@go-to-k/cdkd 0.210.0 → 0.211.0

package/README.md

@@ -59,7 +59,7 @@ Reproduce the first two with `./tests/benchmark/run-benchmark.sh all`. See [test
 - **Rollback on failure**: When a deploy errors mid-stack, cdkd rolls back the resources it just created so the stack state stays consistent (CloudFormation parity — but cdkd does this without round-tripping through CFn). Pass `cdkd deploy --no-rollback` to skip rollback and keep the partial state for Terraform-style inspection / repair. See [Rollback behavior](#rollback-behavior).
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
 - **VPC route DependsOn relaxation (on by default)**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks). Pass `--no-aggressive-vpc-parallel` to opt out.
-- **Local execution** (`cdkd local invoke` / `start-api` / `run-task` / `start-service` / `start-alb` / `start-cloudfront` / `invoke-agentcore` / `start-agentcore`): run Lambdas, API Gateway routes, ECS tasks, long-running ECS services, CloudFront distributions, and Bedrock AgentCore Runtimes from your CDK code. All AWS Lambda runtimes, container Lambdas, REST v1 / HTTP v2 / Function URL routes, Service Connect / Cloud Map, AgentCore HTTP / MCP / A2A / AGUI / WebSocket protocols (one-shot `invoke-agentcore` and long-running `/ws` serve via `start-agentcore`). The Docker-backed commands work for both `cdkd deploy`-managed (`--from-state`) AND `cdk deploy`-managed (`--from-cfn-stack`) stacks; `start-cloudfront` serves the viewer-request -> S3 / Lambda Function URL origin -> viewer-response pipeline (CloudFront-Functions + S3-only distributions run in-process with no Docker). See [Local execution](#local-execution).
+- **Local execution** (`cdkd local invoke` / `start-api` / `run-task` / `start-service` / `start-alb` / `start-cloudfront` / `invoke-agentcore` / `start-agentcore`): run Lambdas, API Gateway routes, ECS tasks, long-running ECS services, CloudFront distributions, and Bedrock AgentCore Runtimes from your CDK code. All AWS Lambda runtimes, container Lambdas, REST v1 / HTTP v2 / Function URL routes, Service Connect / Cloud Map, AgentCore HTTP / MCP / A2A / AGUI / WebSocket protocols (one-shot `invoke-agentcore` and long-running warm serve via `start-agentcore`, which serves the native contract — `POST /invocations` + `GET /ping`, MCP `/mcp`, A2A `/` — plus the `/ws` bridge for HTTP / AGUI). The Docker-backed commands work for both `cdkd deploy`-managed (`--from-state`) AND `cdk deploy`-managed (`--from-cfn-stack`) stacks; `start-cloudfront` serves the viewer-request -> S3 / Lambda Function URL origin -> viewer-response pipeline (CloudFront-Functions + S3-only distributions run in-process with no Docker). See [Local execution](#local-execution).
 - **Bidirectional CloudFormation migration**: `cdkd import --migrate-from-cloudformation` adopts existing CFn stacks (including `cdk deploy`-managed) into cdkd state without re-creating resources; `cdkd export` hands a cdkd stack back to CloudFormation when production-ready. See [Importing](#importing-existing-resources) / [Exporting](#exporting-a-stack-back-to-cloudformation).
 
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. Deployment fails with a clear error message naming the type + a 1-click issue link.
@@ -242,7 +242,7 @@ maintain, no `cdk synth | sam ...` round-trip.
