@go-to-k/cdkd 0.73.0 → 0.74.0

package/README.md

@@ -634,6 +634,19 @@ cdkd local invoke MyStack/Handler --debug-port 9229
 cdkd local invoke MyStack/Handler --from-state
 ```
 
+**Lambda Layers (PR 6 of #224, issue #232)** — same-stack
+`AWS::Lambda::LayerVersion` references in `Properties.Layers` are
+resolved automatically and bind-mounted at `/opt` (read-only) inside
+the container. Each layer's unzipped asset directory under `cdk.out/`
+becomes one `-v <layerAssetPath>:/opt:ro` mount; multiple layers
+stack via Docker overlay layering, and AWS's "last layer wins on
+file collision" rule is preserved by keeping the template's input
+order. Cross-stack / cross-account / cross-region layer ARNs (literal
+ARN strings in `Properties.Layers`) are out of scope for v1 — cdkd
+hard-errors with a clear pointer at the offending entry. Container
+Lambdas (`Code.ImageUri`) silently ignore `Layers` (matches AWS:
+container images bake layers at build time).
+
 See [docs/cli-reference.md](docs/cli-reference.md#local-invoke-run-lambda-functions-locally)
 for the full surface, target-resolution rules, and v1 scope notes.
 

package/dist/cli.js

@@ -70034,7 +70034,7 @@ async function captureObservedForImportedResources(stackState, providerRegistry,
 }
 
 // src/cli/commands/local-invoke.ts
-import { mkdtempSync as mkdtempSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync7, rmSync as rmSync3, writeFileSync as writeFileSync6 } from "node:fs";
+import { cpSync as cpSync2, mkdtempSync as mkdtempSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync7, rmSync as rmSync3, writeFileSync as writeFileSync6 } from "node:fs";
 import { tmpdir as tmpdir3 } from "node:os";
 import { dirname as dirname3 } from "node:path";
 import * as path2 from "node:path";
@@ -70169,6 +70169,7 @@ function extractLambdaProperties(stack, logicalId, resource) {
   if (!inlineCode) {
     codePath = resolveAssetCodePath(stack, logicalId, resource);
   }
+  const layers = resolveLambdaLayers(stack, logicalId, props);
   return {
     kind: "zip",
     stack,
@@ -70179,6 +70180,7 @@ function extractLambdaProperties(stack, logicalId, resource) {
     memoryMb,
     timeoutSec,
     codePath,
+    layers,
     ...inlineCode !== void 0 && { inlineCode }
   };
 }
@@ -70235,7 +70237,8 @@ function extractImageLambdaProperties(args) {
     timeoutSec,
     imageUri,
     imageConfig,
-    architecture
+    architecture,
+    layers: []
   };
 }
 function resolveAssetCodePath(stack, logicalId, resource) {
@@ -70255,6 +70258,72 @@ function resolveAssetCodePath(stack, logicalId, resource) {
   }
   return abs;
 }
+function resolveLambdaLayers(stack, logicalId, props) {
+  const layers = props["Layers"];
+  if (layers === void 0)
+    return [];
+  if (!Array.isArray(layers)) {
+    throw new LocalInvokeResolutionError(
+      `Lambda '${logicalId}' has a non-array Layers property. Expected an array of LayerVersion references.`
+    );
+  }
+  if (layers.length === 0)
+    return [];
+  const resources = stack.template.Resources ?? {};
+  const out = [];
+  for (let i = 0; i < layers.length; i++) {
+    const entry = layers[i];
+    const layerLogicalId = pickLayerLogicalId(entry);
+    if (!layerLogicalId) {
+      throw new LocalInvokeResolutionError(
+        `Lambda '${logicalId}' has a Layers entry [${i}] cdkd cannot resolve locally: ${describeLayerEntry(entry)}. Only same-stack Ref / Fn::GetAtt to an AWS::Lambda::LayerVersion are supported in v1; cross-account / cross-region / pre-existing-ARN layers are deferred to a follow-up PR.`
+      );
+    }
+    const layerResource = resources[layerLogicalId];
+    if (!layerResource) {
+      throw new LocalInvokeResolutionError(
+        `Lambda '${logicalId}' Layers entry [${i}] references '${layerLogicalId}', but no resource with that logical ID exists in stack '${stack.stackName}'.`
+      );
+    }
+    if (layerResource.Type !== "AWS::Lambda::LayerVersion") {
+      throw new LocalInvokeResolutionError(
+        `Lambda '${logicalId}' Layers entry [${i}] references '${layerLogicalId}' (${layerResource.Type}), which is not an AWS::Lambda::LayerVersion.`
