@go-to-k/cdkd 0.119.0 → 0.120.0

package/README.md

@@ -457,7 +457,9 @@ cdkd local start-api --from-state                 # substitute deployed env vars
 One server per discovered API — authorizers, CORS configs, and stage
 variables stay scoped to the owning API. Supports REST v1 + HTTP API +
 Function URL with AWS_PROXY integrations; Lambda TOKEN / REQUEST,
-Cognito User Pool, and HTTP v2 JWT authorizers (JWKS-verified); CORS
+Cognito User Pool, HTTP v2 JWT authorizers (JWKS-verified), and REST v1
+`AuthorizationType: 'AWS_IAM'` (SigV4 signature verification only — IAM
+policy evaluation is not emulated; see `docs/local-emulation.md`); CORS
 preflight (HTTP API v2 `CorsConfiguration` + REST v1 OPTIONS MOCK
 preflight from `defaultCorsPreflightOptions`); hot reload via `--watch`;
 deploy-state-backed env var substitution via `--from-state`.

package/dist/cli.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
 import { $ as RouteDiscoveryError, A as runDockerStreaming, B as AssemblyReader, C as AssetPublisher, D as formatDockerLoginError, E as buildDockerImage, F as resolveCaptureObservedState, H as resolveBucketRegion, I as resolveSkipPrefix, L as resolveStateBucketWithDefault, M as getDefaultStateBucketName, N as getLegacyStateBucketName, O as getDockerCmd, P as resolveApp, Q as ResourceUpdateNotSupportedError, R as resolveStateBucketWithDefaultAndSource, S as shouldRetainResource, T as WorkGraph, W as CdkdError, X as ProvisioningError, Y as PartialFailureError, Z as ResourceTimeoutError, _ as DiffCalculator, _t as withSkipPrefix, a as withRetry, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, d as normalizeAwsTagsToCfn, dt as runStackBuffered, et as StackHasActiveImportsError, f as resolveExplicitPhysicalId, ft as getLiveRenderer, g as IntrinsicFunctionResolver, gt as generateResourceNameWithFallback, h as assertRegionMatch, ht as generateResourceName, i as withResourceDeadline, j as Synthesizer, k as runDockerForeground, l as CDK_PATH_TAG, lt as getLogger, m as CloudControlProvider, mt as PATTERN_B_RESOURCE_TYPES, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, ot as normalizeAwsError, p as ProviderRegistry, pt as PATTERN_B_NAME_PROPERTIES, q as LocalInvokeBuildError, r as DeployEngine, s as IAMRoleProvider, st as withErrorHandling, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as StackTerminationProtectionError, u as matchesCdkPath, v as DagBuilder, vt as withStackName, w as stringifyValue, x as S3StateBackend, y as TemplateParser, z as warnDeprecatedNoPrefixCliFlag } from "./deploy-engine-Chzg_hDE.js";
-import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
+import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
 import { CreateQueueCommand, DeleteQueueCommand, GetQueueAttributesCommand, GetQueueUrlCommand, ListQueueTagsCommand, ListQueuesCommand, QueueDoesNotExist, SQSClient, SetQueueAttributesCommand, TagQueueCommand, UntagQueueCommand } from "@aws-sdk/client-sqs";
@@ -39623,7 +39623,7 @@ const MOCK_API_ID = "local";
 *     UTF-8; otherwise base64. Mirrors what API Gateway emits.
 */
 function buildHttpApiV2Event(req, ctx, opts = {}) {
-	const { rawPath, rawQueryString } = splitRawUrl(req.rawUrl);
+	const { rawPath, rawQueryString } = splitRawUrl$1(req.rawUrl);
 	const { headers, cookies } = normalizeHeadersV2(req.headers);
 	const queryStringParameters = parseQueryStringV2(rawQueryString);
 	const userAgent = headers["user-agent"] ?? "";
@@ -39683,7 +39683,7 @@ function buildHttpApiV2Event(req, ctx, opts = {}) {
 *   - `pathParameters` may be `null` when there are none (matches AWS).
