thinkwork-cli 0.12.2 → 0.12.4

package/dist/cli.js

@@ -201,7 +201,7 @@ async function ensureWorkspace(cwd, stage) {
   }
 }
 function runTerraformRaw(cwd, args) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve7, reject) => {
     const proc = spawn("terraform", args, {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
@@ -211,13 +211,13 @@ function runTerraformRaw(cwd, args) {
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve4(stdout);
+      if (code === 0) resolve7(stdout);
       else reject(new Error(`terraform ${args.join(" ")} failed (exit ${code}): ${stderr}`));
     });
   });
 }
 function runTerraform(cwd, args) {
-  return new Promise((resolve4) => {
+  return new Promise((resolve7) => {
     console.log(`
   \u2192 terraform ${args.join(" ")}
 `);
@@ -225,7 +225,7 @@ function runTerraform(cwd, args) {
       cwd,
       stdio: "inherit"
     });
-    proc.on("close", (code) => resolve4(code ?? 1));
+    proc.on("close", (code) => resolve7(code ?? 1));
   });
 }
 async function ensureInit(cwd) {
@@ -469,10 +469,10 @@ async function confirm(message) {
     input: process.stdin,
     output: process.stdout
   });
-  return new Promise((resolve4) => {
+  return new Promise((resolve7) => {
     rl.question(`${message} [y/N] `, (answer) => {
       rl.close();
-      resolve4(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+      resolve7(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
     });
   });
 }
@@ -553,7 +553,7 @@ async function runPostDeployProbe(stage) {
     );
     return;
   }
-  await new Promise((resolve4) => {
+  await new Promise((resolve7) => {
     const proc = spawn2("bash", [scriptPath, "--stage", stage], {
       stdio: "inherit",
       env: process.env
@@ -564,11 +564,11 @@ async function runPostDeployProbe(stage) {
           `post-deploy probe exited ${code} \u2014 deploy not rolled back`
         );
       }
-      resolve4();
+      resolve7();
     });
     proc.on("error", (err) => {
       printWarning(`post-deploy probe spawn failed: ${err.message}`);
-      resolve4();
+      resolve7();
     });
   });
 }
@@ -782,11 +782,21 @@ import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsS
 import chalk4 from "chalk";
 
 // src/environments.ts
-import { existsSync as existsSync4, mkdirSync as mkdirSync2, writeFileSync as writeFileSync2, readFileSync as readFileSync2, readdirSync } from "fs";
+import {
+  existsSync as existsSync4,
+  mkdirSync as mkdirSync2,
+  writeFileSync as writeFileSync2,
+  readFileSync as readFileSync2,
+  readdirSync
+} from "fs";
 import { join as join2 } from "path";
 import { homedir as homedir2 } from "os";
 var THINKWORK_HOME = join2(homedir2(), ".thinkwork");
 var ENVIRONMENTS_DIR = join2(THINKWORK_HOME, "environments");
+var ENTERPRISE_DEPLOYMENTS_DIR = join2(
+  THINKWORK_HOME,
+  "enterprise-deployments"
+);
 function ensureDir(dir) {
   if (!existsSync4(dir)) mkdirSync2(dir, { recursive: true });
 }
@@ -799,6 +809,13 @@ function saveEnvironment(config) {
     JSON.stringify(config, null, 2) + "\n"
   );
 }
+function saveEnterpriseDeployment(config) {
+  ensureDir(ENTERPRISE_DEPLOYMENTS_DIR);
+  writeFileSync2(
+    join2(ENTERPRISE_DEPLOYMENTS_DIR, `${config.customerSlug}.json`),
+    JSON.stringify(config, null, 2) + "\n"
+  );
+}
 function loadEnvironment(stage) {
   const configPath = join2(ENVIRONMENTS_DIR, stage, "config.json");
   if (!existsSync4(configPath)) return null;
@@ -1008,7 +1025,7 @@ function registerConfigCommand(program2) {
 import { spawn as spawn3 } from "child_process";
 import { resolve } from "path";
 function getTerraformOutput(cwd, key) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve7, reject) => {
     const proc = spawn3("terraform", ["output", "-raw", key], {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
@@ -1016,17 +1033,17 @@ function getTerraformOutput(cwd, key) {
     let stdout = "";
     proc.stdout.on("data", (d) => stdout += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve4(stdout.trim());
+      if (code === 0) resolve7(stdout.trim());
       else reject(new Error(`terraform output ${key} failed (exit ${code})`));
     });
   });
 }
 function runScript(scriptPath, args) {
-  return new Promise((resolve4) => {
+  return new Promise((resolve7) => {
     const proc = spawn3("bash", [scriptPath, ...args], {
       stdio: "inherit"
     });
-    proc.on("close", (code) => resolve4(code ?? 1));
+    proc.on("close", (code) => resolve7(code ?? 1));
   });
 }
 function registerBootstrapCommand(program2) {
@@ -1266,9 +1283,9 @@ async function ensureTerraform() {
 }
 async function ensurePrerequisites() {
   console.log(chalk5.dim("  Checking prerequisites...\n"));
-  const awsOk = await ensureAwsCli();
+  const awsOk2 = await ensureAwsCli();
   const tfOk = await ensureTerraform();
-  if (awsOk && tfOk) {
+  if (awsOk2 && tfOk) {
     console.log("");
     return true;
   }
@@ -1401,7 +1418,7 @@ function buildAuthorizeUrl(cognito, redirectUri, state) {
   return `${cognito.domainUrl}/oauth2/authorize?${params.toString()}`;
 }
 function waitForCallbackCode(opts) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve7, reject) => {
     const server = createServer((req, res) => handleRequest(req, res));
     let finished = false;
     const finish = (err, code) => {
@@ -1412,7 +1429,7 @@ function waitForCallbackCode(opts) {
       closer.closeAllConnections?.();
       server.close(() => {
         if (err) reject(err);
-        else resolve4(code);
+        else resolve7(code);
       });
     };
     const timer = setTimeout(() => {
@@ -1603,10 +1620,10 @@ function escapeHtml(s) {
 // src/commands/login.ts
 function ask(prompt) {
   const rl = createInterface2({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve4) => {
+  return new Promise((resolve7) => {
     rl.question(prompt, (answer) => {
       rl.close();
-      resolve4(answer.trim());
+      resolve7(answer.trim());
     });
   });
 }
@@ -2018,8 +2035,8 @@ Registered callback URL:
       }
       const targetProfile = opts.profile ?? "thinkwork";
       printHeader("login", targetProfile);
-      const awsOk = await ensureAwsCli();
-      if (!awsOk) process.exit(1);
+      const awsOk2 = await ensureAwsCli();
+      if (!awsOk2) process.exit(1);
       const port = Number.parseInt(opts.port, 10);
       if (!Number.isFinite(port) || port < 1 || port > 65535) {
         printError(`Invalid --port value: "${opts.port}".`);
@@ -2167,10 +2184,10 @@ var __dirname = dirname3(fileURLToPath2(import.meta.url));
 function ask2(prompt, defaultVal = "") {
   const rl = createInterface3({ input: process.stdin, output: process.stdout });
   const suffix = defaultVal ? chalk8.dim(` [${defaultVal}]`) : "";
-  return new Promise((resolve4) => {
+  return new Promise((resolve7) => {
     rl.question(`  ${prompt}${suffix}: `, (answer) => {
       rl.close();
-      resolve4(answer.trim() || defaultVal);
+      resolve7(answer.trim() || defaultVal);
     });
   });
 }
@@ -3906,7 +3923,7 @@ function registerUpdateCommand(program2) {
 import { spawn as spawn5 } from "child_process";
 import { input as input2, select as select7 } from "@inquirer/prompts";
 function getTerraformOutput2(cwd, key) {
-  return new Promise((resolve4, reject) => {
+  return new Promise((resolve7, reject) => {
     const proc = spawn5("terraform", ["output", "-raw", key], {
       cwd,
       stdio: ["pipe", "pipe", "pipe"]
@@ -3916,7 +3933,7 @@ function getTerraformOutput2(cwd, key) {
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
     proc.on("close", (code) => {
-      if (code === 0) resolve4(stdout.trim());
+      if (code === 0) resolve7(stdout.trim());
       else
         reject(
           new Error(
@@ -3927,7 +3944,7 @@ function getTerraformOutput2(cwd, key) {
   });
 }
 function runAwsCognitoReset(userPoolId, username, region) {
-  return new Promise((resolve4) => {
+  return new Promise((resolve7) => {
     const args = [
       "cognito-idp",
       "admin-reset-user-password",
@@ -3944,7 +3961,7 @@ function runAwsCognitoReset(userPoolId, username, region) {
     let stderr = "";
     proc.stdout.on("data", (d) => stdout += d);
     proc.stderr.on("data", (d) => stderr += d);
-    proc.on("close", (code) => resolve4({ code: code ?? 1, stdout, stderr }));
+    proc.on("close", (code) => resolve7({ code: code ?? 1, stdout, stderr }));
   });
 }
 function requireTty2(label) {
@@ -4625,6 +4642,7 @@ var CliRoutineTenantBySlugDocument = { "kind": "Document", "definitions": [{ "ki
 var CliScheduledJobsDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliScheduledJobs" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "agentId" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "routineId" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "triggerType" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "enabled" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "Boolean" } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "limit" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "Int" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "scheduledJobs" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "tenantId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "agentId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "agentId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "routineId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "routineId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "triggerType" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "triggerType" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "enabled" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "enabled" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "limit" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "limit" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "description" } }, { "kind": "Field", "name": { "kind": "Name", "value": "triggerType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "routineId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleExpression" } }, { "kind": "Field", "name": { "kind": "Name", "value": "timezone" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "lastRunAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "nextRunAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "createdAt" } }] } }] } }] };
 var CliScheduledJobDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliScheduledJob" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "scheduledJob" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "id" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "description" } }, { "kind": "Field", "name": { "kind": "Name", "value": "triggerType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "agentId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "routineId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "prompt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleExpression" } }, { "kind": "Field", "name": { "kind": "Name", "value": "timezone" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "ebScheduleName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "lastRunAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "nextRunAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "createdAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "updatedAt" } }] } }] } }] };
