thinkwork-cli 0.1.1 → 0.2.0

package/dist/terraform/modules/app/appsync-subscriptions/main.tf

@@ -0,0 +1,122 @@
+################################################################################
+# AppSync Subscriptions — App Module
+#
+# AppSync exists ONLY as a thin realtime/event layer for subscription fan-out.
+# Queries and mutations go through API Gateway V2 → Lambda, NOT through AppSync.
+#
+# Per Decision 9: the unused RDS data source is removed. Only the NONE
+# passthrough data source remains for notification mutations. The schema is
+# a subscription-only fragment, not the full product schema.
+#
+# Post-launch consideration: replace with standard graphql-ws over API Gateway
+# V2 WebSocket API. Not v0.1 scope.
+################################################################################
+
+################################################################################
+# GraphQL API
+################################################################################
+
+resource "aws_appsync_graphql_api" "subscriptions" {
+  name                = "thinkwork-${var.stage}-subscriptions"
+  authentication_type = "API_KEY"
+  xray_enabled        = false
+
+  schema = var.subscription_schema
+
+  additional_authentication_provider {
+    authentication_type = "AWS_IAM"
+  }
+
+  additional_authentication_provider {
+    authentication_type = "AMAZON_COGNITO_USER_POOLS"
+
+    user_pool_config {
+      user_pool_id = var.user_pool_id
+    }
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-subscriptions"
+  }
+}
+
+################################################################################
+# API Key — 365 day expiry
+################################################################################
+
+resource "aws_appsync_api_key" "main" {
+  api_id  = aws_appsync_graphql_api.subscriptions.id
+  expires = timeadd(timestamp(), "8760h")
+
+  lifecycle {
+    ignore_changes = [expires]
+  }
+}
+
+################################################################################
+# NONE Data Source (passthrough for notification mutations)
+################################################################################
+
+resource "aws_appsync_datasource" "none" {
+  api_id = aws_appsync_graphql_api.subscriptions.id
+  name   = "NonePassthrough"
+  type   = "NONE"
+}
+
+################################################################################
+# Notification Mutation Resolvers
+#
+# v1 events only — deferred events (onEvalRunUpdated, onCostRecorded) are cut.
+################################################################################
+
+locals {
+  notification_mutations = [
+    "notifyAgentStatus",
+    "notifyNewMessage",
+    "notifyHeartbeatActivity",
+    "notifyThreadUpdate",
+    "notifyInboxItemUpdate",
+    "notifyThreadTurnUpdate",
+    "notifyOrgUpdate",
+  ]
+}
+
+resource "aws_appsync_resolver" "notifications" {
+  for_each = toset(local.notification_mutations)
+
+  api_id      = aws_appsync_graphql_api.subscriptions.id
+  type        = "Mutation"
+  field       = each.value
+  data_source = aws_appsync_datasource.none.name
+
+  request_template = <<-EOF
+    {"version":"2017-02-28","payload":$util.toJson($context.arguments)}
+  EOF
+
+  response_template = <<-EOF
+    #set($result = $context.result)
+    #if(!$result.updatedAt)
+      #set($result.updatedAt = $util.time.nowISO8601())
+    #end
+    #if(!$result.createdAt)
+      #set($result.createdAt = $util.time.nowISO8601())
+    #end
+    $util.toJson($result)
+  EOF
+}
+
+################################################################################
+# Custom Domain (optional)
+################################################################################
+
+resource "aws_appsync_domain_name" "main" {
+  count           = var.custom_domain != "" ? 1 : 0
+  domain_name     = var.custom_domain
+  certificate_arn = var.certificate_arn
+}
+
+resource "aws_appsync_domain_name_api_association" "main" {
+  count       = var.custom_domain != "" ? 1 : 0
+  api_id      = aws_appsync_graphql_api.subscriptions.id
+  domain_name = aws_appsync_domain_name.main[0].domain_name
+}

package/dist/terraform/modules/app/appsync-subscriptions/outputs.tf

@@ -0,0 +1,20 @@
+output "graphql_api_id" {
+  description = "AppSync GraphQL API ID"
+  value       = aws_appsync_graphql_api.subscriptions.id
+}
+
+output "graphql_api_url" {
+  description = "AppSync GraphQL endpoint URL (used by backend to push notifications)"
+  value       = aws_appsync_graphql_api.subscriptions.uris["GRAPHQL"]
+}
+
+output "graphql_realtime_url" {
+  description = "AppSync realtime WebSocket URL (used by frontend subscription clients)"
+  value       = aws_appsync_graphql_api.subscriptions.uris["REALTIME"]
+}
+
+output "graphql_api_key" {
+  description = "AppSync API key"
+  value       = aws_appsync_api_key.main.key
+  sensitive   = true
+}

