cdk-local 0.135.0 → 0.136.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -18469,8 +18469,8 @@ function defaultFetchObject$1(options) {
18469
18469
  * plain HTTP. `cdkl invoke-agentcore` runs the container, waits for `/ping`,
18470
18470
  * then POSTs one event to `/invocations` (invoke-once).
18471
18471
  */
18472
- const PING_PATH$1 = "/ping";
18473
- const INVOCATIONS_PATH$1 = "/invocations";
18472
+ const PING_PATH = "/ping";
18473
+ const INVOCATIONS_PATH = "/invocations";
18474
18474
  /**
18475
18475
  * Header AgentCore Runtime uses to carry the session id to the container.
18476
18476
  * Real AgentCore always sends it; we generate one (or pass the user's
@@ -18507,7 +18507,7 @@ async function waitForAgentCorePing(host, port, timeoutMs = 3e4) {
18507
18507
  await setTimeout$1(150);
18508
18508
  }
18509
18509
  const tail = lastDetail ? `: ${lastDetail}` : "";
18510
- throw new Error(`AgentCore agent did not become ready on ${host}:${port} within ${timeoutMs}ms${tail}. The container may have exited early or may not serve GET ${PING_PATH$1} — check 'docker logs' output.`);
18510
+ throw new Error(`AgentCore agent did not become ready on ${host}:${port} within ${timeoutMs}ms${tail}. The container may have exited early or may not serve GET ${PING_PATH} — check 'docker logs' output.`);
18511
18511
  }
18512
18512
  /**
18513
18513
  * Issue `GET /ping`. Returns the HTTP status on any response, undefined on
@@ -18518,7 +18518,7 @@ async function pingProbe(host, port, timeoutMs) {
18518
18518
  const controller = new AbortController();
18519
18519
  const timer = setTimeout(() => controller.abort(), timeoutMs);
18520
18520
  try {
18521
- const response = await fetch(`http://${host}:${port}${PING_PATH$1}`, {
18521
+ const response = await fetch(`http://${host}:${port}${PING_PATH}`, {
18522
18522
  method: "GET",
18523
18523
  signal: controller.signal
18524
18524
  });
@@ -18532,6 +18532,47 @@ async function pingProbe(host, port, timeoutMs) {
18532
18532
  }
18533
18533
  }
18534
18534
  /**
18535
+ * Wait until the container's HTTP server on `host:port` answers a probe `POST`
18536
+ * at `path` with ANY HTTP status, or throw after `timeoutMs`. This is the
18537
+ * readiness gate for the MCP / A2A warm serve (`cdkl start-agentcore`), which —
18538
+ * unlike the HTTP / AGUI protocol — have no `GET /ping`: an HTTP response (even
18539
+ * a 4xx for the probe's empty body) proves the app's HTTP server is bound and
18540
+ * routing the protocol path, so the warm serve can advertise its endpoint
18541
+ * without racing container boot. Only transient connect failures (the
18542
+ * container still coming up) are retried; the probe does NOT interpret the
18543
+ * protocol — the real client drives the MCP handshake / A2A JSON-RPC through
18544
+ * the serve.
18545
+ *
18546
+ * A TCP-only probe would be too early (Docker's port forwarder accepts the
18547
+ * connection before the agent's HTTP server binds); an HTTP response is the
18548
+ * honest "the app is up" signal.
18549
+ */
18550
+ async function waitForAgentCoreHttpReady(host, port, path, timeoutMs = 3e4) {
18551
+ const deadline = Date.now() + timeoutMs;
18552
+ let lastDetail = "";
18553
+ while (Date.now() < deadline) {
18554
+ const controller = new AbortController();
18555
+ const timer = setTimeout(() => controller.abort(), 1e3);
18556
+ try {
18557
+ await (await fetch(`http://${host}:${port}${path}`, {
18558
+ method: "POST",
18559
+ headers: { "content-type": "application/json" },
18560
+ body: "{}",
18561
+ signal: controller.signal
18562
+ })).text().catch(() => void 0);
18563
+ return;
18564
+ } catch (err) {
18565
+ if (!isTransientNetworkError$2(err)) throw err;
18566
+ lastDetail = err instanceof Error ? err.message : String(err);
18567
+ } finally {
18568
+ clearTimeout(timer);
18569
+ }
18570
+ await setTimeout$1(150);
18571
+ }
18572
+ const tail = lastDetail ? `: ${lastDetail}` : "";
18573
+ throw new Error(`AgentCore agent did not become ready on ${host}:${port} within ${timeoutMs}ms${tail}. The container may have exited early or may not serve POST ${path} — check 'docker logs' output.`);
18574
+ }
18575
+ /**
18535
18576
  * `fetch()` failures during container boot manifest as a generic
18536
18577
  * `TypeError: fetch failed` whose `.cause` carries the underlying Node
18537
18578
  * `ECONNRESET` / `ECONNREFUSED` / `UND_ERR_SOCKET`. Treat all of those —
@@ -18557,7 +18598,7 @@ function isTransientNetworkError$2(err) {
18557
18598
  * a missing sink) is buffered into `raw` and returned verbatim.
