thinkwork-cli 0.5.1 → 0.5.3

package/dist/terraform/modules/app/hindsight-memory/README.md

@@ -1,66 +1,87 @@
-# Memory Engine Module
+# Hindsight Memory Module (optional add-on)
 
-Thinkwork supports pluggable long-term memory for agents. Choose the engine that fits your stage and requirements.
+Thinkwork has two long-term memory systems. **AgentCore managed memory is
+always on** — every agent gets automatic per-turn retention out of the box
+with zero configuration. **Hindsight is an optional add-on** you can layer
+on top for advanced semantic + entity-graph retrieval.
 
-## Engines
+## Memory layers
 
-| Engine | `memory_engine` value | Best for | Extra infra | Cost |
-|--------|----------------------|----------|-------------|------|
-| **AgentCore Managed** | `managed` (default) | All stages. Production-ready, zero-config. | None | $0 additional |
-| **Hindsight** | `hindsight` | Advanced recall/reflect with entity graph, cross-encoder reranking. | ECS Fargate + ALB | ~$75/mo (ARM64) |
+| Layer | Backend | Always on | What it stores |
+|-------|---------|-----------|----------------|
+| 1. Workspace files | S3 per-agent | Yes | Scratchpad, working files |
+| 2. Thread history | Aurora `messages` table | Yes | Last 30 turns per thread |
+| 3a. Managed long-term | AgentCore Memory | **Yes** | Semantic facts, preferences, summaries, episodes — extracted automatically from every turn |
+| 3b. Hindsight long-term | Hindsight ECS service | **Optional** | Same purpose as 3a, plus entity graph + BM25 + cross-encoder reranking |
 
-Both engines provide agents with memory tools. The Strands runtime reads `MEMORY_ENGINE` and loads the right tool set:
+## How retention works
 
-- **Managed**: `remember()`, `recall()`, `forget()` — backed by AgentCore Memory API with 4 strategies (semantic facts, user preferences, session summaries, episodic).
-- **Hindsight**: `hindsight_retain()`, `hindsight_recall()`, `hindsight_reflect()` — backed by the Hindsight service with semantic + BM25 + entity graph + temporal retrieval and cross-encoder reranking.
+The agent container automatically emits a `CreateEvent` into AgentCore
+Memory after every turn (user message + assistant response), via
+`memory.store_turn_pair` in `packages/agentcore/agent-container/memory.py`.
+AgentCore's background strategies extract facts into four namespaces:
 
-## What's pluggable
+- `assistant_{actorId}` — semantic facts
+- `preferences_{actorId}` — user preferences
+- `session_{sessionId}` — session summaries
+- `episodes_{actorId}/{sessionId}` — episodic memory
 
-Only **Layer 3 (long-term cross-thread memory)** is pluggable. The other memory layers are core infrastructure:
+The agent reads them back via the `recall()` tool. There is no need for
+the model to call `remember()` for routine facts — it only exists for
+user-driven "please remember X" requests.
 
-- **Layer 1** — Workspace files on S3 (per-agent scratchpad). Always available.
-- **Layer 2** — Thread history in Aurora (conversation memory). Always available.
-- **Layer 3** — Long-term cross-thread recall. **This is what `memory_engine` controls.**
+When Hindsight is enabled, the container ALSO registers
+`hindsight_retain`, `hindsight_recall`, and `hindsight_reflect` tools that
+route to the Hindsight service. `remember()` dual-writes to both backends
+so explicit memories land in both systems.
 
 ## Usage
 
-### Managed (default — no extra config needed)
+### Default — managed memory only (zero config)
 
 ```hcl
 module "thinkwork" {
   source = "thinkwork-ai/thinkwork/aws"
 
-  stage      = "prod"
-  # memory_engine defaults to "managed" — nothing to set
+  stage = "prod"
+  # enable_hindsight defaults to false — nothing else to set
 }
 ```
 
-### Hindsight (opt-in)
+The `terraform/modules/app/agentcore-memory` module is always instantiated
+and provisions the AgentCore Memory resource with the four strategies.
+
+### With the Hindsight add-on
 
 ```hcl
 module "thinkwork" {
   source = "thinkwork-ai/thinkwork/aws"
 
-  stage         = "prod"
-  memory_engine = "hindsight"
+  stage            = "prod"
+  enable_hindsight = true
 
   # Optional: pin the Hindsight image version
-  # hindsight_image_tag = "0.4.22"
+  # hindsight_image_tag = "0.5.0"
 }
 ```
 
