@go-to-k/cdkd 0.132.2 → 0.132.4

package/dist/cli.js

@@ -39510,6 +39510,24 @@ const STREAM_PRELUDE_SEPARATOR = Buffer.from([
 */
 const STREAM_PRELUDE_MAX_BYTES = 1024 * 1024;
 /**
+* Maximum cumulative bytes of body the streaming Readable will push
+* before destroying itself with a clear error (defense-in-depth against
+* a buggy / malicious handler streaming gigabytes — Node's chunked-pipe
+* machinery handles per-chunk backpressure, but the running total can
+* still grow without bound on a slow consumer).
+*
+* 100 MiB is the default cap — generous enough that no realistic
+* dev-loop streaming response (token-by-token LLM output, large-file
+* download, video segment) hits it, low enough that a genuine runaway
+* surfaces locally before swap pressure kicks in. The HTTP server
+* converts the destroyed Readable to a truncated response (best-effort —
+* headers may already be on the wire).
+*
+* Consistent with {@link STREAM_PRELUDE_MAX_BYTES} (1 MiB cap on the
+* pre-body buffer); this is the post-body counterpart.
+*/
+const STREAM_BODY_MAX_BYTES = 100 * 1024 * 1024;
+/**
 * POST the event payload to RIE with the `streaming` response-mode
 * header, parse the JSON prelude out of the response bytes, and return
 * a Readable carrying the post-separator body chunks.
@@ -39525,10 +39543,26 @@ const STREAM_PRELUDE_MAX_BYTES = 1024 * 1024;
 * the header, but setting it makes the contract explicit and survives
 * future RIE behavior changes.)
 *
-* `timeoutMs` bounds the total wall time including the prelude wait —
-* the handler can stream for the full Lambda timeout, so callers should
-* pass a generous value (typically the function's configured Timeout * 2
-* with a 30s floor, matching `invokeRie`'s convention).
+* **`timeoutMs` bounds the TOTAL wall time of the entire streaming
+* exchange**, NOT just the prelude wait — the single armed `setTimeout`
+* covers both the prelude arrival AND the body drain. Once it fires,
+* `controller.abort()` destroys the underlying Readable, so a
+* legitimately long-lived streaming handler (e.g. a 15-minute AI / LLM
+* proxy) will have its connection torn down mid-stream even though
+* bytes are arriving correctly. Callers MUST size `timeoutMs` to cover
+* the longest expected handler stream, NOT just the time to first byte.
+*
+* Convention: pass `lambda.Timeout * 2` with a 30-second floor — same
+* order-of-magnitude formula as `invokeRie`, but the absolute value
+* differs because streaming handlers can intentionally run for the full
+* Lambda timeout (default 15 minutes for streaming-capable functions).
+* Splitting the bound into a strict prelude timer + a per-chunk idle
+* timer that resets on each chunk is deferred to a follow-up — see
+* issue #503 item 1 for the design discussion.
+*
+* The body Readable is additionally guarded by {@link STREAM_BODY_MAX_BYTES}
+* (100 MiB by default) so a runaway handler can't blow host memory; the
+* Readable is destroyed with a clear error when the cap trips.
