thinkwork-cli 0.9.0 → 0.9.1

package/dist/terraform/modules/app/agentcore-code-interpreter/main.tf

@@ -0,0 +1,197 @@
+################################################################################
+# AgentCore Code Interpreter — App Module (stage-level)
+#
+# Stage-scoped artifacts for the AgentCore Code Interpreter sandbox:
+#   * ECR repository for the blessed sandbox base image (Python 3.12 +
+#     pinned libs + sitecustomize.py R13 scrubber baked in).
+#   * Lifecycle policy to trim old images.
+#   * Outputs the per-tenant provisioning Lambda (Unit 5) consumes to
+#     CreateCodeInterpreter for each tenant on demand.
+#
+# **Per-tenant resources live elsewhere.** AgentCore Code Interpreter
+# instances are created per-tenant by the ``agentcore-admin`` Lambda at
+# tenant-create time — see docs/adrs/per-tenant-aws-resource-fanout.md.
+# This module stops at the stage-level substrate.
+#
+# **Image build.** The Dockerfile.sandbox-base next to this file is built
+# and pushed by a CI job (scripts/build_and_push_sandbox_base.sh) — not by
+# Terraform. Terraform owns the ECR repo and IAM plumbing; the image
+# lifecycle is intentionally owned by CI so a repository bump is a
+# reviewable PR rather than a ``terraform apply`` side-effect.
+################################################################################
+
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0"
+    }
+  }
+}
+
+variable "stage" {
+  description = "Deployment stage (dev, prod, etc.) — names the ECR repo and appears in image tags."
+  type        = string
+}
+
+variable "region" {
+  description = "AWS region."
+  type        = string
+}
+
+variable "account_id" {
+  description = "AWS account ID (used to construct IAM resource ARNs)."
+  type        = string
+}
+
+variable "image_retention_count" {
+  description = "Keep the last N image tags in ECR; older ones are lifecycle-expired."
+  type        = number
+  default     = 10
+}
+
+# Environment catalog. Kept as a locals block (not a variable) because v1
+# semantics are fixed in the plan — extending requires a reviewable PR,
+# not a tfvars tweak.
+locals {
+  environments = {
+    "default-public" = {
+      description  = "Full public internet outbound; for community-CLI + pip-install workloads."
+      network_mode = "PUBLIC"
+    }
+    "internal-only" = {
+      description  = "S3 + DNS + AWS service endpoints only; no public egress."
+      network_mode = "SANDBOX"
+    }
+  }
+}
+
+################################################################################
+# ECR repository — stage-level base image
+################################################################################
+
+resource "aws_ecr_repository" "sandbox_base" {
+  name                 = "thinkwork-${var.stage}-sandbox-base"
+  image_tag_mutability = "IMMUTABLE"
+  force_delete         = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = {
+    Name    = "thinkwork-${var.stage}-sandbox-base"
+    Stage   = var.stage
+    Purpose = "agentcore-code-interpreter-base-image"
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "sandbox_base" {
+  repository = aws_ecr_repository.sandbox_base.name
+
+  policy = jsonencode({
+    rules = [{
+      rulePriority = 1
+      description  = "Keep last ${var.image_retention_count} images"
+      selection = {
+        tagStatus   = "any"
+        countType   = "imageCountMoreThan"
+        countNumber = var.image_retention_count
+      }
+      action = {
+        type = "expire"
+      }
+    }]
+  })
+}
+
+################################################################################
+# IAM policy document — per-tenant trust template
+#
+# Rendered as a JSON string so the agentcore-admin Lambda (Unit 5) can
+# substitute {tenant_id} at CreateRole time. Stored as a terraform output so
+# the Lambda reads it from SSM or environment — not hard-coded in the
+# Lambda source.
+################################################################################
+
+locals {
+  tenant_role_trust_policy_template = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = "bedrock-agentcore.amazonaws.com" }
+      Action    = "sts:AssumeRole"
+      Condition = {
+        StringEquals = {
+          "aws:SourceAccount" = var.account_id
+        }
+      }
+    }]
+  })
+
+  # Inline policy template: tenant-wildcard read on the sandbox SM path
+  # family. {tenant_id} is substituted at CreateRole time.
