@go-to-k/cdkd 0.137.0 → 0.137.2

package/dist/cli.js

@@ -41144,11 +41144,19 @@ function collectAuthRoutesForApi(apiLogicalId, template, _stackName) {
 		const props = resource.Properties ?? {};
 		if (pickRefLogicalId$2(props["ApiId"]) !== apiLogicalId) continue;
 		const authType = props["AuthorizationType"];
-		if (typeof authType !== "string" || authType.length === 0) continue;
-		if (authType === "NONE") continue;
+		if (authType === void 0) continue;
 		const routeKey = props["RouteKey"];
+		const routeKeyForReport = typeof routeKey === "string" ? routeKey : "<unknown>";
+		if (typeof authType !== "string" || authType.length === 0) {
+			result.push({
+				routeKey: routeKeyForReport,
+				authorizationType: "<intrinsic-or-malformed>"
+			});
+			continue;
+		}
+		if (authType === "NONE") continue;
 		result.push({
-			routeKey: typeof routeKey === "string" ? routeKey : "<unknown>",
+			routeKey: routeKeyForReport,
 			authorizationType: authType
 		});
 	}
@@ -41506,6 +41514,24 @@ function parseConnectionsPath(url) {
 	return { connectionId: decoded };
 }
 /**
+* Build the per-Lambda env-var URL the cdkd local server injects as
+* `AWS_ENDPOINT_URL_APIGATEWAYMANAGEMENTAPI`. The URL MUST include the
+* `/<stage>` segment to mirror the AWS-deployed apigatewaymanagementapi
+* endpoint `https://<api-id>.execute-api.<region>.amazonaws.com/<stage>`:
+* SDK clients built from `domainName + stage` produce
+* `POST /<stage>/@connections/<id>`, and the local `parseConnectionsPath`
+* regex above requires the matching prefix. Without `/<stage>` the
+* deployed-shape SDK call hits a 404 against the local parser
+* (BLOCKER B1, #526).
+*
+* Lives next to `parseConnectionsPath` so the producer + consumer of
+* the URL shape stay in lockstep — change one, the other's tests fail.
+* Issue #537 item 7.
+*/
+function buildMgmtEndpointEnvUrl(host, port, stage) {
+	return `http://${host}:${port}/${stage}`;
+}
+/**
 * `decodeURIComponent` throws `URIError` on malformed input
 * (`%`-escape with non-hex tail). We treat that as a not-found rather
 * than a server error — symmetric with AWS-deployed behavior, which
@@ -41632,6 +41658,38 @@ function writeJson(res, status, body) {
 	res.end(json);
 }
 
+//#endregion
+//#region src/local/websocket-body.ts
+/**
+* Convert a ws-emitted message buffer into the AWS-canonical event
+* body + `isBase64Encoded` discriminator. Text frames (opcode 0x1) pass
+* through as UTF-8 with `isBase64Encoded: false`; binary frames
+* (opcode 0x2) are base64-encoded with `isBase64Encoded: true`. Matches
+* AWS-deployed WebSocket API event shape exactly — handlers decode via
+* `Buffer.from(event.body, event.isBase64Encoded ? 'base64' : 'utf8')`.
+*
+* Closes the data-integrity bug where every byte > 0x7F on a binary
+* frame was silently corrupted by handlers that trusted the previously
+* hardcoded `isBase64Encoded: false` flag and UTF-8-decoded the
+* base64-encoded body.
+*
+* Lives in its own module so the B4 regression test can install a
+* `vi.fn()` spy that intercepts EVERY call — same-module references in
+* `websocket-server.ts` would bypass the export-binding spy. See
+* Issue #537 item 6.
