thinkwork-cli 0.1.0 → 0.2.0

package/dist/terraform/modules/app/lambda-api/handlers.tf

@@ -0,0 +1,311 @@
+################################################################################
+# Real Lambda Handlers
+#
+# Each handler is bundled by scripts/build-lambdas.sh into dist/lambdas/<name>.zip.
+# Terraform references them via var.lambda_zips_dir (local path) for dev deploys,
+# or via S3 (lambda_artifact_bucket) for production.
+################################################################################
+
+locals {
+  use_local_zips = var.lambda_zips_dir != ""
+  runtime        = "nodejs20.x"
+
+  # Common environment variables shared by all API handlers
+  common_env = {
+    STAGE                  = var.stage
+    DATABASE_URL           = "postgresql://${var.db_username}:${urlencode(var.db_password)}@${var.db_cluster_endpoint}:5432/${var.database_name}?sslmode=no-verify"
+    DATABASE_SECRET_ARN    = var.graphql_db_secret_arn
+    DATABASE_HOST          = var.db_cluster_endpoint
+    DATABASE_NAME          = var.database_name
+    BUCKET_NAME                = var.bucket_name
+    USER_POOL_ID               = var.user_pool_id
+    COGNITO_USER_POOL_ID       = var.user_pool_id
+    ADMIN_CLIENT_ID            = var.admin_client_id
+    MOBILE_CLIENT_ID           = var.mobile_client_id
+    COGNITO_APP_CLIENT_IDS     = "${var.admin_client_id},${var.mobile_client_id}"
+    APPSYNC_ENDPOINT           = var.appsync_api_url
+    APPSYNC_API_KEY            = var.appsync_api_key
+    GRAPHQL_API_KEY            = var.appsync_api_key
+    API_AUTH_SECRET             = var.api_auth_secret
+    THINKWORK_API_SECRET        = var.api_auth_secret
+    MANIFLOW_API_SECRET         = var.api_auth_secret
+    AGENTCORE_INVOKE_URL        = var.agentcore_invoke_url
+    AGENTCORE_FUNCTION_NAME     = var.agentcore_function_name
+    WORKSPACE_BUCKET            = var.bucket_name
+    HINDSIGHT_ENDPOINT          = var.hindsight_endpoint
+    NODE_OPTIONS           = "--enable-source-maps"
+  }
+}
+
+# ---------------------------------------------------------------------------
+# Helper: creates a Lambda function from a local zip
+# ---------------------------------------------------------------------------
+
+resource "aws_lambda_function" "handler" {
+  for_each = local.use_local_zips ? toset([
+    "graphql-http",
+    "chat-agent-invoke",
+    "wakeup-processor",
+    "agents",
+    "agent-actions",
+    "messages",
+    "connections",
+    "oauth-authorize",
+    "oauth-callback",
+    "teams",
+    "team-members",
+    "tenants",
+    "users",
+    "invites",
+    "skills",
+    "activity",
+    "routines",
+    "budgets",
+    "guardrails",
+    "scheduled-jobs",
+    "job-schedule-manager",
+    "webhooks",
+    "webhooks-admin",
+    "workspace-files",
+    "knowledge-base-manager",
+    "knowledge-base-files",
+    "email-send",
+    "email-inbound",
+    "github-app",
+    "github-repos",
+    "memory",
+    "artifact-deliver",
+    "recipe-refresh",
+    "connector-installs",
+    "connector-secrets",
+    "agent-skills-list",
+    "bootstrap-workspaces",
+    "code-factory",
+  ]) : toset([])
+
+  function_name = "thinkwork-${var.stage}-api-${each.key}"
+  role          = aws_iam_role.lambda.arn
+  handler       = "index.handler"
+  runtime       = local.runtime
+  timeout       = each.key == "wakeup-processor" ? 300 : each.key == "chat-agent-invoke" ? 300 : 30
+  memory_size   = each.key == "graphql-http" ? 512 : each.key == "wakeup-processor" ? 512 : 256
+
+  filename         = "${var.lambda_zips_dir}/${each.key}.zip"
+  source_code_hash = filebase64sha256("${var.lambda_zips_dir}/${each.key}.zip")
+
+  environment {
+    variables = merge(local.common_env, {
+      FUNCTION_NAME = each.key
+    })
+  }
+
+  tags = {
+    Name    = "thinkwork-${var.stage}-api-${each.key}"
+    Handler = each.key
+  }
+}
+
+# ---------------------------------------------------------------------------
+# API Gateway routes → Lambda integrations
+# ---------------------------------------------------------------------------
+
+locals {
+  # Map of route_key → handler name for API Gateway
+  api_routes = local.use_local_zips ? {