18558
18599
  */
18559
18600
  async function invokeAgentCore(host, port, event, options) {
18560
- const url = `http://${host}:${port}${INVOCATIONS_PATH$1}`;
18601
+ const url = `http://${host}:${port}${INVOCATIONS_PATH}`;
18561
18602
  const body = JSON.stringify(event ?? {});
18562
18603
  const controller = new AbortController();
18563
18604
  const timer = setTimeout(() => controller.abort(), options.timeoutMs);
@@ -31010,33 +31051,14 @@ function startAgentCoreWsBridge(config) {
31010
31051
 
31011
31052
  //#endregion
31012
31053
  //#region src/local/agentcore-http-server.ts
31013
- /**
31014
- * Host HTTP serve in front of a warm AgentCore runtime container, the serving
31015
- * primitive behind `cdkl start-agentcore` for HTTP / AGUI protocols (issue
31016
- * #454). Unlike the single-shot `cdkl invoke-agentcore` — which boots a
31017
- * container, POSTs ONE `/invocations`, and tears it down — this keeps the
31018
- * container warm and serves its native HTTP contract until `^C`, so a client
31019
- * can hit `POST /invocations` (and `GET /ping`) repeatedly against the SAME
31020
- * warm container. That mirrors AgentCore's deployed model, where many
31021
- * `InvokeAgentRuntime` calls on the same `runtimeSessionId` reuse one warm
31022
- * microVM.
31023
- *
31024
- * One host `http.Server` serves all three:
31025
- * - `GET /ping` -> proxied to the container's `/ping`
31026
- * - `POST /invocations` -> proxied to the container's `/invocations`
31027
- * (request body streamed up, response — JSON or SSE — streamed back)
31028
- * - `/ws` upgrade -> the existing header-injecting bridge
31029
- * ({@link attachAgentCoreWsBridge}) on the same port, so a header-less
31030
- * browser `WebSocket` still works exactly as before.
31031
- *
31032
- * Auth parity: the boot-resolved `authorization` (the `--bearer-token`
31033
- * validated once at boot under a `customJwtAuthorizer`, or the `--sigv4`
31034
- * header set) is injected on every forwarded request — the same model the
31035
- * `/ws` bridge uses. Per-request inbound JWT verification is out of scope for
31036
- * this slice.
31037
- */
31038
- const PING_PATH = "/ping";
31039
- const INVOCATIONS_PATH = "/invocations";
31054
+ /** Default routing table — the HTTP / AGUI contract (POST /invocations + GET /ping). */
31055
+ const DEFAULT_ROUTES = [{
31056
+ method: "POST",
31057
+ path: "/invocations"
31058
+ }, {
31059
+ method: "GET",
31060
+ path: "/ping"
31061
+ }];
31040
31062
  /**
31041
31063
  * Proxy one inbound HTTP request to the warm container, injecting the
31042
31064
  * session-id + Authorization (+ any extra) headers, and stream the response
@@ -31077,22 +31099,25 @@ function proxyToContainer(clientReq, clientRes, config, upstreamPath) {
31077
31099
  */
31078
31100
  function startAgentCoreHttpServer(config) {
31079
31101
  const host = config.host ?? "127.0.0.1";
31102
+ const routes = config.routes ?? DEFAULT_ROUTES;
31103
+ const attachWs = config.attachWs ?? true;
31104
+ const notFoundHint = buildNotFoundHint(routes, attachWs);
31080
31105
  const httpServer = createServer$1((req, res) => {
31081
31106
  const path = (req.url ?? "/").split("?")[0];
31082
- if (req.method === "GET" && path === PING_PATH) return proxyToContainer(req, res, config, PING_PATH);
31083
- if (req.method === "POST" && path === INVOCATIONS_PATH) return proxyToContainer(req, res, config, INVOCATIONS_PATH);
31107
+ const match = routes.find((r) => r.method === req.method && r.path === path);
31108
+ if (match) return proxyToContainer(req, res, config, match.path);
31084
31109
  res.writeHead(404, { "content-type": "application/json" });
31085
31110
  res.end(JSON.stringify({
31086
31111
  error: "not found",
31087
- hint: "POST /invocations or GET /ping (WebSocket: connect to /ws)"
31112
+ hint: notFoundHint
31088
31113
  }));
31089
31114
  });
31090
- const bridge = attachAgentCoreWsBridge(httpServer, {
31115
+ const bridge = attachWs ? attachAgentCoreWsBridge(httpServer, {
31091
31116
  containerHost: config.containerHost,
31092
31117
  containerPort: config.containerPort,
31093
31118
  ...config.sessionId && { sessionId: config.sessionId },
31094
31119
  ...config.authorization && { authorization: config.authorization }
31095
- });
31120
+ }) : void 0;
31096
31121
  return new Promise((resolve, reject) => {
31097
31122
  httpServer.once("error", reject);
31098
31123
  httpServer.listen(config.port ?? 0, host, () => {
@@ -31101,15 +31126,26 @@ function startAgentCoreHttpServer(config) {
31101
31126
  const port = httpServer.address().port;
31102
31127
  resolve({
31103
31128
  httpUrl: `http://${host}:${port}`,
31104
- wsUrl: `ws://${host}:${port}${bridge.path}`,
31129
+ ...bridge && { wsUrl: `ws://${host}:${port}${bridge.path}` },
31105
31130
  port,
31106
31131
  close: () => new Promise((res) => {
31107
- bridge.close().then(() => httpServer.close(() => res()));
31132
+ if (bridge) bridge.close().then(() => httpServer.close(() => res()));
31133
+ else httpServer.close(() => res());
31108
31134
  })
31109
31135
  });
31110
31136
  });
31111
31137
  });
31112
31138
  }
31139
+ /**
31140
+ * Build the 404 hint from the served routes, appending the `/ws` pointer when
31141
+ * the WebSocket bridge is attached. e.g. HTTP / AGUI ->
31142
+ * `POST /invocations or GET /ping (WebSocket: connect to /ws)`; MCP ->
31143
+ * `POST /mcp`.
