npm - @go-to-k/cdkd - Versions diffs - 0.131.0 → 0.132.0 - Mend

@go-to-k/cdkd 0.131.0 → 0.132.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -40433,20 +40433,74 @@ function discoverRestV1Method(logicalId, resource, template, stackName) {
 	};
 	const integrationType = integration["Type"];
 	if (integrationType === "MOCK") {
-		const preflight = httpMethod === "OPTIONS" ? extractRestV1MockCorsConfig(integration) : void 0;
-		if (preflight) return [{
+		if (httpMethod === "OPTIONS") {
+			const preflight = extractRestV1MockCorsConfig(integration);
+			if (preflight) return [{
+				...baseRoute,
+				method: "OPTIONS",
+				pathPattern: path,
+				lambdaLogicalId: "",
+				mockCors: preflight
+			}];
+		}
+		const config = buildMockIntegrationConfig(integration);
+		return [{
+			...baseRoute,
+			method: httpMethod,
+			pathPattern: path,
+			lambdaLogicalId: "",
+			restV1Integration: config
+		}];
+	}
+	if (integrationType === "HTTP_PROXY") {
+		const config = buildHttpProxyIntegrationConfig(integration, stackName, logicalId);
+		if (config.kind === "unsupported") return [{
+			...baseRoute,
+			method: httpMethod,
+			pathPattern: path,
+			lambdaLogicalId: "",
+			unsupported: { reason: config.reason }
+		}];
+		return [{
+			...baseRoute,
+			method: httpMethod,
+			pathPattern: path,
+			lambdaLogicalId: "",
+			restV1Integration: config.config
+		}];
+	}
+	if (integrationType === "HTTP") {
+		const config = buildHttpIntegrationConfig(integration, stackName, logicalId);
+		if (config.kind === "unsupported") return [{
 			...baseRoute,
-			method: "OPTIONS",
+			method: httpMethod,
 			pathPattern: path,
 			lambdaLogicalId: "",
-			mockCors: preflight
+			unsupported: { reason: config.reason }
 		}];
 		return [{
 			...baseRoute,
 			method: httpMethod,
 			pathPattern: path,
 			lambdaLogicalId: "",
-			unsupported: { reason: `${stackName}/${logicalId}: MOCK integration is not emulated (only the CORS preflight subset, where HttpMethod=OPTIONS and IntegrationResponses carry literal method.response.header.* values, is supported).` }
+			restV1Integration: config.config
+		}];
+	}
+	if (integrationType === "AWS") {
+		const config = buildAwsIntegrationConfig(integration, stackName, logicalId);
+		if (config.kind === "unsupported") return [{
+			...baseRoute,
+			method: httpMethod,
+			pathPattern: path,
+			lambdaLogicalId: "",
+			unsupported: { reason: config.reason }
+		}];
+		return [{
+			...baseRoute,
+			method: httpMethod,
+			pathPattern: path,
+			lambdaLogicalId: config.config.lambdaLogicalId,
+			restV1Integration: config.config
 		}];
 	}
 	if (integrationType !== "AWS_PROXY") return [{
@@ -40454,7 +40508,7 @@ function discoverRestV1Method(logicalId, resource, template, stackName) {
 		method: httpMethod,
 		pathPattern: path,
 		lambdaLogicalId: "",
-		unsupported: { reason: `${stackName}/${logicalId}: REST v1 integration type '${String(integrationType)}' is not supported (only AWS_PROXY and the MOCK CORS preflight subset).` }
+		unsupported: { reason: `${stackName}/${logicalId}: unknown REST v1 integration type '${String(integrationType)}' (expected AWS_PROXY / AWS / HTTP / HTTP_PROXY / MOCK).` }
 	}];
 	const integrationUri = integration["Uri"];
 	const arnOutcome = resolveLambdaArnOutcome(integrationUri);
@@ -40524,6 +40578,188 @@ function extractRestV1MockCorsConfig(integration) {
 	};
 }
 /**
+* Marker sequence on a Lambda invoke ARN — used to tell apart REST v1
+* `AWS` integrations whose backend is Lambda (`functions/<arn>/invocations`)
+* from other AWS-service integrations (`:s3:path/...`, `:sqs:path/...`).
+* Closes #457's AWS-vs-Lambda discrimination.
+*/
+const LAMBDA_INVOKE_PATH = ":lambda:path/2015-03-31/functions/";
+/**
+* Build a MOCK integration config for `cdkd local start-api` dispatch.
+*
+* Pulls `Integration.RequestTemplates['application/json']` (drives MOCK
+* status-code selection — AWS reads `{"statusCode": N}` from the rendered
+* template) and `Integration.IntegrationResponses[]` (drives the shaped
+* response).
+*/
+function buildMockIntegrationConfig(integration) {
+	const requestTemplate = pickStringFromRecord(integration["RequestTemplates"], "application/json");
+	const responses = readIntegrationResponses(integration);
+	return {
+		kind: "mock",
+		requestTemplate: requestTemplate ?? void 0,
+		responses
+	};
+}
+/**
+* Build a HTTP_PROXY integration config. The Uri must be a literal
+* string at template-author time — `Fn::Sub` shapes with literal
+* placeholders are rare and unsupported in v1 (surfaces as a 501 with
+* a clear reason).
+*/
+function buildHttpProxyIntegrationConfig(integration, stackName, logicalId) {
+	const uri = integration["Uri"];
+	if (typeof uri !== "string" || uri.length === 0) return {
+		kind: "unsupported",
+		reason: `${stackName}/${logicalId}: HTTP_PROXY Integration.Uri must be a literal string in v1 (cdkd local start-api does not resolve Fn::Sub / Fn::Join in HTTP_PROXY Uris); got ${shortJson$1(uri)}.`
+	};
+	const integrationHttpMethod = pickStringField(integration, "IntegrationHttpMethod");
+	const requestParameters = pickStringRecord(integration["RequestParameters"]);
+	const responses = readIntegrationResponses(integration);
+	return {
+		kind: "config",
+		config: {
+			kind: "http-proxy",
+			uri,
+			...integrationHttpMethod !== void 0 && { integrationHttpMethod },
+			...requestParameters !== void 0 && { requestParameters },
+			responses
+		}
+	};
+}
+/**
+* Build an HTTP (non-proxy) integration config. Like HTTP_PROXY but with
+* `RequestTemplates` for VTL transformation.
+*/
+function buildHttpIntegrationConfig(integration, stackName, logicalId) {
+	const uri = integration["Uri"];
+	if (typeof uri !== "string" || uri.length === 0) return {
+		kind: "unsupported",
+		reason: `${stackName}/${logicalId}: HTTP Integration.Uri must be a literal string in v1 (cdkd local start-api does not resolve Fn::Sub / Fn::Join in HTTP Uris); got ${shortJson$1(uri)}.`
+	};
+	const integrationHttpMethod = pickStringField(integration, "IntegrationHttpMethod");
+	const requestParameters = pickStringRecord(integration["RequestParameters"]);
+	const requestTemplates = pickStringRecord(integration["RequestTemplates"]);
+	const responses = readIntegrationResponses(integration);
+	return {
+		kind: "config",
+		config: {
+			kind: "http",
+			uri,
+			...integrationHttpMethod !== void 0 && { integrationHttpMethod },
+			...requestParameters !== void 0 && { requestParameters },
+			...requestTemplates !== void 0 && { requestTemplates },
+			responses
+		}
+	};
+}
+/**
+* Build an AWS integration config. Branches on whether the integration
+* targets a Lambda (`:lambda:path/2015-03-31/functions/<arn>/invocations`)
+* or a non-Lambda AWS service (`:s3:path/...` / `:sqs:action/...` etc.).
+*
+* cdkd v1 supports Lambda non-proxy AWS integrations end-to-end. Non-
+* Lambda AWS service integrations surface as deferred-501 unsupported
+* routes — they would require an AWS SDK client per service, IAM
+* credential threading, and a sizable per-service unit-test matrix.
+* See [docs/local-emulation.md](docs/local-emulation.md) for the deferred
+* AWS-service-action list.
+*/
+function buildAwsIntegrationConfig(integration, stackName, logicalId) {
+	const uri = integration["Uri"];
+	if (!uriContainsLambdaMarker(uri)) return {
+		kind: "unsupported",
+		reason: `${stackName}/${logicalId}: REST v1 AWS integration targeting a non-Lambda service (Uri ${shortJson$1(uri)}) is not emulated locally in cdkd v1. Lambda non-proxy AWS integrations are supported; direct AWS service integrations (S3 / SQS / SNS / DynamoDB) require deploying to AWS. See docs/local-emulation.md.`
+	};
+	const arnOutcome = resolveLambdaArnOutcome(uri);
+	if (arnOutcome.kind === "unsupported") return {
+		kind: "unsupported",
+		reason: `${stackName}/${logicalId}.Integration.Uri: ${arnOutcome.detail} (got ${shortJson$1(uri)}). Lambda Arn intrinsics on cross-stack / imported references are not resolvable locally.`
+	};
+	const requestTemplates = pickStringRecord(integration["RequestTemplates"]);
+	const responses = readIntegrationResponses(integration);
+	return {
+		kind: "config",
+		config: {
+			kind: "aws-lambda",
+			lambdaLogicalId: arnOutcome.logicalId,
+			...requestTemplates !== void 0 && { requestTemplates },
+			responses
+		}
+	};
+}
+/**
+* Determine whether an `Integration.Uri` references a Lambda invoke path.
