@go-to-k/cdkd 0.198.0 → 0.200.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
-import { $ as uploadCfnTemplate, A as S3StateBackend, At as PATTERN_B_NAME_PROPERTIES, B as Synthesizer, C as assertRegionMatch, Ct as normalizeAwsError, D as DagBuilder, E as DiffCalculator, Et as getLogger, F as buildDockerImage, Ft as withStackName, G as resolveSkipPrefix, H as getLegacyStateBucketName, I as formatDockerLoginError, J as warnDeprecatedNoPrefixCliFlag, K as resolveStateBucketWithDefault, L as getDockerCmd, M as AssetPublisher, Mt as generateResourceName, N as stringifyValue, Nt as generateResourceNameWithFallback, O as TemplateParser, Ot as runStackBuffered, P as WorkGraph, Pt as withSkipPrefix, Q as findLargeInlineResources, R as runDockerForeground, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveApp, V as getDefaultStateBucketName, W as resolveCaptureObservedState, X as CFN_TEMPLATE_URL_LIMIT, Y as CFN_TEMPLATE_BODY_LIMIT, Z as MIGRATE_TMP_PREFIX, _ as matchesCdkPath, _t as StackHasActiveImportsError, a as withRetry, b as ProviderRegistry, c as bold, ct as LocalMigrateError, d as green, dt as MissingCdkCliError, et as AssemblyReader, f as red, ft as NestedStackChildDirectDestroyError, g as CDK_PATH_TAG, gt as ResourceUpdateNotSupportedError, h as collectInlinePolicyNamesManagedBySiblings, ht as ResourceTimeoutError, i as withResourceDeadline, it as CdkdError, j as shouldRetainResource, jt as PATTERN_B_RESOURCE_TYPES, k as LockManager, kt as getLiveRenderer, l as cyan, lt as LocalStartServiceError, m as IAMRoleProvider, mt as ProvisioningError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as resolveBucketRegion, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as PartialFailureError, q as resolveStateBucketWithDefaultAndSource, r as DeployEngine, s as formatResourceLine, st as LocalInvokeBuildError$1, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, v as normalizeAwsTagsToCfn, vt as StackTerminationProtectionError, w as IntrinsicFunctionResolver, wt as withErrorHandling, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, z as runDockerStreaming } from "./deploy-engine-B3Xc-bxB.js";
+import { $ as uploadCfnTemplate, A as S3StateBackend, At as PATTERN_B_NAME_PROPERTIES, B as Synthesizer, C as assertRegionMatch, Ct as normalizeAwsError, D as DagBuilder, E as DiffCalculator, Et as getLogger, F as buildDockerImage, Ft as withStackName, G as resolveSkipPrefix, H as getLegacyStateBucketName, I as formatDockerLoginError, J as warnDeprecatedNoPrefixCliFlag, K as resolveStateBucketWithDefault, L as getDockerCmd, M as AssetPublisher, Mt as generateResourceName, N as stringifyValue, Nt as generateResourceNameWithFallback, O as TemplateParser, Ot as runStackBuffered, P as WorkGraph, Pt as withSkipPrefix, Q as findLargeInlineResources, R as runDockerForeground, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveApp, V as getDefaultStateBucketName, W as resolveCaptureObservedState, X as CFN_TEMPLATE_URL_LIMIT, Y as CFN_TEMPLATE_BODY_LIMIT, Z as MIGRATE_TMP_PREFIX, _ as matchesCdkPath, _t as StackHasActiveImportsError, a as withRetry, b as ProviderRegistry, c as bold, ct as LocalMigrateError, d as green, dt as MissingCdkCliError, et as AssemblyReader, f as red, ft as NestedStackChildDirectDestroyError, g as CDK_PATH_TAG, gt as ResourceUpdateNotSupportedError, h as collectInlinePolicyNamesManagedBySiblings, ht as ResourceTimeoutError, i as withResourceDeadline, it as CdkdError, j as shouldRetainResource, jt as PATTERN_B_RESOURCE_TYPES, k as LockManager, kt as getLiveRenderer, l as cyan, lt as LocalStartServiceError, m as IAMRoleProvider, mt as ProvisioningError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as resolveBucketRegion, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as PartialFailureError, q as resolveStateBucketWithDefaultAndSource, r as DeployEngine, s as formatResourceLine, st as LocalInvokeBuildError$1, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, v as normalizeAwsTagsToCfn, vt as StackTerminationProtectionError, w as IntrinsicFunctionResolver, wt as withErrorHandling, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, z as runDockerStreaming } from "./deploy-engine-DAPAdI1e.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -62,7 +62,7 @@ import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
