thinkwork-cli 0.5.4 → 0.6.1

package/dist/terraform/modules/thinkwork/main.tf

@@ -13,10 +13,22 @@ locals {
   bucket_name = var.bucket_name != "" ? var.bucket_name : "thinkwork-${var.stage}-storage"
 
   # Hindsight is an optional add-on. Preferred toggle: var.enable_hindsight.
-  # For one release we also honor the deprecated var.memory_engine == "hindsight"
-  # so existing tfvars keep working. The CLI config command also auto-translates
-  # between the two. Remove the legacy branch in a future release.
+  # For one release we also honor the legacy var.memory_engine == "hindsight"
+  # so existing tfvars keep working.
   hindsight_enabled = var.enable_hindsight || var.memory_engine == "hindsight"
+
+  # Canonical long-term memory engine for this deployment. Exactly one engine
+  # is active per deployment for recall/inspect/export. Auto-selects from
+  # enable_hindsight when var.memory_engine is left empty so existing deploys
+  # keep working without config changes. Legacy value "managed" maps to
+  # "agentcore".
+  resolved_memory_engine = (
+    var.memory_engine == "hindsight" || var.memory_engine == "agentcore"
+    ? var.memory_engine
+    : var.memory_engine == "managed"
+    ? "agentcore"
+    : local.hindsight_enabled ? "hindsight" : "agentcore"
+  )
 }
 
 ################################################################################
@@ -66,11 +78,13 @@ module "cognito" {
 
   admin_callback_urls = concat(
     var.admin_callback_urls,
-    ["https://${module.admin_site.distribution_domain}", "https://${module.admin_site.distribution_domain}/auth/callback"]
+    ["https://${module.admin_site.distribution_domain}", "https://${module.admin_site.distribution_domain}/auth/callback"],
+    var.admin_domain != "" ? ["https://${var.admin_domain}", "https://${var.admin_domain}/auth/callback"] : []
   )
   admin_logout_urls = concat(
     var.admin_logout_urls,
-    ["https://${module.admin_site.distribution_domain}"]
+    ["https://${module.admin_site.distribution_domain}"],
+    var.admin_domain != "" ? ["https://${var.admin_domain}"] : []
   )
   mobile_callback_urls = var.mobile_callback_urls
   mobile_logout_urls   = var.mobile_logout_urls
@@ -174,10 +188,13 @@ module "api" {
   agentcore_function_arn  = module.agentcore.agentcore_function_arn
   hindsight_endpoint      = local.hindsight_enabled ? module.hindsight[0].hindsight_endpoint : ""
   agentcore_memory_id     = module.agentcore_memory.memory_id
+  memory_engine           = local.resolved_memory_engine
   admin_url               = "https://${module.admin_site.distribution_domain}"
   docs_url                = "https://${module.docs_site.distribution_domain}"
   appsync_realtime_url    = module.appsync.graphql_realtime_url
   ecr_repository_url      = module.agentcore.ecr_repository_url
+  job_scheduler_role_arn  = module.job_triggers.job_scheduler_role_arn
+  lastmile_tasks_api_url  = var.lastmile_tasks_api_url
 }
 
 ################################################################################
@@ -206,6 +223,7 @@ module "agentcore" {
 
   hindsight_endpoint  = local.hindsight_enabled ? module.hindsight[0].hindsight_endpoint : ""
   agentcore_memory_id = module.agentcore_memory.memory_id
+  memory_engine       = local.resolved_memory_engine
 }
 
 module "crons" {
@@ -239,8 +257,16 @@ module "hindsight" {
 module "ses" {
   source = "../app/ses-email"
 
-  stage      = var.stage
-  account_id = var.account_id
+  stage        = var.stage
+  account_id   = var.account_id
+  region       = var.region
+  email_domain = var.ses_inbound_domain
+
+  inbound_bucket_name   = module.s3.bucket_name
+  email_inbound_fn_arn  = module.api.email_inbound_fn_arn
+  email_inbound_fn_name = module.api.email_inbound_fn_name
+
+  manage_active_rule_set = var.ses_manage_active_rule_set
 }
 
 ################################################################################
@@ -250,8 +276,11 @@ module "ses" {
 module "admin_site" {
   source = "../app/static-site"
 
-  stage     = var.stage
-  site_name = "admin"
+  stage           = var.stage
+  site_name       = "admin"
+  is_spa          = true
+  custom_domain   = var.admin_domain
+  certificate_arn = var.admin_certificate_arn
 }
 
