cdk-local 0.26.0 → 0.28.0

package/dist/{local-list-CnAKqGmz.js → local-list-yvjjjkSy.js}

@@ -10,6 +10,7 @@ import { AssetManifestArtifact } from "@aws-cdk/cloud-assembly-api";
 import { BaseCredentials, CdkAppMultiContext, NonInteractiveIoHost, Toolkit } from "@aws-cdk/toolkit-lib";
 import { CloudFormationClient, DescribeStacksCommand, ListExportsCommand, ListStackResourcesCommand } from "@aws-sdk/client-cloudformation";
 import { GetFunctionConfigurationCommand, LambdaClient } from "@aws-sdk/client-lambda";
+import { GetParameterCommand, GetParametersCommand, SSMClient } from "@aws-sdk/client-ssm";
 import { mkdir, mkdtemp, rm, writeFile } from "node:fs/promises";
 import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
@@ -27,7 +28,6 @@ import { createServer as createServer$2 } from "node:https";
 import * as chokidar from "chokidar";
 import graphlib from "graphlib";
 import { GetSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
-import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
 
 //#region src/cli/options.ts
 /**
@@ -2354,6 +2354,156 @@ function resolveWatchConfig() {
 	};
 }
 
+//#endregion
+//#region src/local/ssm-parameter-resolver.ts
+/**
+* Resolve CloudFormation template `Parameters` of the SSM-backed types
+* `AWS::SSM::Parameter::Value<String>` / `AWS::SSM::Parameter::Value<List<String>>`
+* (what CDK synthesizes for `ssm.StringParameter.valueForStringParameter(...)`)
+* into their deployed values via SSM Parameter Store.
+*
+* Motivation (issue #94): a container / Lambda env var that `Ref`s such a
+* parameter cannot be resolved from the `--from-cfn-stack` state source.
+* That source is built from `ListStackResources` (deployed RESOURCES); a
+* CloudFormation PARAMETER is not a resource, so the `Ref` misses
+* `context.resources[<id>]` in `state-resolver.ts` and the env var is
+* warn-and-dropped. The synthesized template, however, carries the SSM
+* parameter NAME in each entry's `Default`:
+*
+*   "Parameters": {
+*     "SsmParameterValue...Parameter": {
+*       "Type": "AWS::SSM::Parameter::Value<String>",
+*       "Default": "/path/to/the/parameter"
+*     }
+*   }
+*
+* and the run already has working AWS credentials / region (the same ones
+* `--from-cfn-stack` uses for `ListStackResources`). This module reads each
+* parameter NAME from `Default`, batch-resolves the values via SSM
+* `GetParameters`, and returns a `logicalId -> value` map the CLI feeds
+* into the substitution context so a `Ref` to the parameter's logical id
+* resolves to the value instead of being dropped.
+*
+* Best-effort by design: on any SSM failure (no credentials, access
+* denied, throttling) the helper logs a warn and returns whatever it
+* could resolve (possibly nothing) — the caller then falls back to the
+* existing warn-and-drop behavior on the affected `Ref`s. It NEVER throws
+* out of the substitution pass.
+*/
+/** SSM-backed CFn parameter types CDK synthesizes for SSM lookups. */
+const SSM_STRING_TYPE = "AWS::SSM::Parameter::Value<String>";
+const SSM_LIST_TYPE = "AWS::SSM::Parameter::Value<List<String>>";
+/**
+* Scan a synthesized template's `Parameters` block for entries whose
+* `Type` is one of the SSM-backed parameter types AND whose `Default`
+* carries a usable SSM parameter name. Pure — no AWS calls.
+*
+* Entries without a non-empty string `Default` are skipped (CDK always
+* synthesizes the parameter name into `Default` for the
+* `valueForStringParameter` shape; a parameter declared without a default
+* has no name we can resolve, so it stays warn-and-drop).
+*
+* Exported for unit testing.
