thinkwork-cli 0.9.0 → 0.9.1

package/dist/terraform/examples/greenfield/main.tf

@@ -111,6 +111,12 @@ variable "lambda_zips_dir" {
   default     = ""
 }
 
+variable "enable_workspace_orchestration" {
+  description = "Enable S3 EventBridge/SQS routing and the workspace event dispatcher for folder-native workspace orchestration."
+  type        = bool
+  default     = false
+}
+
 variable "api_auth_secret" {
   description = "Shared secret for inter-service API authentication"
   type        = string
@@ -136,26 +142,203 @@ variable "ses_inbound_domain" {
   default     = ""
 }
 
-variable "lastmile_tasks_api_url" {
+variable "stripe_price_ids_json" {
+  description = "JSON object mapping internal plan names to Stripe price IDs for this stage, e.g. {\"starter\":\"price_...\",\"team\":\"price_...\"}. Non-secret; per-stage. Exposed to Lambdas as STRIPE_PRICE_IDS_JSON env var. The secret keys themselves live in AWS Secrets Manager at thinkwork/<stage>/stripe/api-credentials — never in tfvars."
+  type        = string
+  default     = "{}"
+}
+
+variable "wiki_compile_model_id" {
+  description = <<-EOT
+    Bedrock model id the wiki-compile Lambda uses for the leaf planner,
+    aggregation planner, and section writer. Any Converse-compatible
+    model works; change without a code deploy.
+
+    Default: openai.gpt-oss-120b-1:0 (strong output quality at a lower
+    per-minute throttle risk than Claude Haiku 4.5 on shared dev
+    accounts). Swap to us.anthropic.claude-haiku-4-5-20251001-v1:0 for
+    Claude, or amazon.nova-micro-v1:0 for a low-cost spike.
+  EOT
+  type        = string
+  default     = "openai.gpt-oss-120b-1:0"
+}
+
+variable "company_brain_source_agent_model_id" {
+  description = <<-EOT
+    Bedrock model id the GraphQL Company Brain source-agent runtime uses
+    for JSON tool/action turns. Defaults to Claude Haiku 4.5 for reliable
+    action JSON while wiki compile can stay on gpt-oss for throughput.
+  EOT
+  type        = string
+  default     = "us.anthropic.claude-haiku-4-5-20251001-v1:0"
+}
+
+variable "wiki_aggregation_pass_enabled" {
+  description = <<-EOT
+    Feature flag for the wiki aggregation pass — the second LLM call
+    per compile job that builds parent/hub rollup sections and promotes
+    dense sections into their own topic pages.
+
+    Accepts a string so the Lambda reads the env var verbatim; must be
+    "true" / "1" / "yes" to enable. Set to "false" to stop the pipeline
+    after the leaf pass (no rollups, no promotions).
+  EOT
+  type        = string
+  default     = "true"
+}
+
+variable "google_places_api_key" {
+  description = <<-EOT
+    Google Places API (New) key used by wiki-compile to enrich POI records
+    with city/state/country hierarchy during compile. When empty, compile
+    gracefully degrades to metadata-only place rows (no hierarchy, no
+    backing pages), so this is opt-in. Stored as a SecureString at
+    /thinkwork/<stage>/google-places/api-key — see
+    terraform/modules/app/lambda-api/handlers.tf for the SSM resource.
+
+    The parameter's value has lifecycle.ignore_changes set, so you can
+    rotate via `aws ssm put-parameter --overwrite` without terraform
+    fighting you on the next apply.
+  EOT
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "mapbox_public_token" {
   description = <<-EOT
-    OPTIONAL fallback base URL for the LastMile Tasks REST API.
+    Mapbox public pk.* token consumed by apps/computer's MapView primitive
+    (in @thinkwork/computer-stdlib) for inline map tile rendering inside
+    generated applets. Flows through to scripts/build-computer.sh →
+    apps/computer/.env.production as VITE_MAPBOX_PUBLIC_TOKEN.
+
+    Mapbox tokens are designed to ship in public bundles; URL allowlist
+    on the Mapbox dashboard is the security boundary. Restrict the token
+    to the deployed `computer.<apex>` host (and any dev hosts).
+
+    Empty string is acceptable: MapView falls back to OpenStreetMap tiles
+    when the build-time env var is unset, so dev environments without an
+    operator-provisioned token still render maps.
+  EOT
+  type        = string
+  default     = ""
+  sensitive   = true
+}
 
