@go-to-k/cdkd 0.132.3 → 0.133.0

package/dist/cli.js

@@ -41767,6 +41767,23 @@ function compareValues(lhs, rhs, op) {
 		case ">=": return sa >= sb;
 	}
 }
+/**
+* `==` / `!=` semantics for the VTL evaluator. Mirrors Apache Velocity's
+* lenient equality: same-type primitives compare via `===`; nested objects
+* / arrays compare structurally via canonical JSON; cross-type pairs (the
+* common case in AWS API Gateway templates, e.g. `#if($x == "true")` where
+* `$x` is a boolean from `$input.json('$.flag')`) fall back to comparing
+* each side coerced through {@link safeStringify}. The cross-type fall-back
+* is what Velocity itself does in this context, NOT JavaScript's
+* `==` operator (which has its own well-known foot-guns around `null` /
+* `undefined` / `NaN`). See the Velocity reference for the canonical
+* semantics: <https://velocity.apache.org/engine/2.0/vtl-reference.html#a3.4.4.RelationalOperators>
+* (look for the "Equivalent" / "Not Equivalent" rows).
+*
+* Both `null` and `undefined` collapse to a single sentinel — two
+* unset variables are considered equal. This matches Velocity's lenient
+* `null` handling (Issue (#507) item 8).
+*/
 function looseEqual(a, b) {
 	if (a === b) return true;
 	if (a == null || b == null) return a == null && b == null;
@@ -41807,6 +41824,19 @@ function isTruthy(v) {
 * `json(jsonPath)` returns a JSON-stringified slice of the parsed body;
 * `path(jsonPath)` returns the raw native value (primitives unquoted).
 *
+* Case-sensitivity contract (Issue (#507) item 5; mirrored on the write
+* side by `rest-v1-integrations.ts` `resolveRequestParameterValue` /
+* `applyRequestParameters`):
+*
+*   - `$input.params('<name>')` resolves PATH (case-sensitive) →
+*     QUERYSTRING (case-sensitive, last-wins on duplicates) → HEADER
+*     (case-insensitive — first the input's pre-lowercased map, then a
+*     last-resort case-insensitive scan; multi-value duplicates are
+*     comma-joined by the http-server before reaching VTL).
+*   - `$input.params('header')` / `$input.params('querystring')` /
+*     `$input.params('path')` return the raw category maps without
+*     case-folding the keys further.
+*
 * JSONPath support is minimal: supports `$` (root), `$.field`,
 * `$.field.subField`, `$.array[0]`. AWS supports more (filter
 * expressions, recursive descent); cdkd surfaces a clear error on
@@ -41815,20 +41845,24 @@ function isTruthy(v) {
 function buildVtlInput(body, headers, querystring, pathParams) {
 	let jsonBodyCache;
 	let jsonBodyParsed = false;
-	function lazyJson() {
+	let jsonBodyParseError = false;
+	function lazyJson(opts) {
 		if (!jsonBodyParsed) {
 			jsonBodyParsed = true;
-			try {
-				jsonBodyCache = body.length === 0 ? null : JSON.parse(body);
+			if (body.length === 0) jsonBodyCache = null;
+			else try {
+				jsonBodyCache = JSON.parse(body);
 			} catch {
 				jsonBodyCache = null;
+				jsonBodyParseError = true;
 			}
 		}
+		if (jsonBodyParseError && opts?.throwOnParseError) throw new VtlEvaluationError("$input.json(...) cannot be evaluated: request body is not valid JSON. On AWS API Gateway this surface returns HTTP 400 with {\"message\":\"Invalid JSON request body\"}; use $input.body or $input.path(...) when the upstream may emit non-JSON content.");
 		return jsonBodyCache;
 	}
 	function jsonFn(...args) {
 		const expr = args.length > 0 ? String(args[0]) : "$";
-		const val = applyJsonPath(lazyJson(), expr);
+		const val = applyJsonPath(lazyJson({ throwOnParseError: true }), expr);
 		return JSON.stringify(val ?? null);
 	}
 	function pathFn(...args) {
@@ -41968,12 +42002,17 @@ function selectIntegrationResponse(entries, matchTarget, fallbackStatusCode = 20
 	};
 }
 function parseStatus$1(raw, fallback) {
-	if (typeof raw === "number" && Number.isFinite(raw)) return raw;
-	if (typeof raw === "string") {
-		const parsed = Number.parseInt(raw, 10);
-		if (Number.isFinite(parsed)) return parsed;
-	}
-	return fallback;
+	if (typeof raw === "number") {
+		if (Number.isInteger(raw) && raw >= 100 && raw < 600) return raw;
+		return fallback;
+	}
+	if (typeof raw !== "string") return fallback;
+	const trimmed = raw.trim();
+	if (trimmed === "") return fallback;
+	const parsed = Number(trimmed);
+	if (!Number.isInteger(parsed)) return fallback;
+	if (parsed < 100 || parsed >= 600) return fallback;
+	return parsed;
 }
 /**
 * Evaluate `IntegrationResponse.ResponseParameters` — header literals
@@ -41985,6 +42024,17 @@ function parseStatus$1(raw, fallback) {
 * are `'literal'` (with single quotes) or mapping expressions
 * (`integration.response.body.X` / `integration.response.header.X` /
 * `context.X`). cdkd v1 supports the literal form only.
