@go-to-k/cdkd 0.127.0 → 0.129.0

package/dist/cli.js

@@ -36602,7 +36602,7 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 	const timeoutSec = typeof props["Timeout"] === "number" ? props["Timeout"] : 3;
 	const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
 	const code = props["Code"] ?? {};
-	const imageUri = extractImageUri(code["ImageUri"], logicalId, stack.stackName, resources);
+	const imageUri = extractImageUri$1(code["ImageUri"], logicalId, stack.stackName, resources);
 	if (imageUri !== void 0) return extractImageLambdaProperties({
 		stack,
 		logicalId,
@@ -36699,7 +36699,7 @@ function extractEphemeralStorageMb(props, logicalId) {
 * for genuinely unrecognized shapes so the caller's downstream ZIP-vs-
 * IMAGE branching can route to its existing error path.
 */
-function extractImageUri(value, logicalId, stackName, resources) {
+function extractImageUri$1(value, logicalId, stackName, resources) {
 	if (typeof value === "string" && value.length > 0) return value;
 	if (value && typeof value === "object" && !Array.isArray(value)) {
 		const obj = value;
@@ -39795,6 +39795,398 @@ function resolveFnSubInvokeArn(arg) {
 	};
 }
 
+//#endregion
+//#region src/local/httpv2-service-integration.ts
+const logger = getLogger();
+/**
+* Full list of subtypes cdkd recognizes as supported. Mirrors AWS docs.
+*/
+const SUPPORTED_SUBTYPES = [
+	"EventBridge-PutEvents",
+	"SQS-SendMessage",
+	"SQS-ReceiveMessage",
+	"SQS-DeleteMessage",
+	"SQS-PurgeQueue",
+	"Kinesis-PutRecord",
+	"StepFunctions-StartExecution",
+	"StepFunctions-StartSyncExecution",
+	"StepFunctions-StopExecution",
+	"AppConfig-GetConfiguration"
+];
+/**
+* Type guard: is the string an AWS-recognized service-integration subtype?
+*
+* Used by route discovery to classify routes — recognized subtypes go
+* through dispatch, anything else (typo, future-AWS-subtype-not-yet-supported)
+* falls back to deferred-501.
+*/
+function isSupportedSubtype(value) {
+	return typeof value === "string" && SUPPORTED_SUBTYPES.includes(value);
+}
+/**
+* Lazy-loaded SDK clients keyed by `<service>:<region>`. SDK packages
+* are heavyweight (~5-10 MB each); per-process per-region caching
+* avoids re-instantiating the AWS Signer + middleware stack on every
+* request.
+*/
+const clientCache = /* @__PURE__ */ new Map();
+async function getClient(service, region) {
+	const key = `${service}:${region}`;
+	const cached = clientCache.get(key);
+	if (cached) return cached;
+	let client;
+	switch (service) {
+		case "sqs":
+			client = new (await (import("@aws-sdk/client-sqs"))).SQSClient({ region });
+			break;
+		case "sns":
+			client = new (await (import("@aws-sdk/client-sns"))).SNSClient({ region });
+			break;
+		case "eventbridge":
+			client = new (await (import("@aws-sdk/client-eventbridge"))).EventBridgeClient({ region });
+			break;
+		case "kinesis":
+			client = new (await (import("@aws-sdk/client-kinesis"))).KinesisClient({ region });
+			break;
+		case "sfn":
+			client = new (await (import("@aws-sdk/client-sfn"))).SFNClient({ region });
+			break;
+		case "ssm":
+			client = new (await (import("@aws-sdk/client-ssm"))).SSMClient({ region });
+			break;
+		default: throw new Error(`unknown service '${service}'`);
+	}
+	clientCache.set(key, client);
+	return client;
+}
+/**
+* Dispatch a service integration: build the SDK input from the
+* pre-resolved parameter map, invoke the SDK, translate the response
+* to HTTP shape.
+*
+* `defaultRegion` is the cdkd process's default AWS region (from
+* `AWS_REGION` / profile / `--region`). When the resolved parameter
+* map includes a non-empty `Region`, that value overrides the default
+* for this single call — matches AWS API Gateway behavior.
+*
+* Returns a `ServiceIntegrationResult` for the HTTP server to write
+* to the client. SDK-level errors are caught and translated to
+* HTTP 4xx / 5xx — never thrown.
+*/
+async function dispatchServiceIntegration(subtype, resolvedParameters, defaultRegion) {
+	const region = (resolvedParameters["Region"] || defaultRegion).trim();
+	if (!region) return errorResponse(400, "No AWS region configured. Set --region, AWS_REGION, or pass a 'Region' RequestParameter.");
+	try {
+		switch (subtype) {
+			case "EventBridge-PutEvents": return await dispatchEventBridgePutEvents(resolvedParameters, region);
+			case "SQS-SendMessage": return await dispatchSqsSendMessage(resolvedParameters, region);
+			case "SQS-ReceiveMessage": return await dispatchSqsReceiveMessage(resolvedParameters, region);
+			case "SQS-DeleteMessage": return await dispatchSqsDeleteMessage(resolvedParameters, region);
+			case "SQS-PurgeQueue": return await dispatchSqsPurgeQueue(resolvedParameters, region);
+			case "Kinesis-PutRecord": return await dispatchKinesisPutRecord(resolvedParameters, region);
+			case "StepFunctions-StartExecution": return await dispatchSfnStartExecution(resolvedParameters, region);
+			case "StepFunctions-StartSyncExecution": return await dispatchSfnStartSyncExecution(resolvedParameters, region);
+			case "StepFunctions-StopExecution": return await dispatchSfnStopExecution(resolvedParameters, region);
+			case "AppConfig-GetConfiguration": return await dispatchAppConfigGetConfiguration(resolvedParameters, region);
+		}
+	} catch (err) {
+		return translateSdkError(subtype, err);
+	}
+}
+async function dispatchEventBridgePutEvents(params, region) {
+	requireParams(params, [
+		"Detail",
+		"DetailType",
+		"Source"
+	]);
+	const mod = await import("@aws-sdk/client-eventbridge");
+	const client = await getClient("eventbridge", region);
+	const entry = {
+		Detail: params["Detail"],
+		DetailType: params["DetailType"],
+		Source: params["Source"]
+	};
+	if (params["Time"]) entry["Time"] = new Date(params["Time"]);
+	if (params["EventBusName"]) entry["EventBusName"] = params["EventBusName"];
+	if (params["Resources"]) entry["Resources"] = splitCsv(params["Resources"]);
+	if (params["TraceHeader"]) entry["TraceHeader"] = params["TraceHeader"];
+	return okJson(await client.send(new mod.PutEventsCommand({ Entries: [entry] })));
+}
+async function dispatchSqsSendMessage(params, region) {
+	requireParams(params, ["QueueUrl", "MessageBody"]);
+	const mod = await import("@aws-sdk/client-sqs");
+	const client = await getClient("sqs", region);
+	const input = {
+		QueueUrl: params["QueueUrl"],
+		MessageBody: params["MessageBody"]
+	};
+	if (params["DelaySeconds"]) input["DelaySeconds"] = Number(params["DelaySeconds"]);
+	if (params["MessageDeduplicationId"]) input["MessageDeduplicationId"] = params["MessageDeduplicationId"];
+	if (params["MessageGroupId"]) input["MessageGroupId"] = params["MessageGroupId"];
+	if (params["MessageAttributes"]) input["MessageAttributes"] = parseJsonOrEmpty(params["MessageAttributes"]);
+	if (params["MessageSystemAttributes"]) input["MessageSystemAttributes"] = parseJsonOrEmpty(params["MessageSystemAttributes"]);
+	return okJson(await client.send(new mod.SendMessageCommand(input)));
+}
+async function dispatchSqsReceiveMessage(params, region) {
