cdk-local 0.35.0 → 0.36.0

package/README.md

@@ -1,15 +1,45 @@
 # cdk-local
 
-Local runner for your CDK app's Lambda functions, API Gateway, and ECS tasks/services. Run it with no AWS account, or bind it to your deployed stack to hit real AWS resources and data. A native, CDK-first alternative to `sam local`.
+[![npm version](https://img.shields.io/npm/v/cdk-local.svg)](https://www.npmjs.com/package/cdk-local)
+[![CI](https://github.com/go-to-k/cdk-local/actions/workflows/ci.yml/badge.svg)](https://github.com/go-to-k/cdk-local/actions/workflows/ci.yml)
+[![License: Apache-2.0](https://img.shields.io/npm/l/cdk-local.svg)](./LICENSE)
+
+Run your CDK app's Lambda functions, API Gateway, and ECS tasks/services on your own machine — with **no AWS account**, or bound to your **deployed stack to hit real AWS resources and data**. A native, CDK-first alternative to `sam local`.
 
 ![cdkl start-api serving a local CDK app's HTTP API; curl in the right pane reaches the local Lambda](assets/cdkl-start-api.gif)
 
+## Quick start
+
+Requires **Docker** (running) and **Node.js 20+**.
+
+### 1. Run locally — no AWS account
+
+```bash
+npm install -g cdk-local      # installs the `cdkl` command
+
+cd your-cdk-app               # the directory holding cdk.json
+cdkl invoke                   # pick a Lambda from the list, then run it locally
+```
+
+`cdkl` synths your CDK app and runs the real handler inside a real `public.ecr.aws/lambda/*` container. Run any command with no target and it opens an arrow-key picker — you rarely need to type a CDK path.
+
+### 2. Bind to real AWS data — add `--from-cfn-stack`
+
+```bash
+cdkl start-api --from-cfn-stack                  # pick an API → real AWS data + real Cognito JWT
+cdkl start-api MyStack/MyApi --from-cfn-stack    # or name the API explicitly
+```
+
+cdk-local reads the deployed CloudFormation stack and injects its real ARNs, Secret values, and IAM credentials into the container — your local handler reads and writes the exact same data the deployed app does, with no `.env` to wire up and no test data to seed. Point a frontend at it and you're debugging end-to-end against production-shaped state.
+
 ## Why cdk-local
 
 Two pains, one tool:
 
 - **Zero-friction local execution.** No AWS account, no IAM access, no deploy — just Docker and your CDK app. Onboard new engineers, review a PR by actually running its code, or work on an OSS CDK sample without owning the maintainer's AWS account.
-- **Iterate against your real deployed stack — including its data.** `--from-cfn-stack` injects real ARNs, Secret values, and IAM credentials straight from CloudFormation into the local container — no `.env` file to maintain, no manual ARN copy-paste. Your local Lambda hits the same DynamoDB rows, S3 objects, Cognito users, Secret values, and anything else your IAM credentials reach through public AWS APIs that the deployed app sees. An offline emulator can fake the API surface, but you'd still own the cost of seeding it:
+- **Iterate against your real deployed stack — including its data.** `--from-cfn-stack` injects real ARNs, Secret values, and IAM credentials straight from CloudFormation into the local container — no `.env` file to maintain, no manual ARN copy-paste. Your local Lambda hits the same DynamoDB rows, S3 objects, Cognito users, Secret values, and anything else your IAM credentials reach that the deployed app sees.
+
+  An offline emulator can fake the API surface, but you'd still own the cost of seeding it:
   - dumping production data into a local DB
   - mirroring Secret values into local Secrets Manager
   - anonymizing fixtures across schema changes
@@ -17,38 +47,29 @@ Two pains, one tool:
 
   cdk-local skips all of that by keeping you on the real thing.
 
-cdk-local deliberately does NOT emulate AWS managed services. The bet is: keep dependencies real, swap only the compute layer.
-
 It also picks up where `sam local` leaves off:
 
 - **CDK-native** — point it at your CDK app's `cdk.json`. No SAM templates, no extra config files.
-- **Wider coverage** — Lambda (ZIP + container image, plus Function URL), API Gateway REST v1 / HTTP v2 / WebSocket API, ECS run-task, ECS service with Service Connect + Cloud Map.
-- **Real container images** — Lambda code runs in the real `public.ecr.aws/lambda/*` base image via Lambda Runtime Interface Emulator (RIE). ECS tasks run as real Docker containers. The only dependency is Docker.
+- **Wider coverage** — Lambda (ZIP + container image + Function URL), API Gateway REST v1 / HTTP v2 / WebSocket, ECS run-task, ECS service with Service Connect + Cloud Map, and Bedrock AgentCore Runtime agents.
+- **Real container images** — Lambda code runs in the real `public.ecr.aws/lambda/*` base image via the Lambda Runtime Interface Emulator (RIE); ECS tasks run as real Docker containers. The only dependency is Docker.
 
 ## What runs locally, what doesn't
 
-cdk-local runs your **application compute** locally in Docker, using your CDK app as the source of truth. It does NOT emulate AWS managed services.
+cdk-local runs your **application compute** locally in Docker, using your CDK app as the source of truth. It deliberately does NOT emulate AWS managed services — the bet is: keep dependencies real, swap only the compute layer.
 
 **Runs locally (application compute):**
 
 - **Lambda functions** — your code in a real `public.ecr.aws/lambda/*` container via the Lambda Runtime Interface Emulator
 - **HTTP APIs & Function URLs** — API Gateway REST v1 / HTTP v2 / WebSocket and Lambda Function URLs served by a local HTTP server
 - **ECS** — tasks and services as real Docker containers (awsvpc / Service Connect / Cloud Map registry)
+- **Bedrock AgentCore Runtime** — your agent container served over the AgentCore HTTP contract (`POST /invocations` + `GET /ping` on 8080), invoked once locally before deploy
 - **Authorizers** — Lambda authorizers, Cognito User Pool JWT verification, IAM SigV4 verification
 
 **Calls real AWS (managed services):**
 
 - DynamoDB / S3 / Secrets Manager / SSM / SNS / SQS / Kinesis / EventBridge / Step Functions / etc.
-- Your Lambda code talks to real AWS via your IAM credentials (`--assume-role` or `--from-cfn-stack` to bind to a deployed stack)
-- If you want offline emulation of managed services, pair cdk-local with a service emulator like LocalStack — cdk-local does not bundle one.
-
-## Install
-
-```bash
-npm install -g cdk-local
-```
-
-This installs the `cdkl` command.
+- Your Lambda code talks to real AWS via your IAM credentials (`--assume-role`, or `--from-cfn-stack` to bind to a deployed stack)
+- Want offline emulation of managed services too? Pair cdk-local with a service emulator like LocalStack — cdk-local does not bundle one.
 
 ## Two ways to use it
 
@@ -65,13 +86,12 @@ cdkl invoke            # pick a Lambda, then invoke it
 cdkl run-task          # pick an ECS task definition, then run it
 cdkl start-service     # multi-select one or more ECS services
 cdkl start-api         # multi-select APIs to serve (→ selects all)
+cdkl invoke-agentcore      # pick a Bedrock AgentCore Runtime, then invoke it
 ```
 
 ![cdkl invoke against a local sample CDK app — no AWS account, no deploy](assets/cdkl-invoke.gif)
 
-Omitting the target in an interactive terminal opens the picker automatically. `invoke` / `run-task` pick one; `start-service` / `start-api` open a multi-select that starts with **nothing** selected. In any multi-select, press space to toggle a row, → to select all, ← to clear all, and enter to confirm — then a Y/n confirmation runs before launch (declining returns you to the picker with your selection kept). Submitting with nothing selected asks whether to exit. For `start-api`, each selected API is served on its own port. (Outside a TTY, bare `start-api` still serves every API — see below.)
-
-Outside a TTY — CI, pipes, redirected stdin — the picker can't run. `invoke` / `run-task` / `start-service` fall back to a "target required" error; pass the target explicitly there (see [below](#passing-a-target-explicitly)). `start-api` is the exception: bare in a non-TTY it serves **every** API (its serve-all default needs no prompt), so scripts keep working unchanged.
+`invoke` / `run-task` pick one target; `start-service` / `start-api` open a multi-select (space toggles, → selects all, ← clears, enter confirms). Outside a TTY — CI, pipes, redirected stdin — the picker can't run: `invoke` / `run-task` / `start-service` need the target passed explicitly (see [below](#passing-a-target-explicitly)), while a bare `start-api` serves **every** API so scripts keep working. Full picker + non-TTY behavior: [docs/cli-reference.md](docs/cli-reference.md#interactive-target-selection).
 
 #### See what's available — `list` (alias `ls`)
 
@@ -94,6 +114,9 @@ ECS Services  ->  cdkl start-service <target...>
 
 ECS Task Definitions  ->  cdkl run-task <target>
   MyStack/WebTask
+
+AgentCore Runtimes  ->  cdkl invoke-agentcore <target>
+  MyStack/ChatAgent
 ```
 