+*
+* PR #511 review fix-back: header names are lowercased here so the
+* returned map shares the same key namespace as the dispatcher's
+* default-initialized headers (`{'content-type': '...'}`). Without
+* normalization a template that sets `Content-Type` PascalCase via
+* ResponseParameters produced a headers object carrying BOTH
+* `'content-type': 'application/json'` (default) AND
+* `'Content-Type': 'text/xml'` (overlay), which downstream HTTP
+* serialization rendered as two conflicting headers — AWS-deployed
+* only ever returns one. By lowercasing every key, overlays simply
+* overwrite the default-initializer entry like AWS does.
 */
 function evaluateResponseParameters(responseParameters, opts = {}) {
 	if (!responseParameters) return {};
@@ -41995,7 +42045,7 @@ function evaluateResponseParameters(responseParameters, opts = {}) {
 			opts.onUnsupported?.(key, value, `Only method.response.header.<name> keys are supported on REST v1 ResponseParameters; cdkd cannot map ${key}.`);
 			continue;
 		}
-		const headerName = headerMatch[1];
+		const headerName = headerMatch[1].toLowerCase();
 		if (typeof value !== "string") {
 			opts.onUnsupported?.(key, String(value), `non-string ResponseParameter value`);
 			continue;
@@ -42091,6 +42141,7 @@ function dispatchMockIntegration(config, req) {
 	}
 	const headers = { "content-type": contentType };
 	Object.assign(headers, evaluateResponseParameters(entry.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`MOCK response: ${reason}`) }));
+	if (body === "" && headers["content-type"] === contentType) delete headers["content-type"];
 	return {
 		statusCode: parseStatus(entry.StatusCode) ?? 200,
 		headers,
@@ -42113,10 +42164,7 @@ async function dispatchHttpProxyIntegration(config, req, deps) {
 		"content-length",
 		"transfer-encoding"
 	]) delete outHeaders[drop];
-	applyRequestParameters(config.requestParameters, req, {
-		headers: outHeaders,
-		urlObj: void 0
-	});
+	applyRequestParameters(config.requestParameters, req, { headers: outHeaders });
 	const fetchImpl = deps.fetch ?? globalThis.fetch;
 	const fetchInit = {
 		method,
@@ -42184,10 +42232,7 @@ async function dispatchHttpIntegration(config, req, deps) {
 		"content-length",
 		"transfer-encoding"
 	]) delete outHeaders[drop];
-	applyRequestParameters(config.requestParameters, req, {
-		headers: outHeaders,
-		urlObj: void 0
-	});
+	applyRequestParameters(config.requestParameters, req, { headers: outHeaders });
 	const fetchImpl = deps.fetch ?? globalThis.fetch;
 	const fetchInit = {
 		method,
@@ -42282,46 +42327,48 @@ async function dispatchAwsLambdaIntegration(config, req, deps) {
 			})
 		};
 	}
-	let invokeOutcome;
 	try {
-		invokeOutcome = await invokeRie(handle.containerHost, handle.hostPort, eventPayload, deps.rieTimeoutMs);
-	} catch (err) {
-		deps.pool.release(handle);
+		let invokeOutcome;
+		try {
+			invokeOutcome = await invokeRie(handle.containerHost, handle.hostPort, eventPayload, deps.rieTimeoutMs);
+		} catch (err) {
+			return {
+				statusCode: 502,
+				headers: { "content-type": "application/json" },
+				body: JSON.stringify({
+					message: "AWS Lambda non-proxy invocation failed",
+					reason: err instanceof Error ? err.message : String(err)
+				})
+			};
+		}
+		const payload = invokeOutcome.payload;
+		const isError = payload !== null && typeof payload === "object" && "errorMessage" in payload;
