cdk-local 0.36.1 → 0.37.0

package/dist/{local-list-D1MAmo5o.js → local-list-Dklrlnu1.js}

@@ -24,7 +24,7 @@ import { setTimeout as setTimeout$1 } from "node:timers/promises";
 import { readFile } from "fs/promises";
 import { join as join$1 } from "path";
 import { WebSocketServer } from "ws";
-import { createServer as createServer$1 } from "node:http";
+import { createServer as createServer$1, request } from "node:http";
 import { createServer as createServer$2 } from "node:https";
 import * as chokidar from "chokidar";
 import graphlib from "graphlib";
@@ -794,7 +794,7 @@ function parseTarget(target) {
 function resolveLambdaTarget(target, stacks) {
 	if (stacks.length === 0) throw new LocalInvokeResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseTarget(target);
-	const stack = pickStack$3(parsed, stacks);
+	const stack = pickStack$4(parsed, stacks);
 	const template = stack.template;
 	const resources = template.Resources ?? {};
 	let match;
@@ -828,7 +828,7 @@ function resolveLambdaTarget(target, stacks) {
 * user may omit the stack prefix. Otherwise an explicit stack pattern is
 * required.
 */
-function pickStack$3(parsed, stacks) {
+function pickStack$4(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new LocalInvokeResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -1222,7 +1222,7 @@ var AgentCoreResolutionError = class AgentCoreResolutionError extends Error {
 function resolveAgentCoreTarget(target, stacks, imageContext) {
 	if (stacks.length === 0) throw new AgentCoreResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseTarget(target);
-	const stack = pickStack$2(parsed, stacks);
+	const stack = pickStack$3(parsed, stacks);
 	const resources = stack.template.Resources ?? {};
 	const { logicalId, resource } = matchRuntime(parsed, target, stack, resources);
 	if (resource.Type !== "AWS::BedrockAgentCore::Runtime") throw new AgentCoreResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not ${AGENTCORE_RUNTIME_TYPE}. ${getEmbedConfig().cliName} invoke-agentcore only runs Bedrock AgentCore Runtime resources.`);
@@ -1234,7 +1234,7 @@ function resolveAgentCoreTarget(target, stacks, imageContext) {
 * Mirrors the Lambda / ECS resolvers' behavior via the shared
 * stack-matcher.
 */
-function pickStack$2(parsed, stacks) {
+function pickStack$3(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new AgentCoreResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -2974,12 +2974,30 @@ function listApiSurfaces(stacks) {
 	return [...byKey.values()];
 }
 /**
-* Walk every synthesized stack and collect the resources the four
-* `cdkl` commands can run locally, grouped by command.
+* Enumerate the application Load Balancers `cdkl start-alb` can front. Only
+* `Type: application` (the default) is included — NLBs / Gateway LBs are a
+* different architecture the local front-door does not emulate.
+*/
+function scanApplicationLoadBalancers(stacks) {
+	const entries = [];
+	for (const stack of stacks) {
+		const resources = stack.template.Resources ?? {};
+		for (const [logicalId, resource] of Object.entries(resources)) {
+			if (resource.Type !== "AWS::ElasticLoadBalancingV2::LoadBalancer") continue;
+			const type = resource.Properties?.["Type"];
+			if (type !== void 0 && type !== "application") continue;
+			entries.push(makeEntry(stack.stackName, logicalId, readCdkPathOrUndefined(resource)));
+		}
+	}
+	return entries;
+}
+/**
+* Walk every synthesized stack and collect the resources the `cdkl` commands
+* can run locally, grouped by command.
 *
 * Pure over the synthesized {@link StackInfo}[] — no Docker / AWS /
-* filesystem access — so both `cdkl list` and (future) interactive
-* target pickers can share it.
+* filesystem access — so both `cdkl list` and the interactive target
+* pickers can share it.
 */
 function listTargets(stacks) {
 	return {
@@ -2987,7 +3005,8 @@ function listTargets(stacks) {
 		apis: sortApiEntries(listApiSurfaces(stacks)),
 		ecsServices: sortEntries(scanByType(stacks, "AWS::ECS::Service")),
 		ecsTaskDefinitions: sortEntries(scanByType(stacks, "AWS::ECS::TaskDefinition")),
-		agentCoreRuntimes: sortEntries(scanByType(stacks, AGENTCORE_RUNTIME_TYPE))
+		agentCoreRuntimes: sortEntries(scanByType(stacks, AGENTCORE_RUNTIME_TYPE)),
+		loadBalancers: sortEntries(scanApplicationLoadBalancers(stacks))
 	};
 }
 const pathOf = (e) => e.displayPath ?? e.qualifiedId;
@@ -3019,7 +3038,7 @@ function sortApiEntries(entries) {
 }
 /** Total number of targets across every category. */
 function countTargets(listing) {
-	return listing.lambdas.length + listing.apis.length + listing.ecsServices.length + listing.ecsTaskDefinitions.length + listing.agentCoreRuntimes.length;
+	return listing.lambdas.length + listing.apis.length + listing.ecsServices.length + listing.ecsTaskDefinitions.length + listing.agentCoreRuntimes.length + listing.loadBalancers.length;
 }
 
 //#endregion
@@ -5333,7 +5352,7 @@ function parseEcsTarget(target) {
 function resolveEcsTaskTarget(target, stacks, context) {
 	if (stacks.length === 0) throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseEcsTarget(target);
-	const stack = pickStack$1(parsed, stacks);
+	const stack = pickStack$2(parsed, stacks);
 	const resources = stack.template.Resources ?? {};
 	let logicalId;
 	let resource;
@@ -5354,7 +5373,7 @@ function resolveEcsTaskTarget(target, stacks, context) {
 	if (resource.Type !== "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`);
 	return extractTaskDefinitionProperties(stack, logicalId, resource, context);
 }
-function pickStack$1(parsed, stacks) {
+function pickStack$2(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new EcsTaskResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -13976,7 +13995,7 @@ async function startApiServer(opts) {
 	const requestHandler = (req, res) => {
 		handleRequest(req, res, currentState, opts).catch((err) => {
 			logger.error(`Unhandled request error: ${err instanceof Error ? err.stack ?? err.message : String(err)}`);
-			if (!res.headersSent) writeError(res, 502);
+			if (!res.headersSent) writeError$1(res, 502);
 		});
 	};
 	const server = opts.mtls ? createServer$2({
@@ -14049,7 +14068,7 @@ async function handleRequest(req, res, state, opts) {
 		if (await opts.preDispatch(req, res)) return;
 	} catch (err) {
 		logger.error(`preDispatch hook threw: ${err instanceof Error ? err.stack ?? err.message : String(err)}`);
-		if (!res.headersSent) writeError(res, 502);
+		if (!res.headersSent) writeError$1(res, 502);
 		return;
 	}
 	const bodyBuf = await readBody(req);
@@ -14059,7 +14078,7 @@ async function handleRequest(req, res, state, opts) {
 	if (method === "OPTIONS" ? maybeHandleCorsPreflight(req, res, requestPath, state) : false) return;
 	const match = matchRoute(method, requestPath, state.routes.map((r) => r.route));
 	if (!match) {
-		writeError(res, 404, "{\"message\":\"Not Found\"}");
+		writeError$1(res, 404, "{\"message\":\"Not Found\"}");
 		return;
 	}
 	const requestOrigin = pickFirstHeaderValue(collectHeaders(req), "origin") ?? void 0;
@@ -14125,7 +14144,7 @@ async function handleRequest(req, res, state, opts) {
 			logger.error(`REST v1 ${match.route.restV1Integration.kind} dispatch failed for ${match.route.declaredAt}: ${err instanceof Error ? err.message : String(err)}`);
 			if (!res.headersSent) {
 				applyCors();
-				writeError(res, 502);
+				writeError$1(res, 502);
 			} else res.end();
 		}
 		return;
@@ -14136,7 +14155,7 @@ async function handleRequest(req, res, state, opts) {
 	} catch (err) {
 		logger.error(`Failed to acquire container for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
 		applyCors();
-		writeError(res, 502);
+		writeError$1(res, 502);
 		return;
 	}
 	if (match.route.invokeMode === "RESPONSE_STREAM") {
@@ -14156,7 +14175,7 @@ async function handleRequest(req, res, state, opts) {
 			logger.error(`RIE streaming invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
 			if (!res.headersSent) {
 				applyCors();
-				writeError(res, 502);
+				writeError$1(res, 502);
 			} else res.end();
 			state.pool.release(handle);
 			return;
@@ -14173,7 +14192,7 @@ async function handleRequest(req, res, state, opts) {
 		logger.error(`RIE invoke failed for ${match.route.lambdaLogicalId}: ${err instanceof Error ? err.message : String(err)}`);
 		if (!res.headersSent) {
 			applyCors();
-			writeError(res, 502);
+			writeError$1(res, 502);
 		} else res.end();
 	} finally {
 		state.pool.release(handle);
@@ -14582,25 +14601,25 @@ function buildOverlay(authorizer, result, routeApiVersion) {
 function writeAuthRejection(res, apiVersion, denyKind, authorizerKind) {
 	if (apiVersion === "v1" && authorizerKind === "iam") {
 		if (denyKind === "missing-identity") {
-			writeError(res, 403, "{\"message\":\"Missing Authentication Token\"}");
+			writeError$1(res, 403, "{\"message\":\"Missing Authentication Token\"}");
 			return;
 		}
-		writeError(res, 403, "{\"message\":\"Forbidden\"}");
+		writeError$1(res, 403, "{\"message\":\"Forbidden\"}");
 		return;
 	}
 	if (apiVersion === "v2" && authorizerKind === "iam") {
-		writeError(res, 403, "{\"Message\":\"Forbidden\"}");
+		writeError$1(res, 403, "{\"Message\":\"Forbidden\"}");
 		return;
 	}
 	if (apiVersion === "v2") {
-		writeError(res, 401, "{\"message\":\"Unauthorized\"}");
+		writeError$1(res, 401, "{\"message\":\"Unauthorized\"}");
 		return;
 	}
 	if (denyKind === "missing-identity") {
-		writeError(res, 401, "{\"message\":\"Unauthorized\"}");
+		writeError$1(res, 401, "{\"message\":\"Unauthorized\"}");
 		return;
 	}
-	writeError(res, 403, "{\"message\":\"Forbidden\"}");
+	writeError$1(res, 403, "{\"message\":\"Forbidden\"}");
 }
 function hashOne(value) {
 	return value;
@@ -14688,7 +14707,7 @@ function collectHeaders(req) {
 * the handler at all (no matching route, container acquire failed, RIE
 * unreachable).