31144
+ */
31145
+ function buildNotFoundHint(routes, attachWs) {
31146
+ const base = routes.map((r) => `${r.method} ${r.path}`).join(" or ");
31147
+ return attachWs ? `${base} (WebSocket: connect to /ws)` : base;
31148
+ }
31113
31149
 
31114
31150
  //#endregion
31115
31151
  //#region src/cli/commands/local-start-agentcore.ts
@@ -31122,31 +31158,66 @@ function parsePort(raw) {
31122
31158
  return n;
31123
31159
  }
31124
31160
  /**
31125
- * Reject MCP / A2A runtimes: the `/ws` WebSocket endpoint this command serves
31126
- * exists only on the HTTP / AGUI protocols. MCP (`POST /mcp`) and A2A
31127
- * (`POST /`) are single-shot request/response contracts with no bidirectional
31128
- * socket. Exported so a unit test can drive the gate without the Docker
31129
- * pipeline.
31161
+ * Map a resolved runtime's protocol to its warm-serve plan. All four protocols
31162
+ * are served (issue #454): HTTP / AGUI on 8080 (`POST /invocations` + `GET
31163
+ * /ping` + the `/ws` bridge), MCP on 8000 (`POST /mcp`), A2A on 9000
31164
+ * (`POST /`). MCP / A2A are pure request/response pass-through with no `/ws`.
31130
31165
  */
31131
- function assertAgentCoreWsServable(resolved) {
31132
- if (resolved.protocol === "MCP" || resolved.protocol === "A2A") throw new CdkLocalError(`${getEmbedConfig().cliName} start-agentcore serves the HTTP / AGUI /ws WebSocket endpoint, but '${resolved.logicalId}' is a ${resolved.protocol} runtime, which has no /ws. Use \`${getEmbedConfig().cliName} invoke-agentcore\` for ${resolved.protocol} runtimes.`, "LOCAL_START_AGENTCORE_PROTOCOL_UNSUPPORTED");
31166
+ function resolveAgentCoreServePlan(protocol) {
31167
+ if (protocol === "MCP") return {
31168
+ containerPort: MCP_CONTAINER_PORT,
31169
+ containerPortLabel: `${MCP_CONTAINER_PORT}${MCP_PATH}`,
31170
+ routes: [{
31171
+ method: "POST",
31172
+ path: MCP_PATH
31173
+ }],
31174
+ attachWs: false,
31175
+ readyPath: MCP_PATH
31176
+ };
31177
+ if (protocol === "A2A") return {
31178
+ containerPort: A2A_CONTAINER_PORT,
31179
+ containerPortLabel: `${A2A_CONTAINER_PORT}${"/"}`,
31180
+ routes: [{
31181
+ method: "POST",
31182
+ path: "/"
31183
+ }],
31184
+ attachWs: false,
31185
+ readyPath: "/"
31186
+ };
31187
+ return {
31188
+ containerPort: void 0,
31189
+ containerPortLabel: "8080",
31190
+ routes: [{
31191
+ method: "POST",
31192
+ path: "/invocations"
31193
+ }, {
31194
+ method: "GET",
31195
+ path: "/ping"
31196
+ }],
31197
+ attachWs: true,
31198
+ readyPath: void 0
31199
+ };
31133
31200
  }
31134
31201
  /**
31135
31202
  * `cdkl start-agentcore <target>` — boot a Bedrock AgentCore Runtime container
31136
- * locally and serve its bidirectional `/ws` WebSocket endpoint behind a
31137
- * long-running host bridge, so a browser (or any WebSocket client) can hold an
31138
- * interactive multi-frame session against it.
31139
- *
31140
- * Why a bridge rather than the published container port directly: the
31141
- * AgentCore `/ws` upgrade requires the session-id (and, under a
31142
- * `customJwtAuthorizer`, `Authorization`) header, which a browser `WebSocket`
31143
- * cannot set. The bridge accepts a header-less client and injects those
31144
- * headers on the container leg. HTTP / AGUI protocols only — MCP / A2A
31145
- * runtimes have no `/ws`.
31203
+ * locally ONCE, keep it warm, and serve its native contract on one host port
31204
+ * until SIGINT / SIGTERM, so a client can hit the agent repeatedly against the
31205
+ * SAME warm container (issue #454).
31206
+ *
31207
+ * All four protocols are served (the proxy is protocol-agnostic; only the
31208
+ * routing + readiness differ per {@link resolveAgentCoreServePlan}):
31209
+ * - HTTP / AGUI (8080): `POST /invocations` + `GET /ping`, plus the
31210
+ * bidirectional `/ws` endpoint behind a host bridge. The `/ws` upgrade
31211
+ * requires the session-id (and, under a `customJwtAuthorizer`,
31212
+ * `Authorization`) header a browser `WebSocket` cannot set, so the bridge
31213
+ * accepts a header-less client and injects those headers on the container
31214
+ * leg.
31215
+ * - MCP (8000): `POST /mcp`. A2A (9000): `POST /`. No `/ws` — pure
31216
+ * request/response pass-through (the client drives the handshake).
31146
31217
  *
31147
31218
  * The container is booted once via the SAME image / env / auth resolution as
31148
31219
  * `cdkl invoke-agentcore`; the process then blocks until SIGINT / SIGTERM,
31149
- * tearing down the bridge and the container.
31220
+ * tearing down the serve and the container.
