thinkwork-cli 0.1.1 → 0.2.1

package/dist/terraform/examples/greenfield/main.tf

@@ -0,0 +1,190 @@
+################################################################################
+# Greenfield Example
+#
+# Creates everything from scratch in a fresh AWS account.
+# Copy this directory to start a new Thinkwork deployment.
+#
+# Usage:
+#   cd terraform/examples/greenfield
+#   cp terraform.tfvars.example terraform.tfvars  # edit with your values
+#   terraform init
+#   terraform workspace new dev                    # or your stage name
+#   terraform plan -var-file=terraform.tfvars
+#   terraform apply -var-file=terraform.tfvars
+################################################################################
+
+terraform {
+  required_version = ">= 1.5"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    archive = {
+      source  = "hashicorp/archive"
+      version = "~> 2.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = "~> 3.0"
+    }
+  }
+
+  # For the example, use local state. Production deployments should
+  # use S3 + DynamoDB backend — see the docs for configuration.
+  # backend "s3" { ... }
+}
+
+provider "aws" {
+  region = var.region
+}
+
+variable "stage" {
+  description = "Deployment stage — must match the Terraform workspace name"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "db_password" {
+  description = "Master password for the Aurora cluster"
+  type        = string
+  sensitive   = true
+}
+
+variable "database_engine" {
+  description = "Database engine: 'aurora-serverless' (production) or 'rds-postgres' (dev/test, cheaper)"
+  type        = string
+  default     = "aurora-serverless"
+}
+
+variable "memory_engine" {
+  description = "Memory engine: 'managed' (AgentCore built-in, default) or 'hindsight' (ECS+ALB, opt-in)"
+  type        = string
+  default     = "managed"
+}
+
+variable "google_oauth_client_id" {
+  description = "Google OAuth client ID (optional — leave empty to skip Google login)"
+  type        = string
+  default     = ""
+}
+
+variable "google_oauth_client_secret" {
+  description = "Google OAuth client secret"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "pre_signup_lambda_zip" {
+  description = "Path to the Cognito pre-signup Lambda zip"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_zips_dir" {
+  description = "Local directory containing Lambda zip artifacts (from pnpm build:lambdas)"
+  type        = string
+  default     = ""
+}
+
+variable "api_auth_secret" {
+  description = "Shared secret for inter-service API authentication"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+module "thinkwork" {
+  source = "../../modules/thinkwork"
+
+  stage      = var.stage
+  region     = var.region
+  account_id = var.account_id
+
+  db_password                = var.db_password
+  database_engine            = var.database_engine
+  memory_engine              = var.memory_engine
+  google_oauth_client_id     = var.google_oauth_client_id
+  google_oauth_client_secret = var.google_oauth_client_secret
+  pre_signup_lambda_zip      = var.pre_signup_lambda_zip
+  lambda_zips_dir            = var.lambda_zips_dir
+  api_auth_secret            = var.api_auth_secret
+
+  # Greenfield: create everything (all defaults are true)
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "api_endpoint" {
+  description = "API Gateway endpoint URL"
+  value       = module.thinkwork.api_endpoint
+}
+
+output "appsync_realtime_url" {
+  description = "AppSync realtime WebSocket URL (for frontend subscription clients)"
+  value       = module.thinkwork.appsync_realtime_url
+}
+
+output "user_pool_id" {
+  description = "Cognito user pool ID"
+  value       = module.thinkwork.user_pool_id
+}
+
+output "admin_client_id" {
+  description = "Cognito app client ID for web admin"
+  value       = module.thinkwork.admin_client_id
+}
+
+output "mobile_client_id" {
+  description = "Cognito app client ID for mobile"
+  value       = module.thinkwork.mobile_client_id
+}
+
+output "ecr_repository_url" {
+  description = "ECR repository URL for the AgentCore container"
+  value       = module.thinkwork.ecr_repository_url
+}
+
+output "bucket_name" {
+  description = "Primary S3 bucket"
+  value       = module.thinkwork.bucket_name
+}
+
+output "db_cluster_endpoint" {
+  description = "Aurora cluster endpoint"
+  value       = module.thinkwork.db_cluster_endpoint
+}
+
+output "db_secret_arn" {
+  description = "Secrets Manager ARN for database credentials"
+  value       = module.thinkwork.db_secret_arn
+}
+
+output "database_name" {
+  description = "Database name"
+  value       = module.thinkwork.database_name
+}
+
+output "memory_engine" {
+  description = "Active memory engine (managed or hindsight)"
+  value       = module.thinkwork.memory_engine
+}
+
+output "hindsight_endpoint" {
+  description = "Hindsight API endpoint (null when memory_engine = managed)"
+  value       = module.thinkwork.hindsight_endpoint
+}

