cdk-local 0.120.0 → 0.121.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -18100,7 +18100,7 @@ function computeCodeImageTag(sourceDir, runtime, entryPoint, dockerfile) {
18100
18100
  async function downloadAndExtractS3Bundle(location, options = {}) {
18101
18101
  const ref = formatRef(location);
18102
18102
  getLogger().info(`Downloading fromS3 code bundle ${ref}...`);
18103
- const bytes = await (options.fetchObject ?? defaultFetchObject(options))(location);
18103
+ const bytes = await (options.fetchObject ?? defaultFetchObject$1(options))(location);
18104
18104
  let files;
18105
18105
  try {
18106
18106
  files = unzipSync(bytes);
@@ -18147,7 +18147,7 @@ function resolveSafeEntryPath(root, entry) {
18147
18147
  if (dest !== root && !dest.startsWith(rootWithSep)) throw new CdkLocalError(`Refusing to extract a fromS3 bundle entry that escapes the target dir: '${entry}'.`, "LOCAL_INVOKE_AGENTCORE_S3_BUNDLE_ZIP_SLIP");
18148
18148
  return dest;
18149
18149
  }
18150
- function defaultFetchObject(options) {
18150
+ function defaultFetchObject$1(options) {
18151
18151
  return async (location) => {
18152
18152
  const { S3Client, GetObjectCommand } = await import("@aws-sdk/client-s3");
18153
18153
  const client = new S3Client({
@@ -29182,15 +29182,11 @@ function serveFromStaticOrigin(input) {
29182
29182
  headers: { "content-type": contentTypeForKey(key) },
29183
29183
  body: direct
29184
29184
  };
29185
- const errorResponses = input.customErrorResponses ?? [];
29186
- for (const code of [403, 404]) {
29187
- const match = errorResponses.find((e) => e.errorCode === code);
29188
- if (!match || !match.responsePagePath) continue;
29189
- const errorKey = stripLeadingSlash(match.responsePagePath);
29190
- const body = readKey(input.localDirs, errorKey);
29185
+ for (const candidate of resolveErrorResponseCandidates(input.customErrorResponses)) {
29186
+ const body = readKey(input.localDirs, candidate.errorKey);
29191
29187
  if (body) return {
29192
- statusCode: match.responseCode ?? code,
29193
- headers: { "content-type": contentTypeForKey(errorKey) },
29188
+ statusCode: candidate.responseCode,
29189
+ headers: { "content-type": contentTypeForKey(candidate.errorKey) },
29194
29190
  body
29195
29191
  };
29196
29192
  }
@@ -29201,6 +29197,27 @@ function serveFromStaticOrigin(input) {
29201
29197
  };
29202
29198
  }
29203
29199
  /**
29200
+ * Resolve the ordered list of custom-error-page candidates to try when an
29201
+ * origin object is missing/forbidden, shared by the local-dir static origin and
29202
+ * the deployed-S3 read-through origin so the 403-then-404 priority + the
29203
+ * `ResponseCode` mapping live in ONE place. We try 403 first then 404 because a
29204
+ * missing key on an OAC-fronted private bucket returns 403 AccessDenied (the
29205
+ * common static-site setup), but an app that mapped 404 instead is also honored.
29206
+ */
29207
+ function resolveErrorResponseCandidates(customErrorResponses) {
29208
+ const errorResponses = customErrorResponses ?? [];
29209
+ const out = [];
29210
+ for (const code of [403, 404]) {
29211
+ const match = errorResponses.find((e) => e.errorCode === code);
29212
+ if (!match || !match.responsePagePath) continue;
29213
+ out.push({
29214
+ errorKey: stripLeadingSlash(match.responsePagePath),
29215
+ responseCode: match.responseCode ?? code
29216
+ });
29217
+ }
29218
+ return out;
29219
+ }
29220
+ /**
29204
29221
  * Map a request URI to an S3 object key. The query string / fragment is
29205
29222
  * dropped, the leading slash is removed, and the root path (`/` or empty)
29206
29223
  * resolves to the default root object. A URI ending in `/` is NOT auto-indexed
@@ -29297,9 +29314,10 @@ async function startCloudFrontServer(options) {
29297
29314
  const logger = getLogger().child("cloudfront");
29298
29315
  const lambdaInvokers = options.lambdaInvokers ?? /* @__PURE__ */ new Map();
29299
29316
  const edgeInvokers = options.edgeInvokers ?? /* @__PURE__ */ new Map();
29317
+ const s3OriginReaders = options.s3OriginReaders ?? /* @__PURE__ */ new Map();
29300
29318
  const state = { distribution: options.distribution };
29301
29319
  const handler = (req, res) => {
29302
- handleRequest$1(req, res, state, lambdaInvokers, edgeInvokers, logger).catch((err) => {
29320
+ handleRequest$1(req, res, state, lambdaInvokers, edgeInvokers, s3OriginReaders, logger).catch((err) => {
29303
29321
  logger.warn(`Request handling failed: ${err instanceof Error ? err.message : String(err)}`);
29304
29322
  if (!res.headersSent) {
29305
29323
  res.statusCode = 500;
@@ -29329,7 +29347,7 @@ async function startCloudFrontServer(options) {
29329
29347
  };
29330
29348
  }
29331
29349
