cdk-local 0.3.1 → 0.4.0

package/README.md

@@ -83,6 +83,8 @@ cdkl run-task MyStack/MyTask
 cdkl start-service MyStack/MyService
 ```
 
+There is no cluster command — locally, Docker is the placement target a cluster abstracts away, so there is nothing to run. Both commands accept an optional `--cluster <name>` to set the cluster name surfaced to `ECS_CONTAINER_METADATA_URI_V4` (also used as the local Docker network prefix). See [docs/cli-reference.md](docs/cli-reference.md) for the full ECS option list.
+
 Use this for fast iteration on Lambda code, API routing checks, and container task smoke tests.
 
 ### 2. Bound to a deployed stack

package/dist/cli.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
-import { i as createLocalInvokeCommand, n as createLocalRunTaskCommand, r as createLocalStartApiCommand, t as createLocalStartServiceCommand } from "./local-start-service-EZy1JNYK.js";
+import { i as createLocalInvokeCommand, n as createLocalRunTaskCommand, r as createLocalStartApiCommand, t as createLocalStartServiceCommand } from "./local-start-service-zoDos4zT.js";
 import { Command } from "commander";
 
 //#region src/cli/index.ts
 const program = new Command();
-program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.3.1");
+program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.4.0");
 program.addCommand(createLocalInvokeCommand());
 program.addCommand(createLocalStartApiCommand());
 program.addCommand(createLocalRunTaskCommand());

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../src/types/state.ts","../src/local/state-resolver.ts","../src/local/local-state-provider.ts","../src/cli/commands/local-state-source.ts","../src/cli/commands/local-invoke.ts","../src/cli/commands/local-start-api.ts","../src/cli/commands/local-run-task.ts","../src/cli/commands/local-start-service.ts","../src/local/cfn-local-state-provider.ts"],"mappings":";;;;UAuLiB,aAAA;EAEf,UAAA;EAGA,YAAA;EAGA,UAAA,EAAY,MAAA;EAcZ,kBAAA,GAAqB,MAAA;EAGrB,UAAA,GAAa,MAAA;EAGb,YAAA;EAGA,QAAA,GAAW,MAAA;EAmBX,cAAA;EAMA,mBAAA;EAyBA,aAAA;AAAA;;;UCxIe,gBAAA;EACf,SAAA;EACA,MAAA;EACA,SAAA;EACA,SAAA;AAAA;AAAA,UAqBe,kBAAA;EAOf,aAAA,CAAc,UAAA,WAAqB,OAAA;EAQnC,qBAAA,CACE,aAAA,UACA,cAAA,UACA,UAAA,WACC,OAAA;AAAA;AAAA,UAGY,mBAAA;EAEf,SAAA,EAAW,MAAA,SAAe,aAAA;EAE1B,gBAAA,GAAmB,gBAAA;EAOnB,kBAAA,GAAqB,kBAAA;EAOrB,cAAA;AAAA;;;UCrJe,gBAAA;EAQf,SAAA,EAAW,MAAA,SAAe,aAAA;EAO1B,OAAA,EAAS,MAAA;EAOT,MAAA;AAAA;AAAA,UAsBe,kBAAA;EAAA,SAMN,KAAA;EAQT,IAAA,CAAK,SAAA,UAAmB,WAAA,uBAAkC,OAAA,CAAQ,gBAAA;EAalE,uBAAA,CAAwB,cAAA,WAAyB,OAAA,CAAQ,kBAAA;EAKzD,OAAA;AAAA;;;UC/Ee,uBAAA;EAOf,YAAA;EAEA,MAAA;EAEA,OAAA;EAMA,WAAA;EAAA,CAEC,GAAA;AAAA;AAAA,KAQS,yBAAA,IAA6B,OAAA,EAAS,uBAAA,KAA4B,kBAAA;AAAA,KAUlE,mBAAA,GAAsB,MAAA,SAAe,yBAAA;AAAA,iBAUjC,mBAAA,CAAoB,YAAA,oBAAgC,SAAA;AAAA,iBAapD,gBAAA,CAAiB,IAAA,EAAM,IAAA,CAAK,uBAAA;AAAA,iBAgB5B,gBAAA,CACd,OAAA,EAAS,IAAA,CAAK,uBAAA,6BACd,WAAA;AAAA,cAqBW,qBAAA,SAA8B,KAAA;cAC7B,OAAA;AAAA;AAAA,iBAkBE,wCAAA,CACd,OAAA,EAAS,IAAA,CAAK,uBAAA,mBACd,gBAAA;AAAA,iBAiCc,wBAAA,CACd,OAAA,EAAS,uBAAA,EACT,SAAA,UACA,WAAA,sBACA,mBAAA,GAAsB,mBAAA,GACrB,kBAAA;;;UCtEc,+BAAA;EACf,mBAAA,GAAsB,mBAAA;AAAA;AAAA,iBAu2BR,wBAAA,CAAyB,IAAA,GAAM,+BAAA,GAAuC,OAAA;;;UC5vBrE,iCAAA;EACf,mBAAA,GAAsB,mBAAA;AAAA;AAAA,iBA0wFR,0BAAA,CAA2B,IAAA,GAAM,iCAAA,GAAyC,OAAA;;;UC35FzE,gCAAA;EACf,mBAAA,GAAsB,mBAAA;AAAA;AAAA,iBAkeR,yBAAA,CAA0B,IAAA,GAAM,gCAAA,GAAwC,OAAA;;;UCtevE,qCAAA;EACf,mBAAA,GAAsB,mBAAA;AAAA;AAAA,iBA+oBR,8BAAA,CACd,IAAA,GAAM,qCAAA,GACL,OAAA;;;UC5qBc,4BAAA;EAOf,YAAA;EAKA,MAAA;EAiBA,OAAA;AAAA;AAAA,cAGW,qBAAA,YAAiC,kBAAA;EAAA,SAG5B,KAAA;EAAA,iBACC,YAAA;EAAA,iBACA,MAAA;EAAA,QAKT,MAAA;EAAA,iBACS,aAAA;EAAA,QAQT,QAAA;cAEI,IAAA,EAAM,4BAAA;EAAA,QAOV,SAAA;EA+BK,IAAA,CACX,UAAA,UACA,YAAA,uBACC,OAAA,CAAQ,gBAAA;EA8DE,uBAAA,CACX,eAAA,WACC,OAAA,CAAQ,kBAAA;EAiEJ,OAAA,CAAA;AAAA"}
+{"version":3,"file":"index.d.ts","names":[],"sources":["../src/types/state.ts","../src/local/state-resolver.ts","../src/local/local-state-provider.ts","../src/cli/commands/local-state-source.ts","../src/cli/commands/local-invoke.ts","../src/cli/commands/local-start-api.ts","../src/cli/commands/local-run-task.ts","../src/cli/commands/local-start-service.ts","../src/local/cfn-local-state-provider.ts"],"mappings":";;;;UAuLiB,aAAA;EAEf,UAAA;EAGA,YAAA;EAGA,UAAA,EAAY,MAAA;EAcZ,kBAAA,GAAqB,MAAA;EAGrB,UAAA,GAAa,MAAA;EAGb,YAAA;EAGA,QAAA,GAAW,MAAA;EAmBX,cAAA;EAMA,mBAAA;EAyBA,aAAA;AAAA;;;UCxIe,gBAAA;EACf,SAAA;EACA,MAAA;EACA,SAAA;EACA,SAAA;AAAA;AAAA,UAqBe,kBAAA;EAOf,aAAA,CAAc,UAAA,WAAqB,OAAA;EAQnC,qBAAA,CACE,aAAA,UACA,cAAA,UACA,UAAA,WACC,OAAA;AAAA;AAAA,UAGY,mBAAA;EAEf,SAAA,EAAW,MAAA,SAAe,aAAA;EAE1B,gBAAA,GAAmB,gBAAA;EAOnB,kBAAA,GAAqB,kBAAA;EAOrB,cAAA;AAAA;;;UCrJe,gBAAA;EAQf,SAAA,EAAW,MAAA,SAAe,aAAA;EAO1B,OAAA,EAAS,MAAA;EAOT,MAAA;AAAA;AAAA,UAsBe,kBAAA;EAAA,SAMN,KAAA;EAQT,IAAA,CAAK,SAAA,UAAmB,WAAA,uBAAkC,OAAA,CAAQ,gBAAA;EAalE,uBAAA,CAAwB,cAAA,WAAyB,OAAA,CAAQ,kBAAA;EAKzD,OAAA;AAAA;;;UC/Ee,uBAAA;EAOf,YAAA;EAEA,MAAA;EAEA,OAAA;EAMA,WAAA;EAAA,CAEC,GAAA;AAAA;AAAA,KAQS,yBAAA,IAA6B,OAAA,EAAS,uBAAA,KAA4B,kBAAA;AAAA,KAUlE,mBAAA,GAAsB,MAAA,SAAe,yBAAA;AAAA,iBAUjC,mBAAA,CAAoB,YAAA,oBAAgC,SAAA;AAAA,iBAapD,gBAAA,CAAiB,IAAA,EAAM,IAAA,CAAK,uBAAA;AAAA,iBAgB5B,gBAAA,CACd,OAAA,EAAS,IAAA,CAAK,uBAAA,6BACd,WAAA;AAAA,cAqBW,qBAAA,SAA8B,KAAA;cAC7B,OAAA;AAAA;AAAA,iBAkBE,wCAAA,CACd,OAAA,EAAS,IAAA,CAAK,uBAAA,mBACd,gBAAA;AAAA,iBAiCc,wBAAA,CACd,OAAA,EAAS,uBAAA,EACT,SAAA,UACA,WAAA,sBACA,mBAAA,GAAsB,mBAAA,GACrB,kBAAA;;;UCtEc,+BAAA;EACf,mBAAA,GAAsB,mBAAA;AAAA;AAAA,iBAu2BR,wBAAA,CAAyB,IAAA,GAAM,+BAAA,GAAuC,OAAA;;;UC5vBrE,iCAAA;EACf,mBAAA,GAAsB,mBAAA;AAAA;AAAA,iBA+xFR,0BAAA,CAA2B,IAAA,GAAM,iCAAA,GAAyC,OAAA;;;UCh7FzE,gCAAA;EACf,mBAAA,GAAsB,mBAAA;AAAA;AAAA,iBAkeR,yBAAA,CAA0B,IAAA,GAAM,gCAAA,GAAwC,OAAA;;;UCtevE,qCAAA;EACf,mBAAA,GAAsB,mBAAA;AAAA;AAAA,iBA+oBR,8BAAA,CACd,IAAA,GAAM,qCAAA,GACL,OAAA;;;UC5qBc,4BAAA;EAOf,YAAA;EAKA,MAAA;EAiBA,OAAA;AAAA;AAAA,cAGW,qBAAA,YAAiC,kBAAA;EAAA,SAG5B,KAAA;EAAA,iBACC,YAAA;EAAA,iBACA,MAAA;EAAA,QAKT,MAAA;EAAA,iBACS,aAAA;EAAA,QAQT,QAAA;cAEI,IAAA,EAAM,4BAAA;EAAA,QAOV,SAAA;EA+BK,IAAA,CACX,UAAA,UACA,YAAA,uBACC,OAAA,CAAQ,gBAAA;EA8DE,uBAAA,CACX,eAAA,WACC,OAAA,CAAQ,kBAAA;EAiEJ,OAAA,CAAA;AAAA"}

package/dist/index.js

@@ -1,3 +1,3 @@
-import { a as LocalStateSourceError, c as rejectExplicitCfnStackWithMultipleStacks, d as CfnLocalStateProvider, i as createLocalInvokeCommand, l as resolveCfnRegion, n as createLocalRunTaskCommand, o as createLocalStateProvider, r as createLocalStartApiCommand, s as isCfnFlagPresent, t as createLocalStartServiceCommand, u as resolveCfnStackName } from "./local-start-service-EZy1JNYK.js";
+import { a as LocalStateSourceError, c as rejectExplicitCfnStackWithMultipleStacks, d as CfnLocalStateProvider, i as createLocalInvokeCommand, l as resolveCfnRegion, n as createLocalRunTaskCommand, o as createLocalStateProvider, r as createLocalStartApiCommand, s as isCfnFlagPresent, t as createLocalStartServiceCommand, u as resolveCfnStackName } from "./local-start-service-zoDos4zT.js";
 
 export { CfnLocalStateProvider, LocalStateSourceError, createLocalInvokeCommand, createLocalRunTaskCommand, createLocalStartApiCommand, createLocalStartServiceCommand, createLocalStateProvider, isCfnFlagPresent, rejectExplicitCfnStackWithMultipleStacks, resolveCfnRegion, resolveCfnStackName };

package/dist/{local-start-service-EZy1JNYK.js → local-start-service-zoDos4zT.js}

@@ -10515,6 +10515,72 @@ function buildCorsConfigFromCloudFrontChain(template) {
 	return out;
 }
 /**
+* Determine whether a Function URL (`AWS::Lambda::Url`, identified by its
+* logical id) is fronted by a CloudFront Distribution origin that uses
+* Origin Access Control (OAC) to SIGN origin requests.