+  tenant_role_inline_policy_template = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "SandboxSecretsRead"
+        Effect = "Allow"
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret",
+        ]
+        # Wildcard over users within the tenant. See T1b residual.
+        Resource = "arn:aws:secretsmanager:${var.region}:${var.account_id}:secret:thinkwork/${var.stage}/sandbox/{tenant_id}/*"
+      },
+      {
+        Sid    = "SandboxCloudWatchLogs"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+        ]
+        Resource = "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/bedrock-agentcore/runtimes/*"
+      },
+    ]
+  })
+}
+
+################################################################################
+# Outputs
+################################################################################
+
+output "ecr_repository_name" {
+  description = "Name of the sandbox base image ECR repo."
+  value       = aws_ecr_repository.sandbox_base.name
+}
+
+output "ecr_repository_url" {
+  description = "Full URL of the sandbox base image ECR repo."
+  value       = aws_ecr_repository.sandbox_base.repository_url
+}
+
+output "environment_ids" {
+  description = "Enum of valid sandbox environment identifiers."
+  value       = keys(local.environments)
+}
+
+output "environments" {
+  description = "Full environment metadata (network mode + description) for each sandbox environment."
+  value       = local.environments
+}
+
+output "tenant_role_trust_policy_template" {
+  description = "JSON trust-policy template for per-tenant sandbox IAM roles. Consumer substitutes {tenant_id}."
+  value       = local.tenant_role_trust_policy_template
+}
+
+output "tenant_role_inline_policy_template" {
+  description = "JSON inline-policy template for per-tenant sandbox IAM roles. Consumer substitutes {tenant_id}."
+  value       = local.tenant_role_inline_policy_template
+}
+
+output "stage" {
+  description = "Echo of the stage variable (convenience for downstream modules)."
+  value       = var.stage
+}

package/dist/terraform/modules/app/agentcore-code-interpreter/scripts/build_and_push_sandbox_base.sh

@@ -0,0 +1,70 @@
+#!/usr/bin/env bash
+################################################################################
+# build_and_push_sandbox_base.sh — build + push the AgentCore sandbox base
+# image to the stage's ECR repo. Invoked by CI; also safe to run locally
+# once ``thinkwork doctor`` reports green.
+#
+# Usage (from repo root):
+#   bash terraform/modules/app/agentcore-code-interpreter/scripts/build_and_push_sandbox_base.sh \
+#        --stage dev --region us-east-1
+#
+# The script:
+#   1. Reads the ECR repo URL from ``terraform output -raw`` (must be run
+#      after ``terraform apply`` lands the agentcore-code-interpreter
+#      module for the target stage).
+#   2. docker build the Dockerfile.sandbox-base with the repo root as
+#      context (so the COPY can reach packages/).
+#   3. Tags with the current git SHA (immutable tag per the ECR repo
+#      config) and ``:latest``.
+#   4. docker push both tags after ``aws ecr get-login-password``.
+################################################################################
+set -euo pipefail
+
+STAGE=""
+REGION=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --stage)   STAGE="$2";   shift 2 ;;
+    --region)  REGION="$2";  shift 2 ;;
+    *)         echo "unknown arg: $1" >&2; exit 2 ;;
+  esac
+done
+
+: "${STAGE:?--stage is required}"
+: "${REGION:?--region is required}"
+
+# Resolve the repo URL from terraform state. Tolerant: if the caller runs
+# this before the module applies, fall back to the deterministic name.
