thinkwork-cli 0.8.2 → 0.9.1

package/dist/terraform/modules/app/sandbox-log-scrubber/main.tf

@@ -0,0 +1,200 @@
+################################################################################
+# Sandbox Log Scrubber — App Module
+#
+# Secondary (backstop) R13 layer for the AgentCore Code Interpreter sandbox
+# (plan Unit 12). Pattern-redacts known-shape OAuth tokens in AgentCore
+# APPLICATION_LOGS before they land in the long-term CloudWatch tier.
+#
+# **This is not the primary R13 layer.** The primary layer is the base-image
+# sitecustomize.py stdio wrapper (plan Unit 4, terraform/modules/app/
+# agentcore-code-interpreter) which redacts by *value* using the session-
+# scoped token set. That layer can catch any token the preamble registered,
+# regardless of shape.
+#
+# This backstop redacts by *pattern* — Authorization: Bearer, JWTs, and
+# known OAuth prefixes (gh[opsru]_, xox[abep]-, ya29.). It does not have
+# access to session token values so it cannot catch arbitrary leaks. It
+# exists to mitigate stdio-bypass classes (subprocess env dumps, os.write,
+# C-extension direct writes, multiprocessing workers) whose bytes carry a
+# recognizable token prefix.
+#
+# If the scrubber Lambda fails, source log events remain in the original
+# CloudWatch group. S3 tier is delayed, data is not lost.
+################################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
+
+variable "stage" {
+  description = "Deployment stage (dev, prod, etc.)."
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region."
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID."
+  type        = string
+}
+
+variable "source_log_group_name" {
+  description = "Source CloudWatch log group to subscribe to. Typically the AgentCore runtime group, e.g. /aws/bedrock-agentcore/runtimes/<runtime-name>."
+  type        = string
+}
+
+variable "lambda_zip_path" {
+  description = "Path to the built Lambda zip. Produced by scripts/build-lambdas.sh sandbox-log-scrubber."
+  type        = string
+}
+
+variable "lambda_zip_hash" {
+  description = "source_code_hash (base64 SHA-256) for the Lambda zip. Triggers function update when the bundle changes."
+  type        = string
+  default     = ""
+}
+
+variable "retention_days" {
+  description = "CloudWatch retention on the scrubbed output log group. Matches standard runtime retention."
+  type        = number
+  default     = 90
+}
+
+################################################################################
+# Output log group — where scrubbed events land
+################################################################################
+
+resource "aws_cloudwatch_log_group" "scrubbed" {
+  name              = "/thinkwork/${var.stage}/sandbox/scrubbed"
+  retention_in_days = var.retention_days
+
+  tags = {
+    Stage   = var.stage
+    Purpose = "sandbox-log-scrubber-output"
+  }
+}
+
+################################################################################
+# Lambda execution role + policy
+################################################################################
+
+resource "aws_iam_role" "scrubber" {
+  name = "thinkwork-${var.stage}-sandbox-log-scrubber"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "lambda.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+}
+
+resource "aws_iam_role_policy" "scrubber" {
+  name = "sandbox-log-scrubber"
+  role = aws_iam_role.scrubber.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "WriteScrubbedEvents"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+          "logs:DescribeLogStreams",
+        ]
+        Resource = [
+          aws_cloudwatch_log_group.scrubbed.arn,
+          "${aws_cloudwatch_log_group.scrubbed.arn}:*",
+        ]
+      },
+      {
+        # Lambda's own execution logs (separate group managed by AWS).
+        Sid    = "SelfLogs"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+        ]
+        Resource = "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/lambda/thinkwork-${var.stage}-sandbox-log-scrubber:*"
+      },
+    ]
+  })
+}
+
+################################################################################
+# Lambda function
+################################################################################
+
+resource "aws_lambda_function" "scrubber" {
+  function_name    = "thinkwork-${var.stage}-sandbox-log-scrubber"
+  role             = aws_iam_role.scrubber.arn
+  handler          = "index.handler"
+  runtime          = "nodejs20.x"
+  filename         = var.lambda_zip_path
+  source_code_hash = var.lambda_zip_hash
+  timeout          = 30
+  memory_size      = 256
+
+  environment {
+    variables = {
+      OUTPUT_LOG_GROUP = aws_cloudwatch_log_group.scrubbed.name
+    }
+  }
+
+  tags = {
+    Stage   = var.stage
+    Purpose = "sandbox-log-scrubber"
+  }
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch" {
+  statement_id  = "AllowExecutionFromCloudWatchLogs"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.scrubber.function_name
+  principal     = "logs.${var.region}.amazonaws.com"
+  source_arn    = "arn:aws:logs:${var.region}:${var.account_id}:log-group:${var.source_log_group_name}:*"
+}
+
+################################################################################
+# Subscription filter — fan source events into the Lambda
+################################################################################
+
+resource "aws_cloudwatch_log_subscription_filter" "source" {
+  name            = "thinkwork-${var.stage}-sandbox-scrubber"
+  log_group_name  = var.source_log_group_name
+  filter_pattern  = "" # deliver every event; the Lambda decides
+  destination_arn = aws_lambda_function.scrubber.arn
+  depends_on      = [aws_lambda_permission.allow_cloudwatch]
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "scrubbed_log_group_name" {
+  description = "CloudWatch log group receiving scrubbed events."
+  value       = aws_cloudwatch_log_group.scrubbed.name
+}
+
+output "scrubber_function_name" {
+  description = "Scrubber Lambda function name."
+  value       = aws_lambda_function.scrubber.function_name
+}
+
+output "scrubber_role_arn" {
+  description = "Execution role ARN."
+  value       = aws_iam_role.scrubber.arn
+}