31150
31221
  */
31151
31222
  async function localStartAgentCoreCommand(target, options, extraStateProviders) {
31152
31223
  const logger = getLogger();
@@ -31218,7 +31289,7 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
31218
31289
  };
31219
31290
  const resolved = resolveAgentCoreTarget(resolvedTarget, stacks, imageContext);
31220
31291
  logger.info(`Target: ${resolved.stack.stackName}/${resolved.logicalId} (${resolved.protocol})`);
31221
- assertAgentCoreWsServable(resolved);
31292
+ const plan = resolveAgentCoreServePlan(resolved.protocol);
31222
31293
  const authorization = await resolveInboundAuthorization(resolved, options);
31223
31294
  await resolveFromS3BucketIntrinsic(resolved, stateProvider, loadedState, imageContext);
31224
31295
  const image = await resolveAgentCoreImage(resolved, options, loadedState, stateProvider);
@@ -31226,7 +31297,7 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
31226
31297
  const containerHostPort = await pickFreePort();
31227
31298
  const containerHost = options.containerHost;
31228
31299
  const containerName = `${getEmbedConfig().resourceNamePrefix}-agentcore-${process.pid}-${Math.random().toString(36).slice(2, 8)}`;
31229
- logger.info(`Starting agent container (image=${image}, port=${containerHostPort} -> 8080)...`);
31300
+ logger.info(`Starting agent container (image=${image}, port=${containerHostPort} -> ${plan.containerPortLabel})...`);
31230
31301
  containerId = await runDetached({
31231
31302
  image,
31232
31303
  mounts: [],
@@ -31236,6 +31307,7 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
31236
31307
  host: containerHost,
31237
31308
  platform: options.platform,
31238
31309
  name: containerName,
31310
+ ...plan.containerPort !== void 0 && { containerPort: plan.containerPort },
31239
31311
  ...sensitiveEnvKeys.size > 0 && { sensitiveEnvKeys }
31240
31312
  });
31241
31313
  stopLogs = streamLogs(containerId);
@@ -31249,12 +31321,15 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
31249
31321
  process.on("SIGINT", () => void shutdown("SIGINT", 130));
31250
31322
  process.on("SIGTERM", () => void shutdown("SIGTERM", 0));
31251
31323
  try {
31252
- await waitForAgentCorePing(containerHost, containerHostPort, options.timeout);
31324
+ if (plan.readyPath === void 0) await waitForAgentCorePing(containerHost, containerHostPort, options.timeout);
31325
+ else await waitForAgentCoreHttpReady(containerHost, containerHostPort, plan.readyPath, options.timeout);
31253
31326
  server = await startAgentCoreHttpServer({
31254
31327
  containerHost,
31255
31328
  containerPort: containerHostPort,
31256
31329
  host: options.host,
31257
31330
  port: options.port,
31331
+ routes: plan.routes,
31332
+ attachWs: plan.attachWs,
31258
31333
  ...authorization && { authorization },
31259
31334
  ...options.sessionId && { sessionId: options.sessionId }
31260
31335
  });
@@ -31262,21 +31337,30 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
31262
31337
  await teardown();
31263
31338
  throw err;
31264
31339
  }
31265
- logger.info(`Server listening on ${server.wsUrl} (${resolved.logicalId} (AgentCore WebSocket))`);
31266
- logger.info(`HTTP contract served on ${server.httpUrl} — POST ${server.httpUrl}/invocations, GET ${server.httpUrl}/ping`);
31340
+ if (server.wsUrl) {
31341
+ logger.info(`Server listening on ${server.wsUrl} (${resolved.logicalId} (AgentCore WebSocket))`);
31342
+ logger.info(`HTTP contract served on ${server.httpUrl} — POST ${server.httpUrl}/invocations, GET ${server.httpUrl}/ping`);
31343
+ } else {
31344
+ const contractPath = plan.routes[0]?.path ?? "/";
31345
+ const contractUrl = `${server.httpUrl}${contractPath}`;
31346
+ logger.info(`Server listening on ${server.httpUrl} (${resolved.logicalId})`);
31347
+ logger.info(`${resolved.protocol} contract served on ${contractUrl} — POST ${contractUrl}`);
31348
+ }
31267
31349
  logger.info("Press ^C to shut down.");
31268
31350
  await new Promise(() => void 0);
31269
31351
  }
31270
31352
  /**
31271
- * `cdkl start-agentcore <target>` — long-running serve for a Bedrock AgentCore
31272
- * Runtime's `/ws` WebSocket endpoint, fronted by a host bridge that injects the
31273
- * session-id / Authorization upgrade headers a browser `WebSocket` cannot set.
31274
- * The serve counterpart of the single-shot `cdkl invoke-agentcore`; the studio
31353
+ * `cdkl start-agentcore <target>` — long-running warm serve for a Bedrock
31354
+ * AgentCore Runtime. Boots the container once and serves its native contract on
31355
+ * one host port: HTTP / AGUI get `POST /invocations` + `GET /ping` plus the
31356
+ * `/ws` bridge (which injects the session-id / Authorization upgrade headers a
31357
+ * browser `WebSocket` cannot set), MCP gets `POST /mcp`, A2A gets `POST /`. The
31358
+ * serve counterpart of the single-shot `cdkl invoke-agentcore`; the studio
31275
31359
  * `agentcore-ws` serve kind spawns this command.
