cdk-local 0.12.0 → 0.13.1

package/README.md

@@ -161,18 +161,19 @@ Use this for production debugging, integration verification with real AWS resour
 
 ## `--watch` (hot reload)
 
-Pass `--watch` to `cdkl start-api` and the server hot-reloads when your CDK app's synth output (or any routed Lambda's asset directory) changes:
+Pass `--watch` to `cdkl start-api` and the server re-synths and hot-reloads when your CDK app's **source** changes — edit a handler or construct, save, and the change is live:
 
 ```bash
 cdkl start-api MyStack/MyApi --watch
 ```
 
-- 500 ms debounced [chokidar](https://github.com/paulmillr/chokidar) file watcher on `cdk.out/` + every routed Lambda's asset dir.
-- Re-synths and re-discovers routes on each firing — adding a new route to your CDK app shows up locally on save.
+- 500 ms debounced [chokidar](https://github.com/paulmillr/chokidar) file watcher on your CDK app's source tree (the directory holding `cdk.json`). Honors `cdk.json`'s `watch.include` / `watch.exclude` globs, exactly like `cdk watch`.
+- `cdk.out/`, `node_modules`, and `.git` are always excluded — the reload's own re-synth writes to `cdk.out/` never re-trigger the watcher, so there is no reload loop.
+- Re-synths and re-discovers routes on each firing — adding a new route to your CDK app shows up locally on save. No separate `cdk watch` / `cdk synth` process is needed.
 - Synth failures keep the previous version serving (warn-and-continue, never crashes the server).
-- Compatible with `--from-cfn-stack`: each reload re-reads the deployed CloudFormation stack so a deploy event picks up new ARNs without restarting the server.
+- Compatible with `--from-cfn-stack`: each reload re-reads the deployed CloudFormation stack so newly-deployed ARNs are picked up on your next source save without restarting the server.
 
-See [docs/local-emulation.md](docs/local-emulation.md#hot-reload---watch) for the full lifecycle, file-list update semantics, and known limitations.
+See [docs/local-emulation.md](docs/local-emulation.md#hot-reload---watch) for the full lifecycle, `watch.include` / `watch.exclude` semantics, and known limitations.
 
 ## Override env vars without a state source
 

package/dist/cli.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { i as createLocalStartApiCommand, k as createLocalInvokeCommand, r as createLocalRunTaskCommand, t as createLocalStartServiceCommand } from "./local-start-service-D7VpREhn.js";
+import { i as createLocalStartApiCommand, k as createLocalInvokeCommand, r as createLocalRunTaskCommand, t as createLocalStartServiceCommand } from "./local-start-service-C1AHpRo-.js";
 import { Command } from "commander";
 
 //#region src/cli/index.ts
 const program = new Command();
-program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.12.0");
+program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.13.1");
 program.addCommand(createLocalInvokeCommand());
 program.addCommand(createLocalStartApiCommand());
 program.addCommand(createLocalRunTaskCommand());

