thinkwork-cli 0.5.4 → 0.6.1

package/dist/terraform/examples/greenfield/main.tf

@@ -29,6 +29,10 @@ terraform {
       source  = "hashicorp/null"
       version = "~> 3.0"
     }
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 4.0"
+    }
   }
 
   backend "s3" {
@@ -44,6 +48,10 @@ provider "aws" {
   region = var.region
 }
 
+# Cloudflare provider reads its token from the CLOUDFLARE_API_TOKEN env var.
+# Never commit the token to tfvars or source control.
+provider "cloudflare" {}
+
 variable "stage" {
   description = "Deployment stage — must match the Terraform workspace name"
   type        = string
@@ -110,6 +118,46 @@ variable "api_auth_secret" {
   default     = ""
 }
 
+variable "www_domain" {
+  description = "Public website apex domain (e.g. thinkwork.ai). Leave empty to skip the custom domain and DNS wiring."
+  type        = string
+  default     = ""
+}
+
+variable "cloudflare_zone_id" {
+  description = "Cloudflare zone ID for var.www_domain. Non-secret. Required when www_domain is set."
+  type        = string
+  default     = ""
+}
+
+variable "ses_inbound_domain" {
+  description = "Subdomain for agent email (e.g. agents.thinkwork.ai). Terraform creates a delegated Route53 hosted zone, SES domain identity + DKIM, MX record, and receipt rule. Leave empty to skip SES inbound resources."
+  type        = string
+  default     = ""
+}
+
+variable "lastmile_tasks_api_url" {
+  description = <<-EOT
+    OPTIONAL fallback base URL for the LastMile Tasks REST API.
+
+    Prefer setting the URL per-tenant via the admin Connectors → LastMile
+    page (stored in webhooks.config.baseUrl); that value takes precedence.
+    This variable only fires when the per-tenant config is empty, and is
+    mainly useful for single-tenant dev stacks and bootstrap scenarios.
+
+    Leave blank (default) unless you specifically need the env-var
+    fallback. Example: https://api-dev.lastmile-tei.com.
+  EOT
+  type        = string
+  default     = ""
+}
+
+locals {
+  www_dns_enabled = var.www_domain != "" && var.cloudflare_zone_id != ""
+  docs_domain     = var.www_domain != "" ? "docs.${var.www_domain}" : ""
+  admin_domain    = var.www_domain != "" ? "admin.${var.www_domain}" : ""
+}
+
 module "thinkwork" {
   source = "../../modules/thinkwork"
 
@@ -126,9 +174,80 @@ module "thinkwork" {
   lambda_zips_dir            = var.lambda_zips_dir
   api_auth_secret            = var.api_auth_secret
 
+  # Public website custom domain (optional — wired only when www_domain is set)
+  www_domain          = var.www_domain
+  www_certificate_arn = local.www_dns_enabled ? module.www_dns[0].certificate_arn : ""
+
+  # Docs site custom domain (derived from www_domain — docs.<apex>). The
+  # same ACM cert covers apex + www + docs + admin so every distribution
+  # shares it.
+  docs_domain          = local.www_dns_enabled ? local.docs_domain : ""
+  docs_certificate_arn = local.www_dns_enabled ? module.www_dns[0].certificate_arn : ""
+
+  # Admin SPA custom domain (derived from www_domain — admin.<apex>).
+  admin_domain          = local.www_dns_enabled ? local.admin_domain : ""
+  admin_certificate_arn = local.www_dns_enabled ? module.www_dns[0].certificate_arn : ""
+
+  # SES inbound email subdomain (delegated Route53 subzone).
+  ses_inbound_domain = var.ses_inbound_domain
+
+  # LastMile Tasks REST API base URL — feature-flags the outbound task
+  # sync. Empty string keeps mobile-created tasks in sync_status='local'.
+  lastmile_tasks_api_url = var.lastmile_tasks_api_url
+
   # Greenfield: create everything (all defaults are true)
 }
 