+REPO_URL="$(
+  terraform -chdir="terraform/examples/greenfield" output -raw \
+    sandbox_base_ecr_repository_url 2>/dev/null \
+    || echo ""
+)"
+if [[ -z "$REPO_URL" ]]; then
+  ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
+  REPO_URL="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/thinkwork-${STAGE}-sandbox-base"
+fi
+
+GIT_SHA="$(git rev-parse --short HEAD)"
+IMAGE_TAG="${GIT_SHA}"
+
+echo "[sandbox-base] repo: ${REPO_URL}"
+echo "[sandbox-base] tag:  ${IMAGE_TAG}"
+
+# ECR login
+aws ecr get-login-password --region "${REGION}" \
+  | docker login --username AWS --password-stdin "${REPO_URL%/*}"
+
+# Build with repo root as the context so COPY can reach packages/.
+docker build \
+  --platform=linux/amd64 \
+  -f terraform/modules/app/agentcore-code-interpreter/Dockerfile.sandbox-base \
+  -t "${REPO_URL}:${IMAGE_TAG}" \
+  -t "${REPO_URL}:latest" \
+  .
+
+docker push "${REPO_URL}:${IMAGE_TAG}"
+docker push "${REPO_URL}:latest"
+
+echo "[sandbox-base] pushed ${REPO_URL}:${IMAGE_TAG}"

package/dist/terraform/modules/app/agentcore-flue/README.md

@@ -0,0 +1,58 @@
+# `agentcore-flue` — Flue agent runtime
+
+Provisions the **Flue** agent runtime as a Lambda+LWA function (Plan §005 U2).
+
+The Flue runtime supersedes the in-flight `agentcore-pi` scaffolding (renamed in U1, PR #785). U2 splits the Flue Lambda + log group + IAM role + event-invoke config out of the Strands `agentcore-runtime` module into this dedicated module so Flue can carry its own permissions surface independently.
+
+## Resources owned
+
+- `aws_iam_role.agentcore_flue` (`thinkwork-${stage}-agentcore-flue-role`) — assumed by Lambda + Bedrock AgentCore Runtime principals.
+- `aws_iam_role_policy.agentcore_flue` — baseline permissions (S3 skill catalog, Bedrock model invoke, AgentCore Memory + Code Interpreter, CloudWatch Logs, X-Ray ingestion, ECR pull, SSM parameter access, memory-retain Lambda invoke). Forward-compat additions for U4-U8: Aurora Data API + Secrets Manager scoped to `thinkwork-${stage}-*`.
+- `aws_iam_role_policy.agentcore_flue_dlq_send` — `sqs:SendMessage` against the shared async DLQ (injected via `var.async_dlq_arn`).
+- `aws_cloudwatch_log_group.agentcore_flue` (`/thinkwork/${stage}/agentcore-flue`).
+- `aws_lambda_function.agentcore_flue` (`thinkwork-${stage}-agentcore-flue`) — `package_type = "Image"`, pulls `${ecr_repository_url}:flue-latest`.
+- `aws_lambda_function_event_invoke_config.agentcore_flue` — `MaximumRetryAttempts=0`, on-failure → shared DLQ.
+
+## Resources NOT owned (injected via inputs)
+
+- **ECR repository** — shared with the Strands runtime (`thinkwork-${stage}-agentcore`). The Flue runtime pulls the `flue-latest` / `${sha}-flue` image tags from this repo. Owned by `../agentcore-runtime`; URL injected via `var.ecr_repository_url`.
+- **Async DLQ** — shared with the Strands runtime so operator inspection has a single queue. Owned by `../agentcore-runtime`; ARN injected via `var.async_dlq_arn`.
+
+## State migration (U1 → U2)
+
+The Flue resources previously lived inside `module.agentcore` under the address `aws_*.agentcore_flue` (renamed from `agentcore_pi` in U1 via in-module `moved {}` blocks). U2 realigns state across modules via `moved {}` blocks declared in the parent composition (`terraform/modules/thinkwork/main.tf`):
+
+```hcl
+moved {
+  from = module.agentcore.aws_lambda_function.agentcore_flue
+  to   = module.agentcore_flue.aws_lambda_function.agentcore_flue
+}
+# (and the analogous moves for the log group + event-invoke config + IAM role)
+```
+
+The Lambda `function_name` attribute is unchanged (`thinkwork-${stage}-agentcore-flue` from U1), so the cross-module migration is pure state-address realignment without destroy+create on the underlying AWS resource.