 */
 function buildRestV1Event(req, ctx, opts = {}) {
-	const { rawPath, rawQueryString } = splitRawUrl(req.rawUrl);
+	const { rawPath, rawQueryString } = splitRawUrl$1(req.rawUrl);
 	const { singular: headers, multi: multiValueHeaders } = normalizeHeadersV1(req.headers);
 	const { singular: queryStringParameters, multi: multiValueQueryStringParameters } = parseQueryStringV1(rawQueryString);
 	const contentType = headers["content-type"] ?? "";
@@ -39772,7 +39772,7 @@ function applyAuthorizerOverlay(event, overlay) {
 * `rawQueryString` (everything after, or `''`). Neither component is
 * decoded — that's the whole point of "raw" per the AWS spec.
 */
-function splitRawUrl(rawUrl) {
+function splitRawUrl$1(rawUrl) {
 	const q = rawUrl.indexOf("?");
 	if (q === -1) return {
 		rawPath: rawUrl,
@@ -40468,7 +40468,7 @@ function resolveRestV1Authorizer(authorizerLogicalId, template, stackName, decla
 			declaredAt
 		};
 	}
-	throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: AWS::ApiGateway::Authorizer.Type '${String(type)}' is not supported by cdkd local start-api (only TOKEN / REQUEST / COGNITO_USER_POOLS — IAM / mTLS authorizers are deferred to a follow-up PR).`);
+	throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: AWS::ApiGateway::Authorizer.Type '${String(type)}' is not supported by cdkd local start-api (only TOKEN / REQUEST / COGNITO_USER_POOLS are accepted at the Authorizer resource).`);
 }
 /**
 * Resolve an `AWS::ApiGatewayV2::Authorizer`. HTTP v2 has only `REQUEST`
@@ -40777,9 +40777,13 @@ function detectRestV1Authorizer(methodResource, methodLogicalId, stack) {
 	const props = methodResource.Properties ?? {};
 	const authType = props["AuthorizationType"];
 	if (authType === void 0 || authType === "NONE") return void 0;
+	if (authType === "AWS_IAM") return {
+		kind: "iam",
+		logicalId: "AWS_IAM",
+		declaredAt: `${stack.stackName}/${methodLogicalId}`
+	};
 	const authorizerId = props["AuthorizerId"];
 	const refLogicalId = pickRefLogicalId$1(authorizerId);
-	if (authType === "AWS_IAM") throw new RouteDiscoveryError(`${stack.stackName}/${methodLogicalId}: REST v1 AWS_IAM authorization is not supported by cdkd local start-api (deferred follow-up PR).`);
 	if (!refLogicalId) throw new RouteDiscoveryError(`${stack.stackName}/${methodLogicalId}: AuthorizationType='${stringifyValue(authType)}' but AuthorizerId is missing or not a {Ref:...}.`);
 	return resolveRestV1Authorizer(refLogicalId, stack.template, stack.stackName, `${stack.stackName}/${methodLogicalId}`);
 }
@@ -41454,6 +41458,438 @@ function base64UrlDecodeToBuffer(input) {
 	return Buffer.from(padded + padding, "base64");
 }
 
+//#endregion
+//#region src/local/sigv4-verify.ts
+/**
+* SigV4 signature verification for REST v1 `AuthorizationType: 'AWS_IAM'`
+* authorizers (closes #447).
+*
+* # Scope
+*
+* cdkd's `cdkd local start-api` runs API Gateway routes locally. When a
+* route declares `AuthorizationType: 'AWS_IAM'`, AWS-deployed API Gateway
+* validates the request's SigV4 signature against the calling identity's
+* IAM permissions. We can't fully reproduce that locally — IAM policy
+* evaluation requires the deployed IAM data plane — so the local server
+* does the **signature-verification** half only:
+*
+*   1. Parse the `Authorization: AWS4-HMAC-SHA256 ...` header into the
+*      `(credential, signedHeaders, signature)` triple.
+*   2. Reconstruct the canonical request per
+*      <https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html>.
+*   3. Derive the signing key from the dev's **local** secret access key
+*      (via the standard AWS SDK credential chain) + the request's date /
+*      region / service scope.
+*   4. Compare the recomputed signature against the header's `signature`
+*      value (constant-time compare).
+*
+* # Local-vs-deployed semantics (per `feedback_match_aws_default_over_opinionated.md`)
+*
+* Verification can only succeed when the request was signed with the
+* **same** credentials the local server can read. When the request's
+* `Credential=AKID/...` scope names a different access-key-id than the
+* one the dev has locally, cdkd cannot reproduce the signing key — we
+* **warn-and-pass** in that case (allow + log a one-line warn), matching
+* AWS's "verify locally what we can; defer real authorization to deploy
+* time" model. Refusing would force every dev with a SigV4-signed client
+* to use the exact same credential the local server sees, which is rarely
+* what they want.