 */
 async function invokeRieStreaming(host, port, event, timeoutMs) {
 	const url = `http://${host}:${port}${INVOKE_PATH}`;
@@ -39562,7 +39596,7 @@ async function invokeRieStreaming(host, port, event, timeoutMs) {
 			preludeBytes = preludeBytes.subarray(0, separatorIdx);
 			break;
 		}
-		if (preludeBytes.length > STREAM_PRELUDE_MAX_BYTES) {
+		if (preludeBytes.length > 1048576) {
 			clearTimeout(timer);
 			reader.cancel().catch(() => void 0);
 			throw new Error(`RIE streaming response did not emit the prelude/body separator within ${STREAM_PRELUDE_MAX_BYTES} bytes. The handler likely did not call awslambda.HttpResponseStream.from(stream, metadata).`);
@@ -39581,13 +39615,31 @@ async function invokeRieStreaming(host, port, event, timeoutMs) {
 		throw new Error(`RIE streaming response prelude is not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
 	}
 	const stream = new Readable({ read() {} });
+	let bodyBytesPushed = 0;
+	const exceedsCap = (added) => {
+		bodyBytesPushed += added;
+		return bodyBytesPushed > STREAM_BODY_MAX_BYTES;
+	};
 	(async () => {
 		try {
-			if (bodyTail && bodyTail.length > 0) stream.push(bodyTail);
+			if (bodyTail && bodyTail.length > 0) {
+				if (exceedsCap(bodyTail.length)) {
+					reader.cancel().catch(() => void 0);
+					stream.destroy(/* @__PURE__ */ new Error(`RIE streaming body exceeded ${STREAM_BODY_MAX_BYTES} bytes — destroying stream.`));
+					return;
+				}
+				stream.push(bodyTail);
+			}
 			while (true) {
 				const { value, done } = await reader.read();
 				if (done) break;
-				stream.push(Buffer.from(value));
+				const chunk = Buffer.from(value);
+				if (exceedsCap(chunk.length)) {
+					reader.cancel().catch(() => void 0);
+					stream.destroy(/* @__PURE__ */ new Error(`RIE streaming body exceeded ${STREAM_BODY_MAX_BYTES} bytes — destroying stream.`));
+					return;
+				}
+				stream.push(chunk);
 			}
 			stream.push(null);
 		} catch (err) {
@@ -41715,6 +41767,23 @@ function compareValues(lhs, rhs, op) {
 		case ">=": return sa >= sb;
 	}
 }
+/**
+* `==` / `!=` semantics for the VTL evaluator. Mirrors Apache Velocity's
+* lenient equality: same-type primitives compare via `===`; nested objects
+* / arrays compare structurally via canonical JSON; cross-type pairs (the
+* common case in AWS API Gateway templates, e.g. `#if($x == "true")` where
+* `$x` is a boolean from `$input.json('$.flag')`) fall back to comparing
+* each side coerced through {@link safeStringify}. The cross-type fall-back
+* is what Velocity itself does in this context, NOT JavaScript's
+* `==` operator (which has its own well-known foot-guns around `null` /
+* `undefined` / `NaN`). See the Velocity reference for the canonical
+* semantics: <https://velocity.apache.org/engine/2.0/vtl-reference.html#a3.4.4.RelationalOperators>
+* (look for the "Equivalent" / "Not Equivalent" rows).
+*
+* Both `null` and `undefined` collapse to a single sentinel — two
+* unset variables are considered equal. This matches Velocity's lenient
+* `null` handling (Issue (#507) item 8).
+*/
 function looseEqual(a, b) {
 	if (a === b) return true;
 	if (a == null || b == null) return a == null && b == null;
@@ -41755,6 +41824,19 @@ function isTruthy(v) {
 * `json(jsonPath)` returns a JSON-stringified slice of the parsed body;
 * `path(jsonPath)` returns the raw native value (primitives unquoted).
 *
+* Case-sensitivity contract (Issue (#507) item 5; mirrored on the write
+* side by `rest-v1-integrations.ts` `resolveRequestParameterValue` /
+* `applyRequestParameters`):
+*
+*   - `$input.params('<name>')` resolves PATH (case-sensitive) →
+*     QUERYSTRING (case-sensitive, last-wins on duplicates) → HEADER
+*     (case-insensitive — first the input's pre-lowercased map, then a
+*     last-resort case-insensitive scan; multi-value duplicates are
+*     comma-joined by the http-server before reaching VTL).
+*   - `$input.params('header')` / `$input.params('querystring')` /
+*     `$input.params('path')` return the raw category maps without
+*     case-folding the keys further.
