thinkwork-cli 0.9.0 → 0.9.1

package/dist/terraform/modules/app/lambda-api/variables.tf

@@ -60,6 +60,12 @@ variable "bucket_arn" {
   type        = string
 }
 
+variable "enable_workspace_orchestration" {
+  description = "Enable S3 EventBridge/SQS routing for workspace file orchestration."
+  type        = bool
+  default     = false
+}
+
 variable "user_pool_id" {
   description = "Cognito user pool ID"
   type        = string
@@ -80,6 +86,12 @@ variable "mobile_client_id" {
   type        = string
 }
 
+variable "cognito_auth_domain" {
+  description = "Cognito hosted UI domain prefix, e.g. thinkwork-dev. Empty disables MCP OAuth login."
+  type        = string
+  default     = ""
+}
+
 variable "appsync_api_url" {
   description = "AppSync subscriptions endpoint URL"
   type        = string
@@ -134,6 +146,19 @@ variable "api_auth_secret" {
   default     = ""
 }
 
+variable "extension_proxy_backends_json" {
+  description = "JSON map of enabled Admin extension ids to allowlisted backend base URLs. Example: {\"customer-module\":{\"baseUrl\":\"https://extension.example.com\"}}"
+  type        = string
+  default     = "{}"
+}
+
+variable "extension_proxy_signing_secret" {
+  description = "Shared HMAC secret used by the generic Admin extension proxy to sign actor context for extension backends."
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
 variable "hindsight_endpoint" {
   description = "Hindsight API endpoint (empty when enable_hindsight = false)"
   type        = string
@@ -162,12 +187,118 @@ variable "agentcore_function_name" {
   default     = ""
 }
 
+variable "agentcore_flue_function_name" {
+  description = "Flue AgentCore Lambda function name (for direct SDK invoke); empty until the Flue runtime is provisioned for the stage."
+  type        = string
+  default     = ""
+}
+
 variable "agentcore_function_arn" {
   description = "AgentCore Lambda function ARN (used to grant lambda:InvokeFunction)"
   type        = string
   default     = ""
 }
 
+variable "agentcore_flue_function_arn" {
+  description = "Flue AgentCore Lambda function ARN (used to grant lambda:InvokeFunction)"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_cluster_name" {
+  description = "ECS cluster name for ThinkWork Computer runtime services"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_cluster_arn" {
+  description = "ECS cluster ARN for ThinkWork Computer runtime services"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_efs_file_system_id" {
+  description = "Shared EFS file system ID for Computer live workspaces"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_subnet_ids" {
+  description = "Subnets for Computer runtime ECS services"
+  type        = list(string)
+  default     = []
+}
+
+variable "computer_runtime_assign_public_ip" {
+  description = "ENABLED or DISABLED for Computer runtime ECS task public IP assignment"
+  type        = string
+  default     = "DISABLED"
+  validation {
+    condition     = contains(["ENABLED", "DISABLED"], var.computer_runtime_assign_public_ip)
+    error_message = "computer_runtime_assign_public_ip must be ENABLED or DISABLED."
+  }
+}
+
+variable "computer_runtime_task_sg_id" {
+  description = "Security group for Computer runtime ECS tasks"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_execution_role_arn" {
+  description = "ECS execution role ARN for Computer runtime tasks"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_task_role_arn" {
+  description = "ECS task role ARN for Computer runtime tasks"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_log_group_name" {
+  description = "CloudWatch log group for Computer runtime tasks"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_repository_url" {
+  description = "ECR repository URL for the Computer runtime image"
+  type        = string
+  default     = ""
+}
+
+variable "computer_runtime_default_cpu" {
+  description = "Default Fargate CPU units for Computer runtime tasks"
+  type        = number
+  default     = 256
+}
+
+variable "computer_runtime_default_memory" {
+  description = "Default Fargate memory MB for Computer runtime tasks"
+  type        = number
+  default     = 512
+}
+
+variable "computer_runtime_manager_policy_arn" {
+  description = "IAM policy ARN granting Computer manager access to ECS/EFS runtime resources"
+  type        = string
+  default     = ""
+}
+
+variable "workspace_admin_efs_access_point_arn" {
+  description = "Shared EFS access point ARN consumed by the workspace-files-efs Lambda. Rooted at /tenants on the Computer runtime EFS file system so a single Lambda can resolve any (tenantId, computerId) at request time."
+  type        = string
+  default     = ""
+}
+
+variable "workspace_admin_lambda_sg_id" {
+  description = "Security group ID assigned to the workspace-files-efs Lambda. Allowed NFS into the Computer runtime EFS security group via a sibling ingress rule defined in the computer-runtime module."
+  type        = string
+  default     = ""
+}
+
 variable "admin_url" {
   description = "Admin app URL (e.g. https://d3li9vbqnhv7w.cloudfront.net)"
   type        = string
@@ -180,6 +311,24 @@ variable "docs_url" {
   default     = ""
 }
 
