cdk-local 0.137.0 → 0.138.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/dist/cli.js +2 -2
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/dist/internal.d.ts +2 -28
- package/dist/internal.d.ts.map +1 -1
- package/dist/internal.js +2 -2
- package/dist/{local-studio-CVnRJb-b.d.ts → local-studio-CiKbBfUi.d.ts} +62 -3
- package/dist/local-studio-CiKbBfUi.d.ts.map +1 -0
- package/dist/{local-studio-DxzjQZJu.js → local-studio-Cr0YdvCb.js} +253 -38
- package/dist/local-studio-Cr0YdvCb.js.map +1 -0
- package/package.json +1 -1
- package/dist/local-studio-CVnRJb-b.d.ts.map +0 -1
- package/dist/local-studio-DxzjQZJu.js.map +0 -1
|
@@ -19486,6 +19486,33 @@ async function resolveInboundAuthorization(resolved, options) {
|
|
|
19486
19486
|
return header;
|
|
19487
19487
|
}
|
|
19488
19488
|
/**
|
|
19489
|
+
* Resolve the boot-time SigV4 signing context (`{ credentials, region }`) when
|
|
19490
|
+
* `--sigv4` is requested, or `undefined` when it is not applicable (`--sigv4`
|
|
19491
|
+
* off, or a `customJwtAuthorizer` is declared — the JWT path wins, warns).
|
|
19492
|
+
* Throws a {@link CdkLocalError} on a `--bearer-token` conflict, an unresolved
|
|
19493
|
+
* region, or no resolvable credentials.
|
|
19494
|
+
*
|
|
19495
|
+
* Extracted from {@link buildSigV4HeadersIfRequested} so both the single-shot
|
|
19496
|
+
* `cdkl invoke-agentcore` (signs ONE body) and the warm `cdkl start-agentcore`
|
|
19497
|
+
* serve (signs each forwarded body per request — issue #454) resolve the
|
|
19498
|
+
* credentials + region the SAME way. Exported so the serve boot + a unit test
|
|
19499
|
+
* can reuse it.
|
|
19500
|
+
*/
|
|
19501
|
+
async function resolveAgentCoreSigV4Context(options, resolved, loaded, stateProvider) {
|
|
19502
|
+
if (!options.sigv4) return void 0;
|
|
19503
|
+
if (options.bearerToken) throw new CdkLocalError(`--sigv4 and --bearer-token are mutually exclusive: pick one inbound auth.`, "LOCAL_INVOKE_AGENTCORE_AUTH_CONFLICT");
|
|
19504
|
+
if (resolved.jwtAuthorizer) {
|
|
19505
|
+
getLogger().warn(`Runtime '${resolved.logicalId}' declares a customJwtAuthorizer; --sigv4 ignored (JWT path takes precedence).`);
|
|
19506
|
+
return;
|
|
19507
|
+
}
|
|
19508
|
+
const region = options.region ?? options.stackRegion ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? resolved.stack.region;
|
|
19509
|
+
if (!region) throw new CdkLocalError("--sigv4: no region resolved for the AgentCore signing scope. Pass --region <region>, set AWS_REGION, or use --from-cfn-stack with a region-bound stack.", "LOCAL_INVOKE_AGENTCORE_SIGV4_NO_REGION");
|
|
19510
|
+
return {
|
|
19511
|
+
credentials: await resolveHostCredentialsForSigV4(options, resolved, loaded, region, stateProvider),
|
|
19512
|
+
region
|
|
19513
|
+
};
|
|
19514
|
+
}
|
|
19515
|
+
/**
|
|
19489
19516
|
* Compute the SigV4 headers for the `/invocations` POST when `--sigv4` is
|
|
19490
19517
|
* requested. Returns `undefined` (no header overlay) when:
|
|
19491
19518
|
*
|
|
@@ -19498,17 +19525,11 @@ async function resolveInboundAuthorization(resolved, options) {
|
|
|
19498
19525
|
* Exported so a unit test can drive the gate without the full Docker pipeline.
