thinkwork-cli 0.9.0 → 0.9.1

package/dist/terraform/modules/app/lambda-api/handlers.tf

@@ -7,34 +7,56 @@
 ################################################################################
 
 locals {
-  use_local_zips = var.lambda_zips_dir != ""
-  runtime        = "nodejs20.x"
+  use_local_zips        = var.lambda_zips_dir != ""
+  eval_fanout_queue_url = local.use_local_zips ? aws_sqs_queue.eval_fanout[0].url : ""
+  runtime               = "nodejs20.x"
 
   # Common environment variables shared by all API handlers
   common_env = {
-    STAGE                   = var.stage
-    DATABASE_URL            = "postgresql://${var.db_username}:${urlencode(var.db_password)}@${var.db_cluster_endpoint}:5432/${var.database_name}?sslmode=no-verify"
-    DATABASE_SECRET_ARN     = var.graphql_db_secret_arn
-    DATABASE_HOST           = var.db_cluster_endpoint
-    DATABASE_NAME           = var.database_name
-    BUCKET_NAME             = var.bucket_name
-    USER_POOL_ID            = var.user_pool_id
-    COGNITO_USER_POOL_ID    = var.user_pool_id
-    ADMIN_CLIENT_ID         = var.admin_client_id
-    MOBILE_CLIENT_ID        = var.mobile_client_id
-    COGNITO_APP_CLIENT_IDS  = "${var.admin_client_id},${var.mobile_client_id}"
-    APPSYNC_ENDPOINT        = var.appsync_api_url
-    APPSYNC_API_KEY         = var.appsync_api_key
-    GRAPHQL_API_KEY         = var.appsync_api_key
-    API_AUTH_SECRET         = var.api_auth_secret
-    THINKWORK_API_SECRET    = var.api_auth_secret
-    EMAIL_HMAC_SECRET       = var.api_auth_secret
-    THINKWORK_API_URL       = "https://${aws_apigatewayv2_api.main.id}.execute-api.${var.region}.amazonaws.com"
-    AGENTCORE_FUNCTION_NAME = var.agentcore_function_name
-    WORKSPACE_BUCKET        = var.bucket_name
-    HINDSIGHT_ENDPOINT      = var.hindsight_endpoint
-    AGENTCORE_MEMORY_ID     = var.agentcore_memory_id
-    MEMORY_ENGINE           = var.memory_engine
+    STAGE                       = var.stage
+    DATABASE_URL                = "postgresql://${var.db_username}:${urlencode(var.db_password)}@${var.db_cluster_endpoint}:5432/${var.database_name}?sslmode=no-verify"
+    DATABASE_SECRET_ARN         = var.graphql_db_secret_arn
+    DATABASE_HOST               = var.db_cluster_endpoint
+    DATABASE_NAME               = var.database_name
+    BUCKET_NAME                 = var.bucket_name
+    USER_POOL_ID                = var.user_pool_id
+    COGNITO_USER_POOL_ID        = var.user_pool_id
+    ADMIN_CLIENT_ID             = var.admin_client_id
+    MOBILE_CLIENT_ID            = var.mobile_client_id
+    COGNITO_MCP_CLIENT_ID       = aws_cognito_user_pool_client.mcp_oauth.id
+    COGNITO_AUTH_BASE_URL       = local.mcp_oauth_cognito_base_url
+    MCP_OAUTH_CALLBACK_URL      = "${local.mcp_oauth_api_base_url}/mcp/oauth/callback"
+    MCP_OAUTH_REVOCATIONS_TABLE = aws_dynamodb_table.mcp_oauth_revocations.name
+    COGNITO_APP_CLIENT_IDS      = "${var.admin_client_id},${var.mobile_client_id}"
+    APPSYNC_ENDPOINT            = var.appsync_api_url
+    APPSYNC_API_KEY             = var.appsync_api_key
+    GRAPHQL_API_KEY             = var.appsync_api_key
+    API_AUTH_SECRET             = var.api_auth_secret
+    THINKWORK_API_SECRET        = var.api_auth_secret
+    EMAIL_HMAC_SECRET           = var.api_auth_secret
+    THINKWORK_API_URL           = "https://${aws_apigatewayv2_api.main.id}.execute-api.${var.region}.amazonaws.com"
+    # Comma-separated allowlist of caller emails permitted to invoke
+    # operator-gated mutations (updateTenantPolicy, sandbox fixture
+    # setup, etc.). Resolved against ctx.auth.email, which is pulled
+    # from the Cognito JWT for user callers and from the
+    # `x-principal-email` header for service-auth callers (see
+    # packages/api/src/lib/cognito-auth.ts). Empty ⇒ the gate
+    # rejects every call, which is the safe default pre-rollout.
+    THINKWORK_PLATFORM_OPERATOR_EMAILS = var.platform_operator_emails
+    AGENTCORE_FUNCTION_NAME            = var.agentcore_function_name
+    AGENTCORE_FLUE_FUNCTION_NAME       = var.agentcore_flue_function_name
+    # SSM parameter names for the Bedrock AgentCore Runtime IDs (one per
+    # runtime type). deploy.yml's "Update AgentCore Runtimes" job writes
+    # these in `update-agentcore-runtime-image.sh`. eval-runner reads them
+    # via `loadRuntimeId(runtimeType)` to start a Bedrock-control-plane
+    # invocation against the right runtime — pre-U3 the flue path was
+    # dead because the env var was never wired here.
+    AGENTCORE_RUNTIME_SSM_STRANDS = "/thinkwork/${var.stage}/agentcore/runtime-id-strands"
+    AGENTCORE_RUNTIME_SSM_FLUE    = "/thinkwork/${var.stage}/agentcore/runtime-id-flue"
+    WORKSPACE_BUCKET              = var.bucket_name
+    HINDSIGHT_ENDPOINT            = var.hindsight_endpoint
+    AGENTCORE_MEMORY_ID           = var.agentcore_memory_id
+    MEMORY_ENGINE                 = var.memory_engine
     # Skip the SSM indirection for cross-function ARN lookup. Terraform
     # already knows this ARN at apply time and the Lambda role's SSM
     # permission has been a recurring source of silent failures where
@@ -47,30 +69,202 @@ locals {
     ECR_REPOSITORY_URL       = var.ecr_repository_url
     AWS_ACCOUNT_ID           = var.account_id
     NODE_OPTIONS             = "--enable-source-maps"
-    # LastMile Tasks REST API base URL — feature-flags the outbound sync
-    # path. When unset, syncExternalTaskOnCreate writes sync_status='local'
-    # and the workflow picker proxy returns 503. Set to the LMI develop /
-    # staging / prod base URL per stage to enable real cross-system sync.
-    LASTMILE_TASKS_API_URL = var.lastmile_tasks_api_url
+    # Per-user OAuth wiring (Google Workspace today; Microsoft 365 follow-up).
+    # Secret ARNs are the indirection; the actual client_id/client_secret
+    # values live in Secrets Manager and are fetched by
+    # packages/api/src/lib/oauth-client-credentials.ts at cold-start.
+    # OAUTH_CALLBACK_URL is the URL registered with Google/Azure OAuth apps.
+    # REDIRECT_SUCCESS_URL is the fallback post-OAuth redirect when the
+    # caller doesn't pass a per-request returnUrl (mobile passes thinkwork://).
+    GOOGLE_PRODUCTIVITY_OAUTH_SECRET_ARN = aws_secretsmanager_secret.oauth_google_productivity.arn
+    OAUTH_CALLBACK_URL                   = "https://${aws_apigatewayv2_api.main.id}.execute-api.${var.region}.amazonaws.com/api/oauth/callback"
+    REDIRECT_SUCCESS_URL                 = var.redirect_success_url
+    COMPANY_BRAIN_SOURCE_AGENT_MODEL_ID  = var.company_brain_source_agent_model_id
+    # Stripe billing — see stripe-secrets.tf. The ARN is the indirection;
+    # the actual keys live in Secrets Manager and are fetched by
+    # packages/api/src/lib/stripe-credentials.ts at cold-start. Price IDs
+    # are non-secret per-stage config carried as a plain JSON env var so
+    # staging/prod can use different products without a secret rotation.
+    STRIPE_CREDENTIALS_SECRET_ARN = aws_secretsmanager_secret.stripe_api_credentials.arn
+    STRIPE_PRICE_IDS_JSON         = var.stripe_price_ids_json
+    STRIPE_CHECKOUT_SUCCESS_URL   = "${var.admin_url}/onboarding/welcome?session_id={CHECKOUT_SESSION_ID}"
+    STRIPE_CHECKOUT_CANCEL_URL    = "${var.www_url}/cloud"
+    WWW_URL                       = var.www_url
+    # Override the welcome email's From: address. Defaults to
+    # hello@agents.thinkwork.ai (the already-verified SES inbound domain);
+    # set to hello@thinkwork.ai once the bare-apex identity is verified in SES.
+    STRIPE_WELCOME_FROM_EMAIL = var.stripe_welcome_from_email
+  }
+
+  # Computer runtime control handlers only need database access, service-auth,
+  # the API callback URL, and ECS/EFS runtime wiring. Using the full common_env
+  # pushes computer-manager over Lambda's 4KB environment-variable limit in dev.
+  computer_runtime_control_base_env = {
+    STAGE             = var.stage
+    DATABASE_URL      = "postgresql://${var.db_username}:${urlencode(var.db_password)}@${var.db_cluster_endpoint}:5432/${var.database_name}?sslmode=no-verify"
+    API_AUTH_SECRET   = var.api_auth_secret
+    THINKWORK_API_URL = "https://${aws_apigatewayv2_api.main.id}.execute-api.${var.region}.amazonaws.com"
+    NODE_OPTIONS      = "--enable-source-maps"
+  }
+
+  computer_runtime_control_env = {
+    COMPUTER_RUNTIME_CLUSTER_NAME       = var.computer_runtime_cluster_name
+    COMPUTER_RUNTIME_EFS_FILE_SYSTEM_ID = var.computer_runtime_efs_file_system_id
+    COMPUTER_RUNTIME_SUBNET_IDS         = join(",", var.computer_runtime_subnet_ids)
+    COMPUTER_RUNTIME_ASSIGN_PUBLIC_IP   = var.computer_runtime_assign_public_ip
+    COMPUTER_RUNTIME_TASK_SG_ID         = var.computer_runtime_task_sg_id
+    COMPUTER_RUNTIME_EXECUTION_ROLE_ARN = var.computer_runtime_execution_role_arn
+    COMPUTER_RUNTIME_TASK_ROLE_ARN      = var.computer_runtime_task_role_arn
+    COMPUTER_RUNTIME_LOG_GROUP_NAME     = var.computer_runtime_log_group_name
+    COMPUTER_RUNTIME_REPOSITORY_URL     = var.computer_runtime_repository_url
+    COMPUTER_RUNTIME_DEFAULT_CPU        = tostring(var.computer_runtime_default_cpu)
+    COMPUTER_RUNTIME_DEFAULT_MEMORY     = tostring(var.computer_runtime_default_memory)
   }
 
