cdk-local 0.118.0 → 0.119.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,4 +1,4 @@
1
- import { a as runDockerStreaming, c as resolveConfiguredLogLevel, d as setEmbedConfig, i as runDockerForeground, l as getEmbedConfig, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, s as getLogger } from "./docker-cmd-GcI_cqY5.js";
1
+ import { a as runDockerStreaming, c as resolveConfiguredLogLevel, d as setEmbedConfig, i as runDockerForeground, l as getEmbedConfig, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, s as getLogger } from "./docker-cmd-Bo60SLE3.js";
2
2
  import { cpSync, createWriteStream, existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, unlinkSync, writeFileSync } from "node:fs";
3
3
  import { homedir, tmpdir } from "node:os";
4
4
  import * as path$1 from "node:path";
@@ -34,6 +34,9 @@ import { SignatureV4 } from "@smithy/signature-v4";
34
34
  import graphlib from "graphlib";
35
35
  import { GetSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
36
36
  import * as vm from "node:vm";
37
+ import "@aws-sdk/signature-v4a";
38
+ import { CloudFrontClient, paginateListKeyValueStores } from "@aws-sdk/client-cloudfront";
39
+ import { CloudFrontKeyValueStoreClient, GetKeyCommand, ResourceNotFoundException } from "@aws-sdk/client-cloudfront-keyvaluestore";
37
40
  import { EventEmitter } from "node:events";
38
41
 
39
42
  //#region src/cli/options.ts
@@ -22422,7 +22425,7 @@ async function softReloadReplica(args) {
22422
22425
  const defaultDockerInspectWorkdirImpl = async (containerId) => {
22423
22426
  const { execFile } = await import("node:child_process");
22424
22427
  const { promisify } = await import("node:util");
22425
- const { getDockerCmd } = await import("./docker-cmd-GcI_cqY5.js").then((n) => n.t);
22428
+ const { getDockerCmd } = await import("./docker-cmd-Bo60SLE3.js").then((n) => n.t);
22426
22429
  const { stdout } = await promisify(execFile)(getDockerCmd(), [
22427
22430
  "inspect",
22428
22431
  "--format",
@@ -22441,7 +22444,7 @@ let dockerInspectWorkdirImpl = defaultDockerInspectWorkdirImpl;
22441
22444
  const defaultDockerCpImpl = async (src, dst) => {
22442
22445
  const { execFile } = await import("node:child_process");
22443
22446
  const { promisify } = await import("node:util");
22444
- const { getDockerCmd } = await import("./docker-cmd-GcI_cqY5.js").then((n) => n.t);
22447
+ const { getDockerCmd } = await import("./docker-cmd-Bo60SLE3.js").then((n) => n.t);
22445
22448
  await promisify(execFile)(getDockerCmd(), [
22446
22449
  "cp",
22447
22450
  src,
@@ -22456,7 +22459,7 @@ let dockerCpImpl = defaultDockerCpImpl;
22456
22459
  const defaultDockerRestartImpl = async (containerId) => {
22457
22460
  const { execFile } = await import("node:child_process");
22458
22461
  const { promisify } = await import("node:util");
22459
- const { getDockerCmd } = await import("./docker-cmd-GcI_cqY5.js").then((n) => n.t);
22462
+ const { getDockerCmd } = await import("./docker-cmd-Bo60SLE3.js").then((n) => n.t);
22460
22463
  await promisify(execFile)(getDockerCmd(), ["restart", containerId]);
22461
22464
  };
22462
22465
  let dockerRestartImpl = defaultDockerRestartImpl;
@@ -22496,7 +22499,7 @@ async function disconnectOldFromSharedNetwork(oldInstance) {
22496
22499
  const defaultDockerNetworkDisconnectImpl = async (networkName, containerId) => {
22497
22500
  const { execFile } = await import("node:child_process");
22498
22501
  const { promisify } = await import("node:util");
22499
- const { getDockerCmd } = await import("./docker-cmd-GcI_cqY5.js").then((n) => n.t);
22502
+ const { getDockerCmd } = await import("./docker-cmd-Bo60SLE3.js").then((n) => n.t);
22500
22503
  await promisify(execFile)(getDockerCmd(), [
22501
22504
  "network",
22502
22505
  "disconnect",
@@ -22673,7 +22676,7 @@ function pickEssentialContainerId(instance, service) {
22673
22676
  const defaultWaitForExitImpl = async (containerId) => {
22674
22677
  const { execFile } = await import("node:child_process");
22675
22678
  const { promisify } = await import("node:util");
22676
- const { getDockerCmd } = await import("./docker-cmd-GcI_cqY5.js").then((n) => n.t);
22679
+ const { getDockerCmd } = await import("./docker-cmd-Bo60SLE3.js").then((n) => n.t);
22677
22680
  const { stdout } = await promisify(execFile)(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
22678
22681
  const code = parseInt(stdout.trim(), 10);
22679
22682
  return Number.isFinite(code) ? code : -1;
@@ -22693,7 +22696,7 @@ const EXIT_LOG_TAIL_LINES = 50;
22693
22696
  const defaultReadContainerLogsImpl = async (containerId) => {
22694
22697
  const { execFile } = await import("node:child_process");
22695
22698
  const { promisify } = await import("node:util");
22696
- const { getDockerCmd } = await import("./docker-cmd-GcI_cqY5.js").then((n) => n.t);
22699
+ const { getDockerCmd } = await import("./docker-cmd-Bo60SLE3.js").then((n) => n.t);
22697
22700
  const { stdout, stderr } = await promisify(execFile)(getDockerCmd(), [
22698
22701
  "logs",
22699
22702
  "--tail",
@@ -28095,6 +28098,92 @@ function addAlbSpecificOptions(cmd) {
28095
28098
  return cmd.addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls", "Terminate TLS locally for cloud-HTTPS listeners. Default: a cloud-HTTPS listener is served over plain HTTP locally (X-Forwarded-Proto: https is preserved so the upstream app still sees the deployed listener protocol). Implied by --tls-cert / --tls-key. Use this when local-dev cookies need Secure / SameSite=None, when the upstream app inspects TLS metadata, or for mTLS / SNI testing — otherwise plain HTTP is friendlier (no self-signed cert warnings in curl / browser).")