+      );
+    }
+    const assetPath = resolveAssetCodePath(stack, layerLogicalId, layerResource);
+    out.push({ logicalId: layerLogicalId, assetPath });
+  }
+  return out;
+}
+function pickLayerLogicalId(entry) {
+  if (entry === null || typeof entry !== "object" || Array.isArray(entry))
+    return void 0;
+  const obj = entry;
+  if (typeof obj["Ref"] === "string")
+    return obj["Ref"];
+  if ("Fn::GetAtt" in obj) {
+    const arg = obj["Fn::GetAtt"];
+    if (Array.isArray(arg) && typeof arg[0] === "string")
+      return arg[0];
+    if (typeof arg === "string")
+      return arg.split(".")[0];
+  }
+  return void 0;
+}
+function describeLayerEntry(entry) {
+  if (typeof entry === "string")
+    return `literal ARN '${entry}'`;
+  if (entry === null)
+    return "null";
+  if (typeof entry !== "object")
+    return String(entry);
+  try {
+    const json = JSON.stringify(entry);
+    return json.length > 120 ? json.substring(0, 117) + "..." : json;
+  } catch {
+    return Object.prototype.toString.call(entry);
+  }
+}
 function notFoundError(target, stack, resources) {
   const lambdas = [];
   for (const [logicalId, resource] of Object.entries(resources)) {
@@ -70578,6 +70647,12 @@ async function runDetached(opts) {
     const ro = mount.readOnly ? ":ro" : "";
     args.push("-v", `${mount.hostPath}:${mount.containerPath}${ro}`);
   }
+  if (opts.extraMounts) {
+    for (const mount of opts.extraMounts) {
+      const ro = mount.readOnly ? ":ro" : "";
+      args.push("-v", `${mount.hostPath}:${mount.containerPath}${ro}`);
+    }
+  }
   for (const [k, v] of Object.entries(opts.env)) {
     args.push("-e", `${k}=${v}`);
   }
@@ -71089,7 +71164,7 @@ function extractHashFromImageUri(imageUri) {
 init_aws_clients();
 
 // src/cli/commands/local-start-api.ts
-import { mkdirSync as mkdirSync2, mkdtempSync as mkdtempSync2, readFileSync as readFileSync6, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "node:fs";
+import { cpSync, mkdirSync as mkdirSync2, mkdtempSync as mkdtempSync2, readFileSync as readFileSync6, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "node:fs";
 import { tmpdir as tmpdir2 } from "node:os";
 import * as path from "node:path";
 import { Command as Command14, Option as Option7 } from "commander";
@@ -71480,9 +71555,11 @@ function createContainerPool(specs, options) {
     logger.debug(
       `Starting container ${name} for ${spec.lambda.logicalId} on ${spec.containerHost}:${hostPort}`
     );
+    const optMount = spec.optDir ? [{ hostPath: spec.optDir, containerPath: "/opt", readOnly: true }] : [];
     const containerId = await runDetached({
       image,
       mounts: [{ hostPath: spec.codeDir, containerPath: "/var/task", readOnly: true }],
+      extraMounts: optMount,
       env: spec.env,
       cmd: [spec.lambda.handler],
       hostPort,
@@ -73465,6 +73542,7 @@ async function localStartApiCommand(options) {
   const debugPortBase = options.debugPortBase ? parseDebugPort(options.debugPortBase) : void 0;
   const specs = /* @__PURE__ */ new Map();
   const inlineTmpDirs = /* @__PURE__ */ new Set();
+  const layerTmpDirs = /* @__PURE__ */ new Set();
   for (let i = 0; i < lambdaIds.length; i++) {
     const logicalId = lambdaIds[i];
     const spec = await buildContainerSpec({
@@ -73475,7 +73553,8 @@ async function localStartApiCommand(options) {
       containerHost: options.containerHost,
       ...debugPortBase !== void 0 && { debugPort: debugPortBase + i },
       stsRegion: options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"],
-      inlineTmpDirs
+      inlineTmpDirs,
+      layerTmpDirs
     });
     specs.set(logicalId, spec);
   }
@@ -73570,6 +73649,15 @@ async function localStartApiCommand(options) {
         );
       }
     }
+    for (const dir of layerTmpDirs) {
+      try {
+        rmSync2(dir, { recursive: true, force: true });
+      } catch (err) {
+        logger.warn(
+          `Failed to remove merged-layers tmpdir ${dir}: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
     process.exit(exitCode);
   };
   process.on("SIGINT", () => {