 */
-function writeError(res, statusCode, body = "{\"message\":\"Internal server error\"}") {
+function writeError$1(res, statusCode, body = "{\"message\":\"Internal server error\"}") {
 	res.statusCode = statusCode;
 	res.setHeader("content-type", "application/json");
 	res.setHeader("content-length", String(Buffer.byteLength(body, "utf-8")));
@@ -14723,7 +14742,7 @@ async function handleServiceIntegrationRequest(req, res, match, bodyBuf, opts, a
 	const route = match.route;
 	const svc = route.serviceIntegration;
 	if (!svc) {
-		writeError(res, 500);
+		writeError$1(res, 500);
 		return;
 	}
 	const rawUrl = req.url ?? "/";
@@ -18007,6 +18026,7 @@ async function runEcsTask(task, options, state) {
 			sidecarIp: state.network.sidecarIp,
 			...options.skipHostPortPublish ? { skipHostPortPublish: true } : {},
 			...options.hostPortOverrides ? { hostPortOverrides: options.hostPortOverrides } : {},
+			...options.ephemeralPublishContainerPorts && options.ephemeralPublishContainerPorts.length > 0 ? { ephemeralPublishContainerPorts: options.ephemeralPublishContainerPorts } : {},
 			...options.addHostFlags && options.addHostFlags.length > 0 ? { addHostFlags: options.addHostFlags } : {},
 			...(options.networkAliasesByContainer?.get(container.name)?.length ?? 0) > 0 ? { networkAliases: options.networkAliasesByContainer.get(container.name) } : {},
 			...options.profileCredentialsFile && { profileCredentialsFile: options.profileCredentialsFile }
@@ -18368,12 +18388,22 @@ function buildDockerRunArgs(opts) {
 	if (opts.addHostFlags && opts.addHostFlags.length > 0) for (const f of opts.addHostFlags) args.push(f);
 	if (opts.platformOverride) args.push("--platform", opts.platformOverride);
 	else if (task.runtimePlatform) args.push("--platform", task.runtimePlatform.cpuArchitecture === "ARM64" ? "linux/arm64" : "linux/amd64");
+	const ephemeralPorts = new Set(opts.ephemeralPublishContainerPorts ?? []);
 	if (!opts.skipHostPortPublish) for (const pm of container.portMappings) {
+		if (ephemeralPorts.has(pm.containerPort)) continue;
 		const declaredHostPort = pm.hostPort ?? pm.containerPort;
 		const hostPort = opts.hostPortOverrides?.[pm.containerPort] ?? declaredHostPort;
 		if (hostPort !== declaredHostPort) getLogger().child("ecs").info(`Container '${container.name}' container port ${pm.containerPort} published on ${containerHost}:${hostPort} (--host-port override). Reach it at ${containerHost}:${hostPort}.`);
 		args.push("-p", `${containerHost}:${hostPort}:${pm.containerPort}/${pm.protocol}`);
 	}
+	if (ephemeralPorts.size > 0) {
+		const alreadyEphemeral = /* @__PURE__ */ new Set();
+		for (const pm of container.portMappings) {
+			if (!ephemeralPorts.has(pm.containerPort) || alreadyEphemeral.has(pm.containerPort)) continue;
+			alreadyEphemeral.add(pm.containerPort);
+			args.push("-p", `${containerHost}::${pm.containerPort}/${pm.protocol}`);
+		}
+	}
 	if (opts.profileCredentialsFile) args.push("-v", `${opts.profileCredentialsFile.hostPath}:${opts.profileCredentialsFile.containerPath}:ro`);
 	for (const mp of container.mountPoints) {
 		const v = volumeByName.get(mp.sourceVolume);
@@ -18772,7 +18802,7 @@ function createLocalRunTaskCommand(opts = {}) {
 function resolveEcsServiceTarget(target, stacks, context) {
 	if (stacks.length === 0) throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseEcsTarget(target);
-	const stack = pickStack(parsed, stacks);
+	const stack = pickStack$1(parsed, stacks);
 	const resources = stack.template.Resources ?? {};
 	let serviceLogicalId;
 	let serviceResource;
@@ -18974,7 +19004,7 @@ function parseServiceName(raw, serviceLogicalId) {
 * service-specific extensions (e.g. cross-stack service-to-task refs)
 * can diverge without breaking the run-task code path.
 */
-function pickStack(parsed, stacks) {
+function pickStack$1(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new EcsTaskResolutionError(`Target has no stack prefix, and the assembly contains ${stacks.length} stacks: ${stacks.map((s) => s.stackName).join(", ")}. Pass the target as 'Stack/Path' or 'Stack:LogicalId'.`);
@@ -19042,6 +19072,35 @@ async function getContainerNetworkIp(containerId, networkName) {
 		return;
 	}
 }
+/**
+* Issue #86 v1 helper — read back the docker-assigned host port a container
+* port was published on. The local ALB front-door publishes each replica's
+* target container port on an ephemeral host port (`-p <host>::<containerPort>`)
+* and round-robins to `127.0.0.1:<hostPort>`; this resolves that host port
+* after the replica boots.
+*
+* Uses a nil-safe Go template (`with index`) so a container that did NOT
+* publish the port yields empty output instead of a template error. Returns
+* `undefined` when the port is unpublished, the container vanished, or the
+* value isn't a parseable port.
+*/
+async function getPublishedHostPort(containerId, containerPort, protocol = "tcp") {
+	const format = `{{with index .NetworkSettings.Ports "${`${containerPort}/${protocol}`}"}}{{with index . 0}}{{.HostPort}}{{end}}{{end}}`;
+	try {
+		const { stdout } = await execFileAsync(getDockerCmd(), [
+			"inspect",
+			"--format",
+			format,
+			containerId
+		]);
+		const raw = stdout.trim();
+		if (!raw) return void 0;
+		const port = parseInt(raw, 10);
+		return Number.isInteger(port) && port >= 1 && port <= 65535 ? port : void 0;
+	} catch {
+		return;
+	}
+}
 
 //#endregion
 //#region src/local/ecs-service-runner.ts
@@ -19172,7 +19231,8 @@ async function startEcsService(service, options, runState) {
 			restartCount: 0,
 			shuttingDown: false,
 			inFlightBoot: void 0,
-			cloudMapHandles: []
+			cloudMapHandles: [],
+			frontDoorOwnerKey: void 0
 		};
 		runState.replicas.push(instance);
 		const bootPromise = bootReplica(service, options, instance);
@@ -19260,6 +19320,7 @@ var ServiceController = class {
 				} catch {}
 				instance.cloudMapHandles = [];
 			}
+			unregisterReplicaFromFrontDoor(instance, this.options.frontDoor);
 			try {
 				await cleanupEcsRun(instance.state, { keepRunning: this.options.taskOptions.keepRunning });
 			} catch (err) {
@@ -19316,6 +19377,7 @@ async function bootReplica(service, options, instance) {
 	const sharedNetwork = options.discovery?.sharedNetwork;
 	const networkAliasesByContainer = buildNetworkAliasesByContainer(service);
 	const skipHostPortPublish = computeReplicaCount(service.desiredCount, options.maxTasks) > 1;
+	const ephemeralPublishContainerPorts = options.frontDoor ? [...new Set(options.frontDoor.pools.map((p) => p.targetContainerPort))] : [];
 	const perReplicaTaskOptions = {
 		...options.taskOptions,
 		cluster: perReplicaCluster,
@@ -19323,11 +19385,13 @@ async function bootReplica(service, options, instance) {
 		...skipHostPortPublish ? { skipHostPortPublish: true } : {},
 		...sharedNetwork ? { existingNetwork: sharedNetwork } : { subnetOctet: pickSubnetOctet(instance.index) },
 		...addHostFlags.length > 0 ? { addHostFlags } : {},
-		...networkAliasesByContainer.size > 0 ? { networkAliasesByContainer } : {}
+		...networkAliasesByContainer.size > 0 ? { networkAliasesByContainer } : {},
+		...ephemeralPublishContainerPorts.length > 0 ? { ephemeralPublishContainerPorts } : {}
 	};
 	logger.info(`Booting replica ${instance.index} (${perReplicaCluster})`);
 	await runEcsTask(service.task, perReplicaTaskOptions, instance.state);
 	if (options.discovery) await publishReplicaToCloudMap(service, instance, options.discovery, ownerKeyPrefix);
+	if (options.frontDoor) await publishReplicaToFrontDoor(service, instance, options.frontDoor, options.taskOptions.containerHost, ownerKeyPrefix);
 }
 /**
 * After the replica's main container is up, discover its docker
@@ -19408,6 +19472,57 @@ async function publishReplicaToCloudMap(service, instance, discovery, ownerKeyPr
 	}
 }
 /**
+* Issue #86 v1 — register this replica's host-reachable endpoint into every
+* front-door pool. For each pool, find the target container's docker id, read
+* back the ephemeral host port docker assigned to its target container port
+* (`-p <host>::<port>`), and register `<containerHost>:<hostPort>` under the
+* per-replica owner key.