  /** The per-request pipeline: behavior match -> viewer-request -> origin -> viewer-response. */
29332
- async function handleRequest$1(req, res, state, lambdaInvokers, edgeInvokers, logger) {
29350
+ async function handleRequest$1(req, res, state, lambdaInvokers, edgeInvokers, s3OriginReaders, logger) {
29333
29351
  const distribution = state.distribution;
29334
29352
  const rawUrl = req.url ?? "/";
29335
29353
  const queryIdx = rawUrl.indexOf("?");
@@ -29420,6 +29438,7 @@ async function handleRequest$1(req, res, state, lambdaInvokers, edgeInvokers, lo
29420
29438
  sourceIp: clientIp,
29421
29439
  distribution,
29422
29440
  lambdaInvokers,
29441
+ s3OriginReaders,
29423
29442
  logger
29424
29443
  });
29425
29444
  if (!originResult) return writePlain(res, 502, originUnavailableMessage(origin, behavior));
@@ -29591,6 +29610,20 @@ async function serveFromOrigin(origin, args) {
29591
29610
  ...result.cookies.length > 0 && { setCookies: result.cookies }
29592
29611
  };
29593
29612
  }
29613
+ if (origin.kind === "s3-deployed") {
29614
+ const reader = args.s3OriginReaders.get(origin.originId);
29615
+ if (!reader) return void 0;
29616
+ const result = await reader({
29617
+ uri: args.uri,
29618
+ ...distribution.defaultRootObject !== void 0 && { defaultRootObject: distribution.defaultRootObject },
29619
+ customErrorResponses: distribution.customErrorResponses
29620
+ });
29621
+ return {
29622
+ statusCode: result.statusCode,
29623
+ headers: result.headers,
29624
+ body: result.body
29625
+ };
29626
+ }
29594
29627
  if (origin.kind !== "s3") return void 0;
29595
29628
  const result = serveFromStaticOrigin({
29596
29629
  localDirs: origin.localDirs,
@@ -29608,6 +29641,8 @@ function originUnavailableMessage(origin, behavior) {
29608
29641
  if (!origin) return `Behavior ${behavior.pathPattern ?? "(default)"} targets unknown origin '${behavior.targetOriginId}'.\n`;
29609
29642
  if (origin.kind === "lambda-url") return `Origin '${origin.originId}' is a Lambda Function URL origin whose backing function '${origin.functionLogicalId}' was not booted (it was added after start-up). Restart start-cloudfront.\n`;
29610
29643
  if (origin.kind === "custom") return `Origin '${origin.originId}' is a custom (non-S3) origin (${origin.domainName}). cdkl start-cloudfront serves S3 origins and Lambda Function URL origins only.
29644
+ `;
29645
+ if (origin.kind === "s3-deployed") return `Origin '${origin.originId}' is a deployed-S3 origin (bucket '${origin.bucketName}') whose reader was not booted (it was promoted after start-up). Restart start-cloudfront.
29611
29646
  `;
29612
29647
  return `Origin '${origin.originId}' is an S3 origin with no resolvable local source. Point it at a directory with --origin ${origin.originId}=<dir>.\n`;
29613
29648
  }
@@ -29663,6 +29698,101 @@ function listen(server, host, port) {
29663
29698
  });
29664
29699
  }
29665
29700
 
29701
+ //#endregion
29702
+ //#region src/local/cloudfront-s3-origin.ts
29703
+ /**
29704
+ * Build a reader that serves a deployed S3 bucket on demand. The S3 client is
29705
+ * created lazily on first read (and reused) so an all-local distribution never
29706
+ * touches the SDK. Boot-time bound to one `bucketName`; one reader per origin.
29707
+ */
29708
+ function createS3OriginReader(bucketName, options = {}) {
29709
+ const fetchObject = options.fetchObject ?? defaultFetchObject(bucketName, options);
29710
+ let deniedWarned = false;
29711
+ return async (input) => {
29712
+ const key = uriToKey(input.uri, input.defaultRootObject);
29713
+ if (key !== "") {
29714
+ const direct = await fetchObject(key);
29715
+ if (direct.kind === "found") return {
29716
+ statusCode: 200,
29717
+ headers: { "content-type": contentTypeForKey(key) },
29718
+ body: direct.body
29719
+ };
29720
+ if (direct.kind === "denied" && !deniedWarned) {
29721
+ deniedWarned = true;
29722
+ getLogger().warn(`S3 denied reading '${key}' from bucket '${bucketName}'. If this is an OAC-locked / private bucket your credentials cannot read, point the origin at a local directory with --origin <originId>=<dir> (or use credentials with s3:GetObject on the bucket). ${getEmbedConfig().cliName} start-cloudfront reads the origin from real S3.`);
29723
+ }
29724
+ if (direct.kind === "error") getLogger().warn(`S3 read of '${key}' from bucket '${bucketName}' failed: ${direct.message}`);
29725
+ }
29726
+ for (const candidate of resolveErrorResponseCandidates(input.customErrorResponses)) {
29727
+ const page = await fetchObject(candidate.errorKey);
29728
+ if (page.kind === "found") return {
29729
+ statusCode: candidate.responseCode,
29730
+ headers: { "content-type": contentTypeForKey(candidate.errorKey) },
29731
+ body: page.body
29732
+ };
29733
+ }
29734
+ return {
29735
+ statusCode: 404,
