cdk-local 0.38.0 → 0.40.0

package/dist/{local-list-CVAyM_lE.js → local-list-DDsa8FJV.js}

@@ -3036,10 +3036,10 @@ function listTargets(stacks) {
 		loadBalancers: sortEntries(scanApplicationLoadBalancers(stacks))
 	};
 }
-const pathOf = (e) => e.displayPath ?? e.qualifiedId;
+const pathOf$1 = (e) => e.displayPath ?? e.qualifiedId;
 /** Stable, human-readable ordering: by display path, falling back to the qualified ID. */
 function sortEntries(entries) {
-	return [...entries].sort((a, b) => pathOf(a).localeCompare(pathOf(b)));
+	return [...entries].sort((a, b) => pathOf$1(a).localeCompare(pathOf$1(b)));
 }
 /** Display order for API surface kinds; entries are grouped in this order. */
 const API_KIND_ORDER = [
@@ -3060,7 +3060,7 @@ function sortApiEntries(entries) {
 		const ka = API_KIND_ORDER.indexOf(a.kind ?? "");
 		const kb = API_KIND_ORDER.indexOf(b.kind ?? "");
 		if (ka !== kb) return ka - kb;
-		return pathOf(a).localeCompare(pathOf(b));
+		return pathOf$1(a).localeCompare(pathOf$1(b));
 	});
 }
 /** Total number of targets across every category. */
@@ -8232,10 +8232,12 @@ function isTransientNetworkError(err) {
 }
 /**
 * POST the event body to the agent's `/invocations` endpoint with the
-* session-id header and a JSON content type. Returns the raw response body
-* (JSON or SSE) together with its status + content type — the command
-* prints it verbatim, so both the non-streaming JSON and streaming SSE
-* shapes pass through unchanged.
+* session-id header and a JSON content type, then return the response.
+*
+* A `text/event-stream` response is streamed incrementally through
+* `options.onChunk` (when given) so the user sees tokens as they arrive — the
+* result is then `streamed: true` with an empty `raw`. Any other response (or
+* a missing sink) is buffered into `raw` and returned verbatim.
 */
 async function invokeAgentCore(host, port, event, options) {
 	const url = `http://${host}:${port}${INVOCATIONS_PATH}`;
@@ -8254,11 +8256,22 @@ async function invokeAgentCore(host, port, event, options) {
 			body,
 			signal: controller.signal
 		});
+		const contentType = response.headers.get("content-type");
+		if ((contentType ?? "").includes("text/event-stream") && options.onChunk && response.body) {
+			await streamBody(response.body, options.onChunk);
+			return {
+				status: response.status,
+				contentType,
+				raw: "",
+				streamed: true
+			};
+		}
 		const raw = await response.text();
 		return {
 			status: response.status,
-			contentType: response.headers.get("content-type"),
-			raw
+			contentType,
+			raw,
+			streamed: false
 		};
 	} catch (err) {
 		if (err.name === "AbortError") throw new Error(`AgentCore invoke at ${url} timed out after ${options.timeoutMs}ms. The agent may be hung; check container logs.`);
@@ -8267,6 +8280,30 @@ async function invokeAgentCore(host, port, event, options) {
 		clearTimeout(timer);
 	}
 }
+/**
+* Decode a response body stream to UTF-8 text and push each chunk to `onChunk`
+* as it arrives. Uses the reader API (portable across Node versions) and a
+* streaming TextDecoder so a multi-byte char split across chunk boundaries is
+* not corrupted.
+*/
+async function streamBody(body, onChunk) {
+	const reader = body.getReader();
+	const decoder = new TextDecoder();
+	try {
+		for (;;) {
+			const { done, value } = await reader.read();
+			if (done) break;
+			if (value) {
+				const text = decoder.decode(value, { stream: true });
+				if (text) onChunk(text);
+			}
+		}
+		const tail = decoder.decode();
+		if (tail) onChunk(tail);
+	} finally {
+		reader.releaseLock();
+	}
+}
 
 //#endregion
 //#region src/local/cors-handler.ts
@@ -17320,6 +17357,7 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 		const result = await invokeAgentCore(containerHost, hostPort, event, {
 			sessionId,
 			timeoutMs: 12e4,
+			onChunk: (text) => process.stdout.write(text),
 			...authorization && { authorization }
 		});
 		await new Promise((r) => setTimeout(r, 250));
@@ -17496,6 +17534,10 @@ function emitResult(result) {
 		logger.warn(`Agent /invocations returned HTTP ${result.status}.`);
 		process.exitCode = 1;
 	}
+	if (result.streamed) {
+		process.stdout.write("\n");
+		return;
+	}
 	process.stdout.write(`${result.raw}\n`);
 }
 /** Map a `--platform` value to the architecture `buildContainerImage` expects. */
@@ -20188,9 +20230,15 @@ async function startFrontDoorServer(opts) {
 }
 function handleProxyRequest(req, res, opts) {
 	return new Promise((resolve) => {
-		const endpoint = opts.pool.next();
+		const pool = opts.selectPool(req.url ?? "/");
+		if (!pool) {
+			writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
+			resolve();
+			return;
+		}
+		const endpoint = pool.next();
