thinkwork-cli 0.12.1 → 0.12.3

package/dist/cli.js

@@ -201,7 +201,7 @@ async function ensureWorkspace(cwd, stage) {
   }
 }
 function runTerraformRaw(cwd, args) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve6, reject) => {
     const proc = spawn("terraform", args, {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
@@ -211,13 +211,13 @@ function runTerraformRaw(cwd, args) {
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve4(stdout);
+      if (code === 0) resolve6(stdout);
       else reject(new Error(`terraform ${args.join(" ")} failed (exit ${code}): ${stderr}`));
     });
   });
 }
 function runTerraform(cwd, args) {
-  return new Promise((resolve4) => {
+  return new Promise((resolve6) => {
     console.log(`
   \u2192 terraform ${args.join(" ")}
 `);
@@ -225,7 +225,7 @@ function runTerraform(cwd, args) {
       cwd,
       stdio: "inherit"
     });
-    proc.on("close", (code) => resolve4(code ?? 1));
+    proc.on("close", (code) => resolve6(code ?? 1));
   });
 }
 async function ensureInit(cwd) {
@@ -469,10 +469,10 @@ async function confirm(message) {
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve4) => {
+  return new Promise((resolve6) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve4(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve6(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
@@ -553,7 +553,7 @@ async function runPostDeployProbe(stage) {
     );
     return;
   }
-  await new Promise((resolve4) => {
+  await new Promise((resolve6) => {
     const proc = spawn2("bash", [scriptPath, "--stage", stage], {
       stdio: "inherit",
       env: process.env
@@ -564,11 +564,11 @@ async function runPostDeployProbe(stage) {
           `post-deploy probe exited ${code} \u2014 deploy not rolled back`
         );
       }
-      resolve4();
+      resolve6();
     });
     proc.on("error", (err) => {
       printWarning(`post-deploy probe spawn failed: ${err.message}`);
-      resolve4();
+      resolve6();
     });
   });
 }
@@ -782,11 +782,21 @@ import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsS
 import chalk4 from "chalk";
 
 // src/environments.ts
-import { existsSync as existsSync4, mkdirSync as mkdirSync2, writeFileSync as writeFileSync2, readFileSync as readFileSync2, readdirSync } from "fs";
+import {
+  existsSync as existsSync4,
+  mkdirSync as mkdirSync2,
+  writeFileSync as writeFileSync2,
+  readFileSync as readFileSync2,
+  readdirSync
+} from "fs";
 import { join as join2 } from "path";
 import { homedir as homedir2 } from "os";
 var THINKWORK_HOME = join2(homedir2(), ".thinkwork");
 var ENVIRONMENTS_DIR = join2(THINKWORK_HOME, "environments");
+var ENTERPRISE_DEPLOYMENTS_DIR = join2(
+  THINKWORK_HOME,
+  "enterprise-deployments"
+);
 function ensureDir(dir) {
   if (!existsSync4(dir)) mkdirSync2(dir, { recursive: true });
 }
@@ -799,6 +809,13 @@ function saveEnvironment(config) {
     JSON.stringify(config, null, 2) + "\n"
   );
 }
+function saveEnterpriseDeployment(config) {
+  ensureDir(ENTERPRISE_DEPLOYMENTS_DIR);
+  writeFileSync2(
+    join2(ENTERPRISE_DEPLOYMENTS_DIR, `${config.customerSlug}.json`),
+    JSON.stringify(config, null, 2) + "\n"
+  );
+}
 function loadEnvironment(stage) {
   const configPath = join2(ENVIRONMENTS_DIR, stage, "config.json");
   if (!existsSync4(configPath)) return null;
@@ -1008,7 +1025,7 @@ function registerConfigCommand(program2) {
 import { spawn as spawn3 } from "child_process";
 import { resolve } from "path";
 function getTerraformOutput(cwd, key) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve6, reject) => {
     const proc = spawn3("terraform", ["output", "-raw", key], {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
@@ -1016,17 +1033,17 @@ function getTerraformOutput(cwd, key) {
     let stdout = "";
     proc.stdout.on("data", (d) => stdout += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve4(stdout.trim());
+      if (code === 0) resolve6(stdout.trim());
       else reject(new Error(`terraform output ${key} failed (exit ${code})`));
     });
   });
 }
 function runScript(scriptPath, args) {
-  return new Promise((resolve4) => {
+  return new Promise((resolve6) => {
     const proc = spawn3("bash", [scriptPath, ...args], {
       stdio: "inherit"
     });
-    proc.on("close", (code) => resolve4(code ?? 1));
+    proc.on("close", (code) => resolve6(code ?? 1));
   });
 }
 function registerBootstrapCommand(program2) {
@@ -1266,9 +1283,9 @@ async function ensureTerraform() {
 }
 async function ensurePrerequisites() {
   console.log(chalk5.dim("  Checking prerequisites...\n"));
-  const awsOk = await ensureAwsCli();
+  const awsOk2 = await ensureAwsCli();
   const tfOk = await ensureTerraform();
-  if (awsOk && tfOk) {
+  if (awsOk2 && tfOk) {
     console.log("");
     return true;
   }
@@ -1401,7 +1418,7 @@ function buildAuthorizeUrl(cognito, redirectUri, state) {
   return `${cognito.domainUrl}/oauth2/authorize?${params.toString()}`;
 }
 function waitForCallbackCode(opts) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve6, reject) => {
     const server = createServer((req, res) => handleRequest(req, res));
     let finished = false;
     const finish = (err, code) => {
@@ -1412,7 +1429,7 @@ function waitForCallbackCode(opts) {
       closer.closeAllConnections?.();
       server.close(() => {
         if (err) reject(err);
-        else resolve4(code);
+        else resolve6(code);
       });
     };
     const timer = setTimeout(() => {
@@ -1603,10 +1620,10 @@ function escapeHtml(s) {
 // src/commands/login.ts
 function ask(prompt) {
   const rl = createInterface2({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve4) => {
+  return new Promise((resolve6) => {
     rl.question(prompt, (answer) => {
       rl.close();
-      resolve4(answer.trim());
+      resolve6(answer.trim());
     });
   });
 }
@@ -1744,13 +1761,66 @@ function finalizeAws(profile, mode) {
       `  Override per-command with --profile <other>, or unset with \`rm ~/.thinkwork/config.json\`.`
     )
   );
-  console.log("");
-  console.log(
-    `  ${chalk7.bold("Next:")} run ${chalk7.cyan("thinkwork login --stage <stage>")} if you also need`
-  );
-  console.log(
-    `        an API session (required for ${chalk7.cyan("eval")}, ${chalk7.cyan("agent")}, ${chalk7.cyan("thread")}, etc.).`
+  return identity;
+}
+async function offerApiLoginChain(opts) {
+  const stages = listDeployedStages(opts.region);
+  const candidates = stages.filter(
+    (stage) => loadStageSession(stage) === null
   );
+  if (candidates.length === 0 || !isInteractive()) {
+    console.log("");
+    console.log(
+      `  ${chalk7.bold("Next:")} run ${chalk7.cyan("thinkwork login --stage <stage>")} if you also need`
+    );
+    console.log(
+      `        an API session (required for ${chalk7.cyan("eval")}, ${chalk7.cyan("agent")}, ${chalk7.cyan("thread")}, etc.).`
+    );
+    return;
+  }
+  console.log("");
+  let chosen;
+  if (candidates.length === 1) {
+    const stage = candidates[0];
+    const answer = await select2({
+      message: `Also sign in to the API for stage "${stage}"? (required for eval / agent / thread)`,
+      choices: [
+        { name: `Yes \u2014 sign in to ${stage}`, value: stage },
+        { name: "No \u2014 skip", value: null }
+      ]
+    });
+    chosen = answer ?? null;
+  } else {
+    const skip = "__skip__";
+    const answer = await select2({
