thinkwork-cli 0.8.2 → 0.9.1

package/dist/terraform/modules/thinkwork/outputs.tf

@@ -50,6 +50,21 @@ output "bucket_name" {
   value = module.s3.bucket_name
 }
 
+output "backups_bucket_name" {
+  description = "S3 bucket for operational backups (pre-drop snapshots from destructive migrations, via the aws_s3 Aurora extension)."
+  value       = module.s3_backups.bucket_name
+}
+
+output "backups_bucket_arn" {
+  description = "ARN of the operational backups bucket."
+  value       = module.s3_backups.bucket_arn
+}
+
+output "aurora_aws_s3_iam_role_arn" {
+  description = "IAM role ARN attached to the Aurora cluster for the aws_s3 extension. Null when backups are not wired (e.g. rds-postgres dev mode). Used in post-deploy runbooks to confirm the role association before running CREATE EXTENSION aws_s3."
+  value       = module.database.aws_s3_iam_role_arn
+}
+
 output "kb_service_role_arn" {
   value = module.bedrock_kb.kb_service_role_arn
 }
@@ -59,6 +74,11 @@ output "api_endpoint" {
   value = module.api.api_endpoint
 }
 
+output "api_id" {
+  description = "aws_apigatewayv2_api.main.id — needed by the www-dns module to map api.<domain> onto the HTTP API."
+  value       = module.api.api_id
+}
+
 output "appsync_api_url" {
   value = module.appsync.graphql_api_url
 }
@@ -77,6 +97,12 @@ output "auth_domain" {
   value       = module.cognito.auth_domain
 }
 
+output "mapbox_public_token" {
+  description = "Mapbox public token used by apps/computer MapView. Surfaced for scripts/build-computer.sh to inline as VITE_MAPBOX_PUBLIC_TOKEN at build time. MapView falls back to OSM tiles when this is empty."
+  value       = var.mapbox_public_token
+  sensitive   = true
+}
+
 output "ecr_repository_url" {
   value = module.agentcore.ecr_repository_url
 }
@@ -112,6 +138,61 @@ output "admin_bucket_name" {
   value       = module.admin_site.bucket_name
 }
 