+*
+* Genuinely missing / malformed signatures **are** rejected — those would
+* never reach the deployed API either.
+*
+* # NOT IN SCOPE
+*
+* - IAM resource / action / condition policy evaluation. The local server
+*   has no IAM data plane. Signature-verified callers reach the handler
+*   under their own identity; downstream authorization is the dev's
+*   responsibility.
+* - STS temporary credentials' session-token validation against AWS
+*   (we accept whatever session-token the dev provides locally).
+* - Multi-account / cross-account signing — we verify against the local
+*   default chain only.
+*/
+/**
+* Default credential loader: instantiates an `STSClient` (a direct cdkd
+* dependency) and asks its built-in credential provider for the dev's
+* local credentials. STSClient uses the same Node default credential
+* chain (env vars → ~/.aws/config → IMDS → ...) every other AWS SDK call
+* in cdkd uses, so this matches the deploy-time credential resolution
+* without adding a new dependency.
+*/
+function defaultCredentialsLoader() {
+	let cached;
+	return () => {
+		if (cached) return cached;
+		cached = (async () => {
+			const { STSClient } = await import("@aws-sdk/client-sts");
+			const client = new STSClient({});
+			const creds = await client.config.credentials();
+			client.destroy();
+			return {
+				accessKeyId: creds.accessKeyId,
+				secretAccessKey: creds.secretAccessKey,
+				sessionToken: creds.sessionToken
+			};
+		})();
+		return cached;
+	};
+}
+/**
+* Verify the inbound request's `Authorization: AWS4-HMAC-SHA256 ...`
+* signature against the dev's local credentials.
+*
+* Outcomes:
+*   - **No / malformed Authorization header** → `{allow: false}`. The
+*     http-server maps this to 401 (REST v1 `missing-identity`).
+*   - **Signature mismatch** under the dev's own credentials → `{allow: false}`.
+*     The http-server maps this to 403 (REST v1 `policy-deny`).
+*   - **Different `Credential` access-key-id than the dev has** →
+*     `{allow: true}` plus a one-line warn (warn-and-pass; we can't
+*     reproduce a signing key we don't have).
+*   - **Valid signature with the dev's credentials** → `{allow: true}`.
+*     The principal id surfaced to the handler is the parsed
+*     `Credential` access-key-id.
+*/
+async function verifySigV4(req, loadCredentials, opts = {}) {
+	const logger = getLogger();
+	const authHeader = pickHeader(req.headers, "authorization");
+	if (!authHeader) return {
+		allow: false,
+		identityHash: void 0
+	};
+	let parsed;
+	try {
+		parsed = parseAuthorizationHeader(authHeader);
+	} catch (err) {
+		logger.debug(`AWS_IAM authorizer: malformed Authorization header — ${err instanceof Error ? err.message : String(err)}`);
+		return {
+			allow: false,
+			identityHash: void 0
+		};
+	}
+	if (parsed.algorithm !== "AWS4-HMAC-SHA256") {
+		logger.debug(`AWS_IAM authorizer: unsupported algorithm '${parsed.algorithm}'`);
+		return {
+			allow: false,
+			identityHash: void 0
+		};
+	}
+	if (parsed.credentialTerminator !== "aws4_request") {
+		logger.debug(`AWS_IAM authorizer: invalid credential scope terminator '${parsed.credentialTerminator}'`);
+		return {
+			allow: false,
+			identityHash: void 0
+		};
+	}
+	const amzDate = pickHeader(req.headers, "x-amz-date") ?? pickHeader(req.headers, "date");