+      message: "Also sign in to an API stage now?",
+      choices: [
+        ...candidates.map((stage) => ({
+          name: `Yes \u2014 ${stage}`,
+          value: stage
+        })),
+        new Separator(),
+        { name: "Skip", value: skip }
+      ]
+    });
+    chosen = answer === skip ? null : answer;
+  }
+  if (!chosen) {
+    console.log("");
+    console.log(
+      chalk7.dim(
+        `  Skipped. Run ${chalk7.cyan("thinkwork login --stage <stage>")} later for an API session.`
+      )
+    );
+    return;
+  }
+  console.log("");
+  await doCognitoLogin({
+    stage: chosen,
+    region: opts.region,
+    port: opts.port,
+    noBrowser: opts.noBrowser
+  });
 }
 async function bootstrapUserAndTenant(stage, region, idToken) {
   const baseUrl = getApiEndpoint(stage, region);
@@ -1879,7 +1949,7 @@ async function doApiKeyLogin(opts) {
 }
 function registerLoginCommand(program2) {
   program2.command("login").description(
-    "Sign in. Without --stage: configure AWS credentials (for deploy / destroy). With --stage <s>: sign in to that stack's Cognito / API and cache a session for API-backed commands."
+    "Sign in. Without --stage: configure AWS credentials AND offer to sign in to a deployed stack's API (the natural one-step UX). With --stage <s>: go straight to that stack's Cognito / API login and cache a session for API-backed commands."
   ).option(
     "--profile <name>",
     'AWS profile name to configure (used when entering new keys or SSO). Defaults to "thinkwork" only on the AWS-credentials branch; the Cognito branch leaves AWS_PROFILE alone.'
@@ -1950,33 +2020,41 @@ Registered callback URL:
           });
           return;
         }
-        const port = Number.parseInt(opts.port, 10);
-        if (!Number.isFinite(port) || port < 1 || port > 65535) {
+        const port2 = Number.parseInt(opts.port, 10);
+        if (!Number.isFinite(port2) || port2 < 1 || port2 > 65535) {
           printError(`Invalid --port value: "${opts.port}".`);
           process.exit(1);
         }
         await doCognitoLogin({
           stage: opts.stage,
           region: opts.region,
-          port,
+          port: port2,
           noBrowser: opts.browser === false
         });
         return;
       }
       const targetProfile = opts.profile ?? "thinkwork";
       printHeader("login", targetProfile);
-      const awsOk = await ensureAwsCli();
-      if (!awsOk) process.exit(1);
+      const awsOk2 = await ensureAwsCli();
+      if (!awsOk2) process.exit(1);
+      const port = Number.parseInt(opts.port, 10);
+      if (!Number.isFinite(port) || port < 1 || port > 65535) {
+        printError(`Invalid --port value: "${opts.port}".`);
+        process.exit(1);
+      }
+      const chainOpts = { port, noBrowser: opts.browser === false };
       if (opts.sso) {
         if (!runSsoLogin(targetProfile)) process.exit(1);
         process.env.AWS_PROFILE = targetProfile;
-        finalizeAws(targetProfile, "SSO");
+        const { region: region2 } = finalizeAws(targetProfile, "SSO");
+        await offerApiLoginChain({ region: region2, ...chainOpts });
         return;
       }
       if (opts.keys) {
         if (!await runKeyEntry(targetProfile)) process.exit(1);
         process.env.AWS_PROFILE = targetProfile;
-        finalizeAws(targetProfile, "access keys");
+        const { region: region2 } = finalizeAws(targetProfile, "access keys");
+        await offerApiLoginChain({ region: region2, ...chainOpts });
         return;
       }
       const profiles = listAwsProfiles();
@@ -1988,7 +2066,8 @@ Registered callback URL:
         );
         if (!await runKeyEntry(targetProfile)) process.exit(1);
         process.env.AWS_PROFILE = targetProfile;
-        finalizeAws(targetProfile, "access keys");
+        const { region: region2 } = finalizeAws(targetProfile, "access keys");
+        await offerApiLoginChain({ region: region2, ...chainOpts });
         return;
       }
       const choice = await pickProfile(profiles);
@@ -2000,13 +2079,15 @@ Registered callback URL:
       if (choice.kind === "keys") {
         if (!await runKeyEntry(targetProfile)) process.exit(1);
         process.env.AWS_PROFILE = targetProfile;
-        finalizeAws(targetProfile, "access keys");
+        const { region: region2 } = finalizeAws(targetProfile, "access keys");
+        await offerApiLoginChain({ region: region2, ...chainOpts });
         return;
       }
       if (choice.kind === "sso") {
         if (!runSsoLogin(targetProfile)) process.exit(1);
         process.env.AWS_PROFILE = targetProfile;
-        finalizeAws(targetProfile, "SSO");
+        const { region: region2 } = finalizeAws(targetProfile, "SSO");
+        await offerApiLoginChain({ region: region2, ...chainOpts });
         return;
       }
       const picked = choice.name;
@@ -2020,7 +2101,8 @@ Registered callback URL:
         process.exit(1);
       }
       process.env.AWS_PROFILE = picked;
-      finalizeAws(picked, "existing profile");
+      const { region } = finalizeAws(picked, "existing profile");
+      await offerApiLoginChain({ region, ...chainOpts });
     }
   );
 }
@@ -2102,10 +2184,10 @@ var __dirname = dirname3(fileURLToPath2(import.meta.url));
 function ask2(prompt, defaultVal = "") {
   const rl = createInterface3({ input: process.stdin, output: process.stdout });
   const suffix = defaultVal ? chalk8.dim(` [${defaultVal}]`) : "";
-  return new Promise((resolve4) => {
+  return new Promise((resolve6) => {
     rl.question(`  ${prompt}${suffix}: `, (answer) => {
       rl.close();
-      resolve4(answer.trim() || defaultVal);
+      resolve6(answer.trim() || defaultVal);
     });
   });
 }
@@ -3841,7 +3923,7 @@ function registerUpdateCommand(program2) {
 import { spawn as spawn5 } from "child_process";
 import { input as input2, select as select7 } from "@inquirer/prompts";
 function getTerraformOutput2(cwd, key) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve6, reject) => {
     const proc = spawn5("terraform", ["output", "-raw", key], {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
@@ -3851,7 +3933,7 @@ function getTerraformOutput2(cwd, key) {
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve4(stdout.trim());
+      if (code === 0) resolve6(stdout.trim());
       else
         reject(
           new Error(
@@ -3862,7 +3944,7 @@ function getTerraformOutput2(cwd, key) {
   });
 }
 function runAwsCognitoReset(userPoolId, username, region) {
-  return new Promise((resolve4) => {
+  return new Promise((resolve6) => {
     const args = [
       "cognito-idp",
       "admin-reset-user-password",
@@ -3879,7 +3961,7 @@ function runAwsCognitoReset(userPoolId, username, region) {
     let stderr = "";
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
-    proc.on("close", (code) => resolve4({ code: code ?? 1, stdout, stderr }));
+    proc.on("close", (code) => resolve6({ code: code ?? 1, stdout, stderr }));
   });
 }
 function requireTty2(label) {
@@ -4560,6 +4642,7 @@ var CliRoutineTenantBySlugDocument = { "kind": "Document", "definitions": [{ "ki