 		if (!endpoint) {
-			writeError(res, 503, `No running replicas for service '${opts.serviceName}'. The front-door has no healthy target to forward to.`);
+			writeError(res, 503, `No running replicas behind ${opts.label} for the matched target. The front-door has no healthy target to forward to.`);
 			resolve();
 			return;
 		}
@@ -20201,6 +20249,7 @@ function handleProxyRequest(req, res, opts) {
 			resolve();
 		};
 		const headers = { ...req.headers };
+		stripHopByHopHeaders(headers);
 		appendForwardedHeaders(headers, req, opts.listenerPort);
 		const proxyReq = request({
 			host: endpoint.host,
@@ -20209,7 +20258,9 @@ function handleProxyRequest(req, res, opts) {
 			path: req.url,
 			headers
 		}, (proxyRes) => {
-			res.writeHead(proxyRes.statusCode ?? 502, proxyRes.headers);
+			const resHeaders = { ...proxyRes.headers };
+			stripHopByHopHeaders(resHeaders);
+			res.writeHead(proxyRes.statusCode ?? 502, resHeaders);
 			proxyRes.pipe(res);
 			proxyRes.on("end", done);
 			proxyRes.on("error", () => {
@@ -20218,13 +20269,13 @@ function handleProxyRequest(req, res, opts) {
 			});
 		});
 		proxyReq.setTimeout(opts.upstreamTimeoutMs ?? 3e4, () => {
-			if (!res.headersSent) writeError(res, 504, `Replica ${endpoint.host}:${endpoint.port} for service '${opts.serviceName}' did not respond in time.`);
+			if (!res.headersSent) writeError(res, 504, `Replica ${endpoint.host}:${endpoint.port} behind ${opts.label} did not respond in time.`);
 			else if (!res.writableEnded) res.destroy();
 			proxyReq.destroy();
 			done();
 		});
 		proxyReq.on("error", () => {
-			if (!res.headersSent) writeError(res, 502, `Failed to reach replica ${endpoint.host}:${endpoint.port} for service '${opts.serviceName}'.`);
+			if (!res.headersSent) writeError(res, 502, `Failed to reach replica ${endpoint.host}:${endpoint.port} behind ${opts.label}.`);
 			else if (!res.writableEnded) res.destroy();
 			done();
 		});
@@ -20234,6 +20285,33 @@ function handleProxyRequest(req, res, opts) {
 		req.pipe(proxyReq);
 	});
 }
+/** Standard hop-by-hop headers (RFC 7230 §6.1) — a proxy must not forward these. */
+const HOP_BY_HOP_HEADERS = [
+	"connection",
+	"keep-alive",
+	"proxy-authenticate",
+	"proxy-authorization",
+	"te",
+	"trailer",
+	"transfer-encoding",
+	"upgrade"
+];
+/**
+* Strip hop-by-hop headers before relaying a request to / a response from the
+* upstream, mirroring what a real ALB does. Forwarding the upstream's
+* `Transfer-Encoding` / `Connection` verbatim while Node re-frames the body can
+* produce a malformed response; the headers named in a `Connection` token list
+* are also hop-by-hop and removed. Mutates `headers` in place.
+*/
+function stripHopByHopHeaders(headers) {
+	const connection = headers["connection"];
+	const connectionValue = Array.isArray(connection) ? connection.join(",") : connection;
+	if (connectionValue) for (const token of connectionValue.split(",")) {
+		const name = token.trim().toLowerCase();
+		if (name) delete headers[name];
+	}
+	for (const name of HOP_BY_HOP_HEADERS) delete headers[name];
+}
 /**
 * Inject the ALB-style forwarding headers a downstream app may read. Appends
 * the client IP to any existing `X-Forwarded-For` chain (ALB appends rather
@@ -20252,6 +20330,49 @@ function writeError(res, statusCode, message) {
 	res.end(`${message}\n`);
 }
 
+//#endregion
+//#region src/local/alb-path-matcher.ts
+/**
+* Return the target of the highest-priority rule whose `path-pattern` matches
+* `requestPath`, or `undefined` when none match (caller uses the default).
+* Rules are evaluated in ascending priority; the input order is irrelevant.
+*/
+function matchAlbPathRule(requestPath, rules) {
+	const path = pathOf(requestPath);
+	const ordered = [...rules].sort((a, b) => a.priority - b.priority);
+	for (const rule of ordered) if (rule.pathPatterns.some((pattern) => albPathPatternMatches(pattern, path))) return rule.target;
+}
+/**
+* Whether a single ALB `path-pattern` value matches a request path. The path
+* must already be query-stripped, or pass a raw URL and it is stripped here.
+*/
+function albPathPatternMatches(pattern, requestPath) {
+	return globToRegExp(pattern).test(pathOf(requestPath));
+}
+/** Strip the query string / fragment so only the URL path is matched. */
+function pathOf(url) {
+	let end = url.length;
+	const q = url.indexOf("?");
+	if (q !== -1) end = q;
+	const h = url.indexOf("#");
+	if (h !== -1 && h < end) end = h;
+	return url.slice(0, end);
+}
+const REGEXP_META = /[.+^${}()|[\]\\]/;
+/**
+* Translate an ALB path-pattern glob into an anchored, case-sensitive RegExp:
+* `*` -> `.*`, `?` -> `.`, every other character is escaped and matched
+* literally.
