thinkwork-cli 0.12.2 → 0.12.4

package/dist/commands/enterprise/templates/deploy-repo/.github/workflows/deploy.yml

@@ -0,0 +1,236 @@
+# thinkwork-managed: enterprise-deploy-template
+name: Deploy ThinkWork
+
+on:
+  workflow_dispatch:
+    inputs:
+      stage:
+        description: "Deployment stage"
+        type: string
+        required: true
+        default: dev
+      component:
+        description: "Deployment component"
+        type: choice
+        required: true
+        default: all
+        options:
+          - all
+          - foundation
+          - artifacts
+          - overlays
+          - smokes
+      run_smokes:
+        description: "Run post-deploy smoke checks"
+        type: boolean
+        required: true
+        default: true
+
+permissions:
+  contents: read
+  id-token: write
+
+concurrency:
+  group: thinkwork-${{ github.event.inputs.stage }}
+  cancel-in-progress: false
+
+jobs:
+  deploy:
+    name: Deploy ${{ github.event.inputs.stage }}
+    runs-on: ubuntu-latest
+    environment: ${{ github.event.inputs.stage }}
+    env:
+      STAGE: ${{ github.event.inputs.stage }}
+      COMPONENT: ${{ github.event.inputs.component }}
+      RUN_SMOKES: ${{ github.event.inputs.run_smokes }}
+      RELEASE_DIR: /tmp/thinkwork-release
+      RELEASE_MANIFEST: /tmp/thinkwork-release/thinkwork-release.json
+      DEPLOY_SUMMARY_JSON: /tmp/thinkwork-release/deploy-summary.json
+      TF_IN_AUTOMATION: "true"
+      TF_INPUT: "false"
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Read pinned ThinkWork release
+        id: lock
+        shell: bash
+        run: |
+          set -euo pipefail
+          test -f thinkwork.lock
+          test -f customer/deployment.json
+          test -f "terraform/backend-${STAGE}.hcl"
+          test -f "terraform/stages/${STAGE}.tfvars"
+          jq -e --arg stage "$STAGE" '.stages[$stage]' customer/deployment.json >/dev/null
+          mkdir -p "$RELEASE_DIR"
+          echo "release=$(jq -r '.thinkwork.release' thinkwork.lock)" >> "$GITHUB_OUTPUT"
+          echo "manifest_url=$(jq -r '.thinkwork.manifestUrl' thinkwork.lock)" >> "$GITHUB_OUTPUT"
+          echo "manifest_sha256=$(jq -r '.thinkwork.manifestSha256' thinkwork.lock)" >> "$GITHUB_OUTPUT"
+          echo "artifact_bucket=$(jq -r '.artifacts.bucket' thinkwork.lock)" >> "$GITHUB_OUTPUT"
+          echo "lambda_prefix=$(jq -r '.artifacts.lambdaPrefix' thinkwork.lock)" >> "$GITHUB_OUTPUT"
+
+      - name: Fetch and verify release manifest
+        shell: bash
+        run: |
+          set -euo pipefail
+          curl -fsSL "${{ steps.lock.outputs.manifest_url }}" -o "$RELEASE_MANIFEST"
+          if [ "${{ steps.lock.outputs.manifest_sha256 }}" != "CHANGE_ME" ]; then
+            echo "${{ steps.lock.outputs.manifest_sha256 }}  $RELEASE_MANIFEST" | sha256sum -c -
+          fi
+          node scripts/apply-release.mjs validate-manifest \
+            --manifest "$RELEASE_MANIFEST" \
+            --expected-release "${{ steps.lock.outputs.release }}"
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          role-session-name: thinkwork-${{ github.event.inputs.stage }}-${{ github.run_id }}
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: false
+
+      - name: Prepare release artifacts
+        if: ${{ github.event.inputs.component == 'all' || github.event.inputs.component == 'foundation' || github.event.inputs.component == 'artifacts' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          node scripts/apply-release.mjs prepare \
+            --manifest "$RELEASE_MANIFEST" \
+            --work-dir "$RELEASE_DIR" \
+            --artifact-bucket "${{ steps.lock.outputs.artifact_bucket }}" \
+            --lambda-prefix "${{ steps.lock.outputs.lambda_prefix }}"
+
+      - name: Terraform init
+        if: ${{ github.event.inputs.component == 'all' || github.event.inputs.component == 'foundation' || github.event.inputs.component == 'artifacts' || github.event.inputs.component == 'smokes' }}
+        working-directory: terraform
+        shell: bash
+        run: terraform init -backend-config="backend-${STAGE}.hcl"
+
+      - name: Select Terraform workspace
+        if: ${{ github.event.inputs.component == 'all' || github.event.inputs.component == 'foundation' || github.event.inputs.component == 'artifacts' || github.event.inputs.component == 'smokes' }}
+        working-directory: terraform
+        shell: bash
+        run: |
+          set -euo pipefail
+          if [ "$COMPONENT" = "all" ] || [ "$COMPONENT" = "foundation" ]; then
+            terraform workspace select "$STAGE" || terraform workspace new "$STAGE"
+          else
+            terraform workspace select "$STAGE"
+          fi
+
+      - name: Terraform apply
