thinkwork-cli 0.1.0 → 0.2.0

package/README.md

@@ -1,17 +1,17 @@
-# @thinkwork-ai/cli
+# thinkwork-cli
 
 Deploy and manage Thinkwork AI agent stacks on AWS.
 
 ## Install
 
 ```bash
-npm install -g @thinkwork-ai/cli
+npm install -g thinkwork-cli
 ```
 
 Or run without installing:
 
 ```bash
-npx @thinkwork-ai/cli --help
+npx thinkwork-cli --help
 ```
 
 ## Quick Start

package/dist/cli.js

@@ -83,7 +83,19 @@ function resolveTierDir(terraformDir, stage, tier) {
   if (existsSync(envDir)) {
     return envDir;
   }
-  return path.join(terraformDir, "examples", "greenfield");
+  const greenfield = path.join(terraformDir, "examples", "greenfield");
+  if (existsSync(greenfield)) {
+    return greenfield;
+  }
+  const flat = path.join(terraformDir);
+  if (existsSync(path.join(flat, "main.tf"))) {
+    return flat;
+  }
+  const cwdTf = path.join(process.cwd(), "terraform");
+  if (existsSync(path.join(cwdTf, "main.tf"))) {
+    return cwdTf;
+  }
+  return terraformDir;
 }
 async function ensureWorkspace(cwd, stage) {
   const list = await runTerraformRaw(cwd, ["workspace", "list"]);
@@ -709,47 +721,91 @@ function registerLoginCommand(program2) {
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve2, join } from "path";
+import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync2, cpSync } from "fs";
+import { resolve as resolve2, join, dirname } from "path";
 import { execSync as execSync4 } from "child_process";
+import { fileURLToPath } from "url";
 import { createInterface as createInterface3 } from "readline";
+import chalk3 from "chalk";
+var __dirname = dirname(fileURLToPath(import.meta.url));
 function ask2(prompt, defaultVal = "") {
   const rl = createInterface3({ input: process.stdin, output: process.stdout });
-  const suffix = defaultVal ? ` [${defaultVal}]` : "";
+  const suffix = defaultVal ? chalk3.dim(` [${defaultVal}]`) : "";
   return new Promise((resolve3) => {
-    rl.question(`${prompt}${suffix}: `, (answer) => {
+    rl.question(`  ${prompt}${suffix}: `, (answer) => {
       rl.close();
       resolve3(answer.trim() || defaultVal);
     });
   });
 }
-function generatePassword() {
-  const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%";
-  let pw = "";
-  const bytes = new Uint8Array(32);
+function choose(prompt, options, defaultVal) {
+  const optStr = options.map((o) => o === defaultVal ? chalk3.bold(o) : chalk3.dim(o)).join(" / ");
+  return ask2(`${prompt} (${optStr})`, defaultVal);
+}
+function generateSecret(length = 32) {
+  const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  let result = "";
+  const bytes = new Uint8Array(length);
   globalThis.crypto.getRandomValues(bytes);
-  for (const b of bytes) pw += chars[b % chars.length];
-  return pw;
+  for (const b of bytes) result += chars[b % chars.length];
+  return result;
+}
+function findBundledTerraform() {
+  const bundled = resolve2(__dirname, "..", "terraform");
+  if (existsSync3(join(bundled, "modules"))) return bundled;
+  const repoTf = resolve2(__dirname, "..", "..", "..", "..", "terraform");
+  if (existsSync3(join(repoTf, "modules"))) return repoTf;
+  throw new Error(
+    "Terraform modules not found. The CLI package may be incomplete.\nTry reinstalling: npm install -g thinkwork-cli@latest"
+  );
+}
+function buildTfvars(config) {
+  const lines = [
+    `# Thinkwork \u2014 ${config.stage} stage`,
+    `# Generated by: thinkwork init -s ${config.stage}`,
+    `# ${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}`,
+    ``,
+    `# \u2500\u2500 Core \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    `stage      = "${config.stage}"`,
+    `region     = "${config.region}"`,
+    `account_id = "${config.account_id}"`,
+    ``,
+    `# \u2500\u2500 Database \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    `database_engine = "${config.database_engine}"`,
+    `db_password     = "${config.db_password}"`,
+    ``,
+    `# \u2500\u2500 Memory \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    `memory_engine = "${config.memory_engine}"`,
+    ``,
+    `# \u2500\u2500 Auth \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`,
+    `api_auth_secret = "${config.api_auth_secret}"`
+  ];
+  if (config.google_oauth_client_id) {
+    lines.push(``);
