thinkwork-cli 0.6.2 → 0.7.0

package/dist/cli.js

@@ -776,8 +776,8 @@ function registerBootstrapCommand(program2) {
       bucket = await getTerraformOutput(cwd, "bucket_name");
       dbEndpoint = await getTerraformOutput(cwd, "db_cluster_endpoint");
       const secretArn = await getTerraformOutput(cwd, "db_secret_arn");
-      const { execSync: execSync9 } = await import("child_process");
-      const secretJson = execSync9(
+      const { execSync: execSync10 } = await import("child_process");
+      const secretJson = execSync10(
         `aws secretsmanager get-secret-value --secret-id "${secretArn}" --query SecretString --output text`,
         { encoding: "utf-8" }
       ).trim();
@@ -1852,7 +1852,46 @@ import chalk8 from "chalk";
 
 // src/api-client.ts
 import { readFileSync as readFileSync5, existsSync as existsSync8 } from "fs";
+import { execSync as execSync8 } from "child_process";
+
+// src/aws-discovery.ts
 import { execSync as execSync7 } from "child_process";
+function runAws2(cmd) {
+  try {
+    return execSync7(`aws ${cmd}`, {
+      encoding: "utf-8",
+      timeout: 15e3,
+      stdio: ["pipe", "pipe", "pipe"]
+    }).trim();
+  } catch {
+    return null;
+  }
+}
+function listDeployedStages(region) {
+  const raw = runAws2(
+    `lambda list-functions --region ${region} --query "Functions[?starts_with(FunctionName, 'thinkwork-')].FunctionName" --output json`
+  );
+  if (!raw) return [];
+  try {
+    const functions = JSON.parse(raw);
+    const stages = /* @__PURE__ */ new Set();
+    for (const fn of functions) {
+      const m = fn.match(/^thinkwork-(.+?)-api-graphql-http$/);
+      if (m) stages.add(m[1]);
+    }
+    return [...stages].sort();
+  } catch {
+    return [];
+  }
+}
+function getApiAuthSecretFromLambda(stage, region) {
+  const raw = runAws2(
+    `lambda get-function-configuration --function-name thinkwork-${stage}-api-tenants --region ${region} --query "Environment.Variables.API_AUTH_SECRET" --output text`
+  );
+  return raw && raw !== "None" ? raw : null;
+}
+
+// src/api-client.ts
 function readTfVar2(tfvarsPath, key) {
   if (!existsSync8(tfvarsPath)) return null;
   const content = readFileSync5(tfvarsPath, "utf-8");
@@ -1871,7 +1910,7 @@ function resolveTfvarsPath2(stage) {
 }
 function getApiEndpoint(stage, region) {
   try {
-    const raw = execSync7(
+    const raw = execSync8(
       `aws apigatewayv2 get-apis --region ${region} --query "Items[?Name=='thinkwork-${stage}-api'].ApiEndpoint|[0]" --output text`,
       { encoding: "utf-8", timeout: 15e3, stdio: ["pipe", "pipe", "pipe"] }
     ).trim();
@@ -1909,18 +1948,22 @@ async function apiFetchRaw(apiUrl, authSecret, path2, options = {}, extraHeaders
   const body = await res.json().catch(() => ({}));
   return { ok: res.ok, status: res.status, body };
 }
-function resolveApiConfig(stage) {
+function resolveApiConfig(stage, regionOverride) {
   const tfvarsPath = resolveTfvarsPath2(stage);
-  const authSecret = readTfVar2(tfvarsPath, "api_auth_secret");
-  if (!authSecret) {
-    printError(`Cannot read api_auth_secret from ${tfvarsPath}`);
-    return null;
-  }
-  const region = readTfVar2(tfvarsPath, "region") || "us-east-1";
+  const tfAuthSecret = readTfVar2(tfvarsPath, "api_auth_secret");
+  const tfRegion = readTfVar2(tfvarsPath, "region");
+  const region = regionOverride || tfRegion || "us-east-1";
   const apiUrl = getApiEndpoint(stage, region);
   if (!apiUrl) {
     printError(
-      `Cannot discover API endpoint for stage "${stage}". Is the stack deployed?`
+      `Cannot discover API endpoint for stage "${stage}" in ${region}. Is the stack deployed?`
+    );
+    return null;
+  }
+  const authSecret = tfAuthSecret ?? getApiAuthSecretFromLambda(stage, region);
+  if (!authSecret) {
+    printError(
+      `Cannot read api_auth_secret. Tried terraform.tfvars at ${tfvarsPath} and the \`thinkwork-${stage}-api-tenants\` Lambda env. Deploy the stack or set --profile to a role with lambda:GetFunctionConfiguration.`
     );
     return null;
   }
@@ -2257,12 +2300,12 @@ function registerToolsCommand(program2) {
 }
 