+*/
+function bufferToBody(raw, isBinary) {
+	const buf = Array.isArray(raw) ? Buffer.concat(raw) : Buffer.isBuffer(raw) ? raw : Buffer.from(raw);
+	if (isBinary) return {
+		body: buf.toString("base64"),
+		isBase64Encoded: true
+	};
+	return {
+		body: buf.toString("utf-8"),
+		isBase64Encoded: false
+	};
+}
+
 //#endregion
 //#region src/local/websocket-server.ts
 /**
@@ -41682,6 +41740,16 @@ function attachWebSocketServer(opts) {
 		apisByPath.set(cfg.apiPath, cfg);
 		apiPaths.push(cfg.apiPath);
 	}
+	const dispatchChainsByConnection = /* @__PURE__ */ new Map();
+	const enqueueDispatch = (connectionId, work) => {
+		const next = (dispatchChainsByConnection.get(connectionId) ?? Promise.resolve()).then(work);
+		dispatchChainsByConnection.set(connectionId, next);
+		next.finally(() => {
+			if (dispatchChainsByConnection.get(connectionId) === next) dispatchChainsByConnection.delete(connectionId);
+		});
+		return next;
+	};
+	const inFlightDisconnects = /* @__PURE__ */ new Set();
 	const upgradeListener = (req, socket, head) => {
 		const pathOnly = (req.url ?? "/").split("?", 1)[0];
 		const cfg = apisByPath.get(pathOnly);
@@ -41719,7 +41787,7 @@ function attachWebSocketServer(opts) {
 			if (preVerdictFrames.length >= MAX_PRE_VERDICT_FRAMES) {
 				if (!preVerdictOverflow) {
 					preVerdictOverflow = true;
-					logger.warn(`WebSocket connection ${connectionId}: pre-verdict message buffer overflowed (>${MAX_PRE_VERDICT_FRAMES} frames). Excess frames dropped — client is sending faster than the $connect handler can resolve.`);
+					logger.warn(`WebSocket connection ${connectionId}: pre-verdict message buffer overflowed (>${MAX_PRE_VERDICT_FRAMES} frames). Excess frames dropped — client is sending faster than the $connect handler can resolve. (api=${cfg.api.declaredAt})`);
 				}
 				return;
 			}
@@ -41761,7 +41829,7 @@ function attachWebSocketServer(opts) {
 		ws.on("message", (raw, isBinary) => {
 			const { body, isBase64Encoded } = bufferToBody(raw, isBinary);
 			logger.debug(`WebSocket message received for connection ${connectionId}: ${body.slice(0, 200)}`);
-			dispatchMessage(connectionId, cfg, body, isBase64Encoded, handshakeSnapshot).catch((err) => {
+			enqueueDispatch(connectionId, () => dispatchMessage(connectionId, cfg, body, isBase64Encoded, handshakeSnapshot).catch((err) => {
 				logger.error(`WebSocket message dispatch failed (connection ${connectionId}): ${err instanceof Error ? err.stack ?? err.message : String(err)}`);
 				try {
 					ws.send(JSON.stringify({
@@ -41770,11 +41838,16 @@ function attachWebSocketServer(opts) {
 						requestId: randomUUID()
 					}));
 				} catch {}
-			});
+			}));
 		});
 		ws.on("close", (code, reason) => {
-			onDisconnect(connectionId, cfg, handshakeSnapshot, code, reason.toString("utf-8")).catch((err) => {
+			const reasonText = reason.toString("utf-8");
+			const disconnectPromise = enqueueDispatch(connectionId, () => onDisconnect(connectionId, cfg, handshakeSnapshot, code, reasonText).catch((err) => {
 				logger.warn(`WebSocket $disconnect dispatch failed (connection ${connectionId}): ${err instanceof Error ? err.message : String(err)}`);
+			}));
+			inFlightDisconnects.add(disconnectPromise);
+			disconnectPromise.finally(() => {
+				inFlightDisconnects.delete(disconnectPromise);
 			});
 		});
 		ws.on("error", (err) => {
@@ -41782,9 +41855,9 @@ function attachWebSocketServer(opts) {
 		});
 		for (const frame of preVerdictFrames) {
 			const { body, isBase64Encoded } = bufferToBody(frame.raw, frame.isBinary);