+* Recognises the canonical Lambda invoke ARN shape across the same
+* intrinsic forms `intrinsic-lambda-arn.ts` accepts (the shared resolver
+* never produces this Boolean directly, so we walk the shape here).
+*/
+function uriContainsLambdaMarker(uri) {
+	if (typeof uri === "string") return uri.includes(LAMBDA_INVOKE_PATH);
+	if (uri && typeof uri === "object" && !Array.isArray(uri)) {
+		const obj = uri;
+		if ("Fn::Sub" in obj) {
+			const v = obj["Fn::Sub"];
+			if (typeof v === "string") return v.includes(LAMBDA_INVOKE_PATH);
+			if (Array.isArray(v) && typeof v[0] === "string") return v[0].includes(LAMBDA_INVOKE_PATH);
+		}
+		if ("Fn::Join" in obj) {
+			const join = obj["Fn::Join"];
+			if (Array.isArray(join) && join.length === 2 && Array.isArray(join[1])) {
+				for (const piece of join[1]) if (typeof piece === "string" && piece.includes(LAMBDA_INVOKE_PATH)) return true;
+			}
+		}
+		if ("Ref" in obj || "Fn::GetAtt" in obj) return true;
+	}
+	return false;
+}
+/**
+* Read `Integration.IntegrationResponses[]` from a Method's Integration
+* sub-object and return the entries cdkd's dispatchers consume.
+*
+* Defensive: rejects non-object entries with a clear inline warning.
+*/
+function readIntegrationResponses(integration) {
+	const raw = integration["IntegrationResponses"];
+	if (!Array.isArray(raw)) return [];
+	const out = [];
+	for (const entry of raw) {
+		if (!entry || typeof entry !== "object") continue;
+		const obj = entry;
+		const statusCode = obj["StatusCode"];
+		if (statusCode === void 0) continue;
+		if (typeof statusCode !== "string" && typeof statusCode !== "number") continue;
+		const e = { StatusCode: String(statusCode) };
+		if (typeof obj["SelectionPattern"] === "string") e.SelectionPattern = obj["SelectionPattern"];
+		const responseParameters = pickStringRecord(obj["ResponseParameters"]);
+		if (responseParameters !== void 0) e.ResponseParameters = responseParameters;
+		const responseTemplates = pickStringRecord(obj["ResponseTemplates"]);
+		if (responseTemplates !== void 0) e.ResponseTemplates = responseTemplates;
+		if (typeof obj["ContentHandling"] === "string") e.ContentHandling = obj["ContentHandling"];
+		out.push(e);
+	}
+	return out;
+}
+function pickStringField(props, key) {
+	const v = props[key];
+	return typeof v === "string" ? v : void 0;
+}
+function pickStringRecord(value) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return void 0;
+	const out = {};
+	let any = false;
+	for (const [k, v] of Object.entries(value)) if (typeof v === "string") {
+		out[k] = v;
+		any = true;
+	}
+	return any ? out : void 0;
+}
+function pickStringFromRecord(value, key) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return void 0;
+	const v = value[key];
+	return typeof v === "string" ? v : void 0;
+}
+/**
 * Walk a chain of `AWS::ApiGateway::Resource` parent pointers up to the
 * `RestApi` root to build the full path. Each `Resource` contributes a
 * `PathPart` segment; the `RestApi` itself contributes the leading `/`.
@@ -40891,6 +41127,1354 @@ function shortJson$1(value) {
 	}
 }
+//#endregion
+//#region src/local/vtl-engine.ts
+/** Error thrown when a template references an unsupported VTL feature. */
+var VtlEvaluationError = class VtlEvaluationError extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "VtlEvaluationError";
+		Object.setPrototypeOf(this, VtlEvaluationError.prototype);
+	}
+};
+/** Built-in `$util` implementation. */
+function buildDefaultUtil() {
+	const coerce = (v) => {
+		if (v == null) return "";
+		if (typeof v === "string") return v;
+		if (typeof v === "number" || typeof v === "boolean" || typeof v === "bigint") return String(v);
+		try {
+			return JSON.stringify(v);
+		} catch {
+			return "";
+		}
+	};
+	return {
+		escapeJavaScript(input) {
+			return coerce(input).replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/'/g, "\\'").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t");
+		},
+		base64Encode(input) {
+			return Buffer.from(coerce(input), "utf-8").toString("base64");
+		},
+		base64Decode(input) {
+			return Buffer.from(coerce(input), "base64").toString("utf-8");
+		},
+		urlEncode(input) {
+			return encodeURIComponent(coerce(input));
+		},
+		urlDecode(input) {
+			try {
+				return decodeURIComponent(coerce(input));
+			} catch {
+				return coerce(input);
+			}
+		},
+		parseJson(input) {
+			const s = coerce(input);
+			try {
+				return JSON.parse(s);
+			} catch (err) {
+				throw new VtlEvaluationError(`$util.parseJson: invalid JSON input: ${err instanceof Error ? err.message : String(err)}`);
+			}
+		}
+	};
+}
+/**
+* Public entry point — evaluate a VTL template against a context and
+* return the rendered string. Throws {@link VtlEvaluationError} on any
+* unsupported syntax or runtime failure.
+*
+* Empty / undefined templates short-circuit to an empty string, matching
+* AWS API Gateway behavior when `RequestTemplates` / `ResponseTemplates`
+* is absent for the selected content type.
+*/
+function evaluateVtl(template, ctx) {
+	if (template === void 0 || template.length === 0) return "";
+	return new VtlEvaluator(ctx).evaluate(template);
+}
+/**
+* Stateful evaluator. Tokenizes + parses + renders in one pass — minimal
+* subset, so a recursive-descent walk over the template suffices. Tracks
+* a per-template scope chain for `#set` and `#foreach` bindings.
+*/
+var VtlEvaluator = class {
+	ctx;
+	scopes;
+	output = [];
+	constructor(ctx) {
+		this.ctx = ctx;
+		this.scopes = [/* @__PURE__ */ new Map()];
+	}
+	evaluate(template) {
+		this.renderBlock(template);
+		return this.output.join("");
+	}
+	/**
+	* Render a block — walks the template, interpolating `${var}` /
+	* `$var.field.method(args)` and handling `#set` / `#if` / `#foreach`
+	* directives.
+	*
+	* The walk is line-aware for directives: every `#directive` MUST start
+	* a line (after whitespace) per Velocity convention, but for ergonomics
+	* we also accept directives at the start of the template. Inline `$var`
+	* references are handled anywhere.
+	*/
+	renderBlock(block) {
+		let i = 0;
+		while (i < block.length) {
+			const ch = block[i];
+			if (ch === "#" && this.isDirectiveStart(block, i)) {
+				i = this.handleDirective(block, i);
+				continue;
+			}
+			if (ch === "$") {
+				const consumed = this.handleVariable(block, i);
+				if (consumed > 0) {
+					i += consumed;
+					continue;
+				}
+			}
+			if (ch === "\\" && i + 1 < block.length && block[i + 1] === "$") {
+				this.output.push("$");
+				i += 2;
+				continue;
+			}
+			this.output.push(ch ?? "");
+			i++;
+		}
+	}
+	isDirectiveStart(block, i) {
+		if (i + 1 >= block.length) return false;
+		const next = block[i + 1];
+		if (next === "#") return true;
+		return next !== void 0 && /[a-zA-Z]/.test(next);
+	}
+	/**
+	* Handle one directive (`#set`, `#if`, `#foreach`, etc.) — returns the
+	* NEW index in `block` (i.e. how far we consumed past the directive).
+	*/
+	handleDirective(block, start) {
+		if (block[start + 1] === "#") {
+			const eol = block.indexOf("\n", start);
+			return eol === -1 ? block.length : eol + 1;
+		}
+		const directiveMatch = /^#([a-zA-Z]+)/.exec(block.slice(start));
+		if (!directiveMatch) {
+			this.output.push("#");
+			return start + 1;
+		}
+		const name = directiveMatch[1];
+		const afterDirective = start + 1 + name.length;
+		switch (name) {
+			case "set": return this.handleSetDirective(block, afterDirective);
+			case "if": return this.handleIfDirective(block, afterDirective);
+			case "foreach": return this.handleForeachDirective(block, afterDirective);
+			case "else":
+			case "elseif":
+			case "end": throw new VtlEvaluationError(`Unexpected #${name} outside of a #if / #foreach block`);
+			default: throw new VtlEvaluationError(`Unsupported VTL directive #${name} (cdkd local start-api supports #set / #if / #elseif / #else / #foreach / #end / ##)`);
+		}
+	}
+	/**
+	* `#set($var = expression)` — assigns to the innermost scope.
+	*/
+	handleSetDirective(block, after) {
+		const { args, end } = this.readParenArgs(block, after);
+		const eq = args.indexOf("=");
+		if (eq === -1) throw new VtlEvaluationError(`#set requires '=': got #set(${args})`);
+		const left = args.slice(0, eq).trim();
+		const right = args.slice(eq + 1).trim();
+		if (!left.startsWith("$")) throw new VtlEvaluationError(`#set left side must be a $var reference (got '${left}')`);
+		const varName = left.slice(1).replace(/^\{/, "").replace(/\}$/, "");
+		const value = this.evaluateExpression(right);
+		this.scopes[this.scopes.length - 1].set(varName, value);
+		return this.skipDirectiveTrailingNewline(block, end);
+	}
+	/**
+	* `#if (cond) ... #elseif (cond) ... #else ... #end`. Renders the
+	* first true branch only; the rest are skipped (their text NOT emitted).
