://supabase.com/dashboard/account/tokens - **AWS**: standard credential chain; on failure it tells the user to run `aws configure` or `aws sso login`. Useful flags: `--name <ws>` (multiple deployments), `--tool pulumi`, `--region`, `--domain kyma.example.com`, `--admin-email a@b.com`, `--yes` (non-interactive; requires `--supabase-org` + a token source), `--print-only` (render config + show planned commands, run nothing — use this to preview for the user before doing anything real). ## Local test d