thinkwork-cli 0.5.3 → 0.6.0

package/README.md

@@ -5,6 +5,10 @@ Deploy and manage Thinkwork AI agent stacks on AWS.
 ## Install
 
 ```bash
+# Homebrew (macOS / Linux) — auto-taps thinkwork-ai/tap on first install
+brew install thinkwork-ai/tap/thinkwork
+
+# npm
 npm install -g thinkwork-cli
 ```
 

package/dist/cli.js

@@ -752,8 +752,8 @@ function registerBootstrapCommand(program2) {
       bucket = await getTerraformOutput(cwd, "bucket_name");
       dbEndpoint = await getTerraformOutput(cwd, "db_cluster_endpoint");
       const secretArn = await getTerraformOutput(cwd, "db_secret_arn");
-      const { execSync: execSync10 } = await import("child_process");
-      const secretJson = execSync10(
+      const { execSync: execSync9 } = await import("child_process");
+      const secretJson = execSync9(
         `aws secretsmanager get-secret-value --secret-id "${secretArn}" --query SecretString --output text`,
         { encoding: "utf-8" }
       ).trim();
@@ -1522,7 +1522,9 @@ function printStageDetail(info) {
   console.log("");
 }
 function registerStatusCommand(program2) {
-  program2.command("status").description("Show all Thinkwork environments (AWS + local)").option("-s, --stage <name>", "Show details for a specific stage").option("--region <region>", "AWS region to scan", "us-east-1").action(async (opts) => {
+  program2.command("status").alias("list").alias("ls").description(
+    "Show all Thinkwork environments / deployments (AWS + local). Aliases: list, ls"
+  ).option("-s, --stage <name>", "Show details for a specific stage").option("--region <region>", "AWS region to scan", "us-east-1").action(async (opts) => {
     const identity = getAwsIdentity();
     printHeader("status", opts.stage || "all", identity);
     if (!identity) {
@@ -1575,9 +1577,11 @@ function registerStatusCommand(program2) {
 }
 
 // src/commands/mcp.ts
+import chalk7 from "chalk";
+
+// src/api-client.ts
 import { readFileSync as readFileSync3, existsSync as existsSync6 } from "fs";
 import { execSync as execSync7 } from "child_process";
-import chalk7 from "chalk";
 function readTfVar2(tfvarsPath, key) {
   if (!existsSync6(tfvarsPath)) return null;
   const content = readFileSync3(tfvarsPath, "utf-8");
@@ -1621,6 +1625,19 @@ async function apiFetch(apiUrl, authSecret, path2, options = {}, extraHeaders =
   }
   return res.json();
 }
+async function apiFetchRaw(apiUrl, authSecret, path2, options = {}, extraHeaders = {}) {
+  const res = await fetch(`${apiUrl}${path2}`, {
+    ...options,
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${authSecret}`,
+      ...extraHeaders,
+      ...options.headers
+    }
+  });
+  const body = await res.json().catch(() => ({}));
+  return { ok: res.ok, status: res.status, body };
+}
 function resolveApiConfig(stage) {
   const tfvarsPath = resolveTfvarsPath2(stage);
   const authSecret = readTfVar2(tfvarsPath, "api_auth_secret");
@@ -1631,11 +1648,15 @@ function resolveApiConfig(stage) {
   const region = readTfVar2(tfvarsPath, "region") || "us-east-1";
   const apiUrl = getApiEndpoint(stage, region);
   if (!apiUrl) {
-    printError(`Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`);
+    printError(
+      `Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`
+    );
     return null;
   }
   return { apiUrl, authSecret };
 }
+
+// src/commands/mcp.ts
 function registerMcpCommand(program2) {
   const mcp = program2.command("mcp").description("Manage MCP servers for your tenant");
   mcp.command("list").description("List registered MCP servers").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").action(async (opts) => {
@@ -1791,68 +1812,8 @@ function registerMcpCommand(program2) {
 }
 