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Implies --tls. Must be set together with --tls-key. Pass --tls alone (without --tls-cert / --tls-key) to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Implies --tls. Must be set together with --tls-cert.")).addOption(new Option("--no-verify-auth", "Disable local enforcement of authenticate-cognito / authenticate-oidc actions. Every request is served as if the auth check passed. Useful for local dev where you do not want to mint a Bearer token at all.")).addOption(new Option("--bearer-token <jwt>", "Default Bearer JWT this command INJECTS only when an inbound request has none (the default-when-missing role) — `cdkl start-alb` is the local ALB front-door RECEIVING outside-in requests, so this token is the fallback the front-door slots in as Authorization: Bearer <jwt> if the caller did not already supply one. Verified against the same JWKS / OIDC discovery URL the deployed ALB would (signature + iss + aud + exp). Cookie pass-through (AWSELBAuthSessionCookie-*) also bypasses the guard. Contrast with `cdkl invoke-agentcore --bearer-token`, where the role is reversed — that command is the outbound client and ALWAYS presents this token (the supplier).")).addOption(new Option("--watch", "Hot-reload: re-synth + per-replica reload of every ECS service behind the ALB when the CDK source changes (honors cdk.json watch.include/exclude; cdk.out, node_modules, .git are always excluded). A per-firing classifier picks the per-replica primitive: source-only edits on interpreted-language handlers (Node/Python/Ruby/shell) take a bind-mount FAST PATH (`docker cp` the new source into each replica + `docker restart`; no rebuild, front-door pool entry unchanged since the IP/port are preserved). Dockerfile / dependency manifest / compiled-language source / ambiguous edits fall through to the rebuild rolling primitive — boot a shadow under a bumped generation suffix, wait for its container port to accept a TCP connection, atomically register it in the front-door pool, then drop the old entry and retire the old container. Either path rolls one replica at a time, so a continuous external request stream against the listener port sees zero connection refusals across the reload. The host front-door (TLS, JWKS cache, Lambda-target containers, listener sockets) stays up across the reload. Lambda target groups behind the ALB are a no-op on reload (the warm RIE container keeps its boot-time image). Off by default; existing replica(s) keep serving when synth fails mid-reload.").default(false));
28096
28099
  }
28097
28100
 
28101
+ //#endregion
28102
+ //#region src/local/cloudfront-kvs.ts
28103
+ /** Build a `cf` module backed by the resolved data sources for one function. */
28104
+ function createCloudFrontModule(sources) {
28105
+ return { kvs(kvsId) {
28106
+ return makeHandle(pickSource(sources, kvsId));
28107
+ } };
28108
+ }
28109
+ /**
28110
+ * The `cf` module bound when a function calls `cf.kvs()` but no KeyValueStore
28111
+ * binding was resolved (no `--from-cfn-stack`, no covering `--kvs-file`). The
28112
+ * handle is returned successfully so a top-level `cf.kvs()` call does not throw
28113
+ * at module-eval; the actionable error surfaces when the function actually
28114
+ * reads a key.
28115
+ */
28116
+ function createUnboundCloudFrontModule(functionLogicalId) {
28117
+ const fail = () => Promise.reject(/* @__PURE__ */ new Error(`CloudFront Function '${functionLogicalId}' reads from a KeyValueStore (cf.kvs()), but no KeyValueStore binding is available locally. Pass --from-cfn-stack to read the deployed store, or --kvs-file <id>=<file.json> to back it with a local JSON map.`));
28118
+ const handle = {
28119
+ get: () => fail(),
28120
+ exists: () => fail(),
28121
+ meta: () => fail(),
28122
+ count: () => fail()
28123
+ };
28124
+ return { kvs: () => handle };
28125
+ }
28126
+ function pickSource(sources, kvsId) {
28127
+ if (sources.length === 0) throw new Error("cf.kvs(): no KeyValueStore is associated with this function.");
28128
+ if (kvsId === void 0) return sources[0];
28129
+ const byId = sources.find((s) => s.kvsId === kvsId);
28130
+ if (byId) return byId;
28131
+ if (sources.length === 1) return sources[0];
28132
+ throw new Error(`cf.kvs('${kvsId}'): no associated KeyValueStore matches this id locally (associated: ${sources.map((s) => s.kvsId ?? s.label).join(", ")}).`);
28133
+ }
28134
+ function makeHandle(source) {
28135
+ return {
28136
+ async get(key, options) {
28137
+ const value = await source.getValue(key);
28138
+ if (value === void 0) throw new Error(`cf.kvs().get('${key}'): key not found in ${source.label}.`);
28139
+ if (options?.format === "json") try {
28140
+ return JSON.parse(value);
28141
+ } catch (err) {
28142
+ throw new Error(`cf.kvs().get('${key}', { format: 'json' }): value is not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
28143
+ }
28144
+ return value;
28145
+ },
28146
+ async exists(key) {
28147
+ return await source.getValue(key) !== void 0;
28148
+ },
28149
+ meta() {
28150
+ return Promise.reject(/* @__PURE__ */ new Error("cf.kvs().meta() is not reproduced locally by cdkl start-cloudfront (only get / exists are supported)."));
28151
+ },
28152
+ count() {
28153
+ return Promise.reject(/* @__PURE__ */ new Error("cf.kvs().count() is not reproduced locally by cdkl start-cloudfront (only get / exists are supported)."));
28154
+ }
28155
+ };
28156
+ }
28157
+ /**
28158
+ * Build a {@link KvsDataSource} from a local JSON file (the `--kvs-file
28159
+ * <id>=<file.json>` escape hatch). The file is a flat `{ "key": "value" }`
28160
+ * object; non-string values are JSON-stringified (KVS values are always
28161
+ * strings). Read once at construction (boot time); a `--watch` reload rebuilds
28162
+ * it.
28163
+ */
28164
+ function createLocalFileKvsDataSource(args) {
28165
+ let raw;
28166
+ try {
28167
+ raw = readFileSync(args.filePath, "utf-8");
28168
+ } catch (err) {
28169
+ throw new Error(`--kvs-file '${args.id}=${args.filePath}': could not read the file: ${err instanceof Error ? err.message : String(err)}`);
28170
+ }
28171
+ let parsed;
28172
+ try {
28173
+ parsed = JSON.parse(raw);
28174
+ } catch (err) {
28175
+ throw new Error(`--kvs-file '${args.id}=${args.filePath}': not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
28176
+ }
28177
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`--kvs-file '${args.id}=${args.filePath}': expected a JSON object of key -> value entries.`);
28178
+ const map = /* @__PURE__ */ new Map();
28179
+ for (const [key, value] of Object.entries(parsed)) map.set(key, typeof value === "string" ? value : JSON.stringify(value));
28180
+ return {
28181
+ label: `file:${args.filePath}`,
28182
+ kvsId: args.id,
28183
+ getValue: (key) => Promise.resolve(map.get(key))
28184
+ };
28185
+ }
28186
+
28098
28187
  //#endregion
28099
28188
  //#region src/local/cloudfront-function-runtime.ts
28100
28189
  /**
@@ -28109,21 +28198,49 @@ function addAlbSpecificOptions(cmd) {
28109
28198
  const FUNCTION_TIMEOUT_MS = 5e3;
28110
28199
  const EVENT_GLOBAL = "__cfEvent";
28111
28200
  /**
28201
+ * Regex matching the canonical CloudFront-Functions 2.0 KeyValueStore import
28202
+ * line (`import cf from 'cloudfront';`). The module is default-imported under a
28203
+ * single binding name; this is the only `cloudfront` import form the runtime
28204
+ * supports. Anchored per-line (`m` flag) so only the import statement is
28205
+ * matched, not a substring elsewhere.