+	if (!amzDate) {
+		logger.debug("AWS_IAM authorizer: missing x-amz-date / date header");
+		return {
+			allow: false,
+			identityHash: void 0
+		};
+	}
+	if (!validateAmzDateMatchesCredentialDate(amzDate, parsed.credentialDate)) {
+		logger.debug(`AWS_IAM authorizer: x-amz-date '${amzDate}' does not match credential scope date '${parsed.credentialDate}'`);
+		return {
+			allow: false,
+			identityHash: void 0
+		};
+	}
+	if (amzDateOutsideSkew(amzDate, (opts.now ?? (() => /* @__PURE__ */ new Date()))())) {
+		logger.debug(`AWS_IAM authorizer: x-amz-date '${amzDate}' outside 15-min clock skew`);
+		return {
+			allow: false,
+			identityHash: void 0
+		};
+	}
+	let local;
+	try {
+		local = await loadCredentials();
+	} catch (err) {
+		const reason = err instanceof Error ? err.message : String(err);
+		if (!opts.allowUnverified) {
+			logger.warn(`AWS_IAM authorizer: failed to resolve local AWS credentials (${reason}). Denying request; configure AWS credentials or pass --allow-unverified-sigv4 to opt into the warn-and-pass dev behavior.`);
+			return {
+				allow: false,
+				identityHash: void 0
+			};
+		}
+		logger.warn(`AWS_IAM authorizer: failed to resolve local AWS credentials (${reason}). --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-no-creds'. Do NOT trust event.requestContext.identity.accessKey in handler code.`);
+		return {
+			allow: true,
+			principalId: "unverified-no-creds",
+			identityHash: buildIdentityHash([parsed.signature])
+		};
+	}
+	if (local.accessKeyId.toLowerCase() !== parsed.credentialAccessKeyId.toLowerCase()) {
+		const warned = opts.warnedForeignIds;
+		const dedupKey = parsed.credentialAccessKeyId.toLowerCase();
+		if (!opts.allowUnverified) {
+			if (!warned || !warned.has(dedupKey)) {
+				logger.warn(`AWS_IAM authorizer: request signed with foreign access-key-id '${parsed.credentialAccessKeyId}'. Denying; pass --allow-unverified-sigv4 to opt into the warn-and-pass dev behavior, or call with credentials whose access-key-id matches your local one.`);
+				warned?.add(dedupKey);
+			}
+			return {
+				allow: false,
+				identityHash: void 0
+			};
+		}
+		if (!warned || !warned.has(dedupKey)) {
+			logger.warn(`AWS_IAM authorizer: request signed with foreign access-key-id '${parsed.credentialAccessKeyId}'. --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-foreign-identity'. Do NOT trust event.requestContext.authorizer.principalId in handler code.`);
+			warned?.add(dedupKey);
+		}
+		return {
+			allow: true,
+			principalId: "unverified-foreign-identity",
+			identityHash: buildIdentityHash([parsed.signature])
+		};
+	}
+	const recomputed = computeSignature(req, parsed, local.secretAccessKey, amzDate);
+	if (!constantTimeEqual(recomputed, parsed.signature)) {
+		logger.debug(`AWS_IAM authorizer: signature mismatch (expected '${recomputed}', got '${parsed.signature}')`);
+		return {
+			allow: false,
+			identityHash: void 0
+		};
+	}
+	return {
+		allow: true,
+		principalId: parsed.credentialAccessKeyId,
+		identityHash: buildIdentityHash([parsed.signature])
+	};
+}
+/**
+* Parse `AWS4-HMAC-SHA256 Credential=..., SignedHeaders=..., Signature=...`.
+* Rejects every other shape (including legacy `AWS4-HMAC-SHA256-...`
+* variants and HTTP/1.0-style multi-line values).