+variable "www_url" {
+  description = "Marketing site URL (e.g. https://thinkwork.ai). Used for Stripe Checkout cancel_url and CORS origin."
+  type        = string
+  default     = ""
+}
+
+variable "stripe_price_ids_json" {
+  description = "JSON object mapping internal plan names to Stripe price IDs for this stage, e.g. {\"starter\":\"price_...\",\"team\":\"price_...\"}. Non-secret; per-stage. Default is an empty object so Lambdas boot even before pricing is configured."
+  type        = string
+  default     = "{}"
+}
+
+variable "stripe_welcome_from_email" {
+  description = "Override From: address on the Stripe post-checkout welcome email. Must be an SES-verified identity. Empty string falls back to the in-code default (hello@agents.thinkwork.ai, which uses the already-verified SES inbound domain). Set to hello@thinkwork.ai once the bare-apex sender identity is verified."
+  type        = string
+  default     = ""
+}
+
 variable "appsync_realtime_url" {
   description = "AppSync realtime/WebSocket endpoint URL"
   type        = string
@@ -204,8 +353,206 @@ variable "job_scheduler_role_arn" {
   default     = ""
 }
 
-variable "lastmile_tasks_api_url" {
-  description = "Base URL of the LastMile Tasks REST API used by the outbound sync path (POST /tasks, GET /workflows, etc). Leave blank to feature-flag the integration off; mobile-created tasks then land in sync_status='local' until the URL is set."
+variable "wiki_compile_model_id" {
+  description = "Bedrock model id the wiki-compile Lambda uses for the leaf planner, aggregation planner, and section writer. Any Converse-compatible model works. Override per-env if you want to spike a different model without re-deploying code."
+  type        = string
+  default     = "openai.gpt-oss-120b-1:0"
+}
+
+variable "company_brain_source_agent_model_id" {
+  description = "Bedrock model id the GraphQL context-engine Company Brain source-agent runtime uses for JSON tool/action turns. Kept separate from the high-throughput wiki compiler model so source agents can use a model tuned for reliable action JSON."
+  type        = string
+  default     = "us.anthropic.claude-haiku-4-5-20251001-v1:0"
+}
+
+variable "wiki_aggregation_pass_enabled" {
+  description = "Feature flag for the wiki aggregation pass (parent section rollups + section promotion). Pipeline stops after leaf compile when this is off and never populates hub rollups. Stored as a string because the Lambda reads it verbatim from env; must be 'true' / '1' / 'yes' to enable."
+  type        = string
+  default     = "true"
+}
+
+variable "wiki_deterministic_linking_enabled" {
+  description = "Feature flag for deterministic compile-time link emission (parent-expander-driven city/journal references + entity↔entity co-mention edges). When off, the compile pipeline never calls the deterministic linkers and `links_written_deterministic` / `links_written_co_mention` stay at 0 in metrics. Stored as a string because the Lambda reads it verbatim from env; must be 'true' / '1' / 'yes' to enable."
+  type        = string
+  default     = "true"
+}
+
+variable "google_places_api_key" {
+  description = "Google Places API (New) key used by wiki-compile for POI → city/state/country hierarchy enrichment. Stored as a SecureString SSM parameter at /thinkwork/<stage>/google-places/api-key. Empty default creates the parameter with a placeholder value; operator populates via `aws ssm put-parameter --overwrite`. The parameter's value has lifecycle.ignore_changes set so CLI rotation sticks across terraform applies. Compile gracefully degrades when the key is absent (metadata-only place rows) — never fails compile."
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+# ---------------------------------------------------------------------------
+# Per-user OAuth client credentials
+# ---------------------------------------------------------------------------
+
+variable "google_oauth_client_id" {
+  description = "Google Workspace OAuth 2.0 client ID (for per-user Gmail/Calendar integration). Stored in Secrets Manager via aws_secretsmanager_secret_version; fetched by Lambdas at cold-start via oauth-client-credentials.ts."
+  type        = string
+  default     = ""