 var CliCreateScheduledJobDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "mutation", "name": { "kind": "Name", "value": "CliCreateScheduledJob" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "input" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "CreateScheduledJobInput" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "createScheduledJob" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "input" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "input" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "scheduleExpression" } }, { "kind": "Field", "name": { "kind": "Name", "value": "timezone" } }] } }] } }] };
+var CliDeleteScheduledJobDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "mutation", "name": { "kind": "Name", "value": "CliDeleteScheduledJob" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "deleteScheduledJob" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "id" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "ok" } }] } }] } }] };
 var CliSchedJobTenantBySlugDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliSchedJobTenantBySlug" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "tenantBySlug" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "slug" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }] } }] } }] };
 var CliSkillCatalogDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliSkillCatalog" }, "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "skillCatalog" }, "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "skillId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "displayName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "description" } }, { "kind": "Field", "name": { "kind": "Name", "value": "category" } }, { "kind": "Field", "name": { "kind": "Name", "value": "icon" } }, { "kind": "Field", "name": { "kind": "Name", "value": "source" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }] } }] } }] };
 var CliSkillTenantBySlugDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliSkillTenantBySlug" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "tenantBySlug" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "slug" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }] } }] } }] };
@@ -4683,6 +4701,7 @@ var CliCreateWebhookDocument = { "kind": "Document", "definitions": [{ "kind": "
 var CliUpdateWebhookDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "mutation", "name": { "kind": "Name", "value": "CliUpdateWebhook" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "input" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "UpdateWebhookInput" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "updateWebhook" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "id" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "input" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "input" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "targetType" } }, { "kind": "Field", "name": { "kind": "Name", "value": "enabled" } }, { "kind": "Field", "name": { "kind": "Name", "value": "rateLimit" } }] } }] } }] };
 var CliDeleteWebhookDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "mutation", "name": { "kind": "Name", "value": "CliDeleteWebhook" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "deleteWebhook" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "id" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } } }] }] } }] };
 var CliRegenerateWebhookTokenDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "mutation", "name": { "kind": "Name", "value": "CliRegenerateWebhookToken" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "regenerateWebhookToken" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "id" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "id" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "token" } }] } }] } }] };
+var CliWebhookDeliveriesDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliWebhookDeliveries" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "webhookId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }, { "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "limit" } }, "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "Int" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "webhookDeliveries" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "webhookId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "webhookId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "limit" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "limit" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "providerName" } }, { "kind": "Field", "name": { "kind": "Name", "value": "providerEventId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "normalizedKind" } }, { "kind": "Field", "name": { "kind": "Name", "value": "receivedAt" } }, { "kind": "Field", "name": { "kind": "Name", "value": "signatureStatus" } }, { "kind": "Field", "name": { "kind": "Name", "value": "resolutionStatus" } }, { "kind": "Field", "name": { "kind": "Name", "value": "statusCode" } }, { "kind": "Field", "name": { "kind": "Name", "value": "durationMs" } }, { "kind": "Field", "name": { "kind": "Name", "value": "threadId" } }, { "kind": "Field", "name": { "kind": "Name", "value": "threadCreated" } }, { "kind": "Field", "name": { "kind": "Name", "value": "retryCount" } }, { "kind": "Field", "name": { "kind": "Name", "value": "isReplay" } }, { "kind": "Field", "name": { "kind": "Name", "value": "errorMessage" } }] } }] } }] };
 var CliWebhookTenantBySlugDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliWebhookTenantBySlug" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "tenantBySlug" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "slug" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }] } }] } }] };
 var CliWikiTenantBySlugDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliWikiTenantBySlug" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "String" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "tenantBySlug" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "slug" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "slug" } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "slug" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }] } }] } }] };
 var CliAllTenantAgentsForWikiDocument = { "kind": "Document", "definitions": [{ "kind": "OperationDefinition", "operation": "query", "name": { "kind": "Name", "value": "CliAllTenantAgentsForWiki" }, "variableDefinitions": [{ "kind": "VariableDefinition", "variable": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } }, "type": { "kind": "NonNullType", "type": { "kind": "NamedType", "name": { "kind": "Name", "value": "ID" } } } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "allTenantAgents" }, "arguments": [{ "kind": "Argument", "name": { "kind": "Name", "value": "tenantId" }, "value": { "kind": "Variable", "name": { "kind": "Name", "value": "tenantId" } } }, { "kind": "Argument", "name": { "kind": "Name", "value": "includeSystem" }, "value": { "kind": "BooleanValue", "value": false } }, { "kind": "Argument", "name": { "kind": "Name", "value": "includeSubAgents" }, "value": { "kind": "BooleanValue", "value": false } }], "selectionSet": { "kind": "SelectionSet", "selections": [{ "kind": "Field", "name": { "kind": "Name", "value": "id" } }, { "kind": "Field", "name": { "kind": "Name", "value": "name" } }, { "kind": "Field", "name": { "kind": "Name", "value": "slug" } }, { "kind": "Field", "name": { "kind": "Name", "value": "type" } }, { "kind": "Field", "name": { "kind": "Name", "value": "status" } }] } }] } }] };
@@ -4800,6 +4819,7 @@ var documents = {
   "\n  query CliScheduledJobs(\n    $tenantId: ID!\n    $agentId: ID\n    $routineId: ID\n    $triggerType: String\n    $enabled: Boolean\n    $limit: Int\n  ) {\n    scheduledJobs(\n      tenantId: $tenantId\n      agentId: $agentId\n      routineId: $routineId\n      triggerType: $triggerType\n      enabled: $enabled\n      limit: $limit\n    ) {\n      id\n      name\n      description\n      triggerType\n      agentId\n      routineId\n      scheduleType\n      scheduleExpression\n      timezone\n      enabled\n      lastRunAt\n      nextRunAt\n      createdAt\n    }\n  }\n": CliScheduledJobsDocument,
   "\n  query CliScheduledJob($id: ID!) {\n    scheduledJob(id: $id) {\n      id\n      name\n      description\n      triggerType\n      agentId\n      routineId\n      prompt\n      scheduleType\n      scheduleExpression\n      timezone\n      enabled\n      ebScheduleName\n      lastRunAt\n      nextRunAt\n      createdAt\n      updatedAt\n    }\n  }\n": CliScheduledJobDocument,
   "\n  mutation CliCreateScheduledJob($input: CreateScheduledJobInput!) {\n    createScheduledJob(input: $input) {\n      id\n      name\n      enabled\n      scheduleExpression\n      timezone\n    }\n  }\n": CliCreateScheduledJobDocument,
+  "\n  mutation CliDeleteScheduledJob($id: ID!) {\n    deleteScheduledJob(id: $id) {\n      id\n      ok\n    }\n  }\n": CliDeleteScheduledJobDocument,
   "\n  query CliSchedJobTenantBySlug($slug: String!) {\n    tenantBySlug(slug: $slug) {\n      id\n    }\n  }\n": CliSchedJobTenantBySlugDocument,
   "\n  query CliSkillCatalog {\n    skillCatalog {\n      id\n      skillId\n      displayName\n      description\n      category\n      icon\n      source\n      enabled\n    }\n  }\n": CliSkillCatalogDocument,
   "\n  query CliSkillTenantBySlug($slug: String!) {\n    tenantBySlug(slug: $slug) {\n      id\n    }\n  }\n": CliSkillTenantBySlugDocument,
@@ -4858,6 +4878,7 @@ var documents = {
   "\n  mutation CliUpdateWebhook($id: ID!, $input: UpdateWebhookInput!) {\n    updateWebhook(id: $id, input: $input) {\n      id\n      name\n      targetType\n      enabled\n      rateLimit\n    }\n  }\n": CliUpdateWebhookDocument,
   "\n  mutation CliDeleteWebhook($id: ID!) {\n    deleteWebhook(id: $id)\n  }\n": CliDeleteWebhookDocument,
   "\n  mutation CliRegenerateWebhookToken($id: ID!) {\n    regenerateWebhookToken(id: $id) {\n      id\n      token\n    }\n  }\n": CliRegenerateWebhookTokenDocument,
+  "\n  query CliWebhookDeliveries($webhookId: ID!, $limit: Int) {\n    webhookDeliveries(webhookId: $webhookId, limit: $limit) {\n      id\n      providerName\n      providerEventId\n      normalizedKind\n      receivedAt\n      signatureStatus\n      resolutionStatus\n      statusCode\n      durationMs\n      threadId\n      threadCreated\n      retryCount\n      isReplay\n      errorMessage\n    }\n  }\n": CliWebhookDeliveriesDocument,
   "\n  query CliWebhookTenantBySlug($slug: String!) {\n    tenantBySlug(slug: $slug) {\n      id\n    }\n  }\n": CliWebhookTenantBySlugDocument,
   "\n  query CliWikiTenantBySlug($slug: String!) {\n    tenantBySlug(slug: $slug) {\n      id\n      slug\n      name\n    }\n  }\n": CliWikiTenantBySlugDocument,
   "\n  query CliAllTenantAgentsForWiki($tenantId: ID!) {\n    allTenantAgents(tenantId: $tenantId, includeSystem: false, includeSubAgents: false) {\n      id\n      name\n      slug\n      type\n      status\n    }\n  }\n": CliAllTenantAgentsForWikiDocument,
@@ -9912,6 +9933,14 @@ var CreateScheduledJobDoc = graphql(`
     }
   }
 `);
+var DeleteScheduledJobDoc = graphql(`
+  mutation CliDeleteScheduledJob($id: ID!) {
+    deleteScheduledJob(id: $id) {
+      id
+      ok
+    }
+  }
+`);
 var SchedJobTenantBySlugDoc = graphql(`
   query CliSchedJobTenantBySlug($slug: String!) {
     tenantBySlug(slug: $slug) {
@@ -10072,6 +10101,39 @@ async function runSchedCreate(name, opts) {
     `Created scheduled job ${data.createScheduledJob.id} \u2014 ${data.createScheduledJob.name} (${data.createScheduledJob.scheduleExpression}, ${data.createScheduledJob.timezone}).`
   );
 }
+async function runSchedDelete(id, opts) {
+  const ctx = await resolveSchedContext(opts);
+  if (!opts.yes) {
+    if (!isInteractive()) {
+      printError(
+        "Refusing to delete without --yes in non-interactive mode (CI / piped stdin)."