+*
+* Best-effort, mirroring `publishReplicaToCloudMap`: a missing container / port
+* logs a warn and skips that pool rather than aborting the replica (the
+* replica is alive; the front-door just can't route to it until it re-boots).
+* The owner key is stamped on the instance so the restart / shutdown paths can
+* `pool.unregister` symmetrically.
+*/
+async function publishReplicaToFrontDoor(service, instance, frontDoor, containerHost, ownerKeyPrefix) {
+	const logger = getLogger().child("ecs-service");
+	instance.frontDoorOwnerKey = ownerKeyPrefix;
+	for (const target of frontDoor.pools) {
+		const started = instance.state.startedContainers.find((c) => c.name === target.targetContainerName);
+		if (!started) {
+			logger.warn(`ECS Service '${service.serviceLogicalId}' front-door: container '${target.targetContainerName}' did not start for replica ${instance.index}; the front-door cannot route to it.`);
+			continue;
+		}
+		let hostPort;
+		try {
+			hostPort = await getPublishedHostPort(started.id, target.targetContainerPort);
+		} catch (err) {
+			logger.warn(`Replica ${instance.index}: docker inspect failed before front-door publish: ${err instanceof Error ? err.message : String(err)}`);
+			continue;
+		}
+		if (hostPort === void 0) {
+			logger.warn(`Replica ${instance.index}: container port ${target.targetContainerPort} on '${target.targetContainerName}' was not published on a host port; skipping front-door registration for this replica.`);
+			continue;
+		}
+		target.pool.register(ownerKeyPrefix, {
+			host: containerHost,
+			port: hostPort
+		});
+		logger.debug(`Front-door: replica ${instance.index} registered at ${containerHost}:${hostPort} (container ${target.targetContainerName}:${target.targetContainerPort}).`);
+	}
+}
+/**
+* Drop this replica's endpoint from every front-door pool. Idempotent; called
+* from the watcher restart branch and the controller shutdown path so a
+* dying / restarting replica is removed from round-robin before its container
+* is torn down.
+*/
+function unregisterReplicaFromFrontDoor(instance, frontDoor) {
+	if (!frontDoor || !instance.frontDoorOwnerKey) return;
+	for (const target of frontDoor.pools) target.pool.unregister(instance.frontDoorOwnerKey);
+	instance.frontDoorOwnerKey = void 0;
+}
+/**
 * Long-running watcher loop for one replica. Polls the essential
 * container's exit code via `docker wait`; on exit, decides whether to
 * restart per `restartPolicy` + applies exponential backoff. The loop
@@ -19447,6 +19562,7 @@ async function watchReplica(service, options, instance, runState) {
 			} catch {}
 			instance.cloudMapHandles = [];
 		}
+		unregisterReplicaFromFrontDoor(instance, options.frontDoor);
 		try {
 			await cleanupEcsRun(instance.state, { keepRunning: false });
 		} catch (err) {
@@ -19859,14 +19975,176 @@ function extractDnsRecords(serviceProps) {
 }
 
 //#endregion
-//#region src/cli/commands/local-start-service.ts
+//#region src/local/front-door-pool.ts
+var FrontDoorEndpointPool = class {
+	entries = [];
+	/** Monotonic counter; `next()` rotates over the current entries by index. */
+	cursor = 0;
+	/**
+	* Register (or idempotently replace) the endpoint for `ownerKey`. A replica
+	* restart calls this again with the same key and the new ephemeral port; the
+	* prior entry for that key is replaced rather than duplicated.
+	*/
+	register(ownerKey, endpoint) {
+		if (!ownerKey) throw new Error("FrontDoorEndpointPool.register: ownerKey must be non-empty.");
+		const next = this.entries.filter((e) => e.ownerKey !== ownerKey);
+		next.push({
+			ownerKey,
+			host: endpoint.host,
+			port: endpoint.port
+		});
+		this.entries = next;
+	}
+	/** Drop the endpoint for `ownerKey`. Idempotent; returns whether one was removed. */
+	unregister(ownerKey) {
+		const next = this.entries.filter((e) => e.ownerKey !== ownerKey);
+		const removed = next.length !== this.entries.length;
+		this.entries = next;
+		return removed;
+	}
+	/**
+	* Round-robin the next live endpoint, or `undefined` when the pool is empty
+	* (the front-door server replies 503 in that case). The cursor advances per
+	* call; modulo by the current length tolerates entries being added / removed
+	* between calls.
+	*/
+	next() {
+		if (this.entries.length === 0) return void 0;
+		const entry = this.entries[this.cursor % this.entries.length];
+		this.cursor = (this.cursor + 1) % Number.MAX_SAFE_INTEGER;
+		return {
+			host: entry.host,
+			port: entry.port
+		};
+	}
+	/** Snapshot of the current endpoints (for diagnostics / tests). */
+	list() {
+		return this.entries.map((e) => ({
+			host: e.host,
+			port: e.port
+		}));
+	}
+	/** Number of live endpoints. */
+	size() {
+		return this.entries.length;
+	}
+};
+
+//#endregion
+//#region src/local/front-door-server.ts
+/** Default per-request upstream timeout — a hung replica yields a 504, not a hang. */
+const DEFAULT_UPSTREAM_TIMEOUT_MS = 3e4;
+async function startFrontDoorServer(opts) {
+	const logger = getLogger().child("front-door");
+	const host = opts.host ?? "127.0.0.1";
+	const server = createServer$1((req, res) => {
+		handleProxyRequest(req, res, opts).catch((err) => {
+			logger.debug(`front-door request error: ${err instanceof Error ? err.message : String(err)}`);
+			if (!res.headersSent) writeError(res, 502, "Bad Gateway");
+		});
+	});
+	server.on("connection", (socket) => socket.setNoDelay(true));
+	const boundPort = await new Promise((resolve, reject) => {
+		server.once("error", reject);
+		server.listen(opts.port, host, () => {
+			const addr = server.address();
+			if (addr === null || typeof addr === "string") {
+				reject(/* @__PURE__ */ new Error("Could not determine front-door listening address"));
+				return;
+			}
+			resolve(addr.port);
+		});
+	});
+	let closed = false;
+	return {
+		port: boundPort,
+		host,
+		server,
+		close: async () => {
+			if (closed) return;
+			closed = true;
+			await new Promise((resolve) => {
+				server.close(() => resolve());
+				server.closeAllConnections?.();
+			});
+		}
+	};
+}
+function handleProxyRequest(req, res, opts) {
+	return new Promise((resolve) => {
+		const endpoint = opts.pool.next();
+		if (!endpoint) {
+			writeError(res, 503, `No running replicas for service '${opts.serviceName}'. The front-door has no healthy target to forward to.`);
+			resolve();
+			return;
+		}
+		let settled = false;
+		const done = () => {
+			if (settled) return;
+			settled = true;
+			resolve();
+		};
+		const headers = { ...req.headers };
+		appendForwardedHeaders(headers, req, opts.listenerPort);
+		const proxyReq = request({
+			host: endpoint.host,
+			port: endpoint.port,
+			method: req.method,
+			path: req.url,
+			headers
+		}, (proxyRes) => {
+			res.writeHead(proxyRes.statusCode ?? 502, proxyRes.headers);
+			proxyRes.pipe(res);
+			proxyRes.on("end", done);
+			proxyRes.on("error", () => {
+				if (!res.writableEnded) res.destroy();
+				done();
+			});
+		});
+		proxyReq.setTimeout(opts.upstreamTimeoutMs ?? 3e4, () => {
+			if (!res.headersSent) writeError(res, 504, `Replica ${endpoint.host}:${endpoint.port} for service '${opts.serviceName}' did not respond in time.`);
+			else if (!res.writableEnded) res.destroy();
+			proxyReq.destroy();
+			done();
+		});
+		proxyReq.on("error", () => {
+			if (!res.headersSent) writeError(res, 502, `Failed to reach replica ${endpoint.host}:${endpoint.port} for service '${opts.serviceName}'.`);
+			else if (!res.writableEnded) res.destroy();
+			done();
+		});
+		res.on("close", () => {
+			if (!res.writableEnded) proxyReq.destroy();
+		});
+		req.pipe(proxyReq);
+	});
+}
 /**
-* `cdkl start-service <Stack/Service>` — Phase 2 of #262. Spins up
-* `DesiredCount` task replicas locally (clamped by `--max-tasks`) using
-* the existing `ecs-task-runner` per replica. Long-running; ^C cleans
-* every replica + sidecar + per-task network.