+        if: ${{ github.event.inputs.component == 'all' || github.event.inputs.component == 'foundation' }}
+        working-directory: terraform
+        shell: bash
+        env:
+          TF_VAR_db_password: ${{ secrets.TF_VAR_DB_PASSWORD }}
+          TF_VAR_api_auth_secret: ${{ secrets.TF_VAR_API_AUTH_SECRET }}
+        run: |
+          set -euo pipefail
+          terraform apply \
+            -var-file="stages/${STAGE}.tfvars" \
+            -var="lambda_artifact_bucket=${{ steps.lock.outputs.artifact_bucket }}" \
+            -var="lambda_artifact_prefix=${{ steps.lock.outputs.lambda_prefix }}" \
+            -auto-approve
+
+      - name: Copy runtime images into customer ECR
+        if: ${{ github.event.inputs.component == 'all' || github.event.inputs.component == 'foundation' || github.event.inputs.component == 'artifacts' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          ECR_REPOSITORY_URL="$(terraform -chdir=terraform output -raw ecr_repository_url)"
+          aws ecr get-login-password --region "${{ vars.AWS_REGION }}" | docker login --username AWS --password-stdin "${ECR_REPOSITORY_URL%/*}"
+          node scripts/apply-release.mjs copy-runtime-images \
+            --manifest "$RELEASE_MANIFEST" \
+            --work-dir "$RELEASE_DIR" \
+            --stage "$STAGE" \
+            --ecr-repository-url "$ECR_REPOSITORY_URL"
+
+      - name: Update AgentCore runtimes
+        if: ${{ github.event.inputs.component == 'all' || github.event.inputs.component == 'foundation' || github.event.inputs.component == 'artifacts' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          node scripts/apply-release.mjs update-agentcore-runtimes \
+            --work-dir "$RELEASE_DIR" \
+            --stage "$STAGE" \
+            --region "${{ vars.AWS_REGION }}"
+
+      - name: Sync static site bundles
+        if: ${{ github.event.inputs.component == 'all' || github.event.inputs.component == 'foundation' || github.event.inputs.component == 'artifacts' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          node scripts/apply-release.mjs sync-static \
+            --manifest "$RELEASE_MANIFEST" \
+            --work-dir "$RELEASE_DIR" \
+            --terraform-dir terraform
+
+      - name: Apply customer overlay contract
+        if: ${{ github.event.inputs.component == 'all' || github.event.inputs.component == 'overlays' }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          CLI_VERSION="${{ steps.lock.outputs.release }}"
+          CLI_VERSION="${CLI_VERSION#v}"
+          TENANT_SLUG="$(jq -r --arg stage "$STAGE" '.stages[$stage].tenantSlug' customer/deployment.json)"
+          npx -y "thinkwork-cli@${CLI_VERSION}" --json enterprise overlay apply . \
+            --stage "$STAGE" \
+            --region "${{ vars.AWS_REGION }}" \
+            --tenant "$TENANT_SLUG" \
+            > "$RELEASE_DIR/overlay-report.json"
+
+      - name: Run smoke checks
+        if: ${{ github.event.inputs.run_smokes == 'true' && (github.event.inputs.component == 'all' || github.event.inputs.component == 'smokes') }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          node scripts/smoke.mjs \
+            --stage "$STAGE" \
+            --terraform-dir terraform \
+            --summary "$RELEASE_DIR/smoke-summary.json"
+
+      - name: Write deploy summary
+        if: always()
+        shell: bash
+        run: |
+          set -euo pipefail
+          node scripts/apply-release.mjs write-summary \
+            --manifest "$RELEASE_MANIFEST" \
+            --work-dir "$RELEASE_DIR" \
+            --terraform-dir terraform \
+            --stage "$STAGE" \
+            --component "$COMPONENT" \
+            --output "$DEPLOY_SUMMARY_JSON"
+          cat "$DEPLOY_SUMMARY_JSON"
+          {
+            echo "## ThinkWork deploy summary"
+            echo
+            jq -r '
+              "- Stage: " + .stage,
+              "- Release: " + .release.version,
+              "- Component: " + .component,
+              "- API: " + (.outputs.api_endpoint // "n/a"),
+              "- Admin: " + (.outputs.admin_url // "n/a"),
+              "- Computer: " + (.outputs.computer_url // "n/a"),
+              "- Runtime images copied: " + ((.runtimeImages // []) | length | tostring),
+              "- Overlay status: " + (.overlay.status // "not-run"),
+              "- Smoke status: " + (.smokes.status // "not-run")
+            ' "$DEPLOY_SUMMARY_JSON"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: thinkwork-deploy-${{ github.event.inputs.stage }}-${{ github.run_id }}
+          path: |
+            /tmp/thinkwork-release/*.json
+            /tmp/thinkwork-release/runtime-images.json
+            /tmp/thinkwork-release/overlay-report.json
+            /tmp/thinkwork-release/smoke-summary.json

