thinkwork-cli 0.6.1 → 0.7.0

package/dist/cli.js

@@ -776,8 +776,8 @@ function registerBootstrapCommand(program2) {
       bucket = await getTerraformOutput(cwd, "bucket_name");
       dbEndpoint = await getTerraformOutput(cwd, "db_cluster_endpoint");
       const secretArn = await getTerraformOutput(cwd, "db_secret_arn");
-      const { execSync: execSync9 } = await import("child_process");
-      const secretJson = execSync9(
+      const { execSync: execSync10 } = await import("child_process");
+      const secretJson = execSync10(
         `aws secretsmanager get-secret-value --secret-id "${secretArn}" --query SecretString --output text`,
         { encoding: "utf-8" }
       ).trim();
@@ -802,6 +802,7 @@ function registerBootstrapCommand(program2) {
 // src/commands/login.ts
 import { execSync as execSync4 } from "child_process";
 import { createInterface as createInterface2 } from "readline";
+import { select, Separator } from "@inquirer/prompts";
 import chalk5 from "chalk";
 
 // src/aws-profiles.ts
@@ -1036,33 +1037,41 @@ function describeType(type) {
   }
 }
 async function pickProfile(profiles) {
-  console.log("");
-  console.log(chalk5.bold("  Found these profiles in ~/.aws:"));
-  profiles.forEach((p, i) => {
-    const idx = String(i + 1).padStart(2, " ");
-    console.log(
-      `    ${chalk5.cyan(idx)}. ${chalk5.bold(p.name)}  ${chalk5.dim(`(${describeType(p.type)})`)}`
+  if (!process.stdin.isTTY) {
+    printError(
+      "The profile picker needs an interactive terminal. Re-run with --keys, --sso, or --profile <name>."
     );
-  });
-  const newIdx = profiles.length + 1;
-  const ssoIdx = profiles.length + 2;
-  console.log(
-    `    ${chalk5.cyan(String(newIdx).padStart(2, " "))}. Enter new access keys`
-  );
-  console.log(
-    `    ${chalk5.cyan(String(ssoIdx).padStart(2, " "))}. Log in via AWS SSO`
-  );
-  console.log("");
-  const answer = await ask(`  Pick a profile [1-${ssoIdx}] (Enter to cancel): `);
-  if (!answer) return { kind: "cancel" };
-  const n = Number.parseInt(answer, 10);
-  if (Number.isNaN(n) || n < 1 || n > ssoIdx) {
-    printError(`"${answer}" is not a valid option.`);
     return { kind: "cancel" };
   }
-  if (n === newIdx) return { kind: "keys" };
-  if (n === ssoIdx) return { kind: "sso" };
-  return { kind: "existing", name: profiles[n - 1].name };
+  const choices = profiles.map((p) => ({
+    name: `${p.name}  ${chalk5.dim(`(${describeType(p.type)})`)}`,
+    value: { kind: "existing", name: p.name }
+  }));
+  choices.push(new Separator());
+  choices.push({
+    name: "Enter new access keys",
+    value: { kind: "keys" },
+    description: "Paste an AWS Access Key ID and Secret Access Key; saved to a new profile."
+  });
+  choices.push({
+    name: "Log in via AWS SSO",
+    value: { kind: "sso" },
+    description: "Run `aws sso login` against the configured SSO profile."
+  });
+  try {
+    const picked = await select({
+      message: "Pick an AWS profile for Thinkwork:",
+      choices,
+      loop: false,
+      pageSize: Math.max(profiles.length + 2, 10)
+    });
+    return picked;
+  } catch (err) {
+    if (err instanceof Error && err.name === "ExitPromptError") {
+      return { kind: "cancel" };
+    }
+    throw err;
+  }
 }
 async function runKeyEntry(targetProfile) {
   console.log("");
@@ -1145,7 +1154,26 @@ function registerLoginCommand(program2) {
     "--profile <name>",
     "AWS profile name to configure (used when entering new keys or SSO)",
     "thinkwork"
-  ).option("--sso", "Skip the picker and go straight to SSO login").option("--keys", "Skip the picker and go straight to access-key entry").action(async (opts) => {
+  ).option("--sso", "Skip the picker and go straight to SSO login").option("--keys", "Skip the picker and go straight to access-key entry").addHelpText(
+    "after",
+    `
+Examples:
+  # Interactive picker \u2014 lists profiles from ~/.aws, verifies the one you pick,
+  # and saves it as your Thinkwork default.