28206
+ */
28207
+ const CLOUDFRONT_IMPORT_RE = /^[ \t]*import\s+(\w+)\s+from\s+['"]cloudfront['"]\s*;?[ \t]*$/m;
28208
+ /**
28209
+ * Strip the `import cf from 'cloudfront'` statement from a 2.0 function's code
28210
+ * and return the binding name, so the code compiles as a plain `vm.Script`
28211
+ * (an `import` statement is invalid outside an ES module) and the `cloudfront`
28212
+ * module can be injected as the binding-named sandbox global instead. Returns
28213
+ * the code unchanged with no binding name when the function does not import
28214
+ * `cloudfront`. The matched line is blanked (not deleted) so error line numbers
28215
+ * still line up with the source.
28216
+ */
28217
+ function stripCloudFrontImport(code) {
28218
+ const match = CLOUDFRONT_IMPORT_RE.exec(code);
28219
+ if (!match) return { code };
28220
+ return {
28221
+ code: code.replace(CLOUDFRONT_IMPORT_RE, ""),
28222
+ bindingName: match[1]
28223
+ };
28224
+ }
28225
+ /**
28112
28226
  * Compile a CloudFront Function's inline code once. Throws a clear error when
28113
28227
  * the code has a syntax error or declares no `handler` (surfaced at boot so a
28114
28228
  * malformed function never silently no-ops at request time).
28115
28229
  */
28116
28230
  function compileCloudFrontFunction(logicalId, code, runtime) {
28231
+ const { code: source, bindingName } = stripCloudFrontImport(code);
28117
28232
  let script;
28118
28233
  try {
28119
- script = new vm.Script(`${code}\n;handler(${EVENT_GLOBAL})`, { filename: `cloudfront-function-${logicalId}.js` });
28234
+ script = new vm.Script(`${source}\n;handler(${EVENT_GLOBAL})`, { filename: `cloudfront-function-${logicalId}.js` });
28120
28235
  } catch (err) {
28121
28236
  throw new Error(`CloudFront Function '${logicalId}' failed to compile: ${err instanceof Error ? err.message : String(err)}`);
28122
28237
  }
28123
28238
  let hasHandler;
28124
28239
  try {
28125
- const probeContext = vm.createContext({ console });
28126
- hasHandler = new vm.Script(`${code}\n;typeof handler === 'function'`).runInContext(probeContext, { timeout: FUNCTION_TIMEOUT_MS });
28240
+ const probeGlobals = { console };
28241
+ if (bindingName) probeGlobals[bindingName] = createUnboundCloudFrontModule(logicalId);
28242
+ const probeContext = vm.createContext(probeGlobals);
28243
+ hasHandler = new vm.Script(`${source}\n;typeof handler === 'function'`).runInContext(probeContext, { timeout: FUNCTION_TIMEOUT_MS });
28127
28244
  } catch (err) {
28128
28245
  throw new Error(`CloudFront Function '${logicalId}' failed to compile: ${err instanceof Error ? err.message : String(err)}`);
28129
28246
  }
@@ -28131,7 +28248,8 @@ function compileCloudFrontFunction(logicalId, code, runtime) {
28131
28248
  return {
28132
28249
  logicalId,
28133
28250
  runtime,
28134
- script
28251
+ script,
28252
+ ...bindingName !== void 0 && { cloudfrontBindingName: bindingName }
28135
28253
  };
28136
28254
  }
28137
28255
  /**
@@ -28142,10 +28260,12 @@ function compileCloudFrontFunction(logicalId, code, runtime) {
28142
28260
  * thrown by the handler is wrapped with the function's logical id.
28143
28261
  */
28144
28262
  async function invokeCloudFrontFunction(fn, event) {
28145
- const context = vm.createContext({
28263
+ const sandbox = {
28146
28264
  console,
28147
28265
  [EVENT_GLOBAL]: event
28148
- });
28266
+ };
28267
+ if (fn.cloudfrontBindingName) sandbox[fn.cloudfrontBindingName] = fn.cloudfrontModule ?? createUnboundCloudFrontModule(fn.logicalId);
28268
+ const context = vm.createContext(sandbox);
28149
28269
  let result;
28150
28270
  try {
28151
28271
  result = fn.script.runInContext(context, { timeout: FUNCTION_TIMEOUT_MS });
@@ -28379,11 +28499,55 @@ function compileDistributionFunctions(template) {
28379
28499
  continue;
28380
28500
  }
28381
28501
  const config = props["FunctionConfig"];
28382
- const runtime = config && typeof config === "object" && typeof config["Runtime"] === "string" ? config["Runtime"] : "cloudfront-js-1.0";
28383
- out.set(logicalId, compileCloudFrontFunction(logicalId, code, runtime));
28502
+ const configObj = config && typeof config === "object" ? config : {};
28503
+ const compiled = compileCloudFrontFunction(logicalId, code, typeof configObj["Runtime"] === "string" ? configObj["Runtime"] : "cloudfront-js-1.0");
28504
+ const kvsAssociations = extractKvsAssociations(configObj);
28505
+ if (kvsAssociations.length > 0) compiled.kvsAssociations = kvsAssociations;
28506
+ out.set(logicalId, compiled);
28384
28507
  }
28385
28508
  return out;
28386
28509
  }
28510
+ /**
28511
+ * Extract a function's `FunctionConfig.KeyValueStoreAssociations[]` into the
28512
+ * compiled-function carrier, pre-resolving each association's KVS resource
28513
+ * logical id from the `KeyValueStoreARN` intrinsic so the command layer can
28514
+ * bind it (deployed store under `--from-cfn-stack`, or a `--kvs-file` map).
28515
+ */
28516
+ function extractKvsAssociations(functionConfig) {
28517
+ const raw = Array.isArray(functionConfig["KeyValueStoreAssociations"]) ? functionConfig["KeyValueStoreAssociations"] : [];
28518
+ const out = [];
28519
+ for (const entry of raw) {
28520
+ if (!entry || typeof entry !== "object") continue;
28521
+ const arnValue = entry["KeyValueStoreARN"];
28522
+ if (arnValue === void 0) continue;
28523
+ const kvsLogicalId = pickKvsLogicalIdFromArn(arnValue);
28524
+ out.push({
28525
+ arnValue,
28526
+ ...kvsLogicalId !== void 0 && { kvsLogicalId }
28527
+ });
28528
+ }
28529
+ return out;
28530
+ }
28531
+ /**
28532
+ * Unwrap a `KeyValueStoreARN` value to the `AWS::CloudFront::KeyValueStore`
28533
+ * logical id when it is an intrinsic reference to a same-template store. CDK /
28534
+ * CloudFormation synthesize it as `Fn::GetAtt[<Kvs>, 'Arn']`, a `Ref`, or
28535
+ * `Fn::Sub: '${<Kvs>.Arn}'`. Returns `undefined` for a literal ARN string (an
28536
+ * imported / out-of-stack store).