package/dist/terraform/modules/app/appsync-subscriptions/variables.tf

@@ -0,0 +1,31 @@
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "user_pool_id" {
+  description = "Cognito user pool ID for authentication"
+  type        = string
+}
+
+variable "subscription_schema" {
+  description = "GraphQL schema containing only Subscription + notification Mutation types. This is a subscription-only fragment, NOT the full product schema."
+  type        = string
+}
+
+variable "custom_domain" {
+  description = "Custom domain for the AppSync API (e.g. subscriptions.thinkwork.ai). Leave empty to skip."
+  type        = string
+  default     = ""
+}
+
+variable "certificate_arn" {
+  description = "ACM certificate ARN for the custom domain (required when custom_domain is set)"
+  type        = string
+  default     = ""
+}

package/dist/terraform/modules/app/crons/main.tf

@@ -0,0 +1,55 @@
+################################################################################
+# Crons — App Module
+#
+# Scheduled jobs and event-driven processors. Full implementation ported
+# in Phase 4. Phase 1 creates the IAM role and a placeholder cron only.
+#
+# v1 scope: standard crons + wakeup processor.
+# Cut: kg_extract_fanout, kg_extract_worker, span_enrichment (PRD-41B).
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+################################################################################
+# Shared IAM Role for Cron Lambdas
+################################################################################
+
+resource "aws_iam_role" "cron_lambda" {
+  name = "thinkwork-${var.stage}-cron-lambda-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "lambda.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "cron_basic" {
+  role       = aws_iam_role.cron_lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "cron_lambda_role_arn" {
+  description = "IAM role ARN for cron Lambda functions"
+  value       = aws_iam_role.cron_lambda.arn
+}

package/dist/terraform/modules/app/hindsight-memory/README.md

@@ -0,0 +1,66 @@
+# Memory Engine Module
+
+Thinkwork supports pluggable long-term memory for agents. Choose the engine that fits your stage and requirements.
+
+## Engines
+
+| Engine | `memory_engine` value | Best for | Extra infra | Cost |
+|--------|----------------------|----------|-------------|------|
+| **AgentCore Managed** | `managed` (default) | All stages. Production-ready, zero-config. | None | $0 additional |
+| **Hindsight** | `hindsight` | Advanced recall/reflect with entity graph, cross-encoder reranking. | ECS Fargate + ALB | ~$75/mo (ARM64) |
+
+Both engines provide agents with memory tools. The Strands runtime reads `MEMORY_ENGINE` and loads the right tool set:
+
+- **Managed**: `remember()`, `recall()`, `forget()` — backed by AgentCore Memory API with 4 strategies (semantic facts, user preferences, session summaries, episodic).
+- **Hindsight**: `hindsight_retain()`, `hindsight_recall()`, `hindsight_reflect()` — backed by the Hindsight service with semantic + BM25 + entity graph + temporal retrieval and cross-encoder reranking.
+
+## What's pluggable
+
+Only **Layer 3 (long-term cross-thread memory)** is pluggable. The other memory layers are core infrastructure:
+
+- **Layer 1** — Workspace files on S3 (per-agent scratchpad). Always available.
+- **Layer 2** — Thread history in Aurora (conversation memory). Always available.
+- **Layer 3** — Long-term cross-thread recall. **This is what `memory_engine` controls.**
+
+## Usage
+
+### Managed (default — no extra config needed)
+
+```hcl
+module "thinkwork" {
+  source = "thinkwork-ai/thinkwork/aws"
+
+  stage      = "prod"
+  # memory_engine defaults to "managed" — nothing to set
+}
+```
+
+### Hindsight (opt-in)
+
+```hcl
+module "thinkwork" {
+  source = "thinkwork-ai/thinkwork/aws"
+
+  stage         = "prod"
+  memory_engine = "hindsight"
+
+  # Optional: pin the Hindsight image version
+  # hindsight_image_tag = "0.4.22"
+}
+```
+
+When `memory_engine = "hindsight"`, Terraform creates:
+- ECS Fargate cluster + service (ARM64, 2 vCPU, 4 GB)
+- Application Load Balancer
+- Security groups (ALB → Hindsight → Aurora ingress)
+- CloudWatch log group
+
+When `memory_engine = "managed"`, none of the above is created.
+
+## Switching engines
+
+Changing `memory_engine` and running `thinkwork deploy` will:
+- **managed → hindsight**: Create the ECS/ALB infrastructure. Agents start using Hindsight tools on next invoke.
+- **hindsight → managed**: Destroy the ECS/ALB infrastructure. Agents fall back to AgentCore memory tools.
+
+Memory data is not migrated between engines. Each engine has its own storage backend.

