cdk-local 0.136.0 → 0.138.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -3448,10 +3448,14 @@ function scanByType(stacks, type) {
3448
3448
  /**
3449
3449
  * Enumerate `AWS::BedrockAgentCore::Runtime` targets, marking each with
3450
3450
  * {@link TargetEntry.agentCoreHasWs} — true for HTTP / AGUI runtimes (which
3451
- * expose a `/ws` WebSocket endpoint), false for MCP / A2A (which do not). The
3452
- * marker lets the studio `agentcore-ws` serve group list only the runtimes
3453
- * `cdkl start-agentcore` can serve. The protocol is read the same way the
3454
- * resolver reads it (`Properties.ProtocolConfiguration`, default HTTP).
3451
+ * expose a `/ws` WebSocket endpoint), false for MCP / A2A (which do not) — and
3452
+ * {@link TargetEntry.agentCoreContractPath}, the POST path the runtime's
3453
+ * protocol contract is served on (`/invocations` / `/mcp` / `/`). `cdkl
3454
+ * start-agentcore` serves every protocol (issue #454), so the studio serve
3455
+ * group lists every runtime; the `hasWs` marker decides only whether to render
3456
+ * the WebSocket console too, and the contract path seeds the HTTP composer. The
3457
+ * protocol is read the same way the resolver reads it
3458
+ * (`Properties.ProtocolConfiguration`, default HTTP).
3455
3459
  */
3456
3460
  function scanAgentCoreRuntimes(stacks) {
3457
3461
  const entries = [];
@@ -3462,6 +3466,7 @@ function scanAgentCoreRuntimes(stacks) {
3462
3466
  const entry = makeEntry(stack.stackName, logicalId, readCdkPathOrUndefined(resource));
3463
3467
  const protocol = resource.Properties?.["ProtocolConfiguration"];
3464
3468
  entry.agentCoreHasWs = protocol !== "MCP" && protocol !== "A2A";
3469
+ entry.agentCoreContractPath = protocol === "MCP" ? "/mcp" : protocol === "A2A" ? "/" : "/invocations";
3465
3470
  entries.push(entry);
3466
3471
  }
3467
3472
  }
@@ -19481,6 +19486,33 @@ async function resolveInboundAuthorization(resolved, options) {
19481
19486
  return header;
19482
19487
  }
19483
19488
  /**
19489
+ * Resolve the boot-time SigV4 signing context (`{ credentials, region }`) when
19490
+ * `--sigv4` is requested, or `undefined` when it is not applicable (`--sigv4`
19491
+ * off, or a `customJwtAuthorizer` is declared — the JWT path wins, warns).
19492
+ * Throws a {@link CdkLocalError} on a `--bearer-token` conflict, an unresolved
19493
+ * region, or no resolvable credentials.
19494
+ *
19495
+ * Extracted from {@link buildSigV4HeadersIfRequested} so both the single-shot
19496
+ * `cdkl invoke-agentcore` (signs ONE body) and the warm `cdkl start-agentcore`
19497
+ * serve (signs each forwarded body per request — issue #454) resolve the
19498
+ * credentials + region the SAME way. Exported so the serve boot + a unit test
19499
+ * can reuse it.
19500
+ */
19501
+ async function resolveAgentCoreSigV4Context(options, resolved, loaded, stateProvider) {
19502
+ if (!options.sigv4) return void 0;
19503
+ if (options.bearerToken) throw new CdkLocalError(`--sigv4 and --bearer-token are mutually exclusive: pick one inbound auth.`, "LOCAL_INVOKE_AGENTCORE_AUTH_CONFLICT");
19504
+ if (resolved.jwtAuthorizer) {
19505
+ getLogger().warn(`Runtime '${resolved.logicalId}' declares a customJwtAuthorizer; --sigv4 ignored (JWT path takes precedence).`);
19506
+ return;
19507
+ }
19508
+ const region = options.region ?? options.stackRegion ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? resolved.stack.region;
19509
+ if (!region) throw new CdkLocalError("--sigv4: no region resolved for the AgentCore signing scope. Pass --region <region>, set AWS_REGION, or use --from-cfn-stack with a region-bound stack.", "LOCAL_INVOKE_AGENTCORE_SIGV4_NO_REGION");
19510
+ return {
19511
+ credentials: await resolveHostCredentialsForSigV4(options, resolved, loaded, region, stateProvider),
19512
+ region
19513
+ };
19514
+ }
19515
+ /**
19484
19516
  * Compute the SigV4 headers for the `/invocations` POST when `--sigv4` is
19485
19517
  * requested. Returns `undefined` (no header overlay) when:
19486
19518
  *
@@ -19493,17 +19525,11 @@ async function resolveInboundAuthorization(resolved, options) {
19493
19525
  * Exported so a unit test can drive the gate without the full Docker pipeline.
19494
19526
  */
19495
19527
  async function buildSigV4HeadersIfRequested(options, resolved, loaded, host, port, event, sessionId, stateProvider) {
19496
- if (!options.sigv4) return void 0;
19497
- if (options.bearerToken) throw new CdkLocalError(`--sigv4 and --bearer-token are mutually exclusive: pick one inbound auth.`, "LOCAL_INVOKE_AGENTCORE_AUTH_CONFLICT");
19498
- if (resolved.jwtAuthorizer) {
19499
- getLogger().warn(`Runtime '${resolved.logicalId}' declares a customJwtAuthorizer; --sigv4 ignored (JWT path takes precedence).`);
19500
- return;
19501
- }
19502
- const region = options.region ?? options.stackRegion ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? resolved.stack.region;
19503
- if (!region) throw new CdkLocalError("--sigv4: no region resolved for the AgentCore signing scope. Pass --region <region>, set AWS_REGION, or use --from-cfn-stack with a region-bound stack.", "LOCAL_INVOKE_AGENTCORE_SIGV4_NO_REGION");
19528
+ const ctx = await resolveAgentCoreSigV4Context(options, resolved, loaded, stateProvider);
19529
+ if (!ctx) return void 0;
19504
19530
  const signed = await signAgentCoreInvocation({
19505
- credentials: await resolveHostCredentialsForSigV4(options, resolved, loaded, region, stateProvider),
19506
- region,
19531
+ credentials: ctx.credentials,
19532
+ region: ctx.region,
19507
19533
  host,
19508
19534
  port,
19509
19535
  path: "/invocations",
@@ -19516,7 +19542,7 @@ async function buildSigV4HeadersIfRequested(options, resolved, loaded, host, por
19516
19542
  "X-Amz-Content-Sha256": signed.amzContentSha256
19517
19543
  };
19518
19544
  if (signed.amzSecurityToken) headers["X-Amz-Security-Token"] = signed.amzSecurityToken;
19519
- getLogger().info(`Signed /invocations with SigV4 (region=${region}).`);
19545
+ getLogger().info(`Signed /invocations with SigV4 (region=${ctx.region}).`);
19520
19546
  return headers;
19521
19547
  }
19522
19548
  /**
@@ -31060,23 +31086,13 @@ const DEFAULT_ROUTES = [{
31060
31086
  path: "/ping"
31061
31087
  }];
31062
31088
  /**
31063
- * Proxy one inbound HTTP request to the warm container, injecting the
31064
- * session-id + Authorization (+ any extra) headers, and stream the response
31065
- * back. Used for both `GET /ping` and `POST /invocations`; piping the response
31066
- * preserves an SSE (`text/event-stream`) stream.