+*/
+function globToRegExp(pattern) {
+	let body = "";
+	for (const ch of pattern) if (ch === "*") body += ".*";
+	else if (ch === "?") body += ".";
+	else if (REGEXP_META.test(ch)) body += `\\${ch}`;
+	else body += ch;
+	return new RegExp(`^${body}$`);
+}
+
 //#endregion
 //#region src/cli/commands/ecs-service-emulator.ts
 /**
@@ -20270,6 +20391,8 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 	let sigintCount = 0;
 	let sharedNetwork;
 	let profileCredsFile;
+	let frontDoorServers = [];
+	let frontDoorByService = /* @__PURE__ */ new Map();
 	const cleanup = singleFlight(async () => {
 		await Promise.allSettled(perTarget.map(async (pt) => {
 			if (pt.controller) await pt.controller.shutdown();
@@ -20277,8 +20400,9 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 				await Promise.allSettled(pt.runState.replicas.map((r) => r.inFlightBoot).filter((p) => p !== void 0));
 				await Promise.allSettled(pt.runState.replicas.map((r) => cleanupEcsRun(r.state, { keepRunning: false }).catch(() => void 0)));
 			}
-			await Promise.allSettled((pt.frontDoorServers ?? []).map((s) => s.close().catch((err) => getLogger().warn(`front-door server teardown failed: ${err instanceof Error ? err.message : String(err)}`))));
 		}));
+		await Promise.allSettled(frontDoorServers.map((s) => s.close().catch((err) => getLogger().warn(`front-door server teardown failed: ${err instanceof Error ? err.message : String(err)}`))));
+		frontDoorServers = [];
 		if (profileCredsFile) {
 			try {
 				await profileCredsFile.dispose();
@@ -20321,7 +20445,7 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 			noun: strategy.pickerNoun,
 			onMissing: () => strategy.onMissing()
 		});
-		const { boots, warnings } = strategy.resolveBoots(stacks, resolvedTargets);
+		const { boots, frontDoor, warnings } = strategy.resolveBoots(stacks, resolvedTargets);
 		for (const w of warnings) logger.warn(w);
 		if (boots.length === 0) throw new LocalStartServiceError(`No runnable ECS service resolved from ${resolvedTargets.join(", ")}.`);
 		rejectExplicitCfnStackWithMultipleStacks(options, boots.length);
@@ -20353,6 +20477,11 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 			cloudMapIndexByStack,
 			sharedNetwork
 		};
+		if (frontDoor && frontDoor.listeners.length > 0) {
+			const built = await buildFrontDoor(frontDoor, options.containerHost, logger);
+			frontDoorServers = built.servers;
+			frontDoorByService = built.frontDoorByService;
+		}
 		sigintHandler = () => {
 			sigintCount += 1;
 			if (sigintCount >= 2) {
@@ -20364,11 +20493,7 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 		};
 		process.on("SIGINT", sigintHandler);
 		process.on("SIGTERM", sigintHandler);
-		for (const pt of perTarget) {
-			const booted = await bootOneTarget(pt.boot, pt.runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile, strategy.lbPortOverrides);
-			pt.controller = booted.controller;
-			pt.frontDoorServers = booted.frontDoorServers;
-		}
+		for (const pt of perTarget) pt.controller = await bootOneTarget(pt.boot, pt.runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile, frontDoorByService.get(pt.boot.target));
 		const summary = perTarget.map((pt) => `${pt.controller.service.serviceName} (${pt.controller.activeReplicaCount()} replica(s))`).join(", ");
 		logger.info(`Service(s) running: ${summary}.`);
 		logger.info("Press ^C to shut down.");
@@ -20381,16 +20506,16 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 		await cleanup();
 	}
 }
-async function bootOneTarget(boot, runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile, lbPortOverrides) {
+async function bootOneTarget(boot, runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile, frontDoorPools) {
 	const candidate = pickCandidateStack(parseEcsTarget(boot.target).stackPattern, stacks);
 	const stateProvider = createLocalStateProvider(options, candidate?.stackName ?? "", await resolveCfnFallbackRegion(options, candidate?.region), extraStateProviders);
 	try {
-		return await runOneTarget(boot, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile, lbPortOverrides);
+		return await runOneTarget(boot, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile, frontDoorPools);
 	} finally {
 		if (stateProvider) stateProvider.dispose();
 	}
 }
-async function runOneTarget(boot, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile, lbPortOverrides) {
+async function runOneTarget(boot, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile, frontDoorPools) {
 	const logger = getLogger();
 	const target = boot.target;
 	const imageContext = await buildEcsImageResolutionContext(target, stacks, options, stateProvider);
@@ -20446,73 +20571,89 @@ async function runOneTarget(boot, runState, stacks, options, discovery, skipPull
 		containerPath: profileCredsFile.containerPath,
 		profileName: profileCredsFile.profileName
 	};
-	const { frontDoorContext, frontDoorServers } = await startFrontDoorServers(boot.frontDoorTargets, service, options.containerHost, lbPortOverrides, logger);
-	const runnerOpts = {
+	return startEcsService(service, {
 		maxTasks: options.maxTasks,
 		restartPolicy: options.restartPolicy,
 		taskOptions: taskOpts,
 		discovery,
-		...frontDoorContext ? { frontDoor: frontDoorContext } : {}
-	};
-	let controller;
-	try {
-		controller = await startEcsService(service, runnerOpts, runState);
-	} catch (err) {
-		await Promise.allSettled(frontDoorServers.map((s) => s.close()));
-		throw err;
-	}
-	return {
-		controller,
-		frontDoorServers
-	};
+		...frontDoorPools && frontDoorPools.length > 0 ? { frontDoor: { pools: frontDoorPools } } : {}
+	}, runState);
 }
 /**
-* Issue #86 v1 — stand up one host-side reverse-proxy server per resolved
-* front-door listener and return the {@link FrontDoorRunnerContext} to thread
-* into the runner (so each replica publishes + registers its ephemeral
-* endpoint), plus the started servers for teardown. Pure front-door MECHANISM:
-* the ALB-specific resolution that produced `frontDoorTargets` lives in the
-* `start-alb` command. Returns an undefined context + empty servers when there
-* are no front-door targets (the pure-compute path).
+* Stand up one host-side reverse-proxy server PER LISTENER PORT from the
+* resolved {@link FrontDoorPlan}, path-routing each request across the services
+* the listener fronts, and return the started servers (for teardown) plus a
+* per-service-target pool list to thread into each service's runner (so every
+* replica publishes + registers its ephemeral endpoint into the right pool).
