thinkwork-cli 0.5.4 → 0.6.1

package/dist/cli.js

@@ -9,6 +9,30 @@ var require2 = createRequire(import.meta.url);
 var pkg = require2("../package.json");
 var VERSION = pkg.version;
 
+// src/cli-config.ts
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { homedir } from "os";
+import { dirname, join } from "path";
+function getCliConfigPath(override) {
+  return override ?? join(homedir(), ".thinkwork", "config.json");
+}
+function loadCliConfig(pathOverride) {
+  const path2 = getCliConfigPath(pathOverride);
+  if (!existsSync(path2)) return {};
+  try {
+    return JSON.parse(readFileSync(path2, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveCliConfig(next, pathOverride) {
+  const path2 = getCliConfigPath(pathOverride);
+  const dir = dirname(path2);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+  const merged = { ...loadCliConfig(pathOverride), ...next };
+  writeFileSync(path2, JSON.stringify(merged, null, 2) + "\n");
+}
+
 // src/config.ts
 var VALID_COMPONENTS = ["foundation", "data", "app", "all"];
 var PROD_LIKE_STAGES = ["main", "prod", "production", "staging"];
@@ -76,23 +100,23 @@ function getAwsIdentity() {
 
 // src/terraform.ts
 import { spawn } from "child_process";
-import { existsSync } from "fs";
+import { existsSync as existsSync2 } from "fs";
 import path from "path";
 function resolveTierDir(terraformDir, stage, tier) {
   const envDir = path.join(terraformDir, "environments", stage, tier);
-  if (existsSync(envDir)) {
+  if (existsSync2(envDir)) {
     return envDir;
   }
   const greenfield = path.join(terraformDir, "examples", "greenfield");
-  if (existsSync(greenfield)) {
+  if (existsSync2(greenfield)) {
     return greenfield;
   }
   const flat = path.join(terraformDir);
-  if (existsSync(path.join(flat, "main.tf"))) {
+  if (existsSync2(path.join(flat, "main.tf"))) {
     return flat;
   }
   const cwdTf = path.join(process.cwd(), "terraform");
-  if (existsSync(path.join(cwdTf, "main.tf"))) {
+  if (existsSync2(path.join(cwdTf, "main.tf"))) {
     return cwdTf;
   }
   return terraformDir;
@@ -136,7 +160,7 @@ function runTerraform(cwd, args) {
 }
 async function ensureInit(cwd) {
   const dotTerraform = path.join(cwd, ".terraform");
-  if (!existsSync(dotTerraform)) {
+  if (!existsSync2(dotTerraform)) {
     const code = await runTerraform(cwd, ["init"]);
     if (code !== 0) {
       throw new Error("terraform init failed");
@@ -485,58 +509,58 @@ function registerOutputsCommand(program2) {
 }
 
 // src/commands/config.ts
-import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync3 } from "fs";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4 } from "fs";
 import chalk3 from "chalk";
 
 // src/environments.ts
-import { existsSync as existsSync2, mkdirSync, writeFileSync, readFileSync, readdirSync } from "fs";
-import { join } from "path";
-import { homedir } from "os";
-var THINKWORK_HOME = join(homedir(), ".thinkwork");
-var ENVIRONMENTS_DIR = join(THINKWORK_HOME, "environments");
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, writeFileSync as writeFileSync2, readFileSync as readFileSync2, readdirSync } from "fs";
+import { join as join2 } from "path";
+import { homedir as homedir2 } from "os";
+var THINKWORK_HOME = join2(homedir2(), ".thinkwork");
+var ENVIRONMENTS_DIR = join2(THINKWORK_HOME, "environments");
 function ensureDir(dir) {
-  if (!existsSync2(dir)) mkdirSync(dir, { recursive: true });
+  if (!existsSync3(dir)) mkdirSync2(dir, { recursive: true });
 }
 function saveEnvironment(config) {
   ensureDir(ENVIRONMENTS_DIR);
-  const envDir = join(ENVIRONMENTS_DIR, config.stage);
+  const envDir = join2(ENVIRONMENTS_DIR, config.stage);
   ensureDir(envDir);
-  writeFileSync(
-    join(envDir, "config.json"),
+  writeFileSync2(
+    join2(envDir, "config.json"),
     JSON.stringify(config, null, 2) + "\n"
   );
 }
 function loadEnvironment(stage) {
-  const configPath = join(ENVIRONMENTS_DIR, stage, "config.json");
-  if (!existsSync2(configPath)) return null;
-  return JSON.parse(readFileSync(configPath, "utf-8"));
+  const configPath = join2(ENVIRONMENTS_DIR, stage, "config.json");
+  if (!existsSync3(configPath)) return null;
+  return JSON.parse(readFileSync2(configPath, "utf-8"));
 }
 function listEnvironments() {
-  if (!existsSync2(ENVIRONMENTS_DIR)) return [];
+  if (!existsSync3(ENVIRONMENTS_DIR)) return [];
   return readdirSync(ENVIRONMENTS_DIR).filter((name) => {
-    return existsSync2(join(ENVIRONMENTS_DIR, name, "config.json"));
+    return existsSync3(join2(ENVIRONMENTS_DIR, name, "config.json"));
   }).map((name) => {
     return JSON.parse(
-      readFileSync(join(ENVIRONMENTS_DIR, name, "config.json"), "utf-8")
+      readFileSync2(join2(ENVIRONMENTS_DIR, name, "config.json"), "utf-8")
     );
   }).sort((a, b) => a.stage.localeCompare(b.stage));
 }
 function resolveTerraformDir(stage) {
   const env = loadEnvironment(stage);
-  if (env?.terraformDir && existsSync2(env.terraformDir)) {
+  if (env?.terraformDir && existsSync3(env.terraformDir)) {
     return env.terraformDir;
   }
   const envVar = process.env.THINKWORK_TERRAFORM_DIR;
-  if (envVar && existsSync2(envVar)) return envVar;
-  const cwdTf = join(process.cwd(), "terraform");
-  if (existsSync2(join(cwdTf, "main.tf"))) return cwdTf;
+  if (envVar && existsSync3(envVar)) return envVar;
+  const cwdTf = join2(process.cwd(), "terraform");
+  if (existsSync3(join2(cwdTf, "main.tf"))) return cwdTf;
   return null;
 }
 
 // src/commands/config.ts
 function readTfVar(tfvarsPath, key) {
-  if (!existsSync3(tfvarsPath)) return null;
-  const content = readFileSync2(tfvarsPath, "utf-8");
+  if (!existsSync4(tfvarsPath)) return null;
+  const content = readFileSync3(tfvarsPath, "utf-8");
   const quoted = content.match(new RegExp(`^${key}\\s*=\\s*"([^"]*)"`, "m"));
   if (quoted) return quoted[1];
   const bare = content.match(new RegExp(`^${key}\\s*=\\s*([^\\s#]+)`, "m"));
@@ -544,10 +568,10 @@ function readTfVar(tfvarsPath, key) {
 }
 var BARE_KEYS = /* @__PURE__ */ new Set(["enable_hindsight"]);
 function setTfVar(tfvarsPath, key, value) {
-  if (!existsSync3(tfvarsPath)) {
+  if (!existsSync4(tfvarsPath)) {
     throw new Error(`terraform.tfvars not found at ${tfvarsPath}`);
   }
-  let content = readFileSync2(tfvarsPath, "utf-8");
+  let content = readFileSync3(tfvarsPath, "utf-8");
   const bare = BARE_KEYS.has(key);
   const newLine = bare ? `${key} = ${value}` : `${key} = "${value}"`;
   const existingRegex = new RegExp(`^${key}\\s*=\\s*(?:"[^"]*"|[^\\s#]+)`, "m");
@@ -558,13 +582,13 @@ function setTfVar(tfvarsPath, key, value) {
 ${newLine}
 `;
   }
-  writeFileSync2(tfvarsPath, content);
+  writeFileSync3(tfvarsPath, content);
 }
 function resolveTfvarsPath(stage) {
   const tfDir = resolveTerraformDir(stage);
   if (tfDir) {
     const direct = `${tfDir}/terraform.tfvars`;
-    if (existsSync3(direct)) return direct;
+    if (existsSync4(direct)) return direct;
   }
