thinkwork-cli 0.4.1 → 0.5.0

package/dist/cli.js

@@ -1486,12 +1486,13 @@ function getApiEndpoint(stage, region) {
     return null;
   }
 }
-async function apiFetch(apiUrl, authSecret, path2, options = {}) {
+async function apiFetch(apiUrl, authSecret, path2, options = {}, extraHeaders = {}) {
   const res = await fetch(`${apiUrl}${path2}`, {
     ...options,
     headers: {
       "Content-Type": "application/json",
       Authorization: `Bearer ${authSecret}`,
+      ...extraHeaders,
       ...options.headers
     }
   });
@@ -1517,8 +1518,8 @@ function resolveApiConfig(stage) {
   return { apiUrl, authSecret };
 }
 function registerMcpCommand(program2) {
-  const mcp = program2.command("mcp").description("Manage MCP servers for agents");
-  mcp.command("list").description("List MCP servers registered for an agent").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").action(async (opts) => {
+  const mcp = program2.command("mcp").description("Manage MCP servers for your tenant");
+  mcp.command("list").description("List registered MCP servers").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").action(async (opts) => {
     const check = validateStage(opts.stage);
     if (!check.valid) {
       printError(check.error);
@@ -1528,20 +1529,21 @@ function registerMcpCommand(program2) {
     if (!api) process.exit(1);
     printHeader("mcp list", opts.stage);
     try {
-      const { servers } = await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agent/${opts.agent}/mcp-servers`);
+      const { servers } = await apiFetch(api.apiUrl, api.authSecret, "/api/skills/mcp-servers", {}, { "x-tenant-slug": opts.tenant });
       if (!servers || servers.length === 0) {
-        console.log(chalk7.dim("  No MCP servers registered for this agent."));
+        console.log(chalk7.dim("  No MCP servers registered."));
         return;
       }
       console.log("");
       for (const s of servers) {
         const status = s.enabled ? chalk7.green("enabled") : chalk7.dim("disabled");
-        console.log(`  ${chalk7.bold(s.name)}  ${status}`);
+        const authLabel = s.authType === "per_user_oauth" ? `OAuth (${s.oauthProvider})` : s.authType === "tenant_api_key" ? "API Key" : "none";
+        console.log(`  ${chalk7.bold(s.name)}  ${chalk7.dim(s.slug)}  ${status}`);
         console.log(`    URL:       ${s.url}`);
         console.log(`    Transport: ${s.transport}`);
-        console.log(`    Auth:      ${s.authType || "none"}`);
+        console.log(`    Auth:      ${authLabel}`);
         if (s.tools?.length) {
-          console.log(`    Tools:     ${s.tools.join(", ")}`);
+          console.log(`    Tools:     ${s.tools.length} cached`);
         }
         console.log("");
       }
@@ -1550,7 +1552,7 @@ function registerMcpCommand(program2) {
       process.exit(1);
     }
   });
-  mcp.command("add <name>").description("Register an MCP server for an agent").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").requiredOption("--url <url>", "MCP server URL").option("--transport <type>", "Transport type (streamable-http|sse)", "streamable-http").option("--auth-type <type>", "Auth type (none|bearer|api-key)", "none").option("--auth-value <token>", "Auth token or API key").option("--connection-id <uuid>", "OAuth connection ID").option("--provider-id <uuid>", "OAuth provider ID (for connection-based auth)").option("--tools <list>", "Comma-separated tool allowlist").action(async (name, opts) => {
+  mcp.command("add <name>").description("Register an MCP server").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").requiredOption("--url <url>", "MCP server URL").option("--transport <type>", "Transport type (streamable-http|sse)", "streamable-http").option("--auth-type <type>", "Auth type (none|tenant_api_key|per_user_oauth)", "none").option("--api-key <token>", "API key (for tenant_api_key auth)").option("--oauth-provider <name>", "OAuth provider name (for per_user_oauth auth)").action(async (name, opts) => {
     const check = validateStage(opts.stage);
     if (!check.valid) {
       printError(check.error);
@@ -1558,29 +1560,26 @@ function registerMcpCommand(program2) {
     }
     const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
-    printHeader("mcp add", opts.stage);
     const body = {
       name,
       url: opts.url,
-      transport: opts.transport,
-      authType: opts.authType !== "none" ? opts.authType : void 0
+      transport: opts.transport
     };
-    if (opts.authValue) body.apiKey = opts.authValue;
-    if (opts.connectionId) body.connectionId = opts.connectionId;
-    if (opts.providerId) body.providerId = opts.providerId;
-    if (opts.tools) body.tools = opts.tools.split(",").map((t) => t.trim());
+    if (opts.authType !== "none") body.authType = opts.authType;
+    if (opts.apiKey) body.apiKey = opts.apiKey;
+    if (opts.oauthProvider) body.oauthProvider = opts.oauthProvider;
