thinkwork-cli 0.1.0

package/README.md

@@ -0,0 +1,126 @@
+# @thinkwork-ai/cli
+
+Deploy and manage Thinkwork AI agent stacks on AWS.
+
+## Install
+
+```bash
+npm install -g @thinkwork-ai/cli
+```
+
+Or run without installing:
+
+```bash
+npx @thinkwork-ai/cli --help
+```
+
+## Quick Start
+
+```bash
+# 1. Authenticate with AWS
+thinkwork login
+
+# 2. Check prerequisites
+thinkwork doctor -s dev
+
+# 3. Initialize a new environment
+thinkwork init -s dev
+
+# 4. Review the plan
+thinkwork plan -s dev
+
+# 5. Deploy
+thinkwork deploy -s dev
+
+# 6. Seed workspace files + skill catalog
+thinkwork bootstrap -s dev
+```
+
+## Commands
+
+### Setup
+
+| Command | Description |
+|---------|-------------|
+| `thinkwork login` | Configure AWS credentials (access keys or SSO) |
+| `thinkwork init -s <stage>` | Initialize a new environment (generates tfvars, runs terraform init) |
+| `thinkwork doctor -s <stage>` | Check prerequisites (AWS CLI, Terraform, credentials, Bedrock access) |
+
+### Deploy
+
+| Command | Description |
+|---------|-------------|
+| `thinkwork plan -s <stage>` | Preview infrastructure changes |
+| `thinkwork deploy -s <stage>` | Deploy infrastructure (terraform apply) |
+| `thinkwork bootstrap -s <stage>` | Seed workspace defaults, skill catalog, and per-tenant files |
+| `thinkwork destroy -s <stage>` | Tear down infrastructure |
+
+### Manage
+
+| Command | Description |
+|---------|-------------|
+| `thinkwork outputs -s <stage>` | Show deployment outputs (API URL, Cognito IDs, etc.) |
+| `thinkwork config get <key> -s <stage>` | Read a configuration value |
+| `thinkwork config set <key> <value> -s <stage>` | Update a configuration value |
+
+## Options
+
+```
+-s, --stage <name>      Deployment stage (required for most commands)
+-p, --profile <name>    AWS profile to use
+-c, --component <tier>  Component tier: foundation, data, app, or all (default: all)
+-y, --yes               Skip confirmation prompts (for CI)
+-v, --version           Print CLI version
+-h, --help              Show help
+```
+
+## Examples
+
+### Switch memory engine
+
+```bash
+# Switch from managed to Hindsight memory
+thinkwork config set memory-engine hindsight -s dev --apply
+```
+
+### Deploy a specific tier
+
+```bash
+# Only deploy the app tier (Lambda functions, API Gateway)
+thinkwork deploy -s dev -c app
+```
+
+### Use with AWS SSO
+
+```bash
+thinkwork login --sso --profile my-org
+thinkwork deploy -s dev --profile my-org
+```
+
+### CI/CD (non-interactive)
+
+```bash
+thinkwork deploy -s prod -y
+```
+
+## Prerequisites
+
+- Node.js >= 20
+- [AWS CLI](https://aws.amazon.com/cli/) v2
+- [Terraform](https://developer.hashicorp.com/terraform/install) >= 1.5
+- AWS account with Bedrock model access enabled
+
+## What Gets Deployed
+
+Thinkwork provisions a complete AI agent stack:
+
+- **Compute**: Lambda functions (39 handlers), AgentCore container (Lambda + ECR)
+- **Database**: Aurora Serverless PostgreSQL with pgvector
+- **Auth**: Cognito user pool (admin + mobile clients)
+- **API**: API Gateway (REST + GraphQL), AppSync (WebSocket subscriptions)
+- **Storage**: S3 (workspace files, skills, knowledge bases)
+- **Memory**: Managed (built-in) or Hindsight (ECS Fargate, opt-in)
+
+## License
+
+MIT

package/dist/cli.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node

package/dist/cli.js

@@ -0,0 +1,828 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { Command } from "commander";
+
+// src/version.ts
+import { createRequire } from "module";
+var require2 = createRequire(import.meta.url);
+var pkg = require2("../package.json");
+var VERSION = pkg.version;
+
+// src/config.ts
+var VALID_COMPONENTS = ["foundation", "data", "app", "all"];
+var PROD_LIKE_STAGES = ["main", "prod", "production", "staging"];
+function validateStage(stage) {
+  if (!stage) {
+    return { valid: false, error: "Stage name is required." };
+  }
+  if (!/^[a-z][a-z0-9-]{1,29}$/.test(stage)) {
+    return {
+      valid: false,
+      error: `Invalid stage name "${stage}". Must be lowercase alphanumeric + hyphens, 2-30 characters, starting with a letter.`
+    };
+  }
+  return { valid: true };
+}
+function validateComponent(component) {
+  if (!VALID_COMPONENTS.includes(component)) {