+output "admin_url" {
+  description = "Public URL for the admin app (custom domain when set, CloudFront default otherwise)"
+  value       = var.admin_domain != "" ? "https://${var.admin_domain}" : "https://${module.admin_site.distribution_domain}"
+}
+
+# Computer static site (apps/computer — end-user surface)
+output "computer_distribution_id" {
+  description = "CloudFront distribution ID for the computer app"
+  value       = module.computer_site.distribution_id
+}
+
+output "computer_distribution_domain" {
+  description = "CloudFront domain for the computer app"
+  value       = module.computer_site.distribution_domain
+}
+
+output "computer_bucket_name" {
+  description = "S3 bucket for computer app assets"
+  value       = module.computer_site.bucket_name
+}
+
+output "computer_url" {
+  description = "Public URL for the computer app (custom domain when set, CloudFront default otherwise)"
+  value       = var.computer_domain != "" ? "https://${var.computer_domain}" : "https://${module.computer_site.distribution_domain}"
+}
+
+# Computer sandbox subdomain (plan-012 U3 / U11.5 — iframe-isolated
+# fragment substrate). Provisioned only when var.computer_sandbox_domain
+# is set. scripts/build-computer.sh reads these to sync the iframe-shell
+# bundle and invalidate the sandbox distribution.
+output "computer_sandbox_distribution_id" {
+  description = "CloudFront distribution ID for the iframe-isolated sandbox subdomain (empty when not provisioned)"
+  value       = local.computer_sandbox_enabled ? module.computer_sandbox_site[0].distribution_id : ""
+}
+
+output "computer_sandbox_distribution_domain" {
+  description = "CloudFront domain for the sandbox subdomain (empty when not provisioned)"
+  value       = local.computer_sandbox_enabled ? module.computer_sandbox_site[0].distribution_domain : ""
+}
+
+output "computer_sandbox_bucket_name" {
+  description = "S3 bucket holding the iframe-shell bundle for the sandbox subdomain (empty when not provisioned)"
+  value       = local.computer_sandbox_enabled ? module.computer_sandbox_site[0].bucket_name : ""
+}
+
+output "computer_sandbox_url" {
+  description = "Public URL for the iframe-shell host (empty when not provisioned). The host app's __SANDBOX_IFRAME_SRC__ Vite define points at <url>/iframe-shell.html."
+  value       = local.computer_sandbox_enabled ? "https://${var.computer_sandbox_domain}" : ""
+}
+
+output "computer_sandbox_allowed_parent_origins" {
+  description = "Comma-separated list of trusted parent origins for the iframe-shell. Mirrors the CSP frame-ancestors directive on the sandbox distribution and is wired into the iframe-shell's __ALLOWED_PARENT_ORIGINS__ Vite define at build time."
+  value       = var.computer_sandbox_allowed_parent_origins
+}
+
 # Docs static site
 output "docs_distribution_id" {
   description = "CloudFront distribution ID for the docs site"
@@ -159,3 +240,43 @@ output "ses_inbound_mx_target" {
   description = "MX target host for the email subdomain. Terraform already writes this into the subzone — this output is informational."
   value       = module.ses.mx_target
 }
+
+# MCP custom domain — consumed by `pnpm cf:sync-mcp`.
+output "mcp_custom_domain" {
+  description = "Configured MCP custom domain (e.g., mcp.thinkwork.ai), or empty when disabled."
+  value       = module.api.mcp_custom_domain
+}
+
+output "mcp_custom_domain_cert_arn" {
+  description = "ACM cert ARN for the MCP custom domain. Used by the CF sync script to poll validation status."
+  value       = module.api.mcp_custom_domain_cert_arn
+}
+
+output "mcp_custom_domain_validation" {
+  description = "DNS validation records that must be added to Cloudflare for ACM to issue the cert. Each record: { name, type, value }."
+  value       = module.api.mcp_custom_domain_validation
+}
+
+output "mcp_custom_domain_target" {
+  description = "Regional target for the final mcp CNAME — only populated on the second apply after mcp_custom_domain_ready=true. { target_domain_name, hosted_zone_id } or null."
+  value       = module.api.mcp_custom_domain_target
+}
+
+# Phase 3 U7 — Compliance audit-anchor bucket (S3 Object Lock). Consumed by
+# operator runbooks for post-deploy verification (`aws s3api get-object-lock-
+# configuration`) and by U8a/U8b when the anchor Lambda lands.
+
+output "compliance_anchor_bucket_arn" {
+  description = "ARN of the WORM-protected compliance audit-anchor S3 bucket."
+  value       = module.compliance_anchors.bucket_arn
+}
+
+output "compliance_anchor_bucket_name" {
+  description = "Name of the WORM-protected compliance audit-anchor S3 bucket (thinkwork-{stage}-compliance-anchors)."
+  value       = module.compliance_anchors.bucket_name
+}
+
+output "compliance_anchor_lambda_role_arn" {
+  description = "ARN of the IAM role the anchor Lambda (U8a/U8b) will assume. Inert in U7 — no Lambda function references this yet."
+  value       = module.compliance_anchors.lambda_role_arn
+}

package/dist/terraform/modules/thinkwork/variables.tf

@@ -50,6 +50,18 @@ variable "google_oauth_client_secret" {
   default     = ""
 }
 
+variable "redirect_success_url" {
+  description = "Default OAuth-callback redirect target when no per-request returnUrl is supplied. Mobile callers pass thinkwork:// custom scheme; web falls through to this."
+  type        = string
+  default     = "https://app.thinkwork.ai/settings/credentials"
+}
+
+variable "platform_operator_emails" {
+  description = "Comma-separated allowlist of emails permitted to invoke operator-gated GraphQL mutations (updateTenantPolicy, sandbox fixture setup, etc.). Forwarded to graphql-http as THINKWORK_PLATFORM_OPERATOR_EMAILS. Empty ⇒ the gate rejects every call."
+  type        = string
+  default     = ""
+}
+
 # ---------------------------------------------------------------------------
 # BYO Foundation (all optional — defaults to creating everything)
 # ---------------------------------------------------------------------------
@@ -167,6 +179,12 @@ variable "agentcore_memory_id" {
   default     = ""
 }
 
+variable "enable_workspace_orchestration" {
+  description = "Enable S3 EventBridge/SQS routing for folder-native workspace orchestration. Also requires the per-tenant workspace_orchestration_enabled database flag before tenant events wake agents."
+  type        = bool
+  default     = false
+}
+
 # ---------------------------------------------------------------------------
 # Naming / Buckets
 # ---------------------------------------------------------------------------
@@ -217,13 +235,21 @@ variable "api_auth_secret" {
 # ---------------------------------------------------------------------------
 
 variable "admin_callback_urls" {
-  type    = list(string)
-  default = ["http://localhost:5174", "http://localhost:5174/auth/callback"]
+  type = list(string)
+  default = [
+    "http://localhost:5174",
+    "http://localhost:5174/auth/callback",
+    "http://localhost:5175",
+    "http://localhost:5175/auth/callback",
+  ]
 }
 
 variable "admin_logout_urls" {
-  type    = list(string)
-  default = ["http://localhost:5174"]
+  type = list(string)
+  default = [
+    "http://localhost:5174",
+    "http://localhost:5175",
+  ]
 }
 
 variable "mobile_callback_urls" {
@@ -294,6 +320,56 @@ variable "admin_certificate_arn" {
   default     = ""
 }
 