 var CliScheduledJobsDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliScheduledJobs" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "agentId" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "routineId" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "triggerType" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "enabled" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "Boolean" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "limit" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "Int" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "scheduledJobs" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "tenantId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "agentId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "agentId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "routineId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "routineId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "triggerType" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "triggerType" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "enabled" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "enabled" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "limit" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "limit" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "description" } }, { "kind": "Field", "name": { "kind": "Name", "value": "triggerType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "routineId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleExpression" } }, { "kind": "Field", "name": { "kind": "Name", "value": "timezone" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "lastRunAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "nextRunAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "createdAt" } }] } }] } }] };
 var CliScheduledJobDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliScheduledJob" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "scheduledJob" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "id" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "description" } }, { "kind": "Field", "name": { "kind": "Name", "value": "triggerType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "routineId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "prompt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleExpression" } }, { "kind": "Field", "name": { "kind": "Name", "value": "timezone" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "ebScheduleName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "lastRunAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "nextRunAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "createdAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "updatedAt" } }] } }] } }] };
 var CliCreateScheduledJobDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "mutation", "name": { "kind": "Name", "value": "CliCreateScheduledJob" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "input" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "CreateScheduledJobInput" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "createScheduledJob" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "input" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "input" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleExpression" } }, { "kind": "Field", "name": { "kind": "Name", "value": "timezone" } }] } }] } }] };
+var CliDeleteScheduledJobDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "mutation", "name": { "kind": "Name", "value": "CliDeleteScheduledJob" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "deleteScheduledJob" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "id" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "ok" } }] } }] } }] };
 var CliSchedJobTenantBySlugDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliSchedJobTenantBySlug" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "tenantBySlug" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "slug" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }] } }] } }] };
 var CliSkillCatalogDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliSkillCatalog" }, "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "skillCatalog" }, "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "skillId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "displayName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "description" } }, { "kind": "Field", "name": { "kind": "Name", "value": "category" } }, { "kind": "Field", "name": { "kind": "Name", "value": "icon" } }, { "kind": "Field", "name": { "kind": "Name", "value": "source" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }] } }] } }] };
 var CliSkillTenantBySlugDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliSkillTenantBySlug" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "tenantBySlug" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "slug" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }] } }] } }] };
@@ -4735,6 +4818,7 @@ var documents = {
   "\n  query CliScheduledJobs(\n    $tenantId: ID!\n    $agentId: ID\n    $routineId: ID\n    $triggerType: String\n    $enabled: Boolean\n    $limit: Int\n  ) {\n    scheduledJobs(\n      tenantId: $tenantId\n      agentId: $agentId\n      routineId: $routineId\n      triggerType: $triggerType\n      enabled: $enabled\n      limit: $limit\n    ) {\n      id\n      name\n      description\n      triggerType\n      agentId\n      routineId\n      scheduleType\n      scheduleExpression\n      timezone\n      enabled\n      lastRunAt\n      nextRunAt\n      createdAt\n    }\n  }\n": CliScheduledJobsDocument,
   "\n  query CliScheduledJob($id: ID!) {\n    scheduledJob(id: $id) {\n      id\n      name\n      description\n      triggerType\n      agentId\n      routineId\n      prompt\n      scheduleType\n      scheduleExpression\n      timezone\n      enabled\n      ebScheduleName\n      lastRunAt\n      nextRunAt\n      createdAt\n      updatedAt\n    }\n  }\n": CliScheduledJobDocument,
   "\n  mutation CliCreateScheduledJob($input: CreateScheduledJobInput!) {\n    createScheduledJob(input: $input) {\n      id\n      name\n      enabled\n      scheduleExpression\n      timezone\n    }\n  }\n": CliCreateScheduledJobDocument,
+  "\n  mutation CliDeleteScheduledJob($id: ID!) {\n    deleteScheduledJob(id: $id) {\n      id\n      ok\n    }\n  }\n": CliDeleteScheduledJobDocument,
   "\n  query CliSchedJobTenantBySlug($slug: String!) {\n    tenantBySlug(slug: $slug) {\n      id\n    }\n  }\n": CliSchedJobTenantBySlugDocument,
   "\n  query CliSkillCatalog {\n    skillCatalog {\n      id\n      skillId\n      displayName\n      description\n      category\n      icon\n      source\n      enabled\n    }\n  }\n": CliSkillCatalogDocument,
   "\n  query CliSkillTenantBySlug($slug: String!) {\n    tenantBySlug(slug: $slug) {\n      id\n    }\n  }\n": CliSkillTenantBySlugDocument,
@@ -9847,6 +9931,14 @@ var CreateScheduledJobDoc = graphql(`
     }
   }
 `);
+var DeleteScheduledJobDoc = graphql(`
+  mutation CliDeleteScheduledJob($id: ID!) {
+    deleteScheduledJob(id: $id) {
+      id
+      ok
+    }
+  }
+`);
 var SchedJobTenantBySlugDoc = graphql(`
   query CliSchedJobTenantBySlug($slug: String!) {
     tenantBySlug(slug: $slug) {
@@ -10007,6 +10099,39 @@ async function runSchedCreate(name, opts) {
     `Created scheduled job ${data.createScheduledJob.id} \u2014 ${data.createScheduledJob.name} (${data.createScheduledJob.scheduleExpression}, ${data.createScheduledJob.timezone}).`
   );
 }
+async function runSchedDelete(id, opts) {
+  const ctx = await resolveSchedContext(opts);
+  if (!opts.yes) {
+    if (!isInteractive()) {
+      printError(
+        "Refusing to delete without --yes in non-interactive mode (CI / piped stdin)."