+*/
+function collectSsmParameterRefs(template) {
+	const params = template?.Parameters;
+	if (!params) return [];
+	const out = [];
+	for (const [logicalId, entry] of Object.entries(params)) {
+		if (!entry || typeof entry !== "object") continue;
+		const type = entry.Type;
+		const isList = type === SSM_LIST_TYPE;
+		if (type !== SSM_STRING_TYPE && !isList) continue;
+		const ssmName = entry.Default;
+		if (typeof ssmName !== "string" || ssmName.length === 0) continue;
+		out.push({
+			logicalId,
+			ssmName,
+			isList
+		});
+	}
+	return out;
+}
+/**
+* Batch-resolve a set of {@link SsmParameterRef}s via SSM `GetParameters`
+* and return a `logicalId -> resolved value` map. `List<String>`
+* parameters are comma-joined (CloudFormation surfaces the list type as a
+* comma-delimited string when the value is consumed as a `Ref`).
+*
+* `GetParameters` accepts up to 10 names per call, so the refs are
+* chunked. Names that SSM reports as invalid (`InvalidParameters`) are
+* left out of the result map so the caller falls back to warn-and-drop
+* on the corresponding `Ref`. `WithDecryption: true` is set so Secure
+* String parameters resolve too (matching how CloudFormation resolves
+* the `AWS::SSM::Parameter::Value<String>` type at deploy time).
+*
+* Security note: a decrypted SecureString value resolved here is then
+* baked into the container's `Environment` like any other resolved env
+* value, so it follows the standard plaintext-env exposure path — it can
+* appear on the `docker run -e KEY=VALUE` argv (visible in host `ps`) and
+* is not redacted by `redactAwsCredentialsInArgs` (which only covers
+* `SENSITIVE_ENV_KEYS`). This mirrors the deployed Lambda/ECS env and is
+* the same inherent exposure documented in `docker-runner`; routing
+* SecureString-resolved values through the value-from-process-env form is
+* tracked as a follow-up.
+*
+* Best-effort: a failed `GetParameters` chunk logs a warn and is skipped
+* (the other chunks still contribute their values); the function never
+* throws.
+*
+* `label` is the state-source label (e.g. `--from-cfn-stack`) used to
+* prefix warns so the user can tell which source produced them.
+*
+* Exported for unit testing.
+*/
+async function resolveSsmParameters(client, refs, label) {
+	const out = {};
+	if (refs.length === 0) return out;
+	const logger = getLogger();
+	const CHUNK = 10;
+	const byName = /* @__PURE__ */ new Map();
+	for (const ref of refs) {
+		const list = byName.get(ref.ssmName);
+		if (list) list.push(ref);
+		else byName.set(ref.ssmName, [ref]);
+	}
+	const uniqueNames = [...byName.keys()];
+	for (let i = 0; i < uniqueNames.length; i += CHUNK) {
+		const names = uniqueNames.slice(i, i + CHUNK);
+		let resolved;
+		try {
+			const resp = await client.send(new GetParametersCommand({
+				Names: names,
+				WithDecryption: true
+			}));
+			resolved = resp.Parameters ?? [];
+			const invalid = resp.InvalidParameters ?? [];
+			if (invalid.length > 0) logger.warn(`${label}: SSM GetParameters reported invalid parameter name(s): ${invalid.join(", ")}. Ref to the matching CloudFormation parameter(s) will warn-and-drop (was the SSM parameter created?).`);
+		} catch (err) {
+			logger.warn(`${label}: SSM GetParameters(${names.join(", ")}) failed: ${formatSsmError(err)}. Ref to the matching CloudFormation parameter(s) will warn-and-drop (grant ssm:GetParameters or override via --env-vars).`);
+			continue;
+		}
+		for (const p of resolved) {
+			if (typeof p.Name !== "string" || typeof p.Value !== "string") continue;
+			const requesters = byName.get(p.Name);
+			if (!requesters) continue;
+			for (const ref of requesters) out[ref.logicalId] = p.Value;
+		}
+	}
+	return out;
+}
+/**
+* Format an SSM SDK error as `<name>: <message>` so the warn names the
+* error class (e.g. `AccessDeniedException`, `ThrottlingException`).
+* Mirrors `formatAwsErrorForWarn` in `cfn-local-state-provider.ts`.
+* Exported for unit testing.