+      );
+      process.exit(1);
+    }
+    requireTty("confirmation");
+    const answer = await promptOrExit(
+      () => input16({
+        message: `Delete scheduled job ${id}? Type "delete" to confirm:`
+      })
+    );
+    if (answer.trim() !== "delete") {
+      console.log("  Cancelled.");
+      return;
+    }
+  }
+  const data = await gqlMutate(ctx.client, DeleteScheduledJobDoc, { id });
+  if (isJsonMode()) {
+    printJson(data.deleteScheduledJob);
+    return;
+  }
+  if (data.deleteScheduledJob.ok) {
+    printSuccess(`Deleted scheduled job ${data.deleteScheduledJob.id}.`);
+  } else {
+    console.log(
+      `  Scheduled job ${id} was already deleted (no row matched).`
+    );
+  }
+}
 function notYetImplementedAtApi(verb) {
   printError(
     `\`scheduled-job ${verb}\` is not yet implemented at the GraphQL API.
@@ -10096,7 +10158,9 @@ Examples:
 `
   ).action(runSchedCreate);
   job.command("update <id>").description("Update a scheduled job. (API surface pending \u2014 currently a no-op.)").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--schedule <expr>").option("--timezone <tz>").option("--payload <json>").option("--enable").option("--disable").action(() => notYetImplementedAtApi("update"));
-  job.command("delete <id>").description("Delete a scheduled job. (API surface pending.)").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(() => notYetImplementedAtApi("delete"));
+  job.command("delete <id>").description(
+    "Delete a scheduled job. Deprovisions the EventBridge schedule first, then removes the row."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(runSchedDelete);
   job.command("run <id>").description("Trigger a scheduled job immediately. (API surface pending.)").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--wait", "Block until the run completes").action(() => notYetImplementedAtApi("run"));
 }
 
@@ -10557,6 +10621,26 @@ var RegenerateWebhookTokenDoc = graphql(`
     }
   }
 `);
+var WebhookDeliveriesDoc = graphql(`
+  query CliWebhookDeliveries($webhookId: ID!, $limit: Int) {
+    webhookDeliveries(webhookId: $webhookId, limit: $limit) {
+      id
+      providerName
+      providerEventId
+      normalizedKind
+      receivedAt
+      signatureStatus
+      resolutionStatus
+      statusCode
+      durationMs
+      threadId
+      threadCreated
+      retryCount
+      isReplay
+      errorMessage
+    }
+  }
+`);
 var WebhookTenantBySlugDoc = graphql(`
   query CliWebhookTenantBySlug($slug: String!) {
     tenantBySlug(slug: $slug) {
@@ -10790,6 +10874,50 @@ async function runWebhookRotate(id, opts) {
   console.log("  New token (SAVE THIS):");
   console.log(`    ${wh.token}`);
 }
+async function runWebhookDeliveries(id, opts) {
+  const ctx = await resolveWebhookContext(opts);
+  const limit = Math.min(
+    Math.max(Number.parseInt(opts.limit ?? "25", 10) || 25, 1),
+    500
+  );
+  const data = await gqlQuery(ctx.client, WebhookDeliveriesDoc, {
+    webhookId: id,
+    limit
+  });
+  const rows = data.webhookDeliveries;
+  if (isJsonMode()) {
+    printJson({ items: rows });
+    return;
+  }
+  if (rows.length === 0) {
+    logStderr(`No deliveries recorded for webhook ${id}.`);
+    return;
+  }
+  printTable(
+    rows.map((r) => ({
+      received: r.receivedAt ?? "",
+      provider: r.providerName ?? "\u2014",
+      event: r.normalizedKind ?? r.providerEventId ?? "\u2014",
+      sig: r.signatureStatus,
+      resolution: r.resolutionStatus,
+      status: r.statusCode != null ? String(r.statusCode) : "\u2014",
+      durMs: r.durationMs != null ? String(r.durationMs) : "\u2014",
+      retry: r.retryCount != null ? String(r.retryCount) : "\u2014",
+      thread: r.threadId ?? "\u2014"
+    })),
+    [
+      { key: "received", header: "Received" },
+      { key: "provider", header: "Provider" },
+      { key: "event", header: "Event" },
+      { key: "sig", header: "Sig" },
+      { key: "resolution", header: "Resolution" },
+      { key: "status", header: "Status" },
+      { key: "durMs", header: "Dur(ms)" },
+      { key: "retry", header: "Retry" },
+      { key: "thread", header: "Thread" }
+    ]
+  );
+}
 function notYetImplementedAtApi2(verb) {
   printError(
     `\`webhook ${verb}\` is not yet implemented at the GraphQL API.
@@ -10812,7 +10940,9 @@ Examples:
   wh.command("delete <id>").description("Delete a webhook (its URL stops working immediately).").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(runWebhookDelete);
   wh.command("test <id>").description("Send a synthetic payload to the webhook. (API surface pending.)").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--payload <json>").action(() => notYetImplementedAtApi2("test"));
   wh.command("rotate <id>").description("Generate a new token for an existing webhook.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-y, --yes", "Skip confirmation").action(runWebhookRotate);
-  wh.command("deliveries <id>").description("Show recent delivery attempts. (API surface pending.)").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--limit <n>", "Max rows", "25").action(() => notYetImplementedAtApi2("deliveries"));
+  wh.command("deliveries <id>").description(
+    "Show recent delivery attempts for a webhook (newest first). Default 25, max 500."
+  ).option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("--limit <n>", "Max rows (1-500)", "25").action(runWebhookDeliveries);
 }
 
 // src/lib/plugin-zip.ts
@@ -13205,10 +13335,15 @@ async function runEvalSeed(opts) {
     categories: opts.category && opts.category.length > 0 ? opts.category : null
   });
   if (isJsonMode()) {
-    printJson({ inserted: data.seedEvalTestCases });
+    printJson({
+      source: "built-in-yaml-seed",
+      inserted: data.seedEvalTestCases
+    });
     return;
   }
-  printSuccess(`Seeded ${data.seedEvalTestCases} new test case(s). (Duplicates were skipped.)`);
+  printSuccess(
+    `Seeded ${data.seedEvalTestCases} new test case(s). (Duplicates were skipped.)`
+  );
 }
 
 // src/commands/eval/test-case/list.ts
@@ -14393,6 +14528,1424 @@ Examples:
   });
 }
 
+// src/commands/enterprise/bootstrap.ts
+import { resolve as resolve5 } from "path";
+
+// src/commands/enterprise/template.ts
+import {
+  existsSync as existsSync10,
+  mkdirSync as mkdirSync5,
+  readFileSync as readFileSync8,
+  readdirSync as readdirSync2,
+  statSync as statSync2,
+  writeFileSync as writeFileSync5
+} from "fs";
+import { dirname as dirname4, join as join7, relative as relative2, resolve as resolve4 } from "path";
+import { fileURLToPath as fileURLToPath3 } from "url";
+var __dirname2 = dirname4(fileURLToPath3(import.meta.url));
+var MANAGED_MARKER = "thinkwork-managed: enterprise-deploy-template";
+var CUSTOMER_SLUG_PATTERN = /^[a-z][a-z0-9-]{1,38}[a-z0-9]$/;
+function renderEnterpriseDeployRepoTemplate(options) {
+  const customerSlug = validateCustomerSlug(options.customerSlug);
+  const stages = validateStages(options.stages ?? ["dev", "prod"]);
+  const targetDir = resolve4(options.targetDir);
+  const templateRoot = findEnterpriseTemplateRoot();
+  const replacements = buildTemplateReplacements({
+    ...options,
+    customerSlug,
+    stages
+  });
+  const templateFiles = listTemplateFiles(templateRoot).filter(
+    (path2) => !relative2(templateRoot, path2).startsWith("terraform/stages/") && !/^terraform\/backend-[^.]+\.hcl$/.test(
+      relative2(templateRoot, path2).split("\\").join("/")
+    )
+  );
+  const written = [];
+  const preserved = [];
+  for (const templatePath of templateFiles) {
+    const relativePath = relative2(templateRoot, templatePath);
+    const outputPath = join7(targetDir, relativePath);
+    let content = applyTemplate(
+      readFileSync8(templatePath, "utf8"),
+      replacements
+    );
+    if (relativePath.split("\\").join("/") === "customer/deployment.json") {
+      content = renderCustomerDeploymentJson(content, customerSlug, stages);
+    }
+    writeManagedFile(outputPath, content, written, preserved);
+  }
+  const stageTemplateRoot = join7(templateRoot, "terraform", "stages");
+  const backendTemplatePath = join7(
+    templateRoot,
+    "terraform",
+    "backend-dev.hcl"
+  );
+  for (const stage of stages) {
+    const explicitTemplate = join7(stageTemplateRoot, `${stage}.tfvars`);
+    const fallbackTemplate = join7(stageTemplateRoot, "dev.tfvars");
+    const templatePath = existsSync10(explicitTemplate) ? explicitTemplate : fallbackTemplate;
+    const outputPath = join7(
+      targetDir,
+      "terraform",
+      "stages",
+      `${stage}.tfvars`
+    );
+    const content = applyTemplate(readFileSync8(templatePath, "utf8"), {
+      ...replacements,
+      STAGE: stage
+    });
+    writeManagedFile(outputPath, content, written, preserved);
+    const backendPath = join7(targetDir, "terraform", `backend-${stage}.hcl`);
+    const backendContent = applyTemplate(
+      readFileSync8(backendTemplatePath, "utf8"),
+      {
+        ...replacements,
+        STAGE: stage
+      }
+    );
+    writeManagedFile(backendPath, backendContent, written, preserved);
+  }
+  return { targetDir, written, preserved };
+}
+function validateCustomerSlug(slug) {
+  const normalized = slug.trim();
+  if (!CUSTOMER_SLUG_PATTERN.test(normalized)) {
+    throw new Error(
+      `Invalid customer slug "${slug}". Must be lowercase alphanumeric + hyphens, 3-40 characters, starting with a letter.`
+    );
+  }
+  return normalized;
+}
+function validateStages(stages) {
+  const normalized = [
+    ...new Set(stages.map((stage) => stage.trim()).filter(Boolean))
+  ];
+  if (normalized.length === 0) {
+    throw new Error("At least one deployment stage is required.");
+  }
+  for (const stage of normalized) {
+    const check = validateStage(stage);
+    if (!check.valid) {
+      throw new Error(check.error ?? `Invalid stage name "${stage}".`);
+    }
+  }
+  return normalized;
+}
+function findEnterpriseTemplateRoot() {
+  const candidates = [
+    resolve4(__dirname2, "templates/deploy-repo"),
+    resolve4(__dirname2, "commands/enterprise/templates/deploy-repo")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync10(join7(candidate, "thinkwork.lock"))) return candidate;
+  }
+  throw new Error(
+    "Enterprise deployment repo template not found. The CLI package may be incomplete."