+* Inject the ALB-style forwarding headers a downstream app may read. Appends
+* the client IP to any existing `X-Forwarded-For` chain (ALB appends rather
+* than replaces) and stamps the scheme / listener port.
+*/
+function appendForwardedHeaders(headers, req, listenerPort) {
+	const clientIp = req.socket.remoteAddress ?? "";
+	const existing = headers["x-forwarded-for"];
+	const chain = Array.isArray(existing) ? existing.join(", ") : existing;
+	headers["x-forwarded-for"] = chain ? `${chain}, ${clientIp}` : clientIp;
+	headers["x-forwarded-proto"] = "http";
+	headers["x-forwarded-port"] = String(listenerPort);
+}
+function writeError(res, statusCode, message) {
+	res.writeHead(statusCode, { "content-type": "text/plain; charset=utf-8" });
+	res.end(`${message}\n`);
+}
+
+//#endregion
+//#region src/cli/commands/ecs-service-emulator.ts
+/**
+* Long-running ECS-service emulator. Synths the app, resolves the strategy's
+* targets into service boots, boots every replica pool (with optional
+* front-door), and blocks until `^C`. Idempotent single-flight cleanup tears
+* down every replica + front-door server + the shared network + sidecar.
 */
-async function localStartServiceCommand(targets, options, extraStateProviders) {
+async function runEcsServiceEmulator(targets, options, strategy, extraStateProviders) {
 	const logger = getLogger();
 	if (options.verbose) logger.setLevel("debug");
 	warnIfDeprecatedRegion(options);
@@ -19883,6 +20161,7 @@ async function localStartServiceCommand(targets, options, extraStateProviders) {
 				await Promise.allSettled(pt.runState.replicas.map((r) => r.inFlightBoot).filter((p) => p !== void 0));
 				await Promise.allSettled(pt.runState.replicas.map((r) => cleanupEcsRun(r.state, { keepRunning: false }).catch(() => void 0)));
 			}
+			await Promise.allSettled((pt.frontDoorServers ?? []).map((s) => s.close().catch((err) => getLogger().warn(`front-door server teardown failed: ${err instanceof Error ? err.message : String(err)}`))));
 		}));
 		if (profileCredsFile) {
 			try {
@@ -19921,14 +20200,17 @@ async function localStartServiceCommand(targets, options, extraStateProviders) {
 		};
 		const { stacks } = await synthesizer.synthesize(synthOpts);
 		const resolvedTargets = await resolveMultiTarget(targets, {
-			entries: listTargets(stacks).ecsServices,
-			message: "Select one or more ECS services to run",
-			noun: "ECS services",
-			onMissing: () => new LocalStartServiceError(`${getEmbedConfig().cliName} start-service requires at least one <target>. Pass one or more service paths like 'Stack/Orders' 'Stack/Frontend', or run it in a TTY to pick interactively.`)
+			entries: strategy.pickEntries(stacks),
+			message: strategy.pickerMessage,
+			noun: strategy.pickerNoun,
+			onMissing: () => strategy.onMissing()
 		});
-		rejectExplicitCfnStackWithMultipleStacks(options, resolvedTargets.length);
-		perTarget = resolvedTargets.map((t) => ({
-			target: t,
+		const { boots, warnings } = strategy.resolveBoots(stacks, resolvedTargets);
+		for (const w of warnings) logger.warn(w);
+		if (boots.length === 0) throw new LocalStartServiceError(`No runnable ECS service resolved from ${resolvedTargets.join(", ")}.`);
+		rejectExplicitCfnStackWithMultipleStacks(options, boots.length);
+		perTarget = boots.map((boot) => ({
+			boot,
 			runState: createServiceRunState()
 		}));
 		const cloudMapIndexByStack = /* @__PURE__ */ new Map();
@@ -19966,7 +20248,11 @@ async function localStartServiceCommand(targets, options, extraStateProviders) {
 		};
 		process.on("SIGINT", sigintHandler);
 		process.on("SIGTERM", sigintHandler);
-		for (const pt of perTarget) pt.controller = await bootOneTarget(pt.target, pt.runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile);
+		for (const pt of perTarget) {
+			const booted = await bootOneTarget(pt.boot, pt.runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile, strategy.lbPortOverrides);
+			pt.controller = booted.controller;
+			pt.frontDoorServers = booted.frontDoorServers;
+		}
 		const summary = perTarget.map((pt) => `${pt.controller.service.serviceName} (${pt.controller.activeReplicaCount()} replica(s))`).join(", ");
 		logger.info(`Service(s) running: ${summary}.`);
 		logger.info("Press ^C to shut down.");
@@ -19979,21 +20265,18 @@ async function localStartServiceCommand(targets, options, extraStateProviders) {
 		await cleanup();
 	}
 }
-/**
-* Boot one target. Returns the started controller for the outer code
-* to wait + tear down.
-*/
-async function bootOneTarget(target, runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile) {
-	const candidate = pickCandidateStack(parseEcsTarget(target).stackPattern, stacks);
+async function bootOneTarget(boot, runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile, lbPortOverrides) {
+	const candidate = pickCandidateStack(parseEcsTarget(boot.target).stackPattern, stacks);
 	const stateProvider = createLocalStateProvider(options, candidate?.stackName ?? "", await resolveCfnFallbackRegion(options, candidate?.region), extraStateProviders);
 	try {
-		return await runOneTarget(target, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile);
+		return await runOneTarget(boot, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile, lbPortOverrides);
 	} finally {
 		if (stateProvider) stateProvider.dispose();
 	}
 }
-async function runOneTarget(target, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile) {
+async function runOneTarget(boot, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile, lbPortOverrides) {
 	const logger = getLogger();
+	const target = boot.target;
 	const imageContext = await buildEcsImageResolutionContext(target, stacks, options, stateProvider);
 	const service = resolveEcsServiceTarget(target, stacks, imageContext);
 	logger.info(`Target: ${service.stack.stackName}/${service.serviceLogicalId} (service=${service.serviceName}, desiredCount=${service.desiredCount}, task=${service.task.taskDefinitionLogicalId})`);
@@ -20047,12 +20330,72 @@ async function runOneTarget(target, runState, stacks, options, discovery, skipPu
 		containerPath: profileCredsFile.containerPath,
 		profileName: profileCredsFile.profileName
 	};
-	return startEcsService(service, {
+	const { frontDoorContext, frontDoorServers } = await startFrontDoorServers(boot.frontDoorTargets, service, options.containerHost, lbPortOverrides, logger);
+	const runnerOpts = {
 		maxTasks: options.maxTasks,
 		restartPolicy: options.restartPolicy,
 		taskOptions: taskOpts,
-		discovery
-	}, runState);
+		discovery,
+		...frontDoorContext ? { frontDoor: frontDoorContext } : {}
+	};
+	let controller;
+	try {
+		controller = await startEcsService(service, runnerOpts, runState);
+	} catch (err) {
+		await Promise.allSettled(frontDoorServers.map((s) => s.close()));
+		throw err;
+	}
+	return {
+		controller,
+		frontDoorServers
+	};
+}
+/**
+* Issue #86 v1 — stand up one host-side reverse-proxy server per resolved
+* front-door listener and return the {@link FrontDoorRunnerContext} to thread
+* into the runner (so each replica publishes + registers its ephemeral
+* endpoint), plus the started servers for teardown. Pure front-door MECHANISM:
+* the ALB-specific resolution that produced `frontDoorTargets` lives in the
+* `start-alb` command. Returns an undefined context + empty servers when there
+* are no front-door targets (the pure-compute path).
+*
+* On a bind failure (e.g. EACCES on a privileged listener port, or the port is
+* already in use) every server started so far is closed and the error is
+* re-thrown with a `--lb-port` hint.