     try {
-      const result = await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agent/${opts.agent}/mcp-servers`, {
+      const result = await apiFetch(api.apiUrl, api.authSecret, "/api/skills/mcp-servers", {
         method: "POST",
         body: JSON.stringify(body)
-      });
-      printSuccess(`MCP server "${name}" ${result.created ? "added" : "updated"} (skill: ${result.skillId})`);
+      }, { "x-tenant-slug": opts.tenant });
+      printSuccess(`MCP server "${name}" ${result.created ? "registered" : "updated"} (slug: ${result.slug})`);
     } catch (err) {
       printError(err.message);
       process.exit(1);
     }
   });
-  mcp.command("remove <name>").description("Remove an MCP server from an agent").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").action(async (name, opts) => {
+  mcp.command("remove <id>").description("Remove an MCP server").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").action(async (id, opts) => {
     const check = validateStage(opts.stage);
     if (!check.valid) {
       printError(check.error);
@@ -1589,16 +1588,16 @@ function registerMcpCommand(program2) {
     const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     try {
-      await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agent/${opts.agent}/mcp-servers/${name}`, {
+      await apiFetch(api.apiUrl, api.authSecret, `/api/skills/mcp-servers/${id}`, {
         method: "DELETE"
-      });
-      printSuccess(`MCP server "${name}" removed.`);
+      }, { "x-tenant-slug": opts.tenant });
+      printSuccess(`MCP server removed.`);
     } catch (err) {
       printError(err.message);
       process.exit(1);
     }
   });
-  mcp.command("test <name>").description("Test connection to an MCP server and list its tools").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").action(async (name, opts) => {
+  mcp.command("test <id>").description("Test connection and discover tools").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").action(async (id, opts) => {
     const check = validateStage(opts.stage);
     if (!check.valid) {
       printError(check.error);
@@ -1608,17 +1607,17 @@ function registerMcpCommand(program2) {
     if (!api) process.exit(1);
     printHeader("mcp test", opts.stage);
     try {
-      const result = await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agent/${opts.agent}/mcp-servers/${name}/test`, {
+      const result = await apiFetch(api.apiUrl, api.authSecret, `/api/skills/mcp-servers/${id}/test`, {
         method: "POST"
-      });
+      }, { "x-tenant-slug": opts.tenant });
       if (result.ok) {
-        printSuccess(`Connection to "${name}" successful.`);
+        printSuccess("Connection successful.");
         if (result.tools?.length) {
           console.log(chalk7.bold(`
-  Available tools (${result.tools.length}):
+  Discovered tools (${result.tools.length}):
 `));
           for (const t of result.tools) {
-            console.log(`    ${chalk7.cyan(t.name)}${t.description ? chalk7.dim(` \u2014 ${t.description}`) : ""}`);
+            console.log(`    ${chalk7.cyan(t.name)}${t.description ? chalk7.dim(` - ${t.description}`) : ""}`);
           }
           console.log("");
         } else {
@@ -1633,6 +1632,43 @@ function registerMcpCommand(program2) {
       process.exit(1);
     }
   });
+  mcp.command("assign <mcpServerId>").description("Assign an MCP server to an agent").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").action(async (mcpServerId, opts) => {
+    const check = validateStage(opts.stage);
+    if (!check.valid) {
+      printError(check.error);
+      process.exit(1);
+    }
+    const api = resolveApiConfig(opts.stage);
+    if (!api) process.exit(1);
+    try {
+      const result = await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agents/${opts.agent}/mcp-servers`, {
+        method: "POST",
+        body: JSON.stringify({ mcpServerId })
+      });
+      printSuccess(`MCP server assigned to agent. (${result.created ? "new" : "updated"})`);
+    } catch (err) {
+      printError(err.message);
+      process.exit(1);
+    }
+  });
+  mcp.command("unassign <mcpServerId>").description("Remove an MCP server from an agent").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--agent <id>", "Agent ID").action(async (mcpServerId, opts) => {
+    const check = validateStage(opts.stage);
+    if (!check.valid) {
+      printError(check.error);
+      process.exit(1);
+    }
+    const api = resolveApiConfig(opts.stage);
+    if (!api) process.exit(1);
+    try {
+      await apiFetch(api.apiUrl, api.authSecret, `/api/skills/agents/${opts.agent}/mcp-servers/${mcpServerId}`, {
+        method: "DELETE"
+      });
+      printSuccess("MCP server unassigned from agent.");
+    } catch (err) {
+      printError(err.message);
+      process.exit(1);
+    }
+  });
 }
 