+	requireParams(params, ["QueueUrl"]);
+	const mod = await import("@aws-sdk/client-sqs");
+	const client = await getClient("sqs", region);
+	const input = { QueueUrl: params["QueueUrl"] };
+	if (params["AttributeNames"]) input["AttributeNames"] = splitCsv(params["AttributeNames"]);
+	if (params["MaxNumberOfMessages"]) input["MaxNumberOfMessages"] = Number(params["MaxNumberOfMessages"]);
+	if (params["MessageAttributeNames"]) input["MessageAttributeNames"] = splitCsv(params["MessageAttributeNames"]);
+	if (params["ReceiveRequestAttemptId"]) input["ReceiveRequestAttemptId"] = params["ReceiveRequestAttemptId"];
+	if (params["VisibilityTimeout"]) input["VisibilityTimeout"] = Number(params["VisibilityTimeout"]);
+	if (params["WaitTimeSeconds"]) input["WaitTimeSeconds"] = Number(params["WaitTimeSeconds"]);
+	return okJson(await client.send(new mod.ReceiveMessageCommand(input)));
+}
+async function dispatchSqsDeleteMessage(params, region) {
+	requireParams(params, ["QueueUrl", "ReceiptHandle"]);
+	const mod = await import("@aws-sdk/client-sqs");
+	return okJson(await (await getClient("sqs", region)).send(new mod.DeleteMessageCommand({
+		QueueUrl: params["QueueUrl"],
+		ReceiptHandle: params["ReceiptHandle"]
+	})));
+}
+async function dispatchSqsPurgeQueue(params, region) {
+	requireParams(params, ["QueueUrl"]);
+	const mod = await import("@aws-sdk/client-sqs");
+	return okJson(await (await getClient("sqs", region)).send(new mod.PurgeQueueCommand({ QueueUrl: params["QueueUrl"] })));
+}
+async function dispatchKinesisPutRecord(params, region) {
+	requireParams(params, [
+		"StreamName",
+		"Data",
+		"PartitionKey"
+	]);
+	const mod = await import("@aws-sdk/client-kinesis");
+	const client = await getClient("kinesis", region);
+	const dataBytes = decodeBase64OrUtf8(params["Data"] ?? "");
+	const input = {
+		StreamName: params["StreamName"],
+		Data: dataBytes,
+		PartitionKey: params["PartitionKey"]
+	};
+	if (params["SequenceNumberForOrdering"]) input["SequenceNumberForOrdering"] = params["SequenceNumberForOrdering"];
+	if (params["ExplicitHashKey"]) input["ExplicitHashKey"] = params["ExplicitHashKey"];
+	return okJson(await client.send(new mod.PutRecordCommand(input)));
+}
+async function dispatchSfnStartExecution(params, region) {
+	requireParams(params, ["StateMachineArn"]);
+	const mod = await import("@aws-sdk/client-sfn");
+	const client = await getClient("sfn", region);
+	const input = { stateMachineArn: params["StateMachineArn"] };
+	if (params["Name"]) input["name"] = params["Name"];
+	if (params["Input"]) input["input"] = params["Input"];
+	return okJson(await client.send(new mod.StartExecutionCommand(input)));
+}
+async function dispatchSfnStartSyncExecution(params, region) {
+	requireParams(params, ["StateMachineArn"]);
+	const mod = await import("@aws-sdk/client-sfn");
+	const client = await getClient("sfn", region);
+	const input = { stateMachineArn: params["StateMachineArn"] };
+	if (params["Name"]) input["name"] = params["Name"];
+	if (params["Input"]) input["input"] = params["Input"];
+	if (params["TraceHeader"]) input["traceHeader"] = params["TraceHeader"];
+	return okJson(await client.send(new mod.StartSyncExecutionCommand(input)));
+}
+async function dispatchSfnStopExecution(params, region) {
+	requireParams(params, ["ExecutionArn"]);
+	const mod = await import("@aws-sdk/client-sfn");
+	const client = await getClient("sfn", region);
+	const input = { executionArn: params["ExecutionArn"] };
+	if (params["Cause"]) input["cause"] = params["Cause"];
+	if (params["Error"]) input["error"] = params["Error"];
+	return okJson(await client.send(new mod.StopExecutionCommand(input)));
+}
+async function dispatchAppConfigGetConfiguration(params, region) {
+	return errorResponse(501, "AppConfig-GetConfiguration is recognized but cdkd does not yet bundle @aws-sdk/client-appconfig. Use the deployed API for this subtype, or open an issue if you need local emulation.");
+}
+function requireParams(params, required) {
+	const missing = required.filter((k) => !params[k] || params[k].trim() === "");
+	if (missing.length > 0) {
+		const err = /* @__PURE__ */ new Error(`missing required RequestParameter(s): ${missing.join(", ")}`);
+		err.statusCode = 400;
+		throw err;
+	}
+}
+function splitCsv(value) {
+	return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
+}
+function parseJsonOrEmpty(value) {
+	try {
+		const parsed = JSON.parse(value);
+		if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) return parsed;
+		return {};
+	} catch {
+		return {};
+	}
+}
+function decodeBase64OrUtf8(value) {
+	const trimmed = value.trim();
+	if (/^[A-Za-z0-9+/]+=*$/.test(trimmed) && trimmed.length % 4 === 0 && trimmed.length > 0) try {
+		return Buffer.from(trimmed, "base64");
+	} catch {}
+	return Buffer.from(value, "utf8");
+}
+function okJson(response) {
+	const stripped = stripSdkMetadata(response);
+	return {
+		statusCode: 200,
+		body: JSON.stringify(stripped),
+		headers: { "content-type": "application/json" }
+	};
+}
+function stripSdkMetadata(obj) {
+	if (obj === null || obj === void 0 || typeof obj !== "object") return obj;
+	if (Array.isArray(obj)) return obj;
+	const { $metadata: _meta, ...rest } = obj;
+	return rest;
+}
+function errorResponse(statusCode, message) {
+	return {
+		statusCode,
+		body: JSON.stringify({ message }),
+		headers: { "content-type": "application/json" }
+	};
+}
+/**
+* Translate an AWS SDK error to an HTTP response. AWS SDK v3 surfaces
+* errors as instances carrying `$metadata.httpStatusCode` + `name`;
+* we honor the status code when present, default to 500.
+*/
+function translateSdkError(subtype, err) {
+	if (err && typeof err === "object") {
+		const e = err;
+		const status = typeof e.statusCode === "number" && e.statusCode >= 100 && e.statusCode < 600 ? e.statusCode : e.$metadata?.httpStatusCode ?? 500;
+		const body = {
+			message: e.message ?? "AWS SDK call failed",
+			code: e.name ?? "UnknownError"
+		};
+		logger.debug(`[${subtype}] SDK error (${status}): ${stringifyValue(body)}`);
+		return {
+			statusCode: status,
+			body: JSON.stringify(body),
+			headers: { "content-type": "application/json" }
+		};
+	}
+	return errorResponse(500, `Unexpected error invoking ${subtype}: ${String(err)}`);
+}
+/**
+* Apply HTTP API v2 `ResponseParameters` mapping (per AWS docs:
+* https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html#http-api-mapping-supported-values).
+*
+* Keys are `<op>:header.<name>` or `overwrite:statuscode`. Values can
+* carry `$response.header.<name>`, `$context.<X>`, `$stageVariables.<X>`,
+* or be a static literal. JSONPath against `$response.body.X` is NOT
+* supported (would require SDK response parsing into the same shape
+* every subtype produces; deferred). Reserved headers (per AWS docs)
+* are rejected at this layer with a single-line debug log.
+*
+* Status-code lookup is by the SDK-returned `statusCode`. When the
+* exact code has no entry, the wildcard `'default'` entry is applied
+* if present (matches AWS deployed behavior).