+  );
+}
+function buildTemplateReplacements(options) {
+  const releaseVersion = options.releaseVersion ?? "v0.0.0";
+  const artifactBucket = options.artifactBucket ?? `${options.customerSlug}-thinkwork-release-artifacts`;
+  return {
+    ACCOUNT_ID: options.accountId ?? "123456789012",
+    ARTIFACT_BUCKET: artifactBucket,
+    CUSTOMER_SLUG: options.customerSlug,
+    LAMBDA_ARTIFACT_PREFIX: `releases/${releaseVersion}/lambdas`,
+    REGION: options.region ?? "us-east-1",
+    RELEASE_MANIFEST_SHA256: options.releaseManifestSha256 ?? "CHANGE_ME",
+    RELEASE_MANIFEST_URL: options.releaseManifestUrl ?? `https://github.com/thinkwork-ai/thinkwork/releases/download/${releaseVersion}/thinkwork-release.json`,
+    RELEASE_VERSION: releaseVersion,
+    TERRAFORM_MODULE_VERSION: options.terraformModuleVersion ?? releaseVersion.replace(/^v/, "")
+  };
+}
+function renderCustomerDeploymentJson(content, customerSlug, stages) {
+  const deployment = JSON.parse(content);
+  deployment.stages = Object.fromEntries(
+    stages.map((stage) => [
+      stage,
+      {
+        tenantSlug: stage === "prod" ? customerSlug : `${customerSlug}-${stage}`,
+        evalPacks: [],
+        seedPacks: [],
+        skillPacks: [],
+        workspaceDefaultPacks: [],
+        branding: null
+      }
+    ])
+  );
+  return `${JSON.stringify(deployment, null, 2)}
+`;
+}
+function listTemplateFiles(root) {
+  const out = [];
+  for (const entry of readdirSync2(root)) {
+    const path2 = join7(root, entry);
+    const stat = statSync2(path2);
+    if (stat.isDirectory()) {
+      out.push(...listTemplateFiles(path2));
+    } else if (stat.isFile()) {
+      out.push(path2);
+    }
+  }
+  return out.sort();
+}
+function applyTemplate(source, replacements) {
+  return source.replaceAll(/\{\{([A-Z0-9_]+)\}\}/g, (_match, key) => {
+    if (!(key in replacements)) {
+      throw new Error(`Unknown enterprise deployment template token: ${key}`);
+    }
+    return replacements[key];
+  });
+}
+function writeManagedFile(path2, content, written, preserved) {
+  mkdirSync5(dirname4(path2), { recursive: true });
+  if (existsSync10(path2)) {
+    const current = readFileSync8(path2, "utf8");
+    if (!current.includes(MANAGED_MARKER)) {
+      preserved.push(path2);
+      return;
+    }
+  }
+  writeFileSync5(path2, content);
+  written.push(path2);
+}
+
+// src/commands/enterprise/aws-bootstrap.ts
+import { execFileSync } from "child_process";
+import { mkdtempSync, writeFileSync as writeFileSync6 } from "fs";
+import { tmpdir } from "os";
+import { join as join8 } from "path";
+function buildEnterpriseAwsBootstrapPlan(config) {
+  const oidcProviderArn = `arn:aws:iam::${config.accountId}:oidc-provider/token.actions.githubusercontent.com`;
+  return {
+    stateBucket: config.stateBucket,
+    lockTable: config.lockTable,
+    artifactBucket: config.artifactBucket,
+    oidcProviderArn,
+    stageRoles: config.stages.map((stage) => {
+      const roleName = `thinkwork-${config.customerSlug}-${stage}-deploy`;
+      return {
+        stage,
+        roleName,
+        roleArn: `arn:aws:iam::${config.accountId}:role/${roleName}`,
+        trustPolicy: buildGitHubOidcTrustPolicy({
+          oidcProviderArn,
+          repository: config.repository,
+          stage
+        }),
+        deployPolicyName: `thinkwork-${config.customerSlug}-${stage}-deploy`,
+        deployPolicy: buildEnterpriseDeployRolePolicy({
+          accountId: config.accountId,
+          region: config.region,
+          stage,
+          stateBucket: config.stateBucket,
+          lockTable: config.lockTable,
+          artifactBucket: config.artifactBucket
+        })
+      };
+    })
+  };
+}
+function buildGitHubOidcTrustPolicy(options) {
+  return {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Principal: {
+          Federated: options.oidcProviderArn
+        },
+        Action: "sts:AssumeRoleWithWebIdentity",
+        Condition: {
+          StringEquals: {
+            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
+            "token.actions.githubusercontent.com:sub": `repo:${options.repository}:environment:${options.stage}`
+          }
+        }
+      }
+    ]
+  };
+}
+function buildEnterpriseDeployRolePolicy(options) {
+  const thinkworkPrefix = `thinkwork-${options.stage}`;
+  return {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Sid: "TerraformStateAndReleaseBuckets",
+        Effect: "Allow",
+        Action: [
+          "s3:GetBucketLocation",
+          "s3:GetBucketVersioning",
+          "s3:GetEncryptionConfiguration",
+          "s3:ListBucket",
+          "s3:PutBucketVersioning",
+          "s3:PutEncryptionConfiguration",
+          "s3:PutLifecycleConfiguration",
+          "s3:PutPublicAccessBlock"
+        ],
+        Resource: [
+          `arn:aws:s3:::${options.stateBucket}`,
+          `arn:aws:s3:::${options.artifactBucket}`,
+          `arn:aws:s3:::${thinkworkPrefix}-*`
+        ]
+      },
+      {
+        Sid: "TerraformStateAndReleaseObjects",
+        Effect: "Allow",
+        Action: [
+          "s3:AbortMultipartUpload",
+          "s3:DeleteObject",
+          "s3:GetObject",
+          "s3:PutObject"
+        ],
+        Resource: [
+          `arn:aws:s3:::${options.stateBucket}/*`,
+          `arn:aws:s3:::${options.artifactBucket}/*`,
+          `arn:aws:s3:::${thinkworkPrefix}-*/*`
+        ]
+      },
+      {
+        Sid: "TerraformStateLocks",
+        Effect: "Allow",
+        Action: [
+          "dynamodb:CreateTable",
+          "dynamodb:DescribeTable",
+          "dynamodb:GetItem",
+          "dynamodb:PutItem",
+          "dynamodb:DeleteItem",
+          "dynamodb:UpdateItem"
+        ],
+        Resource: `arn:aws:dynamodb:${options.region}:${options.accountId}:table/${options.lockTable}`
+      },
+      {
+        Sid: "ThinkWorkNamedResources",
+        Effect: "Allow",
+        Action: [
+          "apigateway:*",
+          "appsync:*",
+          "bedrock:*",
+          "bedrock-agentcore:*",
+          "cloudfront:*",
+          "cognito-idp:*",
+          "dynamodb:*",
+          "ec2:*",
+          "ecr:*",
+          "ecs:*",
+          "elasticfilesystem:*",
+          "elasticloadbalancing:*",
+          "events:*",
+          "iam:*",
+          "lambda:*",
+          "logs:*",
+          "rds:*",
+          "scheduler:*",
+          "secretsmanager:*",
+          "ses:*",
+          "sqs:*",
+          "ssm:*",
+          "states:*",
+          "xray:*"
+        ],
+        Resource: "*"
+      }
+    ]
+  };
+}
+var AwsCliEnterpriseBootstrapClient = class {
+  async ensureStateBucket(bucket, region) {
+    return ensureBucket(bucket, region, "terraform state bucket");
+  }
+  async ensureLockTable(table, region) {
+    if (awsOk([
+      "dynamodb",
+      "describe-table",
+      "--table-name",
+      table,
+      "--region",
+      region
+    ])) {
+      return {
+        target: table,
+        status: "reused",
+        message: `DynamoDB lock table ${table} already exists.`
+      };
+    }
+    execFileSync("aws", [
+      "dynamodb",
+      "create-table",
+      "--table-name",
+      table,
+      "--attribute-definitions",
+      "AttributeName=LockID,AttributeType=S",
+      "--key-schema",
+      "AttributeName=LockID,KeyType=HASH",
+      "--billing-mode",
+      "PAY_PER_REQUEST",
+      "--region",
+      region
+    ]);
+    return {
+      target: table,
+      status: "created",
+      message: `Created DynamoDB lock table ${table}.`
+    };
+  }
+  async ensureArtifactBucket(bucket, region) {
+    return ensureBucket(bucket, region, "release artifact bucket");
+  }
+  async ensureOidcProvider(accountId) {
+    const arn = `arn:aws:iam::${accountId}:oidc-provider/token.actions.githubusercontent.com`;
+    if (awsOk([
+      "iam",
+      "get-open-id-connect-provider",
+      "--open-id-connect-provider-arn",
+      arn
+    ])) {
+      return {
+        target: arn,
+        status: "reused",
+        message: "GitHub Actions OIDC provider already exists."
