thinkwork-cli 0.5.3 → 0.6.0

package/dist/terraform/modules/app/static-site/main.tf

@@ -33,6 +33,12 @@ variable "certificate_arn" {
   default     = ""
 }
 
+variable "is_spa" {
+  description = "When true, configure CloudFront for a single-page app: drop the directory-rewrite function and fall back to /index.html with 200 on 403/404 so the client router can handle deep links."
+  type        = bool
+  default     = false
+}
+
 ################################################################################
 # S3 Bucket
 ################################################################################
@@ -74,6 +80,11 @@ resource "aws_cloudfront_origin_access_control" "site" {
 #
 # S3 with OAC doesn't auto-serve index.html for subdirectory requests.
 # /getting-started/ → /getting-started/index.html
+#
+# Always created (so flipping is_spa on an existing distribution doesn't hit
+# CloudFront's "can't delete a function still associated with a distribution"
+# error), but the viewer-request association is only wired up for non-SPA
+# sites. For SPAs we rely on the 403/404 → /index.html fallback below.
 ################################################################################
 
 resource "aws_cloudfront_function" "rewrite" {
@@ -94,6 +105,19 @@ resource "aws_cloudfront_function" "rewrite" {
   EOF
 }
 
+locals {
+  # For SPAs, 403/404 from S3 means "not a real asset" — serve index.html with
+  # a 200 so the client router can resolve the route. For directory-style
+  # static sites, surface a real 404 page.
+  error_responses = var.is_spa ? [
+    { error_code = 403, response_code = 200, response_page_path = "/index.html" },
+    { error_code = 404, response_code = 200, response_page_path = "/index.html" },
+    ] : [
+    { error_code = 404, response_code = 404, response_page_path = "/404.html" },
+    { error_code = 403, response_code = 404, response_page_path = "/404.html" },
+  ]
+}
+
 ################################################################################
 # CloudFront Distribution
 ################################################################################
@@ -117,9 +141,12 @@ resource "aws_cloudfront_distribution" "site" {
     cached_methods         = ["GET", "HEAD"]
     compress               = true
 
-    function_association {
-      event_type   = "viewer-request"
-      function_arn = aws_cloudfront_function.rewrite.arn
+    dynamic "function_association" {
+      for_each = var.is_spa ? [] : [1]
+      content {
+        event_type   = "viewer-request"
+        function_arn = aws_cloudfront_function.rewrite.arn
+      }
     }
 
     forwarded_values {
@@ -130,17 +157,13 @@ resource "aws_cloudfront_distribution" "site" {
     }
   }
 
-  # Fallback for true 404s (e.g. deleted pages) — serve the 404 page
-  custom_error_response {
-    error_code         = 404
-    response_code      = 404
-    response_page_path = "/404.html"
-  }
-
-  custom_error_response {
-    error_code         = 403
-    response_code      = 404
-    response_page_path = "/404.html"
+  dynamic "custom_error_response" {
+    for_each = local.error_responses
+    content {
+      error_code         = custom_error_response.value.error_code
+      response_code      = custom_error_response.value.response_code
+      response_page_path = custom_error_response.value.response_page_path
+    }
   }
 
