thinkwork-cli 0.8.2 → 0.9.1

package/dist/terraform/modules/app/lambda-api/main.tf

@@ -9,9 +9,9 @@
 # In production this module will contain 30+ Lambda functions covering:
 # - GraphQL HTTP handler (the main API entry point)
 # - Agent invoke / chat
-# - Thread, agent, template, connector CRUD
+# - Thread, agent, and template CRUD
 # - Skills, KB, memory handlers
-# - Connectors (Slack, GitHub, Google)
+# - Webhook, MCP, and OAuth handlers
 # - Email inbound/outbound
 # - OAuth callbacks
 ################################################################################
@@ -70,6 +70,58 @@ resource "aws_apigatewayv2_api_mapping" "main" {
   stage       = aws_apigatewayv2_stage.default.id
 }
 
+################################################################################
+# MCP Custom Domain (optional) — second domain on the same HTTP API.
+#
+# Two-apply dance because ACM requires DNS validation before a Regional
+# custom domain can bind the cert. `var.mcp_custom_domain_ready = false`
+# (first apply) creates just the cert in pending-validation state and
+# surfaces the validation record via `mcp_custom_domain_validation` output.
+# The operator adds that record to Cloudflare (via `pnpm cf:sync-mcp`),
+# waits ~5 min for ACM validation, then sets `mcp_custom_domain_ready =
+# true` for the second apply, which creates the domain + API mapping.
+# A final `pnpm cf:sync-mcp --finalize` adds the `mcp.thinkwork.ai`
+# CNAME pointing at the regional domain target.
+#
+# See docs/solutions/patterns/mcp-custom-domain-setup-2026-04-23.md.
+################################################################################
+
+resource "aws_acm_certificate" "mcp" {
+  count             = var.mcp_custom_domain != "" ? 1 : 0
+  domain_name       = var.mcp_custom_domain
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-mcp-cert"
+  }
+}
+
+resource "aws_apigatewayv2_domain_name" "mcp" {
+  count       = var.mcp_custom_domain != "" && var.mcp_custom_domain_ready ? 1 : 0
+  domain_name = var.mcp_custom_domain
+
+  domain_name_configuration {
+    certificate_arn = aws_acm_certificate.mcp[0].arn
+    endpoint_type   = "REGIONAL"
+    security_policy = "TLS_1_2"
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-mcp-domain"
+  }
+}
+
+resource "aws_apigatewayv2_api_mapping" "mcp" {
+  count       = var.mcp_custom_domain != "" && var.mcp_custom_domain_ready ? 1 : 0
+  api_id      = aws_apigatewayv2_api.main.id
+  domain_name = aws_apigatewayv2_domain_name.mcp[0].id
+  stage       = aws_apigatewayv2_stage.default.id
+}
+
 ################################################################################
 # Shared Lambda Execution Role
 ################################################################################
@@ -92,6 +144,19 @@ resource "aws_iam_role_policy_attachment" "lambda_basic" {
   policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
 }
 
+resource "aws_iam_role_policy_attachment" "computer_runtime_manager" {
+  # No count guard: module.computer_runtime is unconditional (see
+  # terraform/modules/thinkwork/main.tf), so the policy ARN is always
+  # populated. A `count = var.X != "" ? 1 : 0` guard fails terraform
+  # plan with "Invalid count argument" because var.X resolves from
+  # aws_iam_policy.manager.arn — a computed attribute only known at
+  # apply time, not at plan time. If a future caller wants to make
+  # this attachment conditional, gate it on a known-at-plan-time
+  # boolean variable rather than the ARN string.
+  role       = aws_iam_role.lambda.name
+  policy_arn = var.computer_runtime_manager_policy_arn
+}
+
 resource "aws_iam_role_policy" "lambda_rds" {
   name = "rds-data-api"
   role = aws_iam_role.lambda.id
@@ -129,6 +194,7 @@ resource "aws_iam_role_policy" "lambda_secrets" {
         Action = [
           "secretsmanager:CreateSecret",
           "secretsmanager:UpdateSecret",
+          "secretsmanager:DeleteSecret",
           "secretsmanager:GetSecretValue"
         ]
         Resource = "arn:aws:secretsmanager:${var.region}:${var.account_id}:secret:thinkwork/*"
@@ -196,12 +262,21 @@ resource "aws_iam_role_policy" "lambda_bedrock" {
   name = "bedrock-invoke"
   role = aws_iam_role.lambda.id
 