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../src/types/state.ts","../src/local/state-resolver.ts","../src/local/local-state-provider.ts","../src/cli/commands/local-state-source.ts","../src/local/embed-config.ts","../src/types/resource.ts","../src/synthesis/assembly-reader.ts","../src/cli/commands/local-invoke.ts","../src/local/httpv2-service-integration.ts","../src/local/container-pool.ts","../src/local/integration-response-selector.ts","../src/local/rest-v1-integrations.ts","../src/local/route-discovery.ts","../src/local/authorizer-resolver.ts","../src/local/authorizer-cache.ts","../src/local/cognito-jwt.ts","../src/cli/commands/local-start-api.ts","../src/cli/commands/local-run-task.ts","../src/cli/commands/local-start-service.ts","../src/local/cfn-local-state-provider.ts","../src/local/intrinsic-utils.ts","../src/local/intrinsic-lambda-arn.ts","../src/local/parameter-mapping.ts","../src/local/api-gateway-response.ts","../src/local/docker-inspect.ts","../src/local/route-matcher.ts","../src/local/api-gateway-event.ts","../src/local/websocket-route-discovery.ts","../src/local/lambda-authorizer.ts"],"mappings":";;;;UAuLiB,aAAA;EAEf,UAAA;EAGA,YAAA;EAGA,UAAA,EAAY,MAAA;EAcZ,kBAAA,GAAqB,MAAA;EAGrB,UAAA,GAAa,MAAA;EAGb,YAAA;EAGA,QAAA,GAAW,MAAA;EAmBX,cAAA;EAMA,mBAAA;EAyBA,aAAA;AAAA;;;UCxIe,gBAAA;EACf,SAAA;EACA,MAAA;EACA,SAAA;EACA,SAAA;AAAA;AAAA,UAqBe,kBAAA;EAOf,aAAA,CAAc,UAAA,WAAqB,OAAA;EAQnC,qBAAA,CACE,aAAA,UACA,cAAA,UACA,UAAA,WACC,OAAA;AAAA;AAAA,UAGY,mBAAA;EAEf,SAAA,EAAW,MAAA,SAAe,aAAA;EAE1B,gBAAA,GAAmB,gBAAA;EAOnB,kBAAA,GAAqB,kBAAA;EAOrB,cAAA;AAAA;;;UCrJe,gBAAA;EAWf,SAAA,EAAW,MAAA,SAAe,aAAA;EAO1B,OAAA,EAAS,MAAA;EAOT,MAAA;AAAA;AAAA,UAsBe,kBAAA;EAAA,SAMN,KAAA;EAQT,IAAA,CAAK,SAAA,UAAmB,WAAA,uBAAkC,OAAA,CAAQ,gBAAA;EAalE,uBAAA,CAAwB,cAAA,WAAyB,OAAA,CAAQ,kBAAA;EA4BzD,0BAAA,EACE,kBAAA,WACC,OAAA,CAAQ,MAAA;EAKX,OAAA;AAAA;;;UC7Ge,uBAAA;EAOf,YAAA;EAEA,MAAA;EAEA,OAAA;EAMA,WAAA;EAAA,CAEC,GAAA;AAAA;AAAA,KAQS,yBAAA,IAA6B,OAAA,EAAS,uBAAA,KAA4B,kBAAA;AAAA,KAUlE,mBAAA,GAAsB,MAAA,SAAe,yBAAA;AAAA,iBAUjC,mBAAA,CAAoB,YAAA,oBAAgC,SAAA;AAAA,iBAapD,gBAAA,CAAiB,IAAA,EAAM,IAAA,CAAK,uBAAA;AAAA,iBAgB5B,gBAAA,CACd,OAAA,EAAS,IAAA,CAAK,uBAAA,6BACd,WAAA;AAAA,iBAqCoB,wBAAA,CACpB,OAAA,EAAS,IAAA,CAAK,uBAAA,+BACd,WAAA,uBACC,OAAA;AAAA,cAUU,qBAAA,SAA8B,KAAA;cAC7B,OAAA;AAAA;AAAA,iBAkBE,wCAAA,CACd,OAAA,EAAS,IAAA,CAAK,uBAAA,mBACd,gBAAA;AAAA,iBAiCc,wBAAA,CACd,OAAA,EAAS,uBAAA,EACT,SAAA,UACA,WAAA,sBACA,mBAAA,GAAsB,mBAAA,GACrB,kBAAA;;;UCrNc,mBAAA;EAMf,OAAA;EAOA,UAAA;EAMA,WAAA;EAOA,kBAAA;EAMA,gBAAA;EAMA,SAAA;AAAA;;;UCrDe,sBAAA;EACf,wBAAA;EACA,WAAA;EACA,UAAA,GAAa,MAAA,SAAe,iBAAA;EAC5B,SAAA,EAAW,MAAA,SAAe,gBAAA;EAC1B,OAAA,GAAU,MAAA,SAAe,cAAA;EACzB,UAAA,GAAa,MAAA;EACb,QAAA,GAAW,MAAA;EAWX,SAAA;EACA,KAAA,GAAQ,MAAA;AAAA;AAAA,UAMO,iBAAA;EACf,IAAA;EACA,OAAA;EACA,WAAA;EACA,aAAA;EACA,cAAA;EACA,qBAAA;AAAA;AAAA,UAMe,gBAAA;EACf,IAAA;EACA,UAAA,GAAa,MAAA;EACb,SAAA;EACA,SAAA;EACA,QAAA,GAAW,MAAA;EACX,cAAA,GAAiB,MAAA;EACjB,YAAA,GAAe,MAAA;EACf,cAAA;EACA,mBAAA;AAAA;AAAA,UAMe,cAAA;EACf,KAAA;EACA,WAAA;EACA,MAAA;IACE,IAAA;EAAA;AAAA;;;UCxCa,SAAA;EAEf,SAAA;EAOA,WAAA;EAGA,UAAA;EAGA,QAAA,EAAU,sBAAA;EAGV,iBAAA;EAGA,eAAA;EAGA,MAAA;EAGA,OAAA;EAOA,qBAAA;EAcA,eAAA,GAAkB,MAAA;AAAA;;;UCwEH,+BAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAg4BA,wBAAA,CAAyB,IAAA,GAAM,+BAAA,GAAuC,OAAA;;;KC77B1E,gBAAA;;;UC7CK,eAAA;EACf,SAAA;EACA,WAAA;EACA,aAAA;EACA,QAAA;EACA,aAAA;EAEA,aAAA;AAAA;AAAA,UAgMe,aAAA;EAMf,OAAA,CAAQ,SAAA,WAAoB,OAAA,CAAQ,eAAA;EAEpC,OAAA,CAAQ,MAAA,EAAQ,eAAA;EAEhB,OAAA,IAAW,OAAA;AAAA;;;UCvMI,wBAAA;EAEf,UAAA;EAOA,gBAAA;EAaA,kBAAA,GAAqB,MAAA;EAQrB,iBAAA,GAAoB,MAAA;EAEpB,eAAA;AAAA;;;UC2Ee,qBAAA;EACf,IAAA;EAOA,eAAA;EAEA,SAAA,EAAW,wBAAA;AAAA;AAAA,UA8FI,0BAAA;EACf,IAAA;EAEA,GAAA;EAEA,qBAAA;EAMA,iBAAA,GAAoB,MAAA;EAEpB,SAAA,EAAW,wBAAA;AAAA;AAAA,UAsGI,qBAAA;EACf,IAAA;EACA,GAAA;EACA,qBAAA;EACA,iBAAA,GAAoB,MAAA;EAEpB,gBAAA,GAAmB,MAAA;EACnB,SAAA,EAAW,wBAAA;AAAA;AAAA,UA2II,0BAAA;EACf,IAAA;EAEA,eAAA;EAEA,gBAAA,GAAmB,MAAA;EAEnB,SAAA,EAAW,wBAAA;AAAA;;;KClfD,uBAAA,GACR,qBAAA,GACA,0BAAA,GACA,qBAAA,GACA,0BAAA;AAAA,UAmCa,eAAA;EAEf,MAAA;EAEA,WAAA;EAEA,eAAA;EAEA,MAAA;EAEA,UAAA;EAUA,KAAA;EAgBA,YAAA;EAQA,YAAA;EAWA,UAAA;EAOA,cAAA,GAAiB,MAAA;EAWjB,UAAA;EAsBA,WAAA;IAAgB,MAAA;EAAA;EAgBhB,QAAA;IAAa,UAAA;IAAoB,OAAA,EAAS,MAAA;EAAA;EAgB1C,kBAAA;IACE,OAAA,EAAS,gBAAA;IACT,iBAAA,EAAmB,QAAA,CAAS,MAAA;IAC5B,kBAAA,GAAqB,QAAA,CAAS,MAAA,SAAe,QAAA,CAAS,MAAA;EAAA;EAaxD,iBAAA,GAAoB,uBAAA;EAEpB,UAAA;AAAA;AAAA,iBAoBc,cAAA,CAAe,MAAA,WAAiB,SAAA,KAAc,eAAA;;;UCzL7C,qBAAA;EACf,IAAA;EAEA,SAAA;EAEA,eAAA;EAMA,WAAA;EAEA,gBAAA;EAEA,UAAA;AAAA;AAAA,UAGe,uBAAA;EACf,IAAA;EACA,SAAA;EACA,eAAA;EAEA,eAAA,EAAiB,aAAA,CAAc,sBAAA;EAE/B,gBAAA;EAEA,UAAA;EACA,UAAA;AAAA;AAAA,UASe,cAAA;EAEf,WAAA;EAEA,MAAA;EAEA,UAAA;AAAA;AAAA,UAGe,yBAAA;EACf,IAAA;EACA,SAAA;EAWA,KAAA,EAAO,aAAA,CAAc,cAAA;EAOrB,WAAA;EAEA,MAAA;EAEA,UAAA;EAYA,UAAA;AAAA;AAAA,UAGe,aAAA;EACf,IAAA;EACA,SAAA;EAEA,MAAA;EAKA,QAAA,EAAU,aAAA;EAMV,MAAA;EACA,UAAA;EACA,UAAA;AAAA;AAAA,KAuCU,sBAAA;EACN,IAAA;EAAgB,IAAA;AAAA;EAChB,IAAA;EAAe,IAAA;AAAA;EACf,IAAA;EAAiB,IAAA;AAAA;EACjB,IAAA;EAAwB,IAAA;AAAA;;;UC1Kb,sBAAA;EAcf,KAAA;EAKA,WAAA;EAMA,OAAA,GAAU,MAAA;EASV,MAAA;AAAA;AAAA,UAQe,eAAA;EAMf,GAAA,CAAI,mBAAA,UAA6B,YAAA,WAAuB,sBAAA;EAIxD,GAAA,CACE,mBAAA,UACA,YAAA,UACA,UAAA,UACA,MAAA,EAAQ,sBAAA;EAGV,KAAA;EAEA,IAAA;AAAA;AAAA,iBAQc,qBAAA,CAAsB,IAAA;EAAQ,GAAA;AAAA,IAA4B,eAAA;;;UC9DhE,OAAA;EAER,GAAA;EAEA,CAAA;EAEA,CAAA;EAEA,GAAA;EAEA,GAAA;EAEA,GAAA;AAAA;AAAA,UAGQ,cAAA;EAER,KAAA,EAAO,GAAA,SAAY,OAAA;EAEnB,SAAA;EAEA,WAAA;AAAA;AAAA,UAQe,SAAA;EACf,aAAA,CAAc,OAAA,WAAkB,OAAA,CAAQ,cAAA;EAExC,IAAA,CAAK,OAAA,WAAkB,cAAA;EACvB,KAAA;AAAA;AAAA,iBAac,eAAA,CACd,IAAA;EACE,SAAA,IACE,GAAA,aACG,OAAA;IAAU,EAAA;IAAa,MAAA;IAAgB,IAAA,QAAY,OAAA;EAAA;EACxD,GAAA;EACA,KAAA;EAEA,YAAA;AAAA,IAED,SAAA;AAAA,iBA+Ea,mBAAA,CAAoB,MAAA,UAAgB,UAAA;AAAA,iBAQpC,sBAAA,CAAuB,MAAA;AAAA,iBAsCjB,gBAAA,CACpB,UAAA,EAAY,yBAAA,EACZ,mBAAA,sBACA,SAAA,EAAW,SAAA,EACX,IAAA;EAAQ,GAAA;EAAoB,MAAA,GAAS,GAAA;AAAA,IACpC,OAAA,CAAQ,sBAAA;EAA2B,YAAA;EAAkC,UAAA;AAAA;AAAA,iBAuElD,mBAAA,CACpB,UAAA,EAAY,aAAA,EACZ,mBAAA,sBACA,SAAA,EAAW,SAAA,EACX,IAAA;EAAQ,GAAA;EAAoB,MAAA,GAAS,GAAA;AAAA,IACpC,OAAA,CAAQ,sBAAA;EAA2B,YAAA;EAAkC,UAAA;AAAA;;;UCrCvD,iCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA4+FA,0BAAA,CAA2B,IAAA,GAAM,iCAAA,GAAyC,OAAA;;;UCtoGzE,gCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAseA,yBAAA,CAA0B,IAAA,GAAM,gCAAA,GAAwC,OAAA;;;UC/evE,qCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAipBA,8BAAA,CACd,IAAA,GAAM,qCAAA,GACL,OAAA;;;UC1qBc,4BAAA;EAOf,YAAA;EAKA,MAAA;EAiBA,OAAA;AAAA;AAAA,cAGW,qBAAA,YAAiC,kBAAA;EAAA,SAG5B,KAAA;EAAA,iBACC,YAAA;EAAA,iBACA,MAAA;EAAA,QAKT,MAAA;EAAA,QAKA,YAAA;EAAA,iBACS,aAAA;EAAA,QAQT,QAAA;cAEI,IAAA,EAAM,4BAAA;EAAA,QAOV,SAAA;EAAA,QAmBA,eAAA;EAyBK,0BAAA,CACX,kBAAA,WACC,OAAA,CAAQ,MAAA;EAmCE,IAAA,CACX,UAAA,UACA,YAAA,uBACC,OAAA,CAAQ,gBAAA;EA4DE,uBAAA,CACX,eAAA,WACC,OAAA,CAAQ,kBAAA;EAiEJ,OAAA,CAAA;AAAA;;;iBCvVO,gBAAA,CAAiB,KAAA;;;KCmCrB,uBAAA;EACN,IAAA;EAAkB,SAAA;AAAA;EAClB,IAAA;EAAqB,MAAA;AAAA;AAAA,iBAuBX,yBAAA,CAA0B,KAAA,YAAiB,uBAAA;;;UCpB1C,uBAAA;EAEf,OAAA,EAAS,QAAA,CAAS,MAAA;EAElB,WAAA,EAAa,QAAA,CAAS,MAAA;EAEtB,cAAA,EAAgB,QAAA,CAAS,MAAA;EAEzB,WAAA;EAEA,IAAA;EAEA,OAAA,EAAS,QAAA,CAAS,MAAA;EAElB,cAAA,EAAgB,QAAA,CAAS,MAAA;EAoBzB,UAAA,GAAa,QAAA,CAAS,MAAA;AAAA;AAAA,KASZ,wBAAA;EACN,IAAA;EAAY,QAAA,EAAU,MAAA;AAAA;EACtB,IAAA;EAAe,MAAA;AAAA;AAAA,iBAQL,mCAAA,CACd,UAAA,EAAY,QAAA,CAAS,MAAA,oBACrB,GAAA,EAAK,uBAAA,GACJ,wBAAA;AAAA,iBAkCa,0BAAA,CAA2B,KAAA,UAAe,GAAA,EAAK,uBAAA;;;UCnH9C,sBAAA;EACf,UAAA;EAMA,OAAA,EAAS,MAAA;EAET,OAAA;EAEA,IAAA,EAAM,MAAA;AAAA;AAAA,iBAgBQ,uBAAA,CACd,OAAA,WACA,OAAA,gBACC,sBAAA;;;iBChCmB,qBAAA,CACpB,WAAA,UACA,WAAA,WACC,OAAA;;;UCHc,gBAAA;EACf,KAAA,EAAO,eAAA;EACP,cAAA,EAAgB,MAAA;AAAA;AAAA,iBAQF,UAAA,CACd,MAAA,UACA,WAAA,UACA,MAAA,WAAiB,eAAA,KAChB,gBAAA;;;UC5Bc,mBAAA;EAEf,MAAA;EAKA,MAAA;EAMA,OAAA,EAAS,MAAA;EAET,IAAA,EAAM,MAAA;EAEN,QAAA;EAwBA,UAAA,GAAa,MAAA;AAAA;AAAA,UAQE,mBAAA;EACf,KAAA,EAAO,eAAA;EACP,cAAA,EAAgB,MAAA;EAEhB,WAAA;AAAA;AAAA,iBA+Bc,mBAAA,CACd,GAAA,EAAK,mBAAA,EACL,GAAA,EAAK,mBAAA,EACL,IAAA;EAAQ,GAAA,SAAY,IAAA;AAAA,IACnB,MAAA;AAAA,iBA4Ea,gBAAA,CACd,GAAA,EAAK,mBAAA,EACL,GAAA,EAAK,mBAAA,EACL,IAAA;EAAQ,GAAA,SAAY,IAAA;AAAA,IACnB,MAAA;AAAA,KAiFS,sBAAA;EACN,IAAA;EAAwB,WAAA;EAAsB,OAAA,GAAU,MAAA;AAAA;EACxD,IAAA;EAAwB,WAAA;EAAsB,OAAA,GAAU,MAAA;AAAA;EACxD,IAAA;EAAyB,MAAA,EAAQ,MAAA;AAAA;EACjC,IAAA;EAAqB,MAAA,EAAQ,MAAA;EAAyB,MAAA;AAAA;AAAA,iBAY5C,sBAAA,CACd,KAAA,EAAO,MAAA,mBACP,OAAA,EAAS,sBAAA,GACR,MAAA;;;UC3Pc,sBAAA;EAEf,YAAA;EAEA,YAAA;EAEA,UAAA;EAMA,UAAA;EAQA,wBAAA;EAOA,KAAA;EAaA,MAAA,EAAQ,mBAAA;EAiBR,WAAA;IAAgB,MAAA;EAAA;AAAA;AAAA,UAID,mBAAA;EAEf,QAAA;EAEA,qBAAA;EAEA,eAAA;EAEA,UAAA;AAAA;AAAA,iBAuBc,qBAAA,CAAsB,MAAA,WAAiB,SAAA;EACrD,IAAA,EAAM,sBAAA;EACN,MAAA;AAAA;AAAA,iBA8Bc,4BAAA,CACd,MAAA,WAAiB,SAAA,KAChB,sBAAA;AAAA,iBAgJa,4BAAA,CAA6B,IAAA;;;UC3Q5B,4BAAA;EAEf,MAAA;EAEA,OAAA,EAAS,MAAA;EAET,qBAAA,EAAuB,MAAA;EAEvB,cAAA,EAAgB,MAAA;EAEhB,QAAA;EAEA,WAAA;EAEA,KAAA;AAAA;AAAA,UAGe,2BAAA;EAEf,IAAA,EAAM,aAAA;EAEN,YAAA;EAMA,SAAA;EAEA,aAAA;EAEA,SAAA;AAAA;AAAA,iBAWc,cAAA,CAAe,IAAA;EAC7B,KAAA;EACA,SAAA;EACA,MAAA;EACA,KAAA;EACA,MAAA;EACA,IAAA;AAAA;AAAA,iBAoBoB,qBAAA,CACpB,UAAA,EAAY,qBAAA,EACZ,OAAA,EAAS,4BAAA,EACT,GAAA,EAAK,2BAAA,GACJ,OAAA,CAAQ,sBAAA;EAA2B,YAAA;AAAA;AAAA,iBAyBhB,uBAAA,CACpB,UAAA,EAAY,uBAAA,EACZ,OAAA,EAAS,4BAAA,EACT,GAAA,EAAK,2BAAA,GACJ,OAAA,CAAQ,sBAAA;EAA2B,YAAA;AAAA;AAAA,iBAyEtB,0BAAA,CACd,UAAA,EAAY,uBAAA,EACZ,OAAA,EAAS,4BAAA;EACN,YAAA;EAAsB,OAAA;AAAA;AAAA,iBAmRX,0BAAA,CACd,MAAA,EAAQ,sBAAA,EACR,SAAA,WACC,sBAAA"}
+{"version":3,"file":"index.d.ts","names":[],"sources":["../src/types/state.ts","../src/local/state-resolver.ts","../src/local/local-state-provider.ts","../src/cli/commands/local-state-source.ts","../src/local/embed-config.ts","../src/types/resource.ts","../src/synthesis/assembly-reader.ts","../src/cli/commands/local-invoke.ts","../src/local/httpv2-service-integration.ts","../src/local/container-pool.ts","../src/local/integration-response-selector.ts","../src/local/rest-v1-integrations.ts","../src/local/route-discovery.ts","../src/local/authorizer-resolver.ts","../src/local/authorizer-cache.ts","../src/local/cognito-jwt.ts","../src/cli/commands/local-start-api.ts","../src/cli/commands/local-run-task.ts","../src/cli/commands/local-start-service.ts","../src/local/cfn-local-state-provider.ts","../src/local/intrinsic-utils.ts","../src/local/intrinsic-lambda-arn.ts","../src/local/parameter-mapping.ts","../src/local/api-gateway-response.ts","../src/local/docker-inspect.ts","../src/local/route-matcher.ts","../src/local/api-gateway-event.ts","../src/local/websocket-route-discovery.ts","../src/local/lambda-authorizer.ts"],"mappings":";;;;UAuLiB,aAAA;EAEf,UAAA;EAGA,YAAA;EAGA,UAAA,EAAY,MAAA;EAcZ,kBAAA,GAAqB,MAAA;EAGrB,UAAA,GAAa,MAAA;EAGb,YAAA;EAGA,QAAA,GAAW,MAAA;EAmBX,cAAA;EAMA,mBAAA;EAyBA,aAAA;AAAA;;;UCxIe,gBAAA;EACf,SAAA;EACA,MAAA;EACA,SAAA;EACA,SAAA;AAAA;AAAA,UAqBe,kBAAA;EAOf,aAAA,CAAc,UAAA,WAAqB,OAAA;EAQnC,qBAAA,CACE,aAAA,UACA,cAAA,UACA,UAAA,WACC,OAAA;AAAA;AAAA,UAGY,mBAAA;EAEf,SAAA,EAAW,MAAA,SAAe,aAAA;EAE1B,gBAAA,GAAmB,gBAAA;EAOnB,kBAAA,GAAqB,kBAAA;EAOrB,cAAA;AAAA;;;UCrJe,gBAAA;EAWf,SAAA,EAAW,MAAA,SAAe,aAAA;EAO1B,OAAA,EAAS,MAAA;EAOT,MAAA;AAAA;AAAA,UAsBe,kBAAA;EAAA,SAMN,KAAA;EAQT,IAAA,CAAK,SAAA,UAAmB,WAAA,uBAAkC,OAAA,CAAQ,gBAAA;EAalE,uBAAA,CAAwB,cAAA,WAAyB,OAAA,CAAQ,kBAAA;EA4BzD,0BAAA,EACE,kBAAA,WACC,OAAA,CAAQ,MAAA;EAKX,OAAA;AAAA;;;UC7Ge,uBAAA;EAOf,YAAA;EAEA,MAAA;EAEA,OAAA;EAMA,WAAA;EAAA,CAEC,GAAA;AAAA;AAAA,KAQS,yBAAA,IAA6B,OAAA,EAAS,uBAAA,KAA4B,kBAAA;AAAA,KAUlE,mBAAA,GAAsB,MAAA,SAAe,yBAAA;AAAA,iBAUjC,mBAAA,CAAoB,YAAA,oBAAgC,SAAA;AAAA,iBAapD,gBAAA,CAAiB,IAAA,EAAM,IAAA,CAAK,uBAAA;AAAA,iBAgB5B,gBAAA,CACd,OAAA,EAAS,IAAA,CAAK,uBAAA,6BACd,WAAA;AAAA,iBAqCoB,wBAAA,CACpB,OAAA,EAAS,IAAA,CAAK,uBAAA,+BACd,WAAA,uBACC,OAAA;AAAA,cAUU,qBAAA,SAA8B,KAAA;cAC7B,OAAA;AAAA;AAAA,iBAkBE,wCAAA,CACd,OAAA,EAAS,IAAA,CAAK,uBAAA,mBACd,gBAAA;AAAA,iBAiCc,wBAAA,CACd,OAAA,EAAS,uBAAA,EACT,SAAA,UACA,WAAA,sBACA,mBAAA,GAAsB,mBAAA,GACrB,kBAAA;;;UCrNc,mBAAA;EAMf,OAAA;EAOA,UAAA;EAMA,WAAA;EAOA,kBAAA;EAMA,gBAAA;EAMA,SAAA;AAAA;;;UCrDe,sBAAA;EACf,wBAAA;EACA,WAAA;EACA,UAAA,GAAa,MAAA,SAAe,iBAAA;EAC5B,SAAA,EAAW,MAAA,SAAe,gBAAA;EAC1B,OAAA,GAAU,MAAA,SAAe,cAAA;EACzB,UAAA,GAAa,MAAA;EACb,QAAA,GAAW,MAAA;EAWX,SAAA;EACA,KAAA,GAAQ,MAAA;AAAA;AAAA,UAMO,iBAAA;EACf,IAAA;EACA,OAAA;EACA,WAAA;EACA,aAAA;EACA,cAAA;EACA,qBAAA;AAAA;AAAA,UAMe,gBAAA;EACf,IAAA;EACA,UAAA,GAAa,MAAA;EACb,SAAA;EACA,SAAA;EACA,QAAA,GAAW,MAAA;EACX,cAAA,GAAiB,MAAA;EACjB,YAAA,GAAe,MAAA;EACf,cAAA;EACA,mBAAA;AAAA;AAAA,UAMe,cAAA;EACf,KAAA;EACA,WAAA;EACA,MAAA;IACE,IAAA;EAAA;AAAA;;;UCxCa,SAAA;EAEf,SAAA;EAOA,WAAA;EAGA,UAAA;EAGA,QAAA,EAAU,sBAAA;EAGV,iBAAA;EAGA,eAAA;EAGA,MAAA;EAGA,OAAA;EAOA,qBAAA;EAcA,eAAA,GAAkB,MAAA;AAAA;;;UCwEH,+BAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAg4BA,wBAAA,CAAyB,IAAA,GAAM,+BAAA,GAAuC,OAAA;;;KC77B1E,gBAAA;;;UC7CK,eAAA;EACf,SAAA;EACA,WAAA;EACA,aAAA;EACA,QAAA;EACA,aAAA;EAEA,aAAA;AAAA;AAAA,UAgMe,aAAA;EAMf,OAAA,CAAQ,SAAA,WAAoB,OAAA,CAAQ,eAAA;EAEpC,OAAA,CAAQ,MAAA,EAAQ,eAAA;EAEhB,OAAA,IAAW,OAAA;AAAA;;;UCvMI,wBAAA;EAEf,UAAA;EAOA,gBAAA;EAaA,kBAAA,GAAqB,MAAA;EAQrB,iBAAA,GAAoB,MAAA;EAEpB,eAAA;AAAA;;;UC2Ee,qBAAA;EACf,IAAA;EAOA,eAAA;EAEA,SAAA,EAAW,wBAAA;AAAA;AAAA,UA8FI,0BAAA;EACf,IAAA;EAEA,GAAA;EAEA,qBAAA;EAMA,iBAAA,GAAoB,MAAA;EAEpB,SAAA,EAAW,wBAAA;AAAA;AAAA,UAsGI,qBAAA;EACf,IAAA;EACA,GAAA;EACA,qBAAA;EACA,iBAAA,GAAoB,MAAA;EAEpB,gBAAA,GAAmB,MAAA;EACnB,SAAA,EAAW,wBAAA;AAAA;AAAA,UA2II,0BAAA;EACf,IAAA;EAEA,eAAA;EAEA,gBAAA,GAAmB,MAAA;EAEnB,SAAA,EAAW,wBAAA;AAAA;;;KClfD,uBAAA,GACR,qBAAA,GACA,0BAAA,GACA,qBAAA,GACA,0BAAA;AAAA,UAmCa,eAAA;EAEf,MAAA;EAEA,WAAA;EAEA,eAAA;EAEA,MAAA;EAEA,UAAA;EAUA,KAAA;EAgBA,YAAA;EAQA,YAAA;EAWA,UAAA;EAOA,cAAA,GAAiB,MAAA;EAWjB,UAAA;EAsBA,WAAA;IAAgB,MAAA;EAAA;EAgBhB,QAAA;IAAa,UAAA;IAAoB,OAAA,EAAS,MAAA;EAAA;EAgB1C,kBAAA;IACE,OAAA,EAAS,gBAAA;IACT,iBAAA,EAAmB,QAAA,CAAS,MAAA;IAC5B,kBAAA,GAAqB,QAAA,CAAS,MAAA,SAAe,QAAA,CAAS,MAAA;EAAA;EAaxD,iBAAA,GAAoB,uBAAA;EAEpB,UAAA;AAAA;AAAA,iBAoBc,cAAA,CAAe,MAAA,WAAiB,SAAA,KAAc,eAAA;;;UCzL7C,qBAAA;EACf,IAAA;EAEA,SAAA;EAEA,eAAA;EAMA,WAAA;EAEA,gBAAA;EAEA,UAAA;AAAA;AAAA,UAGe,uBAAA;EACf,IAAA;EACA,SAAA;EACA,eAAA;EAEA,eAAA,EAAiB,aAAA,CAAc,sBAAA;EAE/B,gBAAA;EAEA,UAAA;EACA,UAAA;AAAA;AAAA,UASe,cAAA;EAEf,WAAA;EAEA,MAAA;EAEA,UAAA;AAAA;AAAA,UAGe,yBAAA;EACf,IAAA;EACA,SAAA;EAWA,KAAA,EAAO,aAAA,CAAc,cAAA;EAOrB,WAAA;EAEA,MAAA;EAEA,UAAA;EAYA,UAAA;AAAA;AAAA,UAGe,aAAA;EACf,IAAA;EACA,SAAA;EAEA,MAAA;EAKA,QAAA,EAAU,aAAA;EAMV,MAAA;EACA,UAAA;EACA,UAAA;AAAA;AAAA,KAuCU,sBAAA;EACN,IAAA;EAAgB,IAAA;AAAA;EAChB,IAAA;EAAe,IAAA;AAAA;EACf,IAAA;EAAiB,IAAA;AAAA;EACjB,IAAA;EAAwB,IAAA;AAAA;;;UC1Kb,sBAAA;EAcf,KAAA;EAKA,WAAA;EAMA,OAAA,GAAU,MAAA;EASV,MAAA;AAAA;AAAA,UAQe,eAAA;EAMf,GAAA,CAAI,mBAAA,UAA6B,YAAA,WAAuB,sBAAA;EAIxD,GAAA,CACE,mBAAA,UACA,YAAA,UACA,UAAA,UACA,MAAA,EAAQ,sBAAA;EAGV,KAAA;EAEA,IAAA;AAAA;AAAA,iBAQc,qBAAA,CAAsB,IAAA;EAAQ,GAAA;AAAA,IAA4B,eAAA;;;UC9DhE,OAAA;EAER,GAAA;EAEA,CAAA;EAEA,CAAA;EAEA,GAAA;EAEA,GAAA;EAEA,GAAA;AAAA;AAAA,UAGQ,cAAA;EAER,KAAA,EAAO,GAAA,SAAY,OAAA;EAEnB,SAAA;EAEA,WAAA;AAAA;AAAA,UAQe,SAAA;EACf,aAAA,CAAc,OAAA,WAAkB,OAAA,CAAQ,cAAA;EAExC,IAAA,CAAK,OAAA,WAAkB,cAAA;EACvB,KAAA;AAAA;AAAA,iBAac,eAAA,CACd,IAAA;EACE,SAAA,IACE,GAAA,aACG,OAAA;IAAU,EAAA;IAAa,MAAA;IAAgB,IAAA,QAAY,OAAA;EAAA;EACxD,GAAA;EACA,KAAA;EAEA,YAAA;AAAA,IAED,SAAA;AAAA,iBA+Ea,mBAAA,CAAoB,MAAA,UAAgB,UAAA;AAAA,iBAQpC,sBAAA,CAAuB,MAAA;AAAA,iBAsCjB,gBAAA,CACpB,UAAA,EAAY,yBAAA,EACZ,mBAAA,sBACA,SAAA,EAAW,SAAA,EACX,IAAA;EAAQ,GAAA;EAAoB,MAAA,GAAS,GAAA;AAAA,IACpC,OAAA,CAAQ,sBAAA;EAA2B,YAAA;EAAkC,UAAA;AAAA;AAAA,iBAuElD,mBAAA,CACpB,UAAA,EAAY,aAAA,EACZ,mBAAA,sBACA,SAAA,EAAW,SAAA,EACX,IAAA;EAAQ,GAAA;EAAoB,MAAA,GAAS,GAAA;AAAA,IACpC,OAAA,CAAQ,sBAAA;EAA2B,YAAA;EAAkC,UAAA;AAAA;;;UCpCvD,iCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA++FA,0BAAA,CAA2B,IAAA,GAAM,iCAAA,GAAyC,OAAA;;;UC1oGzE,gCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA+eA,yBAAA,CAA0B,IAAA,GAAM,gCAAA,GAAwC,OAAA;;;UCxfvE,qCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA0pBA,8BAAA,CACd,IAAA,GAAM,qCAAA,GACL,OAAA;;;UCnrBc,4BAAA;EAOf,YAAA;EAKA,MAAA;EAiBA,OAAA;AAAA;AAAA,cAGW,qBAAA,YAAiC,kBAAA;EAAA,SAG5B,KAAA;EAAA,iBACC,YAAA;EAAA,iBACA,MAAA;EAAA,QAKT,MAAA;EAAA,QAKA,YAAA;EAAA,iBACS,aAAA;EAAA,QAQT,QAAA;cAEI,IAAA,EAAM,4BAAA;EAAA,QAOV,SAAA;EAAA,QAmBA,eAAA;EAyBK,0BAAA,CACX,kBAAA,WACC,OAAA,CAAQ,MAAA;EAmCE,IAAA,CACX,UAAA,UACA,YAAA,uBACC,OAAA,CAAQ,gBAAA;EA4DE,uBAAA,CACX,eAAA,WACC,OAAA,CAAQ,kBAAA;EAiEJ,OAAA,CAAA;AAAA;;;iBCvVO,gBAAA,CAAiB,KAAA;;;KCmCrB,uBAAA;EACN,IAAA;EAAkB,SAAA;AAAA;EAClB,IAAA;EAAqB,MAAA;AAAA;AAAA,iBAuBX,yBAAA,CAA0B,KAAA,YAAiB,uBAAA;;;UCpB1C,uBAAA;EAEf,OAAA,EAAS,QAAA,CAAS,MAAA;EAElB,WAAA,EAAa,QAAA,CAAS,MAAA;EAEtB,cAAA,EAAgB,QAAA,CAAS,MAAA;EAEzB,WAAA;EAEA,IAAA;EAEA,OAAA,EAAS,QAAA,CAAS,MAAA;EAElB,cAAA,EAAgB,QAAA,CAAS,MAAA;EAoBzB,UAAA,GAAa,QAAA,CAAS,MAAA;AAAA;AAAA,KASZ,wBAAA;EACN,IAAA;EAAY,QAAA,EAAU,MAAA;AAAA;EACtB,IAAA;EAAe,MAAA;AAAA;AAAA,iBAQL,mCAAA,CACd,UAAA,EAAY,QAAA,CAAS,MAAA,oBACrB,GAAA,EAAK,uBAAA,GACJ,wBAAA;AAAA,iBAkCa,0BAAA,CAA2B,KAAA,UAAe,GAAA,EAAK,uBAAA;;;UCnH9C,sBAAA;EACf,UAAA;EAMA,OAAA,EAAS,MAAA;EAET,OAAA;EAEA,IAAA,EAAM,MAAA;AAAA;AAAA,iBAgBQ,uBAAA,CACd,OAAA,WACA,OAAA,gBACC,sBAAA;;;iBChCmB,qBAAA,CACpB,WAAA,UACA,WAAA,WACC,OAAA;;;UCHc,gBAAA;EACf,KAAA,EAAO,eAAA;EACP,cAAA,EAAgB,MAAA;AAAA;AAAA,iBAQF,UAAA,CACd,MAAA,UACA,WAAA,UACA,MAAA,WAAiB,eAAA,KAChB,gBAAA;;;UC5Bc,mBAAA;EAEf,MAAA;EAKA,MAAA;EAMA,OAAA,EAAS,MAAA;EAET,IAAA,EAAM,MAAA;EAEN,QAAA;EAwBA,UAAA,GAAa,MAAA;AAAA;AAAA,UAQE,mBAAA;EACf,KAAA,EAAO,eAAA;EACP,cAAA,EAAgB,MAAA;EAEhB,WAAA;AAAA;AAAA,iBA+Bc,mBAAA,CACd,GAAA,EAAK,mBAAA,EACL,GAAA,EAAK,mBAAA,EACL,IAAA;EAAQ,GAAA,SAAY,IAAA;AAAA,IACnB,MAAA;AAAA,iBA4Ea,gBAAA,CACd,GAAA,EAAK,mBAAA,EACL,GAAA,EAAK,mBAAA,EACL,IAAA;EAAQ,GAAA,SAAY,IAAA;AAAA,IACnB,MAAA;AAAA,KAiFS,sBAAA;EACN,IAAA;EAAwB,WAAA;EAAsB,OAAA,GAAU,MAAA;AAAA;EACxD,IAAA;EAAwB,WAAA;EAAsB,OAAA,GAAU,MAAA;AAAA;EACxD,IAAA;EAAyB,MAAA,EAAQ,MAAA;AAAA;EACjC,IAAA;EAAqB,MAAA,EAAQ,MAAA;EAAyB,MAAA;AAAA;AAAA,iBAY5C,sBAAA,CACd,KAAA,EAAO,MAAA,mBACP,OAAA,EAAS,sBAAA,GACR,MAAA;;;UC3Pc,sBAAA;EAEf,YAAA;EAEA,YAAA;EAEA,UAAA;EAMA,UAAA;EAQA,wBAAA;EAOA,KAAA;EAaA,MAAA,EAAQ,mBAAA;EAiBR,WAAA;IAAgB,MAAA;EAAA;AAAA;AAAA,UAID,mBAAA;EAEf,QAAA;EAEA,qBAAA;EAEA,eAAA;EAEA,UAAA;AAAA;AAAA,iBAuBc,qBAAA,CAAsB,MAAA,WAAiB,SAAA;EACrD,IAAA,EAAM,sBAAA;EACN,MAAA;AAAA;AAAA,iBA8Bc,4BAAA,CACd,MAAA,WAAiB,SAAA,KAChB,sBAAA;AAAA,iBAgJa,4BAAA,CAA6B,IAAA;;;UC3Q5B,4BAAA;EAEf,MAAA;EAEA,OAAA,EAAS,MAAA;EAET,qBAAA,EAAuB,MAAA;EAEvB,cAAA,EAAgB,MAAA;EAEhB,QAAA;EAEA,WAAA;EAEA,KAAA;AAAA;AAAA,UAGe,2BAAA;EAEf,IAAA,EAAM,aAAA;EAEN,YAAA;EAMA,SAAA;EAEA,aAAA;EAEA,SAAA;AAAA;AAAA,iBAWc,cAAA,CAAe,IAAA;EAC7B,KAAA;EACA,SAAA;EACA,MAAA;EACA,KAAA;EACA,MAAA;EACA,IAAA;AAAA;AAAA,iBAoBoB,qBAAA,CACpB,UAAA,EAAY,qBAAA,EACZ,OAAA,EAAS,4BAAA,EACT,GAAA,EAAK,2BAAA,GACJ,OAAA,CAAQ,sBAAA;EAA2B,YAAA;AAAA;AAAA,iBAyBhB,uBAAA,CACpB,UAAA,EAAY,uBAAA,EACZ,OAAA,EAAS,4BAAA,EACT,GAAA,EAAK,2BAAA,GACJ,OAAA,CAAQ,sBAAA;EAA2B,YAAA;AAAA;AAAA,iBAyEtB,0BAAA,CACd,UAAA,EAAY,uBAAA,EACZ,OAAA,EAAS,4BAAA;EACN,YAAA;EAAsB,OAAA;AAAA;AAAA,iBAmRX,0BAAA,CACd,MAAA,EAAQ,sBAAA,EACR,SAAA,WACC,sBAAA"}