package/dist/terraform/examples/greenfield/terraform.tfvars.example

@@ -0,0 +1,28 @@
+# Thinkwork Greenfield Deployment
+#
+# Copy this file to terraform.tfvars and fill in your values.
+# DO NOT commit terraform.tfvars to version control.
+
+stage      = "dev"
+region     = "us-east-1"
+account_id = "123456789012"  # your AWS account ID
+
+# Database engine:
+#   "aurora-serverless" — Aurora Serverless v2 (production, auto-scaling, deletion protection on)
+#   "rds-postgres"      — Standard RDS PostgreSQL (dev/test, cheaper, deletion protection off)
+database_engine = "rds-postgres"
+
+# Memory engine:
+#   "managed"   — AgentCore built-in long-term memory (default, no extra infra)
+#   "hindsight" — Hindsight ECS+ALB service (opt-in, adds retain/recall/reflect tools)
+memory_engine = "managed"
+
+# Database master password — use a strong password
+db_password = "CHANGE_ME_strong_password_here"
+
+# Google OAuth (optional — leave empty to skip Google social login)
+# google_oauth_client_id     = ""
+# google_oauth_client_secret = ""
+
+# Pre-signup Lambda (optional — leave empty if not using custom pre-signup logic)
+# pre_signup_lambda_zip = "./lambdas/pre-signup.zip"

package/dist/terraform/modules/_internal/workspace-guard/main.tf

@@ -0,0 +1,29 @@
+################################################################################
+# Workspace Guard
+#
+# Prevents applying the wrong var file to the wrong Terraform workspace.
+# Every tier (foundation, data, app) should consume this module.
+#
+# History: on 2026-04-05, running `terraform apply -var-file=prod.tfvars` in
+# the dev workspace destroyed dev infrastructure. This guard prevents that
+# class of incident by failing the plan before any damage occurs.
+################################################################################
+
+variable "stage" {
+  description = "The deployment stage (must match the Terraform workspace name)"
+  type        = string
+}
+
+resource "null_resource" "workspace_guard" {
+  triggers = {
+    stage     = var.stage
+    workspace = terraform.workspace
+  }
+
+  lifecycle {
+    precondition {
+      condition     = var.stage == terraform.workspace
+      error_message = "SAFETY: stage '${var.stage}' does not match workspace '${terraform.workspace}'. You are applying the wrong var file!"
+    }
+  }
+}