package/dist/terraform/modules/app/static-site/main.tf

@@ -39,12 +39,85 @@ variable "is_spa" {
   default     = false
 }
 
+# ---------------------------------------------------------------------------
+# Response-headers policy (optional, plan-012 U3)
+#
+# Two opt-in forms, both backwards compatible — existing callers
+# (computer_site, admin_site, docs_site, www_site) leave both unset and the
+# distribution is created with no response-headers policy attached:
+#
+#   - Pass `response_headers_policy_id` to attach an existing policy by id.
+#     Useful if a sibling module already minted the policy and you want to
+#     share it across distributions.
+#
+#   - Pass `inline_response_headers` (an object describing the CSP + other
+#     response headers) to have this module mint a fresh policy and attach
+#     it. Used by `computer_sandbox_site` to ship the iframe-side CSP
+#     (script-src 'self' blob:; connect-src 'none'; frame-ancestors ... etc.)
+#     alongside the dedicated sandbox distribution.
+#
+# Passing both is an error — the inline policy would be unused.
+# ---------------------------------------------------------------------------
+
+variable "response_headers_policy_id" {
+  description = "ID of an existing aws_cloudfront_response_headers_policy to attach. Mutually exclusive with inline_response_headers."
+  type        = string
+  default     = ""
+}
+
+variable "inline_response_headers" {
+  description = "When set, this module mints a new response-headers policy and attaches it. Pass null to skip. Fields: content_security_policy (string), content_type_options_override (bool), strict_transport_security (object: max_age_sec, include_subdomains, preload, override), cors (object: allow_origins, allow_methods, allow_headers, allow_credentials, max_age_sec, origin_override). Mutually exclusive with response_headers_policy_id."
+  type = object({
+    content_security_policy       = optional(string)
+    content_type_options_override = optional(bool, true)
+    strict_transport_security = optional(object({
+      max_age_sec        = number
+      include_subdomains = bool
+      preload            = bool
+      override           = bool
+    }))
+    cors = optional(object({
+      allow_origins     = list(string)
+      allow_methods     = optional(list(string), ["GET", "HEAD", "OPTIONS"])
+      allow_headers     = optional(list(string), ["*"])
+      allow_credentials = optional(bool, false)
+      max_age_sec       = optional(number, 600)
+      origin_override   = optional(bool, true)
+    }))
+  })
+  default = null
+}
+
 ################################################################################
 # S3 Bucket
 ################################################################################
 
 locals {
   bucket_name = var.bucket_name != "" ? var.bucket_name : "thinkwork-${var.stage}-${var.site_name}"
+
+  # Mutually-exclusive validator — surface as an error during plan.
+  _conflicting_policy_inputs = var.response_headers_policy_id != "" && var.inline_response_headers != null
+
+  inline_policy_enabled = var.inline_response_headers != null
+
+  # Final policy id wired into the cache behavior. Empty string means no
+  # policy (CloudFront default). Terraform's resource attribute treats ""
+  # the same as null because we condition on it below.
+  effective_response_headers_policy_id = (
+    var.response_headers_policy_id != ""
+    ? var.response_headers_policy_id
+    : (local.inline_policy_enabled
+      ? aws_cloudfront_response_headers_policy.inline[0].id
+      : ""
+    )
+  )
+}
+
+check "policy_inputs_are_mutually_exclusive" {
+  assert {
+    condition     = !local._conflicting_policy_inputs
+    error_message = "static-site: response_headers_policy_id and inline_response_headers are mutually exclusive."
+  }
 }
 
 resource "aws_s3_bucket" "site" {
@@ -64,6 +137,68 @@ resource "aws_s3_bucket_public_access_block" "site" {
   restrict_public_buckets = true
 }
 