   const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
   const cwd = resolveTierDir(terraformDir, stage, "app");
@@ -591,10 +615,10 @@ function registerConfigCommand(program2) {
       console.log(`  ${chalk3.bold("Updated:")}         ${env.updatedAt}`);
       console.log(chalk3.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
       const tfvarsPath = `${env.terraformDir}/terraform.tfvars`;
-      if (existsSync3(tfvarsPath)) {
+      if (existsSync4(tfvarsPath)) {
         console.log("");
         console.log(chalk3.dim("  terraform.tfvars:"));
-        const content = readFileSync2(tfvarsPath, "utf-8");
+        const content = readFileSync3(tfvarsPath, "utf-8");
         for (const line of content.split("\n")) {
           if (line.trim() && !line.trim().startsWith("#")) {
             const masked = line.replace(
@@ -752,8 +776,8 @@ function registerBootstrapCommand(program2) {
       bucket = await getTerraformOutput(cwd, "bucket_name");
       dbEndpoint = await getTerraformOutput(cwd, "db_cluster_endpoint");
       const secretArn = await getTerraformOutput(cwd, "db_secret_arn");
-      const { execSync: execSync10 } = await import("child_process");
-      const secretJson = execSync10(
+      const { execSync: execSync9 } = await import("child_process");
+      const secretJson = execSync9(
         `aws secretsmanager get-secret-value --secret-id "${secretArn}" --query SecretString --output text`,
         { encoding: "utf-8" }
       ).trim();
@@ -778,12 +802,89 @@ function registerBootstrapCommand(program2) {
 // src/commands/login.ts
 import { execSync as execSync4 } from "child_process";
 import { createInterface as createInterface2 } from "readline";
+import chalk5 from "chalk";
+
+// src/aws-profiles.ts
+import { existsSync as existsSync5, readFileSync as readFileSync4 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join3 } from "path";
+var CREDENTIALS_PATH = join3(homedir3(), ".aws", "credentials");
+var CONFIG_PATH = join3(homedir3(), ".aws", "config");
+function parseIni(content) {
+  const sections = {};
+  let current = null;
+  for (const rawLine of content.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
+    const header = line.match(/^\[(.+)\]$/);
+    if (header) {
+      current = header[1].trim();
+      sections[current] ??= {};
+      continue;
+    }
+    if (!current) continue;
+    const eq = line.indexOf("=");
+    if (eq === -1) continue;
+    const key = line.slice(0, eq).trim();
+    const value = line.slice(eq + 1).trim();
+    sections[current][key] = value;
+  }
+  return sections;
+}
+function normalizeConfigSection(section) {
+  if (section === "default") return "default";
+  if (section.startsWith("profile ")) return section.slice("profile ".length).trim();
+  return null;
+}
+function classify(fields) {
+  if (fields.aws_access_key_id) return "keys";
+  if (fields.sso_start_url || fields.sso_session || fields.sso_account_id || fields.sso_role_name) {
+    return "sso";
+  }
+  if (fields.role_arn || fields.source_profile || fields.credential_source) {
+    return "role";
+  }
+  return "other";
+}
+function listAwsProfiles() {
+  const byName = /* @__PURE__ */ new Map();
+  if (existsSync5(CREDENTIALS_PATH)) {
+    const sections = parseIni(readFileSync4(CREDENTIALS_PATH, "utf-8"));
+    for (const [section, fields] of Object.entries(sections)) {
+      byName.set(section, {
+        name: section,
+        source: "credentials",
+        type: classify(fields)
+      });
+    }
+  }
+  if (existsSync5(CONFIG_PATH)) {
+    const sections = parseIni(readFileSync4(CONFIG_PATH, "utf-8"));
+    for (const [section, fields] of Object.entries(sections)) {
+      const name = normalizeConfigSection(section);
+      if (!name) continue;
+      const existing = byName.get(name);
+      const type = classify(fields);
+      if (existing) {
+        byName.set(name, {
+          ...existing,
+          source: "both",
+          // Prefer the more specific type if one side says "other".
+          type: existing.type === "other" ? type : existing.type
+        });
+      } else {
+        byName.set(name, { name, source: "config", type });
+      }
+    }
+  }
+  return [...byName.values()].sort((a, b) => a.name.localeCompare(b.name));
+}
 
 // src/prerequisites.ts
 import { execSync as execSync3 } from "child_process";
-import { mkdirSync as mkdirSync2, createWriteStream, chmodSync } from "fs";
-import { join as join2 } from "path";
-import { homedir as homedir2, platform, arch } from "os";
+import { mkdirSync as mkdirSync3, createWriteStream, chmodSync } from "fs";
+import { join as join4 } from "path";
+import { homedir as homedir4, platform, arch } from "os";
 import chalk4 from "chalk";
 function run(cmd, opts) {
   try {
@@ -815,14 +916,14 @@ async function ensureAwsCli() {
   }
   if (os === "linux") {
     try {
-      const tmpDir = join2(homedir2(), ".thinkwork", "tmp");
-      mkdirSync2(tmpDir, { recursive: true });
-      const zipPath = join2(tmpDir, "awscliv2.zip");
+      const tmpDir = join4(homedir4(), ".thinkwork", "tmp");
+      mkdirSync3(tmpDir, { recursive: true });
+      const zipPath = join4(tmpDir, "awscliv2.zip");
       console.log("    Downloading AWS CLI...");
       run(`curl -sL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "${zipPath}"`);
       run(`cd "${tmpDir}" && unzip -qo "${zipPath}"`);
-      run(`"${tmpDir}/aws/install" --install-dir "${homedir2()}/.thinkwork/aws-cli" --bin-dir "${homedir2()}/.local/bin" --update`);
-      process.env.PATH = `${homedir2()}/.local/bin:${process.env.PATH}`;
+      run(`"${tmpDir}/aws/install" --install-dir "${homedir4()}/.thinkwork/aws-cli" --bin-dir "${homedir4()}/.local/bin" --update`);
+      process.env.PATH = `${homedir4()}/.local/bin:${process.env.PATH}`;
       if (isInstalled("aws")) {
         console.log(`  ${chalk4.green("\u2713")} AWS CLI installed to ~/.local/bin/aws`);
         return true;
@@ -832,9 +933,9 @@ async function ensureAwsCli() {
   }
   if (os === "darwin") {
     try {
-      const tmpDir = join2(homedir2(), ".thinkwork", "tmp");
-      mkdirSync2(tmpDir, { recursive: true });
-      const pkgPath = join2(tmpDir, "AWSCLIV2.pkg");
+      const tmpDir = join4(homedir4(), ".thinkwork", "tmp");
+      mkdirSync3(tmpDir, { recursive: true });
+      const pkgPath = join4(tmpDir, "AWSCLIV2.pkg");
       console.log("    Downloading AWS CLI...");
       run(`curl -sL "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "${pkgPath}"`);
       run(`installer -pkg "${pkgPath}" -target CurrentUserHomeDirectory 2>/dev/null || sudo installer -pkg "${pkgPath}" -target /`);
@@ -865,15 +966,15 @@ async function ensureTerraform() {
   const archName = arch() === "arm64" ? "arm64" : "amd64";
   const url = `https://releases.hashicorp.com/terraform/${tfVersion}/terraform_${tfVersion}_${osName}_${archName}.zip`;
   try {
-    const tmpDir = join2(homedir2(), ".thinkwork", "tmp");
-    const binDir = join2(homedir2(), ".local", "bin");