+    return {
+      valid: false,
+      error: `Invalid component "${component}". Must be one of: ${VALID_COMPONENTS.join(", ")}`
+    };
+  }
+  return { valid: true };
+}
+function isProdLike(stage) {
+  return PROD_LIKE_STAGES.includes(stage);
+}
+function expandComponent(component) {
+  if (component === "all") {
+    return ["foundation", "data", "app"];
+  }
+  return [component];
+}
+
+// src/aws.ts
+import { execSync } from "child_process";
+function getAwsIdentity() {
+  try {
+    const raw = execSync("aws sts get-caller-identity --output json", {
+      encoding: "utf-8",
+      timeout: 1e4,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    const parsed = JSON.parse(raw);
+    let region = process.env.AWS_REGION || process.env.AWS_DEFAULT_REGION || "unknown";
+    if (region === "unknown") {
+      try {
+        region = execSync("aws configure get region", {
+          encoding: "utf-8",
+          timeout: 5e3,
+          stdio: ["pipe", "pipe", "pipe"]
+        }).trim() || "unknown";
+      } catch {
+      }
+    }
+    return {
+      account: parsed.Account,
+      region,
+      arn: parsed.Arn
+    };
+  } catch {
+    return null;
+  }
+}
+
+// src/terraform.ts
+import { spawn } from "child_process";
+import { existsSync } from "fs";
+import path from "path";
+function resolveTierDir(terraformDir, stage, tier) {
+  const envDir = path.join(terraformDir, "environments", stage, tier);
+  if (existsSync(envDir)) {
+    return envDir;
+  }
+  return path.join(terraformDir, "examples", "greenfield");
+}
+async function ensureWorkspace(cwd, stage) {
+  const list = await runTerraformRaw(cwd, ["workspace", "list"]);
+  const workspaces = list.split("\n").map((l) => l.replace("*", "").trim()).filter(Boolean);
+  if (!workspaces.includes(stage)) {
+    await runTerraformRaw(cwd, ["workspace", "new", stage]);
+  } else {
+    await runTerraformRaw(cwd, ["workspace", "select", stage]);
+  }
+}
+function runTerraformRaw(cwd, args) {
+  return new Promise((resolve3, reject) => {
+    const proc = spawn("terraform", args, {
+      cwd,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (d) => stdout += d);
+    proc.stderr.on("data", (d) => stderr += d);
+    proc.on("close", (code) => {
+      if (code === 0) resolve3(stdout);
+      else reject(new Error(`terraform ${args.join(" ")} failed (exit ${code}): ${stderr}`));
+    });
+  });
+}
+function runTerraform(cwd, args) {
+  return new Promise((resolve3) => {
+    console.log(`
+  \u2192 terraform ${args.join(" ")}
+`);
+    const proc = spawn("terraform", args, {
+      cwd,
+      stdio: "inherit"
+    });
+    proc.on("close", (code) => resolve3(code ?? 1));
+  });
+}
+async function ensureInit(cwd) {
+  const dotTerraform = path.join(cwd, ".terraform");
+  if (!existsSync(dotTerraform)) {
+    const code = await runTerraform(cwd, ["init"]);
+    if (code !== 0) {
+      throw new Error("terraform init failed");
+    }
+  }
+}
+
+// src/ui.ts
+import chalk from "chalk";
+import ora from "ora";
+var TIER_LABELS = {
+  foundation: "Foundation",
+  data: "Data",
+  app: "App"
+};
+function printHeader(command, stage, identity) {
+  console.log("");
+  console.log(chalk.bold.cyan("  \u2B21 Thinkwork") + chalk.dim(` \u2014 ${command}`));
+  console.log(chalk.dim(`  Stage: ${chalk.white(stage)}`));
+  if (identity) {
+    console.log(chalk.dim(`  AWS:   ${chalk.white(identity.account)} / ${chalk.white(identity.region)}`));
+  }
+  console.log("");
+}
+function printTierHeader(tier, index, total) {
+  const label = TIER_LABELS[tier] ?? tier;
+  const progress = chalk.dim(`[${index + 1}/${total}]`);
+  console.log(`  ${progress} ${chalk.bold(label)}`);
+}
+function printSuccess(message) {
+  console.log(`
+  ${chalk.green("\u2713")} ${chalk.bold(message)}`);
+}
+function printError(message) {
+  console.log(`
+  ${chalk.red("\u2717")} ${chalk.bold.red(message)}`);
+}
+function printWarning(message) {
+  console.log(`  ${chalk.yellow("\u26A0")} ${message}`);
+}
+function printSummary(command, stage, tiers, startTime) {
+  const elapsed = ((Date.now() - startTime) / 1e3).toFixed(1);
+  console.log("");
+  console.log(chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(`  ${chalk.bold("Command:")}  ${command}`);