+      );
+      process.exit(1);
+    }
+    requireTty("confirmation");
+    const answer = await promptOrExit(
+      () => input16({
+        message: `Delete scheduled job ${id}? Type "delete" to confirm:`
+      })
+    );
+    if (answer.trim() !== "delete") {
+      console.log("  Cancelled.");
+      return;
+    }
+  }
+  const data = await gqlMutate(ctx.client, DeleteScheduledJobDoc, { id });
+  if (isJsonMode()) {
+    printJson(data.deleteScheduledJob);
+    return;
+  }
+  if (data.deleteScheduledJob.ok) {
+    printSuccess(`Deleted scheduled job ${data.deleteScheduledJob.id}.`);
+  } else {
+    console.log(
+      `  Scheduled job ${id} was already deleted (no row matched).`
+    );
+  }
+}
 function notYetImplementedAtApi(verb) {
   printError(
     `\`scheduled-job ${verb}\` is not yet implemented at the GraphQL API.
@@ -10031,7 +10156,9 @@ Examples:
 `
   ).action(runSchedCreate);
   job.command("update <id>").description("Update a scheduled job. (API surface pending \u2014 currently a no-op.)").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--schedule <expr>").option("--timezone <tz>").option("--payload <json>").option("--enable").option("--disable").action(() => notYetImplementedAtApi("update"));
-  job.command("delete <id>").description("Delete a scheduled job. (API surface pending.)").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(() => notYetImplementedAtApi("delete"));
+  job.command("delete <id>").description(
+    "Delete a scheduled job. Deprovisions the EventBridge schedule first, then removes the row."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(runSchedDelete);
   job.command("run <id>").description("Trigger a scheduled job immediately. (API surface pending.)").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--wait", "Block until the run completes").action(() => notYetImplementedAtApi("run"));
 }
 
@@ -14328,6 +14455,895 @@ Examples:
   });
 }
 
+// src/commands/enterprise/bootstrap.ts
+import { resolve as resolve5 } from "path";
+
+// src/commands/enterprise/template.ts
+import {
+  existsSync as existsSync10,
+  mkdirSync as mkdirSync5,
+  readFileSync as readFileSync8,
+  readdirSync as readdirSync2,
+  statSync as statSync2,
+  writeFileSync as writeFileSync5
+} from "fs";
+import { dirname as dirname4, join as join7, relative as relative2, resolve as resolve4 } from "path";
+import { fileURLToPath as fileURLToPath3 } from "url";
+var __dirname2 = dirname4(fileURLToPath3(import.meta.url));
+var MANAGED_MARKER = "thinkwork-managed: enterprise-deploy-template";
+var CUSTOMER_SLUG_PATTERN = /^[a-z][a-z0-9-]{1,38}[a-z0-9]$/;
+function renderEnterpriseDeployRepoTemplate(options) {
+  const customerSlug = validateCustomerSlug(options.customerSlug);
+  const stages = validateStages(options.stages ?? ["dev", "prod"]);
+  const targetDir = resolve4(options.targetDir);
+  const templateRoot = findEnterpriseTemplateRoot();
+  const replacements = buildTemplateReplacements({
+    ...options,
+    customerSlug,
+    stages
+  });
+  const templateFiles = listTemplateFiles(templateRoot).filter(
+    (path2) => !relative2(templateRoot, path2).startsWith("terraform/stages/") && !/^terraform\/backend-[^.]+\.hcl$/.test(
+      relative2(templateRoot, path2).split("\\").join("/")
+    )
+  );
+  const written = [];
+  const preserved = [];
+  for (const templatePath of templateFiles) {
+    const relativePath = relative2(templateRoot, templatePath);
+    const outputPath = join7(targetDir, relativePath);
+    let content = applyTemplate(
+      readFileSync8(templatePath, "utf8"),
+      replacements
+    );
+    if (relativePath.split("\\").join("/") === "customer/deployment.json") {
+      content = renderCustomerDeploymentJson(content, customerSlug, stages);
+    }
+    writeManagedFile(outputPath, content, written, preserved);
+  }
+  const stageTemplateRoot = join7(templateRoot, "terraform", "stages");
+  const backendTemplatePath = join7(
+    templateRoot,
+    "terraform",
+    "backend-dev.hcl"
+  );
+  for (const stage of stages) {
+    const explicitTemplate = join7(stageTemplateRoot, `${stage}.tfvars`);
+    const fallbackTemplate = join7(stageTemplateRoot, "dev.tfvars");
+    const templatePath = existsSync10(explicitTemplate) ? explicitTemplate : fallbackTemplate;
+    const outputPath = join7(
+      targetDir,
+      "terraform",
+      "stages",
+      `${stage}.tfvars`
+    );
+    const content = applyTemplate(readFileSync8(templatePath, "utf8"), {
+      ...replacements,
+      STAGE: stage
+    });
+    writeManagedFile(outputPath, content, written, preserved);
+    const backendPath = join7(targetDir, "terraform", `backend-${stage}.hcl`);
+    const backendContent = applyTemplate(
+      readFileSync8(backendTemplatePath, "utf8"),
+      {
+        ...replacements,
+        STAGE: stage
+      }
+    );
+    writeManagedFile(backendPath, backendContent, written, preserved);
+  }
+  return { targetDir, written, preserved };
+}
+function validateCustomerSlug(slug) {
+  const normalized = slug.trim();
+  if (!CUSTOMER_SLUG_PATTERN.test(normalized)) {
+    throw new Error(
+      `Invalid customer slug "${slug}". Must be lowercase alphanumeric + hyphens, 3-40 characters, starting with a letter.`
+    );
+  }
+  return normalized;
+}
+function validateStages(stages) {
+  const normalized = [
+    ...new Set(stages.map((stage) => stage.trim()).filter(Boolean))
+  ];
+  if (normalized.length === 0) {
+    throw new Error("At least one deployment stage is required.");
+  }
+  for (const stage of normalized) {
+    const check = validateStage(stage);
+    if (!check.valid) {
+      throw new Error(check.error ?? `Invalid stage name "${stage}".`);
+    }
+  }
+  return normalized;
+}
+function findEnterpriseTemplateRoot() {
+  const candidates = [
+    resolve4(__dirname2, "templates/deploy-repo"),
+    resolve4(__dirname2, "commands/enterprise/templates/deploy-repo")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync10(join7(candidate, "thinkwork.lock"))) return candidate;
+  }
+  throw new Error(
+    "Enterprise deployment repo template not found. The CLI package may be incomplete."
