thinkwork-cli 0.1.1 → 0.2.0

package/dist/cli.js

@@ -83,7 +83,19 @@ function resolveTierDir(terraformDir, stage, tier) {
   if (existsSync(envDir)) {
     return envDir;
   }
-  return path.join(terraformDir, "examples", "greenfield");
+  const greenfield = path.join(terraformDir, "examples", "greenfield");
+  if (existsSync(greenfield)) {
+    return greenfield;
+  }
+  const flat = path.join(terraformDir);
+  if (existsSync(path.join(flat, "main.tf"))) {
+    return flat;
+  }
+  const cwdTf = path.join(process.cwd(), "terraform");
+  if (existsSync(path.join(cwdTf, "main.tf"))) {
+    return cwdTf;
+  }
+  return terraformDir;
 }
 async function ensureWorkspace(cwd, stage) {
   const list = await runTerraformRaw(cwd, ["workspace", "list"]);
@@ -709,11 +721,13 @@ function registerLoginCommand(program2) {
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync2 } from "fs";
-import { resolve as resolve2, join } from "path";
+import { existsSync as existsSync3, mkdirSync, writeFileSync as writeFileSync2, cpSync } from "fs";
+import { resolve as resolve2, join, dirname } from "path";
 import { execSync as execSync4 } from "child_process";
+import { fileURLToPath } from "url";
 import { createInterface as createInterface3 } from "readline";
 import chalk3 from "chalk";
+var __dirname = dirname(fileURLToPath(import.meta.url));
 function ask2(prompt, defaultVal = "") {
   const rl = createInterface3({ input: process.stdin, output: process.stdout });
   const suffix = defaultVal ? chalk3.dim(` [${defaultVal}]`) : "";
@@ -736,6 +750,15 @@ function generateSecret(length = 32) {
   for (const b of bytes) result += chars[b % chars.length];
   return result;
 }
+function findBundledTerraform() {
+  const bundled = resolve2(__dirname, "..", "terraform");
+  if (existsSync3(join(bundled, "modules"))) return bundled;
+  const repoTf = resolve2(__dirname, "..", "..", "..", "..", "terraform");
+  if (existsSync3(join(repoTf, "modules"))) return repoTf;
+  throw new Error(
+    "Terraform modules not found. The CLI package may be incomplete.\nTry reinstalling: npm install -g thinkwork-cli@latest"
+  );
+}
 function buildTfvars(config) {
   const lines = [
     `# Thinkwork \u2014 ${config.stage} stage`,
@@ -782,7 +805,7 @@ function buildTfvars(config) {
   return lines.join("\n");
 }
 function registerInitCommand(program2) {
-  program2.command("init").description("Initialize a new Thinkwork environment").requiredOption("-s, --stage <name>", "Stage name (e.g. dev, staging, prod)").option("-d, --dir <path>", "Directory to initialize in", ".").option("--defaults", "Skip interactive prompts, use all defaults").action(async (opts) => {
+  program2.command("init").description("Initialize a new Thinkwork environment").requiredOption("-s, --stage <name>", "Stage name (e.g. dev, staging, prod)").option("-d, --dir <path>", "Target directory", ".").option("--defaults", "Skip interactive prompts, use all defaults").action(async (opts) => {
     const stageCheck = validateStage(opts.stage);
     if (!stageCheck.valid) {
       printError(stageCheck.error);
@@ -794,8 +817,8 @@ function registerInitCommand(program2) {
       printError("AWS credentials not configured. Run `thinkwork login` first.");
       process.exit(1);
     }
-    const rootDir = resolve2(opts.dir);
-    const tfDir = join(rootDir, "terraform", "examples", "greenfield");
+    const targetDir = resolve2(opts.dir);
+    const tfDir = join(targetDir, "terraform");
     const tfvarsPath = join(tfDir, "terraform.tfvars");
     if (existsSync3(tfvarsPath)) {
       printWarning(`terraform.tfvars already exists at ${tfvarsPath}`);
@@ -851,13 +874,110 @@ function registerInitCommand(program2) {
       console.log(chalk3.dim(`  DB password:     ${config.db_password.slice(0, 8)}...`));
       console.log(chalk3.dim(`  API auth secret: ${config.api_auth_secret.slice(0, 16)}...`));
     }
-    if (!existsSync3(tfDir)) {
-      mkdirSync(tfDir, { recursive: true });
+    console.log("");
+    console.log("  Scaffolding Terraform modules...");
+    let bundledTf;
+    try {
+      bundledTf = findBundledTerraform();
+    } catch (err) {
+      printError(String(err));
+      process.exit(1);
+    }
+    mkdirSync(tfDir, { recursive: true });
+    const copyDirs = ["modules", "examples"];
+    for (const dir of copyDirs) {
+      const src = join(bundledTf, dir);
+      const dst = join(tfDir, dir);
+      if (existsSync3(src) && !existsSync3(dst)) {
+        cpSync(src, dst, { recursive: true });
+      }
+    }
+    const schemaPath = join(bundledTf, "schema.graphql");
+    if (existsSync3(schemaPath) && !existsSync3(join(tfDir, "schema.graphql"))) {
+      cpSync(schemaPath, join(tfDir, "schema.graphql"));
     }
     const tfvars = buildTfvars(config);
     writeFileSync2(tfvarsPath, tfvars);