31089
+ * Wire an upstream (container-leg) request's response back to the inbound
31090
+ * client, piping the body so an SSE (`text/event-stream`) stream stays
31091
+ * incremental, and mapping an upstream error to a `502`. Shared by the
31092
+ * streaming and buffered (`--sigv4`) proxy paths.
31067
31093
  */
31068
- function proxyToContainer(clientReq, clientRes, config, upstreamPath) {
31069
- const headers = { ...clientReq.headers };
31070
- delete headers["host"];
31071
- headers[AGENTCORE_SESSION_ID_HEADER] = config.sessionId ?? randomUUID();
31072
- if (config.authorization) headers["authorization"] = config.authorization;
31073
- const upstream = request({
31074
- host: config.containerHost,
31075
- port: config.containerPort,
31076
- path: upstreamPath,
31077
- method: clientReq.method,
31078
- headers
31079
- }, (upRes) => {
31094
+ function wireUpstreamResponse(upstream, clientRes) {
31095
+ upstream.on("response", (upRes) => {
31080
31096
  clientRes.writeHead(upRes.statusCode ?? 502, upRes.headers);
31081
31097
  upRes.on("error", () => clientRes.destroy());
31082
31098
  upRes.pipe(clientRes);
@@ -31086,6 +31102,79 @@ function proxyToContainer(clientReq, clientRes, config, upstreamPath) {
31086
31102
  if (!clientRes.headersSent) clientRes.writeHead(502, { "content-type": "application/json" });
31087
31103
  clientRes.end(JSON.stringify({ error: `upstream error: ${err.message}` }));
31088
31104
  });
31105
+ }
31106
+ /**
31107
+ * Proxy one inbound HTTP request to the warm container, injecting the
31108
+ * session-id + Authorization (+ any per-request / signed) headers, and stream
31109
+ * the response back. Used for both `GET /ping` and `POST /invocations`; piping
31110
+ * the response preserves an SSE (`text/event-stream`) stream.
31111
+ *
31112
+ * `perRequest.authorization` overrides {@link AgentCoreHttpServerConfig.authorization}
31113
+ * with the value the per-request inbound-JWT gate verified / injected (issue
31114
+ * #454). When {@link AgentCoreHttpServerConfig.signRequest} is set and this is a
31115
+ * `POST`, the body is buffered, signed (SigV4), and forwarded — signing needs
31116
+ * the whole body, so the streaming fast-path is bypassed for that case only.
31117
+ */
31118
+ function proxyToContainer(clientReq, clientRes, config, upstreamPath, perRequest) {
31119
+ const sessionId = config.sessionId ?? randomUUID();
31120
+ const headers = { ...clientReq.headers };
31121
+ delete headers["host"];
31122
+ headers[AGENTCORE_SESSION_ID_HEADER] = sessionId;
31123
+ const authorization = perRequest?.authorization ?? config.authorization;
31124
+ if (authorization) headers["authorization"] = authorization;
31125
+ if (config.signRequest && clientReq.method === "POST") {
31126
+ const signRequest = config.signRequest;
31127
+ const chunks = [];
31128
+ clientReq.on("data", (c) => chunks.push(c));
31129
+ clientReq.on("error", (err) => {
31130
+ getLogger().debug(`agentcore http serve client error: ${err.message}`);
31131
+ if (!clientRes.headersSent) {
31132
+ clientRes.writeHead(400, { "content-type": "application/json" });
31133
+ clientRes.end(JSON.stringify({ error: `client error: ${err.message}` }));
31134
+ }
31135
+ });
31136
+ clientReq.on("end", () => {
31137
+ const body = Buffer.concat(chunks);
31138
+ signRequest({
31139
+ method: "POST",
31140
+ path: upstreamPath,
31141
+ body,
31142
+ sessionId
31143
+ }).then((signed) => {
31144
+ const signedHeaders = {
31145
+ ...headers,
31146
+ ...signed
31147
+ };
31148
+ delete signedHeaders["transfer-encoding"];
31149
+ signedHeaders["content-length"] = String(body.length);
31150
+ const upstream = request({
31151
+ host: config.containerHost,
31152
+ port: config.containerPort,
31153
+ path: upstreamPath,
31154
+ method: "POST",
31155
+ headers: signedHeaders
31156
+ });
31157
+ wireUpstreamResponse(upstream, clientRes);
31158
+ upstream.end(body);
31159
+ }).catch((err) => {
31160
+ const msg = err instanceof Error ? err.message : String(err);
31161
+ getLogger().debug(`agentcore http serve sigv4 sign error: ${msg}`);
31162
+ if (!clientRes.headersSent) {
31163
+ clientRes.writeHead(500, { "content-type": "application/json" });
31164
+ clientRes.end(JSON.stringify({ error: `sigv4 signing failed: ${msg}` }));
31165
+ }
31166
+ });
31167
+ });
31168
+ return;
31169
+ }
31170
+ const upstream = request({
31171
+ host: config.containerHost,
31172
+ port: config.containerPort,
31173
+ path: upstreamPath,
31174
+ method: clientReq.method,
31175
+ headers
31176
+ });
31177
+ wireUpstreamResponse(upstream, clientRes);
31089
31178
  clientReq.on("error", (err) => {
31090
31179
  getLogger().debug(`agentcore http serve client error: ${err.message}`);
31091
31180
  upstream.destroy();
@@ -31105,12 +31194,36 @@ function startAgentCoreHttpServer(config) {
31105
31194
  const httpServer = createServer$1((req, res) => {
31106
31195
  const path = (req.url ?? "/").split("?")[0];
31107
31196
  const match = routes.find((r) => r.method === req.method && r.path === path);
31108
- if (match) return proxyToContainer(req, res, config, match.path);
31109
- res.writeHead(404, { "content-type": "application/json" });
