@go-to-k/cdkd 0.72.0 → 0.73.0

package/dist/cli.js

@@ -71778,6 +71778,48 @@ function buildRestV1Event(req, ctx, opts = {}) {
   };
   return event;
 }
+function applyAuthorizerOverlay(event, overlay) {
+  const requestContext = event["requestContext"] ?? {};
+  let authorizer;
+  switch (overlay.kind) {
+    case "lambda-rest-v1": {
+      authorizer = {
+        ...overlay.principalId !== void 0 && { principalId: overlay.principalId },
+        ...overlay.context ?? {}
+      };
+      break;
+    }
+    case "lambda-http-v2": {
+      authorizer = {
+        lambda: {
+          ...overlay.principalId !== void 0 && { principalId: overlay.principalId },
+          ...overlay.context ?? {}
+        }
+      };
+      break;
+    }
+    case "cognito-rest-v1": {
+      authorizer = { claims: { ...overlay.claims } };
+      break;
+    }
+    case "jwt-http-v2": {
+      authorizer = {
+        jwt: {
+          claims: { ...overlay.claims },
+          scopes: overlay.scopes ?? []
+        }
+      };
+      break;
+    }
+  }
+  return {
+    ...event,
+    requestContext: {
+      ...requestContext,
+      authorizer
+    }
+  };
+}
 function splitRawUrl(rawUrl) {
   const q = rawUrl.indexOf("?");
   if (q === -1)
@@ -72144,6 +72186,815 @@ function isPlaceholder(segment) {
   return /^\{[^/{}+]+\}$/.test(segment);
 }
 
+// src/local/authorizer-resolver.ts
+function resolveRestV1Authorizer(authorizerLogicalId, template, stackName, declaredAt) {
+  const authResource = template.Resources?.[authorizerLogicalId];
+  if (!authResource || authResource.Type !== "AWS::ApiGateway::Authorizer") {
+    throw new RouteDiscoveryError(
+      `${declaredAt}: AuthorizerId '${authorizerLogicalId}' does not point at an AWS::ApiGateway::Authorizer in stack '${stackName}'.`
+    );
+  }
+  const props = authResource.Properties ?? {};
+  const type = props["Type"];
+  if (type === "TOKEN") {
+    const lambdaLogicalId = resolveLambdaArn(
+      props["AuthorizerUri"],
+      `${stackName}/${authorizerLogicalId}.AuthorizerUri`
+    );
+    const identitySource = typeof props["IdentitySource"] === "string" ? props["IdentitySource"] : "method.request.header.Authorization";
+    const tokenHeader = parseRestV1HeaderSelector(identitySource, stackName, authorizerLogicalId);
+    const ttl = parseTtl(props["AuthorizerResultTtlInSeconds"], 300, 3600);
+    return {
+      kind: "lambda-token",
+      logicalId: authorizerLogicalId,
+      lambdaLogicalId,
+      tokenHeader,
+      resultTtlSeconds: ttl,
+      declaredAt
+    };
+  }
+  if (type === "REQUEST") {
+    const lambdaLogicalId = resolveLambdaArn(
+      props["AuthorizerUri"],
+      `${stackName}/${authorizerLogicalId}.AuthorizerUri`
+    );
+    const identitySources = parseRestV1IdentitySources(
+      typeof props["IdentitySource"] === "string" ? props["IdentitySource"] : ""
+    );
+    const ttl = parseTtl(props["AuthorizerResultTtlInSeconds"], 300, 3600);
+    return {
+      kind: "lambda-request",
+      logicalId: authorizerLogicalId,
+      lambdaLogicalId,
+      identitySources,
+      resultTtlSeconds: ttl,
+      apiVersion: "v1",
+      declaredAt
+    };
+  }
+  if (type === "COGNITO_USER_POOLS") {
+    const arns = props["ProviderARNs"];
+    if (!Array.isArray(arns) || arns.length === 0) {
+      throw new RouteDiscoveryError(
+        `${stackName}/${authorizerLogicalId}: COGNITO_USER_POOLS authorizer is missing ProviderARNs.`
+      );
+    }
+    const arn = pickStringFromArn(arns[0], `${stackName}/${authorizerLogicalId}.ProviderARNs[0]`);
+    const parsed = parseCognitoUserPoolArn(arn, `${stackName}/${authorizerLogicalId}`);
+    return {
+      kind: "cognito",
+      logicalId: authorizerLogicalId,
+      userPoolArn: arn,
+      region: parsed.region,
+      userPoolId: parsed.userPoolId,
+      declaredAt
+    };
+  }
+  throw new RouteDiscoveryError(
+    `${stackName}/${authorizerLogicalId}: AWS::ApiGateway::Authorizer.Type '${String(type)}' is not supported by cdkd local start-api (only TOKEN / REQUEST / COGNITO_USER_POOLS \u2014 IAM / mTLS authorizers are deferred to a follow-up PR).`
+  );
+}
+function resolveHttpApiAuthorizer(authorizerLogicalId, routeAuthorizationScopes, template, stackName, declaredAt) {
+  const authResource = template.Resources?.[authorizerLogicalId];
+  if (!authResource || authResource.Type !== "AWS::ApiGatewayV2::Authorizer") {
+    throw new RouteDiscoveryError(
+      `${declaredAt}: AuthorizerId '${authorizerLogicalId}' does not point at an AWS::ApiGatewayV2::Authorizer in stack '${stackName}'.`
+    );
+  }
+  const props = authResource.Properties ?? {};
+  const authType = props["AuthorizerType"];
+  if (authType === "REQUEST") {
+    const lambdaLogicalId = resolveLambdaArn(
+      props["AuthorizerUri"],
+      `${stackName}/${authorizerLogicalId}.AuthorizerUri`
+    );
+    const identitySources = parseHttpV2IdentitySources(props["IdentitySource"]);
+    const ttl = parseTtl(props["AuthorizerResultTtlInSeconds"], 0, 3600);
+    return {
+      kind: "lambda-request",
+      logicalId: authorizerLogicalId,
+      lambdaLogicalId,
+      identitySources,
+      resultTtlSeconds: ttl,
+      apiVersion: "v2",
+      declaredAt
+    };
+  }
+  if (authType === "JWT") {
+    const jwt = props["JwtConfiguration"];
+    if (!jwt || typeof jwt !== "object") {
+      throw new RouteDiscoveryError(
+        `${stackName}/${authorizerLogicalId}: AWS::ApiGatewayV2::Authorizer.JwtConfiguration is required for AuthorizerType=JWT.`
+      );
+    }
+    const obj = jwt;
+    const issuer = obj["Issuer"];
+    if (typeof issuer !== "string" || issuer.length === 0) {
+      throw new RouteDiscoveryError(
+        `${stackName}/${authorizerLogicalId}: JwtConfiguration.Issuer must be a string.`
+      );
+    }
+    const audienceRaw = obj["Audience"];
+    const audience = Array.isArray(audienceRaw) ? audienceRaw.filter((s) => typeof s === "string") : [];
+    const cognito = parseCognitoIssuer(issuer);
+    return {
+      kind: "jwt",
+      logicalId: authorizerLogicalId,
+      issuer,
+      audience,
+      ...cognito && { region: cognito.region, userPoolId: cognito.userPoolId },
+      declaredAt
+    };
+  }
+  throw new RouteDiscoveryError(