29736
+ headers: { "content-type": "text/plain; charset=utf-8" },
29737
+ body: Buffer.from(`Not found: ${input.uri}\n`)
29738
+ };
29739
+ };
29740
+ }
29741
+ /** The default fetcher: a real S3 `GetObject`, classifying the SDK error into the outcome union. */
29742
+ function defaultFetchObject(bucketName, options) {
29743
+ let init = null;
29744
+ const getAccess = () => {
29745
+ if (!init) init = (async () => {
29746
+ const { S3Client, GetObjectCommand } = await import("@aws-sdk/client-s3");
29747
+ return {
29748
+ client: new S3Client({
29749
+ ...options.region && { region: options.region },
29750
+ ...options.credentials && { credentials: {
29751
+ accessKeyId: options.credentials.accessKeyId,
29752
+ secretAccessKey: options.credentials.secretAccessKey,
29753
+ ...options.credentials.sessionToken && { sessionToken: options.credentials.sessionToken }
29754
+ } }
29755
+ }),
29756
+ GetObjectCommand
29757
+ };
29758
+ })();
29759
+ return init;
29760
+ };
29761
+ return async (key) => {
29762
+ try {
29763
+ const { client, GetObjectCommand } = await getAccess();
29764
+ const res = await client.send(new GetObjectCommand({
29765
+ Bucket: bucketName,
29766
+ Key: key
29767
+ }));
29768
+ if (!res.Body) return { kind: "not-found" };
29769
+ const bytes = await res.Body.transformToByteArray();
29770
+ return {
29771
+ kind: "found",
29772
+ body: Buffer.from(bytes)
29773
+ };
29774
+ } catch (err) {
29775
+ return classifyS3Error(err);
29776
+ }
29777
+ };
29778
+ }
29779
+ /**
29780
+ * Classify an S3 SDK error: a missing key (`NoSuchKey` / 404) is `not-found`
29781
+ * (try the SPA fallback), an `AccessDenied` / 403 is `denied` (a credential /
29782
+ * OAC config problem), anything else is `error`.
29783
+ */
29784
+ function classifyS3Error(err) {
29785
+ const e = err;
29786
+ const status = e?.$metadata?.httpStatusCode;
29787
+ const name = e?.name;
29788
+ if (status === 404 || name === "NoSuchKey" || name === "NotFound") return { kind: "not-found" };
29789
+ if (status === 403 || name === "AccessDenied" || name === "Forbidden") return { kind: "denied" };
29790
+ return {
29791
+ kind: "error",
29792
+ message: err instanceof Error ? err.message : String(err)
29793
+ };
29794
+ }
29795
+
29666
29796
  //#endregion
29667
29797
  //#region src/local/cloudfront-kvs-client.ts
29668
29798
  /**
@@ -29995,7 +30125,72 @@ async function bootLambdaEdgeFunctions(distribution, stacks, opts) {
29995
30125
  function warnUnsupported(distribution) {
29996
30126
  const logger = getLogger();
29997
30127
  for (const origin of distribution.origins.values()) if (origin.kind === "custom") logger.warn(`Origin '${origin.originId}' is a custom (non-S3, non-Lambda-Function-URL) origin (${origin.domainName}); ${getEmbedConfig().cliName} start-cloudfront serves S3 origins and Lambda Function URL origins only. Requests routed to it return 502.`);
29998
- else if (origin.kind === "s3-unresolved") logger.warn(`Origin '${origin.originId}' is an S3 origin with no resolvable local source (no BucketDeployment found, or its source could not be located in the cloud assembly). Point it at a directory with --origin ${origin.originId}=<dir>. Requests routed to it return 502.`);
30128
+ else if (origin.kind === "s3-unresolved") logger.warn(`Origin '${origin.originId}' is an S3 origin with no resolvable local source (no BucketDeployment found, or its source could not be located in the cloud assembly). Pass --from-cfn-stack to serve the deployed bucket from real S3 on demand, or point it at a local directory with --origin ${origin.originId}=<dir>. Requests routed to it return 502.`);
30129
+ }
30130
+ /**
30131
+ * Promote each S3 origin with no local BucketDeployment source (`s3-unresolved`)
30132
+ * to a deployed-S3 read-through origin (issue #405), building one
30133
+ * {@link S3OriginReader} per origin. This is the front/back-split path: the CDK
30134
+ * repo defines the distribution + bucket but the static files were uploaded out
30135
+ * of band, so there is nothing in the cloud assembly to serve locally. Under
30136
+ * `--from-cfn-stack`, the bucket's physical NAME is resolved from deployed state
30137
+ * (`ListStackResources`) and the reader serves it from real S3 on demand.
30138
+ *
30139
+ * Returns the readers (keyed by origin id, handed to the server) + the
30140
+ * origin-id -> bucket-name map (re-applied on each `--watch` reload via
30141
+ * {@link annotateDeployedS3Origins}, since the pure resolver re-emits the origin
30142
+ * as `s3-unresolved`). A no-op without `--from-cfn-stack` or when the bucket's
30143
+ * physical id is not in state (the origin stays `s3-unresolved` -> the existing
30144
+ * boot WARN + 502, with `--origin <id>=<dir>` as the escape hatch).
