thinkwork-cli 0.3.2 → 0.4.0

package/dist/cli.js

@@ -738,8 +738,8 @@ function registerBootstrapCommand(program2) {
       bucket = await getTerraformOutput(cwd, "bucket_name");
       dbEndpoint = await getTerraformOutput(cwd, "db_cluster_endpoint");
       const secretArn = await getTerraformOutput(cwd, "db_secret_arn");
-      const { execSync: execSync7 } = await import("child_process");
-      const secretJson = execSync7(
+      const { execSync: execSync8 } = await import("child_process");
+      const secretJson = execSync8(
         `aws secretsmanager get-secret-value --secret-id "${secretArn}" --query SecretString --output text`,
         { encoding: "utf-8" }
       ).trim();
@@ -1316,6 +1316,10 @@ function discoverAwsStages(region) {
       `appsync list-graphql-apis --region ${region} --query "graphqlApis[?name=='thinkwork-${stage}-subscriptions'].uris.REALTIME|[0]" --output text`
     );
     if (appsyncRaw && appsyncRaw !== "None") info.appsyncUrl = appsyncRaw;
+    const appsyncApiRaw = runAws(
+      `appsync list-graphql-apis --region ${region} --query "graphqlApis[?name=='thinkwork-${stage}-subscriptions'].uris.GRAPHQL|[0]" --output text`
+    );
+    if (appsyncApiRaw && appsyncApiRaw !== "None") info.appsyncApiUrl = appsyncApiRaw;
     const acRaw = runAws(
       `lambda get-function --function-name thinkwork-${stage}-agentcore --region ${region} --query "Configuration.State" --output text 2>/dev/null`
     );
@@ -1344,6 +1348,27 @@ function discoverAwsStages(region) {
     } else {
       info.memoryEngine = "managed";
     }
+    const dbRaw = runAws(
+      `rds describe-db-clusters --region ${region} --query "DBClusters[?starts_with(DBClusterIdentifier, 'thinkwork-${stage}')].Endpoint|[0]" --output text`
+    );
+    if (dbRaw && dbRaw !== "None") info.dbEndpoint = dbRaw;
+    const ecrRaw = runAws(
+      `ecr describe-repositories --region ${region} --query "repositories[?repositoryName=='thinkwork-${stage}-agentcore'].repositoryUri|[0]" --output text`
+    );
+    if (ecrRaw && ecrRaw !== "None") info.ecrUrl = ecrRaw;
+    const cfJson = runAws(
+      `cloudfront list-distributions --query "DistributionList.Items[?contains(Origins.Items[0].DomainName, 'thinkwork-${stage}-')].{Origin:Origins.Items[0].DomainName,Domain:DomainName}" --output json`
+    );
+    if (cfJson) {
+      try {
+        const dists = JSON.parse(cfJson);
+        for (const d of dists) {
+          if (d.Origin.includes(`thinkwork-${stage}-admin`)) info.adminUrl = `https://${d.Domain}`;
+          if (d.Origin.includes(`thinkwork-${stage}-docs`)) info.docsUrl = `https://${d.Domain}`;
+        }
+      } catch {
+      }
+    }
   }
   return stages;
 }
@@ -1395,9 +1420,14 @@ function registerStatusCommand(program2) {
       console.log(`  ${chalk6.bold("Memory:")}          ${info.memoryEngine || "unknown"}`);
       if (info.hindsightHealth) console.log(`  ${chalk6.bold("Hindsight:")}       ${info.hindsightHealth}`);
       if (info.bucketName) console.log(`  ${chalk6.bold("S3 bucket:")}       ${info.bucketName}`);
+      if (info.dbEndpoint) console.log(`  ${chalk6.bold("Database:")}        ${info.dbEndpoint}`);
+      if (info.ecrUrl) console.log(`  ${chalk6.bold("ECR:")}             ${info.ecrUrl}`);
       console.log("");
       console.log(chalk6.bold("  URLs:"));
+      if (info.adminUrl) console.log(`    Admin:     ${link(info.adminUrl)}`);
+      if (info.docsUrl) console.log(`    Docs:      ${link(info.docsUrl)}`);
       if (info.apiEndpoint) console.log(`    API:       ${link(info.apiEndpoint)}`);
+      if (info.appsyncApiUrl) console.log(`    AppSync:   ${link(info.appsyncApiUrl)}`);
       if (info.appsyncUrl) console.log(`    WebSocket: ${link(info.appsyncUrl)}`);
       if (info.hindsightEndpoint) console.log(`    Hindsight: ${link(info.hindsightEndpoint)}`);
       console.log(chalk6.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
@@ -1434,9 +1464,11 @@ function registerStatusCommand(program2) {
       const memBadge = info.memoryEngine === "hindsight" ? info.hindsightHealth === "healthy" ? chalk6.magenta("hindsight \u2713") : chalk6.yellow("hindsight ?") : chalk6.dim(info.memoryEngine || "\u2014");
       const prefix = `  ${sourceBadge} ` + chalk6.bold(info.stage.padEnd(COL1 - 1)) + " " + (info.source === "both" ? "aws+cli" : info.source).padEnd(COL2) + String(info.lambdaCount || "\u2014").padEnd(COL3);
       const urls = [];
-      if (info.apiEndpoint) urls.push(`API: ${link(info.apiEndpoint, info.apiEndpoint)}`);
-      if (info.appsyncUrl) urls.push(`WS:  ${link(info.appsyncUrl, info.appsyncUrl.replace("wss://", "").split(".")[0] + "...")}`);
-      if (info.hindsightEndpoint) urls.push(`Mem: ${link(info.hindsightEndpoint, info.hindsightEndpoint)}`);
+      if (info.adminUrl) urls.push(`Admin: ${link(info.adminUrl, info.adminUrl)}`);
+      if (info.docsUrl) urls.push(`Docs:  ${link(info.docsUrl, info.docsUrl)}`);
+      if (info.apiEndpoint) urls.push(`API:   ${link(info.apiEndpoint, info.apiEndpoint)}`);
+      if (info.appsyncUrl) urls.push(`WS:    ${link(info.appsyncUrl, info.appsyncUrl.replace("wss://", "").split(".")[0] + "...")}`);
+      if (info.hindsightEndpoint) urls.push(`Mem:   ${link(info.hindsightEndpoint, info.hindsightEndpoint)}`);
       if (urls.length === 0) {
         console.log(prefix + acStatus.padEnd(22) + memBadge.padEnd(22) + chalk6.dim("\u2014"));
       } else {
@@ -1456,6 +1488,186 @@ function registerStatusCommand(program2) {
   });
 }
 