+    `${stackName}/${authorizerLogicalId}: AWS::ApiGatewayV2::Authorizer.AuthorizerType '${String(authType)}' is not supported by cdkd local start-api (only REQUEST / JWT).`
+  );
+}
+function resolveLambdaArn(value, location) {
+  if (value && typeof value === "object" && !Array.isArray(value)) {
+    const obj = value;
+    if ("Ref" in obj && typeof obj["Ref"] === "string")
+      return obj["Ref"];
+    if ("Fn::GetAtt" in obj) {
+      const arg = obj["Fn::GetAtt"];
+      if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") {
+        return arg[0];
+      }
+    }
+    if ("Fn::Join" in obj) {
+      const join9 = obj["Fn::Join"];
+      if (Array.isArray(join9) && join9.length === 2 && Array.isArray(join9[1])) {
+        const parts = join9[1];
+        const literal = parts.filter((p) => typeof p === "string").join("");
+        if (literal.includes(":lambda:path/2015-03-31/functions/")) {
+          for (const p of parts) {
+            if (p && typeof p === "object" && !Array.isArray(p)) {
+              const inner = p;
+              const arg = inner["Fn::GetAtt"];
+              if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") {
+                return arg[0];
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  throw new RouteDiscoveryError(
+    `${location}: only { Ref }, { Fn::GetAtt: [..., 'Arn'] }, or the REST v1 invoke-ARN Fn::Join wrapper are supported (got ${shortJson2(value)}).`
+  );
+}
+function parseRestV1HeaderSelector(identitySource, stackName, authorizerLogicalId) {
+  const m = /^method\.request\.header\.([A-Za-z0-9-_]+)$/.exec(identitySource.trim());
+  if (!m) {
+    throw new RouteDiscoveryError(
+      `${stackName}/${authorizerLogicalId}: TOKEN authorizer IdentitySource '${identitySource}' must be 'method.request.header.<HeaderName>'.`
+    );
+  }
+  return m[1].toLowerCase();
+}
+function parseRestV1IdentitySources(raw) {
+  const out = [];
+  for (const tokenRaw of raw.split(",")) {
+    const token = tokenRaw.trim();
+    if (token.length === 0)
+      continue;
+    const headerMatch = /^method\.request\.header\.([A-Za-z0-9-_]+)$/.exec(token);
+    if (headerMatch) {
+      out.push({ kind: "header", name: headerMatch[1].toLowerCase() });
+      continue;
+    }
+    const queryMatch = /^method\.request\.querystring\.([A-Za-z0-9-_]+)$/.exec(token);
+    if (queryMatch) {
+      out.push({ kind: "query", name: queryMatch[1] });
+      continue;
+    }
+    const contextMatch = /^context\.([A-Za-z0-9._-]+)$/.exec(token);
+    if (contextMatch) {
+      out.push({ kind: "context", name: contextMatch[1] });
+      continue;
+    }
+    const stageMatch = /^stageVariables\.([A-Za-z0-9._-]+)$/.exec(token);
+    if (stageMatch) {
+      out.push({ kind: "stage-variable", name: stageMatch[1] });
+      continue;
+    }
+    out.push({ kind: "header", name: token.toLowerCase() });
+  }
+  return out;
+}
+function parseHttpV2IdentitySources(raw) {
+  if (!Array.isArray(raw))
+    return [];
+  const out = [];
+  for (const entry of raw) {
+    if (typeof entry !== "string")
+      continue;
+    const headerMatch = /^\$request\.header\.([A-Za-z0-9-_]+)$/.exec(entry);
+    if (headerMatch) {
+      out.push({ kind: "header", name: headerMatch[1].toLowerCase() });
+      continue;
+    }
+    const queryMatch = /^\$request\.querystring\.([A-Za-z0-9-_]+)$/.exec(entry);
+    if (queryMatch) {
+      out.push({ kind: "query", name: queryMatch[1] });
+      continue;
+    }
+    out.push({ kind: "header", name: entry.toLowerCase() });
+  }
+  return out;
+}
+function parseCognitoUserPoolArn(arn, location) {
+  const m = /^arn:aws[a-z0-9-]*:cognito-idp:([a-z0-9-]+):[0-9]+:userpool\/(.+)$/.exec(arn);
+  if (!m) {
+    throw new RouteDiscoveryError(
+      `${location}: malformed Cognito User Pool ARN '${arn}'. Expected 'arn:aws:cognito-idp:<region>:<account>:userpool/<id>'.`
+    );
+  }
+  return { region: m[1], userPoolId: m[2] };
+}
+function parseCognitoIssuer(issuer) {
+  const m = /^https:\/\/cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([^/]+)\/?$/.exec(issuer);
+  if (!m)
+    return void 0;
+  return { region: m[1], userPoolId: m[2] };
+}
+function pickStringFromArn(value, location) {
+  if (typeof value === "string")
+    return value;
+  if (value && typeof value === "object" && !Array.isArray(value)) {
+    const obj = value;
+    if ("Fn::GetAtt" in obj) {
+      const arg = obj["Fn::GetAtt"];
+      if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") {
+        throw new RouteDiscoveryError(
+          `${location}: ProviderARNs[0] uses Fn::GetAtt against logical ID '${arg[0]}'. cdkd local start-api needs the literal ARN string to derive the JWKS URL \u2014 set the user pool ARN explicitly via 'authorizer.providerArns' on the CDK construct, or upgrade to JWT (HTTP v2) which encodes the pool in the Issuer URL.`
+        );
+      }
+    }
+  }
+  throw new RouteDiscoveryError(
+    `${location}: ProviderARNs[0] must be a literal string (got ${shortJson2(value)}).`
+  );
+}
+function parseTtl(raw, fallback, max) {
+  if (typeof raw !== "number" || !Number.isFinite(raw) || raw < 0)
+    return fallback;
+  return Math.min(Math.trunc(raw), max);
+}
+function buildIdentityHash(parts) {
+  return parts.map((p) => p ?? "").join("\0");
+}
+function attachAuthorizers(stacks, routes) {
+  const stackByRoute = /* @__PURE__ */ new Map();
+  for (const stack of stacks) {
+    const prefix = `${stack.stackName}/`;
+    for (const route of routes) {
+      if (route.declaredAt.startsWith(prefix))
+        stackByRoute.set(route.declaredAt, stack);
+    }
+  }
+  const out = [];
+  const errors = [];
+  for (const route of routes) {
+    const stack = stackByRoute.get(route.declaredAt);
+    if (!stack) {
+      out.push({ route });
+      continue;
+    }
+    try {
+      const authorizer = detectAuthorizer(route, stack);
+      out.push({ route, ...authorizer && { authorizer } });
+    } catch (err) {
+      errors.push(err instanceof Error ? err.message : String(err));
+    }
+  }
+  if (errors.length > 0) {
+    throw new RouteDiscoveryError(
+      `cdkd local start-api: ${errors.length} authorizer error(s):
+` + errors.map((e) => `  - ${e}`).join("\n")
+    );
+  }