+  console.log(`  ${chalk.bold("Stage:")}    ${stage}`);
+  console.log(`  ${chalk.bold("Tiers:")}    ${tiers.map((t) => TIER_LABELS[t] ?? t).join(" \u2192 ")}`);
+  console.log(`  ${chalk.bold("Time:")}     ${elapsed}s`);
+  console.log(chalk.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+}
+
+// src/commands/plan.ts
+function registerPlanCommand(program2) {
+  program2.command("plan").description("Run terraform plan for a stage").option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage").option("-c, --component <tier>", "Component tier (foundation|data|app|all)", "all").action(async (opts) => {
+    const startTime = Date.now();
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    const compCheck = validateComponent(opts.component);
+    if (!compCheck.valid) {
+      printError(compCheck.error);
+      process.exit(1);
+    }
+    const identity = getAwsIdentity();
+    printHeader("plan", opts.stage, identity);
+    const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+    const tiers = expandComponent(opts.component);
+    for (let i = 0; i < tiers.length; i++) {
+      const tier = tiers[i];
+      printTierHeader(tier, i, tiers.length);
+      const cwd = resolveTierDir(terraformDir, opts.stage, tier);
+      await ensureInit(cwd);
+      await ensureWorkspace(cwd, opts.stage);
+      const code = await runTerraform(cwd, [
+        "plan",
+        `-var=stage=${opts.stage}`
+      ]);
+      if (code !== 0) {
+        printError(`Plan failed for ${tier} (exit ${code})`);
+        process.exit(code);
+      }
+    }
+    printSuccess("Plan complete");
+    printSummary("plan", opts.stage, tiers, startTime);
+  });
+}
+
+// src/prompt.ts
+import { createInterface } from "readline";
+async function confirm(message) {
+  const rl = createInterface({
+    input: process.stdin,
+    output: process.stdout
+  });
+  return new Promise((resolve3) => {
+    rl.question(`${message} [y/N] `, (answer) => {
+      rl.close();
+      resolve3(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+    });
+  });
+}
+
+// src/commands/deploy.ts
+function registerDeployCommand(program2) {
+  program2.command("deploy").description("Run terraform apply for a stage").option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage").option("-c, --component <tier>", "Component tier (foundation|data|app|all)", "all").option("-y, --yes", "Skip interactive confirmation (for CI)").action(async (opts) => {
+    const startTime = Date.now();
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    const compCheck = validateComponent(opts.component);
+    if (!compCheck.valid) {
+      printError(compCheck.error);
+      process.exit(1);
+    }
+    const identity = getAwsIdentity();
+    printHeader("deploy", opts.stage, identity);
+    if (!identity) {
+      printWarning("Could not resolve AWS identity. Is the AWS CLI configured?");
+    }
+    if (isProdLike(opts.stage) && !opts.yes) {
+      const ok = await confirm(
+        `  Stage "${opts.stage}" is production-like. Deploy?`
+      );
+      if (!ok) {
+        console.log("  Aborted.");
+        process.exit(0);
+      }
+    } else if (!opts.yes) {
+      const ok = await confirm(`  Deploy to stage "${opts.stage}"?`);
+      if (!ok) {
+        console.log("  Aborted.");
+        process.exit(0);
+      }
+    }
+    const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+    const tiers = expandComponent(opts.component);
+    for (let i = 0; i < tiers.length; i++) {
+      const tier = tiers[i];
+      printTierHeader(tier, i, tiers.length);
+      const cwd = resolveTierDir(terraformDir, opts.stage, tier);
+      await ensureInit(cwd);
+      await ensureWorkspace(cwd, opts.stage);
+      const code = await runTerraform(cwd, [
+        "apply",
+        "-auto-approve",
+        `-var=stage=${opts.stage}`
+      ]);
+      if (code !== 0) {
+        printError(`Deploy failed for ${tier} (exit ${code})`);
+        process.exit(code);
+      }
+    }
+    printSuccess("Deploy complete");
+    printSummary("deploy", opts.stage, tiers, startTime);
+  });
+}
+
+// src/commands/destroy.ts
+function registerDestroyCommand(program2) {