 #### Passing a target explicitly
@@ -112,21 +135,24 @@ cdkl start-service MyStack/OrdersService MyStack/Frontend
 # API Gateway / Function URLs — one API, or every API in the stack
 cdkl start-api MyStack/MyApi
 cdkl start-api
+
+# Bedrock AgentCore Runtime — run the agent container, POST one event
+cdkl invoke-agentcore MyStack/ChatAgent --event ./event.json
 ```
 
-`start-api` serves your app's HTTP surface (API Gateway REST v1 / HTTP v2 / WebSocket + Lambda Function URLs) on a local HTTP server, one server per API. In a multi-stack app a bare `cdkl start-api` errors rather than serving every stack's API at once (so a side-stack's API is never booted by accident); serve them all with `--all-stacks`, or select one stack with `--stack <name>`, `--from-cfn-stack <name>`, or a stack-qualified target like `MyStack/MyApi`. `--all-stacks` is mutually exclusive with those single-target selectors (the bare `--from-cfn-stack` flag stays compatible). See [docs/cli-reference.md](docs/cli-reference.md) for the full precedence rules.
+`start-api` serves your app's HTTP surface (API Gateway REST v1 / HTTP v2 / WebSocket + Lambda Function URLs) on a local HTTP server, one server per API. In a multi-stack app a bare `cdkl start-api` errors rather than serving every stack's API at once; serve them all with `--all-stacks`, or select one with `--stack <name>`, `--from-cfn-stack <name>`, or a stack-qualified target. See [docs/cli-reference.md](docs/cli-reference.md) for the full precedence rules.
 
-For ECS there is no cluster command — locally, Docker is the placement target a cluster abstracts away. Both `run-task` and `start-service` accept an optional `--cluster <name>` (surfaced to `ECS_CONTAINER_METADATA_URI_V4` and used as the local Docker network prefix); `start-service` also wires Service Connect / Cloud Map registry. See [docs/cli-reference.md](docs/cli-reference.md) for the full ECS option list.
+For ECS there is no cluster command — locally, Docker is the placement target a cluster abstracts away. Both `run-task` and `start-service` accept an optional `--cluster <name>`; `start-service` also wires Service Connect / Cloud Map registry. See [docs/cli-reference.md](docs/cli-reference.md) for the full ECS option list.
 
-Use this for fast iteration on Lambda code, API routing checks, and container task smoke tests.
+`invoke-agentcore` runs a Bedrock AgentCore Runtime's container locally, waits for `GET /ping`, then POSTs your `--event` (or `{}`) to `POST /invocations` and prints the response — the same request/response loop AgentCore runs in the cloud, without a deploy. v1 covers container-artifact runtimes on the HTTP protocol; the agent's own calls to Bedrock models / memory / other managed services go to real AWS.
 
-### 2. Bound to a deployed stack
+Use this for fast iteration on Lambda code, API routing checks, container task smoke tests, and agent request/response checks.
 
-Once your stack is deployed to AWS (via the AWS CDK CLI or any other tool), pass `--from-cfn-stack <StackName>` and cdk-local reads the deployed CloudFormation stack to inject real ARNs, Secrets values, and IAM credentials (resolved from your current AWS profile) into the local execution.
+### 2. Bound to a deployed stack
 
-For Lambda (`invoke`, `start-api`), this also recovers env-var values that CloudFormation resolved at deploy time but `ListStackResources` does not expose — e.g. `SIBLING_ARN: Fn::GetAtt <OtherFunction>.Arn`. cdk-local reads the deployed function's own resolved `Environment.Variables` (via `lambda:GetFunctionConfiguration`) and fills those keys, so a Lambda that calls a sibling Lambda by ARN runs locally without a manual `--env-vars` entry. (These values enter the local container env in plaintext; Lambda env vars are a non-secret property, so this exposes nothing the deployed function doesn't already surface to any caller with `lambda:GetFunctionConfiguration`.)
+Once your stack is deployed to AWS (via the AWS CDK CLI or any other tool), pass `--from-cfn-stack <StackName>` and cdk-local reads the deployed CloudFormation stack to inject real ARNs, Secret values, and IAM credentials (resolved from your current AWS profile) into the local execution. Env vars that reference deploy-time CloudFormation intrinsics or SSM-backed parameters are resolved too, so a Lambda or container that depends on a sibling resource's ARN or an SSM parameter runs locally without a manual `--env-vars` entry. See [docs/local-emulation.md](docs/local-emulation.md#cloudformation-driven-env-recovery---from-cfn-stack) for the full resolution model.
 
-`--from-cfn-stack` also resolves env vars that reference an SSM-backed CloudFormation parameter — the `AWS::SSM::Parameter::Value<String>` (and `List<String>`) type CDK synthesizes for `ssm.StringParameter.valueForStringParameter(...)`. cdk-local reads the parameter's current value from SSM Parameter Store (via `ssm:GetParameters`, using the same credentials/region as the stack lookup) and injects it, so a Lambda or ECS container whose env `Ref`s such a parameter runs locally without a manual `--env-vars` entry. If the SSM read fails (no permission, parameter not created), the key falls back to the usual warn-and-drop.
+> SSM `SecureString` parameters are decrypted and injected like any other resolved value, but passed via docker's value-from-process-env form so the decrypted value never appears on the `docker run` argv.
 
 #### HTTP APIs & Function URLs — `start-api` (the headline use case)
 
@@ -143,7 +169,7 @@ cdkl start-api MyStack/MyApi --from-cfn-stack
 
 #### Lambda — `invoke`
 
-Single-function debugging against real upstreams (DynamoDB rows, S3 objects, Secrets values).
+Single-function debugging against real upstreams (DynamoDB rows, S3 objects, Secret values).
 
 ```bash
 cdkl invoke MyStack/MyFunction --event ./event.json --from-cfn-stack MyStack
@@ -168,11 +194,9 @@ Pass `--watch` to `cdkl start-api` and the server re-synths and hot-reloads when
 cdkl start-api MyStack/MyApi --watch
 ```
 
-- 500 ms debounced [chokidar](https://github.com/paulmillr/chokidar) file watcher on your CDK app's source tree (the directory holding `cdk.json`). Honors `cdk.json`'s `watch.include` / `watch.exclude` globs, exactly like `cdk watch`.
-- `cdk.out/`, `node_modules`, and `.git` are always excluded — the reload's own re-synth writes to `cdk.out/` never re-trigger the watcher, so there is no reload loop.
-- Re-synths and re-discovers routes on each firing — adding a new route to your CDK app shows up locally on save. No separate `cdk watch` / `cdk synth` process is needed.
-- Synth failures keep the previous version serving (warn-and-continue, never crashes the server).
-- Compatible with `--from-cfn-stack`: each reload re-reads the deployed CloudFormation stack so newly-deployed ARNs are picked up on your next source save without restarting the server.
+- 500 ms debounced [chokidar](https://github.com/paulmillr/chokidar) file watcher on your CDK app's source tree, honoring `cdk.json`'s `watch.include` / `watch.exclude` globs exactly like `cdk watch`. `cdk.out/`, `node_modules`, and `.git` are always excluded, so the reload's own re-synth never re-triggers the watcher.
+- Re-synths and re-discovers routes on each firing — adding a new route to your CDK app shows up locally on save, with no separate `cdk watch` / `cdk synth` process. Synth failures keep the previous version serving (warn-and-continue, never crashes the server).
+- Compatible with `--from-cfn-stack`: each reload re-reads the deployed stack so newly-deployed ARNs are picked up on your next source save without restarting the server.
 
 See [docs/local-emulation.md](docs/local-emulation.md#hot-reload---watch) for the full lifecycle, `watch.include` / `watch.exclude` semantics, and known limitations.
 
@@ -195,10 +219,9 @@ cdkl invoke MyStack/MyFunction --event ./event.json --env-vars ./env.json
 ```
 
 - `Parameters` applies to every function / container; function-specific blocks override it.
-- For Lambda (`invoke`, `start-api`), function-specific keys can be either a **CDK display path** (`MyStack/MyFunction` — recommended for new files; same form `cdkl invoke` accepts as a target) or a **CloudFormation logical ID** (`MyFunctionLogicalId1234ABCD` — named in `cdk.out/<Stack>.template.json`, the SAM-compatible form). Both coexist; if both are listed for the same function, the later JSON entry wins (matching SAM's apply-in-order semantics).
-- For ECS (`run-task`, `start-service`), function-specific keys are container names from the task definition's `ContainerDefinitions[].Name` field.
-- The file format matches `sam local invoke --env-vars`, so an existing SAM env-vars file (logical-ID keys) works unchanged.
-- Composes with `--from-cfn-stack`: the state source resolves env vars first, then `--env-vars` overrides only the keys you list (unnamed keys keep their state-resolved value). Full precedence in [docs/cli-reference.md](docs/cli-reference.md).
+- For Lambda (`invoke`, `start-api`), function-specific keys can be a **CDK display path** (`MyStack/MyFunction` — same form `cdkl invoke` accepts) or a **CloudFormation logical ID** (`MyFunctionLogicalId1234ABCD`, the SAM-compatible form). For ECS (`run-task`, `start-service`), keys are container names from the task definition.
+- The file format matches `sam local invoke --env-vars`, so an existing SAM env-vars file works unchanged.
+- Composes with `--from-cfn-stack`: the state source resolves env vars first, then `--env-vars` overrides only the keys you list. Full precedence in [docs/cli-reference.md](docs/cli-reference.md).
 
 ## Supported resources
 
@@ -212,6 +235,9 @@ cdkl invoke MyStack/MyFunction --event ./event.json --env-vars ./env.json
 | `AWS::ECS::TaskDefinition` (run-task) | ✓ |
 | `AWS::ECS::Service` (start-service) | ✓ |
 | `AWS::ServiceDiscovery::*` (Cloud Map / Service Connect) | ✓ |
+| `AWS::BedrockAgentCore::Runtime` (invoke-agentcore, container artifact + HTTP) | ✓ |
+
+Lambda runs on every current AWS Lambda runtime — Node.js (18/20/22/24), Python (3.11–3.14), Ruby (3.2/3.3), Java (8.al2/11/17/21), .NET (6/8), and the OS-only `provided.al2` / `provided.al2023`. The retired `go1.x` runtime is rejected with a pointer to migrate to `provided.al2023`.
 