|
|
19499
19526
|
*/
|
|
19500
19527
|
async function buildSigV4HeadersIfRequested(options, resolved, loaded, host, port, event, sessionId, stateProvider) {
|
|
19501
|
-
|
|
19502
|
-
if (
|
|
19503
|
-
if (resolved.jwtAuthorizer) {
|
|
19504
|
-
getLogger().warn(`Runtime '${resolved.logicalId}' declares a customJwtAuthorizer; --sigv4 ignored (JWT path takes precedence).`);
|
|
19505
|
-
return;
|
|
19506
|
-
}
|
|
19507
|
-
const region = options.region ?? options.stackRegion ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? resolved.stack.region;
|
|
19508
|
-
if (!region) throw new CdkLocalError("--sigv4: no region resolved for the AgentCore signing scope. Pass --region <region>, set AWS_REGION, or use --from-cfn-stack with a region-bound stack.", "LOCAL_INVOKE_AGENTCORE_SIGV4_NO_REGION");
|
|
19528
|
+
const ctx = await resolveAgentCoreSigV4Context(options, resolved, loaded, stateProvider);
|
|
19529
|
+
if (!ctx) return void 0;
|
|
19509
19530
|
const signed = await signAgentCoreInvocation({
|
|
19510
|
-
credentials:
|
|
19511
|
-
region,
|
|
19531
|
+
credentials: ctx.credentials,
|
|
19532
|
+
region: ctx.region,
|
|
19512
19533
|
host,
|
|
19513
19534
|
port,
|
|
19514
19535
|
path: "/invocations",
|
|
@@ -19521,7 +19542,7 @@ async function buildSigV4HeadersIfRequested(options, resolved, loaded, host, por
|
|
|
19521
19542
|
"X-Amz-Content-Sha256": signed.amzContentSha256
|
|
19522
19543
|
};
|
|
19523
19544
|
if (signed.amzSecurityToken) headers["X-Amz-Security-Token"] = signed.amzSecurityToken;
|
|
19524
|
-
getLogger().info(`Signed /invocations with SigV4 (region=${region}).`);
|
|
19545
|
+
getLogger().info(`Signed /invocations with SigV4 (region=${ctx.region}).`);
|
|
19525
19546
|
return headers;
|
|
19526
19547
|
}
|
|
19527
19548
|
/**
|
|
@@ -31065,23 +31086,13 @@ const DEFAULT_ROUTES = [{
|
|
|
31065
31086
|
path: "/ping"
|
|
31066
31087
|
}];
|
|
31067
31088
|
/**
|
|
31068
|
-
*
|
|
31069
|
-
*
|
|
31070
|
-
*
|
|
31071
|
-
*
|
|
31089
|
+
* Wire an upstream (container-leg) request's response back to the inbound
|
|
31090
|
+
* client, piping the body so an SSE (`text/event-stream`) stream stays
|
|
31091
|
+
* incremental, and mapping an upstream error to a `502`. Shared by the
|
|
31092
|
+
* streaming and buffered (`--sigv4`) proxy paths.
|
|
31072
31093
|
*/
|
|
31073
|
-
function
|
|
31074
|
-
|
|
31075
|
-
delete headers["host"];
|
|
31076
|
-
headers[AGENTCORE_SESSION_ID_HEADER] = config.sessionId ?? randomUUID();
|
|
31077
|
-
if (config.authorization) headers["authorization"] = config.authorization;
|
|
31078
|
-
const upstream = request({
|
|
31079
|
-
host: config.containerHost,
|
|
31080
|
-
port: config.containerPort,
|
|
31081
|
-
path: upstreamPath,
|
|
31082
|
-
method: clientReq.method,
|
|
31083
|
-
headers
|
|
31084
|
-
}, (upRes) => {
|
|
31094
|
+
function wireUpstreamResponse(upstream, clientRes) {
|
|
31095
|
+
upstream.on("response", (upRes) => {
|
|
31085
31096
|
clientRes.writeHead(upRes.statusCode ?? 502, upRes.headers);
|
|
31086
31097
|
upRes.on("error", () => clientRes.destroy());
|
|
31087
31098
|
upRes.pipe(clientRes);
|
|
@@ -31091,6 +31102,79 @@ function proxyToContainer(clientReq, clientRes, config, upstreamPath) {
|
|
|
31091
31102
|
if (!clientRes.headersSent) clientRes.writeHead(502, { "content-type": "application/json" });
|
|
31092
31103
|
clientRes.end(JSON.stringify({ error: `upstream error: ${err.message}` }));
|
|
31093
31104
|
});
|
|
31105
|
+
}
|
|
31106
|
+
/**
|
|
31107
|
+
* Proxy one inbound HTTP request to the warm container, injecting the
|
|
31108
|
+
* session-id + Authorization (+ any per-request / signed) headers, and stream
|
|
31109
|
+
* the response back. Used for both `GET /ping` and `POST /invocations`; piping
|
|
31110
|
+
* the response preserves an SSE (`text/event-stream`) stream.
|
|
31111
|
+
*
|
|
31112
|
+
* `perRequest.authorization` overrides {@link AgentCoreHttpServerConfig.authorization}
|
|
31113
|
+
* with the value the per-request inbound-JWT gate verified / injected (issue
|
|
31114
|
+
* #454). When {@link AgentCoreHttpServerConfig.signRequest} is set and this is a
|
|
31115
|
+
* `POST`, the body is buffered, signed (SigV4), and forwarded — signing needs
|
|
31116
|
+
* the whole body, so the streaming fast-path is bypassed for that case only.