+*/
+function applyResponseParameters(base, responseParameters, responseCtx) {
+	if (!responseParameters) return base;
+	const overlay = responseParameters[String(base.statusCode)] ?? responseParameters["default"] ?? void 0;
+	if (!overlay) return base;
+	let statusCode = base.statusCode;
+	const headers = { ...base.headers };
+	for (const [key, value] of Object.entries(overlay)) {
+		if (typeof value !== "string") continue;
+		const resolved = resolveResponseValue(value, responseCtx, base);
+		if (key === "overwrite:statuscode") {
+			const next = Number(resolved);
+			if (Number.isInteger(next) && next >= 100 && next < 600) statusCode = next;
+			continue;
+		}
+		const headerMatch = /^(append|overwrite|remove):header\.(.+)$/i.exec(key);
+		if (!headerMatch || !headerMatch[1] || !headerMatch[2]) continue;
+		const op = headerMatch[1].toLowerCase();
+		const name = headerMatch[2].toLowerCase();
+		if (isReservedHeader(name)) {
+			logger.debug(`ResponseParameters: header '${name}' is reserved by API Gateway and was skipped`);
+			continue;
+		}
+		if (op === "remove") delete headers[name];
+		else if (op === "overwrite") headers[name] = resolved;
+		else if (op === "append") headers[name] = headers[name] ? `${headers[name]},${resolved}` : resolved;
+	}
+	return {
+		statusCode,
+		body: base.body,
+		headers
+	};
+}
+function resolveResponseValue(value, ctx, base) {
+	if (value.startsWith("$") && !value.includes("${")) {
+		const r = resolveSingleResponseRef(value, ctx, base);
+		return r !== void 0 ? r : value;
+	}
+	if (value.includes("${")) {
+		let out = "";
+		let i = 0;
+		while (i < value.length) {
+			const next = value.indexOf("${", i);
+			if (next === -1) {
+				out += value.slice(i);
+				break;
+			}
+			out += value.slice(i, next);
+			const end = value.indexOf("}", next + 2);
+			if (end === -1) return value;
+			const r = resolveSingleResponseRef("$" + value.slice(next + 2, end), ctx, base);
+			out += r ?? "";
+			i = end + 1;
+		}
+		return out;
+	}
+	return value;
+}
+function resolveSingleResponseRef(ref, ctx, base) {
+	if (ref.startsWith("$response.header.")) {
+		const name = ref.substring(17).toLowerCase();
+		return base.headers[name] ?? "";
+	}
+	if (ref.startsWith("$context.")) return ctx.context[ref.substring(9)] ?? "";
+	if (ref.startsWith("$stageVariables.")) return ctx.stageVariables[ref.substring(16)] ?? "";
+}
+/**
+* Subset of AWS's reserved-headers list relevant to response mapping.
+* https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html#http-api-mapping-reserved-headers
+*/
+const RESERVED_HEADER_PREFIXES = [
+	"access-control-",
+	"apigw-",
+	"x-amz-",
+	"x-amzn-"
+];
+const RESERVED_HEADER_EXACT = [
+	"authorization",
+	"connection",
+	"content-encoding",
+	"content-length",
+	"content-location",
+	"forwarded",
+	"keep-alive",
+	"origin",
+	"proxy-authenticate",
+	"proxy-authorization",
+	"te",
+	"trailers",
+	"transfer-encoding",
+	"upgrade",
+	"x-forwarded-for",
+	"x-forwarded-host",
+	"x-forwarded-proto",
+	"via"
+];
+function isReservedHeader(lowerName) {
+	if (RESERVED_HEADER_EXACT.includes(lowerName)) return true;
+	return RESERVED_HEADER_PREFIXES.some((p) => lowerName.startsWith(p));
+}
+
 //#endregion
 //#region src/local/route-discovery.ts
 /**
@@ -40090,11 +40482,7 @@ function discoverHttpApiRoute(logicalId, resource, template, stackName) {
 		lambdaLogicalId: "",
 		unsupported: { reason: `${stackName}/${logicalId}: HTTP API v2 integration type '${String(integrationType)}' is not supported (only AWS_PROXY).` }
 	}];
-	if (integrationProps["IntegrationSubtype"] !== void 0) return [{
-		...baseRoute,
-		lambdaLogicalId: "",
-		unsupported: { reason: `${stackName}/${logicalId}: HTTP API v2 service integration with IntegrationSubtype '${stringifyValue(integrationProps["IntegrationSubtype"])}' is not supported (cdkd cannot proxy directly to SQS / EventBridge / etc.).` }
-	}];
+	if (integrationProps["IntegrationSubtype"] !== void 0) return [classifyServiceIntegrationRoute(baseRoute, integrationProps, stackName, logicalId, integrationLogicalId)];
 	const arnOutcome = resolveLambdaArnOutcome(integrationProps["IntegrationUri"]);
 	if (arnOutcome.kind === "unsupported") return [{
 		...baseRoute,
@@ -40107,6 +40495,45 @@ function discoverHttpApiRoute(logicalId, resource, template, stackName) {
 	}];
 }
 /**
+* Classify an HTTP API v2 route whose `IntegrationSubtype` is set
+* (service integration, no Lambda backing). Recognized subtypes
+* become `serviceIntegration` routes the HTTP server dispatches via
+* the SDK adapter table in `httpv2-service-integration.ts`;
+* unrecognized subtypes (typo / future-AWS-subtype-cdkd-doesn't-bundle
+* an SDK for) become deferred-501 unsupported routes.
+*
+* `RequestParameters` is the load-bearing field for dispatch — it
+* carries the SDK input as a flat map keyed by SDK parameter name.
+* Missing / non-object RequestParameters surfaces as unsupported (the
+* SDK call would have nothing to send).
+*/
+function classifyServiceIntegrationRoute(baseRoute, integrationProps, stackName, routeLogicalId, integrationLogicalId) {
+	const subtypeRaw = integrationProps["IntegrationSubtype"];
+	const declaredAt = `${stackName}/${routeLogicalId}`;
+	if (!isSupportedSubtype(subtypeRaw)) return {
+		...baseRoute,
+		lambdaLogicalId: "",
+		unsupported: { reason: `${declaredAt}: HTTP API v2 service integration subtype '${stringifyValue(subtypeRaw)}' is not supported by cdkd local start-api (see https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-aws-services-reference.html for the supported list).` }
+	};
+	const requestParameters = integrationProps["RequestParameters"];
+	if (!requestParameters || typeof requestParameters !== "object" || Array.isArray(requestParameters)) return {
+		...baseRoute,
+		lambdaLogicalId: "",
+		unsupported: { reason: `${stackName}/${integrationLogicalId}: HTTP API v2 service integration '${subtypeRaw}' is missing RequestParameters or it is not an object — cannot dispatch to the SDK without input mapping.` }
+	};
+	const responseParameters = integrationProps["ResponseParameters"];
+	const validatedResponseParameters = responseParameters && typeof responseParameters === "object" && !Array.isArray(responseParameters) ? responseParameters : void 0;
+	return {
+		...baseRoute,
+		lambdaLogicalId: "",
+		serviceIntegration: {
+			subtype: subtypeRaw,
+			requestParameters,
+			...validatedResponseParameters && { responseParameters: validatedResponseParameters }
+		}
+	};
+}
+/**
 * Discover the synthetic `ANY /{proxy+}` route from an
 * `AWS::Lambda::Url` resource.
 *
@@ -40347,31 +40774,56 @@ function createContainerPool(specs, options) {
 	/**
 	* Spin up one new container for the given Lambda spec. Returns a
 	* handle the caller can write into the entry's data structures.