 ## Programmatic use
 

package/dist/cli.js

@@ -1,11 +1,12 @@
 #!/usr/bin/env node
-import { c as createLocalStartApiCommand, ot as createLocalInvokeCommand, r as createLocalStartServiceCommand, s as createLocalRunTaskCommand, t as createLocalListCommand } from "./local-list-BvDCmBir.js";
+import { c as createLocalInvokeAgentCoreCommand, l as createLocalStartApiCommand, r as createLocalStartServiceCommand, s as createLocalRunTaskCommand, t as createLocalListCommand, ut as createLocalInvokeCommand } from "./local-list-BUgCsVoM.js";
 import { Command } from "commander";
 
 //#region src/cli/index.ts
 const program = new Command();
-program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.35.0");
+program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.36.0");
 program.addCommand(createLocalInvokeCommand());
+program.addCommand(createLocalInvokeAgentCoreCommand());
 program.addCommand(createLocalStartApiCommand());
 program.addCommand(createLocalRunTaskCommand());
 program.addCommand(createLocalStartServiceCommand());

package/dist/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","names":[],"sources":["../src/cli/index.ts"],"sourcesContent":["#!/usr/bin/env node\n\nimport { Command } from 'commander';\nimport { createLocalInvokeCommand } from './commands/local-invoke.js';\nimport { createLocalStartApiCommand } from './commands/local-start-api.js';\nimport { createLocalRunTaskCommand } from './commands/local-run-task.js';\nimport { createLocalStartServiceCommand } from './commands/local-start-service.js';\nimport { createLocalListCommand } from './commands/local-list.js';\n\ndeclare const __CDK_LOCAL_VERSION__: string;\n\nconst program = new Command();\nprogram\n  .name('cdkl')\n  .description('Run AWS CDK stacks locally with Docker.')\n  .version(__CDK_LOCAL_VERSION__);\n\nprogram.addCommand(createLocalInvokeCommand());\nprogram.addCommand(createLocalStartApiCommand());\nprogram.addCommand(createLocalRunTaskCommand());\nprogram.addCommand(createLocalStartServiceCommand());\nprogram.addCommand(createLocalListCommand());\n\nvoid program.parseAsync(process.argv);\n"],"mappings":";;;;;AAWA,MAAM,UAAU,IAAI,SAAS;AAC7B,QACG,KAAK,OAAO,CACZ,YAAY,0CAA0C,CACtD,iBAA8B;AAEjC,QAAQ,WAAW,0BAA0B,CAAC;AAC9C,QAAQ,WAAW,4BAA4B,CAAC;AAChD,QAAQ,WAAW,2BAA2B,CAAC;AAC/C,QAAQ,WAAW,gCAAgC,CAAC;AACpD,QAAQ,WAAW,wBAAwB,CAAC;AAEvC,QAAQ,WAAW,QAAQ,KAAK"}
+{"version":3,"file":"cli.js","names":[],"sources":["../src/cli/index.ts"],"sourcesContent":["#!/usr/bin/env node\n\nimport { Command } from 'commander';\nimport { createLocalInvokeCommand } from './commands/local-invoke.js';\nimport { createLocalInvokeAgentCoreCommand } from './commands/local-invoke-agentcore.js';\nimport { createLocalStartApiCommand } from './commands/local-start-api.js';\nimport { createLocalRunTaskCommand } from './commands/local-run-task.js';\nimport { createLocalStartServiceCommand } from './commands/local-start-service.js';\nimport { createLocalListCommand } from './commands/local-list.js';\n\ndeclare const __CDK_LOCAL_VERSION__: string;\n\nconst program = new Command();\nprogram\n  .name('cdkl')\n  .description('Run AWS CDK stacks locally with Docker.')\n  .version(__CDK_LOCAL_VERSION__);\n\nprogram.addCommand(createLocalInvokeCommand());\nprogram.addCommand(createLocalInvokeAgentCoreCommand());\nprogram.addCommand(createLocalStartApiCommand());\nprogram.addCommand(createLocalRunTaskCommand());\nprogram.addCommand(createLocalStartServiceCommand());\nprogram.addCommand(createLocalListCommand());\n\nvoid program.parseAsync(process.argv);\n"],"mappings":";;;;;AAYA,MAAM,UAAU,IAAI,SAAS;AAC7B,QACG,KAAK,OAAO,CACZ,YAAY,0CAA0C,CACtD,iBAA8B;AAEjC,QAAQ,WAAW,0BAA0B,CAAC;AAC9C,QAAQ,WAAW,mCAAmC,CAAC;AACvD,QAAQ,WAAW,4BAA4B,CAAC;AAChD,QAAQ,WAAW,2BAA2B,CAAC;AAC/C,QAAQ,WAAW,gCAAgC,CAAC;AACpD,QAAQ,WAAW,wBAAwB,CAAC;AAEvC,QAAQ,WAAW,QAAQ,KAAK"}

package/dist/{docker-cmd--8TRSn9z.js → docker-cmd-voNPrcRh.js}

@@ -206,7 +206,7 @@ var docker_cmd_exports = /* @__PURE__ */ __exportAll({
 *
 * Two parity decisions with `aws-cdk-cli`'s `cdk-assets-lib`:
 *   1. `CDK_DOCKER` env var swaps the binary so podman / finch users can
-*      run cdk-local without code changes (`CDK_DOCKER=podman cdkd deploy`).
+*      run cdk-local without code changes (`CDK_DOCKER=podman cdkl invoke`).
 *   2. `runDockerStreaming` uses streaming spawn rather than `execFile`'s
 *      buffered `maxBuffer` ceiling. BuildKit's progress output can run to
 *      tens of MB on multi-stage builds with `# syntax=docker/dockerfile:1`
@@ -390,4 +390,4 @@ function mergeEnv(overrides) {
 
 //#endregion
 export { runDockerStreaming as a, getEmbedConfig as c, runDockerForeground as i, resetEmbedConfig as l, formatDockerLoginError as n, spawnStreaming as o, getDockerCmd as r, getLogger as s, docker_cmd_exports as t, setEmbedConfig as u };
-//# sourceMappingURL=docker-cmd--8TRSn9z.js.map
+//# sourceMappingURL=docker-cmd-voNPrcRh.js.map