   # Per-handler env-var overrides. ARNs are constructed from the naming
   # pattern (same trick as lambda_api_cross_invoke in main.tf) so we don't
   # introduce a self-referential dependency inside the handler for_each.
+  slack_handler_env = {
+    SLACK_APP_CREDENTIALS_SECRET_ARN = aws_secretsmanager_secret.slack_app_credentials.arn
+  }
+
   handler_extra_env = {
+    "extension-proxy" = {
+      EXTENSION_PROXY_BACKENDS_JSON  = var.extension_proxy_backends_json
+      EXTENSION_PROXY_SIGNING_SECRET = var.extension_proxy_signing_secret
+    }
     "job-schedule-manager" = {
       JOB_TRIGGER_ARN      = "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-job-trigger"
       JOB_TRIGGER_ROLE_ARN = var.job_scheduler_role_arn
     }
-    # Compounding Memory compile Lambda. Claude Haiku 4.5 via Bedrock; the
-    # planner + section-writer cap themselves at ~500 records / 25 new pages
-    # per invocation, so a 480 s timeout covers the worst case comfortably.
+    # Compounding Memory compile Lambda. Any Converse-compatible Bedrock
+    # model works; the planner + section-writer cap themselves at ~500
+    # records / 25 new pages per invocation so a 480 s timeout covers
+    # the worst case comfortably. Env vars come from variables so
+    # unrelated deploys don't wipe them back to defaults (the aggregation
+    # flag got reset on every terraform apply before this was pinned).
     "wiki-compile" = {
-      BEDROCK_MODEL_ID = "us.anthropic.claude-haiku-4-5-20251001-v1:0"
+      BEDROCK_MODEL_ID                   = var.wiki_compile_model_id
+      WIKI_AGGREGATION_PASS_ENABLED      = var.wiki_aggregation_pass_enabled
+      WIKI_DETERMINISTIC_LINKING_ENABLED = var.wiki_deterministic_linking_enabled
+      # Name (not value) of the SecureString SSM parameter that holds the
+      # Google Places API key. wiki-compile fetches + caches on cold start.
+      # The parameter may contain a placeholder value at apply time — the
+      # Lambda logs and degrades gracefully if decryption returns empty.
+      GOOGLE_PLACES_SSM_PARAM_NAME = "/thinkwork/${var.stage}/google-places/api-key"
     }
     "wiki-export" = {
       WIKI_EXPORT_BUCKET = aws_s3_bucket.wiki_exports.bucket
     }
+    # workspace-files invokes the workspace-files-efs sidecar (Request
+    # Response) for Computer-target list/get to bypass the computer_tasks
+    # queue. ARN constructed from the naming pattern to avoid a self-
+    # referential dependency on the standalone Lambda resource defined at
+    # the bottom of this file.
+    "workspace-files" = {
+      WORKSPACE_FILES_EFS_FN_ARN = "arn:aws:lambda:${var.region}:${var.account_id}:function:thinkwork-${var.stage}-api-workspace-files-efs"
+    }
+    "oauth-authorize"     = local.slack_handler_env
+    "oauth-callback"      = local.slack_handler_env
+    "slack-events"        = local.slack_handler_env
+    "slack-slash-command" = local.slack_handler_env
+    "slack-interactivity" = local.slack_handler_env
+    "slack-oauth-install" = local.slack_handler_env
+    "slack-dispatch"      = local.slack_handler_env
+    # computer-terminal-start needs the cluster name to scope its
+    # ECS ListTasks / DescribeTasks / ExecuteCommand calls.
+    "computer-terminal-start" = {
+      COMPUTER_RUNTIME_CLUSTER_NAME = var.computer_runtime_cluster_name
+    }
+    # computer-manager and computer-runtime-reconciler consume ECS/EFS task
+    # config from packages/api/src/lib/computers/runtime-control.ts.
+    # Scoping the COMPUTER_RUNTIME_* variables here (instead of in
+    # local.common_env_vars) keeps the per-Lambda env-var payload under
+    # the AWS 4KB hard limit — they were previously dumped into every
+    # handler and pushed ~70 Lambdas over quota.
+    "computer-manager"            = local.computer_runtime_control_env
+    "computer-runtime-reconciler" = local.computer_runtime_control_env
+    "mcp-context-engine" = {
+      CONTEXT_ENGINE_MEMORY_QUERY_MODE = "reflect"
+      CONTEXT_ENGINE_MEMORY_TIMEOUT_MS = "20000"
+    }
+    # routine-task-python (Phase B U6) needs the AgentCore code-interpreter
+    # id + the per-stage S3 routine-output bucket. The interpreter id is
+    # provisioned by the agentcore-code-interpreter module and exposed via
+    # the agentcore_code_interpreter_id input variable; the bucket name
+    # follows the per-stage naming convention from the routines-stepfunctions
+    # module (Phase A U1).
+    "routine-task-python" = {
+      SANDBOX_INTERPRETER_ID       = var.agentcore_code_interpreter_id
+      ROUTINE_OUTPUT_BUCKET        = "thinkwork-${var.stage}-routine-output"
+      ROUTINE_PYTHON_ENV_ALLOWLIST = "TENANT_ID,ROUTINE_ID,EXECUTION_ID"
+    }
+    # graphql-http hosts the createRoutine / publishRoutineVersion / etc.
+    # resolvers (Phase B U7) AND the routine-approval-bridge (Phase B
+    # U8) which invokes routine-resume via the AWS SDK.
+    "graphql-http" = {
+      ROUTINES_EXECUTION_ROLE_ARN = var.routines_execution_role_arn
+      ROUTINES_LOG_GROUP_ARN      = var.routines_log_group_arn
+      AWS_ACCOUNT_ID              = var.account_id
+      # routine-approval-bridge (Phase B U8) calls this function name
+      # via the AWS SDK Lambda Invoke after a HITL decideInboxItem.
+      # The bridge throws if unset — terraform wiring is mandatory.
+      ROUTINE_RESUME_FUNCTION_NAME = "thinkwork-${var.stage}-api-routine-resume"
+      # triggerRoutineRun seeds this into the SFN execution input so the
+      # inbox_approval recipe Task can find the callback Lambda via
+      # $$.Execution.Input.inboxApprovalFunctionName.
+      ROUTINE_APPROVAL_CALLBACK_FUNCTION_NAME = "thinkwork-${var.stage}-api-routine-approval-callback"
+      EMAIL_SEND_FUNCTION_NAME                = "thinkwork-${var.stage}-api-email-send"
+      ROUTINE_TASK_PYTHON_FUNCTION_NAME       = "thinkwork-${var.stage}-api-routine-task-python"
+      ADMIN_OPS_MCP_FUNCTION_NAME             = "thinkwork-${var.stage}-api-admin-ops-mcp"
+      SLACK_SEND_FUNCTION_NAME                = "thinkwork-${var.stage}-api-slack-send"
+      # Phase 3 U10 — compliance read resolvers (complianceEvents,
+      # complianceEvent, complianceEventByHash) connect to Aurora as
+      # the compliance_reader role. The existing lambda_secrets policy
+      # in main.tf grants secretsmanager:GetSecretValue on the
+      # thinkwork/* wildcard, so no new IAM resource is needed.
+      COMPLIANCE_READER_SECRET_ARN = var.compliance_reader_secret_arn
+      # Phase 3 U11.U2 — createComplianceExport mutation dispatches a
+      # jobId to a known-name SQS queue. We do NOT pass the queue URL
+      # as an env var here: graphql-http's env block is already at the
+      # AWS 4 KB ceiling, and adding another URL pushed the deploy over
+      # the limit. The mutation derives the URL from STAGE + AWS_REGION
+      # + AWS_ACCOUNT_ID, which the Lambda already has. The runner
+      # Lambda (separate function below) keeps an explicit
+      # COMPLIANCE_EXPORTS_QUEUE_URL because its env is small.
+    }
+    # U2 eval fan-out substrate. eval-runner does not dispatch to this
+    # queue until U3; eval-worker is a throwing inert stub that redrives
+    # accidental traffic to the DLQ.
+    "eval-runner" = {
+      EVAL_FANOUT_QUEUE_URL                = local.eval_fanout_queue_url
+      EVAL_DIRECT_AGENTCORE_MESSAGE_SHARDS = "20"
+    }
+    "eval-worker" = {
+      EVAL_FANOUT_QUEUE_URL     = local.eval_fanout_queue_url
+      EVAL_AGENTCORE_EVALUATORS = "disabled"
+    }
+    # job-trigger fires scheduled routine runs via SFN.StartExecution
+    # (Phase B U7) — the alias ARN comes from the row, but the Lambda
+    # also reads AWS_ACCOUNT_ID for diagnostic logging. It also passes
+    # the routine-approval-callback function name in the SFN execution
+    # input so the inbox_approval recipe can fanout to it on .waitForTaskToken.
+    "job-trigger" = {
+      AWS_ACCOUNT_ID                          = var.account_id
+      ROUTINE_APPROVAL_CALLBACK_FUNCTION_NAME = "thinkwork-${var.stage}-api-routine-approval-callback"
+      EMAIL_SEND_FUNCTION_NAME                = "thinkwork-${var.stage}-api-email-send"
+      ROUTINE_TASK_PYTHON_FUNCTION_NAME       = "thinkwork-${var.stage}-api-routine-task-python"
+      ADMIN_OPS_MCP_FUNCTION_NAME             = "thinkwork-${var.stage}-api-admin-ops-mcp"
+      SLACK_SEND_FUNCTION_NAME                = "thinkwork-${var.stage}-api-slack-send"
+    }
+    # Phase 3 U4 Compliance outbox drainer.
+    # Connects to Aurora as the compliance_drainer role (provisioned in
+    # U2). The DATABASE_SECRET_ARN-style indirection is via
+    # COMPLIANCE_DRAINER_SECRET_ARN so the drainer's connection cache is
+    # isolated from the master `getDb()` cache used by other handlers.
+    "compliance-outbox-drainer" = {
+      COMPLIANCE_DRAINER_SECRET_ARN = var.compliance_drainer_secret_arn
+    }
   }
 }
 