31110
- res.end(JSON.stringify({
31111
- error: "not found",
31112
- hint: notFoundHint
31113
- }));
31197
+ if (!match) {
31198
+ res.writeHead(404, { "content-type": "application/json" });
31199
+ res.end(JSON.stringify({
31200
+ error: "not found",
31201
+ hint: notFoundHint
31202
+ }));
31203
+ return;
31204
+ }
31205
+ if (config.authCheck && req.method === "POST") {
31206
+ req.on("error", (err) => getLogger().debug(`agentcore http serve client error (auth gate): ${err.message}`));
31207
+ config.authCheck(req.headers).then((result) => {
31208
+ if (!result.allow) {
31209
+ req.resume();
31210
+ res.writeHead(result.status ?? 403, { "content-type": "application/json" });
31211
+ res.end(JSON.stringify({ error: result.message ?? "forbidden" }));
31212
+ return;
31213
+ }
31214
+ proxyToContainer(req, res, config, match.path, { ...result.authorization && { authorization: result.authorization } });
31215
+ }).catch((err) => {
31216
+ const msg = err instanceof Error ? err.message : String(err);
31217
+ getLogger().debug(`agentcore http serve auth-check error: ${msg}`);
31218
+ req.resume();
31219
+ if (!res.headersSent) {
31220
+ res.writeHead(500, { "content-type": "application/json" });
31221
+ res.end(JSON.stringify({ error: `auth check failed: ${msg}` }));
31222
+ }
31223
+ });
31224
+ return;
31225
+ }
31226
+ proxyToContainer(req, res, config, match.path);
31114
31227
  });
31115
31228
  const bridge = attachWs ? attachAgentCoreWsBridge(httpServer, {
31116
31229
  containerHost: config.containerHost,
@@ -31147,6 +31260,90 @@ function buildNotFoundHint(routes, attachWs) {
31147
31260
  return attachWs ? `${base} (WebSocket: connect to /ws)` : base;
31148
31261
  }
31149
31262
 
31263
+ //#endregion
31264
+ //#region src/local/agentcore-serve-auth.ts
31265
+ /**
31266
+ * Build the per-request inbound-JWT gate for `cdkl start-agentcore`. The cloud
31267
+ * AgentCore Runtime verifies the CALLER's token against the
31268
+ * `customJwtAuthorizer` on every `InvokeAgentRuntime`; the warm local serve
31269
+ * mirrors that here — unlike the single-shot `cdkl invoke-agentcore`, which
31270
+ * verifies the `--bearer-token` ONCE at boot. This is the serve counterpart of
31271
+ * `front-door-auth`'s `buildAuthCheck` for the ALB (issue #454).
31272
+ *
31273
+ * Semantics (matching the cloud + `resolveInboundAuthorization`):
31274
+ * - `--no-verify-auth` → always allow; forward `--bearer-token` if given.
31275
+ * - inbound `Authorization` present → verify it; absent → fall back to the
31276
+ * injected `--bearer-token`; neither → 401.
31277
+ * - verify failure → 403. An unreachable / malformed discovery URL falls back
31278
+ * to pass-through accept (offline-dev fallback in {@link verifyJwtViaDiscovery}).
31279
+ *
31280
+ * Exported so a unit test can drive the gate (and a host CLI can reuse it)
31281
+ * without the Docker pipeline.
31282
+ */
31283
+ function buildAgentCoreServeAuthCheck(authorizer, opts = {}) {
31284
+ const injectedBearer = opts.bearerToken ? `Bearer ${opts.bearerToken}` : void 0;
31285
+ if (opts.noVerifyAuth === true) return async () => ({
31286
+ allow: true,
31287
+ ...injectedBearer && { authorization: injectedBearer }
31288
+ });
31289
+ const jwksCache = opts.jwksCache ?? createJwksCache();
31290
+ const warnedAt = opts.warnedAt ?? /* @__PURE__ */ new Map();
31291
+ return async (headers) => {
31292
+ const header = readAuthorizationHeader(headers) ?? injectedBearer;
31293
+ if (!header) return {
31294
+ allow: false,
31295
+ status: 401,
31296
+ message: "Missing Authorization: this runtime declares a customJwtAuthorizer. Send a Bearer JWT, or start the serve with --bearer-token / --no-verify-auth."
31297
+ };
31298
+ if (!(await verifyJwtViaDiscovery({
31299
+ discoveryUrl: authorizer.discoveryUrl,
31300
+ ...authorizer.allowedAudience && { allowedAudience: authorizer.allowedAudience },
31301
+ ...authorizer.allowedClients && { allowedClients: authorizer.allowedClients },
31302
+ ...authorizer.allowedScopes && { allowedScopes: authorizer.allowedScopes },
31303
+ ...authorizer.customClaims && { customClaims: authorizer.customClaims }
31304
+ }, header, jwksCache, { warnedAt })).allow) return {
31305
+ allow: false,
31306
+ status: 403,
31307
+ message: `Forbidden: the inbound JWT was rejected by the runtime's customJwtAuthorizer (signature / issuer / expiry / audience / scope check failed against ${authorizer.discoveryUrl}).`
31308
+ };
31309
+ return {
31310
+ allow: true,
31311
+ authorization: header
31312
+ };
31313
+ };
31314
+ }
31315
+ /**
31316
+ * Pick the warm serve's inbound-auth wiring for a runtime shape (issue #454).
31317
+ * Pure (no Docker / network) so the boot's mutually-exclusive selection —
31318
+ * per-request JWT gate vs `--sigv4` signing vs static `--bearer-token`
31319
+ * pass-through — is unit-testable. `sigv4Active` is whether
31320
+ * `resolveAgentCoreSigV4Context` resolved a signing context (it returns
31321
+ * undefined when `--sigv4` is off OR a customJwtAuthorizer is declared, so the
31322
+ * authorizer arm always wins). `buildAuthCheck` is injectable for tests.