+  # Cross-region inference profiles (us.anthropic.claude-*) require
+  # `bedrock:InvokeModel` on the *inference-profile* ARN AND on the
+  # underlying foundation-model ARN in *every* region the profile can
+  # route to (e.g. us-east-2 for us.anthropic.claude-haiku-4-5). The
+  # region wildcard below covers all of them. Needed by the eval-runner
+  # llm-rubric judge and any handler that calls Converse with a profile ID.
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
-      Effect   = "Allow"
-      Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
-      Resource = "arn:aws:bedrock:${var.region}::foundation-model/*"
+      Effect = "Allow"
+      Action = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
+      Resource = [
+        "arn:aws:bedrock:*::foundation-model/*",
+        "arn:aws:bedrock:*:${var.account_id}:inference-profile/*",
+      ]
     }]
   })
 }
@@ -244,14 +319,72 @@ resource "aws_iam_role_policy" "lambda_agentcore_invoke" {
       Action = [
         "lambda:InvokeFunction",
       ]
-      Resource = [
+      Resource = compact([
         var.agentcore_function_arn,
         "${var.agentcore_function_arn}:*",
-      ]
+        var.agentcore_flue_function_arn,
+        var.agentcore_flue_function_arn != "" ? "${var.agentcore_flue_function_arn}:*" : "",
+      ])
     }]
   })
 }
 
+# Eval-runner: invoke the AgentCore Runtime data plane to run an agent
+# under test, and call AgentCore Evaluations.Evaluate to score the
+# resulting spans. Both APIs are on the bedrock-agentcore service. Also
+# allow reading spans + log events from CloudWatch Logs (aws/spans is
+# the Transaction Search destination; the runtime log groups carry the
+# OTel scope=strands.telemetry.tracer log records that EvaluateCommand
+# requires alongside the spans).
+resource "aws_iam_role_policy" "lambda_eval_runner" {
+  name = "eval-runner-bedrock-agentcore"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid      = "AgentCoreInvokeRuntime"
+        Effect   = "Allow"
+        Action   = ["bedrock-agentcore:InvokeAgentRuntime"]
+        Resource = "arn:aws:bedrock-agentcore:${var.region}:${var.account_id}:runtime/*"
+      },
+      {
+        Sid    = "AgentCoreEvaluate"
+        Effect = "Allow"
+        Action = [
+          "bedrock-agentcore:Evaluate",
+          "bedrock-agentcore:GetEvaluator",
+          "bedrock-agentcore:ListEvaluators",
+        ]
+        Resource = "*"
+      },
+      {
+        Sid    = "EvalSpansRead"
+        Effect = "Allow"
+        Action = [
+          "logs:FilterLogEvents",
+          "logs:GetLogEvents",
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams",
+        ]
+        Resource = [
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:aws/spans",
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:aws/spans:*",
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/bedrock-agentcore/runtimes/*",
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/bedrock-agentcore/runtimes/*:*",
+        ]
+      },
+      {
+        Sid      = "SsmReadEvalRunnerCfg"
+        Effect   = "Allow"
+        Action   = ["ssm:GetParameter", "ssm:GetParameters"]
+        Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/agentcore/runtime-id-*"
+      },
+    ]
+  })
+}
+
 # AgentCore Memory read access for the GraphQL memory resolvers.
 # memoryRecords / memorySearch call ListMemoryRecordsCommand to fetch
 # records across the tenant's agents.
@@ -291,14 +424,33 @@ resource "aws_iam_role_policy" "lambda_ssm_read" {
 
   policy = jsonencode({
     Version = "2012-10-17"
-    Statement = [{
-      Effect = "Allow"
-      Action = [
-        "ssm:GetParameter",
-        "ssm:GetParameters",
-      ]
-      Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/*"
-    }]
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+        ]
+        Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/*"
+      },
+      # SecureString parameters (e.g. /thinkwork/<stage>/google-places/api-key)
+      # are encrypted with the default AWS-managed SSM key. The default key's
+      # resource policy auto-grants Decrypt to any IAM principal with
+      # ssm:GetParameter on the parameter via `kms:ViaService = ssm.*`, so
+      # this explicit grant is a belt-and-suspenders clarification. If we
+      # later move to a customer-managed KMS key, this is the scope that
+      # needs updating.
+      {
+        Effect   = "Allow"
+        Action   = ["kms:Decrypt"]
+        Resource = "*"
+        Condition = {
+          StringEquals = {
+            "kms:ViaService" = "ssm.${var.region}.amazonaws.com"
+          }
+        }
+      },
+    ]
   })
 }
 