@@ -83,18 +277,28 @@ resource "aws_lambda_function" "handler" {
     "graphql-http",
     "chat-agent-invoke",
     "wakeup-processor",
+    "workspace-event-dispatcher",
     "agents",
     "agent-actions",
     "messages",
     "connections",
     "oauth-authorize",
     "oauth-callback",
+    "stripe-checkout",
+    "stripe-webhook",
+    "stripe-portal",
+    "stripe-subscription",
+    "auth-me",
+    "extension-proxy",
     "teams",
     "team-members",
     "tenants",
     "users",
     "invites",
     "skills",
+    "mcp-oauth",
+    "mcp-user-memory",
+    "mcp-context-engine",
     "activity",
     "routines",
     "budgets",
@@ -102,14 +306,24 @@ resource "aws_lambda_function" "handler" {
     "scheduled-jobs",
     "job-schedule-manager",
     "job-trigger",
+    "routine-task-weather-email",
     "webhooks",
     "webhooks-admin",
     "webhook-deliveries-cleanup",
+    "skill-runs-reconciler",
+    "cron-stall-monitor",
+    "webhook-crm-opportunity",
+    "webhook-task-event",
     "workspace-files",
     "knowledge-base-manager",
     "knowledge-base-files",
     "email-send",
     "email-inbound",
+    "slack-events",
+    "slack-slash-command",
+    "slack-interactivity",
+    "slack-oauth-install",
+    "slack-dispatch",
     "github-app",
     "github-repos",
     "memory",
@@ -122,8 +336,148 @@ resource "aws_lambda_function" "handler" {
     "recipe-refresh",
     "agent-skills-list",
     "bootstrap-workspaces",
+    "migrate-agents-to-computers",
+    "computer-runtime",
+    "computer-manager",
+    "computer-runtime-reconciler",
+    # Admin Terminal tab — POST /api/computers/{computerId}/terminal/start.
+    # Returns the SSM Session Manager session envelope (sessionId,
+    # streamUrl, tokenValue) so the browser can open a direct WebSocket
+    # to ssmmessages. Plan:
+    # docs/plans/2026-05-13-004-feat-computer-terminal-ecs-exec-plan.md.
+    "computer-terminal-start",
     "code-factory",
     "eval-runner",
+    "eval-worker",
+    "eval-runs-reconciler",
+    # AgentCore Code Sandbox narrow REST endpoints (plan Unit 10 + Unit 11).
+    # Both are service-endpoint shape: the Strands container POSTs with
+    # Bearer API_AUTH_SECRET. No GraphQL resolver involvement, no extra IAM.
+    "sandbox-quota-check",
+    "sandbox-invocation-log",
+    # Routines Step Functions ASL validator (plan
+    # docs/plans/2026-05-01-004-feat-routines-phase-a-substrate-plan.md §U5).
+    # Bearer API_AUTH_SECRET; chat builder + publish flow call this before
+    # accepting LLM-emitted ASL. Needs states:ValidateStateMachineDefinition
+    # IAM grant — see main.tf.
+    "routine-asl-validator",
+    # Routines Step Functions Task wrappers (plan
+    # docs/plans/2026-05-01-005-feat-routines-phase-b-runtime-plan.md §U6).
+    # routine-task-python: SFN-invoked Lambda that runs `python` recipe
+    # states in the AgentCore code interpreter, offloading stdout/stderr
+    # to the per-stage routine-output bucket. Needs bedrock-agentcore
+    # (Start/Invoke/Stop CodeInterpreterSession) + S3 PutObject IAM —
+    # see main.tf.
+    "routine-task-python",
+    # routine-resume: SDK-invoked by routine-approval-bridge (Phase B
+    # U8) after a HITL decision. Calls SendTaskSuccess/SendTaskFailure;
+    # idempotent on already-consumed tokens. Needs states:SendTaskSuccess
+    # + states:SendTaskFailure IAM (already granted in U1's substrate).
+    "routine-resume",
+    # routine-approval-callback: SFN's inbox_approval Task invokes this
+    # via .waitForTaskToken (plan 2026-05-01-005 §U8). Creates the
+    # inbox_items row + persists the task token in routine_approval_tokens.
+    # No additional IAM beyond the lambda execution role's DB access —
+    # the trust boundary is the routines-stepfunctions execution role's
+    # lambda:InvokeFunction grant scoped to this Lambda's ARN.
+    "routine-approval-callback",
+    # routine-step-callback + routine-execution-callback (Phase B U9).
+    # Bearer API_AUTH_SECRET ingest endpoints — Task wrappers and the
+    # EventBridge SFN-state-change rule POST here. routine-step-callback
+    # writes routine_step_events; routine-execution-callback updates
+    # routine_executions lifecycle status. Idempotent on the dedup index
+    # for steps + on the conditional UPDATE for executions.
+    "routine-step-callback",
+    "routine-execution-callback",
+    # Skill-run dispatcher runtime-config fetch (plan
+    # docs/plans/2026-04-24-008-feat-skill-run-dispatcher-plan.md §U1). The
+    # Strands container's `kind=run_skill` handler calls this with Bearer
+    # API_AUTH_SECRET to pull the agent's template + skills + MCP + KBs
+    # before building the headless agent turn.
+    "agents-runtime-config",
+    # Admin-Ops MCP — JSON-RPC endpoint at POST /mcp/admin, exposes the
+    # @thinkwork/admin-ops package as MCP tools for Strands agents.
+    "admin-ops-mcp",
+    # MCP admin key management — per-tenant Bearer tokens for admin-ops.
+    # Admin-ops-mcp authenticates incoming tokens by sha256-hash lookup
+    # against tenant_mcp_admin_keys, populated by this handler's routes.
+    "mcp-admin-keys",
+    # One-shot tenant provisioning: mints a tkm_ key + stores in Secrets
+    # Manager at thinkwork/<stage>/mcp/<tenantId>/admin-ops + upserts
+    # tenant_mcp_servers. SM IAM is already granted on thinkwork/* by
+    # aws_iam_role_policy.lambda_secrets in main.tf (Create/Update/Get).
+    "mcp-admin-provision",
+    # Plugin-installed MCP server admin approval (plan §U11, SI-5). Cognito
+    # JWT admin caller → approve/reject. Approve computes url_hash =
+    # sha256(canonical(url, auth_config)) and pins it; any subsequent
+    # mutation to those fields reverts the row to 'pending'.
+    "mcp-approval",
+    # Daily sweeper: auto-rejects MCP servers pending > 30 days. Triggered
+    # by EventBridge schedule (mcp-approval-sweeper-daily).
+    "mcp-approval-sweeper",
+    # Plugin upload REST handler (plan §U10). Four routes:
+    # POST /api/plugins/presign + /upload, GET /api/plugins (+ /:uploadId).
+    # Cognito JWT; admin-role gated. Needs WORKSPACE_BUCKET env for S3.
+    "plugin-upload",
+    # Finance pilot U2 — thread-attachment upload (presign + finalize).
+    # presign issues a 5-min PUT URL the end-user client uses to push
+    # Excel/CSV bytes directly to S3; finalize sniffs magic bytes, scans
+    # OOXML containers (rejects macros + external links), inserts
+    # thread_attachments, and emits attachment.received audit event.
+    # Cognito JWT (end-user-facing — NOT admin-gated); tenant pinned via
+    # threads.tenant_id lookup. Needs WORKSPACE_BUCKET env for S3.
+    "thread-attachments-presign",
+    "thread-attachments-finalize",
+    # U9-remainder of finance pilot — tenant-pinned download endpoint.
+    # GET /api/threads/{tid}/attachments/{aid}/download returns a 302
+    # to a 5-minute presigned S3 GET URL with ResponseContentDisposition:
+    # attachment so browsers download rather than render inline. Same
+    # tenant-pin discipline as presign/finalize.
+    "thread-attachment-download",
+    # Folder bundle import (fat-folder plan Phase D). Admin uploads a zip
+    # or GitHub ref and the handler normalizes vendor folder layouts into
+    # the agent workspace.
+    "folder-bundle-import",
+    # Hourly sweeper: reaps orphan S3 staging from failed / interrupted
+    # plugin install sagas + marks matching plugin_uploads rows 'failed'.
+    "plugin-staging-sweeper",
+    # Resolved Capability Manifest write endpoint (plan §U15). Strands
+    # container POSTs one row per agent-session-start. Shared
+    # API_AUTH_SECRET bearer (runtime→API; no tenant OAuth).
+    "manifest-log",
+    # SI-7 catalog-list read endpoint (plan §U15 pt 3/3). Strands
+    # container fetches the allowed builtin-tool slug set once per
+    # session-start + feature-flag-gated enforcement filter drops
+    # catalog-missing tools before Agent(tools=...). Shared
+    # API_AUTH_SECRET bearer.
+    "capability-catalog-list",
+    # Brain v0 narrow write endpoint. Strands calls this with
+    # Bearer API_AUTH_SECRET; GraphQL remains user/admin-facing only.
+    "brain-agent-write",
+    # Phase 3 U4 of the Compliance audit-event log
+    # (docs/plans/2026-05-07-004-feat-compliance-u4-outbox-drainer-plan.md).
+    # Single-writer drainer with reserved_concurrent_executions=1 (set
+    # below). Connects to Aurora as `compliance_drainer` role via the
+    # COMPLIANCE_DRAINER_SECRET_ARN env var (compliance secret created in
+    # U2). EventBridge rate(1 minute) schedule + DLQ + MaxRetryAttempts=0
+    # (defined in dedicated resources below).
+    "compliance-outbox-drainer",
+    # Phase 3 U6 of the Compliance audit-event log
+    # (docs/plans/2026-05-07-007-feat-compliance-u6-strands-emit-path-plan.md).
+    # Cross-runtime emit endpoint POST /api/compliance/events — Bearer
+    # API_AUTH_SECRET, Strands Python client posts here with a
+    # client-supplied UUIDv7 event_id for idempotency. Connects to
+    # Aurora via the master DATABASE_SECRET_ARN like every other narrow
+    # handler (compliance_writer role is reserved for future hardening).
+    "compliance-events",
+    # Phase 3 U8b watchdog moved out of for_each into a standalone
+    # aws_lambda_function resource (see below). It now uses a sibling
+    # IAM role (kms:DescribeKey only on the CMK; s3:ListBucket scoped
+    # to anchors/) instead of the shared aws_iam_role.lambda — the
+    # widened S3+KMS grant on the shared role would have leaked into
+    # 60+ unrelated handlers. Pre-merge step: `terraform state mv`
+    # the existing handler["compliance-anchor-watchdog"] address to the
+    # new standalone resource (see U8b plan operator-step section).
   ]) : toset([])
 