-    Prefer setting the URL per-tenant via the admin Connectors → LastMile
-    page (stored in webhooks.config.baseUrl); that value takes precedence.
-    This variable only fires when the per-tenant config is empty, and is
-    mainly useful for single-tenant dev stacks and bootstrap scenarios.
+variable "nova_act_api_key" {
+  description = <<-EOT
+    Nova Act API key used by the Strands Browser Automation tool. When empty,
+    Terraform creates /thinkwork/<stage>/agentcore/nova-act-api-key with a
+    placeholder value; populate or rotate the real key with:
+      aws ssm put-parameter --overwrite --name /thinkwork/<stage>/agentcore/nova-act-api-key --type SecureString --value <KEY>
 
-    Leave blank (default) unless you specifically need the env-var
-    fallback. Example: https://api-dev.lastmile-tei.com.
+    The parameter's value has lifecycle.ignore_changes set, so operator
+    rotation sticks across applies.
   EOT
   type        = string
   default     = ""
+  sensitive   = true
+}
+
+variable "wiki_deterministic_linking_enabled" {
+  description = <<-EOT
+    Feature flag for deterministic compile-time link emission:
+      - city/journal parent references from parent-expander candidates
+      - entity↔entity co-mention edges via wiki_section_sources
+
+    Accepts a string so the Lambda reads the env var verbatim; must be
+    "true" / "1" / "yes" to enable. Rollback is a targeted DELETE:
+    `DELETE FROM wiki_page_links WHERE context LIKE 'deterministic:%' OR
+    context LIKE 'co_mention:%'` — provenance is preserved on every row.
+  EOT
+  type        = string
+  default     = "true"
+}
+
+variable "agentcore_code_interpreter_id" {
+  description = "AgentCore Code Interpreter id used by routine-task-python for SFN python recipe states."
+  type        = string
+  default     = ""
+}
+
+variable "mcp_custom_domain" {
+  description = <<-EOT
+    MCP custom domain (e.g. "mcp.thinkwork.ai"). Empty disables the
+    custom-domain setup — the MCP endpoint stays reachable at the API
+    Gateway execute-api URL. When set, an ACM cert is created on the
+    first apply; flip `mcp_custom_domain_ready = true` on a second
+    apply after DNS validation completes. See
+    docs/solutions/patterns/mcp-custom-domain-setup-2026-04-23.md.
+  EOT
+  type        = string
+  default     = ""
+}
+
+variable "mcp_custom_domain_ready" {
+  description = <<-EOT
+    Second-apply gate for the MCP custom domain. Stays false on the
+    first apply (cert creation + DNS validation). Flip to true after
+    ACM shows the cert as ISSUED so the second apply can create the
+    API Gateway custom domain + mapping. Ignored when
+    mcp_custom_domain is empty.
+  EOT
+  type        = bool
+  default     = false
 }
 
 locals {
   www_dns_enabled = var.www_domain != "" && var.cloudflare_zone_id != ""
   docs_domain     = var.www_domain != "" ? "docs.${var.www_domain}" : ""
   admin_domain    = var.www_domain != "" ? "admin.${var.www_domain}" : ""
+  computer_domain = var.www_domain != "" ? "computer.${var.www_domain}" : ""
+  sandbox_domain  = var.www_domain != "" ? "sandbox.${var.www_domain}" : ""
+  api_domain      = var.www_domain != "" ? "api.${var.www_domain}" : ""
+}
+
+resource "aws_acm_certificate" "computer_sandbox" {
+  count = local.www_dns_enabled ? 1 : 0
+
+  domain_name       = local.sandbox_domain
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-computer-sandbox"
+  }
+}
+
+resource "cloudflare_record" "computer_sandbox_acm_validation" {
+  for_each = {
+    for dvo in flatten([
+      for cert in aws_acm_certificate.computer_sandbox : tolist(cert.domain_validation_options)
+      ]) : dvo.domain_name => {
+      name  = dvo.resource_record_name
+      value = dvo.resource_record_value
+      type  = dvo.resource_record_type
+    }
+  }
+
+  zone_id = var.cloudflare_zone_id
+  name    = trimsuffix(each.value.name, ".")
+  content = trimsuffix(each.value.value, ".")
+  type    = each.value.type
+  ttl     = 60
+  proxied = false
+  comment = "ACM DNS validation for ${each.key}"
+
+  allow_overwrite = true
+}
+
+resource "aws_acm_certificate_validation" "computer_sandbox" {
+  count = local.www_dns_enabled ? 1 : 0
+
+  certificate_arn = aws_acm_certificate.computer_sandbox[0].arn
+  validation_record_fqdns = [
+    for record in cloudflare_record.computer_sandbox_acm_validation : record.hostname
+  ]
 }
 
 module "thinkwork" {
@@ -165,14 +348,15 @@ module "thinkwork" {
   region     = var.region
   account_id = var.account_id
 