+################################################################################
+# Public Website DNS (Cloudflare zone, ACM cert, www→apex redirect, docs)
+################################################################################
+
+module "www_dns" {
+  count  = local.www_dns_enabled ? 1 : 0
+  source = "../../modules/app/www-dns"
+
+  stage                  = var.stage
+  domain                 = var.www_domain
+  cloudflare_zone_id     = var.cloudflare_zone_id
+  cloudfront_domain_name = module.thinkwork.www_distribution_domain
+
+  # Docs: include_docs is a plain bool (no output reference) so the
+  # ACM cert SAN list doesn't depend on the docs distribution output,
+  # which itself depends on the cert. docs_cloudfront_domain_name is
+  # read only after the cert is created, for the CNAME record.
+  include_docs                = true
+  docs_cloudfront_domain_name = module.thinkwork.docs_distribution_domain
+
+  # Admin: same cycle-avoidance pattern.
+  include_admin                = true
+  admin_cloudfront_domain_name = module.thinkwork.admin_distribution_domain
+}
+
+################################################################################
+# SES Inbound DNS Delegation
+#
+# The ses-email module creates a Route53 hosted zone for var.ses_inbound_domain
+# (e.g. agents.thinkwork.ai). For the subzone to resolve, the parent zone
+# (thinkwork.ai at Cloudflare) must carry NS records pointing at the 4 AWS name
+# servers. New Route53 zones always return exactly 4 name servers, so we can
+# hardcode count = 4 without hitting "count value is not known" at plan time.
+#
+# Without this delegation, terraform creates the Route53 zone and the MX/DKIM
+# records inside it, but the outside world asks Cloudflare for agents.thinkwork.ai
+# and gets NXDOMAIN because Cloudflare doesn't know to delegate.
+################################################################################
+
+resource "cloudflare_record" "agents_ns" {
+  count = var.ses_inbound_domain != "" && var.cloudflare_zone_id != "" ? 4 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = var.ses_inbound_domain
+  content = module.thinkwork.ses_inbound_name_servers[count.index]
+  type    = "NS"
+  ttl     = 300
+  proxied = false
+}
+
 ################################################################################
 # Outputs
 ################################################################################
@@ -216,7 +335,7 @@ output "agentcore_memory_id" {
 
 output "admin_url" {
   description = "Admin app URL"
-  value       = "https://${module.thinkwork.admin_distribution_domain}"
+  value       = local.www_dns_enabled ? "https://${local.admin_domain}" : "https://${module.thinkwork.admin_distribution_domain}"
 }
 
 output "admin_distribution_id" {
@@ -231,7 +350,7 @@ output "admin_bucket_name" {
 
 output "docs_url" {
   description = "Docs site URL"
-  value       = "https://${module.thinkwork.docs_distribution_domain}"
+  value       = local.www_dns_enabled ? "https://${local.docs_domain}" : "https://${module.thinkwork.docs_distribution_domain}"
 }
 
 output "docs_distribution_id" {
@@ -243,3 +362,38 @@ output "docs_bucket_name" {
   description = "S3 bucket for docs site assets"
   value       = module.thinkwork.docs_bucket_name
 }
+
+output "www_url" {
+  description = "Public website URL"
+  value       = var.www_domain != "" ? "https://${var.www_domain}" : "https://${module.thinkwork.www_distribution_domain}"
+}
+
+output "www_distribution_id" {
+  description = "CloudFront distribution ID for the public website (for cache invalidation)"
+  value       = module.thinkwork.www_distribution_id
+}
+
+output "www_distribution_domain" {
+  description = "CloudFront distribution domain for the public website"
+  value       = module.thinkwork.www_distribution_domain
+}
+
+output "www_bucket_name" {
+  description = "S3 bucket for public website assets"
+  value       = module.thinkwork.www_bucket_name
+}
+
+output "ses_inbound_zone_id" {
+  description = "Route53 hosted zone ID for the email subdomain (null when ses_inbound_domain is not set)"
+  value       = module.thinkwork.ses_inbound_zone_id
+}
+
+output "ses_inbound_name_servers" {
+  description = "Name servers for the delegated email subzone. Paste these as NS records at the registrar that hosts the parent domain (Google Domains for thinkwork.ai) before SES can verify."
+  value       = module.thinkwork.ses_inbound_name_servers
+}
+
+output "ses_inbound_mx_target" {
+  description = "MX target host for the email subdomain. Already written into the subzone by Terraform — informational."
+  value       = module.thinkwork.ses_inbound_mx_target
+}