-    mkdirSync2(tmpDir, { recursive: true });
-    mkdirSync2(binDir, { recursive: true });
-    const zipPath = join2(tmpDir, "terraform.zip");
+    const tmpDir = join4(homedir4(), ".thinkwork", "tmp");
+    const binDir = join4(homedir4(), ".local", "bin");
+    mkdirSync3(tmpDir, { recursive: true });
+    mkdirSync3(binDir, { recursive: true });
+    const zipPath = join4(tmpDir, "terraform.zip");
     console.log(`    Downloading Terraform ${tfVersion}...`);
     run(`curl -sL "${url}" -o "${zipPath}"`);
     run(`unzip -qo "${zipPath}" -d "${binDir}"`);
-    chmodSync(join2(binDir, "terraform"), 493);
+    chmodSync(join4(binDir, "terraform"), 493);
     if (!process.env.PATH?.includes(binDir)) {
       process.env.PATH = `${binDir}:${process.env.PATH}`;
     }
@@ -910,93 +1011,212 @@ function ask(prompt2) {
     });
   });
 }
+function verifyProfile(profile) {
+  try {
+    const raw = execSync4(
+      `aws sts get-caller-identity --profile ${profile} --output json`,
+      { encoding: "utf-8", timeout: 15e3, stdio: ["pipe", "pipe", "pipe"] }
+    );
+    const parsed = JSON.parse(raw);
+    return { account: parsed.Account, arn: parsed.Arn };
+  } catch {
+    return null;
+  }
+}
+function describeType(type) {
+  switch (type) {
+    case "keys":
+      return "access keys";
+    case "sso":
+      return "SSO";
+    case "role":
+      return "assumed role";
+    default:
+      return "config only";
+  }
+}
+async function pickProfile(profiles) {
+  console.log("");
+  console.log(chalk5.bold("  Found these profiles in ~/.aws:"));
+  profiles.forEach((p, i) => {
+    const idx = String(i + 1).padStart(2, " ");
+    console.log(
+      `    ${chalk5.cyan(idx)}. ${chalk5.bold(p.name)}  ${chalk5.dim(`(${describeType(p.type)})`)}`
+    );
+  });
+  const newIdx = profiles.length + 1;
+  const ssoIdx = profiles.length + 2;
+  console.log(
+    `    ${chalk5.cyan(String(newIdx).padStart(2, " "))}. Enter new access keys`
+  );
+  console.log(
+    `    ${chalk5.cyan(String(ssoIdx).padStart(2, " "))}. Log in via AWS SSO`
+  );
+  console.log("");
+  const answer = await ask(`  Pick a profile [1-${ssoIdx}] (Enter to cancel): `);
+  if (!answer) return { kind: "cancel" };
+  const n = Number.parseInt(answer, 10);
+  if (Number.isNaN(n) || n < 1 || n > ssoIdx) {
+    printError(`"${answer}" is not a valid option.`);
+    return { kind: "cancel" };
+  }
+  if (n === newIdx) return { kind: "keys" };
+  if (n === ssoIdx) return { kind: "sso" };
+  return { kind: "existing", name: profiles[n - 1].name };
+}
+async function runKeyEntry(targetProfile) {
+  console.log("");
+  console.log("  Enter your AWS credentials. These will be saved to the");
+  console.log(`  AWS CLI profile "${targetProfile}".`);
+  console.log("");
+  const accessKeyId = await ask("  AWS Access Key ID: ");
+  if (!accessKeyId) {
+    printError("Access Key ID is required");
+    return false;
+  }
+  const secretAccessKey = await ask("  AWS Secret Access Key: ");
+  if (!secretAccessKey) {
+    printError("Secret Access Key is required");
+    return false;
+  }
+  const region = await ask("  Default region [us-east-1]: ");
+  const finalRegion = region || "us-east-1";
+  try {
+    execSync4(
+      `aws configure set aws_access_key_id "${accessKeyId}" --profile ${targetProfile}`,
+      { stdio: "pipe" }
+    );
+    execSync4(
+      `aws configure set aws_secret_access_key "${secretAccessKey}" --profile ${targetProfile}`,
+      { stdio: "pipe" }
+    );
+    execSync4(
+      `aws configure set region "${finalRegion}" --profile ${targetProfile}`,
+      { stdio: "pipe" }
+    );
+    return true;
+  } catch (err) {
+    printError(`Failed to save credentials: ${err}`);
+    return false;
+  }
+}
+function runSsoLogin(targetProfile) {
+  console.log("  Launching AWS SSO login...");
+  console.log("");
+  try {
+    execSync4(`aws sso login --profile ${targetProfile}`, { stdio: "inherit" });
+    return true;
+  } catch {
+    printError(
+      `SSO login failed. Run \`aws configure sso --profile ${targetProfile}\` first to set up the profile.`
+    );
+    return false;
+  }
+}
+function finalize(profile, mode) {
+  const identity = getAwsIdentity();
+  if (!identity) {
+    printError(
+      `Credentials saved but could not verify with profile "${profile}". Try \`aws sts get-caller-identity --profile ${profile}\`.`
+    );
+    process.exit(1);
+  }
+  saveCliConfig({ defaultProfile: profile });
+  printSuccess(
+    `Logged in via ${mode} (account: ${identity.account}, region: ${identity.region})`
+  );
+  console.log("");
+  console.log(
+    `  Profile "${profile}" saved as your Thinkwork default. Subsequent commands`
+  );
+  console.log(
+    `  (\`thinkwork list\`, \`thinkwork deploy\`, \u2026) will use it automatically.`
+  );
+  console.log(
+    chalk5.dim(
+      `  Override per-command with --profile <other>, or unset with \`rm ~/.thinkwork/config.json\`.`
+    )
+  );
+}
 function registerLoginCommand(program2) {
-  program2.command("login").description("Configure AWS credentials for Thinkwork deployments").option("--profile <name>", "AWS profile name to configure", "thinkwork").option("--sso", "Use AWS SSO (Identity Center) login").action(async (opts) => {
+  program2.command("login").description(
+    "Configure AWS credentials for Thinkwork. Picks from existing ~/.aws profiles by default; falls back to new keys or SSO."
+  ).option(
+    "--profile <name>",
+    "AWS profile name to configure (used when entering new keys or SSO)",
+    "thinkwork"
+  ).option("--sso", "Skip the picker and go straight to SSO login").option("--keys", "Skip the picker and go straight to access-key entry").action(async (opts) => {
     printHeader("login", opts.profile);
     const awsOk = await ensureAwsCli();
-    if (!awsOk) {
-      process.exit(1);
+    if (!awsOk) process.exit(1);
+    if (opts.sso) {
+      if (!runSsoLogin(opts.profile)) process.exit(1);
+      process.env.AWS_PROFILE = opts.profile;
+      finalize(opts.profile, "SSO");
+      return;
+    }
+    if (opts.keys) {
+      if (!await runKeyEntry(opts.profile)) process.exit(1);
+      process.env.AWS_PROFILE = opts.profile;
+      finalize(opts.profile, "access keys");
+      return;
     }
-    const existing = getAwsIdentity();
-    if (existing) {
-      console.log(`  Already authenticated:`);
-      console.log(`    Account: ${existing.account}`);
-      console.log(`    Region:  ${existing.region}`);
-      console.log(`    ARN:     ${existing.arn}`);
+    const profiles = listAwsProfiles();
+    if (profiles.length === 0) {
       console.log("");
-      const reauth = await ask("  Re-authenticate? [y/N] ");
-      if (reauth.toLowerCase() !== "y") {
-        printSuccess("Using existing credentials");
-        return;
-      }
+      console.log(chalk5.dim("  No AWS profiles found in ~/.aws/."));
+      console.log(
+        chalk5.dim("  Falling through to access-key entry for a new profile.")