-When `memory_engine = "hindsight"`, Terraform creates:
+When `enable_hindsight = true`, Terraform creates:
 - ECS Fargate cluster + service (ARM64, 2 vCPU, 4 GB)
 - Application Load Balancer
 - Security groups (ALB → Hindsight → Aurora ingress)
 - CloudWatch log group
 
-When `memory_engine = "managed"`, none of the above is created.
+Cost: ~$75/mo (ARM64 Fargate + ALB hours).
+
+## Turning the add-on on/off
 
-## Switching engines
+Toggling `enable_hindsight` and re-running `thinkwork deploy`:
 
-Changing `memory_engine` and running `thinkwork deploy` will:
-- **managed → hindsight**: Create the ECS/ALB infrastructure. Agents start using Hindsight tools on next invoke.
-- **hindsight → managed**: Destroy the ECS/ALB infrastructure. Agents fall back to AgentCore memory tools.
+- **false → true**: creates the ECS + ALB infra. Agents gain the three
+  `hindsight_*` tools on their next invoke. Managed retention continues
+  running unchanged.
+- **true → false**: destroys the ECS + ALB infra. Agents lose the
+  `hindsight_*` tools. Managed memory keeps working as before.
 
-Memory data is not migrated between engines. Each engine has its own storage backend.
+Memory data is not migrated between backends. Hindsight records and
+AgentCore records live in separate stores.

package/dist/terraform/modules/app/hindsight-memory/main.tf

@@ -1,13 +1,15 @@
 ################################################################################
-# Hindsight Memory Engine — App Module
+# Hindsight Memory (Optional Add-On) — App Module
 #
-# Optional ECS Fargate + ALB service for Hindsight long-term memory.
-# Only created when memory_engine = "hindsight". When memory_engine = "managed",
-# this module creates nothing and AgentCore's built-in memory is used instead.
+# Optional ECS Fargate + ALB service for Hindsight long-term memory. Only
+# created when `enable_hindsight = true`. AgentCore managed memory is
+# always on (see ../agentcore-memory) — Hindsight runs alongside it as an
+# add-on, not as a replacement.
 #
-# Hindsight provides retain/recall/reflect tools for cross-thread,
-# cross-session organizational memory. It runs local embeddings + reranker
-# and uses the shared Aurora PostgreSQL instance with pgvector.
+# Hindsight provides hindsight_retain/recall/reflect tools for cross-thread
+# organizational memory with entity-graph traversal and cross-encoder
+# reranking. It runs local embeddings + reranker and uses the shared Aurora
+# PostgreSQL instance with pgvector.
 ################################################################################
 
