npm - @go-to-k/cdkd - Versions diffs - 0.129.0 → 0.130.0 - Mend

@go-to-k/cdkd 0.129.0 → 0.130.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md +13 -6
package/dist/cli.js +227 -10
package/dist/cli.js.map +1 -1
package/dist/{deploy-engine-DWpeb9wT.js → deploy-engine-B-w4C_7O.js} +4 -3
package/dist/deploy-engine-B-w4C_7O.js.map +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/package.json +1 -1
package/dist/deploy-engine-DWpeb9wT.js.map +0 -1

package/README.md CHANGED Viewed

@@ -468,14 +468,21 @@ preflight (HTTP API v2 `CorsConfiguration` + REST v1 OPTIONS MOCK
 preflight from `defaultCorsPreflightOptions`); hot reload via `--watch`;
 deploy-state-backed env var substitution via `--from-state`.
+Function URL `InvokeMode: RESPONSE_STREAM` is supported (issue #467):
+streaming Lambdas are invoked via the RIE streaming protocol and the
+response is piped to the HTTP client with `Transfer-Encoding: chunked`.
+Note that AWS's local RIE buffers the response — incremental chunk
+delivery only manifests against the deployed Lambda runtime; locally
+the response shape is correct but arrives in one block.
 Routes whose integration cdkd cannot emulate (non-AWS_PROXY REST v1
 types other than the MOCK CORS preflight subset, HTTP API v2 service
-integrations, WebSocket APIs, Function URLs with IAM auth or
-RESPONSE_STREAM, cross-stack Lambda Arn references) **do not block
-boot** — the server starts with a per-route `[warn]` summary and
-returns HTTP 501 + the reason in the JSON body if and when the route is
-hit. This lets you run the rest of your API surface locally while the
-unsupported routes stay on the deployed API.
+integrations, WebSocket APIs, Function URLs with IAM auth, cross-stack
+Lambda Arn references) **do not block boot** — the server starts with
+a per-route `[warn]` summary and returns HTTP 501 + the reason in the
+JSON body if and when the route is hit. This lets you run the rest of
+your API surface locally while the unsupported routes stay on the
+deployed API.
 ### `local run-task`

package/dist/cli.js CHANGED Viewed

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { A as AssetPublisher, B as getLegacyStateBucketName, C as applyRoleArnIfSet, Ct as generateResourceNameWithFallback, D as LockManager, E as TemplateParser, F as getDockerCmd, G as resolveStateBucketWithDefaultAndSource, H as resolveCaptureObservedState, I as runDockerForeground, K as warnDeprecatedNoPrefixCliFlag, L as runDockerStreaming, M as WorkGraph, N as buildDockerImage, O as S3StateBackend, P as formatDockerLoginError, R as Synthesizer, S as IntrinsicFunctionResolver, St as generateResourceName, T as DagBuilder, Tt as withStackName, U as resolveSkipPrefix, V as resolveApp, W as resolveStateBucketWithDefault, Y as resolveBucketRegion, Z as CdkdError, _ as normalizeAwsTagsToCfn, a as withRetry, at as ResourceUpdateNotSupportedError, b as CloudControlProvider, bt as PATTERN_B_NAME_PROPERTIES, c as cyan, ct as StackTerminationProtectionError, d as red, et as LocalInvokeBuildError, f as yellow, g as matchesCdkPath, gt as getLogger, h as CDK_PATH_TAG, i as withResourceDeadline, it as ResourceTimeoutError, j as stringifyValue, k as shouldRetainResource, l as gray, m as collectInlinePolicyNamesManagedBySiblings, mt as withErrorHandling, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as PartialFailureError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as RouteDiscoveryError, p as IAMRoleProvider, pt as normalizeAwsError, q as AssemblyReader, r as DeployEngine, rt as ProvisioningError, s as bold, st as StackHasActiveImportsError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as green, v as resolveExplicitPhysicalId, vt as runStackBuffered, w as DiffCalculator, wt as withSkipPrefix, x as assertRegionMatch, xt as PATTERN_B_RESOURCE_TYPES, y as ProviderRegistry, yt as getLiveRenderer, z as getDefaultStateBucketName } from "./deploy-engine-DWpeb9wT.js";