+      );
+      if (!await runKeyEntry(opts.profile)) process.exit(1);
+      process.env.AWS_PROFILE = opts.profile;
+      finalize(opts.profile, "access keys");
+      return;
     }
-    if (opts.sso) {
-      console.log("  Launching AWS SSO login...");
+    const choice = await pickProfile(profiles);
+    if (choice.kind === "cancel") {
       console.log("");
-      try {
-        execSync4(`aws sso login --profile ${opts.profile}`, {
-          stdio: "inherit"
-        });
-        process.env.AWS_PROFILE = opts.profile;
-        const identity2 = getAwsIdentity();
-        if (identity2) {
-          printSuccess(`Logged in via SSO (account: ${identity2.account}, region: ${identity2.region})`);
-        } else {
-          printError("SSO login succeeded but could not verify identity");
-        }
-      } catch {
-        printError("SSO login failed. Run `aws configure sso` first to set up your SSO profile.");
-      }
+      console.log(chalk5.dim("  Cancelled. No changes made."));
       return;
     }
-    console.log("  Enter your AWS credentials. These will be saved to the");
-    console.log(`  AWS CLI profile "${opts.profile}".`);
-    console.log("");
-    const accessKeyId = await ask("  AWS Access Key ID: ");
-    if (!accessKeyId) {
-      printError("Access Key ID is required");
-      process.exit(1);
+    if (choice.kind === "keys") {
+      if (!await runKeyEntry(opts.profile)) process.exit(1);
+      process.env.AWS_PROFILE = opts.profile;
+      finalize(opts.profile, "access keys");
+      return;
     }
-    const secretAccessKey = await ask("  AWS Secret Access Key: ");
-    if (!secretAccessKey) {
-      printError("Secret Access Key is required");
-      process.exit(1);
+    if (choice.kind === "sso") {
+      if (!runSsoLogin(opts.profile)) process.exit(1);
+      process.env.AWS_PROFILE = opts.profile;
+      finalize(opts.profile, "SSO");
+      return;
     }
-    const region = await ask("  Default region [us-east-1]: ");
-    const finalRegion = region || "us-east-1";
-    try {
-      execSync4(`aws configure set aws_access_key_id "${accessKeyId}" --profile ${opts.profile}`, { stdio: "pipe" });
-      execSync4(`aws configure set aws_secret_access_key "${secretAccessKey}" --profile ${opts.profile}`, { stdio: "pipe" });
-      execSync4(`aws configure set region "${finalRegion}" --profile ${opts.profile}`, { stdio: "pipe" });
-    } catch (err) {
-      printError(`Failed to save credentials: ${err}`);
+    const picked = choice.name;
+    console.log("");
+    console.log(`  Verifying "${picked}"...`);
+    const identity = verifyProfile(picked);
+    if (!identity) {
+      printError(
+        `Could not authenticate with profile "${picked}". If it's an SSO profile, try \`aws sso login --profile ${picked}\` first.`
+      );
       process.exit(1);
     }
-    process.env.AWS_PROFILE = opts.profile;
-    const identity = getAwsIdentity();
-    if (identity) {
-      printSuccess(`Logged in (account: ${identity.account}, region: ${identity.region})`);
-      console.log("");
-      console.log(`  Profile saved as "${opts.profile}". Use it with:`);
-      console.log(`    thinkwork deploy -s dev --profile ${opts.profile}`);
-      console.log(`    export AWS_PROFILE=${opts.profile}`);
-    } else {
-      printError("Credentials saved but could not verify. Check your Access Key ID and Secret.");
-    }
+    process.env.AWS_PROFILE = picked;
+    finalize(picked, "existing profile");
   });
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync5, mkdirSync as mkdirSync3, writeFileSync as writeFileSync3, cpSync } from "fs";
-import { resolve as resolve2, join as join3, dirname } from "path";
+import { existsSync as existsSync7, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4, cpSync } from "fs";
+import { resolve as resolve2, join as join5, dirname as dirname2 } from "path";
 import { execSync as execSync5 } from "child_process";
 import { fileURLToPath } from "url";
 import { createInterface as createInterface3 } from "readline";
-import chalk5 from "chalk";
-var __dirname = dirname(fileURLToPath(import.meta.url));
+import chalk6 from "chalk";
+var __dirname = dirname2(fileURLToPath(import.meta.url));
 function ask2(prompt2, defaultVal = "") {
   const rl = createInterface3({ input: process.stdin, output: process.stdout });
-  const suffix = defaultVal ? chalk5.dim(` [${defaultVal}]`) : "";
+  const suffix = defaultVal ? chalk6.dim(` [${defaultVal}]`) : "";
   return new Promise((resolve3) => {
     rl.question(`  ${prompt2}${suffix}: `, (answer) => {
       rl.close();
@@ -1005,7 +1225,7 @@ function ask2(prompt2, defaultVal = "") {
   });
 }
 function choose(prompt2, options, defaultVal) {
-  const optStr = options.map((o) => o === defaultVal ? chalk5.bold(o) : chalk5.dim(o)).join(" / ");
+  const optStr = options.map((o) => o === defaultVal ? chalk6.bold(o) : chalk6.dim(o)).join(" / ");
   return ask2(`${prompt2} (${optStr})`, defaultVal);
 }
 function generateSecret(length = 32) {
@@ -1018,9 +1238,9 @@ function generateSecret(length = 32) {
 }
 function findBundledTerraform() {
   const bundled = resolve2(__dirname, "terraform");
-  if (existsSync5(join3(bundled, "modules"))) return bundled;
+  if (existsSync7(join5(bundled, "modules"))) return bundled;
   const repoTf = resolve2(__dirname, "..", "..", "..", "terraform");
-  if (existsSync5(join3(repoTf, "modules"))) return repoTf;
+  if (existsSync7(join5(repoTf, "modules"))) return repoTf;
   throw new Error(
     "Terraform modules not found. The CLI package may be incomplete.\nTry reinstalling: npm install -g thinkwork-cli@latest"
   );
@@ -1090,9 +1310,9 @@ function registerInitCommand(program2) {
       process.exit(1);
     }
     const targetDir = resolve2(opts.dir);
-    const tfDir = join3(targetDir, "terraform");
-    const tfvarsPath = join3(tfDir, "terraform.tfvars");
-    if (existsSync5(tfvarsPath)) {
+    const tfDir = join5(targetDir, "terraform");
+    const tfvarsPath = join5(tfDir, "terraform.tfvars");
+    if (existsSync7(tfvarsPath)) {
       printWarning(`terraform.tfvars already exists at ${tfvarsPath}`);
       const overwrite = await ask2("Overwrite?", "N");
       if (overwrite.toLowerCase() !== "y") {
@@ -1116,21 +1336,21 @@ function registerInitCommand(program2) {
       config.admin_url = "http://localhost:5174";
       config.mobile_scheme = "thinkwork";
     } else {
-      console.log(chalk5.bold("  Configure your Thinkwork environment\n"));
+      console.log(chalk6.bold("  Configure your Thinkwork environment\n"));
       const defaultRegion = identity.region !== "unknown" ? identity.region : "us-east-1";
       config.region = await ask2("AWS Region", defaultRegion);
       console.log("");
-      console.log(chalk5.dim("  \u2500\u2500 Database \u2500\u2500"));
+      console.log(chalk6.dim("  \u2500\u2500 Database \u2500\u2500"));
       config.database_engine = await choose("Database engine", ["aurora-serverless", "rds-postgres"], "aurora-serverless");
       console.log("");
-      console.log(chalk5.dim("  \u2500\u2500 Memory \u2500\u2500"));
-      console.log(chalk5.dim("  AgentCore managed memory is always on (automatic retention)."));
-      console.log(chalk5.dim("  Hindsight is an optional add-on: ECS Fargate service for"));
-      console.log(chalk5.dim("  semantic + entity-graph retrieval (~$75/mo)."));
+      console.log(chalk6.dim("  \u2500\u2500 Memory \u2500\u2500"));
+      console.log(chalk6.dim("  AgentCore managed memory is always on (automatic retention)."));
+      console.log(chalk6.dim("  Hindsight is an optional add-on: ECS Fargate service for"));
+      console.log(chalk6.dim("  semantic + entity-graph retrieval (~$75/mo)."));
       const hindsightAnswer = await ask2("Enable Hindsight long-term memory add-on? (y/N)", "N");
       config.enable_hindsight = hindsightAnswer.toLowerCase() === "y" ? "true" : "false";
       console.log("");
-      console.log(chalk5.dim("  \u2500\u2500 Auth \u2500\u2500"));
+      console.log(chalk6.dim("  \u2500\u2500 Auth \u2500\u2500"));