+	*/
+	handleIfDirective(block, after) {
+		const { args: condExpr, end } = this.readParenArgs(block, after);
+		let rendered = false;
+		let renderedAny = false;
+		const branches = [{
+			condition: condExpr,
+			bodyStart: this.skipDirectiveTrailingNewline(block, end),
+			bodyEnd: -1
+		}];
+		let cursor = branches[0].bodyStart;
+		let depth = 1;
+		while (cursor < block.length && depth > 0) {
+			if (block[cursor] !== "#") {
+				cursor++;
+				continue;
+			}
+			const m = /^#([a-zA-Z]+)/.exec(block.slice(cursor));
+			if (!m) {
+				cursor++;
+				continue;
+			}
+			const tag = m[1];
+			const tagAfter = cursor + 1 + tag.length;
+			if (tag === "if" || tag === "foreach") {
+				depth++;
+				cursor = tagAfter;
+				continue;
+			}
+			if (tag === "end") {
+				depth--;
+				if (depth === 0) {
+					branches[branches.length - 1].bodyEnd = cursor;
+					const endIdx = this.skipDirectiveTrailingNewline(block, tagAfter);
+					for (const branch of branches) {
+						if (rendered) break;
+						const truthy = branch.condition === null ? !renderedAny : this.evaluateCondition(branch.condition);
+						if (truthy) {
+							this.renderBlock(block.slice(branch.bodyStart, branch.bodyEnd));
+							rendered = true;
+						}
+						renderedAny = renderedAny || truthy;
+					}
+					return endIdx;
+				}
+				cursor = tagAfter;
+				continue;
+			}
+			if (depth === 1 && (tag === "elseif" || tag === "else")) {
+				branches[branches.length - 1].bodyEnd = cursor;
+				if (tag === "elseif") {
+					const { args, end: elseifEnd } = this.readParenArgs(block, tagAfter);
+					branches.push({
+						condition: args,
+						bodyStart: this.skipDirectiveTrailingNewline(block, elseifEnd),
+						bodyEnd: -1
+					});
+					cursor = branches[branches.length - 1].bodyStart;
+				} else {
+					branches.push({
+						condition: null,
+						bodyStart: this.skipDirectiveTrailingNewline(block, tagAfter),
+						bodyEnd: -1
+					});
+					cursor = branches[branches.length - 1].bodyStart;
+				}
+				continue;
+			}
+			cursor = tagAfter;
+		}
+		throw new VtlEvaluationError("#if without matching #end");
+	}
+	/**
+	* `#foreach($x in $list) ... #end` — iterates a list / object's values.
+	*/
+	handleForeachDirective(block, after) {
+		const { args, end } = this.readParenArgs(block, after);
+		const m = /^\s*\$([a-zA-Z_][a-zA-Z_0-9]*)\s+in\s+(.+)$/.exec(args);
+		if (!m) throw new VtlEvaluationError(`Invalid #foreach syntax: ${args}`);
+		const varName = m[1];
+		const listExpr = m[2];
+		const listValue = this.evaluateExpression(listExpr);
+		let depth = 1;
+		let cursor = this.skipDirectiveTrailingNewline(block, end);
+		const bodyStart = cursor;
+		while (cursor < block.length && depth > 0) {
+			if (block[cursor] !== "#") {
+				cursor++;
+				continue;
+			}
+			const tm = /^#([a-zA-Z]+)/.exec(block.slice(cursor));
+			if (!tm) {
+				cursor++;
+				continue;
+			}
+			const tag = tm[1];
+			if (tag === "if" || tag === "foreach") {
+				depth++;
+				cursor += 1 + tag.length;
+				continue;
+			}
+			if (tag === "end") {
+				depth--;
+				if (depth === 0) {
+					const bodyEnd = cursor;
+					const endIdx = this.skipDirectiveTrailingNewline(block, cursor + 1 + tag.length);
+					const items = this.coerceToIterable(listValue);
+					for (const item of items) {
+						this.scopes.push(new Map([[varName, item]]));
+						try {
+							this.renderBlock(block.slice(bodyStart, bodyEnd));
+						} finally {
+							this.scopes.pop();
+						}
+					}
+					return endIdx;
+				}
+			}
+			cursor += 1 + tag.length;
+		}
+		throw new VtlEvaluationError("#foreach without matching #end");
+	}
+	/** Convert a value into an iterable sequence for `#foreach`. */
+	coerceToIterable(value) {
+		if (Array.isArray(value)) return value;
+		if (value && typeof value === "object") return Object.values(value);
+		if (value == null) return [];
+		return [value];
+	}
+	/**
+	* Skip whitespace and a single trailing newline immediately after a
+	* directive — matches Velocity's "directive eats its own newline"
+	* convention. Without this rule, every `#set(...)` line in a template
+	* would leave a blank line in the output.
+	*/
+	skipDirectiveTrailingNewline(block, after) {
+		let i = after;
+		while (i < block.length && (block[i] === " " || block[i] === "	")) i++;
+		if (block[i] === "\r") i++;
+		if (block[i] === "\n") i++;
+		return i;
+	}
+	/**
+	* Read `(...)` arguments after a directive name. Returns the inner
+	* string + the index AFTER the closing paren. Handles nested parens
+	* inside string literals / method calls.
+	*/
+	readParenArgs(block, after) {
+		let i = after;
+		while (i < block.length && (block[i] === " " || block[i] === "	")) i++;
+		if (block[i] !== "(") throw new VtlEvaluationError(`Expected '(' after directive at offset ${after}`);
+		i++;
+		let depth = 1;
+		const start = i;
+		let inString = null;
+		while (i < block.length && depth > 0) {
+			const c = block[i];
+			if (inString) {
+				if (c === "\\" && i + 1 < block.length) {
+					i += 2;
+					continue;
+				}
+				if (c === inString) inString = null;
+				i++;
+				continue;
+			}
+			if (c === "\"" || c === "'") {
+				inString = c;
+				i++;
+				continue;
+			}
+			if (c === "(") depth++;
+			else if (c === ")") depth--;
+			if (depth === 0) break;
+			i++;
+		}
+		if (depth !== 0) throw new VtlEvaluationError(`Unterminated parenthesised argument at offset ${after}`);
+		return {
+			args: block.slice(start, i),
+			end: i + 1
+		};
+	}
+	/**
+	* Handle a `$var` / `${var}` / `$obj.field.method(args)` reference.
+	* Returns the number of characters consumed (0 if not a reference —
+	* caller emits the literal `$`).
+	*/
+	handleVariable(block, start) {
+		const m = /^\$(\{[^}]+\}|[a-zA-Z_][a-zA-Z_0-9]*(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*)/.exec(block.slice(start));
+		if (!m) return 0;
+		const ref = m[1];
+		const refStr = ref.startsWith("{") ? ref.slice(1, -1) : ref;
+		let consumed = m[0].length;
+		let value = this.resolveReference(refStr);
+		let pos = start + consumed;
+		while (pos < block.length) {
+			if (block[pos] === "(") {
+				const { args, end } = this.readParenArgs(block, pos);
+				value = this.callValueAsMethod(value, args, refStr);
+				consumed = end - start;
+				pos = end;
+				if (pos < block.length && block[pos] === ".") {
+					const tailMatch = /^\.([a-zA-Z_][a-zA-Z_0-9]*)/.exec(block.slice(pos));
+					if (tailMatch) {
+						const field = tailMatch[1];
+						value = lookupField(value, field);
+						consumed += tailMatch[0].length;
+						pos += tailMatch[0].length;
+						continue;
+					}
+				}
+				break;
+			}
+			break;
+		}
+		this.output.push(this.stringifyForOutput(value));
+		return consumed;
+	}
+	/**
+	* Resolve a dotted reference path against context + scopes. The first
+	* segment is matched against built-in roots (`input` / `context` / `util`
+	* / `inputRoot`) and the scope chain in order.
+	*/
+	resolveReference(path) {
+		const parts = path.split(".");
+		const first = parts[0];
+		const rest = parts.slice(1);
+		let base;
+		if (first === "input") base = this.ctx.input;
+		else if (first === "context") base = this.ctx.context;
+		else if (first === "util") base = this.ctx.util;
+		else if (first === "inputRoot") base = this.ctx.inputRoot;
+		else {
+			let found = false;
+			for (let i = this.scopes.length - 1; i >= 0; i--) {
+				const scope = this.scopes[i];
+				if (scope.has(first)) {
+					base = scope.get(first);
+					found = true;
+					break;
+				}
+			}
+			if (!found) return null;
+		}
+		return rest.reduce((acc, seg) => lookupField(acc, seg), base);
+	}
+	/**
+	* Invoke a value as a method — used after a `$ref(args)` shape. The
+	* value must be a function or a special-cased built-in.
+	*/
+	callValueAsMethod(value, argsRaw, refPath) {
+		if (typeof value !== "function") throw new VtlEvaluationError(`Reference '$${refPath}' is not callable (got ${typeof value}). cdkd supports calling $input / $util / $context method-style references only.`);
+		return value(...this.parseArgList(argsRaw));
+	}
+	/**
+	* Parse a comma-separated argument list — recursively evaluates each
+	* expression. Handles string literals, numbers, booleans, and nested
+	* `$var` refs.
