cdk-local 0.11.3 → 0.13.0

package/dist/{local-start-service-Oxi200hs.js → local-start-service-CorTpgvY.js}

@@ -164,15 +164,15 @@ async function applyRoleArnIfSet(opts) {
 /**
 * Base error class for cdk-local
 */
-var CdkdError = class CdkdError extends Error {
+var CdkLocalError = class CdkLocalError extends Error {
 	code;
 	cause;
 	constructor(message, code, cause) {
 		super(message);
 		this.code = code;
 		this.cause = cause;
-		this.name = "CdkdError";
-		Object.setPrototypeOf(this, CdkdError.prototype);
+		this.name = "CdkLocalError";
+		Object.setPrototypeOf(this, CdkLocalError.prototype);
 	}
 };
 /**
@@ -181,12 +181,10 @@ var CdkdError = class CdkdError extends Error {
 * Surfaces the stderr captured from `docker build` so the user can
 * re-run the same command directly to debug Dockerfile syntax errors
 * or missing build context. Used by `src/local/docker-image-builder.ts`
-* (PR 5) for container Lambdas; the parallel `AssetError` covers the
-* `cdkd publish-assets` / `cdkd deploy` build path. Kept distinct from
-* `AssetError` so `cdkl invoke` failures don't show up under the
-* "asset" error class.
+* for container Lambdas. Kept distinct from a generic asset/build error
+* so `cdkl invoke` failures don't show up under an unrelated error class.
 */
-var LocalInvokeBuildError = class LocalInvokeBuildError extends CdkdError {
+var LocalInvokeBuildError = class LocalInvokeBuildError extends CdkLocalError {
 	constructor(message, cause) {
 		super(message, "LOCAL_INVOKE_BUILD_ERROR", cause);
 		this.name = "LocalInvokeBuildError";
@@ -200,14 +198,13 @@ var LocalInvokeBuildError = class LocalInvokeBuildError extends CdkdError {
 * unrecognized `AuthType` (anything other than `'NONE'` / `'AWS_IAM'`),
 * or an unsupported intrinsic function in `IntegrationUri`. (Lambda::Url
 * with `InvokeMode: RESPONSE_STREAM` is a normal route dispatched via
-* the streaming protocol — #467. Lambda::Url with `AuthType: 'AWS_IAM'`
-* is a normal route verified through the SigV4 pipeline — #621.)
+* the streaming protocol. Lambda::Url with `AuthType: 'AWS_IAM'`
+* is a normal route verified through the SigV4 pipeline.)
 *
-* The message names every offending route and points the user at the
-* deferred follow-up PR (8b for authorizers, etc.). Hard-error at
-* discovery so the server never starts in a half-working state.
+* The message names every offending route. Hard-error at discovery so
+* the server never starts in a half-working state.
 */
-var RouteDiscoveryError = class RouteDiscoveryError extends CdkdError {
+var RouteDiscoveryError = class RouteDiscoveryError extends CdkLocalError {
 	constructor(message, cause) {
 		super(message, "ROUTE_DISCOVERY_ERROR", cause);
 		this.name = "RouteDiscoveryError";
@@ -215,13 +212,13 @@ var RouteDiscoveryError = class RouteDiscoveryError extends CdkdError {
 	}
 };
 /**
-* Signals a `cdkl start-service` orchestration failure (Phase 2
-* of #262 — `AWS::ECS::Service` emulator). Distinct from
-* `LocalRunTaskError` because the service runner has its own lifecycle
-* (long-running replica pool, restart-on-exit), so a failure inside it
-* carries different operator semantics than a one-shot task failure.
+* Signals a `cdkl start-service` orchestration failure
+* (`AWS::ECS::Service` emulator). The service runner has its own
+* lifecycle (long-running replica pool, restart-on-exit), so a failure
+* inside it carries different operator semantics than a one-shot task
+* failure.