+  );
+}
+function buildTemplateReplacements(options) {
+  const releaseVersion = options.releaseVersion ?? "v0.0.0";
+  const artifactBucket = options.artifactBucket ?? `${options.customerSlug}-thinkwork-release-artifacts`;
+  return {
+    ACCOUNT_ID: options.accountId ?? "123456789012",
+    ARTIFACT_BUCKET: artifactBucket,
+    CUSTOMER_SLUG: options.customerSlug,
+    LAMBDA_ARTIFACT_PREFIX: `releases/${releaseVersion}/lambdas`,
+    REGION: options.region ?? "us-east-1",
+    RELEASE_MANIFEST_SHA256: options.releaseManifestSha256 ?? "CHANGE_ME",
+    RELEASE_MANIFEST_URL: options.releaseManifestUrl ?? `https://github.com/thinkwork-ai/thinkwork/releases/download/${releaseVersion}/thinkwork-release.json`,
+    RELEASE_VERSION: releaseVersion,
+    TERRAFORM_MODULE_VERSION: options.terraformModuleVersion ?? releaseVersion.replace(/^v/, "")
+  };
+}
+function renderCustomerDeploymentJson(content, customerSlug, stages) {
+  const deployment = JSON.parse(content);
+  deployment.stages = Object.fromEntries(
+    stages.map((stage) => [
+      stage,
+      {
+        tenantSlug: stage === "prod" ? customerSlug : `${customerSlug}-${stage}`,
+        evalPacks: [],
+        seedPacks: [],
+        skillPacks: [],
+        workspaceDefaultPacks: [],
+        branding: null
+      }
+    ])
+  );
+  return `${JSON.stringify(deployment, null, 2)}
+`;
+}
+function listTemplateFiles(root) {
+  const out = [];
+  for (const entry of readdirSync2(root)) {
+    const path2 = join7(root, entry);
+    const stat = statSync2(path2);
+    if (stat.isDirectory()) {
+      out.push(...listTemplateFiles(path2));
+    } else if (stat.isFile()) {
+      out.push(path2);
+    }
+  }
+  return out.sort();
+}
+function applyTemplate(source, replacements) {
+  return source.replaceAll(/\{\{([A-Z0-9_]+)\}\}/g, (_match, key) => {
+    if (!(key in replacements)) {
+      throw new Error(`Unknown enterprise deployment template token: ${key}`);
+    }
+    return replacements[key];
+  });
+}
+function writeManagedFile(path2, content, written, preserved) {
+  mkdirSync5(dirname4(path2), { recursive: true });
+  if (existsSync10(path2)) {
+    const current = readFileSync8(path2, "utf8");
+    if (!current.includes(MANAGED_MARKER)) {
+      preserved.push(path2);
+      return;
+    }
+  }
+  writeFileSync5(path2, content);
+  written.push(path2);
+}
+
+// src/commands/enterprise/aws-bootstrap.ts
+import { execFileSync } from "child_process";
+import { mkdtempSync, writeFileSync as writeFileSync6 } from "fs";
+import { tmpdir } from "os";
+import { join as join8 } from "path";
+function buildEnterpriseAwsBootstrapPlan(config) {
+  const oidcProviderArn = `arn:aws:iam::${config.accountId}:oidc-provider/token.actions.githubusercontent.com`;
+  return {
+    stateBucket: config.stateBucket,
+    lockTable: config.lockTable,
+    artifactBucket: config.artifactBucket,
+    oidcProviderArn,
+    stageRoles: config.stages.map((stage) => {
+      const roleName = `thinkwork-${config.customerSlug}-${stage}-deploy`;
+      return {
+        stage,
+        roleName,
+        roleArn: `arn:aws:iam::${config.accountId}:role/${roleName}`,
+        trustPolicy: buildGitHubOidcTrustPolicy({
+          oidcProviderArn,
+          repository: config.repository,
+          stage
+        }),
+        deployPolicyName: `thinkwork-${config.customerSlug}-${stage}-deploy`,
+        deployPolicy: buildEnterpriseDeployRolePolicy({
+          accountId: config.accountId,
+          region: config.region,
+          stage,
+          stateBucket: config.stateBucket,
+          lockTable: config.lockTable,
+          artifactBucket: config.artifactBucket
+        })
+      };
+    })
+  };
+}
+function buildGitHubOidcTrustPolicy(options) {
+  return {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Principal: {
+          Federated: options.oidcProviderArn
+        },
+        Action: "sts:AssumeRoleWithWebIdentity",
+        Condition: {
+          StringEquals: {
+            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+            "token.actions.githubusercontent.com:sub": `repo:${options.repository}:environment:${options.stage}`
+          }
+        }
+      }
+    ]
+  };
+}
+function buildEnterpriseDeployRolePolicy(options) {
+  const thinkworkPrefix = `thinkwork-${options.stage}`;
+  return {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Sid: "TerraformStateAndReleaseBuckets",
+        Effect: "Allow",
+        Action: [
+          "s3:GetBucketLocation",
+          "s3:GetBucketVersioning",
+          "s3:GetEncryptionConfiguration",
+          "s3:ListBucket",
+          "s3:PutBucketVersioning",
+          "s3:PutEncryptionConfiguration",
+          "s3:PutLifecycleConfiguration",
+          "s3:PutPublicAccessBlock"
+        ],
+        Resource: [
+          `arn:aws:s3:::${options.stateBucket}`,
+          `arn:aws:s3:::${options.artifactBucket}`,
+          `arn:aws:s3:::${thinkworkPrefix}-*`
+        ]
+      },
+      {
+        Sid: "TerraformStateAndReleaseObjects",
+        Effect: "Allow",
+        Action: [
+          "s3:AbortMultipartUpload",
+          "s3:DeleteObject",
+          "s3:GetObject",
+          "s3:PutObject"
+        ],
+        Resource: [
+          `arn:aws:s3:::${options.stateBucket}/*`,
+          `arn:aws:s3:::${options.artifactBucket}/*`,
+          `arn:aws:s3:::${thinkworkPrefix}-*/*`
+        ]
+      },
+      {
+        Sid: "TerraformStateLocks",
+        Effect: "Allow",
+        Action: [
+          "dynamodb:CreateTable",
+          "dynamodb:DescribeTable",
+          "dynamodb:GetItem",
+          "dynamodb:PutItem",
+          "dynamodb:DeleteItem",
+          "dynamodb:UpdateItem"
+        ],
+        Resource: `arn:aws:dynamodb:${options.region}:${options.accountId}:table/${options.lockTable}`
+      },
+      {
+        Sid: "ThinkWorkNamedResources",
+        Effect: "Allow",
+        Action: [
+          "apigateway:*",
+          "appsync:*",
+          "bedrock:*",
+          "bedrock-agentcore:*",
+          "cloudfront:*",
+          "cognito-idp:*",
+          "dynamodb:*",
+          "ec2:*",
+          "ecr:*",
+          "ecs:*",
+          "elasticfilesystem:*",
+          "elasticloadbalancing:*",
+          "events:*",
+          "iam:*",
+          "lambda:*",
+          "logs:*",
+          "rds:*",
+          "scheduler:*",
+          "secretsmanager:*",
+          "ses:*",
+          "sqs:*",
+          "ssm:*",
+          "states:*",
+          "xray:*"
+        ],
+        Resource: "*"
+      }
+    ]
+  };
+}
+var AwsCliEnterpriseBootstrapClient = class {
+  async ensureStateBucket(bucket, region) {
+    return ensureBucket(bucket, region, "terraform state bucket");
+  }
+  async ensureLockTable(table, region) {
+    if (awsOk([
+      "dynamodb",
+      "describe-table",
+      "--table-name",
+      table,
+      "--region",
+      region
+    ])) {
+      return {
+        target: table,
+        status: "reused",
+        message: `DynamoDB lock table ${table} already exists.`
+      };
+    }
+    execFileSync("aws", [
+      "dynamodb",
+      "create-table",
+      "--table-name",
+      table,
+      "--attribute-definitions",
+      "AttributeName=LockID,AttributeType=S",
+      "--key-schema",
+      "AttributeName=LockID,KeyType=HASH",
+      "--billing-mode",
+      "PAY_PER_REQUEST",
+      "--region",
+      region
+    ]);
+    return {
+      target: table,
+      status: "created",
+      message: `Created DynamoDB lock table ${table}.`
+    };
+  }
+  async ensureArtifactBucket(bucket, region) {
+    return ensureBucket(bucket, region, "release artifact bucket");
+  }
+  async ensureOidcProvider(accountId) {
+    const arn = `arn:aws:iam::${accountId}:oidc-provider/token.actions.githubusercontent.com`;
+    if (awsOk([
+      "iam",
+      "get-open-id-connect-provider",
+      "--open-id-connect-provider-arn",
+      arn
+    ])) {
+      return {
+        target: arn,
+        status: "reused",
+        message: "GitHub Actions OIDC provider already exists."