|
|
31117
|
+
*/
|
|
31118
|
+
function proxyToContainer(clientReq, clientRes, config, upstreamPath, perRequest) {
|
|
31119
|
+
const sessionId = config.sessionId ?? randomUUID();
|
|
31120
|
+
const headers = { ...clientReq.headers };
|
|
31121
|
+
delete headers["host"];
|
|
31122
|
+
headers[AGENTCORE_SESSION_ID_HEADER] = sessionId;
|
|
31123
|
+
const authorization = perRequest?.authorization ?? config.authorization;
|
|
31124
|
+
if (authorization) headers["authorization"] = authorization;
|
|
31125
|
+
if (config.signRequest && clientReq.method === "POST") {
|
|
31126
|
+
const signRequest = config.signRequest;
|
|
31127
|
+
const chunks = [];
|
|
31128
|
+
clientReq.on("data", (c) => chunks.push(c));
|
|
31129
|
+
clientReq.on("error", (err) => {
|
|
31130
|
+
getLogger().debug(`agentcore http serve client error: ${err.message}`);
|
|
31131
|
+
if (!clientRes.headersSent) {
|
|
31132
|
+
clientRes.writeHead(400, { "content-type": "application/json" });
|
|
31133
|
+
clientRes.end(JSON.stringify({ error: `client error: ${err.message}` }));
|
|
31134
|
+
}
|
|
31135
|
+
});
|
|
31136
|
+
clientReq.on("end", () => {
|
|
31137
|
+
const body = Buffer.concat(chunks);
|
|
31138
|
+
signRequest({
|
|
31139
|
+
method: "POST",
|
|
31140
|
+
path: upstreamPath,
|
|
31141
|
+
body,
|
|
31142
|
+
sessionId
|
|
31143
|
+
}).then((signed) => {
|
|
31144
|
+
const signedHeaders = {
|
|
31145
|
+
...headers,
|
|
31146
|
+
...signed
|
|
31147
|
+
};
|
|
31148
|
+
delete signedHeaders["transfer-encoding"];
|
|
31149
|
+
signedHeaders["content-length"] = String(body.length);
|
|
31150
|
+
const upstream = request({
|
|
31151
|
+
host: config.containerHost,
|
|
31152
|
+
port: config.containerPort,
|
|
31153
|
+
path: upstreamPath,
|
|
31154
|
+
method: "POST",
|
|
31155
|
+
headers: signedHeaders
|
|
31156
|
+
});
|
|
31157
|
+
wireUpstreamResponse(upstream, clientRes);
|
|
31158
|
+
upstream.end(body);
|
|
31159
|
+
}).catch((err) => {
|
|
31160
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
31161
|
+
getLogger().debug(`agentcore http serve sigv4 sign error: ${msg}`);
|
|
31162
|
+
if (!clientRes.headersSent) {
|
|
31163
|
+
clientRes.writeHead(500, { "content-type": "application/json" });
|
|
31164
|
+
clientRes.end(JSON.stringify({ error: `sigv4 signing failed: ${msg}` }));
|
|
31165
|
+
}
|
|
31166
|
+
});
|
|
31167
|
+
});
|
|
31168
|
+
return;
|
|
31169
|
+
}
|
|
31170
|
+
const upstream = request({
|
|
31171
|
+
host: config.containerHost,
|
|
31172
|
+
port: config.containerPort,
|
|
31173
|
+
path: upstreamPath,
|
|
31174
|
+
method: clientReq.method,
|
|
31175
|
+
headers
|
|
31176
|
+
});
|
|
31177
|
+
wireUpstreamResponse(upstream, clientRes);
|
|
31094
31178
|
clientReq.on("error", (err) => {
|
|
31095
31179
|
getLogger().debug(`agentcore http serve client error: ${err.message}`);
|
|
31096
31180
|
upstream.destroy();
|
|
@@ -31110,12 +31194,36 @@ function startAgentCoreHttpServer(config) {
|
|
|
31110
31194
|
const httpServer = createServer$1((req, res) => {
|
|
31111
31195
|
const path = (req.url ?? "/").split("?")[0];
|
|
31112
31196
|
const match = routes.find((r) => r.method === req.method && r.path === path);
|
|
31113
|
-
if (match)
|
|
31114
|
-
|
|
31115
|
-
|
|
31116
|
-
|
|
31117
|
-
|
|
31118
|
-
|
|
31197
|
+
if (!match) {
|
|
31198
|
+
res.writeHead(404, { "content-type": "application/json" });
|
|
31199
|
+
res.end(JSON.stringify({
|
|
31200
|
+
error: "not found",
|
|
31201
|
+
hint: notFoundHint
|
|
31202
|
+
}));
|
|
31203
|
+
return;
|
|
31204
|
+
}
|
|
31205
|
+
if (config.authCheck && req.method === "POST") {
|
|
31206
|
+