28537
+ */
28538
+ function pickKvsLogicalIdFromArn(value) {
28539
+ if (!value || typeof value !== "object") return void 0;
28540
+ const obj = value;
28541
+ const getAtt = obj["Fn::GetAtt"];
28542
+ if (Array.isArray(getAtt) && getAtt.length === 2 && typeof getAtt[0] === "string") return getAtt[0];
28543
+ if (typeof obj["Ref"] === "string") return obj["Ref"];
28544
+ const sub = obj["Fn::Sub"];
28545
+ const subTemplate = typeof sub === "string" ? sub : Array.isArray(sub) ? sub[0] : void 0;
28546
+ if (typeof subTemplate === "string") {
28547
+ const match = /^\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9]+)?\}$/.exec(subTemplate.trim());
28548
+ if (match) return match[1];
28549
+ }
28550
+ }
28387
28551
  function resolveBehaviors(dc, functions, distLogicalId, template) {
28388
28552
  const behaviors = [];
28389
28553
  const def = dc["DefaultCacheBehavior"];
@@ -29073,6 +29237,130 @@ function listen(server, host, port) {
29073
29237
  });
29074
29238
  }
29075
29239
 
29240
+ //#endregion
29241
+ //#region src/local/cloudfront-kvs-client.ts
29242
+ /**
29243
+ * Build a {@link KvsDataSource} backed by the deployed store's `GetKey` API.
29244
+ * A missing key resolves to `undefined` (the `ResourceNotFoundException` is
29245
+ * caught) so the `cf` shim can surface a clean "key not found" — any other
29246
+ * error (access denied, throttling) propagates so the user sees the real cause.
29247
+ */
29248
+ function createDeployedKvsDataSource(options) {
29249
+ const client = new CloudFrontKeyValueStoreClient({
29250
+ region: options.region ?? "us-east-1",
29251
+ ...options.credentials !== void 0 && { credentials: options.credentials }
29252
+ });
29253
+ return {
29254
+ label: `deployed:${options.kvsArn}`,
29255
+ ...options.kvsId !== void 0 && { kvsId: options.kvsId },
29256
+ async getValue(key) {
29257
+ try {
29258
+ return (await client.send(new GetKeyCommand({
29259
+ KvsARN: options.kvsArn,
29260
+ Key: key
29261
+ }))).Value;
29262
+ } catch (err) {
29263
+ if (isKeyNotFound(err)) return void 0;
29264
+ throw new Error(`cf.kvs().get('${key}') against ${options.kvsArn} failed: ${err instanceof Error ? err.message : String(err)}`);
29265
+ }
29266
+ }
29267
+ };
29268
+ }
29269
+ /**
29270
+ * Resolve a deployed KeyValueStore's ARN (+ Id) from its NAME via the
29271
+ * CloudFront control-plane `ListKeyValueStores` API. Needed because
29272
+ * `--from-cfn-stack` reads the store's physical id from `ListStackResources`,
29273
+ * and for `AWS::CloudFront::KeyValueStore` that physical id is the store NAME
29274
+ * (the `Ref` value) — NOT the ARN. The data-plane `GetKey` needs the ARN (which
29275
+ * embeds the store's UUID Id), so we look the name up against the account's
29276
+ * stores. CloudFront is global, so the client defaults to `us-east-1`. Returns
29277
+ * `undefined` on any miss (no match, access denied) so the caller falls back to
29278
+ * the unbound-KVS warning.
29279
+ */
29280
+ async function resolveDeployedKvsArnByName(name, options = {}) {
29281
+ const client = new CloudFrontClient({
29282
+ region: options.region ?? "us-east-1",
29283
+ ...options.credentials !== void 0 && { credentials: options.credentials }
29284
+ });
29285
+ try {
29286
+ for await (const page of paginateListKeyValueStores({ client }, {})) for (const item of page.KeyValueStoreList?.Items ?? []) if (item.Name === name && item.ARN) return {
29287
+ arn: item.ARN,
29288
+ ...item.Id !== void 0 && { id: item.Id }
29289
+ };
29290
+ } catch (err) {
29291
+ getLogger().debug(`ListKeyValueStores lookup for '${name}' failed: ${err instanceof Error ? err.message : String(err)}`);
29292
+ }
29293
+ }
29294
+ /** True when a GetKey error means the key (or store) was not found, not a real failure. */
29295
+ function isKeyNotFound(err) {
29296
+ if (err instanceof ResourceNotFoundException) return true;
29297
+ if (err && typeof err === "object") {
29298
+ if (err.name === "ResourceNotFoundException") return true;
29299
+ if (err.$metadata?.httpStatusCode === 404) return true;
29300
+ }
29301
+ return false;
29302
+ }
29303
+
29304
+ //#endregion
29305
+ //#region src/local/cloudfront-kvs-binding.ts
29306
+ /**
29307
+ * Build + attach the `cf` module to every KVS-reading function in the
29308
+ * distribution. Returns boot warnings for associations that resolved to no
29309
+ * binding (the runtime then injects an unbound module so the read fails with a
29310
+ * clear actionable error). Idempotent per call — overwrites
29311
+ * `cloudfrontModule` so a `--watch` reload rebinds.