package/dist/docker-cmd-voNPrcRh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"docker-cmd-voNPrcRh.js","names":[],"sources":["../src/local/embed-config.ts","../src/utils/logger.ts","../src/utils/docker-cmd.ts"],"sourcesContent":["/**\n * Embed-time branding configuration.\n *\n * cdk-local hardcodes its own branding (`cdkl` binary, `cdk-local`\n * product name, `cdkl-*` Docker / AWS resource names, `/cdk-local-aws`\n * credential bind-mount) into user-visible error messages and resource\n * identifiers. A host that embeds cdk-local's Commander factories (e.g.\n * cdkd, whose binary is `cdkd` and whose subcommand group is\n * `cdkd local`) passes a {@link CdkLocalEmbedConfig} so those strings\n * read in the host's own branding instead.\n *\n * The four command factories call {@link setEmbedConfig} before building\n * their Commander option tree, so both construction-time strings (option\n * descriptions / defaults) and action-time strings (errors, resource\n * names) read the resolved config via {@link getEmbedConfig}. When no\n * config is supplied every field falls back to cdk-local's own defaults,\n * leaving native `cdkl` behavior byte-identical.\n */\nexport interface CdkLocalEmbedConfig {\n  /**\n   * Command prefix for subcommand references in user-facing strings, e.g.\n   * `${cliName} invoke` / `${cliName} start-api`. Default `'cdkl'`; cdkd\n   * passes `'cdkd local'`.\n   */\n  cliName?: string;\n  /**\n   * Bare executable / process name for standalone references, e.g.\n   * `${binaryName} is exiting` / `${binaryName} could not determine ...`,\n   * the local request id, and the hyphen-free Cognito user-pool\n   * placeholder id. Default `'cdkl'`; cdkd passes `'cdkd'`.\n   */\n  binaryName?: string;\n  /**\n   * Product name for prose references, e.g. `${productName} supports ...`.\n   * Also seeds the profile-credentials tmpdir prefix. Default\n   * `'cdk-local'`; cdkd passes `'cdkd'`.\n   */\n  productName?: string;\n  /**\n   * Prefix for generated Docker / AWS resource identifiers — container,\n   * volume, network, image-tag, tmpdir names, STS `RoleSessionName`s, and\n   * the example Cloud Map namespace. Default `'cdkl'`; cdkd passes\n   * `'cdkd-local'`.\n   */\n  resourceNamePrefix?: string;\n  /**\n   * Container directory the host AWS shared-credentials file is\n   * bind-mounted under. Default `'/cdk-local-aws'`; cdkd passes\n   * `'/cdkd-aws'`.\n   */\n  awsBindMountPath?: string;\n  /**\n   * Prefix for the environment variables this CLI reads — `${envPrefix}_APP`\n   * (the `--app` fallback) and `${envPrefix}_ROLE_ARN` (the `--role-arn`\n   * fallback). Default `'CDKL'`; cdkd passes `'CDKD'`.\n   */\n  envPrefix?: string;\n  /**\n   * Whether this host fails-closed by default on unverifiable AWS_IAM SigV4\n   * requests. cdk-local's default is warn-and-pass (`false`); a host like\n   * cdkd that ships fail-closed-by-default passes `true`. Drives the polarity\n   * of the SigV4 warn-message advice (whether the strictness flag reads as an\n   * opt-IN or opt-OUT). Default `false`.\n   */\n  sigV4StrictByDefault?: boolean;\n  /**\n   * The CLI flag a user toggles to change SigV4 strictness. With\n   * `sigV4StrictByDefault: false` it is an opt-IN flag (`'--strict-sigv4'`,\n   * the default); with `sigV4StrictByDefault: true` it is the host's opt-OUT\n   * flag (cdkd passes `'--allow-unverified-sigv4'`). Default `'--strict-sigv4'`.\n   */\n  sigV4OptFlag?: string;\n}\n\nexport interface ResolvedEmbedConfig {\n  cliName: string;\n  binaryName: string;\n  productName: string;\n  resourceNamePrefix: string;\n  awsBindMountPath: string;\n  envPrefix: string;\n  sigV4StrictByDefault: boolean;\n  sigV4OptFlag: string;\n}\n\nconst DEFAULTS: ResolvedEmbedConfig = {\n  cliName: 'cdkl',\n  binaryName: 'cdkl',\n  productName: 'cdk-local',\n  resourceNamePrefix: 'cdkl',\n  awsBindMountPath: '/cdk-local-aws',\n  envPrefix: 'CDKL',\n  sigV4StrictByDefault: false,\n  sigV4OptFlag: '--strict-sigv4',\n};\n\nlet current: ResolvedEmbedConfig = DEFAULTS;\n\n/**\n * Resolve and install the active embed config. Called once per command\n * factory with the host's overrides (or `undefined` for native cdkl\n * behavior). Idempotent: re-calling with the same overrides is a no-op,\n * which is why all four factories may safely set the same config.\n */\nexport function setEmbedConfig(config?: CdkLocalEmbedConfig): void {\n  current = {\n    cliName: config?.cliName ?? DEFAULTS.cliName,\n    binaryName: config?.binaryName ?? DEFAULTS.binaryName,\n    productName: config?.productName ?? DEFAULTS.productName,\n    resourceNamePrefix: config?.resourceNamePrefix ?? DEFAULTS.resourceNamePrefix,\n    awsBindMountPath: config?.awsBindMountPath ?? DEFAULTS.awsBindMountPath,\n    envPrefix: config?.envPrefix ?? DEFAULTS.envPrefix,\n    sigV4StrictByDefault: config?.sigV4StrictByDefault ?? DEFAULTS.sigV4StrictByDefault,\n    sigV4OptFlag: config?.sigV4OptFlag ?? DEFAULTS.sigV4OptFlag,\n  };\n}\n\n/** The active resolved embed config. */\nexport function getEmbedConfig(): ResolvedEmbedConfig {\n  return current;\n}\n\n/** Restore cdk-local defaults. Primarily a test-isolation helper. */\nexport function resetEmbedConfig(): void {\n  current = DEFAULTS;\n}\n","/**\n * Logger interface and console implementation for cdk-local.\n *\n * A minimal `Logger` / `LogLevel` interface with a `ConsoleLogger`\n * (`getLogger()` / `setLogger()` exports, `child(prefix)` for prefixed\n * sub-loggers). cdk-local invokes a single Lambda / API / task at a time,\n * so there is no parallel multi-stack output to interleave — a plain\n * console logger with no output buffer or live progress renderer suffices.\n */\n\nexport type LogLevel = 'debug' | 'info' | 'warn' | 'error';\n\nexport interface Logger {\n  debug(message: string, ...args: unknown[]): void;\n  info(message: string, ...args: unknown[]): void;\n  warn(message: string, ...args: unknown[]): void;\n  error(message: string, ...args: unknown[]): void;\n  setLevel(level: LogLevel): void;\n  getLevel(): LogLevel;\n  child(prefix: string): Logger;\n}\n\n/**\n * ANSI color codes\n *\n * Kept internal — `ConsoleLogger.formatMessage` references these for the\n * verbose/compact mode level prefixes.