+	*
+	* Branches on `spec.kind`:
+	*   - `'zip'`: bind-mount the function's local code dir at
+	*     `/var/task` (or `/var/runtime` for `provided.*` runtimes),
+	*     base image from `public.ecr.aws/lambda/<lang>:<v>`, CMD =
+	*     `[<Handler>]`.
+	*   - `'image'`: no code bind-mount (image already includes the
+	*     code), base image is the pre-built local tag, CMD =
+	*     `ImageConfig.Command` (may be empty), optional EntryPoint /
+	*     WorkingDirectory / --platform applied verbatim.
 	*/
 	async function startOne(spec) {
-		const image = resolveRuntimeImage(spec.lambda.runtime);
 		const hostPort = await pickFreePort();
 		const name = `cdkd-local-${spec.lambda.logicalId}-${process.pid}-${Math.floor(Math.random() * 1e6)}`;
-		logger.debug(`Starting container ${name} for ${spec.lambda.logicalId} on ${spec.containerHost}:${hostPort}`);
-		const optMount = spec.optDir ? [{
-			hostPath: spec.optDir,
-			containerPath: "/opt",
-			readOnly: true
-		}] : [];
-		const containerCodePath = resolveRuntimeCodeMountPath(spec.lambda.runtime);
-		const containerId = await runDetached({
-			image,
-			mounts: [{
-				hostPath: spec.codeDir,
-				containerPath: containerCodePath,
+		logger.debug(`Starting container ${name} for ${spec.lambda.logicalId} (kind=${spec.kind}) on ${spec.containerHost}:${hostPort}`);
+		let containerId;
+		if (spec.kind === "zip") {
+			const optMount = spec.optDir ? [{
+				hostPath: spec.optDir,
+				containerPath: "/opt",
 				readOnly: true
-			}],
-			extraMounts: optMount,
+			}] : [];
+			const containerCodePath = resolveRuntimeCodeMountPath(spec.lambda.runtime);
+			containerId = await runDetached({
+				image: resolveRuntimeImage(spec.lambda.runtime),
+				mounts: [{
+					hostPath: spec.codeDir,
+					containerPath: containerCodePath,
+					readOnly: true
+				}],
+				extraMounts: optMount,
+				env: spec.env,
+				cmd: [spec.lambda.handler],
+				hostPort,
+				host: spec.containerHost,
+				name,
+				...spec.debugPort !== void 0 && { debugPort: spec.debugPort },
+				...spec.tmpfs !== void 0 && { tmpfs: spec.tmpfs }
+			});
+		} else containerId = await runDetached({
+			image: spec.image,
+			mounts: [],
 			env: spec.env,
-			cmd: [spec.lambda.handler],
+			cmd: spec.command,
 			hostPort,
 			host: spec.containerHost,
 			name,
+			platform: spec.platform,
+			...spec.entryPoint !== void 0 && { entryPoint: spec.entryPoint },
+			...spec.workingDir !== void 0 && { workingDir: spec.workingDir },
 			...spec.debugPort !== void 0 && { debugPort: spec.debugPort },
 			...spec.tmpfs !== void 0 && { tmpfs: spec.tmpfs }
 		});
@@ -41736,7 +42188,7 @@ function attachAuthorizers(stacks, routes) {
 	const out = [];
 	const errors = [];
 	for (const route of routes) {
-		if (route.unsupported || route.mockCors) {
+		if (route.unsupported || route.mockCors || route.serviceIntegration) {
 			out.push({ route });
 			continue;
 		}
@@ -41766,6 +42218,45 @@ function attachAuthorizers(stacks, routes) {
 	return out;
 }
 /**
+* Walk every discovered route and return the service-integration routes
+* whose source CFn resource declares an authorizer (HTTP API v2 routes
+* with `AuthorizationType !== 'NONE'`). Service-integration routes only
+* exist on `AWS::ApiGatewayV2::Route`; REST v1 service integrations are
+* a different shape and not yet supported.
+*/
+function findIgnoredServiceIntegrationAuthorizers(stacks, routes) {
+	const stackByRoute = /* @__PURE__ */ new Map();
+	for (const stack of stacks) {
+		const prefix = `${stack.stackName}/`;
+		for (const route of routes) if (route.declaredAt.startsWith(prefix)) stackByRoute.set(route.declaredAt, stack);
+	}
+	const out = [];
+	for (const route of routes) {
+		if (!route.serviceIntegration) continue;
+		const stack = stackByRoute.get(route.declaredAt);
+		if (!stack) continue;
+		const slash = route.declaredAt.indexOf("/");
+		if (slash < 0) continue;
+		const logicalId = route.declaredAt.slice(slash + 1);
+		const resource = stack.template.Resources?.[logicalId];
+		if (!resource || resource.Type !== "AWS::ApiGatewayV2::Route") continue;
+		const props = resource.Properties ?? {};
+		const authType = props["AuthorizationType"];
+		if (typeof authType !== "string" || authType === "" || authType.toUpperCase() === "NONE") continue;
+		let authorizerName;
+		if (authType === "AWS_IAM") authorizerName = "AWS_IAM";
+		else {
+			const ref = props["AuthorizerId"];
+			authorizerName = (ref && typeof ref === "object" && "Ref" in ref && typeof ref.Ref === "string" ? ref.Ref : void 0) ?? `<authType=${authType}, AuthorizerId malformed>`;
+		}
+		out.push({
+			declaredAt: route.declaredAt,
+			authorizerName
+		});
+	}
+	return out;
+}
+/**
 * Detect the authorizer (if any) attached to a discovered route.
 * Walks the original CFn resource for the route in `stack.template`.
 */
@@ -42895,6 +43386,191 @@ function amzDateOutsideSkew(amzDate, now) {
 	return Math.abs(ts.getTime() - now.getTime()) > 900 * 1e3;
 }
 
+//#endregion
+//#region src/local/parameter-mapping.ts
+/**
+* Parameter-mapping resolver for HTTP API v2 service integrations
+* (`IntegrationSubtype` set, no Lambda).
+*
+* AWS API Gateway HTTP APIs let you wire a route directly to an AWS
+* SDK call via `RequestParameters` — a flat map whose KEY is the SDK
+* input parameter name (`QueueUrl`, `MessageBody`, `Source`, ...) and
+* whose VALUE is either a literal string or one of the dollar-prefixed
+* "selection expression" forms documented at
+* https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-parameter-mapping.html
+*
+* Supported value forms (all bare and `${...}`-wrapped variants):
+*   - `$request.header.<name>`    — case-insensitive header lookup; multi-values comma-joined
+*   - `$request.querystring.<key>` — case-SENSITIVE; multi-values comma-joined
+*   - `$request.path.<param>`     — path parameter from `{param}` route patterns
+*   - `$request.path`             — full request path (without stage)
+*   - `$request.body`             — entire request body as a string
+*   - `$request.body.<jsonpath>`  — JSONPath against the parsed JSON body
+*                                   (recursive descent `..` and filter `?()` are NOT supported)
+*   - `$context.<key>`            — supported context variables
+*                                   (requestId / accountId / domainName / identity.sourceIp / etc.)
+*   - `$stageVariables.<key>`     — values from the route's selected stage
+*
+* `${X} ${Y}` interpolation: any string containing `${...}` is treated
+* as a template literal — each placeholder is resolved independently
+* and the surrounding literal characters are preserved.
+*
+* Anything that is not a recognized selection expression AND does not
+* contain `${...}` is returned as a literal string.
+*
+* This module is **pure-functional and async-free** — every input is
+* derived from the HTTP request snapshot, route match, and the
+* pre-discovered route state. SDK invocation happens in the dispatcher
+* (see `httpv2-service-integration.ts`).