31276
31360
  */
31277
31361
  function createLocalStartAgentCoreCommand(opts = {}) {
31278
31362
  setEmbedConfig(opts.embedConfig);
31279
- const cmd = new Command("start-agentcore").description("Serve a Bedrock AgentCore Runtime's bidirectional /ws WebSocket endpoint locally for an interactive multi-frame session. Boots the AWS::BedrockAgentCore::Runtime container (same image / env / credential resolution as invoke-agentcore), then runs a host WebSocket bridge that injects the AgentCore session-id (and Authorization under a customJwtAuthorizer) on the container upgrade so a header-less client (e.g. a browser) can connect. HTTP / AGUI protocols only (MCP / A2A runtimes have no /ws). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID; single-stack apps may omit the prefix. Omit <target> in a TTY to pick from a list. Runs until ^C.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to serve (omit to pick interactively in a TTY)").action(withErrorHandling(async (target, options) => {
31363
+ const cmd = new Command("start-agentcore").description("Serve a Bedrock AgentCore Runtime's contract locally against a warm container. Boots the AWS::BedrockAgentCore::Runtime container ONCE (same image / env / credential resolution as invoke-agentcore) and keeps it warm, so a client can hit it repeatedly. HTTP / AGUI runtimes serve POST /invocations + GET /ping plus the bidirectional /ws endpoint behind a host bridge (injects the AgentCore session-id, and Authorization under a customJwtAuthorizer, so a header-less client like a browser can connect); MCP runtimes serve POST /mcp, A2A POST /. Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID; single-stack apps may omit the prefix. Omit <target> in a TTY to pick from a list. Runs until ^C.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to serve (omit to pick interactively in a TTY)").action(withErrorHandling(async (target, options) => {
31280
31364
  await localStartAgentCoreCommand(target, options, opts.extraStateProviders);
31281
31365
  }));
31282
31366
  addStartAgentCoreSpecificOptions(cmd);
@@ -31296,7 +31380,7 @@ function createLocalStartAgentCoreCommand(opts = {}) {
31296
31380
  * `.addOption(...)` blocks. Chainable: returns `cmd`.
31297
31381
  */
31298
31382
  function addStartAgentCoreSpecificOptions(cmd) {
31299
- return cmd.addOption(new Option("--port <n>", "Bridge-server bind port the client (browser) connects to. Default 0 (OS-assigned).").default(0).argParser(parsePort)).addOption(new Option("--host <ip>", "Bridge-server bind host. Default 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--session-id <id>", "Pin one AgentCore runtime session id header value for every connection (default: a fresh random UUID per connection, so each client is its own session).")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime's OIDC discovery URL before the container starts, then injected as Authorization: Bearer <jwt> on the container /ws upgrade for every bridged connection.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64). Defaults to linux/arm64 because the cloud AgentCore Runtime requires arm64.").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host IP used to bind the agent container port. Must be a numeric IP. Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Maximum time in milliseconds to wait for the container to become ready (the GET /ping readiness deadline). Default 120000.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container. (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's literal RoleArn; (3) `--no-assume-role` opts out. Off by default.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack and substitute Ref / Fn::ImportValue in env vars / image URIs with the deployed physical IDs / exports. Bare form uses the resolved stack name.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
31383
+ return cmd.addOption(new Option("--port <n>", "Serve bind port the client connects to (HTTP contract + /ws on the same port). Default 0 (OS-assigned).").default(0).argParser(parsePort)).addOption(new Option("--host <ip>", "Serve bind host. Default 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--session-id <id>", "Pin one AgentCore runtime session id header value for every forwarded request / /ws connection (default: a fresh random UUID each, so each is its own session).")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime's OIDC discovery URL before the container starts, then injected as Authorization: Bearer <jwt> on every forwarded request and the container /ws upgrade.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64). Defaults to linux/arm64 because the cloud AgentCore Runtime requires arm64.").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host IP used to bind the agent container port. Must be a numeric IP. Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Maximum time in milliseconds to wait for the container to become ready (the GET /ping readiness deadline). Default 120000.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container. (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's literal RoleArn; (3) `--no-assume-role` opts out. Off by default.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack and substitute Ref / Fn::ImportValue in env vars / image URIs with the deployed physical IDs / exports. Bare form uses the resolved stack name.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
