thinkwork-cli 0.1.0 → 0.2.0

package/dist/terraform/modules/app/agentcore-runtime/main.tf

@@ -0,0 +1,217 @@
+################################################################################
+# AgentCore Runtime — App Module
+#
+# Creates ECR repository, IAM roles, and container build infrastructure
+# for the Strands-based agent runtime. Full implementation ported in Phase 3.
+# Phase 1 creates the ECR repo and IAM scaffolding only.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "bucket_name" {
+  description = "Primary S3 bucket for skills and workspace files"
+  type        = string
+}
+
+variable "memory_engine" {
+  description = "Memory engine: 'managed' or 'hindsight'. Passed as MEMORY_ENGINE env var to the container."
+  type        = string
+  default     = "managed"
+}
+
+variable "hindsight_endpoint" {
+  description = "Hindsight API endpoint (only used when memory_engine = 'hindsight')"
+  type        = string
+  default     = ""
+}
+
+variable "agentcore_memory_id" {
+  description = "AgentCore Memory resource ID (only used when memory_engine = 'managed')"
+  type        = string
+  default     = ""
+}
+
+################################################################################
+# ECR Repository
+################################################################################
+
+resource "aws_ecr_repository" "agentcore" {
+  name                 = "thinkwork-${var.stage}-agentcore"
+  image_tag_mutability = "MUTABLE"
+  force_delete         = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore"
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "agentcore" {
+  repository = aws_ecr_repository.agentcore.name
+
+  policy = jsonencode({
+    rules = [{
+      rulePriority = 1
+      description  = "Keep last 10 images"
+      selection = {
+        tagStatus   = "any"
+        countType   = "imageCountMoreThan"
+        countNumber = 10
+      }
+      action = {
+        type = "expire"
+      }
+    }]
+  })
+}
+
+################################################################################
+# Execution Role
+################################################################################
+
+resource "aws_iam_role" "agentcore" {
+  name = "thinkwork-${var.stage}-agentcore-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = ["ecs-tasks.amazonaws.com", "lambda.amazonaws.com"] }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "agentcore" {
+  name = "agentcore-permissions"
+  role = aws_iam_role.agentcore.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "S3Access"
+        Effect = "Allow"
+        Action = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
+        Resource = [
+          "arn:aws:s3:::${var.bucket_name}",
+          "arn:aws:s3:::${var.bucket_name}/*",
+        ]
+      },
+      {
+        Sid      = "BedrockInvoke"
+        Effect   = "Allow"
+        Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", "bedrock:InvokeAgent"]
+        Resource = "*"
+      },
+      {
+        Sid      = "CloudWatchLogs"
+        Effect   = "Allow"
+        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
+        Resource = "arn:aws:logs:${var.region}:${var.account_id}:*"
+      },
+      {
+        Sid      = "ECRPull"
+        Effect   = "Allow"
+        Action   = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:GetAuthorizationToken"]
+        Resource = "*"
+      },
+      {
+        Sid      = "SSMParameterAccess"
+        Effect   = "Allow"
+        Action   = ["ssm:GetParameter", "ssm:PutParameter"]
+        Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/agentcore/*"
+      },
+    ]
+  })
+}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+resource "aws_cloudwatch_log_group" "agentcore" {
+  name              = "/thinkwork/${var.stage}/agentcore"
+  retention_in_days = 30
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore-logs"
+  }
+}
+
+################################################################################
+# Lambda Container Image
+################################################################################
+
+resource "aws_lambda_function" "agentcore" {
+  function_name = "thinkwork-${var.stage}-agentcore"
+  role          = aws_iam_role.agentcore.arn
+  package_type  = "Image"
+  image_uri     = "${aws_ecr_repository.agentcore.repository_url}:latest"
+  timeout       = 900
+  memory_size   = 2048
+
+  environment {
+    variables = {
+      PORT                   = "8080"
+      AWS_LWA_PORT           = "8080"
+      MEMORY_ENGINE          = var.memory_engine
+      AGENTCORE_MEMORY_ID    = var.agentcore_memory_id
+      AGENTCORE_FILES_BUCKET = var.bucket_name
+    }
+  }
+
+  logging_config {
+    log_group  = aws_cloudwatch_log_group.agentcore.name
+    log_format = "Text"
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore"
+  }
+}
+
+resource "aws_lambda_function_url" "agentcore" {
+  function_name      = aws_lambda_function.agentcore.function_name
+  authorization_type = "NONE"
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "ecr_repository_url" {
+  description = "ECR repository URL for the AgentCore container"
+  value       = aws_ecr_repository.agentcore.repository_url
+}
+
+output "execution_role_arn" {
+  description = "IAM role ARN for AgentCore execution"
+  value       = aws_iam_role.agentcore.arn
+}
+
+output "agentcore_invoke_url" {
+  description = "Lambda Function URL for the AgentCore container"
+  value       = aws_lambda_function_url.agentcore.function_url
+}
+
+output "agentcore_function_name" {
+  description = "AgentCore Lambda function name (for direct SDK invoke)"
+  value       = aws_lambda_function.agentcore.function_name
+}