req.on("error", (err) => getLogger().debug(`agentcore http serve client error (auth gate): ${err.message}`));
|
|
31207
|
+
config.authCheck(req.headers).then((result) => {
|
|
31208
|
+
if (!result.allow) {
|
|
31209
|
+
req.resume();
|
|
31210
|
+
res.writeHead(result.status ?? 403, { "content-type": "application/json" });
|
|
31211
|
+
res.end(JSON.stringify({ error: result.message ?? "forbidden" }));
|
|
31212
|
+
return;
|
|
31213
|
+
}
|
|
31214
|
+
proxyToContainer(req, res, config, match.path, { ...result.authorization && { authorization: result.authorization } });
|
|
31215
|
+
}).catch((err) => {
|
|
31216
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
31217
|
+
getLogger().debug(`agentcore http serve auth-check error: ${msg}`);
|
|
31218
|
+
req.resume();
|
|
31219
|
+
if (!res.headersSent) {
|
|
31220
|
+
res.writeHead(500, { "content-type": "application/json" });
|
|
31221
|
+
res.end(JSON.stringify({ error: `auth check failed: ${msg}` }));
|
|
31222
|
+
}
|
|
31223
|
+
});
|
|
31224
|
+
return;
|
|
31225
|
+
}
|
|
31226
|
+
proxyToContainer(req, res, config, match.path);
|
|
31119
31227
|
});
|
|
31120
31228
|
const bridge = attachWs ? attachAgentCoreWsBridge(httpServer, {
|
|
31121
31229
|
containerHost: config.containerHost,
|
|
@@ -31152,6 +31260,90 @@ function buildNotFoundHint(routes, attachWs) {
|
|
|
31152
31260
|
return attachWs ? `${base} (WebSocket: connect to /ws)` : base;
|
|
31153
31261
|
}
|
|
31154
31262
|
|
|
31263
|
+
//#endregion
|
|
31264
|
+
//#region src/local/agentcore-serve-auth.ts
|
|
31265
|
+
/**
|
|
31266
|
+
* Build the per-request inbound-JWT gate for `cdkl start-agentcore`. The cloud
|
|
31267
|
+
* AgentCore Runtime verifies the CALLER's token against the
|
|
31268
|
+
* `customJwtAuthorizer` on every `InvokeAgentRuntime`; the warm local serve
|
|
31269
|
+
* mirrors that here — unlike the single-shot `cdkl invoke-agentcore`, which
|
|
31270
|
+
* verifies the `--bearer-token` ONCE at boot. This is the serve counterpart of
|
|
31271
|
+
* `front-door-auth`'s `buildAuthCheck` for the ALB (issue #454).
|
|
31272
|
+
*
|
|
31273
|
+
* Semantics (matching the cloud + `resolveInboundAuthorization`):
|
|
31274
|
+
* - `--no-verify-auth` → always allow; forward `--bearer-token` if given.
|
|
31275
|
+
* - inbound `Authorization` present → verify it; absent → fall back to the
|
|
31276
|
+
* injected `--bearer-token`; neither → 401.
|
|
31277
|
+
* - verify failure → 403. An unreachable / malformed discovery URL falls back
|
|
31278
|
+
* to pass-through accept (offline-dev fallback in {@link verifyJwtViaDiscovery}).
|
|
31279
|
+
*
|
|
31280
|
+
* Exported so a unit test can drive the gate (and a host CLI can reuse it)
|
|
31281
|
+
* without the Docker pipeline.
|
|
31282
|
+
*/
|
|
31283
|
+
function buildAgentCoreServeAuthCheck(authorizer, opts = {}) {
|
|
31284
|
+
const injectedBearer = opts.bearerToken ? `Bearer ${opts.bearerToken}` : void 0;
|
|
31285
|
+
if (opts.noVerifyAuth === true) return async () => ({
|
|
31286
|
+
allow: true,
|
|
31287
|
+
...injectedBearer && { authorization: injectedBearer }
|
|
31288
|
+
});
|
|
31289
|
+
const jwksCache = opts.jwksCache ?? createJwksCache();
|
|
31290
|
+
const warnedAt = opts.warnedAt ?? /* @__PURE__ */ new Map();
|
|
31291
|
+
return async (headers) => {
|
|
31292
|
+
const header = readAuthorizationHeader(headers) ?? injectedBearer;
|
|
31293
|
+
if (!header) return {
|
|
31294
|
+
allow: false,
|
|
31295
|
+
status: 401,
|
|
31296
|
+
message: "Missing Authorization: this runtime declares a customJwtAuthorizer. Send a Bearer JWT, or start the serve with --bearer-token / --no-verify-auth."