+variable "computer_domain" {
+  description = "Custom domain for the computer SPA (e.g. computer.thinkwork.ai). Leave empty for CloudFront default."
+  type        = string
+  default     = ""
+}
+
+variable "computer_certificate_arn" {
+  description = "ACM certificate ARN for the computer domain (us-east-1, required for CloudFront custom domains)."
+  type        = string
+  default     = ""
+}
+
+variable "computer_sandbox_domain" {
+  description = "Custom domain for the LLM-fragment iframe substrate (e.g. sandbox.thinkwork.ai). Cross-origin from the computer SPA — load-bearing for the iframe-isolation security boundary documented in docs/specs/computer-ai-elements-contract-v1.md. Leave empty to skip provisioning the sandbox distribution."
+  type        = string
+  default     = ""
+}
+
+variable "computer_sandbox_certificate_arn" {
+  description = "ACM certificate ARN for the sandbox domain (us-east-1, required for CloudFront custom domains)."
+  type        = string
+  default     = ""
+}
+
+variable "computer_sandbox_allowed_parent_origins" {
+  description = "Comma-separated list of trusted parent origins that may frame the sandbox iframe (e.g. 'https://thinkwork.ai,https://dev.thinkwork.ai'). Wired into the sandbox CSP frame-ancestors directive AND mirrored at iframe-shell build time as __ALLOWED_PARENT_ORIGINS__. The two trust sets MUST stay in sync. Leave empty to allow no parents (effectively disabling the sandbox)."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# API Gateway (custom domain — optional)
+# ---------------------------------------------------------------------------
+
+variable "api_domain" {
+  description = "Custom domain for the HTTP API Gateway (e.g. api.thinkwork.ai). Leave empty to keep only the default execute-api URL. When set, the www-dns module adds a SAN to the shared ACM cert and creates a Cloudflare CNAME pointing at the API Gateway regional domain."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# Stripe billing
+# ---------------------------------------------------------------------------
+
+variable "stripe_price_ids_json" {
+  description = "JSON object mapping internal plan names to Stripe price IDs for this stage, e.g. {\"starter\":\"price_...\",\"team\":\"price_...\"}. Non-secret; per-stage. Exposed to Lambdas as STRIPE_PRICE_IDS_JSON env var. The secret_key, publishable_key, and webhook_signing_secret live in Secrets Manager at thinkwork/<stage>/stripe/api-credentials — never in tfvars."
+  type        = string
+  default     = "{}"
+}
+
 # ---------------------------------------------------------------------------
 # SES inbound email (delegated subzone — Option A)
 # ---------------------------------------------------------------------------
@@ -310,8 +386,91 @@ variable "ses_manage_active_rule_set" {
   default     = true
 }
 