+	*/
+	parseArgList(raw) {
+		const trimmed = raw.trim();
+		if (trimmed.length === 0) return [];
+		const parts = [];
+		let depth = 0;
+		let inString = null;
+		let start = 0;
+		for (let i = 0; i < trimmed.length; i++) {
+			const c = trimmed[i];
+			if (inString) {
+				if (c === "\\" && i + 1 < trimmed.length) {
+					i++;
+					continue;
+				}
+				if (c === inString) inString = null;
+				continue;
+			}
+			if (c === "\"" || c === "'") {
+				inString = c;
+				continue;
+			}
+			if (c === "(" || c === "[") depth++;
+			else if (c === ")" || c === "]") depth--;
+			else if (c === "," && depth === 0) {
+				parts.push(trimmed.slice(start, i));
+				start = i + 1;
+			}
+		}
+		parts.push(trimmed.slice(start));
+		return parts.map((p) => this.evaluateExpression(p.trim()));
+	}
+	/**
+	* Evaluate a sub-expression (string literal / number / boolean / null /
+	* `$ref` / `$ref.field`). Tiny grammar — no arithmetic operators.
+	*/
+	evaluateExpression(expr) {
+		const trimmed = expr.trim();
+		if (trimmed.length === 0) return null;
+		if (trimmed === "true") return true;
+		if (trimmed === "false") return false;
+		if (trimmed === "null") return null;
+		if (trimmed.startsWith("\"") && trimmed.endsWith("\"") || trimmed.startsWith("'") && trimmed.endsWith("'")) return this.unescapeStringLiteral(trimmed.slice(1, -1));
+		if (/^-?\d+(?:\.\d+)?$/.test(trimmed)) return Number(trimmed);
+		if (trimmed.startsWith("$")) {
+			const refMatch = /^\$(\{[^}]+\}|[a-zA-Z_][a-zA-Z_0-9]*(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*)$/.exec(trimmed);
+			if (refMatch) {
+				const refStr = refMatch[1];
+				const refPath = refStr.startsWith("{") ? refStr.slice(1, -1) : refStr;
+				return this.resolveReference(refPath);
+			}
+			const callMatch = /^\$([a-zA-Z_][a-zA-Z_0-9]*(?:\.[a-zA-Z_][a-zA-Z_0-9]*)*)\((.*)\)$/.exec(trimmed);
+			if (callMatch) {
+				const refPath = callMatch[1];
+				const argsRaw = callMatch[2];
+				const value = this.resolveReference(refPath);
+				return this.callValueAsMethod(value, argsRaw, refPath);
+			}
+		}
+		throw new VtlEvaluationError(`Could not evaluate VTL sub-expression: '${trimmed}'`);
+	}
+	unescapeStringLiteral(s) {
+		return s.replace(/\\n/g, "\n").replace(/\\r/g, "\r").replace(/\\t/g, "	").replace(/\\\\/g, "\\").replace(/\\"/g, "\"").replace(/\\'/g, "'");
+	}
+	/**
+	* Evaluate a `#if` / `#elseif` condition expression. Supports `&&`,
+	* `||`, `!`, comparison ops, and bare value tests (truthy/falsy).
+	*/
+	evaluateCondition(expr) {
+		const trimmed = expr.trim();
+		const orParts = splitTopLevel(trimmed, "||");
+		if (orParts.length > 1) return orParts.some((p) => this.evaluateCondition(p));
+		const andParts = splitTopLevel(trimmed, "&&");
+		if (andParts.length > 1) return andParts.every((p) => this.evaluateCondition(p));
+		if (trimmed.startsWith("!")) return !this.evaluateCondition(trimmed.slice(1).trim());
+		if (trimmed.startsWith("(") && trimmed.endsWith(")")) return this.evaluateCondition(trimmed.slice(1, -1));
+		for (const op of [
+			"==",
+			"!=",
+			"<=",
+			">=",
+			"<",
+			">"
+		]) {
+			const parts = splitTopLevel(trimmed, op);
+			if (parts.length === 2) return compareValues(this.evaluateExpression(parts[0]), this.evaluateExpression(parts[1]), op);
+		}
+		return isTruthy(this.evaluateExpression(trimmed));
+	}
+	/**
+	* Convert a value to its template output form. Mirrors Velocity's
+	* `toString` convention: `null` → empty string; objects → JSON; numbers
+	* / booleans → standard.
+	*/
+	stringifyForOutput(value) {
+		if (value === null || value === void 0) return "";
+		if (typeof value === "string") return value;
+		if (typeof value === "number" || typeof value === "boolean") return String(value);
+		return JSON.stringify(value);
+	}
+};
+/**
+* Look up `field` on `obj`. Returns `null` for missing fields (Velocity
+* silent-undefined convention).
+*/
+function lookupField(obj, field) {
+	if (obj == null) return null;
+	if (typeof obj === "object") {
+		const rec = obj;
+		if (Object.prototype.hasOwnProperty.call(rec, field)) return rec[field];
+		return null;
+	}
+	return null;
+}
+function splitTopLevel(s, sep) {
+	const out = [];
+	let depth = 0;
+	let inString = null;
+	let start = 0;
+	for (let i = 0; i < s.length; i++) {
+		const c = s[i];
+		if (inString) {
+			if (c === "\\" && i + 1 < s.length) {
+				i++;
+				continue;
+			}
+			if (c === inString) inString = null;
+			continue;
+		}
+		if (c === "\"" || c === "'") {
+			inString = c;
+			continue;
+		}
+		if (c === "(" || c === "[") depth++;
+		else if (c === ")" || c === "]") depth--;
+		else if (depth === 0 && s.startsWith(sep, i)) {
+			out.push(s.slice(start, i));
+			start = i + sep.length;
+			i += sep.length - 1;
+		}
+	}
+	out.push(s.slice(start));
+	return out;
+}
+function compareValues(lhs, rhs, op) {
+	if (op === "==") return looseEqual(lhs, rhs);
+	if (op === "!=") return !looseEqual(lhs, rhs);
+	const a = typeof lhs === "number" ? lhs : Number(lhs);
+	const b = typeof rhs === "number" ? rhs : Number(rhs);
+	if (Number.isFinite(a) && Number.isFinite(b)) switch (op) {
+		case "<": return a < b;
+		case "<=": return a <= b;
+		case ">": return a > b;
+		case ">=": return a >= b;
+	}
+	const sa = String(lhs);
+	const sb = String(rhs);
+	switch (op) {
+		case "<": return sa < sb;
+		case "<=": return sa <= sb;
+		case ">": return sa > sb;
+		case ">=": return sa >= sb;
+	}
+}
+function looseEqual(a, b) {
+	if (a === b) return true;
+	if (a == null || b == null) return a == null && b == null;
+	if (typeof a === typeof b) {
+		if (typeof a === "object") return JSON.stringify(a) === JSON.stringify(b);
+		return false;
+	}
+	return safeStringify(a) === safeStringify(b);
+}
+function safeStringify(v) {
+	if (v == null) return "";
+	if (typeof v === "string") return v;
+	if (typeof v === "number" || typeof v === "boolean" || typeof v === "bigint") return String(v);
+	try {
+		return JSON.stringify(v);
+	} catch {
+		return "";
+	}
+}
+function isTruthy(v) {
+	if (v == null) return false;
+	if (typeof v === "boolean") return v;
+	if (typeof v === "number") return v !== 0;
+	if (typeof v === "string") return v.length > 0;
+	if (Array.isArray(v)) return v.length > 0;
+	if (typeof v === "object") return Object.keys(v).length > 0;
+	return true;
+}
+/**
+* Build a `VtlInput` binding from an HTTP request snapshot + matched
+* route context. `$input` exposes the body + parameter accessors used by
+* AWS API Gateway's VTL templates.
+*
+* `params()` returns the union of header / querystring / path maps;
+* `params(name)` resolves first against path, then querystring, then
+* header (matches AWS-deployed precedence).
+*
+* `json(jsonPath)` returns a JSON-stringified slice of the parsed body;
+* `path(jsonPath)` returns the raw native value (primitives unquoted).
+*
+* JSONPath support is minimal: supports `$` (root), `$.field`,
+* `$.field.subField`, `$.array[0]`. AWS supports more (filter
+* expressions, recursive descent); cdkd surfaces a clear error on
+* unsupported expressions rather than silently producing wrong output.
+*/
+function buildVtlInput(body, headers, querystring, pathParams) {
+	let jsonBodyCache;
+	let jsonBodyParsed = false;
+	function lazyJson() {
+		if (!jsonBodyParsed) {
+			jsonBodyParsed = true;
+			try {
+				jsonBodyCache = body.length === 0 ? null : JSON.parse(body);
+			} catch {
+				jsonBodyCache = null;
+			}
+		}
+		return jsonBodyCache;
+	}
+	function jsonFn(...args) {
+		const expr = args.length > 0 ? String(args[0]) : "$";
+		const val = applyJsonPath(lazyJson(), expr);
+		return JSON.stringify(val ?? null);
+	}
+	function pathFn(...args) {
+		const expr = args.length > 0 ? String(args[0]) : "$";
+		return applyJsonPath(lazyJson(), expr);
+	}
+	function paramsFn(...args) {
+		if (args.length === 0) return {
+			header: headers,
+			querystring,
+			path: pathParams
+		};
+		const arg = String(args[0]);
+		if (arg === "header") return headers;
+		if (arg === "querystring") return querystring;
+		if (arg === "path") return pathParams;
+		if (Object.prototype.hasOwnProperty.call(pathParams, arg)) return pathParams[arg];
+		if (Object.prototype.hasOwnProperty.call(querystring, arg)) return querystring[arg];
+		if (Object.prototype.hasOwnProperty.call(headers, arg)) return headers[arg];
+		const lowerArg = arg.toLowerCase();
+		for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === lowerArg) return v;
+		return null;
+	}
+	return {
+		body,
+		get jsonBody() {
+			return lazyJson();
+		},
+		headers,
+		querystring,
+		path: pathParams,
+		json: jsonFn,
+		path: pathFn,
+		params: paramsFn
+	};
+}
+/**
+* Minimal JSONPath evaluator. Supports `$`, `$.field`, `$.field.sub`,
+* `$.array[index]`. Unsupported syntax throws so the user sees a clear
+* pointer to the gap.