@@ -73683,7 +73771,8 @@ async function buildContainerSpec(args) {
     containerHost,
     debugPort,
     stsRegion,
-    inlineTmpDirs
+    inlineTmpDirs,
+    layerTmpDirs
   } = args;
   const lambda = resolveLambdaByLogicalId(logicalId, stacks);
   const codeDir = lambda.codePath ?? materializeInlineCode(
@@ -73692,6 +73781,7 @@ async function buildContainerSpec(args) {
     resolveRuntimeFileExtension(lambda.runtime),
     inlineTmpDirs
   );
+  const optDir = materializeLambdaLayers(lambda.layers, layerTmpDirs);
   const templateEnv = getTemplateEnv(lambda.resource);
   const envResult = resolveEnvVars(logicalId, templateEnv, overrides);
   for (const key of envResult.unresolved) {
@@ -73727,10 +73817,23 @@ async function buildContainerSpec(args) {
     codeDir,
     env: dockerEnv,
     containerHost,
+    ...optDir !== void 0 && { optDir },
     ...debugPort !== void 0 && { debugPort }
   };
   return spec;
 }
+function materializeLambdaLayers(layers, layerTmpDirs) {
+  if (layers.length === 0)
+    return void 0;
+  if (layers.length === 1)
+    return layers[0].assetPath;
+  const dir = mkdtempSync2(path.join(tmpdir2(), "cdkd-local-start-api-layers-"));
+  for (const layer of layers) {
+    cpSync(layer.assetPath, dir, { recursive: true, force: true });
+  }
+  layerTmpDirs.add(dir);
+  return dir;
+}
 function resolveLambdaByLogicalId(logicalId, stacks) {
   for (const stack of stacks) {
     const resource = stack.template.Resources?.[logicalId];
@@ -73761,6 +73864,7 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
     if (!inlineCode) {
       codePath = resolveAssetCodePath2(stack, logicalId, resource);
     }
+    const layers = resolveLambdaLayers(stack, logicalId, props);
     return {
       kind: "zip",
       stack,
@@ -73771,6 +73875,7 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
       memoryMb,
       timeoutSec,
       codePath,
+      layers,
       ...inlineCode !== void 0 && { inlineCode }
     };
   }
@@ -73957,123 +74062,170 @@ async function localInvokeCommand(target, options) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
-  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
-  await ensureDockerAvailable();
-  const appCmd = resolveApp(options.app);
-  if (!appCmd) {
-    throw new Error('No CDK app specified. Pass --app, set CDKD_APP, or add "app" to cdk.json.');
-  }
-  logger.info("Synthesizing CDK app...");
-  const synthesizer = new Synthesizer();
-  const context = parseContextOptions(options.context);
-  const synthOpts = {
-    app: appCmd,
-    output: options.output,
-    ...options.region && { region: options.region },
-    ...options.profile && { profile: options.profile },
-    ...Object.keys(context).length > 0 && { context }
-  };
-  const { stacks } = await synthesizer.synthesize(synthOpts);
-  const lambda = resolveLambdaTarget(target, stacks);
-  const targetLabel = lambda.kind === "zip" ? lambda.runtime : "container image";
-  logger.info(`Target: ${lambda.stack.stackName}/${lambda.logicalId} (${targetLabel})`);
-  const imagePlan = await resolveImagePlan(lambda, options);
-  let stateAudit;
-  let templateEnv = getTemplateEnv2(lambda.resource);
-  let stateForRoleHint;
-  if (options.fromState) {
-    const loaded = await loadStateForStack(lambda.stack.stackName, lambda.stack.region, {
-      ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
-      ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
-      statePrefix: options.statePrefix,
-      ...options.region !== void 0 && { region: options.region },
-      ...options.profile !== void 0 && { profile: options.profile }
-    });
-    if (loaded) {
-      stateForRoleHint = loaded.state;
-      const { env, audit } = substituteEnvVarsFromState(templateEnv, loaded.state.resources);
-      templateEnv = env;
-      stateAudit = audit;
-      for (const key of audit.resolvedKeys) {
-        logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
-      }
-      for (const { key, reason } of audit.unresolved) {
-        logger.warn(
-          `--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`