+    lines.push(`# \u2500\u2500 Google OAuth \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);
+    lines.push(`google_oauth_client_id     = "${config.google_oauth_client_id}"`);
+    lines.push(`google_oauth_client_secret = "${config.google_oauth_client_secret}"`);
+  } else {
+    lines.push(``);
+    lines.push(`# \u2500\u2500 Google OAuth (uncomment to enable Google social login) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);
+    lines.push(`# google_oauth_client_id     = ""`);
+    lines.push(`# google_oauth_client_secret = ""`);
+  }
+  if (config.admin_url && config.admin_url !== "http://localhost:5174") {
+    lines.push(``);
+    lines.push(`# \u2500\u2500 Callback URLs \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500`);
+    lines.push(`admin_callback_urls  = ["${config.admin_url}", "${config.admin_url}/auth/callback"]`);
+    lines.push(`admin_logout_urls    = ["${config.admin_url}"]`);
+  }
+  if (config.mobile_scheme && config.mobile_scheme !== "thinkwork") {
+    lines.push(`mobile_callback_urls = ["${config.mobile_scheme}://", "${config.mobile_scheme}://auth/callback"]`);
+    lines.push(`mobile_logout_urls   = ["${config.mobile_scheme}://"]`);
+  }
+  lines.push(``);
+  return lines.join("\n");
 }
-var TFVARS_TEMPLATE = `# Thinkwork \u2014 {STAGE} stage
-# Generated by: thinkwork init -s {STAGE}
-
-stage      = "{STAGE}"
-region     = "{REGION}"
-account_id = "{ACCOUNT_ID}"
-
-# Database
-database_engine = "aurora-serverless"
-db_password = "{DB_PASSWORD}"
-
-# Memory engine: "managed" (built-in) or "hindsight" (ECS Fargate service)
-memory_engine = "{MEMORY_ENGINE}"
-
-# API authentication secret (shared between services)
-api_auth_secret = "{API_SECRET}"
-`;
 function registerInitCommand(program2) {
-  program2.command("init").description("Initialize a new Thinkwork environment").requiredOption("-s, --stage <name>", "Stage name (e.g. dev, staging, prod)").option("-d, --dir <path>", "Directory to initialize in", ".").action(async (opts) => {
+  program2.command("init").description("Initialize a new Thinkwork environment").requiredOption("-s, --stage <name>", "Stage name (e.g. dev, staging, prod)").option("-d, --dir <path>", "Target directory", ".").option("--defaults", "Skip interactive prompts, use all defaults").action(async (opts) => {
     const stageCheck = validateStage(opts.stage);
     if (!stageCheck.valid) {
       printError(stageCheck.error);
@@ -761,43 +817,191 @@ function registerInitCommand(program2) {
       printError("AWS credentials not configured. Run `thinkwork login` first.");
       process.exit(1);
     }
-    const rootDir = resolve2(opts.dir);
-    const tfDir = join(rootDir, "terraform", "examples", "greenfield");
+    const targetDir = resolve2(opts.dir);
+    const tfDir = join(targetDir, "terraform");
     const tfvarsPath = join(tfDir, "terraform.tfvars");
     if (existsSync3(tfvarsPath)) {
       printWarning(`terraform.tfvars already exists at ${tfvarsPath}`);
-      const overwrite = await ask2("  Overwrite? [y/N]");
+      const overwrite = await ask2("Overwrite?", "N");
       if (overwrite.toLowerCase() !== "y") {
         console.log("  Aborted.");
         return;
       }
+      console.log("");
     }
-    console.log("  Configure your Thinkwork environment:\n");
-    const region = await ask2("  AWS Region", identity.region !== "unknown" ? identity.region : "us-east-1");
-    const memoryEngine = await ask2("  Memory engine (managed/hindsight)", "managed");
-    const dbPassword = generatePassword();
-    const apiSecret = `tw-${opts.stage}-${generatePassword().slice(0, 12)}`;
-    if (!existsSync3(tfDir)) {
-      mkdirSync(tfDir, { recursive: true });
+    const config = {
+      stage: opts.stage,
+      account_id: identity.account,
+      db_password: generateSecret(24),
+      api_auth_secret: `tw-${opts.stage}-${generateSecret(16)}`
+    };
+    if (opts.defaults) {
+      config.region = identity.region !== "unknown" ? identity.region : "us-east-1";
+      config.database_engine = "aurora-serverless";
+      config.memory_engine = "managed";
+      config.google_oauth_client_id = "";
+      config.google_oauth_client_secret = "";
+      config.admin_url = "http://localhost:5174";