   function_name = "thinkwork-${var.stage}-api-${each.key}"
@@ -136,15 +490,25 @@ resource "aws_lambda_function" "handler" {
   # wiki-bootstrap-import runs a full Hindsight ingest for ~3,000 records;
   # the LLM-backed retain path makes it the longest-running Lambda in the
   # set. 900 s is Lambda's per-invocation max and matches eval-runner's ceiling.
-  timeout     = each.key == "wakeup-processor" ? 300 : each.key == "chat-agent-invoke" ? 300 : each.key == "eval-runner" ? 900 : each.key == "wiki-compile" ? 480 : each.key == "wiki-lint" ? 300 : each.key == "wiki-export" ? 600 : each.key == "wiki-bootstrap-import" ? 900 : 30
-  memory_size = each.key == "graphql-http" ? 512 : each.key == "wakeup-processor" ? 512 : each.key == "eval-runner" ? 512 : each.key == "wiki-compile" ? 1024 : each.key == "wiki-export" ? 1024 : each.key == "wiki-bootstrap-import" ? 1024 : 256
+  # routine-task-python wraps a 300s sandbox session and needs headroom
+  # for the Start/Invoke/Stop/S3-offload round trip; 360s leaves ~60s
+  # for AWS-call setup and offload after the sandbox's own ceiling.
+  timeout     = each.key == "wakeup-processor" ? 300 : each.key == "chat-agent-invoke" ? 300 : each.key == "workspace-event-dispatcher" ? 60 : each.key == "eval-runner" ? 900 : each.key == "eval-worker" ? 240 : each.key == "wiki-compile" ? 480 : each.key == "wiki-lint" ? 300 : each.key == "wiki-export" ? 600 : each.key == "wiki-bootstrap-import" ? 900 : each.key == "folder-bundle-import" ? 300 : each.key == "routine-task-python" ? 360 : 30
+  memory_size = each.key == "graphql-http" ? 512 : each.key == "wakeup-processor" ? 512 : each.key == "workspace-event-dispatcher" ? 512 : each.key == "eval-runner" ? 512 : each.key == "eval-worker" ? 512 : each.key == "wiki-compile" ? 1024 : each.key == "wiki-export" ? 1024 : each.key == "wiki-bootstrap-import" ? 1024 : each.key == "folder-bundle-import" ? 1024 : 256
 
   filename         = "${var.lambda_zips_dir}/${each.key}.zip"
   source_code_hash = filebase64sha256("${var.lambda_zips_dir}/${each.key}.zip")
 
+  # Per-handler reserved concurrency. compliance-outbox-drainer is a
+  # single-writer (per-tenant hash chain integrity depends on it — two
+  # concurrent drainers would race the chain head SELECT and produce
+  # orphan prev_hash links). All other handlers run with the default
+  # account-level concurrency pool.
+  reserved_concurrent_executions = each.key == "compliance-outbox-drainer" ? 1 : each.key == "eval-worker" ? 20 : -1
+
   environment {
     variables = merge(
-      local.common_env,
+      contains(["computer-manager", "computer-runtime-reconciler"], each.key) ? local.computer_runtime_control_base_env : local.common_env,
       { FUNCTION_NAME = each.key },
       lookup(local.handler_extra_env, each.key, {}),
     )
@@ -156,6 +520,161 @@ resource "aws_lambda_function" "handler" {
   }
 }
 
+# ---------------------------------------------------------------------------
+# wiki-compile async retry config + DLQ
+# ---------------------------------------------------------------------------
+#
+# AWS Lambda's default async invoke retries the function 2 times with a
+# 1-minute delay before sending failures to a DLQ (or dropping). For
+# wiki-compile, retries duplicate Bedrock cost AND can produce duplicate
+# user-visible threads + workspace_runs (the brain-enrichment draft path
+# in particular — see plan 2026-05-01-002 U5/U6 and
+# docs/solutions/architecture-patterns/async-retry-idempotency-lessons).
+#
+# Pin retries to 0 and route failures to a dedicated DLQ. The runner's
+# job-status short-circuit (running/succeeded/failed/skipped) is the
+# in-process protection against duplicate writebacks; this is the
+# infrastructure-level belt-and-suspenders.
+
+resource "aws_sqs_queue" "wiki_compile_dlq" {
+  count                     = local.use_local_zips ? 1 : 0
+  name                      = "thinkwork-${var.stage}-wiki-compile-dlq"
+  message_retention_seconds = 1209600 # 14 days
+
+  tags = {
+    Name = "thinkwork-${var.stage}-wiki-compile-dlq"
+  }
+}
+
+resource "aws_iam_role_policy" "wiki_compile_dlq_send" {
+  count = local.use_local_zips ? 1 : 0
+  name  = "thinkwork-${var.stage}-wiki-compile-dlq-send"
+  role  = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["sqs:SendMessage"]
+      Resource = aws_sqs_queue.wiki_compile_dlq[0].arn
+    }]
+  })
+}
+
+resource "aws_lambda_function_event_invoke_config" "wiki_compile" {
+  count                        = local.use_local_zips ? 1 : 0
+  function_name                = aws_lambda_function.handler["wiki-compile"].function_name
+  maximum_retry_attempts       = 0
+  maximum_event_age_in_seconds = 3600
+
+  destination_config {
+    on_failure {
+      destination = aws_sqs_queue.wiki_compile_dlq[0].arn
+    }
+  }
+}
+
+# Phase B U8: SFN's inbox_approval Task invokes routine-approval-callback
+# directly via .waitForTaskToken. Lambda's default async-retry policy
+# (2 attempts) is incompatible with the callback's two-insert flow —
+# even though the inserts are now wrapped in db.transaction(), AWS
+# Lambda's own retry-after-error semantics multiply with SFN's task
+# Retry policy and create thundering-herd attempts on transient
+# failures. SFN is the canonical retry path; Lambda async retries are
+# off. Per project_async_retry_idempotency_lessons.
+resource "aws_lambda_function_event_invoke_config" "routine_approval_callback" {
+  count                        = local.use_local_zips ? 1 : 0
+  function_name                = aws_lambda_function.handler["routine-approval-callback"].function_name
+  maximum_retry_attempts       = 0
+  maximum_event_age_in_seconds = 3600
+}
+
+# Per-turn auto-retain: the runtime (Strands + Flue) Event-invokes
+# memory-retain after every chat turn. AWS Lambda's default async-retry
+# policy is 2 attempts; without overriding it, a transient failure on the
+# canonical-transcript fetch or adapter write retries the entire writeback
+# and can multi-write the same per-turn document into Hindsight. The
+# longest-suffix-prefix merge in memory-retain.ts dedupes content but the
+# retain-cost path (Bedrock tokens charged in adapter.retainConversation)
+# is NOT idempotent — retries multiply LLM cost. Per
+# project_async_retry_idempotency_lessons.
+resource "aws_lambda_function_event_invoke_config" "memory_retain" {
+  count                        = local.use_local_zips ? 1 : 0
+  function_name                = aws_lambda_function.handler["memory-retain"].function_name
+  maximum_retry_attempts       = 0
+  maximum_event_age_in_seconds = 3600
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U4: compliance-outbox-drainer DLQ + async retry config
+#
+# AWS Lambda's default async-retry policy is 2 attempts. The drainer's
+# INSERT ... ON CONFLICT (outbox_id) DO NOTHING makes per-row replay
+# safe, but reserved-concurrency=1 + retry-0 is the architectural
+# guarantee that we never have two drainers racing the chain head.
+# Per project_async_retry_idempotency_lessons.
+# ---------------------------------------------------------------------------
+
+resource "aws_sqs_queue" "compliance_drainer_dlq" {
+  count                     = local.use_local_zips ? 1 : 0
+  name                      = "thinkwork-${var.stage}-compliance-drainer-dlq"
+  message_retention_seconds = 1209600 # 14 days
+
+  tags = {
+    Name = "thinkwork-${var.stage}-compliance-drainer-dlq"
+  }
+}
+
+resource "aws_iam_role_policy" "compliance_drainer_dlq_send" {
+  count = local.use_local_zips ? 1 : 0
+  name  = "compliance-drainer-dlq-send"
+  role  = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["sqs:SendMessage"]
+      Resource = aws_sqs_queue.compliance_drainer_dlq[0].arn
+    }]
+  })
+}
+
+resource "aws_lambda_function_event_invoke_config" "compliance_outbox_drainer" {
+  count                        = local.use_local_zips ? 1 : 0
+  function_name                = aws_lambda_function.handler["compliance-outbox-drainer"].function_name
+  maximum_retry_attempts       = 0
+  maximum_event_age_in_seconds = 3600
+
+  destination_config {
+    on_failure {
+      destination = aws_sqs_queue.compliance_drainer_dlq[0].arn
+    }
+  }
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U4: compliance-outbox-drainer EventBridge schedule (every 1 min)
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "compliance_outbox_drainer" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-compliance-outbox-drainer"
+  group_name          = "default"
+  schedule_expression = "rate(1 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["compliance-outbox-drainer"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
 # ---------------------------------------------------------------------------
 # API Gateway routes → Lambda integrations
 # ---------------------------------------------------------------------------
@@ -198,10 +717,35 @@ locals {
     "ANY /api/invites/{proxy+}" = "invites"
     "ANY /api/invites"          = "invites"
 
+    # Compliance audit-event emit (Phase 3 U6) — narrow Bearer
+    # API_AUTH_SECRET endpoint, Strands Python client posts here.
+    "POST /api/compliance/events" = "compliance-events"
+
     # Skills
     "ANY /api/skills/{proxy+}" = "skills"
     "ANY /api/skills"          = "skills"
 