+    # GraphQL — the main API entry point
+    "POST /graphql"              = "graphql-http"
+    "GET /graphql"               = "graphql-http"
+
+    # Health check (keep placeholder alive too)
+    # "GET /health" is handled by placeholder
+
+    # Agents
+    "ANY /api/agents/{proxy+}"   = "agents"
+    "ANY /api/agents"            = "agents"
+
+    # Agent actions (start/stop/heartbeat/budget)
+    "ANY /api/agent-actions/{proxy+}" = "agent-actions"
+
+    # Messages
+    "ANY /api/messages/{proxy+}" = "messages"
+    "ANY /api/messages"          = "messages"
+
+    # Teams
+    "ANY /api/teams/{proxy+}"    = "teams"
+    "ANY /api/teams"             = "teams"
+    "ANY /api/team-members/{proxy+}" = "team-members"
+
+    # Tenants
+    "ANY /api/tenants/{proxy+}"  = "tenants"
+    "ANY /api/tenants"           = "tenants"
+
+    # Users
+    "ANY /api/users/{proxy+}"    = "users"
+    "ANY /api/users"             = "users"
+
+    # Invites
+    "ANY /api/invites/{proxy+}"  = "invites"
+    "ANY /api/invites"           = "invites"
+
+    # Skills
+    "ANY /api/skills/{proxy+}"   = "skills"
+    "ANY /api/skills"            = "skills"
+
+    # Activity
+    "ANY /api/activity/{proxy+}" = "activity"
+    "ANY /api/activity"          = "activity"
+
+    # Connections + OAuth
+    "ANY /api/connections/{proxy+}" = "connections"
+    "ANY /api/connections"          = "connections"
+    "GET /api/oauth/authorize"      = "oauth-authorize"
+    "GET /api/oauth/callback"       = "oauth-callback"
+
+    # Routines
+    "ANY /api/routines/{proxy+}" = "routines"
+    "ANY /api/routines"          = "routines"
+
+    # Budgets
+    "ANY /api/budgets/{proxy+}"  = "budgets"
+    "ANY /api/budgets"           = "budgets"
+
+    # Guardrails
+    "ANY /api/guardrails/{proxy+}" = "guardrails"
+    "ANY /api/guardrails"          = "guardrails"
+
+    # Scheduled Jobs
+    "ANY /api/scheduled-jobs/{proxy+}" = "scheduled-jobs"
+    "ANY /api/scheduled-jobs"          = "scheduled-jobs"
+    "ANY /api/thread-turns/{proxy+}"   = "scheduled-jobs"
+    "ANY /api/thread-turns"            = "scheduled-jobs"
+
+    # Job Schedule Manager (EventBridge CRUD)
+    "ANY /api/job-schedules/{proxy+}" = "job-schedule-manager"
+    "ANY /api/job-schedules"          = "job-schedule-manager"
+
+    # Webhooks (public trigger)
+    "POST /webhooks/{proxy+}" = "webhooks"
+
+    # Webhooks admin
+    "ANY /api/webhooks/{proxy+}" = "webhooks-admin"
+    "ANY /api/webhooks"          = "webhooks-admin"
+
+    # Workspace files
+    "ANY /api/workspaces/{proxy+}" = "workspace-files"
+
+    # Knowledge bases
+    "ANY /api/knowledge-bases/{proxy+}" = "knowledge-base-files"
+
+    # Email
+    "POST /api/email/send" = "email-send"
+
+    # Memory
+    "ANY /api/memory/{proxy+}" = "memory"
+
+    # Artifacts
+    "POST /api/artifacts/{proxy+}" = "artifact-deliver"
+
+    # Recipes
+    "POST /api/recipe-refresh" = "recipe-refresh"
+
+    # GitHub App
+    "ANY /api/github-app/{proxy+}" = "github-app"
+    "POST /api/github/webhook"     = "github-app"
+
+    # Connectors
+    "ANY /api/connector-installs/{proxy+}" = "connector-installs"
+    "ANY /api/connector-secrets/{proxy+}"  = "connector-secrets"
+  } : {}
+}
+
+resource "aws_apigatewayv2_integration" "handler" {
+  for_each = local.api_routes
+
+  api_id                 = aws_apigatewayv2_api.main.id
+  integration_type       = "AWS_PROXY"
+  integration_uri        = aws_lambda_function.handler[each.value].invoke_arn
+  payload_format_version = "2.0"
+}
+
+resource "aws_apigatewayv2_route" "handler" {
+  for_each = local.api_routes
+
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = each.key
+  target    = "integrations/${aws_apigatewayv2_integration.handler[each.key].id}"
+}
+
+resource "aws_lambda_permission" "handler_apigw" {
+  for_each = local.use_local_zips ? toset(distinct(values(local.api_routes))) : toset([])
+
+  statement_id  = "AllowAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.handler[each.key].function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.main.execution_arn}/*/*"
+}
+
+# ---------------------------------------------------------------------------
+# Wakeup Processor — EventBridge schedule (every 1 min)