+		const matchTarget = isError ? String(payload["errorMessage"]) : "success";
+		const selected = selectIntegrationResponse(config.responses, matchTarget, isError ? 500 : 200);
+		const respCtx = buildVtlContextFromRequest(req, JSON.stringify(payload ?? null), payload);
+		let body = "";
+		let contentType = "application/json";
+		if (selected.entry) {
+			const picked = pickResponseTemplate(selected.entry.ResponseTemplates, req.headers["accept"]);
+			if (picked) {
+				try {
+					body = evaluateVtl(picked.template, respCtx);
+				} catch (err) {
+					return vtlFailure("response", err, picked.template);
+				}
+				contentType = picked.contentType;
+			} else body = JSON.stringify(payload ?? null);
+		} else body = JSON.stringify(payload ?? null);
+		const headers = { "content-type": contentType };
+		Object.assign(headers, evaluateResponseParameters(selected.entry?.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`AWS Lambda non-proxy response: ${reason}`) }));
 		return {
-			statusCode: 502,
-			headers: { "content-type": "application/json" },
-			body: JSON.stringify({
-				message: "AWS Lambda non-proxy invocation failed",
-				reason: err instanceof Error ? err.message : String(err)
-			})
+			statusCode: selected.statusCode,
+			headers,
+			body
 		};
+	} finally {
+		deps.pool.release(handle);
 	}
-	deps.pool.release(handle);
-	const payload = invokeOutcome.payload;
-	const isError = payload !== null && typeof payload === "object" && "errorMessage" in payload;
-	const matchTarget = isError ? String(payload["errorMessage"]) : "success";
-	const selected = selectIntegrationResponse(config.responses, matchTarget, isError ? 500 : 200);
-	const respCtx = buildVtlContextFromRequest(req, JSON.stringify(payload ?? null), payload);
-	let body = "";
-	let contentType = "application/json";
-	if (selected.entry) {
-		const picked = pickResponseTemplate(selected.entry.ResponseTemplates, req.headers["accept"]);
-		if (picked) {
-			try {
-				body = evaluateVtl(picked.template, respCtx);
-			} catch (err) {
-				return vtlFailure("response", err, picked.template);
-			}
-			contentType = picked.contentType;
-		} else body = JSON.stringify(payload ?? null);
-	} else body = JSON.stringify(payload ?? null);
-	const headers = { "content-type": contentType };
-	Object.assign(headers, evaluateResponseParameters(selected.entry?.ResponseParameters, { onUnsupported: (_k, _v, reason) => logger.warn(`AWS Lambda non-proxy response: ${reason}`) }));
-	return {
-		statusCode: selected.statusCode,
-		headers,
-		body
-	};
 }
 function buildVtlContextFromRequest(req, body, inputRoot) {
 	return {
@@ -42362,29 +42409,57 @@ function pickRequestTemplate(requestTemplates, contentType) {
 /**
 * Extract `{"statusCode": <N>}` from a rendered MOCK request template.
 * AWS uses this single key to drive `IntegrationResponses[]` selection.
+*
+* Returns `undefined` when the rendered template is not JSON OR does not
+* carry a `{statusCode: N}` object OR the value is not a positive integer
+* (Issue (#507) item 6 — `Number.isInteger` rejects `"200abc"` /
+* fractional values that `Number.parseInt` would silently accept). On any
+* fallback case the caller falls back to the default `IntegrationResponses[]`
+* entry. The fallback path is logged at debug (Issue (#507) item 3) so
+* users diagnosing a MOCK dispatch see what AWS would have seen.