 // src/commands/tools.ts
-import { readFileSync as readFileSync4, existsSync as existsSync7 } from "fs";
-import { execSync as execSync8 } from "child_process";
 import { createInterface as createInterface4 } from "readline";
 import chalk8 from "chalk";
-function readTfVar3(tfvarsPath, key) {
-  if (!existsSync7(tfvarsPath)) return null;
-  const content = readFileSync4(tfvarsPath, "utf-8");
-  const match = content.match(new RegExp(`^${key}\\s*=\\s*"([^"]*)"`, "m"));
-  return match ? match[1] : null;
-}
-function resolveTfvarsPath3(stage) {
-  const tfDir = resolveTerraformDir(stage);
-  if (tfDir) {
-    const direct = `${tfDir}/terraform.tfvars`;
-    if (existsSync7(direct)) return direct;
-  }
-  const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
-  const cwd = resolveTierDir(terraformDir, stage, "app");
-  return `${cwd}/terraform.tfvars`;
-}
-function getApiEndpoint2(stage, region) {
-  try {
-    const raw = execSync8(
-      `aws apigatewayv2 get-apis --region ${region} --query "Items[?Name=='thinkwork-${stage}-api'].ApiEndpoint|[0]" --output text`,
-      { encoding: "utf-8", timeout: 15e3, stdio: ["pipe", "pipe", "pipe"] }
-    ).trim();
-    return raw && raw !== "None" ? raw : null;
-  } catch {
-    return null;
-  }
-}
-async function apiFetch2(apiUrl, authSecret, path2, options = {}, extraHeaders = {}) {
-  const res = await fetch(`${apiUrl}${path2}`, {
-    ...options,
-    headers: {
-      "Content-Type": "application/json",
-      Authorization: `Bearer ${authSecret}`,
-      ...extraHeaders,
-      ...options.headers
-    }
-  });
-  if (!res.ok) {
-    const body = await res.json().catch(() => ({}));
-    throw new Error(body.error || `HTTP ${res.status}`);
-  }
-  return res.json();
-}
-function resolveApiConfig2(stage) {
-  const tfvarsPath = resolveTfvarsPath3(stage);
-  const authSecret = readTfVar3(tfvarsPath, "api_auth_secret");
-  if (!authSecret) {
-    printError(`Cannot read api_auth_secret from ${tfvarsPath}`);
-    return null;
-  }
-  const region = readTfVar3(tfvarsPath, "region") || "us-east-1";
-  const apiUrl = getApiEndpoint2(stage, region);
-  if (!apiUrl) {
-    printError(`Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`);
-    return null;
-  }
-  return { apiUrl, authSecret };
-}
 function prompt(question) {
   const rl = createInterface4({ input: process.stdin, output: process.stdout });
   return new Promise((resolve3) => {
@@ -1873,11 +1834,11 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     printHeader("tools list", opts.stage);
     try {
-      const { tools: rows } = await apiFetch2(
+      const { tools: rows } = await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools",
@@ -1914,7 +1875,7 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     let provider = opts.provider;
     if (!provider) {
@@ -1933,7 +1894,7 @@ function registerToolsCommand(program2) {
       process.exit(1);
     }
     try {
-      await apiFetch2(
+      await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools/web-search",
@@ -1956,11 +1917,11 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     printHeader("tools web-search test", opts.stage);
     try {
-      const result = await apiFetch2(
+      const result = await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools/web-search/test",
@@ -1984,10 +1945,10 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     try {
-      await apiFetch2(
+      await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools/web-search",
@@ -2006,10 +1967,10 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     try {
-      await apiFetch2(
+      await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools/web-search",
@@ -2025,11 +1986,12 @@ function registerToolsCommand(program2) {
 }
 