+    # User Memory MCP OAuth/resource-server unblocker. These endpoints are
+    # enough for `codex mcp login thinkwork-user-memory-dev` to discover OAuth,
+    # register as a public PKCE client, sign the user in through Cognito, and
+    # receive a bearer token for the User Memory MCP resource.
+    "GET /.well-known/oauth-protected-resource"          = "mcp-oauth"
+    "GET /.well-known/oauth-protected-resource/{proxy+}" = "mcp-oauth"
+    "GET /.well-known/oauth-authorization-server"        = "mcp-oauth"
+    "GET /.well-known/openid-configuration"              = "mcp-oauth"
+    "GET /mcp/oauth/jwks"                                = "mcp-oauth"
+    "POST /mcp/oauth/register"                           = "mcp-oauth"
+    "GET /mcp/oauth/authorize"                           = "mcp-oauth"
+    "GET /mcp/oauth/callback"                            = "mcp-oauth"
+    "POST /mcp/oauth/token"                              = "mcp-oauth"
+    "POST /mcp/oauth/revoke"                             = "mcp-oauth"
+    "ANY /mcp/user-memory"                               = "mcp-user-memory"
+    "ANY /mcp/context-engine"                            = "mcp-context-engine"
+
+    # Brain v0 service-auth writeback.
+    "POST /api/brain/agent-write"    = "brain-agent-write"
+    "OPTIONS /api/brain/agent-write" = "brain-agent-write"
+
     # Activity
     "ANY /api/activity/{proxy+}" = "activity"
     "ANY /api/activity"          = "activity"
@@ -212,6 +756,20 @@ locals {
     "GET /api/oauth/authorize"      = "oauth-authorize"
     "GET /api/oauth/callback"       = "oauth-callback"
 
+    # Stripe billing (unauthenticated — checkout is pre-signup; webhook is
+    # server-to-server with Stripe signature verification).
+    "POST /api/stripe/checkout-session"          = "stripe-checkout"
+    "OPTIONS /api/stripe/checkout-session"       = "stripe-checkout"
+    "POST /api/stripe/webhook"                   = "stripe-webhook"
+    "POST /api/stripe/portal-session"            = "stripe-portal"
+    "OPTIONS /api/stripe/portal-session"         = "stripe-portal"
+    "GET /api/stripe/subscription"               = "stripe-subscription"
+    "OPTIONS /api/stripe/subscription"           = "stripe-subscription"
+    "GET /api/auth/me"                           = "auth-me"
+    "OPTIONS /api/auth/me"                       = "auth-me"
+    "ANY /api/extensions/{extensionId}"          = "extension-proxy"
+    "ANY /api/extensions/{extensionId}/{proxy+}" = "extension-proxy"
+
     # Routines
     "ANY /api/routines/{proxy+}" = "routines"
     "ANY /api/routines"          = "routines"
@@ -234,7 +792,15 @@ locals {
     "ANY /api/job-schedules/{proxy+}" = "job-schedule-manager"
     "ANY /api/job-schedules"          = "job-schedule-manager"
 
-    # Webhooks (public trigger)
+    # Integration webhooks (Unit 8 — composable-skills). Each integration
+    # has its own Lambda + a specific route under /webhooks/{integration}/
+    # {tenantId}. Specific routes take precedence over the {proxy+}
+    # catch-all below, which still owns the legacy PRD-19 webhook-token
+    # surface.
+    "POST /webhooks/crm-opportunity/{tenantId}" = "webhook-crm-opportunity"
+    "POST /webhooks/task-event/{tenantId}"      = "webhook-task-event"
+
+    # Webhooks (public trigger) — legacy PRD-19 tokenized webhooks.
     "POST /webhooks/{proxy+}" = "webhooks"
 
     # Webhooks admin
@@ -244,12 +810,25 @@ locals {
     # Workspace files
     "ANY /api/workspaces/{proxy+}" = "workspace-files"
 
+    # Phase-one Computer migration. Service-auth only; operator tooling calls
+    # dry-run first and apply only after conflict review.
+    "POST /api/migrations/agents-to-computers"    = "migrate-agents-to-computers"
+    "OPTIONS /api/migrations/agents-to-computers" = "migrate-agents-to-computers"
+
     # Knowledge bases
     "ANY /api/knowledge-bases/{proxy+}" = "knowledge-base-files"
 
     # Email
     "POST /api/email/send" = "email-send"
 
+    # Slack workspace app ingress. These unauthenticated public endpoints
+    # verify Slack signatures in handler code before any tenant work happens.
+    "POST /slack/events"        = "slack-events"
+    "POST /slack/slash-command" = "slack-slash-command"
+    "POST /slack/interactivity" = "slack-interactivity"
+    "GET /slack/oauth/install"  = "slack-oauth-install"
+    "POST /slack/oauth/install" = "slack-oauth-install"
+
     # Memory
     "ANY /api/memory/{proxy+}" = "memory"
 
@@ -262,6 +841,121 @@ locals {
     # GitHub App
     "ANY /api/github-app/{proxy+}" = "github-app"
     "POST /api/github/webhook"     = "github-app"
+
+    # AgentCore Code Sandbox (plan Unit 10 + Unit 11). Strands container
+    # calls both with Bearer API_AUTH_SECRET before + after every
+    # executeCode. 429 on quota denial, 201 on audit-row insert.
+    "POST /api/sandbox/quota/check-and-increment" = "sandbox-quota-check"
+    "POST /api/sandbox/invocations"               = "sandbox-invocation-log"
+
+    # Routines ASL validator (plan 2026-05-01-004 §U5). Bearer
+    # API_AUTH_SECRET. Chat builder + publish flow POST the candidate
+    # ASL document; returns { valid, errors, warnings }.
+    "POST /api/routines/validate"    = "routine-asl-validator"
+    "OPTIONS /api/routines/validate" = "routine-asl-validator"
+
+    # Routines step-event ingest (plan 2026-05-01-005 §U9). Task wrappers
+    # (routine-task-python, routine-resume) POST per-step status
+    # transitions; the EventBridge rule in routines-stepfunctions/main.tf
+    # POSTs SFN execution-state-change events here for the agent_invoke
+    # recipe path (no wrapper Lambda). Bearer API_AUTH_SECRET. Idempotent
+    # via partial unique index on (execution_id, node_id, status,
+    # started_at) — see migration 0056.
+    "POST /api/routines/step"         = "routine-step-callback"
+    "OPTIONS /api/routines/step"      = "routine-step-callback"
+    "POST /api/routines/execution"    = "routine-execution-callback"
+    "OPTIONS /api/routines/execution" = "routine-execution-callback"
+
+    # Skill-run dispatcher runtime-config fetch. Service-auth GET.
+    "GET /api/agents/runtime-config" = "agents-runtime-config"
+
+    # ThinkWork Computer runtime callback API. ECS tasks call outbound with
+    # Bearer API_AUTH_SECRET to fetch config, heartbeat, claim one task, append
+    # product/audit events, and complete/fail tasks.
+    "ANY /api/computers/runtime/{proxy+}" = "computer-runtime"
+
+    # Admin Terminal tab — opens an ECS Exec session into the running
+    # Computer task and returns {sessionId, streamUrl, tokenValue} to the
+    # browser, which then connects WebSocket directly to ssmmessages.
+    "POST /api/computers/{computerId}/terminal/start"    = "computer-terminal-start"
+    "OPTIONS /api/computers/{computerId}/terminal/start" = "computer-terminal-start"
+
+    # ThinkWork Computer manager API. Internal service-auth endpoint used by
+    # admin operations to reconcile per-Computer ECS service desired state.
+    "POST /api/computers/manager"    = "computer-manager"
+    "OPTIONS /api/computers/manager" = "computer-manager"
+
+    # Admin-Ops MCP server — single JSON-RPC endpoint. Strands agents
+    # (and anyone else) POST with Bearer <tenant-scoped token> issued by
+    # the mcp-admin-keys handler below. The shared API_AUTH_SECRET is
+    # retained as a break-glass superuser path for bootstrap/debug.
+    "POST /mcp/admin" = "admin-ops-mcp"
+
+    # MCP admin key management — per-tenant Bearer token CRUD. Tokens
+    # are shown ONCE at creation (POST returns raw value); server stores
+    # sha256 hash only. These specific routes take precedence over the
+    # existing `ANY /api/tenants/{proxy+}` route (tenants handler) per
+    # API Gateway v2's most-specific-match rule.
+    "POST /api/tenants/{tenantId}/mcp-admin-keys"           = "mcp-admin-keys"
+    "GET /api/tenants/{tenantId}/mcp-admin-keys"            = "mcp-admin-keys"
+    "DELETE /api/tenants/{tenantId}/mcp-admin-keys/{keyId}" = "mcp-admin-keys"
+
+    # One-shot tenant provisioning for the admin-ops MCP. Mints a fresh
+    # tkm_ key + stores it in Secrets Manager at
+    # thinkwork/<stage>/mcp/<tenantId>/admin-ops + upserts the
+    # tenant_mcp_servers row so the runtime picks the server up for
+    # any agent that gets it assigned via agent_mcp_servers.
+    "POST /api/tenants/{tenantId}/mcp-admin-provision" = "mcp-admin-provision"
+
+    # MCP server admin approval (plan §U11, SI-5). Plugin-uploaded MCP
+    # servers land with status='pending'; these routes flip them to
+    # approved/rejected. Cognito JWT only (mcp-approval handler rejects
+    # apikey callers) — the admin SPA is the sole UI surface.
+    "POST /api/tenants/{tenantId}/mcp-servers/{serverId}/approve"    = "mcp-approval"
+    "OPTIONS /api/tenants/{tenantId}/mcp-servers/{serverId}/approve" = "mcp-approval"
+    "POST /api/tenants/{tenantId}/mcp-servers/{serverId}/reject"     = "mcp-approval"
+    "OPTIONS /api/tenants/{tenantId}/mcp-servers/{serverId}/reject"  = "mcp-approval"
+
+    # Plugin upload admin surface (plan §U10). Admin SPA drives the full
+    # flow: POST /presign → browser PUT to presigned S3 URL → POST /upload
+    # (validator + three-phase install saga). GET routes back the admin's
+    # plugin history view. handleCors() short-circuits OPTIONS before auth
+    # — required for the browser to preflight successfully.
+    "POST /api/plugins/presign"       = "plugin-upload"
+    "OPTIONS /api/plugins/presign"    = "plugin-upload"
+    "POST /api/plugins/upload"        = "plugin-upload"
+    "OPTIONS /api/plugins/upload"     = "plugin-upload"
+    "GET /api/plugins"                = "plugin-upload"
+    "OPTIONS /api/plugins"            = "plugin-upload"
+    "GET /api/plugins/{uploadId}"     = "plugin-upload"
+    "OPTIONS /api/plugins/{uploadId}" = "plugin-upload"
+
+    # Finance pilot U2 — thread-attachment upload (presign + finalize).
+    # Cognito JWT; tenant pinned via threads.tenant_id lookup. OPTIONS
+    # is handled inside the Lambda before auth.
+    "POST /api/threads/{threadId}/attachments/presign"     = "thread-attachments-presign"
+    "OPTIONS /api/threads/{threadId}/attachments/presign"  = "thread-attachments-presign"
+    "POST /api/threads/{threadId}/attachments/finalize"    = "thread-attachments-finalize"
+    "OPTIONS /api/threads/{threadId}/attachments/finalize" = "thread-attachments-finalize"
+
+    # U9-remainder of finance pilot — tenant-pinned download endpoint.
+    "GET /api/threads/{threadId}/attachments/{attachmentId}/download"     = "thread-attachment-download"
+    "OPTIONS /api/threads/{threadId}/attachments/{attachmentId}/download" = "thread-attachment-download"
+
+    # Fat-folder bundle import. OPTIONS is handled inside the Lambda before auth.
+    "POST /api/agents/{agentId}/import-bundle"    = "folder-bundle-import"
+    "OPTIONS /api/agents/{agentId}/import-bundle" = "folder-bundle-import"
+
+    # Resolved Capability Manifest write endpoint (plan §U15). Strands
+    # container posts one row per agent-session-start. Shared
+    # API_AUTH_SECRET; no tenant OAuth.
+    "POST /api/runtime/manifests"    = "manifest-log"
+    "OPTIONS /api/runtime/manifests" = "manifest-log"
+
+    # SI-7 catalog-list read (plan §U15 pt 3/3). Strands container fetches
+    # the allowed slug set once per session-start. Shared API_AUTH_SECRET.
+    "GET /api/runtime/capability-catalog"     = "capability-catalog-list"
+    "OPTIONS /api/runtime/capability-catalog" = "capability-catalog-list"
   } : {}
 }
 