|
|
31297
|
+
};
|
|
31298
|
+
if (!(await verifyJwtViaDiscovery({
|
|
31299
|
+
discoveryUrl: authorizer.discoveryUrl,
|
|
31300
|
+
...authorizer.allowedAudience && { allowedAudience: authorizer.allowedAudience },
|
|
31301
|
+
...authorizer.allowedClients && { allowedClients: authorizer.allowedClients },
|
|
31302
|
+
...authorizer.allowedScopes && { allowedScopes: authorizer.allowedScopes },
|
|
31303
|
+
...authorizer.customClaims && { customClaims: authorizer.customClaims }
|
|
31304
|
+
}, header, jwksCache, { warnedAt })).allow) return {
|
|
31305
|
+
allow: false,
|
|
31306
|
+
status: 403,
|
|
31307
|
+
message: `Forbidden: the inbound JWT was rejected by the runtime's customJwtAuthorizer (signature / issuer / expiry / audience / scope check failed against ${authorizer.discoveryUrl}).`
|
|
31308
|
+
};
|
|
31309
|
+
return {
|
|
31310
|
+
allow: true,
|
|
31311
|
+
authorization: header
|
|
31312
|
+
};
|
|
31313
|
+
};
|
|
31314
|
+
}
|
|
31315
|
+
/**
|
|
31316
|
+
* Pick the warm serve's inbound-auth wiring for a runtime shape (issue #454).
|
|
31317
|
+
* Pure (no Docker / network) so the boot's mutually-exclusive selection —
|
|
31318
|
+
* per-request JWT gate vs `--sigv4` signing vs static `--bearer-token`
|
|
31319
|
+
* pass-through — is unit-testable. `sigv4Active` is whether
|
|
31320
|
+
* `resolveAgentCoreSigV4Context` resolved a signing context (it returns
|
|
31321
|
+
* undefined when `--sigv4` is off OR a customJwtAuthorizer is declared, so the
|
|
31322
|
+
* authorizer arm always wins). `buildAuthCheck` is injectable for tests.
|
|
31323
|
+
*/
|
|
31324
|
+
function selectServeInboundAuth(resolved, options, sigv4Active, buildAuthCheck = buildAgentCoreServeAuthCheck) {
|
|
31325
|
+
const bearerHeader = options.bearerToken ? `Bearer ${options.bearerToken}` : void 0;
|
|
31326
|
+
if (resolved.jwtAuthorizer) return {
|
|
31327
|
+
authCheck: buildAuthCheck(resolved.jwtAuthorizer, {
|
|
31328
|
+
...options.verifyAuth === false && { noVerifyAuth: true },
|
|
31329
|
+
...options.bearerToken && { bearerToken: options.bearerToken }
|
|
31330
|
+
}),
|
|
31331
|
+
...bearerHeader && { bridgeAuthorization: bearerHeader },
|
|
31332
|
+
sign: false
|
|
31333
|
+
};
|
|
31334
|
+
if (sigv4Active) return { sign: true };
|
|
31335
|
+
return {
|
|
31336
|
+
...bearerHeader && { bridgeAuthorization: bearerHeader },
|
|
31337
|
+
sign: false
|
|
31338
|
+
};
|
|
31339
|
+
}
|
|
31340
|
+
/** Read a single `Authorization` header value (first when duplicated, undefined when empty). */
|
|
31341
|
+
function readAuthorizationHeader(headers) {
|
|
31342
|
+
const raw = headers["authorization"];
|
|
31343
|
+
const v = Array.isArray(raw) ? raw[0] : raw;
|
|
31344
|
+
return typeof v === "string" && v.length > 0 ? v : void 0;
|
|
31345
|
+
}
|
|
31346
|
+
|
|
31155
31347
|
//#endregion
|
|
31156
31348
|
//#region src/cli/commands/local-start-agentcore.ts
|
|
31157
31349
|
/**
|
|
@@ -31295,7 +31487,9 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
|
|
|
31295
31487
|
const resolved = resolveAgentCoreTarget(resolvedTarget, stacks, imageContext);
|
|
31296
31488
|
logger.info(`Target: ${resolved.stack.stackName}/${resolved.logicalId} (${resolved.protocol})`);
|
|
31297
31489
|
const plan = resolveAgentCoreServePlan(resolved.protocol);
|
|
31298
|
-
const
|
|
31490
|
+
const sigv4Context = await resolveAgentCoreSigV4Context(options, resolved, loadedState, stateProvider);
|
|
31491
|
+
const authPlan = selectServeInboundAuth(resolved, options, sigv4Context !== void 0);
|
|
31492
|
+
if (authPlan.authCheck && resolved.jwtAuthorizer) logger.info(`Inbound JWT: each request verified per-request against ${resolved.jwtAuthorizer.discoveryUrl}${options.verifyAuth === false ? " (verification DISABLED via --no-verify-auth)" : ""}.`);
|
|
31299
31493
|
await resolveFromS3BucketIntrinsic(resolved, stateProvider, loadedState, imageContext);
|
|
31300
31494
|
const image = await resolveAgentCoreImage(resolved, options, loadedState, stateProvider);
|
|
31301
31495
|
const { env: dockerEnv, sensitiveEnvKeys } = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, stateProvider, loadedState, imageContext);
|
|
@@ -31328,6 +31522,25 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
|
|
|
31328
31522
|
try {
|
|
31329
31523
|
if (plan.readyPath === void 0) await waitForAgentCorePing(containerHost, containerHostPort, options.timeout);