+*/
+function applyJsonPath(root, expr) {
+	const trimmed = expr.trim();
+	if (trimmed === "$" || trimmed.length === 0) return root;
+	if (!trimmed.startsWith("$")) throw new VtlEvaluationError(`JSONPath must start with '$': got '${trimmed}'`);
+	let cursor = root;
+	let i = 1;
+	while (i < trimmed.length) {
+		const c = trimmed[i];
+		if (c === ".") {
+			i++;
+			const m = /^[a-zA-Z_][a-zA-Z_0-9]*/.exec(trimmed.slice(i));
+			if (!m) throw new VtlEvaluationError(`Unsupported JSONPath syntax at position ${i}: '${trimmed}' (cdkd supports $, $.field, $.field.sub, $.array[index] only).`);
+			cursor = lookupField(cursor, m[0]);
+			i += m[0].length;
+			continue;
+		}
+		if (c === "[") {
+			const close = trimmed.indexOf("]", i);
+			if (close === -1) throw new VtlEvaluationError(`Unterminated [ in JSONPath: '${trimmed}'`);
+			const inside = trimmed.slice(i + 1, close).trim();
+			if (/^-?\d+$/.test(inside)) {
+				const idx = Number(inside);
+				if (Array.isArray(cursor)) cursor = cursor[idx];
+				else cursor = null;
+			} else if (inside.startsWith("\"") && inside.endsWith("\"") || inside.startsWith("'") && inside.endsWith("'")) cursor = lookupField(cursor, inside.slice(1, -1));
+			else throw new VtlEvaluationError(`Unsupported JSONPath bracket expression: '${inside}' (cdkd supports integer indices and quoted string keys only).`);
+			i = close + 1;
+			continue;
+		}
+		throw new VtlEvaluationError(`Unexpected character in JSONPath at position ${i}: '${trimmed}'`);
+	}
+	return cursor;
+}
+/**
+* Build a `$context` binding from a request snapshot + matched route.
+* The mapping mirrors what AWS API Gateway exposes (see AWS docs:
+* https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html).
+*/
+function buildVtlRequestContext(args) {
+	return {
+		requestId: args.requestId,
+		httpMethod: args.httpMethod,
+		resourcePath: args.resourcePath,
+		stage: args.stage,
+		identity: {
+			sourceIp: args.sourceIp,
+			userAgent: args.userAgent
+		}
+	};
+}
+//#endregion
+//#region src/local/integration-response-selector.ts
+/**
+* Pick the right `IntegrationResponses[]` entry for the given outcome.
+*
+* Per AWS docs, `SelectionPattern` is matched against the backend
+* outcome regardless of whether the backend returned success or error —
+* a `SelectionPattern: '200'` entry IS expected to match an HTTP 200
+* upstream response. cdkd ALWAYS runs the regex loop first and only
+* falls to the default entry when no pattern matches; pre-#505-review
+* the success branch short-circuited to the default entry without
+* running the regex loop, which silently dropped success-side selection.
+*
+* @param entries - The `IntegrationResponses[]` array from the template
+*   (already extracted from the route's Integration property).
+* @param matchTarget - The string AWS would match `SelectionPattern`
+*   against. For HTTP / HTTP_PROXY this is `String(upstream.status)`;
+*   for Lambda this is the `errorMessage` field on the parsed payload,
+*   or the sentinel `'success'` when the payload has no `errorMessage`.
+*   For MOCK this is unused (MOCK dispatch picks by `StatusCode`).
+* @param fallbackStatusCode - Status code to use when `entries` is empty
+*   or no entry matches AND no default entry exists. HTTP / HTTP_PROXY
+*   pass the upstream status; Lambda passes 200 on success / 500 on
+*   error.
+*/
+function selectIntegrationResponse(entries, matchTarget, fallbackStatusCode = 200) {
+	if (!entries || entries.length === 0) return {
+		entry: null,
+		statusCode: fallbackStatusCode
+	};
+	const defaultEntry = entries.find((e) => e.SelectionPattern === void 0 || e.SelectionPattern === "");
+	for (const entry of entries) {
+		if (entry.SelectionPattern === void 0 || entry.SelectionPattern === "") continue;
+		try {
+			if (new RegExp(`^${entry.SelectionPattern}$`).test(matchTarget)) return {
+				entry,
+				statusCode: parseStatus$1(entry.StatusCode, fallbackStatusCode)
+			};
+		} catch {}
+	}
+	const entry = defaultEntry ?? null;
+	return {
+		entry,
+		statusCode: entry !== null ? parseStatus$1(entry.StatusCode, fallbackStatusCode) : fallbackStatusCode
+	};
+}
+function parseStatus$1(raw, fallback) {
+	if (typeof raw === "number" && Number.isFinite(raw)) return raw;
+	if (typeof raw === "string") {
+		const parsed = Number.parseInt(raw, 10);
+		if (Number.isFinite(parsed)) return parsed;
+	}
+	return fallback;
+}
+/**
+* Evaluate `IntegrationResponse.ResponseParameters` — header literals
+* mapped onto the HTTP response. Returns `{name: value}` for every entry
+* we could resolve; unresolvable entries (non-literal / mapping
+* expression) get a warning via `onUnsupported` and are skipped.
+*
+* AWS format: keys are `method.response.header.<HeaderName>`; values
+* are `'literal'` (with single quotes) or mapping expressions
+* (`integration.response.body.X` / `integration.response.header.X` /
+* `context.X`). cdkd v1 supports the literal form only.
+*/
+function evaluateResponseParameters(responseParameters, opts = {}) {
+	if (!responseParameters) return {};
+	const out = {};
+	for (const [key, value] of Object.entries(responseParameters)) {
+		const headerMatch = /^method\.response\.header\.(.+)$/.exec(key);
+		if (!headerMatch) {
+			opts.onUnsupported?.(key, value, `Only method.response.header.<name> keys are supported on REST v1 ResponseParameters; cdkd cannot map ${key}.`);
+			continue;
+		}
+		const headerName = headerMatch[1];
+		if (typeof value !== "string") {
+			opts.onUnsupported?.(key, String(value), `non-string ResponseParameter value`);
+			continue;
+		}
+		if (value.length >= 2 && value.startsWith("'") && value.endsWith("'")) {
+			out[headerName] = value.slice(1, -1);
+			continue;
+		}
+		opts.onUnsupported?.(key, value, `ResponseParameter value '${value}' is a mapping expression (integration.response.* / context.*) which cdkd local start-api does not emulate. Only single-quoted literals are honored.`);
+	}
+	return out;
+}
+/**
+* Pick the response template AWS would render for the given Accept
+* header. AWS uses content negotiation; cdkd picks `application/json`
+* first, then any other entry. Returns `undefined` when no template is
+* configured (caller emits the backend body verbatim).
+*
+* The chosen template's content-type is also returned so the dispatcher
+* can emit a matching `Content-Type` header (matches AWS-deployed
+* behavior).
+*/
+function pickResponseTemplate(responseTemplates, accept) {
+	if (!responseTemplates) return void 0;
+	const entries = Object.entries(responseTemplates);
+	if (entries.length === 0) return void 0;
+	if (accept) {
+		const acceptTypes = accept.split(",").map((s) => s.split(";")[0].trim()).filter(Boolean);
+		for (const acceptType of acceptTypes) for (const [ct, template] of entries) if (ct === acceptType) return {
+			template,
+			contentType: ct
+		};
+	}
+	const jsonEntry = responseTemplates["application/json"];
+	if (jsonEntry !== void 0) return {
+		template: jsonEntry,
+		contentType: "application/json"
+	};
+	const first = entries[0];
+	return {
+		template: first[1],
+		contentType: first[0]
+	};
+}
+//#endregion
+//#region src/local/rest-v1-integrations.ts
+/**
+* Dispatch a MOCK integration. AWS MOCK semantics:
+*
+*   1. Render `RequestTemplates['application/json']` (VTL) against the
+*      request — yields a JSON object like `{"statusCode": 200}`.
+*   2. Parse the rendered JSON; pick the `IntegrationResponses[]` entry
+*      whose `StatusCode` equals the parsed `statusCode` (string compare,
+*      mirroring AWS).
+*   3. Render the picked entry's `ResponseTemplates[<content-type>]`
+*      against an empty body context and emit it.
+*   4. Apply `ResponseParameters` header literals.
+*
+* When no request template is configured AWS defaults to picking the
+* `IntegrationResponses[]` entry with `SelectionPattern === ''` (or the
+* first entry).