-			dispatchMessage(connectionId, cfg, body, isBase64Encoded, handshakeSnapshot).catch((err) => {
+			enqueueDispatch(connectionId, () => dispatchMessage(connectionId, cfg, body, isBase64Encoded, handshakeSnapshot).catch((err) => {
 				logger.error(`WebSocket buffered-message dispatch failed (connection ${connectionId}): ${err instanceof Error ? err.stack ?? err.message : String(err)}`);
-			});
+			}));
 		}
 		preVerdictFrames.length = 0;
 	};
@@ -41830,6 +41903,7 @@ function attachWebSocketServer(opts) {
 		});
 		await invokeRoute(disconnectRoute.targetLambdaLogicalId, event, opts.pool, rieTimeoutMs);
 	};
+	const SHUTDOWN_DRAIN_MS = 5e3;
 	let closed = false;
 	return {
 		registry,
@@ -41852,6 +41926,11 @@ function attachWebSocketServer(opts) {
 				}, 5e3).unref();
 			}));
 			await Promise.all(closes);
+			if (inFlightDisconnects.size > 0) {
+				const drainStartCount = inFlightDisconnects.size;
+				const drainComplete = Promise.allSettled(Array.from(inFlightDisconnects));
+				if (await Promise.race([drainComplete.then(() => "complete"), new Promise((resolve) => setTimeout(() => resolve("timeout"), SHUTDOWN_DRAIN_MS).unref())]) === "timeout" && inFlightDisconnects.size > 0) logger.warn(`WebSocket graceful shutdown drained for ${SHUTDOWN_DRAIN_MS}ms; ${inFlightDisconnects.size}/${drainStartCount} $disconnect handlers still in flight — leaking past shutdown.`);
+			}
 			await new Promise((resolve) => {
 				wss.close(() => resolve());
 			});
@@ -42015,28 +42094,93 @@ function safeDecode$1(s) {
 		return null;
 	}
 }
+
+//#endregion
+//#region src/local/docker-version.ts
+/**
+* Lower bound for `--add-host=<name>:host-gateway` support. The
+* `host-gateway` magic alias was introduced in Docker 20.10 (October
+* 2020) and is the load-bearing primitive cdkd uses to let Lambda
+* containers reach the host's `cdkd local start-api` server on Linux
+* native dockerd. Without it, the AWS_ENDPOINT_URL_APIGATEWAYMANAGEMENTAPI
+* override fails with `ENOTFOUND host.docker.internal` at SDK-call time.
+*
+* Docker Desktop (macOS / Windows) ships `host.docker.internal` as
+* a built-in alias regardless of the engine version, but the probe
+* still fires there to keep the error path uniform — the `host-gateway`
+* flag itself is harmless on Docker Desktop.
+*
+* Issue #527 M2.
+*/
+const HOST_GATEWAY_MIN_VERSION = {
+	major: 20,
+	minor: 10,
+	patch: 0
+};
 /**
-* Convert a ws-emitted message buffer into the AWS-canonical event
-* body + `isBase64Encoded` discriminator. Text frames (opcode 0x1) pass
-* through as UTF-8 with `isBase64Encoded: false`; binary frames
-* (opcode 0x2) are base64-encoded with `isBase64Encoded: true`. Matches
-* AWS-deployed WebSocket API event shape exactly — handlers decode via
-* `Buffer.from(event.body, event.isBase64Encoded ? 'base64' : 'utf8')`.
-*
-* Closes the data-integrity bug where every byte > 0x7F on a binary
-* frame was silently corrupted by handlers that trusted the previously
-* hardcoded `isBase64Encoded: false` flag and UTF-8-decoded the
-* base64-encoded body.
+* Parse a Docker server version string (`20.10.21` / `24.0.7-rd` /
+* `27.3.1+podman` etc.) into a comparable `{major, minor, patch}` tuple.
+* Returns `null` on any unparseable input — the caller treats that as
+* "version unknown, skip the comparison and let the user proceed with
+* a warn" rather than hard-failing on a Docker-compatible CLI binary
+* that doesn't follow Docker's version-string conventions
+* (e.g. podman / finch).