package/dist/terraform/examples/greenfield/terraform.tfvars.example

@@ -29,3 +29,13 @@ db_password = "CHANGE_ME_strong_password_here"
 
 # Pre-signup Lambda (optional — leave empty if not using custom pre-signup logic)
 # pre_signup_lambda_zip = "./lambdas/pre-signup.zip"
+
+# Public website (apps/www) custom domain.
+# Leave www_domain empty to skip the custom domain and serve on the raw
+# CloudFront URL. When set, you must also provide cloudflare_zone_id below —
+# the www-dns module creates the ACM cert, apex CNAME, and www→apex redirect.
+#
+# The Cloudflare API token is read from the CLOUDFLARE_API_TOKEN environment
+# variable. NEVER put the token in this file.
+# www_domain         = "thinkwork.ai"
+# cloudflare_zone_id = "your-cloudflare-zone-id"

package/dist/terraform/modules/app/agentcore-runtime/main.tf

@@ -38,6 +38,26 @@ variable "agentcore_memory_id" {
   default     = ""
 }
 
+variable "memory_engine" {
+  description = "Active long-term memory engine ('hindsight' or 'agentcore'). Surfaced to the runtime as MEMORY_ENGINE for telemetry/debugging only; engine selection itself happens in the API's normalized memory layer when memory-retain is invoked."
+  type        = string
+  default     = "hindsight"
+  validation {
+    condition     = contains(["hindsight", "agentcore"], var.memory_engine)
+    error_message = "memory_engine must be 'hindsight' or 'agentcore'."
+  }
+}
+
+# memory-retain Lambda name + ARN are constructed locally rather than
+# taken as inputs to avoid a circular dependency: the lambda-api module
+# already consumes this module's outputs (agentcore_function_name/arn).
+# The Lambda name follows the deterministic pattern from
+# lambda-api/handlers.tf: thinkwork-${stage}-api-${handler_name}.
+locals {
+  memory_retain_fn_name = "thinkwork-${var.stage}-api-memory-retain"
+  memory_retain_fn_arn  = "arn:aws:lambda:${var.region}:${var.account_id}:function:${local.memory_retain_fn_name}"
+}
+
 ################################################################################
 # ECR Repository
 ################################################################################
@@ -157,6 +177,17 @@ resource "aws_iam_role_policy" "agentcore" {
         Action   = ["ssm:GetParameter", "ssm:PutParameter"]
         Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/agentcore/*"
       },
+      {
+        # Async-invoke the memory-retain Lambda after every chat turn so
+        # the API's normalized memory layer can run the active engine's
+        # retainTurn() path (Hindsight POST /memories or AgentCore
+        # CreateEvent). InvocationType=Event from the Python client; this
+        # Lambda is the only target.
+        Sid      = "MemoryRetainInvoke"
+        Effect   = "Allow"
+        Action   = ["lambda:InvokeFunction"]
+        Resource = local.memory_retain_fn_arn
+      },
     ]
   })
 }
@@ -192,6 +223,8 @@ resource "aws_lambda_function" "agentcore" {
       AWS_LWA_PORT           = "8080"
       AGENTCORE_MEMORY_ID    = var.agentcore_memory_id
       AGENTCORE_FILES_BUCKET = var.bucket_name
+      MEMORY_ENGINE          = var.memory_engine
+      MEMORY_RETAIN_FN_NAME  = local.memory_retain_fn_name
     }
   }
 