 import { createLocalStateProvider, getEmbedConfig, isCfnFlagPresent, listTargets, rejectExplicitCfnStackWithMultipleStacks, resolveCfnFallbackRegion, setEmbedConfig, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync } from "cdk-local";
-import { A2A_CONTAINER_PORT, A2A_PATH, AGENTCORE_A2A_PROTOCOL, AGENTCORE_AGUI_PROTOCOL, AGENTCORE_MCP_PROTOCOL, ConnectionRegistry, EcsTaskResolutionError, HOST_GATEWAY_MIN_VERSION, LocalInvokeBuildError, MCP_CONTAINER_PORT, MCP_PATH, a2aInvokeOnce, addCommonEcsServiceOptions, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildAgentCoreCodeImage, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildJwksUrlFromIssuer, buildMessageEvent, buildMgmtEndpointEnvUrl, buildStageMap, createAuthorizerCache, createFileWatcher, createJwksCache, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, downloadAndExtractS3Bundle, filterRoutesByApiIdentifier, groupRoutesByServer, handleConnectionsRequest, invokeAgentCore, invokeAgentCoreWs, isApplicationLoadBalancer, materializeLayerFromArn, mcpInvokeOnce, parseConnectionsPath, parseSelectionExpressionPath, pickAgentCoreCandidateStack, probeHostGatewaySupport, readMtlsMaterialsFromDisk, resolveAgentCoreTarget, resolveAlbFrontDoor, resolveEnvVars, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSingleTarget, resolveWatchConfig, runEcsServiceEmulator, signAgentCoreInvocation, startApiServer, substituteImagePlaceholders, tryResolveImageFnJoin, verifyJwtViaDiscovery, waitForAgentCorePing } from "cdk-local/internal";
+import { A2A_CONTAINER_PORT, A2A_PATH, AGENTCORE_A2A_PROTOCOL, AGENTCORE_AGUI_PROTOCOL, AGENTCORE_MCP_PROTOCOL, ConnectionRegistry, EcsTaskResolutionError, HOST_GATEWAY_MIN_VERSION, LocalInvokeBuildError, MCP_CONTAINER_PORT, MCP_PATH, a2aInvokeOnce, addAlbSpecificOptions, addCommonEcsServiceOptions, albStrategy, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildAgentCoreCodeImage, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildJwksUrlFromIssuer, buildMessageEvent, buildMgmtEndpointEnvUrl, buildStageMap, createAuthorizerCache, createFileWatcher, createJwksCache, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, downloadAndExtractS3Bundle, filterRoutesByApiIdentifier, groupRoutesByServer, handleConnectionsRequest, invokeAgentCore, invokeAgentCoreWs, materializeLayerFromArn, mcpInvokeOnce, parseConnectionsPath, parseSelectionExpressionPath, pickAgentCoreCandidateStack, probeHostGatewaySupport, readMtlsMaterialsFromDisk, resolveAgentCoreTarget, resolveEnvVars, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSingleTarget, resolveWatchConfig, runEcsServiceEmulator, signAgentCoreInvocation, startApiServer, substituteImagePlaceholders, tryResolveImageFnJoin, verifyJwtViaDiscovery, waitForAgentCorePing } from "cdk-local/internal";
 import { createServer } from "node:net";
 import { promisify } from "node:util";
 import { setTimeout as setTimeout$1 } from "node:timers/promises";
@@ -8360,7 +8360,14 @@ var LambdaEventSourceMappingProvider = class {
 		"AmazonManagedKafkaEventSourceConfig",
 		"DocumentDBEventSourceConfig",
 		"ScalingConfig",
-		"Tags"
+		"Tags",
+		"KmsKeyArn",
+		"LoggingConfig",
+		"MetricsConfig",
+		"ProvisionedPollerConfig",
+		"Queues",
+		"Topics",
+		"StartingPositionTimestamp"
 	])]]);
 	constructor() {
 		const awsClients = getAwsClients();
@@ -8398,6 +8405,16 @@ var LambdaEventSourceMappingProvider = class {
 				const cfnTags = properties["Tags"];
 				params.Tags = Object.fromEntries(cfnTags.map((t) => [t.Key, t.Value]));
 			}
+			if (properties["KmsKeyArn"] !== void 0) params.KMSKeyArn = properties["KmsKeyArn"];
+			if (properties["LoggingConfig"] !== void 0) params.LoggingConfig = properties["LoggingConfig"];
+			if (properties["MetricsConfig"] !== void 0) params.MetricsConfig = properties["MetricsConfig"];
+			if (properties["ProvisionedPollerConfig"] !== void 0) params.ProvisionedPollerConfig = properties["ProvisionedPollerConfig"];
+			if (properties["Queues"]) params.Queues = properties["Queues"];
+			if (properties["Topics"]) params.Topics = properties["Topics"];