+  $ thinkwork login
+
+  # Skip the picker, enter fresh access keys into a named profile
+  $ thinkwork login --keys --profile thinkwork
+
+  # Skip the picker, log in via AWS SSO
+  $ thinkwork login --sso --profile work-sso
+
+After login, commands resolve the AWS profile in this order:
+  1. --profile <name>            (per-command override)
+  2. $AWS_PROFILE env var
+  3. defaultProfile from ~/.thinkwork/config.json  (set by this command)
+`
+  ).action(async (opts) => {
     printHeader("login", opts.profile);
     const awsOk = await ensureAwsCli();
     if (!awsOk) process.exit(1);
@@ -1744,7 +1772,30 @@ function printStageDetail(info) {
 function registerStatusCommand(program2) {
   program2.command("status").alias("list").alias("ls").description(
     "Show all Thinkwork environments / deployments (AWS + local). Aliases: list, ls"
-  ).option("-s, --stage <name>", "Show details for a specific stage").option("--region <region>", "AWS region to scan", "us-east-1").action(async (opts) => {
+  ).option("-s, --stage <name>", "Show details for a specific stage").option("--region <region>", "AWS region to scan", "us-east-1").addHelpText(
+    "after",
+    `
+Examples:
+  # List every deployment in the current AWS account (us-east-1)
+  $ thinkwork list
+
+  # Same thing, tighter verb
+  $ thinkwork ls
+
+  # Deep-dive on one stage (same info but scoped)
+  $ thinkwork list -s dev
+
+  # Scan a different region
+  $ thinkwork list --region us-west-2
+
+  # Use a specific AWS profile for this call only
+  $ thinkwork --profile work-sso list
+
+Discovers stages by looking for \`thinkwork-<stage>-api-graphql-http\`
+Lambdas and fans out to API Gateway, AppSync, S3, RDS, ECS, CloudFront,
+and AgentCore for per-stage detail.
+`
+  ).action(async (opts) => {
     const identity = getAwsIdentity();
     printHeader("status", opts.stage || "all", identity);
     if (!identity) {
@@ -1801,7 +1852,46 @@ import chalk8 from "chalk";
 
 // src/api-client.ts
 import { readFileSync as readFileSync5, existsSync as existsSync8 } from "fs";
+import { execSync as execSync8 } from "child_process";
+
+// src/aws-discovery.ts
 import { execSync as execSync7 } from "child_process";
+function runAws2(cmd) {
+  try {
+    return execSync7(`aws ${cmd}`, {
+      encoding: "utf-8",
+      timeout: 15e3,
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+function listDeployedStages(region) {
+  const raw = runAws2(
+    `lambda list-functions --region ${region} --query "Functions[?starts_with(FunctionName, 'thinkwork-')].FunctionName" --output json`
+  );
+  if (!raw) return [];
+  try {
+    const functions = JSON.parse(raw);
+    const stages = /* @__PURE__ */ new Set();
+    for (const fn of functions) {
+      const m = fn.match(/^thinkwork-(.+?)-api-graphql-http$/);
+      if (m) stages.add(m[1]);
+    }
+    return [...stages].sort();
+  } catch {
+    return [];
+  }
+}
+function getApiAuthSecretFromLambda(stage, region) {
+  const raw = runAws2(
+    `lambda get-function-configuration --function-name thinkwork-${stage}-api-tenants --region ${region} --query "Environment.Variables.API_AUTH_SECRET" --output text`
+  );
+  return raw && raw !== "None" ? raw : null;
+}
+
+// src/api-client.ts
 function readTfVar2(tfvarsPath, key) {
   if (!existsSync8(tfvarsPath)) return null;
   const content = readFileSync5(tfvarsPath, "utf-8");
@@ -1820,7 +1910,7 @@ function resolveTfvarsPath2(stage) {
 }
 function getApiEndpoint(stage, region) {
   try {
-    const raw = execSync7(
+    const raw = execSync8(
       `aws apigatewayv2 get-apis --region ${region} --query "Items[?Name=='thinkwork-${stage}-api'].ApiEndpoint|[0]" --output text`,