package/dist/terraform/modules/app/job-triggers/main.tf

@@ -55,6 +55,27 @@ resource "aws_iam_role" "job_scheduler" {
   })
 }
 
+# When job-schedule-manager creates a schedule, it sets this role as the
+# target RoleArn. EventBridge Scheduler assumes it and invokes the
+# job-trigger Lambda. ARN is constructed by naming convention so this
+# module doesn't have to import the lambda-api module's outputs.
+resource "aws_iam_role_policy" "job_scheduler_invoke" {
+  name = "invoke-job-trigger"
+  role = aws_iam_role.job_scheduler.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = ["lambda:InvokeFunction"]
+      Resource = [
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-job-trigger",
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-job-trigger:*",
+      ]
+    }]
+  })
+}
+
 ################################################################################
 # Outputs
 ################################################################################

package/dist/terraform/modules/app/lambda-api/handlers.tf

@@ -28,17 +28,40 @@ locals {
     GRAPHQL_API_KEY         = var.appsync_api_key
     API_AUTH_SECRET         = var.api_auth_secret
     THINKWORK_API_SECRET    = var.api_auth_secret
-    MANIFLOW_API_SECRET     = var.api_auth_secret
+    EMAIL_HMAC_SECRET       = var.api_auth_secret
+    THINKWORK_API_URL       = "https://${aws_apigatewayv2_api.main.id}.execute-api.${var.region}.amazonaws.com"
     AGENTCORE_FUNCTION_NAME = var.agentcore_function_name
     WORKSPACE_BUCKET        = var.bucket_name
     HINDSIGHT_ENDPOINT      = var.hindsight_endpoint
     AGENTCORE_MEMORY_ID     = var.agentcore_memory_id
-    ADMIN_URL               = var.admin_url
-    DOCS_URL                = var.docs_url
-    APPSYNC_REALTIME_URL    = var.appsync_realtime_url
-    ECR_REPOSITORY_URL      = var.ecr_repository_url
-    AWS_ACCOUNT_ID          = var.account_id
-    NODE_OPTIONS            = "--enable-source-maps"
+    MEMORY_ENGINE           = var.memory_engine
+    # Skip the SSM indirection for cross-function ARN lookup. Terraform
+    # already knows this ARN at apply time and the Lambda role's SSM
+    # permission has been a recurring source of silent failures where
+    # getChatAgentInvokeFnArn falls back to null and sendMessage loses
+    # message_history on the wakeup-processor fallback path.
+    CHAT_AGENT_INVOKE_FN_ARN = "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-chat-agent-invoke"
+    ADMIN_URL                = var.admin_url
+    DOCS_URL                 = var.docs_url
+    APPSYNC_REALTIME_URL     = var.appsync_realtime_url
+    ECR_REPOSITORY_URL       = var.ecr_repository_url
+    AWS_ACCOUNT_ID           = var.account_id
+    NODE_OPTIONS             = "--enable-source-maps"
+    # LastMile Tasks REST API base URL — feature-flags the outbound sync
+    # path. When unset, syncExternalTaskOnCreate writes sync_status='local'
+    # and the workflow picker proxy returns 503. Set to the LMI develop /
+    # staging / prod base URL per stage to enable real cross-system sync.
+    LASTMILE_TASKS_API_URL   = var.lastmile_tasks_api_url
+  }
+
+  # Per-handler env-var overrides. ARNs are constructed from the naming
+  # pattern (same trick as lambda_api_cross_invoke in main.tf) so we don't
+  # introduce a self-referential dependency inside the handler for_each.
+  handler_extra_env = {
+    "job-schedule-manager" = {
+      JOB_TRIGGER_ARN      = "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-job-trigger"
+      JOB_TRIGGER_ROLE_ARN = var.job_scheduler_role_arn
+    }
   }
 }
 