+*
+* Unresolved references (e.g. `$request.querystring.url` against a
+* request with no `url` parameter) resolve to the empty string —
+* matches deployed API Gateway behavior, which treats absent values
+* as `""` and passes them to the SDK call. The dispatcher's
+* per-subtype validator then surfaces the SDK's typed rejection.
+*/
+/**
+* Resolve a `RequestParameters` map (HTTP API v2 service integration
+* shape) against the incoming HTTP request. Keys are passed through
+* verbatim (they identify the SDK input parameter); only the VALUES
+* go through selection-expression resolution.
+*/
+function resolveServiceIntegrationParameters(parameters, ctx) {
+	const resolved = {};
+	for (const [key, rawValue] of Object.entries(parameters)) {
+		if (typeof rawValue !== "string") return {
+			kind: "error",
+			reason: `RequestParameters[${JSON.stringify(key)}] must be a string (got ${typeof rawValue}: ${stringifyValue(rawValue)}).`
+		};
+		try {
+			resolved[key] = resolveSelectionExpression(rawValue, ctx);
+		} catch (err) {
+			return {
+				kind: "error",
+				reason: `RequestParameters[${JSON.stringify(key)}]: ${err instanceof Error ? err.message : String(err)}`
+			};
+		}
+	}
+	return {
+		kind: "ok",
+		resolved
+	};
+}
+/**
+* Resolve a single selection-expression string. Public for unit
+* testing — production callers use {@link resolveServiceIntegrationParameters}.
+*
+* Three shapes:
+*   1. Pure bare reference (`$request.querystring.url`) — resolved
+*      and returned as-is. Whole-string match.
+*   2. Embedded `${...}` interpolation — every placeholder is resolved
+*      and concatenated with the surrounding literals.
+*   3. Anything else — returned verbatim as a literal.
+*/
+function resolveSelectionExpression(input, ctx) {
+	if (input.startsWith("$") && !input.includes("${")) {
+		const resolved = resolveSingleReference(input, ctx);
+		if (resolved !== void 0) return resolved;
+		return input;
+	}
+	if (input.includes("${")) return interpolate(input, ctx);
+	return input;
+}
+/**
+* Walk a `${...}`-templated string and emit the concatenated result.
+* Per AWS docs, `${X}` may contain any of the selection-expression
+* forms recognized in bare form.
+*/
+function interpolate(input, ctx) {
+	let out = "";
+	let i = 0;
+	while (i < input.length) {
+		const next = input.indexOf("${", i);
+		if (next === -1) {
+			out += input.slice(i);
+			break;
+		}
+		out += input.slice(i, next);
+		const end = input.indexOf("}", next + 2);
+		if (end === -1) throw new Error(`unclosed '\${...}' interpolation in selection expression`);
+		const resolved = resolveSingleReference("$" + input.slice(next + 2, end), ctx);
+		out += resolved ?? "";
+		i = end + 1;
+	}
+	return out;
+}
+/**
+* Resolve one selection-expression reference (without `${...}`
+* wrapping). Returns `undefined` when the reference's PREFIX is not
+* a recognized form (so the bare-form caller can fall through to
+* literal-pass-through); returns `""` when the prefix matched but
+* the referenced datum was absent (AWS-deployed behavior).
+*/
+function resolveSingleReference(ref, ctx) {
+	if (ref === "$request.body") return ctx.body;
+	if (ref === "$request.path") return ctx.requestPath;
+	if (ref.startsWith("$request.body.")) {
+		const path = ref.substring(14);
+		return resolveBodyJsonPath(ctx.body, path);
+	}
+	if (ref.startsWith("$request.header.")) {
+		const name = ref.substring(16).toLowerCase();
+		return ctx.headers[name] ?? "";
+	}
+	if (ref.startsWith("$request.querystring.")) {
+		const key = ref.substring(21);
+		return ctx.queryString[key] ?? "";
+	}
+	if (ref.startsWith("$request.path.")) {
+		const key = ref.substring(14);
+		return ctx.pathParameters[key] ?? "";
+	}
+	if (ref.startsWith("$context.")) {
+		const key = ref.substring(9);
+		return ctx.context[key] ?? "";
+	}
+	if (ref.startsWith("$stageVariables.")) {
+		const key = ref.substring(16);
+		return ctx.stageVariables[key] ?? "";
+	}
+}
+/**
+* Resolve a simple JSON path against the request body. Per AWS docs:
+*
+*   - The body is JSON-parsed (best-effort; non-JSON → empty string).
+*   - Path segments are `.`-separated. Array indexing via `[N]` is
+*     supported.
+*   - Recursive descent `..` and filter expressions `?()` are NOT
+*     supported and produce `""` (matches AWS rejection at deploy
+*     time, but we degrade gracefully at runtime).
+*
+* Non-string leaves are stringified with `JSON.stringify` so they can
+* round-trip into the SDK call's string-typed input fields.
+*/
+function resolveBodyJsonPath(body, path) {
+	if (path.startsWith(".") || path.includes("..") || path.includes("?(")) return "";
+	let parsed;
+	try {
+		parsed = JSON.parse(body);
+	} catch {
+		return "";
+	}
+	const segments = path.split(/\.|\[(\d+)\]/).filter((s) => s !== void 0 && s !== "");
+	let cursor = parsed;
+	for (const seg of segments) {
+		if (cursor === null || cursor === void 0) return "";
+		if (typeof cursor !== "object") return "";
+		if (Array.isArray(cursor)) {
+			const idx = Number(seg);
+			if (!Number.isInteger(idx)) return "";
+			cursor = cursor[idx];
+		} else cursor = cursor[seg];
+	}
+	if (cursor === void 0 || cursor === null) return "";
+	if (typeof cursor === "string") return cursor;
+	return JSON.stringify(cursor);
+}
+
 //#endregion
 //#region src/local/http-server.ts
 /**
@@ -42995,6 +43671,10 @@ async function handleRequest(req, res, state, opts) {
 		writeNotImplemented(res, match.route.unsupported.reason);
 		return;
 	}
+	if (match.route.serviceIntegration) {
+		await handleServiceIntegrationRequest(req, res, match, bodyBuf, opts);
+		return;
+	}
 	const authorizer = state.routes.find((r) => r.route.declaredAt === match.route.declaredAt && r.route.method === match.route.method)?.authorizer;
 	const clientCert = opts.mtls ? extractClientCert(req) : void 0;
 	const snapshot = {
@@ -43372,9 +44052,12 @@ function lowercaseSingularHeaders(raw) {
 	return out;
 }
 /**
-* Parse query string into a singular (last-wins) map. Used by the
-* authorizer pass — separate from api-gateway-event because the
-* authorizer needs raw header values too.
+* Parse query string into a singular map. Multi-value keys are
+* comma-joined in order of appearance (`?foo=a&foo=b` -> `foo: 'a,b'`)
+* — matches the contract documented at
+* `src/local/parameter-mapping.ts:14` ("multi-values comma-joined")
+* AND deployed API Gateway behavior. Used by both the authorizer pass
+* and the HTTP API v2 service-integration parameter mapper.
 */
 function parseQueryStringSingular(rawUrl) {
 	const q = rawUrl.indexOf("?");
@@ -43395,7 +44078,8 @@ function parseQueryStringSingular(rawUrl) {
 		try {
 			value = decodeURIComponent(rawValue);
 		} catch {}
-		out[key] = value;
+		const prev = out[key];
+		out[key] = prev === void 0 ? value : `${prev},${value}`;
 	}
 	return out;
 }
@@ -43441,6 +44125,120 @@ function writeError(res, statusCode, body = "{\"message\":\"Internal server erro
 	res.end(body);
 }
 /**
+* Handle an HTTP API v2 service-integration route (#458). The route
+* carries `serviceIntegration: { subtype, requestParameters, responseParameters? }`
+* — no Lambda backs it. Flow:
+*
+*   1. Build a {@link RequestParameterContext} from the HTTP request +
+*      route match (path parameters, query string, headers, context
+*      variables, stage variables).