30145
+ */
30146
+ async function resolveDeployedS3Origins(distribution, stacks, options, profileCredentials, logger) {
30147
+ const readers = /* @__PURE__ */ new Map();
30148
+ const buckets = /* @__PURE__ */ new Map();
30149
+ if (!isCfnFlagPresent(options)) return {
30150
+ readers,
30151
+ buckets
30152
+ };
30153
+ const synthRegion = stacks.find((s) => s.stackName === distribution.stackName)?.region;
30154
+ const region = options.stackRegion ?? options.region ?? synthRegion;
30155
+ const provider = createLocalStateProvider(options, distribution.stackName, synthRegion);
30156
+ const record = provider ? await provider.load(distribution.stackName, synthRegion) : void 0;
30157
+ for (const origin of [...distribution.origins.values()]) {
30158
+ if (origin.kind !== "s3-unresolved" || origin.bucketLogicalId === void 0) continue;
30159
+ const bucketName = record?.resources[origin.bucketLogicalId]?.physicalId;
30160
+ if (!bucketName) continue;
30161
+ readers.set(origin.originId, createS3OriginReader(bucketName, {
30162
+ ...region !== void 0 && { region },
30163
+ ...profileCredentials !== void 0 && { credentials: profileCredentials }
30164
+ }));
30165
+ buckets.set(origin.originId, bucketName);
30166
+ distribution.origins.set(origin.originId, {
30167
+ kind: "s3-deployed",
30168
+ originId: origin.originId,
30169
+ bucketName
30170
+ });
30171
+ logger.info(`Origin '${origin.originId}': no local BucketDeployment source; serving from deployed S3 (bucket=${bucketName}) on demand under --from-cfn-stack.`);
30172
+ }
30173
+ return {
30174
+ readers,
30175
+ buckets
30176
+ };
30177
+ }
30178
+ /**
30179
+ * Re-apply the boot-time deployed-S3 promotion to a freshly re-synthed
30180
+ * distribution on a `--watch` reload: the pure resolver re-emits the origin as
30181
+ * `s3-unresolved`, so rewrite it back to `s3-deployed` (same bucket name) so it
30182
+ * dispatches to the boot-time reader. The S3 readers themselves are boot-time
30183
+ * only (like the Function URL origin containers), so nothing is rebuilt here.
30184
+ */
30185
+ function annotateDeployedS3Origins(distribution, buckets) {
30186
+ for (const [originId, bucketName] of buckets) {
30187
+ const origin = distribution.origins.get(originId);
30188
+ if (origin && origin.kind === "s3-unresolved") distribution.origins.set(originId, {
30189
+ kind: "s3-deployed",
30190
+ originId,
30191
+ bucketName
30192
+ });
30193
+ }
29999
30194
  }
30000
30195
  async function localStartCloudFrontCommand(target, options) {
30001
30196
  const logger = getLogger();
@@ -30041,8 +30236,9 @@ async function localStartCloudFrontCommand(target, options) {
30041
30236
  };
30042
30237
  };
30043
30238
  const initial = await synthAndResolve();
30044
- warnUnsupported(initial.distribution);
30045
30239
  const profileCredentials = options.profile ? await resolveProfileCredentials(options.profile) : void 0;
30240
+ const deployedS3 = await resolveDeployedS3Origins(initial.distribution, initial.stacks, options, profileCredentials, logger);
30241
+ warnUnsupported(initial.distribution);
30046
30242
  const envOptions = {
30047
30243
  ...options.fromCfnStack !== void 0 && { fromCfnStack: options.fromCfnStack },
30048
30244
  ...options.assumeRole !== void 0 && { assumeRole: options.assumeRole },
@@ -30072,7 +30268,8 @@ async function localStartCloudFrontCommand(target, options) {
30072
30268
  port: basePort,
30073
30269
  ...tls && { tls },
30074
30270
  ...lambdaInvokers.size > 0 && { lambdaInvokers },
30075
- ...edgeInvokers.size > 0 && { edgeInvokers }
30271
+ ...edgeInvokers.size > 0 && { edgeInvokers },
30272
+ ...deployedS3.readers.size > 0 && { s3OriginReaders: deployedS3.readers }
30076
30273
  });
30077
30274
  } catch (err) {
30078
30275
  await Promise.all([...lambdaRunners, ...edgeRunners].map((r) => r.stop().catch(() => void 0)));
@@ -30098,6 +30295,7 @@ async function localStartCloudFrontCommand(target, options) {
30098
30295
  reloadChain = reloadChain.then(async () => {
30099
30296
  try {
30100
30297
  const reloaded = await synthAndResolve();
30298
+ annotateDeployedS3Origins(reloaded.distribution, deployedS3.buckets);
30101
30299
  warnUnsupported(reloaded.distribution);
30102
30300
  await attachKvsModules(reloaded.distribution, reloaded.stacks, options, profileCredentials, logger);
30103
30301
  server.update(reloaded.distribution);
@@ -30153,7 +30351,7 @@ function createLocalStartCloudFrontCommand(opts = {}) {
30153
30351
  * `cmd`.