+*/
+function formatSsmError(err) {
+	if (!(err instanceof Error)) return String(err);
+	const name = err.name && err.name !== "Error" ? err.name : void 0;
+	return name !== void 0 ? `${name}: ${err.message}` : err.message;
+}
+
 //#endregion
 //#region src/local/cfn-local-state-provider.ts
 /**
@@ -2425,6 +2575,7 @@ var CfnLocalStateProvider = class {
 	region;
 	client;
 	lambdaClient;
+	ssmClient;
 	clientOptions;
 	disposed = false;
 	constructor(opts) {
@@ -2449,6 +2600,31 @@ var CfnLocalStateProvider = class {
 		});
 		return this.lambdaClient;
 	}
+	getSsmClient() {
+		if (this.disposed) throw new Error("CfnLocalStateProvider used after dispose()");
+		if (!this.ssmClient) this.ssmClient = new SSMClient({
+			region: this.region,
+			...this.clientOptions.profile !== void 0 && { profile: this.clientOptions.profile }
+		});
+		return this.ssmClient;
+	}
+	/**
+	* Resolve the synthesized template's SSM-backed `Parameters`
+	* (`AWS::SSM::Parameter::Value<String>` /
+	* `AWS::SSM::Parameter::Value<List<String>>`) into a
+	* `parameterLogicalId -> value` map via SSM Parameter Store. See
+	* {@link LocalStateProvider.resolveTemplateSsmParameters}.
+	*
+	* Returns an empty map (and opens no SSM client) when the template
+	* declares no SSM-backed parameters. Best-effort: SSM failures are
+	* absorbed inside {@link resolveSsmParameters} with a per-chunk warn.
+	*/
+	async resolveTemplateSsmParameters(template) {
+		if (this.disposed) throw new Error("CfnLocalStateProvider used after dispose()");
+		const refs = collectSsmParameterRefs(template);
+		if (refs.length === 0) return {};
+		return resolveSsmParameters(this.getSsmClient(), refs, this.label);
+	}
 	/**
 	* Read a deployed Lambda function's already-resolved
 	* `Environment.Variables` via `lambda:GetFunctionConfiguration`. See
@@ -2560,6 +2736,10 @@ var CfnLocalStateProvider = class {
 			this.lambdaClient.destroy();
 			this.lambdaClient = void 0;
 		}
+		if (this.ssmClient) {
+			this.ssmClient.destroy();
+			this.ssmClient = void 0;
+		}
 	}
 };
 /**
@@ -3983,14 +4163,19 @@ function resolveRef(arg, context) {
 	};
 	if (arg.startsWith("AWS::")) return resolvePseudoParameter(arg, context.pseudoParameters);
 	const resource = context.resources[arg];
-	if (!resource) return {
-		kind: "unresolved",
-		reason: `Ref '${arg}': no record in the state source (was the resource deployed?)`
-	};
-	return {
+	if (resource) return {
 		kind: "literal",
 		value: resource.physicalId
 	};
+	const parameterValue = context.parameters?.[arg];
+	if (parameterValue !== void 0) return {
+		kind: "literal",
+		value: parameterValue
+	};
+	return {
+		kind: "unresolved",
+		reason: `Ref '${arg}': no record in the state source (was the resource deployed, or is it a CloudFormation parameter that could not be resolved — e.g. an SSM-backed AWS::SSM::Parameter::Value parameter whose SSM value was not readable?)`
+	};
 }
 function resolvePseudoParameter(name, pseudo) {
 	if (!pseudo) return {
@@ -5110,6 +5295,7 @@ function buildSubstitutionContextFromImageContext(context) {
 	if (!context?.stateResources) return void 0;
 	const subContext = { resources: context.stateResources };
 	if (context.pseudoParameters) subContext.pseudoParameters = { ...context.pseudoParameters };
+	if (context.stateParameters) subContext.parameters = { ...context.stateParameters };
 	return subContext;
 }
 /**
@@ -7139,6 +7325,10 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 					const pseudo = await resolvePseudoParametersForInvoke(lambda.stack.region, options);