@@ -69,8 +92,11 @@ resource "aws_lambda_function" "handler" {
     "guardrails",
     "scheduled-jobs",
     "job-schedule-manager",
+    "job-trigger",
     "webhooks",
     "webhooks-admin",
+    "webhook-deliveries-cleanup",
+    "task-connectors",
     "workspace-files",
     "knowledge-base-manager",
     "knowledge-base-files",
@@ -79,10 +105,9 @@ resource "aws_lambda_function" "handler" {
     "github-app",
     "github-repos",
     "memory",
+    "memory-retain",
     "artifact-deliver",
     "recipe-refresh",
-    "connector-installs",
-    "connector-secrets",
     "agent-skills-list",
     "bootstrap-workspaces",
     "code-factory",
@@ -99,9 +124,11 @@ resource "aws_lambda_function" "handler" {
   source_code_hash = filebase64sha256("${var.lambda_zips_dir}/${each.key}.zip")
 
   environment {
-    variables = merge(local.common_env, {
-      FUNCTION_NAME = each.key
-    })
+    variables = merge(
+      local.common_env,
+      { FUNCTION_NAME = each.key },
+      lookup(local.handler_extra_env, each.key, {}),
+    )
   }
 
   tags = {
@@ -195,6 +222,10 @@ locals {
     "ANY /api/webhooks/{proxy+}" = "webhooks-admin"
     "ANY /api/webhooks"          = "webhooks-admin"
 
+    # Task Connectors admin
+    "ANY /api/task-connectors/{proxy+}" = "task-connectors"
+    "ANY /api/task-connectors"          = "task-connectors"
+
     # Workspace files
     "ANY /api/workspaces/{proxy+}" = "workspace-files"
 
@@ -216,10 +247,6 @@ locals {
     # GitHub App
     "ANY /api/github-app/{proxy+}" = "github-app"
     "POST /api/github/webhook"     = "github-app"
-
-    # Connectors
-    "ANY /api/connector-installs/{proxy+}" = "connector-installs"
-    "ANY /api/connector-secrets/{proxy+}"  = "connector-secrets"
   } : {}
 }
 
@@ -272,6 +299,28 @@ resource "aws_scheduler_schedule" "wakeup_processor" {
   }
 }
 
+# ---------------------------------------------------------------------------
+# webhook_deliveries retention cron — daily delete of rows older than 90 days
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "webhook_deliveries_cleanup" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-webhook-deliveries-cleanup"
+  group_name          = "default"
+  schedule_expression = "cron(0 4 * * ? *)" # daily at 04:00 UTC
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["webhook-deliveries-cleanup"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
 resource "aws_iam_role" "scheduler" {
   name = "thinkwork-${var.stage}-scheduler-role"
 
@@ -308,6 +357,7 @@ resource "aws_ssm_parameter" "lambda_arns" {
     "chat-agent-invoke-fn-arn"    = aws_lambda_function.handler["chat-agent-invoke"].arn
     "kb-manager-fn-arn"           = aws_lambda_function.handler["knowledge-base-manager"].arn
     "job-schedule-manager-fn-arn" = aws_lambda_function.handler["job-schedule-manager"].arn
+    "memory-retain-fn-arn"        = aws_lambda_function.handler["memory-retain"].arn
   } : {}
 
   name  = "/thinkwork/${var.stage}/${each.key}"

package/dist/terraform/modules/app/lambda-api/main.tf

@@ -28,7 +28,7 @@ resource "aws_apigatewayv2_api" "main" {
 
   cors_configuration {
     allow_headers = ["Content-Type", "Authorization", "x-api-key", "x-tenant-id", "x-tenant-slug", "x-principal-id"]
-    allow_methods = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
+    allow_methods = ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"]
     allow_origins = var.cors_allowed_origins
     max_age       = 3600
   }
@@ -206,6 +206,30 @@ resource "aws_iam_role_policy" "lambda_bedrock" {
   })
 }
 