+  return out;
+}
+function detectAuthorizer(route, stack) {
+  const slash = route.declaredAt.indexOf("/");
+  if (slash < 0)
+    return void 0;
+  const logicalId = route.declaredAt.slice(slash + 1);
+  const resource = stack.template.Resources?.[logicalId];
+  if (!resource)
+    return void 0;
+  if (resource.Type === "AWS::ApiGateway::Method") {
+    return detectRestV1Authorizer(resource, logicalId, stack);
+  }
+  if (resource.Type === "AWS::ApiGatewayV2::Route") {
+    return detectHttpApiAuthorizer(resource, logicalId, stack);
+  }
+  return void 0;
+}
+function detectRestV1Authorizer(methodResource, methodLogicalId, stack) {
+  const props = methodResource.Properties ?? {};
+  const authType = props["AuthorizationType"];
+  if (authType === void 0 || authType === "NONE")
+    return void 0;
+  const authorizerId = props["AuthorizerId"];
+  const refLogicalId = pickRefLogicalId2(authorizerId);
+  if (authType === "AWS_IAM") {
+    throw new RouteDiscoveryError(
+      `${stack.stackName}/${methodLogicalId}: REST v1 AWS_IAM authorization is not supported by cdkd local start-api (deferred follow-up PR).`
+    );
+  }
+  if (!refLogicalId) {
+    throw new RouteDiscoveryError(
+      `${stack.stackName}/${methodLogicalId}: AuthorizationType='${String(authType)}' but AuthorizerId is missing or not a {Ref:...}.`
+    );
+  }
+  return resolveRestV1Authorizer(
+    refLogicalId,
+    stack.template,
+    stack.stackName,
+    `${stack.stackName}/${methodLogicalId}`
+  );
+}
+function detectHttpApiAuthorizer(routeResource, routeLogicalId, stack) {
+  const props = routeResource.Properties ?? {};
+  const authType = props["AuthorizationType"];
+  if (authType === void 0 || authType === "NONE")
+    return void 0;
+  const authorizerId = props["AuthorizerId"];
+  const refLogicalId = pickRefLogicalId2(authorizerId);
+  if (!refLogicalId) {
+    throw new RouteDiscoveryError(
+      `${stack.stackName}/${routeLogicalId}: AuthorizationType='${String(authType)}' but AuthorizerId is missing or not a {Ref:...}.`
+    );
+  }
+  const scopesRaw = props["AuthorizationScopes"];
+  const scopes = Array.isArray(scopesRaw) ? scopesRaw.filter((s) => typeof s === "string") : void 0;
+  return resolveHttpApiAuthorizer(
+    refLogicalId,
+    scopes,
+    stack.template,
+    stack.stackName,
+    `${stack.stackName}/${routeLogicalId}`
+  );
+}
+function pickRefLogicalId2(value) {
+  if (value && typeof value === "object" && !Array.isArray(value)) {
+    const ref = value["Ref"];
+    if (typeof ref === "string")
+      return ref;
+  }
+  return null;
+}
+function shortJson2(value) {
+  try {
+    const s = JSON.stringify(value);
+    return s.length > 200 ? `${s.slice(0, 200)}\u2026` : s;
+  } catch {
+    return String(value);
+  }
+}
+
+// src/local/lambda-authorizer.ts
+function buildMethodArn(opts) {
+  const region = opts.region ?? "local";
+  const trimmedPath = opts.path.replace(/^\//, "");
+  return `arn:aws:execute-api:${region}:${opts.accountId}:${opts.apiId}/${opts.stage}/${opts.method.toUpperCase()}/${trimmedPath}`;
+}
+async function invokeTokenAuthorizer(authorizer, request, ctx) {
+  const token = request.headers[authorizer.tokenHeader];
+  if (!token || token.length === 0) {
+    return { allow: false, identityHash: void 0 };
+  }
+  const event = {
+    type: "TOKEN",
+    authorizationToken: token,
+    methodArn: ctx.methodArn
+  };
+  const identityHash = buildIdentityHash([token]);
+  const result = await invokeAuthorizerLambda(authorizer.lambdaLogicalId, event, ctx);
+  return parseLambdaAuthorizerResponse(result, ctx.methodArn, identityHash);
+}
+async function invokeRequestAuthorizer(authorizer, request, ctx) {
+  const { identityHash, missing } = computeRequestIdentityHash(authorizer, request);
+  if (missing) {
+    return { allow: false, identityHash: void 0 };
+  }
+  const event = authorizer.apiVersion === "v1" ? buildRequestEventV1(authorizer, request, ctx) : buildRequestEventV2(authorizer, request, ctx);
+  const result = await invokeAuthorizerLambda(authorizer.lambdaLogicalId, event, ctx);
+  if (authorizer.apiVersion === "v2") {
+    return parseHttpV2RequestResponse(result, ctx.methodArn, identityHash);
+  }
+  return parseLambdaAuthorizerResponse(result, ctx.methodArn, identityHash);
+}
+function extractIdentityValue(sel, request) {
+  switch (sel.kind) {
+    case "header":
+      return request.headers[sel.name];
+    case "query":
+      return request.queryStringParameters[sel.name];
+    case "context":
+      return void 0;
+    case "stage-variable":
+      return void 0;
+  }
+}
+function computeRequestIdentityHash(authorizer, request) {
+  const identityValues = authorizer.identitySources.map(
+    (sel) => extractIdentityValue(sel, request)
+  );
+  const missing = authorizer.apiVersion === "v1" && authorizer.identitySources.length > 0 && identityValues.every((v) => v === void 0 || v === "");
+  return { identityHash: buildIdentityHash(identityValues), missing };
+}
+function buildRequestEventV1(authorizer, request, ctx) {
+  return {
+    type: "REQUEST",
+    methodArn: ctx.methodArn,
+    resource: request.matchedPath,
+    path: request.matchedPath,
+    httpMethod: request.method,
+    headers: request.headers,
+    multiValueHeaders: Object.fromEntries(
+      Object.entries(request.headers).map(([k, v]) => [k, v.split(",")])
+    ),
+    queryStringParameters: request.queryStringParameters,
+    multiValueQueryStringParameters: Object.fromEntries(
+      Object.entries(request.queryStringParameters).map(([k, v]) => [k, [v]])
+    ),
+    pathParameters: request.pathParameters,
+    stageVariables: null,
+    requestContext: {
+      accountId: ctx.mockAccountId,
+      apiId: ctx.mockApiId,
+      httpMethod: request.method,
+      identity: { sourceIp: request.sourceIp },
+      path: `/${request.stage}${request.matchedPath}`,
+      stage: request.stage
+    },
+    authorizationToken: request.headers[authorizer.identitySources[0]?.name ?? "authorization"]
+  };
+}
+function buildRequestEventV2(_authorizer, request, ctx) {
+  return {
+    version: "2.0",
+    type: "REQUEST",
+    routeArn: ctx.methodArn,
+    identitySource: [],
+    // Honored by AWS but not interpreted by user code.