30154
30352
  */
30155
30353
  function addStartCloudFrontSpecificOptions(cmd) {
30156
- return cmd.addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--origin <originId=dir>", "Point a distribution origin at a local directory (repeatable). Use when cdk-local cannot resolve the origin's BucketDeployment source automatically (content uploaded out of band, or a non-CDK bucket).").argParser((value, prev) => [...prev ?? [], value])).addOption(new Option("--kvs-file <kvsLogicalId=file.json>", "Back a CloudFront Function's KeyValueStore reads (cf.kvs().get()) with a local JSON map (repeatable). The key is the AWS::CloudFront::KeyValueStore resource logical id; the file is a flat { \"key\": \"value\" } object. The AWS-free alternative to --from-cfn-stack, which instead reads the deployed store via the GetKey API.").argParser((value, prev) => [...prev ?? [], value])).addOption(new Option("--tls", "Terminate real TLS (HTTPS). Uses --tls-cert / --tls-key when supplied, else an auto-generated self-signed cert.").default(false)).addOption(new Option("--tls-cert <path>", "PEM server certificate for --tls (implies --tls).")).addOption(new Option("--tls-key <path>", "PEM server private key for --tls (implies --tls).")).addOption(new Option("--no-pull", "Skip 'docker pull' for a Lambda Function URL origin's base image (use the locally cached image).")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Bind a Lambda Function URL origin's backing Lambda to a deployed CloudFormation stack so its env vars resolve to the deployed physical IDs / exports (ListStackResources). Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name; pass a value when the CFn stack name differs. No effect on a pure-S3 distribution.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--assume-role [arn]", "Assume a Lambda Function URL origin's deployed execution role and forward STS-issued temp credentials into its container so the handler runs with the deployed permissions. Three forms: `--assume-role <arn>` (explicit ARN); `--assume-role` (bare, auto-resolves from state — requires --from-cfn-stack); `--no-assume-role` (opt out). Off by default (the dev shell credentials are forwarded).")).addOption(new Option("--watch", "Hot-reload: re-synth + re-resolve the distribution when the CDK app's source changes (honors cdk.json watch.include/exclude; cdk.out, node_modules, .git are always excluded). The server keeps the previous version serving when synth fails mid-reload.").default(false));
30354
+ return cmd.addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--origin <originId=dir>", "Point a distribution origin at a local directory (repeatable). Use when cdk-local cannot resolve the origin's BucketDeployment source automatically (content uploaded out of band, or a non-CDK bucket).").argParser((value, prev) => [...prev ?? [], value])).addOption(new Option("--kvs-file <kvsLogicalId=file.json>", "Back a CloudFront Function's KeyValueStore reads (cf.kvs().get()) with a local JSON map (repeatable). The key is the AWS::CloudFront::KeyValueStore resource logical id; the file is a flat { \"key\": \"value\" } object. The AWS-free alternative to --from-cfn-stack, which instead reads the deployed store via the GetKey API.").argParser((value, prev) => [...prev ?? [], value])).addOption(new Option("--tls", "Terminate real TLS (HTTPS). Uses --tls-cert / --tls-key when supplied, else an auto-generated self-signed cert.").default(false)).addOption(new Option("--tls-cert <path>", "PEM server certificate for --tls (implies --tls).")).addOption(new Option("--tls-key <path>", "PEM server private key for --tls (implies --tls).")).addOption(new Option("--no-pull", "Skip 'docker pull' for a Lambda Function URL origin's base image (use the locally cached image).")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Bind to a deployed CloudFormation stack (ListStackResources). Resolves an S3 origin that has no local BucketDeployment source to its deployed bucket and serves it from real S3 on demand (the front/back-split case: files uploaded out of band), and resolves a Lambda Function URL / Lambda@Edge function's env vars to the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name; pass a value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--assume-role [arn]", "Assume a Lambda Function URL origin's deployed execution role and forward STS-issued temp credentials into its container so the handler runs with the deployed permissions. Three forms: `--assume-role <arn>` (explicit ARN); `--assume-role` (bare, auto-resolves from state — requires --from-cfn-stack); `--no-assume-role` (opt out). Off by default (the dev shell credentials are forwarded).")).addOption(new Option("--watch", "Hot-reload: re-synth + re-resolve the distribution when the CDK app's source changes (honors cdk.json watch.include/exclude; cdk.out, node_modules, .git are always excluded). The server keeps the previous version serving when synth fails mid-reload.").default(false));