-  db_password                = var.db_password
-  database_engine            = var.database_engine
-  enable_hindsight           = var.enable_hindsight
-  google_oauth_client_id     = var.google_oauth_client_id
-  google_oauth_client_secret = var.google_oauth_client_secret
-  pre_signup_lambda_zip      = var.pre_signup_lambda_zip
-  lambda_zips_dir            = var.lambda_zips_dir
-  api_auth_secret            = var.api_auth_secret
+  db_password                    = var.db_password
+  database_engine                = var.database_engine
+  enable_hindsight               = var.enable_hindsight
+  google_oauth_client_id         = var.google_oauth_client_id
+  google_oauth_client_secret     = var.google_oauth_client_secret
+  pre_signup_lambda_zip          = var.pre_signup_lambda_zip
+  lambda_zips_dir                = var.lambda_zips_dir
+  enable_workspace_orchestration = var.enable_workspace_orchestration
+  api_auth_secret                = var.api_auth_secret
 
   # Public website custom domain (optional — wired only when www_domain is set)
   www_domain          = var.www_domain
@@ -188,12 +372,46 @@ module "thinkwork" {
   admin_domain          = local.www_dns_enabled ? local.admin_domain : ""
   admin_certificate_arn = local.www_dns_enabled ? module.www_dns[0].certificate_arn : ""
 
+  # Computer SPA custom domain (derived from www_domain — computer.<apex>).
+  # Same ACM cert covers it via the include_computer SAN gate on www_dns.
+  computer_domain          = local.www_dns_enabled ? local.computer_domain : ""
+  computer_certificate_arn = local.www_dns_enabled ? module.www_dns[0].certificate_arn : ""
+
+  # Computer iframe sandbox (derived from www_domain — sandbox.<apex>).
+  # Uses its own ACM certificate so sandbox bootstrap/rotation cannot replace
+  # the shared apex/www/docs/admin/computer/api certificate.
+  computer_sandbox_domain                 = local.www_dns_enabled ? local.sandbox_domain : ""
+  computer_sandbox_certificate_arn        = local.www_dns_enabled ? aws_acm_certificate_validation.computer_sandbox[0].certificate_arn : ""
+  computer_sandbox_allowed_parent_origins = local.www_dns_enabled ? "https://${local.computer_domain},https://${local.admin_domain}" : ""
+
   # SES inbound email subdomain (delegated Route53 subzone).
   ses_inbound_domain = var.ses_inbound_domain
 
-  # LastMile Tasks REST API base URL — feature-flags the outbound task
-  # sync. Empty string keeps mobile-created tasks in sync_status='local'.
-  lastmile_tasks_api_url = var.lastmile_tasks_api_url
+  # Wiki compile Lambda config. Pinned so unrelated terraform applies
+  # don't wipe the Bedrock model or the aggregation flag back to
+  # whatever the Lambda env defaults to.
+  wiki_compile_model_id               = var.wiki_compile_model_id
+  company_brain_source_agent_model_id = var.company_brain_source_agent_model_id
+  wiki_aggregation_pass_enabled       = var.wiki_aggregation_pass_enabled
+  wiki_deterministic_linking_enabled  = var.wiki_deterministic_linking_enabled
+  google_places_api_key               = var.google_places_api_key
+  nova_act_api_key                    = var.nova_act_api_key
+  agentcore_code_interpreter_id       = var.agentcore_code_interpreter_id
+
+  # Mapbox public token for apps/computer MapView primitive. Flows through
+  # to scripts/build-computer.sh → VITE_MAPBOX_PUBLIC_TOKEN.
+  mapbox_public_token = var.mapbox_public_token
+
+  # Stripe billing — internal-plan → price-id map (per-stage, non-secret).
+  stripe_price_ids_json = var.stripe_price_ids_json
+
+  # MCP custom domain (e.g. mcp.thinkwork.ai). Two-apply flow: the first
+  # apply creates the ACM cert (mcp_custom_domain_ready=false), the
+  # second apply attaches the domain + API mapping after DNS validation
+  # (mcp_custom_domain_ready=true). Runbook:
+  # docs/solutions/patterns/mcp-custom-domain-setup-2026-04-23.md
+  mcp_custom_domain       = var.mcp_custom_domain
+  mcp_custom_domain_ready = var.mcp_custom_domain_ready
 
