@go-to-k/cdkd 0.167.0 → 0.167.2

package/dist/cli.js

@@ -62,7 +62,7 @@ import { CreateVectorBucketCommand, DeleteIndexCommand, DeleteVectorBucketComman
 import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient } from "@aws-sdk/client-s3tables";
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
-import { mkdir, mkdtemp } from "node:fs/promises";
+import { mkdir, mkdtemp, rm, writeFile } from "node:fs/promises";
 import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import { createServer } from "node:net";
@@ -46251,12 +46251,22 @@ async function invokeRieStreaming(host, port, event, timeoutMs) {
 			throw new Error(`RIE streaming response did not emit the prelude/body separator within ${STREAM_PRELUDE_MAX_BYTES} bytes. The handler likely did not call awslambda.HttpResponseStream.from(stream, metadata).`);
 		}
 	}
+	let preludeSynthesized = false;
 	if (separatorIdx < 0) {
-		clearTimeout(timer);
-		throw new Error(`RIE streaming response ended before the prelude/body separator (got ${preludeBytes.length} bytes). The handler likely threw before streaming the prelude — check container logs.`);
+		if (preludeBytes.length === 0) {
+			clearTimeout(timer);
+			throw new Error(`RIE streaming response ended with zero bytes. The handler likely threw before any write — check container logs.`);
+		}
+		preludeSynthesized = true;
+		bodyTail = preludeBytes;
+		preludeBytes = Buffer.alloc(0);
 	}
 	let prelude;
-	try {
+	if (preludeSynthesized) prelude = {
+		statusCode: 200,
+		headers: { "Content-Type": "application/octet-stream" }
+	};
+	else try {
 		prelude = parseStreamingPrelude(preludeBytes.toString("utf8"));
 	} catch (err) {
 		clearTimeout(timer);
@@ -46510,6 +46520,62 @@ function singleFlight(fn, onError) {
 	};
 }
 
+//#endregion
+//#region src/cli/commands/local-profile-credentials-file.ts
+/**
+* Path inside the container where the credentials file is mounted. Fixed
+* (not user-configurable) so the env-var injection is stable. `/cdkd-aws/`
+* is outside `/var/task` (the Lambda code mount) and outside `/root/`
+* (which the user's handler may bind-mount or modify), so there is no
+* collision risk with the user's payload.
+*/
+const CONTAINER_AWS_CREDENTIALS_PATH = "/cdkd-aws/credentials";
+/**
+* Write a temporary AWS shared-credentials file containing the resolved
+* `--profile <name>` credentials, ready to bind-mount into a Lambda
+* container at {@link CONTAINER_AWS_CREDENTIALS_PATH}.
+*
+* The file content is the standard `[profile-name]` INI shape:
+*
+*   [<profileName>]
+*   aws_access_key_id = <accessKeyId>
+*   aws_secret_access_key = <secretAccessKey>
+*   aws_session_token = <sessionToken>   ← only when present
+*
+* `aws_session_token` is omitted when the resolved profile produced
+* long-lived (non-STS) credentials, mirroring the same logic
+* `applyProfileCredentialsOverlay` uses for env-var injection.
+*
+* Caller is responsible for invoking `dispose()` when the container pool
+* tears down (e.g., on `SIGINT` via `singleFlight` cleanup). Leaving the
+* file behind in `/tmp` is a security smell (temp credentials live on
+* disk).