30157
30355
  }
30158
30356
 
30159
30357
  //#endregion
@@ -35188,5 +35386,5 @@ function addStudioSpecificOptions(cmd) {
35188
35386
  }
35189
35387
 
35190
35388
  //#endregion
35191
- export { resolveCloudFrontDistribution as $, matchPreflight as $n, AGENTCORE_A2A_PROTOCOL as $r, MCP_CONTAINER_PORT as $t, parseOriginOverrides as A, filterRoutesByApiIdentifiers as An, LocalStateSourceError as Ar, ImageOverrideError as At, applyEdgeRequestResult as B, verifyCognitoJwt as Bn, resolveWatchConfig as Br, buildCloudMapIndex as Bt, addListSpecificOptions as C, createFileWatcher as Cn, resolveRuntimeFileExtension as Cr, buildEcsImageResolutionContext$1 as Ct, addStartCloudFrontSpecificOptions as D, resolveEnvVars$1 as Dn, substituteAgainstStateAsync as Dr, resolveEcsAssumeRoleOption as Dt, LocalStartCloudFrontError as E, materializeLayerFromArn as En, substituteAgainstState as Er, parseRestartPolicy as Et, resolveDeployedKvsArnByName as F, resolveServiceIntegrationParameters as Fn, resolveCfnRegion as Fr, resolveImageOverrides as Ft, httpHeadersToEdge as G, evaluateCachedLambdaPolicy as Gn, discoverWebSocketApis as Gr, getContainerNetworkIp as Gt, buildEdgeRequestEvent as H, verifyJwtViaDiscovery as Hn, countTargets as Hr, DEFAULT_SHADOW_READY_TIMEOUT_MS as Ht, matchBehavior as I, defaultCredentialsLoader as In, resolveCfnStackName as Ir, runImageOverrideBuilds as It, isCloudFrontDistribution as J, attachAuthorizers as Jn, parseSelectionExpressionPath as Jr, createLocalInvokeAgentCoreCommand as Jt, CLOUDFRONT_DISTRIBUTION_TYPE as K, invokeRequestAuthorizer as Kn, discoverWebSocketApisOrThrow as Kr, attachContainerLogStreamer as Kt, startCloudFrontServer as L, buildCognitoJwksUrl as Ln, CfnLocalStateProvider as Lr, describePinnedImageUri as Lt, idFromArn as M, readMtlsMaterialsFromDisk as Mn, isCfnFlagPresent as Mr, enforceImageOverrideOrphans as Mt, resolveKvsModulesForDistribution as N, startApiServer as Nn, rejectExplicitCfnStackWithMultipleStacks as Nr, mergeForService as Nt, createLocalStartCloudFrontCommand as O, availableApiIdentifiers as On, substituteEnvVarsFromState as Or, resolveSharedSidecarCredentials as Ot, createDeployedKvsDataSource as P, resolveSelectionExpression as Pn, resolveCfnFallbackRegion as Pr, parseImageOverrideFlags as Pt, pickTargetFunctionLogicalId as Q, isFunctionUrlOacFronted as Qn, resolveLambdaArnIntrinsic as Qr, a2aInvokeOnce as Qt, serveFromStaticOrigin as R, buildJwksUrlFromIssuer as Rn, collectSsmParameterRefs as Rr, isLocalCdkAssetImage as Rt, StudioEventBus as S, createAuthorizerCache as Sn, resolveRuntimeCodeMountPath as Sr, addImageOverrideOptions as St, formatTargetListing as T, buildStageMap as Tn, EcsTaskResolutionError as Tr, parseMaxTasks as Tt, buildEdgeResponseEvent as U, buildMethodArn as Un, listTargets as Ur, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as Ut, applyEdgeResponseResult as V, verifyJwtAuthorizer as Vn, resolveSingleTarget as Vr, CloudMapRegistry as Vt, edgeHeadersToHttp as W, computeRequestIdentityHash as Wn, availableWebSocketApiIdentifiers as Wr, setShadowReadyTimeoutMs as Wt, pickKvsLogicalIdFromArn as X, buildCorsConfigByApiId as Xn, discoverRoutes as Xr, A2A_CONTAINER_PORT as Xt, pickFunctionUrlLogicalIdFromOrigin as Y, applyCorsResponseHeaders as Yn, webSocketApiMatchesIdentifier as Yr, invokeAgentCoreWs as Yt, pickLambdaEdgeFunctionLogicalId as Z, buildCorsConfigFromCloudFrontChain as Zn, pickRefLogicalId as Zr, A2A_PATH as Zt, filterStudioTargetGroups as _, createLocalInvokeCommand as _n, buildConnectEvent as _r, addRunTaskSpecificOptions as _t, createLocalStudioCommand as a, pickAgentCoreCandidateStack as ai, signAgentCoreInvocation as an, evaluateResponseParameters as ar, createLocalFileKvsDataSource as at, renderStudioHtml as b, createWatchPredicates as bn, architectureToPlatform as br, addCommonEcsServiceOptions as bt, startStudioProxy as c, formatStateRemedy as ci, waitForAgentCorePing as cn, tryParseStatus as cr, albStrategy as ct, createStudioDispatcher as d, LocalInvokeBuildError as di, buildAgentCoreCodeImage as dn, probeHostGatewaySupport as dr, resolveAlbTarget as dt, AGENTCORE_AGUI_PROTOCOL as ei, MCP_PATH as en, matchRoute as er, compileCloudFrontFunction as et, filterStudioCustomResources as f, buildStsClientConfig as fi, computeCodeImageTag as fn, bufferToBody as fr, isApplicationLoadBalancer as ft, annotatePinnedEcsTargets as g, addInvokeSpecificOptions as gn, parseConnectionsPath as gr, serviceStrategy as gt, annotateEcsTaskPinnedTargets