       { encoding: "utf-8", timeout: 15e3, stdio: ["pipe", "pipe", "pipe"] }
     ).trim();
@@ -1858,18 +1948,22 @@ async function apiFetchRaw(apiUrl, authSecret, path2, options = {}, extraHeaders
   const body = await res.json().catch(() => ({}));
   return { ok: res.ok, status: res.status, body };
 }
-function resolveApiConfig(stage) {
+function resolveApiConfig(stage, regionOverride) {
   const tfvarsPath = resolveTfvarsPath2(stage);
-  const authSecret = readTfVar2(tfvarsPath, "api_auth_secret");
-  if (!authSecret) {
-    printError(`Cannot read api_auth_secret from ${tfvarsPath}`);
-    return null;
-  }
-  const region = readTfVar2(tfvarsPath, "region") || "us-east-1";
+  const tfAuthSecret = readTfVar2(tfvarsPath, "api_auth_secret");
+  const tfRegion = readTfVar2(tfvarsPath, "region");
+  const region = regionOverride || tfRegion || "us-east-1";
   const apiUrl = getApiEndpoint(stage, region);
   if (!apiUrl) {
     printError(
-      `Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`
+      `Cannot discover API endpoint for stage "${stage}" in ${region}. Is the stack deployed?`
+    );
+    return null;
+  }
+  const authSecret = tfAuthSecret ?? getApiAuthSecretFromLambda(stage, region);
+  if (!authSecret) {
+    printError(
+      `Cannot read api_auth_secret. Tried terraform.tfvars at ${tfvarsPath} and the \`thinkwork-${stage}-api-tenants\` Lambda env. Deploy the stack or set --profile to a role with lambda:GetFunctionConfiguration.`
     );
     return null;
   }
@@ -2206,12 +2300,12 @@ function registerToolsCommand(program2) {
 }
 
 // src/commands/update.ts
-import { execSync as execSync8 } from "child_process";
+import { execSync as execSync9 } from "child_process";
 import { realpathSync } from "fs";
 import chalk10 from "chalk";
 function getLatestVersion() {
   try {
-    return execSync8("npm view thinkwork-cli version", {
+    return execSync9("npm view thinkwork-cli version", {
       encoding: "utf-8",
       timeout: 1e4,
       stdio: ["pipe", "pipe", "pipe"]
@@ -2222,7 +2316,7 @@ function getLatestVersion() {
 }
 function detectInstallMethod() {
   try {
-    const which = execSync8("which thinkwork", {
+    const which = execSync9("which thinkwork", {
       encoding: "utf-8",
       timeout: 5e3,
       stdio: ["pipe", "pipe", "pipe"]
@@ -2282,7 +2376,7 @@ function registerUpdateCommand(program2) {
     console.log(chalk10.dim(`  $ ${cmd}`));
     console.log("");
     try {
-      execSync8(cmd, { stdio: "inherit", timeout: 12e4 });
+      execSync9(cmd, { stdio: "inherit", timeout: 12e4 });
       console.log("");
       console.log(chalk10.green(`  \u2713 Upgraded to thinkwork-cli@${latest}`));
     } catch {
@@ -2296,6 +2390,7 @@ function registerUpdateCommand(program2) {
 
 // src/commands/user.ts
 import { spawn as spawn3 } from "child_process";
+import { input, select as select2 } from "@inquirer/prompts";
 function getTerraformOutput2(cwd, key) {
   return new Promise((resolve3, reject) => {
     const proc = spawn3("terraform", ["output", "-raw", key], {
@@ -2338,43 +2433,166 @@ function runAwsCognitoReset(userPoolId, username, region) {
     proc.on("close", (code) => resolve3({ code: code ?? 1, stdout, stderr }));
   });
 }
+function isCancellation(err) {
+  return err instanceof Error && err.name === "ExitPromptError";
+}
+function requireTty(label) {
+  if (!process.stdin.isTTY) {
+    printError(
+      `${label} is required. Pass it as a flag or re-run in an interactive terminal.`
+    );
+    process.exit(1);
+  }
+}
+async function promptEmail() {
+  requireTty("Email");
+  return await input({
+    message: "Email address of the person to invite:",
+    validate: (v) => v.trim().includes("@") ? true : "That doesn't look like an email."