package/dist/terraform/modules/app/agentcore-runtime/main.tf

@@ -0,0 +1,217 @@
+################################################################################
+# AgentCore Runtime — App Module
+#
+# Creates ECR repository, IAM roles, and container build infrastructure
+# for the Strands-based agent runtime. Full implementation ported in Phase 3.
+# Phase 1 creates the ECR repo and IAM scaffolding only.
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "bucket_name" {
+  description = "Primary S3 bucket for skills and workspace files"
+  type        = string
+}
+
+variable "memory_engine" {
+  description = "Memory engine: 'managed' or 'hindsight'. Passed as MEMORY_ENGINE env var to the container."
+  type        = string
+  default     = "managed"
+}
+
+variable "hindsight_endpoint" {
+  description = "Hindsight API endpoint (only used when memory_engine = 'hindsight')"
+  type        = string
+  default     = ""
+}
+
+variable "agentcore_memory_id" {
+  description = "AgentCore Memory resource ID (only used when memory_engine = 'managed')"
+  type        = string
+  default     = ""
+}
+
+################################################################################
+# ECR Repository
+################################################################################
+
+resource "aws_ecr_repository" "agentcore" {
+  name                 = "thinkwork-${var.stage}-agentcore"
+  image_tag_mutability = "MUTABLE"
+  force_delete         = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore"
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "agentcore" {
+  repository = aws_ecr_repository.agentcore.name
+
+  policy = jsonencode({
+    rules = [{
+      rulePriority = 1
+      description  = "Keep last 10 images"
+      selection = {
+        tagStatus   = "any"
+        countType   = "imageCountMoreThan"
+        countNumber = 10
+      }
+      action = {
+        type = "expire"
+      }
+    }]
+  })
+}
+
+################################################################################
+# Execution Role
+################################################################################
+
+resource "aws_iam_role" "agentcore" {
+  name = "thinkwork-${var.stage}-agentcore-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = ["ecs-tasks.amazonaws.com", "lambda.amazonaws.com"] }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "agentcore" {
+  name = "agentcore-permissions"
+  role = aws_iam_role.agentcore.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "S3Access"
+        Effect = "Allow"
+        Action = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
+        Resource = [
+          "arn:aws:s3:::${var.bucket_name}",
+          "arn:aws:s3:::${var.bucket_name}/*",
+        ]
+      },
+      {
+        Sid      = "BedrockInvoke"
+        Effect   = "Allow"
+        Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", "bedrock:InvokeAgent"]
+        Resource = "*"
+      },
+      {
+        Sid      = "CloudWatchLogs"
+        Effect   = "Allow"
+        Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
+        Resource = "arn:aws:logs:${var.region}:${var.account_id}:*"
+      },
+      {
+        Sid      = "ECRPull"
+        Effect   = "Allow"
+        Action   = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:GetAuthorizationToken"]
+        Resource = "*"
+      },
+      {
+        Sid      = "SSMParameterAccess"
+        Effect   = "Allow"
+        Action   = ["ssm:GetParameter", "ssm:PutParameter"]
+        Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/agentcore/*"
+      },
+    ]
+  })
+}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+resource "aws_cloudwatch_log_group" "agentcore" {
+  name              = "/thinkwork/${var.stage}/agentcore"
+  retention_in_days = 30
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore-logs"
+  }
+}
+
+################################################################################
+# Lambda Container Image
+################################################################################
+
+resource "aws_lambda_function" "agentcore" {
+  function_name = "thinkwork-${var.stage}-agentcore"
+  role          = aws_iam_role.agentcore.arn
+  package_type  = "Image"
+  image_uri     = "${aws_ecr_repository.agentcore.repository_url}:latest"
+  timeout       = 900
+  memory_size   = 2048
+
+  environment {
+    variables = {
+      PORT                   = "8080"
+      AWS_LWA_PORT           = "8080"
+      MEMORY_ENGINE          = var.memory_engine
+      AGENTCORE_MEMORY_ID    = var.agentcore_memory_id
+      AGENTCORE_FILES_BUCKET = var.bucket_name
+    }
+  }
+
+  logging_config {
+    log_group  = aws_cloudwatch_log_group.agentcore.name
+    log_format = "Text"
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore"
+  }
+}
+
+resource "aws_lambda_function_url" "agentcore" {
+  function_name      = aws_lambda_function.agentcore.function_name
+  authorization_type = "NONE"
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "ecr_repository_url" {
+  description = "ECR repository URL for the AgentCore container"
+  value       = aws_ecr_repository.agentcore.repository_url
+}
+
+output "execution_role_arn" {
+  description = "IAM role ARN for AgentCore execution"
+  value       = aws_iam_role.agentcore.arn
+}
+
+output "agentcore_invoke_url" {
+  description = "Lambda Function URL for the AgentCore container"
+  value       = aws_lambda_function_url.agentcore.function_url
+}
+
+output "agentcore_function_name" {
+  description = "AgentCore Lambda function name (for direct SDK invoke)"
+  value       = aws_lambda_function.agentcore.function_name
+}