   restrictions {

package/dist/terraform/modules/app/www-dns/README.md

@@ -0,0 +1,39 @@
+# www-dns
+
+DNS + TLS wiring for the public website, using a Cloudflare-managed zone and an AWS ACM certificate.
+
+## What it creates
+
+1. ACM certificate in `us-east-1` covering the apex and `www` SAN, DNS-validated via Cloudflare records.
+2. Apex CNAME in Cloudflare pointing at the primary www CloudFront distribution (DNS-only, grey-cloud).
+3. S3 website-redirect bucket + a second CloudFront distribution that 301s `www.<domain>` → `https://<domain>`, plus its Cloudflare CNAME.
+
+## Why a second CloudFront distribution instead of a Cloudflare page rule
+
+The apex and www records must be **DNS-only** so CloudFront can terminate TLS with the ACM cert. DNS-only traffic bypasses Cloudflare's proxy, so Cloudflare page rules and transform rules never run. The redirect has to live at AWS. An S3 website bucket with `redirect_all_requests_to` is the cheapest, simplest thing that works.
+
+## Required environment
+
+- `CLOUDFLARE_API_TOKEN` — exported in the shell or CI environment. **Never** committed to tfvars. Rotate after anyone outside the deploy path sees it.
+
+## Usage (from greenfield example)
+
+```hcl
+provider "cloudflare" {
+  # token read from CLOUDFLARE_API_TOKEN env var
+}
+
+module "www_dns" {
+  source                 = "../../modules/app/www-dns"
+  stage                  = var.stage
+  domain                 = var.www_domain
+  cloudflare_zone_id     = var.cloudflare_zone_id
+  cloudfront_domain_name = module.thinkwork.www_distribution_domain
+}
+```
+
+Then pass `module.www_dns.certificate_arn` back into `module "thinkwork"` as `www_certificate_arn`.
+
+## First-apply ordering
+
+On a fresh apply, Terraform has to create the primary CloudFront distribution (via `module.thinkwork.www_site`) before this module can reference its domain name. Terraform's dependency graph handles that automatically. If you're applying after a `terraform destroy`, two `apply` passes are fine — the first resolves the cert + distributions, the second binds the apex CNAME once the CloudFront distribution has deployed.