+			if (properties["StartingPositionTimestamp"] !== void 0) {
+				const raw = properties["StartingPositionTimestamp"];
+				params.StartingPositionTimestamp = typeof raw === "number" ? /* @__PURE__ */ new Date(raw * 1e3) : raw instanceof Date ? raw : new Date(raw);
+			}
 			const uuid = (await this.lambdaClient.send(new CreateEventSourceMappingCommand(params))).UUID;
 			if (!uuid) throw new Error("CreateEventSourceMapping did not return UUID");
 			this.logger.debug(`Successfully created event source mapping ${logicalId}: ${uuid}`);
@@ -8433,6 +8450,10 @@ var LambdaEventSourceMappingProvider = class {
 		if (properties["SourceAccessConfigurations"] !== void 0) updateParams.SourceAccessConfigurations = properties["SourceAccessConfigurations"];
 		if (properties["ScalingConfig"] !== void 0) updateParams.ScalingConfig = properties["ScalingConfig"];
 		if (properties["DocumentDBEventSourceConfig"] !== void 0) updateParams.DocumentDBEventSourceConfig = properties["DocumentDBEventSourceConfig"];
+		if (properties["KmsKeyArn"] !== void 0) updateParams.KMSKeyArn = properties["KmsKeyArn"];
+		if (properties["LoggingConfig"] !== void 0) updateParams.LoggingConfig = properties["LoggingConfig"];
+		if (properties["MetricsConfig"] !== void 0) updateParams.MetricsConfig = properties["MetricsConfig"];
+		if (properties["ProvisionedPollerConfig"] !== void 0) updateParams.ProvisionedPollerConfig = properties["ProvisionedPollerConfig"];
 		const eventSourceMappingArn = (await this.lambdaClient.send(new UpdateEventSourceMappingCommand(updateParams))).EventSourceMappingArn;
 		if (eventSourceMappingArn) await this.applyTagDiff(eventSourceMappingArn, previousProperties["Tags"], properties["Tags"]);
 		this.logger.debug(`Successfully updated event source mapping ${logicalId}`);
@@ -8565,6 +8586,17 @@ var LambdaEventSourceMappingProvider = class {
 		if (resp.AmazonManagedKafkaEventSourceConfig !== void 0) result["AmazonManagedKafkaEventSourceConfig"] = resp.AmazonManagedKafkaEventSourceConfig;
 		if (resp.DocumentDBEventSourceConfig !== void 0) result["DocumentDBEventSourceConfig"] = resp.DocumentDBEventSourceConfig;
 		if (resp.ScalingConfig !== void 0) result["ScalingConfig"] = resp.ScalingConfig;
+		if (resp.KMSKeyArn !== void 0) result["KmsKeyArn"] = resp.KMSKeyArn;
+		if (resp.LoggingConfig !== void 0) result["LoggingConfig"] = resp.LoggingConfig;
+		if (resp.MetricsConfig !== void 0) result["MetricsConfig"] = resp.MetricsConfig;
+		if (resp.ProvisionedPollerConfig !== void 0) result["ProvisionedPollerConfig"] = resp.ProvisionedPollerConfig;
+		if (resp.Queues !== void 0) result["Queues"] = [...resp.Queues];
+		if (resp.Topics !== void 0) result["Topics"] = [...resp.Topics];
+		if (resp.StartingPositionTimestamp !== void 0) {
+			const raw = resp.StartingPositionTimestamp;
+			const date = raw instanceof Date ? raw : new Date(raw);
+			result["StartingPositionTimestamp"] = Math.floor(date.getTime() / 1e3);
+		}
 		if (resp.State !== void 0) result["Enabled"] = resp.State === "Enabled" || resp.State === "Enabling" || resp.State === "Updating";
 		let tags = [];
 		if (resp.EventSourceMappingArn) try {
@@ -19791,7 +19823,15 @@ var RDSProvider = class {
 			"DBClusterIdentifier",
 			"DBSubnetGroupName",
 			"PubliclyAccessible",
-			"Tags"
+			"Tags",
+			"AllocatedStorage",
+			"DeletionProtection",
+			"EngineVersion",
+			"MasterUsername",
+			"MasterUserPassword",
+			"Port",
+			"StorageEncrypted",
+			"VPCSecurityGroups"
 		])]
 	]);
 	unhandledByDesign = new Map([["AWS::RDS::DBCluster", new Map([["DeleteAutomatedBackups", "cdkd hardcodes SkipFinalSnapshot=true on destroy; this CFn lifecycle flag has no equivalent on the runtime path"]])], ["AWS::RDS::DBInstance", new Map([
@@ -20045,6 +20085,14 @@ var RDSProvider = class {
 				DBClusterIdentifier: properties["DBClusterIdentifier"],
 				DBSubnetGroupName: properties["DBSubnetGroupName"],
 				PubliclyAccessible: properties["PubliclyAccessible"],
+				...properties["AllocatedStorage"] !== void 0 && { AllocatedStorage: Number(properties["AllocatedStorage"]) },
+				...properties["MasterUsername"] !== void 0 && { MasterUsername: properties["MasterUsername"] },