package/dist/terraform/modules/app/hindsight-memory/main.tf

@@ -0,0 +1,331 @@
+################################################################################
+# Hindsight Memory Engine — App Module
+#
+# Optional ECS Fargate + ALB service for Hindsight long-term memory.
+# Only created when memory_engine = "hindsight". When memory_engine = "managed",
+# this module creates nothing and AgentCore's built-in memory is used instead.
+#
+# Hindsight provides retain/recall/reflect tools for cross-thread,
+# cross-session organizational memory. It runs local embeddings + reranker
+# and uses the shared Aurora PostgreSQL instance with pgvector.
+################################################################################
+
+variable "stage" {
+  type = string
+}
+
+variable "vpc_id" {
+  type = string
+}
+
+variable "subnet_ids" {
+  type = list(string)
+}
+
+variable "db_security_group_id" {
+  type = string
+}
+
+variable "database_url" {
+  type      = string
+  sensitive = true
+}
+
+variable "image_tag" {
+  description = "Hindsight Docker image tag (ghcr.io/vectorize-io/hindsight:<tag>)"
+  type        = string
+  default     = "0.4.22"
+}
+
+data "aws_region" "current" {}
+
+################################################################################
+# ECS Cluster
+################################################################################
+
+resource "aws_ecs_cluster" "main" {
+  name = "thinkwork-${var.stage}-cluster"
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+
+  tags = { Name = "thinkwork-${var.stage}-cluster" }
+}
+
+################################################################################
+# IAM
+################################################################################
+
+resource "aws_iam_role" "ecs_execution" {
+  name = "thinkwork-${var.stage}-hindsight-execution"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = { Service = "ecs-tasks.amazonaws.com" }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_execution" {
+  role       = aws_iam_role.ecs_execution.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+resource "aws_iam_role" "ecs_task" {
+  name = "thinkwork-${var.stage}-hindsight-task"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action    = "sts:AssumeRole"
+      Effect    = "Allow"
+      Principal = { Service = "ecs-tasks.amazonaws.com" }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "bedrock_access" {
+  name = "bedrock-access"
+  role = aws_iam_role.ecs_task.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
+      Resource = "*"
+    }]
+  })
+}
+
+################################################################################
+# Security Groups
+################################################################################
+
+resource "aws_security_group" "hindsight" {
+  name_prefix = "thinkwork-${var.stage}-hindsight-"
+  description = "Hindsight ECS task"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    description     = "ALB to Hindsight API"
+    from_port       = 8888
+    to_port         = 8888
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb.id]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "thinkwork-${var.stage}-hindsight-sg" }
+  lifecycle { create_before_destroy = true }
+}
+
+resource "aws_security_group" "alb" {
+  name_prefix = "thinkwork-${var.stage}-hindsight-alb-"
+  description = "Hindsight ALB"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { Name = "thinkwork-${var.stage}-hindsight-alb-sg" }
+  lifecycle { create_before_destroy = true }
+}
+
+resource "aws_security_group_rule" "aurora_from_hindsight" {
+  type                     = "ingress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  source_security_group_id = aws_security_group.hindsight.id
+  security_group_id        = var.db_security_group_id
+}
+
+################################################################################
+# ALB
+################################################################################
+
+resource "aws_lb" "hindsight" {
+  name               = "tw-${var.stage}-hindsight"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb.id]
+  subnets            = var.subnet_ids
+
+  tags = { Name = "thinkwork-${var.stage}-hindsight-alb" }
+}
+
+resource "aws_lb_target_group" "hindsight" {
+  name        = "tw-${var.stage}-hindsight"
+  port        = 8888
+  protocol    = "HTTP"
+  vpc_id      = var.vpc_id
+  target_type = "ip"
+
+  health_check {
+    path                = "/health"
+    port                = "8888"
+    protocol            = "HTTP"
+    healthy_threshold   = 2
+    unhealthy_threshold = 3
+    timeout             = 10
+    interval            = 30
+    matcher             = "200-399"
+  }
+
+  tags = { Name = "thinkwork-${var.stage}-hindsight-tg" }
+}
+
+resource "aws_lb_listener" "hindsight" {
+  load_balancer_arn = aws_lb.hindsight.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.hindsight.arn
+  }
+}
+
+################################################################################
+# CloudWatch Logs
+################################################################################
+
+resource "aws_cloudwatch_log_group" "hindsight" {
+  name              = "/thinkwork/${var.stage}/hindsight"