 */
-var LocalStartServiceError = class LocalStartServiceError extends CdkdError {
+var LocalStartServiceError = class LocalStartServiceError extends CdkLocalError {
 	constructor(message, cause) {
 		super(message, "LOCAL_START_SERVICE_ERROR", cause);
 		this.name = "LocalStartServiceError";
@@ -231,14 +228,14 @@ var LocalStartServiceError = class LocalStartServiceError extends CdkdError {
 /**
 * Check if error is a cdk-local error
 */
-function isCdkdError(error) {
-	return error instanceof CdkdError;
+function isCdkLocalError(error) {
+	return error instanceof CdkLocalError;
 }
 /**
 * Format error for display
 */
 function formatError(error) {
-	if (isCdkdError(error)) {
+	if (isCdkLocalError(error)) {
 		let message = `${error.name}: ${error.message}`;
 		if (error.cause) message += `\nCaused by: ${error.cause.message}`;
 		return message;
@@ -249,20 +246,21 @@ function formatError(error) {
 /**
 * Global error handler
 *
-* Default exit code is 1 (general error). `PartialFailureError`
-* overrides it to 2 so callers can distinguish "command crashed /
-* unauthorized / bad arguments" from "command completed but some
-* resources are still in an error state, re-run to clean up".
+* Default exit code is 1 (general error). A {@link CdkLocalError}
+* subclass may override it by declaring a custom `exitCode` field so
+* callers can distinguish "command crashed / unauthorized / bad
+* arguments" from "command completed but some resources are still in an
+* error state, re-run to clean up".
 *
-* A {@link CdkdError} subclass may set `silent = true` to suppress the
-* default `logger.error` line — used by `cdkd drift` where the command
-* has already printed a richer report and only needs the exit code.
+* A {@link CdkLocalError} subclass may set `silent = true` to suppress
+* the default `logger.error` line — used when the command has already
+* printed a richer report and only needs the exit code.
 */
 function handleError(error) {
 	const logger = getLogger();
-	if (!(error instanceof CdkdError && error.silent)) logger.error(formatError(error));
+	if (!(error instanceof CdkLocalError && error.silent)) logger.error(formatError(error));
 	if (error instanceof Error && error.stack) logger.debug("Stack trace:", error.stack);
-	const customExitCode = error instanceof CdkdError ? error.exitCode : void 0;
+	const customExitCode = error instanceof CdkLocalError ? error.exitCode : void 0;
 	const exitCode = typeof customExitCode === "number" ? customExitCode : 1;
 	process.exit(exitCode);
 }
@@ -413,6 +411,9 @@ function loadCdkJson() {
 		return null;
 	}
 }
+function normalizeGlobList(value) {
+	return (typeof value === "string" ? [value] : Array.isArray(value) ? value : []).filter((entry) => typeof entry === "string" && entry.length > 0);
+}
 /**
 * Resolve the `--app` option from CLI, `CDKL_APP` env var, or `cdk.json`.
 *
@@ -430,6 +431,26 @@ function resolveApp(cliApp) {
 	if (envApp) return envApp;
 	return loadCdkJson()?.app ?? void 0;
 }
+/**
+* Resolve the `cdk.json` `watch` block, mirroring `cdk watch`'s
+* include / exclude semantics for `cdkl start-api --watch` source-tree
+* watching.
+*
+* Defaults when the keys are absent: `include` -> `['**']` (watch the
+* whole app directory), `exclude` -> `[]`. Unlike `cdk watch`, a missing
+* `watch` block is NOT an error — `--watch` still works against the
+* defaults. The caller layers in mandatory excludes (the synth output
+* directory, `node_modules`, `.git`) so re-synth writes never re-trigger
+* a reload and large noise directories are pruned.