as h, classifySourceChange as hn, handleConnectionsRequest as hr, createLocalStartServiceCommand as ht, coerceStopRequest as i, AgentCoreResolutionError as ii, AGENTCORE_SIGV4_SERVICE as in, buildRestV1Event as ir, createCloudFrontModule as it, resolveCloudFrontTarget as j, groupRoutesByServer as jn, createLocalStateProvider as jr, buildImageOverrideTag as jt, parseKvsFileOverrides as k, filterRoutesByApiIdentifier as kn, substituteEnvVarsFromStateAsync as kr, runEcsServiceEmulator as kt, relayServeRequest as l, substituteImagePlaceholders as li, downloadAndExtractS3Bundle as ln, VtlEvaluationError as lr, createLocalStartAlbCommand as lt, annotateAlbPinnedBackingServices as m, toCmdArgv as mn, buildMgmtEndpointEnvUrl as mr, addStartServiceSpecificOptions as mt, coerceRunRequest as n, AGENTCORE_MCP_PROTOCOL as ni, mcpInvokeOnce as nn, applyAuthorizerOverlay as nr, runViewerResponse as nt, resolveServeBaseUrl as o, resolveAgentCoreTarget as oi, AGENTCORE_SESSION_ID_HEADER as on, pickResponseTemplate as or, createUnboundCloudFrontModule as ot, isCustomResourceLambdaTarget as p, resolveProfileCredentials as pi, renderCodeDockerfile as pn, ConnectionRegistry as pr, resolveAlbFrontDoor as pt, extractKvsAssociations as q, invokeTokenAuthorizer as qn, filterWebSocketApisByIdentifiers as qr, addInvokeAgentCoreSpecificOptions as qt, coerceServeRequest as r, AGENTCORE_RUNTIME_TYPE as ri, parseSseForJsonRpc as rn, buildHttpApiV2Event as rr, stripCloudFrontImport as rt, createStudioServeManager as s, derivePseudoParametersFromRegion as si, invokeAgentCore as sn, selectIntegrationResponse as sr, addAlbSpecificOptions as st, addStudioSpecificOptions as t, AGENTCORE_HTTP_PROTOCOL as ti, MCP_PROTOCOL_VERSION as tn, translateLambdaResponse as tr, runViewerRequest as tt, reinvoke as u, tryResolveImageFnJoin as ui, SUPPORTED_CODE_RUNTIMES as un, HOST_GATEWAY_MIN_VERSION as ur, parseLbPortOverrides as ut, startStudioServer as v, addStartApiSpecificOptions as vn, buildDisconnectEvent as vr, createLocalRunTaskCommand as vt, createLocalListCommand as w, attachStageContext as wn, resolveRuntimeImage as wr, ecsClusterOption as wt, createStudioStore as x, resolveApiTargetSubset as xn, buildContainerImage as xr, addEcsAssumeRoleOptions as xt, toStudioTargetGroups as y, createLocalStartApiCommand as yn, buildMessageEvent as yr, MAX_TASKS_SUBNET_RANGE_CAP as yt, serveLambdaUrlOrigin as z, createJwksCache as zn, resolveSsmParameters as zr, listPinnedTargets as zt };
35192
- //# sourceMappingURL=local-studio--ndMb9dM.js.map
35389
+ export { pickKvsLogicalIdFromArn as $, buildCorsConfigByApiId as $n, discoverRoutes as $r, A2A_CONTAINER_PORT as $t, parseOriginOverrides as A, resolveEnvVars$1 as An, substituteAgainstStateAsync as Ar, resolveEcsAssumeRoleOption as At, resolveErrorResponseCandidates as B, buildCognitoJwksUrl as Bn, CfnLocalStateProvider as Br, describePinnedImageUri as Bt, addListSpecificOptions as C, createWatchPredicates as Cn, architectureToPlatform as Cr, addCommonEcsServiceOptions as Ct, addStartCloudFrontSpecificOptions as D, attachStageContext as Dn, resolveRuntimeImage as Dr, ecsClusterOption as Dt, LocalStartCloudFrontError as E, createFileWatcher as En, resolveRuntimeFileExtension as Er, buildEcsImageResolutionContext$1 as Et, resolveDeployedKvsArnByName as F, readMtlsMaterialsFromDisk as Fn, isCfnFlagPresent as Fr, enforceImageOverrideOrphans as Ft, buildEdgeRequestEvent as G, verifyJwtViaDiscovery as Gn, countTargets as Gr, DEFAULT_SHADOW_READY_TIMEOUT_MS as Gt, serveLambdaUrlOrigin as H, createJwksCache as Hn, resolveSsmParameters as Hr, listPinnedTargets as Ht, classifyS3Error as I, startApiServer as In, rejectExplicitCfnStackWithMultipleStacks as Ir, mergeForService as It, httpHeadersToEdge as J, evaluateCachedLambdaPolicy as Jn, discoverWebSocketApis as Jr, getContainerNetworkIp as Jt, buildEdgeResponseEvent as K, buildMethodArn as Kn, listTargets as Kr, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as Kt, createS3OriginReader as L, resolveSelectionExpression as Ln, resolveCfnFallbackRegion as Lr, parseImageOverrideFlags as Lt, idFromArn as M, filterRoutesByApiIdentifier as Mn, substituteEnvVarsFromStateAsync as Mr, runEcsServiceEmulator as Mt, resolveKvsModulesForDistribution as N, filterRoutesByApiIdentifiers as Nn, LocalStateSourceError as Nr, ImageOverrideError as Nt, createLocalStartCloudFrontCommand as O, buildStageMap as On, EcsTaskResolutionError as Or, parseMaxTasks as Ot, createDeployedKvsDataSource as P, groupRoutesByServer as Pn, createLocalStateProvider as Pr, buildImageOverrideTag as Pt, pickFunctionUrlLogicalIdFromOrigin as Q, applyCorsResponseHeaders as Qn, webSocketApiMatchesIdentifier as Qr, invokeAgentCoreWs as Qt, matchBehavior as