@go-to-k/cdkd 0.207.6 → 0.209.0

package/README.md

@@ -59,7 +59,7 @@ Reproduce the first two with `./tests/benchmark/run-benchmark.sh all`. See [test
 - **Rollback on failure**: When a deploy errors mid-stack, cdkd rolls back the resources it just created so the stack state stays consistent (CloudFormation parity — but cdkd does this without round-tripping through CFn). Pass `cdkd deploy --no-rollback` to skip rollback and keep the partial state for Terraform-style inspection / repair. See [Rollback behavior](#rollback-behavior).
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
 - **VPC route DependsOn relaxation (on by default)**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks). Pass `--no-aggressive-vpc-parallel` to opt out.
-- **Local execution** (`cdkd local invoke` / `start-api` / `run-task` / `start-service` / `invoke-agentcore`): run Lambdas, API Gateway routes, ECS tasks, long-running ECS services, and Bedrock AgentCore Runtimes from your CDK code via Docker. All AWS Lambda runtimes, container Lambdas, REST v1 / HTTP v2 / Function URL routes, Service Connect / Cloud Map, AgentCore HTTP / MCP / A2A / AGUI / WebSocket protocols. Works for both `cdkd deploy`-managed (`--from-state`) AND `cdk deploy`-managed (`--from-cfn-stack`) stacks. See [Local execution](#local-execution).
+- **Local execution** (`cdkd local invoke` / `start-api` / `run-task` / `start-service` / `start-alb` / `start-cloudfront` / `invoke-agentcore` / `start-agentcore`): run Lambdas, API Gateway routes, ECS tasks, long-running ECS services, CloudFront distributions, and Bedrock AgentCore Runtimes from your CDK code. All AWS Lambda runtimes, container Lambdas, REST v1 / HTTP v2 / Function URL routes, Service Connect / Cloud Map, AgentCore HTTP / MCP / A2A / AGUI / WebSocket protocols (one-shot `invoke-agentcore` and long-running `/ws` serve via `start-agentcore`). The Docker-backed commands work for both `cdkd deploy`-managed (`--from-state`) AND `cdk deploy`-managed (`--from-cfn-stack`) stacks; `start-cloudfront` serves the viewer-request -> S3 / Lambda Function URL origin -> viewer-response pipeline (CloudFront-Functions + S3-only distributions run in-process with no Docker). See [Local execution](#local-execution).
 - **Bidirectional CloudFormation migration**: `cdkd import --migrate-from-cloudformation` adopts existing CFn stacks (including `cdk deploy`-managed) into cdkd state without re-creating resources; `cdkd export` hands a cdkd stack back to CloudFormation when production-ready. See [Importing](#importing-existing-resources) / [Exporting](#exporting-a-stack-back-to-cloudformation).
 
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. Deployment fails with a clear error message naming the type + a 1-click issue link.
@@ -242,13 +242,19 @@ maintain, no `cdk synth | sam ...` round-trip.
 | `cdkd local run-task <target>` | ECS RunTask — every container in a task definition started on a per-task docker network |
 | `cdkd local start-service <target>` | Long-running ECS Service emulator — `DesiredCount` replicas with restart-on-exit (no local load balancer in v1) |
 | `cdkd local invoke-agentcore <target>` | One-shot Bedrock AgentCore Runtime invoke (HTTP `/invocations` / MCP `/mcp` / A2A `/a2a` / AGUI / WebSocket `--ws`) |
+| `cdkd local start-agentcore [target]` | Long-running serve of a Bedrock AgentCore Runtime's bidirectional `/ws` WebSocket (HTTP / AGUI), fronted by a host bridge that injects the session-id / Authorization a header-less browser client cannot set |
 | `cdkd local start-alb <targets...>` | Long-running local ALB front-door (HTTP + HTTPS listeners, path / host / header / weighted / redirect / fixed-response routing, authenticate-cognito / authenticate-oidc) for ECS / Lambda backing services |
-
-Requires Docker. Pass `--from-state` (cdkd-deployed) or
-`--from-cfn-stack` (cdk-deployed / CFn-managed) to substitute deployed
-physical IDs into intrinsic-valued env vars / secrets / image URIs;
-without either, intrinsic values are dropped with a per-key warning
-(matches `sam local *`). The two flags are mutually exclusive.
+| `cdkd local start-cloudfront [target]` | Long-running local CloudFront distribution — viewer-request -> S3 / Lambda Function URL origin -> viewer-response pipeline, CloudFront Functions run in-process (Function URL origins use Docker/RIE) |
+
+The Docker-backed commands above require Docker. Pass `--from-state`
+(cdkd-deployed) or `--from-cfn-stack` (cdk-deployed / CFn-managed) to
+substitute deployed physical IDs into intrinsic-valued env vars /
+secrets / image URIs; without either, intrinsic values are dropped with
+a per-key warning (matches `sam local *`). The two flags are mutually
+exclusive. `start-cloudfront` is the partial exception: a
+CloudFront-Functions + S3-origin distribution serves entirely in-process
+(no Docker), and it carries cdk-local's `--from-cfn-stack` but not cdkd's
+`--from-state` (its factory lacks the state-provider seam — issue #766).
 