 					if (pseudo) subContext.pseudoParameters = pseudo;
 				}
+				if (envHasIntrinsicValue$1(templateEnv) && stateProvider.resolveTemplateSsmParameters) {
+					const ssmParams = await stateProvider.resolveTemplateSsmParameters(lambda.stack.template);
+					if (Object.keys(ssmParams).length > 0) subContext.parameters = ssmParams;
+				}
 				if (envHasCrossStackIntrinsic(templateEnv)) {
 					const resolver = await stateProvider.buildCrossStackResolver(loaded.region);
 					if (resolver) subContext.crossStackResolver = resolver;
@@ -15468,6 +15658,7 @@ async function buildContainerSpec(args) {
 	if (stateBundle) {
 		const context = { resources: stateBundle.state.resources };
 		if (stateBundle.pseudoParameters) context.pseudoParameters = stateBundle.pseudoParameters;
+		if (stateBundle.ssmParameters) context.parameters = stateBundle.ssmParameters;
 		const { env, audit } = substituteEnvVarsFromState(templateEnv, context);
 		templateEnv = env;
 		for (const key of audit.resolvedKeys) getLogger().debug(`Lambda ${logicalId}: state source substituted env var ${key}`);
@@ -16277,6 +16468,10 @@ async function loadStateForRoutedStacks(stacks, routes, routesWithAuth, options,
 				}
 				if (deployedEnvByLambda.size > 0) bundle.deployedEnvByLambda = deployedEnvByLambda;
 			}
+			if (stackHasIntrinsicEnv(stackName) && provider.resolveTemplateSsmParameters) {
+				const ssmParameters = await provider.resolveTemplateSsmParameters(stack.template);
+				if (Object.keys(ssmParameters).length > 0) bundle.ssmParameters = ssmParameters;
+			}
 			out.set(stackName, bundle);
 			logger.debug(`${provider.label}: loaded state for ${stackName} (${loaded.region})`);
 		} finally {
@@ -16402,18 +16597,18 @@ const METADATA_ENDPOINT_IP = "169.254.170.2";
 const DEFAULT_METADATA_ENDPOINT_SUBNET = "169.254.170.0/24";
 /**
 * Pure-functional subnet allocator. `cdkl run-task` uses the
-* default subnet; `cdkl start-service` walks `subnetOctet=170,
-* 171, 172, ...` (one per replica) to keep parallel docker networks
-* from clashing. The link-local 169.254.0.0/16 space is reserved AWS-
-* wide for cloud metadata so collisions with user workloads are
-* unlikely, but each replica still gets its own /24 to ensure
-* docker's `--subnet` allocator does not reject "Pool overlaps".
+* default subnet (octet 170); `cdkl start-service` uses a SINGLE
+* shared network at the fixed octet `SHARED_SVC_SUBNET_OCTET = 171`
+* (one octet up from run-task so the two CLI variants can coexist on
+* the same host). The link-local 169.254.0.0/16 space is reserved
+* AWS-wide for cloud metadata so collisions with user workloads are
+* unlikely, but the fixed /24 still keeps docker's `--subnet`
+* allocator from rejecting "Pool overlaps".
 *
 * `subnetOctet` is the second-from-last byte of the network: 170 →
 * 169.254.170.0/24 (default), 171 → 169.254.171.0/24, etc. Valid
-* range is 1..254; the runner clamps to `(170 + replicaIndex) % 84`
-* + 170 in practice (rolling window) — exported here so the runner
-* keeps the allocation logic in one place.
+* range is 1..254 — exported here so callers keep the CIDR /
+* sidecar-IP derivation in one place.
 */
 function buildEndpointSubnet(subnetOctet) {
 	if (subnetOctet < 1 || subnetOctet > 254 || !Number.isInteger(subnetOctet)) throw new Error(`buildEndpointSubnet: subnetOctet must be an integer in 1..254 (got ${subnetOctet}).`);
@@ -16445,7 +16640,9 @@ const SHARED_SVC_SUBNET_OCTET = 171;
 * CLI tears down ONCE at the end of the run.