+*
+* One `FrontDoorEndpointPool` is created per distinct (service, container,
+* port) forward target and SHARED between the listener's routing table and the
+* owning service's runner context — same object on both sides, so a replica
+* registering itself is immediately reachable through the front-door.
 *
 * On a bind failure (e.g. EACCES on a privileged listener port, or the port is
 * already in use) every server started so far is closed and the error is
 * re-thrown with a `--lb-port` hint.
 */
-async function startFrontDoorServers(frontDoorTargets, service, containerHost, lbPortOverrides, logger) {
-	if (frontDoorTargets.length === 0) return {
-		frontDoorContext: void 0,
-		frontDoorServers: []
+async function buildFrontDoor(plan, containerHost, logger) {
+	const servers = [];
+	const registry = /* @__PURE__ */ new Map();
+	const poolFor = (t) => {
+		const key = `${t.serviceTarget} ${t.targetContainerName} ${t.targetContainerPort}`;
+		let entry = registry.get(key);
+		if (!entry) {
+			entry = {
+				pool: new FrontDoorEndpointPool(),
+				target: t
+			};
+			registry.set(key, entry);
+		}
+		return entry.pool;
 	};
-	const frontDoorServers = [];
-	const pools = [];
 	try {
-		for (const t of frontDoorTargets) {
-			const pool = new FrontDoorEndpointPool();
+		for (const listener of plan.listeners) {
+			const defaultPool = listener.defaultTarget ? poolFor(listener.defaultTarget) : void 0;
+			const ruleRoutes = listener.rules.map((r) => ({
+				priority: r.priority,
+				pathPatterns: r.pathPatterns,
+				target: poolFor(r.target)
+			}));
+			const selectPool = (requestPath) => matchAlbPathRule(requestPath, ruleRoutes) ?? defaultPool;
 			const server = await startFrontDoorServer({
-				pool,
-				port: lbPortOverrides[t.listenerPort] ?? t.listenerPort,
+				selectPool,
+				port: listener.hostPort,
 				host: containerHost,
-				listenerPort: t.listenerPort,
-				serviceName: service.serviceName
+				listenerPort: listener.listenerPort,
+				label: `listener port ${listener.listenerPort}`
 			});
-			frontDoorServers.push(server);
-			pools.push({
-				pool,
-				targetContainerName: t.targetContainerName,
-				targetContainerPort: t.targetContainerPort
-			});
-			logger.info(`ALB front-door: http://${server.host}:${server.port} -> ${service.serviceName} (listener port ${t.listenerPort} -> container ${t.targetContainerName}:${t.targetContainerPort}, round-robin across replicas)`);
+			servers.push(server);
+			logger.info(`ALB front-door: http://${server.host}:${server.port} (listener port ${listener.listenerPort})`);
+			if (listener.defaultTarget) logger.info(`  default -> ${describeTarget(listener.defaultTarget)} (round-robin)`);
+			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  path ${r.pathPatterns.join(", ")} (priority ${r.priority}) -> ${describeTarget(r.target)}`);
+			if (!listener.defaultTarget) logger.info("  (no default action: unmatched paths return 404)");
 		}
 	} catch (err) {
-		await Promise.allSettled(frontDoorServers.map((s) => s.close()));
-		throw new LocalStartServiceError(`Failed to start ALB front-door for service '${service.serviceName}': ${err instanceof Error ? err.message : String(err)}. If the listener port is privileged (< 1024), remap it to a non-privileged host port with --lb-port <listenerPort>=<hostPort> (e.g. --lb-port 80=8080).`);
+		await Promise.allSettled(servers.map((s) => s.close()));
+		throw new LocalStartServiceError(`Failed to start ALB front-door: ${err instanceof Error ? err.message : String(err)}. If a listener port is privileged (< 1024), remap it to a non-privileged host port with --lb-port <listenerPort>=<hostPort> (e.g. --lb-port 80=8080).`);
+	}
+	const frontDoorByService = /* @__PURE__ */ new Map();
+	for (const { pool, target } of registry.values()) {
+		const list = frontDoorByService.get(target.serviceTarget) ?? [];
+		list.push({
+			pool,
+			targetContainerName: target.targetContainerName,
+			targetContainerPort: target.targetContainerPort
+		});
+		frontDoorByService.set(target.serviceTarget, list);
 	}
 	return {
-		frontDoorContext: { pools },
-		frontDoorServers
+		servers,
+		frontDoorByService
 	};
 }
+function describeTarget(t) {
+	return `${t.serviceTarget} (container ${t.targetContainerName}:${t.targetContainerPort})`;
+}
 async function resolvePlaceholderAccount(arn, region) {
 	if (!arn.includes("${AWS::AccountId}")) return arn;
 	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
@@ -20687,10 +20828,7 @@ function serviceStrategy() {
 		pickerNoun: "ECS services",
 		onMissing: () => new LocalStartServiceError(`${getEmbedConfig().cliName} start-service requires at least one <target>. Pass one or more service paths like 'Stack/Orders' 'Stack/Frontend', or run it in a TTY to pick interactively.`),
 		resolveBoots: (_stacks, chosenTargets) => ({
-			boots: chosenTargets.map((target) => ({
-				target,
-				frontDoorTargets: []
-			})),
+			boots: chosenTargets.map((target) => ({ target })),
 			warnings: []
 		}),
 		lbPortOverrides: {}
@@ -20713,47 +20851,57 @@ function createLocalStartServiceCommand(opts = {}) {
 //#endregion
 //#region src/local/elb-front-door-resolver.ts
 /**
-* Issue #86 v1 — resolve an `AWS::ElasticLoadBalancingV2::LoadBalancer` (an
-* ALB) into the backing ECS service(s) and the host listener port(s) a local
-* front-door should expose for each. This is the `cdkl start-alb` entry: you
-* name the ALB, and cdk-local discovers the services behind it (mirroring how
-* `start-api` names the API and discovers the backing Lambdas).