+import { A as AssetPublisher, B as getLegacyStateBucketName, C as applyRoleArnIfSet, Ct as generateResourceNameWithFallback, D as LockManager, E as TemplateParser, F as getDockerCmd, G as resolveStateBucketWithDefaultAndSource, H as resolveCaptureObservedState, I as runDockerForeground, K as warnDeprecatedNoPrefixCliFlag, L as runDockerStreaming, M as WorkGraph, N as buildDockerImage, O as S3StateBackend, P as formatDockerLoginError, R as Synthesizer, S as IntrinsicFunctionResolver, St as generateResourceName, T as DagBuilder, Tt as withStackName, U as resolveSkipPrefix, V as resolveApp, W as resolveStateBucketWithDefault, Y as resolveBucketRegion, Z as CdkdError, _ as normalizeAwsTagsToCfn, a as withRetry, at as ResourceUpdateNotSupportedError, b as CloudControlProvider, bt as PATTERN_B_NAME_PROPERTIES, c as cyan, ct as StackTerminationProtectionError, d as red, et as LocalInvokeBuildError, f as yellow, g as matchesCdkPath, gt as getLogger, h as CDK_PATH_TAG, i as withResourceDeadline, it as ResourceTimeoutError, j as stringifyValue, k as shouldRetainResource, l as gray, m as collectInlinePolicyNamesManagedBySiblings, mt as withErrorHandling, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as PartialFailureError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as RouteDiscoveryError, p as IAMRoleProvider, pt as normalizeAwsError, q as AssemblyReader, r as DeployEngine, rt as ProvisioningError, s as bold, st as StackHasActiveImportsError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as green, v as resolveExplicitPhysicalId, vt as runStackBuffered, w as DiffCalculator, wt as withSkipPrefix, x as assertRegionMatch, xt as PATTERN_B_RESOURCE_TYPES, y as ProviderRegistry, yt as getLiveRenderer, z as getDefaultStateBucketName } from "./deploy-engine-B-w4C_7O.js";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -39464,13 +39464,16 @@ async function invokeRie(host, port, event, timeoutMs) {
 * something we should retry. Abort errors propagate immediately so the
 * outer timeout still wins.
 */
-async function fetchWithStartupRetry(url, body, signal) {
+async function fetchWithStartupRetry(url, body, signal, extraHeaders) {
 	const maxAttempts = 3;
 	let lastError;
 	for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
 		return await fetch(url, {
 			method: "POST",
-			headers: { "Content-Type": "application/json" },
+			headers: {
+				"Content-Type": "application/json",
+				...extraHeaders
+			},
 			body,
 			signal
 		});
@@ -39482,6 +39485,157 @@ async function fetchWithStartupRetry(url, body, signal) {
 	}
 	throw lastError;
 }
+/**
+* The 8-NULL-byte separator AWS Lambda RIE writes between the JSON
+* metadata prelude and the streaming body chunks. Empirically verified
+* — see `StreamingPrelude` docstring above.
+*/
+const STREAM_PRELUDE_SEPARATOR = Buffer.from([
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0,
+	0
+]);
+/**
+* Maximum bytes we'll buffer searching for the prelude separator before
+* giving up. 1 MiB is far past anything Lambda's streamifyResponse would
+* emit as metadata (typical preludes are <500 bytes) — a runaway here
+* indicates the handler didn't call `HttpResponseStream.from` at all, in
+* which case we want to fail fast rather than buffer the whole body.
+*/
+const STREAM_PRELUDE_MAX_BYTES = 1024 * 1024;
+/**
+* POST the event payload to RIE with the `streaming` response-mode
+* header, parse the JSON prelude out of the response bytes, and return
+* a Readable carrying the post-separator body chunks.