31323
+ */
31324
+ function selectServeInboundAuth(resolved, options, sigv4Active, buildAuthCheck = buildAgentCoreServeAuthCheck) {
31325
+ const bearerHeader = options.bearerToken ? `Bearer ${options.bearerToken}` : void 0;
31326
+ if (resolved.jwtAuthorizer) return {
31327
+ authCheck: buildAuthCheck(resolved.jwtAuthorizer, {
31328
+ ...options.verifyAuth === false && { noVerifyAuth: true },
31329
+ ...options.bearerToken && { bearerToken: options.bearerToken }
31330
+ }),
31331
+ ...bearerHeader && { bridgeAuthorization: bearerHeader },
31332
+ sign: false
31333
+ };
31334
+ if (sigv4Active) return { sign: true };
31335
+ return {
31336
+ ...bearerHeader && { bridgeAuthorization: bearerHeader },
31337
+ sign: false
31338
+ };
31339
+ }
31340
+ /** Read a single `Authorization` header value (first when duplicated, undefined when empty). */
31341
+ function readAuthorizationHeader(headers) {
31342
+ const raw = headers["authorization"];
31343
+ const v = Array.isArray(raw) ? raw[0] : raw;
31344
+ return typeof v === "string" && v.length > 0 ? v : void 0;
31345
+ }
31346
+
31150
31347
  //#endregion
31151
31348
  //#region src/cli/commands/local-start-agentcore.ts
31152
31349
  /**
@@ -31290,7 +31487,9 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
31290
31487
  const resolved = resolveAgentCoreTarget(resolvedTarget, stacks, imageContext);
31291
31488
  logger.info(`Target: ${resolved.stack.stackName}/${resolved.logicalId} (${resolved.protocol})`);
31292
31489
  const plan = resolveAgentCoreServePlan(resolved.protocol);
31293
- const authorization = await resolveInboundAuthorization(resolved, options);
31490
+ const sigv4Context = await resolveAgentCoreSigV4Context(options, resolved, loadedState, stateProvider);
31491
+ const authPlan = selectServeInboundAuth(resolved, options, sigv4Context !== void 0);
31492
+ if (authPlan.authCheck && resolved.jwtAuthorizer) logger.info(`Inbound JWT: each request verified per-request against ${resolved.jwtAuthorizer.discoveryUrl}${options.verifyAuth === false ? " (verification DISABLED via --no-verify-auth)" : ""}.`);
31294
31493
  await resolveFromS3BucketIntrinsic(resolved, stateProvider, loadedState, imageContext);
31295
31494
  const image = await resolveAgentCoreImage(resolved, options, loadedState, stateProvider);
31296
31495
  const { env: dockerEnv, sensitiveEnvKeys } = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, stateProvider, loadedState, imageContext);
@@ -31323,6 +31522,25 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
31323
31522
  try {
31324
31523
  if (plan.readyPath === void 0) await waitForAgentCorePing(containerHost, containerHostPort, options.timeout);
31325
31524
  else await waitForAgentCoreHttpReady(containerHost, containerHostPort, plan.readyPath, options.timeout);
31525
+ const signRequest = authPlan.sign && sigv4Context ? async ({ method, path, body, sessionId }) => {
31526
+ const signed = await signAgentCoreInvocation({
31527
+ credentials: sigv4Context.credentials,
31528
+ region: sigv4Context.region,
31529
+ host: containerHost,
31530
+ port: containerHostPort,
31531
+ path,
31532
+ body,
31533
+ sessionId,
31534
+ method
31535
+ });
31536
+ const h = {
31537
+ Authorization: signed.authorization,
31538
+ "X-Amz-Date": signed.amzDate,
31539
+ "X-Amz-Content-Sha256": signed.amzContentSha256
31540
+ };
31541
+ if (signed.amzSecurityToken) h["X-Amz-Security-Token"] = signed.amzSecurityToken;
31542
+ return h;
31543
+ } : void 0;
31326
31544
  server = await startAgentCoreHttpServer({
31327
31545
  containerHost,
31328
31546
  containerPort: containerHostPort,
@@ -31330,7 +31548,9 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
31330
31548
  port: options.port,
31331
31549
  routes: plan.routes,
31332
31550
  attachWs: plan.attachWs,
31333
- ...authorization && { authorization },
31551
+ ...authPlan.bridgeAuthorization && { authorization: authPlan.bridgeAuthorization },
31552
+ ...authPlan.authCheck && { authCheck: authPlan.authCheck },
31553
+ ...signRequest && { signRequest },
31334
31554
  ...options.sessionId && { sessionId: options.sessionId }
31335
31555
  });
31336
31556
  } catch (err) {
@@ -31380,7 +31600,7 @@ function createLocalStartAgentCoreCommand(opts = {}) {
31380
31600
  * `.addOption(...)` blocks. Chainable: returns `cmd`.
31381
31601
  */
31382
31602
  function addStartAgentCoreSpecificOptions(cmd) {
31383
- return cmd.addOption(new Option("--port <n>", "Serve bind port the client connects to (HTTP contract + /ws on the same port). Default 0 (OS-assigned).").default(0).argParser(parsePort)).addOption(new Option("--host <ip>", "Serve bind host. Default 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--session-id <id>", "Pin one AgentCore runtime session id header value for every forwarded request / /ws connection (default: a fresh random UUID each, so each is its own session).")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime's OIDC discovery URL before the container starts, then injected as Authorization: Bearer <jwt> on every forwarded request and the container /ws upgrade.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64). Defaults to linux/arm64 because the cloud AgentCore Runtime requires arm64.").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host IP used to bind the agent container port. Must be a numeric IP. Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Maximum time in milliseconds to wait for the container to become ready (the GET /ping readiness deadline). Default 120000.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container. (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's literal RoleArn; (3) `--no-assume-role` opts out. Off by default.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack and substitute Ref / Fn::ImportValue in env vars / image URIs with the deployed physical IDs / exports. Bare form uses the resolved stack name.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
31603