\n */\nconst colors = {\n  reset: '\\x1b[0m',\n  bright: '\\x1b[1m',\n  dim: '\\x1b[2m',\n  red: '\\x1b[31m',\n  green: '\\x1b[32m',\n  yellow: '\\x1b[33m',\n  blue: '\\x1b[34m',\n  cyan: '\\x1b[36m',\n  gray: '\\x1b[90m',\n} as const;\n\nfunction formatTimestamp(): string {\n  const now = new Date();\n  return now.toISOString();\n}\n\n/**\n * Console logger implementation\n *\n * Supports two output modes:\n * - verbose (debug level): timestamps, module prefixes, all details\n * - compact (info level): clean output without timestamps or prefixes\n */\nexport class ConsoleLogger implements Logger {\n  private level: LogLevel;\n  private useColors: boolean;\n\n  constructor(level: LogLevel = 'info', useColors: boolean = true) {\n    this.level = level;\n    this.useColors = useColors;\n  }\n\n  private shouldLog(level: LogLevel): boolean {\n    const levels: LogLevel[] = ['debug', 'info', 'warn', 'error'];\n    const currentLevelIndex = levels.indexOf(this.level);\n    const messageLevelIndex = levels.indexOf(level);\n    return messageLevelIndex >= currentLevelIndex;\n  }\n\n  private formatMessage(level: LogLevel, message: string, ...args: unknown[]): string {\n    const formattedArgs = args.length > 0 ? ' ' + args.map((a) => JSON.stringify(a)).join(' ') : '';\n\n    if (this.level === 'debug') {\n      const timestamp = formatTimestamp();\n      const levelStr = level.toUpperCase().padEnd(5);\n\n      if (this.useColors) {\n        const levelColorMap: Record<LogLevel, string> = {\n          debug: colors.gray,\n          info: colors.blue,\n          warn: colors.yellow,\n          error: colors.red,\n        };\n        const levelColor = levelColorMap[level];\n\n        return `${colors.dim}${timestamp}${colors.reset} ${levelColor}${levelStr}${colors.reset} ${message}${formattedArgs}`;\n      }\n\n      return `${timestamp} ${levelStr} ${message}${formattedArgs}`;\n    }\n\n    if (this.useColors) {\n      if (level === 'error') {\n        return `${colors.red}${message}${formattedArgs}${colors.reset}`;\n      }\n      if (level === 'warn') {\n        return `${colors.yellow}${message}${formattedArgs}${colors.reset}`;\n      }\n      return `${message}${formattedArgs}`;\n    }\n\n    return `${message}${formattedArgs}`;\n  }\n\n  private emit(level: LogLevel, formatted: string): void {\n    if (level === 'error') console.error(formatted);\n    else if (level === 'warn') console.warn(formatted);\n    else if (level === 'info') console.info(formatted);\n    else console.debug(formatted);\n  }\n\n  debug(message: string, ...args: unknown[]): void {\n    if (this.shouldLog('debug')) {\n      this.emit('debug', this.formatMessage('debug', message, ...args));\n    }\n  }\n\n  info(message: string, ...args: unknown[]): void {\n    if (this.shouldLog('info')) {\n      this.emit('info', this.formatMessage('info', message, ...args));\n    }\n  }\n\n  warn(message: string, ...args: unknown[]): void {\n    if (this.shouldLog('warn')) {\n      this.emit('warn', this.formatMessage('warn', message, ...args));\n    }\n  }\n\n  error(message: string, ...args: unknown[]): void {\n    if (this.shouldLog('error')) {\n      this.emit('error', this.formatMessage('error', message, ...args));\n    }\n  }\n\n  setLevel(level: LogLevel): void {\n    this.level = level;\n  }\n\n  getLevel(): LogLevel {\n    return this.level;\n  }\n\n  child(prefix: string): ChildLogger {\n    return new ChildLogger(prefix, this.useColors);\n  }\n}\n\n/**\n * Child logger that always syncs level from global logger\n */\nclass ChildLogger extends ConsoleLogger {\n  private readonly prefix: string;\n\n  constructor(prefix: string, useColors: boolean) {\n    super('info', useColors);\n    this.prefix = prefix;\n  }\n\n  private syncLevel(): void {\n    if (globalLogger) {\n      this.setLevel(globalLogger.getLevel());\n    }\n  }\n\n  override debug(message: string, ...args: unknown[]): void {\n    this.syncLevel();\n    super.debug(`[${this.prefix}] ${message}`, ...args);\n  }\n\n  override info(message: string, ...args: unknown[]): void {\n    this.syncLevel();\n    const msg = this.getLevel() === 'debug' ? `[${this.prefix}] ${message}` : message;\n    super.info(msg, ...args);\n  }\n\n  override warn(message: string, ...args: unknown[]): void {\n    this.syncLevel();\n    const msg = this.getLevel() === 'debug' ? `[${this.prefix}] ${message}` : message;\n    super.warn(msg, ...args);\n  }\n\n  override error(message: string, ...args: unknown[]): void {\n    this.syncLevel();\n    const msg = this.getLevel() === 'debug' ? `[${this.prefix}] ${message}` : message;\n    super.error(msg, ...args);\n  }\n}\n\nlet globalLogger: ConsoleLogger | null = null;\n\nexport function getLogger(): ConsoleLogger {\n  if (!globalLogger) {\n    globalLogger = new ConsoleLogger();\n  }\n  return globalLogger;\n}\n\nexport function setLogger(logger: ConsoleLogger): void {\n  globalLogger = logger;\n}\n","import { spawn } from 'node:child_process';\nimport { getLogger } from './logger.js';\nimport { getEmbedConfig } from '../local/embed-config.js';\n\n/**\n * Shared helpers for invoking the docker-compatible CLI binary across cdk-local.\n *\n * Two parity decisions with `aws-cdk-cli`'s `cdk-assets-lib`:\n *   1. `CDK_DOCKER` env var swaps the binary so podman / finch users can\n *      run cdk-local without code changes (`CDK_DOCKER=podman cdkl invoke`).\n *   2. `runDockerStreaming` uses streaming spawn rather than `execFile`'s\n *      buffered `maxBuffer` ceiling. BuildKit's progress output can run to\n *      tens of MB on multi-stage builds with `# syntax=docker/dockerfile:1`\n *      frontend downloads + heredoc / `RUN --mount=...` features; the 50 MB\n *      `execFile` ceiling cdk-local used to set silently killed those builds\n *      with `ERR_CHILD_PROCESS_STDIO_MAXBUFFER`.\n *\n * Output handling: stdout/stderr are collected in memory unconditionally so\n * `runDockerStreaming` can return them to the caller for error wrapping.\n * When the logger is at debug level (i.e. the user passed `--verbose`),\n * the chunks are ALSO mirrored to `process.stdout` / `process.stderr` so\n * the user sees live build progress.\n */\n\n/**\n * Return the docker-compatible CLI binary to invoke. Matches CDK CLI:\n * `CDK_DOCKER` env var overrides the default `docker` so users on\n * podman / finch / nerdctl can swap without changing cdk-local code.\n */\nexport function getDockerCmd(): string {\n  const override = process.env['CDK_DOCKER'];\n  return override && override.length > 0 ? override : 'docker';\n}\n\nexport interface SpawnResult {\n  stdout: string;\n  stderr: string;\n}\n\nexport interface SpawnError extends Error {\n  /** Captured stderr at the time of failure. */\n  stderr: string;\n  /** Captured stdout at the time of failure. */\n  stdout: string;\n  /** Process exit code (null when the process was killed by signal). */\n  exitCode: number | null;\n}\n\nexport interface RunDockerOptions {\n  /** Optional working directory for the subprocess. */\n  cwd?: string;\n  /**\n   * Additional environment variables to set. Merged on top of `process.env`\n   * (so the user's `DOCKER_BUILDKIT=1` and friends propagate through).\n   */\n  env?: Record<string, string | undefined>;\n  /** When set, written to stdin (used by `docker login --password-stdin`). */\n  input?: string;\n  /**\n   * When true, mirror stdout/stderr chunks to `process.stdout` / `process.stderr`\n   * as they arrive. Useful for `docker pull` / `docker build` where live\n   * progress is desirable. Defaults to \"true when the logger is at debug\n   * level\" — matches the existing `--verbose` UX.\n   */\n  streamLive?: boolean;\n}\n\n/**\n * Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) with\n * streaming I/O. Collects stdout/stderr in memory and resolves with both\n * on exit code 0; rejects with a `SpawnError` carrying both streams on any\n * non-zero exit so the caller can wrap with its own error class without\n * losing the upstream output.\n *\n * No `maxBuffer` ceiling: BuildKit progress output frequently exceeds the\n * `child_process.execFile` default of 1 MB (cdk-local previously bumped to 50 MB\n * but BuildKit + frontend pulls can still exceed that on first-time builds).