-variable "lastmile_tasks_api_url" {
-  description = "Base URL of the LastMile Tasks REST API (e.g. https://api-dev.lastmile-tei.com for develop). Feature-flags the outbound task sync — leave blank to keep mobile-created tasks in sync_status='local'."
+variable "wiki_compile_model_id" {
+  description = "Bedrock model id used by the wiki-compile Lambda (leaf planner + aggregation planner + section writer). Any Converse-compatible model works; change without a code deploy."
+  type        = string
+  default     = "openai.gpt-oss-120b-1:0"
+}
+
+variable "company_brain_source_agent_model_id" {
+  description = "Bedrock model id used by GraphQL Company Brain source agents for JSON tool/action turns. Defaults to Claude Haiku for reliable action output while the wiki compiler can remain on gpt-oss for throughput."
+  type        = string
+  default     = "us.anthropic.claude-haiku-4-5-20251001-v1:0"
+}
+
+variable "wiki_aggregation_pass_enabled" {
+  description = "Feature flag for the wiki aggregation pass (parent section rollups + section promotion). 'true' to enable, anything else disables. Pinned in terraform so unrelated deploys don't reset it."
+  type        = string
+  default     = "true"
+}
+
+variable "wiki_deterministic_linking_enabled" {
+  description = "Feature flag for deterministic compile-time link emission — parent-expander-derived city/journal links plus entity↔entity co-mention links. 'true' to enable, anything else disables. Precision-bounded: rollback is `DELETE FROM wiki_page_links WHERE context LIKE 'deterministic:%' OR context LIKE 'co_mention:%'`."
+  type        = string
+  default     = "true"
+}
+
+variable "google_places_api_key" {
+  description = "Google Places API (New) key used by wiki-compile for POI → city/state/country hierarchy enrichment. Stored as SSM SecureString at /thinkwork/<stage>/google-places/api-key. Empty string = parameter created with a placeholder; operator populates via `aws ssm put-parameter --overwrite`. Compile gracefully degrades to metadata-only rows when the key is absent — never fails compile."
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "mapbox_public_token" {
+  description = "Mapbox public pk.* token consumed by apps/computer's MapView primitive (in @thinkwork/computer-stdlib) for inline map tile rendering inside generated applets. Flows from this variable → terraform output → scripts/build-computer.sh → apps/computer/.env.production as VITE_MAPBOX_PUBLIC_TOKEN. URL-restrict on the Mapbox dashboard to the deployed `computer.<apex>` host (and any dev hosts) — the token ships in the public Vite bundle, so URL allowlist is the security boundary. Empty string is acceptable: MapView falls back to OpenStreetMap tiles when the env var is unset, so dev environments without an operator-provisioned token still render maps."
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "nova_act_api_key" {
+  description = "Nova Act API key used by the Strands Browser Automation tool. Stored as SSM SecureString at /thinkwork/<stage>/agentcore/nova-act-api-key. Empty string = parameter created with a placeholder; operator populates via `aws ssm put-parameter --overwrite`."
   type        = string
   default     = ""
+  sensitive   = true
+}
+
+variable "agentcore_code_interpreter_id" {
+  description = "AgentCore Code Interpreter id used by routine-task-python for SFN python recipe states. Leave empty to fail closed until the stage has a routines-capable interpreter."
+  type        = string
+  default     = ""
+}
+
+variable "mcp_custom_domain" {
+  description = "MCP custom domain (e.g., 'mcp.thinkwork.ai'). Empty disables custom-domain setup — the MCP endpoint stays reachable at the API Gateway execute-api URL. When set, an ACM cert is created on the first apply; flip `mcp_custom_domain_ready = true` on a second apply after DNS validation completes. See docs/solutions/patterns/mcp-custom-domain-setup-2026-04-23.md."
+  type        = string
+  default     = ""
+}
+
+variable "mcp_custom_domain_ready" {
+  description = "Two-apply gate for the MCP custom domain. Leave false on the first apply (cert-only). After running `pnpm cf:sync-mcp` + waiting ~5 min for ACM validation, flip to true and re-apply to create the API Gateway domain + mapping."
+  type        = bool
+  default     = false
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U7 — Compliance audit-anchor bucket (S3 Object Lock)
+# ---------------------------------------------------------------------------
+
+variable "compliance_anchor_object_lock_mode" {
+  description = "S3 Object Lock retention mode for the compliance audit-anchor bucket. GOVERNANCE allows a privileged role with s3:BypassGovernanceRetention to delete or shorten retention; COMPLIANCE is irreversible (even AWS root cannot delete or shorten until retention expires). Default GOVERNANCE per master plan Decision #2; flip to COMPLIANCE in prod tfvars at audit-engagement time."
+  type        = string
+  default     = "GOVERNANCE"
+
+  validation {
+    condition     = contains(["GOVERNANCE", "COMPLIANCE"], var.compliance_anchor_object_lock_mode)
+    error_message = "compliance_anchor_object_lock_mode must be either GOVERNANCE or COMPLIANCE."
+  }
+}
+
+variable "compliance_anchor_retention_days" {
+  description = "Default Object Lock retention in days for the compliance audit-anchor bucket. SOC2 Type 1 baseline is 12 months (365)."
+  type        = number
+  default     = 365
+
+  validation {
+    condition     = var.compliance_anchor_retention_days > 0
+    error_message = "compliance_anchor_retention_days must be greater than 0."
+  }
 }

package/dist/terraform/schema.graphql

@@ -4,6 +4,7 @@
 # Source: packages/database-pg/graphql/types/subscriptions.graphql
 
 scalar AWSDateTime
+scalar AWSJSON
 
 schema {
   query: Query
@@ -78,6 +79,13 @@ type ThreadTurnUpdateEvent {
   updatedAt: AWSDateTime!
 }
 
+type ComputerThreadChunkEvent {
+  threadId: ID!
+  chunk: AWSJSON
+  seq: Int
+  publishedAt: AWSDateTime!
+}
+
 type OrgUpdateEvent {
   tenantId: ID!
   changeType: String!
@@ -96,6 +104,19 @@ type CostRecordedEvent {
   updatedAt: AWSDateTime!
 }
 