+* Resolve an `AWS::ElasticLoadBalancingV2::LoadBalancer` (an ALB) into the
+* backing ECS service(s) and the host listener port(s) a local front-door
+* should expose. This is the `cdkl start-alb` entry: you name the ALB, and
+* cdk-local discovers the services behind it (mirroring how `start-api` names
+* the API and discovers the backing Lambdas).
 *
 * The synthesized linkage (confirmed against real `cdk synth` of
-* `ApplicationLoadBalancedFargateService`):
+* `ApplicationLoadBalancedFargateService` + an `addAction` path rule):
 *
 * ```
 * ElasticLoadBalancingV2::LoadBalancer  (the ALB you name)
 * ElasticLoadBalancingV2::Listener      : { LoadBalancerArn:{Ref:<ALB>}, Port, Protocol,
 *     DefaultActions:[{ Type:"forward", TargetGroupArn:{Ref:<TG>} }] }
+* ElasticLoadBalancingV2::ListenerRule  : { ListenerArn:{Ref:<Listener>}, Priority,
+*     Conditions:[{ Field:"path-pattern", PathPatternConfig:{ Values:["/api/*"] } }],
+*     Actions:[{ Type:"forward", TargetGroupArn:{Ref:<TG>} }] }
 * ElasticLoadBalancingV2::TargetGroup   : { Port, Protocol, TargetType:"ip" }
 * ECS::Service.LoadBalancers[]          -> { ContainerName, ContainerPort, TargetGroupArn:{Ref:<TG>} }
 * ```
 *
-* Resolution walks ALB -> listeners (by `LoadBalancerArn` Ref) -> default
-* `forward` target groups -> the ECS Service whose `LoadBalancers[]` references
-* that target group (a reverse scan; there is no direct TG -> service pointer).
+* Resolution walks ALB -> listeners (by `LoadBalancerArn` Ref) -> their default
+* `forward` action AND any `path-pattern` ListenerRules -> the ECS Service whose
+* `LoadBalancers[]` references each target group (a reverse scan; there is no
+* direct TG -> service pointer). Output is a per-listener routing table: a
+* default forward target (when the default action is a resolvable forward) plus
+* the ordered path-pattern rules.
 *
-* v1 scope (single forward): only listener `DefaultActions` are honored.
-* `AWS::ElasticLoadBalancingV2::ListenerRule` (path / host / weighted routing)
-* is ignored — tracked in #123. HTTPS / TLS listeners and `TargetType:"lambda"`
-* target groups are skipped with a warning.
+* Scope: HTTP listeners, `path-pattern` conditions, single-target `forward`
+* actions to ECS services. Skipped with a warning: HTTPS/TLS listeners,
+* `TargetType:"lambda"` target groups, weighted (multi-target) forwards, rules
+* with non-`path-pattern` conditions (host-header / http-header / query-string
+* / etc.), and `redirect` / `fixed-response` / `authenticate-*` actions. Those
+* remaining listener-rule features are tracked in #123.
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
+const LISTENER_RULE_TYPE = "AWS::ElasticLoadBalancingV2::ListenerRule";
 const TARGET_GROUP_TYPE = "AWS::ElasticLoadBalancingV2::TargetGroup";
 const SERVICE_TYPE = "AWS::ECS::Service";
 /**
-* Resolve an ALB into its backing services + front-door targets. Pure — reads
-* only the supplied stack template. Returns an empty `services` array (with
+* Resolve an ALB into its front-door listeners + routing tables. Pure — reads
+* only the supplied stack template. Returns an empty `listeners` array (with
 * warnings) when the ALB fronts nothing cdk-local can serve locally.
 */
 function resolveAlbFrontDoor(stack, albLogicalId) {
 	const warnings = [];
 	const resources = stack.template.Resources ?? {};
+	const stackName = stack.stackName;
 	const tgToService = indexTargetGroupToService(resources);
-	const byService = /* @__PURE__ */ new Map();
-	const seenPortsByService = /* @__PURE__ */ new Map();
+	const rulesByListener = indexRulesByListener(resources);
+	const listeners = [];
 	for (const [listenerLogicalId, resource] of Object.entries(resources)) {
 		if (resource.Type !== LISTENER_TYPE) continue;
 		const props = resource.Properties ?? {};
@@ -20761,54 +20909,40 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 		const port = parsePort(props["Port"]);
 		if (port === void 0) continue;
 		const protocol = typeof props["Protocol"] === "string" ? props["Protocol"] : "HTTP";
-		const tgRefs = collectForwardTargetGroupRefs(props["DefaultActions"]);
-		if (tgRefs.size === 0) {
-			if (hasUnresolvableForward(props["DefaultActions"])) warnings.push(`Listener '${listenerLogicalId}' on port ${port} forwards to a non-Ref TargetGroupArn (literal / cross-stack / imported); the local front-door only supports in-stack target groups. Skipping it.`);
-			continue;
-		}
 		if (protocol !== "HTTP") {
-			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP listeners only in v1 (TLS termination is deferred). Skipping it.`);
+			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP listeners only (TLS termination is deferred). Skipping it.`);
 			continue;
 		}
-		for (const tgRef of tgRefs) {
-			const tg = resources[tgRef];
-			if (!tg || tg.Type !== TARGET_GROUP_TYPE) {
-				warnings.push(`Listener '${listenerLogicalId}' forwards to target group '${tgRef}', but no ${TARGET_GROUP_TYPE} with that logical id exists in ${stack.stackName}. Skipping it.`);