+  let imagePlan;
+  let containerId;
+  let stopLogs;
+  let sigintHandler;
+  const cleanup = async () => {
+    if (stopLogs) {
+      try {
+        stopLogs();
+      } catch (err) {
+        getLogger().debug(
+          `streamLogs stop failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+    if (containerId) {
+      try {
+        await removeContainer(containerId);
+      } catch (err) {
+        getLogger().debug(
+          `removeContainer(${containerId}) failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+    if (imagePlan?.inlineTmpDir) {
+      try {
+        rmSync3(imagePlan.inlineTmpDir, { recursive: true, force: true });
+      } catch (err) {
+        getLogger().debug(
+          `Failed to remove inline-code tmpdir ${imagePlan.inlineTmpDir}: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+    if (imagePlan?.layersTmpDir) {
+      try {
+        rmSync3(imagePlan.layersTmpDir, { recursive: true, force: true });
+      } catch (err) {
+        getLogger().debug(
+          `Failed to remove merged-layers tmpdir ${imagePlan.layersTmpDir}: ${err instanceof Error ? err.message : String(err)}`
         );
       }
     }
-  }
-  const overrides = readEnvOverridesFile2(options.envVars);
-  const envResult = resolveEnvVars(lambda.logicalId, templateEnv, overrides);
-  for (const key of envResult.unresolved) {
-    if (stateAudit && stateAudit.unresolved.some((u) => u.key === key))
-      continue;
-    logger.warn(
-      `Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or pass --from-state to recover deployed values.`
-    );
-  }
-  if (options.fromState && !options.assumeRole && stateForRoleHint) {
-    suggestAssumeRoleFromState(stateForRoleHint, lambda.logicalId);
-  }
-  const event = await readEvent(options);
-  const dockerEnv = {
-    AWS_LAMBDA_FUNCTION_NAME: lambda.logicalId,
-    AWS_LAMBDA_FUNCTION_MEMORY_SIZE: String(lambda.memoryMb),
-    AWS_LAMBDA_FUNCTION_TIMEOUT: String(lambda.timeoutSec),
-    AWS_LAMBDA_FUNCTION_VERSION: "$LATEST",
-    AWS_LAMBDA_LOG_GROUP_NAME: `/aws/lambda/${lambda.logicalId}`,
-    AWS_LAMBDA_LOG_STREAM_NAME: "local",
-    ...envResult.resolved
   };
-  if (options.assumeRole) {
-    const stsRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"];
-    const creds = await assumeLambdaExecutionRole2(options.assumeRole, stsRegion);
-    dockerEnv["AWS_ACCESS_KEY_ID"] = creds.accessKeyId;
-    dockerEnv["AWS_SECRET_ACCESS_KEY"] = creds.secretAccessKey;
-    dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
-    if (stsRegion)
-      dockerEnv["AWS_REGION"] = stsRegion;
-  } else {
-    forwardAwsEnv2(dockerEnv);
-  }
-  let debugPort;
-  if (options.debugPort) {
-    debugPort = Number(options.debugPort);
-    if (!Number.isInteger(debugPort) || debugPort <= 0 || debugPort > 65535) {
-      throw new Error(`--debug-port must be an integer in 1..65535, got '${options.debugPort}'`);
+  try {
+    await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
+    await ensureDockerAvailable();
+    const appCmd = resolveApp(options.app);
+    if (!appCmd) {
+      throw new Error('No CDK app specified. Pass --app, set CDKD_APP, or add "app" to cdk.json.');
     }
-    dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
-    if (lambda.kind === "image") {
+    logger.info("Synthesizing CDK app...");
+    const synthesizer = new Synthesizer();
+    const context = parseContextOptions(options.context);
+    const synthOpts = {
+      app: appCmd,
+      output: options.output,
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile },
+      ...Object.keys(context).length > 0 && { context }
+    };
+    const { stacks } = await synthesizer.synthesize(synthOpts);
+    const lambda = resolveLambdaTarget(target, stacks);
+    const targetLabel = lambda.kind === "zip" ? lambda.runtime : "container image";
+    logger.info(`Target: ${lambda.stack.stackName}/${lambda.logicalId} (${targetLabel})`);
+    imagePlan = await resolveImagePlan(lambda, options);
+    let stateAudit;
+    let templateEnv = getTemplateEnv2(lambda.resource);
+    let stateForRoleHint;