31300
31384
  }
31301
31385
 
31302
31386
  //#endregion
@@ -36848,5 +36932,5 @@ function addStudioSpecificOptions(cmd) {
36848
36932
  }
36849
36933
 
36850
36934
  //#endregion
36851
- export { edgeHeadersToHttp as $, verifyJwtViaDiscovery as $n, countTargets as $r, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as $t, startAgentCoreWsBridge as A, createLocalStartApiCommand as An, buildMessageEvent as Ar, addCommonEcsServiceOptions as At, resolveDeployedKvsArnByName as B, filterRoutesByApiIdentifier as Bn, substituteEnvVarsFromStateAsync as Br, ImageOverrideError as Bt, addListSpecificOptions as C, buildStsClientConfig as Ci, computeCodeImageTag as Cn, bufferToBody as Cr, resolveAlbFrontDoor as Ct, createLocalStartAgentCoreCommand as D, addInvokeSpecificOptions as Dn, parseConnectionsPath as Dr, addRunTaskSpecificOptions as Dt, addStartAgentCoreSpecificOptions as E, classifySourceChange as En, handleConnectionsRequest as Er, serviceStrategy as Et, parseOriginOverrides as F, attachStageContext as Fn, resolveRuntimeImage as Fr, parseMaxTasks as Ft, startCloudFrontServer as G, resolveSelectionExpression as Gn, resolveCfnFallbackRegion as Gr, resolveImageOverrides as Gt, classifyS3Error as H, groupRoutesByServer as Hn, createLocalStateProvider as Hr, enforceImageOverrideOrphans as Ht, resolveCloudFrontTarget as I, buildStageMap as In, EcsTaskResolutionError as Ir, parseRestartPolicy as It, serveLambdaUrlOrigin as J, buildCognitoJwksUrl as Jn, CfnLocalStateProvider as Jr, isLocalCdkAssetImage as Jt, resolveErrorResponseCandidates as K, resolveServiceIntegrationParameters as Kn, resolveCfnRegion as Kr, runImageOverrideBuilds as Kt, idFromArn as L, materializeLayerFromArn as Ln, substituteAgainstState as Lr, resolveEcsAssumeRoleOption as Lt, addStartCloudFrontSpecificOptions as M, resolveApiTargetSubset as Mn, buildContainerImage as Mr, addImageOverrideOptions as Mt, createLocalStartCloudFrontCommand as N, createAuthorizerCache as Nn, resolveRuntimeCodeMountPath as Nr, buildEcsImageResolutionContext$1 as Nt, startAgentCoreHttpServer as O, createLocalInvokeCommand as On, buildConnectEvent as Or, createLocalRunTaskCommand as Ot, parseKvsFileOverrides as P, createFileWatcher as Pn, resolveRuntimeFileExtension as Pr, ecsClusterOption as Pt, buildEdgeResponseEvent as Q, verifyJwtAuthorizer as Qn, resolveSingleTarget as Qr, DEFAULT_SHADOW_READY_TIMEOUT_MS as Qt, resolveKvsModulesForDistribution as R, resolveEnvVars$1 as Rn, substituteAgainstStateAsync as Rr, resolveSharedSidecarCredentials as Rt, StudioEventBus as S, LocalInvokeBuildError as Si, buildAgentCoreCodeImage as Sn, probeHostGatewaySupport as Sr, isApplicationLoadBalancer as St, formatTargetListing as T, toCmdArgv as Tn, buildMgmtEndpointEnvUrl as Tr, createLocalStartServiceCommand as Tt, createS3OriginReader as U, readMtlsMaterialsFromDisk as Un, isCfnFlagPresent as Ur, mergeForService as Ut, resolveDeployedOriginBucket as V, filterRoutesByApiIdentifiers as Vn, LocalStateSourceError as Vr, buildImageOverrideTag as Vt, matchBehavior as W, startApiServer as Wn, rejectExplicitCfnStackWithMultipleStacks as Wr, parseImageOverrideFlags as Wt, applyEdgeResponseResult as X, createJwksCache as Xn, resolveSsmParameters as Xr, buildCloudMapIndex as Xt, applyEdgeRequestResult as Y, buildJwksUrlFromIssuer as Yn, collectSsmParameterRefs as Yr, listPinnedTargets as Yt, buildEdgeRequestEvent as Z, verifyCognitoJwt as Zn, resolveWatchConfig as Zr, CloudMapRegistry as Zt, filterStudioTargetGroups as _, resolveAgentCoreTarget as _i, AGENTCORE_SESSION_ID_HEADER as _n, pickResponseTemplate as _r, addAlbSpecificOptions as _t, createLocalStudioCommand as a, parseSelectionExpressionPath as ai, bridgeAgentCoreWs as an, attachAuthorizers as ar, pickFunctionUrlLogicalIdFromOrigin as at, renderStudioHtml as b, substituteImagePlaceholders as bi, downloadAndExtractS3Bundle as bn, VtlEvaluationError as br, parseLbPortOverrides as bt, startStudioProxy as c, pickRefLogicalId as ci, A2A_PATH as cn, buildCorsConfigFromCloudFrontChain as cr, pickTargetFunctionLogicalId as ct, createStudioDispatcher as d, AGENTCORE_AGUI_PROTOCOL as di, MCP_PATH as dn, matchRoute as dr, runViewerRequest as dt, listTargets as ei, setShadowReadyTimeoutMs as en, buildMethodArn as er, httpHeadersToEdge as et, filterStudioCustomResources as f, AGENTCORE_HTTP_PROTOCOL as fi, MCP_PROTOCOL_VERSION as fn, translateLambdaResponse as fr, runViewerResponse as ft, annotatePinnedEcsTargets as g, pickAgentCoreCandidateStack as gi, signAgentCoreInvocation as gn, evaluateResponseParameters as gr, createUnboundCloudFrontModule as