 variable "stage" {

package/dist/terraform/modules/app/lambda-api/handlers.tf

@@ -12,28 +12,33 @@ locals {
 
   # Common environment variables shared by all API handlers
   common_env = {
-    STAGE                  = var.stage
-    DATABASE_URL           = "postgresql://${var.db_username}:${urlencode(var.db_password)}@${var.db_cluster_endpoint}:5432/${var.database_name}?sslmode=no-verify"
-    DATABASE_SECRET_ARN    = var.graphql_db_secret_arn
-    DATABASE_HOST          = var.db_cluster_endpoint
-    DATABASE_NAME          = var.database_name
-    BUCKET_NAME                = var.bucket_name
-    USER_POOL_ID               = var.user_pool_id
-    COGNITO_USER_POOL_ID       = var.user_pool_id
-    ADMIN_CLIENT_ID            = var.admin_client_id
-    MOBILE_CLIENT_ID           = var.mobile_client_id
-    COGNITO_APP_CLIENT_IDS     = "${var.admin_client_id},${var.mobile_client_id}"
-    APPSYNC_ENDPOINT           = var.appsync_api_url
-    APPSYNC_API_KEY            = var.appsync_api_key
-    GRAPHQL_API_KEY            = var.appsync_api_key
-    API_AUTH_SECRET             = var.api_auth_secret
-    THINKWORK_API_SECRET        = var.api_auth_secret
-    MANIFLOW_API_SECRET         = var.api_auth_secret
-    AGENTCORE_INVOKE_URL        = var.agentcore_invoke_url
-    AGENTCORE_FUNCTION_NAME     = var.agentcore_function_name
-    WORKSPACE_BUCKET            = var.bucket_name
-    HINDSIGHT_ENDPOINT          = var.hindsight_endpoint
-    NODE_OPTIONS           = "--enable-source-maps"
+    STAGE                   = var.stage
+    DATABASE_URL            = "postgresql://${var.db_username}:${urlencode(var.db_password)}@${var.db_cluster_endpoint}:5432/${var.database_name}?sslmode=no-verify"
+    DATABASE_SECRET_ARN     = var.graphql_db_secret_arn
+    DATABASE_HOST           = var.db_cluster_endpoint
+    DATABASE_NAME           = var.database_name
+    BUCKET_NAME             = var.bucket_name
+    USER_POOL_ID            = var.user_pool_id
+    COGNITO_USER_POOL_ID    = var.user_pool_id
+    ADMIN_CLIENT_ID         = var.admin_client_id
+    MOBILE_CLIENT_ID        = var.mobile_client_id
+    COGNITO_APP_CLIENT_IDS  = "${var.admin_client_id},${var.mobile_client_id}"
+    APPSYNC_ENDPOINT        = var.appsync_api_url
+    APPSYNC_API_KEY         = var.appsync_api_key
+    GRAPHQL_API_KEY         = var.appsync_api_key
+    API_AUTH_SECRET         = var.api_auth_secret
+    THINKWORK_API_SECRET    = var.api_auth_secret
+    MANIFLOW_API_SECRET     = var.api_auth_secret
+    AGENTCORE_FUNCTION_NAME = var.agentcore_function_name
+    WORKSPACE_BUCKET        = var.bucket_name
+    HINDSIGHT_ENDPOINT      = var.hindsight_endpoint
+    AGENTCORE_MEMORY_ID     = var.agentcore_memory_id
+    ADMIN_URL               = var.admin_url
+    DOCS_URL                = var.docs_url
+    APPSYNC_REALTIME_URL    = var.appsync_realtime_url
+    ECR_REPOSITORY_URL      = var.ecr_repository_url
+    AWS_ACCOUNT_ID          = var.account_id
+    NODE_OPTIONS            = "--enable-source-maps"
   }
 }
 
@@ -113,15 +118,15 @@ locals {
   # Map of route_key → handler name for API Gateway
   api_routes = local.use_local_zips ? {
     # GraphQL — the main API entry point
-    "POST /graphql"              = "graphql-http"
-    "GET /graphql"               = "graphql-http"
+    "POST /graphql" = "graphql-http"
+    "GET /graphql"  = "graphql-http"
 
     # Health check (keep placeholder alive too)
     # "GET /health" is handled by placeholder
 
     # Agents
-    "ANY /api/agents/{proxy+}"   = "agents"
-    "ANY /api/agents"            = "agents"
+    "ANY /api/agents/{proxy+}" = "agents"
+    "ANY /api/agents"          = "agents"
 
     # Agent actions (start/stop/heartbeat/budget)
     "ANY /api/agent-actions/{proxy+}" = "agent-actions"
@@ -131,25 +136,25 @@ locals {
     "ANY /api/messages"          = "messages"
 
     # Teams
-    "ANY /api/teams/{proxy+}"    = "teams"
-    "ANY /api/teams"             = "teams"
+    "ANY /api/teams/{proxy+}"        = "teams"
+    "ANY /api/teams"                 = "teams"
     "ANY /api/team-members/{proxy+}" = "team-members"
 
     # Tenants
-    "ANY /api/tenants/{proxy+}"  = "tenants"
-    "ANY /api/tenants"           = "tenants"
+    "ANY /api/tenants/{proxy+}" = "tenants"
+    "ANY /api/tenants"          = "tenants"
 
     # Users
-    "ANY /api/users/{proxy+}"    = "users"
-    "ANY /api/users"             = "users"
+    "ANY /api/users/{proxy+}" = "users"
+    "ANY /api/users"          = "users"
 
     # Invites
-    "ANY /api/invites/{proxy+}"  = "invites"
-    "ANY /api/invites"           = "invites"
+    "ANY /api/invites/{proxy+}" = "invites"
+    "ANY /api/invites"          = "invites"
 
     # Skills
-    "ANY /api/skills/{proxy+}"   = "skills"
-    "ANY /api/skills"            = "skills"
+    "ANY /api/skills/{proxy+}" = "skills"
+    "ANY /api/skills"          = "skills"
 