 */
 function extractStatusCodeFromRendered(rendered) {
+	const logFallback = (reason) => {
+		const truncated = rendered.length > 200 ? rendered.slice(0, 200) + "..." : rendered;
+		getLogger().child("start-api").debug(`MOCK request template did not yield a statusCode selection driver (${reason}); falling back to the default IntegrationResponses[] entry. Rendered output: ${truncated}`);
+	};
+	let parsed;
 	try {
-		const parsed = JSON.parse(rendered);
-		if (parsed && typeof parsed === "object" && "statusCode" in parsed) {
-			const val = parsed["statusCode"];
-			if (typeof val === "number") return val;
-			if (typeof val === "string") {
-				const n = Number.parseInt(val, 10);
-				if (Number.isFinite(n)) return n;
-			}
-		}
-	} catch {}
+		parsed = JSON.parse(rendered);
+	} catch {
+		return logFallback("rendered output is not valid JSON");
+	}
+	if (!parsed || typeof parsed !== "object" || !("statusCode" in parsed)) return logFallback("rendered output has no statusCode field");
+	const val = parsed["statusCode"];
+	if (typeof val === "number") {
+		if (Number.isInteger(val) && val >= 100 && val < 600) return val;
+		return logFallback(`statusCode ${val} is out of HTTP range [100, 600)`);
+	}
+	if (typeof val === "string") {
+		const trimmed = val.trim();
+		if (trimmed === "") return logFallback("statusCode is empty / whitespace");
+		const n = Number(trimmed);
+		if (!Number.isInteger(n)) return logFallback(`statusCode '${val}' is not a valid integer`);
+		if (n < 100 || n >= 600) return logFallback(`statusCode ${n} is out of HTTP range [100, 600)`);
+		return n;
+	}
+	return logFallback(`statusCode has unexpected type '${typeof val}'`);
 }
 function defaultResponseEntry(entries) {
 	return entries.find((e) => e.SelectionPattern === void 0 || e.SelectionPattern === "") ?? null;
 }
 function parseStatus(raw) {
-	if (typeof raw === "number" && Number.isFinite(raw)) return raw;
-	if (typeof raw === "string") {
-		const n = Number.parseInt(raw, 10);
-		if (Number.isFinite(n)) return n;
+	if (typeof raw === "number") {
+		if (Number.isInteger(raw) && raw >= 100 && raw < 600) return raw;
+		return;
 	}
+	if (typeof raw !== "string") return void 0;
+	const trimmed = raw.trim();
+	if (trimmed === "") return void 0;
+	const n = Number(trimmed);
+	if (!Number.isInteger(n)) return void 0;
+	if (n < 100 || n >= 600) return void 0;
+	return n;
 }
 /**
 * Heuristic: is the given HTTP `Content-Type` header value likely to
@@ -42463,10 +42538,12 @@ function safeJsonParse(s) {
 *
 * Supported key shapes:
 *   - `integration.request.header.<name>` → outgoing header
-*   - `integration.request.querystring.<name>` → query string param
-*   - `integration.request.path.<name>` → path placeholder substitution
+*   - `integration.request.querystring.<name>` → query string param (warn-and-skip)
+*   - `integration.request.path.<name>` → path placeholder substitution (warn-and-skip)
 *
-* Supported value shapes:
+* Supported value shapes (header case-insensitive + multi-value comma-joined,
+* querystring case-sensitive + last-wins; see {@link resolveRequestParameterValue}
+* and `vtl-engine.ts` `$input.params` for the matching read-side semantics):
 *   - `method.request.header.<name>` → read incoming header
 *   - `method.request.querystring.<name>` → read incoming query param
 *   - `method.request.path.<name>` → read path parameter
@@ -42474,6 +42551,12 @@ function safeJsonParse(s) {
 *
 * Unsupported mapping expressions are logged at warn and skipped (matches
 * the ResponseParameters handling in `integration-response-selector.ts`).
+*
+* Note: querystring / path-rewrite branches currently warn-and-skip; cdkd
+* relies on `{paramName}` URI substitution for the canonical case (see
+* {@link substituteUriPlaceholders}). The previous `urlObj` parameter was
+* never used by the unimplemented querystring rewrite branch and has been
+* dropped (Issue (#507) item 2).
 */
 function applyRequestParameters(requestParameters, req, out) {
 	if (!requestParameters) return;
@@ -42493,6 +42576,22 @@ function applyRequestParameters(requestParameters, req, out) {
 		else logger.warn(`Unsupported RequestParameter key '${key}'; skipping.`);
 	}
 }
+/**
+* Resolve a single `RequestParameters` value to a string.