+*/
+function parseAuthorizationHeader(value) {
+	const spaceIdx = value.indexOf(" ");
+	if (spaceIdx < 0) throw new Error("expected algorithm followed by parameters");
+	const algorithm = value.slice(0, spaceIdx).trim();
+	const parts = value.slice(spaceIdx + 1).trim().split(",").map((s) => s.trim());
+	const fields = {};
+	for (const part of parts) {
+		const eq = part.indexOf("=");
+		if (eq < 0) throw new Error(`malformed parameter '${part}'`);
+		const key = part.slice(0, eq).trim();
+		fields[key] = part.slice(eq + 1).trim();
+	}
+	const credential = fields["Credential"];
+	const signedHeaders = fields["SignedHeaders"];
+	const signature = fields["Signature"];
+	if (!credential) throw new Error("missing Credential");
+	if (!signedHeaders) throw new Error("missing SignedHeaders");
+	if (!signature) throw new Error("missing Signature");
+	const credParts = credential.split("/");
+	if (credParts.length !== 5) throw new Error(`malformed Credential '${credential}' (expected 5 slash-separated segments)`);
+	const [accessKeyId, date, region, service, terminator] = credParts;
+	if (!/^[0-9]{8}$/.test(date)) throw new Error(`malformed credential date '${date}' (expected YYYYMMDD)`);
+	return {
+		algorithm,
+		credentialAccessKeyId: accessKeyId,
+		credentialDate: date,
+		credentialRegion: region,
+		credentialService: service,
+		credentialTerminator: terminator,
+		signedHeaders: signedHeaders.split(";").map((h) => h.trim().toLowerCase()),
+		signature: signature.toLowerCase()
+	};
+}
+/**
+* AWS SigV4 canonical-request computation. Per
+* <https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html>:
+*
+*   CanonicalRequest =
+*     HTTPRequestMethod + '\n' +
+*     CanonicalURI + '\n' +
+*     CanonicalQueryString + '\n' +
+*     CanonicalHeaders + '\n' +
+*     SignedHeaders + '\n' +
+*     HexEncode(Hash(RequestPayload))
+*
+* Then:
+*   StringToSign = "AWS4-HMAC-SHA256\n" + AmzDate + "\n" +
+*                  CredentialScope + "\n" +
+*                  HexEncode(Hash(CanonicalRequest))
+*
+*   SigningKey = HMAC(HMAC(HMAC(HMAC("AWS4"+Secret, Date), Region), Service), "aws4_request")
+*   Signature  = HexEncode(HMAC(SigningKey, StringToSign))
+*/
+function computeSignature(req, parsed, secretAccessKey, amzDate) {
+	const { path, query } = splitRawUrl(req.rawUrl);
+	const canonicalUri = canonicalizePath(path);
+	const canonicalQuery = canonicalizeQueryString(query);
+	const headerLines = [];
+	for (const name of parsed.signedHeaders) {
+		const raw = pickHeader(req.headers, name);
+		if (raw === void 0) return "missing-signed-header";
+		headerLines.push(`${name}:${normalizeHeaderValue(raw)}\n`);
+	}
+	const canonicalHeaders = headerLines.join("");
+	const signedHeadersStr = parsed.signedHeaders.join(";");
+	const xAmzContentSha = pickHeader(req.headers, "x-amz-content-sha256");
+	const payloadHash = xAmzContentSha && (xAmzContentSha === "UNSIGNED-PAYLOAD" || /^[0-9a-f]{64}$/i.test(xAmzContentSha)) ? xAmzContentSha.toLowerCase() : sha256Hex(req.body);
+	const canonicalRequest = [
+		req.method.toUpperCase(),
+		canonicalUri,
+		canonicalQuery,
+		canonicalHeaders,
+		signedHeadersStr,
+		payloadHash
+	].join("\n");
+	const stringToSign = [
+		"AWS4-HMAC-SHA256",
+		amzDate,
+		`${parsed.credentialDate}/${parsed.credentialRegion}/${parsed.credentialService}/${parsed.credentialTerminator}`,
+		sha256Hex(Buffer.from(canonicalRequest, "utf8"))
+	].join("\n");
+	return hmac(hmac(hmac(hmac(hmac(`AWS4${secretAccessKey}`, parsed.credentialDate), parsed.credentialRegion), parsed.credentialService), "aws4_request"), stringToSign).toString("hex");
+}
+function hmac(key, data) {
+	return createHmac("sha256", key).update(data, "utf8").digest();
+}
+function sha256Hex(buf) {
+	return createHash("sha256").update(buf).digest("hex");
+}
+/**
+* Split a raw URL into (decoded path, raw query string).
+*
+* Important: keep the path RAW for canonicalization — the canonicalizer
+* does its own URI-encoding so we do NOT decode here.
+*/
+function splitRawUrl(rawUrl) {
+	const q = rawUrl.indexOf("?");
+	if (q < 0) return {
+		path: rawUrl,
+		query: ""
+	};
+	return {
+		path: rawUrl.slice(0, q),
+		query: rawUrl.slice(q + 1)
+	};
+}
+/**
+* Canonicalize the request path per the AWS SigV4 spec:
+*
+*   - URI-encode each path segment (reserved chars are percent-encoded
+*     EXCEPT `-_.~` which stay literal).
+*   - Encode `/` between segments unchanged.
+*   - Empty path → `/`.