+
+## Inputs
+
+| Variable | Required | Purpose |
+|---|---|---|
+| `stage` | yes | Deployment stage (e.g., `dev`, `prod`). |
+| `account_id` | yes | AWS account ID (used in IAM resource ARNs). |
+| `region` | yes | AWS region. |
+| `bucket_name` | yes | Primary S3 bucket for skills + workspace files. |
+| `ecr_repository_url` | yes | Shared ECR repo URL from `module.agentcore.ecr_repository_url`. |
+| `async_dlq_arn` | yes | Shared async DLQ ARN from `module.agentcore.agentcore_async_dlq_arn`. |
+| `hindsight_endpoint` | no | Hindsight API endpoint when enabled; empty disables Hindsight tools. |
+| `agentcore_memory_id` | no | AgentCore Memory resource ID for auto-retention. |
+| `api_endpoint` | no | API Gateway base URL for the `/api/skills/complete` callback. |
+| `api_auth_secret` | no | Service-auth bearer for the same callback. |
+| `memory_engine` | no | `hindsight` or `agentcore`; surfaced as `MEMORY_ENGINE` env var. |
+
+## Outputs
+
+| Output | Purpose |
+|---|---|
+| `flue_function_name` | Direct SDK invoke target (passed to `chat-agent-invoke` as `AGENTCORE_FLUE_FUNCTION_NAME`). |
+| `flue_function_arn` | Granted to `chat-agent-invoke`'s `lambda:InvokeFunction` policy. |
+| `flue_runtime_role_arn` | Assumed by the Bedrock AgentCore Runtime when Flue is invoked via the Bedrock control plane. |
+| `flue_log_group_name` | Scrubber + operator inspection target. |

package/dist/terraform/modules/app/agentcore-flue/main.tf

@@ -0,0 +1,322 @@
+################################################################################
+# AgentCore Flue — App Module
+#
+# Plan §005 U2 — provisions the Flue agent runtime as a Lambda+LWA function.
+#
+# Layout note: this module owns the IAM role, log group, Lambda function, and
+# event-invoke config that are unique to Flue. The shared ECR repo and async
+# DLQ live in `../agentcore-runtime` and are injected via input variables; the
+# IAM policy here grants `sqs:SendMessage` against the shared DLQ ARN.
+#
+# State migration: the resources here previously lived inside `module.agentcore`
+# (the Strands runtime module) under the address `aws_*.agentcore_flue`. The
+# `moved {}` blocks in `terraform/modules/thinkwork/main.tf` realign state
+# across modules without destroy+create on the underlying AWS resources.
+#
+# Forward compat: U4-U8 will tighten the IAM role with Aurora Data API
+# permissions for SessionStore, Secrets Manager for resolved DB credentials,
+# and the AgentCore Code Interpreter actions that the FR-9a spike exercised.
+# U2 lays the role down with the minimum permissions Flue needs to boot —
+# subsequent units extend it as their dependencies land.
+################################################################################
+
+# memory-retain Lambda name + ARN are constructed locally rather than
+# taken as inputs to avoid a circular dependency: the lambda-api module
+# already consumes this module's output (agentcore_flue_function_name/arn).
+# Mirrors the pattern in `../agentcore-runtime/main.tf`.
+locals {
+  memory_retain_fn_name = "thinkwork-${var.stage}-api-memory-retain"
+  memory_retain_fn_arn  = "arn:aws:lambda:${var.region}:${var.account_id}:function:${local.memory_retain_fn_name}"
+}
+
+################################################################################
+# Execution Role
+################################################################################
+
+resource "aws_iam_role" "agentcore_flue" {
+  name = "thinkwork-${var.stage}-agentcore-flue-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect    = "Allow"
+      Principal = { Service = ["ecs-tasks.amazonaws.com", "lambda.amazonaws.com", "bedrock-agentcore.amazonaws.com"] }
+      Action    = "sts:AssumeRole"
+    }]
+  })
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore-flue-role"
+  }
+}
+
+resource "aws_iam_role_policy" "agentcore_flue" {
+  # Sibling policy: ../agentcore-runtime/main.tf `aws_iam_role_policy.agentcore`.