     # Activity
     "ANY /api/activity/{proxy+}" = "activity"
@@ -166,8 +171,8 @@ locals {
     "ANY /api/routines"          = "routines"
 
     # Budgets
-    "ANY /api/budgets/{proxy+}"  = "budgets"
-    "ANY /api/budgets"           = "budgets"
+    "ANY /api/budgets/{proxy+}" = "budgets"
+    "ANY /api/budgets"          = "budgets"
 
     # Guardrails
     "ANY /api/guardrails/{proxy+}" = "guardrails"

package/dist/terraform/modules/app/lambda-api/main.tf

@@ -168,6 +168,7 @@ resource "aws_iam_role_policy" "lambda_cognito" {
     Statement = [{
       Effect = "Allow"
       Action = [
+        "cognito-idp:AdminCreateUser",
         "cognito-idp:AdminGetUser",
         "cognito-idp:AdminUpdateUserAttributes",
         "cognito-idp:ListUsers",
@@ -177,6 +178,20 @@ resource "aws_iam_role_policy" "lambda_cognito" {
   })
 }
 
+resource "aws_iam_role_policy" "lambda_cloudwatch_read" {
+  name = "cloudwatch-logs-read"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["logs:FilterLogEvents", "logs:GetLogEvents", "logs:DescribeLogGroups"]
+      Resource = "arn:aws:logs:${var.region}:${var.account_id}:log-group:*model-invocations*"
+    }]
+  })
+}
+
 resource "aws_iam_role_policy" "lambda_bedrock" {
   name = "bedrock-invoke"
   role = aws_iam_role.lambda.id
@@ -191,6 +206,49 @@ resource "aws_iam_role_policy" "lambda_bedrock" {
   })
 }
 
+# Allow API Lambdas to directly invoke the AgentCore Lambda. Used by
+# chat-agent-invoke (and future wake-up/retry paths) via InvokeCommand.
+resource "aws_iam_role_policy" "lambda_agentcore_invoke" {
+  count = var.agentcore_function_arn != "" ? 1 : 0
+  name  = "agentcore-invoke"
+  role  = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "lambda:InvokeFunction",
+      ]
+      Resource = [
+        var.agentcore_function_arn,
+        "${var.agentcore_function_arn}:*",
+      ]
+    }]
+  })
+}
+
+# AgentCore Memory read access for the GraphQL memory resolvers.
+# memoryRecords / memorySearch call ListMemoryRecordsCommand to fetch
+# records across the tenant's agents.
+resource "aws_iam_role_policy" "lambda_agentcore_memory" {
+  name = "agentcore-memory-read"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "bedrock-agentcore:ListMemoryRecords",
+        "bedrock-agentcore:RetrieveMemoryRecords",
+        "bedrock-agentcore:GetMemoryRecord",
+      ]
+      Resource = "*"
+    }]
+  })
+}
+
 ################################################################################
 # Placeholder Lambda — proves the infrastructure works
 #

package/dist/terraform/modules/app/lambda-api/variables.tf

@@ -134,20 +134,50 @@ variable "api_auth_secret" {
   default     = ""
 }
 
-variable "agentcore_invoke_url" {
-  description = "Lambda Function URL for AgentCore container invocation"
+variable "hindsight_endpoint" {
+  description = "Hindsight API endpoint (empty when enable_hindsight = false)"
   type        = string
   default     = ""
 }
 
-variable "hindsight_endpoint" {
-  description = "Hindsight API endpoint (empty when memory_engine = managed)"
+variable "agentcore_memory_id" {
+  description = "Bedrock AgentCore Memory resource ID — used by the GraphQL memory resolvers to list records across tenant agents."
   type        = string
   default     = ""
 }
 
 variable "agentcore_function_name" {
-  description = "AgentCore Lambda function name (for direct SDK invoke instead of Function URL)"
+  description = "AgentCore Lambda function name (for direct SDK invoke)"
+  type        = string
+  default     = ""
+}
+
+variable "agentcore_function_arn" {
+  description = "AgentCore Lambda function ARN (used to grant lambda:InvokeFunction)"
+  type        = string
+  default     = ""
+}
+
+variable "admin_url" {
+  description = "Admin app URL (e.g. https://d3li9vbqnhv7w.cloudfront.net)"
+  type        = string
+  default     = ""
+}
+
+variable "docs_url" {
+  description = "Docs site URL (e.g. https://d2grg1uavrp7lx.cloudfront.net)"
+  type        = string
+  default     = ""
+}
+
+variable "appsync_realtime_url" {
+  description = "AppSync realtime/WebSocket endpoint URL"
+  type        = string
+  default     = ""
+}
+
+variable "ecr_repository_url" {
+  description = "ECR repository URL for AgentCore container"
   type        = string
   default     = ""
 }