   # Greenfield: create everything (all defaults are true)
 }
@@ -221,6 +439,27 @@ module "www_dns" {
   # Admin: same cycle-avoidance pattern.
   include_admin                = true
   admin_cloudfront_domain_name = module.thinkwork.admin_distribution_domain
+
+  # Computer: same cycle-avoidance pattern as docs/admin. Phase one of the
+  # two-phase first apply (#971) used a static empty string here to dodge an
+  # "Invalid count argument" plan error while module.thinkwork.computer_site
+  # didn't yet exist in state. Now that the distribution is created and its
+  # domain is known, this can read the real output — `!= ""` resolves to a
+  # static true and the Cloudflare CNAME for computer.<domain> gets created
+  # on this apply.
+  include_computer                = true
+  computer_cloudfront_domain_name = module.thinkwork.computer_distribution_domain
+
+  # Computer iframe sandbox: same cycle-avoidance pattern as computer.
+  include_computer_sandbox                = true
+  computer_sandbox_cloudfront_domain_name = module.thinkwork.computer_sandbox_distribution_domain
+
+  # API custom domain (api.<apex>). Same cycle-avoidance — the ACM cert SAN
+  # list is gated on include_api (a plain bool), while api_gateway_id (which
+  # the cert doesn't depend on) is read at record-creation time.
+  include_api            = true
+  api_gateway_id         = module.thinkwork.api_id
+  api_gateway_stage_name = "$default"
 }
 
 ################################################################################
@@ -257,6 +496,11 @@ output "api_endpoint" {
   value       = module.thinkwork.api_endpoint
 }
 
+output "api_domain" {
+  description = "Custom domain for the HTTP API (e.g. api.thinkwork.ai). Empty string when www_domain/cloudflare_zone_id aren't configured. Read by scripts/build-www.sh to set PUBLIC_API_URL at build time."
+  value       = local.www_dns_enabled ? local.api_domain : ""
+}
+
 output "appsync_api_url" {
   description = "AppSync GraphQL URL"
   value       = module.thinkwork.appsync_api_url
@@ -273,6 +517,12 @@ output "appsync_api_key" {
   sensitive   = true
 }
 
+output "mapbox_public_token" {
+  description = "Mapbox public token used by apps/computer MapView. Read by scripts/build-computer.sh to inline VITE_MAPBOX_PUBLIC_TOKEN at build time; empty string lets MapView fall back to OpenStreetMap tiles."
+  value       = module.thinkwork.mapbox_public_token
+  sensitive   = true
+}
+
 output "auth_domain" {
   description = "Cognito hosted UI domain"
   value       = module.thinkwork.auth_domain
@@ -348,6 +598,41 @@ output "admin_bucket_name" {
   value       = module.thinkwork.admin_bucket_name
 }
 
+output "computer_url" {
+  description = "Computer app URL"
+  value       = local.www_dns_enabled ? "https://${local.computer_domain}" : "https://${module.thinkwork.computer_distribution_domain}"
+}
+
+output "computer_distribution_id" {
+  description = "CloudFront distribution ID for computer (for cache invalidation)"
+  value       = module.thinkwork.computer_distribution_id
+}
+
+output "computer_bucket_name" {
+  description = "S3 bucket for computer app assets"
+  value       = module.thinkwork.computer_bucket_name
+}
+
+output "computer_sandbox_distribution_id" {
+  description = "CloudFront distribution ID for the Computer iframe sandbox (for cache invalidation)"
+  value       = module.thinkwork.computer_sandbox_distribution_id
+}
+
+output "computer_sandbox_bucket_name" {
+  description = "S3 bucket for the Computer iframe sandbox shell assets"
+  value       = module.thinkwork.computer_sandbox_bucket_name
+}
+
+output "computer_sandbox_url" {
+  description = "Computer iframe sandbox URL"
+  value       = module.thinkwork.computer_sandbox_url
+}
+
+output "computer_sandbox_allowed_parent_origins" {
+  description = "Trusted parent origins for the Computer iframe sandbox"
+  value       = module.thinkwork.computer_sandbox_allowed_parent_origins
+}
+
 output "docs_url" {
   description = "Docs site URL"
   value       = local.www_dns_enabled ? "https://${local.docs_domain}" : "https://${module.thinkwork.docs_distribution_domain}"
@@ -397,3 +682,24 @@ output "ses_inbound_mx_target" {
   description = "MX target host for the email subdomain. Already written into the subzone by Terraform — informational."
   value       = module.thinkwork.ses_inbound_mx_target
 }
+
+# MCP custom domain — consumed by `pnpm cf:sync-mcp`.
+output "mcp_custom_domain" {
+  description = "Configured MCP custom domain (e.g., mcp.thinkwork.ai), or empty when disabled."
+  value       = module.thinkwork.mcp_custom_domain
+}
+
+output "mcp_custom_domain_cert_arn" {
+  description = "ACM cert ARN for the MCP custom domain. Pass to `pnpm cf:sync-mcp --cert-arn` in direct-args mode."
+  value       = module.thinkwork.mcp_custom_domain_cert_arn
+}
+
+output "mcp_custom_domain_validation" {
+  description = "DNS validation records to add to Cloudflare for ACM to issue the cert. Each record: { name, type, value }."
+  value       = module.thinkwork.mcp_custom_domain_validation
+}
+
+output "mcp_custom_domain_target" {
+  description = "Regional target for the final mcp CNAME — only populated on the second apply after mcp_custom_domain_ready=true. { target_domain_name, hosted_zone_id } or null."
+  value       = module.thinkwork.mcp_custom_domain_target
+}

