cdk-local 0.136.0 → 0.138.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/cli.js +2 -2
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/dist/internal.d.ts +2 -28
- package/dist/internal.d.ts.map +1 -1
- package/dist/internal.js +2 -2
- package/dist/{local-studio-oKKN1spV.d.ts → local-studio-CiKbBfUi.d.ts} +65 -3
- package/dist/local-studio-CiKbBfUi.d.ts.map +1 -0
- package/dist/{local-studio-BqHODjfP.js → local-studio-Cr0YdvCb.js} +301 -54
- package/dist/local-studio-Cr0YdvCb.js.map +1 -0
- package/package.json +1 -1
- package/dist/local-studio-BqHODjfP.js.map +0 -1
- package/dist/local-studio-oKKN1spV.d.ts.map +0 -1
|
@@ -3448,10 +3448,14 @@ function scanByType(stacks, type) {
|
|
|
3448
3448
|
/**
|
|
3449
3449
|
* Enumerate `AWS::BedrockAgentCore::Runtime` targets, marking each with
|
|
3450
3450
|
* {@link TargetEntry.agentCoreHasWs} — true for HTTP / AGUI runtimes (which
|
|
3451
|
-
* expose a `/ws` WebSocket endpoint), false for MCP / A2A (which do not)
|
|
3452
|
-
*
|
|
3453
|
-
*
|
|
3454
|
-
*
|
|
3451
|
+
* expose a `/ws` WebSocket endpoint), false for MCP / A2A (which do not) — and
|
|
3452
|
+
* {@link TargetEntry.agentCoreContractPath}, the POST path the runtime's
|
|
3453
|
+
* protocol contract is served on (`/invocations` / `/mcp` / `/`). `cdkl
|
|
3454
|
+
* start-agentcore` serves every protocol (issue #454), so the studio serve
|
|
3455
|
+
* group lists every runtime; the `hasWs` marker decides only whether to render
|
|
3456
|
+
* the WebSocket console too, and the contract path seeds the HTTP composer. The
|
|
3457
|
+
* protocol is read the same way the resolver reads it
|
|
3458
|
+
* (`Properties.ProtocolConfiguration`, default HTTP).
|
|
3455
3459
|
*/
|
|
3456
3460
|
function scanAgentCoreRuntimes(stacks) {
|
|
3457
3461
|
const entries = [];
|
|
@@ -3462,6 +3466,7 @@ function scanAgentCoreRuntimes(stacks) {
|
|
|
3462
3466
|
const entry = makeEntry(stack.stackName, logicalId, readCdkPathOrUndefined(resource));
|
|
3463
3467
|
const protocol = resource.Properties?.["ProtocolConfiguration"];
|
|
3464
3468
|
entry.agentCoreHasWs = protocol !== "MCP" && protocol !== "A2A";
|
|
3469
|
+
entry.agentCoreContractPath = protocol === "MCP" ? "/mcp" : protocol === "A2A" ? "/" : "/invocations";
|
|
3465
3470
|
entries.push(entry);
|
|
3466
3471
|
}
|
|
3467
3472
|
}
|
|
@@ -19481,6 +19486,33 @@ async function resolveInboundAuthorization(resolved, options) {
|
|
|
19481
19486
|
return header;
|
|
19482
19487
|
}
|
|
19483
19488
|
/**
|
|
19489
|
+
* Resolve the boot-time SigV4 signing context (`{ credentials, region }`) when
|
|
19490
|
+
* `--sigv4` is requested, or `undefined` when it is not applicable (`--sigv4`
|
|
19491
|
+
* off, or a `customJwtAuthorizer` is declared — the JWT path wins, warns).
|
|
19492
|
+
* Throws a {@link CdkLocalError} on a `--bearer-token` conflict, an unresolved
|
|
19493
|
+
* region, or no resolvable credentials.
|
|
19494
|
+
*
|
|
19495
|
+
* Extracted from {@link buildSigV4HeadersIfRequested} so both the single-shot
|
|
19496
|
+
* `cdkl invoke-agentcore` (signs ONE body) and the warm `cdkl start-agentcore`
|
|
19497
|
+
* serve (signs each forwarded body per request — issue #454) resolve the
|
|
19498
|
+
* credentials + region the SAME way. Exported so the serve boot + a unit test
|
|
19499
|
+
* can reuse it.
|
|
19500
|
+
*/
|
|
19501
|
+
async function resolveAgentCoreSigV4Context(options, resolved, loaded, stateProvider) {
|
|
19502
|
+
if (!options.sigv4) return void 0;
|
|
19503
|
+
if (options.bearerToken) throw new CdkLocalError(`--sigv4 and --bearer-token are mutually exclusive: pick one inbound auth.`, "LOCAL_INVOKE_AGENTCORE_AUTH_CONFLICT");
|
|
19504
|
+
if (resolved.jwtAuthorizer) {
|
|
19505
|
+
getLogger().warn(`Runtime '${resolved.logicalId}' declares a customJwtAuthorizer; --sigv4 ignored (JWT path takes precedence).`);
|
|
19506
|
+
return;
|
|
19507
|
+
}
|
|
19508
|
+
const region = options.region ?? options.stackRegion ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? resolved.stack.region;
|
|
19509
|
+
if (!region) throw new CdkLocalError("--sigv4: no region resolved for the AgentCore signing scope. Pass --region <region>, set AWS_REGION, or use --from-cfn-stack with a region-bound stack.", "LOCAL_INVOKE_AGENTCORE_SIGV4_NO_REGION");
|
|
19510
|
+
return {
|
|
19511
|
+
credentials: await resolveHostCredentialsForSigV4(options, resolved, loaded, region, stateProvider),
|
|
19512
|
+
region
|
|
19513
|
+
};
|
|
19514
|
+
}
|
|
19515
|
+
/**
|
|
19484
19516
|
* Compute the SigV4 headers for the `/invocations` POST when `--sigv4` is
|
|
19485
19517
|
* requested. Returns `undefined` (no header overlay) when:
|
|
19486
19518
|
*
|
|
@@ -19493,17 +19525,11 @@ async function resolveInboundAuthorization(resolved, options) {
|
|
|
19493
19525
|
* Exported so a unit test can drive the gate without the full Docker pipeline.