+*/
+async function startFrontDoorServers(frontDoorTargets, service, containerHost, lbPortOverrides, logger) {
+	if (frontDoorTargets.length === 0) return {
+		frontDoorContext: void 0,
+		frontDoorServers: []
+	};
+	const frontDoorServers = [];
+	const pools = [];
+	try {
+		for (const t of frontDoorTargets) {
+			const pool = new FrontDoorEndpointPool();
+			const server = await startFrontDoorServer({
+				pool,
+				port: lbPortOverrides[t.listenerPort] ?? t.listenerPort,
+				host: containerHost,
+				listenerPort: t.listenerPort,
+				serviceName: service.serviceName
+			});
+			frontDoorServers.push(server);
+			pools.push({
+				pool,
+				targetContainerName: t.targetContainerName,
+				targetContainerPort: t.targetContainerPort
+			});
+			logger.info(`ALB front-door: http://${server.host}:${server.port} -> ${service.serviceName} (listener port ${t.listenerPort} -> container ${t.targetContainerName}:${t.targetContainerPort}, round-robin across replicas)`);
+		}
+	} catch (err) {
+		await Promise.allSettled(frontDoorServers.map((s) => s.close()));
+		throw new LocalStartServiceError(`Failed to start ALB front-door for service '${service.serviceName}': ${err instanceof Error ? err.message : String(err)}. If the listener port is privileged (< 1024), remap it to a non-privileged host port with --lb-port <listenerPort>=<hostPort> (e.g. --lb-port 80=8080).`);
+	}
+	return {
+		frontDoorContext: { pools },
+		frontDoorServers
+	};
 }
 async function resolvePlaceholderAccount(arn, region) {
 	if (!arn.includes("${AWS::AccountId}")) return arn;
@@ -20086,11 +20429,9 @@ async function assumeTaskRole(roleArn, region) {
 	}
 }
 /**
-* Build the substitution context the ECS resolver consumes.
-*
-* Exported for the site-level binding test that locks the `--from-cfn-stack`
-* SSM-parameter resolution call (issue #94) into this start-service call site
-* (mirrors `local-run-task`'s exported helper).
+* Build the substitution context the ECS resolver consumes. Exported for the
+* site-level binding test that locks the `--from-cfn-stack` SSM-parameter
+* resolution call (issue #94).
 */
 async function buildEcsImageResolutionContext(target, stacks, options, stateProvider) {
 	const logger = getLogger();
@@ -20175,9 +20516,8 @@ function parsePositiveInt(raw, flagName) {
 	return parsed;
 }
 /**
-* Hard cap on `--max-tasks` driven by the per-replica subnet allocator
-* in `ecs-service-runner.ts:pickSubnetOctet`. The allocator walks the
-* link-local /24 range `169.254.170.0..169.254.253.0` and skips 171.
+* Hard cap on `--max-tasks` driven by the per-replica subnet allocator in
+* `ecs-service-runner.ts:pickSubnetOctet`.
 */
 const MAX_TASKS_SUBNET_RANGE_CAP = 83;
 function parseMaxTasks(raw) {
@@ -20190,37 +20530,23 @@ function parseRestartPolicy(raw) {
 	throw new LocalStartServiceError(`--restart-policy must be one of 'on-failure', 'always', or 'none' (got '${raw}').`);
 }
 /**
-* Pick the credentials forwarded to the AWS-published
-* `amazon-ecs-local-container-endpoints` sidecar. `cdkl start-service`'s
-* sidecar is SHARED across every replica boot in one CLI invocation, so
-* this resolves ONCE at startup. Precedence:
-*   1. `--profile <p>` → resolved via {@link resolveProfileCredentials}
-*      (the SDK's default credential provider chain — SSO / IAM
-*      Identity Center / fromIni / role-assumption). NEW in this PR.
-*   2. Not set → `undefined`; the sidecar runs with its own default
-*      credential chain (typically empty inside a fresh container —
-*      user containers will get 4xx from the credentials endpoint).
-*
-* Note: per-service `--assume-task-role <Service>=<arn>` overrides are
-* INTENTIONALLY NOT consulted here. The shared sidecar has no concept
-* of per-service IAM — per-service `TaskRoleArn` flows into each
-* container's env via `buildMetadataEnv` at boot time, where the
-* sidecar's `/role/<role-arn>` path resolves per-request. The shared
-* sidecar's OWN startup credentials govern only the fallback path
-* (containers that did not bind a `TaskRoleArn`).
-*
-* Extracted as an exported helper so a unit test can exercise both
-* branches without having to mock the full Synth + Docker + AWS
-* pipeline (the strategy used for the Lambda container path).
+* Resolve the credentials forwarded to the AWS-published metadata-endpoints
+* sidecar (shared across every replica boot in one CLI invocation). `--profile`
+* resolves via the SDK default chain; unset yields `undefined`. Per-service
+* `--assume-task-role` overrides are intentionally NOT consulted here. Exported
+* for a unit test that exercises both branches.
 */
 async function resolveSharedSidecarCredentials(options) {
 	if (options.profile) return resolveProfileCredentials(options.profile);
 }
-function createLocalStartServiceCommand(opts = {}) {
-	setEmbedConfig(opts.embedConfig);
-	const cmd = new Command("start-service").description(`Run one or more AWS::ECS::Service resources locally as a long-running emulator. Spins up DesiredCount task replicas per service (clamped by --max-tasks) using the same per-task docker network + metadata sidecar pattern as \`${getEmbedConfig().cliName} run-task\`, then keeps each replica running and restarts it on exit per --restart-policy. ^C tears every replica + sidecar + network down. Each <target> accepts a CDK display path (MyStack/MyService) or stack-qualified logical ID (MyStack:MyServiceXYZ); single-stack apps may omit the stack prefix. When two or more <target>s are supplied, every service is booted into a shared Cloud Map / Service Connect registry so peer services discover each other via docker --add-host overlay. Omit <targets> in an interactive terminal to multi-select the services from a list.`).argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ECS::Service resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--host-port <containerPort=hostPort...>", "Publish a container port on a specific host port (e.g. 80=8080); repeatable. Default: host port == container port. Use this on macOS to map a privileged container port (< 1024) to a non-privileged host port and avoid the Docker Desktop admin-password prompt. (Single-replica services only — multi-replica services do not publish host ports.)")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (targets, options) => {
-		await localStartServiceCommand(targets, options, opts.extraStateProviders);
-	}));
+/**
+* Add the CLI options shared by both ECS-service commands (`start-service` and
+* `start-alb`) to a command. The command-specific argument / description and
+* the one unique option (`--host-port` vs `--lb-port`) are added by each
+* factory.
+*/
+function addCommonEcsServiceOptions(cmd) {
+	cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
 	[
 		...commonOptions(),
 		...appOptions(),
@@ -20230,6 +20556,359 @@ function createLocalStartServiceCommand(opts = {}) {
 	return cmd;
 }
 
+//#endregion
+//#region src/cli/commands/local-start-service.ts
+/**
+* `cdkl start-service` strategy — a pure ECS replica runner. It picks
+* `AWS::ECS::Service` targets and boots each with NO front-door (the ALB
+* front-door is its own command, `cdkl start-alb`). This keeps `start-service`
+* a leaf compute runner, symmetric with `invoke` / `run-task`.
+*/
+function serviceStrategy() {
+	return {
+		pickEntries: (stacks) => listTargets(stacks).ecsServices,
+		pickerMessage: "Select one or more ECS services to run",
+		pickerNoun: "ECS services",
+		onMissing: () => new LocalStartServiceError(`${getEmbedConfig().cliName} start-service requires at least one <target>. Pass one or more service paths like 'Stack/Orders' 'Stack/Frontend', or run it in a TTY to pick interactively.`),
+		resolveBoots: (_stacks, chosenTargets) => ({
+			boots: chosenTargets.map((target) => ({
+				target,
+				frontDoorTargets: []
+			})),
+			warnings: []
+		}),
+		lbPortOverrides: {}
+	};
+}
+/**
+* `cdkl start-service <Stack/Service>` — Phase 2 of #262. Spins up
+* `DesiredCount` task replicas locally (clamped by `--max-tasks`) using the
+* existing `ecs-task-runner` per replica. Long-running; ^C cleans every replica
+* + sidecar + shared network. Pure compute: to put a local ALB front-door in
+* front of an ALB-fronted service, use `cdkl start-alb`.
+*/
+function createLocalStartServiceCommand(opts = {}) {
+	setEmbedConfig(opts.embedConfig);
+	return addCommonEcsServiceOptions(new Command("start-service").description(`Run one or more AWS::ECS::Service resources locally as a long-running emulator. Spins up DesiredCount task replicas per service (clamped by --max-tasks) using the same per-task docker network + metadata sidecar pattern as \`${getEmbedConfig().cliName} run-task\`, then keeps each replica running and restarts it on exit per --restart-policy. ^C tears every replica + sidecar + network down. Each <target> accepts a CDK display path (MyStack/MyService) or stack-qualified logical ID (MyStack:MyServiceXYZ); single-stack apps may omit the stack prefix. When two or more <target>s are supplied, every service is booted into a shared Cloud Map / Service Connect registry so peer services discover each other via docker --add-host overlay. Omit <targets> in an interactive terminal to multi-select the services from a list. To put a local ALB front-door in front of an ALB-fronted service, use \`${getEmbedConfig().cliName} start-alb\` instead.`).argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ECS::Service resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--host-port <containerPort=hostPort...>", "Publish a container port on a specific host port (e.g. 80=8080); repeatable. Default: host port == container port. Use this on macOS to map a privileged container port (< 1024) to a non-privileged host port and avoid the Docker Desktop admin-password prompt. (Single-replica services only — multi-replica services do not publish host ports.)")).action(withErrorHandling(async (targets, options) => {
+		await runEcsServiceEmulator(targets, options, serviceStrategy(), opts.extraStateProviders);
+	})));
+}
+
+//#endregion
+//#region src/local/elb-front-door-resolver.ts
+/**
+* Issue #86 v1 — resolve an `AWS::ElasticLoadBalancingV2::LoadBalancer` (an
+* ALB) into the backing ECS service(s) and the host listener port(s) a local
+* front-door should expose for each. This is the `cdkl start-alb` entry: you
+* name the ALB, and cdk-local discovers the services behind it (mirroring how
+* `start-api` names the API and discovers the backing Lambdas).