 ### `local invoke`
 
@@ -328,6 +334,28 @@ interpreted-handler source edits go through the bind-mount fast path
 (no rebuild); Dockerfile / dependency / compiled-source edits fall
 through to a rebuild + atomic front-door pool swap.
 
+### `local start-cloudfront`
+
+```bash
+cdkd local start-cloudfront                          # interactive picker
+cdkd local start-cloudfront MyStack/MyDistribution   # name the distribution
+cdkd local start-cloudfront MyStack/MyDistribution --watch   # re-synth + swap on edit
+cdkd local start-cloudfront MyStack/MyDistribution --tls      # real HTTPS termination
+```
+
+Serves a CloudFront distribution's **viewer-request -> S3 origin ->
+viewer-response** pipeline locally so a routing-function change is
+verifiable in seconds instead of a deploy round-trip. The distribution's
+`AWS::CloudFront::Function`s (URL rewrites, trailing-slash normalization,
+SPA fallback, header tweaks) run in-process in a `node:vm` sandbox; the
+S3 origin content is the `BucketDeployment` source asset resolved out of
+the cloud assembly, served with `DefaultRootObject` and
+`CustomErrorResponses`. Path patterns route across the default + ordered
+cache behaviors. Pure-local: no Docker, no AWS call — `--watch` is just
+re-synth + an in-memory routing-model swap. S3 origins only (custom /
+Lambda@Edge origins are warn-and-skip); `--origin <id>=<dir>` points an
+origin at a local directory when `BucketDeployment` resolution can't.
+
 See **[docs/local-emulation.md](docs/local-emulation.md)** for the
 full reference — runtimes, target resolution, every flag, integration
 and authorizer detail, route precedence, container pool, networking,