+    routeKey: `${request.method} ${request.matchedPath}`,
+    rawPath: request.matchedPath,
+    rawQueryString: "",
+    headers: request.headers,
+    queryStringParameters: request.queryStringParameters,
+    pathParameters: request.pathParameters,
+    stageVariables: null,
+    requestContext: {
+      accountId: ctx.mockAccountId,
+      apiId: ctx.mockApiId,
+      domainName: "localhost",
+      domainPrefix: "local",
+      http: {
+        method: request.method,
+        path: request.matchedPath,
+        protocol: "HTTP/1.1",
+        sourceIp: request.sourceIp,
+        userAgent: request.headers["user-agent"] ?? ""
+      },
+      requestId: "local-authorizer",
+      routeKey: `${request.method} ${request.matchedPath}`,
+      stage: request.stage,
+      time: "",
+      timeEpoch: 0
+    }
+  };
+}
+async function invokeAuthorizerLambda(lambdaLogicalId, event, ctx) {
+  const handle = await ctx.pool.acquire(lambdaLogicalId);
+  try {
+    const result = await invokeRie(handle.containerHost, handle.hostPort, event, ctx.rieTimeoutMs);
+    return result.payload;
+  } finally {
+    ctx.pool.release(handle);
+  }
+}
+function parseLambdaAuthorizerResponse(payload, methodArn, identityHash) {
+  if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
+    return { allow: false, identityHash };
+  }
+  const obj = payload;
+  const principalId = typeof obj["principalId"] === "string" ? obj["principalId"] : void 0;
+  const context = obj["context"] && typeof obj["context"] === "object" && !Array.isArray(obj["context"]) ? obj["context"] : void 0;
+  const policy = obj["policyDocument"];
+  if (!policy || typeof policy !== "object") {
+    return {
+      allow: false,
+      identityHash,
+      ...principalId !== void 0 && { principalId },
+      ...context && { context }
+    };
+  }
+  const stmts = policy["Statement"];
+  if (!Array.isArray(stmts)) {
+    return {
+      allow: false,
+      identityHash,
+      ...principalId !== void 0 && { principalId },
+      ...context && { context },
+      policy
+    };
+  }
+  const allow = stmts.some((stmt) => {
+    if (!stmt || typeof stmt !== "object" || Array.isArray(stmt))
+      return false;
+    const s = stmt;
+    if (s["Effect"] !== "Allow")
+      return false;
+    const resources = Array.isArray(s["Resource"]) ? s["Resource"] : [s["Resource"]];
+    return resources.some((r) => typeof r === "string" && resourceMatches(r, methodArn));
+  });
+  return {
+    allow,
+    identityHash,
+    ...principalId !== void 0 && { principalId },
+    ...context && { context },
+    policy
+  };
+}
+function parseHttpV2RequestResponse(payload, methodArn, identityHash) {
+  if (payload && typeof payload === "object" && !Array.isArray(payload)) {
+    const obj = payload;
+    if (typeof obj["isAuthorized"] === "boolean") {
+      const context = obj["context"] && typeof obj["context"] === "object" && !Array.isArray(obj["context"]) ? obj["context"] : void 0;
+      return {
+        allow: obj["isAuthorized"],
+        identityHash,
+        ...context && { context }
+      };
+    }
+  }
+  return parseLambdaAuthorizerResponse(payload, methodArn, identityHash);
+}
+function resourceMatches(pattern, methodArn) {
+  if (pattern === methodArn)
+    return true;
+  if (!pattern.includes("*") && !pattern.includes("?"))