|
|
31330
31524
|
else await waitForAgentCoreHttpReady(containerHost, containerHostPort, plan.readyPath, options.timeout);
|
|
31525
|
+
const signRequest = authPlan.sign && sigv4Context ? async ({ method, path, body, sessionId }) => {
|
|
31526
|
+
const signed = await signAgentCoreInvocation({
|
|
31527
|
+
credentials: sigv4Context.credentials,
|
|
31528
|
+
region: sigv4Context.region,
|
|
31529
|
+
host: containerHost,
|
|
31530
|
+
port: containerHostPort,
|
|
31531
|
+
path,
|
|
31532
|
+
body,
|
|
31533
|
+
sessionId,
|
|
31534
|
+
method
|
|
31535
|
+
});
|
|
31536
|
+
const h = {
|
|
31537
|
+
Authorization: signed.authorization,
|
|
31538
|
+
"X-Amz-Date": signed.amzDate,
|
|
31539
|
+
"X-Amz-Content-Sha256": signed.amzContentSha256
|
|
31540
|
+
};
|
|
31541
|
+
if (signed.amzSecurityToken) h["X-Amz-Security-Token"] = signed.amzSecurityToken;
|
|
31542
|
+
return h;
|
|
31543
|
+
} : void 0;
|
|
31331
31544
|
server = await startAgentCoreHttpServer({
|
|
31332
31545
|
containerHost,
|
|
31333
31546
|
containerPort: containerHostPort,
|
|
@@ -31335,7 +31548,9 @@ async function localStartAgentCoreCommand(target, options, extraStateProviders)
|
|
|
31335
31548
|
port: options.port,
|
|
31336
31549
|
routes: plan.routes,
|
|
31337
31550
|
attachWs: plan.attachWs,
|
|
31338
|
-
...
|
|
31551
|
+
...authPlan.bridgeAuthorization && { authorization: authPlan.bridgeAuthorization },
|
|
31552
|
+
...authPlan.authCheck && { authCheck: authPlan.authCheck },
|
|
31553
|
+
...signRequest && { signRequest },
|
|
31339
31554
|
...options.sessionId && { sessionId: options.sessionId }
|
|
31340
31555
|
});
|
|
31341
31556
|
} catch (err) {
|
|
@@ -31385,7 +31600,7 @@ function createLocalStartAgentCoreCommand(opts = {}) {
|
|
|
31385
31600
|
* `.addOption(...)` blocks. Chainable: returns `cmd`.
|
|
31386
31601
|
*/
|
|
31387
31602
|
function addStartAgentCoreSpecificOptions(cmd) {
|
|
31388
|
-
return cmd.addOption(new Option("--port <n>", "Serve bind port the client connects to (HTTP contract + /ws on the same port). Default 0 (OS-assigned).").default(0).argParser(parsePort)).addOption(new Option("--host <ip>", "Serve bind host. Default 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--session-id <id>", "Pin one AgentCore runtime session id header value for every forwarded request / /ws connection (default: a fresh random UUID each, so each is its own session).")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime's OIDC discovery URL before the container starts, then injected as Authorization: Bearer <jwt> on every forwarded request and the container /ws upgrade.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64). Defaults to linux/arm64 because the cloud AgentCore Runtime requires arm64.").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host IP used to bind the agent container port. Must be a numeric IP. Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Maximum time in milliseconds to wait for the container to become ready (the GET /ping readiness deadline). Default 120000.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container. (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's literal RoleArn; (3) `--no-assume-role` opts out. Off by default.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack and substitute Ref / Fn::ImportValue in env vars / image URIs with the deployed physical IDs / exports. Bare form uses the resolved stack name.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
|
|
31603
|
+
return cmd.addOption(new Option("--port <n>", "Serve bind port the client connects to (HTTP contract + /ws on the same port). Default 0 (OS-assigned).").default(0).argParser(parsePort)).addOption(new Option("--host <ip>", "Serve bind host. Default 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--session-id <id>", "Pin one AgentCore runtime session id header value for every forwarded request / /ws connection (default: a fresh random UUID each, so each is its own session).")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime's OIDC discovery URL before the container starts, then injected as Authorization: Bearer <jwt> on every forwarded request and the container /ws upgrade.