+}
+
+variable "google_oauth_client_secret" {
+  description = "Google Workspace OAuth 2.0 client secret (for per-user Gmail/Calendar integration). Stored in Secrets Manager alongside the client_id; Lambdas fetch both values at cold-start."
+  type        = string
+  default     = ""
+  sensitive   = true
+}
+
+variable "redirect_success_url" {
+  description = "Default OAuth-callback redirect target used when the caller doesn't supply a returnUrl. Mobile callers pass a thinkwork:// custom scheme; web (admin) falls through to this default."
+  type        = string
+  default     = "https://app.thinkwork.ai/settings/credentials"
+}
+
+variable "platform_operator_emails" {
+  description = "Comma-separated allowlist of emails permitted to invoke operator-gated GraphQL mutations (updateTenantPolicy, sandbox fixture setup, etc.). Compared against ctx.auth.email — pulled from the Cognito JWT for user callers and from the x-principal-email header for service-auth callers. Empty ⇒ the gate rejects every call."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# MCP custom domain (optional) — e.g., mcp.thinkwork.ai
+# ---------------------------------------------------------------------------
+
+variable "mcp_custom_domain" {
+  description = "Custom domain for the MCP endpoint (e.g., 'mcp.thinkwork.ai'). Empty disables the custom-domain setup entirely. When set, an ACM cert is created; flip mcp_custom_domain_ready=true on the second apply to attach the domain + API mapping after DNS validation completes. See docs/solutions/patterns/mcp-custom-domain-setup-2026-04-23.md for the workflow."
+  type        = string
+  default     = ""
+}
+
+variable "mcp_custom_domain_ready" {
+  description = "Two-apply gate for the MCP custom domain. Leave false on the first apply (cert-only). After running `pnpm cf:sync-mcp` + waiting for ACM validation, flip to true and re-apply to create the API Gateway domain + mapping."
+  type        = bool
+  default     = false
+}
+
+# ---------------------------------------------------------------------------
+# Routines runtime (Phase B U6) — code-interpreter id for routine-task-python
+# ---------------------------------------------------------------------------
+
+variable "agentcore_code_interpreter_id" {
+  description = "AgentCore Code Interpreter id used by routine-task-python (Phase B U6) for SFN `python` recipe states. Default empty — the Lambda fails closed with sandbox_misconfigured when unset, which is the correct behavior until Phase B U7 provisions a routines-dedicated interpreter. Operations sets this via tfvars once the interpreter is created."
+  type        = string
+  default     = ""
+}
+
+variable "routines_execution_role_arn" {
+  description = "ARN of the Step Functions execution role newly-created routine state machines run under (Phase B U7). Wired from the routines-stepfunctions module's execution_role_arn output. createRoutine passes this as RoleArn on CreateStateMachine; the lambda-api role's RoutinePassExecutionRole grant is scoped to exactly this ARN."
+  type        = string
+  default     = ""
+}
+
+variable "routines_log_group_arn" {
+  description = "ARN of the routines-stepfunctions CloudWatch log group (Phase B U7). Surfaced to the publish flow for future LoggingConfiguration on CreateStateMachine."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U4 — compliance-outbox-drainer Aurora credentials
+# ---------------------------------------------------------------------------
+
+variable "compliance_drainer_secret_arn" {
+  description = "ARN of the Secrets Manager secret holding the `compliance_drainer` Aurora role credentials (Phase 3 U2 / PR #887). Wired from `module.database.compliance_drainer_secret_arn`. The compliance-outbox-drainer Lambda resolves this at module load to connect with INSERT-only access on `compliance.audit_events`."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U7 — compliance audit-anchor bucket (S3 Object Lock)
+# Default empty until U8a wires the anchor Lambda. The variables exist so
+# U8a can reference them without forcing this PR to also wire a Lambda body.
+# ---------------------------------------------------------------------------
+