       const useGoogle = await ask2("Enable Google OAuth login? (y/N)", "N");
       if (useGoogle.toLowerCase() === "y") {
         config.google_oauth_client_id = await ask2("Google OAuth Client ID");
@@ -1140,13 +1360,13 @@ function registerInitCommand(program2) {
         config.google_oauth_client_secret = "";
       }
       console.log("");
-      console.log(chalk5.dim("  \u2500\u2500 Frontend URLs \u2500\u2500"));
+      console.log(chalk6.dim("  \u2500\u2500 Frontend URLs \u2500\u2500"));
       config.admin_url = await ask2("Admin UI URL", "http://localhost:5174");
       config.mobile_scheme = await ask2("Mobile app URL scheme", "thinkwork");
       console.log("");
-      console.log(chalk5.dim("  \u2500\u2500 Secrets (auto-generated) \u2500\u2500"));
-      console.log(chalk5.dim(`  DB password:     ${config.db_password.slice(0, 8)}...`));
-      console.log(chalk5.dim(`  API auth secret: ${config.api_auth_secret.slice(0, 16)}...`));
+      console.log(chalk6.dim("  \u2500\u2500 Secrets (auto-generated) \u2500\u2500"));
+      console.log(chalk6.dim(`  DB password:     ${config.db_password.slice(0, 8)}...`));
+      console.log(chalk6.dim(`  API auth secret: ${config.api_auth_secret.slice(0, 16)}...`));
     }
     console.log("");
     console.log("  Scaffolding Terraform modules...");
@@ -1157,24 +1377,24 @@ function registerInitCommand(program2) {
       printError(String(err));
       process.exit(1);
     }
-    mkdirSync3(tfDir, { recursive: true });
+    mkdirSync4(tfDir, { recursive: true });
     const copyDirs = ["modules", "examples"];
     for (const dir of copyDirs) {
-      const src = join3(bundledTf, dir);
-      const dst = join3(tfDir, dir);
-      if (existsSync5(src) && !existsSync5(dst)) {
+      const src = join5(bundledTf, dir);
+      const dst = join5(tfDir, dir);
+      if (existsSync7(src) && !existsSync7(dst)) {
         cpSync(src, dst, { recursive: true });
       }
     }
-    const schemaPath = join3(bundledTf, "schema.graphql");
-    if (existsSync5(schemaPath) && !existsSync5(join3(tfDir, "schema.graphql"))) {
-      cpSync(schemaPath, join3(tfDir, "schema.graphql"));
+    const schemaPath = join5(bundledTf, "schema.graphql");
+    if (existsSync7(schemaPath) && !existsSync7(join5(tfDir, "schema.graphql"))) {
+      cpSync(schemaPath, join5(tfDir, "schema.graphql"));
     }
     const tfvars = buildTfvars(config);
-    writeFileSync3(tfvarsPath, tfvars);
-    const mainTfPath = join3(tfDir, "main.tf");
-    if (!existsSync5(mainTfPath)) {
-      writeFileSync3(mainTfPath, `################################################################################
+    writeFileSync4(tfvarsPath, tfvars);
+    const mainTfPath = join5(tfDir, "main.tf");
+    if (!existsSync7(mainTfPath)) {
+      writeFileSync4(mainTfPath, `################################################################################
 # Thinkwork \u2014 ${config.stage}
 # Generated by: thinkwork init -s ${config.stage}
 ################################################################################
@@ -1351,17 +1571,17 @@ output "agentcore_memory_id" {
 }
 `);
     }
-    console.log(`  Wrote ${chalk5.cyan(tfDir + "/")}`);
+    console.log(`  Wrote ${chalk6.cyan(tfDir + "/")}`);
     console.log("");
-    console.log(chalk5.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-    console.log(`  ${chalk5.bold("Stage:")}           ${config.stage}`);
-    console.log(`  ${chalk5.bold("Region:")}          ${config.region}`);
-    console.log(`  ${chalk5.bold("Account:")}         ${config.account_id}`);
-    console.log(`  ${chalk5.bold("Database:")}        ${config.database_engine}`);
-    console.log(`  ${chalk5.bold("Memory:")}          managed (always on)${config.enable_hindsight === "true" ? " + hindsight" : ""}`);
-    console.log(`  ${chalk5.bold("Google OAuth:")}    ${config.google_oauth_client_id ? "enabled" : "disabled"}`);
-    console.log(`  ${chalk5.bold("Directory:")}       ${tfDir}`);
-    console.log(chalk5.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    console.log(chalk6.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+    console.log(`  ${chalk6.bold("Stage:")}           ${config.stage}`);
+    console.log(`  ${chalk6.bold("Region:")}          ${config.region}`);
+    console.log(`  ${chalk6.bold("Account:")}         ${config.account_id}`);
+    console.log(`  ${chalk6.bold("Database:")}        ${config.database_engine}`);
+    console.log(`  ${chalk6.bold("Memory:")}          managed (always on)${config.enable_hindsight === "true" ? " + hindsight" : ""}`);
+    console.log(`  ${chalk6.bold("Google OAuth:")}    ${config.google_oauth_client_id ? "enabled" : "disabled"}`);
+    console.log(`  ${chalk6.bold("Directory:")}       ${tfDir}`);
+    console.log(chalk6.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
     console.log("\n  Initializing Terraform...\n");
     try {
       execSync5("terraform init", { cwd: tfDir, stdio: "inherit" });
@@ -1383,17 +1603,17 @@ output "agentcore_memory_id" {
     printSuccess(`Environment "${opts.stage}" initialized`);
     console.log("");
     console.log("  Next steps:");
-    console.log(`    ${chalk5.cyan("1.")} thinkwork plan -s ${opts.stage}        ${chalk5.dim("# Review infrastructure plan")}`);
-    console.log(`    ${chalk5.cyan("2.")} thinkwork deploy -s ${opts.stage}       ${chalk5.dim("# Deploy to AWS (~5 min)")}`);
-    console.log(`    ${chalk5.cyan("3.")} thinkwork bootstrap -s ${opts.stage}    ${chalk5.dim("# Seed workspace files + skills")}`);
-    console.log(`    ${chalk5.cyan("4.")} thinkwork outputs -s ${opts.stage}      ${chalk5.dim("# Show API URL, Cognito IDs, etc.")}`);
+    console.log(`    ${chalk6.cyan("1.")} thinkwork plan -s ${opts.stage}        ${chalk6.dim("# Review infrastructure plan")}`);
+    console.log(`    ${chalk6.cyan("2.")} thinkwork deploy -s ${opts.stage}       ${chalk6.dim("# Deploy to AWS (~5 min)")}`);
+    console.log(`    ${chalk6.cyan("3.")} thinkwork bootstrap -s ${opts.stage}    ${chalk6.dim("# Seed workspace files + skills")}`);
+    console.log(`    ${chalk6.cyan("4.")} thinkwork outputs -s ${opts.stage}      ${chalk6.dim("# Show API URL, Cognito IDs, etc.")}`);
     console.log("");
   });
 }
 
 // src/commands/status.ts
 import { execSync as execSync6 } from "child_process";
-import chalk6 from "chalk";
+import chalk7 from "chalk";
 function link(url, label) {
   const text = label || url;
   return `\x1B]8;;${url}\x1B\\${text}\x1B]8;;\x1B\\`;
@@ -1491,45 +1711,47 @@ function discoverAwsStages(region) {
   return stages;
 }
 function printStageDetail(info) {
-  console.log(chalk6.bold.cyan(`  \u2B21 ${info.stage}`));
-  console.log(chalk6.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
-  console.log(`  ${chalk6.bold("Source:")}          ${info.source === "both" ? "AWS + local config" : info.source === "aws" ? "AWS (no local config)" : "local only (not in AWS)"}`);
-  console.log(`  ${chalk6.bold("Region:")}          ${info.region}`);
-  console.log(`  ${chalk6.bold("Account:")}         ${info.accountId}`);
-  console.log(`  ${chalk6.bold("Lambda fns:")}      ${info.lambdaCount || "\u2014"}`);
-  console.log(`  ${chalk6.bold("AgentCore:")}       ${info.agentcoreStatus || "unknown"}`);
-  console.log(`  ${chalk6.bold("Memory:")}          managed (always on)`);
+  console.log(chalk7.bold.cyan(`  \u2B21 ${info.stage}`));
+  console.log(chalk7.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(`  ${chalk7.bold("Source:")}          ${info.source === "both" ? "AWS + local config" : info.source === "aws" ? "AWS (no local config)" : "local only (not in AWS)"}`);
+  console.log(`  ${chalk7.bold("Region:")}          ${info.region}`);
+  console.log(`  ${chalk7.bold("Account:")}         ${info.accountId}`);
+  console.log(`  ${chalk7.bold("Lambda fns:")}      ${info.lambdaCount || "\u2014"}`);
+  console.log(`  ${chalk7.bold("AgentCore:")}       ${info.agentcoreStatus || "unknown"}`);
+  console.log(`  ${chalk7.bold("Memory:")}          managed (always on)`);