+  program2.command("destroy").description("Run terraform destroy for a stage").option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage").option("-c, --component <tier>", "Component tier (foundation|data|app|all)", "all").option("-y, --yes", "Skip interactive confirmation (for CI)").action(async (opts) => {
+    const startTime = Date.now();
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    const compCheck = validateComponent(opts.component);
+    if (!compCheck.valid) {
+      printError(compCheck.error);
+      process.exit(1);
+    }
+    const identity = getAwsIdentity();
+    printHeader("destroy", opts.stage, identity);
+    if (!identity) {
+      printWarning("Could not resolve AWS identity. Is the AWS CLI configured?");
+    }
+    if (isProdLike(opts.stage)) {
+      printWarning(`Stage "${opts.stage}" is production-like.`);
+      if (!opts.yes) {
+        const ok = await confirm(
+          `  Type 'y' to confirm destruction of stage "${opts.stage}":`
+        );
+        if (!ok) {
+          console.log("  Aborted.");
+          process.exit(0);
+        }
+      }
+      console.log(`  Proceeding with destroy of "${opts.stage}" (--yes provided).`);
+    } else if (!opts.yes) {
+      const ok = await confirm(`  Destroy stage "${opts.stage}"?`);
+      if (!ok) {
+        console.log("  Aborted.");
+        process.exit(0);
+      }
+    }
+    const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+    const tiers = expandComponent(opts.component).reverse();
+    for (let i = 0; i < tiers.length; i++) {
+      const tier = tiers[i];
+      printTierHeader(tier, i, tiers.length);
+      const cwd = resolveTierDir(terraformDir, opts.stage, tier);
+      await ensureInit(cwd);
+      await ensureWorkspace(cwd, opts.stage);
+      const code = await runTerraform(cwd, [
+        "destroy",
+        "-auto-approve",
+        `-var=stage=${opts.stage}`
+      ]);
+      if (code !== 0) {
+        printError(`Destroy failed for ${tier} (exit ${code})`);
+        process.exit(code);
+      }
+    }
+    printSuccess("Destroy complete");
+    printSummary("destroy", opts.stage, tiers, startTime);
+  });
+}
+
+// src/commands/doctor.ts
+import chalk2 from "chalk";
+import { execSync as execSync2 } from "child_process";
+function checkAwsCli() {
+  return {
+    name: "AWS CLI installed",
+    run: () => {
+      try {
+        const v = execSync2("aws --version", { encoding: "utf-8", timeout: 5e3, stdio: ["pipe", "pipe", "pipe"] }).trim();
+        return { pass: true, detail: v.split(" ")[0] ?? v };
+      } catch {
+        return { pass: false, detail: "aws CLI not found. Install: https://aws.amazon.com/cli/" };
+      }
+    }
+  };
+}
+function checkTerraformCli() {
+  return {
+    name: "Terraform CLI installed",
+    run: () => {
+      try {
+        const v = execSync2("terraform version -json", { encoding: "utf-8", timeout: 5e3, stdio: ["pipe", "pipe", "pipe"] });
+        const parsed = JSON.parse(v);
+        return { pass: true, detail: `v${parsed.terraform_version}` };
+      } catch {
+        return { pass: false, detail: "terraform CLI not found. Install: https://developer.hashicorp.com/terraform/install" };
+      }
+    }
+  };
+}
+function checkAwsIdentity() {
+  return {
+    name: "AWS credentials configured",
+    run: () => {
+      const identity = getAwsIdentity();
+      if (identity) {
+        return { pass: true, detail: `account=${identity.account} region=${identity.region}` };
+      }
+      return { pass: false, detail: "Could not resolve AWS identity. Run `aws configure` or set AWS_PROFILE." };
+    }
+  };
+}
+function checkBedrockAccess() {
+  return {
+    name: "Bedrock model access",
+    run: () => {
+      try {
+        execSync2(
+          "aws bedrock get-foundation-model --model-identifier anthropic.claude-3-haiku-20240307-v1:0 --output json --region us-east-1",
+          { encoding: "utf-8", timeout: 1e4, stdio: ["pipe", "pipe", "pipe"] }
+        );
+        return { pass: true, detail: "anthropic.claude-3-haiku accessible" };
+      } catch {
+        return {
+          pass: false,
+          detail: "Bedrock model access not confirmed. You may need to request model access in the AWS console."