@@ -362,11 +514,143 @@ resource "aws_iam_role_policy" "lambda_api_cross_invoke" {
         "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-chat-agent-invoke",
         "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-knowledge-base-manager",
         "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-job-schedule-manager",
+        # eval-runner: graphql-http's startEvalRun mutation Event-invokes
+        # this asynchronously after inserting the eval_runs row.
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-eval-runner",
+        # wiki-compile: memory-retain Event-invokes this after a successful
+        # retainTurn when the tenant's wiki_compile_enabled flag is on.
+        # compileWikiNow admin mutation also Event-invokes.
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-wiki-compile",
+        # wiki-bootstrap-import: bootstrapJournalImport admin mutation
+        # Event-invokes this for the long-running ingest path.
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-wiki-bootstrap-import",
+        # routine-resume: routine-approval-bridge (Phase B U8) invokes
+        # this with RequestResponse after a HITL decideInboxItem
+        # decision. Calls SendTaskSuccess/SendTaskFailure on the SFN
+        # task token; idempotent on already-consumed tokens.
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-routine-resume",
+        # workspace-files-efs: workspace-files invokes this (RequestResponse)
+        # for Computer-target list/get to bypass the computer_tasks queue
+        # and read EFS directly. Standalone resource below.
+        "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-workspace-files-efs",
       ]
     }]
   })
 }
 
+# Step Functions admin operations — for createRoutine / publishRoutineVersion
+# / triggerRoutineRun / updateRoutine resolvers (Phase B U7) and the
+# routine-asl-validator Lambda (Phase A U5). State-machine ARNs follow the
+# naming convention `thinkwork-${stage}-routine-*`; aliases follow the
+# state-machine ARN with a colon-separated alias name.
+resource "aws_iam_role_policy" "lambda_routines_stepfunctions" {
+  name = "routines-step-functions"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "RoutineStateMachineLifecycle"
+        Effect = "Allow"
+        Action = [
+          "states:CreateStateMachine",
+          "states:UpdateStateMachine",
+          "states:DeleteStateMachine",
+          "states:DescribeStateMachine",
+          "states:ListStateMachines",
+          "states:TagResource",
+          "states:UntagResource",
+          "states:PublishStateMachineVersion",
+          "states:DeleteStateMachineVersion",
+          "states:ListStateMachineVersions",
+          "states:CreateStateMachineAlias",
+          "states:UpdateStateMachineAlias",
+          "states:DeleteStateMachineAlias",
+          "states:DescribeStateMachineAlias",
+          "states:ListStateMachineAliases",
+          "states:DescribeStateMachineForExecution",
+        ]
+        Resource = "arn:aws:states:${var.region}:${var.account_id}:stateMachine:thinkwork-${var.stage}-routine-*"
+      },
+      {
+        Sid    = "RoutineExecution"
+        Effect = "Allow"
+        Action = [
+          "states:StartExecution",
+          "states:StartSyncExecution",
+          "states:StopExecution",
+          "states:DescribeExecution",
+          "states:ListExecutions",
+          "states:GetExecutionHistory",
+        ]
+        Resource = [
+          "arn:aws:states:${var.region}:${var.account_id}:stateMachine:thinkwork-${var.stage}-routine-*",
+          "arn:aws:states:${var.region}:${var.account_id}:execution:thinkwork-${var.stage}-routine-*:*",
+        ]
+      },
+      {
+        Sid    = "RoutineTaskTokens"
+        Effect = "Allow"
+        Action = [
+          "states:SendTaskSuccess",
+          "states:SendTaskFailure",
+          "states:SendTaskHeartbeat",
+        ]
+        Resource = "*"
+      },
+      {
+        Sid      = "RoutineValidate"
+        Effect   = "Allow"
+        Action   = ["states:ValidateStateMachineDefinition"]
+        Resource = "*"
+      },
+      {
+        # PassRole so the createRoutine resolver can hand the routines
+        # execution role to a newly-created state machine. Scoped to the
+        # specific role created by the routines-stepfunctions module.
+        Sid      = "RoutinePassExecutionRole"
+        Effect   = "Allow"
+        Action   = ["iam:PassRole"]
+        Resource = "arn:aws:iam::${var.account_id}:role/thinkwork-${var.stage}-routines-execution-role"
+        Condition = {
+          StringEquals = {
+            "iam:PassedToService" = "states.amazonaws.com"
+          }
+        }
+      },
+      {
+        # routine-task-python (Phase B U6) wraps the AgentCore code
+        # interpreter so SFN can run `python` recipe states. Three calls
+        # per Task: Start session, Invoke, Stop. Resource is `*` because
+        # interpreter sessions are runtime-scoped, not provisioned.
+        Sid    = "RoutineTaskPythonCodeInterpreter"
+        Effect = "Allow"
+        Action = [
+          "bedrock-agentcore:StartCodeInterpreterSession",
+          "bedrock-agentcore:InvokeCodeInterpreter",
+          "bedrock-agentcore:StopCodeInterpreterSession",
+          "bedrock-agentcore:GetCodeInterpreterSession",
+        ]
+        Resource = "*"
+      },
+      {
+        # routine-task-python S3 offload — full stdout/stderr land in
+        # the per-stage routine-output bucket under
+        # <tenantId>/<sfn-execution-id>/<nodeId>/{stdout,stderr}.log.
+        # PutObject only — the read path is GraphQL-fronted and runs
+        # under the graphql-http handler's role, not this one.
+        Sid    = "RoutineTaskPythonS3Offload"
+        Effect = "Allow"
+        Action = [
+          "s3:PutObject",
+        ]
+        Resource = "arn:aws:s3:::thinkwork-${var.stage}-routine-output/*"
+      },
+    ]
+  })
+}
+
 ################################################################################
 # Placeholder Lambda — proves the infrastructure works
 #