+*
+* This matches the `execute-api` service's signing rules (no double-
+* encoding).
+*/
+function canonicalizePath(path) {
+	if (!path || path === "") return "/";
+	return path.split("/").map((seg) => {
+		try {
+			return decodeURIComponent(seg);
+		} catch {
+			return seg;
+		}
+	}).join("/").split("/").map((seg) => sigV4EncodePathSegment(seg)).join("/");
+}
+/**
+* Encode a single path segment per the SigV4 unreserved-set rules:
+* `A-Za-z0-9-_.~` stay literal; everything else is percent-encoded.
+*/
+function sigV4EncodePathSegment(seg) {
+	return seg.replace(/[^A-Za-z0-9\-_.~]/g, (ch) => {
+		return encodeURIComponent(ch).replace(/%[0-9a-f]{2}/g, (s) => s.toUpperCase());
+	});
+}
+/**
+* Canonicalize the query string per SigV4: parse `key=value` pairs,
+* SORT by key (then by value on collisions), URI-encode each side
+* with upper-case hex, join with `&`.
+*/
+function canonicalizeQueryString(query) {
+	if (!query) return "";
+	const pairs = [];
+	for (const raw of query.split("&")) {
+		if (!raw) continue;
+		const eq = raw.indexOf("=");
+		const [k, v] = eq < 0 ? [raw, ""] : [raw.slice(0, eq), raw.slice(eq + 1)];
+		let dk;
+		let dv;
+		try {
+			dk = decodeURIComponent(k.replace(/\+/g, " "));
+		} catch {
+			dk = k;
+		}
+		try {
+			dv = decodeURIComponent(v.replace(/\+/g, " "));
+		} catch {
+			dv = v;
+		}
+		pairs.push([sigV4EncodeQuery(dk), sigV4EncodeQuery(dv)]);
+	}
+	pairs.sort((a, b) => {
+		if (a[0] !== b[0]) return a[0] < b[0] ? -1 : 1;
+		return a[1] < b[1] ? -1 : a[1] > b[1] ? 1 : 0;
+	});
+	return pairs.map(([k, v]) => `${k}=${v}`).join("&");
+}
+function sigV4EncodeQuery(s) {
+	return s.replace(/[^A-Za-z0-9\-_.~]/g, (ch) => {
+		return encodeURIComponent(ch).replace(/%[0-9a-f]{2}/g, (m) => m.toUpperCase());
+	});
+}
+/**
+* Trim leading/trailing whitespace and collapse internal runs of
+* whitespace to a single space, per the SigV4 spec.
+*/
+function normalizeHeaderValue(value) {
+	return value.trim().replace(/\s+/g, " ");
+}
+function pickHeader(headers, name) {
+	const lower = name.toLowerCase();
+	for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === lower) return v;
+}
+/**
+* Compare two hex-encoded signatures in constant time. Returns false
+* when the lengths differ (the standard short-circuit, since timing
+* leaks on length are inherent to comparing values of different sizes).
+*/
+function constantTimeEqual(a, b) {
+	if (a.length !== b.length) return false;
+	const ab = Buffer.from(a, "hex");
+	const bb = Buffer.from(b, "hex");
+	if (ab.length !== bb.length || ab.length === 0) return false;
+	return timingSafeEqual(ab, bb);
+}
+/**
+* AWS SigV4 expects `x-amz-date` in ISO8601 basic form `YYYYMMDDTHHMMSSZ`.
+* The credential scope encodes only the date portion. We accept both
+* `x-amz-date` and the legacy `date` header (RFC 7231) for compat.
+*/
+function validateAmzDateMatchesCredentialDate(amzDate, credentialDate) {
+	const isoMatch = /^(\d{8})T\d{6}Z$/.exec(amzDate);
+	if (isoMatch) return isoMatch[1] === credentialDate;
+	try {
+		const parsed = new Date(amzDate);
+		if (Number.isNaN(parsed.getTime())) return false;
+		return `${parsed.getUTCFullYear().toString().padStart(4, "0")}${(parsed.getUTCMonth() + 1).toString().padStart(2, "0")}${parsed.getUTCDate().toString().padStart(2, "0")}` === credentialDate;
+	} catch {
+		return false;
+	}
+}
+/**
+* Reject SigV4 timestamps more than 15 minutes off the local clock —
+* matches AWS-deployed behavior (the `RequestTimeTooSkewed` error).