+// src/commands/mcp.ts
+import { readFileSync as readFileSync3, existsSync as existsSync6 } from "fs";
+import { execSync as execSync7 } from "child_process";
+import chalk7 from "chalk";
+function readTfVar2(tfvarsPath, key) {
+  if (!existsSync6(tfvarsPath)) return null;
+  const content = readFileSync3(tfvarsPath, "utf-8");
+  const match = content.match(new RegExp(`^${key}\\s*=\\s*"([^"]*)"`, "m"));
+  return match ? match[1] : null;
+}
+function resolveTfvarsPath2(stage) {
+  const tfDir = resolveTerraformDir(stage);
+  if (tfDir) {
+    const direct = `${tfDir}/terraform.tfvars`;
+    if (existsSync6(direct)) return direct;
+  }
+  const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+  const cwd = resolveTierDir(terraformDir, stage, "app");
+  return `${cwd}/terraform.tfvars`;
+}
+function getApiEndpoint(stage, region) {
+  try {
+    const raw = execSync7(
+      `aws apigatewayv2 get-apis --region ${region} --query "Items[?Name=='thinkwork-${stage}-api'].ApiEndpoint|[0]" --output text`,
+      { encoding: "utf-8", timeout: 15e3, stdio: ["pipe", "pipe", "pipe"] }
+    ).trim();
+    return raw && raw !== "None" ? raw : null;
+  } catch {
+    return null;
+  }
+}
+async function apiFetch(apiUrl, authSecret, path2, options = {}) {
+  const res = await fetch(`${apiUrl}${path2}`, {
+    ...options,
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${authSecret}`,
+      ...options.headers
+    }
+  });
+  if (!res.ok) {
+    const body = await res.json().catch(() => ({}));
+    throw new Error(body.error || `HTTP ${res.status}`);
+  }
+  return res.json();
+}
+function resolveApiConfig(stage) {
+  const tfvarsPath = resolveTfvarsPath2(stage);
+  const authSecret = readTfVar2(tfvarsPath, "api_auth_secret");
+  if (!authSecret) {
+    printError(`Cannot read api_auth_secret from ${tfvarsPath}`);
+    return null;
+  }
+  const region = readTfVar2(tfvarsPath, "region") || "us-east-1";
+  const apiUrl = getApiEndpoint(stage, region);
+  if (!apiUrl) {
+    printError(`Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`);
+    return null;
+  }
+  return { apiUrl, authSecret };
+}
+function registerMcpCommand(program2) {
+  const mcp = program2.command("mcp").description("Manage MCP servers for agents");
+  mcp.command("list").description("List MCP servers registered for an agent").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").action(async (opts) => {
+    const check = validateStage(opts.stage);
+    if (!check.valid) {
+      printError(check.error);
+      process.exit(1);
+    }
+    const api = resolveApiConfig(opts.stage);
+    if (!api) process.exit(1);
+    printHeader("mcp list", opts.stage);
+    try {
+      const { servers } = await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agent/${opts.agent}/mcp-servers`);
+      if (!servers || servers.length === 0) {
+        console.log(chalk7.dim("  No MCP servers registered for this agent."));
+        return;
+      }
+      console.log("");
+      for (const s of servers) {
+        const status = s.enabled ? chalk7.green("enabled") : chalk7.dim("disabled");
+        console.log(`  ${chalk7.bold(s.name)}  ${status}`);
+        console.log(`    URL:       ${s.url}`);
+        console.log(`    Transport: ${s.transport}`);
+        console.log(`    Auth:      ${s.authType || "none"}`);
+        if (s.tools?.length) {
+          console.log(`    Tools:     ${s.tools.join(", ")}`);
+        }
+        console.log("");
+      }
+    } catch (err) {
+      printError(err.message);
+      process.exit(1);
+    }
+  });