+ return cmd.addOption(new Option("--port <n>", "Serve bind port the client connects to (HTTP contract + /ws on the same port). Default 0 (OS-assigned).").default(0).argParser(parsePort)).addOption(new Option("--host <ip>", "Serve bind host. Default 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--session-id <id>", "Pin one AgentCore runtime session id header value for every forwarded request / /ws connection (default: a fresh random UUID each, so each is its own session).")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime's OIDC discovery URL before the container starts, then injected as Authorization: Bearer <jwt> on every forwarded request and the container /ws upgrade.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--sigv4", "Sign each forwarded request with AWS SigV4 (service bedrock-agentcore) when the runtime declares NO customJwtAuthorizer, so the warm container sees the same Authorization / X-Amz-* headers the cloud receives. Mutually exclusive with --bearer-token; ignored (with a warning) when a customJwtAuthorizer is declared.")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64). Defaults to linux/arm64 because the cloud AgentCore Runtime requires arm64.").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host IP used to bind the agent container port. Must be a numeric IP. Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Maximum time in milliseconds to wait for the container to become ready (the GET /ping readiness deadline). Default 120000.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container. (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's literal RoleArn; (3) `--no-assume-role` opts out. Off by default.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack and substitute Ref / Fn::ImportValue in env vars / image URIs with the deployed physical IDs / exports. Bare form uses the resolved stack name.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
31384
31604
  }
31385
31605
 
31386
31606
  //#endregion
@@ -32398,8 +32618,8 @@ const STUDIO_CSS = `
32398
32618
  font: 12px ui-monospace, Menlo, monospace; }
32399
32619
  `;
32400
32620
  const STUDIO_SCRIPT = `
32401
- const KIND_LABEL = { lambda: 'Lambda', api: 'API', alb: 'ALB', ecs: 'ECS Service', 'ecs-task': 'ECS Task', cloudfront: 'CloudFront', agentcore: 'AgentCore', 'agentcore-ws': 'AgentCore WS' };
32402
- const SERVE_KINDS = ['api', 'alb', 'ecs', 'ecs-task', 'cloudfront', 'agentcore-ws']; // long-running serve targets (ecs-task = run-task; agentcore-ws = start-agentcore /ws bridge)
32621
+ const KIND_LABEL = { lambda: 'Lambda', api: 'API', alb: 'ALB', ecs: 'ECS Service', 'ecs-task': 'ECS Task', cloudfront: 'CloudFront', agentcore: 'AgentCore', 'agentcore-ws': 'AgentCore serve' };
32622
+ const SERVE_KINDS = ['api', 'alb', 'ecs', 'ecs-task', 'cloudfront', 'agentcore-ws']; // long-running serve targets (ecs-task = run-task; agentcore-ws = start-agentcore warm serve)
32403
32623
  const INVOKE_KINDS = ['lambda', 'agentcore']; // single-shot invoke targets (event composer)
32404
32624
  const rowsById = new Map(); // invocationId -> timeline row element
32405
32625
  const invById = new Map(); // invocationId -> latest invocation event
@@ -32940,6 +33160,8 @@ const STUDIO_SCRIPT = `
32940
33160
  kind: group.kind,
32941
33161
  pinned: entry.pinned === true,
32942
33162
  backingPinnedServices: entry.backingPinnedServices || [],
33163
+ agentCoreHasWs: entry.agentCoreHasWs === true,
33164
+ agentCoreContractPath: entry.agentCoreContractPath || null,
32943
33165
  });
32944
33166
  updateServeRow(entry.id);
32945
33167
  }
@@ -33377,13 +33599,25 @@ const STUDIO_SCRIPT = `
33377
33599
  : null;
33378
33600
  if (httpBase) {
33379
33601
  const captured = (st.endpoints || []).indexOf(httpBase) >= 0;
33380
- ws.appendChild(renderRequestComposer(id, httpBase, captured));
33602
+ // An agentcore serve's contract is POST-only on a fixed path
33603
+ // (/invocations | /mcp | /), so seed the composer with that method + path
33604
+ // instead of the generic GET / (issue #454). Other serves default to GET /.
33605
+ const composerDefaults =
33606
+ meta && meta.kind === 'agentcore-ws'
33607
+ ? { method: 'POST', path: meta.agentCoreContractPath || '/invocations' }
33608
+ : null;
33609
+ ws.appendChild(renderRequestComposer(id, httpBase, captured, composerDefaults));
33381
33610
  }
33382
33611
 
33383
- // A served WebSocket API exposes a ws:// endpoint attach a WebSocket
33384
- // console so the browser can connect + exchange frames (issue #303).
33612
+ // A served WebSocket endpoint (an API Gateway WebSocket API, or an HTTP /
33613
+ // AGUI AgentCore runtime's /ws bridge) gets a WebSocket console so the
33614
+ // browser can connect + exchange frames (issue #303). For an agentcore
33615
+ // serve the console is gated on agentCoreHasWs (HTTP / AGUI expose /ws;
33616
+ // MCP / A2A do not — issue #454); the ws:// endpoint the serve advertises
33617
+ // already encodes that, so this guard is belt-and-suspenders with the spec.
33385
33618
  const wsEndpoint = running ? (st.endpoints || []).find((u) => /^wss?:/.test(u)) : null;
33386
- if (wsEndpoint) {
33619
+ const wsServable = !meta || meta.kind !== 'agentcore-ws' || meta.agentCoreHasWs === true;
33620
+ if (wsEndpoint && wsServable) {
33387
33621
  ws.appendChild(renderWsConsole(wsEndpoint));
33388
33622
  }
33389
33623
 
@@ -33598,7 +33832,7 @@ const STUDIO_SCRIPT = `
33598
33832
  return sec;
33599
33833
  }
33600
33834
 
33601
- function renderRequestComposer(id, baseUrl, captured) {
33835
+ function renderRequestComposer(id, baseUrl, captured, defaults) {
33602
33836
  const sec = el('div', 'section req-composer');
33603
33837
  sec.appendChild(el('h3', null, 'Request'));
33604
33838
  const row = el('div', 'req-row');
@@ -33608,9 +33842,12 @@ const STUDIO_SCRIPT = `
33608
33842
  o.value = m;
33609
33843
  method.appendChild(o);
33610
33844
  });
33845
+ // Per-kind defaults (issue #454): an agentcore serve seeds POST + the
33846
+ // protocol contract path; otherwise GET / (the generic default).
