@go-to-k/cdkd 0.210.1 → 0.211.0

package/README.md

@@ -59,7 +59,7 @@ Reproduce the first two with `./tests/benchmark/run-benchmark.sh all`. See [test
 - **Rollback on failure**: When a deploy errors mid-stack, cdkd rolls back the resources it just created so the stack state stays consistent (CloudFormation parity — but cdkd does this without round-tripping through CFn). Pass `cdkd deploy --no-rollback` to skip rollback and keep the partial state for Terraform-style inspection / repair. See [Rollback behavior](#rollback-behavior).
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
 - **VPC route DependsOn relaxation (on by default)**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks). Pass `--no-aggressive-vpc-parallel` to opt out.
-- **Local execution** (`cdkd local invoke` / `start-api` / `run-task` / `start-service` / `start-alb` / `start-cloudfront` / `invoke-agentcore` / `start-agentcore`): run Lambdas, API Gateway routes, ECS tasks, long-running ECS services, CloudFront distributions, and Bedrock AgentCore Runtimes from your CDK code. All AWS Lambda runtimes, container Lambdas, REST v1 / HTTP v2 / Function URL routes, Service Connect / Cloud Map, AgentCore HTTP / MCP / A2A / AGUI / WebSocket protocols (one-shot `invoke-agentcore` and long-running `/ws` serve via `start-agentcore`). The Docker-backed commands work for both `cdkd deploy`-managed (`--from-state`) AND `cdk deploy`-managed (`--from-cfn-stack`) stacks; `start-cloudfront` serves the viewer-request -> S3 / Lambda Function URL origin -> viewer-response pipeline (CloudFront-Functions + S3-only distributions run in-process with no Docker). See [Local execution](#local-execution).
+- **Local execution** (`cdkd local invoke` / `start-api` / `run-task` / `start-service` / `start-alb` / `start-cloudfront` / `invoke-agentcore` / `start-agentcore`): run Lambdas, API Gateway routes, ECS tasks, long-running ECS services, CloudFront distributions, and Bedrock AgentCore Runtimes from your CDK code. All AWS Lambda runtimes, container Lambdas, REST v1 / HTTP v2 / Function URL routes, Service Connect / Cloud Map, AgentCore HTTP / MCP / A2A / AGUI / WebSocket protocols (one-shot `invoke-agentcore` and long-running warm serve via `start-agentcore`, which serves the native contract — `POST /invocations` + `GET /ping`, MCP `/mcp`, A2A `/` — plus the `/ws` bridge for HTTP / AGUI). The Docker-backed commands work for both `cdkd deploy`-managed (`--from-state`) AND `cdk deploy`-managed (`--from-cfn-stack`) stacks; `start-cloudfront` serves the viewer-request -> S3 / Lambda Function URL origin -> viewer-response pipeline (CloudFront-Functions + S3-only distributions run in-process with no Docker). See [Local execution](#local-execution).
 - **Bidirectional CloudFormation migration**: `cdkd import --migrate-from-cloudformation` adopts existing CFn stacks (including `cdk deploy`-managed) into cdkd state without re-creating resources; `cdkd export` hands a cdkd stack back to CloudFormation when production-ready. See [Importing](#importing-existing-resources) / [Exporting](#exporting-a-stack-back-to-cloudformation).
 
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. Deployment fails with a clear error message naming the type + a 1-click issue link.
@@ -242,7 +242,7 @@ maintain, no `cdk synth | sam ...` round-trip.
 | `cdkd local run-task <target>` | ECS RunTask — every container in a task definition started on a per-task docker network |
 | `cdkd local start-service <target>` | Long-running ECS Service emulator — `DesiredCount` replicas with restart-on-exit (no local load balancer in v1) |
 | `cdkd local invoke-agentcore <target>` | One-shot Bedrock AgentCore Runtime invoke (HTTP `/invocations` / MCP `/mcp` / A2A `/a2a` / AGUI / WebSocket `--ws`) |
-| `cdkd local start-agentcore [target]` | Long-running serve of a Bedrock AgentCore Runtime's bidirectional `/ws` WebSocket (HTTP / AGUI), fronted by a host bridge that injects the session-id / Authorization a header-less browser client cannot set |
+| `cdkd local start-agentcore [target]` | Long-running serve of a Bedrock AgentCore Runtime against a warm container (all four protocols): HTTP / AGUI serve `POST /invocations` + `GET /ping` plus the `/ws` bridge (injects the session-id / Authorization a header-less browser client cannot set); MCP serves `/mcp`, A2A serves `/`. `--sigv4` / `--watch` supported |
 | `cdkd local start-alb <targets...>` | Long-running local ALB front-door (HTTP + HTTPS listeners, path / host / header / weighted / redirect / fixed-response routing, authenticate-cognito / authenticate-oidc) for ECS / Lambda backing services |
 | `cdkd local start-cloudfront [target]` | Long-running local CloudFront distribution — viewer-request -> S3 / Lambda Function URL origin -> viewer-response pipeline, CloudFront Functions run in-process (Function URL origins use Docker/RIE) |
 