 */
 async function createSharedSvcNetwork(options = {}) {
-	const networkName = `${options.prefix ?? getEmbedConfig().resourceNamePrefix}-svc-${randomBytes(4).toString("hex")}`;
+	const prefix = options.prefix ?? getEmbedConfig().resourceNamePrefix;
+	await sweepOrphanedSvcNetworks(prefix);
+	const networkName = `${prefix}-svc-${randomBytes(4).toString("hex")}`;
 	const { cidr, sidecarIp } = buildEndpointSubnet(171);
 	return {
 		networkName,
@@ -16462,6 +16659,81 @@ async function createSharedSvcNetwork(options = {}) {
 	};
 }
 /**
+* Startup orphan sweep for the shared `cdkl start-service` network
+* (Issue #93, design Option 1). When a `start-service` run is interrupted
+* before its end-of-run teardown, the shared `<prefix>-svc-<rand>` network
+* and its `<prefix>-svc-<rand>-metadata` sidecar LEAK. Because
+* `start-service` pins a single fixed subnet (`SHARED_SVC_SUBNET_OCTET`),
+* the next run's `docker network create` always fails with
+* "Pool overlaps with other one on this address space" — a state that,
+* unlike a port conflict, never self-heals. This sweep detects and removes
+* leaked `<prefix>-svc-*` networks that have NO live owner before the next
+* run re-creates the network.
+*
+* Classification heuristic: a `<prefix>-svc-*` network is ORPHANED when its
+* only attached container is its own `<name>-metadata` sidecar (or it has
+* zero attached containers). A network that still has a non-metadata
+* (user replica) container attached is a live concurrent run and is LEFT
+* untouched. Caveat: "only the metadata sidecar attached ⇒ orphan" can
+* misclassify a network in the sub-second window between sidecar start and
+* the first replica attach — so a second `start-service` launched in that
+* window could reclaim a concurrently-starting run's network out from under
+* it. This is an accepted limitation, not a benign one: start-service pins a
+* single fixed subnet, so two concurrent same-prefix runs were never
+* supported (the second run's `docker network create` already fails with
+* "Pool overlaps"). The sweep therefore cannot regress a
+* previously-working scenario.
+*
+* Resilient by design: a `docker network ls` / `inspect` failure must not
+* abort the run — it logs at debug and skips, matching the idempotent
+* teardown style in this file. Returns the list of swept network names.
+*/
+async function sweepOrphanedSvcNetworks(prefix) {
+	const logger = getLogger().child("ecs-network");
+	const filter = `${prefix}-svc-`;
+	let names;
+	try {
+		const { stdout } = await execFileAsync$2(getDockerCmd(), [
+			"network",
+			"ls",
+			"--filter",
+			`name=${filter}`,
+			"--format",
+			"{{.Name}}"
+		]);
+		names = stdout.split("\n").map((n) => n.trim()).filter((n) => n.length > 0);
+	} catch (err) {
+		const e = err;
+		logger.debug(`docker network ls (sweep) failed: ${e.stderr || e.message || String(err)}`);
+		return [];
+	}
+	const swept = [];
+	for (const name of names) {
+		let attached;
+		try {
+			const { stdout } = await execFileAsync$2(getDockerCmd(), [
+				"network",
+				"inspect",
+				name,
+				"--format",
+				"{{range .Containers}}{{.Name}} {{end}}"
+			]);
+			attached = stdout.split(/\s+/).map((c) => c.trim()).filter((c) => c.length > 0);
+		} catch (err) {
+			const e = err;
+			logger.debug(`docker network inspect ${name} (sweep) failed: ${e.stderr || e.message || String(err)}`);
+			continue;
+		}
+		const sidecarName = `${name}-metadata`;
+		if (attached.some((c) => c !== sidecarName)) continue;
+		logger.info(`Reclaiming orphaned shared network ${name} (no live owner)...`);
+		await removeContainer(sidecarName);
+		await destroyNetworkOnly(name);
+		swept.push(name);
+	}
+	return swept;
+}
+/**
 * Internal helper shared by `createTaskNetwork` (per-task) and
 * `createSharedSvcNetwork` (per-CLI-run). Creates the docker network,
 * pulls the sidecar image, and starts the sidecar at the documented
@@ -17364,6 +17636,7 @@ async function localRunTaskCommand(target, options, extraStateProviders) {