 // src/commands/update.ts
-import { execSync as execSync9 } from "child_process";
+import { execSync as execSync8 } from "child_process";
+import { realpathSync } from "fs";
 import chalk9 from "chalk";
 function getLatestVersion() {
   try {
-    return execSync9("npm view thinkwork-cli version", {
+    return execSync8("npm view thinkwork-cli version", {
       encoding: "utf-8",
       timeout: 1e4,
       stdio: ["pipe", "pipe", "pipe"]
@@ -2040,13 +2002,17 @@ function getLatestVersion() {
 }
 function detectInstallMethod() {
   try {
-    const which = execSync9("which thinkwork", {
+    const which = execSync8("which thinkwork", {
       encoding: "utf-8",
       timeout: 5e3,
       stdio: ["pipe", "pipe", "pipe"]
     }).trim();
-    if (which.includes("Cellar") || which.includes("homebrew")) return "homebrew";
-    if (which.includes("node_modules") || which.includes("npm") || which.includes("nvm") || which.includes("fnm")) return "npm";
+    let resolved = which;
+    try {
+      resolved = realpathSync(which);
+    } catch {
+    }
+    if (resolved.includes("/Cellar/")) return "homebrew";
     return "npm";
   } catch {
     return "npm";
@@ -2096,7 +2062,7 @@ function registerUpdateCommand(program2) {
     console.log(chalk9.dim(`  $ ${cmd}`));
     console.log("");
     try {
-      execSync9(cmd, { stdio: "inherit", timeout: 12e4 });
+      execSync8(cmd, { stdio: "inherit", timeout: 12e4 });
       console.log("");
       console.log(chalk9.green(`  \u2713 Upgraded to thinkwork-cli@${latest}`));
     } catch {
@@ -2108,6 +2074,178 @@ function registerUpdateCommand(program2) {
   });
 }
 