+        };
+      }
+    }
+  };
+}
+function registerDoctorCommand(program2) {
+  program2.command("doctor").description("Check AWS account prerequisites for a Thinkwork deployment").option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage").action((opts) => {
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    printHeader("doctor", opts.stage);
+    const checks = [
+      checkAwsCli(),
+      checkTerraformCli(),
+      checkAwsIdentity(),
+      checkBedrockAccess()
+    ];
+    let allPass = true;
+    for (const check of checks) {
+      const result = check.run();
+      const icon = result.pass ? chalk2.green("\u2713") : chalk2.red("\u2717");
+      const detail = result.pass ? chalk2.dim(result.detail) : chalk2.yellow(result.detail);
+      console.log(`  ${icon} ${check.name}  ${detail}`);
+      if (!result.pass) allPass = false;
+    }
+    if (allPass) {
+      console.log(`
+  ${chalk2.green.bold("All checks passed.")}`);
+    } else {
+      console.log(`
+  ${chalk2.yellow.bold("Some checks failed.")} Fix the issues above before deploying.`);
+    }
+    process.exit(allPass ? 0 : 1);
+  });
+}
+
+// src/commands/outputs.ts
+function registerOutputsCommand(program2) {
+  program2.command("outputs").description("Show terraform outputs for a stage").option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage").option("-c, --component <tier>", "Component tier (foundation|data|app|all)", "all").action(async (opts) => {
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    const compCheck = validateComponent(opts.component);
+    if (!compCheck.valid) {
+      printError(compCheck.error);
+      process.exit(1);
+    }
+    printHeader("outputs", opts.stage);
+    const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+    const tiers = expandComponent(opts.component);
+    for (let i = 0; i < tiers.length; i++) {
+      const tier = tiers[i];
+      printTierHeader(tier, i, tiers.length);
+      const cwd = resolveTierDir(terraformDir, opts.stage, tier);
+      await ensureInit(cwd);
+      await ensureWorkspace(cwd, opts.stage);
+      const code = await runTerraform(cwd, ["output"]);
+      if (code !== 0) {
+        printError(`Outputs failed for ${tier} (exit ${code})`);
+        process.exit(code);
+      }
+    }
+  });
+}
+
+// src/commands/config.ts
+import { readFileSync, writeFileSync, existsSync as existsSync2 } from "fs";
+var VALID_MEMORY_ENGINES = ["managed", "hindsight"];
+function readTfVar(tfvarsPath, key) {
+  if (!existsSync2(tfvarsPath)) return null;
+  const content = readFileSync(tfvarsPath, "utf-8");
+  const match = content.match(new RegExp(`^${key}\\s*=\\s*"([^"]*)"`, "m"));
+  return match ? match[1] : null;
+}
+function setTfVar(tfvarsPath, key, value) {
+  if (!existsSync2(tfvarsPath)) {
+    throw new Error(`terraform.tfvars not found at ${tfvarsPath}`);
+  }
+  let content = readFileSync(tfvarsPath, "utf-8");
+  const regex = new RegExp(`^(${key}\\s*=\\s*)"[^"]*"`, "m");
+  if (regex.test(content)) {
+    content = content.replace(regex, `$1"${value}"`);
+  } else {
+    content += `
+${key} = "${value}"
+`;
+  }
+  writeFileSync(tfvarsPath, content);
+}
+function registerConfigCommand(program2) {
+  const config = program2.command("config").description("View or change stack configuration");
+  config.command("get <key>").description("Get a configuration value (e.g. memory-engine)").requiredOption("-s, --stage <name>", "Deployment stage").action((key, opts) => {
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+    const cwd = resolveTierDir(terraformDir, opts.stage, "app");
+    const tfvarsPath = `${cwd}/terraform.tfvars`;
+    const tfKey = key.replace(/-/g, "_");
+    const value = readTfVar(tfvarsPath, tfKey);
+    if (value === null) {
+      printWarning(`${key} is not set in ${tfvarsPath}`);
+    } else {
+      console.log(`  ${key} = ${value}`);
+    }
+  });
+  config.command("set <key> <value>").description("Set a configuration value and optionally deploy (e.g. config set memory-engine hindsight)").requiredOption("-s, --stage <name>", "Deployment stage").option("--apply", "Run terraform apply after changing the value").action(async (key, value, opts) => {
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    const tfKey = key.replace(/-/g, "_");
+    if (tfKey === "memory_engine" && !VALID_MEMORY_ENGINES.includes(value)) {