+      };
+    }
+    execFileSync("aws", [
+      "iam",
+      "create-open-id-connect-provider",
+      "--url",
+      "https://token.actions.githubusercontent.com",
+      "--client-id-list",
+      "sts.amazonaws.com",
+      "--thumbprint-list",
+      "6938fd4d98bab03faadb97b34396831e3780aea1"
+    ]);
+    return {
+      target: arn,
+      status: "created",
+      message: "Created GitHub Actions OIDC provider."
+    };
+  }
+  async ensureDeployRole(role) {
+    if (awsOk(["iam", "get-role", "--role-name", role.roleName])) {
+      putRolePolicy(role);
+      return {
+        target: role.roleArn,
+        status: "updated",
+        message: `Deploy role ${role.roleName} already exists; updated inline deploy policy ${role.deployPolicyName}.`
+      };
+    }
+    const dir = mkdtempSync(join8(tmpdir(), "thinkwork-enterprise-role-"));
+    const trustPath = join8(dir, "trust.json");
+    writeFileSync6(trustPath, JSON.stringify(role.trustPolicy));
+    execFileSync("aws", [
+      "iam",
+      "create-role",
+      "--role-name",
+      role.roleName,
+      "--assume-role-policy-document",
+      `file://${trustPath}`
+    ]);
+    putRolePolicy(role);
+    return {
+      target: role.roleArn,
+      status: "created",
+      message: `Created deploy role ${role.roleName} and attached inline deploy policy ${role.deployPolicyName}.`
+    };
+  }
+};
+function putRolePolicy(role) {
+  const dir = mkdtempSync(join8(tmpdir(), "thinkwork-enterprise-policy-"));
+  const policyPath = join8(dir, "policy.json");
+  writeFileSync6(policyPath, JSON.stringify(role.deployPolicy));
+  execFileSync("aws", [
+    "iam",
+    "put-role-policy",
+    "--role-name",
+    role.roleName,
+    "--policy-name",
+    role.deployPolicyName,
+    "--policy-document",
+    `file://${policyPath}`
+  ]);
+}
+function ensureBucket(bucket, region, label) {
+  if (awsOk(["s3api", "head-bucket", "--bucket", bucket])) {
+    return {
+      target: bucket,
+      status: "reused",
+      message: `${label} ${bucket} already exists.`
+    };
+  }
+  const args = region === "us-east-1" ? ["s3api", "create-bucket", "--bucket", bucket, "--region", region] : [
+    "s3api",
+    "create-bucket",
+    "--bucket",
+    bucket,
+    "--region",
+    region,
+    "--create-bucket-configuration",
+    `LocationConstraint=${region}`
+  ];
+  execFileSync("aws", args);
+  execFileSync("aws", [
+    "s3api",
+    "put-public-access-block",
+    "--bucket",
+    bucket,
+    "--public-access-block-configuration",
+    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+  ]);
+  return {
+    target: bucket,
+    status: "created",
+    message: `Created ${label} ${bucket}.`
+  };
+}
+function awsOk(args) {
+  try {
+    execFileSync("aws", args, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/commands/enterprise/github.ts
+import { execFileSync as execFileSync2 } from "child_process";
+function parseGitHubRepository(input20) {
+  const trimmed = input20.trim();
+  const match = /^([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/.exec(trimmed);
+  if (!match) {
+    throw new Error(
+      `Invalid GitHub repository "${input20}". Use owner/name, for example acme/thinkwork-deploy.`
+    );
+  }
+  return {
+    owner: match[1],
+    name: match[2],
+    fullName: `${match[1]}/${match[2]}`
+  };
+}
+function buildEnterpriseGitHubBootstrapPlan(options) {
+  const repository = parseGitHubRepository(options.repository);
+  return {
+    repository,
+    dispatchWorkflow: options.dispatchWorkflow ?? false,
+    environments: options.stages.map((stage) => {
+      const role = options.stageRoles.find((item) => item.stage === stage);
+      if (!role) {
+        throw new Error(`Missing deploy role for stage "${stage}".`);
+      }
+      return {
+        stage,
+        roleArn: role.roleArn,
+        vars: {
+          AWS_REGION: options.region,
+          AWS_ROLE_ARN: role.roleArn,
+          THINKWORK_ARTIFACT_BUCKET: options.artifactBucket
+        },
+        secretPlaceholders: ["TF_VAR_DB_PASSWORD", "TF_VAR_API_AUTH_SECRET"]
+      };
+    })
+  };
+}
+var GhCliEnterpriseBootstrapClient = class {
+  constructor(repository) {
+    this.repository = repository;
+  }
+  repository;
+  async ensureEnvironment(environment) {
+    gh([
+      "api",
+      "--method",
+      "PUT",
+      `repos/${this.repository.fullName}/environments/${environment.stage}`,
+      "--field",
+      "wait_timer=0"
+    ]);
+    return {
+      target: `${this.repository.fullName}:${environment.stage}`,
+      status: "updated",
+      message: `Ensured GitHub Environment ${environment.stage}.`
+    };
+  }
+  async upsertEnvironmentVariables(environment) {
+    for (const [name, value] of Object.entries(environment.vars)) {
+      gh([
+        "variable",
+        "set",
+        name,
+        "--repo",
+        this.repository.fullName,
+        "--env",
+        environment.stage,
+        "--body",
+        value
+      ]);
+    }
+    return {
+      target: `${this.repository.fullName}:${environment.stage}:vars`,
+      status: "updated",
+      message: `Updated non-secret GitHub Environment variables for ${environment.stage}.`
+    };
+  }
+  async writeRepositoryFiles(targetDir) {
+    return {
+      target: targetDir,
+      status: "updated",
+      message: "Repository files were written locally. Commit/push this directory or run from a checked-out deployment repo."