package/dist/commands/enterprise/templates/deploy-repo/README.md

@@ -0,0 +1,33 @@
+<!-- thinkwork-managed: enterprise-deploy-template -->
+
+# {{CUSTOMER_SLUG}} ThinkWork Deployment
+
+This repository deploys a pinned ThinkWork foundation into the customer AWS
+account. It is intentionally not a fork of the ThinkWork source monorepo:
+`thinkwork.lock` pins a release manifest, Terraform consumes published release
+artifacts, and customer-specific work lives under `customer/`.
+
+## Deployment Model
+
+- GitHub Actions deploys through AWS OIDC and per-stage GitHub Environments.
+- `terraform/stages/*.tfvars` contains non-secret stage configuration.
+- Secrets stay in GitHub Environment secrets, AWS Secrets Manager, or SSM.
+- `customer/deployment.json` declares which customer overlays apply to each
+  stage.
+
+## First-Time Setup
+
+1. Run `thinkwork enterprise bootstrap` from an admin machine with temporary
+   AWS bootstrap access.
+2. Review the generated GitHub Environments for `dev` and `prod`.
+3. Add required environment secrets, including `TF_VAR_db_password` and
+   `TF_VAR_api_auth_secret`.
+4. Dispatch `.github/workflows/deploy.yml` for the target stage.
+5. Use `docs/runbook.md` for release upgrades, overlay-only changes,
+   rollback, and break-glass guidance.
+
+## Customer Overlay
+
+Place customer-specific eval packs, seeds, skills, workspace defaults, and
+branding assets under `customer/`. Reusable platform behavior should be built
+upstream in ThinkWork and adopted here by bumping `thinkwork.lock`.

package/dist/commands/enterprise/templates/deploy-repo/customer/branding/README.md

@@ -0,0 +1,7 @@
+<!-- thinkwork-managed: enterprise-deploy-template -->
+
+# Branding
+
+Add customer-approved branding assets here. Reference active assets from
+`customer/deployment.json`; do not commit private signing keys, OAuth client
+secrets, or other secret material.

package/dist/commands/enterprise/templates/deploy-repo/customer/deployment.json

@@ -0,0 +1,6 @@
+{
+  "_comment": "thinkwork-managed: enterprise-deploy-template",
+  "schemaVersion": 1,
+  "customerSlug": "{{CUSTOMER_SLUG}}",
+  "stages": {}
+}

package/dist/commands/enterprise/templates/deploy-repo/customer/evals/README.md

@@ -0,0 +1,10 @@
+<!-- thinkwork-managed: enterprise-deploy-template -->
+
+# Eval Packs
+
+Add customer-specific eval datasets and scorer configuration here. Reference
+enabled packs from `customer/deployment.json` per stage.
+
+Keep customer evals in this folder when they are specific to the enterprise
+deployment. Move reusable evaluators upstream into ThinkWork and consume them by
+bumping `thinkwork.lock`.