+// src/commands/user.ts
+import { spawn as spawn3 } from "child_process";
+function getTerraformOutput2(cwd, key) {
+  return new Promise((resolve3, reject) => {
+    const proc = spawn3("terraform", ["output", "-raw", key], {
+      cwd,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (d) => stdout += d);
+    proc.stderr.on("data", (d) => stderr += d);
+    proc.on("close", (code) => {
+      if (code === 0) resolve3(stdout.trim());
+      else
+        reject(
+          new Error(
+            `terraform output ${key} failed (exit ${code}): ${stderr.trim() || "no stderr"}`
+          )
+        );
+    });
+  });
+}
+function runAwsCognitoReset(userPoolId, username, region) {
+  return new Promise((resolve3) => {
+    const args = [
+      "cognito-idp",
+      "admin-reset-user-password",
+      "--user-pool-id",
+      userPoolId,
+      "--username",
+      username,
+      "--output",
+      "json"
+    ];
+    if (region) args.push("--region", region);
+    const proc = spawn3("aws", args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (d) => stdout += d);
+    proc.stderr.on("data", (d) => stderr += d);
+    proc.on("close", (code) => resolve3({ code: code ?? 1, stdout, stderr }));
+  });
+}
+function registerUserCommand(program2) {
+  const user = program2.command("user").description("User-management utilities for a deployed Thinkwork stack");
+  user.command("invite <email>").description(
+    "Invite a teammate to a tenant. Creates the Cognito user (Cognito emails a temporary password) and adds them as a tenant member."
+  ).requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").option("--name <name>", "Display name for the invited user").option("--role <role>", "Tenant member role", "member").action(
+    async (email, opts) => {
+      const stageCheck = validateStage(opts.stage);
+      if (!stageCheck.valid) {
+        printError(stageCheck.error);
+        process.exit(1);
+      }
+      const trimmed = email.trim().toLowerCase();
+      if (!trimmed || !trimmed.includes("@")) {
+        printError(
+          `"${email}" doesn't look like an email address. Pass the user's sign-in email.`
+        );
+        process.exit(1);
+      }
+      const api = resolveApiConfig(opts.stage);
+      if (!api) process.exit(1);
+      printHeader("user invite", opts.stage);
+      console.log(`  Tenant: ${opts.tenant}`);
+      console.log(`  Email:  ${trimmed}`);
+      if (opts.name) console.log(`  Name:   ${opts.name}`);
+      console.log(`  Role:   ${opts.role}`);
+      console.log("");
+      try {
+        const result = await apiFetchRaw(
+          api.apiUrl,
+          api.authSecret,
+          `/api/tenants/${encodeURIComponent(opts.tenant)}/members`,
+          {
+            method: "POST",
+            body: JSON.stringify({
+              email: trimmed,
+              name: opts.name ?? null,
+              role: opts.role
+            })
+          }
+        );
+        if (!result.ok) {
+          const msg = result.body?.error || `HTTP ${result.status}`;
+          printError(`Invite failed: ${msg}`);
+          process.exit(1);
+        }
+        if (result.body.alreadyMember) {
+          printWarning(
+            `${trimmed} is already a member of "${opts.tenant}" (role: ${result.body.role}). No email sent.`
+          );
+          return;
+        }
+        printSuccess(
+          `Invited ${trimmed} to "${opts.tenant}" (role: ${result.body.role}). Cognito has emailed a temporary password; the user sets a new password on first sign-in.`
+        );
+      } catch (err) {
+        printError(
+          `Invite failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+        process.exit(1);
+      }
+    }
+  );
+  user.command("reset-password <email>").description(
+    "Trigger Cognito's forgot-password flow for a user (admin-initiated). Sends them a verification code email."
+  ).option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage").option(
+    "-r, --region <name>",
+    "AWS region (defaults to AWS CLI default / AWS_REGION)"
+  ).action(
+    async (email, opts) => {
+      const stageCheck = validateStage(opts.stage);
+      if (!stageCheck.valid) {
+        printError(stageCheck.error);
+        process.exit(1);
+      }
+      if (!email || !email.includes("@")) {
+        printError(
+          `"${email}" doesn't look like an email address. Pass the user's sign-in email.`
+        );
+        process.exit(1);
+      }
+      printHeader("user reset-password", opts.stage);
+      const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+      const cwd = resolveTierDir(terraformDir, opts.stage, "app");
+      await ensureInit(cwd);
+      await ensureWorkspace(cwd, opts.stage);
+      let userPoolId;
+      try {
+        userPoolId = await getTerraformOutput2(cwd, "user_pool_id");
+      } catch (err) {
+        printError(
+          `Failed to read user_pool_id from Terraform outputs. Is the stack deployed? ${err instanceof Error ? err.message : String(err)}`
+        );
+        process.exit(1);
+      }
+      if (!userPoolId) {
+        printError(
+          "user_pool_id output is empty \u2014 the stack may not be fully deployed."
+        );
+        process.exit(1);
+      }
+      console.log(`  User pool: ${userPoolId}`);
+      console.log(`  Email:     ${email}`);
+      console.log("");
+      const result = await runAwsCognitoReset(userPoolId, email, opts.region);
+      if (result.code === 0) {
+        printSuccess(
+          `Reset triggered for ${email}. Cognito has emailed a verification code; the user sets a new password on next sign-in.`
+        );
+        return;
+      }
+      if (result.stderr.includes("UserNotFoundException")) {
+        printError(
+          `No user found with email ${email} in pool ${userPoolId}. Check the address (case-insensitive) or that they've signed up.`
+        );
+      } else if (result.stderr.includes("NotAuthorizedException")) {
+        printError(
+          "Cognito rejected the call \u2014 your AWS credentials may not have cognito-idp:AdminResetUserPassword on this pool."
+        );
+      } else {
+        printError(
+          `admin-reset-user-password failed (exit ${result.code}): ${result.stderr.trim() || "no stderr"}`
+        );
+      }
+      process.exit(result.code);
+    }
+  );
+}
+
 // src/cli.ts
 var program = new Command();
 program.name("thinkwork").description(
@@ -2135,4 +2273,5 @@ registerConfigCommand(program);
 registerMcpCommand(program);
 registerToolsCommand(program);
 registerUpdateCommand(program);
+registerUserCommand(program);
 program.parse();

package/dist/terraform/examples/greenfield/main.tf

@@ -29,6 +29,10 @@ terraform {
       source  = "hashicorp/null"
       version = "~> 3.0"
     }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
   }
 
   backend "s3" {
@@ -44,6 +48,10 @@ provider "aws" {
   region = var.region
 }
 
+# Cloudflare provider reads its token from the CLOUDFLARE_API_TOKEN env var.
+# Never commit the token to tfvars or source control.
+provider "cloudflare" {}
+
 variable "stage" {
   description = "Deployment stage — must match the Terraform workspace name"
   type        = string
@@ -110,6 +118,46 @@ variable "api_auth_secret" {
   default     = ""
 }
 