+*   2. Resolve every `RequestParameters` value against that context via
+*      `parameter-mapping.ts`. Per-parameter unresolved refs degrade to
+*      `""` (matches AWS deployed behavior).
+*   3. Dispatch to the per-subtype SDK adapter in
+*      `httpv2-service-integration.ts`. Per-request `Region` parameter
+*      overrides the server's `opts.defaultRegion`; absent both surfaces
+*      a 400.
+*   4. Apply per-status-code `ResponseParameters` overlay (header /
+*      statuscode overwrites).
+*   5. Write the result to the HTTP client.
+*
+* Authorizer pass: NOT yet wired (current scope is dispatch only). When
+* a service-integration route carries an authorizer, the discovery layer
+* leaves it in place but the server short-circuits to dispatch BEFORE the
+* auth pass. A follow-up PR can hoist the auth pass earlier — keeping it
+* out of this PR limits the blast radius.
+*/
+async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts) {
+	const route = match.route;
+	const svc = route.serviceIntegration;
+	if (!svc) {
+		writeError(res, 500);
+		return;
+	}
+	const rawUrl = req.url ?? "/";
+	const headersFlat = flattenHeadersForMapping(req);
+	const queryString = parseQueryStringSingular(rawUrl);
+	const requestPath = rawUrl.split("?")[0] ?? "/";
+	const context = buildServiceIntegrationContextVars(req, route);
+	const ctx = {
+		headers: headersFlat,
+		queryString,
+		pathParameters: match.pathParameters,
+		requestPath,
+		body: bodyBuf.toString("utf8"),
+		context,
+		stageVariables: route.stageVariables ?? {}
+	};
+	const outcome = resolveServiceIntegrationParameters(svc.requestParameters, ctx);
+	if (outcome.kind === "error") {
+		getLogger().warn(`[${route.declaredAt}] ${outcome.reason}`);
+		const body = JSON.stringify({
+			message: "Invalid integration mapping",
+			reason: outcome.reason
+		});
+		res.statusCode = 500;
+		res.setHeader("content-type", "application/json");
+		res.setHeader("content-length", String(Buffer.byteLength(body, "utf-8")));
+		res.end(body);
+		return;
+	}
+	const result = await dispatchServiceIntegration(svc.subtype, outcome.resolved, opts.defaultRegion ?? "");
+	const responseCtx = {
+		context,
+		stageVariables: route.stageVariables ?? {}
+	};
+	const finalResult = applyResponseParameters(result, svc.responseParameters, responseCtx);
+	res.statusCode = finalResult.statusCode;
+	for (const [name, value] of Object.entries(finalResult.headers)) res.setHeader(name, value);
+	res.setHeader("content-length", String(Buffer.byteLength(finalResult.body, "utf-8")));
+	res.end(finalResult.body);
+}
+/**
+* Flatten Node's `req.headers` to the single-string-per-key shape the
+* parameter-mapping resolver expects (`$request.header.<name>` is
+* documented as comma-joined multi-value). Header NAMES are lowercased
+* because AWS docs document `$request.header.<name>` as case-insensitive.
+*/
+function flattenHeadersForMapping(req) {
+	const out = {};
+	for (const [name, value] of Object.entries(req.headers)) {
+		const lower = name.toLowerCase();
+		if (Array.isArray(value)) out[lower] = value.join(", ");
+		else if (typeof value === "string") out[lower] = value;
+	}
+	return out;
+}
+/**
+* Build the subset of AWS context variables the service-integration
+* parameter-mapping resolver needs to surface (per AWS docs
+* https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-logging-variables.html).
+*
+* We populate the most-commonly-referenced fields with realistic values
+* (`requestId` is fresh per call, `accountId` / `domainName` are mock
+* but stable). Selection expressions against context variables we
+* don't model resolve to `""` — matches the AWS-deployed behavior of
+* absent values.
+*/
+function buildServiceIntegrationContextVars(req, route) {
+	const requestId = `cdkd-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
+	const sourceIp = req.socket.remoteAddress ?? "127.0.0.1";
+	return {
+		requestId,
+		accountId: "123456789012",
+		apiId: route.apiLogicalId ?? "local",
+		stage: route.stage,
+		"identity.sourceIp": sourceIp,
+		"identity.userAgent": Array.isArray(req.headers["user-agent"]) || typeof req.headers["user-agent"] === "string" ? String(req.headers["user-agent"]) : "",
+		domainName: "localhost",
+		httpMethod: req.method ?? "GET",
+		path: (req.url ?? "/").split("?")[0] ?? "/",
+		protocol: "HTTP/1.1",
+		requestTime: (/* @__PURE__ */ new Date()).toISOString(),
+		requestTimeEpoch: String(Date.now())
+	};
+}
+/**
 * Write the 501 Not Implemented response surfaced for routes the
 * discovery layer flagged as `unsupported`. The integration's reason
 * (e.g. "MOCK integration is not emulated", "WebSocket APIs are not
@@ -44142,12 +44940,13 @@ async function localStartApiCommand(target, options) {
 				inlineTmpDirs,
 				layerTmpDirs,
 				stateByStack,
+				skipPull: options.pull === false,
 				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn }
 			});
 			specs.set(logicalId, spec);
 		}
 		const distinctImages = /* @__PURE__ */ new Set();
-		for (const spec of specs.values()) distinctImages.add(resolveRuntimeImage(spec.lambda.runtime));
+		for (const spec of specs.values()) if (spec.kind === "zip") distinctImages.add(resolveRuntimeImage(spec.lambda.runtime));
 		for (const image of distinctImages) await pullImage(image, options.pull === false);
 		return {
 			routes: routesWithAuth,
@@ -44176,13 +44975,23 @@ async function localStartApiCommand(target, options) {
 	/**
 	* Compute the watched-asset list from a spec map. Pure helper —
 	* keeps the side-effect (`lastAssetPaths.value = ...`) confined to
-	* the post-swap call sites (initial boot + post-reload). `codeDir`
-	* is either the unzipped asset directory or the inline-code tmpdir;
-	* both are watch-worthy.
+	* the post-swap call sites (initial boot + post-reload). For ZIP
+	* Lambdas `codeDir` is either the unzipped asset directory or the
+	* inline-code tmpdir; both are watch-worthy. IMAGE Lambdas
+	* (`kind: 'image'`) don't have a host-side bind-mount source — the
+	* code is baked into the docker image at build time. Their build
+	* context (Dockerfile + source directory) is rebuilt on every
+	* reload via `synthesizeAndBuild` → `buildContainerSpec` →
+	* `resolveContainerImageForStartApi`, so a source edit DOES trigger
+	* rebuild AND the deterministic `image` tag changes — but watching
+	* the build-context dir explicitly here is deferred to a follow-up
+	* (the watched-asset list is currently sourced from `cdk.out/`
+	* which transitively covers most container-Lambda asset dirs since
+	* `cdk synth` re-stages them on every synth call).