+*
+* Production-correct CDK pattern (`FunctionUrlOrigin.withOriginAccessControl`):
+* the Function URL declares `AuthType: AWS_IAM`, but the END client never
+* signs as the IAM principal — CloudFront re-signs the origin request with
+* its own SigV4 credentials (service `lambda`) via the OAC, and the Function
+* URL's auto-generated resource policy trusts `cloudfront.amazonaws.com`.
+* Locally there is no CloudFront in the path, so no client signature can
+* reproduce CloudFront's. Callers use this to relax SigV4 verification
+* (warn-and-pass) for these Function URLs without forcing
+* `--allow-unverified-sigv4`.
+*
+* Detection: a CloudFront origin whose `DomainName` matches the canonical
+* `Fn::GetAtt[<fnUrlLogicalId>, 'FunctionUrl']` chain (see
+* {@link pickFnUrlLogicalIdFromOriginDomainName}) AND carries an
+* `OriginAccessControlId`. When that id resolves to an
+* `AWS::CloudFront::OriginAccessControl` whose `SigningBehavior` is
+* explicitly `never`, CloudFront does NOT sign — so we do NOT relax (the
+* AWS_IAM + never-sign combination is non-functional in production too).
+* Any other signing behavior (`always` — the CDK default — or `no-override`)
+* counts as OAC-fronted. An `OriginAccessControlId` that can't be resolved
+* to a local resource (imported literal id) also counts — its presence on a
+* Function URL origin is the signal.
+*/
+function isFunctionUrlOacFronted(template, fnUrlLogicalId) {
+	const resources = template.Resources ?? {};
+	for (const [, resource] of Object.entries(resources)) {
+		if (resource.Type !== "AWS::CloudFront::Distribution") continue;
+		const distConfig = (resource.Properties ?? {})["DistributionConfig"];
+		if (!distConfig || typeof distConfig !== "object") continue;
+		const origins = Array.isArray(distConfig["Origins"]) ? distConfig["Origins"] : [];
+		for (const origin of origins) {
+			if (!origin || typeof origin !== "object") continue;
+			const o = origin;
+			if (pickFnUrlLogicalIdFromOriginDomainName(o["DomainName"]) !== fnUrlLogicalId) continue;
+			const oacRef = o["OriginAccessControlId"];
+			if (oacRef === void 0 || oacRef === "") continue;
+			const oacLogicalId = pickOacRefLogicalId(oacRef);
+			if (!oacLogicalId) return true;
+			const oac = resources[oacLogicalId];
+			if (!oac || oac.Type !== "AWS::CloudFront::OriginAccessControl") return true;
+			const oacConfig = (oac.Properties ?? {})["OriginAccessControlConfig"];
+			if ((oacConfig && typeof oacConfig === "object" ? oacConfig["SigningBehavior"] : void 0) === "never") continue;
+			return true;
+		}
+	}
+	return false;
+}
+/**
+* Unwrap an origin's `OriginAccessControlId` to the referenced
+* `AWS::CloudFront::OriginAccessControl` logical id. CDK synthesizes this
+* as `{ "Fn::GetAtt": [<id>, "Id"] }`; `{ Ref: <id> }` is also accepted.