+# SES send permissions for the email-send handler. Scoped to any
+# verified identity in this account+region so the email-send Lambda
+# can SendRawEmail from agents.thinkwork.ai (and any other domain
+# identity a future deployment might add).
+resource "aws_iam_role_policy" "lambda_ses_send" {
+  name = "ses-send"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "ses:SendEmail",
+        "ses:SendRawEmail",
+      ]
+      Resource = [
+        "arn:aws:ses:${var.region}:${var.account_id}:identity/*",
+        "arn:aws:ses:${var.region}:${var.account_id}:configuration-set/*",
+      ]
+    }]
+  })
+}
+
 # Allow API Lambdas to directly invoke the AgentCore Lambda. Used by
 # chat-agent-invoke (and future wake-up/retry paths) via InvokeCommand.
 resource "aws_iam_role_policy" "lambda_agentcore_invoke" {
@@ -232,7 +256,7 @@ resource "aws_iam_role_policy" "lambda_agentcore_invoke" {
 # memoryRecords / memorySearch call ListMemoryRecordsCommand to fetch
 # records across the tenant's agents.
 resource "aws_iam_role_policy" "lambda_agentcore_memory" {
-  name = "agentcore-memory-read"
+  name = "agentcore-memory-rw"
   role = aws_iam_role.lambda.id
 
   policy = jsonencode({
@@ -243,12 +267,106 @@ resource "aws_iam_role_policy" "lambda_agentcore_memory" {
         "bedrock-agentcore:ListMemoryRecords",
         "bedrock-agentcore:RetrieveMemoryRecords",
         "bedrock-agentcore:GetMemoryRecord",
+        "bedrock-agentcore:BatchCreateMemoryRecords",
+        "bedrock-agentcore:BatchUpdateMemoryRecords",
+        "bedrock-agentcore:BatchDeleteMemoryRecords",
+        "bedrock-agentcore:DeleteMemoryRecord",
       ]
       Resource = "*"
     }]
   })
 }
 
+# graphql-http's sendMessage mutation reads SSM parameters like
+# /thinkwork/${stage}/chat-agent-invoke-fn-arn to discover the direct
+# Lambda targets for cross-function invocation. Without this, the SSM
+# GetParameter call fails with AccessDenied, the caller silently
+# catches the error, and sendMessage falls back to the wakeup-processor
+# path — which doesn't load messages_history from Aurora. That's why
+# multi-turn chat was losing prior context: history was only loaded on
+# the direct path, which never ran.
+resource "aws_iam_role_policy" "lambda_ssm_read" {
+  name = "ssm-param-read"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = [
+        "ssm:GetParameter",
+        "ssm:GetParameters",
+      ]
+      Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/*"
+    }]
+  })
+}
+
+# job-schedule-manager creates/updates/deletes EventBridge Scheduler
+# schedules (and the thinkwork-jobs schedule group on first use). Without
+# these permissions the manager Lambda threw silently and every scheduled
+# automation was orphaned with eb_schedule_name = null.
+resource "aws_iam_role_policy" "lambda_scheduler" {
+  name = "eventbridge-scheduler-rw"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "scheduler:CreateSchedule",
+          "scheduler:UpdateSchedule",
+          "scheduler:DeleteSchedule",
+          "scheduler:GetSchedule",
+          "scheduler:ListSchedules",
+          "scheduler:CreateScheduleGroup",
+          "scheduler:GetScheduleGroup",
+          "scheduler:DeleteScheduleGroup",
+          "scheduler:TagResource",
+        ]
+        Resource = "*"
+      },
+      # Scheduler.CreateSchedule takes a RoleArn for the target; AWS requires
+      # the caller to have iam:PassRole on that role. Without this the
+      # CreateSchedule call fails with AccessDenied even if the scheduler
+      # permissions above are set.
+      {
+        Effect   = "Allow"
+        Action   = ["iam:PassRole"]
+        Resource = var.job_scheduler_role_arn != "" ? var.job_scheduler_role_arn : "*"
+      },
+    ]
+  })
+}
+
+# Allow API handler Lambdas to invoke each other directly. sendMessage
+# dispatches to chat-agent-invoke for instant chat response; the memory
+# resolvers reach knowledge-base-manager and job-schedule-manager for
+# admin-driven operations. The existing lambda_agentcore_invoke policy
+# covers the Strands runtime Lambda only — this one covers internal
+# api-to-api calls. ARNs are constructed deterministically from the
+# handler naming pattern so we don't create a dependency cycle with the
+# handler resource.
+resource "aws_iam_role_policy" "lambda_api_cross_invoke" {
+  name = "api-cross-function-invoke"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = ["lambda:InvokeFunction"]
+      Resource = [
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-chat-agent-invoke",
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-knowledge-base-manager",
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-job-schedule-manager",
+      ]
+    }]
+  })
+}
+
 ################################################################################
 # Placeholder Lambda — proves the infrastructure works
 #