+*
+* Why a separate function from `invokeRie`: the prelude/separator/body
+* framing is incompatible with the buffered-response `text()` consumer.
+* Buffered routes still use `invokeRie`; only Function URLs with
+* `InvokeMode: RESPONSE_STREAM` use this path.
+*
+* The `Lambda-Runtime-Function-Response-Mode: streaming` request header
+* tells RIE we want the streaming protocol. (RIE happens to emit the
+* same protocol for `streamifyResponse`-wrapped handlers regardless of
+* the header, but setting it makes the contract explicit and survives
+* future RIE behavior changes.)
+*
+* `timeoutMs` bounds the total wall time including the prelude wait —
+* the handler can stream for the full Lambda timeout, so callers should
+* pass a generous value (typically the function's configured Timeout * 2
+* with a 30s floor, matching `invokeRie`'s convention).
+*/
+async function invokeRieStreaming(host, port, event, timeoutMs) {
+	const url = `http://${host}:${port}${INVOKE_PATH}`;
+	const body = JSON.stringify(event ?? {});
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), timeoutMs);
+	let response;
+	try {
+		response = await fetchWithStartupRetry(url, body, controller.signal, { "Lambda-Runtime-Function-Response-Mode": "streaming" });
+	} catch (err) {
+		clearTimeout(timer);
+		if (err.name === "AbortError") throw new Error(`RIE streaming invoke at ${url} timed out after ${timeoutMs}ms. The handler may be hung; check container logs.`);
+		throw err;
+	}
+	if (!response.body) {
+		clearTimeout(timer);
+		throw new Error(`RIE streaming invoke at ${url} returned no response body.`);
+	}
+	const reader = response.body.getReader();
+	let preludeBytes = Buffer.alloc(0);
+	let bodyTail;
+	let separatorIdx = -1;
+	while (separatorIdx < 0) {
+		const { value, done } = await reader.read();
+		if (done) break;
+		const chunk = Buffer.from(value);
+		preludeBytes = Buffer.concat([preludeBytes, chunk]);
+		separatorIdx = preludeBytes.indexOf(STREAM_PRELUDE_SEPARATOR);
+		if (separatorIdx >= 0) {
+			bodyTail = preludeBytes.subarray(separatorIdx + STREAM_PRELUDE_SEPARATOR.length);
+			preludeBytes = preludeBytes.subarray(0, separatorIdx);
+			break;
+		}
+		if (preludeBytes.length > STREAM_PRELUDE_MAX_BYTES) {
+			clearTimeout(timer);
+			reader.cancel().catch(() => void 0);
+			throw new Error(`RIE streaming response did not emit the prelude/body separator within ${STREAM_PRELUDE_MAX_BYTES} bytes. The handler likely did not call awslambda.HttpResponseStream.from(stream, metadata).`);
+		}
+	}
+	if (separatorIdx < 0) {
+		clearTimeout(timer);
+		throw new Error(`RIE streaming response ended before the prelude/body separator (got ${preludeBytes.length} bytes). The handler likely threw before streaming the prelude — check container logs.`);
+	}
+	let prelude;
+	try {
+		prelude = parseStreamingPrelude(preludeBytes.toString("utf8"));
+	} catch (err) {
+		clearTimeout(timer);
+		reader.cancel().catch(() => void 0);
+		throw new Error(`RIE streaming response prelude is not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	const stream = new Readable({ read() {} });
+	(async () => {
+		try {
+			if (bodyTail && bodyTail.length > 0) stream.push(bodyTail);
+			while (true) {
+				const { value, done } = await reader.read();
+				if (done) break;
+				stream.push(Buffer.from(value));
+			}
+			stream.push(null);
+		} catch (err) {
+			stream.destroy(err instanceof Error ? err : new Error(String(err)));
+		} finally {
+			clearTimeout(timer);
+		}
+	})();
+	return {
+		prelude,
+		body: stream
+	};
+}
+/**
+* Parse a streaming prelude payload (JSON text). Normalizes the shape
+* the http-server consumes: `statusCode` is coerced to a number (RIE
+* sometimes emits it as a string), `headers` is always an object (the
+* handler may omit it), `cookies` is preserved only when an array.