|
|
19494
19526
|
*/
|
|
19495
19527
|
async function buildSigV4HeadersIfRequested(options, resolved, loaded, host, port, event, sessionId, stateProvider) {
|
|
19496
|
-
|
|
19497
|
-
if (
|
|
19498
|
-
if (resolved.jwtAuthorizer) {
|
|
19499
|
-
getLogger().warn(`Runtime '${resolved.logicalId}' declares a customJwtAuthorizer; --sigv4 ignored (JWT path takes precedence).`);
|
|
19500
|
-
return;
|
|
19501
|
-
}
|
|
19502
|
-
const region = options.region ?? options.stackRegion ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? resolved.stack.region;
|
|
19503
|
-
if (!region) throw new CdkLocalError("--sigv4: no region resolved for the AgentCore signing scope. Pass --region <region>, set AWS_REGION, or use --from-cfn-stack with a region-bound stack.", "LOCAL_INVOKE_AGENTCORE_SIGV4_NO_REGION");
|
|
19528
|
+
const ctx = await resolveAgentCoreSigV4Context(options, resolved, loaded, stateProvider);
|
|
19529
|
+
if (!ctx) return void 0;
|
|
19504
19530
|
const signed = await signAgentCoreInvocation({
|
|
19505
|
-
credentials:
|
|
19506
|
-
region,
|
|
19531
|
+
credentials: ctx.credentials,
|
|
19532
|
+
region: ctx.region,
|
|
19507
19533
|
host,
|
|
19508
19534
|
port,
|
|
19509
19535
|
path: "/invocations",
|
|
@@ -19516,7 +19542,7 @@ async function buildSigV4HeadersIfRequested(options, resolved, loaded, host, por
|
|
|
19516
19542
|
"X-Amz-Content-Sha256": signed.amzContentSha256
|
|
19517
19543
|
};
|
|
19518
19544
|
if (signed.amzSecurityToken) headers["X-Amz-Security-Token"] = signed.amzSecurityToken;
|
|
19519
|
-
getLogger().info(`Signed /invocations with SigV4 (region=${region}).`);
|
|
19545
|
+
getLogger().info(`Signed /invocations with SigV4 (region=${ctx.region}).`);
|
|
19520
19546
|
return headers;
|
|
19521
19547
|
}
|
|
19522
19548
|
/**
|
|
@@ -31060,23 +31086,13 @@ const DEFAULT_ROUTES = [{
|
|
|
31060
31086
|
path: "/ping"
|
|
31061
31087
|
}];
|
|
31062
31088
|
/**
|
|
31063
|
-
*
|
|
31064
|
-
*
|
|
31065
|
-
*
|
|
31066
|
-
*
|
|
31089
|
+
* Wire an upstream (container-leg) request's response back to the inbound
|
|
31090
|
+
* client, piping the body so an SSE (`text/event-stream`) stream stays
|
|
31091
|
+
* incremental, and mapping an upstream error to a `502`. Shared by the
|
|
31092
|
+
* streaming and buffered (`--sigv4`) proxy paths.
|
|
31067
31093
|
*/
|
|
31068
|
-
function
|
|
31069
|
-
|
|
31070
|
-
delete headers["host"];
|
|
31071
|
-
headers[AGENTCORE_SESSION_ID_HEADER] = config.sessionId ?? randomUUID();
|
|
31072
|
-
if (config.authorization) headers["authorization"] = config.authorization;
|
|
31073
|
-
const upstream = request({
|
|
31074
|
-
host: config.containerHost,
|
|
31075
|
-
port: config.containerPort,
|
|
31076
|
-
path: upstreamPath,
|
|
31077
|
-
method: clientReq.method,
|
|
31078
|
-
headers
|
|
31079
|
-
}, (upRes) => {
|
|
31094
|
+
function wireUpstreamResponse(upstream, clientRes) {
|
|
31095
|
+
upstream.on("response", (upRes) => {
|
|
31080
31096
|
clientRes.writeHead(upRes.statusCode ?? 502, upRes.headers);
|
|
31081
31097
|
upRes.on("error", () => clientRes.destroy());
|
|
31082
31098
|
upRes.pipe(clientRes);
|
|
@@ -31086,6 +31102,79 @@ function proxyToContainer(clientReq, clientRes, config, upstreamPath) {
|
|
|
31086
31102
|
if (!clientRes.headersSent) clientRes.writeHead(502, { "content-type": "application/json" });
|
|
31087
31103
|
clientRes.end(JSON.stringify({ error: `upstream error: ${err.message}` }));
|
|
31088
31104
|
});
|
|
31105
|
+
}
|
|
31106
|
+
/**
|
|
31107
|
+
* Proxy one inbound HTTP request to the warm container, injecting the
|
|
31108
|
+
* session-id + Authorization (+ any per-request / signed) headers, and stream
|
|
31109
|
+
* the response back. Used for both `GET /ping` and `POST /invocations`; piping
|
|
31110
|
+
* the response preserves an SSE (`text/event-stream`) stream.
|
|
31111
|
+
*
|
|
31112
|
+
* `perRequest.authorization` overrides {@link AgentCoreHttpServerConfig.authorization}
|
|
31113
|
+
* with the value the per-request inbound-JWT gate verified / injected (issue
|
|
31114
|
+
* #454). When {@link AgentCoreHttpServerConfig.signRequest} is set and this is a
|
|
31115
|
+
* `POST`, the body is buffered, signed (SigV4), and forwarded — signing needs
|
|
31116
|
+
* the whole body, so the streaming fast-path is bypassed for that case only.