+  # The two policies share ~83% of statements (S3, Bedrock, AgentCore Memory,
+  # Code Interpreter, Logs, X-Ray, ECR, SSM, MemoryRetain). Flue adds Aurora
+  # Data API + Secrets Manager for U4 SessionStore. Keep both surfaces in
+  # sync for shared statements; let Flue-only additions diverge here.
+  name = "agentcore-flue-permissions"
+  role = aws_iam_role.agentcore_flue.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "S3Access"
+        Effect = "Allow"
+        Action = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
+        Resource = [
+          "arn:aws:s3:::${var.bucket_name}",
+          "arn:aws:s3:::${var.bucket_name}/*",
+        ]
+      },
+      {
+        # Bedrock invoke spans foundation models, inference profiles, and
+        # cross-region routing. The original
+        # `arn:aws:bedrock:${region}::foundation-model/*` only covered
+        # foundation models in the primary region — but a
+        # `us.anthropic.claude-sonnet-...` inference profile (the default
+        # routing path used by chat-agent-invoke) lives at
+        # `arn:aws:bedrock:${region}:${account}:inference-profile/*` AND
+        # dispatches the actual InvokeModel call to the foundation model
+        # in whatever region the profile resolves to (us-east-1,
+        # us-east-2, us-west-2). The narrow ARN caused every agent turn
+        # to fail with AccessDenied silently inside pi-ai's Bedrock
+        # provider, surfacing as an empty assistant message with zero
+        # token usage. Strands uses `Resource = "*"` for the same actions;
+        # we match that posture.
+        Sid      = "BedrockInvoke"
+        Effect   = "Allow"
+        Action   = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", "bedrock:InvokeAgent"]
+        Resource = "*"
+      },
+      {
+        # Automatic memory retention — every agent turn calls CreateEvent
+        # to feed AgentCore's background strategies. Also needs read access
+        # so the recall() tool can fetch previously extracted records and
+        # so forget() can soft-archive old records. Mirrors the Strands role.
+        Sid    = "AgentCoreMemoryReadWrite"
+        Effect = "Allow"
+        Action = [
+          "bedrock-agentcore:CreateEvent",
+          "bedrock-agentcore:ListEvents",
+          "bedrock-agentcore:GetEvent",
+          "bedrock-agentcore:ListMemoryRecords",
+          "bedrock-agentcore:RetrieveMemoryRecords",
+          "bedrock-agentcore:GetMemoryRecord",
+          "bedrock-agentcore:BatchCreateMemoryRecords",
+          "bedrock-agentcore:BatchUpdateMemoryRecords",
+        ]
+        Resource = "*"
+      },
+      {
+        # AgentCore Code Interpreter — Flue's primary sandbox per the FR-9a
+        # integration spike (`packages/flue-aws/connectors/agentcore-
+        # codeinterpreter.ts`). Per-tenant interpreters live under
+        # `code-interpreter-custom/*`; sessions are started, exec'd against,
+        # and stopped per Flue invocation.
+        Sid    = "AgentCoreCodeInterpreter"
+        Effect = "Allow"
+        Action = [
+          "bedrock-agentcore:StartCodeInterpreterSession",
+          "bedrock-agentcore:StopCodeInterpreterSession",
+          "bedrock-agentcore:InvokeCodeInterpreter",
+          "bedrock-agentcore:GetCodeInterpreterSession",
+          "bedrock-agentcore:ListCodeInterpreterSessions",
+          "bedrock-agentcore:GetCodeInterpreter",
+        ]
+        Resource = "arn:aws:bedrock-agentcore:${var.region}:${var.account_id}:code-interpreter-custom/*"
+      },
+      {
+        Sid    = "CloudWatchLogs"
+        Effect = "Allow"
+        Action = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams",
+          "logs:PutLogEvents",
+        ]
+        # Lambda log group + AgentCore Runtime container log groups + the
+        # account-wide aws/spans log group (CloudWatch Transaction Search
+        # destination — required for AgentCore Evaluations to read spans).