package/dist/terraform/modules/app/appsync-subscriptions/main.tf

@@ -0,0 +1,122 @@
+################################################################################
+# AppSync Subscriptions — App Module
+#
+# AppSync exists ONLY as a thin realtime/event layer for subscription fan-out.
+# Queries and mutations go through API Gateway V2 → Lambda, NOT through AppSync.
+#
+# Per Decision 9: the unused RDS data source is removed. Only the NONE
+# passthrough data source remains for notification mutations. The schema is
+# a subscription-only fragment, not the full product schema.
+#
+# Post-launch consideration: replace with standard graphql-ws over API Gateway
+# V2 WebSocket API. Not v0.1 scope.
+################################################################################
+
+################################################################################
+# GraphQL API
+################################################################################
+
+resource "aws_appsync_graphql_api" "subscriptions" {
+  name                = "thinkwork-${var.stage}-subscriptions"
+  authentication_type = "API_KEY"
+  xray_enabled        = false
+
+  schema = var.subscription_schema
+
+  additional_authentication_provider {
+    authentication_type = "AWS_IAM"
+  }
+
+  additional_authentication_provider {
+    authentication_type = "AMAZON_COGNITO_USER_POOLS"
+
+    user_pool_config {
+      user_pool_id = var.user_pool_id
+    }
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-subscriptions"
+  }
+}
+
+################################################################################
+# API Key — 365 day expiry
+################################################################################
+
+resource "aws_appsync_api_key" "main" {
+  api_id  = aws_appsync_graphql_api.subscriptions.id
+  expires = timeadd(timestamp(), "8760h")
+
+  lifecycle {
+    ignore_changes = [expires]
+  }
+}
+
+################################################################################
+# NONE Data Source (passthrough for notification mutations)
+################################################################################
+
+resource "aws_appsync_datasource" "none" {
+  api_id = aws_appsync_graphql_api.subscriptions.id
+  name   = "NonePassthrough"
+  type   = "NONE"
+}
+
+################################################################################
+# Notification Mutation Resolvers
+#
+# v1 events only — deferred events (onEvalRunUpdated, onCostRecorded) are cut.
+################################################################################
+
+locals {
+  notification_mutations = [
+    "notifyAgentStatus",
+    "notifyNewMessage",
+    "notifyHeartbeatActivity",
+    "notifyThreadUpdate",
+    "notifyInboxItemUpdate",
+    "notifyThreadTurnUpdate",
+    "notifyOrgUpdate",
+  ]
+}
+
+resource "aws_appsync_resolver" "notifications" {
+  for_each = toset(local.notification_mutations)
+
+  api_id      = aws_appsync_graphql_api.subscriptions.id
+  type        = "Mutation"
+  field       = each.value
+  data_source = aws_appsync_datasource.none.name
+
+  request_template = <<-EOF
+    {"version":"2017-02-28","payload":$util.toJson($context.arguments)}
+  EOF
+
+  response_template = <<-EOF
+    #set($result = $context.result)
+    #if(!$result.updatedAt)
+      #set($result.updatedAt = $util.time.nowISO8601())
+    #end
+    #if(!$result.createdAt)
+      #set($result.createdAt = $util.time.nowISO8601())
+    #end
+    $util.toJson($result)
+  EOF
+}
+
+################################################################################
+# Custom Domain (optional)
+################################################################################
+
+resource "aws_appsync_domain_name" "main" {
+  count           = var.custom_domain != "" ? 1 : 0
+  domain_name     = var.custom_domain
+  certificate_arn = var.certificate_arn
+}
+
+resource "aws_appsync_domain_name_api_association" "main" {
+  count       = var.custom_domain != "" ? 1 : 0
+  api_id      = aws_appsync_graphql_api.subscriptions.id
+  domain_name = aws_appsync_domain_name.main[0].domain_name
+}

package/dist/terraform/modules/app/appsync-subscriptions/outputs.tf

@@ -0,0 +1,20 @@
+output "graphql_api_id" {
+  description = "AppSync GraphQL API ID"
+  value       = aws_appsync_graphql_api.subscriptions.id
+}
+
+output "graphql_api_url" {
+  description = "AppSync GraphQL endpoint URL (used by backend to push notifications)"
+  value       = aws_appsync_graphql_api.subscriptions.uris["GRAPHQL"]
+}
+
+output "graphql_realtime_url" {
+  description = "AppSync realtime WebSocket URL (used by frontend subscription clients)"
+  value       = aws_appsync_graphql_api.subscriptions.uris["REALTIME"]
+}
+
+output "graphql_api_key" {
+  description = "AppSync API key"
+  value       = aws_appsync_api_key.main.key
+  sensitive   = true
+}