+*/
+async function writeProfileCredentialsFile(profileName, creds) {
+	if (profileName === "") throw new Error("writeProfileCredentialsFile: profile name must not be empty.");
+	if (/[\r\n[\]]/.test(profileName)) throw new Error(`writeProfileCredentialsFile: profile name '${profileName}' contains a forbidden character (any of CR, LF, '[', ']' would corrupt the INI file or the docker -e env var).`);
+	const dir = await mkdtemp(path.join(tmpdir(), "cdkd-profile-creds-"));
+	const hostPath = path.join(dir, "credentials");
+	const lines = [
+		`[${profileName}]`,
+		`aws_access_key_id = ${creds.accessKeyId}`,
+		`aws_secret_access_key = ${creds.secretAccessKey}`
+	];
+	if (creds.sessionToken) lines.push(`aws_session_token = ${creds.sessionToken}`);
+	await writeFile(hostPath, lines.join("\n") + "\n", { mode: 384 });
+	return {
+		hostPath,
+		containerPath: CONTAINER_AWS_CREDENTIALS_PATH,
+		profileName,
+		dispose: async () => {
+			await rm(dir, {
+				recursive: true,
+				force: true
+			});
+		}
+	};
+}
+
 //#endregion
 //#region src/local/intrinsic-lambda-arn.ts
 /**
@@ -50500,6 +50566,11 @@ function createContainerPool(specs, options) {
 				containerPath: "/opt",
 				readOnly: true
 			}] : [];
+			const extraMounts = spec.profileCredentialsFile ? [...optMount, {
+				hostPath: spec.profileCredentialsFile.hostPath,
+				containerPath: spec.profileCredentialsFile.containerPath,
+				readOnly: true
+			}] : optMount;
 			const containerCodePath = resolveRuntimeCodeMountPath(spec.lambda.runtime);
 			containerId = await runDetached({
 				image: resolveRuntimeImage(spec.lambda.runtime),
@@ -50508,7 +50579,7 @@ function createContainerPool(specs, options) {
 					containerPath: containerCodePath,
 					readOnly: true
 				}],
-				extraMounts: optMount,
+				extraMounts,
 				env: spec.env,
 				cmd: [spec.lambda.handler],
 				hostPort,
@@ -50521,6 +50592,11 @@ function createContainerPool(specs, options) {
 		} else containerId = await runDetached({
 			image: spec.image,
 			mounts: [],
+			...spec.profileCredentialsFile && { extraMounts: [{
+				hostPath: spec.profileCredentialsFile.hostPath,
+				containerPath: spec.profileCredentialsFile.containerPath,
+				readOnly: true
+			}] },
 			env: spec.env,
 			cmd: spec.command,
 			hostPort,
@@ -55013,6 +55089,7 @@ async function localStartApiCommand(target, options) {
 	const perLambdaConcurrency = parsePerLambdaConcurrency(options.perLambdaConcurrency);
 	const inlineTmpDirs = /* @__PURE__ */ new Set();
 	const layerTmpDirs = /* @__PURE__ */ new Set();
+	let profileCredsFile;
 	const lastAssetPaths = { value: [] };
 	const authorizerCache = createAuthorizerCache();
 	const jwksCache = createJwksCache();
@@ -55084,6 +55161,7 @@ async function localStartApiCommand(target, options) {
 		}
 		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
 		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
+		if (options.profile && profileCredentials && !profileCredsFile) profileCredsFile = await writeProfileCredentialsFile(options.profile, profileCredentials);
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
 		const specs = /* @__PURE__ */ new Map();
 		for (let i = 0; i < lambdaIds.length; i++) {
@@ -55101,7 +55179,8 @@ async function localStartApiCommand(target, options) {
 				stateByStack,
 				skipPull: options.pull === false,
 				...options.layerRoleArn !== void 0 && { layerRoleArn: options.layerRoleArn },
-				...profileCredentials && { profileCredentials }
+				...profileCredentials && { profileCredentials },
+				...profileCredsFile && { profileCredsFile }
 			});
 			specs.set(logicalId, spec);
 		}
@@ -55377,6 +55456,11 @@ async function localStartApiCommand(target, options) {
 		} catch (err) {
 			logger.warn(`Failed to remove merged-layers tmpdir ${dir}: ${err instanceof Error ? err.message : String(err)}`);
 		}
+		if (profileCredsFile) try {
+			await profileCredsFile.dispose();
+		} catch (err) {
+			logger.warn(`Failed to remove profile credentials tmpdir ${profileCredsFile.hostPath}: ${err instanceof Error ? err.message : String(err)}`);
+		}
 	});
 	const shutdown = async (signal, exitCode) => {
 		if (shutdownStarted) {
@@ -55535,7 +55619,7 @@ function warnIamRoutes(routesWithAuth) {
 * missing, runtime not supported).