+  mcp.command("add <name>").description("Register an MCP server for an agent").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").requiredOption("--url <url>", "MCP server URL").option("--transport <type>", "Transport type (streamable-http|sse)", "streamable-http").option("--auth-type <type>", "Auth type (none|bearer|api-key)", "none").option("--auth-value <token>", "Auth token or API key").option("--connection-id <uuid>", "OAuth connection ID").option("--provider-id <uuid>", "OAuth provider ID (for connection-based auth)").option("--tools <list>", "Comma-separated tool allowlist").action(async (name, opts) => {
+    const check = validateStage(opts.stage);
+    if (!check.valid) {
+      printError(check.error);
+      process.exit(1);
+    }
+    const api = resolveApiConfig(opts.stage);
+    if (!api) process.exit(1);
+    printHeader("mcp add", opts.stage);
+    const body = {
+      name,
+      url: opts.url,
+      transport: opts.transport,
+      authType: opts.authType !== "none" ? opts.authType : void 0
+    };
+    if (opts.authValue) body.apiKey = opts.authValue;
+    if (opts.connectionId) body.connectionId = opts.connectionId;
+    if (opts.providerId) body.providerId = opts.providerId;
+    if (opts.tools) body.tools = opts.tools.split(",").map((t) => t.trim());
+    try {
+      const result = await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agent/${opts.agent}/mcp-servers`, {
+        method: "POST",
+        body: JSON.stringify(body)
+      });
+      printSuccess(`MCP server "${name}" ${result.created ? "added" : "updated"} (skill: ${result.skillId})`);
+    } catch (err) {
+      printError(err.message);
+      process.exit(1);
+    }
+  });
+  mcp.command("remove <name>").description("Remove an MCP server from an agent").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").action(async (name, opts) => {
+    const check = validateStage(opts.stage);
+    if (!check.valid) {
+      printError(check.error);
+      process.exit(1);
+    }
+    const api = resolveApiConfig(opts.stage);
+    if (!api) process.exit(1);
+    try {
+      await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agent/${opts.agent}/mcp-servers/${name}`, {
+        method: "DELETE"
+      });
+      printSuccess(`MCP server "${name}" removed.`);
+    } catch (err) {
+      printError(err.message);
+      process.exit(1);
+    }
+  });
+  mcp.command("test <name>").description("Test connection to an MCP server and list its tools").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").action(async (name, opts) => {
+    const check = validateStage(opts.stage);
+    if (!check.valid) {
+      printError(check.error);
+      process.exit(1);
+    }
+    const api = resolveApiConfig(opts.stage);
+    if (!api) process.exit(1);
+    printHeader("mcp test", opts.stage);
+    try {
+      const result = await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agent/${opts.agent}/mcp-servers/${name}/test`, {
+        method: "POST"
+      });
+      if (result.ok) {
+        printSuccess(`Connection to "${name}" successful.`);
+        if (result.tools?.length) {
+          console.log(chalk7.bold(`
+  Available tools (${result.tools.length}):
+`));
+          for (const t of result.tools) {
+            console.log(`    ${chalk7.cyan(t.name)}${t.description ? chalk7.dim(` \u2014 ${t.description}`) : ""}`);
+          }
+          console.log("");
+        } else {
+          printWarning("Server connected but reported no tools.");
+        }
+      } else {
+        printError(`Connection failed: ${result.error}`);
+        process.exit(1);
+      }
+    } catch (err) {
+      printError(err.message);
+      process.exit(1);
+    }
+  });
+}
+
 // src/cli.ts
 var program = new Command();
 program.name("thinkwork").description(
@@ -1480,4 +1692,5 @@ registerDestroyCommand(program);
 registerStatusCommand(program);
 registerOutputsCommand(program);
 registerConfigCommand(program);
+registerMcpCommand(program);
 program.parse();