 // src/commands/update.ts
-import { execSync as execSync8 } from "child_process";
+import { execSync as execSync9 } from "child_process";
 import { realpathSync } from "fs";
 import chalk10 from "chalk";
 function getLatestVersion() {
   try {
-    return execSync8("npm view thinkwork-cli version", {
+    return execSync9("npm view thinkwork-cli version", {
       encoding: "utf-8",
       timeout: 1e4,
       stdio: ["pipe", "pipe", "pipe"]
@@ -2273,7 +2316,7 @@ function getLatestVersion() {
 }
 function detectInstallMethod() {
   try {
-    const which = execSync8("which thinkwork", {
+    const which = execSync9("which thinkwork", {
       encoding: "utf-8",
       timeout: 5e3,
       stdio: ["pipe", "pipe", "pipe"]
@@ -2333,7 +2376,7 @@ function registerUpdateCommand(program2) {
     console.log(chalk10.dim(`  $ ${cmd}`));
     console.log("");
     try {
-      execSync8(cmd, { stdio: "inherit", timeout: 12e4 });
+      execSync9(cmd, { stdio: "inherit", timeout: 12e4 });
       console.log("");
       console.log(chalk10.green(`  \u2713 Upgraded to thinkwork-cli@${latest}`));
     } catch {
@@ -2347,6 +2390,7 @@ function registerUpdateCommand(program2) {
 
 // src/commands/user.ts
 import { spawn as spawn3 } from "child_process";
+import { input, select as select2 } from "@inquirer/prompts";
 function getTerraformOutput2(cwd, key) {
   return new Promise((resolve3, reject) => {
     const proc = spawn3("terraform", ["output", "-raw", key], {
@@ -2389,74 +2433,166 @@ function runAwsCognitoReset(userPoolId, username, region) {
     proc.on("close", (code) => resolve3({ code: code ?? 1, stdout, stderr }));
   });
 }
+function isCancellation(err) {
+  return err instanceof Error && err.name === "ExitPromptError";
+}
+function requireTty(label) {
+  if (!process.stdin.isTTY) {
+    printError(
+      `${label} is required. Pass it as a flag or re-run in an interactive terminal.`
+    );
+    process.exit(1);
+  }
+}
+async function promptEmail() {
+  requireTty("Email");
+  return await input({
+    message: "Email address of the person to invite:",
+    validate: (v) => v.trim().includes("@") ? true : "That doesn't look like an email."
+  });
+}
+async function promptStage(region) {
+  requireTty("Stage");
+  const stages = listDeployedStages(region);
+  if (stages.length === 0) {
+    printError(
+      `No Thinkwork deployments found in ${region}. Run \`thinkwork list\` or pass --region.`
+    );
+    process.exit(1);
+  }
+  if (stages.length === 1) {
+    console.log(`  Using the only deployed stage: ${stages[0]}`);
+    return stages[0];
+  }
+  return await select2({
+    message: "Which stage?",
+    choices: stages.map((s) => ({ name: s, value: s })),
+    loop: false
+  });
+}
+async function promptTenant(apiUrl, authSecret) {
+  requireTty("Tenant");
+  const list = await apiFetch(apiUrl, authSecret, "/api/tenants");
+  if (!list || list.length === 0) {
+    printError(
+      "No tenants exist in this stage yet. Create one in the admin UI first."
+    );
+    process.exit(1);
+  }
+  if (list.length === 1) {
+    console.log(`  Using the only tenant: ${list[0].name} (${list[0].slug})`);
+    return list[0].slug;
+  }
+  return await select2({
+    message: "Which tenant?",
+    choices: list.map((t) => ({
+      name: `${t.name}  (slug: ${t.slug})`,
+      value: t.slug
+    })),
+    loop: false
+  });
+}
+async function promptOptionalName() {
+  if (!process.stdin.isTTY) return void 0;
+  const answer = await input({
+    message: "Display name (optional, press Enter to skip):",
+    default: ""
+  });
+  return answer.trim() || void 0;
+}
+async function promptRole() {
+  if (!process.stdin.isTTY) return "member";
+  return await select2({
+    message: "Role:",
+    choices: [
+      { name: "member \u2014 regular access", value: "member" },
+      { name: "admin \u2014 can manage members and settings", value: "admin" },
+      { name: "owner \u2014 full control", value: "owner" }
+    ],
+    default: "member",
+    loop: false
+  });
+}
 function registerUserCommand(program2) {
   const user = program2.command("user").description("User-management utilities for a deployed Thinkwork stack");
-  user.command("invite <email>").description(
-    "Invite a teammate to a tenant. Creates the Cognito user (Cognito emails a temporary password) and adds them as a tenant member."
-  ).requiredOption("-s, --stage <name>", "Deployment stage (e.g. dev, prod)").requiredOption(
+  user.command("invite [email]").description(
+    "Invite a teammate to a tenant. Creates the Cognito user (Cognito emails a temporary password) and adds them as a tenant member. Prompts interactively for any missing fields."
+  ).option("-s, --stage <name>", "Deployment stage (e.g. dev, prod)").option(
     "--tenant <slug>",
     "Tenant slug (the URL-safe tenant id, e.g. acme)"
   ).option("--name <name>", "Display name for the invited user").option(
     "--role <role>",
-    'Tenant member role: "member", "admin", or "owner"',
-    "member"
-  ).addHelpText(
+    'Tenant member role: "member", "admin", or "owner"'
+  ).option("--region <region>", "AWS region to scan", "us-east-1").addHelpText(
     "after",
     `
 Examples:
-  # Invite a teammate as a regular member
+  # Fully interactive \u2014 prompts for email, stage, tenant, name, role.
+  $ thinkwork user invite
+
+  # Scriptable (no prompts) \u2014 all fields via flags.
   $ thinkwork user invite alice@example.com --tenant acme -s dev
 