+*/
+function resolveWatchConfig() {
+	const watch = loadCdkJson()?.watch;
+	const include = normalizeGlobList(watch?.include);
+	return {
+		include: include.length > 0 ? include : ["**"],
+		exclude: normalizeGlobList(watch?.exclude)
+	};
+}
 
 //#endregion
 //#region src/cli/cdk-path.ts
@@ -1297,6 +1318,12 @@ function resolveImageIntrinsicAny(node, resources, context) {
 		if (resources[logicalId]?.Type !== "AWS::ECR::Repository") return void 0;
 		const cached = context?.stateResources?.[logicalId]?.attributes?.[attr];
 		if (typeof cached === "string" && cached.length > 0) return cached;
+		const physicalId = context?.stateResources?.[logicalId]?.physicalId;
+		const p = context?.pseudoParameters;
+		if (physicalId && p?.region && p.accountId) {
+			if (attr === "Arn" && p.partition) return `arn:${p.partition}:ecr:${p.region}:${p.accountId}:repository/${physicalId}`;
+			if (attr === "RepositoryUri" && p.urlSuffix) return `${p.accountId}.dkr.ecr.${p.region}.${p.urlSuffix}/${physicalId}`;
+		}
 		return;
 	}
 	if (intrinsic === "Fn::Split") {
@@ -5763,6 +5790,99 @@ function createLocalInvokeCommand(opts = {}) {
 	return invoke;
 }
 
+//#endregion
+//#region src/utils/glob-match.ts
+/**
+* Normalize a glob and split it into path-segment tokens. Returns
+* `null` for an empty pattern (callers skip it). A slash-free pattern is
+* prefixed with a `**` token so it matches its basename at any depth.
+*/
+function compilePattern(glob) {
+	const g = glob.replace(/\\/g, "/").replace(/^\.\//, "").replace(/\/+$/, "");
+	if (g === "") return null;
+	if (!g.includes("/")) return ["**", g];
+	return g.split("/");
+}
+/**
+* Linear wildcard match for ONE path segment (no `/`). `*` matches any
+* run of characters, `?` matches exactly one. Classic two-pointer
+* algorithm with single backtrack pointer — O(len(pat) * len(str)),
+* never exponential.
+*/
+function matchSegment(pat, str) {
+	let s = 0;
+	let p = 0;
+	let starP = -1;
+	let starS = 0;
+	while (s < str.length) {
+		const pc = pat[p];
+		if (p < pat.length && (pc === str[s] || pc === "?")) {
+			s++;
+			p++;
+		} else if (pc === "*") {
+			starP = p;
+			starS = s;
+			p++;
+		} else if (starP !== -1) {
+			p = starP + 1;
+			starS++;
+			s = starS;
+		} else return false;
+	}
+	while (pat[p] === "*") p++;
+	return p === pat.length;
+}
+/**
+* Match a compiled pattern's segment tokens against a path's segments. A
+* `**` token matches zero or more path segments; every other token
+* matches exactly one segment via {@link matchSegment}. The pattern
+* matches when it consumes a PREFIX of the path (the contents rule), so
+* a directory pattern also matches everything beneath it. Single
+* backtrack pointer over `**` — O(patSegs * pathSegs), never
+* exponential.
+*/
+function matchSegments(pat, path) {
+	let pi = 0;
+	let si = 0;
+	let starPi = -1;
+	let starSi = 0;
+	while (si < path.length) {
+		if (pi === pat.length) return true;
+		if (pat[pi] === "**") {
+			starPi = pi;
+			starSi = si;
+			pi++;
+		} else if (matchSegment(pat[pi], path[si])) {
+			pi++;
+			si++;
+		} else if (starPi !== -1) {
+			pi = starPi + 1;
+			starSi++;
+			si = starSi;
+		} else return false;
+	}
+	if (pi === pat.length) return true;
+	while (pi < pat.length && pat[pi] === "**") pi++;
+	return pi === pat.length;
+}
+/**
+* Compile a list of globs into a single matcher. The returned predicate
+* is `true` when the (relative, POSIX-normalized) path matches ANY
+* pattern. An empty or all-invalid pattern list yields a matcher that
+* never matches.