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "wakeup_processor" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-wakeup-processor"
+  group_name          = "default"
+  schedule_expression = "rate(1 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["wakeup-processor"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
+resource "aws_iam_role" "scheduler" {
+  name = "thinkwork-${var.stage}-scheduler-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "scheduler.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "scheduler_invoke" {
+  name = "invoke-lambda"
+  role = aws_iam_role.scheduler.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["lambda:InvokeFunction"]
+      Resource = local.use_local_zips ? [for k, v in aws_lambda_function.handler : v.arn] : []
+    }]
+  })
+}
+
+# ---------------------------------------------------------------------------
+# SSM Parameters — Lambda ARNs for cross-function invocation
+# ---------------------------------------------------------------------------
+
+resource "aws_ssm_parameter" "lambda_arns" {
+  for_each = local.use_local_zips ? {
+    "chat-agent-invoke-fn-arn"    = aws_lambda_function.handler["chat-agent-invoke"].arn
+    "kb-manager-fn-arn"           = aws_lambda_function.handler["knowledge-base-manager"].arn
+    "job-schedule-manager-fn-arn" = aws_lambda_function.handler["job-schedule-manager"].arn
+  } : {}
+
+  name  = "/thinkwork/${var.stage}/${each.key}"
+  type  = "String"
+  value = each.value
+}

package/dist/terraform/modules/app/lambda-api/main.tf

@@ -0,0 +1,245 @@
+################################################################################
+# Lambda API — App Module
+#
+# Creates the API Gateway V2 HTTP API and a shared Lambda execution role.
+# Individual Lambda functions are added in migration Phases 2-4 as their
+# code is ported. For Phase 1, a hello-world placeholder Lambda proves
+# the infrastructure works end-to-end.
+#
+# In production this module will contain 30+ Lambda functions covering:
+# - GraphQL HTTP handler (the main API entry point)
+# - Agent invoke / chat
+# - Thread, agent, template, connector CRUD
+# - Skills, KB, memory handlers
+# - Connectors (Slack, GitHub, Google)
+# - Email inbound/outbound
+# - OAuth callbacks
+################################################################################
+
+data "aws_caller_identity" "current" {}
+
+################################################################################
+# API Gateway V2 — HTTP API
+################################################################################
+
+resource "aws_apigatewayv2_api" "main" {
+  name          = "thinkwork-${var.stage}-api"
+  protocol_type = "HTTP"
+
+  cors_configuration {
+    allow_headers = ["*"]
+    allow_methods = ["*"]
+    allow_origins = ["*"]
+    max_age       = 3600
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-api"
+  }
+}
+
+resource "aws_apigatewayv2_stage" "default" {
+  api_id      = aws_apigatewayv2_api.main.id
+  name        = "$default"
+  auto_deploy = true
+
+  tags = {
+    Name = "thinkwork-${var.stage}-api-default"
+  }
+}
+
+################################################################################
+# Custom Domain (optional)
+################################################################################
+
+resource "aws_apigatewayv2_domain_name" "main" {
+  count       = var.custom_domain != "" ? 1 : 0
+  domain_name = var.custom_domain
+
+  domain_name_configuration {
+    certificate_arn = var.certificate_arn
+    endpoint_type   = "REGIONAL"
+    security_policy = "TLS_1_2"
+  }
+}
+
+resource "aws_apigatewayv2_api_mapping" "main" {
+  count       = var.custom_domain != "" ? 1 : 0
+  api_id      = aws_apigatewayv2_api.main.id
+  domain_name = aws_apigatewayv2_domain_name.main[0].id
+  stage       = aws_apigatewayv2_stage.default.id
+}
+
+################################################################################
+# Shared Lambda Execution Role
+################################################################################
+
+resource "aws_iam_role" "lambda" {
+  name = "thinkwork-${var.stage}-api-lambda-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "lambda.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_basic" {