33847
+ if (defaults && defaults.method) method.value = defaults.method;
33611
33848
  row.appendChild(method);
33612
33849
  const path = el('input', 'req-path');
33613
- path.value = '/';
33850
+ path.value = defaults && defaults.path ? defaults.path : '/';
33614
33851
  path.placeholder = '/path?query';
33615
33852
  row.appendChild(path);
33616
33853
  sec.appendChild(row);
@@ -34592,8 +34829,13 @@ function toStudioTargetGroups(listing) {
34592
34829
  },
34593
34830
  {
34594
34831
  kind: "agentcore-ws",
34595
- title: "AgentCore WebSocket",
34596
- entries: map(listing.agentCoreRuntimes.filter((e) => e.agentCoreHasWs))
34832
+ title: "AgentCore (serve)",
34833
+ entries: map(listing.agentCoreRuntimes).map((t, i) => {
34834
+ const src = listing.agentCoreRuntimes[i];
34835
+ if (src?.agentCoreHasWs !== void 0) t.agentCoreHasWs = src.agentCoreHasWs;
34836
+ if (src?.agentCoreContractPath !== void 0) t.agentCoreContractPath = src.agentCoreContractPath;
34837
+ return t;
34838
+ })
34597
34839
  },
34598
34840
  {
34599
34841
  kind: "alb",
@@ -35722,8 +35964,9 @@ const SERVE_SPECS = {
35722
35964
  "--host",
35723
35965
  "127.0.0.1"
35724
35966
  ],
35725
- readyRe: /Server listening on (ws:\/\/\S+)/,
35726
- capturesHttp: false
35967
+ readyRe: /Server listening on (\S+)/,
35968
+ capturesHttp: true,
35969
+ extraEndpointRe: /HTTP contract served on (https?:\/\/\S+)/
35727
35970
  }
35728
35971
  };
35729
35972
  /**
@@ -35935,6 +36178,10 @@ function createStudioServeManager(config) {
35935
36178
  streamLines(child.stdout, (line) => {
35936
36179
  const m = spec.readyRe.exec(line);
35937
36180
  if (m) onReady(m[1]);
36181
+ if (spec.extraEndpointRe) {
36182
+ const me = spec.extraEndpointRe.exec(line);
36183
+ if (me) onReady(me[1]);
36184
+ }
35938
36185
  if (req.kind === "ecs" && entry.hostUrl === void 0) {
35939
36186
  const endpoint = parsePublishedHostEndpoint(line);
35940
36187
  if (endpoint) {
@@ -36932,5 +37179,5 @@ function addStudioSpecificOptions(cmd) {
36932
37179
  }
36933
37180
 
36934
37181
  //#endregion
36935
- export { edgeHeadersToHttp as $, verifyJwtAuthorizer as $n, resolveSingleTarget as $r, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as $t, startAgentCoreWsBridge as A, addStartApiSpecificOptions as An, buildDisconnectEvent as Ar, addCommonEcsServiceOptions as At, resolveDeployedKvsArnByName as B, availableApiIdentifiers as Bn, substituteEnvVarsFromState as Br, ImageOverrideError as Bt, addListSpecificOptions as C, LocalInvokeBuildError as Ci, buildAgentCoreCodeImage as Cn, probeHostGatewaySupport as Cr, resolveAlbFrontDoor as Ct, createLocalStartAgentCoreCommand as D, classifySourceChange as Dn, handleConnectionsRequest as Dr, addRunTaskSpecificOptions as Dt, addStartAgentCoreSpecificOptions as E, toCmdArgv as En, buildMgmtEndpointEnvUrl as Er, serviceStrategy as Et, parseOriginOverrides as F, createFileWatcher as Fn, resolveRuntimeFileExtension as Fr, parseMaxTasks as Ft, startCloudFrontServer as G, startApiServer as Gn, rejectExplicitCfnStackWithMultipleStacks as Gr, resolveImageOverrides as Gt, classifyS3Error as H, filterRoutesByApiIdentifiers as Hn, LocalStateSourceError as Hr, enforceImageOverrideOrphans as Ht, resolveCloudFrontTarget as I, attachStageContext as In, resolveRuntimeImage as Ir, parseRestartPolicy as It, serveLambdaUrlOrigin as J, defaultCredentialsLoader as Jn, resolveCfnStackName as Jr, isLocalCdkAssetImage as Jt, resolveErrorResponseCandidates as K, resolveSelectionExpression as Kn, resolveCfnFallbackRegion as Kr, runImageOverrideBuilds as Kt, idFromArn as L, buildStageMap as Ln, EcsTaskResolutionError as Lr, resolveEcsAssumeRoleOption as Lt, addStartCloudFrontSpecificOptions as M, createWatchPredicates as Mn, architectureToPlatform as Mr, addImageOverrideOptions as Mt, createLocalStartCloudFrontCommand as N, resolveApiTargetSubset as Nn, buildContainerImage as Nr, buildEcsImageResolutionContext$1 as Nt, startAgentCoreHttpServer as O, addInvokeSpecificOptions as On, parseConnectionsPath as Or, createLocalRunTaskCommand as Ot, parseKvsFileOverrides as P, createAuthorizerCache as Pn, resolveRuntimeCodeMountPath as Pr, ecsClusterOption as Pt, buildEdgeResponseEvent as Q, verifyCognitoJwt as Qn, resolveWatchConfig as Qr, DEFAULT_SHADOW_READY_TIMEOUT_MS as Qt, resolveKvsModulesForDistribution as R, materializeLayerFromArn as Rn, substituteAgainstState as Rr, resolveSharedSidecarCredentials as Rt, StudioEventBus as S, tryResolveImageFnJoin as Si, SUPPORTED_CODE_RUNTIMES as Sn, HOST_GATEWAY_MIN_VERSION as Sr, isApplicationLoadBalancer as St, formatTargetListing as T, resolveProfileCredentials as Ti, renderCodeDockerfile as Tn, ConnectionRegistry as Tr, createLocalStartServiceCommand as Tt, createS3OriginReader as U, groupRoutesByServer as Un, createLocalStateProvider as Ur, mergeForService as Ut, resolveDeployedOriginBucket as V, filterRoutesByApiIdentifier as Vn, substituteEnvVarsFromStateAsync as Vr, buildImageOverrideTag as Vt, matchBehavior as W, readMtlsMaterialsFromDisk as Wn, isCfnFlagPresent as Wr, parseImageOverrideFlags as Wt, applyEdgeResponseResult as X, buildJwksUrlFromIssuer as Xn, collectSsmParameterRefs as Xr, buildCloudMapIndex as Xt, applyEdgeRequestResult as Y, buildCognitoJwksUrl as Yn, CfnLocalStateProvider as Yr, listPinnedTargets as Yt, buildEdgeRequestEvent as Z, createJwksCache as Zn, resolveSsmParameters as Zr, CloudMapRegistry as Zt, filterStudioTargetGroups as _, pickAgentCoreCandidateStack as _i, AGENTCORE_SESSION_ID_HEADER as _n, evaluateResponseParameters