+				...properties["DeletionProtection"] !== void 0 && { DeletionProtection: properties["DeletionProtection"] },
+				...properties["EngineVersion"] !== void 0 && { EngineVersion: properties["EngineVersion"] },
+				...properties["Port"] !== void 0 && { Port: Number(properties["Port"]) },
+				...properties["MasterUserPassword"] !== void 0 && { MasterUserPassword: properties["MasterUserPassword"] },
+				...properties["StorageEncrypted"] !== void 0 && { StorageEncrypted: properties["StorageEncrypted"] },
+				...properties["VPCSecurityGroups"] !== void 0 && { VpcSecurityGroupIds: properties["VPCSecurityGroups"] },
 				...tags.length > 0 && { Tags: tags }
 			}))).DBInstance) throw new Error("CreateDBInstance did not return DBInstance");
 			this.logger.debug(`Successfully created DBInstance ${logicalId}: ${dbInstanceIdentifier}`);
@@ -20067,11 +20115,23 @@ var RDSProvider = class {
 	async updateDBInstance(logicalId, physicalId, resourceType, properties, previousProperties) {
 		this.logger.debug(`Updating DBInstance ${logicalId}: ${physicalId}`);
 		try {
+			const newEngineVersion = properties["EngineVersion"];
+			const prevEngineVersion = previousProperties["EngineVersion"];
+			const allowMajorVersionUpgrade = newEngineVersion !== void 0 && newEngineVersion !== prevEngineVersion && prevEngineVersion !== void 0 && newEngineVersion.split(".")[0] !== prevEngineVersion.split(".")[0];
 			await this.getClient().send(new ModifyDBInstanceCommand({
 				DBInstanceIdentifier: physicalId,
 				DBInstanceClass: properties["DBInstanceClass"],
 				PubliclyAccessible: properties["PubliclyAccessible"],
-				ApplyImmediately: true
+				ApplyImmediately: true,
+				...properties["AllocatedStorage"] !== void 0 && { AllocatedStorage: Number(properties["AllocatedStorage"]) },
+				...properties["DeletionProtection"] !== void 0 && { DeletionProtection: properties["DeletionProtection"] },
+				...newEngineVersion !== void 0 && {
+					EngineVersion: newEngineVersion,
+					...allowMajorVersionUpgrade && { AllowMajorVersionUpgrade: true }
+				},
+				...properties["Port"] !== void 0 && { DBPortNumber: Number(properties["Port"]) },
+				...properties["MasterUserPassword"] !== void 0 && { MasterUserPassword: properties["MasterUserPassword"] },
+				...properties["VPCSecurityGroups"] !== void 0 && { VpcSecurityGroupIds: properties["VPCSecurityGroups"] }
 			}));
 			this.logger.debug(`Successfully updated DBInstance ${logicalId}`);
 			const described = await this.describeDBInstance(physicalId);
@@ -20304,6 +20364,14 @@ var RDSProvider = class {
 		if (inst.DBClusterIdentifier !== void 0) result["DBClusterIdentifier"] = inst.DBClusterIdentifier;
 		if (inst.DBSubnetGroup?.DBSubnetGroupName !== void 0) result["DBSubnetGroupName"] = inst.DBSubnetGroup.DBSubnetGroupName;
 		if (inst.PubliclyAccessible !== void 0) result["PubliclyAccessible"] = inst.PubliclyAccessible;
+		if (inst.AllocatedStorage !== void 0) result["AllocatedStorage"] = inst.AllocatedStorage;
+		if (inst.MasterUsername !== void 0) result["MasterUsername"] = inst.MasterUsername;
+		if (inst.DeletionProtection !== void 0) result["DeletionProtection"] = inst.DeletionProtection;
+		if (inst.EngineVersion !== void 0) result["EngineVersion"] = inst.EngineVersion;
+		if (inst.Endpoint?.Port !== void 0) result["Port"] = inst.Endpoint.Port;
+		if (inst.StorageEncrypted !== void 0) result["StorageEncrypted"] = inst.StorageEncrypted;
+		const sgIds = (inst.VpcSecurityGroups ?? []).map((sg) => sg.VpcSecurityGroupId).filter((id) => !!id);
+		if (sgIds.length > 0) result["VPCSecurityGroups"] = sgIds;
 		if (inst.DBInstanceArn) await this.attachTags(result, inst.DBInstanceArn);
 		return result;
 	}
@@ -43276,7 +43344,7 @@ function parseTarget(target) {
 function resolveLambdaTarget(target, stacks) {
 	if (stacks.length === 0) throw new LocalInvokeResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseTarget(target);
-	const stack = pickStack$2(parsed, stacks);
+	const stack = pickStack$1(parsed, stacks);
 	const template = stack.template;
 	const resources = template.Resources ?? {};
 	let match;
@@ -43310,7 +43378,7 @@ function resolveLambdaTarget(target, stacks) {
 * user may omit the stack prefix. Otherwise an explicit stack pattern is
 * required.