+*
+* Case-sensitivity contract (Issue (#507) item 5; mirrored on the VTL
+* read side by `vtl-engine.ts` `$input.params`):
+*
+*   - Header lookups are **case-insensitive** (the incoming-header map is
+*     pre-lowercased by the http-server) and multi-value duplicates are
+*     comma-joined.
+*   - Querystring lookups are **case-sensitive** (matches AWS API Gateway's
+*     deployed behavior) and multi-value duplicates surface only the
+*     last-wins string (the http-server's request snapshot collapses
+*     duplicates at parse time).
+*   - Path parameters are case-sensitive (CFn template `{paramName}`
+*     placeholders are case-sensitive by construction).
+*/
 function resolveRequestParameterValue(raw, req) {
 	if (raw.length >= 2 && raw.startsWith("'") && raw.endsWith("'")) return raw.slice(1, -1);
 	const headerMatch = /^method\.request\.header\.(.+)$/.exec(raw);
@@ -43986,7 +44085,7 @@ function attachAuthorizers(stacks, routes) {
 	const out = [];
 	const errors = [];
 	for (const route of routes) {
-		if (route.unsupported || route.mockCors || route.serviceIntegration) {
+		if (route.unsupported || route.mockCors) {
 			out.push({ route });
 			continue;
 		}
@@ -44016,45 +44115,6 @@ function attachAuthorizers(stacks, routes) {
 	return out;
 }
 /**
-* Walk every discovered route and return the service-integration routes
-* whose source CFn resource declares an authorizer (HTTP API v2 routes
-* with `AuthorizationType !== 'NONE'`). Service-integration routes only
-* exist on `AWS::ApiGatewayV2::Route`; REST v1 service integrations are
-* a different shape and not yet supported.
-*/
-function findIgnoredServiceIntegrationAuthorizers(stacks, routes) {
-	const stackByRoute = /* @__PURE__ */ new Map();
-	for (const stack of stacks) {
-		const prefix = `${stack.stackName}/`;
-		for (const route of routes) if (route.declaredAt.startsWith(prefix)) stackByRoute.set(route.declaredAt, stack);
-	}
-	const out = [];
-	for (const route of routes) {
-		if (!route.serviceIntegration) continue;
-		const stack = stackByRoute.get(route.declaredAt);
-		if (!stack) continue;
-		const slash = route.declaredAt.indexOf("/");
-		if (slash < 0) continue;
-		const logicalId = route.declaredAt.slice(slash + 1);
-		const resource = stack.template.Resources?.[logicalId];
-		if (!resource || resource.Type !== "AWS::ApiGatewayV2::Route") continue;
-		const props = resource.Properties ?? {};
-		const authType = props["AuthorizationType"];
-		if (typeof authType !== "string" || authType === "" || authType.toUpperCase() === "NONE") continue;
-		let authorizerName;
-		if (authType === "AWS_IAM") authorizerName = "AWS_IAM";
-		else {
-			const ref = props["AuthorizerId"];
-			authorizerName = (ref && typeof ref === "object" && "Ref" in ref && typeof ref.Ref === "string" ? ref.Ref : void 0) ?? `<authType=${authType}, AuthorizerId malformed>`;
-		}
-		out.push({
-			declaredAt: route.declaredAt,
-			authorizerName
-		});
-	}
-	return out;
-}
-/**
 * Detect the authorizer (if any) attached to a discovered route.
 * Walks the original CFn resource for the route in `stack.template`.
 */
@@ -45325,6 +45385,11 @@ function resolveSingleReference(ref, ctx) {
 	}
 	if (ref.startsWith("$context.")) {
 		const key = ref.substring(9);
+		if (key === "authorizer" || key.startsWith("authorizer.")) {
+			if (!ctx.authorizer) return "";
+			if (key === "authorizer") return JSON.stringify(ctx.authorizer);
+			return resolveAuthorizerPath(ctx.authorizer, key.substring(11));
+		}
 		return ctx.context[key] ?? "";
 	}
 	if (ref.startsWith("$stageVariables.")) {
@@ -45368,6 +45433,36 @@ function resolveBodyJsonPath(body, path) {
 	if (typeof cursor === "string") return cursor;
 	return JSON.stringify(cursor);
 }
+/**
+* Walk a dot-separated path against the authorizer verdict map (#502).