+        Resource = [
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/lambda/thinkwork-${var.stage}-*",
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/lambda/thinkwork-${var.stage}-*:*",
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/bedrock-agentcore/runtimes/*",
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:/aws/bedrock-agentcore/runtimes/*:*",
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:aws/spans",
+          "arn:aws:logs:${var.region}:${var.account_id}:log-group:aws/spans:*",
+        ]
+      },
+      {
+        # X-Ray ingestion — ADOT exporters publish spans here, which then
+        # flow to aws/spans via the Transaction Search policy. AgentCore
+        # Evaluations queries those spans by session.id when scoring runs.
+        Sid    = "XRayIngest"
+        Effect = "Allow"
+        Action = [
+          "xray:PutTraceSegments",
+          "xray:PutTelemetryRecords",
+          "xray:GetSamplingRules",
+          "xray:GetSamplingTargets",
+        ]
+        Resource = [
+          "arn:aws:xray:${var.region}:${var.account_id}:*",
+          "*",
+        ]
+      },
+      {
+        Sid      = "ECRPull"
+        Effect   = "Allow"
+        Action   = ["ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"]
+        Resource = "arn:aws:ecr:${var.region}:${var.account_id}:repository/thinkwork-${var.stage}-*"
+      },
+      {
+        Sid      = "ECRAuth"
+        Effect   = "Allow"
+        Action   = ["ecr:GetAuthorizationToken"]
+        Resource = "*"
+      },
+      {
+        Sid      = "SSMParameterAccess"
+        Effect   = "Allow"
+        Action   = ["ssm:GetParameter", "ssm:PutParameter"]
+        Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/thinkwork/${var.stage}/agentcore/*"
+      },
+      {
+        # Async-invoke the memory-retain Lambda after every chat turn so
+        # the API's normalized memory layer can run the active engine's
+        # retainTurn() path (Hindsight POST /memories or AgentCore
+        # CreateEvent). InvocationType=Event from the runtime; this Lambda
+        # is the only target.
+        Sid      = "MemoryRetainInvoke"
+        Effect   = "Allow"
+        Action   = ["lambda:InvokeFunction"]
+        Resource = local.memory_retain_fn_arn
+      },
+      {
+        # Aurora Data API — U4 SessionStore writes thread/message rows via
+        # the RDS Data API rather than long-lived Postgres connections.
+        # The cluster ARN and credentials secret are wired through the API
+        # Lambda's env (Plan §005 U4); listed here as broad cluster scope
+        # because the cluster ARN isn't an input to this module yet.
+        Sid    = "AuroraDataAPI"
+        Effect = "Allow"
+        Action = [
+          "rds-data:ExecuteStatement",
+          "rds-data:BatchExecuteStatement",
+          "rds-data:BeginTransaction",
+          "rds-data:CommitTransaction",
+          "rds-data:RollbackTransaction",
+        ]
+        Resource = "arn:aws:rds:${var.region}:${var.account_id}:cluster:thinkwork-${var.stage}-db-*"
+      },
+      {
+        # Secrets Manager — Flue resolves db credentials and other runtime
+        # secrets at invocation time per `feedback_completion_callback_
+        # snapshot_pattern`. Scoped to `/thinkwork/${stage}/*` per the
+        # existing convention.