 			if (resolver) await applyCrossStackResolverToTask(task, {
 				resources: imageContext?.stateResources ?? {},
 				...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
+				...imageContext?.stateParameters && { parameters: imageContext.stateParameters },
 				consumerRegion,
 				crossStackResolver: resolver
 			});
@@ -17501,6 +17774,10 @@ async function buildEcsImageResolutionContext$1(candidate, stateProvider, option
 	if (stateProvider && wantsState) {
 		const loaded = await stateProvider.load(candidate.stackName, candidate.region);
 		if (loaded) ctx.stateResources = loaded.resources;
+		if (needs.needsEnvOrSecretSubstitution && stateProvider.resolveTemplateSsmParameters) {
+			const ssmParameters = await stateProvider.resolveTemplateSsmParameters(candidate.template);
+			if (Object.keys(ssmParameters).length > 0) ctx.stateParameters = ssmParameters;
+		}
 	} else if (!stateProvider && needs.needsStateResources) logger.warn("Container Image references a same-stack AWS::ECR::Repository. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute the deployed repository URI. Otherwise the resolver will surface its existing error.");
 	else if (!stateProvider && needs.needsEnvOrSecretSubstitution) logger.warn("Container Environment / Secrets entries contain CloudFormation intrinsics (Ref / Fn::GetAtt / Fn::Sub / Fn::Join). Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute them against deployed state. Without a state source these entries are dropped (per-key warnings will follow).");
 	return ctx;
@@ -18840,6 +19117,7 @@ async function runOneTarget(target, runState, stacks, options, discovery, skipPu
 			const subContext = {
 				resources: imageContext?.stateResources ?? {},
 				...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
+				...imageContext?.stateParameters && { parameters: imageContext.stateParameters },
 				consumerRegion,
 				crossStackResolver: resolver
 			};
@@ -18918,6 +19196,10 @@ async function assumeTaskRole(roleArn, region) {
 }
 /**
 * Build the substitution context the ECS resolver consumes.
+*
+* Exported for the site-level binding test that locks the `--from-cfn-stack`
+* SSM-parameter resolution call (issue #94) into this start-service call site
+* (mirrors `local-run-task`'s exported helper).
 */
 async function buildEcsImageResolutionContext(target, stacks, options, stateProvider) {
 	const logger = getLogger();
@@ -18950,6 +19232,10 @@ async function buildEcsImageResolutionContext(target, stacks, options, stateProv
 	if (stateProvider && wantsState) {
 		const loaded = await stateProvider.load(candidate.stackName, candidate.region);
 		if (loaded) ctx.stateResources = loaded.resources;
+		if (needs.needsEnvOrSecretSubstitution && stateProvider.resolveTemplateSsmParameters) {
+			const ssmParameters = await stateProvider.resolveTemplateSsmParameters(candidate.template);
+			if (Object.keys(ssmParameters).length > 0) ctx.stateParameters = ssmParameters;
+		}
 	} else if (!stateProvider && needs.needsStateResources) logger.warn("Container Image references a same-stack AWS::ECR::Repository. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute the deployed repository URI.");
 	else if (!stateProvider && needs.needsEnvOrSecretSubstitution) logger.warn("Container Environment / Secrets entries contain CloudFormation intrinsics. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute them against the deployed state.");
 	return ctx;
@@ -19122,5 +19408,5 @@ function createLocalListCommand(opts = {}) {
 }
 
 //#endregion