 */
-function pickStack$2(parsed, stacks) {
+function pickStack$1(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new LocalInvokeResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -43933,7 +44001,7 @@ function parseEcsTarget(target) {
 function resolveEcsTaskTarget(target, stacks, context) {
 	if (stacks.length === 0) throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseEcsTarget(target);
-	const stack = pickStack$1(parsed, stacks);
+	const stack = pickStack(parsed, stacks);
 	const resources = stack.template.Resources ?? {};
 	let logicalId;
 	let resource;
@@ -43954,7 +44022,7 @@ function resolveEcsTaskTarget(target, stacks, context) {
 	if (resource.Type !== "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`);
 	return extractTaskDefinitionProperties(stack, logicalId, resource, context);
 }
-function pickStack$1(parsed, stacks) {
+function pickStack(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new EcsTaskResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -46548,7 +46616,7 @@ async function localStartApiCommand(target, options) {
 			jwksWarnedUrls,
 			sigV4CredentialsLoader,
 			sigV4WarnedForeignIds,
-			sigV4Strict: options.allowUnverifiedSigv4 !== true,
+			sigV4Strict: options.strictSigv4 === true,
 			...defaultRegion && { defaultRegion }
 		});
 		servers.push({
@@ -46594,7 +46662,7 @@ async function localStartApiCommand(target, options) {
 			jwksCache,
 			jwksWarnedUrls,
 			sigV4WarnedForeignIds,
-			sigV4Strict: options.allowUnverifiedSigv4 !== true,
+			sigV4Strict: options.strictSigv4 === true,
 			preDispatch: async (req, res) => {
 				if (!registryRef) return false;
 				return handleManagementRequest(req, res, registryRef.registry);
@@ -47755,7 +47823,7 @@ function resolveMtlsConfig(options) {
 * Builder for the `start-api` subcommand. Wired up by `local.ts`.
 */
 function createLocalStartApiCommand() {
-	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and AWS_IAM auth (REST v1 `AuthorizationType: AWS_IAM` and Function URL `AuthType: AWS_IAM` — SigV4 signature verification only; IAM policy evaluation is NOT emulated; see https://github.com/go-to-k/cdkd/blob/main/docs/local-emulation.md). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", "Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors `cdkd local invoke` / `cdkd local run-task` target syntax.").addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: watch the CDK app source tree and re-synth + re-discover routes on a source edit (cdk.out / node_modules / .git excluded; honors cdk.json watch.include / watch.exclude). Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers (issue #448). Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--from-state", "Read cdkd S3 state for every routed stack and substitute Ref / Fn::GetAtt / Fn::Sub / Fn::Join (and AWS pseudo parameters) in Lambda env vars with the deployed physical IDs / attributes. Off by default — pre-PR warn-and-drop semantics are preserved. Turn on for stacks already deployed via cdkd deploy. Mirrors `cdkd local invoke --from-state` / `cdkd local run-task --from-state`. Re-runs against fresh state on every hot-reload firing (--watch).").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in Lambda env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkd stack name per routed stack; pass an explicit value when a single CFn stack should serve every routed stack. Mutually exclusive with --from-state. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-state when the same stack name has state in multiple regions, and with --from-cfn-stack as the CFn client region (cdkd does not have a separate --cfn-stack-region flag).")).addOption(new Option("--mtls-truststore <path>", "PEM-encoded CA bundle for client-certificate verification (mutual TLS). When set, the local server switches from HTTP to HTTPS and the TLS handshake rejects clients whose certificate doesn't chain to one of these CAs. Verified certs are surfaced on the Lambda event under requestContext.identity.clientCert (REST v1) / requestContext.authentication.clientCert (HTTP API v2). Must be set together with --mtls-cert + --mtls-key; partial flag sets are rejected. Generate a CA + server + client cert for local dev: openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem -subj \"/CN=cdkd-local-ca\" -days 365; openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem -subj \"/CN=localhost\"; openssl x509 -req -in server-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365; openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem -subj \"/CN=client\"; openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 365; curl --cacert ca.pem --cert client-cert.pem --key client-key.pem https://localhost:<port>/...")).addOption(new Option("--mtls-cert <path>", "PEM-encoded server certificate for mutual TLS. Self-signed is fine for local dev. Must be set together with --mtls-truststore + --mtls-key.")).addOption(new Option("--mtls-key <path>", "PEM-encoded server private key matching --mtls-cert. Must be set together with --mtls-truststore + --mtls-cert.")).addOption(new Option("--allow-unverified-sigv4", "Opt-in: allow AWS_IAM SigV4 requests that cannot be cryptographically verified (foreign access-key-id, OR no local AWS credentials configured) to pass through with a placeholder principalId. DEFAULT off — fail-closed so unauthenticated bypass is impossible against `event.requestContext.identity.accessKey`-trusting handler code. Use only in dev loops where you understand the risk.").default(false)).action(withErrorHandling(localStartApiCommand));