+################################################################################
+# CloudFront Response-Headers Policy (optional, inline-minted variant)
+################################################################################
+
+resource "aws_cloudfront_response_headers_policy" "inline" {
+  count = local.inline_policy_enabled ? 1 : 0
+
+  name    = "thinkwork-${var.stage}-${var.site_name}-headers"
+  comment = "Response-headers policy for thinkwork-${var.stage}-${var.site_name}"
+
+  dynamic "security_headers_config" {
+    for_each = var.inline_response_headers.content_security_policy != null || var.inline_response_headers.content_type_options_override != false || var.inline_response_headers.strict_transport_security != null ? [1] : []
+    content {
+      dynamic "content_security_policy" {
+        for_each = var.inline_response_headers.content_security_policy != null ? [1] : []
+        content {
+          content_security_policy = var.inline_response_headers.content_security_policy
+          override                = true
+        }
+      }
+
+      dynamic "content_type_options" {
+        for_each = var.inline_response_headers.content_type_options_override == true ? [1] : []
+        content {
+          override = true
+        }
+      }
+
+      dynamic "strict_transport_security" {
+        for_each = var.inline_response_headers.strict_transport_security != null ? [1] : []
+        content {
+          access_control_max_age_sec = var.inline_response_headers.strict_transport_security.max_age_sec
+          include_subdomains         = var.inline_response_headers.strict_transport_security.include_subdomains
+          preload                    = var.inline_response_headers.strict_transport_security.preload
+          override                   = var.inline_response_headers.strict_transport_security.override
+        }
+      }
+    }
+  }
+
+  dynamic "cors_config" {
+    for_each = var.inline_response_headers.cors != null ? [var.inline_response_headers.cors] : []
+    content {
+      access_control_allow_credentials = cors_config.value.allow_credentials
+      access_control_max_age_sec       = cors_config.value.max_age_sec
+      origin_override                  = cors_config.value.origin_override
+
+      access_control_allow_headers {
+        items = cors_config.value.allow_headers
+      }
+
+      access_control_allow_methods {
+        items = cors_config.value.allow_methods
+      }
+
+      access_control_allow_origins {
+        items = cors_config.value.allow_origins
+      }
+    }
+  }
+}
+
 ################################################################################
 # CloudFront OAC
 ################################################################################
@@ -135,11 +270,12 @@ resource "aws_cloudfront_distribution" "site" {
   }
 
   default_cache_behavior {
-    target_origin_id       = "s3-${local.bucket_name}"
-    viewer_protocol_policy = "redirect-to-https"
-    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
-    cached_methods         = ["GET", "HEAD"]
-    compress               = true
+    target_origin_id           = "s3-${local.bucket_name}"
+    viewer_protocol_policy     = "redirect-to-https"
+    allowed_methods            = ["GET", "HEAD", "OPTIONS"]
+    cached_methods             = ["GET", "HEAD"]
+    compress                   = true
+    response_headers_policy_id = local.effective_response_headers_policy_id != "" ? local.effective_response_headers_policy_id : null
 
     dynamic "function_association" {
       for_each = var.is_spa ? [] : [1]
@@ -228,3 +364,8 @@ output "bucket_name" {
   description = "S3 bucket name for the site"
   value       = aws_s3_bucket.site.id
 }
+
+output "response_headers_policy_id" {
+  description = "ID of the response-headers policy attached to the default cache behavior. Empty when no policy is attached."
+  value       = local.effective_response_headers_policy_id
+}