gt, annotateEcsTaskPinnedTargets as h, AgentCoreResolutionError as hi, AGENTCORE_SIGV4_SERVICE as hn, buildRestV1Event as hr, createLocalFileKvsDataSource as ht, coerceStopRequest as i, filterWebSocketApisByIdentifiers as ii, createLocalInvokeAgentCoreCommand as in, invokeTokenAuthorizer as ir, isCloudFrontDistribution as it, LocalStartCloudFrontError as j, createWatchPredicates as jn, architectureToPlatform as jr, addEcsAssumeRoleOptions as jt, attachAgentCoreWsBridge as k, addStartApiSpecificOptions as kn, buildDisconnectEvent as kr, MAX_TASKS_SUBNET_RANGE_CAP as kt, relayServeRequest as l, resolveLambdaArnIntrinsic as li, a2aInvokeOnce as ln, isFunctionUrlOacFronted as lr, resolveCloudFrontDistribution as lt, annotateAlbPinnedBackingServices as m, AGENTCORE_RUNTIME_TYPE as mi, parseSseForJsonRpc as mn, buildHttpApiV2Event as mr, createCloudFrontModule as mt, coerceRunRequest as n, discoverWebSocketApis as ni, attachContainerLogStreamer as nn, evaluateCachedLambdaPolicy as nr, describeS3OriginDomain as nt, resolveServeBaseUrl as o, webSocketApiMatchesIdentifier as oi, invokeAgentCoreWs as on, applyCorsResponseHeaders as or, pickKvsLogicalIdFromArn as ot, isCustomResourceLambdaTarget as p, AGENTCORE_MCP_PROTOCOL as pi, mcpInvokeOnce as pn, applyAuthorizerOverlay as pr, stripCloudFrontImport as pt, serveFromStaticOrigin as q, defaultCredentialsLoader as qn, resolveCfnStackName as qr, describePinnedImageUri as qt, coerceServeRequest as r, discoverWebSocketApisOrThrow as ri, addInvokeAgentCoreSpecificOptions as rn, invokeRequestAuthorizer as rr, extractKvsAssociations as rt, createStudioServeManager as s, discoverRoutes as si, A2A_CONTAINER_PORT as sn, buildCorsConfigByApiId as sr, pickLambdaEdgeFunctionLogicalId as st, addStudioSpecificOptions as t, availableWebSocketApiIdentifiers as ti, getContainerNetworkIp as tn, computeRequestIdentityHash as tr, CLOUDFRONT_DISTRIBUTION_TYPE as tt, reinvoke as u, AGENTCORE_A2A_PROTOCOL as ui, MCP_CONTAINER_PORT as un, matchPreflight as ur, compileCloudFrontFunction as ut, startStudioServer as v, derivePseudoParametersFromRegion as vi, invokeAgentCore as vn, selectIntegrationResponse as vr, albStrategy as vt, createLocalListCommand as w, resolveProfileCredentials as wi, renderCodeDockerfile as wn, ConnectionRegistry as wr, addStartServiceSpecificOptions as wt, createStudioStore as x, tryResolveImageFnJoin as xi, SUPPORTED_CODE_RUNTIMES as xn, HOST_GATEWAY_MIN_VERSION as xr, resolveAlbTarget as xt, toStudioTargetGroups as y, formatStateRemedy as yi, waitForAgentCorePing as yn, tryParseStatus as yr, createLocalStartAlbCommand as yt, createDeployedKvsDataSource as z, availableApiIdentifiers as zn, substituteEnvVarsFromState as zr, runEcsServiceEmulator as zt };
36852
- //# sourceMappingURL=local-studio-CdpdUbIA.js.map
36935
+ export { edgeHeadersToHttp as $, verifyJwtAuthorizer as $n, resolveSingleTarget as $r, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as $t, startAgentCoreWsBridge as A, addStartApiSpecificOptions as An, buildDisconnectEvent as Ar, addCommonEcsServiceOptions as At, resolveDeployedKvsArnByName as B, availableApiIdentifiers as Bn, substituteEnvVarsFromState as Br, ImageOverrideError as Bt, addListSpecificOptions as C, LocalInvokeBuildError as Ci, buildAgentCoreCodeImage as Cn, probeHostGatewaySupport as Cr, resolveAlbFrontDoor as Ct, createLocalStartAgentCoreCommand as D, classifySourceChange as Dn, handleConnectionsRequest as Dr, addRunTaskSpecificOptions as Dt, addStartAgentCoreSpecificOptions as E, toCmdArgv as En, buildMgmtEndpointEnvUrl as Er, serviceStrategy as Et, parseOriginOverrides as F, createFileWatcher as Fn, resolveRuntimeFileExtension as Fr, parseMaxTasks as Ft, startCloudFrontServer as G, startApiServer as Gn, rejectExplicitCfnStackWithMultipleStacks as Gr, resolveImageOverrides as Gt, classifyS3Error as H, filterRoutesByApiIdentifiers as Hn, LocalStateSourceError as Hr, enforceImageOverrideOrphans as Ht, resolveCloudFrontTarget as I, attachStageContext as In, resolveRuntimeImage as Ir, parseRestartPolicy as It, serveLambdaUrlOrigin as J, defaultCredentialsLoader as Jn, resolveCfnStackName as Jr, isLocalCdkAssetImage as Jt, resolveErrorResponseCandidates as K, resolveSelectionExpression as Kn, resolveCfnFallbackRegion as Kr, runImageOverrideBuilds as Kt, idFromArn as L, buildStageMap as Ln, EcsTaskResolutionError as Lr, resolveEcsAssumeRoleOption as Lt, addStartCloudFrontSpecificOptions as M, createWatchPredicates as Mn, architectureToPlatform as Mr, addImageOverrideOptions as Mt, createLocalStartCloudFrontCommand as N, resolveApiTargetSubset as Nn, buildContainerImage as Nr, buildEcsImageResolutionContext$1 as Nt, startAgentCoreHttpServer as O, addInvokeSpecificOptions as On, parseConnectionsPath as Or, createLocalRunTaskCommand as Ot, parseKvsFileOverrides as P, createAuthorizerCache as Pn, resolveRuntimeCodeMountPath as Pr, ecsClusterOption as Pt, buildEdgeResponseEvent as Q, verifyCognitoJwt as Qn, resolveWatchConfig as Qr, DEFAULT_SHADOW_READY_TIMEOUT_MS as