+*
 * JSONPath support is minimal: supports `$` (root), `$.field`,
 * `$.field.subField`, `$.array[0]`. AWS supports more (filter
 * expressions, recursive descent); cdkd surfaces a clear error on
@@ -41763,20 +41845,24 @@ function isTruthy(v) {
 function buildVtlInput(body, headers, querystring, pathParams) {
 	let jsonBodyCache;
 	let jsonBodyParsed = false;
-	function lazyJson() {
+	let jsonBodyParseError = false;
+	function lazyJson(opts) {
 		if (!jsonBodyParsed) {
 			jsonBodyParsed = true;
-			try {
-				jsonBodyCache = body.length === 0 ? null : JSON.parse(body);
+			if (body.length === 0) jsonBodyCache = null;
+			else try {
+				jsonBodyCache = JSON.parse(body);
 			} catch {
 				jsonBodyCache = null;
+				jsonBodyParseError = true;
 			}
 		}
+		if (jsonBodyParseError && opts?.throwOnParseError) throw new VtlEvaluationError("$input.json(...) cannot be evaluated: request body is not valid JSON. On AWS API Gateway this surface returns HTTP 400 with {\"message\":\"Invalid JSON request body\"}; use $input.body or $input.path(...) when the upstream may emit non-JSON content.");
 		return jsonBodyCache;
 	}
 	function jsonFn(...args) {
 		const expr = args.length > 0 ? String(args[0]) : "$";
-		const val = applyJsonPath(lazyJson(), expr);
+		const val = applyJsonPath(lazyJson({ throwOnParseError: true }), expr);
 		return JSON.stringify(val ?? null);
 	}
 	function pathFn(...args) {
@@ -41916,12 +42002,17 @@ function selectIntegrationResponse(entries, matchTarget, fallbackStatusCode = 20
 	};
 }
 function parseStatus$1(raw, fallback) {
-	if (typeof raw === "number" && Number.isFinite(raw)) return raw;
-	if (typeof raw === "string") {
-		const parsed = Number.parseInt(raw, 10);
-		if (Number.isFinite(parsed)) return parsed;
-	}
-	return fallback;
+	if (typeof raw === "number") {
+		if (Number.isInteger(raw) && raw >= 100 && raw < 600) return raw;
+		return fallback;
+	}
+	if (typeof raw !== "string") return fallback;
+	const trimmed = raw.trim();
+	if (trimmed === "") return fallback;
+	const parsed = Number(trimmed);
+	if (!Number.isInteger(parsed)) return fallback;
+	if (parsed < 100 || parsed >= 600) return fallback;
+	return parsed;
 }
 /**
 * Evaluate `IntegrationResponse.ResponseParameters` — header literals
@@ -41933,6 +42024,17 @@ function parseStatus$1(raw, fallback) {
 * are `'literal'` (with single quotes) or mapping expressions
 * (`integration.response.body.X` / `integration.response.header.X` /
 * `context.X`). cdkd v1 supports the literal form only.
+*
+* PR #511 review fix-back: header names are lowercased here so the
+* returned map shares the same key namespace as the dispatcher's
+* default-initialized headers (`{'content-type': '...'}`). Without
+* normalization a template that sets `Content-Type` PascalCase via
+* ResponseParameters produced a headers object carrying BOTH
+* `'content-type': 'application/json'` (default) AND
+* `'Content-Type': 'text/xml'` (overlay), which downstream HTTP
+* serialization rendered as two conflicting headers — AWS-deployed
+* only ever returns one. By lowercasing every key, overlays simply
+* overwrite the default-initializer entry like AWS does.
