Managed Applications

Managed applications are optional applications operated inside the customer ThinkWork AWS deployment. V1 proves the lifecycle with Cognee Knowledge Graph, Twenty CRM, and Plane.

Operators use Spaces Settings -> Managed Applications for the normal path: plan, review impact, approve, watch progress, and inspect evidence.

Managed-app jobs use the same deployment controller contract as full environment updates. A plan or apply request names the selected release manifest URL and SHA-256 digest, records a controller evidence prefix, and passes only release-verified image URIs or customer-owned secret ARNs into the runner. Base installs keep Cognee, Twenty, Plane, Slack, and Stripe disabled until an operator explicitly plans and approves the optional app.

The TEI proving environment keeps optional apps disabled in the base install. That is expected: foundation login, model catalog, runtime config, and release update proof can pass before Cognee, Twenty, or Plane are selected. The full managed-app gate is accepted only after an operator plans, approves, applies, and smokes the selected optional app through the customer controller.

First-party application plugin source lives under root plugins/<plugin-key>/ packages. Each package owns its manifest, README, local tests or fixtures, and any plugin-specific smoke scripts that have migrated. Shared deployment, API, and web packages should keep generic plugin infrastructure only; plugin-specific additions belong in the owning plugin package unless a migration allowlist explicitly documents the legacy path.

request -> plan -> approval -> apply or destroy -> smoke -> evidence

Every mutating action is represented by a deployment job. Jobs preserve the selected release manifest digest, requested action, approval decision, plan summary, destructive impact, Step Functions execution ARN, CodeBuild build id, artifact keys, and smoke evidence.

During approval the apply execution must receive the same desired config and release manifest image map that produced the approved plan digest. If the release manifest lacks a digest-pinned image for the selected app, the deploy fails before Terraform variables are produced.
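
The pre-apply gate described above, as an added example that is not ThinkWork's own code: it checks the manifest bytes against the selected SHA-256 digest, refuses an app that has no digest-pinned image, and rejects apply inputs that differ from the approved plan. The manifest shape, the function names, and the canonical-JSON plan digest are assumptions.

```javascript
// Added example, not ThinkWork code. The manifest shape ({ images: { <appKey>: <uri> } }),
// the function names and the canonical-JSON plan digest are assumptions.
const { createHash } = require('node:crypto');

const sha256Hex = (data) => createHash('sha256').update(data).digest('hex');

// Digest-pinned reference: repository@sha256:<64 hex>. A tag alone is mutable.
const PINNED_IMAGE = /^[^\s@]+@sha256:[0-9a-f]{64}$/;

// Stable serialization so key order cannot change the digest.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`);
    return `{${members.join(',')}}`;
  }
  return JSON.stringify(value) ?? 'null';
}

// Digest over the inputs that produced a plan (hypothetical construction).
function planInputsDigest(desiredConfig, imageMap) {
  return sha256Hex(canonical({ desiredConfig, imageMap }));
}

// Fail closed before any deploy variables are built.
function gateApply({ manifestBytes, manifestSha256, appKey, desiredConfig, approvedPlanDigest }) {
  if (sha256Hex(manifestBytes) !== manifestSha256) {
    throw new Error('release manifest does not match the selected SHA-256 digest');
  }
  const images = JSON.parse(manifestBytes.toString('utf8')).images ?? {};
  const uri = Object.hasOwn(images, appKey) ? images[appKey] : undefined;
  if (typeof uri !== 'string' || !PINNED_IMAGE.test(uri)) {
    throw new Error(`no digest-pinned image for ${appKey} in release manifest`);
  }
  if (planInputsDigest(desiredConfig, images) !== approvedPlanDigest) {
    throw new Error('apply inputs differ from the approved plan; re-plan and re-approve');
  }
  return { appKey, image: uri };
}

// Constructed sample manifest: one pinned image, one tag-only image.
const SAMPLE_MANIFEST = Buffer.from(JSON.stringify({
  version: '0.0.0-example',
  images: {
    plane: `registry.example.com/plane@sha256:${'a'.repeat(64)}`,
    twenty: 'registry.example.com/twenty:latest', // tag only: rejected by the gate
  },
}));
```

Because the plan digest covers the whole image map, changing any image in the manifest between plan and apply invalidates the approval, not only a change to the selected app's image.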

Cognee is the optional Knowledge Graph runtime. Deploying Cognee provisions the runtime resources required for graph enrichment and health reporting. Destroying Cognee is destructive in v1 and removes app-owned runtime resources and data.

Run the smoke after deploy or destroy:

node plugins/company-brain/smoke/cognee-managed-app-smoke.mjs

SMOKE_ENABLE_COGNEE_MANAGED_APP=1 \
SMOKE_TENANT_ID=<tenant-id> \
SMOKE_EVIDENCE_FILE=deploy-artifacts/cognee-smoke.json \
node plugins/company-brain/smoke/cognee-managed-app-smoke.mjs

The smoke skips cleanly when Cognee is not enabled. When Cognee is enabled, it requires either GraphQL health credentials or explicit private endpoint probing.

Twenty CRM is a self-hosted CRM runtime managed by ThinkWork. Deploying Twenty provisions the public CRM endpoint, server and worker ECS services, database state, cache, secrets, and the managed MCP registration path. Destroying Twenty is destructive in v1 and removes the managed runtime and app-owned state.

Run the smoke after deploy, park, redeploy, or destroy:

node plugins/twenty/smoke/twenty-managed-app-smoke.mjs

SMOKE_ENABLE_TWENTY_MANAGED_APP=1 \
SMOKE_TENANT_ID=<tenant-id> \
SMOKE_EVIDENCE_FILE=deploy-artifacts/twenty-smoke.json \
node plugins/twenty/smoke/twenty-managed-app-smoke.mjs

The smoke skips cleanly when Twenty is unprovisioned or parked. When the runtime is enabled, it requires an HTTPS Twenty URL and a successful /healthz response.

Plane is a self-hosted project-management runtime packaged as the plane application plugin. Operators install it from Settings -> Plugins, then the plugin infrastructure component uses the managed-app deployment runner to provision the retained Plane substrate.

Deploying Plane provisions the public Plane endpoint, one ECS/Fargate service and task with Plane app, MCP, Redis, and RabbitMQ containers, dedicated Plane database credentials, S3-backed file storage, CloudWatch logs, and the Plane MCP endpoint. Parking Plane stops runtime capacity while retaining Plane data, files, secrets, queue/cache/storage resources, endpoint wiring, and the re-enable path. Destroying Plane is destructive and removes Plane runtime infrastructure plus app-owned database state, storage, queue/cache resources, secrets, and managed MCP rows.

Plane user access is intentionally per-user. Each user activates the plugin with their own Plane personal access token and workspace slug; ThinkWork stores those values as user-scoped activation secrets and emits them as Authorization: Bearer <PAT> plus the x-workspace-slug header only for that requester. Do not create a tenant-wide Plane API key as a shortcut.

Run the managed-app smoke after deploy, park, redeploy, or destroy:

node plugins/plane/smoke/plane-managed-app-smoke.mjs

SMOKE_ENABLE_PLANE_MANAGED_APP=1 \
SMOKE_TENANT_ID=<tenant-id> \
SMOKE_EVIDENCE_FILE=deploy-artifacts/plane-smoke.json \
node plugins/plane/smoke/plane-managed-app-smoke.mjs

The smoke skips cleanly when Plane is unprovisioned or parked. When the runtime is enabled, it requires an HTTPS Plane URL and a successful public health-path response. The default health path is /; override it with SMOKE_PLANE_HEALTH_PATH if the deployed Plane version exposes a narrower health endpoint.

After Plane is deployed and a user has activated the plugin, run the MCP seed/write smoke. Direct mode proves the Plane MCP server; proxy mode proves ThinkWork activation and runtime bearer plus header injection:

SMOKE_ENABLE_PLANE_MCP=1 \
SMOKE_PLANE_MCP_WRITE=1 \
SMOKE_PLANE_MCP_URL=https://plane.example.com/mcp \
SMOKE_PLANE_API_KEY=<plane-pat> \
SMOKE_PLANE_WORKSPACE_SLUG=<workspace-slug> \
node plugins/plane/smoke/plane-mcp-smoke.mjs

SMOKE_ENABLE_PLANE_MCP=1 \
SMOKE_PLANE_THINKWORK_PROXY=1 \
SMOKE_API_BASE_URL=<api-url> \
SMOKE_COGNITO_ID_TOKEN=<activated-user-token> \
SMOKE_AGENT_ID=<agent-id> \
node plugins/plane/smoke/plane-mcp-smoke.mjs

Write mode is opt-in with SMOKE_PLANE_MCP_WRITE=1. Without it, the smoke can list tools and prove read paths without creating or commenting on work items.

Known limits for Plane v1:

  • Plane is not a custom ThinkWork issue tracker. Users complete Plane’s native workspace/user setup in Plane.
  • ThinkWork does not provide tenant-wide Plane credentials. Every user who wants agents to operate Plane work items must activate the Plane plugin with their own PAT and workspace slug.
  • Agent write safety depends on the bundled plane--issue-loop skill: context-first reads, narrow writes, comments for progress, and readable-id to UUID resolution before UUID-only tool calls.
  • Live MCP write smoke intentionally requires SMOKE_PLANE_MCP_WRITE=1 so read-only verification cannot create or comment on work items by accident.

Managed-app evidence should include:

  • app key and requested action
  • release version and manifest digest
  • Step Functions execution ARN
  • CodeBuild build ARN/id
  • Terraform plan/apply/destroy artifact keys
  • app endpoint and runtime status
  • managed MCP state when the app owns a control connector
  • plugin activation/auth posture when the app exposes user-scoped MCP tools
  • destructive impact summary for destroy
  • smoke result
  • CloudWatch Logs URL when available

| Failure | Action |
| --- | --- |
| Plan failed | Inspect CodeBuild logs and the plan artifact. Fix configuration before retrying. |
| Awaiting approval | Confirm the plan digest, release manifest digest, action, and destructive impact before approving. |
| Apply failed | Inspect Step Functions event history first, then CodeBuild logs. Keep the failed job for evidence. |
| Smoke failed | Use the app smoke JSON and endpoint status. Do not mark the app healthy until a smoke passes. |
| Control MCP missing | Use the app-specific settings page to install or repair the managed MCP row, then rerun its smoke. |
| App not enabled | Treat explicit skip evidence as success for stages where the app is intentionally disabled. |
| Destroy impact changed | Re-plan and require a fresh approval before destroy. |

The CLI may expose recovery commands for support, but the default operator path remains Spaces. Use CLI recovery to inspect or retry customer AWS jobs, not to bypass approval or evidence capture.