+*/
+function createGlobMatcher(patterns) {
+	const compiled = [];
+	for (const p of patterns) {
+		const segs = compilePattern(p);
+		if (segs) compiled.push(segs);
+	}
+	return (relPath) => {
+		const pathSegs = relPath.replace(/\\/g, "/").split("/");
+		return compiled.some((pat) => matchSegments(pat, pathSegs));
+	};
+}
+
 //#endregion
 //#region src/local/intrinsic-lambda-arn.ts
 /**
@@ -14310,7 +14430,8 @@ function createFileWatcher(options) {
 	const watcher = chokidar.watch([...options.paths], {
 		ignoreInitial,
 		followSymlinks: false,
-		ignorePermissionErrors: true
+		ignorePermissionErrors: true,
+		...options.ignored && { ignored: options.ignored }
 	});
 	let timer = null;
 	let closed = false;
@@ -14328,34 +14449,24 @@ function createFileWatcher(options) {
 		}, debounceMs);
 		timer.unref?.();
 	};
-	watcher.on("add", fire);
-	watcher.on("change", fire);
-	watcher.on("unlink", fire);
+	const onEvent = (path) => {
+		if (options.shouldTrigger && !options.shouldTrigger(path)) return;
+		fire();
+	};
+	watcher.on("add", onEvent);
+	watcher.on("change", onEvent);
+	watcher.on("unlink", onEvent);
 	watcher.on("error", (err) => {
 		logger.debug(`chokidar error: ${err instanceof Error ? err.message : String(err)}. Continuing.`);
 	});
-	let currentPaths = new Set(options.paths);
-	return {
-		update: (paths) => {
-			if (closed) return;
-			const next = new Set(paths);
-			const toAdd = [];
-			const toRemove = [];
-			for (const p of next) if (!currentPaths.has(p)) toAdd.push(p);
-			for (const p of currentPaths) if (!next.has(p)) toRemove.push(p);
-			if (toAdd.length > 0) watcher.add(toAdd);
-			if (toRemove.length > 0) watcher.unwatch(toRemove);
-			currentPaths = next;
-		},
-		close: async () => {
-			closed = true;
-			if (timer) {
-				clearTimeout(timer);
-				timer = null;
-			}
-			await watcher.close();
+	return { close: async () => {
+		closed = true;
+		if (timer) {
+			clearTimeout(timer);
+			timer = null;
 		}
-	};
+		await watcher.close();
+	} };
 }
 
 //#endregion
@@ -14429,7 +14540,6 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	const inlineTmpDirs = /* @__PURE__ */ new Set();
 	const layerTmpDirs = /* @__PURE__ */ new Set();
 	let profileCredsFile;
-	const lastAssetPaths = { value: [] };
 	const authorizerCache = createAuthorizerCache();
 	const jwksCache = createJwksCache();
 	const jwksWarnedUrls = /* @__PURE__ */ new Set();
@@ -14558,30 +14668,7 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 		});
 		return pool;
 	};
-	/**
-	* Compute the watched-asset list from a spec map. Pure helper —
-	* keeps the side-effect (`lastAssetPaths.value = ...`) confined to
-	* the post-swap call sites (initial boot + post-reload). For ZIP
-	* Lambdas `codeDir` is either the unzipped asset directory or the
-	* inline-code tmpdir; both are watch-worthy. IMAGE Lambdas
-	* (`kind: 'image'`) don't have a host-side bind-mount source — the
-	* code is baked into the docker image at build time. Their build
-	* context (Dockerfile + source directory) is rebuilt on every
-	* reload via `synthesizeAndBuild` → `buildContainerSpec` →
-	* `resolveContainerImageForStartApi`, so a source edit DOES trigger
-	* rebuild AND the deterministic `image` tag changes — but watching
-	* the build-context dir explicitly here is deferred to a follow-up
-	* (the watched-asset list is currently sourced from `cdk.out/`
-	* which transitively covers most container-Lambda asset dirs since
-	* `cdk synth` re-stages them on every synth call).