-  # Invite with a display name and admin role
+  # Mix: pass the email, prompt for everything else.
+  $ thinkwork user invite alice@example.com
+
+  # With display name and admin role.
   $ thinkwork user invite bob@example.com --tenant acme -s dev \\
       --name "Bob Smith" --role admin
 
-  # Re-inviting someone who's already a member is a no-op (no second email)
-  $ thinkwork user invite alice@example.com --tenant acme -s dev
-  \u26A0  alice@example.com is already a member of "acme" (role: member). No email sent.
-
 What happens:
   1. A Cognito user is created (or reused if the email already exists).
   2. Cognito emails the user a temporary password.
   3. The user is added to the tenant with the given role.
   4. On first sign-in they're prompted to set a real password.
 
-Requires the stack to be deployed (the CLI discovers the API Gateway URL
-and reads api_auth_secret from terraform.tfvars for the stage).
+Re-inviting someone who's already a member is a no-op (no second email).
+Agents / scripts that pass all flags stay non-interactive.
 `
   ).action(
-    async (email, opts) => {
-      const stageCheck = validateStage(opts.stage);
-      if (!stageCheck.valid) {
-        printError(stageCheck.error);
-        process.exit(1);
-      }
-      const trimmed = email.trim().toLowerCase();
-      if (!trimmed || !trimmed.includes("@")) {
-        printError(
-          `"${email}" doesn't look like an email address. Pass the user's sign-in email.`
-        );
-        process.exit(1);
-      }
-      const api = resolveApiConfig(opts.stage);
-      if (!api) process.exit(1);
-      printHeader("user invite", opts.stage);
-      console.log(`  Tenant: ${opts.tenant}`);
-      console.log(`  Email:  ${trimmed}`);
-      if (opts.name) console.log(`  Name:   ${opts.name}`);
-      console.log(`  Role:   ${opts.role}`);
-      console.log("");
+    async (emailArg, opts) => {
       try {
+        let email = emailArg ?? "";
+        if (!email) email = await promptEmail();
+        email = email.trim().toLowerCase();
+        if (!email.includes("@")) {
+          printError(
+            `"${emailArg}" doesn't look like an email address. Pass the user's sign-in email.`
+          );
+          process.exit(1);
+        }
+        let stage = opts.stage;
+        if (!stage) stage = await promptStage(opts.region);
+        const stageCheck = validateStage(stage);
+        if (!stageCheck.valid) {
+          printError(stageCheck.error);
+          process.exit(1);
+        }
+        const api = resolveApiConfig(stage, opts.region);
+        if (!api) process.exit(1);
+        let tenant = opts.tenant;
+        if (!tenant) tenant = await promptTenant(api.apiUrl, api.authSecret);
+        let name = opts.name;
+        if (name === void 0 && !emailArg) name = await promptOptionalName();
+        let role = opts.role;
+        if (!role && !emailArg) role = await promptRole();
+        role = role || "member";
+        printHeader("user invite", stage);
+        console.log(`  Tenant: ${tenant}`);
+        console.log(`  Email:  ${email}`);
+        if (name) console.log(`  Name:   ${name}`);
+        console.log(`  Role:   ${role}`);
+        console.log("");
         const result = await apiFetchRaw(
           api.apiUrl,
           api.authSecret,
-          `/api/tenants/${encodeURIComponent(opts.tenant)}/members`,
+          `/api/tenants/${encodeURIComponent(tenant)}/invites`,
           {
             method: "POST",
             body: JSON.stringify({
-              email: trimmed,
-              name: opts.name ?? null,
-              role: opts.role
+              email,
+              name: name ?? null,
+              role
             })
           }
         );
@@ -2467,14 +2603,19 @@ and reads api_auth_secret from terraform.tfvars for the stage).
         }
         if (result.body.alreadyMember) {
           printWarning(
-            `${trimmed} is already a member of "${opts.tenant}" (role: ${result.body.role}). No email sent.`
+            `${email} is already a member of "${tenant}" (role: ${result.body.role}). No email sent.`
           );
           return;
         }
         printSuccess(
-          `Invited ${trimmed} to "${opts.tenant}" (role: ${result.body.role}). Cognito has emailed a temporary password; the user sets a new password on first sign-in.`
+          `Invited ${email} to "${tenant}" (role: ${result.body.role}). Cognito has emailed a temporary password; the user sets a new password on first sign-in.`
         );
       } catch (err) {
+        if (isCancellation(err)) {
+          console.log("");
+          console.log("  Cancelled.");
+          return;
+        }
         printError(
           `Invite failed: ${err instanceof Error ? err.message : String(err)}`
         );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "thinkwork-cli",
-  "version": "0.6.2",
+  "version": "0.7.0",
   "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
   "license": "MIT",
   "type": "module",