|
|
31117
|
+
*/
|
|
31118
|
+
function proxyToContainer(clientReq, clientRes, config, upstreamPath, perRequest) {
|
|
31119
|
+
const sessionId = config.sessionId ?? randomUUID();
|
|
31120
|
+
const headers = { ...clientReq.headers };
|
|
31121
|
+
delete headers["host"];
|
|
31122
|
+
headers[AGENTCORE_SESSION_ID_HEADER] = sessionId;
|
|
31123
|
+
const authorization = perRequest?.authorization ?? config.authorization;
|
|
31124
|
+
if (authorization) headers["authorization"] = authorization;
|
|
31125
|
+
if (config.signRequest && clientReq.method === "POST") {
|
|
31126
|
+
const signRequest = config.signRequest;
|
|
31127
|
+
const chunks = [];
|
|
31128
|
+
clientReq.on("data", (c) => chunks.push(c));
|
|
31129
|
+
clientReq.on("error", (err) => {
|
|
31130
|
+
getLogger().debug(`agentcore http serve client error: ${err.message}`);
|
|
31131
|
+
if (!clientRes.headersSent) {
|
|
31132
|
+
clientRes.writeHead(400, { "content-type": "application/json" });
|
|
31133
|
+
clientRes.end(JSON.stringify({ error: `client error: ${err.message}` }));
|
|
31134
|
+
}
|
|
31135
|
+
});
|
|
31136
|
+
clientReq.on("end", () => {
|
|
31137
|
+
const body = Buffer.concat(chunks);
|
|
31138
|
+
signRequest({
|
|
31139
|
+
method: "POST",
|
|
31140
|
+
path: upstreamPath,
|
|
31141
|
+
body,
|
|
31142
|
+
sessionId
|
|
31143
|
+
}).then((signed) => {
|
|
31144
|
+
const signedHeaders = {
|
|
31145
|
+
...headers,
|
|
31146
|
+
...signed
|
|
31147
|
+
};
|
|
31148
|
+
delete signedHeaders["transfer-encoding"];
|
|
31149
|
+
signedHeaders["content-length"] = String(body.length);
|
|
31150
|
+
const upstream = request({
|
|
31151
|
+
host: config.containerHost,
|
|
31152
|
+
port: config.containerPort,
|
|
31153
|
+
path: upstreamPath,
|
|
31154
|
+
method: "POST",
|
|
31155
|
+
headers: signedHeaders
|
|
31156
|
+
});
|
|
31157
|
+
wireUpstreamResponse(upstream, clientRes);
|
|
31158
|
+
upstream.end(body);
|
|
31159
|
+
}).catch((err) => {
|
|
31160
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
31161
|
+
getLogger().debug(`agentcore http serve sigv4 sign error: ${msg}`);
|
|
31162
|
+
if (!clientRes.headersSent) {
|
|
31163
|
+
clientRes.writeHead(500, { "content-type": "application/json" });
|
|
31164
|
+
clientRes.end(JSON.stringify({ error: `sigv4 signing failed: ${msg}` }));
|
|
31165
|
+
}
|
|
31166
|
+
});
|
|
31167
|
+
});
|
|
31168
|
+
return;
|
|
31169
|
+
}
|
|
31170
|
+
const upstream = request({
|
|
31171
|
+
host: config.containerHost,
|
|
31172
|
+
port: config.containerPort,
|
|
31173
|
+
path: upstreamPath,
|
|
31174
|
+
method: clientReq.method,
|
|
31175
|
+
headers
|
|
31176
|
+
});
|
|
31177
|
+
wireUpstreamResponse(upstream, clientRes);
|
|
31089
31178
|
clientReq.on("error", (err) => {
|
|
31090
31179
|
getLogger().debug(`agentcore http serve client error: ${err.message}`);
|
|
31091
31180
|
upstream.destroy();
|
|
@@ -31105,12 +31194,36 @@ function startAgentCoreHttpServer(config) {
|
|
|
31105
31194
|
const httpServer = createServer$1((req, res) => {
|
|
31106
31195
|
const path = (req.url ?? "/").split("?")[0];
|
|
31107
31196
|
const match = routes.find((r) => r.method === req.method && r.path === path);
|
|
31108
|
-
if (match)
|
|
31109
|
-
|
|
31110
|
-
|
|
31111
|
-
|
|
31112
|
-
|
|
31113
|
-
|
|
31197
|
+
if (!match) {
|
|
31198
|
+
res.writeHead(404, { "content-type": "application/json" });
|
|
31199
|
+
res.end(JSON.stringify({
|
|
31200
|
+
error: "not found",
|
|
31201
|
+
hint: notFoundHint
|
|
31202
|
+
}));
|
|
31203
|
+
return;
|
|
31204
|
+
}
|
|
31205
|
+
if (config.authCheck && req.method === "POST") {
|
|
31206
|
+
req.on("error", (err) => getLogger().debug(`agentcore http serve client error (auth gate): ${err.message}`));
|
|
31207
|
+
config.authCheck(req.headers).then((result) => {
|
|
31208
|
+
if (!result.allow) {
|
|
31209
|
+
req.resume();
|
|
31210
|
+
res.writeHead(result.status ?? 403, { "content-type": "application/json" });
|
|
31211
|
+
res.end(JSON.stringify({ error: result.message ?? "forbidden" }));
|
|
31212
|
+
return;
|
|
31213
|
+
}
|
|
31214
|
+
proxyToContainer(req, res, config, match.path, { ...result.authorization && { authorization: result.authorization } });
|
|
31215
|
+
}).catch((err) => {
|
|
31216
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
31217
|
+
getLogger().debug(`agentcore http serve auth-check error: ${msg}`);
|
|
31218
|
+
req.resume();
|
|
31219
|
+
if (!res.headersSent) {
|
|
31220
|
+
res.writeHead(500, { "content-type": "application/json" });
|
|
31221
|
+
res.end(JSON.stringify({ error: `auth check failed: ${msg}` }));
|
|
31222
|
+
}
|
|
31223
|
+
});
|
|
31224
|
+
return;
|
|
31225
|
+
}
|
|
31226
|
+
proxyToContainer(req, res, config, match.path);
|
|
31114
31227
|
});
|
|
31115
31228
|
const bridge = attachWs ? attachAgentCoreWsBridge(httpServer, {
|
|
31116
31229
|
containerHost: config.containerHost,
|
|
@@ -31147,6 +31260,90 @@ function buildNotFoundHint(routes, attachWs) {
|
|
|
31147
31260
|
return attachWs ? `${base} (WebSocket: connect to /ws)` : base;
|
|
31148
31261
|
}
|
|
31149
31262
|
|
|
31263
|
+
//#endregion
|
|
31264
|
+
//#region src/local/agentcore-serve-auth.ts
|
|
31265
|
+
/**
|
|
31266
|
+
* Build the per-request inbound-JWT gate for `cdkl start-agentcore`. The cloud
|
|
31267
|
+
* AgentCore Runtime verifies the CALLER's token against the
|
|
31268
|
+
* `customJwtAuthorizer` on every `InvokeAgentRuntime`; the warm local serve
|
|
31269
|
+
* mirrors that here — unlike the single-shot `cdkl invoke-agentcore`, which
|
|
31270
|
+
* verifies the `--bearer-token` ONCE at boot. This is the serve counterpart of
|
|
31271
|
+
* `front-door-auth`'s `buildAuthCheck` for the ALB (issue #454).