+  role       = aws_iam_role.lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy" "lambda_rds" {
+  name = "rds-data-api"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "rds-data:ExecuteStatement",
+        "rds-data:BatchExecuteStatement",
+        "rds-data:BeginTransaction",
+        "rds-data:CommitTransaction",
+        "rds-data:RollbackTransaction",
+      ]
+      Resource = var.db_cluster_arn
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "lambda_secrets" {
+  name = "secrets-manager"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["secretsmanager:GetSecretValue"]
+      Resource = var.graphql_db_secret_arn
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "lambda_s3" {
+  name = "s3-access"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:DeleteObject",
+        "s3:ListBucket",
+      ]
+      Resource = [
+        var.bucket_arn,
+        "${var.bucket_arn}/*",
+      ]
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "lambda_cognito" {
+  name = "cognito-access"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "cognito-idp:AdminGetUser",
+        "cognito-idp:AdminUpdateUserAttributes",
+        "cognito-idp:ListUsers",
+      ]
+      Resource = var.user_pool_arn
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "lambda_bedrock" {
+  name = "bedrock-invoke"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
+      Resource = "*"
+    }]
+  })
+}
+
+################################################################################
+# Placeholder Lambda — proves the infrastructure works
+#
+# This will be replaced by real handlers in Phases 2-4.
+################################################################################
+
+data "archive_file" "placeholder" {
+  type        = "zip"
+  output_path = "${path.module}/.build/placeholder.zip"
+
+  source {
+    content  = <<-JS
+      exports.handler = async (event) => ({
+        statusCode: 200,
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ status: "ok", stage: process.env.STAGE }),
+      });
+    JS
+    filename = "index.js"
+  }
+}
+
+resource "aws_lambda_function" "placeholder" {
+  function_name = "thinkwork-${var.stage}-api-placeholder"
+  role          = aws_iam_role.lambda.arn
+  handler       = "index.handler"
+  runtime       = "nodejs20.x"
+  timeout       = 10
+
+  filename         = data.archive_file.placeholder.output_path
+  source_code_hash = data.archive_file.placeholder.output_base64sha256
+
+  environment {
+    variables = {
+      STAGE = var.stage
+    }
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-api-placeholder"
+  }
+}
+
+resource "aws_apigatewayv2_integration" "placeholder" {
+  api_id                 = aws_apigatewayv2_api.main.id
+  integration_type       = "AWS_PROXY"
+  integration_uri        = aws_lambda_function.placeholder.invoke_arn
+  payload_format_version = "2.0"
+}
+
+resource "aws_apigatewayv2_route" "placeholder" {
+  api_id    = aws_apigatewayv2_api.main.id
+  route_key = "GET /health"
+  target    = "integrations/${aws_apigatewayv2_integration.placeholder.id}"
+}
+
+resource "aws_lambda_permission" "placeholder_apigw" {
+  statement_id  = "AllowAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.placeholder.function_name
+  principal     = "apigateway.amazonaws.com"
+  source_arn    = "${aws_apigatewayv2_api.main.execution_arn}/*/*"
+}

package/dist/terraform/modules/app/lambda-api/outputs.tf

@@ -0,0 +1,24 @@
+output "api_id" {
+  description = "API Gateway V2 API ID"
+  value       = aws_apigatewayv2_api.main.id
+}
+
+output "api_endpoint" {
+  description = "API Gateway V2 endpoint URL"
+  value       = aws_apigatewayv2_stage.default.invoke_url
+}
+
+output "api_execution_arn" {
+  description = "API Gateway V2 execution ARN (for Lambda permissions)"
+  value       = aws_apigatewayv2_api.main.execution_arn
+}
+
+output "lambda_role_arn" {
+  description = "Shared Lambda execution role ARN (for other modules that add routes)"
+  value       = aws_iam_role.lambda.arn
+}
+
+output "lambda_role_name" {
+  description = "Shared Lambda execution role name"
+  value       = aws_iam_role.lambda.name
+}