+      printError(`Invalid memory engine "${value}". Must be: ${VALID_MEMORY_ENGINES.join(", ")}`);
+      process.exit(1);
+    }
+    const identity = getAwsIdentity();
+    printHeader("config set", opts.stage, identity);
+    const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+    const cwd = resolveTierDir(terraformDir, opts.stage, "app");
+    const tfvarsPath = `${cwd}/terraform.tfvars`;
+    const oldValue = readTfVar(tfvarsPath, tfKey);
+    setTfVar(tfvarsPath, tfKey, value);
+    console.log(`  ${key}: ${oldValue ?? "(unset)"} \u2192 ${value}`);
+    if (opts.apply) {
+      console.log("");
+      console.log("  Applying configuration change...");
+      await ensureInit(cwd);
+      await ensureWorkspace(cwd, opts.stage);
+      const code = await runTerraform(cwd, [
+        "apply",
+        "-auto-approve",
+        `-var=stage=${opts.stage}`
+      ]);
+      if (code !== 0) {
+        printError(`Deploy failed (exit ${code})`);
+        process.exit(code);
+      }
+      printSuccess(`Configuration applied: ${key} = ${value}`);
+    } else {
+      printSuccess(`Configuration updated: ${key} = ${value}`);
+      printWarning("Run with --apply to deploy the change, or run 'thinkwork deploy' separately.");
+    }
+  });
+}
+
+// src/commands/bootstrap.ts
+import { spawn as spawn2 } from "child_process";
+import { resolve } from "path";
+function getTerraformOutput(cwd, key) {
+  return new Promise((resolve3, reject) => {
+    const proc = spawn2("terraform", ["output", "-raw", key], {
+      cwd,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    proc.stdout.on("data", (d) => stdout += d);
+    proc.on("close", (code) => {
+      if (code === 0) resolve3(stdout.trim());
+      else reject(new Error(`terraform output ${key} failed (exit ${code})`));
+    });
+  });
+}
+function runScript(scriptPath, args) {
+  return new Promise((resolve3) => {
+    const proc = spawn2("bash", [scriptPath, ...args], {
+      stdio: "inherit"
+    });
+    proc.on("close", (code) => resolve3(code ?? 1));
+  });
+}
+function registerBootstrapCommand(program2) {
+  program2.command("bootstrap").description("Seed workspace defaults, skill catalog, and per-tenant files for a stage").requiredOption("-s, --stage <name>", "Deployment stage").action(async (opts) => {
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    const identity = getAwsIdentity();
+    printHeader("bootstrap", opts.stage, identity);
+    const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+    const cwd = resolveTierDir(terraformDir, opts.stage, "app");
+    await ensureInit(cwd);
+    await ensureWorkspace(cwd, opts.stage);
+    let bucket;
+    let dbEndpoint;
+    let dbPassword;
+    try {
+      bucket = await getTerraformOutput(cwd, "bucket_name");
+      dbEndpoint = await getTerraformOutput(cwd, "db_cluster_endpoint");
+      const secretArn = await getTerraformOutput(cwd, "db_secret_arn");
+      const { execSync: execSync5 } = await import("child_process");
+      const secretJson = execSync5(
+        `aws secretsmanager get-secret-value --secret-id "${secretArn}" --query SecretString --output text`,
+        { encoding: "utf-8" }
+      ).trim();
+      const secret = JSON.parse(secretJson);
+      dbPassword = secret.password;
+    } catch (err) {
+      printError(`Failed to read terraform outputs: ${err}`);
+      process.exit(1);
+    }
+    const databaseUrl = `postgresql://thinkwork_admin:${encodeURIComponent(dbPassword)}@${dbEndpoint}:5432/thinkwork?sslmode=no-verify`;
+    const repoRoot = resolve(terraformDir);
+    const scriptPath = resolve(repoRoot, "scripts/bootstrap-workspace.sh");
+    const code = await runScript(scriptPath, [opts.stage, bucket, databaseUrl]);
+    if (code !== 0) {
+      printError(`Bootstrap failed (exit ${code})`);
+      process.exit(code);
+    }
+    printSuccess("Bootstrap complete");
+  });
+}
+
+// src/commands/login.ts
+import { execSync as execSync3 } from "child_process";
+import { createInterface as createInterface2 } from "readline";
+function ask(prompt) {
+  const rl = createInterface2({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve3) => {
+    rl.question(prompt, (answer) => {
+      rl.close();
+      resolve3(answer.trim());
+    });
+  });
+}
+function registerLoginCommand(program2) {
+  program2.command("login").description("Configure AWS credentials for Thinkwork deployments").option("--profile <name>", "AWS profile name to configure", "thinkwork").option("--sso", "Use AWS SSO (Identity Center) login").action(async (opts) => {