-				continue;
-			}
-			if (tg.Properties?.["TargetType"] === "lambda") {
-				warnings.push(`Target group '${tgRef}' is a Lambda target (TargetType: lambda). The local ALB front-door supports ECS targets only in v1; Lambda targets are deferred to a follow-up. Skipping it.`);
-				continue;
-			}
-			const backing = tgToService.get(tgRef);
-			if (!backing) {
-				warnings.push(`Target group '${tgRef}' (listener '${listenerLogicalId}', port ${port}) is not referenced by any ${SERVICE_TYPE}.LoadBalancers[] in ${stack.stackName}; cdk-local has no ECS service to front behind it. Skipping it.`);
+		const defaultTarget = resolveForwardTarget(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
+		const rules = [];
+		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
+			const priority = parsePriority(ruleProps["Priority"]);
+			const ruleLabel = `Listener rule '${ruleLogicalId}' (priority ${priority})`;
+			const { patterns, unsupported } = parseRulePathPatterns(ruleProps["Conditions"]);
+			if (unsupported.length > 0) {
+				warnings.push(`${ruleLabel} uses unsupported condition(s): ${unsupported.join(", ")}. The local ALB front-door supports path-pattern conditions only (host-header / http-header / query-string / http-request-method / source-ip deferred). Skipping it.`);
 				continue;
 			}
-			const seenPorts = seenPortsByService.get(backing.serviceLogicalId) ?? /* @__PURE__ */ new Set();
-			if (seenPorts.has(port)) {
-				warnings.push(`Service '${backing.serviceLogicalId}' is fronted by more than one listener on host port ${port}; the local front-door fronts only the first.`);
-				continue;
-			}
-			seenPorts.add(port);
-			seenPortsByService.set(backing.serviceLogicalId, seenPorts);
-			const targets = byService.get(backing.serviceLogicalId) ?? [];
-			targets.push({
-				listenerPort: port,
-				listenerProtocol: "HTTP",
-				targetContainerName: backing.containerName,
-				targetContainerPort: backing.containerPort,
-				targetGroupLogicalId: tgRef,
-				listenerLogicalId
+			if (patterns.length === 0) continue;
+			const target = resolveForwardTarget(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
+			if (!target) continue;
+			rules.push({
+				priority,
+				pathPatterns: patterns,
+				target
 			});
-			byService.set(backing.serviceLogicalId, targets);
 		}
+		if (!defaultTarget && rules.length === 0) continue;
+		listeners.push({
+			listenerPort: port,
+			listenerProtocol: "HTTP",
+			listenerLogicalId,
+			...defaultTarget ? { defaultTarget } : {},
+			rules
+		});
 	}
 	return {
-		services: [...byService.entries()].map(([serviceLogicalId, targets]) => ({
-			serviceLogicalId,
-			targets
-		})),
+		listeners,
 		warnings
 	};
 }
@@ -20819,6 +20953,43 @@ function isApplicationLoadBalancer(resource) {
 	return type === void 0 || type === "application";
 }
 /**
+* Resolve a listener / rule `Actions` (or `DefaultActions`) array to a single
+* ECS-service forward target, or `undefined` when it is not a resolvable
+* single forward (warning emitted for the cases worth surfacing).
+*/
+function resolveForwardTarget(actions, resources, tgToService, stackName, label, warnings) {
+	const tgRefs = collectForwardTargetGroupRefs(actions);
+	if (tgRefs.size === 0) {
+		if (hasUnresolvableForward(actions)) warnings.push(`${label} forwards to a non-Ref TargetGroupArn (literal / cross-stack / imported); the local front-door only supports in-stack target groups. Skipping it.`);
+		return;
+	}
+	if (tgRefs.size > 1) {
+		warnings.push(`${label} is a weighted forward (multiple target groups); the local front-door supports a single target group per action (weighted routing deferred). Skipping it.`);
+		return;
+	}
+	const tgRef = [...tgRefs][0];
+	const tg = resources[tgRef];
+	if (!tg || tg.Type !== TARGET_GROUP_TYPE) {
+		warnings.push(`${label} forwards to target group '${tgRef}', but no ${TARGET_GROUP_TYPE} with that logical id exists in ${stackName}. Skipping it.`);
+		return;
+	}
+	if (tg.Properties?.["TargetType"] === "lambda") {
+		warnings.push(`${label} forwards to a Lambda target group '${tgRef}' (TargetType: lambda). The local ALB front-door supports ECS targets only; Lambda targets are deferred. Skipping it.`);
+		return;
+	}
+	const backing = tgToService.get(tgRef);
+	if (!backing) {
+		warnings.push(`${label} forwards to target group '${tgRef}', which is not referenced by any ${SERVICE_TYPE}.LoadBalancers[] in ${stackName}; cdk-local has no ECS service to front behind it. Skipping it.`);
+		return;
+	}
+	return {
+		serviceLogicalId: backing.serviceLogicalId,
+		targetContainerName: backing.containerName,
+		targetContainerPort: backing.containerPort,
+		targetGroupLogicalId: tgRef
+	};
+}
+/**
 * Build a `targetGroupLogicalId -> backing ECS service` index by scanning every
 * `AWS::ECS::Service.LoadBalancers[]`. First service wins on a shared target
 * group (unusual; would only happen with a hand-rolled template).