+	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and AWS_IAM auth (REST v1 `AuthorizationType: AWS_IAM` and Function URL `AuthType: AWS_IAM` — SigV4 signature verification only; IAM policy evaluation is NOT emulated; see https://github.com/go-to-k/cdkd/blob/main/docs/local-emulation.md). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", "Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors `cdkd local invoke` / `cdkd local run-task` target syntax.").addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: watch the CDK app source tree and re-synth + re-discover routes on a source edit (cdk.out / node_modules / .git excluded; honors cdk.json watch.include / watch.exclude). Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers (issue #448). Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--from-state", "Read cdkd S3 state for every routed stack and substitute Ref / Fn::GetAtt / Fn::Sub / Fn::Join (and AWS pseudo parameters) in Lambda env vars with the deployed physical IDs / attributes. Off by default — pre-PR warn-and-drop semantics are preserved. Turn on for stacks already deployed via cdkd deploy. Mirrors `cdkd local invoke --from-state` / `cdkd local run-task --from-state`. Re-runs against fresh state on every hot-reload firing (--watch).").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in Lambda env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkd stack name per routed stack; pass an explicit value when a single CFn stack should serve every routed stack. Mutually exclusive with --from-state. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-state when the same stack name has state in multiple regions, and with --from-cfn-stack as the CFn client region (cdkd does not have a separate --cfn-stack-region flag).")).addOption(new Option("--mtls-truststore <path>", "PEM-encoded CA bundle for client-certificate verification (mutual TLS). When set, the local server switches from HTTP to HTTPS and the TLS handshake rejects clients whose certificate doesn't chain to one of these CAs. Verified certs are surfaced on the Lambda event under requestContext.identity.clientCert (REST v1) / requestContext.authentication.clientCert (HTTP API v2). Must be set together with --mtls-cert + --mtls-key; partial flag sets are rejected. Generate a CA + server + client cert for local dev: openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem -subj \"/CN=cdkd-local-ca\" -days 365; openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem -subj \"/CN=localhost\"; openssl x509 -req -in server-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365; openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem -subj \"/CN=client\"; openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 365; curl --cacert ca.pem --cert client-cert.pem --key client-key.pem https://localhost:<port>/...")).addOption(new Option("--mtls-cert <path>", "PEM-encoded server certificate for mutual TLS. Self-signed is fine for local dev. Must be set together with --mtls-truststore + --mtls-key.")).addOption(new Option("--mtls-key <path>", "PEM-encoded server private key matching --mtls-cert. Must be set together with --mtls-truststore + --mtls-cert.")).addOption(new Option("--strict-sigv4", "Opt-in: enforce strict AWS_IAM SigV4 verification. When set, requests whose signature cannot be cryptographically verified (foreign access-key-id, OR no local AWS credentials configured) are denied. DEFAULT off — warn-and-pass with a placeholder principalId, matching cdk-local's `cdkl start-api`. Enable this when you want local parity with the deployed API Gateway's signature enforcement.").default(false)).action(withErrorHandling(localStartApiCommand));
 	[
 		...commonOptions,
 		...appOptions,
@@ -49728,174 +49796,6 @@ function createLocalInvokeAgentCoreCommand() {
 //#endregion
 //#region src/cli/commands/local-start-alb.ts
 /**
-* Issue #86 v1 — parse `--lb-port <listenerPort>=<hostPort>` overrides into a
-* `listenerPort -> hostPort` map. The local ALB front-door binds the listener
-* port on the host by default, but a privileged listener port (e.g. 80 / 443)
-* fails to bind as non-root on macOS, so the user opts in to a non-privileged
-* host port (e.g. `--lb-port 80=8080`). Repeatable; each value is
-* `<listenerPort>=<hostPort>` with both in 1-65535.
-*/
-function parseLbPortOverrides(values) {
-	const out = {};
-	for (const raw of values ?? []) {
-		const m = /^(\d+)=(\d+)$/.exec(raw.trim());
-		if (!m) throw new LocalStartServiceError(`Invalid --lb-port '${raw}'. Expected <listenerPort>=<hostPort> (e.g. 80=8080).`);
-		const listenerPort = Number(m[1]);
-		const hostPort = Number(m[2]);
-		for (const [label, p] of [["listener", listenerPort], ["host", hostPort]]) if (p < 1 || p > 65535) throw new LocalStartServiceError(`Invalid --lb-port '${raw}': ${label} port must be 1-65535.`);
-		out[listenerPort] = hostPort;
-	}
-	return out;
-}
-/**
-* Resolve an ALB target string (`Stack/Path` display path or `Stack:LogicalId`)
-* to its stack + `AWS::ElasticLoadBalancingV2::LoadBalancer` logical id. Mirrors
-* the ECS service resolver's target grammar.