   const hindsightLabel = info.hindsightEnabled === void 0 ? "unknown" : info.hindsightEnabled ? info.hindsightHealth || "running" : "disabled";
-  console.log(`  ${chalk6.bold("Hindsight:")}       ${hindsightLabel}`);
-  if (info.bucketName) console.log(`  ${chalk6.bold("S3 bucket:")}       ${info.bucketName}`);
-  if (info.dbEndpoint) console.log(`  ${chalk6.bold("Database:")}        ${info.dbEndpoint}`);
-  if (info.ecrUrl) console.log(`  ${chalk6.bold("ECR:")}             ${info.ecrUrl}`);
+  console.log(`  ${chalk7.bold("Hindsight:")}       ${hindsightLabel}`);
+  if (info.bucketName) console.log(`  ${chalk7.bold("S3 bucket:")}       ${info.bucketName}`);
+  if (info.dbEndpoint) console.log(`  ${chalk7.bold("Database:")}        ${info.dbEndpoint}`);
+  if (info.ecrUrl) console.log(`  ${chalk7.bold("ECR:")}             ${info.ecrUrl}`);
   console.log("");
-  console.log(chalk6.bold("  URLs:"));
+  console.log(chalk7.bold("  URLs:"));
   if (info.adminUrl) console.log(`    Admin:     ${link(info.adminUrl)}`);
   if (info.docsUrl) console.log(`    Docs:      ${link(info.docsUrl)}`);
   if (info.apiEndpoint) console.log(`    API:       ${link(info.apiEndpoint)}`);
   if (info.appsyncApiUrl) console.log(`    AppSync:   ${link(info.appsyncApiUrl)}`);
   if (info.appsyncUrl) console.log(`    WebSocket: ${link(info.appsyncUrl)}`);
   if (info.hindsightEndpoint) console.log(`    Hindsight: ${link(info.hindsightEndpoint)}`);
-  console.log(chalk6.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log(chalk7.dim("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
   const local = loadEnvironment(info.stage);
   if (local) {
-    console.log(chalk6.dim(`  Terraform dir: ${local.terraformDir}`));
+    console.log(chalk7.dim(`  Terraform dir: ${local.terraformDir}`));
   } else {
-    console.log(chalk6.dim(`  No local config. Run: thinkwork init -s ${info.stage}`));
+    console.log(chalk7.dim(`  No local config. Run: thinkwork init -s ${info.stage}`));
   }
   console.log("");
 }
 function registerStatusCommand(program2) {
-  program2.command("status").description("Show all Thinkwork environments (AWS + local)").option("-s, --stage <name>", "Show details for a specific stage").option("--region <region>", "AWS region to scan", "us-east-1").action(async (opts) => {
+  program2.command("status").alias("list").alias("ls").description(
+    "Show all Thinkwork environments / deployments (AWS + local). Aliases: list, ls"
+  ).option("-s, --stage <name>", "Show details for a specific stage").option("--region <region>", "AWS region to scan", "us-east-1").action(async (opts) => {
     const identity = getAwsIdentity();
     printHeader("status", opts.stage || "all", identity);
     if (!identity) {
       printError("AWS credentials not configured. Run `thinkwork login` first.");
       process.exit(1);
     }
-    console.log(chalk6.dim("  Scanning AWS account for Thinkwork deployments...\n"));
+    console.log(chalk7.dim("  Scanning AWS account for Thinkwork deployments...\n"));
     const awsStages = discoverAwsStages(opts.region);
     const localEnvs = listEnvironments();
     const merged = /* @__PURE__ */ new Map();
@@ -1564,7 +1786,7 @@ function registerStatusCommand(program2) {
     }
     if (merged.size === 0) {
       console.log("  No Thinkwork environments found.");
-      console.log(`  Run ${chalk6.cyan("thinkwork init -s <stage>")} to create one.`);
+      console.log(`  Run ${chalk7.cyan("thinkwork init -s <stage>")} to create one.`);
       console.log("");
       return;
     }
@@ -1575,12 +1797,14 @@ function registerStatusCommand(program2) {
 }
 
 // src/commands/mcp.ts
-import { readFileSync as readFileSync3, existsSync as existsSync6 } from "fs";
+import chalk8 from "chalk";
+
+// src/api-client.ts
+import { readFileSync as readFileSync5, existsSync as existsSync8 } from "fs";
 import { execSync as execSync7 } from "child_process";
-import chalk7 from "chalk";
 function readTfVar2(tfvarsPath, key) {
-  if (!existsSync6(tfvarsPath)) return null;
-  const content = readFileSync3(tfvarsPath, "utf-8");
+  if (!existsSync8(tfvarsPath)) return null;
+  const content = readFileSync5(tfvarsPath, "utf-8");
   const match = content.match(new RegExp(`^${key}\\s*=\\s*"([^"]*)"`, "m"));
   return match ? match[1] : null;
 }
@@ -1588,7 +1812,7 @@ function resolveTfvarsPath2(stage) {
   const tfDir = resolveTerraformDir(stage);
   if (tfDir) {
     const direct = `${tfDir}/terraform.tfvars`;
-    if (existsSync6(direct)) return direct;
+    if (existsSync8(direct)) return direct;
   }
   const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
   const cwd = resolveTierDir(terraformDir, stage, "app");
@@ -1621,6 +1845,19 @@ async function apiFetch(apiUrl, authSecret, path2, options = {}, extraHeaders =
   }
   return res.json();
 }
+async function apiFetchRaw(apiUrl, authSecret, path2, options = {}, extraHeaders = {}) {
+  const res = await fetch(`${apiUrl}${path2}`, {
+    ...options,
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${authSecret}`,
+      ...extraHeaders,
+      ...options.headers
+    }
+  });
+  const body = await res.json().catch(() => ({}));
+  return { ok: res.ok, status: res.status, body };
+}
 function resolveApiConfig(stage) {
   const tfvarsPath = resolveTfvarsPath2(stage);
   const authSecret = readTfVar2(tfvarsPath, "api_auth_secret");
@@ -1631,11 +1868,15 @@ function resolveApiConfig(stage) {
   const region = readTfVar2(tfvarsPath, "region") || "us-east-1";
   const apiUrl = getApiEndpoint(stage, region);
   if (!apiUrl) {
-    printError(`Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`);
+    printError(
+      `Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`
+    );
     return null;
   }
   return { apiUrl, authSecret };
 }
+
+// src/commands/mcp.ts
 function registerMcpCommand(program2) {
   const mcp = program2.command("mcp").description("Manage MCP servers for your tenant");
   mcp.command("list").description("List registered MCP servers").requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").action(async (opts) => {
@@ -1650,14 +1891,14 @@ function registerMcpCommand(program2) {
     try {
       const { servers } = await apiFetch(api.apiUrl, api.authSecret, "/api/skills/mcp-servers", {}, { "x-tenant-slug": opts.tenant });
       if (!servers || servers.length === 0) {
-        console.log(chalk7.dim("  No MCP servers registered."));
+        console.log(chalk8.dim("  No MCP servers registered."));
         return;
       }
       console.log("");
       for (const s of servers) {
-        const status = s.enabled ? chalk7.green("enabled") : chalk7.dim("disabled");
+        const status = s.enabled ? chalk8.green("enabled") : chalk8.dim("disabled");
         const authLabel = s.authType === "per_user_oauth" ? `OAuth (${s.oauthProvider})` : s.authType === "tenant_api_key" ? "API Key" : "none";
-        console.log(`  ${chalk7.bold(s.name)}  ${chalk7.dim(s.slug)}  ${status}`);
+        console.log(`  ${chalk8.bold(s.name)}  ${chalk8.dim(s.slug)}  ${status}`);
         console.log(`    URL:       ${s.url}`);
         console.log(`    Transport: ${s.transport}`);
         console.log(`    Auth:      ${authLabel}`);
@@ -1732,11 +1973,11 @@ function registerMcpCommand(program2) {
       if (result.ok) {
         printSuccess("Connection successful.");
         if (result.tools?.length) {
-          console.log(chalk7.bold(`
+          console.log(chalk8.bold(`
   Discovered tools (${result.tools.length}):
 `));
           for (const t of result.tools) {
-            console.log(`    ${chalk7.cyan(t.name)}${t.description ? chalk7.dim(` - ${t.description}`) : ""}`);
+            console.log(`    ${chalk8.cyan(t.name)}${t.description ? chalk8.dim(` - ${t.description}`) : ""}`);
           }
           console.log("");
         } else {
@@ -1791,68 +2032,8 @@ function registerMcpCommand(program2) {
 }
 
 // src/commands/tools.ts
-import { readFileSync as readFileSync4, existsSync as existsSync7 } from "fs";
-import { execSync as execSync8 } from "child_process";