 | `cdkd local run-task <target>` | ECS RunTask — every container in a task definition started on a per-task docker network |
 | `cdkd local start-service <target>` | Long-running ECS Service emulator — `DesiredCount` replicas with restart-on-exit (no local load balancer in v1) |
 | `cdkd local invoke-agentcore <target>` | One-shot Bedrock AgentCore Runtime invoke (HTTP `/invocations` / MCP `/mcp` / A2A `/a2a` / AGUI / WebSocket `--ws`) |
-| `cdkd local start-agentcore [target]` | Long-running serve of a Bedrock AgentCore Runtime's bidirectional `/ws` WebSocket (HTTP / AGUI), fronted by a host bridge that injects the session-id / Authorization a header-less browser client cannot set |
+| `cdkd local start-agentcore [target]` | Long-running serve of a Bedrock AgentCore Runtime against a warm container (all four protocols): HTTP / AGUI serve `POST /invocations` + `GET /ping` plus the `/ws` bridge (injects the session-id / Authorization a header-less browser client cannot set); MCP serves `/mcp`, A2A serves `/`. `--sigv4` / `--watch` supported |
 | `cdkd local start-alb <targets...>` | Long-running local ALB front-door (HTTP + HTTPS listeners, path / host / header / weighted / redirect / fixed-response routing, authenticate-cognito / authenticate-oidc) for ECS / Lambda backing services |
 | `cdkd local start-cloudfront [target]` | Long-running local CloudFront distribution — viewer-request -> S3 / Lambda Function URL origin -> viewer-response pipeline, CloudFront Functions run in-process (Function URL origins use Docker/RIE) |
 

package/dist/cli.js

@@ -43823,6 +43823,7 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 		handler,
 		memoryMb,
 		timeoutSec,
+		architecture: extractArchitecture(props, logicalId),
 		codePath,
 		layers,
 		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb },
@@ -43910,6 +43911,24 @@ function extractImageUri$1(value, logicalId, stackName, resources, region) {
 	}
 }
 /**
+* Parse `Properties.Architectures` into the single arch cdkd threads to
+* `--platform`. CFn types it as an array, but CDK / Lambda allow exactly
+* one entry; default `x86_64` matches the AWS-side default when the
+* property is absent. Shared by BOTH the ZIP and IMAGE variants (issue
+* #768) so the ZIP container run pins `--platform` the same way the IMAGE
+* path always has.
+*/
+function extractArchitecture(props, logicalId) {
+	const arches = props["Architectures"];
+	if (Array.isArray(arches) && arches.length > 0) {
+		const first = arches[0];
+		if (first === "arm64") return "arm64";
+		if (first === "x86_64") return "x86_64";
+		throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. cdkd local invoke supports x86_64 and arm64.`);
+	}
+	return "x86_64";
+}
+/**
 * Build the IMAGE-variant `ResolvedLambda` from a Lambda template entry
 * with `Code.ImageUri`. `ImageConfig` and `Architectures` are both
 * optional in CFn — the defaults match the AWS-side defaults.
@@ -43921,14 +43940,6 @@ function extractImageLambdaProperties(args) {
 	if (Array.isArray(rawImageConfig["Command"])) imageConfig.command = rawImageConfig["Command"].filter((s) => typeof s === "string");
 	if (Array.isArray(rawImageConfig["EntryPoint"])) imageConfig.entryPoint = rawImageConfig["EntryPoint"].filter((s) => typeof s === "string");
 	if (typeof rawImageConfig["WorkingDirectory"] === "string") imageConfig.workingDirectory = rawImageConfig["WorkingDirectory"];
-	const arches = props["Architectures"];
-	let architecture = "x86_64";
-	if (Array.isArray(arches) && arches.length > 0) {
-		const first = arches[0];
-		if (first === "arm64") architecture = "arm64";
-		else if (first === "x86_64") architecture = "x86_64";
-		else throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. cdkd local invoke supports x86_64 and arm64.`);
-	}
 	return {
 		kind: "image",
 		stack,
@@ -43938,7 +43949,7 @@ function extractImageLambdaProperties(args) {
 		timeoutSec,
 		imageUri,
 		imageConfig,
-		architecture,
+		architecture: extractArchitecture(props, logicalId),
 		layers: [],
 		...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
 	};
@@ -46532,6 +46543,7 @@ function createContainerPool(specs, options) {
 				hostPort,
 				host: spec.containerHost,
 				name,
+				platform: spec.platform,
 				...spec.debugPort !== void 0 && { debugPort: spec.debugPort },
 				...spec.tmpfs !== void 0 && { tmpfs: spec.tmpfs },