+*/
+function dispatchMockIntegration(config, req) {
+	const logger = getLogger().child("start-api");
+	const ctx = buildVtlContextFromRequest(req, "");
+	let pickedStatus;
+	if (config.requestTemplate !== void 0 && config.requestTemplate.trim().length > 0) try {
+		pickedStatus = extractStatusCodeFromRendered(evaluateVtl(config.requestTemplate, ctx));
+	} catch (err) {
+		return vtlFailure("request", err, config.requestTemplate);
+	}
+	let entry = null;
+	if (pickedStatus !== void 0) entry = config.responses.find((e) => parseStatus(e.StatusCode) === pickedStatus) ?? defaultResponseEntry(config.responses);
+	else entry = defaultResponseEntry(config.responses);
+	if (!entry) return {
+		statusCode: pickedStatus ?? 200,
+		headers: { "content-type": "application/json" },
+		body: ""
+	};
+	const accept = req.headers["accept"];
+	const picked = pickResponseTemplate(entry.ResponseTemplates, accept);
+	const respCtx = buildVtlContextFromRequest(req, "", null);
+	let body = "";
+	let contentType = "application/json";
+	if (picked) {
+		try {
+			body = evaluateVtl(picked.template, respCtx);
+		} catch (err) {
+			return vtlFailure("response", err, picked.template);
+		}
+		contentType = picked.contentType;
+	}
+	const headers = { "content-type": contentType };
+	Object.assign(headers, evaluateResponseParameters(entry.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`MOCK response: ${reason}`) }));
+	return {
+		statusCode: parseStatus(entry.StatusCode) ?? 200,
+		headers,
+		body
+	};
+}
+/**
+* Dispatch an HTTP_PROXY integration. The request is forwarded verbatim
+* with `RequestParameters` mappings applied; the response is also
+* forwarded verbatim (AWS does NOT apply ResponseTemplates on HTTP_PROXY,
+* only IntegrationResponses[].SelectionPattern routes the status code).
+*/
+async function dispatchHttpProxyIntegration(config, req, deps) {
+	const url = substituteUriPlaceholders(config.uri, req);
+	const method = config.integrationHttpMethod ?? req.method;
+	const outHeaders = { ...req.headers };
+	for (const drop of [
+		"host",
+		"connection",
+		"content-length",
+		"transfer-encoding"
+	]) delete outHeaders[drop];
+	applyRequestParameters(config.requestParameters, req, {
+		headers: outHeaders,
+		urlObj: void 0
+	});
+	const fetchImpl = deps.fetch ?? globalThis.fetch;
+	const fetchInit = {
+		method,
+		headers: outHeaders
+	};
+	if (req.body.length > 0) fetchInit.body = new Uint8Array(req.body);
+	let upstream;
+	try {
+		upstream = await fetchImpl(url, fetchInit);
+	} catch (err) {
+		return {
+			statusCode: 502,
+			headers: { "content-type": "application/json" },
+			body: JSON.stringify({
+				message: "HTTP_PROXY upstream unreachable",
+				url,
+				reason: err instanceof Error ? err.message : String(err)
+			})
+		};
+	}
+	const upstreamBody = Buffer.from(await upstream.arrayBuffer());
+	const selected = selectIntegrationResponse(config.responses, String(upstream.status), upstream.status);
+	const headers = {};
+	upstream.headers.forEach((value, name) => {
+		headers[name.toLowerCase()] = value;
+	});
+	delete headers["content-encoding"];
+	delete headers["content-length"];
+	const logger = getLogger().child("start-api");
+	Object.assign(headers, evaluateResponseParameters(selected.entry?.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`HTTP_PROXY response: ${reason}`) }));
+	return {
+		statusCode: selected.entry ? selected.statusCode : upstream.status,
+		headers,
+		body: upstreamBody
+	};
+}
+/**
+* Dispatch an HTTP (non-proxy) integration: HTTP_PROXY + VTL on both
+* directions. Same upstream-call shape; the request body is transformed
+* via VTL, and the response body is transformed via VTL too.
+*/
+async function dispatchHttpIntegration(config, req, deps) {
+	const logger = getLogger().child("start-api");
+	const url = substituteUriPlaceholders(config.uri, req);
+	const method = config.integrationHttpMethod ?? req.method;
+	const ctx = buildVtlContextFromRequest(req, req.body.toString("utf-8"));
+	const reqTemplate = pickRequestTemplate(config.requestTemplates, req.headers["content-type"]);
+	let outBody;
+	let outContentType = req.headers["content-type"] ?? "application/json";
+	if (reqTemplate) {
+		try {
+			outBody = evaluateVtl(reqTemplate.template, ctx);
+		} catch (err) {
+			return vtlFailure("request", err, reqTemplate.template);
+		}
+		outContentType = reqTemplate.contentType;
+	} else outBody = req.body.toString("utf-8");
+	const outHeaders = {
+		...req.headers,
+		"content-type": outContentType
+	};
+	for (const drop of [
+		"host",
+		"connection",
+		"content-length",
+		"transfer-encoding"
+	]) delete outHeaders[drop];
+	applyRequestParameters(config.requestParameters, req, {
+		headers: outHeaders,
+		urlObj: void 0
+	});
+	const fetchImpl = deps.fetch ?? globalThis.fetch;
+	const fetchInit = {
+		method,
+		headers: outHeaders
+	};
+	if (outBody !== void 0 && outBody.length > 0) fetchInit.body = outBody;
+	let upstream;
+	try {
+		upstream = await fetchImpl(url, fetchInit);
+	} catch (err) {
+		return {
+			statusCode: 502,
+			headers: { "content-type": "application/json" },
+			body: JSON.stringify({
+				message: "HTTP upstream unreachable",
+				url,
+				reason: err instanceof Error ? err.message : String(err)
+			})
+		};
+	}
+	const upstreamContentType = upstream.headers.get("content-type") ?? "application/octet-stream";
+	const isUpstreamTextLike = isTextLikeContentType(upstreamContentType);
+	let upstreamText;
+	let upstreamBinary;
+	if (isUpstreamTextLike) upstreamText = await upstream.text();
+	else upstreamBinary = Buffer.from(await upstream.arrayBuffer());
+	const selected = selectIntegrationResponse(config.responses, String(upstream.status), upstream.status);
+	let body;
+	let contentType = upstreamContentType;
+	if (selected.entry) {
+		const picked = pickResponseTemplate(selected.entry.ResponseTemplates, req.headers["accept"]);
+		if (picked) if (upstreamText === void 0) {
+			logger.warn(`HTTP response: ResponseTemplates set but upstream Content-Type '${upstreamContentType}' is binary; passing body through unchanged.`);
+			body = upstreamBinary;
+		} else {
+			const respCtx = buildVtlContextFromRequest(req, upstreamText, safeJsonParse(upstreamText));
+			try {
+				body = evaluateVtl(picked.template, respCtx);
+			} catch (err) {
+				return vtlFailure("response", err, picked.template);
+			}
+			contentType = picked.contentType;
+		}
+		else body = upstreamText ?? upstreamBinary;
+	} else body = upstreamText ?? upstreamBinary;
+	const headers = { "content-type": contentType };
+	Object.assign(headers, evaluateResponseParameters(selected.entry?.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`HTTP response: ${reason}`) }));
+	return {
+		statusCode: selected.statusCode,
+		headers,
+		body
+	};
+}
+/**
+* Dispatch an AWS (Lambda non-proxy) integration. The request body is
+* transformed via VTL into the Lambda event; the Lambda is invoked via
+* RIE; the return value is transformed via ResponseTemplates.
+*
+* AWS error routing: when the Lambda returns an object with an
+* `errorMessage` field (Node Lambda runtime convention), AWS treats it
+* as an error and matches `SelectionPattern` against the
+* `errorMessage`. Otherwise success.