\n */\nexport async function runDockerStreaming(\n  args: string[],\n  options: RunDockerOptions = {}\n): Promise<SpawnResult> {\n  return spawnStreaming(getDockerCmd(), args, options);\n}\n\n/**\n * Generic streaming spawn — used by `runDockerStreaming` AND by the\n * `executable` source mode in `docker-build.ts` (which runs an arbitrary\n * user-supplied build command, not docker).\n */\nexport async function spawnStreaming(\n  cmd: string,\n  args: string[],\n  options: RunDockerOptions = {}\n): Promise<SpawnResult> {\n  const streamLive = options.streamLive ?? getLogger().getLevel() === 'debug';\n  const env = options.env ? mergeEnv(options.env) : undefined;\n\n  return new Promise<SpawnResult>((resolve, reject) => {\n    const child = spawn(cmd, args, {\n      cwd: options.cwd,\n      env,\n      stdio: [options.input ? 'pipe' : 'ignore', 'pipe', 'pipe'],\n    });\n\n    const stdoutChunks: Buffer[] = [];\n    const stderrChunks: Buffer[] = [];\n\n    child.stdout!.on('data', (chunk: Buffer) => {\n      stdoutChunks.push(chunk);\n      if (streamLive) process.stdout.write(chunk);\n    });\n    child.stderr!.on('data', (chunk: Buffer) => {\n      stderrChunks.push(chunk);\n      if (streamLive) process.stderr.write(chunk);\n    });\n\n    child.once('error', (err: NodeJS.ErrnoException) => {\n      if (err.code === 'ENOENT') {\n        const usingOverride = process.env['CDK_DOCKER'] === cmd && cmd !== 'docker';\n        reject(\n          new Error(\n            usingOverride\n              ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). ` +\n                  `Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.`\n              : `Failed to find and execute '${cmd}'. Install Docker (or set the ` +\n                  `'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`\n          )\n        );\n      } else {\n        reject(err);\n      }\n    });\n\n    child.once('close', (code) => {\n      const stdout = Buffer.concat(stdoutChunks).toString('utf-8');\n      const stderr = Buffer.concat(stderrChunks).toString('utf-8');\n      if (code === 0) {\n        resolve({ stdout, stderr });\n      } else {\n        const message =\n          stderr.trim() || stdout.trim() || `${cmd} ${args[0] ?? ''} exited with code ${code}`;\n        const err = new Error(message) as SpawnError;\n        err.stderr = stderr;\n        err.stdout = stdout;\n        err.exitCode = code;\n        reject(err);\n      }\n    });\n\n    if (options.input !== undefined) {\n      // Defensive: when spawn() fails (e.g. ENOENT race), the synchronous\n      // write below could emit a stream 'error' event before the close /\n      // error handlers above fire. Without a listener, Node escalates that\n      // to \"Unhandled 'error' event\" on some versions. cdk-local's only `input`\n      // call site is `docker login --password-stdin` with short payloads\n      // that complete well within the syscall, so this is unlikely to fire\n      // in practice — but the no-op listener is free.\n      child.stdin!.on('error', () => {\n        /* surfaced via the outer error/close handlers above */\n      });\n      child.stdin!.write(options.input);\n      child.stdin!.end();\n    }\n  });\n}\n\n/**\n * Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) attached\n * to the parent process's stdio so the user sees live output (`docker pull`\n * layer progress, `docker login` interactive prompts that should never fire\n * with `--password-stdin` but still safe to inherit, etc.). Resolves on exit\n * code 0; rejects with a plain `Error` carrying the exit code on any non-zero\n * exit, so the caller can wrap with its own error class.\n *\n * Differs from {@link runDockerStreaming} in two ways:\n *   1. `stdio: 'inherit'` — output is NOT captured, so terminal control codes\n *      (color, progress bar overwrites) flow through unchanged. This is the\n *      load-bearing reason for the split: `docker pull`'s progress bars only\n *      animate properly when stdout is a real TTY connected to the parent.\n *   2. No `input` / `streamLive` options — inherit-mode has nothing to\n *      capture and nothing to mirror.\n *\n * Used by the `--verbose`-mode `docker pull` plumbing in `docker-runner.ts`\n * and `ecr-puller.ts` (visible layer progress). Non-verbose pulls go through\n * {@link runDockerStreaming} so stderr can be folded into the error message.\n */\nexport async function runDockerForeground(\n  args: string[],\n  options: ForegroundOptions = {}\n): Promise<void> {\n  return spawnForeground(getDockerCmd(), args, options);\n}\n\nexport interface ForegroundOptions {\n  /** Optional working directory for the subprocess. */\n  cwd?: string;\n  /**\n   * Additional environment variables to set. Merged on top of `process.env`\n   * (same semantics as {@link RunDockerOptions.env}).\n   */\n  env?: Record<string, string | undefined>;\n}\n\n/**\n * Foreground (stdio-inherit) spawn — the inherit-mode counterpart to\n * {@link spawnStreaming}. Used by {@link runDockerForeground} for docker-CLI\n * subprocesses.\n *\n * The ENOENT branch crafts a docker-specific install hint (\"Install Docker\n * (or set CDK_DOCKER ...)\"), so non-docker callers reusing this helper\n * would see a misleading error on missing-binary failures. Keep the binary\n * docker-shaped, or update the ENOENT message before adding a non-docker\n * call site.\n */\nexport async function spawnForeground(\n  cmd: string,\n  args: string[],\n  options: ForegroundOptions = {}\n): Promise<void> {\n  const env = options.env ? mergeEnv(options.env) : undefined;\n  return new Promise<void>((resolve, reject) => {\n    const child = spawn(cmd, args, {\n      cwd: options.cwd,\n      env,\n      stdio: 'inherit',\n    });\n    child.once('error', (err: NodeJS.ErrnoException) => {\n      if (err.code === 'ENOENT') {\n        const usingOverride = process.env['CDK_DOCKER'] === cmd && cmd !== 'docker';\n        reject(\n          new Error(\n            usingOverride\n              ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). ` +\n                  `Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.`\n              : `Failed to find and execute '${cmd}'. Install Docker (or set the ` +\n                  `'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`\n          )\n        );\n      } else {\n        reject(new Error(`${cmd} failed: ${err.message}`));\n      }\n    });\n    child.once('close', (code) => {\n      if (code === 0) {\n        resolve();\n      } else {\n        reject(new Error(`${cmd} exited with code ${code}`));\n      }\n    });\n  });\n}\n\n/**\n * Format the stderr from a failed `docker login` so the surfaced cdk-local\n * error gives the user an actionable workaround when the underlying\n * failure is a credential-helper persistence bug (which has nothing to\n * do with cdk-local, AWS, or IAM perms — the docker CLI itself fails to\n * save the auth token to the platform's credential store). The most\n * common shape is `osxkeychain` on macOS rejecting an overwrite for\n * an existing entry, but `wincred` (Windows), `pass` (Linux), and\n * `secretservice` (Linux) hit the same class of `Error saving\n * credentials` failure, so the rewritten message stays platform-\n * agnostic — `docker logout <endpoint>` is the correct recovery on\n * every backend.