+  });
+}
+async function promptStage(region) {
+  requireTty("Stage");
+  const stages = listDeployedStages(region);
+  if (stages.length === 0) {
+    printError(
+      `No Thinkwork deployments found in ${region}. Run \`thinkwork list\` or pass --region.`
+    );
+    process.exit(1);
+  }
+  if (stages.length === 1) {
+    console.log(`  Using the only deployed stage: ${stages[0]}`);
+    return stages[0];
+  }
+  return await select2({
+    message: "Which stage?",
+    choices: stages.map((s) => ({ name: s, value: s })),
+    loop: false
+  });
+}
+async function promptTenant(apiUrl, authSecret) {
+  requireTty("Tenant");
+  const list = await apiFetch(apiUrl, authSecret, "/api/tenants");
+  if (!list || list.length === 0) {
+    printError(
+      "No tenants exist in this stage yet. Create one in the admin UI first."
+    );
+    process.exit(1);
+  }
+  if (list.length === 1) {
+    console.log(`  Using the only tenant: ${list[0].name} (${list[0].slug})`);
+    return list[0].slug;
+  }
+  return await select2({
+    message: "Which tenant?",
+    choices: list.map((t) => ({
+      name: `${t.name}  (slug: ${t.slug})`,
+      value: t.slug
+    })),
+    loop: false
+  });
+}
+async function promptOptionalName() {
+  if (!process.stdin.isTTY) return void 0;
+  const answer = await input({
+    message: "Display name (optional, press Enter to skip):",
+    default: ""
+  });
+  return answer.trim() || void 0;
+}
+async function promptRole() {
+  if (!process.stdin.isTTY) return "member";
+  return await select2({
+    message: "Role:",
+    choices: [
+      { name: "member \u2014 regular access", value: "member" },
+      { name: "admin \u2014 can manage members and settings", value: "admin" },
+      { name: "owner \u2014 full control", value: "owner" }
+    ],
+    default: "member",
+    loop: false
+  });
+}
 function registerUserCommand(program2) {
   const user = program2.command("user").description("User-management utilities for a deployed Thinkwork stack");
-  user.command("invite <email>").description(
-    "Invite a teammate to a tenant. Creates the Cognito user (Cognito emails a temporary password) and adds them as a tenant member."
-  ).requiredOption("-s, --stage <name>", "Deployment stage").requiredOption("--tenant <slug>", "Tenant slug").option("--name <name>", "Display name for the invited user").option("--role <role>", "Tenant member role", "member").action(
-    async (email, opts) => {
-      const stageCheck = validateStage(opts.stage);
-      if (!stageCheck.valid) {
-        printError(stageCheck.error);
-        process.exit(1);
-      }
-      const trimmed = email.trim().toLowerCase();
-      if (!trimmed || !trimmed.includes("@")) {
-        printError(
-          `"${email}" doesn't look like an email address. Pass the user's sign-in email.`
-        );
-        process.exit(1);
-      }
-      const api = resolveApiConfig(opts.stage);
-      if (!api) process.exit(1);
-      printHeader("user invite", opts.stage);
-      console.log(`  Tenant: ${opts.tenant}`);
-      console.log(`  Email:  ${trimmed}`);
-      if (opts.name) console.log(`  Name:   ${opts.name}`);
-      console.log(`  Role:   ${opts.role}`);
-      console.log("");
+  user.command("invite [email]").description(
+    "Invite a teammate to a tenant. Creates the Cognito user (Cognito emails a temporary password) and adds them as a tenant member. Prompts interactively for any missing fields."
+  ).option("-s, --stage <name>", "Deployment stage (e.g. dev, prod)").option(
+    "--tenant <slug>",
+    "Tenant slug (the URL-safe tenant id, e.g. acme)"
+  ).option("--name <name>", "Display name for the invited user").option(
+    "--role <role>",
+    'Tenant member role: "member", "admin", or "owner"'
+  ).option("--region <region>", "AWS region to scan", "us-east-1").addHelpText(
+    "after",
+    `
+Examples:
+  # Fully interactive \u2014 prompts for email, stage, tenant, name, role.
+  $ thinkwork user invite
+
+  # Scriptable (no prompts) \u2014 all fields via flags.
+  $ thinkwork user invite alice@example.com --tenant acme -s dev
+
+  # Mix: pass the email, prompt for everything else.
+  $ thinkwork user invite alice@example.com
+
+  # With display name and admin role.
+  $ thinkwork user invite bob@example.com --tenant acme -s dev \\
+      --name "Bob Smith" --role admin
+
+What happens:
+  1. A Cognito user is created (or reused if the email already exists).
+  2. Cognito emails the user a temporary password.
+  3. The user is added to the tenant with the given role.
+  4. On first sign-in they're prompted to set a real password.
+
+Re-inviting someone who's already a member is a no-op (no second email).