as _r, addAlbSpecificOptions as _t, createLocalStudioCommand as a, filterWebSocketApisByIdentifiers as ai, bridgeAgentCoreWs as an, invokeTokenAuthorizer as ar, pickFunctionUrlLogicalIdFromOrigin as at, renderStudioHtml as b, formatStateRemedy as bi, waitForAgentCorePing as bn, tryParseStatus as br, parseLbPortOverrides as bt, startStudioProxy as c, discoverRoutes as ci, A2A_PATH as cn, buildCorsConfigByApiId as cr, pickTargetFunctionLogicalId as ct, createStudioDispatcher as d, AGENTCORE_A2A_PROTOCOL as di, MCP_PATH as dn, matchPreflight as dr, runViewerRequest as dt, countTargets as ei, setShadowReadyTimeoutMs as en, verifyJwtViaDiscovery as er, httpHeadersToEdge as et, filterStudioCustomResources as f, AGENTCORE_AGUI_PROTOCOL as fi, MCP_PROTOCOL_VERSION as fn, matchRoute as fr, runViewerResponse as ft, annotatePinnedEcsTargets as g, AgentCoreResolutionError as gi, signAgentCoreInvocation as gn, buildRestV1Event as gr, createUnboundCloudFrontModule as gt, annotateEcsTaskPinnedTargets as h, AGENTCORE_RUNTIME_TYPE as hi, AGENTCORE_SIGV4_SERVICE as hn, buildHttpApiV2Event as hr, createLocalFileKvsDataSource as ht, coerceStopRequest as i, discoverWebSocketApisOrThrow as ii, createLocalInvokeAgentCoreCommand as in, invokeRequestAuthorizer as ir, isCloudFrontDistribution as it, LocalStartCloudFrontError as j, createLocalStartApiCommand as jn, buildMessageEvent as jr, addEcsAssumeRoleOptions as jt, attachAgentCoreWsBridge as k, createLocalInvokeCommand as kn, buildConnectEvent as kr, MAX_TASKS_SUBNET_RANGE_CAP as kt, relayServeRequest as l, pickRefLogicalId as li, a2aInvokeOnce as ln, buildCorsConfigFromCloudFrontChain as lr, resolveCloudFrontDistribution as lt, annotateAlbPinnedBackingServices as m, AGENTCORE_MCP_PROTOCOL as mi, parseSseForJsonRpc as mn, applyAuthorizerOverlay as mr, createCloudFrontModule as mt, coerceRunRequest as n, availableWebSocketApiIdentifiers as ni, attachContainerLogStreamer as nn, computeRequestIdentityHash as nr, describeS3OriginDomain as nt, resolveServeBaseUrl as o, parseSelectionExpressionPath as oi, invokeAgentCoreWs as on, attachAuthorizers as or, pickKvsLogicalIdFromArn as ot, isCustomResourceLambdaTarget as p, AGENTCORE_HTTP_PROTOCOL as pi, mcpInvokeOnce as pn, translateLambdaResponse as pr, stripCloudFrontImport as pt, serveFromStaticOrigin as q, resolveServiceIntegrationParameters as qn, resolveCfnRegion as qr, describePinnedImageUri as qt, coerceServeRequest as r, discoverWebSocketApis as ri, addInvokeAgentCoreSpecificOptions as rn, evaluateCachedLambdaPolicy as rr, extractKvsAssociations as rt, createStudioServeManager as s, webSocketApiMatchesIdentifier as si, A2A_CONTAINER_PORT as sn, applyCorsResponseHeaders as sr, pickLambdaEdgeFunctionLogicalId as st, addStudioSpecificOptions as t, listTargets as ti, getContainerNetworkIp as tn, buildMethodArn as tr, CLOUDFRONT_DISTRIBUTION_TYPE as tt, reinvoke as u, resolveLambdaArnIntrinsic as ui, MCP_CONTAINER_PORT as un, isFunctionUrlOacFronted as ur, compileCloudFrontFunction as ut, startStudioServer as v, resolveAgentCoreTarget as vi, invokeAgentCore as vn, pickResponseTemplate as vr, albStrategy as vt, createLocalListCommand as w, buildStsClientConfig as wi, computeCodeImageTag as wn, bufferToBody as wr, addStartServiceSpecificOptions as wt, createStudioStore as x, substituteImagePlaceholders as xi, downloadAndExtractS3Bundle as xn, VtlEvaluationError as xr, resolveAlbTarget as xt, toStudioTargetGroups as y, derivePseudoParametersFromRegion as yi, waitForAgentCoreHttpReady as yn, selectIntegrationResponse as yr, createLocalStartAlbCommand as yt, createDeployedKvsDataSource as z, resolveEnvVars$1 as zn, substituteAgainstStateAsync as zr, runEcsServiceEmulator as zt };
36936
- //# sourceMappingURL=local-studio-BqHODjfP.js.map
37182
+ export { buildEdgeRequestEvent as $, createJwksCache as $n, resolveSsmParameters as $r, CloudMapRegistry as $t, startAgentCoreHttpServer as A, addInvokeSpecificOptions as An, parseConnectionsPath as Ar, createLocalRunTaskCommand as At, resolveKvsModulesForDistribution as B, materializeLayerFromArn as Bn, substituteAgainstState as Br, resolveSharedSidecarCredentials as Bt, addListSpecificOptions as C, substituteImagePlaceholders as Ci, downloadAndExtractS3Bundle as Cn, VtlEvaluationError as Cr, resolveAlbTarget as Ct, createLocalStartAgentCoreCommand as D, resolveProfileCredentials as Di, renderCodeDockerfile as Dn, ConnectionRegistry as Dr, createLocalStartServiceCommand as Dt, addStartAgentCoreSpecificOptions as E, buildStsClientConfig as Ei, computeCodeImageTag as En, bufferToBody as Er, addStartServiceSpecificOptions as Et, createLocalStartCloudFrontCommand as F, resolveApiTargetSubset as Fn, buildContainerImage as Fr, buildEcsImageResolutionContext$1 as Ft, createS3OriginReader as G, groupRoutesByServer as Gn, createLocalStateProvider as Gr, mergeForService as Gt, resolveDeployedKvsArnByName as H, availableApiIdentifiers as Hn, substituteEnvVarsFromState as Hr, ImageOverrideError as Ht, parseKvsFileOverrides as I, createAuthorizerCache as In, resolveRuntimeCodeMountPath as Ir, ecsClusterOption as It, resolveErrorResponseCandidates as J, resolveSelectionExpression as Jn, resolveCfnFallbackRegion as Jr, runImageOverrideBuilds as Jt, matchBehavior as K, readMtlsMaterialsFromDisk as Kn, isCfnFlagPresent as Kr, parseImageOverrideFlags as Kt, parseOriginOverrides as L, createFileWatcher as Ln, resolveRuntimeFileExtension as Lr, parseMaxTasks as Lt, startAgentCoreWsBridge as M, addStartApiSpecificOptions as Mn, buildDisconnectEvent as