package/dist/terraform/modules/app/www-dns/main.tf

@@ -29,27 +29,38 @@ terraform {
 }
 
 locals {
-  apex    = var.domain
-  www     = "www.${var.domain}"
-  docs    = "docs.${var.domain}"
-  admin   = "admin.${var.domain}"
-  name_id = replace(var.domain, ".", "-")
-
-  # ACM SANs: always include www, conditionally include docs and admin.
-  # Gated on plain bool vars (not on CloudFront outputs) to keep the
-  # dependency graph acyclic — distributions depend on the cert, so
-  # the cert mustn't depend on distribution outputs.
+  apex     = var.domain
+  www      = "www.${var.domain}"
+  docs     = "docs.${var.domain}"
+  admin    = "admin.${var.domain}"
+  computer = "computer.${var.domain}"
+  sandbox  = "sandbox.${var.domain}"
+  api      = "api.${var.domain}"
+  name_id  = replace(var.domain, ".", "-")
+
+  # ACM SANs: always include www, conditionally include docs, admin, computer,
+  # and api. The Computer iframe sandbox uses its own certificate so adding or
+  # rotating the sandbox host never forces a replacement of this shared
+  # production certificate.
+  # Gated on plain bool vars (not on CloudFront/API Gateway outputs) to keep
+  # the dependency graph acyclic — distributions / custom domain names
+  # depend on the cert, so the cert mustn't depend on those outputs.
   cert_sans = concat(
     [local.www],
     var.include_docs ? [local.docs] : [],
     var.include_admin ? [local.admin] : [],
+    var.include_computer ? [local.computer] : [],
+    var.include_api ? [local.api] : [],
   )
 
-  # CNAME records can only be created when we have the distribution
-  # domain to point at. Those inputs come after the cert is done, so
-  # they don't participate in the cert's dependency graph.
-  create_docs_record  = var.include_docs && var.docs_cloudfront_domain_name != ""
-  create_admin_record = var.include_admin && var.admin_cloudfront_domain_name != ""
+  # Existing CNAME records stay gated on non-empty targets because their target
+  # outputs are already known in the deployed stack. Newly bootstrapped records
+  # such as the sandbox CNAME must gate only on an explicit boolean so Terraform
+  # can plan the resource count before the new CloudFront distribution exists.
+  create_docs_record     = var.include_docs && var.docs_cloudfront_domain_name != ""
+  create_admin_record    = var.include_admin && var.admin_cloudfront_domain_name != ""
+  create_computer_record = var.include_computer && var.computer_cloudfront_domain_name != ""
+  create_api_record      = var.include_api && var.api_gateway_id != ""
 }
 
 ################################################################################
@@ -86,6 +97,17 @@ resource "cloudflare_record" "acm_validation" {
   ttl     = 60
   proxied = false
   comment = "ACM DNS validation for ${each.key}"
+
+  # When the cert SAN list changes (adding admin/computer/api/etc.), ACM may
+  # reissue with new validation tokens. With create_before_destroy on the cert,
+  # Terraform creates the new cert + validation records before destroying the
+  # old ones — and the Cloudflare provider rejects with "expected DNS record to
+  # not already be present but already exists" when names collide. allow_overwrite
+  # tells the provider to take ownership of an existing record by name instead
+  # of failing. Safe here because the validation records are fully managed by
+  # this resource — anything else writing _acm-challenge records on this zone
+  # would already be a conflict we'd want to overwrite.
+  allow_overwrite = true
 }
 