+*
+* The synthesized linkage (confirmed against real `cdk synth` of
+* `ApplicationLoadBalancedFargateService`):
+*
+* ```
+* ElasticLoadBalancingV2::LoadBalancer  (the ALB you name)
+* ElasticLoadBalancingV2::Listener      : { LoadBalancerArn:{Ref:<ALB>}, Port, Protocol,
+*     DefaultActions:[{ Type:"forward", TargetGroupArn:{Ref:<TG>} }] }
+* ElasticLoadBalancingV2::TargetGroup   : { Port, Protocol, TargetType:"ip" }
+* ECS::Service.LoadBalancers[]          -> { ContainerName, ContainerPort, TargetGroupArn:{Ref:<TG>} }
+* ```
+*
+* Resolution walks ALB -> listeners (by `LoadBalancerArn` Ref) -> default
+* `forward` target groups -> the ECS Service whose `LoadBalancers[]` references
+* that target group (a reverse scan; there is no direct TG -> service pointer).
+*
+* v1 scope (single forward): only listener `DefaultActions` are honored.
+* `AWS::ElasticLoadBalancingV2::ListenerRule` (path / host / weighted routing)
+* is ignored — tracked in #123. HTTPS / TLS listeners and `TargetType:"lambda"`
+* target groups are skipped with a warning.
+*/
+const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
+const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
+const TARGET_GROUP_TYPE = "AWS::ElasticLoadBalancingV2::TargetGroup";
+const SERVICE_TYPE = "AWS::ECS::Service";
+/**
+* Resolve an ALB into its backing services + front-door targets. Pure — reads
+* only the supplied stack template. Returns an empty `services` array (with
+* warnings) when the ALB fronts nothing cdk-local can serve locally.
+*/
+function resolveAlbFrontDoor(stack, albLogicalId) {
+	const warnings = [];
+	const resources = stack.template.Resources ?? {};
+	const tgToService = indexTargetGroupToService(resources);
+	const byService = /* @__PURE__ */ new Map();
+	const seenPortsByService = /* @__PURE__ */ new Map();
+	for (const [listenerLogicalId, resource] of Object.entries(resources)) {
+		if (resource.Type !== LISTENER_TYPE) continue;
+		const props = resource.Properties ?? {};
+		if (refOf(props["LoadBalancerArn"]) !== albLogicalId) continue;
+		const port = parsePort(props["Port"]);
+		if (port === void 0) continue;
+		const protocol = typeof props["Protocol"] === "string" ? props["Protocol"] : "HTTP";
+		const tgRefs = collectForwardTargetGroupRefs(props["DefaultActions"]);
+		if (tgRefs.size === 0) {
+			if (hasUnresolvableForward(props["DefaultActions"])) warnings.push(`Listener '${listenerLogicalId}' on port ${port} forwards to a non-Ref TargetGroupArn (literal / cross-stack / imported); the local front-door only supports in-stack target groups. Skipping it.`);
+			continue;
+		}
+		if (protocol !== "HTTP") {
+			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP listeners only in v1 (TLS termination is deferred). Skipping it.`);
+			continue;
+		}
+		for (const tgRef of tgRefs) {
+			const tg = resources[tgRef];
+			if (!tg || tg.Type !== TARGET_GROUP_TYPE) {
+				warnings.push(`Listener '${listenerLogicalId}' forwards to target group '${tgRef}', but no ${TARGET_GROUP_TYPE} with that logical id exists in ${stack.stackName}. Skipping it.`);
+				continue;
+			}
+			if (tg.Properties?.["TargetType"] === "lambda") {
+				warnings.push(`Target group '${tgRef}' is a Lambda target (TargetType: lambda). The local ALB front-door supports ECS targets only in v1; Lambda targets are deferred to a follow-up. Skipping it.`);
+				continue;
+			}
+			const backing = tgToService.get(tgRef);
+			if (!backing) {
+				warnings.push(`Target group '${tgRef}' (listener '${listenerLogicalId}', port ${port}) is not referenced by any ${SERVICE_TYPE}.LoadBalancers[] in ${stack.stackName}; cdk-local has no ECS service to front behind it. Skipping it.`);
+				continue;
+			}
+			const seenPorts = seenPortsByService.get(backing.serviceLogicalId) ?? /* @__PURE__ */ new Set();
+			if (seenPorts.has(port)) {
+				warnings.push(`Service '${backing.serviceLogicalId}' is fronted by more than one listener on host port ${port}; the local front-door fronts only the first.`);
+				continue;
+			}
+			seenPorts.add(port);
+			seenPortsByService.set(backing.serviceLogicalId, seenPorts);
+			const targets = byService.get(backing.serviceLogicalId) ?? [];
+			targets.push({
+				listenerPort: port,
+				listenerProtocol: "HTTP",
+				targetContainerName: backing.containerName,
+				targetContainerPort: backing.containerPort,
+				targetGroupLogicalId: tgRef,
+				listenerLogicalId
+			});
+			byService.set(backing.serviceLogicalId, targets);
+		}
+	}
+	return {
+		services: [...byService.entries()].map(([serviceLogicalId, targets]) => ({
+			serviceLogicalId,
+			targets
+		})),
+		warnings
+	};
+}
+/** True when the resource is an application Load Balancer (the `start-alb` target type). */
+function isApplicationLoadBalancer(resource) {
+	if (resource.Type !== ALB_TYPE) return false;
+	const type = resource.Properties?.["Type"];
+	return type === void 0 || type === "application";
+}
+/**
+* Build a `targetGroupLogicalId -> backing ECS service` index by scanning every
+* `AWS::ECS::Service.LoadBalancers[]`. First service wins on a shared target
+* group (unusual; would only happen with a hand-rolled template).
+*/
+function indexTargetGroupToService(resources) {
+	const index = /* @__PURE__ */ new Map();
+	for (const [serviceLogicalId, resource] of Object.entries(resources)) {
+		if (resource.Type !== SERVICE_TYPE) continue;
+		const lbs = resource.Properties?.["LoadBalancers"];
+		if (!Array.isArray(lbs)) continue;
+		for (const entry of lbs) {
+			if (!entry || typeof entry !== "object") continue;
+			const e = entry;
+			const tgRef = refOf(e["TargetGroupArn"]);
+			const containerName = typeof e["ContainerName"] === "string" ? e["ContainerName"] : void 0;
+			const containerPort = parseContainerPort(e["ContainerPort"]);
+			if (!tgRef || !containerName || containerPort === void 0) continue;
+			if (!index.has(tgRef)) index.set(tgRef, {
+				serviceLogicalId,
+				containerName,
+				containerPort
+			});
+		}
+	}
+	return index;
+}
+function collectForwardTargetGroupRefs(defaultActions) {
+	const refs = /* @__PURE__ */ new Set();
+	if (!Array.isArray(defaultActions)) return refs;
+	for (const action of defaultActions) {
+		if (!action || typeof action !== "object") continue;
+		const a = action;
+		if (a["Type"] !== "forward") continue;
+		const direct = refOf(a["TargetGroupArn"]);
+		if (direct) refs.add(direct);
+		const forwardConfig = a["ForwardConfig"];
+		if (forwardConfig && typeof forwardConfig === "object") {
+			const groups = forwardConfig["TargetGroups"];
+			if (Array.isArray(groups)) for (const g of groups) {
+				if (!g || typeof g !== "object") continue;
+				const ref = refOf(g["TargetGroupArn"]);
+				if (ref) refs.add(ref);
+			}
+		}
+	}
+	return refs;
+}
+/**
+* True when `DefaultActions` has at least one `forward` action that references
+* a target group via a NON-`Ref` arn (literal / `Fn::GetAtt` / cross-stack) —
+* i.e. a forward we could not resolve to an in-stack target group. Used to warn
+* rather than silently skip such a listener.