R, resolveServiceIntegrationParameters as Rn, resolveCfnRegion as Rr, resolveImageOverrides as Rt, StudioEventBus as S, createLocalStartApiCommand as Sn, buildMessageEvent as Sr, MAX_TASKS_SUBNET_RANGE_CAP as St, formatTargetListing as T, createAuthorizerCache as Tn, resolveRuntimeCodeMountPath as Tr, addImageOverrideOptions as Tt, applyEdgeRequestResult as U, verifyCognitoJwt as Un, resolveWatchConfig as Ur, buildCloudMapIndex as Ut, serveFromStaticOrigin as V, buildJwksUrlFromIssuer as Vn, collectSsmParameterRefs as Vr, isLocalCdkAssetImage as Vt, applyEdgeResponseResult as W, verifyJwtAuthorizer as Wn, resolveSingleTarget as Wr, CloudMapRegistry as Wt, extractKvsAssociations as X, invokeTokenAuthorizer as Xn, filterWebSocketApisByIdentifiers as Xr, addInvokeAgentCoreSpecificOptions as Xt, CLOUDFRONT_DISTRIBUTION_TYPE as Y, invokeRequestAuthorizer as Yn, discoverWebSocketApisOrThrow as Yr, attachContainerLogStreamer as Yt, isCloudFrontDistribution as Z, attachAuthorizers as Zn, parseSelectionExpressionPath as Zr, createLocalInvokeAgentCoreCommand as Zt, filterStudioTargetGroups as _, toCmdArgv as _n, buildMgmtEndpointEnvUrl as _r, addStartServiceSpecificOptions as _t, createLocalStudioCommand as a, AGENTCORE_MCP_PROTOCOL as ai, mcpInvokeOnce as an, applyAuthorizerOverlay as ar, runViewerResponse as at, renderStudioHtml as b, createLocalInvokeCommand as bn, buildConnectEvent as br, addRunTaskSpecificOptions as bt, startStudioProxy as c, pickAgentCoreCandidateStack as ci, signAgentCoreInvocation as cn, evaluateResponseParameters as cr, createLocalFileKvsDataSource as ct, createStudioDispatcher as d, formatStateRemedy as di, waitForAgentCorePing as dn, tryParseStatus as dr, albStrategy as dt, pickRefLogicalId as ei, A2A_PATH as en, buildCorsConfigFromCloudFrontChain as er, pickLambdaEdgeFunctionLogicalId as et, filterStudioCustomResources as f, substituteImagePlaceholders as fi, downloadAndExtractS3Bundle as fn, VtlEvaluationError as fr, createLocalStartAlbCommand as ft, annotatePinnedEcsTargets as g, resolveProfileCredentials as gi, renderCodeDockerfile as gn, ConnectionRegistry as gr, resolveAlbFrontDoor as gt, annotateEcsTaskPinnedTargets as h, buildStsClientConfig as hi, computeCodeImageTag as hn, bufferToBody as hr, isApplicationLoadBalancer as ht, coerceStopRequest as i, AGENTCORE_HTTP_PROTOCOL as ii, MCP_PROTOCOL_VERSION as in, translateLambdaResponse as ir, runViewerRequest as it, resolveCloudFrontTarget as j, availableApiIdentifiers as jn, substituteEnvVarsFromState as jr, resolveSharedSidecarCredentials as jt, parseKvsFileOverrides as k, materializeLayerFromArn as kn, substituteAgainstState as kr, parseRestartPolicy as kt, relayServeRequest as l, resolveAgentCoreTarget as li, AGENTCORE_SESSION_ID_HEADER as ln, pickResponseTemplate as lr, createUnboundCloudFrontModule as lt, annotateAlbPinnedBackingServices as m, LocalInvokeBuildError as mi, buildAgentCoreCodeImage as mn, probeHostGatewaySupport as mr, resolveAlbTarget as mt, coerceRunRequest as n, AGENTCORE_A2A_PROTOCOL as ni, MCP_CONTAINER_PORT as nn, matchPreflight as nr, resolveCloudFrontDistribution as nt, resolveServeBaseUrl as o, AGENTCORE_RUNTIME_TYPE as oi, parseSseForJsonRpc as on, buildHttpApiV2Event as or, stripCloudFrontImport as ot, isCustomResourceLambdaTarget as p, tryResolveImageFnJoin as pi, SUPPORTED_CODE_RUNTIMES as pn, HOST_GATEWAY_MIN_VERSION as pr, parseLbPortOverrides as pt, edgeHeadersToHttp as q, computeRequestIdentityHash as qn, availableWebSocketApiIdentifiers as qr, setShadowReadyTimeoutMs as qt, coerceServeRequest as r, AGENTCORE_AGUI_PROTOCOL as ri, MCP_PATH as rn, matchRoute as rr, compileCloudFrontFunction as rt, createStudioServeManager as s, AgentCoreResolutionError as si, AGENTCORE_SIGV4_SERVICE as sn, buildRestV1Event as sr, createCloudFrontModule as st, addStudioSpecificOptions as t, resolveLambdaArnIntrinsic as ti, a2aInvokeOnce as tn, isFunctionUrlOacFronted as tr, pickTargetFunctionLogicalId as tt, reinvoke as u, derivePseudoParametersFromRegion as ui, invokeAgentCore as un, selectIntegrationResponse as ur, addAlbSpecificOptions as ut, startStudioServer as v, classifySourceChange as vn, handleConnectionsRequest as vr, createLocalStartServiceCommand as vt, createLocalListCommand as w, resolveApiTargetSubset as wn, buildContainerImage as wr, addEcsAssumeRoleOptions as wt, createStudioStore as x, addStartApiSpecificOptions as xn, buildDisconnectEvent as xr, createLocalRunTaskCommand as xt, toStudioTargetGroups as y, addInvokeSpecificOptions as yn, parseConnectionsPath as yr, serviceStrategy as yt, startCloudFrontServer as z, defaultCredentialsLoader as zn, resolveCfnStackName as zr, runImageOverrideBuilds as zt };
35390
+ //# sourceMappingURL=local-studio-D7SkLbCO.js.map