+*/
+async function dispatchAwsLambdaIntegration(config, req, deps) {
+	const logger = getLogger().child("start-api");
+	const ctx = buildVtlContextFromRequest(req, req.body.toString("utf-8"));
+	const template = pickRequestTemplate(config.requestTemplates, req.headers["content-type"]);
+	let eventPayload;
+	if (template) {
+		let rendered;
+		try {
+			rendered = evaluateVtl(template.template, ctx);
+		} catch (err) {
+			return vtlFailure("request", err, template.template);
+		}
+		try {
+			eventPayload = JSON.parse(rendered);
+		} catch {
+			eventPayload = rendered;
+		}
+	} else eventPayload = safeJsonParse(req.body.toString("utf-8")) ?? req.body.toString("utf-8");
+	let handle;
+	try {
+		handle = await deps.pool.acquire(config.lambdaLogicalId);
+	} catch (err) {
+		return {
+			statusCode: 502,
+			headers: { "content-type": "application/json" },
+			body: JSON.stringify({
+				message: "Failed to acquire RIE container for AWS Lambda non-proxy integration",
+				reason: err instanceof Error ? err.message : String(err)
+			})
+		};
+	}
+	let invokeOutcome;
+	try {
+		invokeOutcome = await invokeRie(handle.containerHost, handle.hostPort, eventPayload, deps.rieTimeoutMs);
+	} catch (err) {
+		deps.pool.release(handle);
+		return {
+			statusCode: 502,
+			headers: { "content-type": "application/json" },
+			body: JSON.stringify({
+				message: "AWS Lambda non-proxy invocation failed",
+				reason: err instanceof Error ? err.message : String(err)
+			})
+		};
+	}
+	deps.pool.release(handle);
+	const payload = invokeOutcome.payload;
+	const isError = payload !== null && typeof payload === "object" && "errorMessage" in payload;
+	const matchTarget = isError ? String(payload["errorMessage"]) : "success";
+	const selected = selectIntegrationResponse(config.responses, matchTarget, isError ? 500 : 200);
+	const respCtx = buildVtlContextFromRequest(req, JSON.stringify(payload ?? null), payload);
+	let body = "";
+	let contentType = "application/json";
+	if (selected.entry) {
+		const picked = pickResponseTemplate(selected.entry.ResponseTemplates, req.headers["accept"]);
+		if (picked) {
+			try {
+				body = evaluateVtl(picked.template, respCtx);
+			} catch (err) {
+				return vtlFailure("response", err, picked.template);
+			}
+			contentType = picked.contentType;
+		} else body = JSON.stringify(payload ?? null);
+	} else body = JSON.stringify(payload ?? null);
+	const headers = { "content-type": contentType };
+	Object.assign(headers, evaluateResponseParameters(selected.entry?.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`AWS Lambda non-proxy response: ${reason}`) }));
+	return {
+		statusCode: selected.statusCode,
+		headers,
+		body
+	};
+}
+function buildVtlContextFromRequest(req, body, inputRoot) {
+	return {
+		input: buildVtlInput(body, req.headers, req.querystring, req.pathParameters),
+		context: buildVtlRequestContext({
+			requestId: req.requestId,
+			httpMethod: req.method,
+			resourcePath: req.resourcePath,
+			stage: req.stage,
+			sourceIp: req.sourceIp,
+			userAgent: req.userAgent
+		}),
+		util: buildDefaultUtil(),
+		...inputRoot !== void 0 && { inputRoot }
+	};
+}
+function pickRequestTemplate(requestTemplates, contentType) {
+	if (!requestTemplates) return void 0;
+	const entries = Object.entries(requestTemplates);
+	if (entries.length === 0) return void 0;
+	if (contentType) {
+		const primary = contentType.split(";")[0].trim();
+		if (requestTemplates[primary] !== void 0) return {
+			template: requestTemplates[primary],
+			contentType: primary
+		};
+	}
+	if (requestTemplates["application/json"] !== void 0) return {
+		template: requestTemplates["application/json"],
+		contentType: "application/json"
+	};
+	const first = entries[0];
+	return {
+		template: first[1],
+		contentType: first[0]
+	};
+}
+/**
+* Extract `{"statusCode": <N>}` from a rendered MOCK request template.
+* AWS uses this single key to drive `IntegrationResponses[]` selection.
+*/
+function extractStatusCodeFromRendered(rendered) {
+	try {
+		const parsed = JSON.parse(rendered);
+		if (parsed && typeof parsed === "object" && "statusCode" in parsed) {
+			const val = parsed["statusCode"];
+			if (typeof val === "number") return val;
+			if (typeof val === "string") {
+				const n = Number.parseInt(val, 10);
+				if (Number.isFinite(n)) return n;
+			}
+		}
+	} catch {}
+}
+function defaultResponseEntry(entries) {
+	return entries.find((e) => e.SelectionPattern === void 0 || e.SelectionPattern === "") ?? null;
+}
+function parseStatus(raw) {
+	if (typeof raw === "number" && Number.isFinite(raw)) return raw;
+	if (typeof raw === "string") {
+		const n = Number.parseInt(raw, 10);
+		if (Number.isFinite(n)) return n;
+	}
+}
+/**
+* Heuristic: is the given HTTP `Content-Type` header value likely to
+* carry text content that VTL ResponseTemplates can safely render
+* against? Used by `dispatchHttpIntegration` to branch the upstream
+* body read between `.text()` (text-like) and `.arrayBuffer()` (binary
+* pass-through). Charset parameters are stripped before matching.
+*
+* Exported for unit testing.
+*/
+function isTextLikeContentType(contentType) {
+	const primary = contentType.split(";")[0].trim().toLowerCase();
+	if (primary.startsWith("text/")) return true;
+	if (primary === "application/json" || primary === "application/xml" || primary === "application/x-www-form-urlencoded" || primary === "application/javascript" || primary === "application/ld+json") return true;
+	if (primary.startsWith("application/") && (primary.endsWith("+json") || primary.endsWith("+xml"))) return true;
+	return false;
+}
+/**
+* Classify a hostname or IP literal against well-known internal address
+* spaces. Used by `warnSsrfRiskyUri` at server boot to surface a warn
+* line per HTTP / HTTP_PROXY integration whose URI points at a
+* potentially-sensitive destination. Best-effort; does NOT do DNS
+* resolution — only matches hostname literals that are already an IP.
+*
+* Returns `undefined` when the host appears safe (public DNS name) OR
+* cannot be classified (DNS name that may resolve to an internal IP
+* the helper cannot see without async DNS).
+*
+* Exported for unit testing.
+*/
+function classifyInternalHost(host) {
+	const h = host.replace(/^\[|\]$/g, "");
+	if (h === "169.254.169.254" || h === "[fd00:ec2::254]" || h === "fd00:ec2::254") return "AWS IMDS (169.254.169.254) — credentials exfiltration risk";
+	if (/^127\.\d+\.\d+\.\d+$/.test(h)) return "IPv4 loopback (127.0.0.0/8)";
+	if (h === "::1") return "IPv6 loopback (::1)";
+	if (/^169\.254\.\d+\.\d+$/.test(h)) return "IPv4 link-local (169.254.0.0/16)";
+	if (/^fe[89ab][0-9a-f]?:/i.test(h)) return "IPv6 link-local (fe80::/10)";
+	if (/^10\.\d+\.\d+\.\d+$/.test(h)) return "RFC1918 private (10.0.0.0/8)";
+	if (/^192\.168\.\d+\.\d+$/.test(h)) return "RFC1918 private (192.168.0.0/16)";
+	const m = /^172\.(\d+)\.\d+\.\d+$/.exec(h);
+	if (m && Number(m[1]) >= 16 && Number(m[1]) <= 31) return "RFC1918 private (172.16.0.0/12)";
+}
+/**
+* Emit a `logger.warn` line for each HTTP / HTTP_PROXY integration
+* whose `Integration.Uri` parses to a hostname classified as internal
+* by `classifyInternalHost`. Called once at server boot from
+* `cdkd local start-api`'s discovery pass; per-route deduplicated.
+*
+* cdkd does NOT block the URI — this is a developer-loop tool, not a
+* security boundary, and warn-and-proceed matches the precedent set by
+* the cognito JWKS pass-through fallback. The right v2 follow-up is an
+* `--allow-internal-uri` flag (and an opposite default block) once the
+* surface is well-understood.
+*/
+function warnSsrfRiskyUri(uri, routeLabel, warn) {
+	let host;
+	try {
+		const sanitized = uri.replace(/\{[^/{}]+\}/g, "x");
+		host = new URL(sanitized).hostname;
+	} catch {
+		return;
+	}
+	const classification = classifyInternalHost(host);
+	if (classification !== void 0) warn(`Integration URI for ${routeLabel} points at ${host} — ${classification}. cdkd does NOT block this; ensure the upstream is intentional.`);
+}
+function safeJsonParse(s) {
+	try {
+		return JSON.parse(s);
+	} catch {
+		return null;
+	}
+}
+/**
+* Apply `Integration.RequestParameters` mappings — header / query / path
+* rewrites that copy from `method.request.X` to `integration.request.Y`.
+*
+* Supported key shapes:
+*   - `integration.request.header.<name>` → outgoing header
+*   - `integration.request.querystring.<name>` → query string param
+*   - `integration.request.path.<name>` → path placeholder substitution
+*
+* Supported value shapes:
+*   - `method.request.header.<name>` → read incoming header
+*   - `method.request.querystring.<name>` → read incoming query param
+*   - `method.request.path.<name>` → read path parameter
+*   - `'literal'` → single-quoted literal
+*
+* Unsupported mapping expressions are logged at warn and skipped (matches
+* the ResponseParameters handling in `integration-response-selector.ts`).
+*/
+function applyRequestParameters(requestParameters, req, out) {
+	if (!requestParameters) return;
+	const logger = getLogger().child("start-api");
+	for (const [key, value] of Object.entries(requestParameters)) {
+		const resolved = resolveRequestParameterValue(value, req);
+		if (resolved === void 0) {
+			logger.warn(`RequestParameter '${key}' value '${value}' is not a recognized mapping; skipping.`);
+			continue;
+		}
+		const headerMatch = /^integration\.request\.header\.(.+)$/.exec(key);
+		const queryMatch = /^integration\.request\.querystring\.(.+)$/.exec(key);
+		const pathMatch = /^integration\.request\.path\.(.+)$/.exec(key);
+		if (headerMatch) out.headers[headerMatch[1].toLowerCase()] = resolved;
+		else if (queryMatch) logger.warn(`RequestParameter '${key}' (querystring rewrite) is recognized but cdkd applies querystring rewrites only via URI placeholder substitution; ignoring.`);
+		else if (pathMatch) logger.warn(`RequestParameter '${key}' (path rewrite) is recognized but cdkd substitutes path placeholders via {param} in the URI; ignoring.`);
+		else logger.warn(`Unsupported RequestParameter key '${key}'; skipping.`);
+	}
+}
+function resolveRequestParameterValue(raw, req) {
+	if (raw.length >= 2 && raw.startsWith("'") && raw.endsWith("'")) return raw.slice(1, -1);
+	const headerMatch = /^method\.request\.header\.(.+)$/.exec(raw);
+	if (headerMatch) return req.headers[headerMatch[1].toLowerCase()];
+	const queryMatch = /^method\.request\.querystring\.(.+)$/.exec(raw);
+	if (queryMatch) return req.querystring[queryMatch[1]];
+	const pathMatch = /^method\.request\.path\.(.+)$/.exec(raw);
+	if (pathMatch) return req.pathParameters[pathMatch[1]];
+}
+/**
+* Substitute `{paramName}` placeholders in a URI string with the value
+* of the matching path parameter on the request. Used by HTTP_PROXY /
+* HTTP integrations whose `Integration.Uri` may contain such
+* placeholders (e.g. `https://upstream.example.com/users/{userId}`).