 // src/cli.ts

package/dist/terraform/modules/app/agentcore-runtime/main.tf

@@ -92,7 +92,7 @@ resource "aws_iam_role" "agentcore" {
     Version = "2012-10-17"
     Statement = [{
       Effect    = "Allow"
-      Principal = { Service = ["ecs-tasks.amazonaws.com", "lambda.amazonaws.com"] }
+      Principal = { Service = ["ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "bedrock-agentcore.amazonaws.com"] }
       Action    = "sts:AssumeRole"
     }]
   })
@@ -118,18 +118,24 @@ resource "aws_iam_role_policy" "agentcore" {
         Sid      = "BedrockInvoke"
         Effect   = "Allow"
         Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", "bedrock:InvokeAgent"]
-        Resource = "*"
+        Resource = "arn:aws:bedrock:${var.region}::foundation-model/*"
       },
       {
         Sid      = "CloudWatchLogs"
         Effect   = "Allow"
         Action   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
-        Resource = "arn:aws:logs:${var.region}:${var.account_id}:*"
+        Resource = "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/lambda/thinkwork-${var.stage}-*"
       },
       {
         Sid      = "ECRPull"
         Effect   = "Allow"
-        Action   = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage", "ecr:GetAuthorizationToken"]
+        Action   = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
+        Resource = "arn:aws:ecr:${var.region}:${var.account_id}:repository/thinkwork-${var.stage}-*"
+      },
+      {
+        Sid      = "ECRAuth"
+        Effect   = "Allow"
+        Action   = ["ecr:GetAuthorizationToken"]
         Resource = "*"
       },
       {

package/dist/terraform/modules/app/lambda-api/main.tf

@@ -27,9 +27,9 @@ resource "aws_apigatewayv2_api" "main" {
   protocol_type = "HTTP"
 
   cors_configuration {
-    allow_headers = ["*"]
-    allow_methods = ["*"]
-    allow_origins = ["*"]
+    allow_headers = ["Content-Type", "Authorization", "x-api-key", "x-tenant-id", "x-tenant-slug", "x-principal-id"]
+    allow_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
+    allow_origins = var.cors_allowed_origins
     max_age       = 3600
   }
 
@@ -118,11 +118,22 @@ resource "aws_iam_role_policy" "lambda_secrets" {
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Statement = [{
-      Effect   = "Allow"
-      Action   = ["secretsmanager:GetSecretValue"]
-      Resource = var.graphql_db_secret_arn
-    }]
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = ["secretsmanager:GetSecretValue"]
+        Resource = var.graphql_db_secret_arn
+      },
+      {
+        Effect = "Allow"
+        Action = [
+          "secretsmanager:CreateSecret",
+          "secretsmanager:UpdateSecret",
+          "secretsmanager:GetSecretValue"
+        ]
+        Resource = "arn:aws:secretsmanager:${var.region}:${var.account_id}:secret:thinkwork/*"
+      }
+    ]
   })
 }
 