\n *\n * Detected docker / docker-credential-* output patterns:\n *   - `error storing credentials - err: exit status 1, out: \\`The\n *     specified item already exists in the keychain.\\`` (osxkeychain)\n *   - `Error saving credentials: ...` (any backend)\n *\n * Non-matching failures (genuine IAM / network / endpoint problems)\n * pass through with just the stderr trimmed — the original message\n * stays load-bearing for diagnosis.\n */\nexport function formatDockerLoginError(stderr: string, endpoint: string): string {\n  const trimmed = stderr.trim();\n  const isCredentialHelperFailure =\n    trimmed.includes('already exists in the keychain') ||\n    trimmed.includes('Error saving credentials');\n  if (isCredentialHelperFailure) {\n    return (\n      `docker's credential helper (osxkeychain on macOS / wincred on Windows / pass / secretservice on Linux) ` +\n      `failed to persist the ECR auth token. The \"already exists in the keychain\" / \"Error saving credentials\" ` +\n      `output is a known docker-credential-helpers issue — unrelated to ${getEmbedConfig().productName}, AWS credentials, or IAM perms. ` +\n      `Quick fix: run \\`docker logout ${endpoint}\\` to clear the stale entry, then retry the ${getEmbedConfig().productName} command. ` +\n      `Permanent fix: edit ~/.docker/config.json and remove (or empty) the platform-specific \"credsStore\" entry ` +\n      `(e.g. \"osxkeychain\" → \"\" or \"desktop\" on macOS Docker Desktop). ` +\n      `Original docker stderr: ${trimmed}`\n    );\n  }\n  return trimmed;\n}\n\nfunction mergeEnv(overrides: Record<string, string | undefined>): NodeJS.ProcessEnv {\n  const merged: NodeJS.ProcessEnv = { ...process.env };\n  for (const [k, v] of Object.entries(overrides)) {\n    if (v === undefined) {\n      delete merged[k];\n    } else {\n      merged[k] = v;\n    }\n  }\n  return merged;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAqFA,MAAM,WAAgC;CACpC,SAAS;CACT,YAAY;CACZ,aAAa;CACb,oBAAoB;CACpB,kBAAkB;CAClB,WAAW;CACX,sBAAsB;CACtB,cAAc;CACf;AAED,IAAI,UAA+B;;;;;;;AAQnC,SAAgB,eAAe,QAAoC;CACjE,UAAU;EACR,SAAS,QAAQ,WAAW,SAAS;EACrC,YAAY,QAAQ,cAAc,SAAS;EAC3C,aAAa,QAAQ,eAAe,SAAS;EAC7C,oBAAoB,QAAQ,sBAAsB,SAAS;EAC3D,kBAAkB,QAAQ,oBAAoB,SAAS;EACvD,WAAW,QAAQ,aAAa,SAAS;EACzC,sBAAsB,QAAQ,wBAAwB,SAAS;EAC/D,cAAc,QAAQ,gBAAgB,SAAS;EAChD;;;AAIH,SAAgB,iBAAsC;CACpD,OAAO;;;AAIT,SAAgB,mBAAyB;CACvC,UAAU;;;;;;;;;;;AChGZ,MAAM,SAAS;CACb,OAAO;CACP,QAAQ;CACR,KAAK;CACL,KAAK;CACL,OAAO;CACP,QAAQ;CACR,MAAM;CACN,MAAM;CACN,MAAM;CACP;AAED,SAAS,kBAA0B;CAEjC,wBAAO,IADS,MACN,EAAC,aAAa;;;;;;;;;AAU1B,IAAa,gBAAb,MAA6C;CAC3C,AAAQ;CACR,AAAQ;CAER,YAAY,QAAkB,QAAQ,YAAqB,MAAM;EAC/D,KAAK,QAAQ;EACb,KAAK,YAAY;;CAGnB,AAAQ,UAAU,OAA0B;EAC1C,MAAM,SAAqB;GAAC;GAAS;GAAQ;GAAQ;GAAQ;EAC7D,MAAM,oBAAoB,OAAO,QAAQ,KAAK,MAAM;EAEpD,OAD0B,OAAO,QAAQ,MACjB,IAAI;;CAG9B,AAAQ,cAAc,OAAiB,SAAiB,GAAG,MAAyB;EAClF,MAAM,gBAAgB,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,MAAM,KAAK,UAAU,EAAE,CAAC,CAAC,KAAK,IAAI,GAAG;EAE7F,IAAI,KAAK,UAAU,SAAS;GAC1B,MAAM,YAAY,iBAAiB;GACnC,MAAM,WAAW,MAAM,aAAa,CAAC,OAAO,EAAE;GAE9C,IAAI,KAAK,WAAW;IAOlB,MAAM,aAAa;KALjB,OAAO,OAAO;KACd,MAAM,OAAO;KACb,MAAM,OAAO;KACb,OAAO,OAAO;KAEgB,CAAC;IAEjC,OAAO,GAAG,OAAO,MAAM,YAAY,OAAO,MAAM,GAAG,aAAa,WAAW,OAAO,MAAM,GAAG,UAAU;;GAGvG,OAAO,GAAG,UAAU,GAAG,SAAS,GAAG,UAAU;;EAG/C,IAAI,KAAK,WAAW;GAClB,IAAI,UAAU,SACZ,OAAO,GAAG,OAAO,MAAM,UAAU,gBAAgB,OAAO;GAE1D,IAAI,UAAU,QACZ,OAAO,GAAG,OAAO,SAAS,UAAU,gBAAgB,OAAO;GAE7D,OAAO,GAAG,UAAU;;EAGtB,OAAO,GAAG,UAAU;;CAGtB,AAAQ,KAAK,OAAiB,WAAyB;EACrD,IAAI,UAAU,SAAS,QAAQ,MAAM,UAAU;OAC1C,IAAI,UAAU,QAAQ,QAAQ,KAAK,UAAU;OAC7C,IAAI,UAAU,QAAQ,QAAQ,KAAK,UAAU;OAC7C,QAAQ,MAAM,UAAU;;CAG/B,MAAM,SAAiB,GAAG,MAAuB;EAC/C,IAAI,KAAK,UAAU,QAAQ,EACzB,KAAK,KAAK,SAAS,KAAK,cAAc,SAAS,SAAS,GAAG,KAAK,CAAC;;CAIrE,KAAK,SAAiB,GAAG,MAAuB;EAC9C,IAAI,KAAK,UAAU,OAAO,EACxB,KAAK,KAAK,QAAQ,KAAK,cAAc,QAAQ,SAAS,GAAG,KAAK,CAAC;;CAInE,KAAK,SAAiB,GAAG,MAAuB;EAC9C,IAAI,KAAK,UAAU,OAAO,EACxB,KAAK,KAAK,QAAQ,KAAK,cAAc,QAAQ,SAAS,GAAG,KAAK,CAAC;;CAInE,MAAM,SAAiB,GAAG,MAAuB;EAC/C,IAAI,KAAK,UAAU,QAAQ,EACzB,KAAK,KAAK,SAAS,KAAK,cAAc,SAAS,SAAS,GAAG,KAAK,CAAC;;CAIrE,SAAS,OAAuB;EAC9B,KAAK,QAAQ;;CAGf,WAAqB;EACnB,OAAO,KAAK;;CAGd,MAAM,QAA6B;EACjC,OAAO,IAAI,YAAY,QAAQ,KAAK,UAAU;;;;;;AAOlD,IAAM,cAAN,cAA0B,cAAc;CACtC,AAAiB;CAEjB,YAAY,QAAgB,WAAoB;EAC9C,MAAM,QAAQ,UAAU;EACxB,KAAK,SAAS;;CAGhB,AAAQ,YAAkB;EACxB,IAAI,cACF,KAAK,SAAS,aAAa,UAAU,CAAC;;CAI1C,AAAS,MAAM,SAAiB,GAAG,MAAuB;EACxD,KAAK,WAAW;EAChB,MAAM,MAAM,IAAI,KAAK,OAAO,IAAI,WAAW,GAAG,KAAK;;CAGrD,AAAS,KAAK,SAAiB,GAAG,MAAuB;EACvD,KAAK,WAAW;EAChB,MAAM,MAAM,KAAK,UAAU,KAAK,UAAU,IAAI,KAAK,OAAO,IAAI,YAAY;EAC1E,MAAM,KAAK,KAAK,GAAG,KAAK;;CAG1B,AAAS,KAAK,SAAiB,GAAG,MAAuB;EACvD,KAAK,WAAW;EAChB,MAAM,MAAM,KAAK,UAAU,KAAK,UAAU,IAAI,KAAK,OAAO,IAAI,YAAY;EAC1E,MAAM,KAAK,KAAK,GAAG,KAAK;;CAG1B,AAAS,MAAM,SAAiB,GAAG,MAAuB;EACxD,KAAK,WAAW;EAChB,MAAM,MAAM,KAAK,UAAU,KAAK,UAAU,IAAI,KAAK,OAAO,IAAI,YAAY;EAC1E,MAAM,MAAM,KAAK,GAAG,KAAK;;;AAI7B,IAAI,eAAqC;AAEzC,SAAgB,YAA2B;CACzC,IAAI,CAAC,cACH,eAAe,IAAI,eAAe;CAEpC,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACrKT,SAAgB,eAAuB;CACrC,MAAM,WAAW,QAAQ,IAAI;CAC7B,OAAO,YAAY,SAAS,SAAS,IAAI,WAAW;;;;;;;;;;;;;AA+CtD,eAAsB,mBACpB,MACA,UAA4B,EAAE,EACR;CACtB,OAAO,eAAe,cAAc,EAAE,MAAM,QAAQ;;;;;;;AAQtD,eAAsB,eACpB,KACA,MACA,UAA4B,EAAE,EACR;CACtB,MAAM,aAAa,QAAQ,cAAc,WAAW,CAAC,UAAU,KAAK;CACpE,MAAM,MAAM,QAAQ,MAAM,SAAS,QAAQ,IAAI,GAAG;CAElD,OAAO,IAAI,SAAsB,SAAS,WAAW;EACnD,MAAM,QAAQ,MAAM,KAAK,MAAM;GAC7B,KAAK,QAAQ;GACb;GACA,OAAO;IAAC,QAAQ,QAAQ,SAAS;IAAU;IAAQ;IAAO;GAC3D,CAAC;EAEF,MAAM,eAAyB,EAAE;EACjC,MAAM,eAAyB,EAAE;EAEjC,MAAM,OAAQ,GAAG,SAAS,UAAkB;GAC1C,aAAa,KAAK,MAAM;GACxB,IAAI,YAAY,QAAQ,OAAO,MAAM,MAAM;IAC3C;EACF,MAAM,OAAQ,GAAG,SAAS,UAAkB;GAC1C,aAAa,KAAK,MAAM;GACxB,IAAI,YAAY,QAAQ,OAAO,MAAM,MAAM;IAC3C;EAEF,MAAM,KAAK,UAAU,QAA+B;GAClD,IAAI,IAAI,SAAS,UAAU;IACzB,MAAM,gBAAgB,QAAQ,IAAI,kBAAkB,OAAO,QAAQ;IACnE,uBACE,IAAI,MACF,gBACI,+BAA+B,IAAI,wCACrB,IAAI,mDAClB,+BAA+B,IAAI,iHAExC,CACF;UAED,OAAO,IAAI;IAEb;EAEF,MAAM,KAAK,UAAU,SAAS;GAC5B,MAAM,SAAS,OAAO,OAAO,aAAa,CAAC,SAAS,QAAQ;GAC5D,MAAM,SAAS,OAAO,OAAO,aAAa,CAAC,SAAS,QAAQ;GAC5D,IAAI,SAAS,GACX,QAAQ;IAAE;IAAQ;IAAQ,CAAC;QACtB;IACL,MAAM,UACJ,OAAO,MAAM,IAAI,OAAO,MAAM,IAAI,GAAG,IAAI,GAAG,KAAK,MAAM,GAAG,oBAAoB;IAChF,MAAM,MAAM,IAAI,MAAM,QAAQ;IAC9B,IAAI,SAAS;IACb,IAAI,SAAS;IACb,IAAI,WAAW;IACf,OAAO,IAAI;;IAEb;EAEF,IAAI,QAAQ,UAAU,QAAW;GAQ/B,MAAM,MAAO,GAAG,eAAe,GAE7B;GACF,MAAM,MAAO,MAAM,QAAQ,MAAM;GACjC,MAAM,MAAO,KAAK;;GAEpB;;;;;;;;;;;;;;;;;;;;;;AAuBJ,eAAsB,oBACpB,MACA,UAA6B,EAAE,EAChB;CACf,OAAO,gBAAgB,cAAc,EAAE,MAAM,QAAQ;;;;;;;;;;;;;AAwBvD,eAAsB,gBACpB,KACA,MACA,UAA6B,EAAE,EAChB;CACf,MAAM,MAAM,QAAQ,MAAM,SAAS,QAAQ,IAAI,GAAG;CAClD,OAAO,IAAI,SAAe,SAAS,WAAW;EAC5C,MAAM,QAAQ,MAAM,KAAK,MAAM;GAC7B,KAAK,QAAQ;GACb;GACA,OAAO;GACR,CAAC;EACF,MAAM,KAAK,UAAU,QAA+B;GAClD,IAAI,IAAI,SAAS,UAAU;IACzB,MAAM,gBAAgB,QAAQ,IAAI,kBAAkB,OAAO,QAAQ;IACnE,uBACE,IAAI,MACF,gBACI,+BAA+B,IAAI,wCACrB,IAAI,mDAClB,+BAA+B,IAAI,iHAExC,CACF;UAED,uBAAO,IAAI,MAAM,GAAG,IAAI,WAAW,IAAI,UAAU,CAAC;IAEpD;EACF,MAAM,KAAK,UAAU,SAAS;GAC5B,IAAI,SAAS,GACX,SAAS;QAET,uBAAO,IAAI,MAAM,GAAG,IAAI,oBAAoB,OAAO,CAAC;IAEtD;GACF;;;;;;;;;;;;;;;;;;;;;;;;AAyBJ,SAAgB,uBAAuB,QAAgB,UAA0B;CAC/E,MAAM,UAAU,OAAO,MAAM;CAI7B,IAFE,QAAQ,SAAS,iCAAiC,IAClD,QAAQ,SAAS,2BAA2B,EAE5C,OACE,mRAEoE,gBAAgB,CAAC,YAAY,kEAC/D,SAAS,8CAA8C,gBAAgB,CAAC,YAAY,6MAG3F;CAG/B,OAAO;;AAGT,SAAS,SAAS,WAAkE;CAClF,MAAM,SAA4B,EAAE,GAAG,QAAQ,KAAK;CACpD,KAAK,MAAM,CAAC,GAAG,MAAM,OAAO,QAAQ,UAAU,EAC5C,IAAI,MAAM,QACR,OAAO,OAAO;MAEd,OAAO,KAAK;CAGhB,OAAO"}