package/dist/cli.js

@@ -50817,23 +50817,36 @@ function createLocalInvokeAgentCoreCommand() {
 //#region src/cli/commands/local-start-agentcore.ts
 /**
 * `cdkd local start-agentcore <target>` — long-running serve for a Bedrock
-* AgentCore Runtime's bidirectional `/ws` WebSocket endpoint. Boots the
-* `AWS::BedrockAgentCore::Runtime` container (same image / env / credential
-* resolution as `invoke-agentcore`) and fronts its `/ws` endpoint with a host
-* WebSocket bridge that injects the AgentCore session-id (and `Authorization`
-* under a `customJwtAuthorizer`) on the container upgrade, so a header-less
-* client (e.g. a browser) can hold an interactive multi-frame session. HTTP /
-* AGUI protocols only. The serve counterpart of the single-shot
-* `cdkd local invoke-agentcore`. Inherited from cdk-local
-* (go-to-k/cdk-local#420).
+* AgentCore Runtime against a WARM container. Boots the
+* `AWS::BedrockAgentCore::Runtime` container ONCE (same image / env / credential
+* resolution as `invoke-agentcore`) and keeps it warm, serving the runtime's
+* native protocol contract so a client can hit it repeatedly:
+*
+* - **HTTP / AGUI** runtimes serve `POST /invocations` + `GET /ping` proxied to
+*   the warm container (session-id / boot-resolved `Authorization` injected,
+*   request/response — incl. SSE — streamed) AND the bidirectional `/ws`
+*   endpoint behind a host WebSocket bridge (injects the AgentCore session-id,
+*   and `Authorization` under a `customJwtAuthorizer`, so a header-less client
+*   such as a browser can hold an interactive multi-frame session), both on the
+*   SAME host port.
+* - **MCP** runtimes serve `POST /mcp`; **A2A** runtimes serve `POST /` (no
+*   `/ws` bridge).
+*
+* The serve counterpart of the single-shot `cdkd local invoke-agentcore`.
+* Inherited from cdk-local (go-to-k/cdk-local#420; warm HTTP serve + all four
+* protocols + per-request inbound JWT + `--sigv4` + `--watch` from #454 slices
+* 1/2/4a/4b, cdk-local#458/#459/#461/#462).
 *
 * Like `start-cloudfront`, this is a THIN pass-through to cdk-local's factory —
 * the serve behavior and the `start-agentcore`-only option block (`--port` /
 * `--host` / `--session-id` / `--bearer-token` / `--no-verify-auth` /
-* `--env-vars` / `--platform` / `--no-pull` / `--no-build` / `--container-host`
-* / `--timeout` / `--assume-role` / `--ecr-role-arn` / `--from-cfn-stack` /
-* `--stack-region`) live in cdk-local's `addStartAgentCoreSpecificOptions` and
-* are auto-inherited.
+* `--sigv4` / `--watch` / `--env-vars` / `--platform` / `--no-pull` /
+* `--no-build` / `--container-host` / `--timeout` / `--assume-role` /
+* `--ecr-role-arn` / `--from-cfn-stack` / `--stack-region`) live in cdk-local's
+* `addStartAgentCoreSpecificOptions` and are auto-inherited. Under a
+* `customJwtAuthorizer` the inbound JWT is now verified PER REQUEST on the warm
+* serve (401 missing / 403 invalid / forwarded on pass; `GET /ping` is
+* unauthenticated), with `--bearer-token` as the default-when-missing fallback.
 *
 * Like `start-cloudfront` / `start-alb` / `start-service`, this command binds
 * deployed state through cdk-local's `extraStateProviders` seam: the factory
@@ -52874,7 +52887,7 @@ function reorderArgs(argv) {
 async function main() {
 	installPipeCloseHandler();
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.210.1");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.211.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());