+    return false;
+  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
+  const re = new RegExp(`^${escaped}$`);
+  return re.test(methodArn);
+}
+function evaluateCachedLambdaPolicy(cached, methodArn) {
+  const policy = cached.policy;
+  if (!policy || typeof policy !== "object") {
+    return { ...cached, allow: false };
+  }
+  const stmts = policy["Statement"];
+  if (!Array.isArray(stmts)) {
+    return { ...cached, allow: false };
+  }
+  const allow = stmts.some((stmt) => {
+    if (!stmt || typeof stmt !== "object" || Array.isArray(stmt))
+      return false;
+    const s = stmt;
+    if (s["Effect"] !== "Allow")
+      return false;
+    const resources = Array.isArray(s["Resource"]) ? s["Resource"] : [s["Resource"]];
+    return resources.some((r) => typeof r === "string" && resourceMatches(r, methodArn));
+  });
+  return { ...cached, allow };
+}
+
+// src/local/cognito-jwt.ts
+import { createPublicKey, createVerify } from "node:crypto";
+var DEFAULT_JWKS_TTL_MS = 60 * 60 * 1e3;
+var FAILURE_JWKS_TTL_MS = 60 * 1e3;
+function createJwksCache(opts = {}) {
+  const fetchImpl = opts.fetchImpl ?? (async (url) => globalThis.fetch(url));
+  const now = opts.now ?? (() => Date.now());
+  const ttlMs = opts.ttlMs ?? DEFAULT_JWKS_TTL_MS;
+  const failureTtlMs = opts.failureTtlMs ?? FAILURE_JWKS_TTL_MS;
+  const map = /* @__PURE__ */ new Map();
+  return {
+    async fetchAndCache(jwksUrl) {
+      const cached = map.get(jwksUrl);
+      if (cached && cached.expiresAt > now())
+        return cached;
+      const logger = getLogger().child("cognito-jwt");
+      try {
+        const response = await fetchImpl(jwksUrl);
+        if (!response.ok) {
+          throw new Error(`JWKS fetch returned HTTP ${response.status}`);
+        }
+        const body = await response.text();
+        const parsed = JSON.parse(body);
+        const keys = Array.isArray(parsed.keys) ? parsed.keys : [];
+        const byKid = /* @__PURE__ */ new Map();
+        for (const k of keys) {
+          if (!k || typeof k !== "object" || Array.isArray(k))
+            continue;
+          const obj = k;
+          if (typeof obj["kid"] === "string" && typeof obj["n"] === "string" && typeof obj["e"] === "string" && typeof obj["kty"] === "string") {
+            byKid.set(obj["kid"], {
+              kid: obj["kid"],
+              n: obj["n"],
+              e: obj["e"],
+              kty: obj["kty"],
+              ...typeof obj["alg"] === "string" && { alg: obj["alg"] },
+              ...typeof obj["use"] === "string" && { use: obj["use"] }
+            });
+          }
+        }
+        const entry = {
+          byKid,
+          expiresAt: now() + ttlMs,
+          passThrough: false
+        };
+        map.set(jwksUrl, entry);
+        return entry;
+      } catch (err) {
+        logger.warn(
+          `JWKS unreachable at ${jwksUrl}: ${err instanceof Error ? err.message : String(err)}. JWT validation will allow all tokens \u2014 local dev fallback. Configure network access to the JWKS URL to enable real signature verification.`
+        );
+        const entry = {
+          byKid: /* @__PURE__ */ new Map(),
+          expiresAt: now() + failureTtlMs,
+          passThrough: true
+        };
+        map.set(jwksUrl, entry);
+        return entry;
+      }
+    },
+    peek(jwksUrl) {
+      return map.get(jwksUrl);
+    },
+    clear() {
+      map.clear();
+    }
+  };
+}
+function buildCognitoJwksUrl(region, userPoolId) {
+  return `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
+}
+function buildJwksUrlFromIssuer(issuer) {
+  const stripped = issuer.replace(/\/+$/, "");
+  return `${stripped}/.well-known/jwks.json`;
+}
+async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts = {}) {
+  const now = opts.now ?? (() => Date.now());
+  const token = extractBearer(authorizationHeader);
+  if (!token) {
+    return { allow: false, identityHash: void 0, ttlSeconds: 0 };
+  }
+  const jwksUrl = buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId);
+  const expectedIssuer = `https://cognito-idp.${authorizer.region}.amazonaws.com/${authorizer.userPoolId}`;
+  return verifyAndShape(token, jwksUrl, expectedIssuer, void 0, jwksCache, opts.warned, now);
+}
+async function verifyJwtAuthorizer(authorizer, authorizationHeader, jwksCache, opts = {}) {
+  const now = opts.now ?? (() => Date.now());
+  const token = extractBearer(authorizationHeader);
+  if (!token) {
+    return { allow: false, identityHash: void 0, ttlSeconds: 0 };
+  }
+  const jwksUrl = authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer);
+  return verifyAndShape(
+    token,
+    jwksUrl,
+    authorizer.issuer.replace(/\/+$/, ""),
+    authorizer.audience,
+    jwksCache,
+    opts.warned,
+    now
+  );
+}
+async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, jwksCache, warned, now) {
+  const identityHash = buildIdentityHash([token]);
+  const jwks = await jwksCache.fetchAndCache(jwksUrl);
+  if (jwks.passThrough) {
+    if (warned && !warned.has(jwksUrl)) {
+      warned.add(jwksUrl);
+      getLogger().child("cognito-jwt").warn(
+        `JWKS pass-through mode for ${jwksUrl}: token accepted without signature verification.`
+      );
+    }
+    const parsed2 = parseJwt(token);
+    if (parsed2) {
+      return shapeAllowResult(parsed2, identityHash, now);
+    }
+    return {
+      allow: true,
+      principalId: "unknown",
+      context: {},
+      identityHash,
+      ttlSeconds: 0
+    };
+  }
+  const parsed = parseJwt(token);
+  if (!parsed) {
+    return { allow: false, identityHash, ttlSeconds: 0 };
+  }
+  const kid = parsed.header["kid"];
+  if (typeof kid !== "string") {
+    return { allow: false, identityHash, ttlSeconds: 0 };
+  }
+  const key = jwks.byKid.get(kid);
+  if (!key) {
+    return { allow: false, identityHash, ttlSeconds: 0 };
+  }
+  if (!verifyRs256(token, key)) {
+    return { allow: false, identityHash, ttlSeconds: 0 };
+  }
+  const claims = parsed.payload;
+  if (typeof claims["exp"] !== "number" || claims["exp"] * 1e3 <= now()) {
+    return { allow: false, identityHash, ttlSeconds: 0 };
+  }
+  if (typeof claims["iss"] !== "string" || claims["iss"].replace(/\/+$/, "") !== expectedIssuer) {
+    return { allow: false, identityHash, ttlSeconds: 0 };
+  }
+  if (expectedAudience && expectedAudience.length > 0) {
+    const aud = claims["aud"];
+    const clientId = claims["client_id"];
+    const audValues = Array.isArray(aud) ? aud : aud !== void 0 ? [aud] : [];
+    const matches = audValues.some((v) => typeof v === "string" && expectedAudience.includes(v)) || typeof clientId === "string" && expectedAudience.includes(clientId);
+    if (!matches) {
+      return { allow: false, identityHash, ttlSeconds: 0 };
+    }
+  }
+  return shapeAllowResult(parsed, identityHash, now);
+}
+function shapeAllowResult(parsed, identityHash, now) {
+  const claims = parsed.payload;