package/dist/index.js

@@ -1,3 +1,3 @@
-import { A as LocalStateSourceError, C as discoverWebSocketApis, D as pickRefLogicalId, E as discoverRoutes, F as resolveCfnRegion, I as resolveCfnStackName, L as CfnLocalStateProvider, M as isCfnFlagPresent, N as rejectExplicitCfnStackWithMultipleStacks, O as resolveLambdaArnIntrinsic, P as resolveCfnFallbackRegion, S as buildRestV1Event, T as parseSelectionExpressionPath, _ as invokeTokenAuthorizer, a as createAuthorizerCache, b as applyAuthorizerOverlay, c as buildCognitoJwksUrl, d as verifyCognitoJwt, f as verifyJwtAuthorizer, g as invokeRequestAuthorizer, h as evaluateCachedLambdaPolicy, i as createLocalStartApiCommand, j as createLocalStateProvider, k as createLocalInvokeCommand, l as buildJwksUrlFromIssuer, m as computeRequestIdentityHash, n as getContainerNetworkIp, o as resolveSelectionExpression, p as buildMethodArn, r as createLocalRunTaskCommand, s as resolveServiceIntegrationParameters, t as createLocalStartServiceCommand, u as createJwksCache, v as matchRoute, w as discoverWebSocketApisOrThrow, x as buildHttpApiV2Event, y as translateLambdaResponse } from "./local-start-service-D7VpREhn.js";
+import { A as LocalStateSourceError, C as discoverWebSocketApis, D as pickRefLogicalId, E as discoverRoutes, F as resolveCfnRegion, I as resolveCfnStackName, L as CfnLocalStateProvider, M as isCfnFlagPresent, N as rejectExplicitCfnStackWithMultipleStacks, O as resolveLambdaArnIntrinsic, P as resolveCfnFallbackRegion, S as buildRestV1Event, T as parseSelectionExpressionPath, _ as invokeTokenAuthorizer, a as createAuthorizerCache, b as applyAuthorizerOverlay, c as buildCognitoJwksUrl, d as verifyCognitoJwt, f as verifyJwtAuthorizer, g as invokeRequestAuthorizer, h as evaluateCachedLambdaPolicy, i as createLocalStartApiCommand, j as createLocalStateProvider, k as createLocalInvokeCommand, l as buildJwksUrlFromIssuer, m as computeRequestIdentityHash, n as getContainerNetworkIp, o as resolveSelectionExpression, p as buildMethodArn, r as createLocalRunTaskCommand, s as resolveServiceIntegrationParameters, t as createLocalStartServiceCommand, u as createJwksCache, v as matchRoute, w as discoverWebSocketApisOrThrow, x as buildHttpApiV2Event, y as translateLambdaResponse } from "./local-start-service-C1AHpRo-.js";
 
 export { CfnLocalStateProvider, LocalStateSourceError, applyAuthorizerOverlay, buildCognitoJwksUrl, buildHttpApiV2Event, buildJwksUrlFromIssuer, buildMethodArn, buildRestV1Event, computeRequestIdentityHash, createAuthorizerCache, createJwksCache, createLocalInvokeCommand, createLocalRunTaskCommand, createLocalStartApiCommand, createLocalStartServiceCommand, createLocalStateProvider, discoverRoutes, discoverWebSocketApis, discoverWebSocketApisOrThrow, evaluateCachedLambdaPolicy, getContainerNetworkIp, invokeRequestAuthorizer, invokeTokenAuthorizer, isCfnFlagPresent, matchRoute, parseSelectionExpressionPath, pickRefLogicalId, rejectExplicitCfnStackWithMultipleStacks, resolveCfnFallbackRegion, resolveCfnRegion, resolveCfnStackName, resolveLambdaArnIntrinsic, resolveSelectionExpression, resolveServiceIntegrationParameters, translateLambdaResponse, verifyCognitoJwt, verifyJwtAuthorizer };