-    console.log("");
-    console.log(`  Wrote ${chalk3.cyan(tfvarsPath)}`);
+    const mainTfPath = join(tfDir, "main.tf");
+    if (!existsSync3(mainTfPath)) {
+      writeFileSync2(mainTfPath, `################################################################################
+# Thinkwork \u2014 ${config.stage}
+# Generated by: thinkwork init -s ${config.stage}
+################################################################################
+
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+variable "stage" { type = string }
+variable "region" { type = string; default = "us-east-1" }
+variable "account_id" { type = string }
+variable "db_password" { type = string; sensitive = true }
+variable "database_engine" { type = string; default = "aurora-serverless" }
+variable "memory_engine" { type = string; default = "managed" }
+variable "google_oauth_client_id" { type = string; default = "" }
+variable "google_oauth_client_secret" { type = string; sensitive = true; default = "" }
+variable "pre_signup_lambda_zip" { type = string; default = "" }
+variable "lambda_zips_dir" { type = string; default = "" }
+variable "api_auth_secret" { type = string; sensitive = true; default = "" }
+variable "admin_callback_urls" { type = list(string); default = ["http://localhost:5174", "http://localhost:5174/auth/callback"] }
+variable "admin_logout_urls" { type = list(string); default = ["http://localhost:5174"] }
+variable "mobile_callback_urls" { type = list(string); default = ["exp://localhost:8081", "thinkwork://", "thinkwork://auth/callback"] }
+variable "mobile_logout_urls" { type = list(string); default = ["exp://localhost:8081", "thinkwork://"] }
+
+module "thinkwork" {
+  source = "./modules/thinkwork"
+
+  stage      = var.stage
+  region     = var.region
+  account_id = var.account_id
+
+  db_password                = var.db_password
+  database_engine            = var.database_engine
+  memory_engine              = var.memory_engine
+  google_oauth_client_id     = var.google_oauth_client_id
+  google_oauth_client_secret = var.google_oauth_client_secret
+  pre_signup_lambda_zip      = var.pre_signup_lambda_zip
+  lambda_zips_dir            = var.lambda_zips_dir
+  api_auth_secret            = var.api_auth_secret
+  admin_callback_urls        = var.admin_callback_urls
+  admin_logout_urls          = var.admin_logout_urls
+  mobile_callback_urls       = var.mobile_callback_urls
+  mobile_logout_urls         = var.mobile_logout_urls
+}
+
+output "api_endpoint"       { value = module.thinkwork.api_endpoint }
+output "user_pool_id"       { value = module.thinkwork.user_pool_id }
+output "admin_client_id"    { value = module.thinkwork.admin_client_id }
+output "mobile_client_id"   { value = module.thinkwork.mobile_client_id }
+output "bucket_name"        { value = module.thinkwork.bucket_name }
+output "db_cluster_endpoint" { value = module.thinkwork.db_cluster_endpoint }
+output "db_secret_arn"      { value = module.thinkwork.db_secret_arn; sensitive = true }
+output "ecr_repository_url" { value = module.thinkwork.ecr_repository_url }
+output "memory_engine"      { value = module.thinkwork.memory_engine }
+output "hindsight_endpoint"  { value = module.thinkwork.hindsight_endpoint }
+`);
+    }
+    console.log(`  Wrote ${chalk3.cyan(tfDir + "/")}`);
     console.log("");
     console.log(chalk3.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
     console.log(`  ${chalk3.bold("Stage:")}           ${config.stage}`);
@@ -866,6 +986,7 @@ function registerInitCommand(program2) {
     console.log(`  ${chalk3.bold("Database:")}        ${config.database_engine}`);
     console.log(`  ${chalk3.bold("Memory:")}          ${config.memory_engine}`);
     console.log(`  ${chalk3.bold("Google OAuth:")}    ${config.google_oauth_client_id ? "enabled" : "disabled"}`);
+    console.log(`  ${chalk3.bold("Directory:")}       ${tfDir}`);
     console.log(chalk3.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
     console.log("\n  Initializing Terraform...\n");
     try {
@@ -878,7 +999,7 @@ function registerInitCommand(program2) {
     console.log("");
     console.log("  Next steps:");
     console.log(`    ${chalk3.cyan("1.")} thinkwork plan -s ${opts.stage}        ${chalk3.dim("# Review infrastructure plan")}`);
-    console.log(`    ${chalk3.cyan("2.")} thinkwork deploy -s ${opts.stage}       ${chalk3.dim("# Deploy to AWS")}`);
+    console.log(`    ${chalk3.cyan("2.")} thinkwork deploy -s ${opts.stage}       ${chalk3.dim("# Deploy to AWS (~5 min)")}`);
     console.log(`    ${chalk3.cyan("3.")} thinkwork bootstrap -s ${opts.stage}    ${chalk3.dim("# Seed workspace files + skills")}`);
     console.log(`    ${chalk3.cyan("4.")} thinkwork outputs -s ${opts.stage}      ${chalk3.dim("# Show API URL, Cognito IDs, etc.")}`);
     console.log("");