|
|
31272
|
+
*
|
|
31273
|
+
* Semantics (matching the cloud + `resolveInboundAuthorization`):
|
|
31274
|
+
* - `--no-verify-auth` → always allow; forward `--bearer-token` if given.
|
|
31275
|
+
* - inbound `Authorization` present → verify it; absent → fall back to the
|
|
31276
|
+
* injected `--bearer-token`; neither → 401.
|
|
31277
|
+
* - verify failure → 403. An unreachable / malformed discovery URL falls back
|
|
31278
|
+
* to pass-through accept (offline-dev fallback in {@link verifyJwtViaDiscovery}).
|
|
31279
|
+
*
|
|
31280
|
+
* Exported so a unit test can drive the gate (and a host CLI can reuse it)
|
|
31281
|
+
* without the Docker pipeline.
|
|
31282
|
+
*/
|
|
31283
|
+
function buildAgentCoreServeAuthCheck(authorizer, opts = {}) {
|
|
31284
|
+
const injectedBearer = opts.bearerToken ? `Bearer ${opts.bearerToken}` : void 0;
|
|
31285
|
+
if (opts.noVerifyAuth === true) return async () => ({
|
|
31286
|
+
allow: true,
|
|
31287
|
+
...injectedBearer && { authorization: injectedBearer }
|
|
31288
|
+
});
|
|
31289
|
+
const jwksCache = opts.jwksCache ?? createJwksCache();
|
|
31290
|
+
const warnedAt = opts.warnedAt ?? /* @__PURE__ */ new Map();
|
|
31291
|
+
return async (headers) => {
|
|
31292
|
+
const header = readAuthorizationHeader(headers) ?? injectedBearer;
|
|
31293
|
+
if (!header) return {
|
|
31294
|
+
allow: false,
|
|
31295
|
+
status: 401,
|
|
31296
|
+
message: "Missing Authorization: this runtime declares a customJwtAuthorizer. Send a Bearer JWT, or start the serve with --bearer-token / --no-verify-auth."
|
|
31297
|
+
};
|
|
31298
|
+
if (!(await verifyJwtViaDiscovery({
|
|
31299
|
+
discoveryUrl: authorizer.discoveryUrl,
|
|
31300
|
+
...authorizer.allowedAudience && { allowedAudience: authorizer.allowedAudience },
|
|
31301
|
+
...authorizer.allowedClients && { allowedClients: authorizer.allowedClients },
|
|
31302
|
+
...authorizer.allowedScopes && { allowedScopes: authorizer.allowedScopes },
|
|
31303
|
+
...authorizer.customClaims && { customClaims: authorizer.customClaims }
|
|
31304
|
+
}, header, jwksCache, { warnedAt })).allow) return {
|
|
31305
|
+
allow: false,
|
|
31306
|
+
status: 403,
|
|
31307
|
+
message: `Forbidden: the inbound JWT was rejected by the runtime's customJwtAuthorizer (signature / issuer / expiry / audience / scope check failed against ${authorizer.discoveryUrl}).`
|
|
31308
|
+
};
|
|
31309
|
+
return {
|
|
31310
|
+
allow: true,
|
|
31311
|
+
authorization: header
|
|
31312
|
+
};
|
|
31313
|
+
};
|
|
31314
|
+
}
|
|
31315
|
+
/**
|
|
31316
|
+
* Pick the warm serve's inbound-auth wiring for a runtime shape (issue #454).
|
|
31317
|
+
* Pure (no Docker / network) so the boot's mutually-exclusive selection —
|
|
31318
|
+
* per-request JWT gate vs `--sigv4` signing vs static `--bearer-token`
|
|
31319
|
+
* pass-through — is unit-testable. `sigv4Active` is whether
|
|
31320
|
+
* `resolveAgentCoreSigV4Context` resolved a signing context (it returns
|
|
31321
|
+
* undefined when `--sigv4` is off OR a customJwtAuthorizer is declared, so the
|
|
31322
|
+
* authorizer arm always wins). `buildAuthCheck` is injectable for tests.