29312
+ */
29313
+ async function resolveKvsModulesForDistribution(distribution, options) {
29314
+ const warnings = [];
29315
+ for (const fn of collectKvsFunctions(distribution)) {
29316
+ const sources = [];
29317
+ for (const assoc of fn.kvsAssociations ?? []) {
29318
+ const source = await buildSourceForAssociation(assoc, options);
29319
+ if (source) sources.push(source);
29320
+ else {
29321
+ const ref = assoc.kvsLogicalId ?? "<store>";
29322
+ warnings.push(`CloudFront Function '${fn.logicalId}' reads KeyValueStore '${ref}', but no binding resolved it — cf.kvs() reads will fail. Pass --from-cfn-stack to read the deployed store, or --kvs-file ${ref}=<file.json> for a local map.`);
29323
+ }
29324
+ }
29325
+ if (sources.length > 0) fn.cloudfrontModule = createCloudFrontModule(sources);
29326
+ else delete fn.cloudfrontModule;
29327
+ }
29328
+ return { warnings };
29329
+ }
29330
+ /** Collect the unique compiled functions in the distribution that read a KVS. */
29331
+ function collectKvsFunctions(distribution) {
29332
+ const byLogicalId = /* @__PURE__ */ new Map();
29333
+ for (const behavior of distribution.behaviors) for (const fn of [behavior.viewerRequest, behavior.viewerResponse]) if (fn && fn.kvsAssociations && fn.kvsAssociations.length > 0) byLogicalId.set(fn.logicalId, fn);
29334
+ return [...byLogicalId.values()];
29335
+ }
29336
+ async function buildSourceForAssociation(assoc, options) {
29337
+ if (assoc.kvsLogicalId !== void 0) {
29338
+ const filePath = options.kvsFiles?.get(assoc.kvsLogicalId);
29339
+ if (filePath !== void 0) return createLocalFileKvsDataSource({
29340
+ id: assoc.kvsLogicalId,
29341
+ filePath
29342
+ });
29343
+ }
29344
+ if (typeof assoc.arnValue === "string" && assoc.arnValue.startsWith("arn:")) return makeDeployedSource(assoc.arnValue, idFromArn(assoc.arnValue), options);
29345
+ if (assoc.kvsLogicalId !== void 0 && options.resolveDeployedKvs) {
29346
+ const ref = await options.resolveDeployedKvs(assoc.kvsLogicalId);
29347
+ if (ref) return makeDeployedSource(ref.arn, ref.id, options);
29348
+ }
29349
+ }
29350
+ function makeDeployedSource(arn, id, options) {
29351
+ return createDeployedKvsDataSource({
29352
+ kvsArn: arn,
29353
+ ...id !== void 0 && { kvsId: id },
29354
+ ...options.region !== void 0 && { region: options.region },
29355
+ ...options.credentials !== void 0 && { credentials: options.credentials }
29356
+ });
29357
+ }
29358
+ /** The KeyValueStore Id is the ARN's last `/`-segment. */
29359
+ function idFromArn(arn) {
29360
+ const slash = arn.lastIndexOf("/");
29361
+ return slash >= 0 && slash < arn.length - 1 ? arn.slice(slash + 1) : void 0;
29362
+ }
29363
+
29076
29364
  //#endregion
29077
29365
  //#region src/cli/commands/local-start-cloudfront.ts
29078
29366
  /** Error thrown by `cdkl start-cloudfront` for target / option problems. */
@@ -29097,6 +29385,55 @@ function parseOriginOverrides(values) {
29097
29385
  return out;
29098
29386
  }
29099
29387
  /**
29388
+ * Parse the repeatable `--kvs-file <kvsLogicalId>=<file.json>` overrides into a
29389
+ * map. Each entry backs a CloudFront Function's `cf.kvs()` reads with a local
29390
+ * JSON map instead of the deployed store — the AWS-free escape hatch for KVS,
29391
+ * symmetric with `--origin <id>=<dir>`. The key is the
29392
+ * `AWS::CloudFront::KeyValueStore` resource logical id (surfaced in the
29393
+ * unbound-KVS boot warning when missing).
29394
+ */
29395
+ function parseKvsFileOverrides(values) {
29396
+ const out = /* @__PURE__ */ new Map();
29397
+ for (const raw of values ?? []) {
29398
+ const eq = raw.indexOf("=");
29399
+ if (eq <= 0 || eq === raw.length - 1) throw new LocalStartCloudFrontError(`Invalid --kvs-file '${raw}'. Expected <kvsLogicalId>=<file.json> (e.g. MyKvsStore=./kvs.json).`);
29400
+ out.set(raw.slice(0, eq).trim(), raw.slice(eq + 1).trim());
29401
+ }
29402
+ return out;
29403
+ }
29404
+ /**
29405
+ * Resolve + attach the `cf` KeyValueStore module to every KVS-reading
29406
+ * CloudFront Function in the distribution (run after each synth, initial +
29407
+ * `--watch` reload). A `--kvs-file` map wins; otherwise `--from-cfn-stack`
29408
+ * resolves the deployed store's ARN from state and `cf.kvs().get()` reads it
29409
+ * via the `GetKey` API. Unresolved associations log an actionable WARN (the
29410
+ * runtime then fails the read with the same guidance).
29411
+ */
29412
+ async function attachKvsModules(distribution, stacks, options, profileCredentials, logger) {
29413
+ const kvsFiles = parseKvsFileOverrides(options.kvsFile);
29414
+ const synthRegion = stacks.find((s) => s.stackName === distribution.stackName)?.region;
29415
+ const resolveDeployedKvs = isCfnFlagPresent(options) ? async (kvsLogicalId) => {
29416
+ const provider = createLocalStateProvider(options, distribution.stackName, synthRegion);
29417
+ if (!provider) return void 0;
29418
+ const physicalId = (await provider.load(distribution.stackName, synthRegion))?.resources[kvsLogicalId]?.physicalId;
29419
+ if (!physicalId) return void 0;
29420
+ if (physicalId.startsWith("arn:")) {
29421
+ const id = idFromArn(physicalId);
29422
+ return {
29423
+ arn: physicalId,
29424
+ ...id !== void 0 && { id }
29425
+ };
29426
+ }
29427
+ return resolveDeployedKvsArnByName(physicalId, { ...profileCredentials !== void 0 && { credentials: profileCredentials } });
29428
+ } : void 0;
29429
+ const { warnings } = await resolveKvsModulesForDistribution(distribution, {
29430
+ ...kvsFiles.size > 0 && { kvsFiles },
29431
+ ...resolveDeployedKvs !== void 0 && { resolveDeployedKvs },
29432
+ ...profileCredentials !== void 0 && { credentials: profileCredentials }
29433
+ });
29434
+ for (const warning of warnings) logger.warn(warning);
29435
+ }
29436
+ /**
29100
29437
  * Resolve a CloudFront target string (`Stack/Path` display path or
29101
29438
  * `Stack:LogicalId`) to its stack + `AWS::CloudFront::Distribution` logical id.
29102
29439
  * Mirrors the ALB / ECS resolver target grammar.
@@ -29241,6 +29578,7 @@ async function localStartCloudFrontCommand(target, options) {
29241
29578
  ...options.profile !== void 0 && { profile: options.profile },
29242
29579
  ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion }
29243
29580
  };
29581
+ await attachKvsModules(initial.distribution, initial.stacks, options, profileCredentials, logger);
29244
29582
  const { invokers: lambdaInvokers, runners: lambdaRunners } = await bootLambdaUrlOrigins(initial.distribution, initial.stacks, {
29245
29583
  containerHost: options.host,
29246
29584
  skipPull: options.pull === false,
@@ -29280,6 +29618,7 @@ async function localStartCloudFrontCommand(target, options) {
29280
29618
  try {
29281
29619
  const reloaded = await synthAndResolve();
29282
29620
  warnUnsupported(reloaded.distribution);
29621
+ await attachKvsModules(reloaded.distribution, reloaded.stacks, options, profileCredentials, logger);
29283
29622
  server.update(reloaded.distribution);
29284
29623
  logger.info("Reload complete.");
29285
29624
  } catch (err) {
@@ -29333,7 +29672,7 @@ function createLocalStartCloudFrontCommand(opts = {}) {
29333
29672
  * `cmd`.