@@ -336,10 +1030,197 @@ resource "aws_scheduler_schedule" "webhook_deliveries_cleanup" {
   }
 }
 
+# ---------------------------------------------------------------------------
+# Plugin staging sweeper — hourly orphan-S3 cleanup for interrupted install
+# sagas (plan §U10). WORKSPACE_BUCKET env on the Lambda role already grants
+# the list+delete IAM; this schedule is the hourly trigger. The sweeper's
+# own cutoff constant (60 min) is independent of this cron cadence.
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "plugin_staging_sweeper" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-plugin-staging-sweeper"
+  group_name          = "default"
+  schedule_expression = "rate(1 hour)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["plugin-staging-sweeper"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
+# ---------------------------------------------------------------------------
+# MCP approval TTL sweeper — daily auto-reject of pending rows > 30 days old
+# (plan §U11). A plugin whose MCP sat uncurated for a month is stale: clear
+# pending to keep the admin queue honest and surface the reject action in
+# the audit log.
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "mcp_approval_sweeper" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-mcp-approval-sweeper"
+  group_name          = "default"
+  schedule_expression = "cron(15 4 * * ? *)" # daily at 04:15 UTC (offset from webhook cleanup)
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["mcp-approval-sweeper"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
+# ---------------------------------------------------------------------------
+# skill_runs reconciler — transitions stuck-running rows to failed every 5 min.
+# Guards against agentcore Lambda crashes / OOMs that drop the
+# /api/skills/complete writeback and leave the row at 'running' forever,
+# which in turn blocks the dedup partial unique index from letting retries
+# through.
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "skill_runs_reconciler" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-skill-runs-reconciler"
+  group_name          = "default"
+  schedule_expression = "rate(5 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["skill-runs-reconciler"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
+# ---------------------------------------------------------------------------
+# eval_runs reconciler — finalizes stuck-running eval runs every 5 min.
+# Guards against worker crashes/timeouts that occur before a per-case result
+# row is written. Missing category-selected cases are recorded as error rows,
+# then the run is finalized so the Admin UI cannot remain "running" forever.
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "eval_runs_reconciler" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-eval-runs-reconciler"
+  group_name          = "default"
+  schedule_expression = "rate(5 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["eval-runs-reconciler"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
+# ---------------------------------------------------------------------------
+# Stall monitor — marks stalled thread turns and runbook steps failed every
+# minute. This is the global backstop for agent/runtime crashes; the Computer
+# heartbeat also reconciles its own stale runbook tasks while it is alive.
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "stall_monitor" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-stall-monitor"
+  group_name          = "default"
+  schedule_expression = "rate(1 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["cron-stall-monitor"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
+# ---------------------------------------------------------------------------
+# ThinkWork Computer runtime reconciler — keeps active Computers aligned with
+# desired_runtime_status by provisioning/starting/stopping ECS services in
+# bounded batches. The handler is conservative and records per-Computer events
+# for every attempted action.
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "computer_runtime_reconciler" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-computer-runtime-reconciler"
+  group_name          = "default"
+  schedule_expression = "rate(5 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["computer-runtime-reconciler"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
+resource "aws_scheduler_schedule" "slack_dispatch" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-slack-dispatch"
+  group_name          = "default"
+  schedule_expression = "rate(1 minute)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["slack-dispatch"].arn
+    role_arn = aws_iam_role.scheduler.arn
+    input    = jsonencode({ limit = 25 })
+  }
+}
+
 # ---------------------------------------------------------------------------
 # Compounding Memory — nightly hygiene + export
 # ---------------------------------------------------------------------------
 
+resource "aws_scheduler_schedule" "wiki_compile_drainer" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-wiki-compile-drainer"
+  group_name          = "default"
+  schedule_expression = "rate(1 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.handler["wiki-compile"].arn
+    role_arn = aws_iam_role.scheduler.arn
+  }
+}
+
 resource "aws_scheduler_schedule" "wiki_lint" {
   count = local.use_local_zips ? 1 : 0
 
@@ -417,8 +1298,8 @@ resource "aws_iam_role_policy" "lambda_wiki_exports_s3" {
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
-      Effect = "Allow"
-      Action = ["s3:PutObject", "s3:AbortMultipartUpload"]
+      Effect   = "Allow"
+      Action   = ["s3:PutObject", "s3:AbortMultipartUpload"]
       Resource = "${aws_s3_bucket.wiki_exports.arn}/*"
     }]
   })
@@ -427,12 +1308,22 @@ resource "aws_iam_role_policy" "lambda_wiki_exports_s3" {
 resource "aws_iam_role" "scheduler" {
   name = "thinkwork-${var.stage}-scheduler-role"
 
+  # Phase 3 U8a — `aws:SourceAccount` confused-deputy guard. Without
+  # this condition, a foreign-account principal who learns the role ARN
+  # could potentially construct cross-account Scheduler events. The
+  # guard applies to ALL handlers the scheduler invokes; defense-in-depth
+  # alongside per-Lambda `aws:SourceArn` pins like the U7 anchor role.
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
       Effect    = "Allow"
       Principal = { Service = "scheduler.amazonaws.com" }
       Action    = "sts:AssumeRole"
+      Condition = {
+        StringEquals = {
+          "aws:SourceAccount" = var.account_id
+        }
+      }
     }]
   })
 }
@@ -444,9 +1335,22 @@ resource "aws_iam_role_policy" "scheduler_invoke" {
   policy = jsonencode({
     Version = "2012-10-17"
     Statement = [{
-      Effect   = "Allow"
-      Action   = ["lambda:InvokeFunction"]
-      Resource = local.use_local_zips ? [for k, v in aws_lambda_function.handler : v.arn] : []
+      Effect = "Allow"
+      Action = ["lambda:InvokeFunction"]
+      # Includes every for_each handler PLUS the standalone Phase 3 U8a
+      # anchor Lambda (which is intentionally outside the for_each set
+      # because it uses the U7 IAM role, not the shared aws_iam_role.lambda).
+      # Splat (`[*]`) expansion handles count=0 cleanly when local.use_local_zips
+      # is false; an indexed reference (`[0].arn`) would throw on graph eval.
+      # Phase 3 U8b — watchdog moved to standalone resource; its ARN must
+      # be added to the splat list explicitly (SEC-U8B-005). The splat
+      # `[*].arn` form handles count = 0 cleanly when local.use_local_zips
+      # is false; an indexed `[0].arn` would throw on graph eval.
+      Resource = local.use_local_zips ? concat(
+        [for k, v in aws_lambda_function.handler : v.arn],
+        aws_lambda_function.compliance_anchor[*].arn,
+        aws_lambda_function.compliance_anchor_watchdog[*].arn,
+      ) : []
     }]
   })
 }
@@ -455,6 +1359,34 @@ resource "aws_iam_role_policy" "scheduler_invoke" {
 # SSM Parameters — Lambda ARNs for cross-function invocation
 # ---------------------------------------------------------------------------
 