+      config.mobile_scheme = "thinkwork";
+    } else {
+      console.log(chalk3.bold("  Configure your Thinkwork environment\n"));
+      const defaultRegion = identity.region !== "unknown" ? identity.region : "us-east-1";
+      config.region = await ask2("AWS Region", defaultRegion);
+      console.log("");
+      console.log(chalk3.dim("  \u2500\u2500 Database \u2500\u2500"));
+      config.database_engine = await choose("Database engine", ["aurora-serverless", "rds-postgres"], "aurora-serverless");
+      console.log("");
+      console.log(chalk3.dim("  \u2500\u2500 Memory \u2500\u2500"));
+      console.log(chalk3.dim("  managed    = Built-in AgentCore memory (remember/recall/forget)"));
+      console.log(chalk3.dim("  hindsight  = ECS Fargate service with semantic + graph retrieval"));
+      config.memory_engine = await choose("Memory engine", ["managed", "hindsight"], "managed");
+      console.log("");
+      console.log(chalk3.dim("  \u2500\u2500 Auth \u2500\u2500"));
+      const useGoogle = await ask2("Enable Google OAuth login? (y/N)", "N");
+      if (useGoogle.toLowerCase() === "y") {
+        config.google_oauth_client_id = await ask2("Google OAuth Client ID");
+        config.google_oauth_client_secret = await ask2("Google OAuth Client Secret");
+      } else {
+        config.google_oauth_client_id = "";
+        config.google_oauth_client_secret = "";
+      }
+      console.log("");
+      console.log(chalk3.dim("  \u2500\u2500 Frontend URLs \u2500\u2500"));
+      config.admin_url = await ask2("Admin UI URL", "http://localhost:5174");
+      config.mobile_scheme = await ask2("Mobile app URL scheme", "thinkwork");
+      console.log("");
+      console.log(chalk3.dim("  \u2500\u2500 Secrets (auto-generated) \u2500\u2500"));
+      console.log(chalk3.dim(`  DB password:     ${config.db_password.slice(0, 8)}...`));
+      console.log(chalk3.dim(`  API auth secret: ${config.api_auth_secret.slice(0, 16)}...`));
     }
-    const tfvars = TFVARS_TEMPLATE.replace(/{STAGE}/g, opts.stage).replace(/{REGION}/g, region).replace(/{ACCOUNT_ID}/g, identity.account).replace(/{DB_PASSWORD}/g, dbPassword).replace(/{MEMORY_ENGINE}/g, memoryEngine).replace(/{API_SECRET}/g, apiSecret);
+    console.log("");
+    console.log("  Scaffolding Terraform modules...");
+    let bundledTf;
+    try {
+      bundledTf = findBundledTerraform();
+    } catch (err) {
+      printError(String(err));
+      process.exit(1);
+    }
+    mkdirSync(tfDir, { recursive: true });
+    const copyDirs = ["modules", "examples"];
+    for (const dir of copyDirs) {
+      const src = join(bundledTf, dir);
+      const dst = join(tfDir, dir);
+      if (existsSync3(src) && !existsSync3(dst)) {
+        cpSync(src, dst, { recursive: true });
+      }
+    }
+    const schemaPath = join(bundledTf, "schema.graphql");
+    if (existsSync3(schemaPath) && !existsSync3(join(tfDir, "schema.graphql"))) {
+      cpSync(schemaPath, join(tfDir, "schema.graphql"));
+    }
+    const tfvars = buildTfvars(config);
     writeFileSync2(tfvarsPath, tfvars);
-    console.log(`
-  Wrote ${tfvarsPath}`);
+    const mainTfPath = join(tfDir, "main.tf");
+    if (!existsSync3(mainTfPath)) {
+      writeFileSync2(mainTfPath, `################################################################################
+# Thinkwork \u2014 ${config.stage}
+# Generated by: thinkwork init -s ${config.stage}
+################################################################################
+
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+variable "stage" { type = string }
+variable "region" { type = string; default = "us-east-1" }
+variable "account_id" { type = string }
+variable "db_password" { type = string; sensitive = true }
+variable "database_engine" { type = string; default = "aurora-serverless" }
+variable "memory_engine" { type = string; default = "managed" }
+variable "google_oauth_client_id" { type = string; default = "" }
+variable "google_oauth_client_secret" { type = string; sensitive = true; default = "" }
+variable "pre_signup_lambda_zip" { type = string; default = "" }
+variable "lambda_zips_dir" { type = string; default = "" }
+variable "api_auth_secret" { type = string; sensitive = true; default = "" }