+      };
+    }
+    execFileSync("aws", [
+      "iam",
+      "create-open-id-connect-provider",
+      "--url",
+      "https://token.actions.githubusercontent.com",
+      "--client-id-list",
+      "sts.amazonaws.com",
+      "--thumbprint-list",
+      "6938fd4d98bab03faadb97b34396831e3780aea1"
+    ]);
+    return {
+      target: arn,
+      status: "created",
+      message: "Created GitHub Actions OIDC provider."
+    };
+  }
+  async ensureDeployRole(role) {
+    if (awsOk(["iam", "get-role", "--role-name", role.roleName])) {
+      putRolePolicy(role);
+      return {
+        target: role.roleArn,
+        status: "updated",
+        message: `Deploy role ${role.roleName} already exists; updated inline deploy policy ${role.deployPolicyName}.`
+      };
+    }
+    const dir = mkdtempSync(join8(tmpdir(), "thinkwork-enterprise-role-"));
+    const trustPath = join8(dir, "trust.json");
+    writeFileSync6(trustPath, JSON.stringify(role.trustPolicy));
+    execFileSync("aws", [
+      "iam",
+      "create-role",
+      "--role-name",
+      role.roleName,
+      "--assume-role-policy-document",
+      `file://${trustPath}`
+    ]);
+    putRolePolicy(role);
+    return {
+      target: role.roleArn,
+      status: "created",
+      message: `Created deploy role ${role.roleName} and attached inline deploy policy ${role.deployPolicyName}.`
+    };
+  }
+};
+function putRolePolicy(role) {
+  const dir = mkdtempSync(join8(tmpdir(), "thinkwork-enterprise-policy-"));
+  const policyPath = join8(dir, "policy.json");
+  writeFileSync6(policyPath, JSON.stringify(role.deployPolicy));
+  execFileSync("aws", [
+    "iam",
+    "put-role-policy",
+    "--role-name",
+    role.roleName,
+    "--policy-name",
+    role.deployPolicyName,
+    "--policy-document",
+    `file://${policyPath}`
+  ]);
+}
+function ensureBucket(bucket, region, label) {
+  if (awsOk(["s3api", "head-bucket", "--bucket", bucket])) {
+    return {
+      target: bucket,
+      status: "reused",
+      message: `${label} ${bucket} already exists.`
+    };
+  }
+  const args = region === "us-east-1" ? ["s3api", "create-bucket", "--bucket", bucket, "--region", region] : [
+    "s3api",
+    "create-bucket",
+    "--bucket",
+    bucket,
+    "--region",
+    region,
+    "--create-bucket-configuration",
+    `LocationConstraint=${region}`
+  ];
+  execFileSync("aws", args);
+  execFileSync("aws", [
+    "s3api",
+    "put-public-access-block",
+    "--bucket",
+    bucket,
+    "--public-access-block-configuration",
+    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
+  ]);
+  return {
+    target: bucket,
+    status: "created",
+    message: `Created ${label} ${bucket}.`
+  };
+}
+function awsOk(args) {
+  try {
+    execFileSync("aws", args, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/commands/enterprise/github.ts
+import { execFileSync as execFileSync2 } from "child_process";
+function parseGitHubRepository(input20) {
+  const trimmed = input20.trim();
+  const match = /^([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/.exec(trimmed);
+  if (!match) {
+    throw new Error(
+      `Invalid GitHub repository "${input20}". Use owner/name, for example acme/thinkwork-deploy.`
+    );
+  }
+  return {
+    owner: match[1],
+    name: match[2],
+    fullName: `${match[1]}/${match[2]}`
+  };
+}
+function buildEnterpriseGitHubBootstrapPlan(options) {
+  const repository = parseGitHubRepository(options.repository);
+  return {
+    repository,
+    dispatchWorkflow: options.dispatchWorkflow ?? false,
+    environments: options.stages.map((stage) => {
+      const role = options.stageRoles.find((item) => item.stage === stage);
+      if (!role) {
+        throw new Error(`Missing deploy role for stage "${stage}".`);
+      }
+      return {
+        stage,
+        roleArn: role.roleArn,
+        vars: {
+          AWS_REGION: options.region,
+          AWS_ROLE_ARN: role.roleArn,
+          THINKWORK_ARTIFACT_BUCKET: options.artifactBucket
+        },
+        secretPlaceholders: ["TF_VAR_DB_PASSWORD", "TF_VAR_API_AUTH_SECRET"]
+      };
+    })
+  };
+}
+var GhCliEnterpriseBootstrapClient = class {
+  constructor(repository) {
+    this.repository = repository;
+  }
+  repository;
+  async ensureEnvironment(environment) {
+    gh([
+      "api",
+      "--method",
+      "PUT",
+      `repos/${this.repository.fullName}/environments/${environment.stage}`,
+      "--field",
+      "wait_timer=0"
+    ]);
+    return {
+      target: `${this.repository.fullName}:${environment.stage}`,
+      status: "updated",
+      message: `Ensured GitHub Environment ${environment.stage}.`
+    };
+  }
+  async upsertEnvironmentVariables(environment) {
+    for (const [name, value] of Object.entries(environment.vars)) {
+      gh([
+        "variable",
+        "set",
+        name,
+        "--repo",
+        this.repository.fullName,
+        "--env",
+        environment.stage,
+        "--body",
+        value
+      ]);
+    }
+    return {
+      target: `${this.repository.fullName}:${environment.stage}:vars`,
+      status: "updated",
+      message: `Updated non-secret GitHub Environment variables for ${environment.stage}.`
+    };
+  }
+  async writeRepositoryFiles(targetDir) {
+    return {
+      target: targetDir,
+      status: "updated",
+      message: "Repository files were written locally. Commit/push this directory or run from a checked-out deployment repo."
+    };
+  }
+  async dispatchWorkflow(stage) {
+    gh([
+      "workflow",
+      "run",
+      "deploy.yml",
+      "--repo",
+      this.repository.fullName,
+      "--field",
+      `stage=${stage}`
+    ]);
+    return {
+      target: `${this.repository.fullName}:deploy.yml:${stage}`,
+      status: "created",
+      message: `Dispatched deploy workflow for ${stage}.`
+    };
+  }
+};
+function gh(args) {
+  return execFileSync2("gh", args, { encoding: "utf8" });
+}
+
+// src/commands/enterprise/release.ts
+function resolveEnterpriseReleasePin(options) {
+  const version = options.releaseVersion ?? `v${VERSION}`;
+  return {
+    version,
+    manifestUrl: options.manifestUrl ?? `https://github.com/thinkwork-ai/thinkwork/releases/download/${version}/thinkwork-release.json`,
+    manifestSha256: options.manifestSha256 ?? "CHANGE_ME",
+    terraformModuleVersion: options.terraformModuleVersion ?? version.replace(/^v/, "")
+  };
+}
+
+// src/commands/enterprise/bootstrap.ts
+function buildEnterpriseBootstrapPlan(options, identity) {
+  const customerSlug = validateCustomerSlug(options.customerSlug);
+  const repository = parseGitHubRepository(options.repository).fullName;
+  const stages = validateStages(options.stages ?? ["dev", "prod"]);
+  const accountId = options.accountId ?? identity?.account;
+  const region = options.region ?? identity?.region;
+  if (!accountId) {
+    throw new Error(
+      "AWS account ID is required. Configure AWS credentials or pass --account-id."
+    );
+  }
+  if (!region || region === "unknown") {
+    throw new Error(
+      "AWS region is required. Configure AWS_REGION or pass --region."
+    );
+  }
+  const release = resolveEnterpriseReleasePin({
+    releaseVersion: options.releaseVersion,
+    manifestUrl: options.manifestUrl,
+    manifestSha256: options.manifestSha256,
+    terraformModuleVersion: options.terraformModuleVersion
+  });
+  const artifactBucket = options.artifactBucket ?? `${customerSlug}-thinkwork-release-artifacts`;
+  const stateBucket = options.stateBucket ?? `${customerSlug}-thinkwork-terraform-state`;
+  const lockTable = options.lockTable ?? `${customerSlug}-thinkwork-terraform-locks`;
+  const aws = buildEnterpriseAwsBootstrapPlan({
+    accountId,
+    region,
+    repository,
+    stages,
+    customerSlug,
+    stateBucket,
+    lockTable,
+    artifactBucket
+  });
+  const github = buildEnterpriseGitHubBootstrapPlan({
+    repository,
+    stages,
+    region,
+    artifactBucket,
+    stageRoles: aws.stageRoles,
+    dispatchWorkflow: options.dispatchWorkflow
+  });
+  return {
+    customerSlug,
+    targetDir: resolve5(options.targetDir),
+    repository,
+    stages,
+    accountId,
+    region,
+    release,
+    aws,
+    github
+  };
+}
+async function runEnterpriseBootstrap(options, deps = {}) {
+  const identity = deps.identity === void 0 ? getAwsIdentity() : deps.identity;
+  if (!options.dryRun && !identity && (!options.accountId || !options.region)) {
+    throw new Error(
+      "AWS identity is required before mutating AWS or GitHub resources."