+* Used by `$context.authorizer.X` selection expressions on
+* service-integration routes. Mirrors `resolveBodyJsonPath`'s shape:
+*   - Empty leaf / undefined → `""`.
+*   - String leaf → returned verbatim.
+*   - Non-string leaf → `JSON.stringify`'d (matches AWS-deployed
+*     behavior; `$context.authorizer.jwt.claims` resolves to the JSON
+*     object as a string).
+*
+* Array indexing via `[N]` is supported (rare for authorizer
+* verdicts but cheap to support).
+*/
+function resolveAuthorizerPath(authorizer, path) {
+	if (path === "") return "";
+	const segments = path.split(/\.|\[(\d+)\]/).filter((s) => s !== void 0 && s !== "");
+	let cursor = authorizer;
+	for (const seg of segments) {
+		if (cursor === null || cursor === void 0) return "";
+		if (typeof cursor !== "object") return "";
+		if (Array.isArray(cursor)) {
+			const idx = Number(seg);
+			if (!Number.isInteger(idx)) return "";
+			cursor = cursor[idx];
+		} else cursor = cursor[seg];
+	}
+	if (cursor === void 0 || cursor === null) return "";
+	if (typeof cursor === "string") return cursor;
+	return JSON.stringify(cursor);
+}
 
 //#endregion
 //#region src/local/http-server.ts
@@ -45469,10 +45564,6 @@ async function handleRequest(req, res, state, opts) {
 		writeNotImplemented(res, match.route.unsupported.reason);
 		return;
 	}
-	if (match.route.serviceIntegration) {
-		await handleServiceIntegrationRequest(req, res, match, bodyBuf, opts);
-		return;
-	}
 	const authorizer = state.routes.find((r) => r.route.declaredAt === match.route.declaredAt && r.route.method === match.route.method)?.authorizer;
 	const clientCert = opts.mtls ? extractClientCert(req) : void 0;
 	const snapshot = {
@@ -45507,6 +45598,10 @@ async function handleRequest(req, res, state, opts) {
 		const overlay = buildOverlay(authorizer, authResult);
 		if (overlay) baseEvent = applyAuthorizerOverlay(baseEvent, overlay);
 	}
+	if (match.route.serviceIntegration) {
+		await handleServiceIntegrationRequest(req, res, match, bodyBuf, opts, authorizer, authResult);
+		return;
+	}
 	if (match.route.restV1Integration) {
 		try {
 			writeIntegrationOutcome(res, await dispatchRestV1Integration(match.route.restV1Integration, snapshot, matchCtx, state, opts));
@@ -46072,7 +46167,7 @@ function writeError(res, statusCode, body = "{\"message\":\"Internal server erro
 * auth pass. A follow-up PR can hoist the auth pass earlier — keeping it
 * out of this PR limits the blast radius.
 */
-async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts) {
+async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts, authorizer, authResult) {
 	const route = match.route;
 	const svc = route.serviceIntegration;
 	if (!svc) {
@@ -46084,6 +46179,7 @@ async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts) {
 	const queryString = parseQueryStringSingular(rawUrl);
 	const requestPath = rawUrl.split("?")[0] ?? "/";
 	const context = buildServiceIntegrationContextVars(req, route);
+	const authorizerCtx = buildAuthorizerContextForServiceIntegration(authorizer, authResult);
 	const ctx = {
 		headers: headersFlat,
 		queryString,
@@ -46091,7 +46187,8 @@ async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts) {
 		requestPath,
 		body: bodyBuf.toString("utf8"),
 		context,
-		stageVariables: route.stageVariables ?? {}
+		stageVariables: route.stageVariables ?? {},
+		...authorizerCtx && { authorizer: authorizerCtx }
 	};
 	const outcome = resolveServiceIntegrationParameters(svc.requestParameters, ctx);
 	if (outcome.kind === "error") {
@@ -46162,6 +46259,44 @@ function buildServiceIntegrationContextVars(req, route) {
 	};
 }
 /**
+* Build the `authorizer` field for the parameter-mapping context on
+* service-integration routes (#502). Surfaces the authorizer's verdict
+* in the same shape `applyAuthorizerOverlay` writes onto the Lambda
+* event so users can reference `$context.authorizer.X` /
+* `$context.authorizer.jwt.claims.X` / `$context.authorizer.claims.X`
+* in `RequestParameters`.