package/dist/terraform/modules/app/appsync-subscriptions/variables.tf

@@ -0,0 +1,31 @@
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "user_pool_id" {
+  description = "Cognito user pool ID for authentication"
+  type        = string
+}
+
+variable "subscription_schema" {
+  description = "GraphQL schema containing only Subscription + notification Mutation types. This is a subscription-only fragment, NOT the full product schema."
+  type        = string
+}
+
+variable "custom_domain" {
+  description = "Custom domain for the AppSync API (e.g. subscriptions.thinkwork.ai). Leave empty to skip."
+  type        = string
+  default     = ""
+}
+
+variable "certificate_arn" {
+  description = "ACM certificate ARN for the custom domain (required when custom_domain is set)"
+  type        = string
+  default     = ""
+}

package/dist/terraform/modules/app/crons/main.tf

@@ -0,0 +1,55 @@
+################################################################################
+# Crons — App Module
+#
+# Scheduled jobs and event-driven processors. Full implementation ported
+# in Phase 4. Phase 1 creates the IAM role and a placeholder cron only.
+#
+# v1 scope: standard crons + wakeup processor.
+# Cut: kg_extract_fanout, kg_extract_worker, span_enrichment (PRD-41B).
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+################################################################################
+# Shared IAM Role for Cron Lambdas
+################################################################################
+
+resource "aws_iam_role" "cron_lambda" {
+  name = "thinkwork-${var.stage}-cron-lambda-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "lambda.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "cron_basic" {
+  role       = aws_iam_role.cron_lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "cron_lambda_role_arn" {
+  description = "IAM role ARN for cron Lambda functions"
+  value       = aws_iam_role.cron_lambda.arn
+}

package/dist/terraform/modules/app/hindsight-memory/README.md

@@ -0,0 +1,66 @@
+# Memory Engine Module
+
+Thinkwork supports pluggable long-term memory for agents. Choose the engine that fits your stage and requirements.
+
+## Engines
+
+| Engine | `memory_engine` value | Best for | Extra infra | Cost |
+|--------|----------------------|----------|-------------|------|
+| **AgentCore Managed** | `managed` (default) | All stages. Production-ready, zero-config. | None | $0 additional |
+| **Hindsight** | `hindsight` | Advanced recall/reflect with entity graph, cross-encoder reranking. | ECS Fargate + ALB | ~$75/mo (ARM64) |
+
+Both engines provide agents with memory tools. The Strands runtime reads `MEMORY_ENGINE` and loads the right tool set:
+
+- **Managed**: `remember()`, `recall()`, `forget()` — backed by AgentCore Memory API with 4 strategies (semantic facts, user preferences, session summaries, episodic).
+- **Hindsight**: `hindsight_retain()`, `hindsight_recall()`, `hindsight_reflect()` — backed by the Hindsight service with semantic + BM25 + entity graph + temporal retrieval and cross-encoder reranking.
+
+## What's pluggable
+
+Only **Layer 3 (long-term cross-thread memory)** is pluggable. The other memory layers are core infrastructure:
+
+- **Layer 1** — Workspace files on S3 (per-agent scratchpad). Always available.
+- **Layer 2** — Thread history in Aurora (conversation memory). Always available.
+- **Layer 3** — Long-term cross-thread recall. **This is what `memory_engine` controls.**
+
+## Usage
+
+### Managed (default — no extra config needed)
+
+```hcl
+module "thinkwork" {
+  source = "thinkwork-ai/thinkwork/aws"
+
+  stage      = "prod"
+  # memory_engine defaults to "managed" — nothing to set
+}
+```
+
+### Hindsight (opt-in)
+
+```hcl
+module "thinkwork" {
+  source = "thinkwork-ai/thinkwork/aws"
+
+  stage         = "prod"
+  memory_engine = "hindsight"
+
+  # Optional: pin the Hindsight image version
+  # hindsight_image_tag = "0.4.22"
+}
+```
+
+When `memory_engine = "hindsight"`, Terraform creates:
+- ECS Fargate cluster + service (ARM64, 2 vCPU, 4 GB)
+- Application Load Balancer
+- Security groups (ALB → Hindsight → Aurora ingress)
+- CloudWatch log group
+
+When `memory_engine = "managed"`, none of the above is created.
+
+## Switching engines
+
+Changing `memory_engine` and running `thinkwork deploy` will:
+- **managed → hindsight**: Create the ECS/ALB infrastructure. Agents start using Hindsight tools on next invoke.
+- **hindsight → managed**: Destroy the ECS/ALB infrastructure. Agents fall back to AgentCore memory tools.
+
+Memory data is not migrated between engines. Each engine has its own storage backend.