+  const principalId = pickStringClaim(claims, "sub") ?? pickStringClaim(claims, "cognito:username") ?? pickStringClaim(claims, "username") ?? "unknown";
+  const expMs = typeof claims["exp"] === "number" ? claims["exp"] * 1e3 : 0;
+  const remainingSeconds = Math.max(0, Math.floor((expMs - now()) / 1e3));
+  const ttlSeconds = Math.min(300, remainingSeconds);
+  return {
+    allow: true,
+    principalId,
+    context: claims,
+    identityHash,
+    ttlSeconds
+  };
+}
+function pickStringClaim(claims, key) {
+  const v = claims[key];
+  return typeof v === "string" ? v : void 0;
+}
+function extractBearer(header) {
+  if (!header)
+    return void 0;
+  const m = /^\s*Bearer\s+(.+)\s*$/i.exec(header);
+  if (!m)
+    return void 0;
+  return m[1].trim();
+}
+function parseJwt(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3)
+    return void 0;
+  try {
+    const headerJson = base64UrlDecodeToString(parts[0]);
+    const payloadJson = base64UrlDecodeToString(parts[1]);
+    const header = JSON.parse(headerJson);
+    const payload = JSON.parse(payloadJson);
+    return {
+      header,
+      payload,
+      signingInput: `${parts[0]}.${parts[1]}`,
+      signatureB64: parts[2]
+    };
+  } catch {
+    return void 0;
+  }
+}
+function verifyRs256(token, key) {
+  const parts = token.split(".");
+  if (parts.length !== 3)
+    return false;
+  const signingInput = `${parts[0]}.${parts[1]}`;
+  const signature = base64UrlDecodeToBuffer(parts[2]);
+  try {
+    const publicKey = createPublicKey({
+      key: { kty: key.kty, n: key.n, e: key.e },
+      format: "jwk"
+    });
+    const verifier = createVerify("RSA-SHA256");
+    verifier.update(signingInput);
+    verifier.end();
+    return verifier.verify(publicKey, signature);
+  } catch {
+    return false;
+  }
+}
+function base64UrlDecodeToString(input) {
+  return base64UrlDecodeToBuffer(input).toString("utf-8");
+}
+function base64UrlDecodeToBuffer(input) {
+  const padded = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = padded.length % 4 === 0 ? "" : "=".repeat(4 - padded.length % 4);
+  return Buffer.from(padded + padding, "base64");
+}
+
 // src/local/http-server.ts
 async function startApiServer(opts) {
   const logger = getLogger().child("start-api");
@@ -72195,11 +73046,16 @@ async function handleRequest(req, res, opts) {
   const rawUrl = req.url ?? "/";
   const method = (req.method ?? "GET").toUpperCase();
   const requestPath = rawUrl.split("?")[0] ?? "/";
-  const match = matchRoute(method, requestPath, opts.routes);
+  const flatRoutes = opts.routes.map((r) => r.route);
+  const match = matchRoute(method, requestPath, flatRoutes);
   if (!match) {
     writeError(res, 404, '{"message":"Not Found"}');
     return;
   }
+  const matchedEntry = opts.routes.find(
+    (r) => r.route.declaredAt === match.route.declaredAt && r.route.method === match.route.method
+  );
+  const authorizer = matchedEntry?.authorizer;
   const snapshot = {
     method,
     rawUrl,
@@ -72212,7 +73068,35 @@ async function handleRequest(req, res, opts) {
     pathParameters: match.pathParameters,
     matchedPath: requestPath
   };
-  const event = match.route.apiVersion === "v1" ? buildRestV1Event(snapshot, matchCtx) : buildHttpApiV2Event(snapshot, matchCtx);
+  let baseEvent = match.route.apiVersion === "v1" ? buildRestV1Event(snapshot, matchCtx) : buildHttpApiV2Event(snapshot, matchCtx);
+  let authResult;
+  if (authorizer) {
+    let outcome;
+    try {
+      outcome = await runAuthorizerPass(
+        authorizer,
+        snapshot,
+        matchCtx,
+        opts,
+        baseEvent["requestContext"]
+      );
+    } catch (err) {
+      logger.error(
+        `Authorizer ${authorizer.logicalId} threw for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`
+      );
+      writeAuthRejection(res, match.route.apiVersion, "policy-deny");
+      return;
+    }
+    if (!outcome.result.allow) {
+      writeAuthRejection(res, match.route.apiVersion, outcome.denyKind ?? "policy-deny");
+      return;
+    }
+    authResult = outcome.result;
+    const overlay = buildOverlay(authorizer, authResult);
+    if (overlay) {
+      baseEvent = applyAuthorizerOverlay(baseEvent, overlay);
+    }
+  }
   let handle;
   try {
     handle = await opts.pool.acquire(match.route.lambdaLogicalId);
@@ -72227,7 +73111,7 @@ async function handleRequest(req, res, opts) {
     const invokeResult = await invokeRie(
       handle.containerHost,
       handle.hostPort,
-      event,
+      baseEvent,
       opts.rieTimeoutMs
     );
     const translated = translateLambdaResponse(invokeResult.payload, match.route.apiVersion);
@@ -72252,6 +73136,227 @@ async function handleRequest(req, res, opts) {
     opts.pool.release(handle);
   }
 }
+async function runAuthorizerPass(authorizer, snapshot, matchCtx, opts, requestContextV2) {
+  const headers = lowercaseSingularHeaders(snapshot.headers);
+  const queryStringParameters = parseQueryStringSingular(snapshot.rawUrl);
+  const sourceIp = pickSourceIp(matchCtx.route.apiVersion, requestContextV2, snapshot);
+  const reqSnap = {
+    method: snapshot.method.toUpperCase(),
+    headers,
+    queryStringParameters,
+    pathParameters: matchCtx.pathParameters,
+    sourceIp,
+    matchedPath: matchCtx.matchedPath,
+    stage: matchCtx.route.stage
+  };
+  const methodArn = buildMethodArn({
+    apiId: "local",
+    accountId: "123456789012",
+    stage: matchCtx.route.stage,
+    method: snapshot.method,
+    path: matchCtx.matchedPath
+  });
+  const cache2 = opts.authorizerCache;
+  if (authorizer.kind === "lambda-token") {
+    const token = headers[authorizer.tokenHeader];
+    if (!token) {
+      return { result: { allow: false }, denyKind: "missing-identity" };
+    }
+    if (cache2) {
+      const cached = cache2.get(authorizer.logicalId, hashOne(token));
+      if (cached) {
+        if (cached.policy !== void 0) {
+          return shapeOutcome(evaluateCachedLambdaPolicy(cached, methodArn));
+        }
+        return shapeOutcome(cached);
+      }
+    }
+    const result2 = await invokeTokenAuthorizer(authorizer, reqSnap, {
+      pool: opts.pool,
+      rieTimeoutMs: opts.rieTimeoutMs,
+      methodArn,
+      mockAccountId: "123456789012",
+      mockApiId: "local"
+    });
+    if (cache2 && result2.identityHash !== void 0) {
+      cache2.set(
+        authorizer.logicalId,
+        result2.identityHash,
+        authorizer.resultTtlSeconds,
+        stripHash(result2)
+      );
+    }
+    return shapeOutcome(stripHash(result2));
+  }
+  if (authorizer.kind === "lambda-request") {
+    const { identityHash, missing } = computeRequestIdentityHash(authorizer, reqSnap);
+    if (missing) {
+      return { result: { allow: false }, denyKind: "missing-identity" };
+    }
+    if (cache2 && authorizer.resultTtlSeconds > 0) {
+      const cached = cache2.get(authorizer.logicalId, identityHash);
+      if (cached) {
+        if (cached.policy !== void 0) {