package/dist/terraform/modules/app/www-dns/main.tf

@@ -0,0 +1,245 @@
+################################################################################
+# Public Website DNS + TLS (Cloudflare zone, AWS ACM cert, www→apex 301)
+#
+# Responsibilities:
+#   1. ACM certificate in us-east-1 covering apex + www
+#      (+ optional docs + optional admin).
+#   2. Cloudflare DNS records for ACM DNS validation.
+#   3. Apex CNAME in Cloudflare → primary CloudFront distribution (DNS-only).
+#   4. Second CloudFront distribution fronting an S3 website-redirect bucket
+#      that 301s www.<domain> → https://<domain>, plus its Cloudflare CNAME.
+#   5. Optional docs.<domain> CNAME → docs CloudFront distribution.
+#   6. Optional admin.<domain> CNAME → admin CloudFront distribution.
+#
+# Cloudflare records MUST be DNS-only (grey cloud). CloudFront terminates TLS
+# with the ACM cert and needs the real Host header.
+################################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
+  }
+}
+
+locals {
+  apex    = var.domain
+  www     = "www.${var.domain}"
+  docs    = "docs.${var.domain}"
+  admin   = "admin.${var.domain}"
+  name_id = replace(var.domain, ".", "-")
+
+  # ACM SANs: always include www, conditionally include docs and admin.
+  # Gated on plain bool vars (not on CloudFront outputs) to keep the
+  # dependency graph acyclic — distributions depend on the cert, so
+  # the cert mustn't depend on distribution outputs.
+  cert_sans = concat(
+    [local.www],
+    var.include_docs ? [local.docs] : [],
+    var.include_admin ? [local.admin] : [],
+  )
+
+  # CNAME records can only be created when we have the distribution
+  # domain to point at. Those inputs come after the cert is done, so
+  # they don't participate in the cert's dependency graph.
+  create_docs_record  = var.include_docs && var.docs_cloudfront_domain_name != ""
+  create_admin_record = var.include_admin && var.admin_cloudfront_domain_name != ""
+}
+
+################################################################################
+# ACM certificate (us-east-1, covers apex + www [+ docs])
+################################################################################
+
+resource "aws_acm_certificate" "www" {
+  domain_name               = local.apex
+  subject_alternative_names = local.cert_sans
+  validation_method         = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-${local.name_id}"
+  }
+}
+
+resource "cloudflare_record" "acm_validation" {
+  for_each = {
+    for dvo in aws_acm_certificate.www.domain_validation_options : dvo.domain_name => {
+      name  = dvo.resource_record_name
+      value = dvo.resource_record_value
+      type  = dvo.resource_record_type
+    }
+  }
+
+  zone_id = var.cloudflare_zone_id
+  name    = trimsuffix(each.value.name, ".")
+  content = trimsuffix(each.value.value, ".")
+  type    = each.value.type
+  ttl     = 60
+  proxied = false
+  comment = "ACM DNS validation for ${each.key}"
+}
+
+resource "aws_acm_certificate_validation" "www" {
+  certificate_arn         = aws_acm_certificate.www.arn
+  validation_record_fqdns = [for r in cloudflare_record.acm_validation : r.hostname]
+}
+
+################################################################################
+# Apex DNS → primary CloudFront distribution
+#
+# Cloudflare flattens apex CNAMEs automatically. proxied=false is required so
+# CloudFront sees the real Host header and the ACM cert matches.
+################################################################################
+
+resource "cloudflare_record" "apex" {
+  zone_id = var.cloudflare_zone_id
+  name    = local.apex
+  content = var.cloudfront_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} apex → CloudFront (www)"
+}
+
+################################################################################
+# www.<domain> → apex 301 redirect
+#
+# Uses an S3 website-redirect bucket (website endpoint, not REST). Fronted by
+# its own CloudFront distribution with the www alias and the same ACM cert.
+################################################################################
+
+resource "aws_s3_bucket" "www_redirect" {
+  bucket = "thinkwork-${var.stage}-www-redirect"
+
+  tags = {
+    Name = "thinkwork-${var.stage}-www-redirect"
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "www_redirect" {
+  bucket = aws_s3_bucket.www_redirect.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_website_configuration" "www_redirect" {
+  bucket = aws_s3_bucket.www_redirect.id
+
+  redirect_all_requests_to {
+    host_name = local.apex
+    protocol  = "https"
+  }
+}
+
+resource "aws_cloudfront_distribution" "www_redirect" {
+  enabled         = true
+  aliases         = [local.www]
+  price_class     = "PriceClass_100"
+  is_ipv6_enabled = true
+  comment         = "thinkwork-${var.stage}-www-redirect → ${local.apex}"
+
+  origin {
+    domain_name = aws_s3_bucket_website_configuration.www_redirect.website_endpoint
+    origin_id   = "s3-website-${aws_s3_bucket.www_redirect.id}"
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "http-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+  }
+
+  default_cache_behavior {
+    target_origin_id       = "s3-website-${aws_s3_bucket.www_redirect.id}"
+    viewer_protocol_policy = "redirect-to-https"
+    allowed_methods        = ["GET", "HEAD"]
+    cached_methods         = ["GET", "HEAD"]
+    compress               = true
+
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+
+    min_ttl     = 0
+    default_ttl = 3600
+    max_ttl     = 86400
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn      = aws_acm_certificate_validation.www.certificate_arn
+    ssl_support_method       = "sni-only"
+    minimum_protocol_version = "TLSv1.2_2021"
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-www-redirect"
+  }
+}
+
+resource "cloudflare_record" "www_redirect" {
+  zone_id = var.cloudflare_zone_id
+  name    = local.www
+  content = aws_cloudfront_distribution.www_redirect.domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} www → redirect distribution"
+}
+
+################################################################################
+# docs.<domain> → docs CloudFront distribution (optional)
+#
+# Created only when the greenfield stack wires docs_cloudfront_domain_name.
+# The docs CloudFront alias picks up the same ACM cert via certificate_arn
+# on the thinkwork module's docs_site.
+################################################################################
+
+resource "cloudflare_record" "docs" {
+  count = local.create_docs_record ? 1 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = local.docs
+  content = var.docs_cloudfront_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} docs → CloudFront"
+}
+
+################################################################################
+# admin.<domain> → admin CloudFront distribution (optional)
+################################################################################
+
+resource "cloudflare_record" "admin" {
+  count = local.create_admin_record ? 1 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = local.admin
+  content = var.admin_cloudfront_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} admin → CloudFront"
+}