+    if (options.fromState) {
+      const loaded = await loadStateForStack(lambda.stack.stackName, lambda.stack.region, {
+        ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
+        ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+        statePrefix: options.statePrefix,
+        ...options.region !== void 0 && { region: options.region },
+        ...options.profile !== void 0 && { profile: options.profile }
+      });
+      if (loaded) {
+        stateForRoleHint = loaded.state;
+        const { env, audit } = substituteEnvVarsFromState(templateEnv, loaded.state.resources);
+        templateEnv = env;
+        stateAudit = audit;
+        for (const key of audit.resolvedKeys) {
+          logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
+        }
+        for (const { key, reason } of audit.unresolved) {
+          logger.warn(
+            `--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`
+          );
+        }
+      }
+    }
+    const overrides = readEnvOverridesFile2(options.envVars);
+    const envResult = resolveEnvVars(lambda.logicalId, templateEnv, overrides);
+    for (const key of envResult.unresolved) {
+      if (stateAudit && stateAudit.unresolved.some((u) => u.key === key))
+        continue;
       logger.warn(
-        "--debug-port sets NODE_OPTIONS unconditionally on container Lambdas. If the image's runtime is not Node.js, this flag is a no-op."
+        `Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or pass --from-state to recover deployed values.`
       );
     }
-  }
-  const hostPort = await pickFreePort();
-  const containerHost = options.containerHost;
-  logger.info(`Starting container (image=${imagePlan.image}, port=${hostPort})...`);
-  const containerId = await runDetached({
-    image: imagePlan.image,
-    mounts: imagePlan.mounts,
-    env: dockerEnv,
-    cmd: imagePlan.cmd,
-    hostPort,
-    host: containerHost,
-    ...debugPort !== void 0 && { debugPort },
-    ...imagePlan.platform !== void 0 && { platform: imagePlan.platform },
-    ...imagePlan.entryPoint !== void 0 && { entryPoint: imagePlan.entryPoint },
-    ...imagePlan.workingDir !== void 0 && { workingDir: imagePlan.workingDir }
-  });
-  const stopLogs = streamLogs(containerId);
-  const sigintHandler = () => {
-    stopLogs();
-    void removeContainer(containerId).then(() => {
-      process.exit(130);
-    });
-  };
-  process.on("SIGINT", sigintHandler);
-  try {
+    if (options.fromState && !options.assumeRole && stateForRoleHint) {
+      suggestAssumeRoleFromState(stateForRoleHint, lambda.logicalId);
+    }
+    const event = await readEvent(options);
+    const dockerEnv = {
+      AWS_LAMBDA_FUNCTION_NAME: lambda.logicalId,
+      AWS_LAMBDA_FUNCTION_MEMORY_SIZE: String(lambda.memoryMb),
+      AWS_LAMBDA_FUNCTION_TIMEOUT: String(lambda.timeoutSec),
+      AWS_LAMBDA_FUNCTION_VERSION: "$LATEST",
+      AWS_LAMBDA_LOG_GROUP_NAME: `/aws/lambda/${lambda.logicalId}`,
+      AWS_LAMBDA_LOG_STREAM_NAME: "local",
+      ...envResult.resolved
+    };
+    if (options.assumeRole) {
+      const stsRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"];
+      const creds = await assumeLambdaExecutionRole2(options.assumeRole, stsRegion);
+      dockerEnv["AWS_ACCESS_KEY_ID"] = creds.accessKeyId;
+      dockerEnv["AWS_SECRET_ACCESS_KEY"] = creds.secretAccessKey;
+      dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
+      if (stsRegion)
+        dockerEnv["AWS_REGION"] = stsRegion;
+    } else {
+      forwardAwsEnv2(dockerEnv);
+    }
+    let debugPort;
+    if (options.debugPort) {
+      debugPort = Number(options.debugPort);
+      if (!Number.isInteger(debugPort) || debugPort <= 0 || debugPort > 65535) {
+        throw new Error(`--debug-port must be an integer in 1..65535, got '${options.debugPort}'`);
+      }
+      dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
+      if (lambda.kind === "image") {
+        logger.warn(
+          "--debug-port sets NODE_OPTIONS unconditionally on container Lambdas. If the image's runtime is not Node.js, this flag is a no-op."