 				...spec.extraHosts !== void 0 && { extraHosts: spec.extraHosts }
@@ -47464,6 +47476,7 @@ async function buildContainerSpec(args) {
 	if (lambda.kind === "zip") {
 		codeDir = lambda.codePath ?? materializeInlineCode$1(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime), inlineTmpDirs);
 		optDir = await materializeLambdaLayers$1(lambda.layers, layerTmpDirs, layerRoleArn);
+		platform = architectureToPlatform(lambda.architecture);
 	} else {
 		imageRef = (await resolveContainerImageForStartApi(lambda, skipPull)).imageRef;
 		platform = architectureToPlatform(lambda.architecture);
@@ -47530,6 +47543,7 @@ async function buildContainerSpec(args) {
 		kind: "zip",
 		lambda,
 		codeDir,
+		platform,
 		env: dockerEnv,
 		containerHost,
 		...optDir !== void 0 && { optDir },
@@ -47681,6 +47695,7 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 		if (!inlineCode) codePath = resolveAssetCodePath(stack, logicalId, resource);
 		const layers = resolveLambdaLayers(stack, logicalId, props);
 		const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
+		const architecture = extractStartApiArchitecture(props, logicalId);
 		return {
 			kind: "zip",
 			stack,
@@ -47692,6 +47707,7 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 			timeoutSec,
 			codePath,
 			layers,
+			architecture,
 			...inlineCode !== void 0 && { inlineCode },
 			...ephemeralStorageMb !== void 0 && { ephemeralStorageMb }
 		};
@@ -47741,6 +47757,23 @@ function extractImageUri(value, logicalId, stackName, resources, region) {
 	}
 }
 /**
+* Parse `Properties.Architectures` into the single arch cdkd threads to
+* `--platform`. Defaults to `x86_64` (the AWS default) when absent; CDK
+* only ever sets one entry. Shared by BOTH the ZIP and IMAGE start-api
+* resolvers (issue #768) so the ZIP container run pins `--platform` the
+* same way the IMAGE path always has.
+*/
+function extractStartApiArchitecture(props, logicalId) {
+	const arches = props["Architectures"];
+	if (Array.isArray(arches) && arches.length > 0) {
+		const first = arches[0];
+		if (first === "arm64") return "arm64";
+		if (first === "x86_64") return "x86_64";
+		throw new Error(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. cdkd local start-api supports x86_64 and arm64.`);
+	}
+	return "x86_64";
+}
+/**
 * Build the IMAGE-variant `ResolvedStartApiLambda` from a Lambda
 * template entry with `Code.ImageUri`. Mirrors
 * `lambda-resolver.ts:extractImageLambdaProperties` but trimmed to the
@@ -47753,14 +47786,7 @@ function resolveImageLambda(args) {
 	if (Array.isArray(rawImageConfig["Command"])) imageConfig.command = rawImageConfig["Command"].filter((s) => typeof s === "string");
 	if (Array.isArray(rawImageConfig["EntryPoint"])) imageConfig.entryPoint = rawImageConfig["EntryPoint"].filter((s) => typeof s === "string");
 	if (typeof rawImageConfig["WorkingDirectory"] === "string") imageConfig.workingDirectory = rawImageConfig["WorkingDirectory"];
-	const arches = props["Architectures"];
-	let architecture = "x86_64";
-	if (Array.isArray(arches) && arches.length > 0) {
-		const first = arches[0];
-		if (first === "arm64") architecture = "arm64";
-		else if (first === "x86_64") architecture = "x86_64";
-		else throw new Error(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. cdkd local start-api supports x86_64 and arm64.`);
-	}
+	const architecture = extractStartApiArchitecture(props, logicalId);
 	const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
 	return {
 		kind: "image",
@@ -50791,23 +50817,36 @@ function createLocalInvokeAgentCoreCommand() {
 //#region src/cli/commands/local-start-agentcore.ts
 /**
 * `cdkd local start-agentcore <target>` — long-running serve for a Bedrock
-* AgentCore Runtime's bidirectional `/ws` WebSocket endpoint. Boots the
-* `AWS::BedrockAgentCore::Runtime` container (same image / env / credential
-* resolution as `invoke-agentcore`) and fronts its `/ws` endpoint with a host
-* WebSocket bridge that injects the AgentCore session-id (and `Authorization`
-* under a `customJwtAuthorizer`) on the container upgrade, so a header-less
-* client (e.g. a browser) can hold an interactive multi-frame session. HTTP /
-* AGUI protocols only. The serve counterpart of the single-shot
-* `cdkd local invoke-agentcore`. Inherited from cdk-local
-* (go-to-k/cdk-local#420).