package/dist/index.d.ts

@@ -78,6 +78,8 @@ interface CrossStackResolver {
 interface SubstitutionContext {
   resources: Record<string, ResourceState>;
   parameters?: Record<string, string>;
+  sensitiveParameters?: ReadonlySet<string>;
+  onSensitiveParameterConsumed?: (logicalId: string) => void;
   pseudoParameters?: PseudoParameters;
   crossStackResolver?: CrossStackResolver;
   consumerRegion?: string;
@@ -90,6 +92,7 @@ interface StateEnvSubstitutionAudit {
     key: string;
     reason: string;
   }>;
+  sensitiveKeys: string[];
 }
 declare function substituteEnvVarsFromState(templateEnv: Record<string, unknown> | undefined, contextOrResources: SubstitutionContext | Record<string, ResourceState>): {
   env: Record<string, unknown>;
@@ -100,6 +103,19 @@ declare function substituteEnvVarsFromStateAsync(templateEnv: Record<string, unk
   audit: StateEnvSubstitutionAudit;
 }>;
 //#endregion
+//#region src/local/ssm-parameter-resolver.d.ts
+interface SsmParameterRef {
+  logicalId: string;
+  ssmName: string;
+  isList: boolean;
+}
+interface ResolvedSsmParameters {
+  values: Record<string, string>;
+  secureStringLogicalIds: string[];
+}
+declare function collectSsmParameterRefs(template: Pick<CloudFormationTemplate, 'Parameters'> | undefined): SsmParameterRef[];
+declare function resolveSsmParameters(client: SSMClient, refs: readonly SsmParameterRef[], label: string): Promise<ResolvedSsmParameters>;
+//#endregion
 //#region src/local/local-state-provider.d.ts
 interface LocalStateRecord {
   resources: Record<string, ResourceState>;
@@ -111,7 +127,7 @@ interface LocalStateProvider {
   load(stackName: string, synthRegion: string | undefined): Promise<LocalStateRecord | undefined>;
   buildCrossStackResolver(consumerRegion: string): Promise<CrossStackResolver | undefined>;
   resolveDeployedFunctionEnv?(functionPhysicalId: string): Promise<Record<string, string> | undefined>;
-  resolveTemplateSsmParameters?(template: CloudFormationTemplate): Promise<Record<string, string>>;
+  resolveTemplateSsmParameters?(template: CloudFormationTemplate): Promise<ResolvedSsmParameters>;
   dispose(): void;
 }
 //#endregion
@@ -192,6 +208,77 @@ interface CreateLocalInvokeCommandOptions {
 }
 declare function createLocalInvokeCommand(opts?: CreateLocalInvokeCommandOptions): Command;
 //#endregion
+//#region src/local/intrinsic-image.d.ts
+interface ImageResolutionContext {
+  pseudoParameters?: {
+    accountId?: string;
+    region?: string;
+    partition?: string;
+    urlSuffix?: string;
+  };
+  stateResources?: Record<string, ResourceState>;
+  stateParameters?: Record<string, string>;
+  stateSensitiveParameters?: readonly string[];
+}
+declare function derivePseudoParametersFromRegion(region: string | undefined, accountId?: string): {
+  accountId?: string;
+  region: string;
+  partition: string;
+  urlSuffix: string;
+} | undefined;
+type FnJoinResolveOutcome = {
+  kind: 'not-applicable';
+} | {
+  kind: 'resolved';
+  uri: string;
+} | {
+  kind: 'needs-state';
+  repoLogicalId: string;
+} | {
+  kind: 'unsupported-join';
+  reason: string;
+};
+declare function tryResolveImageFnJoin(raw: unknown, resources: Record<string, TemplateResource>, context: ImageResolutionContext | undefined): FnJoinResolveOutcome;
+declare function substituteImagePlaceholders(flat: string, resources: Record<string, TemplateResource>, context: ImageResolutionContext | undefined): string;
+//#endregion
+//#region src/local/agentcore-resolver.d.ts
+declare const AGENTCORE_RUNTIME_TYPE = "AWS::BedrockAgentCore::Runtime";
+declare const AGENTCORE_HTTP_PROTOCOL = "HTTP";
+interface ResolvedAgentCoreRuntime {
+  stack: StackInfo;
+  logicalId: string;
+  resource: TemplateResource;
+  containerUri: string;
+  environmentVariables: Record<string, unknown>;
+  roleArn?: string;
+  protocol: string;
+}
+declare class AgentCoreResolutionError extends Error {
+  constructor(message: string);
+}
+declare function resolveAgentCoreTarget(target: string, stacks: StackInfo[], imageContext?: ImageResolutionContext): ResolvedAgentCoreRuntime;
+//#endregion
+//#region src/local/agentcore-client.d.ts
+declare const AGENTCORE_SESSION_ID_HEADER = "X-Amzn-Bedrock-AgentCore-Runtime-Session-Id";
+interface AgentCoreInvokeResult {
+  status: number;
+  contentType: string | null;
+  raw: string;
+}
+declare function waitForAgentCorePing(host: string, port: number, timeoutMs?: number): Promise<void>;
+interface InvokeAgentCoreOptions {
+  sessionId: string;
+  timeoutMs: number;
+}
+declare function invokeAgentCore(host: string, port: number, event: unknown, options: InvokeAgentCoreOptions): Promise<AgentCoreInvokeResult>;
+//#endregion
+//#region src/cli/commands/local-invoke-agentcore.d.ts
+interface CreateLocalInvokeAgentCoreCommandOptions {
+  extraStateProviders?: ExtraStateProviders;
+  embedConfig?: CdkLocalEmbedConfig;
+}
+declare function createLocalInvokeAgentCoreCommand(opts?: CreateLocalInvokeAgentCoreCommandOptions): Command;
+//#endregion
 //#region src/cli/config-loader.d.ts
 interface CdkWatchConfig {
   include: string[];
@@ -528,38 +615,6 @@ interface ApiTargetSubset {
 declare function resolveApiTargetSubset(routes: readonly RouteWithAuth[], identifiers: readonly string[], stackNames: readonly string[]): ApiTargetSubset;
 declare function createLocalStartApiCommand(opts?: CreateLocalStartApiCommandOptions): Command;
 //#endregion
-//#region src/local/intrinsic-image.d.ts
-interface ImageResolutionContext {
-  pseudoParameters?: {
-    accountId?: string;
-    region?: string;
-    partition?: string;
-    urlSuffix?: string;
-  };
-  stateResources?: Record<string, ResourceState>;
-  stateParameters?: Record<string, string>;
-}
-declare function derivePseudoParametersFromRegion(region: string | undefined, accountId?: string): {
-  accountId?: string;
-  region: string;
-  partition: string;
-  urlSuffix: string;
-} | undefined;
-type FnJoinResolveOutcome = {
-  kind: 'not-applicable';
-} | {
-  kind: 'resolved';
-  uri: string;
-} | {
-  kind: 'needs-state';
-  repoLogicalId: string;
-} | {
-  kind: 'unsupported-join';
-  reason: string;
-};
-declare function tryResolveImageFnJoin(raw: unknown, resources: Record<string, TemplateResource>, context: ImageResolutionContext | undefined): FnJoinResolveOutcome;
-declare function substituteImagePlaceholders(flat: string, resources: Record<string, TemplateResource>, context: ImageResolutionContext | undefined): string;
-//#endregion
 //#region src/local/ecs-task-resolver.d.ts
 declare class EcsTaskResolutionError extends Error {
   constructor(message: string);
@@ -592,6 +647,7 @@ interface TargetListing {
   apis: TargetEntry[];
   ecsServices: TargetEntry[];
   ecsTaskDefinitions: TargetEntry[];
+  agentCoreRuntimes: TargetEntry[];
 }
 declare function listTargets(stacks: readonly StackInfo[]): TargetListing;
 declare function countTargets(listing: TargetListing): number;
@@ -625,22 +681,13 @@ declare class CfnLocalStateProvider implements LocalStateProvider {
   private getClient;
   private getLambdaClient;
   private getSsmClient;
-  resolveTemplateSsmParameters(template: CloudFormationTemplate): Promise<Record<string, string>>;
+  resolveTemplateSsmParameters(template: CloudFormationTemplate): Promise<ResolvedSsmParameters>;
   resolveDeployedFunctionEnv(functionPhysicalId: string): Promise<Record<string, string> | undefined>;
   load(_stackName: string, _synthRegion: string | undefined): Promise<LocalStateRecord | undefined>;
   buildCrossStackResolver(_consumerRegion: string): Promise<CrossStackResolver | undefined>;
   dispose(): void;
 }
 //#endregion
-//#region src/local/ssm-parameter-resolver.d.ts
-interface SsmParameterRef {
-  logicalId: string;
-  ssmName: string;
-  isList: boolean;
-}
-declare function collectSsmParameterRefs(template: Pick<CloudFormationTemplate, 'Parameters'> | undefined): SsmParameterRef[];
-declare function resolveSsmParameters(client: SSMClient, refs: readonly SsmParameterRef[], label: string): Promise<Record<string, string>>;
-//#endregion
 //#region src/local/intrinsic-utils.d.ts
 declare function pickRefLogicalId(value: unknown): string | null;
 //#endregion
@@ -1084,5 +1131,5 @@ interface FileWatcherOptions {
 }
 declare function createFileWatcher(options: FileWatcherOptions): FileWatcher;
 //#endregion
-export { type ApiServerGroup, type ApiTargetSubset, type AuthorizerCache, type AuthorizerEventOverlay, type AuthorizerInfo, type BuildContainerImageOptions, type CachedAuthorizerResult, type CdkLocalEmbedConfig, type CdkWatchConfig, CfnLocalStateProvider, type CfnLocalStateProviderOptions, type CloudMapIndex, CloudMapRegistry, ConnectionRegistry, type ConnectionRegistryEntry, type CorsConfig, type CreateLocalInvokeCommandOptions, type CreateLocalListCommandOptions, type CreateLocalRunTaskCommandOptions, type CreateLocalStartApiCommandOptions, type CreateLocalStartServiceCommandOptions, type CredentialsLoader, type CrossStackResolver, type DiscoveredRoute, type DiscoveredWebSocketApi, EcsTaskResolutionError, type EnvOverrideFile, type ExtraStateProviders, type FileWatcher, type FileWatcherOptions, type FormatTargetListingOptions, HOST_GATEWAY_MIN_VERSION, type HttpRequestSnapshot, type ImageResolutionContext, type IntegrationResponseEntry, type JwksCache, type LambdaArnResolveOutcome, LocalInvokeBuildError, type LocalStateProvider, type LocalStateProviderFactory, type LocalStateRecord, LocalStateSourceError, type LocalStateSourceOptions, type MatchedRouteContext, type MtlsServerConfig, type PseudoParameters, type RegistrationHandle, type RequestParameterContext, type ResolveParametersOutcome, type ResolvedStage, type RestV1IntegrationConfig, type RouteMatchResult, type RouteWithAuth, type ServerState, type SsmParameterRef, type StartedApiServer, type StateEnvSubstitutionAudit, type SubstitutionContext, type TargetEntry, type TargetListing, type TranslatedHttpResponse, VtlEvaluationError, type WatchPredicates, type WebSocketHandshakeSnapshot, type WebSocketLambdaEvent, type WebSocketRouteEntry, applyAuthorizerOverlay, applyCorsResponseHeaders, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildCloudMapIndex, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildHttpApiV2Event, buildJwksUrlFromIssuer, buildMessageEvent, buildMethodArn, buildMgmtEndpointEnvUrl, buildRestV1Event, buildStageMap, collectSsmParameterRefs, computeRequestIdentityHash, countTargets, createAuthorizerCache, createFileWatcher, createJwksCache, createLocalInvokeCommand, createLocalListCommand, createLocalRunTaskCommand, createLocalStartApiCommand, createLocalStartServiceCommand, createLocalStateProvider, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, discoverWebSocketApisOrThrow, evaluateCachedLambdaPolicy, evaluateResponseParameters, filterRoutesByApiIdentifier, filterRoutesByApiIdentifiers, formatTargetListing, getContainerNetworkIp, getEmbedConfig, groupRoutesByServer, handleConnectionsRequest, invokeRequestAuthorizer, invokeTokenAuthorizer, isCfnFlagPresent, isFunctionUrlOacFronted, listTargets, matchPreflight, matchRoute, materializeLayerFromArn, parseConnectionsPath, parseSelectionExpressionPath, pickRefLogicalId, pickResponseTemplate, probeHostGatewaySupport, readMtlsMaterialsFromDisk, rejectExplicitCfnStackWithMultipleStacks, resetEmbedConfig, resolveApiTargetSubset, resolveCfnFallbackRegion, resolveCfnRegion, resolveCfnStackName, resolveEnvVars, resolveLambdaArnIntrinsic, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSelectionExpression, resolveServiceIntegrationParameters, resolveSsmParameters, resolveWatchConfig, selectIntegrationResponse, setEmbedConfig, startApiServer, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync, substituteImagePlaceholders, translateLambdaResponse, tryParseStatus, tryResolveImageFnJoin, verifyCognitoJwt, verifyJwtAuthorizer };
+export { AGENTCORE_HTTP_PROTOCOL, AGENTCORE_RUNTIME_TYPE, AGENTCORE_SESSION_ID_HEADER, type AgentCoreInvokeResult, AgentCoreResolutionError, type ApiServerGroup, type ApiTargetSubset, type AuthorizerCache, type AuthorizerEventOverlay, type AuthorizerInfo, type BuildContainerImageOptions, type CachedAuthorizerResult, type CdkLocalEmbedConfig, type CdkWatchConfig, CfnLocalStateProvider, type CfnLocalStateProviderOptions, type CloudMapIndex, CloudMapRegistry, ConnectionRegistry, type ConnectionRegistryEntry, type CorsConfig, type CreateLocalInvokeAgentCoreCommandOptions, type CreateLocalInvokeCommandOptions, type CreateLocalListCommandOptions, type CreateLocalRunTaskCommandOptions, type CreateLocalStartApiCommandOptions, type CreateLocalStartServiceCommandOptions, type CredentialsLoader, type CrossStackResolver, type DiscoveredRoute, type DiscoveredWebSocketApi, EcsTaskResolutionError, type EnvOverrideFile, type ExtraStateProviders, type FileWatcher, type FileWatcherOptions, type FormatTargetListingOptions, HOST_GATEWAY_MIN_VERSION, type HttpRequestSnapshot, type ImageResolutionContext, type IntegrationResponseEntry, type InvokeAgentCoreOptions, type JwksCache, type LambdaArnResolveOutcome, LocalInvokeBuildError, type LocalStateProvider, type LocalStateProviderFactory, type LocalStateRecord, LocalStateSourceError, type LocalStateSourceOptions, type MatchedRouteContext, type MtlsServerConfig, type PseudoParameters, type RegistrationHandle, type RequestParameterContext, type ResolveParametersOutcome, type ResolvedAgentCoreRuntime, type ResolvedSsmParameters, type ResolvedStage, type RestV1IntegrationConfig, type RouteMatchResult, type RouteWithAuth, type ServerState, type SsmParameterRef, type StartedApiServer, type StateEnvSubstitutionAudit, type SubstitutionContext, type TargetEntry, type TargetListing, type TranslatedHttpResponse, VtlEvaluationError, type WatchPredicates, type WebSocketHandshakeSnapshot, type WebSocketLambdaEvent, type WebSocketRouteEntry, applyAuthorizerOverlay, applyCorsResponseHeaders, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildCloudMapIndex, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildHttpApiV2Event, buildJwksUrlFromIssuer, buildMessageEvent, buildMethodArn, buildMgmtEndpointEnvUrl, buildRestV1Event, buildStageMap, collectSsmParameterRefs, computeRequestIdentityHash, countTargets, createAuthorizerCache, createFileWatcher, createJwksCache, createLocalInvokeAgentCoreCommand, createLocalInvokeCommand, createLocalListCommand, createLocalRunTaskCommand, createLocalStartApiCommand, createLocalStartServiceCommand, createLocalStateProvider, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, discoverWebSocketApisOrThrow, evaluateCachedLambdaPolicy, evaluateResponseParameters, filterRoutesByApiIdentifier, filterRoutesByApiIdentifiers, formatTargetListing, getContainerNetworkIp, getEmbedConfig, groupRoutesByServer, handleConnectionsRequest, invokeAgentCore, invokeRequestAuthorizer, invokeTokenAuthorizer, isCfnFlagPresent, isFunctionUrlOacFronted, listTargets, matchPreflight, matchRoute, materializeLayerFromArn, parseConnectionsPath, parseSelectionExpressionPath, pickRefLogicalId, pickResponseTemplate, probeHostGatewaySupport, readMtlsMaterialsFromDisk, rejectExplicitCfnStackWithMultipleStacks, resetEmbedConfig, resolveAgentCoreTarget, resolveApiTargetSubset, resolveCfnFallbackRegion, resolveCfnRegion, resolveCfnStackName, resolveEnvVars, resolveLambdaArnIntrinsic, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSelectionExpression, resolveServiceIntegrationParameters, resolveSsmParameters, resolveWatchConfig, selectIntegrationResponse, setEmbedConfig, startApiServer, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync, substituteImagePlaceholders, translateLambdaResponse, tryParseStatus, tryResolveImageFnJoin, verifyCognitoJwt, verifyJwtAuthorizer, waitForAgentCorePing };
 //# sourceMappingURL=index.d.ts.map