-*/
-function resolveAlbTarget(target, stacks) {
-	if (stacks.length === 0) throw new LocalStartServiceError("No stacks found in the synthesized assembly.");
-	const parsed = parseEcsTarget(target);
-	const stack = pickStack(parsed.stackPattern, stacks, target);
-	const resources = stack.template.Resources ?? {};
-	if (parsed.isPath) {
-		const index = buildCdkPathIndex(stack.template);
-		const albs = resolveCdkPathToLogicalIds(parsed.pathOrId, index).filter(({ logicalId }) => {
-			const r = resources[logicalId];
-			return r !== void 0 && isApplicationLoadBalancer(r);
-		});
-		if (albs.length === 0) throw notFound(target, stack, resources);
-		if (albs.length > 1) throw new LocalStartServiceError(`Target '${target}' matches ${albs.length} load balancers in ${stack.stackName}: ${albs.map((a) => a.logicalId).join(", ")}. Refine the path or use the stack:LogicalId form.`);
-		return {
-			stack,
-			albLogicalId: albs[0].logicalId
-		};
-	}
-	const res = resources[parsed.pathOrId];
-	if (!res || !isApplicationLoadBalancer(res)) throw notFound(target, stack, resources);
-	return {
-		stack,
-		albLogicalId: parsed.pathOrId
-	};
-}
-function pickStack(stackPattern, stacks, target) {
-	if (stackPattern === null) {
-		if (stacks.length === 1) return stacks[0];
-		throw new LocalStartServiceError(`Target '${target}' has no stack prefix, and the assembly contains ${stacks.length} stacks: ${stacks.map((s) => s.stackName).join(", ")}. Pass it as 'Stack/Path' or 'Stack:LogicalId'.`);
-	}
-	const matched = matchStacks(stacks, [stackPattern]);
-	if (matched.length === 0) throw new LocalStartServiceError(`No stack matches '${stackPattern}'. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
-	if (matched.length > 1) throw new LocalStartServiceError(`Multiple stacks match '${stackPattern}': ${matched.map((s) => s.stackName).join(", ")}. Refine the pattern.`);
-	return matched[0];
-}
-function notFound(target, stack, resources) {
-	const albs = Object.entries(resources).filter(([, r]) => r.Type === "AWS::ElasticLoadBalancingV2::LoadBalancer").map(([logicalId]) => logicalId);
-	const available = albs.length > 0 ? ` Available load balancers in ${stack.stackName}: ${albs.join(", ")}.` : ` ${stack.stackName} declares no AWS::ElasticLoadBalancingV2::LoadBalancer resources.`;
-	return new LocalStartServiceError(`Target '${target}' did not match an application Load Balancer in ${stack.stackName}.${available}`);
-}
-/**
-* `cdkl start-alb` strategy — name the ALB, boot the ECS service(s) behind it,
-* and expose each listener via a local front-door. Mirrors how `start-api`
-* names the API and serves its backing Lambdas.
-*/
-function albStrategy(options) {
-	const lbPortOverrides = parseLbPortOverrides(options.lbPort);
-	return {
-		pickEntries: (stacks) => listTargets(stacks).loadBalancers,
-		pickerMessage: "Select one or more Application Load Balancers to run",
-		pickerNoun: "Application Load Balancers",
-		onMissing: () => new LocalStartServiceError(`${getEmbedConfig().cliName} start-alb requires at least one <target>. Pass one or more ALB paths like 'Stack/MyAlb', or run it in a TTY to pick interactively.`),
-		resolveBoots: (stacks, chosenTargets) => {
-			const warnings = [];
-			const serviceTargets = /* @__PURE__ */ new Set();
-			const listeners = [];
-			const claimedHostPorts = /* @__PURE__ */ new Map();
-			for (const albTarget of chosenTargets) {
-				const { stack, albLogicalId } = resolveAlbTarget(albTarget, stacks);
-				const resolution = resolveAlbFrontDoor(stack, albLogicalId);
-				warnings.push(...resolution.warnings);
-				const qualifyTarget = (t) => {
-					if (t.kind === "lambda") return {
-						kind: "lambda",
-						lambda: resolveLambdaTarget(`${stack.stackName}:${t.lambdaLogicalId}`, stacks),
-						targetGroupArn: `${stack.stackName}:${t.targetGroupLogicalId}`,
-						multiValueHeaders: t.multiValueHeaders,
-						weight: t.weight
-					};
-					const serviceTarget = `${stack.stackName}:${t.serviceLogicalId}`;
-					serviceTargets.add(serviceTarget);
-					return {
-						kind: "ecs",
-						serviceTarget,
-						targetContainerName: t.targetContainerName,
-						targetContainerPort: t.targetContainerPort,
-						weight: t.weight
-					};
-				};
-				const qualify = (action) => {
-					if (action.kind === "forward") return {
-						kind: "forward",
-						targets: action.targets.map(qualifyTarget)
-					};
-					if (action.kind === "redirect") return {
-						kind: "redirect",
-						statusCode: action.statusCode,
-						...action.protocol !== void 0 && { protocol: action.protocol },
-						...action.host !== void 0 && { host: action.host },
-						...action.port !== void 0 && { port: action.port },
-						...action.path !== void 0 && { path: action.path },
-						...action.query !== void 0 && { query: action.query }
-					};
-					return {
-						kind: "fixed-response",
-						statusCode: action.statusCode,
-						...action.contentType !== void 0 && { contentType: action.contentType },
-						...action.messageBody !== void 0 && { messageBody: action.messageBody }
-					};
-				};
-				for (const listener of resolution.listeners) {
-					const hostPort = lbPortOverrides[listener.listenerPort] ?? listener.listenerPort;
-					const claimedBy = claimedHostPorts.get(hostPort);
-					if (claimedBy !== void 0) {
-						warnings.push(`Listener port ${listener.listenerPort} would bind host port ${hostPort}, already claimed by listener port ${claimedBy}; the local front-door fronts only the first. Use --lb-port to remap one of them.`);