+    );
+  }
+  const plan = buildEnterpriseBootstrapPlan(options, identity);
+  const template = renderEnterpriseDeployRepoTemplate({
+    targetDir: plan.targetDir,
+    customerSlug: plan.customerSlug,
+    stages: plan.stages,
+    region: plan.region,
+    accountId: plan.accountId,
+    releaseVersion: plan.release.version,
+    releaseManifestUrl: plan.release.manifestUrl,
+    releaseManifestSha256: plan.release.manifestSha256,
+    terraformModuleVersion: plan.release.terraformModuleVersion,
+    artifactBucket: plan.aws.artifactBucket
+  });
+  const awsClient = deps.awsClient ?? new AwsCliEnterpriseBootstrapClient();
+  const githubClient = deps.githubClient ?? new GhCliEnterpriseBootstrapClient(parseGitHubRepository(plan.repository));
+  const awsResults = [];
+  const githubResults = [];
+  if (options.dryRun) {
+    awsResults.push(
+      planned(plan.aws.stateBucket, "Would ensure Terraform state bucket."),
+      planned(plan.aws.lockTable, "Would ensure Terraform lock table."),
+      planned(plan.aws.artifactBucket, "Would ensure release artifact bucket."),
+      planned(
+        plan.aws.oidcProviderArn,
+        "Would ensure GitHub Actions OIDC provider."
+      ),
+      ...plan.aws.stageRoles.map(
+        (role) => planned(role.roleArn, `Would ensure deploy role for ${role.stage}.`)
+      )
+    );
+    githubResults.push(
+      planned(plan.targetDir, "Would write deployment repository files."),
+      ...plan.github.environments.flatMap((environment) => [
+        planned(
+          `${plan.repository}:${environment.stage}`,
+          `Would ensure GitHub Environment ${environment.stage}.`
+        ),
+        planned(
+          `${plan.repository}:${environment.stage}:vars`,
+          `Would upsert non-secret GitHub variables for ${environment.stage}.`
+        ),
+        planned(
+          `${plan.repository}:${environment.stage}:secrets`,
+          `Would require GitHub Environment secrets for ${environment.stage}: ${environment.secretPlaceholders.join(", ")}.`
+        ),
+        ...plan.github.dispatchWorkflow ? [
+          planned(
+            `${plan.repository}:deploy.yml:${environment.stage}`,
+            `Would dispatch deploy workflow for ${environment.stage}.`
+          )
+        ] : []
+      ])
+    );
+  } else {
+    awsResults.push(
+      await awsClient.ensureStateBucket(plan.aws.stateBucket, plan.region),
+      await awsClient.ensureLockTable(plan.aws.lockTable, plan.region),
+      await awsClient.ensureArtifactBucket(
+        plan.aws.artifactBucket,
+        plan.region
+      ),
+      await awsClient.ensureOidcProvider(plan.accountId)
+    );
+    for (const role of plan.aws.stageRoles) {
+      awsResults.push(await awsClient.ensureDeployRole(role));
+    }
+    githubResults.push(await githubClient.writeRepositoryFiles(plan.targetDir));
+    for (const environment of plan.github.environments) {
+      githubResults.push(
+        await githubClient.ensureEnvironment(environment),
+        await githubClient.upsertEnvironmentVariables(environment),
+        secretPlaceholderResult(plan.repository, environment)
+      );
+      if (plan.github.dispatchWorkflow) {
+        githubResults.push(
+          await githubClient.dispatchWorkflow(environment.stage)
+        );
+      }
+    }
+  }
+  const metadata = options.dryRun ? planned(
+    plan.customerSlug,
+    "Would record local enterprise deployment metadata without secrets."
+  ) : recordDeploymentMetadata(plan, deps.saveDeployment);
+  return {
+    plan,
+    template,
+    aws: awsResults,
+    github: githubResults,
+    metadata
+  };
+}
+function registerEnterpriseBootstrapCommand(program2) {
+  program2.command("bootstrap [targetDir]").description(
+    "Bootstrap a customer-owned ThinkWork deployment repository and CI trust bridge."
+  ).option("--customer <slug>", "Customer slug, e.g. acme").option("--repo <owner/name>", "Customer GitHub deployment repository").option("--stage <stage...>", "Deployment stage(s)", ["dev", "prod"]).option("--region <region>", "AWS region").option("--account-id <id>", "AWS account ID").option("--release-version <version>", "Pinned ThinkWork release version").option("--manifest-url <url>", "Pinned ThinkWork release manifest URL").option(
+    "--manifest-sha256 <sha256>",
+    "Pinned ThinkWork release manifest SHA-256"
+  ).option(
+    "--terraform-module-version <version>",
+    "Pinned Terraform Registry module version"
+  ).option(
+    "--artifact-bucket <bucket>",
+    "Customer-owned release artifact bucket"
+  ).option("--state-bucket <bucket>", "Terraform state bucket").option("--lock-table <table>", "Terraform state lock table").option("--dispatch", "Dispatch deploy workflow after bootstrap").option(
+    "--dry-run",
+    "Render files and print the plan without mutating AWS/GitHub"
+  ).option("-y, --yes", "Skip confirmation for mutating bootstrap").action(
+    async (targetDir, opts) => {
+      try {
+        const customerSlug = await resolveCustomerSlug(opts.customer);
+        const repository = await resolveRepository(opts.repo);
+        const identity = getAwsIdentity();
+        printHeader("enterprise bootstrap", customerSlug, identity);
+        if (!opts.dryRun && !opts.yes) {
+          const prodStages = (opts.stage ?? ["dev", "prod"]).filter(
+            isProdLike
+          );
+          const message = prodStages.length > 0 ? `  Bootstrap deployment authority for ${repository} including production-like stage(s): ${prodStages.join(", ")}?` : `  Bootstrap deployment authority for ${repository}?`;
+          if (!await confirm(message)) {
+            console.log("  Aborted.");
+            return;
+          }
+        }
+        const result = await runEnterpriseBootstrap(
+          {
+            targetDir: targetDir ?? ".",
+            customerSlug,
+            repository,
+            stages: opts.stage,
+            region: opts.region,
+            accountId: opts.accountId,
+            releaseVersion: opts.releaseVersion,
+            manifestUrl: opts.manifestUrl,
+            manifestSha256: opts.manifestSha256,
+            terraformModuleVersion: opts.terraformModuleVersion,
+            artifactBucket: opts.artifactBucket,
+            stateBucket: opts.stateBucket,
+            lockTable: opts.lockTable,
+            dispatchWorkflow: opts.dispatch,
+            dryRun: opts.dryRun
+          },
+          { identity }
+        );
+        printBootstrapSummary(result);
+        printSuccess(
+          opts.dryRun ? "Enterprise bootstrap dry-run complete" : "Enterprise bootstrap complete"
+        );
+      } catch (err) {
+        printError(err.message);
+        process.exit(1);
+      }
+    }
+  );
+}
+function planned(target, message) {
+  return { target, status: "planned", message };
+}
+function secretPlaceholderResult(repository, environment) {
+  return {
+    target: `${repository}:${environment.stage}:secrets`,
+    status: "planned",
+    message: `Set GitHub Environment secrets for ${environment.stage}: ${environment.secretPlaceholders.join(", ")}.`
+  };
+}
+function recordDeploymentMetadata(plan, saveDeployment = saveEnterpriseDeployment) {
+  saveDeployment({
+    customerSlug: plan.customerSlug,
+    repository: plan.repository,
+    targetDir: plan.targetDir,
+    accountId: plan.accountId,
+    region: plan.region,
+    stages: plan.stages,
+    artifactBucket: plan.aws.artifactBucket,
+    stateBucket: plan.aws.stateBucket,
+    lockTable: plan.aws.lockTable,
+    releaseVersion: plan.release.version,
+    releaseManifestUrl: plan.release.manifestUrl,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  return {
+    target: plan.customerSlug,
+    status: "updated",
+    message: "Recorded local enterprise deployment metadata without secrets."