package/dist/terraform/modules/app/lambda-api/mcp-oauth.tf

@@ -0,0 +1,118 @@
+locals {
+  mcp_oauth_api_base_url       = "https://${aws_apigatewayv2_api.main.id}.execute-api.${var.region}.amazonaws.com"
+  mcp_oauth_cognito_base_url   = var.cognito_auth_domain != "" ? "https://${var.cognito_auth_domain}.auth.${var.region}.amazoncognito.com" : ""
+  mcp_oauth_identity_providers = var.google_oauth_client_id != "" ? ["Google", "COGNITO"] : ["COGNITO"]
+  mcp_oauth_logo_path          = "${path.module}/../../../../apps/admin/public/logo.png"
+}
+
+resource "aws_dynamodb_table" "mcp_oauth_revocations" {
+  name         = "thinkwork-${var.stage}-mcp-oauth-revocations"
+  billing_mode = "PAY_PER_REQUEST"
+  hash_key     = "token_id_hash"
+
+  attribute {
+    name = "token_id_hash"
+    type = "S"
+  }
+
+  ttl {
+    attribute_name = "expires_at"
+    enabled        = true
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-mcp-oauth-revocations"
+  }
+}
+
+resource "aws_cognito_user_pool_client" "mcp_oauth" {
+  name         = "ThinkworkMcpOAuth"
+  user_pool_id = var.user_pool_id
+
+  allowed_oauth_flows_user_pool_client = true
+  allowed_oauth_flows                  = ["code"]
+  allowed_oauth_scopes                 = ["openid", "email", "profile"]
+
+  supported_identity_providers = local.mcp_oauth_identity_providers
+
+  callback_urls = ["${local.mcp_oauth_api_base_url}/mcp/oauth/callback"]
+  logout_urls   = [local.mcp_oauth_api_base_url]
+
+  access_token_validity = 1
+  id_token_validity     = 1
+
+  token_validity_units {
+    access_token = "hours"
+    id_token     = "hours"
+  }
+}
+
+resource "aws_cognito_user_pool_ui_customization" "mcp_oauth" {
+  user_pool_id = var.user_pool_id
+  client_id    = aws_cognito_user_pool_client.mcp_oauth.id
+  image_file   = fileexists(local.mcp_oauth_logo_path) ? filebase64(local.mcp_oauth_logo_path) : null
+
+  css = <<-CSS
+    .background-customizable {
+      background-color: #080808;
+    }
+
+    .banner-customizable {
+      background-color: #080808;
+      padding: 32px 0 18px;
+    }
+
+    .label-customizable {
+      color: #f5f5f5;
+    }
+
+    .legalText-customizable {
+      color: #f5f5f5;
+    }
+
+    .inputField-customizable {
+      background-color: #232323;
+      border: 1px solid #555555;
+      border-radius: 8px;
+      color: #ffffff;
+      min-height: 48px;
+    }
+
+    .inputField-customizable:focus {
+      border-color: #d8d8d8;
+      box-shadow: 0 0 0 3px rgba(216, 216, 216, 0.2);
+    }
+
+    .submitButton-customizable {
+      background-color: #f4f4f4;
+      border: 0;
+      border-radius: 8px;
+      color: #111111;
+      font-weight: 700;
+      min-height: 48px;
+    }
+
+    .submitButton-customizable:hover {
+      background-color: #ffffff;
+    }
+  CSS
+}
+
+resource "aws_iam_role_policy" "lambda_mcp_oauth_revocations" {
+  name = "mcp-oauth-revocations"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "dynamodb:GetItem",
+          "dynamodb:PutItem"
+        ]
+        Resource = aws_dynamodb_table.mcp_oauth_revocations.arn
+      }
+    ]
+  })
+}