package/dist/{local-start-service-D7VpREhn.js → local-start-service-C1AHpRo-.js}

@@ -411,6 +411,9 @@ function loadCdkJson() {
 		return null;
 	}
 }
+function normalizeGlobList(value) {
+	return (typeof value === "string" ? [value] : Array.isArray(value) ? value : []).filter((entry) => typeof entry === "string" && entry.length > 0);
+}
 /**
 * Resolve the `--app` option from CLI, `CDKL_APP` env var, or `cdk.json`.
 *
@@ -428,6 +431,26 @@ function resolveApp(cliApp) {
 	if (envApp) return envApp;
 	return loadCdkJson()?.app ?? void 0;
 }
+/**
+* Resolve the `cdk.json` `watch` block, mirroring `cdk watch`'s
+* include / exclude semantics for `cdkl start-api --watch` source-tree
+* watching.
+*
+* Defaults when the keys are absent: `include` -> `['**']` (watch the
+* whole app directory), `exclude` -> `[]`. Unlike `cdk watch`, a missing
+* `watch` block is NOT an error — `--watch` still works against the
+* defaults. The caller layers in mandatory excludes (the synth output
+* directory, `node_modules`, `.git`) so re-synth writes never re-trigger
+* a reload and large noise directories are pruned.
+*/
+function resolveWatchConfig() {
+	const watch = loadCdkJson()?.watch;
+	const include = normalizeGlobList(watch?.include);
+	return {
+		include: include.length > 0 ? include : ["**"],
+		exclude: normalizeGlobList(watch?.exclude)
+	};
+}
 
 //#endregion
 //#region src/cli/cdk-path.ts
@@ -1295,6 +1318,12 @@ function resolveImageIntrinsicAny(node, resources, context) {
 		if (resources[logicalId]?.Type !== "AWS::ECR::Repository") return void 0;
 		const cached = context?.stateResources?.[logicalId]?.attributes?.[attr];
 		if (typeof cached === "string" && cached.length > 0) return cached;
+		const physicalId = context?.stateResources?.[logicalId]?.physicalId;
+		const p = context?.pseudoParameters;
+		if (physicalId && p?.region && p.accountId) {
+			if (attr === "Arn" && p.partition) return `arn:${p.partition}:ecr:${p.region}:${p.accountId}:repository/${physicalId}`;
+			if (attr === "RepositoryUri" && p.urlSuffix) return `${p.accountId}.dkr.ecr.${p.region}.${p.urlSuffix}/${physicalId}`;
+		}
 		return;
 	}
 	if (intrinsic === "Fn::Split") {
@@ -4337,10 +4366,13 @@ async function pullEcrImage(imageUri, options) {
 		await verifyImageInLocalCache(imageUri);
 		return imageUri;
 	}
-	const callerIdentityKey = callerRegion ?? "_unset";
+	const callerIdentityKey = `${options.profile ?? "_noprofile"}|${callerRegion ?? "_unset"}`;
 	let callerAccount = CALLER_IDENTITY_CACHE.get(callerIdentityKey);
 	if (callerAccount === void 0) {
-		const sts = new STSClient({ ...callerRegion && { region: callerRegion } });
+		const sts = new STSClient({
+			...callerRegion && { region: callerRegion },
+			...options.profile && { profile: options.profile }
+		});
 		try {
 			const identity = await sts.send(new GetCallerIdentityCommand({}));
 			if (!identity.Account) throw new LocalInvokeBuildError("STS GetCallerIdentity returned no Account. Verify your AWS credentials.");
@@ -4354,13 +4386,13 @@ async function pullEcrImage(imageUri, options) {
 	const crossRegion = callerRegion !== void 0 && callerRegion !== parsed.region;
 	let assumed;
 	if (options.ecrRoleArn) {
-		const cacheKey = `${options.ecrRoleArn}|${callerRegion ?? "_unset"}`;
+		const cacheKey = `${options.profile ?? "_noprofile"}|${options.ecrRoleArn}|${callerRegion ?? "_unset"}`;
 		const cached = ASSUMED_ROLE_CACHE.get(cacheKey);
 		if (cached && isCredentialFresh(cached)) {
 			assumed = cached;
 			logger.debug(`Reusing cached AssumeRole credentials for ${options.ecrRoleArn}`);
 		} else {
-			assumed = await assumeRoleForEcr(options.ecrRoleArn, callerRegion, logger);
+			assumed = await assumeRoleForEcr(options.ecrRoleArn, callerRegion, options.profile, logger);
 			ASSUMED_ROLE_CACHE.set(cacheKey, assumed);
 			logger.info(`Assumed role ${options.ecrRoleArn} for ECR pull (account=${parsed.accountId}, region=${parsed.region})`);
 		}
@@ -4368,7 +4400,7 @@ async function pullEcrImage(imageUri, options) {
 	if (crossRegion) logger.info(`Cross-region ECR pull: image region ${parsed.region} != caller ${callerRegion ?? "(unset)"}. Authenticating against the image region directly.`);
 	const ecr = new ECRClient({
 		region: parsed.region,
-		...assumed && { credentials: assumed }
+		...assumed ? { credentials: assumed } : options.profile ? { profile: options.profile } : {}
 	});
 	try {
 		await ecrLogin(ecr, parsed.accountId, parsed.region);
@@ -4390,9 +4422,12 @@ async function pullEcrImage(imageUri, options) {
 * service so the region is informational, but threading it through
 * mirrors the convention used by `src/utils/role-arn.ts`.
 */
-async function assumeRoleForEcr(roleArn, callerRegion, logger) {
+async function assumeRoleForEcr(roleArn, callerRegion, profile, logger) {
 	logger.debug(`Assuming role ${roleArn} for ECR pull...`);
-	const sts = new STSClient({ ...callerRegion && { region: callerRegion } });
+	const sts = new STSClient({
+		...callerRegion && { region: callerRegion },
+		...profile && { profile }
+	});
 	try {
 		const creds = (await sts.send(new AssumeRoleCommand({
 			RoleArn: roleArn,
@@ -5761,6 +5796,99 @@ function createLocalInvokeCommand(opts = {}) {
 	return invoke;
 }
 
+//#endregion
+//#region src/utils/glob-match.ts
+/**
+* Normalize a glob and split it into path-segment tokens. Returns
+* `null` for an empty pattern (callers skip it). A slash-free pattern is
+* prefixed with a `**` token so it matches its basename at any depth.
+*/
+function compilePattern(glob) {
+	const g = glob.replace(/\\/g, "/").replace(/^\.\//, "").replace(/\/+$/, "");
+	if (g === "") return null;
+	if (!g.includes("/")) return ["**", g];
+	return g.split("/");
+}
+/**
+* Linear wildcard match for ONE path segment (no `/`). `*` matches any
+* run of characters, `?` matches exactly one. Classic two-pointer
+* algorithm with single backtrack pointer — O(len(pat) * len(str)),
+* never exponential.
+*/
+function matchSegment(pat, str) {
+	let s = 0;
+	let p = 0;
+	let starP = -1;
+	let starS = 0;
+	while (s < str.length) {
+		const pc = pat[p];
+		if (p < pat.length && (pc === str[s] || pc === "?")) {
+			s++;
+			p++;
+		} else if (pc === "*") {
+			starP = p;
+			starS = s;
+			p++;
+		} else if (starP !== -1) {
+			p = starP + 1;
+			starS++;
+			s = starS;
+		} else return false;
+	}
+	while (pat[p] === "*") p++;
+	return p === pat.length;
+}
+/**
+* Match a compiled pattern's segment tokens against a path's segments. A
+* `**` token matches zero or more path segments; every other token
+* matches exactly one segment via {@link matchSegment}. The pattern
+* matches when it consumes a PREFIX of the path (the contents rule), so
+* a directory pattern also matches everything beneath it. Single
+* backtrack pointer over `**` — O(patSegs * pathSegs), never
+* exponential.
+*/
+function matchSegments(pat, path) {
+	let pi = 0;
+	let si = 0;
+	let starPi = -1;
+	let starSi = 0;
+	while (si < path.length) {
+		if (pi === pat.length) return true;
+		if (pat[pi] === "**") {
+			starPi = pi;
+			starSi = si;
+			pi++;
+		} else if (matchSegment(pat[pi], path[si])) {
+			pi++;
+			si++;
+		} else if (starPi !== -1) {
+			pi = starPi + 1;
+			starSi++;
+			si = starSi;
+		} else return false;
+	}
+	if (pi === pat.length) return true;
+	while (pi < pat.length && pat[pi] === "**") pi++;
+	return pi === pat.length;
+}
+/**
+* Compile a list of globs into a single matcher. The returned predicate
+* is `true` when the (relative, POSIX-normalized) path matches ANY
+* pattern. An empty or all-invalid pattern list yields a matcher that
+* never matches.
+*/
+function createGlobMatcher(patterns) {
+	const compiled = [];
+	for (const p of patterns) {
+		const segs = compilePattern(p);
+		if (segs) compiled.push(segs);
+	}
+	return (relPath) => {
+		const pathSegs = relPath.replace(/\\/g, "/").split("/");
+		return compiled.some((pat) => matchSegments(pat, pathSegs));
+	};
+}
+
 //#endregion
 //#region src/local/intrinsic-lambda-arn.ts
 /**
@@ -14308,7 +14436,8 @@ function createFileWatcher(options) {
 	const watcher = chokidar.watch([...options.paths], {
 		ignoreInitial,
 		followSymlinks: false,
-		ignorePermissionErrors: true
+		ignorePermissionErrors: true,
+		...options.ignored && { ignored: options.ignored }
 	});
 	let timer = null;
 	let closed = false;
@@ -14326,34 +14455,24 @@ function createFileWatcher(options) {
 		}, debounceMs);
 		timer.unref?.();
 	};
-	watcher.on("add", fire);
-	watcher.on("change", fire);
-	watcher.on("unlink", fire);
+	const onEvent = (path) => {
+		if (options.shouldTrigger && !options.shouldTrigger(path)) return;
+		fire();
+	};
+	watcher.on("add", onEvent);
+	watcher.on("change", onEvent);
+	watcher.on("unlink", onEvent);
 	watcher.on("error", (err) => {
 		logger.debug(`chokidar error: ${err instanceof Error ? err.message : String(err)}. Continuing.`);
 	});
-	let currentPaths = new Set(options.paths);
-	return {
-		update: (paths) => {
-			if (closed) return;
-			const next = new Set(paths);
-			const toAdd = [];
-			const toRemove = [];
-			for (const p of next) if (!currentPaths.has(p)) toAdd.push(p);
-			for (const p of currentPaths) if (!next.has(p)) toRemove.push(p);
-			if (toAdd.length > 0) watcher.add(toAdd);
-			if (toRemove.length > 0) watcher.unwatch(toRemove);
-			currentPaths = next;
-		},
-		close: async () => {
-			closed = true;
-			if (timer) {
-				clearTimeout(timer);
-				timer = null;
-			}
-			await watcher.close();
+	return { close: async () => {
+		closed = true;
+		if (timer) {
+			clearTimeout(timer);
+			timer = null;
 		}
-	};
+		await watcher.close();
+	} };
 }
 