+variable "admin_callback_urls" { type = list(string); default = ["http://localhost:5174", "http://localhost:5174/auth/callback"] }
+variable "admin_logout_urls" { type = list(string); default = ["http://localhost:5174"] }
+variable "mobile_callback_urls" { type = list(string); default = ["exp://localhost:8081", "thinkwork://", "thinkwork://auth/callback"] }
+variable "mobile_logout_urls" { type = list(string); default = ["exp://localhost:8081", "thinkwork://"] }
+
+module "thinkwork" {
+  source = "./modules/thinkwork"
+
+  stage      = var.stage
+  region     = var.region
+  account_id = var.account_id
+
+  db_password                = var.db_password
+  database_engine            = var.database_engine
+  memory_engine              = var.memory_engine
+  google_oauth_client_id     = var.google_oauth_client_id
+  google_oauth_client_secret = var.google_oauth_client_secret
+  pre_signup_lambda_zip      = var.pre_signup_lambda_zip
+  lambda_zips_dir            = var.lambda_zips_dir
+  api_auth_secret            = var.api_auth_secret
+  admin_callback_urls        = var.admin_callback_urls
+  admin_logout_urls          = var.admin_logout_urls
+  mobile_callback_urls       = var.mobile_callback_urls
+  mobile_logout_urls         = var.mobile_logout_urls
+}
+
+output "api_endpoint"       { value = module.thinkwork.api_endpoint }
+output "user_pool_id"       { value = module.thinkwork.user_pool_id }
+output "admin_client_id"    { value = module.thinkwork.admin_client_id }
+output "mobile_client_id"   { value = module.thinkwork.mobile_client_id }
+output "bucket_name"        { value = module.thinkwork.bucket_name }
+output "db_cluster_endpoint" { value = module.thinkwork.db_cluster_endpoint }
+output "db_secret_arn"      { value = module.thinkwork.db_secret_arn; sensitive = true }
+output "ecr_repository_url" { value = module.thinkwork.ecr_repository_url }
+output "memory_engine"      { value = module.thinkwork.memory_engine }
+output "hindsight_endpoint"  { value = module.thinkwork.hindsight_endpoint }
+`);
+    }
+    console.log(`  Wrote ${chalk3.cyan(tfDir + "/")}`);
+    console.log("");
+    console.log(chalk3.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    console.log(`  ${chalk3.bold("Stage:")}           ${config.stage}`);
+    console.log(`  ${chalk3.bold("Region:")}          ${config.region}`);
+    console.log(`  ${chalk3.bold("Account:")}         ${config.account_id}`);
+    console.log(`  ${chalk3.bold("Database:")}        ${config.database_engine}`);
+    console.log(`  ${chalk3.bold("Memory:")}          ${config.memory_engine}`);
+    console.log(`  ${chalk3.bold("Google OAuth:")}    ${config.google_oauth_client_id ? "enabled" : "disabled"}`);
+    console.log(`  ${chalk3.bold("Directory:")}       ${tfDir}`);
+    console.log(chalk3.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
     console.log("\n  Initializing Terraform...\n");
     try {
       execSync4("terraform init", { cwd: tfDir, stdio: "inherit" });
     } catch {
-      printWarning("Terraform init failed \u2014 you may need to install Terraform first.");
-      printWarning("Run: thinkwork doctor -s " + opts.stage);
+      printWarning("Terraform init failed. Run `thinkwork doctor -s " + opts.stage + "` to check prerequisites.");
       return;
     }
     printSuccess(`Environment "${opts.stage}" initialized`);
     console.log("");
     console.log("  Next steps:");
-    console.log(`    1. thinkwork plan -s ${opts.stage}        # Review the plan`);
-    console.log(`    2. thinkwork deploy -s ${opts.stage}       # Deploy infrastructure`);
-    console.log(`    3. thinkwork bootstrap -s ${opts.stage}    # Seed workspace + skills`);
+    console.log(`    ${chalk3.cyan("1.")} thinkwork plan -s ${opts.stage}        ${chalk3.dim("# Review infrastructure plan")}`);
+    console.log(`    ${chalk3.cyan("2.")} thinkwork deploy -s ${opts.stage}       ${chalk3.dim("# Deploy to AWS (~5 min)")}`);
+    console.log(`    ${chalk3.cyan("3.")} thinkwork bootstrap -s ${opts.stage}    ${chalk3.dim("# Seed workspace files + skills")}`);
+    console.log(`    ${chalk3.cyan("4.")} thinkwork outputs -s ${opts.stage}      ${chalk3.dim("# Show API URL, Cognito IDs, etc.")}`);
     console.log("");
   });
 }