+*
+* Exported for unit tests. Throws on invalid JSON or a non-numeric
+* statusCode (cdkd cannot map that to HTTP).
+*/
+function parseStreamingPrelude(text) {
+	const trimmed = text.trim();
+	if (trimmed.length === 0) throw new Error("empty prelude");
+	const raw = JSON.parse(trimmed);
+	if (!raw || typeof raw !== "object") throw new Error("prelude is not a JSON object");
+	const obj = raw;
+	const statusRaw = obj["statusCode"];
+	let statusCode;
+	if (typeof statusRaw === "number" && Number.isFinite(statusRaw)) statusCode = Math.trunc(statusRaw);
+	else if (typeof statusRaw === "string" && /^[0-9]+$/.test(statusRaw)) statusCode = Number.parseInt(statusRaw, 10);
+	else throw new Error(`statusCode must be a number (got ${typeof statusRaw})`);
+	const headers = {};
+	const headersRaw = obj["headers"];
+	if (headersRaw && typeof headersRaw === "object") for (const [k, v] of Object.entries(headersRaw)) {
+		if (v === null || v === void 0) continue;
+		if (typeof v === "string") headers[k] = v;
+		else if (typeof v === "number" || typeof v === "boolean" || typeof v === "bigint") headers[k] = String(v);
+		else headers[k] = JSON.stringify(v) ?? "";
+	}
+	const result = {
+		statusCode,
+		headers
+	};
+	const cookiesRaw = obj["cookies"];
+	if (Array.isArray(cookiesRaw)) result.cookies = cookiesRaw.map((c) => String(c));
+	return result;
+}
 //#endregion
 //#region src/assets/asset-manifest-loader.ts
@@ -40538,12 +40692,15 @@ function classifyServiceIntegrationRoute(baseRoute, integrationProps, stackName,
 * `AWS::Lambda::Url` resource.
 *
 * Per-shape classification:
-*   - `AuthType === 'NONE'` + `InvokeMode !== 'RESPONSE_STREAM'` → normal route.
+*   - `AuthType === 'NONE'` + `InvokeMode === 'BUFFERED'` (or unset) → normal route.
+*   - `AuthType === 'NONE'` + `InvokeMode === 'RESPONSE_STREAM'` → normal route
+*     dispatched via the RIE streaming protocol (the response body is a
+*     JSON prelude — `{statusCode, headers, cookies?}` — followed by 8
+*     NULL bytes and then the raw body chunks). The HTTP server pipes
+*     the chunks to the client with `Transfer-Encoding: chunked` (#467).
 *   - `AuthType !== 'NONE'` (e.g. `AWS_IAM`) → deferred-error
 *     unsupported. Boot proceeds; HTTP 501 + `reason` at request time.
 *     IAM auth would need SigV4 verification cdkd cannot emulate.
-*   - `InvokeMode === 'RESPONSE_STREAM'` → deferred-error unsupported.
-*     The RIE container does not implement `InvokeWithResponseStream`.