-	*/
-	const computeAssetPaths = (specs) => {
-		const assetPaths = /* @__PURE__ */ new Set();
-		for (const spec of specs.values()) if (spec.kind === "zip") assetPaths.add(spec.codeDir);
-		return [...assetPaths];
-	};
 	const initialMaterial = await synthesizeAndBuild();
-	lastAssetPaths.value = computeAssetPaths(initialMaterial.specs);
 	await prewarmJwks(initialMaterial.routes, jwksCache);
 	warnVpcConfigLambdas(initialMaterial.routes, initialMaterial.stacks ?? []);
 	sigV4CredentialsLoader = defaultCredentialsLoader();
@@ -14722,23 +14809,27 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	let watcher;
 	let reloadChain = Promise.resolve();
 	if (options.watch) {
+		const watchRoot = process.cwd();
+		const { ignored, shouldTrigger, excludePatterns } = createWatchPredicates({
+			watchRoot,
+			output: options.output,
+			watchConfig: resolveWatchConfig()
+		});
 		watcher = createFileWatcher({
-			paths: [options.output, ...lastAssetPaths.value],
+			paths: [watchRoot],
+			ignored,
+			shouldTrigger,
 			onChange: () => {
-				logger.info("Detected file change; reloading...");
+				logger.info("Detected source change; reloading...");
 				reloadChain = reloadChain.then(() => reloadAllServers({
 					synthesizeAndBuild,
 					servers,
 					buildPool,
-					computeAssetPaths,
-					lastAssetPaths,
-					watcher,
-					output: options.output,
 					logger
 				})).catch(() => void 0);
 			}
 		});
-		logger.info(`Watching ${options.output} (and ${lastAssetPaths.value.length} asset dir(s))`);
+		logger.info(`Watching ${watchRoot} for source changes (excluding ${excludePatterns.join(", ")}).`);
 	}
 	let shutdownStarted = false;
 	let firstSignal;
@@ -14840,6 +14931,52 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	await new Promise(() => void 0);
 }
 /**
+* Build the `--watch` file-watcher predicates for a source tree rooted
+* at `watchRoot` (the synth working directory).
+*
+* The synth output directory is always excluded so the reload's own
+* re-synth writes never re-trigger the watcher (no loop); `node_modules`
+* / `.git` are excluded for traversal cost. `cdk.json` `watch.exclude`
+* globs layer on top, and `watch.include` gates which changes fire a
+* reload. The output dir is only added as a glob when it lives UNDER the
+* watch root — when it equals the root (`''`) or sits outside it
+* (`..`-prefixed), a watcher rooted at `watchRoot` never traverses it,
+* so no exclude entry is needed (and a `''` / `..` glob is meaningless).
+*
+* `@internal` exported for unit tests (the exclude/include composition +
+* the output-dir relativization edge cases).
+*/
+function createWatchPredicates(args) {
+	const { watchRoot, output, watchConfig } = args;
+	const toRel = (abs) => path.relative(watchRoot, abs).split(path.sep).join("/");
+	const outputRel = toRel(path.resolve(watchRoot, output));
+	const excludePatterns = [
+		...outputRel !== "" && !outputRel.startsWith("..") ? [outputRel] : [],
+		"node_modules",
+		".git",
+		...watchConfig.exclude
+	];
+	const excludeMatcher = createGlobMatcher(excludePatterns);
+	const includeMatcher = createGlobMatcher(watchConfig.include);
+	const ignored = (absPath) => {
+		const rel = toRel(absPath);
+		if (rel === "") return false;
+		if (rel.startsWith("..")) return true;
+		return excludeMatcher(rel);
+	};
+	const shouldTrigger = (absPath) => {
+		const rel = toRel(absPath);
+		if (rel === "" || rel.startsWith("..")) return false;
+		if (excludeMatcher(rel)) return false;
+		return includeMatcher(rel);
+	};
+	return {
+		ignored,
+		shouldTrigger,
+		excludePatterns
+	};
+}
+/**
 * Match the `--stack` pattern (or single-stack auto-detect) to a list
 * of stacks the route-discovery walks. Mirrors the deploy/diff matcher
 * routing rules.
@@ -15741,7 +15878,7 @@ function warnSsrfRiskyIntegrations(routes, logger) {
 *      server restart in v1.