@@ -20845,10 +21016,58 @@ function indexTargetGroupToService(resources) {
 	}
 	return index;
 }
-function collectForwardTargetGroupRefs(defaultActions) {
+/** Group every `AWS::ElasticLoadBalancingV2::ListenerRule` by the listener it references. */
+function indexRulesByListener(resources) {
+	const index = /* @__PURE__ */ new Map();
+	for (const [ruleLogicalId, resource] of Object.entries(resources)) {
+		if (resource.Type !== LISTENER_RULE_TYPE) continue;
+		const ruleProps = resource.Properties ?? {};
+		const listenerRef = refOf(ruleProps["ListenerArn"]);
+		if (!listenerRef) continue;
+		const list = index.get(listenerRef) ?? [];
+		list.push({
+			ruleLogicalId,
+			ruleProps
+		});
+		index.set(listenerRef, list);
+	}
+	return index;
+}
+/**
+* Parse a ListenerRule's `Conditions` into its `path-pattern` values plus the
+* field names of any non-`path-pattern` conditions (which make the rule
+* unsupported in this version). A rule is only usable when every condition is a
+* `path-pattern` — ALB ANDs conditions together, and we cannot honor the others
+* locally yet.
+*/
+function parseRulePathPatterns(conditions) {
+	const patterns = [];
+	const unsupported = [];
+	if (!Array.isArray(conditions)) return {
+		patterns,
+		unsupported
+	};
+	for (const cond of conditions) {
+		if (!cond || typeof cond !== "object") continue;
+		const c = cond;
+		const field = typeof c["Field"] === "string" ? c["Field"] : "(unknown)";
+		if (field !== "path-pattern") {
+			unsupported.push(field);
+			continue;
+		}
+		const cfg = c["PathPatternConfig"];
+		const values = cfg && typeof cfg === "object" && Array.isArray(cfg["Values"]) ? cfg["Values"] : Array.isArray(c["Values"]) ? c["Values"] : [];
+		for (const v of values) if (typeof v === "string") patterns.push(v);
+	}
+	return {
+		patterns,
+		unsupported
+	};
+}
+function collectForwardTargetGroupRefs(actions) {
 	const refs = /* @__PURE__ */ new Set();
-	if (!Array.isArray(defaultActions)) return refs;
-	for (const action of defaultActions) {
+	if (!Array.isArray(actions)) return refs;
+	for (const action of actions) {
 		if (!action || typeof action !== "object") continue;
 		const a = action;
 		if (a["Type"] !== "forward") continue;
@@ -20867,14 +21086,14 @@ function collectForwardTargetGroupRefs(defaultActions) {
 	return refs;
 }
 /**
-* True when `DefaultActions` has at least one `forward` action that references
-* a target group via a NON-`Ref` arn (literal / `Fn::GetAtt` / cross-stack) —
-* i.e. a forward we could not resolve to an in-stack target group. Used to warn
-* rather than silently skip such a listener.
+* True when `actions` has at least one `forward` action that references a target
+* group via a NON-`Ref` arn (literal / `Fn::GetAtt` / cross-stack) — i.e. a
+* forward we could not resolve to an in-stack target group. Used to warn rather
+* than silently skip such a listener / rule.
 */
-function hasUnresolvableForward(defaultActions) {
-	if (!Array.isArray(defaultActions)) return false;
-	for (const action of defaultActions) {
+function hasUnresolvableForward(actions) {
+	if (!Array.isArray(actions)) return false;
+	for (const action of actions) {
 		if (!action || typeof action !== "object") continue;
 		const a = action;
 		if (a["Type"] !== "forward") continue;
@@ -20907,6 +21126,16 @@ function parsePort(raw) {
 function parseContainerPort(raw) {
 	return parsePort(raw);
 }
+/**
+* Parse a ListenerRule `Priority` (ALB priorities are 1-50000, lower = higher
+* precedence). A missing / unparseable priority sorts last so an explicitly
+* prioritized rule always wins over it.
+*/
+function parsePriority(raw) {
+	if (typeof raw === "number" && Number.isFinite(raw)) return raw;
+	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
+	return Number.MAX_SAFE_INTEGER;
+}
 
 //#endregion
 //#region src/cli/commands/local-start-alb.ts
@@ -20988,31 +21217,52 @@ function albStrategy(options) {
 		pickerNoun: "Application Load Balancers",
 		onMissing: () => new LocalStartServiceError(`${getEmbedConfig().cliName} start-alb requires at least one <target>. Pass one or more ALB paths like 'Stack/MyAlb', or run it in a TTY to pick interactively.`),
 		resolveBoots: (stacks, chosenTargets) => {
-			const byServiceTarget = /* @__PURE__ */ new Map();
 			const warnings = [];
+			const serviceTargets = /* @__PURE__ */ new Set();
+			const listeners = [];
+			const claimedHostPorts = /* @__PURE__ */ new Map();
 			for (const albTarget of chosenTargets) {
 				const { stack, albLogicalId } = resolveAlbTarget(albTarget, stacks);
 				const resolution = resolveAlbFrontDoor(stack, albLogicalId);
 				warnings.push(...resolution.warnings);
-				for (const svc of resolution.services) {
-					const target = `${stack.stackName}:${svc.serviceLogicalId}`;
-					const existing = byServiceTarget.get(target);
-					if (existing) existing.frontDoorTargets.push(...svc.targets);
-					else byServiceTarget.set(target, {
-						target,
-						frontDoorTargets: [...svc.targets]
+				const qualify = (t) => {
+					const serviceTarget = `${stack.stackName}:${t.serviceLogicalId}`;
+					serviceTargets.add(serviceTarget);
+					return {
+						serviceTarget,
+						targetContainerName: t.targetContainerName,
+						targetContainerPort: t.targetContainerPort
+					};
+				};
+				for (const listener of resolution.listeners) {
+					const hostPort = lbPortOverrides[listener.listenerPort] ?? listener.listenerPort;