package/dist/terraform/examples/greenfield/main.tf

@@ -31,9 +31,13 @@ terraform {
     }
   }
 
-  # For the example, use local state. Production deployments should
-  # use S3 + DynamoDB backend — see the docs for configuration.
-  # backend "s3" { ... }
+  backend "s3" {
+    bucket         = "thinkwork-terraform-state"
+    key            = "thinkwork/dev/terraform.tfstate"
+    region         = "us-east-1"
+    dynamodb_table = "thinkwork-terraform-locks"
+    encrypt        = true
+  }
 }
 
 provider "aws" {
@@ -134,11 +138,27 @@ output "api_endpoint" {
   value       = module.thinkwork.api_endpoint
 }
 
+output "appsync_api_url" {
+  description = "AppSync GraphQL URL"
+  value       = module.thinkwork.appsync_api_url
+}
+
 output "appsync_realtime_url" {
   description = "AppSync realtime WebSocket URL (for frontend subscription clients)"
   value       = module.thinkwork.appsync_realtime_url
 }
 
+output "appsync_api_key" {
+  description = "AppSync API key"
+  value       = module.thinkwork.appsync_api_key
+  sensitive   = true
+}
+
+output "auth_domain" {
+  description = "Cognito hosted UI domain"
+  value       = module.thinkwork.auth_domain
+}
+
 output "user_pool_id" {
   description = "Cognito user pool ID"
   value       = module.thinkwork.user_pool_id
@@ -188,3 +208,33 @@ output "hindsight_endpoint" {
   description = "Hindsight API endpoint (null when memory_engine = managed)"
   value       = module.thinkwork.hindsight_endpoint
 }
+
+output "admin_url" {
+  description = "Admin app URL"
+  value       = "https://${module.thinkwork.admin_distribution_domain}"
+}
+
+output "admin_distribution_id" {
+  description = "CloudFront distribution ID for admin (for cache invalidation)"
+  value       = module.thinkwork.admin_distribution_id
+}
+
+output "admin_bucket_name" {
+  description = "S3 bucket for admin app assets"
+  value       = module.thinkwork.admin_bucket_name
+}
+
+output "docs_url" {
+  description = "Docs site URL"
+  value       = "https://${module.thinkwork.docs_distribution_domain}"
+}
+
+output "docs_distribution_id" {
+  description = "CloudFront distribution ID for docs (for cache invalidation)"
+  value       = module.thinkwork.docs_distribution_id
+}
+
+output "docs_bucket_name" {
+  description = "S3 bucket for docs site assets"
+  value       = module.thinkwork.docs_bucket_name
+}

package/dist/terraform/modules/thinkwork/main.tf

@@ -58,8 +58,14 @@ module "cognito" {
   google_oauth_client_secret = var.google_oauth_client_secret
   pre_signup_lambda_zip      = var.pre_signup_lambda_zip
 