+        );
+      }
+    }
+    const hostPort = await pickFreePort();
+    const containerHost = options.containerHost;
+    if (lambda.layers.length > 0) {
+      logger.info(
+        `Mounting ${lambda.layers.length} Lambda layer${lambda.layers.length === 1 ? "" : "s"} at /opt`
+      );
+    }
+    logger.info(`Starting container (image=${imagePlan.image}, port=${hostPort})...`);
+    containerId = await runDetached({
+      image: imagePlan.image,
+      mounts: imagePlan.mounts,
+      extraMounts: imagePlan.extraMounts,
+      env: dockerEnv,
+      cmd: imagePlan.cmd,
+      hostPort,
+      host: containerHost,
+      ...debugPort !== void 0 && { debugPort },
+      ...imagePlan.platform !== void 0 && { platform: imagePlan.platform },
+      ...imagePlan.entryPoint !== void 0 && { entryPoint: imagePlan.entryPoint },
+      ...imagePlan.workingDir !== void 0 && { workingDir: imagePlan.workingDir }
+    });
+    stopLogs = streamLogs(containerId);
+    sigintHandler = () => {
+      void cleanup().then(() => {
+        process.exit(130);
+      });
+    };
+    process.on("SIGINT", sigintHandler);
     await waitForRieReady(containerHost, hostPort, 5e3);
     const invokeTimeoutMs = Math.max(3e4, lambda.timeoutSec * 2 * 1e3);
     const result = await invokeRie(containerHost, hostPort, event, invokeTimeoutMs);
@@ -74081,18 +74233,9 @@ async function localInvokeCommand(target, options) {
     process.stdout.write(`${result.raw}
 `);
   } finally {
-    process.off("SIGINT", sigintHandler);
-    stopLogs();
-    await removeContainer(containerId);
-    if (imagePlan.inlineTmpDir) {
-      try {
-        rmSync3(imagePlan.inlineTmpDir, { recursive: true, force: true });
-      } catch (err) {
-        getLogger().debug(
-          `Failed to remove inline-code tmpdir ${imagePlan.inlineTmpDir}: ${err instanceof Error ? err.message : String(err)}`
-        );
-      }
-    }
+    if (sigintHandler)
+      process.off("SIGINT", sigintHandler);
+    await cleanup();
   }
 }
 async function resolveImagePlan(lambda, options) {
@@ -74114,11 +74257,31 @@ async function resolveZipImagePlan(lambda, options) {
   }
   const image = resolveRuntimeImage(lambda.runtime);
   await pullImage(image, options.pull === false);
+  const layerPlan = materializeLambdaLayers2(lambda.layers);
   return {
     image,
     mounts: [{ hostPath: codeDir, containerPath: "/var/task", readOnly: true }],
+    extraMounts: layerPlan.mount ? [layerPlan.mount] : [],
     cmd: [lambda.handler],
-    ...inlineTmpDir !== void 0 && { inlineTmpDir }
+    ...inlineTmpDir !== void 0 && { inlineTmpDir },
+    ...layerPlan.tmpDir !== void 0 && { layersTmpDir: layerPlan.tmpDir }
+  };
+}
+function materializeLambdaLayers2(layers) {
+  if (layers.length === 0)
+    return {};
+  if (layers.length === 1) {
+    return {
+      mount: { hostPath: layers[0].assetPath, containerPath: "/opt", readOnly: true }
+    };
+  }
+  const tmpDir = mkdtempSync3(path2.join(tmpdir3(), "cdkd-local-invoke-layers-"));
+  for (const layer of layers) {
+    cpSync2(layer.assetPath, tmpDir, { recursive: true, force: true });
+  }
+  return {
+    mount: { hostPath: tmpDir, containerPath: "/opt", readOnly: true },
+    tmpDir
   };
 }
 async function resolveContainerImagePlan(lambda, options) {
@@ -74151,6 +74314,7 @@ async function resolveContainerImagePlan(lambda, options) {
   return {
     image: imageRef,
     mounts: [],
+    extraMounts: [],
     cmd: lambda.imageConfig.command ?? [],
     platform,
     ...lambda.imageConfig.entryPoint && lambda.imageConfig.entryPoint.length > 0 && {
@@ -74469,7 +74633,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command16();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.73.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.74.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());