-export { materializeLayerFromArn as $, matchRoute as A, parseConnectionsPath as B, evaluateCachedLambdaPolicy as C, buildCorsConfigByApiId as D, applyCorsResponseHeaders as E, HOST_GATEWAY_MIN_VERSION as F, resolveRuntimeCodeMountPath as G, buildDisconnectEvent as H, probeHostGatewaySupport as I, substituteAgainstState as J, resolveRuntimeFileExtension as K, ConnectionRegistry as L, applyAuthorizerOverlay as M, buildHttpApiV2Event as N, buildCorsConfigFromCloudFrontChain as O, buildRestV1Event as P, resolveEnvVars as Q, buildMgmtEndpointEnvUrl as R, computeRequestIdentityHash as S, invokeTokenAuthorizer as T, buildMessageEvent as U, buildConnectEvent as V, createLocalInvokeCommand as W, substituteEnvVarsFromState as X, substituteAgainstStateAsync as Y, substituteEnvVarsFromStateAsync as Z, buildJwksUrlFromIssuer as _, pickRefLogicalId as _t, getContainerNetworkIp as a, isCfnFlagPresent as at, verifyJwtAuthorizer as b, createAuthorizerCache as c, resolveCfnRegion as ct, availableApiIdentifiers as d, countTargets as dt, derivePseudoParametersFromRegion as et, filterRoutesByApiIdentifier as f, listTargets as ft, buildCognitoJwksUrl as g, discoverRoutes as gt, resolveServiceIntegrationParameters as h, parseSelectionExpressionPath as ht, CloudMapRegistry as i, createLocalStateProvider as it, translateLambdaResponse as j, matchPreflight as k, attachStageContext as l, resolveCfnStackName as lt, resolveSelectionExpression as m, discoverWebSocketApisOrThrow as mt, formatTargetListing as n, tryResolveImageFnJoin as nt, createLocalRunTaskCommand as o, rejectExplicitCfnStackWithMultipleStacks as ot, groupRoutesByServer as p, discoverWebSocketApis as pt, resolveRuntimeImage as q, createLocalStartServiceCommand as r, LocalStateSourceError as rt, createLocalStartApiCommand as s, resolveCfnFallbackRegion as st, createLocalListCommand as t, substituteImagePlaceholders as tt, buildStageMap as u, CfnLocalStateProvider as ut, createJwksCache as v, resolveLambdaArnIntrinsic as vt, invokeRequestAuthorizer as w, buildMethodArn as x, verifyCognitoJwt as y, handleConnectionsRequest as z };
-//# sourceMappingURL=local-list-CnAKqGmz.js.map
+export { materializeLayerFromArn as $, matchRoute as A, parseConnectionsPath as B, evaluateCachedLambdaPolicy as C, buildCorsConfigByApiId as D, applyCorsResponseHeaders as E, HOST_GATEWAY_MIN_VERSION as F, resolveRuntimeCodeMountPath as G, buildDisconnectEvent as H, probeHostGatewaySupport as I, substituteAgainstState as J, resolveRuntimeFileExtension as K, ConnectionRegistry as L, applyAuthorizerOverlay as M, buildHttpApiV2Event as N, buildCorsConfigFromCloudFrontChain as O, buildRestV1Event as P, resolveEnvVars as Q, buildMgmtEndpointEnvUrl as R, computeRequestIdentityHash as S, invokeTokenAuthorizer as T, buildMessageEvent as U, buildConnectEvent as V, createLocalInvokeCommand as W, substituteEnvVarsFromState as X, substituteAgainstStateAsync as Y, substituteEnvVarsFromStateAsync as Z, buildJwksUrlFromIssuer as _, parseSelectionExpressionPath as _t, getContainerNetworkIp as a, isCfnFlagPresent as at, verifyJwtAuthorizer as b, resolveLambdaArnIntrinsic as bt, createAuthorizerCache as c, resolveCfnRegion as ct, availableApiIdentifiers as d, collectSsmParameterRefs as dt, derivePseudoParametersFromRegion as et, filterRoutesByApiIdentifier as f, resolveSsmParameters as ft, buildCognitoJwksUrl as g, discoverWebSocketApisOrThrow as gt, resolveServiceIntegrationParameters as h, discoverWebSocketApis as ht, CloudMapRegistry as i, createLocalStateProvider as it, translateLambdaResponse as j, matchPreflight as k, attachStageContext as l, resolveCfnStackName as lt, resolveSelectionExpression as m, listTargets as mt, formatTargetListing as n, tryResolveImageFnJoin as nt, createLocalRunTaskCommand as o, rejectExplicitCfnStackWithMultipleStacks as ot, groupRoutesByServer as p, countTargets as pt, resolveRuntimeImage as q, createLocalStartServiceCommand as r, LocalStateSourceError as rt, createLocalStartApiCommand as s, resolveCfnFallbackRegion as st, createLocalListCommand as t, substituteImagePlaceholders as tt, buildStageMap as u, CfnLocalStateProvider as ut, createJwksCache as v, discoverRoutes as vt, invokeRequestAuthorizer as w, buildMethodArn as x, verifyCognitoJwt as y, pickRefLogicalId as yt, handleConnectionsRequest as z };
+//# sourceMappingURL=local-list-yvjjjkSy.js.map