+  retention_in_days = 14
+
+  tags = { Name = "thinkwork-${var.stage}-hindsight-logs" }
+}
+
+################################################################################
+# ECS Task Definition
+################################################################################
+
+resource "aws_ecs_task_definition" "hindsight" {
+  family                   = "thinkwork-${var.stage}-hindsight"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  cpu                      = 2048
+  memory                   = 4096
+  execution_role_arn       = aws_iam_role.ecs_execution.arn
+  task_role_arn            = aws_iam_role.ecs_task.arn
+
+  runtime_platform {
+    operating_system_family = "LINUX"
+    cpu_architecture        = "ARM64"
+  }
+
+  container_definitions = jsonencode([{
+    name      = "hindsight"
+    image     = "ghcr.io/vectorize-io/hindsight:${var.image_tag}"
+    essential = true
+
+    portMappings = [{
+      containerPort = 8888
+      protocol      = "tcp"
+    }]
+
+    environment = [
+      { name = "HINDSIGHT_API_DATABASE_URL", value = var.database_url },
+      { name = "HINDSIGHT_API_DATABASE_SCHEMA", value = "hindsight" },
+      { name = "HINDSIGHT_API_VECTOR_EXTENSION", value = "pgvector" },
+      { name = "HINDSIGHT_API_TEXT_SEARCH_EXTENSION", value = "native" },
+      { name = "HINDSIGHT_API_RUN_MIGRATIONS_ON_STARTUP", value = "true" },
+      { name = "HINDSIGHT_API_LLM_PROVIDER", value = "bedrock" },
+      { name = "HINDSIGHT_API_LLM_MODEL", value = "openai.gpt-oss-20b-1:0" },
+      { name = "AWS_REGION_NAME", value = data.aws_region.current.name },
+      { name = "AWS_DEFAULT_REGION", value = data.aws_region.current.name },
+      { name = "HINDSIGHT_API_RETAIN_LLM_PROVIDER", value = "bedrock" },
+      { name = "HINDSIGHT_API_RETAIN_LLM_MODEL", value = "openai.gpt-oss-20b-1:0" },
+      { name = "HINDSIGHT_API_REFLECT_LLM_PROVIDER", value = "bedrock" },
+      { name = "HINDSIGHT_API_REFLECT_LLM_MODEL", value = "openai.gpt-oss-120b-1:0" },
+      { name = "HINDSIGHT_API_EMBEDDINGS_PROVIDER", value = "local" },
+      { name = "HINDSIGHT_API_EMBEDDINGS_LOCAL_MODEL", value = "BAAI/bge-small-en-v1.5" },
+      { name = "HINDSIGHT_API_RERANKER_PROVIDER", value = "local" },
+    ]
+
+    logConfiguration = {
+      logDriver = "awslogs"
+      options = {
+        "awslogs-group"         = aws_cloudwatch_log_group.hindsight.name
+        "awslogs-region"        = data.aws_region.current.name
+        "awslogs-stream-prefix" = "hindsight"
+      }
+    }
+
+    healthCheck = {
+      command     = ["CMD-SHELL", "curl -f http://localhost:8888/health || exit 1"]
+      interval    = 30
+      timeout     = 10
+      retries     = 3
+      startPeriod = 300
+    }
+  }])
+
+  tags = { Name = "thinkwork-${var.stage}-hindsight" }
+}
+
+################################################################################
+# ECS Service
+################################################################################
+
+resource "aws_ecs_service" "hindsight" {
+  name            = "thinkwork-${var.stage}-hindsight"
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.hindsight.arn
+  desired_count   = 1
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    subnets          = var.subnet_ids
+    security_groups  = [aws_security_group.hindsight.id]
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.hindsight.arn
+    container_name   = "hindsight"
+    container_port   = 8888
+  }
+
+  depends_on = [aws_lb_listener.hindsight]
+
+  tags = { Name = "thinkwork-${var.stage}-hindsight" }
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "hindsight_endpoint" {
+  description = "Hindsight API endpoint (ALB URL)"
+  value       = "http://${aws_lb.hindsight.dns_name}"
+}
+
+output "ecs_cluster_arn" {
+  description = "ECS cluster ARN"
+  value       = aws_ecs_cluster.main.arn
+}

package/dist/terraform/modules/app/job-triggers/main.tf

@@ -0,0 +1,70 @@
+################################################################################
+# Job Triggers — App Module
+#
+# EventBridge Scheduler + Lambda for routine/scheduled job execution.
+# Full implementation ported in Phase 4. Phase 1 creates IAM scaffolding.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+################################################################################
+# IAM Roles
+################################################################################
+
+resource "aws_iam_role" "job_trigger_lambda" {
+  name = "thinkwork-${var.stage}-job-trigger-lambda-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "lambda.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "job_trigger_basic" {
+  role       = aws_iam_role.job_trigger_lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role" "job_scheduler" {
+  name = "thinkwork-${var.stage}-job-scheduler-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "scheduler.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "job_trigger_lambda_role_arn" {
+  description = "IAM role ARN for job trigger Lambda"
+  value       = aws_iam_role.job_trigger_lambda.arn
+}
+
+output "job_scheduler_role_arn" {
+  description = "IAM role ARN for EventBridge Scheduler"
+  value       = aws_iam_role.job_scheduler.arn
+}