+variable "compliance_anchor_bucket_arn" {
+  description = "ARN of the WORM-protected compliance audit-anchor S3 bucket. Default empty until U8a wires the anchor Lambda."
+  type        = string
+  default     = ""
+}
+
+variable "compliance_anchor_bucket_name" {
+  description = "Name of the WORM-protected compliance audit-anchor S3 bucket. Default empty until U8a wires the anchor Lambda."
+  type        = string
+  default     = ""
+}
+
+variable "compliance_anchor_lambda_role_arn" {
+  description = "ARN of the IAM role the anchor Lambda will assume. Default empty until U8a wires the anchor Lambda."
+  type        = string
+  default     = ""
+}
+
+variable "compliance_anchor_lambda_role_name" {
+  description = "Name of the IAM role the anchor Lambda assumes (extracted from the role resource for inline-policy attachments like the U8a DLQ SendMessage grant)."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U8a — compliance anchor Lambda runtime config
+# ---------------------------------------------------------------------------
+
+variable "compliance_reader_secret_arn" {
+  description = "ARN of the Secrets Manager secret holding the `compliance_reader` Aurora role credentials. Wired from `module.database.compliance_reader_secret_arn`. The U8a anchor Lambda uses this for least-privilege SELECT on `compliance.audit_events`."
+  type        = string
+  default     = ""
+}
+
+variable "compliance_anchor_object_lock_retention_days" {
+  description = "Default Object Lock retention for the compliance anchor bucket, in days. Forwarded to the anchor Lambda as COMPLIANCE_ANCHOR_RETENTION_DAYS (consumed by U8b's live function; pre-plumbed in U8a). Master plan baseline: 365."
+  type        = number
+  default     = 365
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U8b — anchor Lambda live config
+# ---------------------------------------------------------------------------
+
+variable "compliance_anchor_kms_key_arn" {
+  description = "ARN of the customer-managed CMK used for SSE-KMS encryption of anchor objects. Forwarded to the anchor Lambda as COMPLIANCE_ANCHOR_KMS_KEY_ARN (required by `_anchor_fn_live` for the SSE-KMS PutObject)."
+  type        = string
+  default     = ""
+}
+
+variable "compliance_anchor_object_lock_mode" {
+  description = "Object Lock retention mode applied per-object to anchor PutObjects. GOVERNANCE in dev/staging; COMPLIANCE in prod (irreversible). Forwarded to the anchor Lambda as COMPLIANCE_ANCHOR_OBJECT_LOCK_MODE."
+  type        = string
+  default     = "GOVERNANCE"
+}
+
+variable "compliance_anchor_watchdog_role_arn" {
+  description = "ARN of the sibling IAM role the watchdog Lambda assumes (Phase 3 U8b). Decrypt-less: kms:DescribeKey only on the bucket CMK; s3:ListBucket prefix-scoped to anchors/."
+  type        = string
+  default     = ""
+}
+
+variable "compliance_anchor_watchdog_role_name" {
+  description = "Name of the sibling watchdog IAM role. Used for any future inline-policy attachments (e.g., DLQ SendMessage) without re-deriving the name from the ARN."
+  type        = string
+  default     = ""
+}
+
+# ---------------------------------------------------------------------------
+# Phase 3 U11.U2 — compliance export runner Lambda
+# ---------------------------------------------------------------------------
+
+variable "compliance_exports_bucket_name" {
+  description = "Name of the compliance-exports S3 bucket. Forwarded to the runner Lambda as COMPLIANCE_EXPORTS_BUCKET so the U11.U3 live body knows where to write CSV/NDJSON artifacts. Default empty — the runner function still deploys but the live body throws on boot."
+  type        = string
+  default     = ""
+}
+
+variable "compliance_exports_runner_role_arn" {
+  description = "ARN of the IAM role the U11 export runner Lambda assumes. Wired from `module.compliance_exports.runner_role_arn`. Default empty until U11.U2 ships."
+  type        = string
+  default     = ""
+}
+
+variable "compliance_exports_runner_role_name" {
+  description = "Name of the IAM role the U11 export runner Lambda assumes (extracted from the role resource for inline-policy attachments — DLQ SendMessage, SQS receive)."
   type        = string
   default     = ""
 }