 import { createInterface as createInterface4 } from "readline";
-import chalk8 from "chalk";
-function readTfVar3(tfvarsPath, key) {
-  if (!existsSync7(tfvarsPath)) return null;
-  const content = readFileSync4(tfvarsPath, "utf-8");
-  const match = content.match(new RegExp(`^${key}\\s*=\\s*"([^"]*)"`, "m"));
-  return match ? match[1] : null;
-}
-function resolveTfvarsPath3(stage) {
-  const tfDir = resolveTerraformDir(stage);
-  if (tfDir) {
-    const direct = `${tfDir}/terraform.tfvars`;
-    if (existsSync7(direct)) return direct;
-  }
-  const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
-  const cwd = resolveTierDir(terraformDir, stage, "app");
-  return `${cwd}/terraform.tfvars`;
-}
-function getApiEndpoint2(stage, region) {
-  try {
-    const raw = execSync8(
-      `aws apigatewayv2 get-apis --region ${region} --query "Items[?Name=='thinkwork-${stage}-api'].ApiEndpoint|[0]" --output text`,
-      { encoding: "utf-8", timeout: 15e3, stdio: ["pipe", "pipe", "pipe"] }
-    ).trim();
-    return raw && raw !== "None" ? raw : null;
-  } catch {
-    return null;
-  }
-}
-async function apiFetch2(apiUrl, authSecret, path2, options = {}, extraHeaders = {}) {
-  const res = await fetch(`${apiUrl}${path2}`, {
-    ...options,
-    headers: {
-      "Content-Type": "application/json",
-      Authorization: `Bearer ${authSecret}`,
-      ...extraHeaders,
-      ...options.headers
-    }
-  });
-  if (!res.ok) {
-    const body = await res.json().catch(() => ({}));
-    throw new Error(body.error || `HTTP ${res.status}`);
-  }
-  return res.json();
-}
-function resolveApiConfig2(stage) {
-  const tfvarsPath = resolveTfvarsPath3(stage);
-  const authSecret = readTfVar3(tfvarsPath, "api_auth_secret");
-  if (!authSecret) {
-    printError(`Cannot read api_auth_secret from ${tfvarsPath}`);
-    return null;
-  }
-  const region = readTfVar3(tfvarsPath, "region") || "us-east-1";
-  const apiUrl = getApiEndpoint2(stage, region);
-  if (!apiUrl) {
-    printError(`Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`);
-    return null;
-  }
-  return { apiUrl, authSecret };
-}
+import chalk9 from "chalk";
 function prompt(question) {
   const rl = createInterface4({ input: process.stdin, output: process.stdout });
   return new Promise((resolve3) => {
@@ -1873,11 +2054,11 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     printHeader("tools list", opts.stage);
     try {
-      const { tools: rows } = await apiFetch2(
+      const { tools: rows } = await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools",
@@ -1885,16 +2066,16 @@ function registerToolsCommand(program2) {
         { "x-tenant-slug": opts.tenant }
       );
       if (!rows || rows.length === 0) {
-        console.log(chalk8.dim("  No built-in tools configured."));
-        console.log(chalk8.dim("  Try: thinkwork tools web-search set --tenant <slug> -s <stage>"));
+        console.log(chalk9.dim("  No built-in tools configured."));
+        console.log(chalk9.dim("  Try: thinkwork tools web-search set --tenant <slug> -s <stage>"));
         return;
       }
       console.log("");
       for (const r of rows) {
-        const status = r.enabled ? chalk8.green("enabled") : chalk8.dim("disabled");
-        const key = r.hasSecret ? chalk8.green("yes") : chalk8.red("no");
-        const provider = r.provider ?? chalk8.dim("\u2014");
-        console.log(`  ${chalk8.bold(r.toolSlug)}  ${status}`);
+        const status = r.enabled ? chalk9.green("enabled") : chalk9.dim("disabled");
+        const key = r.hasSecret ? chalk9.green("yes") : chalk9.red("no");
+        const provider = r.provider ?? chalk9.dim("\u2014");
+        console.log(`  ${chalk9.bold(r.toolSlug)}  ${status}`);
         console.log(`    Provider:  ${provider}`);
         console.log(`    Has key:   ${key}`);
         if (r.lastTestedAt) {
@@ -1914,7 +2095,7 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     let provider = opts.provider;
     if (!provider) {
@@ -1933,7 +2114,7 @@ function registerToolsCommand(program2) {
       process.exit(1);
     }
     try {
-      await apiFetch2(
+      await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools/web-search",
@@ -1956,11 +2137,11 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     printHeader("tools web-search test", opts.stage);
     try {
-      const result = await apiFetch2(
+      const result = await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools/web-search/test",
@@ -1984,10 +2165,10 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     try {
-      await apiFetch2(
+      await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools/web-search",
@@ -2006,10 +2187,10 @@ function registerToolsCommand(program2) {
       printError(check.error);
       process.exit(1);
     }
-    const api = resolveApiConfig2(opts.stage);
+    const api = resolveApiConfig(opts.stage);
     if (!api) process.exit(1);
     try {
-      await apiFetch2(
+      await apiFetch(
         api.apiUrl,
         api.authSecret,
         "/api/skills/builtin-tools/web-search",
@@ -2025,12 +2206,12 @@ function registerToolsCommand(program2) {
 }
 
 // src/commands/update.ts
-import { execSync as execSync9 } from "child_process";
+import { execSync as execSync8 } from "child_process";
 import { realpathSync } from "fs";
-import chalk9 from "chalk";
+import chalk10 from "chalk";
 function getLatestVersion() {
   try {
-    return execSync9("npm view thinkwork-cli version", {
+    return execSync8("npm view thinkwork-cli version", {
       encoding: "utf-8",
       timeout: 1e4,
       stdio: ["pipe", "pipe", "pipe"]
@@ -2041,7 +2222,7 @@ function getLatestVersion() {
 }
 function detectInstallMethod() {
   try {
-    const which = execSync9("which thinkwork", {
+    const which = execSync8("which thinkwork", {
       encoding: "utf-8",
       timeout: 5e3,
       stdio: ["pipe", "pipe", "pipe"]
@@ -2069,28 +2250,28 @@ function compareVersions(a, b) {
 function registerUpdateCommand(program2) {
   program2.command("update").description("Check for and install CLI updates").option("--check", "Only check for updates, don't install").action(async (opts) => {
     printHeader("update", "", null);
-    console.log(`  Current version: ${chalk9.bold(VERSION)}`);
+    console.log(`  Current version: ${chalk10.bold(VERSION)}`);
     const latest = getLatestVersion();
     if (!latest) {
-      console.log(chalk9.yellow("  Could not check npm registry for updates."));
+      console.log(chalk10.yellow("  Could not check npm registry for updates."));
       return;
     }
-    console.log(`  Latest version:  ${chalk9.bold(latest)}`);
+    console.log(`  Latest version:  ${chalk10.bold(latest)}`);
     console.log("");
     const cmp = compareVersions(VERSION, latest);
     if (cmp >= 0) {
-      console.log(chalk9.green("  \u2713 You're on the latest version."));
+      console.log(chalk10.green("  \u2713 You're on the latest version."));
       console.log("");
       return;
     }
-    console.log(chalk9.cyan(`  Update available: ${VERSION} \u2192 ${latest}`));
+    console.log(chalk10.cyan(`  Update available: ${VERSION} \u2192 ${latest}`));
     console.log("");
     if (opts.check) {
       const method2 = detectInstallMethod();
       if (method2 === "homebrew") {
-        console.log(`  Run: ${chalk9.cyan("brew upgrade thinkwork-ai/tap/thinkwork")}`);
+        console.log(`  Run: ${chalk10.cyan("brew upgrade thinkwork-ai/tap/thinkwork")}`);
       } else {
-        console.log(`  Run: ${chalk9.cyan(`npm install -g thinkwork-cli@${latest}`)}`);
+        console.log(`  Run: ${chalk10.cyan(`npm install -g thinkwork-cli@${latest}`)}`);
       }
       console.log("");
       return;
@@ -2098,21 +2279,193 @@ function registerUpdateCommand(program2) {
     const method = detectInstallMethod();
     const cmd = method === "homebrew" ? "brew upgrade thinkwork-ai/tap/thinkwork" : `npm install -g thinkwork-cli@${latest}`;
     console.log(`  Installing via ${method}...`);
-    console.log(chalk9.dim(`  $ ${cmd}`));