+          return shapeOutcome(evaluateCachedLambdaPolicy(cached, methodArn));
+        }
+        return shapeOutcome(cached);
+      }
+    }
+    const result2 = await invokeRequestAuthorizer(authorizer, reqSnap, {
+      pool: opts.pool,
+      rieTimeoutMs: opts.rieTimeoutMs,
+      methodArn,
+      mockAccountId: "123456789012",
+      mockApiId: "local"
+    });
+    if (cache2 && result2.identityHash !== void 0 && authorizer.resultTtlSeconds > 0) {
+      cache2.set(
+        authorizer.logicalId,
+        result2.identityHash,
+        authorizer.resultTtlSeconds,
+        stripHash(result2)
+      );
+    }
+    return shapeOutcome(stripHash(result2));
+  }
+  if (!opts.jwksCache) {
+    return { result: { allow: false }, denyKind: "policy-deny" };
+  }
+  const authHeader = headers["authorization"];
+  const jwksOpts = { ...opts.jwksWarnedUrls && { warned: opts.jwksWarnedUrls } };
+  if (authorizer.kind === "cognito") {
+    if (cache2 && authHeader !== void 0) {
+      const cached = cache2.get(authorizer.logicalId, hashOne(authHeader));
+      if (cached)
+        return shapeOutcome(cached);
+    }
+    const result2 = await verifyCognitoJwt(authorizer, authHeader, opts.jwksCache, jwksOpts);
+    if (cache2 && result2.identityHash !== void 0 && result2.ttlSeconds > 0) {
+      cache2.set(
+        authorizer.logicalId,
+        result2.identityHash,
+        result2.ttlSeconds,
+        stripHashAndTtl(result2)
+      );
+    }
+    if (!result2.allow && authHeader === void 0) {
+      return { result: stripHashAndTtl(result2), denyKind: "missing-identity" };
+    }
+    return shapeOutcome(stripHashAndTtl(result2));
+  }
+  if (cache2 && authHeader !== void 0) {
+    const cached = cache2.get(authorizer.logicalId, hashOne(authHeader));
+    if (cached)
+      return shapeOutcome(cached);
+  }
+  const result = await verifyJwtAuthorizer(authorizer, authHeader, opts.jwksCache, jwksOpts);
+  if (cache2 && result.identityHash !== void 0 && result.ttlSeconds > 0) {
+    cache2.set(
+      authorizer.logicalId,
+      result.identityHash,
+      result.ttlSeconds,
+      stripHashAndTtl(result)
+    );
+  }
+  if (!result.allow && authHeader === void 0) {
+    return { result: stripHashAndTtl(result), denyKind: "missing-identity" };
+  }
+  return shapeOutcome(stripHashAndTtl(result));
+}
+function shapeOutcome(result) {
+  if (result.allow)
+    return { result };
+  return { result, denyKind: "policy-deny" };
+}
+function pickSourceIp(apiVersion, requestContext, snapshot) {
+  if (apiVersion === "v1") {
+    const identity = requestContext["identity"];
+    if (identity && typeof identity === "object" && !Array.isArray(identity) && typeof identity["sourceIp"] === "string") {
+      return identity["sourceIp"];
+    }
+  } else {
+    const http = requestContext["http"];
+    if (http && typeof http === "object" && !Array.isArray(http) && typeof http["sourceIp"] === "string") {
+      return http["sourceIp"];
+    }
+  }
+  return snapshot.sourceIp ?? "127.0.0.1";
+}
+function buildOverlay(authorizer, result) {
+  if (authorizer.kind === "lambda-token" || authorizer.kind === "lambda-request") {
+    const isV2 = authorizer.kind === "lambda-request" && authorizer.apiVersion === "v2";
+    return isV2 ? {
+      kind: "lambda-http-v2",
+      ...result.principalId !== void 0 && { principalId: result.principalId },
+      ...result.context && { context: result.context }
+    } : {
+      kind: "lambda-rest-v1",
+      ...result.principalId !== void 0 && { principalId: result.principalId },
+      ...result.context && { context: result.context }
+    };
+  }
+  if (authorizer.kind === "cognito") {
+    return { kind: "cognito-rest-v1", claims: result.context ?? {} };
+  }
+  return { kind: "jwt-http-v2", claims: result.context ?? {} };
+}
+function writeAuthRejection(res, apiVersion, denyKind) {
+  if (apiVersion === "v2") {
+    writeError(res, 401, '{"message":"Unauthorized"}');
+    return;
+  }
+  if (denyKind === "missing-identity") {
+    writeError(res, 401, '{"message":"Unauthorized"}');
+    return;
+  }
+  writeError(res, 403, '{"message":"Forbidden"}');
+}
+function hashOne(value) {
+  return value;
+}
+function stripHash(r) {
+  const { identityHash, ...rest } = r;
+  return rest;
+}
+function stripHashAndTtl(r) {
+  const { identityHash, ttlSeconds, ...rest } = r;
+  return rest;
+}
+function lowercaseSingularHeaders(raw) {
+  const out = {};
+  for (const [name, values] of Object.entries(raw)) {
+    out[name.toLowerCase()] = values.join(",");
+  }
+  return out;
+}
+function parseQueryStringSingular(rawUrl) {
+  const q = rawUrl.indexOf("?");
+  if (q < 0)
+    return {};
+  const raw = rawUrl.slice(q + 1);
+  if (raw.length === 0)
+    return {};
+  const out = {};
+  for (const pair of raw.split("&")) {
+    if (pair.length === 0)
+      continue;
+    const eq = pair.indexOf("=");
+    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
+    const rawValue = eq === -1 ? "" : pair.slice(eq + 1);
+    let key = rawKey;
+    let value = rawValue;
+    try {
+      key = decodeURIComponent(rawKey);
+    } catch {
+    }
+    try {
+      value = decodeURIComponent(rawValue);
+    } catch {
+    }
+    out[key] = value;
+  }
+  return out;
+}
 function readBody(req) {
   return new Promise((resolveBody, rejectBody) => {
     const chunks = [];
@@ -72280,6 +73385,46 @@ function writeError(res, statusCode, body = '{"message":"Internal server error"}
   res.end(body);
 }
 
+// src/local/authorizer-cache.ts
+function createAuthorizerCache(opts = {}) {
+  const now = opts.now ?? (() => Date.now());
+  const map = /* @__PURE__ */ new Map();
+  const buildKey = (auth, identity) => `${auth}\0${identity}`;
+  const sweep = () => {
+    const t = now();
+    for (const [k, v] of map) {
+      if (v.expiresAt <= t)
+        map.delete(k);
+    }
+  };
+  return {
+    get(authorizerLogicalId, identityHash) {
+      const key = buildKey(authorizerLogicalId, identityHash);
+      const entry = map.get(key);
+      if (!entry)
+        return void 0;
+      if (entry.expiresAt <= now()) {
+        map.delete(key);
+        return void 0;
+      }
+      return entry.result;
+    },
+    set(authorizerLogicalId, identityHash, ttlSeconds, result) {
+      if (ttlSeconds <= 0)
+        return;
+      const key = buildKey(authorizerLogicalId, identityHash);
+      map.set(key, { expiresAt: now() + ttlSeconds * 1e3, result });
+    },
+    clear() {
+      map.clear();
+    },
+    size() {
+      sweep();
+      return map.size;
+    }
+  };
+}
+
 // src/cli/commands/local-start-api.ts
 async function localStartApiCommand(options) {
   const logger = getLogger();
@@ -72314,7 +73459,8 @@ async function localStartApiCommand(options) {
       "No supported API routes were discovered. cdkd local start-api supports AWS::ApiGateway::* (REST v1), AWS::ApiGatewayV2::* (HTTP), and AWS::Lambda::Url (Function URL) with AWS_PROXY integrations only."