 	*/
 	const computeAssetPaths = (specs) => {
 		const assetPaths = /* @__PURE__ */ new Set();
-		for (const spec of specs.values()) assetPaths.add(spec.codeDir);
+		for (const spec of specs.values()) if (spec.kind === "zip") assetPaths.add(spec.codeDir);
 		return [...assetPaths];
 	};
 	const initialMaterial = await synthesizeAndBuild();
@@ -44191,6 +45000,7 @@ async function localStartApiCommand(target, options) {
 	warnVpcConfigLambdas(initialMaterial.routes, initialMaterial.stacks ?? []);
 	sigV4CredentialsLoader = defaultCredentialsLoader();
 	warnIamRoutes(initialMaterial.routes);
+	warnIgnoredServiceIntegrationAuthorizers(initialMaterial.routes, initialMaterial.stacks ?? []);
 	let maxTimeoutSec = 0;
 	for (const spec of initialMaterial.specs.values()) if (spec.lambda.timeoutSec > maxTimeoutSec) maxTimeoutSec = spec.lambda.timeoutSec;
 	const rieTimeoutMs = Math.max(3e4, maxTimeoutSec * 2 * 1e3);
@@ -44215,6 +45025,7 @@ async function localStartApiCommand(target, options) {
 			for (const result of handles) if (result.status === "fulfilled") groupPool.release(result.value);
 			else logger.warn(`Pre-warm failed for one Lambda in ${group.displayName} (cold start cost will apply on first request): ${result.reason instanceof Error ? result.reason.message : String(result.reason)}`);
 		}
+		const defaultRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? void 0;
 		const started = await startApiServer({
 			state: groupState,
 			rieTimeoutMs,
@@ -44226,7 +45037,8 @@ async function localStartApiCommand(target, options) {
 			jwksWarnedUrls,
 			sigV4CredentialsLoader,
 			sigV4WarnedForeignIds,
-			sigV4AllowUnverified: options.allowUnverifiedSigv4 === true
+			sigV4AllowUnverified: options.allowUnverifiedSigv4 === true,
+			...defaultRegion && { defaultRegion }
 		});
 		servers.push({
 			group,
@@ -44355,7 +45167,7 @@ function uniqueLambdaIds(routes, routesWithAuth) {
 	const seen = /* @__PURE__ */ new Set();
 	const out = [];
 	for (const r of routes) {
-		if (r.unsupported || r.mockCors) continue;
+		if (r.unsupported || r.mockCors || r.serviceIntegration) continue;
 		if (r.lambdaLogicalId.length === 0) continue;
 		if (!seen.has(r.lambdaLogicalId)) {
 			seen.add(r.lambdaLogicalId);
@@ -44363,7 +45175,7 @@ function uniqueLambdaIds(routes, routesWithAuth) {
 		}
 	}
 	for (const entry of routesWithAuth) {
-		if (entry.route.unsupported || entry.route.mockCors) continue;
+		if (entry.route.unsupported || entry.route.mockCors || entry.route.serviceIntegration) continue;
 		const auth = entry.authorizer;
 		if (!auth) continue;
 		if (auth.kind === "lambda-token" || auth.kind === "lambda-request") {
@@ -44448,6 +45260,27 @@ function warnIamRoutes(routesWithAuth) {
 	return true;
 }
 /**
+* #458 / PR #500 review: emit a one-line warn naming every service-
+* integration route whose source CFn resource declares an authorizer
+* (HTTP API v2 routes with `AuthorizationType !== 'NONE'`). The
+* dispatcher in `http-server.ts` runs the SDK call BEFORE the
+* authorizer pass would fire, so without this warn a CDK app that
+* wires JWT / Lambda / Cognito / IAM authorizers onto service
+* integrations would silently let every local request reach the SDK
+* call without auth. Threading the auth pass through the
+* service-integration dispatcher is a follow-up issue. Returns the
+* number of warned routes so tests can assert the firing path; the
+* value is otherwise unused.
+*/
+function warnIgnoredServiceIntegrationAuthorizers(routesWithAuth, stacks) {
+	const logger = getLogger();
+	const ignored = findIgnoredServiceIntegrationAuthorizers(stacks, routesWithAuth.map((entry) => entry.route));
+	if (ignored.length === 0) return 0;
+	logger.warn(`${ignored.length} HTTP API v2 service-integration route(s) declare an authorizer but cdkd local start-api dispatches the SDK call BEFORE the authorizer pass — every local request reaches the SDK call WITHOUT authentication. This is a deferred feature; see https://github.com/go-to-k/cdkd/issues/502 for the follow-up tracking issue.`);
+	for (const entry of ignored) logger.warn(`  - ${entry.declaredAt}: authorizer '${entry.authorizerName}' is configured but ignored`);
+	return ignored.length;
+}
+/**
 * Build the per-Lambda container spec — code dir, env vars (template +
 * --env-vars overlay), STS-issued creds when --assume-role names this
 * Lambda, optional --debug-port reservation. Errors out with a clear
@@ -44455,10 +45288,19 @@ function warnIamRoutes(routesWithAuth) {
 * missing, runtime not supported).
 */
 async function buildContainerSpec(args) {
-	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, layerRoleArn } = args;
+	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn } = args;
 	const lambda = resolveLambdaByLogicalId(logicalId, stacks);
-	const codeDir = lambda.codePath ?? materializeInlineCode$1(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime), inlineTmpDirs);
-	const optDir = await materializeLambdaLayers$1(lambda.layers, layerTmpDirs, layerRoleArn);
+	let codeDir;
+	let optDir;
+	let imageRef;
+	let platform;
+	if (lambda.kind === "zip") {
+		codeDir = lambda.codePath ?? materializeInlineCode$1(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime), inlineTmpDirs);
+		optDir = await materializeLambdaLayers$1(lambda.layers, layerTmpDirs, layerRoleArn);
+	} else {
+		imageRef = (await resolveContainerImageForStartApi(lambda, skipPull)).imageRef;
+		platform = architectureToPlatform(lambda.architecture);
+	}
 	let templateEnv = getTemplateEnv$1(lambda.resource);
 	const stateBundle = stateByStack.get(lambda.stack.stackName);
 	let stateAudit;
@@ -44498,7 +45340,8 @@ async function buildContainerSpec(args) {
 		target: "/tmp",
 		sizeMb: lambda.ephemeralStorageMb
 	} : void 0;
-	return {
+	if (lambda.kind === "zip") return {
+		kind: "zip",
 		lambda,
 		codeDir,
 		env: dockerEnv,
@@ -44507,6 +45350,60 @@ async function buildContainerSpec(args) {
 		...debugPort !== void 0 && { debugPort },
 		...tmpfs !== void 0 && { tmpfs }
 	};
+	return {
+		kind: "image",
+		lambda,
+		image: imageRef,
+		platform,
+		command: lambda.imageConfig.command ?? [],
+		...lambda.imageConfig.entryPoint !== void 0 && lambda.imageConfig.entryPoint.length > 0 && { entryPoint: lambda.imageConfig.entryPoint },
+		...lambda.imageConfig.workingDirectory !== void 0 && { workingDir: lambda.imageConfig.workingDirectory },
+		env: dockerEnv,
+		containerHost,
+		...debugPort !== void 0 && { debugPort },
+		...tmpfs !== void 0 && { tmpfs }
+	};
+}
+/**
+* Resolve a container Lambda's local docker image — local build from
+* `cdk.out` asset manifest first, ECR-pull fallback when the asset
+* manifest has no matching entry. Mirrors `cdkd local invoke`'s
+* `resolveContainerImagePlan` shape; the start-api server doesn't
+* need the no-build flag (deterministic-tag cache reuse is automatic
+* across reloads because the per-Lambda tag is content-addressed).
+*
+* Same-account / same-region only on the ECR-pull path (matches the
+* `cdkd local invoke` PR 5 of #224 boundary). Cross-account /
+* cross-region ECR pull is the W2-1 deferred follow-up.
+*/
+async function resolveContainerImageForStartApi(lambda, skipPull) {
+	const logger = getLogger();
+	const localBuild = await resolveLocalBuildPlan$1(lambda);
+	if (localBuild) return { imageRef: await buildContainerImage(localBuild.asset, localBuild.cdkOutDir, { architecture: lambda.architecture }) };
+	if (!parseEcrUri(lambda.imageUri)) throw new Error(`Container Lambda '${lambda.logicalId}' has no matching asset in cdk.out, and Code.ImageUri '${lambda.imageUri}' is not an ECR URI cdkd can authenticate against. Re-synthesize the CDK app (so cdk.out includes the build context) or deploy the image to ECR first.`);
+	logger.info(`No matching cdk.out asset for ${lambda.imageUri}; falling back to ECR pull (same-acct/region only)...`);
+	return { imageRef: await pullEcrImage(lambda.imageUri, { skipPull }) };
+}
+/**
+* Look up the docker image asset that backs a container Lambda.