package/dist/terraform/modules/app/lambda-api/workspace-events.tf

@@ -0,0 +1,125 @@
+locals {
+  workspace_event_enabled = var.enable_workspace_orchestration && local.use_local_zips
+  # EventBridge rejects the more precise per-folder S3 wildcard rules as too
+  # complex. Keep broad workspace/catalog families in separate rules and let the
+  # dispatcher keep the canonical allowlist in code.
+  workspace_event_patterns = {
+    workspace = [
+      "tenants/*/agents/*/workspace/*",
+    ]
+    catalog_skills = [
+      "tenants/*/agents/_catalog/*/workspace/skills/*",
+    ]
+  }
+}
+
+resource "aws_sqs_queue" "workspace_event_dlq" {
+  for_each = local.workspace_event_enabled ? local.workspace_event_patterns : {}
+
+  name                      = "thinkwork-${var.stage}-workspace-events-${each.key}-dlq"
+  message_retention_seconds = 1209600
+  sqs_managed_sse_enabled   = true
+}
+
+resource "aws_sqs_queue" "workspace_event" {
+  for_each = local.workspace_event_enabled ? local.workspace_event_patterns : {}
+
+  name                       = "thinkwork-${var.stage}-workspace-events-${each.key}"
+  visibility_timeout_seconds = 180
+  sqs_managed_sse_enabled    = true
+
+  redrive_policy = jsonencode({
+    deadLetterTargetArn = aws_sqs_queue.workspace_event_dlq[each.key].arn
+    maxReceiveCount     = 1
+  })
+}
+
+resource "aws_cloudwatch_event_rule" "workspace_event" {
+  for_each = local.workspace_event_enabled ? local.workspace_event_patterns : {}
+
+  name        = "thinkwork-${var.stage}-workspace-event-${each.key}"
+  description = "Workspace orchestration S3 ${each.key} object events"
+
+  event_pattern = jsonencode({
+    source        = ["aws.s3"]
+    "detail-type" = ["Object Created", "Object Deleted"]
+    detail = {
+      bucket = {
+        name = [var.bucket_name]
+      }
+      object = {
+        key = [for pattern in each.value : { wildcard = pattern }]
+      }
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "workspace_event" {
+  for_each = local.workspace_event_enabled ? local.workspace_event_patterns : {}
+
+  rule = aws_cloudwatch_event_rule.workspace_event[each.key].name
+  arn  = aws_sqs_queue.workspace_event[each.key].arn
+}
+
+resource "aws_sqs_queue_policy" "workspace_event" {
+  for_each = local.workspace_event_enabled ? local.workspace_event_patterns : {}
+
+  queue_url = aws_sqs_queue.workspace_event[each.key].id
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Principal = {
+          Service = "events.amazonaws.com"
+        }
+        Action   = "sqs:SendMessage"
+        Resource = aws_sqs_queue.workspace_event[each.key].arn
+        Condition = {
+          ArnEquals = {
+            "aws:SourceArn" = aws_cloudwatch_event_rule.workspace_event[each.key].arn
+          }
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_lambda_event_source_mapping" "workspace_event_dispatcher" {
+  for_each = local.workspace_event_enabled ? local.workspace_event_patterns : {}
+
+  event_source_arn        = aws_sqs_queue.workspace_event[each.key].arn
+  function_name           = aws_lambda_function.handler["workspace-event-dispatcher"].arn
+  batch_size              = 10
+  function_response_types = ["ReportBatchItemFailures"]
+
+  scaling_config {
+    maximum_concurrency = 5
+  }
+}
+
+resource "aws_iam_role_policy" "lambda_workspace_events_sqs" {
+  count = local.workspace_event_enabled ? 1 : 0
+
+  name = "thinkwork-${var.stage}-lambda-workspace-events-sqs"
+  role = aws_iam_role.lambda.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "sqs:ReceiveMessage",
+          "sqs:DeleteMessage",
+          "sqs:GetQueueAttributes",
+          "sqs:ChangeMessageVisibility",
+        ]
+        Resource = concat(
+          [for q in aws_sqs_queue.workspace_event : q.arn],
+          [for q in aws_sqs_queue.workspace_event_dlq : q.arn],
+        )
+      },
+    ]
+  })
+}