+*/
+function hasUnresolvableForward(defaultActions) {
+	if (!Array.isArray(defaultActions)) return false;
+	for (const action of defaultActions) {
+		if (!action || typeof action !== "object") continue;
+		const a = action;
+		if (a["Type"] !== "forward") continue;
+		if (a["TargetGroupArn"] !== void 0 && refOf(a["TargetGroupArn"]) === void 0) return true;
+		const forwardConfig = a["ForwardConfig"];
+		if (forwardConfig && typeof forwardConfig === "object") {
+			const groups = forwardConfig["TargetGroups"];
+			if (Array.isArray(groups)) for (const g of groups) {
+				if (!g || typeof g !== "object") continue;
+				const arn = g["TargetGroupArn"];
+				if (arn !== void 0 && refOf(arn) === void 0) return true;
+			}
+		}
+	}
+	return false;
+}
+function refOf(raw) {
+	if (raw && typeof raw === "object" && !Array.isArray(raw)) {
+		const ref = raw["Ref"];
+		if (typeof ref === "string" && ref.length > 0) return ref;
+	}
+}
+function parsePort(raw) {
+	if (typeof raw === "number" && Number.isInteger(raw) && raw >= 1 && raw <= 65535) return raw;
+	if (typeof raw === "string" && /^\d+$/.test(raw)) {
+		const n = parseInt(raw, 10);
+		if (n >= 1 && n <= 65535) return n;
+	}
+}
+function parseContainerPort(raw) {
+	return parsePort(raw);
+}
+
+//#endregion
+//#region src/cli/commands/local-start-alb.ts
+/**
+* Issue #86 v1 — parse `--lb-port <listenerPort>=<hostPort>` overrides into a
+* `listenerPort -> hostPort` map. The local ALB front-door binds the listener
+* port on the host by default, but a privileged listener port (e.g. 80 / 443)
+* fails to bind as non-root on macOS, so the user opts in to a non-privileged
+* host port (e.g. `--lb-port 80=8080`). Repeatable; each value is
+* `<listenerPort>=<hostPort>` with both in 1-65535.
+*/
+function parseLbPortOverrides(values) {
+	const out = {};
+	for (const raw of values ?? []) {
+		const m = /^(\d+)=(\d+)$/.exec(raw.trim());
+		if (!m) throw new LocalStartServiceError(`Invalid --lb-port '${raw}'. Expected <listenerPort>=<hostPort> (e.g. 80=8080).`);
+		const listenerPort = Number(m[1]);
+		const hostPort = Number(m[2]);
+		for (const [label, p] of [["listener", listenerPort], ["host", hostPort]]) if (p < 1 || p > 65535) throw new LocalStartServiceError(`Invalid --lb-port '${raw}': ${label} port must be 1-65535.`);
+		out[listenerPort] = hostPort;
+	}
+	return out;
+}
+/**
+* Resolve an ALB target string (`Stack/Path` display path or `Stack:LogicalId`)
+* to its stack + `AWS::ElasticLoadBalancingV2::LoadBalancer` logical id. Mirrors
+* the ECS service resolver's target grammar.
+*/
+function resolveAlbTarget(target, stacks) {
+	if (stacks.length === 0) throw new LocalStartServiceError("No stacks found in the synthesized assembly.");
+	const parsed = parseEcsTarget(target);
+	const stack = pickStack(parsed.stackPattern, stacks, target);
+	const resources = stack.template.Resources ?? {};
+	if (parsed.isPath) {
+		const index = buildCdkPathIndex(stack.template);
+		const albs = resolveCdkPathToLogicalIds(parsed.pathOrId, index).filter(({ logicalId }) => {
+			const r = resources[logicalId];
+			return r !== void 0 && isApplicationLoadBalancer(r);
+		});
+		if (albs.length === 0) throw notFound(target, stack, resources);
+		if (albs.length > 1) throw new LocalStartServiceError(`Target '${target}' matches ${albs.length} load balancers in ${stack.stackName}: ${albs.map((a) => a.logicalId).join(", ")}. Refine the path or use the stack:LogicalId form.`);
+		return {
+			stack,
+			albLogicalId: albs[0].logicalId
+		};
+	}
+	const res = resources[parsed.pathOrId];
+	if (!res || !isApplicationLoadBalancer(res)) throw notFound(target, stack, resources);
+	return {
+		stack,
+		albLogicalId: parsed.pathOrId
+	};
+}
+function pickStack(stackPattern, stacks, target) {
+	if (stackPattern === null) {
+		if (stacks.length === 1) return stacks[0];
+		throw new LocalStartServiceError(`Target '${target}' has no stack prefix, and the assembly contains ${stacks.length} stacks: ${stacks.map((s) => s.stackName).join(", ")}. Pass it as 'Stack/Path' or 'Stack:LogicalId'.`);
+	}
+	const matched = matchStacks(stacks, [stackPattern]);
+	if (matched.length === 0) throw new LocalStartServiceError(`No stack matches '${stackPattern}'. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
+	if (matched.length > 1) throw new LocalStartServiceError(`Multiple stacks match '${stackPattern}': ${matched.map((s) => s.stackName).join(", ")}. Refine the pattern.`);
+	return matched[0];
+}
+function notFound(target, stack, resources) {
+	const albs = Object.entries(resources).filter(([, r]) => r.Type === "AWS::ElasticLoadBalancingV2::LoadBalancer").map(([logicalId]) => logicalId);
+	const available = albs.length > 0 ? ` Available load balancers in ${stack.stackName}: ${albs.join(", ")}.` : ` ${stack.stackName} declares no AWS::ElasticLoadBalancingV2::LoadBalancer resources.`;
+	return new LocalStartServiceError(`Target '${target}' did not match an application Load Balancer in ${stack.stackName}.${available}`);
+}
+/**
+* `cdkl start-alb` strategy — name the ALB, boot the ECS service(s) behind it,
+* and expose each listener via a local front-door. Mirrors how `start-api`
+* names the API and serves its backing Lambdas.
+*/
+function albStrategy(options) {
+	return {
+		pickEntries: (stacks) => listTargets(stacks).loadBalancers,
+		pickerMessage: "Select one or more Application Load Balancers to run",
+		pickerNoun: "Application Load Balancers",
+		onMissing: () => new LocalStartServiceError(`${getEmbedConfig().cliName} start-alb requires at least one <target>. Pass one or more ALB paths like 'Stack/MyAlb', or run it in a TTY to pick interactively.`),
+		resolveBoots: (stacks, chosenTargets) => {
+			const byServiceTarget = /* @__PURE__ */ new Map();
+			const warnings = [];
+			for (const albTarget of chosenTargets) {
+				const { stack, albLogicalId } = resolveAlbTarget(albTarget, stacks);
+				const resolution = resolveAlbFrontDoor(stack, albLogicalId);
+				warnings.push(...resolution.warnings);
+				for (const svc of resolution.services) {
+					const target = `${stack.stackName}:${svc.serviceLogicalId}`;
+					const existing = byServiceTarget.get(target);
+					if (existing) existing.frontDoorTargets.push(...svc.targets);
+					else byServiceTarget.set(target, {
+						target,
+						frontDoorTargets: [...svc.targets]
+					});
+				}
+			}
+			return {
+				boots: [...byServiceTarget.values()],
+				warnings
+			};
+		},
+		lbPortOverrides: parseLbPortOverrides(options.lbPort)
+	};
+}
+/**
+* `cdkl start-alb <Stack/Alb>` — Issue #86 v1. Names an
+* `AWS::ElasticLoadBalancingV2::LoadBalancer`, discovers the ECS service(s)
+* behind its HTTP `forward` listeners, boots their replicas, and stands up a
+* local front-door on each listener port that round-robins across the replicas.
+* The symmetric ALB counterpart of `start-api`.
+*/
+function createLocalStartAlbCommand(opts = {}) {
+	setEmbedConfig(opts.embedConfig);
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP forward listeners and stands up a local front-door on each listener port that round-robins across the running replicas — a single stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. v1 supports a single default-action forward to an HTTP listener; HTTPS listeners and Lambda target groups are skipped with a warning, and listener-rule routing is tracked separately. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
+		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
+	})));
+}
+
 //#endregion
 //#region src/cli/commands/local-list.ts
 async function localListCommand(options) {
@@ -20265,14 +20944,15 @@ async function localListCommand(options) {
 * without running synthesis.