package/dist/terraform/modules/app/appsync-subscriptions/main.tf

@@ -0,0 +1,122 @@
+################################################################################
+# AppSync Subscriptions — App Module
+#
+# AppSync exists ONLY as a thin realtime/event layer for subscription fan-out.
+# Queries and mutations go through API Gateway V2 → Lambda, NOT through AppSync.
+#
+# Per Decision 9: the unused RDS data source is removed. Only the NONE
+# passthrough data source remains for notification mutations. The schema is
+# a subscription-only fragment, not the full product schema.
+#
+# Post-launch consideration: replace with standard graphql-ws over API Gateway
+# V2 WebSocket API. Not v0.1 scope.
+################################################################################
+
+################################################################################
+# GraphQL API
+################################################################################
+
+resource "aws_appsync_graphql_api" "subscriptions" {
+  name                = "thinkwork-${var.stage}-subscriptions"
+  authentication_type = "API_KEY"
+  xray_enabled        = false
+
+  schema = var.subscription_schema
+
+  additional_authentication_provider {
+    authentication_type = "AWS_IAM"
+  }
+
+  additional_authentication_provider {
+    authentication_type = "AMAZON_COGNITO_USER_POOLS"
+
+    user_pool_config {
+      user_pool_id = var.user_pool_id
+    }
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-subscriptions"
+  }
+}
+
+################################################################################
+# API Key — 365 day expiry
+################################################################################
+
+resource "aws_appsync_api_key" "main" {
+  api_id  = aws_appsync_graphql_api.subscriptions.id
+  expires = timeadd(timestamp(), "8760h")
+
+  lifecycle {
+    ignore_changes = [expires]
+  }
+}
+
+################################################################################
+# NONE Data Source (passthrough for notification mutations)
+################################################################################
+
+resource "aws_appsync_datasource" "none" {
+  api_id = aws_appsync_graphql_api.subscriptions.id
+  name   = "NonePassthrough"
+  type   = "NONE"
+}
+
+################################################################################
+# Notification Mutation Resolvers
+#
+# v1 events only — deferred events (onEvalRunUpdated, onCostRecorded) are cut.
+################################################################################
+
+locals {
+  notification_mutations = [
+    "notifyAgentStatus",
+    "notifyNewMessage",
+    "notifyHeartbeatActivity",
+    "notifyThreadUpdate",
+    "notifyInboxItemUpdate",
+    "notifyThreadTurnUpdate",
+    "notifyOrgUpdate",
+  ]
+}
+
+resource "aws_appsync_resolver" "notifications" {
+  for_each = toset(local.notification_mutations)
+
+  api_id      = aws_appsync_graphql_api.subscriptions.id
+  type        = "Mutation"
+  field       = each.value
+  data_source = aws_appsync_datasource.none.name
+
+  request_template = <<-EOF
+    {"version":"2017-02-28","payload":$util.toJson($context.arguments)}
+  EOF
+
+  response_template = <<-EOF
+    #set($result = $context.result)
+    #if(!$result.updatedAt)
+      #set($result.updatedAt = $util.time.nowISO8601())
+    #end
+    #if(!$result.createdAt)
+      #set($result.createdAt = $util.time.nowISO8601())
+    #end
+    $util.toJson($result)
+  EOF
+}
+
+################################################################################
+# Custom Domain (optional)
+################################################################################
+
+resource "aws_appsync_domain_name" "main" {
+  count           = var.custom_domain != "" ? 1 : 0
+  domain_name     = var.custom_domain
+  certificate_arn = var.certificate_arn
+}
+
+resource "aws_appsync_domain_name_api_association" "main" {
+  count       = var.custom_domain != "" ? 1 : 0
+  api_id      = aws_appsync_graphql_api.subscriptions.id
+  domain_name = aws_appsync_domain_name.main[0].domain_name
+}

package/dist/terraform/modules/app/appsync-subscriptions/outputs.tf

@@ -0,0 +1,20 @@
+output "graphql_api_id" {
+  description = "AppSync GraphQL API ID"
+  value       = aws_appsync_graphql_api.subscriptions.id
+}
+
+output "graphql_api_url" {
+  description = "AppSync GraphQL endpoint URL (used by backend to push notifications)"
+  value       = aws_appsync_graphql_api.subscriptions.uris["GRAPHQL"]
+}
+
+output "graphql_realtime_url" {
+  description = "AppSync realtime WebSocket URL (used by frontend subscription clients)"
+  value       = aws_appsync_graphql_api.subscriptions.uris["REALTIME"]
+}
+
+output "graphql_api_key" {
+  description = "AppSync API key"
+  value       = aws_appsync_api_key.main.key
+  sensitive   = true
+}

package/dist/terraform/modules/app/appsync-subscriptions/variables.tf

@@ -0,0 +1,31 @@
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+variable "user_pool_id" {
+  description = "Cognito user pool ID for authentication"
+  type        = string
+}
+
+variable "subscription_schema" {
+  description = "GraphQL schema containing only Subscription + notification Mutation types. This is a subscription-only fragment, NOT the full product schema."
+  type        = string
+}
+
+variable "custom_domain" {
+  description = "Custom domain for the AppSync API (e.g. subscriptions.thinkwork.ai). Leave empty to skip."
+  type        = string
+  default     = ""
+}
+
+variable "certificate_arn" {
+  description = "ACM certificate ARN for the custom domain (required when custom_domain is set)"
+  type        = string
+  default     = ""
+}

package/dist/terraform/modules/app/crons/main.tf

@@ -0,0 +1,55 @@
+################################################################################
+# Crons — App Module
+#
+# Scheduled jobs and event-driven processors. Full implementation ported
+# in Phase 4. Phase 1 creates the IAM role and a placeholder cron only.
+#
+# v1 scope: standard crons + wakeup processor.
+# Cut: kg_extract_fanout, kg_extract_worker, span_enrichment (PRD-41B).
+################################################################################
+
+variable "stage" {
+  description = "Deployment stage"
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID"
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region"
+  type        = string
+}
+
+################################################################################
+# Shared IAM Role for Cron Lambdas
+################################################################################
+
+resource "aws_iam_role" "cron_lambda" {
+  name = "thinkwork-${var.stage}-cron-lambda-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "lambda.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "cron_basic" {
+  role       = aws_iam_role.cron_lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "cron_lambda_role_arn" {
+  description = "IAM role ARN for cron Lambda functions"
+  value       = aws_iam_role.cron_lambda.arn
+}