package/dist/terraform/modules/thinkwork/main.tf

@@ -11,6 +11,12 @@
 
 locals {
   bucket_name = var.bucket_name != "" ? var.bucket_name : "thinkwork-${var.stage}-storage"
+
+  # Hindsight is an optional add-on. Preferred toggle: var.enable_hindsight.
+  # For one release we also honor the deprecated var.memory_engine == "hindsight"
+  # so existing tfvars keep working. The CLI config command also auto-translates
+  # between the two. Remove the legacy branch in a future release.
+  hindsight_enabled = var.enable_hindsight || var.memory_engine == "hindsight"
 }
 
 ################################################################################
@@ -47,12 +53,12 @@ module "cognito" {
   stage  = var.stage
   region = var.region
 
-  create_cognito              = var.create_cognito
-  existing_user_pool_id       = var.existing_user_pool_id
-  existing_user_pool_arn      = var.existing_user_pool_arn
-  existing_admin_client_id     = var.existing_admin_client_id
+  create_cognito            = var.create_cognito
+  existing_user_pool_id     = var.existing_user_pool_id
+  existing_user_pool_arn    = var.existing_user_pool_arn
+  existing_admin_client_id  = var.existing_admin_client_id
   existing_mobile_client_id = var.existing_mobile_client_id
-  existing_identity_pool_id   = var.existing_identity_pool_id
+  existing_identity_pool_id = var.existing_identity_pool_id
 
   google_oauth_client_id     = var.google_oauth_client_id
   google_oauth_client_secret = var.google_oauth_client_secret
@@ -90,7 +96,7 @@ module "s3" {
 module "database" {
   source = "../data/aurora-postgres"
 
-  stage  = var.stage
+  stage = var.stage
 
   create_database               = var.create_database
   existing_db_cluster_arn       = var.existing_db_cluster_arn
@@ -151,9 +157,9 @@ module "api" {
   bucket_name = module.s3.bucket_name
   bucket_arn  = module.s3.bucket_arn
 
-  user_pool_id       = module.cognito.user_pool_id
-  user_pool_arn      = module.cognito.user_pool_arn
-  admin_client_id     = module.cognito.admin_client_id
+  user_pool_id     = module.cognito.user_pool_id
+  user_pool_arn    = module.cognito.user_pool_arn
+  admin_client_id  = module.cognito.admin_client_id
   mobile_client_id = module.cognito.mobile_client_id
 
   appsync_api_url = module.appsync.graphql_api_url
@@ -161,12 +167,33 @@ module "api" {
 
   kb_service_role_arn = module.bedrock_kb.kb_service_role_arn
 
-  lambda_zips_dir      = var.lambda_zips_dir
-  api_auth_secret      = var.api_auth_secret
-  db_password          = var.db_password
-  agentcore_invoke_url    = module.agentcore.agentcore_invoke_url
+  lambda_zips_dir         = var.lambda_zips_dir
+  api_auth_secret         = var.api_auth_secret
+  db_password             = var.db_password
   agentcore_function_name = module.agentcore.agentcore_function_name
-  hindsight_endpoint      = var.memory_engine == "hindsight" ? module.hindsight[0].hindsight_endpoint : ""
+  agentcore_function_arn  = module.agentcore.agentcore_function_arn
+  hindsight_endpoint      = local.hindsight_enabled ? module.hindsight[0].hindsight_endpoint : ""
+  agentcore_memory_id     = module.agentcore_memory.memory_id
+  admin_url               = "https://${module.admin_site.distribution_domain}"
+  docs_url                = "https://${module.docs_site.distribution_domain}"
+  appsync_realtime_url    = module.appsync.graphql_realtime_url
+  ecr_repository_url      = module.agentcore.ecr_repository_url
+}
+
+################################################################################
+# AgentCore Memory (managed) — always created. Provides automatic per-turn
+# retention via memory.store_turn_pair in the agent container. If the caller
+# already has a memory resource, set `agentcore_memory_id` on the root module
+# to short-circuit provisioning.
+################################################################################
+
+module "agentcore_memory" {
+  source = "../app/agentcore-memory"
+
+  stage              = var.stage
+  region             = var.region
+  account_id         = var.account_id
+  existing_memory_id = var.agentcore_memory_id
 }
 
 module "agentcore" {
@@ -177,9 +204,8 @@ module "agentcore" {
   region      = var.region
   bucket_name = module.s3.bucket_name
 