 */
-function bufferToBody(raw, isBinary) {
-	const buf = Array.isArray(raw) ? Buffer.concat(raw) : Buffer.isBuffer(raw) ? raw : Buffer.from(raw);
-	if (isBinary) return {
-		body: buf.toString("base64"),
-		isBase64Encoded: true
+function parseDockerVersion(raw) {
+	const trimmed = raw.trim();
+	const match = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(trimmed);
+	if (!match) return null;
+	return {
+		major: Number(match[1]),
+		minor: Number(match[2]),
+		patch: match[3] !== void 0 ? Number(match[3]) : 0
+	};
+}
+/**
+* Compare two `ParsedDockerVersion` tuples. Returns negative when `a <
+* b`, zero when equal, positive when `a > b`. Patch-level differences
+* are part of the ordering so a future bump (e.g. 20.10.0 -> 20.10.5
+* to fix a CVE-related regression) can be expressed if needed.
+*/
+function compareDockerVersions(a, b) {
+	if (a.major !== b.major) return a.major - b.major;
+	if (a.minor !== b.minor) return a.minor - b.minor;
+	return a.patch - b.patch;
+}
+/**
+* Probe the Docker server's version to gate the `--add-host=...:host-gateway`
+* mapping that WebSocket Lambda containers need to reach the host
+* server. Issued ONCE per `cdkd local start-api` invocation at WebSocket
+* attach time — HTTP-only / REST-only sessions skip the probe entirely.
+*
+* Throws when:
+*   1. The docker subprocess itself fails (binary missing, daemon down,
+*      permission error) — the caller's catch surfaces the original
+*      error so the user knows to install / start Docker.
+*   2. The probe succeeds but the parsed version is < the supported
+*      minimum — caller decides whether to error or warn (the WebSocket
+*      attach loop errors; HTTP-only sessions never call this).
+*
+* Implementation: `docker version --format '{{.Server.Version}}'`
+* returns the daemon's version (not the client's) so a brand-new
+* client against an old daemon is still caught.
+*/
+async function probeHostGatewaySupport() {
+	const rawVersion = (await runDockerStreaming([
+		"version",
+		"--format",
+		"{{.Server.Version}}"
+	], { streamLive: false })).stdout.trim();
+	const parsed = parseDockerVersion(rawVersion);
+	if (rawVersion === "") return {
+		rawVersion,
+		parsed: null,
+		supported: false
 	};
 	return {
-		body: buf.toString("utf-8"),
-		isBase64Encoded: false
+		rawVersion,
+		parsed,
+		supported: parsed === null || compareDockerVersions(parsed, HOST_GATEWAY_MIN_VERSION) >= 0
 	};
 }
 
@@ -48007,6 +48151,11 @@ async function localStartApiCommand(target, options) {
 	const wsServers = [];
 	const initialWsApis = initialMaterial.webSocketApis ?? [];
 	warnUnsupportedWebSocketApis(initialWsApis, logger);
+	if (initialWsApis.filter((api) => !api.unsupported).length > 0) {
+		const probe = await probeHostGatewaySupport();
+		if (!probe.supported) throw new Error(`cdkd local start-api requires Docker ${HOST_GATEWAY_MIN_VERSION.major}.${HOST_GATEWAY_MIN_VERSION.minor}+ for WebSocket API support (--add-host=host.docker.internal:host-gateway needs the 20.10 host-gateway alias). Detected server version: ${probe.rawVersion || "<empty — daemon unreachable or output stripped>"}. Upgrade Docker, or remove the WebSocket API from this app to fall back to HTTP-only start-api.`);
+		if (probe.parsed === null) logger.warn(`Docker server version "${probe.rawVersion}" did not match the canonical "<major>.<minor>" shape; assuming host-gateway support. If WebSocket containers fail to reach the local server, verify your Docker-compatible CLI honors --add-host=host.docker.internal:host-gateway.`);
+	}
 	for (const api of initialWsApis) {
 		if (api.unsupported) continue;
 		const wsLambdaIds = new Set(api.routes.map((r) => r.targetLambdaLogicalId));
@@ -48052,7 +48201,7 @@ async function localStartApiCommand(target, options) {
 			}]
 		});
 		registryRef = attached;
-		const mgmtEndpoint = `http://host.docker.internal:${started.port}/${api.stage}`;
+		const mgmtEndpoint = buildMgmtEndpointEnvUrl("host.docker.internal", started.port, api.stage);
 		const hostGatewayMapping = [{
 			host: "host.docker.internal",
 			ip: "host-gateway"
@@ -53981,7 +54130,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.137.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.137.2");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());