+variable "www_domain" {
+  description = "Public website apex domain (e.g. thinkwork.ai). Leave empty to skip the custom domain and DNS wiring."
+  type        = string
+  default     = ""
+}
+
+variable "cloudflare_zone_id" {
+  description = "Cloudflare zone ID for var.www_domain. Non-secret. Required when www_domain is set."
+  type        = string
+  default     = ""
+}
+
+variable "ses_inbound_domain" {
+  description = "Subdomain for agent email (e.g. agents.thinkwork.ai). Terraform creates a delegated Route53 hosted zone, SES domain identity + DKIM, MX record, and receipt rule. Leave empty to skip SES inbound resources."
+  type        = string
+  default     = ""
+}
+
+variable "lastmile_tasks_api_url" {
+  description = <<-EOT
+    OPTIONAL fallback base URL for the LastMile Tasks REST API.
+
+    Prefer setting the URL per-tenant via the admin Connectors → LastMile
+    page (stored in webhooks.config.baseUrl); that value takes precedence.
+    This variable only fires when the per-tenant config is empty, and is
+    mainly useful for single-tenant dev stacks and bootstrap scenarios.
+
+    Leave blank (default) unless you specifically need the env-var
+    fallback. Example: https://api-dev.lastmile-tei.com.
+  EOT
+  type        = string
+  default     = ""
+}
+
+locals {
+  www_dns_enabled = var.www_domain != "" && var.cloudflare_zone_id != ""
+  docs_domain     = var.www_domain != "" ? "docs.${var.www_domain}" : ""
+  admin_domain    = var.www_domain != "" ? "admin.${var.www_domain}" : ""
+}
+
 module "thinkwork" {
   source = "../../modules/thinkwork"
 
@@ -126,9 +174,80 @@ module "thinkwork" {
   lambda_zips_dir            = var.lambda_zips_dir
   api_auth_secret            = var.api_auth_secret
 
+  # Public website custom domain (optional — wired only when www_domain is set)
+  www_domain          = var.www_domain
+  www_certificate_arn = local.www_dns_enabled ? module.www_dns[0].certificate_arn : ""
+
+  # Docs site custom domain (derived from www_domain — docs.<apex>). The
+  # same ACM cert covers apex + www + docs + admin so every distribution
+  # shares it.
+  docs_domain          = local.www_dns_enabled ? local.docs_domain : ""
+  docs_certificate_arn = local.www_dns_enabled ? module.www_dns[0].certificate_arn : ""
+
+  # Admin SPA custom domain (derived from www_domain — admin.<apex>).
+  admin_domain          = local.www_dns_enabled ? local.admin_domain : ""
+  admin_certificate_arn = local.www_dns_enabled ? module.www_dns[0].certificate_arn : ""
+
+  # SES inbound email subdomain (delegated Route53 subzone).
+  ses_inbound_domain = var.ses_inbound_domain
+
+  # LastMile Tasks REST API base URL — feature-flags the outbound task
+  # sync. Empty string keeps mobile-created tasks in sync_status='local'.
+  lastmile_tasks_api_url = var.lastmile_tasks_api_url
+
   # Greenfield: create everything (all defaults are true)
 }
 
+################################################################################
+# Public Website DNS (Cloudflare zone, ACM cert, www→apex redirect, docs)
+################################################################################
+
+module "www_dns" {
+  count  = local.www_dns_enabled ? 1 : 0
+  source = "../../modules/app/www-dns"
+
+  stage                  = var.stage
+  domain                 = var.www_domain
+  cloudflare_zone_id     = var.cloudflare_zone_id
+  cloudfront_domain_name = module.thinkwork.www_distribution_domain
+
+  # Docs: include_docs is a plain bool (no output reference) so the
+  # ACM cert SAN list doesn't depend on the docs distribution output,
+  # which itself depends on the cert. docs_cloudfront_domain_name is
+  # read only after the cert is created, for the CNAME record.
+  include_docs                = true
+  docs_cloudfront_domain_name = module.thinkwork.docs_distribution_domain
+
+  # Admin: same cycle-avoidance pattern.
+  include_admin                = true
+  admin_cloudfront_domain_name = module.thinkwork.admin_distribution_domain
+}
+
+################################################################################
+# SES Inbound DNS Delegation
+#
+# The ses-email module creates a Route53 hosted zone for var.ses_inbound_domain
+# (e.g. agents.thinkwork.ai). For the subzone to resolve, the parent zone
+# (thinkwork.ai at Cloudflare) must carry NS records pointing at the 4 AWS name
+# servers. New Route53 zones always return exactly 4 name servers, so we can
+# hardcode count = 4 without hitting "count value is not known" at plan time.
+#
+# Without this delegation, terraform creates the Route53 zone and the MX/DKIM
+# records inside it, but the outside world asks Cloudflare for agents.thinkwork.ai
+# and gets NXDOMAIN because Cloudflare doesn't know to delegate.
+################################################################################
+
+resource "cloudflare_record" "agents_ns" {
+  count = var.ses_inbound_domain != "" && var.cloudflare_zone_id != "" ? 4 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = var.ses_inbound_domain
+  content = module.thinkwork.ses_inbound_name_servers[count.index]
+  type    = "NS"
+  ttl     = 300
+  proxied = false
+}
+
 ################################################################################
 # Outputs
 ################################################################################
@@ -216,7 +335,7 @@ output "agentcore_memory_id" {
 