+*
+* Per-kind shape:
+*   - Lambda authorizers (`lambda-token` / `lambda-request` / `iam`):
+*     `principalId` + flat `context` fields land at the top level
+*     (`$context.authorizer.principalId`, `$context.authorizer.<key>`).
+*   - Cognito (REST v1): claims under `$context.authorizer.claims.X`.
+*   - JWT (HTTP v2): claims under `$context.authorizer.jwt.claims.X` +
+*     `$context.authorizer.jwt.scopes`.
+*
+* Returns `undefined` when no authorizer fired (route had
+* `AuthorizationType: NONE` / no authorizer attached).
+*/
+function buildAuthorizerContextForServiceIntegration(authorizer, result) {
+	if (!authorizer || !result) return void 0;
+	if (authorizer.kind === "lambda-token" || authorizer.kind === "lambda-request") {
+		const ctx = {};
+		if (result.principalId !== void 0) ctx["principalId"] = result.principalId;
+		if (result.context) Object.assign(ctx, result.context);
+		return ctx;
+	}
+	if (authorizer.kind === "iam") {
+		const ctx = {};
+		if (result.principalId !== void 0) ctx["principalId"] = result.principalId;
+		return ctx;
+	}
+	if (authorizer.kind === "cognito") return { claims: { ...result.context ?? {} } };
+	return { jwt: {
+		claims: { ...result.context ?? {} },
+		scopes: []
+	} };
+}
+/**
 * Write the 501 Not Implemented response surfaced for routes the
 * discovery layer flagged as `unsupported`. The integration's reason
 * (e.g. "MOCK integration is not emulated", "WebSocket APIs are not
@@ -46923,7 +47058,6 @@ async function localStartApiCommand(target, options) {
 	warnVpcConfigLambdas(initialMaterial.routes, initialMaterial.stacks ?? []);
 	sigV4CredentialsLoader = defaultCredentialsLoader();
 	warnIamRoutes(initialMaterial.routes);
-	warnIgnoredServiceIntegrationAuthorizers(initialMaterial.routes, initialMaterial.stacks ?? []);
 	let maxTimeoutSec = 0;
 	for (const spec of initialMaterial.specs.values()) if (spec.lambda.timeoutSec > maxTimeoutSec) maxTimeoutSec = spec.lambda.timeoutSec;
 	const rieTimeoutMs = Math.max(3e4, maxTimeoutSec * 2 * 1e3);
@@ -47185,27 +47319,6 @@ function warnIamRoutes(routesWithAuth) {
 	return true;
 }
 /**
-* #458 / PR #500 review: emit a one-line warn naming every service-
-* integration route whose source CFn resource declares an authorizer
-* (HTTP API v2 routes with `AuthorizationType !== 'NONE'`). The
-* dispatcher in `http-server.ts` runs the SDK call BEFORE the
-* authorizer pass would fire, so without this warn a CDK app that
-* wires JWT / Lambda / Cognito / IAM authorizers onto service
-* integrations would silently let every local request reach the SDK
-* call without auth. Threading the auth pass through the
-* service-integration dispatcher is a follow-up issue. Returns the
-* number of warned routes so tests can assert the firing path; the
-* value is otherwise unused.
-*/
-function warnIgnoredServiceIntegrationAuthorizers(routesWithAuth, stacks) {
-	const logger = getLogger();
-	const ignored = findIgnoredServiceIntegrationAuthorizers(stacks, routesWithAuth.map((entry) => entry.route));
-	if (ignored.length === 0) return 0;
-	logger.warn(`${ignored.length} HTTP API v2 service-integration route(s) declare an authorizer but cdkd local start-api dispatches the SDK call BEFORE the authorizer pass — every local request reaches the SDK call WITHOUT authentication. This is a deferred feature; see https://github.com/go-to-k/cdkd/issues/502 for the follow-up tracking issue.`);
-	for (const entry of ignored) logger.warn(`  - ${entry.declaredAt}: authorizer '${entry.authorizerName}' is configured but ignored`);
-	return ignored.length;
-}
-/**
 * Build the per-Lambda container spec — code dir, env vars (template +
 * --env-vars overlay), STS-issued creds when --assume-role names this
 * Lambda, optional --debug-port reservation. Errors out with a clear
@@ -51774,7 +51887,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.132.3");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.133.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());