package/dist/commands/enterprise/templates/deploy-repo/customer/seeds/README.md

@@ -0,0 +1,7 @@
+<!-- thinkwork-managed: enterprise-deploy-template -->
+
+# Seed Packs
+
+Add tenant bootstrap data that is safe to replay idempotently. Seed files must
+not contain secrets; store secret material in GitHub Environment secrets, AWS
+Secrets Manager, or SSM Parameter Store.

package/dist/commands/enterprise/templates/deploy-repo/customer/skills/README.md

@@ -0,0 +1,7 @@
+<!-- thinkwork-managed: enterprise-deploy-template -->
+
+# Skill Packs
+
+Add customer-owned script skills here. Each skill should include the same
+metadata shape used by upstream ThinkWork skill catalog entries, then be listed
+from `customer/deployment.json`.

package/dist/commands/enterprise/templates/deploy-repo/customer/workspace-defaults/README.md

@@ -0,0 +1,7 @@
+<!-- thinkwork-managed: enterprise-deploy-template -->
+
+# Workspace Defaults
+
+Add customer-specific workspace defaults here, such as guardrails, memory guide
+fragments, capability defaults, or template workspace files. Keep broad product
+defaults upstream in ThinkWork.

package/dist/commands/enterprise/templates/deploy-repo/docs/runbook.md

@@ -0,0 +1,79 @@
+<!-- thinkwork-managed: enterprise-deploy-template -->
+
+# ThinkWork Enterprise Deployment Runbook
+
+This repository deploys a pinned ThinkWork release into the customer AWS
+account. It is a deployment repository, not a source fork.
+
+## Normal Sequence
+
+1. Bootstrap the repo once:
+
+   ```bash
+   thinkwork enterprise bootstrap . \
+     --customer {{CUSTOMER_SLUG}} \
+     --repo <github-owner>/<github-repo> \
+     --stage dev \
+     --stage prod
+   ```
+
+2. Review GitHub Environment settings for each stage.
+3. Add required secrets such as `TF_VAR_db_password` and
+   `TF_VAR_api_auth_secret`.
+4. Dispatch `.github/workflows/deploy.yml`.
+5. CI verifies `thinkwork.lock`, prepares release artifacts, runs Terraform,
+   updates AgentCore runtimes, applies customer overlays, runs smoke checks,
+   and writes a summary artifact.
+
+The exact operational path is:
+
+```text
+bootstrap -> workflow dispatch -> CI deploy -> overlay apply -> smoke summary
+```
+
+## Release Upgrades
+
+1. Update `thinkwork.lock` to the approved release manifest URL and checksum.
+2. Review ThinkWork release notes for schema or operator changes.
+3. Dispatch the workflow with `component=all`.
+4. Save the deploy summary artifact as evidence.
+
+## Overlay-Only Changes
+
+1. Edit files under `customer/`.
+2. Run a local dry-run:
+
+   ```bash
+   thinkwork enterprise overlay apply . --stage dev --dry-run --json
+   ```
+
+3. Dispatch the workflow with `component=overlays`.
+4. Confirm `overlay-report.json` in the workflow artifacts.
+
+## Secrets
+
+Never commit secrets. Supported secret homes are:
+
+- GitHub Environment secrets for CI inputs.
+- AWS Secrets Manager for deployed application/runtime secrets.
+- SSM Parameter Store for stage configuration consumed by Terraform or runtime
+  code.
+
+Do not store plaintext secrets in `terraform/stages/*.tfvars`, `.env`,
+`customer/`, or runbook files.
+
+## Rollback
+
+To roll back application code, restore `thinkwork.lock` to the previously
+working release and dispatch the workflow. To roll back customer overlays,
+revert the customer repo commit and dispatch `component=overlays`.
+
+If a deploy fails after Terraform apply but before smoke summary, inspect the
+workflow artifacts first: `release-manifest.json`, `overlay-report.json`, and
+the deploy summary identify which stage failed.
+
+## Break Glass
+
+A full ThinkWork source fork is emergency debt. Use it only when the customer
+requires source changes that cannot be shipped upstream quickly enough. Record
+the fork reason, owner, and expected upstream PR before deploying it.