Qt, resolveKvsModulesForDistribution as R, materializeLayerFromArn as Rn, substituteAgainstState as Rr, resolveSharedSidecarCredentials as Rt, StudioEventBus as S, tryResolveImageFnJoin as Si, SUPPORTED_CODE_RUNTIMES as Sn, HOST_GATEWAY_MIN_VERSION as Sr, isApplicationLoadBalancer as St, formatTargetListing as T, resolveProfileCredentials as Ti, renderCodeDockerfile as Tn, ConnectionRegistry as Tr, createLocalStartServiceCommand as Tt, createS3OriginReader as U, groupRoutesByServer as Un, createLocalStateProvider as Ur, mergeForService as Ut, resolveDeployedOriginBucket as V, filterRoutesByApiIdentifier as Vn, substituteEnvVarsFromStateAsync as Vr, buildImageOverrideTag as Vt, matchBehavior as W, readMtlsMaterialsFromDisk as Wn, isCfnFlagPresent as Wr, parseImageOverrideFlags as Wt, applyEdgeResponseResult as X, buildJwksUrlFromIssuer as Xn, collectSsmParameterRefs as Xr, buildCloudMapIndex as Xt, applyEdgeRequestResult as Y, buildCognitoJwksUrl as Yn, CfnLocalStateProvider as Yr, listPinnedTargets as Yt, buildEdgeRequestEvent as Z, createJwksCache as Zn, resolveSsmParameters as Zr, CloudMapRegistry as Zt, filterStudioTargetGroups as _, pickAgentCoreCandidateStack as _i, AGENTCORE_SESSION_ID_HEADER as _n, evaluateResponseParameters as _r, addAlbSpecificOptions as _t, createLocalStudioCommand as a, filterWebSocketApisByIdentifiers as ai, bridgeAgentCoreWs as an, invokeTokenAuthorizer as ar, pickFunctionUrlLogicalIdFromOrigin as at, renderStudioHtml as b, formatStateRemedy as bi, waitForAgentCorePing as bn, tryParseStatus as br, parseLbPortOverrides as bt, startStudioProxy as c, discoverRoutes as ci, A2A_PATH as cn, buildCorsConfigByApiId as cr, pickTargetFunctionLogicalId as ct, createStudioDispatcher as d, AGENTCORE_A2A_PROTOCOL as di, MCP_PATH as dn, matchPreflight as dr, runViewerRequest as dt, countTargets as ei, setShadowReadyTimeoutMs as en, verifyJwtViaDiscovery as er, httpHeadersToEdge as et, filterStudioCustomResources as f, AGENTCORE_AGUI_PROTOCOL as fi, MCP_PROTOCOL_VERSION as fn, matchRoute as fr, runViewerResponse as ft, annotatePinnedEcsTargets as g, AgentCoreResolutionError as gi, signAgentCoreInvocation as gn, buildRestV1Event as gr, createUnboundCloudFrontModule as gt, annotateEcsTaskPinnedTargets as h, AGENTCORE_RUNTIME_TYPE as hi, AGENTCORE_SIGV4_SERVICE as hn, buildHttpApiV2Event as hr, createLocalFileKvsDataSource as ht, coerceStopRequest as i, discoverWebSocketApisOrThrow as ii, createLocalInvokeAgentCoreCommand as in, invokeRequestAuthorizer as ir, isCloudFrontDistribution as it, LocalStartCloudFrontError as j, createLocalStartApiCommand as jn, buildMessageEvent as jr, addEcsAssumeRoleOptions as jt, attachAgentCoreWsBridge as k, createLocalInvokeCommand as kn, buildConnectEvent as kr, MAX_TASKS_SUBNET_RANGE_CAP as kt, relayServeRequest as l, pickRefLogicalId as li, a2aInvokeOnce as ln, buildCorsConfigFromCloudFrontChain as lr, resolveCloudFrontDistribution as lt, annotateAlbPinnedBackingServices as m, AGENTCORE_MCP_PROTOCOL as mi, parseSseForJsonRpc as mn, applyAuthorizerOverlay as mr, createCloudFrontModule as mt, coerceRunRequest as n, availableWebSocketApiIdentifiers as ni, attachContainerLogStreamer as nn, computeRequestIdentityHash as nr, describeS3OriginDomain as nt, resolveServeBaseUrl as o, parseSelectionExpressionPath as oi, invokeAgentCoreWs as on, attachAuthorizers as or, pickKvsLogicalIdFromArn as ot, isCustomResourceLambdaTarget as p, AGENTCORE_HTTP_PROTOCOL as pi, mcpInvokeOnce as pn, translateLambdaResponse as pr, stripCloudFrontImport as pt, serveFromStaticOrigin as q, resolveServiceIntegrationParameters as qn, resolveCfnRegion as qr, describePinnedImageUri as qt, coerceServeRequest as r, discoverWebSocketApis as ri, addInvokeAgentCoreSpecificOptions as rn, evaluateCachedLambdaPolicy as rr, extractKvsAssociations as rt, createStudioServeManager as s, webSocketApiMatchesIdentifier as si, A2A_CONTAINER_PORT as sn, applyCorsResponseHeaders as sr, pickLambdaEdgeFunctionLogicalId as st, addStudioSpecificOptions as t, listTargets as ti, getContainerNetworkIp as tn, buildMethodArn as tr, CLOUDFRONT_DISTRIBUTION_TYPE as tt, reinvoke as u, resolveLambdaArnIntrinsic as ui, MCP_CONTAINER_PORT as un, isFunctionUrlOacFronted as ur, compileCloudFrontFunction as ut, startStudioServer as v, resolveAgentCoreTarget as vi, invokeAgentCore as vn, pickResponseTemplate as vr, albStrategy as vt, createLocalListCommand as w, buildStsClientConfig as wi, computeCodeImageTag as wn, bufferToBody as wr, addStartServiceSpecificOptions as wt, createStudioStore as x, substituteImagePlaceholders as xi, downloadAndExtractS3Bundle as xn, VtlEvaluationError as xr, resolveAlbTarget as xt, toStudioTargetGroups as y, derivePseudoParametersFromRegion as yi, waitForAgentCoreHttpReady as yn, selectIntegrationResponse as yr, createLocalStartAlbCommand as yt, createDeployedKvsDataSource as z, resolveEnvVars$1 as zn, substituteAgainstStateAsync as zr, runEcsServiceEmulator as zt };
36936
+ //# sourceMappingURL=local-studio-BqHODjfP.js.map