package/dist/terraform/examples/greenfield/main.tf

@@ -0,0 +1,190 @@
+################################################################################
+# Greenfield Example
+#
+# Creates everything from scratch in a fresh AWS account.
+# Copy this directory to start a new Thinkwork deployment.
+#
+# Usage:
+#   cd terraform/examples/greenfield
+#   cp terraform.tfvars.example terraform.tfvars  # edit with your values
+#   terraform init
+#   terraform workspace new dev                    # or your stage name
+#   terraform plan -var-file=terraform.tfvars
+#   terraform apply -var-file=terraform.tfvars
+################################################################################
+
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.0"
+    }
+  }
+
+  # For the example, use local state. Production deployments should
+  # use S3 + DynamoDB backend — see the docs for configuration.
+  # backend "s3" { ... }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+variable "stage" {
+  description = "Deployment stage — must match the Terraform workspace name"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "db_password" {
+  description = "Master password for the Aurora cluster"
+  type        = string
+  sensitive   = true
+}
+
+variable "database_engine" {
+  description = "Database engine: 'aurora-serverless' (production) or 'rds-postgres' (dev/test, cheaper)"
+  type        = string
+  default     = "aurora-serverless"
+}
+
+variable "memory_engine" {
+  description = "Memory engine: 'managed' (AgentCore built-in, default) or 'hindsight' (ECS+ALB, opt-in)"
+  type        = string
+  default     = "managed"
+}
+
+variable "google_oauth_client_id" {
+  description = "Google OAuth client ID (optional — leave empty to skip Google login)"
+  type        = string
+  default     = ""
+}
+
+variable "google_oauth_client_secret" {
+  description = "Google OAuth client secret"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "pre_signup_lambda_zip" {
+  description = "Path to the Cognito pre-signup Lambda zip"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_zips_dir" {
+  description = "Local directory containing Lambda zip artifacts (from pnpm build:lambdas)"
+  type        = string
+  default     = ""
+}
+
+variable "api_auth_secret" {
+  description = "Shared secret for inter-service API authentication"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+module "thinkwork" {
+  source = "../../modules/thinkwork"
+
+  stage      = var.stage
+  region     = var.region
+  account_id = var.account_id
+
+  db_password                = var.db_password
+  database_engine            = var.database_engine
+  memory_engine              = var.memory_engine
+  google_oauth_client_id     = var.google_oauth_client_id
+  google_oauth_client_secret = var.google_oauth_client_secret
+  pre_signup_lambda_zip      = var.pre_signup_lambda_zip
+  lambda_zips_dir            = var.lambda_zips_dir
+  api_auth_secret            = var.api_auth_secret
+
+  # Greenfield: create everything (all defaults are true)
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "api_endpoint" {
+  description = "API Gateway endpoint URL"
+  value       = module.thinkwork.api_endpoint
+}
+
+output "appsync_realtime_url" {
+  description = "AppSync realtime WebSocket URL (for frontend subscription clients)"
+  value       = module.thinkwork.appsync_realtime_url
+}
+
+output "user_pool_id" {
+  description = "Cognito user pool ID"
+  value       = module.thinkwork.user_pool_id
+}
+
+output "admin_client_id" {
+  description = "Cognito app client ID for web admin"
+  value       = module.thinkwork.admin_client_id
+}
+
+output "mobile_client_id" {
+  description = "Cognito app client ID for mobile"
+  value       = module.thinkwork.mobile_client_id
+}
+
+output "ecr_repository_url" {
+  description = "ECR repository URL for the AgentCore container"
+  value       = module.thinkwork.ecr_repository_url
+}
+
+output "bucket_name" {
+  description = "Primary S3 bucket"
+  value       = module.thinkwork.bucket_name
+}
+
+output "db_cluster_endpoint" {
+  description = "Aurora cluster endpoint"
+  value       = module.thinkwork.db_cluster_endpoint
+}
+
+output "db_secret_arn" {
+  description = "Secrets Manager ARN for database credentials"
+  value       = module.thinkwork.db_secret_arn
+}
+
+output "database_name" {
+  description = "Database name"
+  value       = module.thinkwork.database_name
+}
+
+output "memory_engine" {
+  description = "Active memory engine (managed or hindsight)"
+  value       = module.thinkwork.memory_engine
+}
+
+output "hindsight_endpoint" {
+  description = "Hindsight API endpoint (null when memory_engine = managed)"
+  value       = module.thinkwork.hindsight_endpoint
+}