+    console.log(chalk10.dim(`  $ ${cmd}`));
     console.log("");
     try {
-      execSync9(cmd, { stdio: "inherit", timeout: 12e4 });
+      execSync8(cmd, { stdio: "inherit", timeout: 12e4 });
       console.log("");
-      console.log(chalk9.green(`  \u2713 Upgraded to thinkwork-cli@${latest}`));
+      console.log(chalk10.green(`  \u2713 Upgraded to thinkwork-cli@${latest}`));
     } catch {
       console.log("");
-      console.log(chalk9.red(`  Failed to upgrade. Try manually:`));
-      console.log(`    ${chalk9.cyan(cmd)}`);
+      console.log(chalk10.red(`  Failed to upgrade. Try manually:`));
+      console.log(`    ${chalk10.cyan(cmd)}`);
     }
     console.log("");
   });
 }
 
+// src/commands/user.ts
+import { spawn as spawn3 } from "child_process";
+function getTerraformOutput2(cwd, key) {
+  return new Promise((resolve3, reject) => {
+    const proc = spawn3("terraform", ["output", "-raw", key], {
+      cwd,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (d) => stdout += d);
+    proc.stderr.on("data", (d) => stderr += d);
+    proc.on("close", (code) => {
+      if (code === 0) resolve3(stdout.trim());
+      else
+        reject(
+          new Error(
+            `terraform output ${key} failed (exit ${code}): ${stderr.trim() || "no stderr"}`
+          )
+        );
+    });
+  });
+}
+function runAwsCognitoReset(userPoolId, username, region) {
+  return new Promise((resolve3) => {
+    const args = [
+      "cognito-idp",
+      "admin-reset-user-password",
+      "--user-pool-id",
+      userPoolId,
+      "--username",
+      username,
+      "--output",
+      "json"
+    ];
+    if (region) args.push("--region", region);
+    const proc = spawn3("aws", args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout.on("data", (d) => stdout += d);
+    proc.stderr.on("data", (d) => stderr += d);
+    proc.on("close", (code) => resolve3({ code: code ?? 1, stdout, stderr }));
+  });
+}
+function registerUserCommand(program2) {
+  const user = program2.command("user").description("User-management utilities for a deployed Thinkwork stack");
+  user.command("invite <email>").description(
+    "Invite a teammate to a tenant. Creates the Cognito user (Cognito emails a temporary password) and adds them as a tenant member."
+  ).requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").option("--name <name>", "Display name for the invited user").option("--role <role>", "Tenant member role", "member").action(
+    async (email, opts) => {
+      const stageCheck = validateStage(opts.stage);
+      if (!stageCheck.valid) {
+        printError(stageCheck.error);
+        process.exit(1);
+      }
+      const trimmed = email.trim().toLowerCase();
+      if (!trimmed || !trimmed.includes("@")) {
+        printError(
+          `"${email}" doesn't look like an email address. Pass the user's sign-in email.`
+        );
+        process.exit(1);
+      }
+      const api = resolveApiConfig(opts.stage);
+      if (!api) process.exit(1);
+      printHeader("user invite", opts.stage);
+      console.log(`  Tenant: ${opts.tenant}`);
+      console.log(`  Email:  ${trimmed}`);
+      if (opts.name) console.log(`  Name:   ${opts.name}`);
+      console.log(`  Role:   ${opts.role}`);
+      console.log("");
+      try {
+        const result = await apiFetchRaw(
+          api.apiUrl,
+          api.authSecret,
+          `/api/tenants/${encodeURIComponent(opts.tenant)}/members`,
+          {
+            method: "POST",
+            body: JSON.stringify({
+              email: trimmed,
+              name: opts.name ?? null,
+              role: opts.role
+            })
+          }
+        );
+        if (!result.ok) {
+          const msg = result.body?.error || `HTTP ${result.status}`;
+          printError(`Invite failed: ${msg}`);
+          process.exit(1);
+        }
+        if (result.body.alreadyMember) {
+          printWarning(
+            `${trimmed} is already a member of "${opts.tenant}" (role: ${result.body.role}). No email sent.`
+          );
+          return;
+        }
+        printSuccess(
+          `Invited ${trimmed} to "${opts.tenant}" (role: ${result.body.role}). Cognito has emailed a temporary password; the user sets a new password on first sign-in.`
+        );
+      } catch (err) {
+        printError(
+          `Invite failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+        process.exit(1);
+      }
+    }
+  );
+  user.command("reset-password <email>").description(
+    "Trigger Cognito's forgot-password flow for a user (admin-initiated). Sends them a verification code email."
+  ).option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage").option(
+    "-r, --region <name>",
+    "AWS region (defaults to AWS CLI default / AWS_REGION)"
+  ).action(
+    async (email, opts) => {
+      const stageCheck = validateStage(opts.stage);
+      if (!stageCheck.valid) {
+        printError(stageCheck.error);
+        process.exit(1);
+      }
+      if (!email || !email.includes("@")) {
+        printError(
+          `"${email}" doesn't look like an email address. Pass the user's sign-in email.`
+        );
+        process.exit(1);
+      }
+      printHeader("user reset-password", opts.stage);
+      const terraformDir = process.env.THINKWORK_TERRAFORM_DIR || process.cwd();
+      const cwd = resolveTierDir(terraformDir, opts.stage, "app");
+      await ensureInit(cwd);
+      await ensureWorkspace(cwd, opts.stage);
+      let userPoolId;
+      try {
+        userPoolId = await getTerraformOutput2(cwd, "user_pool_id");
+      } catch (err) {
+        printError(
+          `Failed to read user_pool_id from Terraform outputs. Is the stack deployed? ${err instanceof Error ? err.message : String(err)}`
+        );
+        process.exit(1);
+      }
+      if (!userPoolId) {
+        printError(
+          "user_pool_id output is empty \u2014 the stack may not be fully deployed."
+        );
+        process.exit(1);
+      }
+      console.log(`  User pool: ${userPoolId}`);
+      console.log(`  Email:     ${email}`);
+      console.log("");
+      const result = await runAwsCognitoReset(userPoolId, email, opts.region);
+      if (result.code === 0) {
+        printSuccess(
+          `Reset triggered for ${email}. Cognito has emailed a verification code; the user sets a new password on next sign-in.`
+        );
+        return;
+      }
+      if (result.stderr.includes("UserNotFoundException")) {
+        printError(
+          `No user found with email ${email} in pool ${userPoolId}. Check the address (case-insensitive) or that they've signed up.`
+        );
+      } else if (result.stderr.includes("NotAuthorizedException")) {
+        printError(
+          "Cognito rejected the call \u2014 your AWS credentials may not have cognito-idp:AdminResetUserPassword on this pool."
+        );
+      } else {
+        printError(
+          `admin-reset-user-password failed (exit ${result.code}): ${result.stderr.trim() || "no stderr"}`
+        );
+      }
+      process.exit(result.code);
+    }
+  );
+}
+
 // src/cli.ts
 var program = new Command();
 program.name("thinkwork").description(
@@ -2122,10 +2475,14 @@ program.name("thinkwork").description(
   "AWS profile to use (sets AWS_PROFILE for Terraform and AWS CLI)"
 );
 program.hook("preAction", (_thisCommand, actionCommand) => {
-  const profile = actionCommand.opts().profile ?? program.opts().profile;
-  if (profile) {
-    process.env.AWS_PROFILE = profile;
+  const explicit = actionCommand.opts().profile ?? program.opts().profile;
+  if (explicit) {
+    process.env.AWS_PROFILE = explicit;
+    return;
   }
+  if (process.env.AWS_PROFILE) return;
+  const fallback = loadCliConfig().defaultProfile;
+  if (fallback) process.env.AWS_PROFILE = fallback;
 });
 registerLoginCommand(program);
 registerInitCommand(program);
@@ -2140,4 +2497,5 @@ registerConfigCommand(program);
 registerMcpCommand(program);
 registerToolsCommand(program);
 registerUpdateCommand(program);
+registerUserCommand(program);
 program.parse();