-						continue;
-					}
-					claimedHostPorts.set(hostPort, listener.listenerPort);
-					listeners.push({
-						listenerPort: listener.listenerPort,
-						hostPort,
-						protocol: listener.listenerProtocol,
-						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
-						...listener.defaultAuthGuard ? { defaultAuthGuard: listener.defaultAuthGuard } : {},
-						rules: listener.rules.map((r) => ({
-							priority: r.priority,
-							pathPatterns: r.pathPatterns,
-							hostPatterns: r.hostPatterns,
-							httpHeaderConditions: r.httpHeaderConditions,
-							httpRequestMethods: r.httpRequestMethods,
-							queryStringConditions: r.queryStringConditions,
-							sourceIpCidrs: r.sourceIpCidrs,
-							action: qualify(r.action),
-							...r.authGuard ? { authGuard: r.authGuard } : {}
-						}))
-					});
-				}
-			}
-			const boots = [...serviceTargets].map((target) => ({ target }));
-			const resolvedPorts = new Set(listeners.map((l) => l.listenerPort));
-			for (const portStr of Object.keys(lbPortOverrides)) {
-				const port = Number(portStr);
-				if (!resolvedPorts.has(port)) warnings.push(`--lb-port override for listener port ${port} matched no ALB listener resolved for the named target(s); it was ignored.`);
-			}
-			return {
-				boots,
-				...listeners.length > 0 ? { frontDoor: { listeners } } : {},
-				warnings
-			};
-		},
-		lbPortOverrides
-	};
-}
-/**
 * `cdkl start-alb <Stack/Alb>` — Issue #86 v1. Names an
 * `AWS::ElasticLoadBalancingV2::LoadBalancer`, discovers the ECS service(s)
 * behind its HTTP `forward` listeners, boots their replicas, and stands up a
@@ -49903,9 +49803,11 @@ function albStrategy(options) {
 * The symmetric ALB counterpart of `start-api`.
 */
 function createLocalStartAlbCommand() {
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions enforce a local Bearer-JWT check (or AWSELBAuthSessionCookie pass-through) against the same JWKS / OIDC discovery URL the deployed ALB would; use --bearer-token <jwt> to inject a default token or --no-verify-auth to disable the guard. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).addOption(new Option("--no-verify-auth", "Disable local enforcement of authenticate-cognito / authenticate-oidc actions. Every request is served as if the auth check passed. Useful for local dev where you do not want to mint a Bearer token at all.")).addOption(new Option("--bearer-token <jwt>", "Default Bearer JWT injected as Authorization: Bearer <jwt> when the inbound request has none. Verified against the same JWKS / OIDC discovery URL the deployed ALB would (signature + iss + aud + exp). Local-dev convenience; cookie pass-through (AWSELBAuthSessionCookie-*) also works.")).addOption(new Option("--from-state", "Read cdkd's S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub / Fn::ImportValue / Fn::GetStackOutput intrinsics in container images, environment variables, secrets, role ARNs, and volumes of the ECS services behind the ALB. Mutually exclusive with --from-cfn-stack.").default(false)).addOption(new Option("--state-bucket <bucket>", "S3 bucket for --from-state. Falls back to CDKD_STATE_BUCKET env or cdk.json context.cdkd.stateBucket.")).addOption(new Option("--state-prefix <prefix>", "S3 key prefix for --from-state state files.").default("cdkd")).action(withErrorHandling(async (targets, options) => {
+	const cmd = new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners — by default a cloud-HTTPS listener is served over plain HTTP locally (with X-Forwarded-Proto: https preserved). Pass --tls (or --tls-cert / --tls-key) to terminate TLS locally with a self-signed or user-supplied cert. All six ALB rule-condition fields are honored (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions enforce a local Bearer-JWT check (or AWSELBAuthSessionCookie pass-through) against the same JWKS / OIDC discovery URL the deployed ALB would; use --bearer-token <jwt> to inject a default token or --no-verify-auth to disable the guard. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--from-state", "Read cdkd's S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub / Fn::ImportValue / Fn::GetStackOutput intrinsics in container images, environment variables, secrets, role ARNs, and volumes of the ECS services behind the ALB. Mutually exclusive with --from-cfn-stack.").default(false)).addOption(new Option("--state-bucket <bucket>", "S3 bucket for --from-state. Falls back to CDKD_STATE_BUCKET env or cdk.json context.cdkd.stateBucket.")).addOption(new Option("--state-prefix <prefix>", "S3 key prefix for --from-state state files.").default("cdkd")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), cdkdExtraStateProviders);
-	})));
+	}));
+	addAlbSpecificOptions(cmd);
+	return addCommonEcsServiceOptions(cmd);
 }
 
 //#endregion
@@ -49926,8 +49828,8 @@ const CDKD_EMBED_CONFIG = {
 	resourceNamePrefix: "cdkd-local",
 	awsBindMountPath: "/cdkd-aws",
 	envPrefix: "CDKD",
-	sigV4StrictByDefault: true,
-	sigV4OptFlag: "--allow-unverified-sigv4"
+	sigV4StrictByDefault: false,
+	sigV4OptFlag: "--strict-sigv4"
 };
 /**
 * `cdkd local invoke <target>` — run a Lambda function locally inside a
@@ -51824,7 +51726,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.198.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.200.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());