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--sigv4", "Sign each forwarded request with AWS SigV4 (service bedrock-agentcore) when the runtime declares NO customJwtAuthorizer, so the warm container sees the same Authorization / X-Amz-* headers the cloud receives. Mutually exclusive with --bearer-token; ignored (with a warning) when a customJwtAuthorizer is declared.")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64). Defaults to linux/arm64 because the cloud AgentCore Runtime requires arm64.").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host IP used to bind the agent container port. Must be a numeric IP. Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Maximum time in milliseconds to wait for the container to become ready (the GET /ping readiness deadline). Default 120000.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container. (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's literal RoleArn; (3) `--no-assume-role` opts out. Off by default.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack and substitute Ref / Fn::ImportValue in env vars / image URIs with the deployed physical IDs / exports. Bare form uses the resolved stack name.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
|
|
31389
31604
|
}
|
|
31390
31605
|
|
|
31391
31606
|
//#endregion
|
|
@@ -36964,5 +37179,5 @@ function addStudioSpecificOptions(cmd) {
|
|
|
36964
37179
|
}
|
|
36965
37180
|
|
|
36966
37181
|
//#endregion
|
|
36967
|
-
export {
|
|
36968
|
-
//# sourceMappingURL=local-studio-
|
|
37182
|
+
export { buildEdgeRequestEvent as $, createJwksCache as $n, resolveSsmParameters as $r, CloudMapRegistry as $t, startAgentCoreHttpServer as A, addInvokeSpecificOptions as An, parseConnectionsPath as Ar, createLocalRunTaskCommand as At, resolveKvsModulesForDistribution as B, materializeLayerFromArn as Bn, substituteAgainstState as Br, resolveSharedSidecarCredentials as Bt, addListSpecificOptions as C, substituteImagePlaceholders as Ci, downloadAndExtractS3Bundle as Cn, VtlEvaluationError as Cr, resolveAlbTarget as Ct, createLocalStartAgentCoreCommand as D, resolveProfileCredentials as Di, renderCodeDockerfile as Dn, ConnectionRegistry as Dr, createLocalStartServiceCommand as Dt, addStartAgentCoreSpecificOptions as E, buildStsClientConfig as Ei, computeCodeImageTag as En, bufferToBody as Er, addStartServiceSpecificOptions as Et, createLocalStartCloudFrontCommand as F, resolveApiTargetSubset as Fn, buildContainerImage as Fr, buildEcsImageResolutionContext$1 as Ft, createS3OriginReader as G, groupRoutesByServer as Gn, createLocalStateProvider as Gr, mergeForService as Gt, resolveDeployedKvsArnByName as H, availableApiIdentifiers as Hn, substituteEnvVarsFromState as Hr, ImageOverrideError as Ht, parseKvsFileOverrides as I, createAuthorizerCache as In, resolveRuntimeCodeMountPath as Ir, ecsClusterOption as It, resolveErrorResponseCandidates as J, resolveSelectionExpression as Jn, resolveCfnFallbackRegion as Jr, runImageOverrideBuilds as Jt, matchBehavior as K, readMtlsMaterialsFromDisk as Kn, isCfnFlagPresent as Kr, parseImageOverrideFlags as Kt, parseOriginOverrides as L, createFileWatcher as Ln, resolveRuntimeFileExtension as Lr, parseMaxTasks as Lt, startAgentCoreWsBridge as M, addStartApiSpecificOptions as Mn, buildDisconnectEvent as Mr, addCommonEcsServiceOptions as Mt, LocalStartCloudFrontError as N, createLocalStartApiCommand as Nn, buildMessageEvent as Nr, addEcsAssumeRoleOptions as Nt, buildAgentCoreServeAuthCheck as O, toCmdArgv as On, buildMgmtEndpointEnvUrl as Or, serviceStrategy as Ot, addStartCloudFrontSpecificOptions as P, createWatchPredicates as Pn, architectureToPlatform as Pr, addImageOverrideOptions as Pt, applyEdgeResponseResult as Q, buildJwksUrlFromIssuer as Qn, collectSsmParameterRefs as Qr, buildCloudMapIndex as Qt, resolveCloudFrontTarget as R, attachStageContext as Rn, resolveRuntimeImage as Rr, parseRestartPolicy as Rt, StudioEventBus as S, formatStateRemedy as Si, waitForAgentCorePing as Sn, tryParseStatus as Sr, parseLbPortOverrides as St, formatTargetListing as T, LocalInvokeBuildError as Ti, buildAgentCoreCodeImage as Tn, probeHostGatewaySupport as Tr, resolveAlbFrontDoor as Tt, resolveDeployedOriginBucket as U, filterRoutesByApiIdentifier as Un, substituteEnvVarsFromStateAsync as Ur, buildImageOverrideTag as Ut, createDeployedKvsDataSource as V, resolveEnvVars$1 as Vn, substituteAgainstStateAsync as Vr, runEcsServiceEmulator as Vt, classifyS3Error as W, filterRoutesByApiIdentifiers