 */
 async function buildContainerSpec(args) {
-	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn, profileCredentials } = args;
+	const { logicalId, stacks, overrides, assumeRole, containerHost, debugPort, stsRegion, inlineTmpDirs, layerTmpDirs, stateByStack, skipPull, layerRoleArn, profileCredentials, profileCredsFile } = args;
 	const lambda = resolveLambdaByLogicalId(logicalId, stacks);
 	let codeDir;
 	let optDir;
@@ -55589,6 +55673,10 @@ async function buildContainerSpec(args) {
 			if (profileCredentials.sessionToken) dockerEnv["AWS_SESSION_TOKEN"] = profileCredentials.sessionToken;
 			else delete dockerEnv["AWS_SESSION_TOKEN"];
 		}
+		if (profileCredsFile) {
+			dockerEnv["AWS_SHARED_CREDENTIALS_FILE"] = profileCredsFile.containerPath;
+			dockerEnv["AWS_PROFILE"] = profileCredsFile.profileName;
+		}
 	}
 	if (debugPort !== void 0) dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
 	const tmpfs = lambda.ephemeralStorageMb !== void 0 ? {
@@ -55603,7 +55691,11 @@ async function buildContainerSpec(args) {
 		containerHost,
 		...optDir !== void 0 && { optDir },
 		...debugPort !== void 0 && { debugPort },
-		...tmpfs !== void 0 && { tmpfs }
+		...tmpfs !== void 0 && { tmpfs },
+		...profileCredsFile && { profileCredentialsFile: {
+			hostPath: profileCredsFile.hostPath,
+			containerPath: profileCredsFile.containerPath
+		} }
 	};
 	return {
 		kind: "image",
@@ -55616,7 +55708,11 @@ async function buildContainerSpec(args) {
 		env: dockerEnv,
 		containerHost,
 		...debugPort !== void 0 && { debugPort },
-		...tmpfs !== void 0 && { tmpfs }
+		...tmpfs !== void 0 && { tmpfs },
+		...profileCredsFile && { profileCredentialsFile: {
+			hostPath: profileCredsFile.hostPath,
+			containerPath: profileCredsFile.containerPath
+		} }
 	};
 }
 /**
@@ -58918,6 +59014,7 @@ async function localInvokeCommand(target, options) {
 	let containerId;
 	let stopLogs;
 	let sigintHandler;
+	let profileCredsFile;
 	/**
 	* Unified cleanup for both the success / failure unwind path AND the
 	* SIGINT handler. Idempotent — every step guards on its own undefined
@@ -58966,6 +59063,11 @@ async function localInvokeCommand(target, options) {
 		} catch (err) {
 			getLogger().debug(`Failed to remove ARN-layer tmpdir ${dir}: ${err instanceof Error ? err.message : String(err)}`);
 		}
+		if (profileCredsFile) try {
+			await profileCredsFile.dispose();
+		} catch (err) {
+			getLogger().debug(`Failed to remove profile credentials tmpdir ${profileCredsFile.hostPath}: ${err instanceof Error ? err.message : String(err)}`);
+		}
 	}, (err) => {
 		getLogger().debug(`cleanup failed: ${err instanceof Error ? err.message : String(err)}`);
 	});
@@ -58976,6 +59078,7 @@ async function localInvokeCommand(target, options) {
 		});
 		await ensureDockerAvailable();
 		const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
+		if (options.profile && profileCredentials) profileCredsFile = await writeProfileCredentialsFile(options.profile, profileCredentials);
 		const appCmd = resolveApp(options.app);
 		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKD_APP, or add \"app\" to cdk.json.");
 		logger.info("Synthesizing CDK app...");
@@ -59076,6 +59179,10 @@ async function localInvokeCommand(target, options) {
 		if (!assumeSucceeded) {
 			forwardAwsEnv(dockerEnv);
 			applyProfileCredentialsOverlay(dockerEnv, profileCredentials, false);
+			if (profileCredsFile) {
+				dockerEnv["AWS_SHARED_CREDENTIALS_FILE"] = profileCredsFile.containerPath;
+				dockerEnv["AWS_PROFILE"] = profileCredsFile.profileName;
+			}
 		}
 		let debugPort;
 		if (options.debugPort) {
@@ -59088,10 +59195,15 @@ async function localInvokeCommand(target, options) {
 		const containerHost = options.containerHost;
 		if (lambda.layers.length > 0) logger.info(`Mounting ${lambda.layers.length} Lambda layer${lambda.layers.length === 1 ? "" : "s"} at /opt`);
 		logger.info(`Starting container (image=${imagePlan.image}, port=${hostPort})...`);
+		const extraMountsWithProfile = profileCredsFile ? [...imagePlan.extraMounts ?? [], {
+			hostPath: profileCredsFile.hostPath,
+			containerPath: profileCredsFile.containerPath,
+			readOnly: true
+		}] : imagePlan.extraMounts;
 		containerId = await runDetached({
 			image: imagePlan.image,
 			mounts: imagePlan.mounts,
-			extraMounts: imagePlan.extraMounts,
+			extraMounts: extraMountsWithProfile,
 			env: dockerEnv,
 			cmd: imagePlan.cmd,
 			hostPort,
@@ -60770,7 +60882,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.167.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.167.2");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());