|
|
31323
|
+
*/
|
|
31324
|
+
function selectServeInboundAuth(resolved, options, sigv4Active, buildAuthCheck = buildAgentCoreServeAuthCheck) {
|
|
31325
|
+
const bearerHeader = options.bearerToken ? `Bearer ${options.bearerToken}` : void 0;
|
|
31326
|
+
if (resolved.jwtAuthorizer) return {
|
|
31327
|
+
authCheck: buildAuthCheck(resolved.jwtAuthorizer, {
|
|
31328
|
+
...options.verifyAuth === false && { noVerifyAuth: true },
|
|
31329
|
+
...options.bearerToken && { bearerToken: options.bearerToken }
|
|
31330
|
+
}),
|
|
31331
|
+
...bearerHeader && { bridgeAuthorization: bearerHeader },
|
|
31332
|
+
sign: false
|
|
31333
|
+
};
|
|
31334
|
+
if (sigv4Active) return { sign: true };
|
|
31335
|
+
return {
|
|
31336
|
+
...bearerHeader && { bridgeAuthorization: bearerHeader },
|
|
31337
|
+
sign: false
|
|
31338
|
+
};
|
|
31339
|
+
}
|
|
31340
|
+
/** Read a single `Authorization` header value (first when duplicated, undefined when empty). */
|
|
31341
|
+
function readAuthorizationHeader(headers) {
|
|
31342
|
+
const raw = headers["authorization"];
|
|
31343
|
+
const v = Array.isArray(raw) ? raw[0] : raw;
|
|
31344
|
+
return typeof v === "string" && v.length > 0 ? v : void 0;
|
|
31345
|
+
}
|
|
31346
|
+
|
|
31150
31347
|
//#endregion
|
|
31151
31348
|
//#region src/cli/commands/local-start-agentcore.ts
|
|
31152
31349
|
/**
|
|
@@ -31290,7 +31487,9 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
|
|
|
31290
31487
|
const resolved = resolveAgentCoreTarget(resolvedTarget, stacks, imageContext);
|
|
31291
31488
|
logger.info(`Target: ${resolved.stack.stackName}/${resolved.logicalId} (${resolved.protocol})`);
|
|
31292
31489
|
const plan = resolveAgentCoreServePlan(resolved.protocol);
|
|
31293
|
-
const
|
|
31490
|
+
const sigv4Context = await resolveAgentCoreSigV4Context(options, resolved, loadedState, stateProvider);
|
|
31491
|
+
const authPlan = selectServeInboundAuth(resolved, options, sigv4Context !== void 0);
|
|
31492
|
+
if (authPlan.authCheck && resolved.jwtAuthorizer) logger.info(`Inbound JWT: each request verified per-request against ${resolved.jwtAuthorizer.discoveryUrl}${options.verifyAuth === false ? " (verification DISABLED via --no-verify-auth)" : ""}.`);
|
|
31294
31493
|
await resolveFromS3BucketIntrinsic(resolved, stateProvider, loadedState, imageContext);
|
|
31295
31494
|
const image = await resolveAgentCoreImage(resolved, options, loadedState, stateProvider);
|
|
31296
31495
|
const { env: dockerEnv, sensitiveEnvKeys } = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, stateProvider, loadedState, imageContext);
|
|
@@ -31323,6 +31522,25 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
|
|
|
31323
31522
|
try {
|
|
31324
31523
|
if (plan.readyPath === void 0) await waitForAgentCorePing(containerHost, containerHostPort, options.timeout);
|
|
31325
31524
|
else await waitForAgentCoreHttpReady(containerHost, containerHostPort, plan.readyPath, options.timeout);
|
|
31525
|
+
const signRequest = authPlan.sign && sigv4Context ? async ({ method, path, body, sessionId }) => {
|
|
31526
|
+
const signed = await signAgentCoreInvocation({
|
|
31527
|
+
credentials: sigv4Context.credentials,
|
|
31528
|
+
region: sigv4Context.region,
|
|
31529
|
+
host: containerHost,
|
|
31530
|
+
port: containerHostPort,
|
|
31531
|
+
path,
|
|
31532
|
+
body,
|
|
31533
|
+
sessionId,
|
|
31534
|
+
method
|
|
31535
|
+
});
|
|
31536
|
+
const h = {
|
|
31537
|
+
Authorization: signed.authorization,
|
|
31538
|
+
"X-Amz-Date": signed.amzDate,
|
|
31539
|
+
"X-Amz-Content-Sha256": signed.amzContentSha256
|
|
31540
|
+
};
|
|
31541
|
+
if (signed.amzSecurityToken) h["X-Amz-Security-Token"] = signed.amzSecurityToken;
|
|
31542
|
+
return h;
|
|
31543
|
+
} : void 0;
|
|
31326
31544
|
server = await startAgentCoreHttpServer({
|
|
31327
31545
|
containerHost,
|
|
31328
31546
|
containerPort: containerHostPort,
|
|
@@ -31330,7 +31548,9 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
|
|
|
31330
31548
|
port: options.port,
|
|
31331
31549
|
routes: plan.routes,
|
|
31332
31550
|
attachWs: plan.attachWs,
|
|
31333
|
-
...
|
|
31551
|
+
...authPlan.bridgeAuthorization && { authorization: authPlan.bridgeAuthorization },
|
|
31552
|
+
...authPlan.authCheck && { authCheck: authPlan.authCheck },
|
|
31553
|
+
...signRequest && { signRequest },
|
|
31334
31554
|
...options.sessionId && { sessionId: options.sessionId }
|
|
31335
31555
|
});
|
|
31336
31556
|
} catch (err) {
|
|
@@ -31380,7 +31600,7 @@ function createLocalStartAgentCoreCommand(opts = {}) {
|
|
|
31380
31600
|
* `.addOption(...)` blocks. Chainable: returns `cmd`.
|
|
31381
31601
|
*/
|
|
31382
31602
|
function addStartAgentCoreSpecificOptions(cmd) {
|
|
31383
|
-
return cmd.addOption(new Option("--port <n>", "Serve bind port the client connects to (HTTP contract + /ws on the same port). Default 0 (OS-assigned).").default(0).argParser(parsePort)).addOption(new Option("--host <ip>", "Serve bind host. Default 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--session-id <id>", "Pin one AgentCore runtime session id header value for every forwarded request / /ws connection (default: a fresh random UUID each, so each is its own session).")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime's OIDC discovery URL before the container starts, then injected as Authorization: Bearer <jwt> on every forwarded request and the container /ws upgrade.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64). Defaults to linux/arm64 because the cloud AgentCore Runtime requires arm64.").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host IP used to bind the agent container port. Must be a numeric IP. Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Maximum time in milliseconds to wait for the container to become ready (the GET /ping readiness deadline). Default 120000.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container. (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's literal RoleArn; (3) `--no-assume-role` opts out. Off by default.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack and substitute Ref / Fn::ImportValue in env vars / image URIs with the deployed physical IDs / exports. Bare form uses the resolved stack name.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