29334
29673
  */
29335
29674
  function addStartCloudFrontSpecificOptions(cmd) {
29336
- return cmd.addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--origin <originId=dir>", "Point a distribution origin at a local directory (repeatable). Use when cdk-local cannot resolve the origin's BucketDeployment source automatically (content uploaded out of band, or a non-CDK bucket).").argParser((value, prev) => [...prev ?? [], value])).addOption(new Option("--tls", "Terminate real TLS (HTTPS). Uses --tls-cert / --tls-key when supplied, else an auto-generated self-signed cert.").default(false)).addOption(new Option("--tls-cert <path>", "PEM server certificate for --tls (implies --tls).")).addOption(new Option("--tls-key <path>", "PEM server private key for --tls (implies --tls).")).addOption(new Option("--no-pull", "Skip 'docker pull' for a Lambda Function URL origin's base image (use the locally cached image).")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Bind a Lambda Function URL origin's backing Lambda to a deployed CloudFormation stack so its env vars resolve to the deployed physical IDs / exports (ListStackResources). Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name; pass a value when the CFn stack name differs. No effect on a pure-S3 distribution.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--assume-role [arn]", "Assume a Lambda Function URL origin's deployed execution role and forward STS-issued temp credentials into its container so the handler runs with the deployed permissions. Three forms: `--assume-role <arn>` (explicit ARN); `--assume-role` (bare, auto-resolves from state — requires --from-cfn-stack); `--no-assume-role` (opt out). Off by default (the dev shell credentials are forwarded).")).addOption(new Option("--watch", "Hot-reload: re-synth + re-resolve the distribution when the CDK app's source changes (honors cdk.json watch.include/exclude; cdk.out, node_modules, .git are always excluded). The server keeps the previous version serving when synth fails mid-reload.").default(false));
29675
+ return cmd.addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--origin <originId=dir>", "Point a distribution origin at a local directory (repeatable). Use when cdk-local cannot resolve the origin's BucketDeployment source automatically (content uploaded out of band, or a non-CDK bucket).").argParser((value, prev) => [...prev ?? [], value])).addOption(new Option("--kvs-file <kvsLogicalId=file.json>", "Back a CloudFront Function's KeyValueStore reads (cf.kvs().get()) with a local JSON map (repeatable). The key is the AWS::CloudFront::KeyValueStore resource logical id; the file is a flat { \"key\": \"value\" } object. The AWS-free alternative to --from-cfn-stack, which instead reads the deployed store via the GetKey API.").argParser((value, prev) => [...prev ?? [], value])).addOption(new Option("--tls", "Terminate real TLS (HTTPS). Uses --tls-cert / --tls-key when supplied, else an auto-generated self-signed cert.").default(false)).addOption(new Option("--tls-cert <path>", "PEM server certificate for --tls (implies --tls).")).addOption(new Option("--tls-key <path>", "PEM server private key for --tls (implies --tls).")).addOption(new Option("--no-pull", "Skip 'docker pull' for a Lambda Function URL origin's base image (use the locally cached image).")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Bind a Lambda Function URL origin's backing Lambda to a deployed CloudFormation stack so its env vars resolve to the deployed physical IDs / exports (ListStackResources). Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name; pass a value when the CFn stack name differs. No effect on a pure-S3 distribution.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--assume-role [arn]", "Assume a Lambda Function URL origin's deployed execution role and forward STS-issued temp credentials into its container so the handler runs with the deployed permissions. Three forms: `--assume-role <arn>` (explicit ARN); `--assume-role` (bare, auto-resolves from state — requires --from-cfn-stack); `--no-assume-role` (opt out). Off by default (the dev shell credentials are forwarded).")).addOption(new Option("--watch", "Hot-reload: re-synth + re-resolve the distribution when the CDK app's source changes (honors cdk.json watch.include/exclude; cdk.out, node_modules, .git are always excluded). The server keeps the previous version serving when synth fails mid-reload.").default(false));
29337
29676
  }
29338
29677
 
29339
29678
  //#endregion
@@ -33415,7 +33754,13 @@ function createStudioServeManager(config) {
33415
33754
  const envFile = envDir ? join(envDir, "env-vars.json") : void 0;
33416
33755
  let child;
33417
33756
  try {
33418
- child = spawnFn(nodeBin, [config.cliEntry, ...buildArgs(req, spec, envFile)], { cwd });
33757
+ child = spawnFn(nodeBin, [config.cliEntry, ...buildArgs(req, spec, envFile)], {
33758
+ cwd,
33759
+ env: {
33760
+ ...process.env,
33761
+ CDKL_LOG_STREAM: "stdout"
33762
+ }
33763
+ });
33419
33764
  } catch (err) {
33420
33765
  if (envDir) try {
33421
33766
  rmSync(envDir, {
@@ -34362,5 +34707,5 @@ function addStudioSpecificOptions(cmd) {
34362
34707
  }
34363
34708
 
34364
34709
  //#endregion
34365