package/dist/terraform/modules/app/lambda-api/oauth-secrets.tf

@@ -0,0 +1,49 @@
+################################################################################
+# Per-user OAuth client credentials (Google Workspace, Microsoft 365)
+#
+# Stored in Secrets Manager as JSON blobs `{"client_id","client_secret"}`.
+# Fetched by oauth-authorize, oauth-callback, oauth-token at Lambda cold-start
+# via packages/api/src/lib/oauth-client-credentials.ts, which caches values in
+# module scope so warm containers pay zero additional round-trips.
+#
+# Secret names use the existing `thinkwork/${stage}/...` prefix so the shared
+# Lambda role's `secretsmanager:GetSecretValue` policy on `thinkwork/*`
+# (main.tf:128-135) covers them — no new IAM attachment needed.
+#
+# Security posture vs. the prior common_env env-var approach: client secrets
+# are no longer baked into Lambda configuration (invisible in
+# `aws lambda get-function-configuration`, in CloudWatch event streams, and
+# in terraform state for the Lambda resource). The secret value itself is
+# still readable by any Lambda using the shared role — per-consumer-role
+# scoping is a separate (larger) refactor tracked for prod.
+################################################################################
+
+resource "aws_secretsmanager_secret" "oauth_google_productivity" {
+  name        = "thinkwork/${var.stage}/oauth/google-productivity"
+  description = "Google Workspace OAuth client credentials (per-user Gmail/Calendar integration). Fetched at Lambda cold-start by oauth-client-credentials.ts."
+  tags = {
+    Name     = "thinkwork-${var.stage}-oauth-google-productivity"
+    Stage    = var.stage
+    Provider = "google_productivity"
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "oauth_google_productivity" {
+  secret_id = aws_secretsmanager_secret.oauth_google_productivity.id
+  secret_string = jsonencode({
+    client_id     = var.google_oauth_client_id
+    client_secret = var.google_oauth_client_secret
+  })
+
+  # If the operator rotates the secret via AWS console / CLI without touching
+  # tfvars, terraform shouldn't clobber it on next apply. Matches the pattern
+  # used for google_places_api_key in the wiki-compile handler.
+  lifecycle {
+    ignore_changes = [secret_string]
+  }
+}
+
+# Microsoft 365 deferred to a follow-up — needs Azure app registration first.
+# When ready, mirror the google-productivity resources + add
+# `microsoft_oauth_client_id` / `_secret` variables to this module and the
+# thinkwork module, then add MICROSOFT_OAUTH_SECRET_ARN to common_env.

package/dist/terraform/modules/app/lambda-api/outputs.tf

@@ -13,6 +13,11 @@ output "api_execution_arn" {
   value       = aws_apigatewayv2_api.main.execution_arn
 }
 