as Wn, LocalStateSourceError as Wr, enforceImageOverrideOrphans as Wt, serveLambdaUrlOrigin as X, defaultCredentialsLoader as Xn, resolveCfnStackName as Xr, isLocalCdkAssetImage as Xt, serveFromStaticOrigin as Y, resolveServiceIntegrationParameters as Yn, resolveCfnRegion as Yr, describePinnedImageUri as Yt, applyEdgeRequestResult as Z, buildCognitoJwksUrl as Zn, CfnLocalStateProvider as Zr, listPinnedTargets as Zt, filterStudioTargetGroups as _, AGENTCORE_RUNTIME_TYPE as _i, AGENTCORE_SIGV4_SERVICE as _n, buildHttpApiV2Event as _r, createLocalFileKvsDataSource as _t, createLocalStudioCommand as a, discoverWebSocketApis as ai, addInvokeAgentCoreSpecificOptions as an, evaluateCachedLambdaPolicy as ar, extractKvsAssociations as at, renderStudioHtml as b, resolveAgentCoreTarget as bi, invokeAgentCore as bn, pickResponseTemplate as br, albStrategy as bt, startStudioProxy as c, parseSelectionExpressionPath as ci, invokeAgentCoreWs as cn, attachAuthorizers as cr, pickKvsLogicalIdFromArn as ct, createStudioDispatcher as d, pickRefLogicalId as di, a2aInvokeOnce as dn, buildCorsConfigFromCloudFrontChain as dr, resolveCloudFrontDistribution as dt, resolveWatchConfig as ei, DEFAULT_SHADOW_READY_TIMEOUT_MS as en, verifyCognitoJwt as er, buildEdgeResponseEvent as et, filterStudioCustomResources as f, resolveLambdaArnIntrinsic as fi, MCP_CONTAINER_PORT as fn, isFunctionUrlOacFronted as fr, compileCloudFrontFunction as ft, annotatePinnedEcsTargets as g, AGENTCORE_MCP_PROTOCOL as gi, parseSseForJsonRpc as gn, applyAuthorizerOverlay as gr, createCloudFrontModule as gt, annotateEcsTaskPinnedTargets as h, AGENTCORE_HTTP_PROTOCOL as hi, mcpInvokeOnce as hn, translateLambdaResponse as hr, stripCloudFrontImport as ht, coerceStopRequest as i, availableWebSocketApiIdentifiers as ii, attachContainerLogStreamer as in, computeRequestIdentityHash as ir, describeS3OriginDomain as it, attachAgentCoreWsBridge as j, createLocalInvokeCommand as jn, buildConnectEvent as jr, MAX_TASKS_SUBNET_RANGE_CAP as jt, selectServeInboundAuth as k, classifySourceChange as kn, handleConnectionsRequest as kr, addRunTaskSpecificOptions as kt, relayServeRequest as l, webSocketApiMatchesIdentifier as li, A2A_CONTAINER_PORT as ln, applyCorsResponseHeaders as lr, pickLambdaEdgeFunctionLogicalId as lt, annotateAlbPinnedBackingServices as m, AGENTCORE_AGUI_PROTOCOL as mi, MCP_PROTOCOL_VERSION as mn, matchRoute as mr, runViewerResponse as mt, coerceRunRequest as n, countTargets as ni, setShadowReadyTimeoutMs as nn, verifyJwtViaDiscovery as nr, httpHeadersToEdge as nt, resolveServeBaseUrl as o, discoverWebSocketApisOrThrow as oi, createLocalInvokeAgentCoreCommand as on, invokeRequestAuthorizer as or, isCloudFrontDistribution as ot, isCustomResourceLambdaTarget as p, AGENTCORE_A2A_PROTOCOL as pi, MCP_PATH as pn, matchPreflight as pr, runViewerRequest as pt, startCloudFrontServer as q, startApiServer as qn, rejectExplicitCfnStackWithMultipleStacks as qr, resolveImageOverrides as qt, coerceServeRequest as r, listTargets as ri, getContainerNetworkIp as rn, buildMethodArn as rr, CLOUDFRONT_DISTRIBUTION_TYPE as rt, createStudioServeManager as s, filterWebSocketApisByIdentifiers as si, bridgeAgentCoreWs as sn, invokeTokenAuthorizer as sr, pickFunctionUrlLogicalIdFromOrigin as st, addStudioSpecificOptions as t, resolveSingleTarget as ti, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as tn, verifyJwtAuthorizer as tr, edgeHeadersToHttp as tt, reinvoke as u, discoverRoutes as ui, A2A_PATH as un, buildCorsConfigByApiId as ur, pickTargetFunctionLogicalId as ut, startStudioServer as v, AgentCoreResolutionError as vi, signAgentCoreInvocation as vn, buildRestV1Event as vr, createUnboundCloudFrontModule as vt, createLocalListCommand as w, tryResolveImageFnJoin as wi, SUPPORTED_CODE_RUNTIMES as wn, HOST_GATEWAY_MIN_VERSION as wr, isApplicationLoadBalancer as wt, createStudioStore as x, derivePseudoParametersFromRegion as xi, waitForAgentCoreHttpReady as xn, selectIntegrationResponse as xr, createLocalStartAlbCommand as xt, toStudioTargetGroups as y, pickAgentCoreCandidateStack as yi, AGENTCORE_SESSION_ID_HEADER as yn, evaluateResponseParameters as yr, addAlbSpecificOptions as yt, idFromArn as z, buildStageMap as zn, EcsTaskResolutionError as zr, resolveEcsAssumeRoleOption as zt };
|
|
37183
|
+
//# sourceMappingURL=local-studio-Cr0YdvCb.js.map
|