 */
 function formatTargetListing(listing, cliName, options = {}) {
-	if (countTargets(listing) === 0) return `No runnable targets (Lambda functions, APIs, ECS services / tasks, AgentCore Runtimes) found in this CDK app.`;
+	if (countTargets(listing) === 0) return `No runnable targets (Lambda functions, APIs, ECS services / tasks, AgentCore Runtimes, load balancers) found in this CDK app.`;
 	const long = options.long ?? false;
 	return "\n" + [
 		formatSection("Lambda Functions", `${cliName} invoke <target>`, listing.lambdas, long),
 		formatSection("APIs", `${cliName} start-api [target...]`, listing.apis, long),
 		formatSection("ECS Services", `${cliName} start-service <target...>`, listing.ecsServices, long),
 		formatSection("ECS Task Definitions", `${cliName} run-task <target>`, listing.ecsTaskDefinitions, long),
-		formatSection("AgentCore Runtimes", `${cliName} invoke-agentcore <target>`, listing.agentCoreRuntimes, long)
+		formatSection("AgentCore Runtimes", `${cliName} invoke-agentcore <target>`, listing.agentCoreRuntimes, long),
+		formatSection("Application Load Balancers", `${cliName} start-alb <target...>`, listing.loadBalancers, long)
 	].filter((lines) => lines.length > 0).map((lines) => lines.join("\n")).join("\n\n");
 }
 function formatSection(title, command, entries, long) {
@@ -20287,7 +20967,7 @@ function formatSection(title, command, entries, long) {
 }
 function createLocalListCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	const cmd = new Command("list").alias("ls").description("List the runnable targets in the synthesized CDK app, grouped by the command that runs them: Lambda functions (invoke), API Gateway REST v1 / HTTP v2 / Function URL / WebSocket surfaces (start-api), ECS services (start-service), ECS task definitions (run-task), and AgentCore Runtimes (invoke-agentcore). Each target is shown by its CDK display path; pass -l to also print the stack-qualified logical ID. Tip: you usually do not need to copy these — just run the command (e.g. `invoke`) with no target in a terminal and pick from the list.").addOption(new Option("-l, --long", "Also print each target's stack-qualified logical ID (<Stack>:<LogicalId>) beneath it").default(false)).action(withErrorHandling(async (options) => {
+	const cmd = new Command("list").alias("ls").description("List the runnable targets in the synthesized CDK app, grouped by the command that runs them: Lambda functions (invoke), API Gateway REST v1 / HTTP v2 / Function URL / WebSocket surfaces (start-api), ECS services (start-service), ECS task definitions (run-task), AgentCore Runtimes (invoke-agentcore), and Application Load Balancers (start-alb). Each target is shown by its CDK display path; pass -l to also print the stack-qualified logical ID. Tip: you usually do not need to copy these — just run the command (e.g. `invoke`) with no target in a terminal and pick from the list.").addOption(new Option("-l, --long", "Also print each target's stack-qualified logical ID (<Stack>:<LogicalId>) beneath it").default(false)).action(withErrorHandling(async (options) => {
 		await localListCommand(options);
 	}));
 	[
@@ -20300,5 +20980,5 @@ function createLocalListCommand(opts = {}) {
 }
 
 //#endregion
-export { bufferToBody as $, buildMethodArn as A, CfnLocalStateProvider as At, matchPreflight as B, pickRefLogicalId as Bt, resolveServiceIntegrationParameters as C, LocalStateSourceError as Ct, createJwksCache as D, resolveCfnFallbackRegion as Dt, buildJwksUrlFromIssuer as E, rejectExplicitCfnStackWithMultipleStacks as Et, attachAuthorizers as F, listTargets as Ft, buildRestV1Event as G, resolveAgentCoreTarget as Gt, translateLambdaResponse as H, AGENTCORE_HTTP_PROTOCOL as Ht, applyCorsResponseHeaders as I, discoverWebSocketApis as It, selectIntegrationResponse as J, tryResolveImageFnJoin as Jt, evaluateResponseParameters as K, derivePseudoParametersFromRegion as Kt, buildCorsConfigByApiId as L, discoverWebSocketApisOrThrow as Lt, evaluateCachedLambdaPolicy as M, resolveSsmParameters as Mt, invokeRequestAuthorizer as N, resolveWatchConfig as Nt, verifyCognitoJwt as O, resolveCfnRegion as Ot, invokeTokenAuthorizer as P, countTargets as Pt, probeHostGatewaySupport as Q, buildCorsConfigFromCloudFrontChain as R, parseSelectionExpressionPath as Rt, resolveSelectionExpression as S, materializeLayerFromArn as St, buildCognitoJwksUrl as T, isCfnFlagPresent as Tt, applyAuthorizerOverlay as U, AGENTCORE_RUNTIME_TYPE as Ut, matchRoute as V, resolveLambdaArnIntrinsic as Vt, buildHttpApiV2Event as W, AgentCoreResolutionError as Wt, VtlEvaluationError as X, tryParseStatus as Y, LocalInvokeBuildError as Yt, HOST_GATEWAY_MIN_VERSION as Z, filterRoutesByApiIdentifier as _, substituteAgainstState as _t, CloudMapRegistry as a, buildDisconnectEvent as at, readMtlsMaterialsFromDisk as b, substituteEnvVarsFromStateAsync as bt, createLocalInvokeAgentCoreCommand as c, invokeAgentCore as ct, resolveApiTargetSubset as d, architectureToPlatform as dt, ConnectionRegistry as et, createAuthorizerCache as f, buildContainerImage as ft, availableApiIdentifiers as g, EcsTaskResolutionError as gt, buildStageMap as h, resolveRuntimeImage as ht, buildCloudMapIndex as i, buildConnectEvent as it, computeRequestIdentityHash as j, collectSsmParameterRefs as jt, verifyJwtAuthorizer as k, resolveCfnStackName as kt, createLocalStartApiCommand as l, waitForAgentCorePing as lt, attachStageContext as m, resolveRuntimeFileExtension as mt, formatTargetListing as n, handleConnectionsRequest as nt, getContainerNetworkIp as o, buildMessageEvent as ot, createFileWatcher as p, resolveRuntimeCodeMountPath as pt, pickResponseTemplate as q, substituteImagePlaceholders as qt, createLocalStartServiceCommand as r, parseConnectionsPath as rt, createLocalRunTaskCommand as s, AGENTCORE_SESSION_ID_HEADER as st, createLocalListCommand as t, buildMgmtEndpointEnvUrl as tt, createWatchPredicates as u, createLocalInvokeCommand as ut, filterRoutesByApiIdentifiers as v, substituteAgainstStateAsync as vt, defaultCredentialsLoader as w, createLocalStateProvider as wt, startApiServer as x, resolveEnvVars as xt, groupRoutesByServer as y, substituteEnvVarsFromState as yt, isFunctionUrlOacFronted as z, discoverRoutes as zt };
-//# sourceMappingURL=local-list-D1MAmo5o.js.map
+export { probeHostGatewaySupport as $, verifyJwtAuthorizer as A, resolveCfnStackName as At, isFunctionUrlOacFronted as B, discoverRoutes as Bt, resolveSelectionExpression as C, materializeLayerFromArn as Ct, buildJwksUrlFromIssuer as D, rejectExplicitCfnStackWithMultipleStacks as Dt, buildCognitoJwksUrl as E, isCfnFlagPresent as Et, invokeTokenAuthorizer as F, countTargets as Ft, buildHttpApiV2Event as G, AgentCoreResolutionError as Gt, matchRoute as H, resolveLambdaArnIntrinsic as Ht, attachAuthorizers as I, listTargets as It, pickResponseTemplate as J, substituteImagePlaceholders as Jt, buildRestV1Event as K, resolveAgentCoreTarget as Kt, applyCorsResponseHeaders as L, discoverWebSocketApis as Lt, computeRequestIdentityHash as M, collectSsmParameterRefs as Mt, evaluateCachedLambdaPolicy as N, resolveSsmParameters as Nt, createJwksCache as O, resolveCfnFallbackRegion as Ot, invokeRequestAuthorizer as P, resolveWatchConfig as Pt, HOST_GATEWAY_MIN_VERSION as Q, buildCorsConfigByApiId as R, discoverWebSocketApisOrThrow as Rt, startApiServer as S, resolveEnvVars as St, defaultCredentialsLoader as T, createLocalStateProvider as Tt, translateLambdaResponse as U, AGENTCORE_HTTP_PROTOCOL as Ut, matchPreflight as V, pickRefLogicalId as Vt, applyAuthorizerOverlay as W, AGENTCORE_RUNTIME_TYPE as Wt, tryParseStatus as X, LocalInvokeBuildError as Xt, selectIntegrationResponse as Y, tryResolveImageFnJoin as Yt, VtlEvaluationError as Z, availableApiIdentifiers as _, EcsTaskResolutionError as _t, buildCloudMapIndex as a, buildConnectEvent as at, groupRoutesByServer as b, substituteEnvVarsFromState as bt, createLocalRunTaskCommand as c, AGENTCORE_SESSION_ID_HEADER as ct, createWatchPredicates as d, createLocalInvokeCommand as dt, bufferToBody as et, resolveApiTargetSubset as f, architectureToPlatform as ft, buildStageMap as g, resolveRuntimeImage as gt, attachStageContext as h, resolveRuntimeFileExtension as ht, createLocalStartServiceCommand as i, parseConnectionsPath as it, buildMethodArn as j, CfnLocalStateProvider as jt, verifyCognitoJwt as k, resolveCfnRegion as kt, createLocalInvokeAgentCoreCommand as l, invokeAgentCore as lt, createFileWatcher as m, resolveRuntimeCodeMountPath as mt, formatTargetListing as n, buildMgmtEndpointEnvUrl as nt, CloudMapRegistry as o, buildDisconnectEvent as ot, createAuthorizerCache as p, buildContainerImage as pt, evaluateResponseParameters as q, derivePseudoParametersFromRegion as qt, createLocalStartAlbCommand as r, handleConnectionsRequest as rt, getContainerNetworkIp as s, buildMessageEvent as st, createLocalListCommand as t, ConnectionRegistry as tt, createLocalStartApiCommand as u, waitForAgentCorePing as ut, filterRoutesByApiIdentifier as v, substituteAgainstState as vt, resolveServiceIntegrationParameters as w, LocalStateSourceError as wt, readMtlsMaterialsFromDisk as x, substituteEnvVarsFromStateAsync as xt, filterRoutesByApiIdentifiers as y, substituteAgainstStateAsync as yt, buildCorsConfigFromCloudFrontChain as z, parseSelectionExpressionPath as zt };
+//# sourceMappingURL=local-list-Dklrlnu1.js.map