package/dist/terraform/examples/greenfield/terraform.tfvars.example

@@ -0,0 +1,28 @@
+# Thinkwork Greenfield Deployment
+#
+# Copy this file to terraform.tfvars and fill in your values.
+# DO NOT commit terraform.tfvars to version control.
+
+stage      = "dev"
+region     = "us-east-1"
+account_id = "123456789012"  # your AWS account ID
+
+# Database engine:
+#   "aurora-serverless" — Aurora Serverless v2 (production, auto-scaling, deletion protection on)
+#   "rds-postgres"      — Standard RDS PostgreSQL (dev/test, cheaper, deletion protection off)
+database_engine = "rds-postgres"
+
+# Memory engine:
+#   "managed"   — AgentCore built-in long-term memory (default, no extra infra)
+#   "hindsight" — Hindsight ECS+ALB service (opt-in, adds retain/recall/reflect tools)
+memory_engine = "managed"
+
+# Database master password — use a strong password
+db_password = "CHANGE_ME_strong_password_here"
+
+# Google OAuth (optional — leave empty to skip Google social login)
+# google_oauth_client_id     = ""
+# google_oauth_client_secret = ""
+
+# Pre-signup Lambda (optional — leave empty if not using custom pre-signup logic)
+# pre_signup_lambda_zip = "./lambdas/pre-signup.zip"

package/dist/terraform/modules/_internal/workspace-guard/main.tf

@@ -0,0 +1,29 @@
+################################################################################
+# Workspace Guard
+#
+# Prevents applying the wrong var file to the wrong Terraform workspace.
+# Every tier (foundation, data, app) should consume this module.
+#
+# History: on 2026-04-05, running `terraform apply -var-file=prod.tfvars` in
+# the dev workspace destroyed dev infrastructure. This guard prevents that
+# class of incident by failing the plan before any damage occurs.
+################################################################################
+
+variable "stage" {
+  description = "The deployment stage (must match the Terraform workspace name)"
+  type        = string
+}
+
+resource "null_resource" "workspace_guard" {
+  triggers = {
+    stage     = var.stage
+    workspace = terraform.workspace
+  }
+
+  lifecycle {
+    precondition {
+      condition     = var.stage == terraform.workspace
+      error_message = "SAFETY: stage '${var.stage}' does not match workspace '${terraform.workspace}'. You are applying the wrong var file!"
+    }
+  }
+}