+  };
+}
+async function resolveCustomerSlug(flag) {
+  if (flag) return flag;
+  if (!process.stdin.isTTY) {
+    throw new Error("Customer slug is required. Pass --customer <slug>.");
+  }
+  const { input: input20 } = await import("@inquirer/prompts");
+  return input20({ message: "Customer slug:" });
+}
+async function resolveRepository(flag) {
+  if (flag) return flag;
+  if (!process.stdin.isTTY) {
+    throw new Error("GitHub repository is required. Pass --repo <owner/name>.");
+  }
+  const { input: input20 } = await import("@inquirer/prompts");
+  return input20({ message: "GitHub deployment repo (owner/name):" });
+}
+function printBootstrapSummary(result) {
+  console.log("");
+  console.log("  AWS");
+  for (const step of result.aws) {
+    console.log(`  - ${step.status}: ${step.message}`);
+  }
+  console.log("  GitHub");
+  for (const step of result.github) {
+    console.log(`  - ${step.status}: ${step.message}`);
+  }
+  if (result.template.preserved.length > 0) {
+    printWarning(
+      `Preserved ${result.template.preserved.length} customer-owned file(s) without the ThinkWork managed marker.`
+    );
+  }
+}
+
+// src/commands/enterprise/overlay.ts
+import { resolve as resolve6 } from "path";
+
+// src/commands/enterprise/overlay-schema.ts
+import { existsSync as existsSync11, readdirSync as readdirSync3, readFileSync as readFileSync9, statSync as statSync3 } from "fs";
+import { join as join9, relative as relative3, sep as sep2 } from "path";
+function loadEnterpriseOverlayDefinition(repoRoot) {
+  const path2 = join9(repoRoot, "customer", "deployment.json");
+  if (!existsSync11(path2)) {
+    throw new Error(`Missing customer overlay definition: ${path2}`);
+  }
+  const parsed = JSON.parse(readFileSync9(path2, "utf8"));
+  if (parsed.schemaVersion !== 1) {
+    throw new Error(
+      `Unsupported customer/deployment.json schemaVersion ${parsed.schemaVersion}`
+    );
+  }
+  if (!isNonEmptyString(parsed.customerSlug)) {
+    throw new Error("customer/deployment.json requires customerSlug");
+  }
+  if (!isRecord(parsed.stages)) {
+    throw new Error("customer/deployment.json requires stages");
+  }
+  return {
+    schemaVersion: 1,
+    customerSlug: parsed.customerSlug,
+    stages: Object.fromEntries(
+      Object.entries(parsed.stages).map(([stage, value]) => [
+        stage,
+        normalizeStage(stage, value)
+      ])
+    )
+  };
+}
+function stageOverlay(definition, stage) {
+  const config = definition.stages[stage];
+  if (!config) {
+    throw new Error(`customer/deployment.json does not define stage ${stage}`);
+  }
+  return config;
+}
+function readCustomerEvalPack(repoRoot, packName) {
+  assertPackName(packName, "eval");
+  const path2 = join9(repoRoot, "customer", "evals", `${packName}.json`);
+  if (!existsSync11(path2)) {
+    throw new Error(`Eval pack "${packName}" is missing: ${path2}`);
+  }
+  const parsed = JSON.parse(readFileSync9(path2, "utf8"));
+  if (!Array.isArray(parsed)) {
+    throw new Error(`Eval pack "${packName}" must be a JSON array`);
+  }
+  return parsed.map(
+    (value, index) => normalizeEvalSeed(value, `customer/evals/${packName}.json[${index}]`)
+  );
+}
+function readJsonSeedPack(repoRoot, packName) {
+  assertPackName(packName, "seed");
+  const path2 = join9(repoRoot, "customer", "seeds", `${packName}.json`);
+  if (!existsSync11(path2)) {
+    throw new Error(`Seed pack "${packName}" is missing: ${path2}`);
+  }
+  return JSON.parse(readFileSync9(path2, "utf8"));
+}
+function collectOverlayFiles(repoRoot, family, packName) {
+  assertPackName(packName, family);
+  const root = join9(repoRoot, "customer", family, packName);
+  if (!existsSync11(root) || !statSync3(root).isDirectory()) {
+    throw new Error(`Overlay pack "${family}/${packName}" is missing: ${root}`);
+  }
+  const files = [];
+  walkFiles(root, (path2) => {
+    const relativePath = relative3(root, path2).split(sep2).join("/");
+    if (relativePath === ".DS_Store" || relativePath.endsWith("/.DS_Store")) {
+      return;
+    }
+    files.push({
+      relativePath,
+      content: readFileSync9(path2, "utf8")
+    });
+  });
+  if (family === "skills" && !files.some((file) => file.relativePath === "SKILL.md")) {
+    throw new Error(`Skill pack "${packName}" must include SKILL.md`);
+  }
+  if (files.length === 0) {
+    throw new Error(`Overlay pack "${family}/${packName}" contains no files`);
+  }
+  return files.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+}
+function normalizeStage(stage, value) {
+  if (!isRecord(value)) {
+    throw new Error(`Stage ${stage} must be an object`);
+  }
+  if (!isNonEmptyString(value.tenantSlug)) {
+    throw new Error(`Stage ${stage} requires tenantSlug`);
+  }
+  const branding = value.branding;
+  if (branding !== null && branding !== void 0 && !isRecord(branding)) {
+    throw new Error(`Stage ${stage} branding must be an object or null`);
+  }
+  return {
+    tenantSlug: value.tenantSlug,
+    evalPacks: normalizePackArray(value.evalPacks, `${stage}.evalPacks`),
+    seedPacks: normalizePackArray(value.seedPacks, `${stage}.seedPacks`),
+    skillPacks: normalizePackArray(value.skillPacks, `${stage}.skillPacks`),
+    workspaceDefaultPacks: normalizePackArray(
+      value.workspaceDefaultPacks,
+      `${stage}.workspaceDefaultPacks`
+    ),
+    branding: branding ?? null,
+    defaultAgentTemplateSlug: isNonEmptyString(value.defaultAgentTemplateSlug) ? value.defaultAgentTemplateSlug : "default"
+  };
+}
+function normalizeEvalSeed(value, label) {
+  if (!isRecord(value)) throw new Error(`${label} must be an object`);
+  if (!isNonEmptyString(value.name))
+    throw new Error(`${label}.name is required`);
+  if (!isNonEmptyString(value.category))
+    throw new Error(`${label}.category is required`);
+  if (!isNonEmptyString(value.query))
+    throw new Error(`${label}.query is required`);
+  const assertions = value.assertions;
+  if (!Array.isArray(assertions)) {
+    throw new Error(`${label}.assertions must be an array`);
+  }
+  return {
+    name: value.name,
+    category: value.category,
+    query: value.query,
+    systemPrompt: typeof value.systemPrompt === "string" ? value.systemPrompt : null,
+    agentTemplateId: typeof value.agentTemplateId === "string" ? value.agentTemplateId : null,
+    assertions: assertions.map(
+      (assertion, index) => normalizeAssertion(assertion, `${label}.assertions[${index}]`)
+    ),
+    agentcoreEvaluatorIds: normalizeOptionalStringArray(
+      value.agentcoreEvaluatorIds,
+      `${label}.agentcoreEvaluatorIds`
+    ),
+    tags: normalizeOptionalStringArray(value.tags, `${label}.tags`),
+    enabled: typeof value.enabled === "boolean" ? value.enabled : true
+  };
+}
+function normalizeAssertion(value, label) {
+  if (!isRecord(value)) throw new Error(`${label} must be an object`);
+  if (!isNonEmptyString(value.type))
+    throw new Error(`${label}.type is required`);
+  return {
+    type: value.type,
+    value: typeof value.value === "string" || value.value === null ? value.value : void 0,
+    path: typeof value.path === "string" || value.path === null ? value.path : void 0
+  };
+}
+function normalizePackArray(value, label) {
+  const items = normalizeStringArray(value, label);
+  for (const item of items) assertPackName(item, label);
+  return items;
+}
+function normalizeStringArray(value, label) {
+  if (value === void 0) return [];
+  if (!Array.isArray(value)) throw new Error(`${label} must be an array`);
+  return value.map((item, index) => {
+    if (!isNonEmptyString(item)) {
+      throw new Error(`${label}[${index}] must be a non-empty string`);
+    }
+    return item;
+  });
+}
+function normalizeOptionalStringArray(value, label) {
+  if (value === void 0 || value === null) return [];
+  return normalizeStringArray(value, label);
+}
+function assertPackName(value, label) {
+  if (!/^[a-z0-9][a-z0-9_.-]*$/.test(value)) {
+    throw new Error(
+      `${label} pack "${value}" must use lowercase letters, numbers, dot, underscore, or hyphen`
+    );
+  }
+}
+function walkFiles(root, visit) {
+  for (const entry of readdirSync3(root, { withFileTypes: true })) {
+    const path2 = join9(root, entry.name);
+    if (entry.isDirectory()) {
+      walkFiles(path2, visit);
+    } else if (entry.isFile()) {
+      visit(path2);
+    }
+  }
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isNonEmptyString(value) {
+  return typeof value === "string" && value.trim().length > 0;
+}
+
+// src/commands/enterprise/overlay-apply.ts
+function buildEnterpriseOverlayPlan(options) {
+  const definition = loadEnterpriseOverlayDefinition(options.repoRoot);
+  const stage = stageOverlay(definition, options.stage);
+  return {
+    repoRoot: options.repoRoot,
+    stage: options.stage,
+    tenantSlug: stage.tenantSlug,
+    targetTemplateSlug: stage.defaultAgentTemplateSlug,
+    operations: [
+      ...evalOperations(options.repoRoot, stage),
+      ...workspaceFileOperations(options.repoRoot, stage),
+      ...seedOperations(options.repoRoot, stage),
+      ...stage.branding ? [{ kind: "branding", branding: stage.branding }] : []
+    ]
+  };
+}
+async function applyEnterpriseOverlay(plan, client) {
+  const result = {
+    stage: plan.stage,
+    tenantSlug: plan.tenantSlug,
+    evals: { inserted: 0, updated: 0, skipped: 0, packs: [] },
+    workspaceFiles: { written: 0, packs: [] },
+    seeds: { validated: 0, packs: [] },
+    branding: "not-configured"
+  };
+  const existing = await client.listEvalTestCases();
+  const existingByOverlayKey = new Map(
+    existing.flatMap(
+      (testCase) => (testCase.tags ?? []).filter((tag) => tag.startsWith("customer-overlay:key:")).map((tag) => [tag, testCase])
+    )
+  );
+  for (const operation of plan.operations) {
+    if (operation.kind === "eval-pack") {
+      const packResult = {
+        pack: operation.pack,
+        inserted: 0,
+        updated: 0,
+        skipped: 0
+      };
+      for (const testCase of operation.testCases) {
+        const input20 = withOverlayTags(
+          operation.pack,
+          testCase,
+          client.targetAgentTemplateId
+        );
+        const existingCase = existingByOverlayKey.get(
+          overlayKeyTag(operation.pack, testCase)
+        );
+        if (existingCase) {
+          if (sameEval(existingCase, input20)) {