- export { addRunTaskSpecificOptions as $, buildConnectEvent as $n, createLocalInvokeCommand as $t, resolveCloudFrontTarget as A, attachAuthorizers as An, parseSelectionExpressionPath as Ar, createLocalInvokeAgentCoreCommand as At, compileCloudFrontFunction as B, buildRestV1Event as Bn, AgentCoreResolutionError as Br, AGENTCORE_SIGV4_SERVICE as Bt, addListSpecificOptions as C, verifyJwtAuthorizer as Cn, resolveSingleTarget as Cr, CloudMapRegistry as Ct, addStartCloudFrontSpecificOptions as D, evaluateCachedLambdaPolicy as Dn, discoverWebSocketApis as Dr, getContainerNetworkIp as Dt, LocalStartCloudFrontError as E, computeRequestIdentityHash as En, availableWebSocketApiIdentifiers as Er, setShadowReadyTimeoutMs as Et, CLOUDFRONT_DISTRIBUTION_TYPE as F, matchPreflight as Fn, AGENTCORE_A2A_PROTOCOL as Fr, MCP_CONTAINER_PORT as Ft, createLocalStartAlbCommand as G, VtlEvaluationError as Gn, substituteImagePlaceholders as Gr, downloadAndExtractS3Bundle as Gt, runViewerResponse as H, pickResponseTemplate as Hn, resolveAgentCoreTarget as Hr, AGENTCORE_SESSION_ID_HEADER as Ht, isCloudFrontDistribution as I, matchRoute as In, AGENTCORE_AGUI_PROTOCOL as Ir, MCP_PATH as It, isApplicationLoadBalancer as J, bufferToBody as Jn, buildStsClientConfig as Jr, computeCodeImageTag as Jt, parseLbPortOverrides as K, HOST_GATEWAY_MIN_VERSION as Kn, tryResolveImageFnJoin as Kr, SUPPORTED_CODE_RUNTIMES as Kt, pickFunctionUrlLogicalIdFromOrigin as L, translateLambdaResponse as Ln, AGENTCORE_HTTP_PROTOCOL as Lr, MCP_PROTOCOL_VERSION as Lt, startCloudFrontServer as M, buildCorsConfigByApiId as Mn, discoverRoutes as Mr, A2A_CONTAINER_PORT as Mt, serveFromStaticOrigin as N, buildCorsConfigFromCloudFrontChain as Nn, pickRefLogicalId as Nr, A2A_PATH as Nt, createLocalStartCloudFrontCommand as O, invokeRequestAuthorizer as On, discoverWebSocketApisOrThrow as Or, attachContainerLogStreamer as Ot, serveLambdaUrlOrigin as P, isFunctionUrlOacFronted as Pn, resolveLambdaArnIntrinsic as Pr, a2aInvokeOnce as Pt, serviceStrategy as Q, parseConnectionsPath as Qn, addInvokeSpecificOptions as Qt, pickTargetFunctionLogicalId as R, applyAuthorizerOverlay as Rn, AGENTCORE_MCP_PROTOCOL as Rr, mcpInvokeOnce as Rt, StudioEventBus as S, verifyCognitoJwt as Sn, resolveWatchConfig as Sr, buildCloudMapIndex as St, formatTargetListing as T, buildMethodArn as Tn, listTargets as Tr, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as Tt, addAlbSpecificOptions as U, selectIntegrationResponse as Un, derivePseudoParametersFromRegion as Ur, invokeAgentCore as Ut, runViewerRequest as V, evaluateResponseParameters as Vn, pickAgentCoreCandidateStack as Vr, signAgentCoreInvocation as Vt, albStrategy as W, tryParseStatus as Wn, formatStateRemedy as Wr, waitForAgentCorePing as Wt, addStartServiceSpecificOptions as X, buildMgmtEndpointEnvUrl as Xn, toCmdArgv as Xt, resolveAlbFrontDoor as Y, ConnectionRegistry as Yn, resolveProfileCredentials as Yr, renderCodeDockerfile as Yt, createLocalStartServiceCommand as Z, handleConnectionsRequest as Zn, classifySourceChange as Zt, filterStudioTargetGroups as _, resolveServiceIntegrationParameters as _n, resolveCfnRegion as _r, resolveImageOverrides as _t, createLocalStudioCommand as a, createFileWatcher as an, resolveRuntimeFileExtension as ar, buildEcsImageResolutionContext$1 as at, renderStudioHtml as b, buildJwksUrlFromIssuer as bn, collectSsmParameterRefs as br, isLocalCdkAssetImage as bt, startStudioProxy as c, materializeLayerFromArn as cn, substituteAgainstState as cr, parseRestartPolicy as ct, createStudioDispatcher as d, filterRoutesByApiIdentifier as dn, substituteEnvVarsFromStateAsync as dr, runEcsServiceEmulator as dt, addStartApiSpecificOptions as en, buildDisconnectEvent as er, createLocalRunTaskCommand as et, filterStudioCustomResources as f, filterRoutesByApiIdentifiers as fn, LocalStateSourceError as fr, ImageOverrideError as ft, annotatePinnedEcsTargets as g, resolveSelectionExpression as gn, resolveCfnFallbackRegion as gr, parseImageOverrideFlags as gt, annotateEcsTaskPinnedTargets as h, startApiServer as hn, rejectExplicitCfnStackWithMultipleStacks as hr, mergeForService as ht, coerceStopRequest as i, createAuthorizerCache as in, resolveRuntimeCodeMountPath as ir, addImageOverrideOptions as it, matchBehavior as j, applyCorsResponseHeaders as jn, webSocketApiMatchesIdentifier as jr, invokeAgentCoreWs as jt, parseOriginOverrides as k, invokeTokenAuthorizer as kn, filterWebSocketApisByIdentifiers as kr, addInvokeAgentCoreSpecificOptions as kt, relayServeRequest as l, resolveEnvVars$1 as ln, substituteAgainstStateAsync as lr, resolveEcsAssumeRoleOption as lt, annotateAlbPinnedBackingServices as m, readMtlsMaterialsFromDisk as mn, isCfnFlagPresent as mr, enforceImageOverrideOrphans as mt, coerceRunRequest as n, createWatchPredicates as nn, architectureToPlatform as nr, addCommonEcsServiceOptions as nt, resolveServeBaseUrl as o, attachStageContext as on, resolveRuntimeImage as or, ecsClusterOption as ot, isCustomResourceLambdaTarget as p, groupRoutesByServer as pn, createLocalStateProvider as pr, buildImageOverrideTag as pt, resolveAlbTarget as q, probeHostGatewaySupport as qn, LocalInvokeBuildError as qr, buildAgentCoreCodeImage as qt, coerceServeRequest as r, resolveApiTargetSubset as rn, buildContainerImage as rr, addEcsAssumeRoleOptions as rt, createStudioServeManager as s, buildStageMap as sn, EcsTaskResolutionError as sr, parseMaxTasks as st, addStudioSpecificOptions as t, createLocalStartApiCommand as tn, buildMessageEvent as tr, MAX_TASKS_SUBNET_RANGE_CAP as tt, reinvoke as u, availableApiIdentifiers as un, substituteEnvVarsFromState as ur, resolveSharedSidecarCredentials as ut, startStudioServer as v, defaultCredentialsLoader as vn, resolveCfnStackName as vr, runImageOverrideBuilds as vt, createLocalListCommand as w, verifyJwtViaDiscovery as wn, countTargets as wr, DEFAULT_SHADOW_READY_TIMEOUT_MS as wt, createStudioStore as x, createJwksCache as xn, resolveSsmParameters as xr, listPinnedTargets as xt, toStudioTargetGroups as y, buildCognitoJwksUrl as yn, CfnLocalStateProvider as yr, describePinnedImageUri as yt, resolveCloudFrontDistribution as z, buildHttpApiV2Event as zn, AGENTCORE_RUNTIME_TYPE as zr, parseSseForJsonRpc as zt };
34366
- //# sourceMappingURL=local-studio-DnX9LpCF.js.map
34710