package/dist/terraform/modules/app/agentcore-runtime/main.tf

@@ -0,0 +1,217 @@
+################################################################################
+# AgentCore Runtime — App Module
+#
+# Creates ECR repository, IAM roles, and container build infrastructure
+# for the Strands-based agent runtime. Full implementation ported in Phase 3.
+# Phase 1 creates the ECR repo and IAM scaffolding only.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "bucket_name" {
+  description = "Primary S3 bucket for skills and workspace files"
+  type        = string
+}
+
+variable "memory_engine" {
+  description = "Memory engine: 'managed' or 'hindsight'. Passed as MEMORY_ENGINE env var to the container."
+  type        = string
+  default     = "managed"
+}
+
+variable "hindsight_endpoint" {
+  description = "Hindsight API endpoint (only used when memory_engine = 'hindsight')"
+  type        = string
+  default     = ""
+}
+
+variable "agentcore_memory_id" {
+  description = "AgentCore Memory resource ID (only used when memory_engine = 'managed')"
+  type        = string
+  default     = ""
+}
+
+################################################################################
+# ECR Repository
+################################################################################
+
+resource "aws_ecr_repository" "agentcore" {
+  name                 = "thinkwork-${var.stage}-agentcore"
+  image_tag_mutability = "MUTABLE"
+  force_delete         = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore"
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "agentcore" {
+  repository = aws_ecr_repository.agentcore.name
+
+  policy = jsonencode({
+    rules = [{
+      rulePriority = 1
+      description  = "Keep last 10 images"
+      selection = {
+        tagStatus   = "any"
+        countType   = "imageCountMoreThan"
+        countNumber = 10
+      }
+      action = {
+        type = "expire"
+      }
+    }]
+  })
+}
+
+################################################################################
+# Execution Role
+################################################################################
+
+resource "aws_iam_role" "agentcore" {
+  name = "thinkwork-${var.stage}-agentcore-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = ["ecs-tasks.amazonaws.com", "lambda.amazonaws.com"] }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "agentcore" {
+  name = "agentcore-permissions"
+  role = aws_iam_role.agentcore.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "S3Access"
+        Effect = "Allow"
+        Action = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
+        Resource = [
+          "arn:aws:s3:::${var.bucket_name}",
+          "arn:aws:s3:::${var.bucket_name}/*",
+        ]
+      },
+      {
+        Sid      = "BedrockInvoke"
+        Effect   = "Allow"
+        Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", "bedrock:InvokeAgent"]
+        Resource = "*"
+      },
+      {
+        Sid      = "CloudWatchLogs"
+        Effect   = "Allow"
+        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
+        Resource = "arn:aws:logs:${var.region}:${var.account_id}:*"
+      },
+      {
+        Sid      = "ECRPull"
+        Effect   = "Allow"
+        Action   = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:GetAuthorizationToken"]
+        Resource = "*"
+      },
+      {
+        Sid      = "SSMParameterAccess"
+        Effect   = "Allow"
+        Action   = ["ssm:GetParameter", "ssm:PutParameter"]
+        Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/agentcore/*"
+      },
+    ]
+  })
+}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+resource "aws_cloudwatch_log_group" "agentcore" {
+  name              = "/thinkwork/${var.stage}/agentcore"
+  retention_in_days = 30
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore-logs"
+  }
+}
+
+################################################################################
+# Lambda Container Image
+################################################################################
+
+resource "aws_lambda_function" "agentcore" {
+  function_name = "thinkwork-${var.stage}-agentcore"
+  role          = aws_iam_role.agentcore.arn
+  package_type  = "Image"
+  image_uri     = "${aws_ecr_repository.agentcore.repository_url}:latest"
+  timeout       = 900
+  memory_size   = 2048
+
+  environment {
+    variables = {
+      PORT                   = "8080"
+      AWS_LWA_PORT           = "8080"
+      MEMORY_ENGINE          = var.memory_engine
+      AGENTCORE_MEMORY_ID    = var.agentcore_memory_id
+      AGENTCORE_FILES_BUCKET = var.bucket_name
+    }
+  }
+
+  logging_config {
+    log_group  = aws_cloudwatch_log_group.agentcore.name
+    log_format = "Text"
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore"
+  }
+}
+
+resource "aws_lambda_function_url" "agentcore" {
+  function_name      = aws_lambda_function.agentcore.function_name
+  authorization_type = "NONE"
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "ecr_repository_url" {
+  description = "ECR repository URL for the AgentCore container"
+  value       = aws_ecr_repository.agentcore.repository_url
+}
+
+output "execution_role_arn" {
+  description = "IAM role ARN for AgentCore execution"
+  value       = aws_iam_role.agentcore.arn
+}
+
+output "agentcore_invoke_url" {
+  description = "Lambda Function URL for the AgentCore container"
+  value       = aws_lambda_function_url.agentcore.function_url
+}
+
+output "agentcore_function_name" {
+  description = "AgentCore Lambda function name (for direct SDK invoke)"
+  value       = aws_lambda_function.agentcore.function_name
+}