+					const claimedBy = claimedHostPorts.get(hostPort);
+					if (claimedBy !== void 0) {
+						warnings.push(`Listener port ${listener.listenerPort} would bind host port ${hostPort}, already claimed by listener port ${claimedBy}; the local front-door fronts only the first. Use --lb-port to remap one of them.`);
+						continue;
+					}
+					claimedHostPorts.set(hostPort, listener.listenerPort);
+					listeners.push({
+						listenerPort: listener.listenerPort,
+						hostPort,
+						...listener.defaultTarget ? { defaultTarget: qualify(listener.defaultTarget) } : {},
+						rules: listener.rules.map((r) => ({
+							priority: r.priority,
+							pathPatterns: r.pathPatterns,
+							target: qualify(r.target)
+						}))
 					});
 				}
 			}
-			const boots = [...byServiceTarget.values()];
-			const resolvedPorts = /* @__PURE__ */ new Set();
-			for (const b of boots) for (const t of b.frontDoorTargets) resolvedPorts.add(t.listenerPort);
+			const boots = [...serviceTargets].map((target) => ({ target }));
+			const resolvedPorts = new Set(listeners.map((l) => l.listenerPort));
 			for (const portStr of Object.keys(lbPortOverrides)) {
 				const port = Number(portStr);
 				if (!resolvedPorts.has(port)) warnings.push(`--lb-port override for listener port ${port} matched no ALB listener resolved for the named target(s); it was ignored.`);
 			}
 			return {
 				boots,
+				...listeners.length > 0 ? { frontDoor: { listeners } } : {},
 				warnings
 			};
 		},
@@ -21028,7 +21278,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP forward listeners and stands up a local front-door on each listener port that round-robins across the running replicas — a single stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. v1 supports a single default-action forward to an HTTP listener; HTTPS listeners and Lambda target groups are skipped with a warning, and listener-rule routing is tracked separately. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and path-routes its path-pattern rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners, single-target forward actions, and path-pattern rules; HTTPS listeners, Lambda target groups, weighted forwards, other rule conditions, and redirect/fixed-response actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -21105,4 +21355,4 @@ function createLocalListCommand(opts = {}) {
 
 //#endregion
 export { createJwksCache as $, invokeTokenAuthorizer as A, resolveCfnRegion as At, VtlEvaluationError as B, parseSelectionExpressionPath as Bt, resolveSelectionExpression as C, resolveEnvVars as Ct, computeRequestIdentityHash as D, isCfnFlagPresent as Dt, buildMethodArn as E, createLocalStateProvider as Et, buildRestV1Event as F, resolveWatchConfig as Ft, buildMgmtEndpointEnvUrl as G, AGENTCORE_RUNTIME_TYPE as Gt, probeHostGatewaySupport as H, pickRefLogicalId as Ht, evaluateResponseParameters as I, countTargets as It, buildConnectEvent as J, derivePseudoParametersFromRegion as Jt, handleConnectionsRequest as K, AgentCoreResolutionError as Kt, pickResponseTemplate as L, listTargets as Lt, translateLambdaResponse as M, CfnLocalStateProvider as Mt, applyAuthorizerOverlay as N, collectSsmParameterRefs as Nt, evaluateCachedLambdaPolicy as O, rejectExplicitCfnStackWithMultipleStacks as Ot, buildHttpApiV2Event as P, resolveSsmParameters as Pt, buildJwksUrlFromIssuer as Q, selectIntegrationResponse as R, discoverWebSocketApis as Rt, startApiServer as S, substituteEnvVarsFromStateAsync as St, defaultCredentialsLoader as T, LocalStateSourceError as Tt, bufferToBody as U, resolveLambdaArnIntrinsic as Ut, HOST_GATEWAY_MIN_VERSION as V, discoverRoutes as Vt, ConnectionRegistry as W, AGENTCORE_HTTP_PROTOCOL as Wt, buildMessageEvent as X, tryResolveImageFnJoin as Xt, buildDisconnectEvent as Y, substituteImagePlaceholders as Yt, buildCognitoJwksUrl as Z, LocalInvokeBuildError as Zt, availableApiIdentifiers as _, resolveRuntimeImage as _t, buildCloudMapIndex as a, buildCorsConfigByApiId as at, groupRoutesByServer as b, substituteAgainstStateAsync as bt, createLocalRunTaskCommand as c, matchPreflight as ct, createWatchPredicates as d, waitForAgentCorePing as dt, verifyCognitoJwt as et, resolveApiTargetSubset as f, createLocalInvokeCommand as ft, buildStageMap as g, resolveRuntimeFileExtension as gt, attachStageContext as h, resolveRuntimeCodeMountPath as ht, createLocalStartServiceCommand as i, applyCorsResponseHeaders as it, matchRoute as j, resolveCfnStackName as jt, invokeRequestAuthorizer as k, resolveCfnFallbackRegion as kt, createLocalInvokeAgentCoreCommand as l, AGENTCORE_SESSION_ID_HEADER as lt, createFileWatcher as m, buildContainerImage as mt, formatTargetListing as n, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, architectureToPlatform as pt, parseConnectionsPath as q, resolveAgentCoreTarget as qt, createLocalStartAlbCommand as r, attachAuthorizers as rt, getContainerNetworkIp as s, isFunctionUrlOacFronted as st, createLocalListCommand as t, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, invokeAgentCore as ut, filterRoutesByApiIdentifier as v, EcsTaskResolutionError as vt, resolveServiceIntegrationParameters as w, materializeLayerFromArn as wt, readMtlsMaterialsFromDisk as x, substituteEnvVarsFromState as xt, filterRoutesByApiIdentifiers as y, substituteAgainstState as yt, tryParseStatus as z, discoverWebSocketApisOrThrow as zt };
-//# sourceMappingURL=local-list-CVAyM_lE.js.map
+//# sourceMappingURL=local-list-DDsa8FJV.js.map