+* AgentCore Runtime against a WARM container. Boots the
+* `AWS::BedrockAgentCore::Runtime` container ONCE (same image / env / credential
+* resolution as `invoke-agentcore`) and keeps it warm, serving the runtime's
+* native protocol contract so a client can hit it repeatedly:
+*
+* - **HTTP / AGUI** runtimes serve `POST /invocations` + `GET /ping` proxied to
+*   the warm container (session-id / boot-resolved `Authorization` injected,
+*   request/response — incl. SSE — streamed) AND the bidirectional `/ws`
+*   endpoint behind a host WebSocket bridge (injects the AgentCore session-id,
+*   and `Authorization` under a `customJwtAuthorizer`, so a header-less client
+*   such as a browser can hold an interactive multi-frame session), both on the
+*   SAME host port.
+* - **MCP** runtimes serve `POST /mcp`; **A2A** runtimes serve `POST /` (no
+*   `/ws` bridge).
+*
+* The serve counterpart of the single-shot `cdkd local invoke-agentcore`.
+* Inherited from cdk-local (go-to-k/cdk-local#420; warm HTTP serve + all four
+* protocols + per-request inbound JWT + `--sigv4` + `--watch` from #454 slices
+* 1/2/4a/4b, cdk-local#458/#459/#461/#462).
 *
 * Like `start-cloudfront`, this is a THIN pass-through to cdk-local's factory —
 * the serve behavior and the `start-agentcore`-only option block (`--port` /
 * `--host` / `--session-id` / `--bearer-token` / `--no-verify-auth` /
-* `--env-vars` / `--platform` / `--no-pull` / `--no-build` / `--container-host`
-* / `--timeout` / `--assume-role` / `--ecr-role-arn` / `--from-cfn-stack` /
-* `--stack-region`) live in cdk-local's `addStartAgentCoreSpecificOptions` and
-* are auto-inherited.
+* `--sigv4` / `--watch` / `--env-vars` / `--platform` / `--no-pull` /
+* `--no-build` / `--container-host` / `--timeout` / `--assume-role` /
+* `--ecr-role-arn` / `--from-cfn-stack` / `--stack-region`) live in cdk-local's
+* `addStartAgentCoreSpecificOptions` and are auto-inherited. Under a
+* `customJwtAuthorizer` the inbound JWT is now verified PER REQUEST on the warm
+* serve (401 missing / 403 invalid / forwarded on pass; `GET /ping` is
+* unauthenticated), with `--bearer-token` as the default-when-missing fallback.
 *
 * Like `start-cloudfront` / `start-alb` / `start-service`, this command binds
 * deployed state through cdk-local's `extraStateProviders` seam: the factory
@@ -51203,6 +51242,7 @@ async function resolveZipImagePlan(lambda, options) {
 		}],
 		extraMounts: layerPlan.mount ? [layerPlan.mount] : [],
 		cmd: [lambda.handler],
+		platform: architectureToPlatform(lambda.architecture),
 		...inlineTmpDir !== void 0 && { inlineTmpDir },
 		...layerPlan.tmpDir !== void 0 && { layersTmpDir: layerPlan.tmpDir },
 		...layerPlan.extraTmpDirs.length > 0 && { layerArnTmpDirs: layerPlan.extraTmpDirs },
@@ -52847,7 +52887,7 @@ function reorderArgs(argv) {
 async function main() {
 	installPipeCloseHandler();
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.210.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.211.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());