|
|
31603
|
+
return cmd.addOption(new Option("--port <n>", "Serve bind port the client connects to (HTTP contract + /ws on the same port). Default 0 (OS-assigned).").default(0).argParser(parsePort)).addOption(new Option("--host <ip>", "Serve bind host. Default 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--session-id <id>", "Pin one AgentCore runtime session id header value for every forwarded request / /ws connection (default: a fresh random UUID each, so each is its own session).")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime's OIDC discovery URL before the container starts, then injected as Authorization: Bearer <jwt> on every forwarded request and the container /ws upgrade.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--sigv4", "Sign each forwarded request with AWS SigV4 (service bedrock-agentcore) when the runtime declares NO customJwtAuthorizer, so the warm container sees the same Authorization / X-Amz-* headers the cloud receives. Mutually exclusive with --bearer-token; ignored (with a warning) when a customJwtAuthorizer is declared.")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64). Defaults to linux/arm64 because the cloud AgentCore Runtime requires arm64.").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host IP used to bind the agent container port. Must be a numeric IP. Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Maximum time in milliseconds to wait for the container to become ready (the GET /ping readiness deadline). Default 120000.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container. (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's literal RoleArn; (3) `--no-assume-role` opts out. Off by default.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack and substitute Ref / Fn::ImportValue in env vars / image URIs with the deployed physical IDs / exports. Bare form uses the resolved stack name.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
|
|
31384
31604
|
}
|
|
31385
31605
|
|
|
31386
31606
|
//#endregion
|
|
@@ -32398,8 +32618,8 @@ const STUDIO_CSS = `
|
|
|
32398
32618
|
font: 12px ui-monospace, Menlo, monospace; }
|
|
32399
32619
|
`;
|
|
32400
32620
|
const STUDIO_SCRIPT = `
|
|
32401
|
-
const KIND_LABEL = { lambda: 'Lambda', api: 'API', alb: 'ALB', ecs: 'ECS Service', 'ecs-task': 'ECS Task', cloudfront: 'CloudFront', agentcore: 'AgentCore', 'agentcore-ws': 'AgentCore
|
|
32402
|
-
const SERVE_KINDS = ['api', 'alb', 'ecs', 'ecs-task', 'cloudfront', 'agentcore-ws']; // long-running serve targets (ecs-task = run-task; agentcore-ws = start-agentcore
|
|
32621
|
+
const KIND_LABEL = { lambda: 'Lambda', api: 'API', alb: 'ALB', ecs: 'ECS Service', 'ecs-task': 'ECS Task', cloudfront: 'CloudFront', agentcore: 'AgentCore', 'agentcore-ws': 'AgentCore serve' };
|
|
32622
|
+
const SERVE_KINDS = ['api', 'alb', 'ecs', 'ecs-task', 'cloudfront', 'agentcore-ws']; // long-running serve targets (ecs-task = run-task; agentcore-ws = start-agentcore warm serve)
|
|
32403
32623
|
const INVOKE_KINDS = ['lambda', 'agentcore']; // single-shot invoke targets (event composer)
|
|
32404
32624
|
const rowsById = new Map(); // invocationId -> timeline row element
|
|
32405
32625
|
const invById = new Map(); // invocationId -> latest invocation event
|
|
@@ -32940,6 +33160,8 @@ const STUDIO_SCRIPT = `
|
|
|
32940
33160
|
kind: group.kind,
|
|
32941
33161
|
pinned: entry.pinned === true,
|
|
32942
33162
|
backingPinnedServices: entry.backingPinnedServices || [],
|
|
33163
|
+
agentCoreHasWs: entry.agentCoreHasWs === true,
|
|
33164
|
+
agentCoreContractPath: entry.agentCoreContractPath || null,
|
|
32943
33165
|
});
|
|
32944
33166
|
updateServeRow(entry.id);
|
|
32945
33167
|
}
|
|
@@ -33377,13 +33599,25 @@ const STUDIO_SCRIPT = `
|
|
|
33377
33599
|
: null;
|
|
33378
33600
|
if (httpBase) {
|
|
33379
33601
|
const captured = (st.endpoints || []).indexOf(httpBase) >= 0;
|
|
33380
|
-
|
|
33602
|
+
// An agentcore serve's contract is POST-only on a fixed path
|
|
33603
|
+
// (/invocations | /mcp | /), so seed the composer with that method + path
|
|
33604
|
+
// instead of the generic GET / (issue #454). Other serves default to GET /.
|
|
33605
|
+
const composerDefaults =
|
|
33606
|
+
meta && meta.kind === 'agentcore-ws'
|
|
33607
|
+
? { method: 'POST', path: meta.agentCoreContractPath || '/invocations' }
|
|
33608
|
+
: null;
|
|
33609
|
+
ws.appendChild(renderRequestComposer(id, httpBase, captured, composerDefaults));
|
|
33381
33610
|
}
|
|
33382
33611
|
|
|
33383
|
-
// A served WebSocket API
|
|
33384
|
-
//
|
|
33612
|
+
// A served WebSocket endpoint (an API Gateway WebSocket API, or an HTTP /
|
|
33613
|
+
// AGUI AgentCore runtime's /ws bridge) gets a WebSocket console so the
|
|
33614
|
+
// browser can connect + exchange frames (issue #303). For an agentcore
|
|
33615
|
+
// serve the console is gated on agentCoreHasWs (HTTP / AGUI expose /ws;
|
|
33616
|
+
// MCP / A2A do not — issue #454); the ws:// endpoint the serve advertises
|
|
33617
|
+
// already encodes that, so this guard is belt-and-suspenders with the spec.
|
|
33385
33618
|
const wsEndpoint = running ? (st.endpoints || []).find((u) => /^wss?:/.test(u)) : null;
|
|
33386
|
-
|
|
33619
|
+
const wsServable = !meta || meta.kind !== 'agentcore-ws' || meta.agentCoreHasWs === true;
|
|
33620
|
+
if (wsEndpoint && wsServable) {
|
|
33387
33621
|
ws.appendChild(renderWsConsole(wsEndpoint));
|
|
33388
33622
|
}
|
|
33389
33623
|
|
|
@@ -33598,7 +33832,7 @@ const STUDIO_SCRIPT = `
|
|
|
33598
33832
|
return sec;
|
|
33599
33833
|
}
|
|
33600
33834
|
|
|
33601
|
-
function renderRequestComposer(id, baseUrl, captured) {
|
|
33835
|
+
function renderRequestComposer(id, baseUrl, captured, defaults) {
|
|
33602
33836
|
const sec = el('div', 'section req-composer');
|
|
33603
33837
|
sec.appendChild(el('h3', null, 'Request'));
|
|
33604
33838
|
const row = el('div', 'req-row');
|
|
@@ -33608,9 +33842,12 @@ const STUDIO_SCRIPT = `
|
|
|
33608
33842
|
o.value = m;
|
|
33609
33843
|
method.appendChild(o);
|
|
33610
33844
|
});
|
|
33845
|
+
// Per-kind defaults (issue #454): an agentcore serve seeds POST + the
|
|
33846
|
+
// protocol contract path; otherwise GET / (the generic default).