+        Sid    = "SecretsManagerRead"
+        Effect = "Allow"
+        Action = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret",
+        ]
+        Resource = "arn:aws:secretsmanager:${var.region}:${var.account_id}:secret:thinkwork-${var.stage}-*"
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "agentcore_flue_dlq_send" {
+  name = "agentcore-flue-dlq-send"
+  role = aws_iam_role.agentcore_flue.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["sqs:SendMessage"]
+      Resource = var.async_dlq_arn
+    }]
+  })
+}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+resource "aws_cloudwatch_log_group" "agentcore_flue" {
+  name              = "/thinkwork/${var.stage}/agentcore-flue"
+  retention_in_days = 30
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore-flue-logs"
+  }
+}
+
+################################################################################
+# Lambda Container Image
+################################################################################
+
+resource "aws_lambda_function" "agentcore_flue" {
+  function_name = "thinkwork-${var.stage}-agentcore-flue"
+  role          = aws_iam_role.agentcore_flue.arn
+  package_type  = "Image"
+  image_uri     = "${var.ecr_repository_url}:flue-latest"
+  timeout       = 900
+  memory_size   = 2048
+
+  environment {
+    variables = {
+      PORT                   = "8080"
+      AWS_LWA_PORT           = "8080"
+      AGENTCORE_MEMORY_ID    = var.agentcore_memory_id
+      AGENTCORE_FILES_BUCKET = var.bucket_name
+      MEMORY_ENGINE          = var.memory_engine
+      MEMORY_RETAIN_FN_NAME  = local.memory_retain_fn_name
+      HINDSIGHT_ENDPOINT     = var.hindsight_endpoint
+      THINKWORK_API_URL      = var.api_endpoint
+      API_AUTH_SECRET        = var.api_auth_secret
+      # Plan §005 U4 — AuroraSessionStore uses the RDS Data API to persist
+      # Flue's SessionData blobs against threads.session_data. Empty during
+      # the first greenfield apply (DB cluster doesn't exist yet); the
+      # constructor fail-closes if either is missing at runtime.
+      DB_CLUSTER_ARN = var.db_cluster_arn
+      DB_SECRET_ARN  = var.db_secret_arn
+    }
+  }
+
+  logging_config {
+    log_group  = aws_cloudwatch_log_group.agentcore_flue.name
+    log_format = "Text"
+  }
+
+  tags = {
+    Name = "thinkwork-${var.stage}-agentcore-flue"
+  }
+}
+
+################################################################################
+# Async-invoke hardening — MaximumRetryAttempts=0 + DLQ
+#
+# Mirrors the Strands runtime's invoke-config in `../agentcore-runtime/main.tf`.
+# AWS Lambda async-invoke defaults to 2 retries; the agent loop is not
+# idempotent (Bedrock tokens get re-burned, partial deliverables can
+# overwrite the first), so retries are disabled and failed invokes land in
+# the shared DLQ for operator visibility.
+################################################################################
+
+resource "aws_lambda_function_event_invoke_config" "agentcore_flue" {
+  function_name                = aws_lambda_function.agentcore_flue.function_name
+  maximum_retry_attempts       = 0
+  maximum_event_age_in_seconds = 3600
+
+  destination_config {
+    on_failure {
+      destination = var.async_dlq_arn
+    }
+  }
+}

package/dist/terraform/modules/app/agentcore-flue/outputs.tf

@@ -0,0 +1,23 @@
+################################################################################
+# AgentCore Flue — App Module (outputs)
+################################################################################
+
+output "agentcore_flue_function_name" {
+  description = "Flue AgentCore Lambda function name (for direct SDK invoke from chat-agent-invoke)"
+  value       = aws_lambda_function.agentcore_flue.function_name
+}
+
+output "agentcore_flue_function_arn" {
+  description = "Flue AgentCore Lambda function ARN (for IAM policy on callers; used to grant lambda:InvokeFunction)"
+  value       = aws_lambda_function.agentcore_flue.arn
+}
+
+output "agentcore_flue_runtime_role_arn" {
+  description = "IAM role ARN for the Flue agent runtime (assumed by Lambda + Bedrock AgentCore Runtime principals)"
+  value       = aws_iam_role.agentcore_flue.arn
+}
+
+output "agentcore_flue_log_group_name" {
+  description = "CloudWatch log group name for the Flue Lambda. Useful for log scrubbing and operator inspection."
+  value       = aws_cloudwatch_log_group.agentcore_flue.name
+}