+########################################################################
+# SecureString parameter for the Google Places API key. wiki-compile reads
+# this on cold start via loadGooglePlacesClientFromSsm() and caches the
+# client at module scope. When google_places_api_key is empty (the
+# default), we seed the parameter with a placeholder so the Lambda init
+# path can distinguish "unconfigured" (skip Google entirely, degrade
+# gracefully) from "configured but wrong" (log + skip). lifecycle.ignore_
+# changes on `value` lets ops rotate via
+#   aws ssm put-parameter --overwrite \
+#     --name /thinkwork/<stage>/google-places/api-key \
+#     --type SecureString --value <KEY>
+# without terraform fighting it on the next apply.
+########################################################################
+
+resource "aws_ssm_parameter" "google_places_api_key" {
+  name        = "/thinkwork/${var.stage}/google-places/api-key"
+  type        = "SecureString"
+  value       = var.google_places_api_key != "" ? var.google_places_api_key : "PLACEHOLDER_SET_VIA_CLI"
+  description = "Google Places API (New) key consumed by wiki-compile. See docs/plans/2026-04-21-005-feat-wiki-place-capability-v2-plan.md Unit 4."
+
+  lifecycle {
+    # Allow `aws ssm put-parameter --overwrite` to stick across applies.
+    # New-key rotation or initial population by ops should happen via CLI,
+    # not via terraform var.
+    ignore_changes = [value]
+  }
+}
+
 resource "aws_ssm_parameter" "lambda_arns" {
   for_each = local.use_local_zips ? {
     "chat-agent-invoke-fn-arn"    = aws_lambda_function.handler["chat-agent-invoke"].arn
@@ -462,9 +1394,488 @@ resource "aws_ssm_parameter" "lambda_arns" {
     "job-schedule-manager-fn-arn" = aws_lambda_function.handler["job-schedule-manager"].arn
     "memory-retain-fn-arn"        = aws_lambda_function.handler["memory-retain"].arn
     "eval-runner-fn-arn"          = aws_lambda_function.handler["eval-runner"].arn
+    "eval-worker-fn-arn"          = aws_lambda_function.handler["eval-worker"].arn
   } : {}
 