 ################################################################################
@@ -266,3 +295,17 @@ module "docs_site" {
   custom_domain   = var.docs_domain
   certificate_arn = var.docs_certificate_arn
 }
+
+################################################################################
+# Public Website (www)
+################################################################################
+
+module "www_site" {
+  source = "../app/static-site"
+
+  stage           = var.stage
+  site_name       = "www"
+  custom_domain   = var.www_domain
+  certificate_arn = var.www_certificate_arn
+  # is_spa defaults to false — SSG output, directory URIs get rewritten to index.html
+}

package/dist/terraform/modules/thinkwork/outputs.tf

@@ -127,3 +127,35 @@ output "docs_bucket_name" {
   description = "S3 bucket for docs site assets"
   value       = module.docs_site.bucket_name
 }
+
+# Public website (www)
+output "www_distribution_id" {
+  description = "CloudFront distribution ID for the public website"
+  value       = module.www_site.distribution_id
+}
+
+output "www_distribution_domain" {
+  description = "CloudFront domain for the public website"
+  value       = module.www_site.distribution_domain
+}
+
+output "www_bucket_name" {
+  description = "S3 bucket for the public website assets"
+  value       = module.www_site.bucket_name
+}
+
+# SES inbound email
+output "ses_inbound_zone_id" {
+  description = "Route53 hosted zone ID for the email subdomain (null when ses_inbound_domain is not set)"
+  value       = module.ses.zone_id
+}
+
+output "ses_inbound_name_servers" {
+  description = "Name servers for the delegated email subzone. Paste these as NS records at the registrar that hosts the parent domain (e.g. Google Domains) before SES can verify."
+  value       = module.ses.name_servers
+}
+
+output "ses_inbound_mx_target" {
+  description = "MX target host for the email subdomain. Terraform already writes this into the subzone — this output is informational."
+  value       = module.ses.mx_target
+}

package/dist/terraform/modules/thinkwork/variables.tf

@@ -145,13 +145,13 @@ variable "enable_hindsight" {
 }
 
 variable "memory_engine" {
-  description = "DEPRECATED. Use `enable_hindsight` instead. For backwards compatibility, setting this to 'hindsight' is equivalent to `enable_hindsight = true`. AgentCore managed memory is always on and cannot be disabled."
+  description = "Active long-term memory engine for canonical recall/inspect/export. Exactly one engine is authoritative per deployment. Accepted values: 'hindsight' (requires enable_hindsight = true), 'agentcore' (uses the always-on AgentCore managed memory). Legacy value 'managed' maps to 'agentcore'. Empty = auto-select: 'hindsight' when enable_hindsight = true, otherwise 'agentcore'."
   type        = string
   default     = ""
 
   validation {
-    condition     = var.memory_engine == "" || contains(["managed", "hindsight"], var.memory_engine)
-    error_message = "memory_engine (deprecated) must be empty, 'managed', or 'hindsight'. Prefer enable_hindsight instead."
+    condition     = var.memory_engine == "" || contains(["managed", "hindsight", "agentcore"], var.memory_engine)
+    error_message = "memory_engine must be empty, 'hindsight', 'agentcore', or legacy 'managed'."
   }
 }
 
@@ -261,3 +261,57 @@ variable "docs_certificate_arn" {
   type        = string
   default     = ""
 }
+
+# ---------------------------------------------------------------------------
+# Public website (custom domain — optional)
+# ---------------------------------------------------------------------------
+
+variable "www_domain" {
+  description = "Custom domain for the public website (e.g. thinkwork.ai). Leave empty for CloudFront default."
+  type        = string
+  default     = ""
+}
+
+variable "www_certificate_arn" {
+  description = "ACM certificate ARN for the www domain (us-east-1, required for CloudFront custom domains). Covers both the apex and www subdomain."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# Admin site (custom domain — optional)
+# ---------------------------------------------------------------------------
+
+variable "admin_domain" {
+  description = "Custom domain for the admin SPA (e.g. admin.thinkwork.ai). Leave empty for CloudFront default."
+  type        = string
+  default     = ""
+}
+
+variable "admin_certificate_arn" {
+  description = "ACM certificate ARN for the admin domain (us-east-1, required for CloudFront custom domains)."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# SES inbound email (delegated subzone — Option A)
+# ---------------------------------------------------------------------------
+
+variable "ses_inbound_domain" {
+  description = "Subdomain used for agent email (e.g. agents.thinkwork.ai). Terraform creates a delegated Route53 hosted zone for this name, manages the SES domain identity + DKIM CNAMEs + MX in that zone, and wires an SES receipt rule that stores inbound mail in S3 and invokes the email-inbound Lambda. Leave empty to skip all SES inbound resources. After first apply, paste the `ses_inbound_name_servers` output as NS records at whatever hosts the parent domain."
+  type        = string
+  default     = ""
+}
+
+variable "ses_manage_active_rule_set" {
+  description = "Activate the SES receipt rule set. Only ONE rule set can be active per region per AWS account; set false on secondary stages that share an account so they don't fight over activation."
+  type        = bool
+  default     = true
+}
+
+variable "lastmile_tasks_api_url" {
+  description = "Base URL of the LastMile Tasks REST API (e.g. https://api-dev.lastmile-tei.com for develop). Feature-flags the outbound task sync — leave blank to keep mobile-created tasks in sync_status='local'."
+  type        = string
+  default     = ""
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkwork-cli",
-  "version": "0.5.4",
+  "version": "0.6.1",
   "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
   "license": "MIT",
   "type": "module",