+* Returns undefined for a literal id string (imported OAC) or any other
+* shape.
+*/
+function pickOacRefLogicalId(value) {
+	if (!value || typeof value !== "object") return void 0;
+	const obj = value;
+	const ref = obj["Ref"];
+	if (typeof ref === "string" && ref.length > 0) return ref;
+	const getAtt = obj["Fn::GetAtt"];
+	if (Array.isArray(getAtt) && getAtt.length === 2 && typeof getAtt[0] === "string") return getAtt[0];
+}
+/**
 * Detect the canonical CDK 2.x `DomainName` shape that points a
 * CloudFront Origin at a Function URL:
 *   {Fn::Select: [2, {Fn::Split: ['/', {Fn::GetAtt: [<id>, 'FunctionUrl']}]}]}
@@ -11151,7 +11217,8 @@ function detectFunctionUrlAuthorizer(urlResource, urlLogicalId, stack) {
 	return {
 		kind: "iam",
 		logicalId: "AWS_IAM",
-		declaredAt: `${stack.stackName}/${urlLogicalId}`
+		declaredAt: `${stack.stackName}/${urlLogicalId}`,
+		...isFunctionUrlOacFronted(stack.template, urlLogicalId) && { oacFronted: true }
 	};
 }
 function detectRestV1Authorizer(methodResource, methodLogicalId, stack) {
@@ -11919,11 +11986,16 @@ function defaultCredentialsLoader() {
 *   - **Signature mismatch** under the dev's own credentials → `{allow: false}`.
 *     The http-server maps this to 403 (REST v1 `policy-deny`).
 *   - **Different `Credential` access-key-id than the dev has** →
-*     `{allow: true}` plus a one-line warn (warn-and-pass; we can't
-*     reproduce a signing key we don't have).
+*     `{allow: false}` by default (we can't reproduce a signing key we
+*     don't have). With `allowUnverified` (the `--allow-unverified-sigv4`
+*     flag, or `oacFronted` routes) → `{allow: true}` plus a one-line warn
+*     (warn-and-pass).
 *   - **Valid signature with the dev's credentials** → `{allow: true}`.
 *     The principal id surfaced to the handler is the parsed
 *     `Credential` access-key-id.
+*   - **`oacFronted` route** → the caller forces `allowUnverified` on, so
+*     foreign / no-creds requests pass through (CloudFront re-signs origin
+*     requests in production) and the warn lines reference CloudFront OAC.
 */
 async function verifySigV4(req, loadCredentials, opts = {}) {
 	const logger = getLogger();
@@ -11990,7 +12062,7 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
 				identityHash: void 0
 			};
 		}
-		logger.warn(`AWS_IAM authorizer: failed to resolve local AWS credentials (${reason}). --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-no-creds'. Do NOT trust event.requestContext.identity.accessKey in handler code.`);
+		logger.warn(opts.oacFronted ? `AWS_IAM authorizer: Function URL is fronted by CloudFront OAC (CloudFront re-signs origin requests in production), and local AWS credentials could not be resolved (${reason}). Passing through with unverified principalId 'unverified-no-creds'. Do NOT trust event.requestContext.identity.accessKey in handler code.` : `AWS_IAM authorizer: failed to resolve local AWS credentials (${reason}). --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-no-creds'. Do NOT trust event.requestContext.identity.accessKey in handler code.`);
 		return {
 			allow: true,
 			principalId: "unverified-no-creds",
@@ -12011,7 +12083,7 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
 			};
 		}
 		if (!warned || !warned.has(dedupKey)) {
-			logger.warn(`AWS_IAM authorizer: request signed with foreign access-key-id '${parsed.credentialAccessKeyId}'. --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-foreign-identity'. Do NOT trust event.requestContext.authorizer.principalId in handler code.`);