+Agents / scripts that pass all flags stay non-interactive.
+`
+  ).action(
+    async (emailArg, opts) => {
       try {
+        let email = emailArg ?? "";
+        if (!email) email = await promptEmail();
+        email = email.trim().toLowerCase();
+        if (!email.includes("@")) {
+          printError(
+            `"${emailArg}" doesn't look like an email address. Pass the user's sign-in email.`
+          );
+          process.exit(1);
+        }
+        let stage = opts.stage;
+        if (!stage) stage = await promptStage(opts.region);
+        const stageCheck = validateStage(stage);
+        if (!stageCheck.valid) {
+          printError(stageCheck.error);
+          process.exit(1);
+        }
+        const api = resolveApiConfig(stage, opts.region);
+        if (!api) process.exit(1);
+        let tenant = opts.tenant;
+        if (!tenant) tenant = await promptTenant(api.apiUrl, api.authSecret);
+        let name = opts.name;
+        if (name === void 0 && !emailArg) name = await promptOptionalName();
+        let role = opts.role;
+        if (!role && !emailArg) role = await promptRole();
+        role = role || "member";
+        printHeader("user invite", stage);
+        console.log(`  Tenant: ${tenant}`);
+        console.log(`  Email:  ${email}`);
+        if (name) console.log(`  Name:   ${name}`);
+        console.log(`  Role:   ${role}`);
+        console.log("");
         const result = await apiFetchRaw(
           api.apiUrl,
           api.authSecret,
-          `/api/tenants/${encodeURIComponent(opts.tenant)}/members`,
+          `/api/tenants/${encodeURIComponent(tenant)}/invites`,
           {
             method: "POST",
             body: JSON.stringify({
-              email: trimmed,
-              name: opts.name ?? null,
-              role: opts.role
+              email,
+              name: name ?? null,
+              role
             })
           }
         );
@@ -2385,14 +2603,19 @@ function registerUserCommand(program2) {
         }
         if (result.body.alreadyMember) {
           printWarning(
-            `${trimmed} is already a member of "${opts.tenant}" (role: ${result.body.role}). No email sent.`
+            `${email} is already a member of "${tenant}" (role: ${result.body.role}). No email sent.`
           );
           return;
         }
         printSuccess(
-          `Invited ${trimmed} to "${opts.tenant}" (role: ${result.body.role}). Cognito has emailed a temporary password; the user sets a new password on first sign-in.`
+          `Invited ${email} to "${tenant}" (role: ${result.body.role}). Cognito has emailed a temporary password; the user sets a new password on first sign-in.`
         );
       } catch (err) {
+        if (isCancellation(err)) {
+          console.log("");
+          console.log("  Cancelled.");
+          return;
+        }
         printError(
           `Invite failed: ${err instanceof Error ? err.message : String(err)}`
         );
@@ -2402,9 +2625,24 @@ function registerUserCommand(program2) {
   );
   user.command("reset-password <email>").description(
     "Trigger Cognito's forgot-password flow for a user (admin-initiated). Sends them a verification code email."
-  ).option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage").option(
+  ).option("-p, --profile <name>", "AWS profile").requiredOption("-s, --stage <name>", "Deployment stage (e.g. dev, prod)").option(
     "-r, --region <name>",
     "AWS region (defaults to AWS CLI default / AWS_REGION)"
+  ).addHelpText(
+    "after",
+    `
+Examples:
+  # Admin-triggered password reset \u2014 works even if the account is locked
+  $ thinkwork user reset-password alice@example.com -s dev
+
+  # Target a specific AWS profile + region
+  $ thinkwork user reset-password alice@example.com -s prod \\
+      --profile thinkwork --region us-east-1
+
+Cognito emails the user a verification code; they set a new password on
+next sign-in. Use this instead of \`forgot-password\` when the user is in
+FORCE_CHANGE_PASSWORD or has been disabled.
+`
   ).action(
     async (email, opts) => {
       const stageCheck = validateStage(opts.stage);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkwork-cli",
-  "version": "0.6.1",
+  "version": "0.7.0",
   "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
   "license": "MIT",
   "type": "module",
@@ -19,6 +19,7 @@
     "prepublishOnly": "npm run build && npm run typecheck"
   },
   "dependencies": {
+    "@inquirer/prompts": "^8.4.1",
     "chalk": "^5.6.2",
     "commander": "^12.0.0",
     "ora": "^9.3.0"