 //#endregion
@@ -14427,7 +14546,6 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	const inlineTmpDirs = /* @__PURE__ */ new Set();
 	const layerTmpDirs = /* @__PURE__ */ new Set();
 	let profileCredsFile;
-	const lastAssetPaths = { value: [] };
 	const authorizerCache = createAuthorizerCache();
 	const jwksCache = createJwksCache();
 	const jwksWarnedUrls = /* @__PURE__ */ new Set();
@@ -14556,30 +14674,7 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 		});
 		return pool;
 	};
-	/**
-	* Compute the watched-asset list from a spec map. Pure helper —
-	* keeps the side-effect (`lastAssetPaths.value = ...`) confined to
-	* the post-swap call sites (initial boot + post-reload). For ZIP
-	* Lambdas `codeDir` is either the unzipped asset directory or the
-	* inline-code tmpdir; both are watch-worthy. IMAGE Lambdas
-	* (`kind: 'image'`) don't have a host-side bind-mount source — the
-	* code is baked into the docker image at build time. Their build
-	* context (Dockerfile + source directory) is rebuilt on every
-	* reload via `synthesizeAndBuild` → `buildContainerSpec` →
-	* `resolveContainerImageForStartApi`, so a source edit DOES trigger
-	* rebuild AND the deterministic `image` tag changes — but watching
-	* the build-context dir explicitly here is deferred to a follow-up
-	* (the watched-asset list is currently sourced from `cdk.out/`
-	* which transitively covers most container-Lambda asset dirs since
-	* `cdk synth` re-stages them on every synth call).
-	*/
-	const computeAssetPaths = (specs) => {
-		const assetPaths = /* @__PURE__ */ new Set();
-		for (const spec of specs.values()) if (spec.kind === "zip") assetPaths.add(spec.codeDir);
-		return [...assetPaths];
-	};
 	const initialMaterial = await synthesizeAndBuild();
-	lastAssetPaths.value = computeAssetPaths(initialMaterial.specs);
 	await prewarmJwks(initialMaterial.routes, jwksCache);
 	warnVpcConfigLambdas(initialMaterial.routes, initialMaterial.stacks ?? []);
 	sigV4CredentialsLoader = defaultCredentialsLoader();
@@ -14720,23 +14815,27 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	let watcher;
 	let reloadChain = Promise.resolve();
 	if (options.watch) {
+		const watchRoot = process.cwd();
+		const { ignored, shouldTrigger, excludePatterns } = createWatchPredicates({
+			watchRoot,
+			output: options.output,
+			watchConfig: resolveWatchConfig()
+		});
 		watcher = createFileWatcher({
-			paths: [options.output, ...lastAssetPaths.value],
+			paths: [watchRoot],
+			ignored,
+			shouldTrigger,
 			onChange: () => {
-				logger.info("Detected file change; reloading...");
+				logger.info("Detected source change; reloading...");
 				reloadChain = reloadChain.then(() => reloadAllServers({
 					synthesizeAndBuild,
 					servers,
 					buildPool,
-					computeAssetPaths,
-					lastAssetPaths,
-					watcher,
-					output: options.output,
 					logger
 				})).catch(() => void 0);
 			}
 		});
-		logger.info(`Watching ${options.output} (and ${lastAssetPaths.value.length} asset dir(s))`);
+		logger.info(`Watching ${watchRoot} for source changes (excluding ${excludePatterns.join(", ")}).`);
 	}
 	let shutdownStarted = false;
 	let firstSignal;
@@ -14838,6 +14937,52 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	await new Promise(() => void 0);
 }
 /**
+* Build the `--watch` file-watcher predicates for a source tree rooted
+* at `watchRoot` (the synth working directory).
+*
+* The synth output directory is always excluded so the reload's own
+* re-synth writes never re-trigger the watcher (no loop); `node_modules`
+* / `.git` are excluded for traversal cost. `cdk.json` `watch.exclude`
+* globs layer on top, and `watch.include` gates which changes fire a
+* reload. The output dir is only added as a glob when it lives UNDER the
+* watch root — when it equals the root (`''`) or sits outside it
+* (`..`-prefixed), a watcher rooted at `watchRoot` never traverses it,
+* so no exclude entry is needed (and a `''` / `..` glob is meaningless).
+*
+* `@internal` exported for unit tests (the exclude/include composition +
+* the output-dir relativization edge cases).
+*/
+function createWatchPredicates(args) {
+	const { watchRoot, output, watchConfig } = args;
+	const toRel = (abs) => path.relative(watchRoot, abs).split(path.sep).join("/");
+	const outputRel = toRel(path.resolve(watchRoot, output));
+	const excludePatterns = [
+		...outputRel !== "" && !outputRel.startsWith("..") ? [outputRel] : [],
+		"node_modules",
+		".git",
+		...watchConfig.exclude
+	];
+	const excludeMatcher = createGlobMatcher(excludePatterns);
+	const includeMatcher = createGlobMatcher(watchConfig.include);
+	const ignored = (absPath) => {
+		const rel = toRel(absPath);
+		if (rel === "") return false;
+		if (rel.startsWith("..")) return true;
+		return excludeMatcher(rel);
+	};
+	const shouldTrigger = (absPath) => {
+		const rel = toRel(absPath);
+		if (rel === "" || rel.startsWith("..")) return false;
+		if (excludeMatcher(rel)) return false;
+		return includeMatcher(rel);
+	};
+	return {
+		ignored,
+		shouldTrigger,
+		excludePatterns
+	};
+}
+/**
 * Match the `--stack` pattern (or single-stack auto-detect) to a list
 * of stacks the route-discovery walks. Mirrors the deploy/diff matcher
 * routing rules.
@@ -15739,7 +15884,7 @@ function warnSsrfRiskyIntegrations(routes, logger) {
 *      server restart in v1.
 */
 async function reloadAllServers(args) {
-	const { synthesizeAndBuild, servers, buildPool, computeAssetPaths, lastAssetPaths, watcher, output, logger } = args;
+	const { synthesizeAndBuild, servers, buildPool, logger } = args;
 	let material;
 	try {
 		material = await synthesizeAndBuild();
@@ -15770,8 +15915,6 @@ async function reloadAllServers(args) {
 			logger.debug(`Previous pool dispose() failed for ${group.displayName}: ${err instanceof Error ? err.message : String(err)}`);
 		});
 	}
-	lastAssetPaths.value = computeAssetPaths(material.specs);
-	if (watcher) watcher.update([output, ...lastAssetPaths.value]);
 	printPerServerRouteTables(servers);
 	const allRoutes = servers.flatMap((s) => s.group.routes.map((r) => r.route));
 	warnUnsupportedRoutes(allRoutes, logger);
@@ -15955,7 +16098,7 @@ function resolveMtlsConfig(options) {
 */
 function createLocalStartApiCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and AWS_IAM auth (REST v1 `AuthorizationType: AWS_IAM` and Function URL `AuthType: AWS_IAM` — SigV4 signature verification only; IAM policy evaluation is NOT emulated). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", `Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors \`${getEmbedConfig().cliName} invoke\` / \`${getEmbedConfig().cliName} run-task\` target syntax.`).addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--all-stacks", "Serve every stack's API in a multi-stack app (each API on its own port) instead of erroring out. Mutually exclusive with a positional target, --stack, and an explicit --from-cfn-stack <name>; the bare --from-cfn-stack flag stays compatible (binds each routed stack to its own CFn stack).").default(false)).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: re-synth + re-discover routes when cdk.out/ or asset directories change. Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers (issue #448). Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in Lambda env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name per routed stack; pass an explicit value when a single CFn stack should serve every routed stack. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--mtls-truststore <path>", `PEM-encoded CA bundle for client-certificate verification (mutual TLS). When set, the local server switches from HTTP to HTTPS and the TLS handshake rejects clients whose certificate doesn't chain to one of these CAs. Verified certs are surfaced on the Lambda event under requestContext.identity.clientCert (REST v1) / requestContext.authentication.clientCert (HTTP API v2). Must be set together with --mtls-cert + --mtls-key; partial flag sets are rejected. Generate a CA + server + client cert for local dev: openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem -subj "/CN=${getEmbedConfig().resourceNamePrefix}-ca" -days 365; openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem -subj "/CN=localhost"; openssl x509 -req -in server-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365; openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem -subj "/CN=client"; openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 365; curl --cacert ca.pem --cert client-cert.pem --key client-key.pem https://localhost:<port>/...`)).addOption(new Option("--mtls-cert <path>", "PEM-encoded server certificate for mutual TLS. Self-signed is fine for local dev. Must be set together with --mtls-truststore + --mtls-key.")).addOption(new Option("--mtls-key <path>", "PEM-encoded server private key matching --mtls-cert. Must be set together with --mtls-truststore + --mtls-cert.")).addOption(new Option("--strict-sigv4", "Opt-in: DENY AWS_IAM SigV4 requests that cannot be cryptographically verified (foreign access-key-id — e.g. a federated / Cognito Identity Pool / cross-account signer — OR no local AWS credentials configured) instead of the default warn-and-pass. DEFAULT off: cdk-local warn-and-passes unverifiable IAM requests with a placeholder principalId so local dev exercises app logic without reproducing an auth boundary it cannot fully emulate. OAC-fronted Function URLs always warn-and-pass regardless.").default(false)).action(withErrorHandling(async (target, options) => {
+	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and AWS_IAM auth (REST v1 `AuthorizationType: AWS_IAM` and Function URL `AuthType: AWS_IAM` — SigV4 signature verification only; IAM policy evaluation is NOT emulated). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", `Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors \`${getEmbedConfig().cliName} invoke\` / \`${getEmbedConfig().cliName} run-task\` target syntax.`).addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--all-stacks", "Serve every stack's API in a multi-stack app (each API on its own port) instead of erroring out. Mutually exclusive with a positional target, --stack, and an explicit --from-cfn-stack <name>; the bare --from-cfn-stack flag stays compatible (binds each routed stack to its own CFn stack).").default(false)).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: re-synth + re-discover routes when the CDK app's source changes (honors cdk.json watch.include/exclude; cdk.out, node_modules, .git are always excluded). Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers (issue #448). Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in Lambda env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name per routed stack; pass an explicit value when a single CFn stack should serve every routed stack. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--mtls-truststore <path>", `PEM-encoded CA bundle for client-certificate verification (mutual TLS). When set, the local server switches from HTTP to HTTPS and the TLS handshake rejects clients whose certificate doesn't chain to one of these CAs. Verified certs are surfaced on the Lambda event under requestContext.identity.clientCert (REST v1) / requestContext.authentication.clientCert (HTTP API v2). Must be set together with --mtls-cert + --mtls-key; partial flag sets are rejected. Generate a CA + server + client cert for local dev: openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem -subj "/CN=${getEmbedConfig().resourceNamePrefix}-ca" -days 365; openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem -subj "/CN=localhost"; openssl x509 -req -in server-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365; openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem -subj "/CN=client"; openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 365; curl --cacert ca.pem --cert client-cert.pem --key client-key.pem https://localhost:<port>/...`)).addOption(new Option("--mtls-cert <path>", "PEM-encoded server certificate for mutual TLS. Self-signed is fine for local dev. Must be set together with --mtls-truststore + --mtls-key.")).addOption(new Option("--mtls-key <path>", "PEM-encoded server private key matching --mtls-cert. Must be set together with --mtls-truststore + --mtls-cert.")).addOption(new Option("--strict-sigv4", "Opt-in: DENY AWS_IAM SigV4 requests that cannot be cryptographically verified (foreign access-key-id — e.g. a federated / Cognito Identity Pool / cross-account signer — OR no local AWS credentials configured) instead of the default warn-and-pass. DEFAULT off: cdk-local warn-and-passes unverifiable IAM requests with a placeholder principalId so local dev exercises app logic without reproducing an auth boundary it cannot fully emulate. OAC-fronted Function URLs always warn-and-pass regardless.").default(false)).action(withErrorHandling(async (target, options) => {
 		await localStartApiCommand(target, options, opts.extraStateProviders);
 	}));
 	[
@@ -16659,7 +16802,8 @@ async function prepareOneImage(task, container, options) {
 		case "ecr": return pullEcrImage(image.uri, {
 			skipPull: options.skipPull,
 			...options.region !== void 0 && { region: options.region },
-			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn }
+			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn },
+			...options.profile !== void 0 && { profile: options.profile }
 		});
 		case "cdk-asset": {
 			const cdkOutDir = task.stack.assetManifestPath ? dirname(task.stack.assetManifestPath) : void 0;
@@ -16952,6 +17096,7 @@ async function localRunTaskCommand(target, options, extraStateProviders) {
 		if (options.platform) runOpts.platformOverride = options.platform;
 		if (options.region) runOpts.region = options.region;
 		if (options.ecrRoleArn) runOpts.ecrRoleArn = options.ecrRoleArn;
+		if (options.profile) runOpts.profile = options.profile;
 		if (profileCredsFile) runOpts.profileCredentialsFile = {
 			hostPath: profileCredsFile.hostPath,
 			containerPath: profileCredsFile.containerPath,
@@ -17028,7 +17173,7 @@ async function buildEcsImageResolutionContext$1(candidate, stateProvider, option
 		if (!region) logger.warn(`Resolver references \${AWS::Region} but ${getEmbedConfig().binaryName} could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.`);
 		let accountId;
 		try {
-			accountId = await resolveCallerAccountId$1(region);
+			accountId = await resolveCallerAccountId$1(region, options.profile);
 		} catch (err) {
 			logger.warn(`Resolver needs \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; affected env / secret entries will be dropped with per-key warnings.`);
 		}
@@ -17058,9 +17203,12 @@ function pickCandidateStack$1(stackPattern, stacks) {
 	const matched = matchStacks(stacks, [stackPattern]);
 	if (matched.length === 1) return matched[0];
 }
-async function resolveCallerAccountId$1(region) {
+async function resolveCallerAccountId$1(region, profile) {
 	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
-	const sts = new STSClient({ ...region && { region } });
+	const sts = new STSClient({
+		...region && { region },
+		...profile && { profile }
+	});
 	try {
 		return (await sts.send(new GetCallerIdentityCommand({}))).Account;
 	} finally {
@@ -18361,6 +18509,7 @@ async function runOneTarget(target, runState, stacks, options, discovery, skipPu
 	if (options.platform) taskOpts.platformOverride = options.platform;
 	if (options.region) taskOpts.region = options.region;
 	if (options.ecrRoleArn) taskOpts.ecrRoleArn = options.ecrRoleArn;
+	if (options.profile) taskOpts.profile = options.profile;
 	if (profileCredsFile && !assumedCredentials) taskOpts.profileCredentialsFile = {
 		hostPath: profileCredsFile.hostPath,
 		containerPath: profileCredsFile.containerPath,
@@ -18420,7 +18569,7 @@ async function buildEcsImageResolutionContext(target, stacks, options, stateProv
 		if (!region) logger.warn(`Resolver references \${AWS::Region} but ${getEmbedConfig().binaryName} could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.`);
 		let accountId;
 		try {
-			accountId = await resolveCallerAccountId(region);
+			accountId = await resolveCallerAccountId(region, options.profile);
 		} catch (err) {
 			logger.warn(`Resolver needs \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; affected env / secret entries will be dropped with per-key warnings.`);
 		}
@@ -18450,9 +18599,12 @@ function pickCandidateStack(stackPattern, stacks) {
 	const matched = matchStacks(stacks, [stackPattern]);
 	if (matched.length === 1) return matched[0];
 }
-async function resolveCallerAccountId(region) {
+async function resolveCallerAccountId(region, profile) {
 	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
-	const sts = new STSClient({ ...region && { region } });
+	const sts = new STSClient({
+		...region && { region },
+		...profile && { profile }
+	});
 	try {
 		return (await sts.send(new GetCallerIdentityCommand({}))).Account;
 	} finally {
@@ -18539,4 +18691,4 @@ function createLocalStartServiceCommand(opts = {}) {
 