package/dist/terraform/examples/greenfield/main.tf

@@ -0,0 +1,190 @@
+################################################################################
+# Greenfield Example
+#
+# Creates everything from scratch in a fresh AWS account.
+# Copy this directory to start a new Thinkwork deployment.
+#
+# Usage:
+#   cd terraform/examples/greenfield
+#   cp terraform.tfvars.example terraform.tfvars  # edit with your values
+#   terraform init
+#   terraform workspace new dev                    # or your stage name
+#   terraform plan -var-file=terraform.tfvars
+#   terraform apply -var-file=terraform.tfvars
+################################################################################
+
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.0"
+    }
+  }
+
+  # For the example, use local state. Production deployments should
+  # use S3 + DynamoDB backend — see the docs for configuration.
+  # backend "s3" { ... }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+variable "stage" {
+  description = "Deployment stage — must match the Terraform workspace name"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "db_password" {
+  description = "Master password for the Aurora cluster"
+  type        = string
+  sensitive   = true
+}
+
+variable "database_engine" {
+  description = "Database engine: 'aurora-serverless' (production) or 'rds-postgres' (dev/test, cheaper)"
+  type        = string
+  default     = "aurora-serverless"
+}
+
+variable "memory_engine" {
+  description = "Memory engine: 'managed' (AgentCore built-in, default) or 'hindsight' (ECS+ALB, opt-in)"
+  type        = string
+  default     = "managed"
+}
+
+variable "google_oauth_client_id" {
+  description = "Google OAuth client ID (optional — leave empty to skip Google login)"
+  type        = string
+  default     = ""
+}
+
+variable "google_oauth_client_secret" {
+  description = "Google OAuth client secret"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "pre_signup_lambda_zip" {
+  description = "Path to the Cognito pre-signup Lambda zip"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_zips_dir" {
+  description = "Local directory containing Lambda zip artifacts (from pnpm build:lambdas)"
+  type        = string
+  default     = ""
+}
+
+variable "api_auth_secret" {
+  description = "Shared secret for inter-service API authentication"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+module "thinkwork" {
+  source = "../../modules/thinkwork"
+
+  stage      = var.stage
+  region     = var.region
+  account_id = var.account_id
+
+  db_password                = var.db_password
+  database_engine            = var.database_engine
+  memory_engine              = var.memory_engine
+  google_oauth_client_id     = var.google_oauth_client_id
+  google_oauth_client_secret = var.google_oauth_client_secret
+  pre_signup_lambda_zip      = var.pre_signup_lambda_zip
+  lambda_zips_dir            = var.lambda_zips_dir
+  api_auth_secret            = var.api_auth_secret
+
+  # Greenfield: create everything (all defaults are true)
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "api_endpoint" {
+  description = "API Gateway endpoint URL"
+  value       = module.thinkwork.api_endpoint
+}
+
+output "appsync_realtime_url" {
+  description = "AppSync realtime WebSocket URL (for frontend subscription clients)"
+  value       = module.thinkwork.appsync_realtime_url
+}
+
+output "user_pool_id" {
+  description = "Cognito user pool ID"
+  value       = module.thinkwork.user_pool_id
+}
+
+output "admin_client_id" {
+  description = "Cognito app client ID for web admin"
+  value       = module.thinkwork.admin_client_id
+}
+
+output "mobile_client_id" {
+  description = "Cognito app client ID for mobile"
+  value       = module.thinkwork.mobile_client_id
+}
+
+output "ecr_repository_url" {
+  description = "ECR repository URL for the AgentCore container"
+  value       = module.thinkwork.ecr_repository_url
+}
+
+output "bucket_name" {
+  description = "Primary S3 bucket"
+  value       = module.thinkwork.bucket_name
+}
+
+output "db_cluster_endpoint" {
+  description = "Aurora cluster endpoint"
+  value       = module.thinkwork.db_cluster_endpoint
+}
+
+output "db_secret_arn" {
+  description = "Secrets Manager ARN for database credentials"
+  value       = module.thinkwork.db_secret_arn
+}
+
+output "database_name" {
+  description = "Database name"
+  value       = module.thinkwork.database_name
+}
+
+output "memory_engine" {
+  description = "Active memory engine (managed or hindsight)"
+  value       = module.thinkwork.memory_engine
+}
+
+output "hindsight_endpoint" {
+  description = "Hindsight API endpoint (null when memory_engine = managed)"
+  value       = module.thinkwork.hindsight_endpoint
+}