package/dist/terraform/modules/app/lambda-api/outputs.tf

@@ -22,3 +22,23 @@ output "lambda_role_name" {
   description = "Shared Lambda execution role name"
   value       = aws_iam_role.lambda.name
 }
+
+output "memory_retain_fn_name" {
+  description = "Memory-retain Lambda function name. Strands runtime invokes this directly to push conversational turns into the active memory engine."
+  value       = local.use_local_zips ? aws_lambda_function.handler["memory-retain"].function_name : ""
+}
+
+output "memory_retain_fn_arn" {
+  description = "Memory-retain Lambda ARN. Used to grant lambda:InvokeFunction to the agentcore-runtime role."
+  value       = local.use_local_zips ? aws_lambda_function.handler["memory-retain"].arn : ""
+}
+
+output "email_inbound_fn_arn" {
+  description = "email-inbound Lambda ARN. Used by the SES module to wire the receipt rule Lambda action."
+  value       = local.use_local_zips ? aws_lambda_function.handler["email-inbound"].arn : ""
+}
+
+output "email_inbound_fn_name" {
+  description = "email-inbound Lambda function name. Used by the SES module for lambda:InvokeFunction permissions."
+  value       = local.use_local_zips ? aws_lambda_function.handler["email-inbound"].function_name : ""
+}

package/dist/terraform/modules/app/lambda-api/variables.tf

@@ -146,6 +146,16 @@ variable "agentcore_memory_id" {
   default     = ""
 }
 
+variable "memory_engine" {
+  description = "Active long-term memory engine for this deployment. Exactly one engine is canonical for recall/inspect/export. Defaults to 'hindsight' for hosted ThinkWork; self-hosted/serverless deployments may choose 'agentcore'."
+  type        = string
+  default     = "hindsight"
+  validation {
+    condition     = contains(["hindsight", "agentcore"], var.memory_engine)
+    error_message = "memory_engine must be 'hindsight' or 'agentcore'."
+  }
+}
+
 variable "agentcore_function_name" {
   description = "AgentCore Lambda function name (for direct SDK invoke)"
   type        = string
@@ -187,3 +197,15 @@ variable "cors_allowed_origins" {
   type        = list(string)
   default     = ["*"]
 }
+
+variable "job_scheduler_role_arn" {
+  description = "IAM role ARN that EventBridge Scheduler assumes to invoke the job-trigger Lambda. Passed from the job-triggers module."
+  type        = string
+  default     = ""
+}
+
+variable "lastmile_tasks_api_url" {
+  description = "Base URL of the LastMile Tasks REST API used by the outbound sync path (POST /tasks, GET /workflows, etc). Leave blank to feature-flag the integration off; mobile-created tasks then land in sync_status='local' until the URL is set."
+  type        = string
+  default     = ""
+}