package/dist/terraform/modules/app/www-dns/outputs.tf

@@ -0,0 +1,14 @@
+output "certificate_arn" {
+  description = "ACM certificate ARN (us-east-1) covering apex + www. Pass this to the static-site module via www_certificate_arn."
+  value       = aws_acm_certificate_validation.www.certificate_arn
+}
+
+output "www_redirect_distribution_id" {
+  description = "CloudFront distribution ID for the www→apex redirect"
+  value       = aws_cloudfront_distribution.www_redirect.id
+}
+
+output "www_redirect_distribution_domain" {
+  description = "CloudFront distribution domain for the www→apex redirect"
+  value       = aws_cloudfront_distribution.www_redirect.domain_name
+}

package/dist/terraform/modules/app/www-dns/variables.tf

@@ -0,0 +1,43 @@
+variable "stage" {
+  description = "Deployment stage (used for resource naming)"
+  type        = string
+}
+
+variable "domain" {
+  description = "Apex domain served by the public website (e.g. thinkwork.ai)"
+  type        = string
+}
+
+variable "cloudflare_zone_id" {
+  description = "Cloudflare zone ID for the apex domain. Non-secret; lives in tfvars."
+  type        = string
+}
+
+variable "cloudfront_domain_name" {
+  description = "CloudFront distribution domain name for the primary www site (e.g. d123.cloudfront.net). Passed in from the static-site module output."
+  type        = string
+}
+
+variable "include_docs" {
+  description = "When true, add docs.<domain> to the ACM cert SANs and create a Cloudflare CNAME for it. Separated from docs_cloudfront_domain_name to avoid a Terraform dependency cycle (distribution depends on cert, so the cert can't depend on the distribution output)."
+  type        = bool
+  default     = false
+}
+
+variable "docs_cloudfront_domain_name" {
+  description = "CloudFront distribution domain name for the docs site. Used as the target for the docs.<domain> Cloudflare CNAME when include_docs is true."
+  type        = string
+  default     = ""
+}
+
+variable "include_admin" {
+  description = "When true, add admin.<domain> to the ACM cert SANs and create a Cloudflare CNAME for it. Same cycle-avoidance rationale as include_docs."
+  type        = bool
+  default     = false
+}
+
+variable "admin_cloudfront_domain_name" {
+  description = "CloudFront distribution domain name for the admin SPA. Used as the target for the admin.<domain> Cloudflare CNAME when include_admin is true."
+  type        = string
+  default     = ""
+}

package/dist/terraform/modules/thinkwork/main.tf

@@ -13,10 +13,22 @@ locals {
   bucket_name = var.bucket_name != "" ? var.bucket_name : "thinkwork-${var.stage}-storage"
 
   # Hindsight is an optional add-on. Preferred toggle: var.enable_hindsight.
-  # For one release we also honor the deprecated var.memory_engine == "hindsight"
-  # so existing tfvars keep working. The CLI config command also auto-translates
-  # between the two. Remove the legacy branch in a future release.
+  # For one release we also honor the legacy var.memory_engine == "hindsight"
+  # so existing tfvars keep working.
   hindsight_enabled = var.enable_hindsight || var.memory_engine == "hindsight"
+
+  # Canonical long-term memory engine for this deployment. Exactly one engine
+  # is active per deployment for recall/inspect/export. Auto-selects from
+  # enable_hindsight when var.memory_engine is left empty so existing deploys
+  # keep working without config changes. Legacy value "managed" maps to
+  # "agentcore".
+  resolved_memory_engine = (
+    var.memory_engine == "hindsight" || var.memory_engine == "agentcore"
+    ? var.memory_engine
+    : var.memory_engine == "managed"
+    ? "agentcore"
+    : local.hindsight_enabled ? "hindsight" : "agentcore"
+  )
 }
 