Mr, addCommonEcsServiceOptions as Mt, LocalStartCloudFrontError as N, createLocalStartApiCommand as Nn, buildMessageEvent as Nr, addEcsAssumeRoleOptions as Nt, buildAgentCoreServeAuthCheck as O, toCmdArgv as On, buildMgmtEndpointEnvUrl as Or, serviceStrategy as Ot, addStartCloudFrontSpecificOptions as P, createWatchPredicates as Pn, architectureToPlatform as Pr, addImageOverrideOptions as Pt, applyEdgeResponseResult as Q, buildJwksUrlFromIssuer as Qn, collectSsmParameterRefs as Qr, buildCloudMapIndex as Qt, resolveCloudFrontTarget as R, attachStageContext as Rn, resolveRuntimeImage as Rr, parseRestartPolicy as Rt, StudioEventBus as S, formatStateRemedy as Si, waitForAgentCorePing as Sn, tryParseStatus as Sr, parseLbPortOverrides as St, formatTargetListing as T, LocalInvokeBuildError as Ti, buildAgentCoreCodeImage as Tn, probeHostGatewaySupport as Tr, resolveAlbFrontDoor as Tt, resolveDeployedOriginBucket as U, filterRoutesByApiIdentifier as Un, substituteEnvVarsFromStateAsync as Ur, buildImageOverrideTag as Ut, createDeployedKvsDataSource as V, resolveEnvVars$1 as Vn, substituteAgainstStateAsync as Vr, runEcsServiceEmulator as Vt, classifyS3Error as W, filterRoutesByApiIdentifiers as Wn, LocalStateSourceError as Wr, enforceImageOverrideOrphans as Wt, serveLambdaUrlOrigin as X, defaultCredentialsLoader as Xn, resolveCfnStackName as Xr, isLocalCdkAssetImage as Xt, serveFromStaticOrigin as Y, resolveServiceIntegrationParameters as Yn, resolveCfnRegion as Yr, describePinnedImageUri as Yt, applyEdgeRequestResult as Z, buildCognitoJwksUrl as Zn, CfnLocalStateProvider as Zr, listPinnedTargets as Zt, filterStudioTargetGroups as _, AGENTCORE_RUNTIME_TYPE as _i, AGENTCORE_SIGV4_SERVICE as _n, buildHttpApiV2Event as _r, createLocalFileKvsDataSource as _t, createLocalStudioCommand as a, discoverWebSocketApis as ai, addInvokeAgentCoreSpecificOptions as an, evaluateCachedLambdaPolicy as ar, extractKvsAssociations as at, renderStudioHtml as b, resolveAgentCoreTarget as bi, invokeAgentCore as bn, pickResponseTemplate as br, albStrategy as bt, startStudioProxy as c, parseSelectionExpressionPath as ci, invokeAgentCoreWs as cn, attachAuthorizers as cr, pickKvsLogicalIdFromArn as ct, createStudioDispatcher as d, pickRefLogicalId as di, a2aInvokeOnce as dn, buildCorsConfigFromCloudFrontChain as dr, resolveCloudFrontDistribution as dt, resolveWatchConfig as ei, DEFAULT_SHADOW_READY_TIMEOUT_MS as en, verifyCognitoJwt as er, buildEdgeResponseEvent as et, filterStudioCustomResources as f, resolveLambdaArnIntrinsic as fi, MCP_CONTAINER_PORT as fn, isFunctionUrlOacFronted as fr, compileCloudFrontFunction as ft, annotatePinnedEcsTargets as g, AGENTCORE_MCP_PROTOCOL as gi, parseSseForJsonRpc as gn, applyAuthorizerOverlay as gr, createCloudFrontModule as gt, annotateEcsTaskPinnedTargets as h, AGENTCORE_HTTP_PROTOCOL as hi, mcpInvokeOnce as hn, translateLambdaResponse as hr, stripCloudFrontImport as ht, coerceStopRequest as i, availableWebSocketApiIdentifiers as ii, attachContainerLogStreamer as in, computeRequestIdentityHash as ir, describeS3OriginDomain as it, attachAgentCoreWsBridge as j, createLocalInvokeCommand as jn, buildConnectEvent as jr, MAX_TASKS_SUBNET_RANGE_CAP as jt, selectServeInboundAuth as k, classifySourceChange as kn, handleConnectionsRequest as kr, addRunTaskSpecificOptions as kt, relayServeRequest as l, webSocketApiMatchesIdentifier as li, A2A_CONTAINER_PORT as ln, applyCorsResponseHeaders as lr, pickLambdaEdgeFunctionLogicalId as lt, annotateAlbPinnedBackingServices as m, AGENTCORE_AGUI_PROTOCOL as mi, MCP_PROTOCOL_VERSION as mn, matchRoute as mr, runViewerResponse as mt, coerceRunRequest as n, countTargets as ni, setShadowReadyTimeoutMs as nn, verifyJwtViaDiscovery as nr, httpHeadersToEdge as nt, resolveServeBaseUrl as o, discoverWebSocketApisOrThrow as oi, createLocalInvokeAgentCoreCommand as on, invokeRequestAuthorizer as or, isCloudFrontDistribution as ot, isCustomResourceLambdaTarget as p, AGENTCORE_A2A_PROTOCOL as pi, MCP_PATH as pn, matchPreflight as pr, runViewerRequest as pt, startCloudFrontServer as q, startApiServer as qn, rejectExplicitCfnStackWithMultipleStacks as qr, resolveImageOverrides as qt, coerceServeRequest as r, listTargets as ri, getContainerNetworkIp as rn, buildMethodArn as rr, CLOUDFRONT_DISTRIBUTION_TYPE as rt, createStudioServeManager as s, filterWebSocketApisByIdentifiers as si, bridgeAgentCoreWs as sn, invokeTokenAuthorizer as sr, pickFunctionUrlLogicalIdFromOrigin as st, addStudioSpecificOptions as t, resolveSingleTarget as ti, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as tn, verifyJwtAuthorizer as tr, edgeHeadersToHttp as tt, reinvoke as u, discoverRoutes as ui, A2A_PATH as un, buildCorsConfigByApiId as ur, pickTargetFunctionLogicalId as ut, startStudioServer as v, AgentCoreResolutionError as vi, signAgentCoreInvocation as vn, buildRestV1Event as vr, createUnboundCloudFrontModule as vt, createLocalListCommand as w, tryResolveImageFnJoin as wi, SUPPORTED_CODE_RUNTIMES as wn, HOST_GATEWAY_MIN_VERSION as wr, isApplicationLoadBalancer as wt, createStudioStore as x, derivePseudoParametersFromRegion as xi, waitForAgentCoreHttpReady as xn, selectIntegrationResponse as xr, createLocalStartAlbCommand as xt, toStudioTargetGroups as y, pickAgentCoreCandidateStack as yi, AGENTCORE_SESSION_ID_HEADER as yn, evaluateResponseParameters as yr, addAlbSpecificOptions as yt, idFromArn as z, buildStageMap as zn, EcsTaskResolutionError as zr, resolveEcsAssumeRoleOption as zt };
37183
+ //# sourceMappingURL=local-studio-Cr0YdvCb.js.map