+    printHeader("login", opts.profile);
+    const existing = getAwsIdentity();
+    if (existing) {
+      console.log(`  Already authenticated:`);
+      console.log(`    Account: ${existing.account}`);
+      console.log(`    Region:  ${existing.region}`);
+      console.log(`    ARN:     ${existing.arn}`);
+      console.log("");
+      const reauth = await ask("  Re-authenticate? [y/N] ");
+      if (reauth.toLowerCase() !== "y") {
+        printSuccess("Using existing credentials");
+        return;
+      }
+    }
+    if (opts.sso) {
+      console.log("  Launching AWS SSO login...");
+      console.log("");
+      try {
+        execSync3(`aws sso login --profile ${opts.profile}`, {
+          stdio: "inherit"
+        });
+        process.env.AWS_PROFILE = opts.profile;
+        const identity2 = getAwsIdentity();
+        if (identity2) {
+          printSuccess(`Logged in via SSO (account: ${identity2.account}, region: ${identity2.region})`);
+        } else {
+          printError("SSO login succeeded but could not verify identity");
+        }
+      } catch {
+        printError("SSO login failed. Run `aws configure sso` first to set up your SSO profile.");
+      }
+      return;
+    }
+    console.log("  Enter your AWS credentials. These will be saved to the");
+    console.log(`  AWS CLI profile "${opts.profile}".`);
+    console.log("");
+    const accessKeyId = await ask("  AWS Access Key ID: ");
+    if (!accessKeyId) {
+      printError("Access Key ID is required");
+      process.exit(1);
+    }
+    const secretAccessKey = await ask("  AWS Secret Access Key: ");
+    if (!secretAccessKey) {
+      printError("Secret Access Key is required");
+      process.exit(1);
+    }
+    const region = await ask("  Default region [us-east-1]: ");
+    const finalRegion = region || "us-east-1";
+    try {
+      execSync3(`aws configure set aws_access_key_id "${accessKeyId}" --profile ${opts.profile}`, { stdio: "pipe" });
+      execSync3(`aws configure set aws_secret_access_key "${secretAccessKey}" --profile ${opts.profile}`, { stdio: "pipe" });
+      execSync3(`aws configure set region "${finalRegion}" --profile ${opts.profile}`, { stdio: "pipe" });
+    } catch (err) {
+      printError(`Failed to save credentials: ${err}`);
+      process.exit(1);
+    }
+    process.env.AWS_PROFILE = opts.profile;
+    const identity = getAwsIdentity();
+    if (identity) {
+      printSuccess(`Logged in (account: ${identity.account}, region: ${identity.region})`);
+      console.log("");
+      console.log(`  Profile saved as "${opts.profile}". Use it with:`);
+      console.log(`    thinkwork deploy -s dev --profile ${opts.profile}`);
+      console.log(`    export AWS_PROFILE=${opts.profile}`);
+    } else {
+      printError("Credentials saved but could not verify. Check your Access Key ID and Secret.");
+    }
+  });
+}
+
+// src/commands/init.ts
+import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve2, join } from "path";
+import { execSync as execSync4 } from "child_process";
+import { createInterface as createInterface3 } from "readline";
+function ask2(prompt, defaultVal = "") {
+  const rl = createInterface3({ input: process.stdin, output: process.stdout });
+  const suffix = defaultVal ? ` [${defaultVal}]` : "";
+  return new Promise((resolve3) => {
+    rl.question(`${prompt}${suffix}: `, (answer) => {
+      rl.close();
+      resolve3(answer.trim() || defaultVal);
+    });
+  });
+}
+function generatePassword() {
+  const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%";
+  let pw = "";
+  const bytes = new Uint8Array(32);
+  globalThis.crypto.getRandomValues(bytes);
+  for (const b of bytes) pw += chars[b % chars.length];
+  return pw;
+}
+var TFVARS_TEMPLATE = `# Thinkwork \u2014 {STAGE} stage
+# Generated by: thinkwork init -s {STAGE}
+
+stage      = "{STAGE}"
+region     = "{REGION}"
+account_id = "{ACCOUNT_ID}"
+
+# Database
+database_engine = "aurora-serverless"
+db_password = "{DB_PASSWORD}"
+
+# Memory engine: "managed" (built-in) or "hindsight" (ECS Fargate service)
+memory_engine = "{MEMORY_ENGINE}"
+
+# API authentication secret (shared between services)
+api_auth_secret = "{API_SECRET}"
+`;
+function registerInitCommand(program2) {