+    };
+  }
+  async dispatchWorkflow(stage) {
+    gh([
+      "workflow",
+      "run",
+      "deploy.yml",
+      "--repo",
+      this.repository.fullName,
+      "--field",
+      `stage=${stage}`
+    ]);
+    return {
+      target: `${this.repository.fullName}:deploy.yml:${stage}`,
+      status: "created",
+      message: `Dispatched deploy workflow for ${stage}.`
+    };
+  }
+};
+function gh(args) {
+  return execFileSync2("gh", args, { encoding: "utf8" });
+}
+
+// src/commands/enterprise/release.ts
+function resolveEnterpriseReleasePin(options) {
+  const version = options.releaseVersion ?? `v${VERSION}`;
+  return {
+    version,
+    manifestUrl: options.manifestUrl ?? `https://github.com/thinkwork-ai/thinkwork/releases/download/${version}/thinkwork-release.json`,
+    manifestSha256: options.manifestSha256 ?? "CHANGE_ME",
+    terraformModuleVersion: options.terraformModuleVersion ?? version.replace(/^v/, "")
+  };
+}
+
+// src/commands/enterprise/bootstrap.ts
+function buildEnterpriseBootstrapPlan(options, identity) {
+  const customerSlug = validateCustomerSlug(options.customerSlug);
+  const repository = parseGitHubRepository(options.repository).fullName;
+  const stages = validateStages(options.stages ?? ["dev", "prod"]);
+  const accountId = options.accountId ?? identity?.account;
+  const region = options.region ?? identity?.region;
+  if (!accountId) {
+    throw new Error(
+      "AWS account ID is required. Configure AWS credentials or pass --account-id."
+    );
+  }
+  if (!region || region === "unknown") {
+    throw new Error(
+      "AWS region is required. Configure AWS_REGION or pass --region."
+    );
+  }
+  const release = resolveEnterpriseReleasePin({
+    releaseVersion: options.releaseVersion,
+    manifestUrl: options.manifestUrl,
+    manifestSha256: options.manifestSha256,
+    terraformModuleVersion: options.terraformModuleVersion
+  });
+  const artifactBucket = options.artifactBucket ?? `${customerSlug}-thinkwork-release-artifacts`;
+  const stateBucket = options.stateBucket ?? `${customerSlug}-thinkwork-terraform-state`;
+  const lockTable = options.lockTable ?? `${customerSlug}-thinkwork-terraform-locks`;
+  const aws = buildEnterpriseAwsBootstrapPlan({
+    accountId,
+    region,
+    repository,
+    stages,
+    customerSlug,
+    stateBucket,
+    lockTable,
+    artifactBucket
+  });
+  const github = buildEnterpriseGitHubBootstrapPlan({
+    repository,
+    stages,
+    region,
+    artifactBucket,
+    stageRoles: aws.stageRoles,
+    dispatchWorkflow: options.dispatchWorkflow
+  });
+  return {
+    customerSlug,
+    targetDir: resolve5(options.targetDir),
+    repository,
+    stages,
+    accountId,
+    region,
+    release,
+    aws,
+    github
+  };
+}
+async function runEnterpriseBootstrap(options, deps = {}) {
+  const identity = deps.identity === void 0 ? getAwsIdentity() : deps.identity;
+  if (!options.dryRun && !identity && (!options.accountId || !options.region)) {
+    throw new Error(
+      "AWS identity is required before mutating AWS or GitHub resources."
+    );
+  }
+  const plan = buildEnterpriseBootstrapPlan(options, identity);
+  const template = renderEnterpriseDeployRepoTemplate({
+    targetDir: plan.targetDir,
+    customerSlug: plan.customerSlug,
+    stages: plan.stages,
+    region: plan.region,
+    accountId: plan.accountId,
+    releaseVersion: plan.release.version,
+    releaseManifestUrl: plan.release.manifestUrl,
+    releaseManifestSha256: plan.release.manifestSha256,
+    terraformModuleVersion: plan.release.terraformModuleVersion,
+    artifactBucket: plan.aws.artifactBucket
+  });
+  const awsClient = deps.awsClient ?? new AwsCliEnterpriseBootstrapClient();
+  const githubClient = deps.githubClient ?? new GhCliEnterpriseBootstrapClient(parseGitHubRepository(plan.repository));
+  const awsResults = [];
+  const githubResults = [];
+  if (options.dryRun) {
+    awsResults.push(
+      planned(plan.aws.stateBucket, "Would ensure Terraform state bucket."),
+      planned(plan.aws.lockTable, "Would ensure Terraform lock table."),
+      planned(plan.aws.artifactBucket, "Would ensure release artifact bucket."),
+      planned(
+        plan.aws.oidcProviderArn,
+        "Would ensure GitHub Actions OIDC provider."
+      ),
+      ...plan.aws.stageRoles.map(
+        (role) => planned(role.roleArn, `Would ensure deploy role for ${role.stage}.`)
+      )
+    );
+    githubResults.push(
+      planned(plan.targetDir, "Would write deployment repository files."),
+      ...plan.github.environments.flatMap((environment) => [
+        planned(
+          `${plan.repository}:${environment.stage}`,
+          `Would ensure GitHub Environment ${environment.stage}.`
+        ),
+        planned(
+          `${plan.repository}:${environment.stage}:vars`,
+          `Would upsert non-secret GitHub variables for ${environment.stage}.`
+        ),
+        planned(
+          `${plan.repository}:${environment.stage}:secrets`,
+          `Would require GitHub Environment secrets for ${environment.stage}: ${environment.secretPlaceholders.join(", ")}.`
+        ),
+        ...plan.github.dispatchWorkflow ? [
+          planned(
+            `${plan.repository}:deploy.yml:${environment.stage}`,
+            `Would dispatch deploy workflow for ${environment.stage}.`
+          )
+        ] : []
+      ])
+    );
+  } else {
+    awsResults.push(
+      await awsClient.ensureStateBucket(plan.aws.stateBucket, plan.region),
+      await awsClient.ensureLockTable(plan.aws.lockTable, plan.region),
+      await awsClient.ensureArtifactBucket(
+        plan.aws.artifactBucket,
+        plan.region
+      ),
+      await awsClient.ensureOidcProvider(plan.accountId)
+    );
+    for (const role of plan.aws.stageRoles) {
+      awsResults.push(await awsClient.ensureDeployRole(role));
+    }
+    githubResults.push(await githubClient.writeRepositoryFiles(plan.targetDir));
+    for (const environment of plan.github.environments) {
+      githubResults.push(
+        await githubClient.ensureEnvironment(environment),
+        await githubClient.upsertEnvironmentVariables(environment),
+        secretPlaceholderResult(plan.repository, environment)
+      );
+      if (plan.github.dispatchWorkflow) {
+        githubResults.push(
+          await githubClient.dispatchWorkflow(environment.stage)
+        );
+      }
+    }
+  }
+  const metadata = options.dryRun ? planned(
+    plan.customerSlug,
+    "Would record local enterprise deployment metadata without secrets."