+type EvalRunUpdateEvent {
+  runId: ID!
+  tenantId: ID!
+  agentId: ID
+  status: String!
+  totalTests: Int
+  passed: Int
+  failed: Int
+  passRate: Float
+  errorMessage: String
+  updatedAt: AWSDateTime!
+}
+
 # ────────────────────────────────────────────────────────────────────
 # Notification mutations
 #
@@ -154,6 +175,12 @@ type Mutation {
     triggerName: String
   ): ThreadTurnUpdateEvent @aws_api_key @aws_cognito_user_pools @aws_iam
 
+  publishComputerThreadChunk(
+    threadId: ID!
+    chunk: AWSJSON!
+    seq: Int!
+  ): ComputerThreadChunkEvent! @aws_api_key @aws_cognito_user_pools @aws_iam
+
   notifyOrgUpdate(
     tenantId: ID!
     changeType: String!
@@ -169,6 +196,18 @@ type Mutation {
     amountUsd: Float!
     model: String
   ): CostRecordedEvent @aws_api_key @aws_cognito_user_pools @aws_iam
+
+  notifyEvalRunUpdate(
+    runId: ID!
+    tenantId: ID!
+    agentId: ID
+    status: String!
+    totalTests: Int
+    passed: Int
+    failed: Int
+    passRate: Float
+    errorMessage: String
+  ): EvalRunUpdateEvent @aws_api_key @aws_cognito_user_pools @aws_iam
 }
 
 type Subscription {
@@ -191,9 +230,15 @@ type Subscription {
   onThreadTurnUpdated(tenantId: ID!): ThreadTurnUpdateEvent @aws_api_key @aws_cognito_user_pools @aws_iam
     @aws_subscribe(mutations: ["notifyThreadTurnUpdate"])
 
+  onComputerThreadChunk(threadId: ID!): ComputerThreadChunkEvent @aws_api_key @aws_cognito_user_pools @aws_iam
+    @aws_subscribe(mutations: ["publishComputerThreadChunk"])
+
   onOrgUpdated(tenantId: ID!): OrgUpdateEvent @aws_api_key @aws_cognito_user_pools @aws_iam
     @aws_subscribe(mutations: ["notifyOrgUpdate"])
 
   onCostRecorded(tenantId: ID!): CostRecordedEvent @aws_api_key @aws_cognito_user_pools @aws_iam
     @aws_subscribe(mutations: ["notifyCostRecorded"])
+
+  onEvalRunUpdated(tenantId: ID!): EvalRunUpdateEvent @aws_api_key @aws_cognito_user_pools @aws_iam
+    @aws_subscribe(mutations: ["notifyEvalRunUpdate"])
 }

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "thinkwork-cli",
-  "version": "0.8.2",
+  "version": "0.9.1",
   "description": "Thinkwork CLI — deploy, manage, and interact with your Thinkwork stack",
-  "license": "MIT",
+  "license": "Apache-2.0",
   "type": "module",
   "bin": {
     "thinkwork": "dist/cli.js"
@@ -10,15 +10,6 @@
   "files": [
     "dist"
   ],
-  "scripts": {
-    "build": "tsup src/cli.ts --format esm --dts --clean && node scripts/bundle-terraform.js",
-    "dev": "tsx src/cli.ts",
-    "codegen": "graphql-codegen --config codegen.ts",
-    "typecheck": "tsc --noEmit",
-    "test": "vitest run",
-    "lint": "echo 'lint: skipped (eslint not configured)'",
-    "prepublishOnly": "npm run build && npm run typecheck"
-  },
   "dependencies": {
     "@graphql-typed-document-node/core": "^3.2.0",
     "@inquirer/prompts": "^8.4.1",
@@ -26,7 +17,9 @@
     "chalk": "^5.6.2",
     "commander": "^12.0.0",
     "graphql": "^16.10.0",
-    "ora": "^9.3.0"
+    "jszip": "^3.10.1",
+    "ora": "^9.3.0",
+    "@thinkwork/admin-ops": "0.0.0"
   },
   "devDependencies": {
     "@graphql-codegen/cli": "^5.0.6",
@@ -52,5 +45,13 @@
     "agents",
     "terraform",
     "cli"
-  ]
-}
+  ],
+  "scripts": {
+    "build": "tsup src/cli.ts --format esm --dts --clean && node scripts/bundle-terraform.js",
+    "dev": "tsx src/cli.ts",
+    "codegen": "graphql-codegen --config codegen.ts",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "lint": "echo 'lint: skipped (eslint not configured)'"
+  }
+}