   name  = "/thinkwork/${var.stage}/${each.key}"
   type  = "String"
   value = each.value
 }
+
+# ===========================================================================
+# Phase 3 U8a — Compliance Anchor Lambda (STANDALONE) + Watchdog wiring
+# ===========================================================================
+# Plan: docs/plans/2026-05-07-010-feat-compliance-u8a-anchor-lambda-inert-plan.md
+#
+# The anchor Lambda is INTENTIONALLY OUTSIDE the for_each handler set
+# because its execution role is the U7 IAM role (`compliance-anchor-
+# lambda-role`), not the shared `aws_iam_role.lambda`. Adding a per-key
+# `role` ternary on the for_each set is the highest-blast-radius single
+# expression in this PR (any expression error silently downgrades 60+
+# unrelated handlers); a standalone resource isolates blast radius.
+#
+# The watchdog DOES live in the for_each set — it uses the shared
+# execution role (only needs AWSLambdaBasicExecutionRole + a small inline
+# policy below for ComplianceAnchorWatchdogHeartbeat metric emit).
+# ===========================================================================
+
+resource "aws_lambda_function" "compliance_anchor" {
+  count = local.use_local_zips ? 1 : 0
+
+  function_name                  = "thinkwork-${var.stage}-api-compliance-anchor"
+  role                           = var.compliance_anchor_lambda_role_arn
+  handler                        = "index.handler"
+  runtime                        = local.runtime
+  timeout                        = 60
+  memory_size                    = 1024
+  filename                       = "${var.lambda_zips_dir}/compliance-anchor.zip"
+  source_code_hash               = filebase64sha256("${var.lambda_zips_dir}/compliance-anchor.zip")
+  reserved_concurrent_executions = 1
+
+  environment {
+    variables = {
+      STAGE                               = var.stage
+      AWS_NODEJS_CONNECTION_REUSE_ENABLED = "1"
+      COMPLIANCE_READER_SECRET_ARN        = var.compliance_reader_secret_arn
+      COMPLIANCE_DRAINER_SECRET_ARN       = var.compliance_drainer_secret_arn
+      COMPLIANCE_ANCHOR_BUCKET_NAME       = var.compliance_anchor_bucket_name
+      COMPLIANCE_ANCHOR_RETENTION_DAYS    = tostring(var.compliance_anchor_object_lock_retention_days)
+      # Phase 3 U8b — required by `_anchor_fn_live`. The Lambda throws on
+      # boot if either of these is empty; the U8b composite root wires
+      # both from `module.compliance_anchors` outputs.
+      COMPLIANCE_ANCHOR_KMS_KEY_ARN      = var.compliance_anchor_kms_key_arn
+      COMPLIANCE_ANCHOR_OBJECT_LOCK_MODE = var.compliance_anchor_object_lock_mode
+    }
+  }
+}
+
+resource "aws_sqs_queue" "compliance_anchor_dlq" {
+  count                     = local.use_local_zips ? 1 : 0
+  name                      = "thinkwork-${var.stage}-compliance-anchor-dlq"
+  message_retention_seconds = 1209600 # 14 days, matches the drainer DLQ
+  sqs_managed_sse_enabled   = true
+}
+
+resource "aws_iam_role_policy" "compliance_anchor_dlq_send" {
+  count = local.use_local_zips ? 1 : 0
+  name  = "compliance-anchor-dlq-send"
+  # Attached to the U7 anchor role (which the standalone anchor Lambda assumes).
+  role = var.compliance_anchor_lambda_role_name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["sqs:SendMessage"]
+      Resource = aws_sqs_queue.compliance_anchor_dlq[0].arn
+    }]
+  })
+}
+
+resource "aws_lambda_function_event_invoke_config" "compliance_anchor" {
+  count                        = local.use_local_zips ? 1 : 0
+  function_name                = aws_lambda_function.compliance_anchor[0].function_name
+  maximum_retry_attempts       = 0
+  maximum_event_age_in_seconds = 3600
+
+  destination_config {
+    on_failure {
+      destination = aws_sqs_queue.compliance_anchor_dlq[0].arn
+    }
+  }
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U8b — Watchdog Lambda (STANDALONE).
+#
+# Moves OFF the shared aws_iam_role.lambda onto a dedicated sibling role
+# (kms:DescribeKey only on the CMK, s3:ListBucket prefix-conditioned on
+# anchors/, no kms:Decrypt — the watchdog never reads object bodies).
+# The shared role's prior compliance_watchdog_metrics inline policy is
+# removed (its function is now on the sibling role).
+#
+# Operator pre-merge: `terraform state mv` the existing
+# `aws_lambda_function.handler["compliance-anchor-watchdog"]` address to
+# `aws_lambda_function.compliance_anchor_watchdog[0]`. Without it, apply
+# fails with ResourceConflictException on the function name.
+# ---------------------------------------------------------------------------
+
+resource "aws_lambda_function" "compliance_anchor_watchdog" {
+  count = local.use_local_zips ? 1 : 0
+
+  function_name    = "thinkwork-${var.stage}-api-compliance-anchor-watchdog"
+  role             = var.compliance_anchor_watchdog_role_arn
+  handler          = "index.handler"
+  runtime          = local.runtime
+  timeout          = 30
+  memory_size      = 512
+  filename         = "${var.lambda_zips_dir}/compliance-anchor-watchdog.zip"
+  source_code_hash = filebase64sha256("${var.lambda_zips_dir}/compliance-anchor-watchdog.zip")
+
+  environment {
+    variables = {
+      STAGE                               = var.stage
+      AWS_NODEJS_CONNECTION_REUSE_ENABLED = "1"
+      COMPLIANCE_ANCHOR_BUCKET_NAME       = var.compliance_anchor_bucket_name
+    }
+  }
+
+  tags = {
+    Name    = "thinkwork-${var.stage}-api-compliance-anchor-watchdog"
+    Handler = "compliance-anchor-watchdog"
+  }
+}
+
+# ---------------------------------------------------------------------------
+# Schedules — retry_policy is nested inside target { ... }, NOT at the
+# schedule top level. Verified against AWS provider schema.
+# ---------------------------------------------------------------------------
+
+resource "aws_scheduler_schedule" "compliance_anchor" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-compliance-anchor"
+  group_name          = "default"
+  schedule_expression = "rate(15 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = aws_lambda_function.compliance_anchor[0].arn
+    role_arn = aws_iam_role.scheduler.arn
+
+    retry_policy {
+      maximum_retry_attempts = 0
+    }
+  }
+}
+
+resource "aws_scheduler_schedule" "compliance_anchor_watchdog" {
+  count = local.use_local_zips ? 1 : 0
+
+  name                = "thinkwork-${var.stage}-compliance-anchor-watchdog"
+  group_name          = "default"
+  schedule_expression = "rate(5 minutes)"
+  state               = "ENABLED"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    # Phase 3 U8b — points at the standalone watchdog resource (was
+    # aws_lambda_function.handler["compliance-anchor-watchdog"] before
+    # the for_each split-out).
+    arn      = aws_lambda_function.compliance_anchor_watchdog[0].arn
+    role_arn = aws_iam_role.scheduler.arn
+
+    retry_policy {
+      maximum_retry_attempts = 0
+    }
+  }
+}
+
+# ---------------------------------------------------------------------------
+# CloudWatch alarms — Phase 3 U8b
+#
+# Two alarms split the failure space:
+#
+#   1. compliance-anchor-gap (treat_missing_data = "breaching"). Fires
+#      when ComplianceAnchorGap >= 1 for two consecutive 5-min periods
+#      OR when the watchdog stops emitting the metric entirely (IAM
+#      regression, code crash, S3 ListObjectsV2 perma-fail).
+#
+#   2. compliance-anchor-watchdog-heartbeat-missing
+#      (treat_missing_data = "notBreaching" born-state). Distinguishes
+#      "real anchor gap" from "watchdog metric path broken". Born-state
+#      is notBreaching to give Greenfield deploys a window before the
+#      first heartbeat lands; flip to breaching in a follow-up after
+#      first soak (Decision #7 / ADV-004).
+# ---------------------------------------------------------------------------
+
+resource "aws_cloudwatch_metric_alarm" "compliance_anchor_gap" {
+  count = local.use_local_zips ? 1 : 0
+
+  alarm_name          = "thinkwork-${var.stage}-compliance-anchor-gap"
+  alarm_description   = "Anchor cadence gap exceeded threshold. LIVE in U8b — fires on >=1 ComplianceAnchorGap=1 OR missing metric (means watchdog broken)."
+  namespace           = "Thinkwork/Compliance"
+  metric_name         = "ComplianceAnchorGap"
+  statistic           = "Maximum"
+  period              = 300
+  evaluation_periods  = 2
+  threshold           = 1
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  treat_missing_data  = "breaching"
+  alarm_actions       = []
+
+  dimensions = {
+    Stage = var.stage
+  }
+}
+
+resource "aws_cloudwatch_metric_alarm" "compliance_anchor_watchdog_heartbeat_missing" {
+  count = local.use_local_zips ? 1 : 0
+
+  alarm_name          = "thinkwork-${var.stage}-compliance-anchor-watchdog-heartbeat-missing"
+  alarm_description   = "Watchdog heartbeat metric is missing. LIVE in U8b — born with treat_missing_data = notBreaching to absorb deploy-time gaps; promote to breaching in a follow-up after first soak."
+  namespace           = "Thinkwork/Compliance"
+  metric_name         = "ComplianceAnchorWatchdogHeartbeat"
+  statistic           = "Sum"
+  period              = 300
+  evaluation_periods  = 2
+  threshold           = 1
+  comparison_operator = "LessThanThreshold"
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = []
+
+  dimensions = {
+    Stage = var.stage
+  }
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U11.U2 — Compliance export runner (STANDALONE, INERT)
+#
+# The U11.U1 createComplianceExport mutation (PR #944) inserts a queued
+# row into compliance.export_jobs and dispatches `{jobId}` to this SQS
+# queue. The runner Lambda below has a STUB body in U11.U2 (throws
+# "not implemented") — U11.U3 swaps in the live body that streams
+# CSV/NDJSON to the exports S3 bucket and publishes a 15-minute
+# presigned URL.
+#
+# Inert-substrate posture (per `feedback_ship_inert_pattern`):
+#   - SQS messages from the U11.U1 mutation accumulate.
+#   - After maxReceiveCount=3 attempts the stub throw routes them to
+#     the DLQ.
+#   - The DLQ depth alarm signals operators that the runner needs U11.U3.
+#   - This is the visible inert state — silent no-op stubs are an
+#     anti-pattern (queued jobs would stay QUEUED forever with no signal).
+#
+# Standalone Lambda (NOT in the for_each pool) — isolates the runner's
+# bucket-scoped IAM role from the 60+ unrelated handlers. Mirrors the
+# U8a anchor Lambda's standalone-resource pattern.
+# ---------------------------------------------------------------------------
+
+resource "aws_sqs_queue" "compliance_exports_dlq" {
+  count                     = local.use_local_zips ? 1 : 0
+  name                      = "thinkwork-${var.stage}-compliance-exports-dlq"
+  message_retention_seconds = 1209600 # 14 days
+  sqs_managed_sse_enabled   = true
+
+  tags = {
+    Name = "thinkwork-${var.stage}-compliance-exports-dlq"
+  }
+}
+
+resource "aws_sqs_queue" "compliance_exports" {
+  count                      = local.use_local_zips ? 1 : 0
+  name                       = "thinkwork-${var.stage}-compliance-exports"
+  visibility_timeout_seconds = 900   # matches Lambda 15-min timeout
+  message_retention_seconds  = 86400 # 1 day; DLQ holds longer-stuck messages
+  sqs_managed_sse_enabled    = true
+
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.compliance_exports_dlq[0].arn
+    maxReceiveCount     = 3
+  })
+
+  tags = {
+    Name = "thinkwork-${var.stage}-compliance-exports"
+  }
+}
+
+# graphql-http needs sqs:SendMessage on the new queue to dispatch jobIds
+# from the createComplianceExport mutation. Attached to the shared
+# lambda role (which graphql-http assumes); scope is queue-specific.
+resource "aws_iam_role_policy" "compliance_exports_send" {
+  count = local.use_local_zips ? 1 : 0
+  name  = "compliance-exports-send"
+  role  = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect   = "Allow"
+      Action   = ["sqs:SendMessage"]
+      Resource = aws_sqs_queue.compliance_exports[0].arn
+    }]
+  })
+}
+
+# Runner role's SQS receive grants — only the runner consumes the queue.
+resource "aws_iam_role_policy" "compliance_exports_runner_sqs" {
+  count = local.use_local_zips ? 1 : 0
+  name  = "compliance-exports-runner-sqs"
+  role  = var.compliance_exports_runner_role_name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "RunnerSqsReceive"
+        Effect = "Allow"
+        Action = [
+          "sqs:ReceiveMessage",
+          "sqs:DeleteMessage",
+          "sqs:GetQueueAttributes",
+          "sqs:ChangeMessageVisibility",
+        ]
+        Resource = aws_sqs_queue.compliance_exports[0].arn
+      },
+      {
+        Sid      = "RunnerDlqSend"
+        Effect   = "Allow"
+        Action   = ["sqs:SendMessage"]
+        Resource = aws_sqs_queue.compliance_exports_dlq[0].arn
+      },
+    ]
+  })
+}
+
+resource "aws_lambda_function" "compliance_export_runner" {
+  count = local.use_local_zips ? 1 : 0
+
+  function_name                  = "thinkwork-${var.stage}-api-compliance-export-runner"
+  role                           = var.compliance_exports_runner_role_arn
+  handler                        = "index.handler"
+  runtime                        = local.runtime
+  timeout                        = 900
+  memory_size                    = 1024
+  filename                       = "${var.lambda_zips_dir}/compliance-export-runner.zip"
+  source_code_hash               = filebase64sha256("${var.lambda_zips_dir}/compliance-export-runner.zip")
+  reserved_concurrent_executions = 2
+
+  environment {
+    variables = {
+      STAGE                               = var.stage
+      AWS_NODEJS_CONNECTION_REUSE_ENABLED = "1"
+      COMPLIANCE_EXPORTS_BUCKET           = var.compliance_exports_bucket_name
+      COMPLIANCE_EXPORTS_QUEUE_URL        = aws_sqs_queue.compliance_exports[0].url
+      # Phase 3 U11.U3 — the live runner connects to Aurora as the
+      # writer pool (existing app role) for INSERT/UPDATE on
+      # compliance.export_jobs and SELECT on compliance.audit_events.
+      DATABASE_URL_SECRET_ARN = var.graphql_db_secret_arn
+      # The writer-pool secret stores only {username, password}; the
+      # runner constructs the URL from these env vars + the secret.
+      # Mirrors the fallback in packages/database-pg/src/db.ts's
+      # `resolveDatabaseUrlFromSecrets` (deploy run 25563132057
+      # surfaced this as "Invalid URL" when only the ARN was wired).
+      DATABASE_HOST = var.db_cluster_endpoint
+      DATABASE_NAME = var.database_name
+    }
+  }
+}
+
+# SQS → Lambda event source mapping. batch_size=1 so each export is a
+# discrete invocation; ReportBatchItemFailures lets the runner mark
+# individual messages failed without re-enqueuing the whole batch.
+# Concurrency is bounded by the Lambda function's
+# reserved_concurrent_executions=2 (set above) — the
+# `maximum_concurrency` argument on the event-source mapping requires a
+# newer aws provider version than this codebase currently pins, and the
+# function-level reservation gives the equivalent ceiling at v1 scale.
+resource "aws_lambda_event_source_mapping" "compliance_exports" {
+  count = local.use_local_zips ? 1 : 0
+
+  event_source_arn        = aws_sqs_queue.compliance_exports[0].arn
+  function_name           = aws_lambda_function.compliance_export_runner[0].function_name
+  batch_size              = 1
+  enabled                 = true
+  function_response_types = ["ReportBatchItemFailures"]
+}
+
+resource "aws_cloudwatch_metric_alarm" "compliance_exports_dlq_depth" {
+  count = local.use_local_zips ? 1 : 0
+
+  alarm_name          = "thinkwork-${var.stage}-compliance-exports-dlq-depth"
+  alarm_description   = "Compliance exports DLQ has messages — runner Lambda crashed (or is inert pre-U11.U3); operator must inspect."
+  namespace           = "AWS/SQS"
+  metric_name         = "ApproximateNumberOfMessagesVisible"
+  statistic           = "Maximum"
+  period              = 60
+  evaluation_periods  = 1
+  threshold           = 1
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = []
+
+  dimensions = {
+    QueueName = aws_sqs_queue.compliance_exports_dlq[0].name
+  }
+}
+
+# ---------------------------------------------------------------------------
+# workspace-files-efs — STANDALONE Lambda that reads any Computer's workspace
+# files directly off the shared EFS file system. Bypasses the
+# computer_tasks queue for list/get operations so the admin Computer
+# Workspace tab is independent of runtime liveness or write-queue backlog.
+#
+# Plan: docs/plans/2026-05-13-XXX-feat-admin-computer-efs-listing-plan.md
+#
+# The Lambda mounts the `workspace_admin` access point at /mnt/efs. That
+# access point is rooted at /tenants on the shared EFS, so the handler
+# can address any Computer's workspace as
+#   /mnt/efs/<tenantId>/computers/<computerId>/<path...>
+# (matches the layout written by `computerWorkspacePath` in
+# packages/api/src/lib/computers/runtime-control.ts:40).
+#
+# VPC config: same subnet set the Computer ECS tasks use (so the mount
+# targets are reachable). Dedicated security group with an EFS-SG ingress
+# rule defined as a sibling of the task-SG rule in the computer-runtime
+# module — keeps Lambda traffic auditable separately.
+#
+# Writes intentionally stay on the existing computer_tasks queue path.
+# Mutations have ordering semantics with the runtime's in-process state;
+# changing them is out of scope for this PR.
+# ---------------------------------------------------------------------------
+
+resource "aws_lambda_function" "workspace_files_efs" {
+  count = local.use_local_zips ? 1 : 0
+
+  function_name = "thinkwork-${var.stage}-api-workspace-files-efs"
+  role          = aws_iam_role.lambda.arn
+  handler       = "index.handler"
+  runtime       = local.runtime
+  timeout       = 30
+  memory_size   = 512
+
+  filename         = "${var.lambda_zips_dir}/workspace-files-efs.zip"
+  source_code_hash = filebase64sha256("${var.lambda_zips_dir}/workspace-files-efs.zip")
+
+  vpc_config {
+    subnet_ids         = var.computer_runtime_subnet_ids
+    security_group_ids = [var.workspace_admin_lambda_sg_id]
+  }
+
+  file_system_config {
+    arn              = var.workspace_admin_efs_access_point_arn
+    local_mount_path = "/mnt/efs"
+  }
+
+  environment {
+    variables = {
+      STAGE                               = var.stage
+      AWS_NODEJS_CONNECTION_REUSE_ENABLED = "1"
+      WORKSPACE_EFS_ROOT                  = "/mnt/efs"
+    }
+  }
+
+  tags = {
+    Name    = "thinkwork-${var.stage}-api-workspace-files-efs"
+    Handler = "workspace-files-efs"
+  }
+}
+
+# VPC-attached Lambdas need permission to manage ENIs. The shared lambda
+# role doesn't grant this by default because most handlers run outside a
+# VPC. AWSLambdaVPCAccessExecutionRole gives Create/Describe/DeleteNetwork
+# Interface — minimum scope for VPC Lambdas.
+resource "aws_iam_role_policy_attachment" "lambda_vpc_access" {
+  count = local.use_local_zips ? 1 : 0
+
+  role       = aws_iam_role.lambda.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+}