+            result.evals.skipped++;
+            packResult.skipped++;
+          } else {
+            await client.updateEvalTestCase(existingCase.id, input20);
+            result.evals.updated++;
+            packResult.updated++;
+          }
+        } else {
+          await client.createEvalTestCase(input20);
+          result.evals.inserted++;
+          packResult.inserted++;
+        }
+      }
+      result.evals.packs.push(packResult);
+      continue;
+    }
+    if (operation.kind === "workspace-file-pack") {
+      for (const file of operation.files) {
+        await client.putWorkspaceFile({
+          templateSlug: operation.targetTemplateSlug,
+          path: workspaceTargetPath(
+            operation.family,
+            operation.pack,
+            file.relativePath
+          ),
+          content: file.content
+        });
+        result.workspaceFiles.written++;
+      }
+      result.workspaceFiles.packs.push({
+        family: operation.family,
+        pack: operation.pack,
+        written: operation.files.length
+      });
+      continue;
+    }
+    if (operation.kind === "seed-pack") {
+      result.seeds.validated++;
+      result.seeds.packs.push(operation.pack);
+      continue;
+    }
+    if (operation.kind === "branding") {
+      result.branding = "recorded";
+    }
+  }
+  return result;
+}
+function evalOperations(repoRoot, stage) {
+  return stage.evalPacks.map((pack) => ({
+    kind: "eval-pack",
+    pack,
+    testCases: readCustomerEvalPack(repoRoot, pack)
+  }));
+}
+function workspaceFileOperations(repoRoot, stage) {
+  return [
+    ...stage.skillPacks.map((pack) => ({
+      kind: "workspace-file-pack",
+      family: "skills",
+      pack,
+      targetTemplateSlug: stage.defaultAgentTemplateSlug,
+      files: collectOverlayFiles(repoRoot, "skills", pack)
+    })),
+    ...stage.workspaceDefaultPacks.map((pack) => ({
+      kind: "workspace-file-pack",
+      family: "workspace-defaults",
+      pack,
+      targetTemplateSlug: stage.defaultAgentTemplateSlug,
+      files: collectOverlayFiles(repoRoot, "workspace-defaults", pack)
+    }))
+  ];
+}
+function seedOperations(repoRoot, stage) {
+  return stage.seedPacks.map((pack) => ({
+    kind: "seed-pack",
+    pack,
+    payload: readJsonSeedPack(repoRoot, pack)
+  }));
+}
+function workspaceTargetPath(family, pack, relativePath) {
+  if (family === "skills") return `skills/${pack}/${relativePath}`;
+  return relativePath;
+}
+function withOverlayTags(pack, testCase, defaultAgentTemplateId) {
+  return {
+    ...testCase,
+    agentTemplateId: testCase.agentTemplateId ?? defaultAgentTemplateId,
+    tags: Array.from(
+      /* @__PURE__ */ new Set([
+        ...testCase.tags ?? [],
+        "source:customer-overlay",
+        `customer-overlay:pack:${pack}`,
+        overlayKeyTag(pack, testCase)
+      ])
+    )
+  };
+}
+function overlayKeyTag(pack, testCase) {
+  return `customer-overlay:key:${pack}/${slugify(testCase.name)}`;
+}
+function sameEval(existing, next) {
+  return existing.name === next.name && existing.category === next.category && existing.query === next.query && (existing.systemPrompt ?? null) === (next.systemPrompt ?? null) && JSON.stringify(existing.assertions ?? []) === JSON.stringify(next.assertions ?? []) && JSON.stringify(existing.agentcoreEvaluatorIds ?? []) === JSON.stringify(next.agentcoreEvaluatorIds ?? []) && JSON.stringify(existing.tags ?? []) === JSON.stringify(next.tags ?? []) && (existing.enabled ?? true) === (next.enabled ?? true);
+}
+function slugify(value) {
+  return value.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 80);
+}
+
+// src/commands/enterprise/overlay.ts
+function registerEnterpriseOverlayCommand(program2) {
+  const overlay = program2.command("overlay").description(
+    "Validate and apply customer overlay packs from a deployment repo."
+  );
+  overlay.command("plan").argument("[repoRoot]", "Deployment repository root", ".").description(
+    "Validate customer/deployment.json and print the overlay plan."
+  ).option("-s, --stage <name>", "Deployment stage").option("-r, --region <region>", "AWS region", "us-east-1").action(
+    (repoRoot, opts) => runEnterpriseOverlayPlan(repoRoot, opts)
+  );
+  overlay.command("apply").argument("[repoRoot]", "Deployment repository root", ".").description("Apply customer overlay packs to the deployed stage.").option("-s, --stage <name>", "Deployment stage").option("-t, --tenant <slug>", "Tenant slug").option("-r, --region <region>", "AWS region", "us-east-1").option("--dry-run", "Validate and print the apply plan without mutation").action(
+    (repoRoot, opts) => runEnterpriseOverlayApply(repoRoot, opts)
+  );
+}
+async function runEnterpriseOverlayPlan(repoRoot, opts) {
+  const plan = buildEnterpriseOverlayPlan({
+    repoRoot: resolve6(repoRoot),
+    stage: resolveOverlayStage(opts)
+  });
+  printJson(publicPlan(plan));
+}
+async function runEnterpriseOverlayApply(repoRoot, opts) {
+  const stage = resolveOverlayStage(opts);
+  const plan = buildEnterpriseOverlayPlan({
+    repoRoot: resolve6(repoRoot),
+    stage
+  });
+  if (opts.dryRun) {
+    printJson({ dryRun: true, plan: publicPlan(plan) });
+    return;
+  }
+  const client = await createOverlayApiClient(plan, opts);
+  const result = await applyEnterpriseOverlay(plan, client);
+  if (isJsonMode()) {
+    printJson(result);
+    return;
+  }
+  printSuccess(
+    `Applied overlay for ${plan.tenantSlug}: ${result.evals.inserted} eval(s) inserted, ${result.evals.updated} updated, ${result.workspaceFiles.written} workspace file(s) written.`
+  );
+}
+async function createOverlayApiClient(plan, opts) {
+  const region = opts.region ?? "us-east-1";
+  const ctx = await resolveEvalContext({
+    stage: plan.stage,
+    region,
+    tenant: opts.tenant ?? plan.tenantSlug
+  });
+  const templateId = await resolveTemplateId(
+    ctx.client,
+    ctx.tenantId,
+    plan.targetTemplateSlug
+  );
+  const auth = await resolveAuth({ stage: plan.stage, region });
+  const apiUrl = getApiEndpoint(plan.stage, region);
+  if (!apiUrl) {
+    printError(
+      `Cannot discover API endpoint for stage "${plan.stage}" in ${region}.`
+    );
+    process.exit(1);
+  }
+  return {
+    targetAgentTemplateId: templateId,
+    async listEvalTestCases() {
+      const data = await gqlQuery(ctx.client, EvalTestCasesDoc, {
+        tenantId: ctx.tenantId,
+        category: null,
+        search: null
+      });
+      return data.evalTestCases;
+    },
+    async createEvalTestCase(input20) {
+      await gqlMutate(ctx.client, CreateEvalTestCaseDoc, {
+        tenantId: ctx.tenantId,
+        input: evalInput(input20)
+      });
+    },
+    async updateEvalTestCase(id, input20) {
+      await gqlMutate(ctx.client, UpdateEvalTestCaseDoc, {
+        id,
+        input: evalInput(input20)
+      });
+    },
+    async putWorkspaceFile(input20) {
+      const response = await fetch(
+        `${apiUrl.replace(/\/+$/, "")}/api/workspaces/files`,
+        {
+          method: "POST",
+          headers: {
+            "content-type": "application/json",
+            ...auth.headers,
+            "x-tenant-id": ctx.tenantId
+          },
+          body: JSON.stringify({
+            action: "put",
+            templateId,
+            path: input20.path,
+            content: input20.content
+          })
+        }
+      );
+      if (!response.ok) {
+        const text = await response.text();
+        throw new Error(
+          `PUT ${input20.path} failed: ${response.status} ${text || response.statusText}`
+        );
+      }
+    }
+  };
+}
+async function resolveTemplateId(client, tenantId, templateSlug) {
+  const data = await gqlQuery(client, AgentTemplatesForEvalDoc, { tenantId });
+  const template = data.agentTemplates.find(
+    (item) => item.slug === templateSlug
+  );
+  if (!template) {
+    throw new Error(
+      `Agent template "${templateSlug}" not found for tenant ${tenantId}`
+    );
+  }
+  return template.id;
+}
+function evalInput(input20) {
+  return {
+    name: input20.name,
+    category: input20.category,
+    query: input20.query,
+    systemPrompt: input20.systemPrompt ?? null,
+    agentTemplateId: input20.agentTemplateId ?? null,
+    assertions: input20.assertions,
+    agentcoreEvaluatorIds: input20.agentcoreEvaluatorIds ?? [],
+    tags: input20.tags ?? [],
+    enabled: input20.enabled ?? true
+  };
+}
+function publicPlan(plan) {
+  return {
+    stage: plan.stage,
+    tenantSlug: plan.tenantSlug,
+    targetTemplateSlug: plan.targetTemplateSlug,
+    operations: plan.operations.map((operation) => {
+      if (operation.kind === "eval-pack") {
+        return {
+          kind: operation.kind,
+          pack: operation.pack,
+          testCases: operation.testCases.length
+        };
+      }
+      if (operation.kind === "workspace-file-pack") {
+        return {
+          kind: operation.kind,
+          family: operation.family,
+          pack: operation.pack,
+          targetTemplateSlug: operation.targetTemplateSlug,
+          files: operation.files.length
+        };
+      }
+      if (operation.kind === "seed-pack") {
+        return {
+          kind: operation.kind,
+          pack: operation.pack,
+          status: "validated"
+        };
+      }
+      return { kind: operation.kind, status: "recorded" };
+    })
+  };
+}
+function resolveOverlayStage(opts) {
+  const stage = opts.stage ?? process.env.STAGE;
+  if (!stage) {
+    throw new Error("Deployment stage is required. Pass --stage or set STAGE.");
+  }
+  return stage;
+}
+
+// src/commands/enterprise.ts
+function registerEnterpriseCommand(program2) {
+  const enterprise = program2.command("enterprise").description(
+    "Bootstrap and operate customer-owned ThinkWork enterprise deployment repositories."
+  );
+  registerEnterpriseBootstrapCommand(enterprise);
+  registerEnterpriseOverlayCommand(enterprise);
+}
+
 // src/cli.ts
 var program = new Command();
 program.name("thinkwork").description(
@@ -14458,6 +16011,7 @@ registerPerformanceCommand(program);
 registerTraceCommand(program);
 registerDashboardCommand(program);
 registerEvalCommand(program);
+registerEnterpriseCommand(program);
 registerWikiCommand(program);
 for (const cmd of program.commands) {
   if (!cmd.options.some((o) => o.long === "--json")) {