package/dist/terraform/examples/greenfield/terraform.tfvars.example

@@ -30,6 +30,20 @@ db_password = "CHANGE_ME_strong_password_here"
 # Pre-signup Lambda (optional — leave empty if not using custom pre-signup logic)
 # pre_signup_lambda_zip = "./lambdas/pre-signup.zip"
 
+# Google Places API key (optional — leave empty to run compile pipeline
+# without live place-hierarchy enrichment; records fall back to
+# metadata-only rows and no country/city backing pages are auto-created).
+#
+# When set, terraform creates a SSM SecureString parameter at
+# /thinkwork/<stage>/google-places/api-key and the wiki-compile Lambda
+# reads it on cold start. Alternative: leave blank here and set the key
+# manually after apply via:
+#   aws ssm put-parameter --type SecureString --overwrite \
+#     --name /thinkwork/<stage>/google-places/api-key --value <KEY>
+# (terraform's lifecycle.ignore_changes on the value keeps your manual
+# value from being overwritten on future applies.)
+# google_places_api_key = ""
+
 # Public website (apps/www) custom domain.
 # Leave www_domain empty to skip the custom domain and serve on the raw
 # CloudFront URL. When set, you must also provide cloudflare_zone_id below —

package/dist/terraform/modules/app/agentcore-code-interpreter/Dockerfile.sandbox-base

@@ -0,0 +1,61 @@
+# Sandbox base image for the AgentCore Code Interpreter.
+#
+# Builds a Python 3.12 container with a small, pinned set of libraries
+# template authors can rely on without paying the first-turn `pip install`
+# tax. Installs sitecustomize.py so the stdout/stderr token redactor is
+# active before any user code or framework traceback runs on cold start.
+#
+# Image tagging is CI-driven (see scripts/build_and_push_sandbox_base.sh).
+# Tags are immutable; a bump ships as a reviewable PR.
+#
+# Build context is the repository root so the COPY line can reach the
+# Python source under packages/agentcore-strands/agent-container-sandbox/.
+#
+#   docker build -f terraform/modules/app/agentcore-code-interpreter/Dockerfile.sandbox-base .
+
+FROM python:3.12-slim AS base
+
+# ---------------------------------------------------------------------------
+# System packages — minimal. The sandbox runs agent code, not a full distro.
+# ---------------------------------------------------------------------------
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        curl \
+        git \
+    && rm -rf /var/lib/apt/lists/*
+
+# ---------------------------------------------------------------------------
+# Blessed Python libraries — pinned to explicit versions per plan R14/R24.
+# Bumps happen in reviewable PRs. Runtime `pip install` is still allowed
+# (per R15; T2 residual is named), but these baseline packages install once
+# at image bake and don't pay the per-turn cost.
+# ---------------------------------------------------------------------------
+RUN pip install --no-cache-dir \
+        pandas==2.2.3 \
+        numpy==2.1.3 \
+        requests==2.32.3 \
+        boto3==1.38.0 \
+        httpx==0.28.1 \
+        pyyaml==6.0.2 \
+        openpyxl==3.1.5 \
+        python-dateutil==2.9.0.post0
+
+# ---------------------------------------------------------------------------
+# sitecustomize.py — the R13 stdout/stderr token redactor. Python
+# auto-imports any module named "sitecustomize" on interpreter startup, so
+# placing it in site-packages makes the redactor load before any user code
+# (and before the framework traceback on cold start). See the module
+# docstring for the honestly-scoped invariant and named residual gaps.
+# ---------------------------------------------------------------------------
+COPY packages/agentcore-strands/agent-container-sandbox/sitecustomize.py \
+     /usr/local/lib/python3.12/site-packages/sitecustomize.py
+
+# ---------------------------------------------------------------------------
+# Startup assertion — fail loudly if the module isn't wired up or
+# THINKWORK_SANDBOX_SCRUBBER=off slips through to prod. Runs in the same
+# image smoke-test CI job that pushes the tag.
+# ---------------------------------------------------------------------------
+RUN python -c "import sitecustomize; assert sitecustomize.installed(), 'sitecustomize did not install its stdio wrapper on import'; print('sitecustomize: OK')"
+
+# AgentCore Code Interpreter supplies its own entrypoint; we provide the
+# libraries + scrubber only. No CMD/ENTRYPOINT override.