@@ -175,7 +186,7 @@ resource "aws_iam_role_policy" "lambda_bedrock" {
     Statement = [{
       Effect   = "Allow"
       Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
-      Resource = "*"
+      Resource = "arn:aws:bedrock:${var.region}::foundation-model/*"
     }]
   })
 }

package/dist/terraform/modules/app/lambda-api/variables.tf

@@ -151,3 +151,9 @@ variable "agentcore_function_name" {
   type        = string
   default     = ""
 }
+
+variable "cors_allowed_origins" {
+  description = "Allowed CORS origins for the API Gateway. Use [\"*\"] for development."
+  type        = list(string)
+  default     = ["*"]
+}

package/dist/terraform/modules/app/static-site/main.tf

@@ -69,6 +69,31 @@ resource "aws_cloudfront_origin_access_control" "site" {
   signing_protocol                  = "sigv4"
 }
 
+################################################################################
+# CloudFront Function — rewrite directory URIs to index.html
+#
+# S3 with OAC doesn't auto-serve index.html for subdirectory requests.
+# /getting-started/ → /getting-started/index.html
+################################################################################
+
+resource "aws_cloudfront_function" "rewrite" {
+  name    = "thinkwork-${var.stage}-${var.site_name}-rewrite"
+  runtime = "cloudfront-js-2.0"
+  publish = true
+  code    = <<-EOF
+    function handler(event) {
+      var request = event.request;
+      var uri = request.uri;
+      if (uri.endsWith('/')) {
+        request.uri += 'index.html';
+      } else if (!uri.includes('.')) {
+        request.uri += '/index.html';
+      }
+      return request;
+    }
+  EOF
+}
+
 ################################################################################
 # CloudFront Distribution
 ################################################################################
@@ -92,6 +117,11 @@ resource "aws_cloudfront_distribution" "site" {
     cached_methods         = ["GET", "HEAD"]
     compress               = true
 
+    function_association {
+      event_type   = "viewer-request"
+      function_arn = aws_cloudfront_function.rewrite.arn
+    }
+
     forwarded_values {
       query_string = false
       cookies {
@@ -100,16 +130,17 @@ resource "aws_cloudfront_distribution" "site" {
     }
   }
 
+  # Fallback for true 404s (e.g. deleted pages) — serve the 404 page
   custom_error_response {
     error_code         = 404
-    response_code      = 200
-    response_page_path = "/index.html"
+    response_code      = 404
+    response_page_path = "/404.html"
   }
 
   custom_error_response {
     error_code         = 403
-    response_code      = 200
-    response_page_path = "/index.html"
+    response_code      = 404
+    response_page_path = "/404.html"
   }
 
   restrictions {

package/dist/terraform/modules/data/s3-buckets/main.tf

@@ -20,6 +20,12 @@ variable "bucket_name" {
   type        = string
 }
 
+variable "cors_allowed_origins" {
+  description = "Allowed CORS origins. Use [\"*\"] for development."
+  type        = list(string)
+  default     = ["*"]
+}
+
 resource "aws_s3_bucket" "main" {
   bucket = var.bucket_name
 
@@ -33,9 +39,9 @@ resource "aws_s3_bucket_cors_configuration" "main" {
   bucket = aws_s3_bucket.main.id
 
   cors_rule {
-    allowed_headers = ["*"]
-    allowed_methods = ["GET", "PUT", "POST", "HEAD"]
-    allowed_origins = ["*"]
+    allowed_headers = ["Content-Type", "Authorization", "x-amz-*"]
+    allowed_methods = ["GET", "PUT", "HEAD"]
+    allowed_origins = var.cors_allowed_origins
     expose_headers  = ["ETag"]
     max_age_seconds = 3000
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkwork-cli",
-  "version": "0.4.1",
+  "version": "0.5.0",
   "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
   "license": "MIT",
   "type": "module",