-  admin_callback_urls   = var.admin_callback_urls
-  admin_logout_urls     = var.admin_logout_urls
+  admin_callback_urls = concat(
+    var.admin_callback_urls,
+    ["https://${module.admin_site.distribution_domain}", "https://${module.admin_site.distribution_domain}/auth/callback"]
+  )
+  admin_logout_urls = concat(
+    var.admin_logout_urls,
+    ["https://${module.admin_site.distribution_domain}"]
+  )
   mobile_callback_urls = var.mobile_callback_urls
   mobile_logout_urls   = var.mobile_logout_urls
 }
@@ -210,3 +216,27 @@ module "ses" {
   stage      = var.stage
   account_id = var.account_id
 }
+
+################################################################################
+# Admin Static Site
+################################################################################
+
+module "admin_site" {
+  source = "../app/static-site"
+
+  stage     = var.stage
+  site_name = "admin"
+}
+
+################################################################################
+# Docs Static Site
+################################################################################
+
+module "docs_site" {
+  source = "../app/static-site"
+
+  stage           = var.stage
+  site_name       = "docs"
+  custom_domain   = var.docs_domain
+  certificate_arn = var.docs_certificate_arn
+}

package/dist/terraform/modules/thinkwork/outputs.tf

@@ -72,6 +72,11 @@ output "appsync_api_key" {
   sensitive = true
 }
 
+output "auth_domain" {
+  description = "Cognito hosted UI domain"
+  value       = module.cognito.auth_domain
+}
+
 output "ecr_repository_url" {
   value = module.agentcore.ecr_repository_url
 }
@@ -85,3 +90,35 @@ output "hindsight_endpoint" {
   description = "Hindsight API endpoint (only when memory_engine = hindsight)"
   value       = var.memory_engine == "hindsight" ? module.hindsight[0].hindsight_endpoint : null
 }
+
+# Admin static site
+output "admin_distribution_id" {
+  description = "CloudFront distribution ID for the admin app"
+  value       = module.admin_site.distribution_id
+}
+
+output "admin_distribution_domain" {
+  description = "CloudFront domain for the admin app"
+  value       = module.admin_site.distribution_domain
+}
+
+output "admin_bucket_name" {
+  description = "S3 bucket for admin app assets"
+  value       = module.admin_site.bucket_name
+}
+
+# Docs static site
+output "docs_distribution_id" {
+  description = "CloudFront distribution ID for the docs site"
+  value       = module.docs_site.distribution_id
+}
+
+output "docs_distribution_domain" {
+  description = "CloudFront domain for the docs site"
+  value       = module.docs_site.distribution_domain
+}
+
+output "docs_bucket_name" {
+  description = "S3 bucket for docs site assets"
+  value       = module.docs_site.bucket_name
+}

package/dist/terraform/modules/thinkwork/variables.tf

@@ -239,3 +239,19 @@ variable "pre_signup_lambda_zip" {
   type        = string
   default     = ""
 }
+
+# ---------------------------------------------------------------------------
+# Docs site (custom domain — optional)
+# ---------------------------------------------------------------------------
+
+variable "docs_domain" {
+  description = "Custom domain for the docs site (e.g. docs.thinkwork.ai). Leave empty for CloudFront default."
+  type        = string
+  default     = ""
+}
+
+variable "docs_certificate_arn" {
+  description = "ACM certificate ARN for the docs domain (us-east-1, required for CloudFront custom domains)"
+  type        = string
+  default     = ""
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkwork-cli",
-  "version": "0.3.2",
+  "version": "0.4.0",
   "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
   "license": "MIT",
   "type": "module",