+* Returns `undefined` when the asset manifest has no matching entry —
+* the caller falls back to the ECR-pull path.
+*
+* Mirrors `local-invoke.ts:resolveLocalBuildPlan`; kept separate so
+* the two commands evolve their asset-lookup heuristics independently.
+*/
+async function resolveLocalBuildPlan$1(lambda) {
+	const manifestPath = lambda.stack.assetManifestPath;
+	if (!manifestPath) return void 0;
+	const cdkOutDir = path.dirname(manifestPath);
+	const manifest = await new AssetManifestLoader().loadManifest(cdkOutDir, lambda.stack.stackName);
+	if (!manifest) return void 0;
+	const entry = getDockerImageBySourceHash(manifest, lambda.imageUri);
+	if (!entry) return void 0;
+	return {
+		asset: entry.asset,
+		cdkOutDir
+	};
 }
 /**
 * Build the `/opt` bind-mount source for a Lambda's layers. Mirrors
@@ -44568,15 +45465,23 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 		const resource = stack.template.Resources?.[logicalId];
 		if (!resource || resource.Type !== "AWS::Lambda::Function") continue;
 		const props = resource.Properties ?? {};
-		const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
-		const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
 		const memoryMb = typeof props["MemorySize"] === "number" ? props["MemorySize"] : 128;
 		const timeoutSec = typeof props["Timeout"] === "number" ? props["Timeout"] : 3;
-		if (!runtime) throw new Error(`Lambda '${logicalId}' has no Runtime property. Container-image Lambdas (Code.ImageUri) are not supported in cdkd local start-api v1.`);
-		if (!handler) throw new Error(`Lambda '${logicalId}' has no Handler property.`);
 		const code = props["Code"] ?? {};
-		const imageUri = code["ImageUri"];
-		if (typeof imageUri === "string" || typeof imageUri === "object" && imageUri !== null && "Fn::Sub" in imageUri) throw new Error(`Lambda '${logicalId}' uses Code.ImageUri (container-image Lambda). 'cdkd local start-api' v1 supports ZIP Lambdas only — container-image support is deferred to a follow-up PR. Use 'cdkd local invoke' to exercise this function locally.`);
+		const imageUri = extractImageUri(code["ImageUri"]);
+		if (imageUri !== void 0) return resolveImageLambda({
+			stack,
+			logicalId,
+			resource,
+			props,
+			memoryMb,
+			timeoutSec,
+			imageUri
+		});
+		const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
+		const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
+		if (!runtime) throw new Error(`Lambda '${logicalId}' has no Runtime property and no Code.ImageUri. cdkd local start-api cannot tell if this is a ZIP or a container Lambda.`);
+		if (!handler) throw new Error(`Lambda '${logicalId}' has no Handler property.`);
 		const inlineCode = typeof code["ZipFile"] === "string" ? code["ZipFile"] : void 0;
 		let codePath = null;
 		if (!inlineCode) codePath = resolveAssetCodePath(stack, logicalId, resource);
@@ -44600,6 +45505,66 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 	throw new Error(`No AWS::Lambda::Function resource named '${logicalId}' found in target stacks. This is likely a synthesis bug — the route-discovery phase resolved a route to this logical ID.`);
 }
 /**
+* Extract `Code.ImageUri` across the shapes CDK actually synthesizes.
+* Mirrors the simpler subset of `lambda-resolver.ts:extractImageUri`
+* scoped to the shapes `cdkd local start-api` consumes — flat string
+* and `Fn::Sub` (the canonical asset shape for
+* `lambda.DockerImageCode.fromImageAsset`). `Fn::Join` shapes for
+* `lambda.DockerImageCode.fromEcr` are deferred to a follow-up: the
+* start-api boot flow doesn't yet load cdkd state up front, and the
+* `Fn::Join` resolver needs it to recover same-stack ECR repository
+* URIs. When the user hits the unsupported shape, the downstream
+* resolveLocalBuildPlan / pullEcrImage path surfaces a clear error.
+*
+* Returns `undefined` when the field is absent or non-recognized,
+* which routes the caller to the ZIP branch (with its existing
+* "no Runtime / no Handler" validations).
+*/
+function extractImageUri(value) {
+	if (typeof value === "string" && value.length > 0) return value;
+	if (value && typeof value === "object" && !Array.isArray(value)) {
+		const sub = value["Fn::Sub"];
+		if (typeof sub === "string" && sub.length > 0) return sub;
+		if (Array.isArray(sub) && typeof sub[0] === "string") return sub[0];
+	}
+}
+/**
+* Build the IMAGE-variant `ResolvedStartApiLambda` from a Lambda
+* template entry with `Code.ImageUri`. Mirrors
+* `lambda-resolver.ts:extractImageLambdaProperties` but trimmed to the
+* fields `cdkd local start-api` actually consumes.
+*/
+function resolveImageLambda(args) {
+	const { stack, logicalId, resource, props, memoryMb, timeoutSec, imageUri } = args;
+	const rawImageConfig = props["ImageConfig"] ?? {};
+	const imageConfig = {};
+	if (Array.isArray(rawImageConfig["Command"])) imageConfig.command = rawImageConfig["Command"].filter((s) => typeof s === "string");
+	if (Array.isArray(rawImageConfig["EntryPoint"])) imageConfig.entryPoint = rawImageConfig["EntryPoint"].filter((s) => typeof s === "string");
+	if (typeof rawImageConfig["WorkingDirectory"] === "string") imageConfig.workingDirectory = rawImageConfig["WorkingDirectory"];
+	const arches = props["Architectures"];
+	let architecture = "x86_64";
+	if (Array.isArray(arches) && arches.length > 0) {
+		const first = arches[0];
+		if (first === "arm64") architecture = "arm64";
+		else if (first === "x86_64") architecture = "x86_64";
+		else throw new Error(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. cdkd local start-api supports x86_64 and arm64.`);
+	}
+	const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
+	return {
+		kind: "image",
+		stack,
+		logicalId,
+		resource,
+		memoryMb,
+		timeoutSec,
+		imageUri,
+		imageConfig,
+		architecture,
+		layers: [],
+		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
+	};
+}
+/**
 * Locate the Lambda's local code directory using the CDK-blessed
 * `Metadata['aws:asset:path']` hint. Bind-mounted directly at
 * `/var/task` (read-only) by the docker-runner.
@@ -44631,7 +45596,7 @@ function printRouteTable(routes) {
 	process.stdout.write("Discovered routes:\n");
 	for (const r of sorted) {
 		const sourceLabel = r.source === "http-api" ? "HTTP API" : r.source === "rest-v1" ? `REST v1, stage '${r.stage}'` : "Function URL";
-		const target = r.mockCors ? "[MOCK CORS preflight]" : r.unsupported ? "[501 Not Implemented]" : r.lambdaLogicalId;
+		const target = r.mockCors ? "[MOCK CORS preflight]" : r.unsupported ? "[501 Not Implemented]" : r.serviceIntegration ? `[${r.serviceIntegration.subtype}]` : r.lambdaLogicalId;
 		process.stdout.write(`  ${r.method.padEnd(methodWidth)}  ${r.pathPattern.padEnd(pathWidth)}  -> ${target}  (${sourceLabel})\n`);
 	}
 	process.stdout.write("\n");
@@ -48129,7 +49094,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.127.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.129.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());