package/dist/terraform/examples/greenfield/terraform.tfvars.example

@@ -0,0 +1,28 @@
+# Thinkwork Greenfield Deployment
+#
+# Copy this file to terraform.tfvars and fill in your values.
+# DO NOT commit terraform.tfvars to version control.
+
+stage      = "dev"
+region     = "us-east-1"
+account_id = "123456789012"  # your AWS account ID
+
+# Database engine:
+#   "aurora-serverless" — Aurora Serverless v2 (production, auto-scaling, deletion protection on)
+#   "rds-postgres"      — Standard RDS PostgreSQL (dev/test, cheaper, deletion protection off)
+database_engine = "rds-postgres"
+
+# Memory engine:
+#   "managed"   — AgentCore built-in long-term memory (default, no extra infra)
+#   "hindsight" — Hindsight ECS+ALB service (opt-in, adds retain/recall/reflect tools)
+memory_engine = "managed"
+
+# Database master password — use a strong password
+db_password = "CHANGE_ME_strong_password_here"
+
+# Google OAuth (optional — leave empty to skip Google social login)
+# google_oauth_client_id     = ""
+# google_oauth_client_secret = ""
+
+# Pre-signup Lambda (optional — leave empty if not using custom pre-signup logic)
+# pre_signup_lambda_zip = "./lambdas/pre-signup.zip"

package/dist/terraform/modules/_internal/workspace-guard/main.tf

@@ -0,0 +1,29 @@
+################################################################################
+# Workspace Guard
+#
+# Prevents applying the wrong var file to the wrong Terraform workspace.
+# Every tier (foundation, data, app) should consume this module.
+#
+# History: on 2026-04-05, running `terraform apply -var-file=prod.tfvars` in
+# the dev workspace destroyed dev infrastructure. This guard prevents that
+# class of incident by failing the plan before any damage occurs.
+################################################################################
+
+variable "stage" {
+  description = "The deployment stage (must match the Terraform workspace name)"
+  type        = string
+}
+
+resource "null_resource" "workspace_guard" {
+  triggers = {
+    stage     = var.stage
+    workspace = terraform.workspace
+  }
+
+  lifecycle {
+    precondition {
+      condition     = var.stage == terraform.workspace
+      error_message = "SAFETY: stage '${var.stage}' does not match workspace '${terraform.workspace}'. You are applying the wrong var file!"
+    }
+  }
+}