package/dist/cli.js

@@ -61,7 +61,7 @@ import { CreateVectorBucketCommand, DeleteIndexCommand, DeleteVectorBucketComman
 import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient, TagResourceCommand as TagResourceCommand$16, UntagResourceCommand as UntagResourceCommand$15 } from "@aws-sdk/client-s3tables";
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
-import { createLocalStateProvider, getEmbedConfig, isCfnFlagPresent, listTargets, rejectExplicitCfnStackWithMultipleStacks, resolveCfnFallbackRegion, setEmbedConfig, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync } from "cdk-local";
+import { createLocalStartAgentCoreCommand, createLocalStartCloudFrontCommand, createLocalStateProvider, getEmbedConfig, isCfnFlagPresent, listTargets, rejectExplicitCfnStackWithMultipleStacks, resolveCfnFallbackRegion, setEmbedConfig, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync } from "cdk-local";
 import { A2A_CONTAINER_PORT, A2A_PATH, AGENTCORE_A2A_PROTOCOL, AGENTCORE_AGUI_PROTOCOL, AGENTCORE_MCP_PROTOCOL, ConnectionRegistry, EcsTaskResolutionError, HOST_GATEWAY_MIN_VERSION, LocalInvokeBuildError, MCP_CONTAINER_PORT, MCP_PATH, a2aInvokeOnce, addAlbSpecificOptions, addCommonEcsServiceOptions, addStartServiceSpecificOptions, albStrategy, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildAgentCoreCodeImage, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildJwksUrlFromIssuer, buildMessageEvent, buildMgmtEndpointEnvUrl, buildStageMap, classifySourceChange, createAuthorizerCache, createFileWatcher, createFileWatcher as createFileWatcher$1, createJwksCache, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, downloadAndExtractS3Bundle, filterRoutesByApiIdentifier, groupRoutesByServer, handleConnectionsRequest, invokeAgentCore, invokeAgentCoreWs, materializeLayerFromArn, mcpInvokeOnce, parseConnectionsPath, parseSelectionExpressionPath, pickAgentCoreCandidateStack, pickAgentCoreCandidateStack as pickAgentCoreCandidateStack$1, probeHostGatewaySupport, readMtlsMaterialsFromDisk, resolveAgentCoreTarget, resolveEnvVars, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSingleTarget, resolveWatchConfig, runEcsServiceEmulator, signAgentCoreInvocation, startApiServer, substituteImagePlaceholders, tryResolveImageFnJoin, verifyJwtViaDiscovery, waitForAgentCorePing } from "cdk-local/internal";
 import { createServer } from "node:net";
 import { promisify } from "node:util";
@@ -50787,6 +50787,54 @@ function createLocalInvokeAgentCoreCommand() {
 	return cmd;
 }
 
+//#endregion
+//#region src/cli/commands/local-start-agentcore.ts
+/**
+* `cdkd local start-agentcore <target>` — long-running serve for a Bedrock
+* AgentCore Runtime's bidirectional `/ws` WebSocket endpoint. Boots the
+* `AWS::BedrockAgentCore::Runtime` container (same image / env / credential
+* resolution as `invoke-agentcore`) and fronts its `/ws` endpoint with a host
+* WebSocket bridge that injects the AgentCore session-id (and `Authorization`
+* under a `customJwtAuthorizer`) on the container upgrade, so a header-less
+* client (e.g. a browser) can hold an interactive multi-frame session. HTTP /
+* AGUI protocols only. The serve counterpart of the single-shot
+* `cdkd local invoke-agentcore`. Inherited from cdk-local
+* (go-to-k/cdk-local#420).
+*
+* Like `start-cloudfront`, this is a THIN pass-through to cdk-local's factory —
+* the serve behavior and the `start-agentcore`-only option block (`--port` /
+* `--host` / `--session-id` / `--bearer-token` / `--no-verify-auth` /
+* `--env-vars` / `--platform` / `--no-pull` / `--no-build` / `--container-host`
+* / `--timeout` / `--assume-role` / `--ecr-role-arn` / `--from-cfn-stack` /
+* `--stack-region`) live in cdk-local's `addStartAgentCoreSpecificOptions` and
+* are auto-inherited.
+*
+* UNLIKE `start-cloudfront`, this command DOES bind deployed state: cdk-local's
+* factory accepts an `extraStateProviders` option (the same seam the
+* heavy-wrapper `cdkd local *` commands use), so cdkd threads its S3-backed
+* `--from-state` factory in via `cdkdExtraStateProviders` and layers the
+* cdkd-specific `--from-state` / `--state-bucket` / `--state-prefix` flags on
+* top of cdk-local's inherited `--from-cfn-stack` / `--stack-region` (issue
+* #766). The factory's internal `createLocalStateProvider` call picks cdkd's
+* `fromState` factory transparently when `--from-state` is passed.
+*
+* The active cdkd embed config is re-handed to the factory so branding stays
+* cdkd: cdk-local's factory calls `setEmbedConfig(opts.embedConfig)`, and
+* passing the current config (set once by `createLocalCommand` before the
+* subcommands are built) keeps it as a no-op re-set rather than a reset back to
+* cdk-local's `cdkl` defaults.
+*/
+function createLocalStartAgentCoreCommand$1() {
+	const cmd = createLocalStartAgentCoreCommand({
+		embedConfig: getEmbedConfig(),
+		extraStateProviders: cdkdExtraStateProviders
+	});
+	cmd.addOption(new Option("--from-state", "Read cdkd's S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub / Fn::ImportValue / Fn::GetStackOutput intrinsics in the AgentCore runtime container image and environment variables. Mutually exclusive with --from-cfn-stack.").default(false));
+	cmd.addOption(new Option("--state-bucket <bucket>", "S3 bucket for --from-state. Falls back to CDKD_STATE_BUCKET env or cdk.json context.cdkd.stateBucket."));
+	cmd.addOption(new Option("--state-prefix <prefix>", "S3 key prefix for --from-state state files.").default("cdkd"));
+	return cmd;
+}
+
 //#endregion
 //#region src/cli/commands/local-start-alb.ts
 /**
@@ -50804,6 +50852,46 @@ function createLocalStartAlbCommand() {
 	return addCommonEcsServiceOptions(cmd);
 }
 