 ################################################################################
@@ -66,11 +78,13 @@ module "cognito" {
 
   admin_callback_urls = concat(
     var.admin_callback_urls,
-    ["https://${module.admin_site.distribution_domain}", "https://${module.admin_site.distribution_domain}/auth/callback"]
+    ["https://${module.admin_site.distribution_domain}", "https://${module.admin_site.distribution_domain}/auth/callback"],
+    var.admin_domain != "" ? ["https://${var.admin_domain}", "https://${var.admin_domain}/auth/callback"] : []
   )
   admin_logout_urls = concat(
     var.admin_logout_urls,
-    ["https://${module.admin_site.distribution_domain}"]
+    ["https://${module.admin_site.distribution_domain}"],
+    var.admin_domain != "" ? ["https://${var.admin_domain}"] : []
   )
   mobile_callback_urls = var.mobile_callback_urls
   mobile_logout_urls   = var.mobile_logout_urls
@@ -174,10 +188,13 @@ module "api" {
   agentcore_function_arn  = module.agentcore.agentcore_function_arn
   hindsight_endpoint      = local.hindsight_enabled ? module.hindsight[0].hindsight_endpoint : ""
   agentcore_memory_id     = module.agentcore_memory.memory_id
+  memory_engine           = local.resolved_memory_engine
   admin_url               = "https://${module.admin_site.distribution_domain}"
   docs_url                = "https://${module.docs_site.distribution_domain}"
   appsync_realtime_url    = module.appsync.graphql_realtime_url
   ecr_repository_url      = module.agentcore.ecr_repository_url
+  job_scheduler_role_arn  = module.job_triggers.job_scheduler_role_arn
+  lastmile_tasks_api_url  = var.lastmile_tasks_api_url
 }
 
 ################################################################################
@@ -206,6 +223,7 @@ module "agentcore" {
 
   hindsight_endpoint  = local.hindsight_enabled ? module.hindsight[0].hindsight_endpoint : ""
   agentcore_memory_id = module.agentcore_memory.memory_id
+  memory_engine       = local.resolved_memory_engine
 }
 
 module "crons" {
@@ -239,8 +257,16 @@ module "hindsight" {
 module "ses" {
   source = "../app/ses-email"
 
-  stage      = var.stage
-  account_id = var.account_id
+  stage        = var.stage
+  account_id   = var.account_id
+  region       = var.region
+  email_domain = var.ses_inbound_domain
+
+  inbound_bucket_name   = module.s3.bucket_name
+  email_inbound_fn_arn  = module.api.email_inbound_fn_arn
+  email_inbound_fn_name = module.api.email_inbound_fn_name
+
+  manage_active_rule_set = var.ses_manage_active_rule_set
 }
 
 ################################################################################
@@ -250,8 +276,11 @@ module "ses" {
 module "admin_site" {
   source = "../app/static-site"
 
-  stage     = var.stage
-  site_name = "admin"
+  stage           = var.stage
+  site_name       = "admin"
+  is_spa          = true
+  custom_domain   = var.admin_domain
+  certificate_arn = var.admin_certificate_arn
 }
 
 ################################################################################
@@ -266,3 +295,17 @@ module "docs_site" {
   custom_domain   = var.docs_domain
   certificate_arn = var.docs_certificate_arn
 }
+
+################################################################################
+# Public Website (www)
+################################################################################
+
+module "www_site" {
+  source = "../app/static-site"
+
+  stage           = var.stage
+  site_name       = "www"
+  custom_domain   = var.www_domain
+  certificate_arn = var.www_certificate_arn
+  # is_spa defaults to false — SSG output, directory URIs get rewritten to index.html
+}

package/dist/terraform/modules/thinkwork/outputs.tf

@@ -127,3 +127,35 @@ output "docs_bucket_name" {
   description = "S3 bucket for docs site assets"
   value       = module.docs_site.bucket_name
 }
+
+# Public website (www)
+output "www_distribution_id" {
+  description = "CloudFront distribution ID for the public website"
+  value       = module.www_site.distribution_id
+}
+
+output "www_distribution_domain" {
+  description = "CloudFront domain for the public website"
+  value       = module.www_site.distribution_domain
+}
+
+output "www_bucket_name" {
+  description = "S3 bucket for the public website assets"
+  value       = module.www_site.bucket_name
+}
+
+# SES inbound email
+output "ses_inbound_zone_id" {
+  description = "Route53 hosted zone ID for the email subdomain (null when ses_inbound_domain is not set)"
+  value       = module.ses.zone_id
+}
+
+output "ses_inbound_name_servers" {
+  description = "Name servers for the delegated email subzone. Paste these as NS records at the registrar that hosts the parent domain (e.g. Google Domains) before SES can verify."
+  value       = module.ses.name_servers
+}
+
+output "ses_inbound_mx_target" {
+  description = "MX target host for the email subdomain. Terraform already writes this into the subzone — this output is informational."
+  value       = module.ses.mx_target
+}