 */
 function evaluateResponseParameters(responseParameters, opts = {}) {
 	if (!responseParameters) return {};
@@ -41943,7 +42045,7 @@ function evaluateResponseParameters(responseParameters, opts = {}) {
 			opts.onUnsupported?.(key, value, `Only method.response.header.<name> keys are supported on REST v1 ResponseParameters; cdkd cannot map ${key}.`);
 			continue;
 		}
-		const headerName = headerMatch[1];
+		const headerName = headerMatch[1].toLowerCase();
 		if (typeof value !== "string") {
 			opts.onUnsupported?.(key, String(value), `non-string ResponseParameter value`);
 			continue;
@@ -42039,6 +42141,7 @@ function dispatchMockIntegration(config, req) {
 	}
 	const headers = { "content-type": contentType };
 	Object.assign(headers, evaluateResponseParameters(entry.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`MOCK response: ${reason}`) }));
+	if (body === "" && headers["content-type"] === contentType) delete headers["content-type"];
 	return {
 		statusCode: parseStatus(entry.StatusCode) ?? 200,
 		headers,
@@ -42061,10 +42164,7 @@ async function dispatchHttpProxyIntegration(config, req, deps) {
 		"content-length",
 		"transfer-encoding"
 	]) delete outHeaders[drop];
-	applyRequestParameters(config.requestParameters, req, {
-		headers: outHeaders,
-		urlObj: void 0
-	});
+	applyRequestParameters(config.requestParameters, req, { headers: outHeaders });
 	const fetchImpl = deps.fetch ?? globalThis.fetch;
 	const fetchInit = {
 		method,
@@ -42132,10 +42232,7 @@ async function dispatchHttpIntegration(config, req, deps) {
 		"content-length",
 		"transfer-encoding"
 	]) delete outHeaders[drop];
-	applyRequestParameters(config.requestParameters, req, {
-		headers: outHeaders,
-		urlObj: void 0
-	});
+	applyRequestParameters(config.requestParameters, req, { headers: outHeaders });
 	const fetchImpl = deps.fetch ?? globalThis.fetch;
 	const fetchInit = {
 		method,
@@ -42230,46 +42327,48 @@ async function dispatchAwsLambdaIntegration(config, req, deps) {
 			})
 		};
 	}
-	let invokeOutcome;
 	try {
-		invokeOutcome = await invokeRie(handle.containerHost, handle.hostPort, eventPayload, deps.rieTimeoutMs);
-	} catch (err) {
-		deps.pool.release(handle);
+		let invokeOutcome;
+		try {
+			invokeOutcome = await invokeRie(handle.containerHost, handle.hostPort, eventPayload, deps.rieTimeoutMs);
+		} catch (err) {
+			return {
+				statusCode: 502,
+				headers: { "content-type": "application/json" },
+				body: JSON.stringify({
+					message: "AWS Lambda non-proxy invocation failed",
+					reason: err instanceof Error ? err.message : String(err)
+				})
+			};
+		}
+		const payload = invokeOutcome.payload;
+		const isError = payload !== null && typeof payload === "object" && "errorMessage" in payload;
+		const matchTarget = isError ? String(payload["errorMessage"]) : "success";
+		const selected = selectIntegrationResponse(config.responses, matchTarget, isError ? 500 : 200);
+		const respCtx = buildVtlContextFromRequest(req, JSON.stringify(payload ?? null), payload);
+		let body = "";
+		let contentType = "application/json";
+		if (selected.entry) {
+			const picked = pickResponseTemplate(selected.entry.ResponseTemplates, req.headers["accept"]);
+			if (picked) {
+				try {
+					body = evaluateVtl(picked.template, respCtx);
+				} catch (err) {
+					return vtlFailure("response", err, picked.template);
+				}
+				contentType = picked.contentType;
+			} else body = JSON.stringify(payload ?? null);
+		} else body = JSON.stringify(payload ?? null);
+		const headers = { "content-type": contentType };
+		Object.assign(headers, evaluateResponseParameters(selected.entry?.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`AWS Lambda non-proxy response: ${reason}`) }));
 		return {
-			statusCode: 502,
-			headers: { "content-type": "application/json" },
-			body: JSON.stringify({
-				message: "AWS Lambda non-proxy invocation failed",
-				reason: err instanceof Error ? err.message : String(err)
-			})
+			statusCode: selected.statusCode,
+			headers,
+			body
 		};
+	} finally {
+		deps.pool.release(handle);
 	}
-	deps.pool.release(handle);
-	const payload = invokeOutcome.payload;
-	const isError = payload !== null && typeof payload === "object" && "errorMessage" in payload;
-	const matchTarget = isError ? String(payload["errorMessage"]) : "success";
-	const selected = selectIntegrationResponse(config.responses, matchTarget, isError ? 500 : 200);
-	const respCtx = buildVtlContextFromRequest(req, JSON.stringify(payload ?? null), payload);
-	let body = "";
-	let contentType = "application/json";
-	if (selected.entry) {
-		const picked = pickResponseTemplate(selected.entry.ResponseTemplates, req.headers["accept"]);
-		if (picked) {
-			try {
-				body = evaluateVtl(picked.template, respCtx);
-			} catch (err) {
-				return vtlFailure("response", err, picked.template);
-			}
-			contentType = picked.contentType;
-		} else body = JSON.stringify(payload ?? null);
-	} else body = JSON.stringify(payload ?? null);
-	const headers = { "content-type": contentType };
-	Object.assign(headers, evaluateResponseParameters(selected.entry?.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`AWS Lambda non-proxy response: ${reason}`) }));
-	return {
-		statusCode: selected.statusCode,
-		headers,
-		body
-	};
 }
 function buildVtlContextFromRequest(req, body, inputRoot) {
 	return {
@@ -42310,29 +42409,57 @@ function pickRequestTemplate(requestTemplates, contentType) {
 /**
 * Extract `{"statusCode": <N>}` from a rendered MOCK request template.