+  ) : recordDeploymentMetadata(plan, deps.saveDeployment);
+  return {
+    plan,
+    template,
+    aws: awsResults,
+    github: githubResults,
+    metadata
+  };
+}
+function registerEnterpriseBootstrapCommand(program2) {
+  program2.command("bootstrap [targetDir]").description(
+    "Bootstrap a customer-owned ThinkWork deployment repository and CI trust bridge."
+  ).option("--customer <slug>", "Customer slug, e.g. acme").option("--repo <owner/name>", "Customer GitHub deployment repository").option("--stage <stage...>", "Deployment stage(s)", ["dev", "prod"]).option("--region <region>", "AWS region").option("--account-id <id>", "AWS account ID").option("--release-version <version>", "Pinned ThinkWork release version").option("--manifest-url <url>", "Pinned ThinkWork release manifest URL").option(
+    "--manifest-sha256 <sha256>",
+    "Pinned ThinkWork release manifest SHA-256"
+  ).option(
+    "--terraform-module-version <version>",
+    "Pinned Terraform Registry module version"
+  ).option(
+    "--artifact-bucket <bucket>",
+    "Customer-owned release artifact bucket"
+  ).option("--state-bucket <bucket>", "Terraform state bucket").option("--lock-table <table>", "Terraform state lock table").option("--dispatch", "Dispatch deploy workflow after bootstrap").option(
+    "--dry-run",
+    "Render files and print the plan without mutating AWS/GitHub"
+  ).option("-y, --yes", "Skip confirmation for mutating bootstrap").action(
+    async (targetDir, opts) => {
+      try {
+        const customerSlug = await resolveCustomerSlug(opts.customer);
+        const repository = await resolveRepository(opts.repo);
+        const identity = getAwsIdentity();
+        printHeader("enterprise bootstrap", customerSlug, identity);
+        if (!opts.dryRun && !opts.yes) {
+          const prodStages = (opts.stage ?? ["dev", "prod"]).filter(
+            isProdLike
+          );
+          const message = prodStages.length > 0 ? `  Bootstrap deployment authority for ${repository} including production-like stage(s): ${prodStages.join(", ")}?` : `  Bootstrap deployment authority for ${repository}?`;
+          if (!await confirm(message)) {
+            console.log("  Aborted.");
+            return;
+          }
+        }
+        const result = await runEnterpriseBootstrap(
+          {
+            targetDir: targetDir ?? ".",
+            customerSlug,
+            repository,
+            stages: opts.stage,
+            region: opts.region,
+            accountId: opts.accountId,
+            releaseVersion: opts.releaseVersion,
+            manifestUrl: opts.manifestUrl,
+            manifestSha256: opts.manifestSha256,
+            terraformModuleVersion: opts.terraformModuleVersion,
+            artifactBucket: opts.artifactBucket,
+            stateBucket: opts.stateBucket,
+            lockTable: opts.lockTable,
+            dispatchWorkflow: opts.dispatch,
+            dryRun: opts.dryRun
+          },
+          { identity }
+        );
+        printBootstrapSummary(result);
+        printSuccess(
+          opts.dryRun ? "Enterprise bootstrap dry-run complete" : "Enterprise bootstrap complete"
+        );
+      } catch (err) {
+        printError(err.message);
+        process.exit(1);
+      }
+    }
+  );
+}
+function planned(target, message) {
+  return { target, status: "planned", message };
+}
+function secretPlaceholderResult(repository, environment) {
+  return {
+    target: `${repository}:${environment.stage}:secrets`,
+    status: "planned",
+    message: `Set GitHub Environment secrets for ${environment.stage}: ${environment.secretPlaceholders.join(", ")}.`
+  };
+}
+function recordDeploymentMetadata(plan, saveDeployment = saveEnterpriseDeployment) {
+  saveDeployment({
+    customerSlug: plan.customerSlug,
+    repository: plan.repository,
+    targetDir: plan.targetDir,
+    accountId: plan.accountId,
+    region: plan.region,
+    stages: plan.stages,
+    artifactBucket: plan.aws.artifactBucket,
+    stateBucket: plan.aws.stateBucket,
+    lockTable: plan.aws.lockTable,
+    releaseVersion: plan.release.version,
+    releaseManifestUrl: plan.release.manifestUrl,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  return {
+    target: plan.customerSlug,
+    status: "updated",
+    message: "Recorded local enterprise deployment metadata without secrets."
+  };
+}
+async function resolveCustomerSlug(flag) {
+  if (flag) return flag;
+  if (!process.stdin.isTTY) {
+    throw new Error("Customer slug is required. Pass --customer <slug>.");
+  }
+  const { input: input20 } = await import("@inquirer/prompts");
+  return input20({ message: "Customer slug:" });
+}
+async function resolveRepository(flag) {
+  if (flag) return flag;
+  if (!process.stdin.isTTY) {
+    throw new Error("GitHub repository is required. Pass --repo <owner/name>.");
+  }
+  const { input: input20 } = await import("@inquirer/prompts");
+  return input20({ message: "GitHub deployment repo (owner/name):" });
+}
+function printBootstrapSummary(result) {
+  console.log("");
+  console.log("  AWS");
+  for (const step of result.aws) {
+    console.log(`  - ${step.status}: ${step.message}`);
+  }
+  console.log("  GitHub");
+  for (const step of result.github) {
+    console.log(`  - ${step.status}: ${step.message}`);
+  }
+  if (result.template.preserved.length > 0) {
+    printWarning(
+      `Preserved ${result.template.preserved.length} customer-owned file(s) without the ThinkWork managed marker.`
+    );
+  }
+}
+
+// src/commands/enterprise.ts
+function registerEnterpriseCommand(program2) {
+  const enterprise = program2.command("enterprise").description(
+    "Bootstrap and operate customer-owned ThinkWork enterprise deployment repositories."
+  );
+  registerEnterpriseBootstrapCommand(enterprise);
+}
+
 // src/cli.ts
 var program = new Command();
 program.name("thinkwork").description(
@@ -14393,6 +15409,7 @@ registerPerformanceCommand(program);
 registerTraceCommand(program);
 registerDashboardCommand(program);
 registerEvalCommand(program);
+registerEnterpriseCommand(program);
 registerWikiCommand(program);
 for (const cmd of program.commands) {
   if (!cmd.options.some((o) => o.long === "--json")) {