package/dist/terraform/modules/thinkwork/variables.tf

@@ -145,13 +145,13 @@ variable "enable_hindsight" {
 }
 
 variable "memory_engine" {
-  description = "DEPRECATED. Use `enable_hindsight` instead. For backwards compatibility, setting this to 'hindsight' is equivalent to `enable_hindsight = true`. AgentCore managed memory is always on and cannot be disabled."
+  description = "Active long-term memory engine for canonical recall/inspect/export. Exactly one engine is authoritative per deployment. Accepted values: 'hindsight' (requires enable_hindsight = true), 'agentcore' (uses the always-on AgentCore managed memory). Legacy value 'managed' maps to 'agentcore'. Empty = auto-select: 'hindsight' when enable_hindsight = true, otherwise 'agentcore'."
   type        = string
   default     = ""
 
   validation {
-    condition     = var.memory_engine == "" || contains(["managed", "hindsight"], var.memory_engine)
-    error_message = "memory_engine (deprecated) must be empty, 'managed', or 'hindsight'. Prefer enable_hindsight instead."
+    condition     = var.memory_engine == "" || contains(["managed", "hindsight", "agentcore"], var.memory_engine)
+    error_message = "memory_engine must be empty, 'hindsight', 'agentcore', or legacy 'managed'."
   }
 }
 
@@ -261,3 +261,57 @@ variable "docs_certificate_arn" {
   type        = string
   default     = ""
 }
+
+# ---------------------------------------------------------------------------
+# Public website (custom domain — optional)
+# ---------------------------------------------------------------------------
+
+variable "www_domain" {
+  description = "Custom domain for the public website (e.g. thinkwork.ai). Leave empty for CloudFront default."
+  type        = string
+  default     = ""
+}
+
+variable "www_certificate_arn" {
+  description = "ACM certificate ARN for the www domain (us-east-1, required for CloudFront custom domains). Covers both the apex and www subdomain."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# Admin site (custom domain — optional)
+# ---------------------------------------------------------------------------
+
+variable "admin_domain" {
+  description = "Custom domain for the admin SPA (e.g. admin.thinkwork.ai). Leave empty for CloudFront default."
+  type        = string
+  default     = ""
+}
+
+variable "admin_certificate_arn" {
+  description = "ACM certificate ARN for the admin domain (us-east-1, required for CloudFront custom domains)."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# SES inbound email (delegated subzone — Option A)
+# ---------------------------------------------------------------------------
+
+variable "ses_inbound_domain" {
+  description = "Subdomain used for agent email (e.g. agents.thinkwork.ai). Terraform creates a delegated Route53 hosted zone for this name, manages the SES domain identity + DKIM CNAMEs + MX in that zone, and wires an SES receipt rule that stores inbound mail in S3 and invokes the email-inbound Lambda. Leave empty to skip all SES inbound resources. After first apply, paste the `ses_inbound_name_servers` output as NS records at whatever hosts the parent domain."
+  type        = string
+  default     = ""
+}
+
+variable "ses_manage_active_rule_set" {
+  description = "Activate the SES receipt rule set. Only ONE rule set can be active per region per AWS account; set false on secondary stages that share an account so they don't fight over activation."
+  type        = bool
+  default     = true
+}
+
+variable "lastmile_tasks_api_url" {
+  description = "Base URL of the LastMile Tasks REST API (e.g. https://api-dev.lastmile-tei.com for develop). Feature-flags the outbound task sync — leave blank to keep mobile-created tasks in sync_status='local'."
+  type        = string
+  default     = ""
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkwork-cli",
-  "version": "0.5.3",
+  "version": "0.6.0",
   "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
   "license": "MIT",
   "type": "module",