 *
 * The Lambda Arn intrinsic resolution still **hard-errors** when it
 * cannot pin down a same-template Lambda — Function URLs have no other
@@ -40573,14 +40730,18 @@ function discoverFunctionUrl(logicalId, resource, template, stackName) {
 		lambdaLogicalId,
 		unsupported: { reason: `${stackName}/${logicalId}: AuthType '${String(authType)}' is not supported (only NONE — IAM auth requires SigV4 verification cdkd cannot emulate locally).` }
 	}];
-	if (props["InvokeMode"] === "RESPONSE_STREAM") return [{
+	const invokeModeRaw = props["InvokeMode"];
+	let invokeMode = "BUFFERED";
+	if (invokeModeRaw === "RESPONSE_STREAM") invokeMode = "RESPONSE_STREAM";
+	else if (invokeModeRaw !== void 0 && invokeModeRaw !== "BUFFERED") return [{
 		...baseRoute,
 		lambdaLogicalId,
-		unsupported: { reason: `${stackName}/${logicalId}: InvokeMode RESPONSE_STREAM is not supported (cdkd's RIE container does not implement InvokeWithResponseStream).` }
+		unsupported: { reason: `${stackName}/${logicalId}: InvokeMode ${shortJson$1(invokeModeRaw)} is not a recognized value (expected 'BUFFERED' or 'RESPONSE_STREAM').` }
 	}];
 	return [{
 		...baseRoute,
-		lambdaLogicalId
+		lambdaLogicalId,
+		invokeMode
 	}];
 }
 /**
@@ -43717,6 +43878,26 @@ async function handleRequest(req, res, state, opts) {
 		writeError(res, 502);
 		return;
 	}
+	if (match.route.invokeMode === "RESPONSE_STREAM") {
+		let streamResult;
+		try {
+			streamResult = await invokeRieStreaming(handle.containerHost, handle.hostPort, baseEvent, opts.rieTimeoutMs);
+			try {
+				writeStreamingResponse(res, streamResult, () => state.pool.release(handle));
+			} catch (writeErr) {
+				streamResult.body.on("error", () => {});
+				streamResult.body.destroy(writeErr instanceof Error ? writeErr : new Error(String(writeErr)));
+				throw writeErr;
+			}
+			return;
+		} catch (err) {
+			logger.error(`RIE streaming invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
+			if (!res.headersSent) writeError(res, 502);
+			else res.end();
+			state.pool.release(handle);
+			return;
+		}
+	}
 	try {
 		const translated = translateLambdaResponse((await invokeRie(handle.containerHost, handle.hostPort, baseEvent, opts.rieTimeoutMs)).payload, match.route.apiVersion);
 		res.statusCode = translated.statusCode;
@@ -43732,6 +43913,42 @@ async function handleRequest(req, res, state, opts) {
 	}
 }
 /**
+* Pipe a streaming RIE response into an `http.ServerResponse`. The
+* prelude's status + headers are written via `res.writeHead(...)`; the
+* body Readable is `pipe`'d through to the response so Node's
+* `Transfer-Encoding: chunked` machinery handles backpressure +
+* chunked framing automatically.
+*
+* `releasePool` runs in a `finally`-equivalent path so the warm
+* container is returned to the pool whether the stream ends cleanly
+* (`'end'` event) or errors mid-body (`'error'` event). Errors after
+* the prelude has been written can no longer be reported as HTTP
+* status — the stream is destroyed and the connection aborts.
+*
+* Cookies in the prelude are emitted as multiple `Set-Cookie` headers
+* (HTTP API v2 semantics — matching the buffered path's behavior).
+*/
+function writeStreamingResponse(res, result, releasePool) {
+	const logger = getLogger().child("start-api");
+	const { prelude, body } = result;
+	const headersOut = { ...prelude.headers };
+	if (prelude.cookies && prelude.cookies.length > 0) headersOut["set-cookie"] = prelude.cookies;
+	res.writeHead(prelude.statusCode, headersOut);
+	let released = false;
+	const releaseOnce = () => {
+		if (released) return;
+		released = true;
+		releasePool();
+	};
+	body.on("error", (err) => {
+		logger.error(`Streaming Lambda response body errored mid-stream: ${err instanceof Error ? err.message : String(err)}`);
+		res.destroy(err);
+		releaseOnce();
+	});
+	res.on("close", releaseOnce);
+	body.pipe(res);
+}
+/**
 * Attempt CORS preflight interception. Returns `true` when the
 * preflight response was written (caller must NOT continue to route
 * dispatch); `false` when no preflight match (caller falls through to
@@ -49094,7 +49311,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.129.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.130.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());