+*/
+function substituteUriPlaceholders(uri, req) {
+	return uri.replace(/\{([^/{}]+)\}/g, (_, name) => {
+		const val = req.pathParameters[name];
+		return val !== void 0 ? encodeURIComponent(val) : "";
+	});
+}
+function vtlFailure(direction, err, template) {
+	const reason = err instanceof VtlEvaluationError ? err.message : err instanceof Error ? err.message : String(err);
+	return {
+		statusCode: 502,
+		headers: { "content-type": "application/json" },
+		body: JSON.stringify({
+			message: `VTL ${direction}-template evaluation failed`,
+			reason,
+			template: template.length > 200 ? template.slice(0, 200) + "..." : template
+		})
+	};
+}
 //#endregion
 //#region src/local/container-pool.ts
 const DEFAULT_IDLE_MS = 6e4;
@@ -43871,6 +45455,16 @@ async function handleRequest(req, res, state, opts) {
 		const overlay = buildOverlay(authorizer, authResult);
 		if (overlay) baseEvent = applyAuthorizerOverlay(baseEvent, overlay);
 	}
+	if (match.route.restV1Integration) {
+		try {
+			writeIntegrationOutcome(res, await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts));
+		} catch (err) {
+			logger.error(`REST v1 ${match.route.restV1Integration.kind} dispatch failed for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`);
+			if (!res.headersSent) writeError(res, 502);
+			else res.end();
+		}
+		return;
+	}
 	let handle;
 	try {
 		handle = await state.pool.acquire(match.route.lambdaLogicalId);
@@ -43950,6 +45544,50 @@ function writeStreamingResponse(res, result, releasePool) {
 	body.pipe(res);
 }
 /**
+* Dispatch a REST v1 non-AWS_PROXY integration to the matching handler.
+* Built once per request from the matched route + request snapshot.
+*
+* Returns a {@link RestV1IntegrationOutcome} — the caller writes it
+* onto the `ServerResponse` via {@link writeIntegrationOutcome}.
+*/
+async function dispatchRestV1Integration(integration, snapshot, matchCtx, state, opts) {
+	const headers = lowercaseSingularHeaders(snapshot.headers);
+	const querystring = parseQueryStringSingular(snapshot.rawUrl);
+	const sourceIp = snapshot.sourceIp ?? "127.0.0.1";
+	const userAgent = headers["user-agent"] ?? "";
+	const req = {
+		method: snapshot.method.toUpperCase(),
+		matchedPath: matchCtx.matchedPath,
+		pathParameters: matchCtx.pathParameters,
+		querystring,
+		headers,
+		body: snapshot.body,
+		sourceIp,
+		userAgent,
+		stage: matchCtx.route.stage,
+		resourcePath: matchCtx.route.pathPattern,
+		requestId: randomUUID()
+	};
+	const deps = {
+		pool: state.pool,
+		rieTimeoutMs: opts.rieTimeoutMs
+	};
+	switch (integration.kind) {
+		case "mock": return dispatchMockIntegration(integration, req);
+		case "http-proxy": return await dispatchHttpProxyIntegration(integration, req, deps);
+		case "http": return await dispatchHttpIntegration(integration, req, deps);
+		case "aws-lambda": return await dispatchAwsLambdaIntegration(integration, req, deps);
+	}
+}
+/**
+* Write a {@link RestV1IntegrationOutcome} to the HTTP response.
+*/
+function writeIntegrationOutcome(res, outcome) {
+	res.statusCode = outcome.statusCode;
+	for (const [name, value] of Object.entries(outcome.headers)) res.setHeader(name, value);
+	res.end(outcome.body);
+}
+/**
 * Attempt CORS preflight interception. Returns `true` when the
 * preflight response was written (caller must NOT continue to route
 * dispatch); `false` when no preflight match (caller falls through to
@@ -45265,7 +46903,9 @@ async function localStartApiCommand(target, options) {
 		if (basePort !== 0) nextPort += 1;
 	}
 	printPerServerRouteTables(servers);
-	warnUnsupportedRoutes(servers.flatMap((s) => s.group.routes.map((r) => r.route)), logger);
+	const allRoutes = servers.flatMap((s) => s.group.routes.map((r) => r.route));
+	warnUnsupportedRoutes(allRoutes, logger);
+	warnSsrfRiskyIntegrations(allRoutes, logger);
 	logger.info(`Per-Lambda concurrency: ${perLambdaConcurrency} (override with --per-lambda-concurrency)`);
 	for (const { group, server } of servers) process.stdout.write(`Server listening on ${server.scheme}://${server.host}:${server.port}  (${group.displayName})\n`);
 	process.stdout.write("^C to stop and clean up containers.\n");
@@ -45814,12 +47454,26 @@ function printRouteTable(routes) {
 	process.stdout.write("Discovered routes:\n");
 	for (const r of sorted) {
 		const sourceLabel = r.source === "http-api" ? "HTTP API" : r.source === "rest-v1" ? `REST v1, stage '${r.stage}'` : "Function URL";
-		const target = r.mockCors ? "[MOCK CORS preflight]" : r.unsupported ? "[501 Not Implemented]" : r.serviceIntegration ? `[${r.serviceIntegration.subtype}]` : r.lambdaLogicalId;
+		const target = r.mockCors ? "[MOCK CORS preflight]" : r.unsupported ? "[501 Not Implemented]" : r.serviceIntegration ? `[${r.serviceIntegration.subtype}]` : r.restV1Integration ? formatRestV1IntegrationLabel(r.restV1Integration) : r.lambdaLogicalId;
 		process.stdout.write(`  ${r.method.padEnd(methodWidth)}  ${r.pathPattern.padEnd(pathWidth)}  -> ${target}  (${sourceLabel})\n`);
 	}
 	process.stdout.write("\n");
 }
 /**
+* Format the route-table label for a REST v1 non-AWS_PROXY integration.
+* `MOCK` / `HTTP` / `HTTP_PROXY` show their integration kind directly;
+* `AWS` (Lambda non-proxy) shows the Lambda logical id with an `[AWS]`
+* suffix so it's distinguishable from AWS_PROXY rows. Closes #457.
+*/
+function formatRestV1IntegrationLabel(integration) {
+	switch (integration.kind) {
+		case "mock": return "[MOCK]";
+		case "http-proxy": return `[HTTP_PROXY ${integration.uri}]`;
+		case "http": return `[HTTP ${integration.uri}]`;
+		case "aws-lambda": return `${integration.lambdaLogicalId} [AWS]`;
+	}
+}
+/**
 * Materialize an inline Lambda body (`Code.ZipFile`) to a tmpdir and
 * return the directory the container should mount at /var/task.
 * Mirrors `cdkd local invoke`'s implementation; the only divergence is
@@ -45973,6 +47627,26 @@ function warnUnsupportedRoutes(routes, logger) {
 	return unsupported.length;
 }
 /**
+* Surface a one-line warn per HTTP / HTTP_PROXY integration whose
+* `Integration.Uri` points at a well-known internal address space
+* (AWS IMDS, loopback, link-local, RFC1918). PR #505 / issue #457
+* follow-up: cdkd does NOT block these — warn-and-proceed matches the
+* cognito JWKS pass-through pattern — but the user should see the
+* destination at boot so a malicious / typo'd template Uri does not
+* silently exfiltrate credentials in CI. Deduplicated per-Uri.
+*/
+function warnSsrfRiskyIntegrations(routes, logger) {
+	const seen = /* @__PURE__ */ new Set();
+	for (const r of routes) {
+		const integ = r.restV1Integration;
+		if (!integ) continue;
+		if (integ.kind !== "http" && integ.kind !== "http-proxy") continue;
+		if (seen.has(integ.uri)) continue;
+		seen.add(integ.uri);
+		warnSsrfRiskyUri(integ.uri, `${r.method} ${r.pathPattern}`, (msg) => logger.warn(msg));
+	}
+}
+/**
 * One reload cycle for the multi-server topology (issue #260). The
 * watcher serializes calls via a chain promise; this function:
 *
@@ -46021,7 +47695,9 @@ async function reloadAllServers(args) {
 	lastAssetPaths.value = computeAssetPaths(material.specs);
 	if (watcher) watcher.update([output, ...lastAssetPaths.value]);
 	printPerServerRouteTables(servers);
-	warnUnsupportedRoutes(servers.flatMap((s) => s.group.routes.map((r) => r.route)), logger);
+	const allRoutes = servers.flatMap((s) => s.group.routes.map((r) => r.route));
+	warnUnsupportedRoutes(allRoutes, logger);
+	warnSsrfRiskyIntegrations(allRoutes, logger);
 }
 /**
 * Returns true when any value in the function's template env map is a
@@ -50031,7 +51707,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.131.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.132.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());