 * AWS uses this single key to drive `IntegrationResponses[]` selection.
+*
+* Returns `undefined` when the rendered template is not JSON OR does not
+* carry a `{statusCode: N}` object OR the value is not a positive integer
+* (Issue (#507) item 6 — `Number.isInteger` rejects `"200abc"` /
+* fractional values that `Number.parseInt` would silently accept). On any
+* fallback case the caller falls back to the default `IntegrationResponses[]`
+* entry. The fallback path is logged at debug (Issue (#507) item 3) so
+* users diagnosing a MOCK dispatch see what AWS would have seen.
 */
 function extractStatusCodeFromRendered(rendered) {
+	const logFallback = (reason) => {
+		const truncated = rendered.length > 200 ? rendered.slice(0, 200) + "..." : rendered;
+		getLogger().child("start-api").debug(`MOCK request template did not yield a statusCode selection driver (${reason}); falling back to the default IntegrationResponses[] entry. Rendered output: ${truncated}`);
+	};
+	let parsed;
 	try {
-		const parsed = JSON.parse(rendered);
-		if (parsed && typeof parsed === "object" && "statusCode" in parsed) {
-			const val = parsed["statusCode"];
-			if (typeof val === "number") return val;
-			if (typeof val === "string") {
-				const n = Number.parseInt(val, 10);
-				if (Number.isFinite(n)) return n;
-			}
-		}
-	} catch {}
+		parsed = JSON.parse(rendered);
+	} catch {
+		return logFallback("rendered output is not valid JSON");
+	}
+	if (!parsed || typeof parsed !== "object" || !("statusCode" in parsed)) return logFallback("rendered output has no statusCode field");
+	const val = parsed["statusCode"];
+	if (typeof val === "number") {
+		if (Number.isInteger(val) && val >= 100 && val < 600) return val;
+		return logFallback(`statusCode ${val} is out of HTTP range [100, 600)`);
+	}
+	if (typeof val === "string") {
+		const trimmed = val.trim();
+		if (trimmed === "") return logFallback("statusCode is empty / whitespace");
+		const n = Number(trimmed);
+		if (!Number.isInteger(n)) return logFallback(`statusCode '${val}' is not a valid integer`);
+		if (n < 100 || n >= 600) return logFallback(`statusCode ${n} is out of HTTP range [100, 600)`);
+		return n;
+	}
+	return logFallback(`statusCode has unexpected type '${typeof val}'`);
 }
 function defaultResponseEntry(entries) {
 	return entries.find((e) => e.SelectionPattern === void 0 || e.SelectionPattern === "") ?? null;
 }
 function parseStatus(raw) {
-	if (typeof raw === "number" && Number.isFinite(raw)) return raw;
-	if (typeof raw === "string") {
-		const n = Number.parseInt(raw, 10);
-		if (Number.isFinite(n)) return n;
+	if (typeof raw === "number") {
+		if (Number.isInteger(raw) && raw >= 100 && raw < 600) return raw;
+		return;
 	}
+	if (typeof raw !== "string") return void 0;
+	const trimmed = raw.trim();
+	if (trimmed === "") return void 0;
+	const n = Number(trimmed);
+	if (!Number.isInteger(n)) return void 0;
+	if (n < 100 || n >= 600) return void 0;
+	return n;
 }
 /**
 * Heuristic: is the given HTTP `Content-Type` header value likely to
@@ -42411,10 +42538,12 @@ function safeJsonParse(s) {
 *
 * Supported key shapes:
 *   - `integration.request.header.<name>` → outgoing header
-*   - `integration.request.querystring.<name>` → query string param
-*   - `integration.request.path.<name>` → path placeholder substitution
+*   - `integration.request.querystring.<name>` → query string param (warn-and-skip)
+*   - `integration.request.path.<name>` → path placeholder substitution (warn-and-skip)
 *
-* Supported value shapes:
+* Supported value shapes (header case-insensitive + multi-value comma-joined,
+* querystring case-sensitive + last-wins; see {@link resolveRequestParameterValue}
+* and `vtl-engine.ts` `$input.params` for the matching read-side semantics):
 *   - `method.request.header.<name>` → read incoming header
 *   - `method.request.querystring.<name>` → read incoming query param
 *   - `method.request.path.<name>` → read path parameter
@@ -42422,6 +42551,12 @@ function safeJsonParse(s) {
 *
 * Unsupported mapping expressions are logged at warn and skipped (matches
 * the ResponseParameters handling in `integration-response-selector.ts`).