+output "extension_proxy_route_prefix" {
+  description = "Route prefix private Admin extensions call through for tenant-scoped backend proxying."
+  value       = "/api/extensions"
+}
+
 output "lambda_role_arn" {
   description = "Shared Lambda execution role ARN (for other modules that add routes)"
   value       = aws_iam_role.lambda.arn
@@ -42,3 +47,36 @@ output "email_inbound_fn_name" {
   description = "email-inbound Lambda function name. Used by the SES module for lambda:InvokeFunction permissions."
   value       = local.use_local_zips ? aws_lambda_function.handler["email-inbound"].function_name : ""
 }
+
+# ---------------------------------------------------------------------------
+# MCP custom domain — outputs consumed by `pnpm cf:sync-mcp`.
+# ---------------------------------------------------------------------------
+
+output "mcp_custom_domain" {
+  description = "Configured MCP custom domain (e.g., mcp.thinkwork.ai), or empty string when disabled. The CF sync script reads this to know the target hostname."
+  value       = var.mcp_custom_domain
+}
+
+output "mcp_custom_domain_cert_arn" {
+  description = "ACM certificate ARN for the MCP custom domain, or empty when disabled. The sync script can use this to poll ACM validation status via aws acm describe-certificate."
+  value       = var.mcp_custom_domain != "" ? aws_acm_certificate.mcp[0].arn : ""
+}
+
+output "mcp_custom_domain_validation" {
+  description = "List of ACM DNS-validation records that must exist in Cloudflare before the cert is issued. Each record is { name, type, value }. Consumed by scripts/cloudflare-sync-mcp.ts."
+  value = var.mcp_custom_domain != "" ? [
+    for dvo in aws_acm_certificate.mcp[0].domain_validation_options : {
+      name  = dvo.resource_record_name
+      type  = dvo.resource_record_type
+      value = dvo.resource_record_value
+    }
+  ] : []
+}
+
+output "mcp_custom_domain_target" {
+  description = "Regional target for the final mcp.thinkwork.ai → API Gateway CNAME. Only populated on the second apply (when mcp_custom_domain_ready = true). Includes { target_domain_name, hosted_zone_id } so the CF sync script can upsert the record."
+  value = var.mcp_custom_domain != "" && var.mcp_custom_domain_ready ? {
+    target_domain_name = aws_apigatewayv2_domain_name.mcp[0].domain_name_configuration[0].target_domain_name
+    hosted_zone_id     = aws_apigatewayv2_domain_name.mcp[0].domain_name_configuration[0].hosted_zone_id
+  } : null
+}

package/dist/terraform/modules/app/lambda-api/slack-app-secrets.tf

@@ -0,0 +1,43 @@
+################################################################################
+# Slack workspace app credentials
+#
+# Stored in Secrets Manager as a JSON blob with three fields:
+#
+#   {
+#     "signing_secret": "Slack request signing secret",
+#     "client_id":      "Slack OAuth client id",
+#     "client_secret":  "Slack OAuth client secret"
+#   }
+#
+# Slack request handlers and the OAuth install handler receive only this secret
+# ARN in Lambda configuration. The shared Lambda role already has access to the
+# `thinkwork/*` prefix, so no additional IAM attachment is needed.
+#
+# Operators populate the real value out-of-band. Terraform creates an initial
+# empty version so Lambdas fail with a clear missing-field error before setup,
+# and lifecycle.ignore_changes prevents later applies from overwriting rotated
+# credentials.
+################################################################################
+
+resource "aws_secretsmanager_secret" "slack_app_credentials" {
+  name        = "thinkwork/${var.stage}/slack/app"
+  description = "Slack workspace app credentials (signing_secret, client_id, client_secret). Populate via Secrets Manager; never via tfvars."
+  tags = {
+    Name     = "thinkwork-${var.stage}-slack-app"
+    Stage    = var.stage
+    Provider = "slack"
+  }
+}
+
+resource "aws_secretsmanager_secret_version" "slack_app_credentials_initial" {
+  secret_id = aws_secretsmanager_secret.slack_app_credentials.id
+  secret_string = jsonencode({
+    signing_secret = ""
+    client_id      = ""
+    client_secret  = ""
+  })
+
+  lifecycle {
+    ignore_changes = [secret_string]
+  }
+}