+ export { createUnboundCloudFrontModule as $, pickResponseTemplate as $n, resolveAgentCoreTarget as $r, AGENTCORE_SESSION_ID_HEADER as $t, parseOriginOverrides as A, buildCognitoJwksUrl as An, CfnLocalStateProvider as Ar, describePinnedImageUri as At, CLOUDFRONT_DISTRIBUTION_TYPE as B, invokeTokenAuthorizer as Bn, filterWebSocketApisByIdentifiers as Br, addInvokeAgentCoreSpecificOptions as Bt, addListSpecificOptions as C, filterRoutesByApiIdentifiers as Cn, LocalStateSourceError as Cr, ImageOverrideError as Ct, addStartCloudFrontSpecificOptions as D, resolveSelectionExpression as Dn, resolveCfnFallbackRegion as Dr, parseImageOverrideFlags as Dt, LocalStartCloudFrontError as E, startApiServer as En, rejectExplicitCfnStackWithMultipleStacks as Er, mergeForService as Et, resolveDeployedKvsArnByName as F, verifyJwtViaDiscovery as Fn, countTargets as Fr, DEFAULT_SHADOW_READY_TIMEOUT_MS as Ft, pickTargetFunctionLogicalId as G, isFunctionUrlOacFronted as Gn, resolveLambdaArnIntrinsic as Gr, a2aInvokeOnce as Gt, isCloudFrontDistribution as H, applyCorsResponseHeaders as Hn, webSocketApiMatchesIdentifier as Hr, invokeAgentCoreWs as Ht, matchBehavior as I, buildMethodArn as In, listTargets as Ir, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as It, runViewerRequest as J, translateLambdaResponse as Jn, AGENTCORE_HTTP_PROTOCOL as Jr, MCP_PROTOCOL_VERSION as Jt, resolveCloudFrontDistribution as K, matchPreflight as Kn, AGENTCORE_A2A_PROTOCOL as Kr, MCP_CONTAINER_PORT as Kt, startCloudFrontServer as L, computeRequestIdentityHash as Ln, availableWebSocketApiIdentifiers as Lr, setShadowReadyTimeoutMs as Lt, idFromArn as M, createJwksCache as Mn, resolveSsmParameters as Mr, listPinnedTargets as Mt, resolveKvsModulesForDistribution as N, verifyCognitoJwt as Nn, resolveWatchConfig as Nr, buildCloudMapIndex as Nt, createLocalStartCloudFrontCommand as O, resolveServiceIntegrationParameters as On, resolveCfnRegion as Or, resolveImageOverrides as Ot, createDeployedKvsDataSource as P, verifyJwtAuthorizer as Pn, resolveSingleTarget as Pr, CloudMapRegistry as Pt, createLocalFileKvsDataSource as Q, evaluateResponseParameters as Qn, pickAgentCoreCandidateStack as Qr, signAgentCoreInvocation as Qt, serveFromStaticOrigin as R, evaluateCachedLambdaPolicy as Rn, discoverWebSocketApis as Rr, getContainerNetworkIp as Rt, StudioEventBus as S, filterRoutesByApiIdentifier as Sn, substituteEnvVarsFromStateAsync as Sr, runEcsServiceEmulator as St, formatTargetListing as T, readMtlsMaterialsFromDisk as Tn, isCfnFlagPresent as Tr, enforceImageOverrideOrphans as Tt, pickFunctionUrlLogicalIdFromOrigin as U, buildCorsConfigByApiId as Un, discoverRoutes as Ur, A2A_CONTAINER_PORT as Ut, extractKvsAssociations as V, attachAuthorizers as Vn, parseSelectionExpressionPath as Vr, createLocalInvokeAgentCoreCommand as Vt, pickKvsLogicalIdFromArn as W, buildCorsConfigFromCloudFrontChain as Wn, pickRefLogicalId as Wr, A2A_PATH as Wt, stripCloudFrontImport as X, buildHttpApiV2Event as Xn, AGENTCORE_RUNTIME_TYPE as Xr, parseSseForJsonRpc as Xt, runViewerResponse as Y, applyAuthorizerOverlay as Yn, AGENTCORE_MCP_PROTOCOL as Yr, mcpInvokeOnce as Yt, createCloudFrontModule as Z, buildRestV1Event as Zn, AgentCoreResolutionError as Zr, AGENTCORE_SIGV4_SERVICE as Zt, filterStudioTargetGroups as _, attachStageContext as _n, resolveRuntimeImage as _r, ecsClusterOption as _t, createLocalStudioCommand as a, buildStsClientConfig as ai, computeCodeImageTag as an, bufferToBody as ar, isApplicationLoadBalancer as at, renderStudioHtml as b, resolveEnvVars$1 as bn, substituteAgainstStateAsync as br, resolveEcsAssumeRoleOption as bt, startStudioProxy as c, classifySourceChange as cn, handleConnectionsRequest as cr, createLocalStartServiceCommand as ct, createStudioDispatcher as d, addStartApiSpecificOptions as dn, buildDisconnectEvent as dr, createLocalRunTaskCommand as dt, derivePseudoParametersFromRegion as ei, invokeAgentCore as en, selectIntegrationResponse as er, addAlbSpecificOptions as et, filterStudioCustomResources as f, createLocalStartApiCommand as fn, buildMessageEvent as fr, MAX_TASKS_SUBNET_RANGE_CAP as ft, annotatePinnedEcsTargets as g, createFileWatcher as gn, resolveRuntimeFileExtension as gr, buildEcsImageResolutionContext$1 as gt, annotateEcsTaskPinnedTargets as h, createAuthorizerCache as hn, resolveRuntimeCodeMountPath as hr, addImageOverrideOptions as ht, coerceStopRequest as i, LocalInvokeBuildError as ii, buildAgentCoreCodeImage as in, probeHostGatewaySupport as ir, resolveAlbTarget as it, resolveCloudFrontTarget as j, buildJwksUrlFromIssuer as jn, collectSsmParameterRefs as jr, isLocalCdkAssetImage as jt, parseKvsFileOverrides as k, defaultCredentialsLoader as kn, resolveCfnStackName as kr, runImageOverrideBuilds as kt, relayServeRequest as l, addInvokeSpecificOptions as ln, parseConnectionsPath as lr, serviceStrategy as lt, annotateAlbPinnedBackingServices as m, resolveApiTargetSubset as mn, buildContainerImage as mr, addEcsAssumeRoleOptions as mt, coerceRunRequest as n, substituteImagePlaceholders as ni, downloadAndExtractS3Bundle as nn, VtlEvaluationError as nr, createLocalStartAlbCommand as nt, resolveServeBaseUrl as o, resolveProfileCredentials as oi, renderCodeDockerfile as on, ConnectionRegistry as or, resolveAlbFrontDoor as ot, isCustomResourceLambdaTarget as p, createWatchPredicates as pn, architectureToPlatform as pr, addCommonEcsServiceOptions as pt, compileCloudFrontFunction as q, matchRoute as qn, AGENTCORE_AGUI_PROTOCOL as qr, MCP_PATH as qt, coerceServeRequest as r, tryResolveImageFnJoin as ri, SUPPORTED_CODE_RUNTIMES as rn, HOST_GATEWAY_MIN_VERSION as rr, parseLbPortOverrides as rt, createStudioServeManager as s, toCmdArgv as sn, buildMgmtEndpointEnvUrl as sr, addStartServiceSpecificOptions as st, addStudioSpecificOptions as t, formatStateRemedy as ti, waitForAgentCorePing as tn, tryParseStatus as tr, albStrategy as tt, reinvoke as u, createLocalInvokeCommand as un, buildConnectEvent as ur, addRunTaskSpecificOptions as ut, startStudioServer as v, buildStageMap as vn, EcsTaskResolutionError as vr, parseMaxTasks as vt, createLocalListCommand as w, groupRoutesByServer as wn, createLocalStateProvider as wr, buildImageOverrideTag as wt, createStudioStore as x, availableApiIdentifiers as xn, substituteEnvVarsFromState as xr, resolveSharedSidecarCredentials as xt, toStudioTargetGroups as y, materializeLayerFromArn as yn, substituteAgainstState as yr, parseRestartPolicy as yt, serveLambdaUrlOrigin as z, invokeRequestAuthorizer as zn, discoverWebSocketApisOrThrow as zr, attachContainerLogStreamer as zt };
34711
+ //# sourceMappingURL=local-studio-DPEUB-rH.js.map