-  memory_engine       = var.memory_engine
-  hindsight_endpoint  = var.memory_engine == "hindsight" ? module.hindsight[0].hindsight_endpoint : ""
-  agentcore_memory_id = var.agentcore_memory_id
+  hindsight_endpoint  = local.hindsight_enabled ? module.hindsight[0].hindsight_endpoint : ""
+  agentcore_memory_id = module.agentcore_memory.memory_id
 }
 
 module "crons" {
@@ -199,7 +225,7 @@ module "job_triggers" {
 }
 
 module "hindsight" {
-  count  = var.memory_engine == "hindsight" ? 1 : 0
+  count  = local.hindsight_enabled ? 1 : 0
   source = "../app/hindsight-memory"
 
   stage                = var.stage

package/dist/terraform/modules/thinkwork/outputs.tf

@@ -81,14 +81,19 @@ output "ecr_repository_url" {
   value = module.agentcore.ecr_repository_url
 }
 
-output "memory_engine" {
-  description = "Which memory engine is active (managed or hindsight)"
-  value       = var.memory_engine
+output "agentcore_memory_id" {
+  description = "Bedrock AgentCore Memory resource ID (always present — managed memory is always on)"
+  value       = module.agentcore_memory.memory_id
+}
+
+output "hindsight_enabled" {
+  description = "Whether the Hindsight add-on is enabled"
+  value       = local.hindsight_enabled
 }
 
 output "hindsight_endpoint" {
-  description = "Hindsight API endpoint (only when memory_engine = hindsight)"
-  value       = var.memory_engine == "hindsight" ? module.hindsight[0].hindsight_endpoint : null
+  description = "Hindsight API endpoint (null when enable_hindsight = false)"
+  value       = local.hindsight_enabled ? module.hindsight[0].hindsight_endpoint : null
 }
 
 # Admin static site

package/dist/terraform/modules/thinkwork/variables.tf

@@ -138,25 +138,31 @@ variable "database_engine" {
   default     = "aurora-serverless"
 }
 
+variable "enable_hindsight" {
+  description = "Enable Hindsight long-term memory as an optional add-on alongside the always-on AgentCore managed memory. When true, deploys an ECS+ALB service for semantic/entity-graph/cross-encoder retrieval. Default false."
+  type        = bool
+  default     = false
+}
+
 variable "memory_engine" {
-  description = "Memory engine: 'managed' (AgentCore built-in, default) or 'hindsight' (ECS+ALB service, opt-in)"
+  description = "DEPRECATED. Use `enable_hindsight` instead. For backwards compatibility, setting this to 'hindsight' is equivalent to `enable_hindsight = true`. AgentCore managed memory is always on and cannot be disabled."
   type        = string
-  default     = "managed"
+  default     = ""
 
   validation {
-    condition     = contains(["managed", "hindsight"], var.memory_engine)
-    error_message = "memory_engine must be 'managed' or 'hindsight'"
+    condition     = var.memory_engine == "" || contains(["managed", "hindsight"], var.memory_engine)
+    error_message = "memory_engine (deprecated) must be empty, 'managed', or 'hindsight'. Prefer enable_hindsight instead."
   }
 }
 
 variable "hindsight_image_tag" {
-  description = "Hindsight Docker image tag (only used when memory_engine = 'hindsight')"
+  description = "Hindsight Docker image tag (only used when enable_hindsight = true)"
   type        = string
   default     = "0.5.0"
 }
 
 variable "agentcore_memory_id" {
-  description = "AgentCore Memory resource ID (only used when memory_engine = 'managed')"
+  description = "Optional pre-existing AgentCore Memory resource ID. When set, the agentcore-memory module skips provisioning and reuses this ID. Leave empty to auto-provision."
   type        = string
   default     = ""
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkwork-cli",
-  "version": "0.5.1",
+  "version": "0.5.3",
   "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
   "license": "MIT",
   "type": "module",