+			logger.warn(opts.oacFronted ? `AWS_IAM authorizer: Function URL is fronted by CloudFront OAC — in production CloudFront re-signs the origin request, so the local client's signature (access-key-id '${parsed.credentialAccessKeyId}') cannot be verified. Passing through with unverified principalId 'unverified-foreign-identity'. Do NOT trust event.requestContext.authorizer.principalId in handler code.` : `AWS_IAM authorizer: request signed with foreign access-key-id '${parsed.credentialAccessKeyId}'. --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-foreign-identity'. Do NOT trust event.requestContext.authorizer.principalId in handler code.`);
 			warned?.add(dedupKey);
 		}
 		return {
@@ -12974,6 +13046,7 @@ async function runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, re
 				denyKind: "policy-deny"
 			};
 		}
+		const oacFronted = authorizer.oacFronted === true;
 		const sigResult = await verifySigV4({
 			method: snapshot.method,
 			rawUrl: snapshot.rawUrl,
@@ -12981,7 +13054,8 @@ async function runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, re
 			body: snapshot.body
 		}, opts.sigV4CredentialsLoader, {
 			...opts.sigV4WarnedForeignIds && { warnedForeignIds: opts.sigV4WarnedForeignIds },
-			...opts.sigV4AllowUnverified !== void 0 && { allowUnverified: opts.sigV4AllowUnverified }
+			allowUnverified: oacFronted || opts.sigV4AllowUnverified === true,
+			...oacFronted && { oacFronted: true }
 		});
 		if (!sigResult.allow) return {
 			result: { allow: false },
@@ -14497,10 +14571,21 @@ function warnVpcConfigLambdas(routesWithAuth, stacks) {
 function warnIamRoutes(routesWithAuth) {
 	const logger = getLogger();
 	const iamRoutes = [];
-	for (const entry of routesWithAuth) if (entry.authorizer?.kind === "iam") iamRoutes.push(entry.route.declaredAt);
-	if (iamRoutes.length === 0) return false;
-	logger.warn(`${iamRoutes.length} route(s) declare AuthorizationType: AWS_IAM — cdkl start-api verifies SigV4 signatures against your local AWS credentials, but does NOT emulate IAM policy evaluation (resource / action / condition rules). Signature-verified callers reach the handler under their own identity; downstream authorization is the dev's responsibility.`);
-	for (const declaredAt of iamRoutes) logger.warn(`  - ${declaredAt}`);
+	const oacRoutes = [];
+	for (const entry of routesWithAuth) {
+		if (entry.authorizer?.kind !== "iam") continue;
+		if (entry.authorizer.oacFronted === true) oacRoutes.push(entry.route.declaredAt);
+		else iamRoutes.push(entry.route.declaredAt);
+	}
+	if (iamRoutes.length === 0 && oacRoutes.length === 0) return false;
+	if (iamRoutes.length > 0) {
+		logger.warn(`${iamRoutes.length} route(s) declare AuthorizationType: AWS_IAM — cdkl start-api verifies SigV4 signatures against your local AWS credentials, but does NOT emulate IAM policy evaluation (resource / action / condition rules). Signature-verified callers reach the handler under their own identity; downstream authorization is the dev's responsibility.`);
+		for (const declaredAt of iamRoutes) logger.warn(`  - ${declaredAt}`);
+	}
+	if (oacRoutes.length > 0) {
+		logger.warn(`${oacRoutes.length} Function URL route(s) with AuthType: AWS_IAM are fronted by a CloudFront Origin Access Control. In production CloudFront re-signs the origin request, so no local client signature can be verified — cdkl start-api passes these through (warn-and-pass) WITHOUT requiring --allow-unverified-sigv4. Do NOT trust the request identity in handler code.`);
+		for (const declaredAt of oacRoutes) logger.warn(`  - ${declaredAt}`);
+	}
 	return true;
 }
 /**
@@ -17888,4 +17973,4 @@ function createLocalStartServiceCommand(opts = {}) {
 
 //#endregion
 export { LocalStateSourceError as a, rejectExplicitCfnStackWithMultipleStacks as c, CfnLocalStateProvider as d, createLocalInvokeCommand as i, resolveCfnRegion as l, createLocalRunTaskCommand as n, createLocalStateProvider as o, createLocalStartApiCommand as r, isCfnFlagPresent as s, createLocalStartServiceCommand as t, resolveCfnStackName as u };
-//# sourceMappingURL=local-start-service-EZy1JNYK.js.map
+//# sourceMappingURL=local-start-service-zoDos4zT.js.map