+  program2.command("init").description("Initialize a new Thinkwork environment").requiredOption("-s, --stage <name>", "Stage name (e.g. dev, staging, prod)").option("-d, --dir <path>", "Directory to initialize in", ".").action(async (opts) => {
+    const stageCheck = validateStage(opts.stage);
+    if (!stageCheck.valid) {
+      printError(stageCheck.error);
+      process.exit(1);
+    }
+    const identity = getAwsIdentity();
+    printHeader("init", opts.stage, identity);
+    if (!identity) {
+      printError("AWS credentials not configured. Run `thinkwork login` first.");
+      process.exit(1);
+    }
+    const rootDir = resolve2(opts.dir);
+    const tfDir = join(rootDir, "terraform", "examples", "greenfield");
+    const tfvarsPath = join(tfDir, "terraform.tfvars");
+    if (existsSync3(tfvarsPath)) {
+      printWarning(`terraform.tfvars already exists at ${tfvarsPath}`);
+      const overwrite = await ask2("  Overwrite? [y/N]");
+      if (overwrite.toLowerCase() !== "y") {
+        console.log("  Aborted.");
+        return;
+      }
+    }
+    console.log("  Configure your Thinkwork environment:\n");
+    const region = await ask2("  AWS Region", identity.region !== "unknown" ? identity.region : "us-east-1");
+    const memoryEngine = await ask2("  Memory engine (managed/hindsight)", "managed");
+    const dbPassword = generatePassword();
+    const apiSecret = `tw-${opts.stage}-${generatePassword().slice(0, 12)}`;
+    if (!existsSync3(tfDir)) {
+      mkdirSync(tfDir, { recursive: true });
+    }
+    const tfvars = TFVARS_TEMPLATE.replace(/{STAGE}/g, opts.stage).replace(/{REGION}/g, region).replace(/{ACCOUNT_ID}/g, identity.account).replace(/{DB_PASSWORD}/g, dbPassword).replace(/{MEMORY_ENGINE}/g, memoryEngine).replace(/{API_SECRET}/g, apiSecret);
+    writeFileSync2(tfvarsPath, tfvars);
+    console.log(`
+  Wrote ${tfvarsPath}`);
+    console.log("\n  Initializing Terraform...\n");
+    try {
+      execSync4("terraform init", { cwd: tfDir, stdio: "inherit" });
+    } catch {
+      printWarning("Terraform init failed \u2014 you may need to install Terraform first.");
+      printWarning("Run: thinkwork doctor -s " + opts.stage);
+      return;
+    }
+    printSuccess(`Environment "${opts.stage}" initialized`);
+    console.log("");
+    console.log("  Next steps:");
+    console.log(`    1. thinkwork plan -s ${opts.stage}        # Review the plan`);
+    console.log(`    2. thinkwork deploy -s ${opts.stage}       # Deploy infrastructure`);
+    console.log(`    3. thinkwork bootstrap -s ${opts.stage}    # Seed workspace + skills`);
+    console.log("");
+  });
+}
+
+// src/cli.ts
+var program = new Command();
+program.name("thinkwork").description(
+  "Thinkwork CLI \u2014 deploy, manage, and interact with your Thinkwork stack"
+).version(VERSION, "-v, --version", "Print the CLI version").option(
+  "-p, --profile <name>",
+  "AWS profile to use (sets AWS_PROFILE for Terraform and AWS CLI)"
+);
+program.hook("preAction", (_thisCommand, actionCommand) => {
+  const profile = actionCommand.opts().profile ?? program.opts().profile;
+  if (profile) {
+    process.env.AWS_PROFILE = profile;
+  }
+});
+registerLoginCommand(program);
+registerInitCommand(program);
+registerDoctorCommand(program);
+registerPlanCommand(program);
+registerDeployCommand(program);
+registerBootstrapCommand(program);
+registerDestroyCommand(program);
+registerOutputsCommand(program);
+registerConfigCommand(program);
+program.parse();

package/package.json

@@ -0,0 +1,49 @@
+{
+  "name": "thinkwork-cli",
+  "version": "0.1.0",
+  "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
+  "license": "MIT",
+  "type": "module",
+  "bin": {
+    "thinkwork": "dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup src/cli.ts --format esm --dts --clean",
+    "dev": "tsx src/cli.ts",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "lint": "echo 'lint: skipped (eslint not configured)'",
+    "prepublishOnly": "npm run build && npm run typecheck"
+  },
+  "dependencies": {
+    "chalk": "^5.6.2",
+    "commander": "^12.0.0",
+    "ora": "^9.3.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.6.0",
+    "tsup": "^8.0.0",
+    "tsx": "^4.0.0",
+    "typescript": "^5.5.0",
+    "vitest": "^2.0.0"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/thinkwork-ai/thinkwork.git",
+    "directory": "apps/cli"
+  },
+  "homepage": "https://thinkwork.ai",
+  "keywords": [
+    "thinkwork",
+    "aws",
+    "agents",
+    "terraform",
+    "cli"
+  ]
+}