+*/
+function amzDateOutsideSkew(amzDate, now) {
+	const iso = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(amzDate);
+	let ts;
+	if (iso) ts = new Date(Date.UTC(Number(iso[1]), Number(iso[2]) - 1, Number(iso[3]), Number(iso[4]), Number(iso[5]), Number(iso[6])));
+	else ts = new Date(amzDate);
+	if (Number.isNaN(ts.getTime())) return true;
+	return Math.abs(ts.getTime() - now.getTime()) > 900 * 1e3;
+}
+
 //#endregion
 //#region src/local/http-server.ts
 /**
@@ -41770,6 +42206,32 @@ async function runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, re
 		if (cache && result.identityHash !== void 0 && authorizer.resultTtlSeconds > 0) cache.set(authorizer.logicalId, result.identityHash, authorizer.resultTtlSeconds, stripHash(result));
 		return shapeOutcome(stripHash(result));
 	}
+	if (authorizer.kind === "iam") {
+		if (!opts.sigV4CredentialsLoader) {
+			getLogger().debug(`AWS_IAM authorizer for ${matchCtx.route.declaredAt}: no SigV4 credentials loader configured — denying.`);
+			return {
+				result: { allow: false },
+				denyKind: "policy-deny"
+			};
+		}
+		const sigResult = await verifySigV4({
+			method: snapshot.method,
+			rawUrl: snapshot.rawUrl,
+			headers,
+			body: snapshot.body
+		}, opts.sigV4CredentialsLoader, {
+			...opts.sigV4WarnedForeignIds && { warnedForeignIds: opts.sigV4WarnedForeignIds },
+			...opts.sigV4AllowUnverified !== void 0 && { allowUnverified: opts.sigV4AllowUnverified }
+		});
+		if (!sigResult.allow) return {
+			result: { allow: false },
+			denyKind: headers["authorization"] !== void 0 ? "policy-deny" : "missing-identity"
+		};
+		return shapeOutcome({
+			allow: true,
+			...sigResult.principalId !== void 0 && { principalId: sigResult.principalId }
+		});
+	}
 	if (!opts.jwksCache) return {
 		result: { allow: false },
 		denyKind: "policy-deny"
@@ -41844,6 +42306,10 @@ function buildOverlay(authorizer, result) {
 		kind: "cognito-rest-v1",
 		claims: result.context ?? {}
 	};
+	if (authorizer.kind === "iam") return {
+		kind: "lambda-rest-v1",
+		...result.principalId !== void 0 && { principalId: result.principalId }
+	};
 	return {
 		kind: "jwt-http-v2",
 		claims: result.context ?? {}
@@ -42457,6 +42923,8 @@ async function localStartApiCommand(target, options) {
 	const authorizerCache = createAuthorizerCache();
 	const jwksCache = createJwksCache();
 	const jwksWarnedUrls = /* @__PURE__ */ new Set();
+	let sigV4CredentialsLoader;
+	const sigV4WarnedForeignIds = /* @__PURE__ */ new Set();
 	/**
 	* One synth + discover + build pass. Returns the next-state
 	* material. Reused on initial boot AND every hot-reload firing.
@@ -42575,6 +43043,8 @@ async function localStartApiCommand(target, options) {
 	lastAssetPaths.value = computeAssetPaths(initialMaterial.specs);
 	await prewarmJwks(initialMaterial.routes, jwksCache);
 	warnVpcConfigLambdas(initialMaterial.routes, initialMaterial.stacks ?? []);
+	sigV4CredentialsLoader = defaultCredentialsLoader();
+	warnIamRoutes(initialMaterial.routes);
 	let maxTimeoutSec = 0;
 	for (const spec of initialMaterial.specs.values()) if (spec.lambda.timeoutSec > maxTimeoutSec) maxTimeoutSec = spec.lambda.timeoutSec;
 	const rieTimeoutMs = Math.max(3e4, maxTimeoutSec * 2 * 1e3);
@@ -42604,7 +43074,10 @@ async function localStartApiCommand(target, options) {
 			port: basePort === 0 ? 0 : nextPort,
 			authorizerCache,
 			jwksCache,
-			jwksWarnedUrls
+			jwksWarnedUrls,
+			sigV4CredentialsLoader,
+			sigV4WarnedForeignIds,
+			sigV4AllowUnverified: options.allowUnverifiedSigv4 === true
 		});
 		servers.push({
 			group,
@@ -42806,6 +43279,26 @@ function warnVpcConfigLambdas(routesWithAuth, stacks) {
 	}
 }
 /**
+* Walk the discovered routes for `AuthorizationType: 'AWS_IAM'` and emit
+* a one-line warn naming the affected routes. Returns `true` when at
+* least one IAM route is present so the caller wires the SigV4
+* credentials loader. Re-runs across hot reloads are silent — the warn
+* fires only at initial boot (matches `warnVpcConfigLambdas`'s policy).