package/dist/terraform/modules/app/agentcore-code-interpreter/README.md

@@ -0,0 +1,54 @@
+# `agentcore-code-interpreter` — stage-level base image substrate
+
+Stage-scoped artifacts for the AgentCore Code Interpreter sandbox. **Per-tenant
+Code Interpreter instances are created at runtime** by the `agentcore-admin`
+Lambda (see `docs/adrs/per-tenant-aws-resource-fanout.md`) — this module
+stops at the substrate everything else depends on.
+
+## What it creates
+
+- **ECR repository** `thinkwork-{stage}-sandbox-base` — immutable tags, last 10
+  kept, scan-on-push.
+- **Outputs** consumed by downstream modules + the provisioning Lambda:
+  - `ecr_repository_url` — where the blessed image lives.
+  - `environment_ids` + `environments` — the v1 environment catalog (`default-public`,
+    `internal-only`) with network modes.
+  - `tenant_role_trust_policy_template` / `tenant_role_inline_policy_template` —
+    JSON templates the provisioning Lambda substitutes `{tenant_id}` into at
+    `CreateRole` time (plan Unit 5).
+
+## Files
+
+| File | Purpose |
+|---|---|
+| `main.tf` | ECR + outputs. No per-tenant resources. |
+| `Dockerfile.sandbox-base` | Python 3.12 + pinned libs + `sitecustomize.py`. Build context is the **repo root** so the COPY can reach `packages/agentcore-strands/agent-container-sandbox/sitecustomize.py`. |
+| `scripts/build_and_push_sandbox_base.sh` | CI builds + pushes. Not called from Terraform — image lifecycle is a reviewable-PR concern. |
+
+The Python source `sitecustomize.py` and its pytest suite `test_sitecustomize.py`
+live under `packages/agentcore-strands/agent-container-sandbox/` (colocated with
+the rest of the Strands agent-container Python, per handoff P2 #10). That's
+where `uv run pytest` finds them without extra config.
+
+## What this module does **not** do
+
+- Create per-tenant Code Interpreter instances — that's Unit 5 (agentcore-admin Lambda).
+- Build or push the Docker image — that's CI, via the shell script above.
+- Grant the provisioning Lambda IAM permissions on the new resources — that's added in Unit 5 when the Lambda resource lands.
+
+## Bumping the image
+
+1. Edit `Dockerfile.sandbox-base` (pin a new pandas / add a lib / etc.).
+2. Edit `packages/agentcore-strands/agent-container-sandbox/sitecustomize.py` if the R13 invariant or its coverage gaps shift.
+3. PR. CI runs `pytest` on the scrubber plus a build-then-startup-assertion smoke test.
+4. After merge, `build_and_push_sandbox_base.sh` tags with the merge-commit SHA.
+
+## Named residual
+
+The R13 invariant this module's scrubber enforces is **honestly scoped** to
+Python-stdio-mediated writes + known-shape CloudWatch patterns. See the
+brainstorm and the `sitecustomize.py` module docstring for the full list of
+stdio-bypass classes (os.write, subprocess env dumps, C-extension direct
+writes, multiprocessing workers, adversarial split-writes) that the Unit 12
+pattern backstop catches partially and the v2 in-process credential proxy
+addresses structurally.