|
|
33847
|
+
if (defaults && defaults.method) method.value = defaults.method;
|
|
33611
33848
|
row.appendChild(method);
|
|
33612
33849
|
const path = el('input', 'req-path');
|
|
33613
|
-
path.value = '/';
|
|
33850
|
+
path.value = defaults && defaults.path ? defaults.path : '/';
|
|
33614
33851
|
path.placeholder = '/path?query';
|
|
33615
33852
|
row.appendChild(path);
|
|
33616
33853
|
sec.appendChild(row);
|
|
@@ -34592,8 +34829,13 @@ function toStudioTargetGroups(listing) {
|
|
|
34592
34829
|
},
|
|
34593
34830
|
{
|
|
34594
34831
|
kind: "agentcore-ws",
|
|
34595
|
-
title: "AgentCore
|
|
34596
|
-
entries: map(listing.agentCoreRuntimes.
|
|
34832
|
+
title: "AgentCore (serve)",
|
|
34833
|
+
entries: map(listing.agentCoreRuntimes).map((t, i) => {
|
|
34834
|
+
const src = listing.agentCoreRuntimes[i];
|
|
34835
|
+
if (src?.agentCoreHasWs !== void 0) t.agentCoreHasWs = src.agentCoreHasWs;
|
|
34836
|
+
if (src?.agentCoreContractPath !== void 0) t.agentCoreContractPath = src.agentCoreContractPath;
|
|
34837
|
+
return t;
|
|
34838
|
+
})
|
|
34597
34839
|
},
|
|
34598
34840
|
{
|
|
34599
34841
|
kind: "alb",
|
|
@@ -35722,8 +35964,9 @@ const SERVE_SPECS = {
|
|
|
35722
35964
|
"--host",
|
|
35723
35965
|
"127.0.0.1"
|
|
35724
35966
|
],
|
|
35725
|
-
readyRe: /Server listening on (
|
|
35726
|
-
capturesHttp:
|
|
35967
|
+
readyRe: /Server listening on (\S+)/,
|
|
35968
|
+
capturesHttp: true,
|
|
35969
|
+
extraEndpointRe: /HTTP contract served on (https?:\/\/\S+)/
|
|
35727
35970
|
}
|
|
35728
35971
|
};
|
|
35729
35972
|
/**
|
|
@@ -35935,6 +36178,10 @@ function createStudioServeManager(config) {
|
|
|
35935
36178
|
streamLines(child.stdout, (line) => {
|
|
35936
36179
|
const m = spec.readyRe.exec(line);
|
|
35937
36180
|
if (m) onReady(m[1]);
|
|
36181
|
+
if (spec.extraEndpointRe) {
|
|
36182
|
+
const me = spec.extraEndpointRe.exec(line);
|
|
36183
|
+
if (me) onReady(me[1]);
|
|
36184
|
+
}
|
|
35938
36185
|
if (req.kind === "ecs" && entry.hostUrl === void 0) {
|
|
35939
36186
|
const endpoint = parsePublishedHostEndpoint(line);
|
|
35940
36187
|
if (endpoint) {
|
|
@@ -36932,5 +37179,5 @@ function addStudioSpecificOptions(cmd) {
|
|
|
36932
37179
|
}
|
|
36933
37180
|
|
|
36934
37181
|
//#endregion
|
|
36935
|
-
export {
|
|
36936
|
-
//# sourceMappingURL=local-studio-
|
|
37182
|
+
export { buildEdgeRequestEvent as $, createJwksCache as $n, resolveSsmParameters as $r, CloudMapRegistry as $t, startAgentCoreHttpServer as A, addInvokeSpecificOptions as An, parseConnectionsPath as Ar, createLocalRunTaskCommand as At, resolveKvsModulesForDistribution as B, materializeLayerFromArn as Bn, substituteAgainstState as Br, resolveSharedSidecarCredentials as Bt, addListSpecificOptions as C, substituteImagePlaceholders as Ci, downloadAndExtractS3Bundle as Cn, VtlEvaluationError as Cr, resolveAlbTarget as Ct, createLocalStartAgentCoreCommand as D, resolveProfileCredentials as Di, renderCodeDockerfile as Dn, ConnectionRegistry as Dr, createLocalStartServiceCommand as Dt, addStartAgentCoreSpecificOptions as E, buildStsClientConfig as Ei, computeCodeImageTag as En, bufferToBody as Er, addStartServiceSpecificOptions as Et, createLocalStartCloudFrontCommand as F, resolveApiTargetSubset as Fn, buildContainerImage as Fr, buildEcsImageResolutionContext$1 as Ft, createS3OriginReader as G, groupRoutesByServer as Gn, createLocalStateProvider as Gr, mergeForService as Gt, resolveDeployedKvsArnByName as H, availableApiIdentifiers as Hn, substituteEnvVarsFromState as Hr, ImageOverrideError as Ht, parseKvsFileOverrides as I, createAuthorizerCache as In, resolveRuntimeCodeMountPath as Ir, ecsClusterOption as It, resolveErrorResponseCandidates as J, resolveSelectionExpression as Jn, resolveCfnFallbackRegion as Jr, runImageOverrideBuilds as Jt, matchBehavior as K, readMtlsMaterialsFromDisk as Kn, isCfnFlagPresent as Kr, parseImageOverrideFlags as Kt, parseOriginOverrides as L, createFileWatcher as Ln, resolveRuntimeFileExtension as Lr, parseMaxTasks as Lt, startAgentCoreWsBridge as M, addStartApiSpecificOptions as Mn, buildDisconnectEvent as Mr, addCommonEcsServiceOptions as Mt, LocalStartCloudFrontError as N, createLocalStartApiCommand as Nn, buildMessageEvent as Nr, addEcsAssumeRoleOptions as Nt, buildAgentCoreServeAuthCheck as O, toCmdArgv as On, buildMgmtEndpointEnvUrl as Or, serviceStrategy as Ot, addStartCloudFrontSpecificOptions as P, createWatchPredicates as Pn, architectureToPlatform as Pr, addImageOverrideOptions as Pt, applyEdgeResponseResult as Q, buildJwksUrlFromIssuer as Qn, collectSsmParameterRefs as Qr, buildCloudMapIndex as Qt, resolveCloudFrontTarget as R, attachStageContext as Rn, resolveRuntimeImage as Rr, parseRestartPolicy as Rt, StudioEventBus as S, formatStateRemedy as Si, waitForAgentCorePing as Sn, tryParseStatus as