 resource "aws_acm_certificate_validation" "www" {
@@ -243,3 +265,84 @@ resource "cloudflare_record" "admin" {
   proxied = false
   comment = "thinkwork-${var.stage} admin → CloudFront"
 }
+
+################################################################################
+# computer.<domain> → computer CloudFront distribution (optional)
+################################################################################
+
+resource "cloudflare_record" "computer" {
+  count = local.create_computer_record ? 1 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = local.computer
+  content = var.computer_cloudfront_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} computer → CloudFront"
+}
+
+################################################################################
+# sandbox.<domain> → Computer iframe sandbox CloudFront distribution (optional)
+################################################################################
+
+resource "cloudflare_record" "computer_sandbox" {
+  count = var.include_computer_sandbox ? 1 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = local.sandbox
+  content = var.computer_sandbox_cloudfront_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} sandbox → Computer iframe sandbox CloudFront"
+}
+
+################################################################################
+# api.<domain> → HTTP API Gateway (optional)
+#
+# API Gateway v2 HTTP APIs support regional custom domains. The cert lives in
+# the same region as the API (us-east-1 here) and the domain name maps the
+# target stage under the root base path ("") so routes defined on the API
+# (/api/stripe/webhook, /graphql, etc.) are reachable at the vanity domain.
+#
+# Cloudflare must stay DNS-only (proxied=false). API Gateway presents the
+# ACM cert directly; a proxied CNAME would mess with the TLS handshake.
+################################################################################
+
+resource "aws_apigatewayv2_domain_name" "api" {
+  count = var.include_api ? 1 : 0
+
+  domain_name = local.api
+
+  domain_name_configuration {
+    certificate_arn = aws_acm_certificate_validation.www.certificate_arn
+    endpoint_type   = "REGIONAL"
+    security_policy = "TLS_1_2"
+  }
+
+  tags = {
+    Name  = "thinkwork-${var.stage}-api-custom-domain"
+    Stage = var.stage
+  }
+}
+
+resource "aws_apigatewayv2_api_mapping" "api" {
+  count = local.create_api_record ? 1 : 0
+
+  api_id      = var.api_gateway_id
+  domain_name = aws_apigatewayv2_domain_name.api[0].id
+  stage       = var.api_gateway_stage_name
+}
+
+resource "cloudflare_record" "api" {
+  count = local.create_api_record ? 1 : 0
+
+  zone_id = var.cloudflare_zone_id
+  name    = local.api
+  content = aws_apigatewayv2_domain_name.api[0].domain_name_configuration[0].target_domain_name
+  type    = "CNAME"
+  ttl     = 300
+  proxied = false
+  comment = "thinkwork-${var.stage} api → API Gateway v2 regional domain"
+}

package/dist/terraform/modules/app/www-dns/outputs.tf

@@ -12,3 +12,13 @@ output "www_redirect_distribution_domain" {
   description = "CloudFront distribution domain for the www→apex redirect"
   value       = aws_cloudfront_distribution.www_redirect.domain_name
 }
+
+output "api_custom_domain_name" {
+  description = "Custom domain name for the HTTP API (e.g. api.thinkwork.ai). Empty string when include_api is false."
+  value       = var.include_api ? aws_apigatewayv2_domain_name.api[0].domain_name : ""
+}
+
+output "api_custom_domain_target" {
+  description = "API Gateway regional target domain to CNAME to (useful for external DNS configuration). Empty string when include_api is false."
+  value       = var.include_api ? aws_apigatewayv2_domain_name.api[0].domain_name_configuration[0].target_domain_name : ""
+}

package/dist/terraform/modules/app/www-dns/variables.tf

@@ -41,3 +41,45 @@ variable "admin_cloudfront_domain_name" {
   type        = string
   default     = ""
 }
+
+variable "include_computer" {
+  description = "When true, add computer.<domain> to the ACM cert SANs and create a Cloudflare CNAME for it. Same cycle-avoidance rationale as include_docs."
+  type        = bool
+  default     = false
+}
+
+variable "computer_cloudfront_domain_name" {
+  description = "CloudFront distribution domain name for the computer SPA. Used as the target for the computer.<domain> Cloudflare CNAME when include_computer is true."
+  type        = string
+  default     = ""
+}
+
+variable "include_computer_sandbox" {
+  description = "When true, add sandbox.<domain> to the ACM cert SANs and create a Cloudflare CNAME for it. Same cycle-avoidance rationale as include_docs."
+  type        = bool
+  default     = false
+}
+
+variable "computer_sandbox_cloudfront_domain_name" {
+  description = "CloudFront distribution domain name for the Computer iframe sandbox host. Used as the target for the sandbox.<domain> Cloudflare CNAME when include_computer_sandbox is true."
+  type        = string
+  default     = ""
+}
+
+variable "include_api" {
+  description = "When true, add api.<domain> to the ACM cert SANs, create an API Gateway v2 custom domain name + base-path mapping, and create a Cloudflare CNAME pointing api.<domain> at the API Gateway regional domain. The API Gateway must be in the same region as this module since regional custom domains require a cert in the same region."
+  type        = bool
+  default     = false
+}
+
+variable "api_gateway_id" {
+  description = "aws_apigatewayv2_api.id of the HTTP API to expose at api.<domain>. Required when include_api is true."
+  type        = string
+  default     = ""
+}
+
+variable "api_gateway_stage_name" {
+  description = "aws_apigatewayv2_stage.name to map under the root base path on the custom domain. Defaults to the auto-deployed `$default` stage."
+  type        = string
+  default     = "$default"
+}