 */
 async function reloadAllServers(args) {
-	const { synthesizeAndBuild, servers, buildPool, computeAssetPaths, lastAssetPaths, watcher, output, logger } = args;
+	const { synthesizeAndBuild, servers, buildPool, logger } = args;
 	let material;
 	try {
 		material = await synthesizeAndBuild();
@@ -15772,8 +15909,6 @@ async function reloadAllServers(args) {
 			logger.debug(`Previous pool dispose() failed for ${group.displayName}: ${err instanceof Error ? err.message : String(err)}`);
 		});
 	}
-	lastAssetPaths.value = computeAssetPaths(material.specs);
-	if (watcher) watcher.update([output, ...lastAssetPaths.value]);
 	printPerServerRouteTables(servers);
 	const allRoutes = servers.flatMap((s) => s.group.routes.map((r) => r.route));
 	warnUnsupportedRoutes(allRoutes, logger);
@@ -15957,7 +16092,7 @@ function resolveMtlsConfig(options) {
 */
 function createLocalStartApiCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and AWS_IAM auth (REST v1 `AuthorizationType: AWS_IAM` and Function URL `AuthType: AWS_IAM` — SigV4 signature verification only; IAM policy evaluation is NOT emulated). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", `Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors \`${getEmbedConfig().cliName} invoke\` / \`${getEmbedConfig().cliName} run-task\` target syntax.`).addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--all-stacks", "Serve every stack's API in a multi-stack app (each API on its own port) instead of erroring out. Mutually exclusive with a positional target, --stack, and an explicit --from-cfn-stack <name>; the bare --from-cfn-stack flag stays compatible (binds each routed stack to its own CFn stack).").default(false)).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: re-synth + re-discover routes when cdk.out/ or asset directories change. Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers (issue #448). Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in Lambda env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name per routed stack; pass an explicit value when a single CFn stack should serve every routed stack. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--mtls-truststore <path>", `PEM-encoded CA bundle for client-certificate verification (mutual TLS). When set, the local server switches from HTTP to HTTPS and the TLS handshake rejects clients whose certificate doesn't chain to one of these CAs. Verified certs are surfaced on the Lambda event under requestContext.identity.clientCert (REST v1) / requestContext.authentication.clientCert (HTTP API v2). Must be set together with --mtls-cert + --mtls-key; partial flag sets are rejected. Generate a CA + server + client cert for local dev: openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem -subj "/CN=${getEmbedConfig().resourceNamePrefix}-ca" -days 365; openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem -subj "/CN=localhost"; openssl x509 -req -in server-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365; openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem -subj "/CN=client"; openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 365; curl --cacert ca.pem --cert client-cert.pem --key client-key.pem https://localhost:<port>/...`)).addOption(new Option("--mtls-cert <path>", "PEM-encoded server certificate for mutual TLS. Self-signed is fine for local dev. Must be set together with --mtls-truststore + --mtls-key.")).addOption(new Option("--mtls-key <path>", "PEM-encoded server private key matching --mtls-cert. Must be set together with --mtls-truststore + --mtls-cert.")).addOption(new Option("--strict-sigv4", "Opt-in: DENY AWS_IAM SigV4 requests that cannot be cryptographically verified (foreign access-key-id — e.g. a federated / Cognito Identity Pool / cross-account signer — OR no local AWS credentials configured) instead of the default warn-and-pass. DEFAULT off: cdk-local warn-and-passes unverifiable IAM requests with a placeholder principalId so local dev exercises app logic without reproducing an auth boundary it cannot fully emulate. OAC-fronted Function URLs always warn-and-pass regardless.").default(false)).action(withErrorHandling(async (target, options) => {