 output "admin_url" {
   description = "Admin app URL"
-  value       = "https://${module.thinkwork.admin_distribution_domain}"
+  value       = local.www_dns_enabled ? "https://${local.admin_domain}" : "https://${module.thinkwork.admin_distribution_domain}"
 }
 
 output "admin_distribution_id" {
@@ -231,7 +350,7 @@ output "admin_bucket_name" {
 
 output "docs_url" {
   description = "Docs site URL"
-  value       = "https://${module.thinkwork.docs_distribution_domain}"
+  value       = local.www_dns_enabled ? "https://${local.docs_domain}" : "https://${module.thinkwork.docs_distribution_domain}"
 }
 
 output "docs_distribution_id" {
@@ -243,3 +362,38 @@ output "docs_bucket_name" {
   description = "S3 bucket for docs site assets"
   value       = module.thinkwork.docs_bucket_name
 }
+
+output "www_url" {
+  description = "Public website URL"
+  value       = var.www_domain != "" ? "https://${var.www_domain}" : "https://${module.thinkwork.www_distribution_domain}"
+}
+
+output "www_distribution_id" {
+  description = "CloudFront distribution ID for the public website (for cache invalidation)"
+  value       = module.thinkwork.www_distribution_id
+}
+
+output "www_distribution_domain" {
+  description = "CloudFront distribution domain for the public website"
+  value       = module.thinkwork.www_distribution_domain
+}
+
+output "www_bucket_name" {
+  description = "S3 bucket for public website assets"
+  value       = module.thinkwork.www_bucket_name
+}
+
+output "ses_inbound_zone_id" {
+  description = "Route53 hosted zone ID for the email subdomain (null when ses_inbound_domain is not set)"
+  value       = module.thinkwork.ses_inbound_zone_id
+}
+
+output "ses_inbound_name_servers" {
+  description = "Name servers for the delegated email subzone. Paste these as NS records at the registrar that hosts the parent domain (Google Domains for thinkwork.ai) before SES can verify."
+  value       = module.thinkwork.ses_inbound_name_servers
+}
+
+output "ses_inbound_mx_target" {
+  description = "MX target host for the email subdomain. Already written into the subzone by Terraform — informational."
+  value       = module.thinkwork.ses_inbound_mx_target
+}

package/dist/terraform/examples/greenfield/terraform.tfvars.example

@@ -29,3 +29,13 @@ db_password = "CHANGE_ME_strong_password_here"
 
 # Pre-signup Lambda (optional — leave empty if not using custom pre-signup logic)
 # pre_signup_lambda_zip = "./lambdas/pre-signup.zip"
+
+# Public website (apps/www) custom domain.
+# Leave www_domain empty to skip the custom domain and serve on the raw
+# CloudFront URL. When set, you must also provide cloudflare_zone_id below —
+# the www-dns module creates the ACM cert, apex CNAME, and www→apex redirect.
+#
+# The Cloudflare API token is read from the CLOUDFLARE_API_TOKEN environment
+# variable. NEVER put the token in this file.
+# www_domain         = "thinkwork.ai"
+# cloudflare_zone_id = "your-cloudflare-zone-id"