Sr, parseLbPortOverrides as St, formatTargetListing as T, LocalInvokeBuildError as Ti, buildAgentCoreCodeImage as Tn, probeHostGatewaySupport as Tr, resolveAlbFrontDoor as Tt, resolveDeployedOriginBucket as U, filterRoutesByApiIdentifier as Un, substituteEnvVarsFromStateAsync as Ur, buildImageOverrideTag as Ut, createDeployedKvsDataSource as V, resolveEnvVars$1 as Vn, substituteAgainstStateAsync as Vr, runEcsServiceEmulator as Vt, classifyS3Error as W, filterRoutesByApiIdentifiers as Wn, LocalStateSourceError as Wr, enforceImageOverrideOrphans as Wt, serveLambdaUrlOrigin as X, defaultCredentialsLoader as Xn, resolveCfnStackName as Xr, isLocalCdkAssetImage as Xt, serveFromStaticOrigin as Y, resolveServiceIntegrationParameters as Yn, resolveCfnRegion as Yr, describePinnedImageUri as Yt, applyEdgeRequestResult as Z, buildCognitoJwksUrl as Zn, CfnLocalStateProvider as Zr, listPinnedTargets as Zt, filterStudioTargetGroups as _, AGENTCORE_RUNTIME_TYPE as _i, AGENTCORE_SIGV4_SERVICE as _n, buildHttpApiV2Event as _r, createLocalFileKvsDataSource as _t, createLocalStudioCommand as a, discoverWebSocketApis as ai, addInvokeAgentCoreSpecificOptions as an, evaluateCachedLambdaPolicy as ar, extractKvsAssociations as at, renderStudioHtml as b, resolveAgentCoreTarget as bi, invokeAgentCore as bn, pickResponseTemplate as br, albStrategy as bt, startStudioProxy as c, parseSelectionExpressionPath as ci, invokeAgentCoreWs as cn, attachAuthorizers as cr, pickKvsLogicalIdFromArn as ct, createStudioDispatcher as d, pickRefLogicalId as di, a2aInvokeOnce as dn, buildCorsConfigFromCloudFrontChain as dr, resolveCloudFrontDistribution as dt, resolveWatchConfig as ei, DEFAULT_SHADOW_READY_TIMEOUT_MS as en, verifyCognitoJwt as er, buildEdgeResponseEvent as et, filterStudioCustomResources as f, resolveLambdaArnIntrinsic as fi, MCP_CONTAINER_PORT as fn, isFunctionUrlOacFronted as fr, compileCloudFrontFunction as ft, annotatePinnedEcsTargets as g, AGENTCORE_MCP_PROTOCOL as gi, parseSseForJsonRpc as gn, applyAuthorizerOverlay as gr, createCloudFrontModule as gt, annotateEcsTaskPinnedTargets as h, AGENTCORE_HTTP_PROTOCOL as hi, mcpInvokeOnce as hn, translateLambdaResponse as hr, stripCloudFrontImport as ht, coerceStopRequest as i, availableWebSocketApiIdentifiers as ii, attachContainerLogStreamer as in, computeRequestIdentityHash as ir, describeS3OriginDomain as it, attachAgentCoreWsBridge as j, createLocalInvokeCommand as jn, buildConnectEvent as jr, MAX_TASKS_SUBNET_RANGE_CAP as jt, selectServeInboundAuth as k, classifySourceChange as kn, handleConnectionsRequest as kr, addRunTaskSpecificOptions as kt, relayServeRequest as l, webSocketApiMatchesIdentifier as li, A2A_CONTAINER_PORT as ln, applyCorsResponseHeaders as lr, pickLambdaEdgeFunctionLogicalId as lt, annotateAlbPinnedBackingServices as m, AGENTCORE_AGUI_PROTOCOL as mi, MCP_PROTOCOL_VERSION as mn, matchRoute as mr, runViewerResponse as mt, coerceRunRequest as n, countTargets as ni, setShadowReadyTimeoutMs as nn, verifyJwtViaDiscovery as nr, httpHeadersToEdge as nt, resolveServeBaseUrl as o, discoverWebSocketApisOrThrow as oi, createLocalInvokeAgentCoreCommand as on, invokeRequestAuthorizer as or, isCloudFrontDistribution as ot, isCustomResourceLambdaTarget as p, AGENTCORE_A2A_PROTOCOL as pi, MCP_PATH as pn, matchPreflight as pr, runViewerRequest as pt, startCloudFrontServer as q, startApiServer as qn, rejectExplicitCfnStackWithMultipleStacks as qr, resolveImageOverrides as qt, coerceServeRequest as r, listTargets as ri, getContainerNetworkIp as rn, buildMethodArn as rr, CLOUDFRONT_DISTRIBUTION_TYPE as rt, createStudioServeManager as s, filterWebSocketApisByIdentifiers as si, bridgeAgentCoreWs as sn, invokeTokenAuthorizer as sr, pickFunctionUrlLogicalIdFromOrigin as st, addStudioSpecificOptions as t, resolveSingleTarget as ti, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as tn, verifyJwtAuthorizer as tr, edgeHeadersToHttp as tt, reinvoke as u, discoverRoutes as ui, A2A_PATH as un, buildCorsConfigByApiId as ur, pickTargetFunctionLogicalId as ut, startStudioServer as v, AgentCoreResolutionError as vi, signAgentCoreInvocation as vn, buildRestV1Event as vr, createUnboundCloudFrontModule as vt, createLocalListCommand as w, tryResolveImageFnJoin as wi, SUPPORTED_CODE_RUNTIMES as wn, HOST_GATEWAY_MIN_VERSION as wr, isApplicationLoadBalancer as wt, createStudioStore as x, derivePseudoParametersFromRegion as xi, waitForAgentCoreHttpReady as xn, selectIntegrationResponse as xr, createLocalStartAlbCommand as xt, toStudioTargetGroups as y, pickAgentCoreCandidateStack as yi, AGENTCORE_SESSION_ID_HEADER as yn, evaluateResponseParameters as yr, addAlbSpecificOptions as yt, idFromArn as z, buildStageMap as zn, EcsTaskResolutionError as zr, resolveEcsAssumeRoleOption as zt };
|
|
37183
|
+
//# sourceMappingURL=local-studio-Cr0YdvCb.js.map
|