+	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and AWS_IAM auth (REST v1 `AuthorizationType: AWS_IAM` and Function URL `AuthType: AWS_IAM` — SigV4 signature verification only; IAM policy evaluation is NOT emulated). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", `Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors \`${getEmbedConfig().cliName} invoke\` / \`${getEmbedConfig().cliName} run-task\` target syntax.`).addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--all-stacks", "Serve every stack's API in a multi-stack app (each API on its own port) instead of erroring out. Mutually exclusive with a positional target, --stack, and an explicit --from-cfn-stack <name>; the bare --from-cfn-stack flag stays compatible (binds each routed stack to its own CFn stack).").default(false)).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: re-synth + re-discover routes when the CDK app's source changes (honors cdk.json watch.include/exclude; cdk.out, node_modules, .git are always excluded). Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers (issue #448). Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in Lambda env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name per routed stack; pass an explicit value when a single CFn stack should serve every routed stack. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--mtls-truststore <path>", `PEM-encoded CA bundle for client-certificate verification (mutual TLS). When set, the local server switches from HTTP to HTTPS and the TLS handshake rejects clients whose certificate doesn't chain to one of these CAs. Verified certs are surfaced on the Lambda event under requestContext.identity.clientCert (REST v1) / requestContext.authentication.clientCert (HTTP API v2). Must be set together with --mtls-cert + --mtls-key; partial flag sets are rejected. Generate a CA + server + client cert for local dev: openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem -subj "/CN=${getEmbedConfig().resourceNamePrefix}-ca" -days 365; openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem -subj "/CN=localhost"; openssl x509 -req -in server-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365; openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem -subj "/CN=client"; openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 365; curl --cacert ca.pem --cert client-cert.pem --key client-key.pem https://localhost:<port>/...`)).addOption(new Option("--mtls-cert <path>", "PEM-encoded server certificate for mutual TLS. Self-signed is fine for local dev. Must be set together with --mtls-truststore + --mtls-key.")).addOption(new Option("--mtls-key <path>", "PEM-encoded server private key matching --mtls-cert. Must be set together with --mtls-truststore + --mtls-cert.")).addOption(new Option("--strict-sigv4", "Opt-in: DENY AWS_IAM SigV4 requests that cannot be cryptographically verified (foreign access-key-id — e.g. a federated / Cognito Identity Pool / cross-account signer — OR no local AWS credentials configured) instead of the default warn-and-pass. DEFAULT off: cdk-local warn-and-passes unverifiable IAM requests with a placeholder principalId so local dev exercises app logic without reproducing an auth boundary it cannot fully emulate. OAC-fronted Function URLs always warn-and-pass regardless.").default(false)).action(withErrorHandling(async (target, options) => {
 		await localStartApiCommand(target, options, opts.extraStateProviders);
 	}));
 	[
@@ -18540,5 +18675,5 @@ function createLocalStartServiceCommand(opts = {}) {
 }
 
 //#endregion
-export { resolveCfnFallbackRegion as C, CfnLocalStateProvider as E, rejectExplicitCfnStackWithMultipleStacks as S, resolveCfnStackName as T, resolveLambdaArnIntrinsic as _, resolveSelectionExpression as a, createLocalStateProvider as b, translateLambdaResponse as c, buildRestV1Event as d, discoverWebSocketApis as f, pickRefLogicalId as g, discoverRoutes as h, createLocalStartApiCommand as i, applyAuthorizerOverlay as l, parseSelectionExpressionPath as m, getContainerNetworkIp as n, resolveServiceIntegrationParameters as o, discoverWebSocketApisOrThrow as p, createLocalRunTaskCommand as r, matchRoute as s, createLocalStartServiceCommand as t, buildHttpApiV2Event as u, createLocalInvokeCommand as v, resolveCfnRegion as w, isCfnFlagPresent as x, LocalStateSourceError as y };
-//# sourceMappingURL=local-start-service-Oxi200hs.js.map
+export { LocalStateSourceError as A, discoverWebSocketApis as C, pickRefLogicalId as D, discoverRoutes as E, resolveCfnRegion as F, resolveCfnStackName as I, CfnLocalStateProvider as L, isCfnFlagPresent as M, rejectExplicitCfnStackWithMultipleStacks as N, resolveLambdaArnIntrinsic as O, resolveCfnFallbackRegion as P, buildRestV1Event as S, parseSelectionExpressionPath as T, invokeTokenAuthorizer as _, createAuthorizerCache as a, applyAuthorizerOverlay as b, buildCognitoJwksUrl as c, verifyCognitoJwt as d, verifyJwtAuthorizer as f, invokeRequestAuthorizer as g, evaluateCachedLambdaPolicy as h, createLocalStartApiCommand as i, createLocalStateProvider as j, createLocalInvokeCommand as k, buildJwksUrlFromIssuer as l, computeRequestIdentityHash as m, getContainerNetworkIp as n, resolveSelectionExpression as o, buildMethodArn as p, createLocalRunTaskCommand as r, resolveServiceIntegrationParameters as s, createLocalStartServiceCommand as t, createJwksCache as u, matchRoute as v, discoverWebSocketApisOrThrow as w, buildHttpApiV2Event as x, translateLambdaResponse as y };
+//# sourceMappingURL=local-start-service-CorTpgvY.js.map