+*
+* Implementation note: signature verification only — IAM policy
+* evaluation (resource / action / condition) is NOT emulated. See
+* `src/local/sigv4-verify.ts` and the help text in `docs/cli-reference.md`.
+*/
+function warnIamRoutes(routesWithAuth) {
+	const logger = getLogger();
+	const iamRoutes = [];
+	for (const entry of routesWithAuth) if (entry.authorizer?.kind === "iam") iamRoutes.push(entry.route.declaredAt);
+	if (iamRoutes.length === 0) return false;
+	logger.warn(`${iamRoutes.length} route(s) declare AuthorizationType: AWS_IAM — cdkd local start-api verifies SigV4 signatures against your local AWS credentials, but does NOT emulate IAM policy evaluation (resource / action / condition rules). Signature-verified callers reach the handler under their own identity; downstream authorization is the dev's responsibility. See docs/cli-reference.md (cdkd local start-api — AWS_IAM authorizer) for details.`);
+	for (const declaredAt of iamRoutes) logger.warn(`  - ${declaredAt}`);
+	return true;
+}
+/**
 * Build the per-Lambda container spec — code dir, env vars (template +
 * --env-vars overlay), STS-issued creds when --assume-role names this
 * Lambda, optional --debug-port reservation. Errors out with a clear
@@ -43295,7 +43788,7 @@ function parseDebugPort(raw) {
 * Builder for the `start-api` subcommand. Wired up by `local.ts`.
 */
 function createLocalStartApiCommand() {
-	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers and Cognito User Pool / HTTP v2 JWT authorizers; when JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", "Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors `cdkd local invoke` / `cdkd local run-task` target syntax.").addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: re-synth + re-discover routes when cdk.out/ or asset directories change. Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--from-state", "Read cdkd S3 state for every routed stack and substitute Ref / Fn::GetAtt / Fn::Sub / Fn::Join (and AWS pseudo parameters) in Lambda env vars with the deployed physical IDs / attributes. Off by default — pre-PR warn-and-drop semantics are preserved. Turn on for stacks already deployed via cdkd deploy. Mirrors `cdkd local invoke --from-state` / `cdkd local run-task --from-state`. Re-runs against fresh state on every hot-reload firing (--watch).").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localStartApiCommand));
+	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and REST v1 AWS_IAM (SigV4 signature verification only — IAM policy evaluation is NOT emulated; see docs/local-emulation.md). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", "Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors `cdkd local invoke` / `cdkd local run-task` target syntax.").addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: re-synth + re-discover routes when cdk.out/ or asset directories change. Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--from-state", "Read cdkd S3 state for every routed stack and substitute Ref / Fn::GetAtt / Fn::Sub / Fn::Join (and AWS pseudo parameters) in Lambda env vars with the deployed physical IDs / attributes. Off by default — pre-PR warn-and-drop semantics are preserved. Turn on for stacks already deployed via cdkd deploy. Mirrors `cdkd local invoke --from-state` / `cdkd local run-task --from-state`. Re-runs against fresh state on every hot-reload firing (--watch).").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).addOption(new Option("--allow-unverified-sigv4", "Opt-in: allow AWS_IAM SigV4 requests that cannot be cryptographically verified (foreign access-key-id, OR no local AWS credentials configured) to pass through with a placeholder principalId. DEFAULT off — fail-closed so unauthenticated bypass is impossible against `event.requestContext.identity.accessKey`-trusting handler code. Use only in dev loops where you understand the risk.").default(false)).action(withErrorHandling(localStartApiCommand));
 	[
 		...commonOptions,
 		...appOptions,
@@ -46224,7 +46717,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.119.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.120.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());