+*
+* Note: querystring / path-rewrite branches currently warn-and-skip; cdkd
+* relies on `{paramName}` URI substitution for the canonical case (see
+* {@link substituteUriPlaceholders}). The previous `urlObj` parameter was
+* never used by the unimplemented querystring rewrite branch and has been
+* dropped (Issue (#507) item 2).
 */
 function applyRequestParameters(requestParameters, req, out) {
 	if (!requestParameters) return;
@@ -42441,6 +42576,22 @@ function applyRequestParameters(requestParameters, req, out) {
 		else logger.warn(`Unsupported RequestParameter key '${key}'; skipping.`);
 	}
 }
+/**
+* Resolve a single `RequestParameters` value to a string.
+*
+* Case-sensitivity contract (Issue (#507) item 5; mirrored on the VTL
+* read side by `vtl-engine.ts` `$input.params`):
+*
+*   - Header lookups are **case-insensitive** (the incoming-header map is
+*     pre-lowercased by the http-server) and multi-value duplicates are
+*     comma-joined.
+*   - Querystring lookups are **case-sensitive** (matches AWS API Gateway's
+*     deployed behavior) and multi-value duplicates surface only the
+*     last-wins string (the http-server's request snapshot collapses
+*     duplicates at parse time).
+*   - Path parameters are case-sensitive (CFn template `{paramName}`
+*     placeholders are case-sensitive by construction).
+*/
 function resolveRequestParameterValue(raw, req) {
 	if (raw.length >= 2 && raw.startsWith("'") && raw.endsWith("'")) return raw.slice(1, -1);
 	const headerMatch = /^method\.request\.header\.(.+)$/.exec(raw);
@@ -45522,11 +45673,26 @@ async function handleRequest(req, res, state, opts) {
 *
 * Cookies in the prelude are emitted as multiple `Set-Cookie` headers
 * (HTTP API v2 semantics — matching the buffered path's behavior).
+*
+* **Conflicting headers stripped**: `Content-Length` and
+* `Transfer-Encoding` (case-insensitive) are removed from the prelude
+* before `res.writeHead(...)` — some handlers set these defensively,
+* but doing so either crashes Node (Content-Length doesn't match the
+* actual bytes that arrive on the chunked body) or produces a
+* corrupted Content-Length-but-actually-chunked wire response. Node
+* automatically emits `Transfer-Encoding: chunked` when no
+* Content-Length is set, which is what streaming Function URLs
+* always want.
 */
 function writeStreamingResponse(res, result, releasePool) {
 	const logger = getLogger().child("start-api");
 	const { prelude, body } = result;
-	const headersOut = { ...prelude.headers };
+	const headersOut = {};
+	for (const [key, value] of Object.entries(prelude.headers)) {
+		const lower = key.toLowerCase();
+		if (lower === "content-length" || lower === "transfer-encoding") continue;
+		headersOut[key] = value;
+	}
 	if (prelude.cookies && prelude.cookies.length > 0) headersOut["set-cookie"] = prelude.cookies;
 	res.writeHead(prelude.statusCode, headersOut);
 	let released = false;
@@ -51707,7 +51873,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.132.2");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.132.4");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());