 //#endregion
 export { LocalStateSourceError as A, discoverWebSocketApis as C, pickRefLogicalId as D, discoverRoutes as E, resolveCfnRegion as F, resolveCfnStackName as I, CfnLocalStateProvider as L, isCfnFlagPresent as M, rejectExplicitCfnStackWithMultipleStacks as N, resolveLambdaArnIntrinsic as O, resolveCfnFallbackRegion as P, buildRestV1Event as S, parseSelectionExpressionPath as T, invokeTokenAuthorizer as _, createAuthorizerCache as a, applyAuthorizerOverlay as b, buildCognitoJwksUrl as c, verifyCognitoJwt as d, verifyJwtAuthorizer as f, invokeRequestAuthorizer as g, evaluateCachedLambdaPolicy as h, createLocalStartApiCommand as i, createLocalStateProvider as j, createLocalInvokeCommand as k, buildJwksUrlFromIssuer as l, computeRequestIdentityHash as m, getContainerNetworkIp as n, resolveSelectionExpression as o, buildMethodArn as p, createLocalRunTaskCommand as r, resolveServiceIntegrationParameters as s, createLocalStartServiceCommand as t, createJwksCache as u, matchRoute as v, discoverWebSocketApisOrThrow as w, buildHttpApiV2Event as x, translateLambdaResponse as y };
-//# sourceMappingURL=local-start-service-D7VpREhn.js.map
+//# sourceMappingURL=local-start-service-C1AHpRo-.js.map