     );
   }
-  const lambdaIds = uniqueLambdaIds(routes);
+  const routesWithAuth = attachAuthorizers(targetStacks, routes);
+  const lambdaIds = uniqueLambdaIds(routes, routesWithAuth);
   const overrides = readEnvOverridesFile(options.envVars);
   const debugPortBase = options.debugPortBase ? parseDebugPort(options.debugPortBase) : void 0;
   const specs = /* @__PURE__ */ new Map();
@@ -72368,12 +73514,20 @@ async function localStartApiCommand(options) {
   if (!Number.isFinite(port) || port < 0 || port > 65535) {
     throw new Error(`--port must be 0..65535 (got ${options.port}).`);
   }
+  const authorizerCache = createAuthorizerCache();
+  const jwksCache = createJwksCache();
+  const jwksWarnedUrls = /* @__PURE__ */ new Set();
+  await prewarmJwks(routesWithAuth, jwksCache);
+  warnVpcConfigLambdas(routesWithAuth, targetStacks);
   const server = await startApiServer({
-    routes,
+    routes: routesWithAuth,
     pool,
     rieTimeoutMs,
     host: options.host,
-    port
+    port,
+    authorizerCache,
+    jwksCache,
+    jwksWarnedUrls
   });
   printRouteTable(routes);
   logger.info(
@@ -72450,7 +73604,7 @@ function pickTargetStacks(stacks, pattern) {
     `Multi-stack app: pass --stack <name> to pick a target. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
   );
 }
-function uniqueLambdaIds(routes) {
+function uniqueLambdaIds(routes, routesWithAuth) {
   const seen = /* @__PURE__ */ new Set();
   const out = [];
   for (const r of routes) {
@@ -72459,8 +73613,67 @@ function uniqueLambdaIds(routes) {
       out.push(r.lambdaLogicalId);
     }
   }
+  for (const entry of routesWithAuth) {
+    const auth = entry.authorizer;
+    if (!auth)
+      continue;
+    if (auth.kind === "lambda-token" || auth.kind === "lambda-request") {
+      if (!seen.has(auth.lambdaLogicalId)) {
+        seen.add(auth.lambdaLogicalId);
+        out.push(auth.lambdaLogicalId);
+      }
+    }
+  }
   return out;
 }
+async function prewarmJwks(routesWithAuth, jwksCache) {
+  const urls = /* @__PURE__ */ new Set();
+  for (const entry of routesWithAuth) {
+    const auth = entry.authorizer;
+    if (!auth)
+      continue;
+    if (auth.kind === "cognito") {
+      urls.add(buildCognitoJwksUrl(auth.region, auth.userPoolId));
+    } else if (auth.kind === "jwt") {
+      const url = auth.region && auth.userPoolId ? buildCognitoJwksUrl(auth.region, auth.userPoolId) : buildJwksUrlFromIssuer(auth.issuer);
+      urls.add(url);
+    }
+  }
+  await Promise.all([...urls].map((u) => jwksCache.fetchAndCache(u)));
+}
+function warnVpcConfigLambdas(routesWithAuth, stacks) {
+  const logger = getLogger();
+  const seen = /* @__PURE__ */ new Set();
+  const reachable = [];
+  for (const entry of routesWithAuth) {
+    if (!seen.has(entry.route.lambdaLogicalId)) {
+      seen.add(entry.route.lambdaLogicalId);
+      reachable.push(entry.route.lambdaLogicalId);
+    }
+    const auth = entry.authorizer;
+    if (auth && (auth.kind === "lambda-token" || auth.kind === "lambda-request")) {
+      if (!seen.has(auth.lambdaLogicalId)) {
+        seen.add(auth.lambdaLogicalId);
+        reachable.push(auth.lambdaLogicalId);
+      }
+    }
+  }
+  for (const logicalId of reachable) {
+    for (const stack of stacks) {
+      const resource = stack.template.Resources?.[logicalId];
+      if (!resource || resource.Type !== "AWS::Lambda::Function")
+        continue;
+      const props = resource.Properties ?? {};
+      const vpcConfig = props["VpcConfig"];
+      if (vpcConfig && typeof vpcConfig === "object" && Object.keys(vpcConfig).length > 0) {
+        logger.warn(
+          `Lambda ${logicalId} has VpcConfig \u2014 local container will reach external services via the host's network, NOT through the deployed VPC's NAT/private subnets. Calls to private RDS/ElastiCache will fail. See docs/cli-reference.md (cdkd local start-api \u2014 Limitations) for details.`
+        );
+      }
+      break;
+    }
+  }
+}
 async function buildContainerSpec(args) {
   const {
     logicalId,
@@ -72701,7 +73914,7 @@ function parseDebugPort(raw) {
 }
 function createLocalStartApiCommand() {
   const startApi = new Command14("start-api").description(
-    "Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required)."
+    "Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers and Cognito User Pool / HTTP v2 JWT authorizers; when JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line \u2014 local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail."
   ).addOption(
     new Option7("--port <port>", "HTTP server port (default: auto-allocate)").default("0")
   ).addOption(new Option7("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option7("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(
@@ -73256,7 +74469,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command16();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.72.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.73.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());