+//#endregion
+//#region src/cli/commands/local-start-cloudfront.ts
+/**
+* `cdkd local start-cloudfront <distribution>` — serve a CloudFront distribution
+* locally: its S3 origin content (resolved from the BucketDeployment source in
+* the cloud assembly) AND its Lambda Function URL origins (the backing Lambda is
+* run locally via RIE), plus its viewer-request / viewer-response CloudFront
+* Functions, reproducing the distribution routing so a rewrite / routing change
+* is verifiable in seconds. Inherited from cdk-local (go-to-k/cdk-local#363,
+* Lambda Function URL + deployed-S3 origins added in #380).
+*
+* Like the `start-agentcore` wrapper, this command is a THIN pass-through to
+* cdk-local's factory. The serve behavior and the option block (`--port` /
+* `--host` / `--origin <originId>=<dir>` / `--kvs-file` / `--cache-origin` /
+* `--no-pull` / `--tls` / `--tls-cert` / `--tls-key` / `--watch`, plus
+* cdk-local's own `--from-cfn-stack` / `--stack-region` / `--assume-role` for
+* binding a Function URL origin's backing Lambda + a deployed-S3 origin's bucket
+* name to deployed state) live in cdk-local and are auto-inherited.
+*
+* UNLIKE `start-agentcore` / `start-alb` / `start-service`, this command does
+* NOT thread cdkd's S3-backed `--from-state` source: cdk-local's
+* `CreateLocalStartCloudFrontCommandOptions` accepts only `embedConfig`, not the
+* `extraStateProviders` seam (the factory's internal `createLocalStateProvider`
+* calls pass no fourth argument). So `--from-state` / `--state-bucket` /
+* `--state-prefix` and `cdkdExtraStateProviders` threading are intentionally
+* absent here — start-cloudfront stays exempt from issue #766 until cdk-local
+* adds `extraStateProviders` to its start-cloudfront factory. Until then the
+* `--from-cfn-stack` flag (CloudFormation-backed deployed state) is the only
+* state source on this command.
+*
+* The active cdkd embed config is re-handed to the factory so branding stays
+* cdkd: cdk-local's factory calls `setEmbedConfig(opts.embedConfig)`, and
+* passing the current config (set once by `createLocalCommand` before the
+* subcommands are built) keeps it as a no-op re-set rather than a reset back to
+* cdk-local's `cdkl` defaults.
+*/
+function createLocalStartCloudFrontCommand$1() {
+	return createLocalStartCloudFrontCommand({ embedConfig: getEmbedConfig() });
+}
+
 //#endregion
 //#region src/cli/commands/local-invoke.ts
 /**
@@ -51607,7 +51695,9 @@ function createLocalCommand() {
 	local.addCommand(createLocalRunTaskCommand());
 	local.addCommand(createLocalStartServiceCommand());
 	local.addCommand(createLocalInvokeAgentCoreCommand());
+	local.addCommand(createLocalStartAgentCoreCommand$1());
 	local.addCommand(createLocalStartAlbCommand());
+	local.addCommand(createLocalStartCloudFrontCommand$1());
 	return local;
 }
 
@@ -52746,7 +52836,7 @@ function reorderArgs(argv) {
 async function main() {
 	installPipeCloseHandler();
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.207.6");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.209.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());