cdk-local 0.40.0 → 0.42.0

package/dist/{local-list-DDsa8FJV.js → local-list-qObdm4O8.js}

@@ -1196,11 +1196,17 @@ function notFoundError$3(target, stack, resources) {
 */
 const AGENTCORE_RUNTIME_TYPE = "AWS::BedrockAgentCore::Runtime";
 /**
-* The only protocol `cdkl invoke-agentcore` serves in v1. AgentCore Runtimes
-* may also declare `MCP` / `A2A` / `AGUI`, which speak different wire
-* contracts and are out of scope here.
+* AgentCore Runtime protocols `cdkl invoke-agentcore` can serve.
+*
+* - `HTTP` — the agent contract (`POST /invocations` + `GET /ping` on 8080).
+* - `MCP` — Model Context Protocol over Streamable HTTP (`POST /mcp` on 8000).
+*
+* `A2A` / `AGUI` declare yet other wire contracts and are not served yet.
 */
 const AGENTCORE_HTTP_PROTOCOL = "HTTP";
+const AGENTCORE_MCP_PROTOCOL = "MCP";
+/** Protocols this CLI can run a container for. */
+const SUPPORTED_AGENTCORE_PROTOCOLS = [AGENTCORE_HTTP_PROTOCOL, "MCP"];
 var AgentCoreResolutionError = class AgentCoreResolutionError extends Error {
 	constructor(message) {
 		super(message);
@@ -1313,14 +1319,14 @@ function extractJwtAuthorizer(authorizerConfig, logicalId) {
 	};
 }
 /**
-* Validate `ProtocolConfiguration`. v1 serves only `HTTP`; absent is
-* treated as `HTTP` (the runtime contract's default request/response
-* shape). Any explicit non-HTTP value hard-errors.
+* Validate `ProtocolConfiguration`. Serves `HTTP` (the default when absent)
+* and `MCP`; `A2A` / `AGUI` speak other wire contracts and hard-error with a
+* pointer to the follow-up.
 */
 function extractProtocol(value, logicalId, stackName) {
 	if (value === void 0 || value === null) return AGENTCORE_HTTP_PROTOCOL;
-	if (typeof value !== "string") throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a non-string ProtocolConfiguration. ${getEmbedConfig().cliName} invoke-agentcore supports the ${AGENTCORE_HTTP_PROTOCOL} protocol only in v1.`);
-	if (value !== "HTTP") throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} uses the ${value} protocol. ${getEmbedConfig().cliName} invoke-agentcore supports the ${AGENTCORE_HTTP_PROTOCOL} protocol only in v1 (MCP / A2A / AGUI speak different wire contracts).`);
+	if (typeof value !== "string") throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a non-string ProtocolConfiguration. ${getEmbedConfig().cliName} invoke-agentcore supports the ${SUPPORTED_AGENTCORE_PROTOCOLS.join(" / ")} protocols.`);
+	if (!SUPPORTED_AGENTCORE_PROTOCOLS.includes(value)) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} uses the ${value} protocol. ${getEmbedConfig().cliName} invoke-agentcore supports the ${SUPPORTED_AGENTCORE_PROTOCOLS.join(" / ")} protocols (A2A / AGUI speak different wire contracts and are not served yet).`);
 	return value;
 }
 /**
@@ -6308,7 +6314,7 @@ async function runDetached(opts) {
 	if (opts.platform) args.push("--platform", opts.platform);
 	if (opts.extraHosts) for (const entry of opts.extraHosts) args.push("--add-host", `${entry.host}:${entry.ip}`);
 	const host = opts.host ?? "127.0.0.1";
-	args.push("-p", `${host}:${opts.hostPort}:8080`);
+	args.push("-p", `${host}:${opts.hostPort}:${opts.containerPort ?? 8080}`);
 	if (opts.debugPort !== void 0) args.push("-p", `${host}:${opts.debugPort}:${opts.debugPort}`);
 	for (const mount of opts.mounts) {
 		const ro = mount.readOnly ? ":ro" : "";
@@ -7022,7 +7028,7 @@ async function httpProbe(host, port, timeoutMs) {
 		})).text().catch(() => void 0);
 		return true;
 	} catch (err) {
-		if (isTransientNetworkError$1(err)) return false;
+		if (isTransientNetworkError$2(err)) return false;
 		throw err;
 	} finally {
 		clearTimeout(timer);
@@ -7036,7 +7042,7 @@ async function httpProbe(host, port, timeoutMs) {
 * between Docker's port forwarder accepting a TCP connection and the
 * container's RIE process being ready for HTTP.
 */
-function isTransientNetworkError$1(err) {
+function isTransientNetworkError$2(err) {
 	if (!(err instanceof Error)) return false;
 	if (err.name === "AbortError") return true;
 	if (err.name === "TypeError" && err.message === "fetch failed") return true;
@@ -8208,7 +8214,7 @@ async function pingProbe(host, port, timeoutMs) {
 		await response.text().catch(() => void 0);
 		return response.status;
 	} catch (err) {
-		if (isTransientNetworkError(err)) return void 0;
+		if (isTransientNetworkError$1(err)) return void 0;
 		throw err;
 	} finally {
 		clearTimeout(timer);
@@ -8220,7 +8226,7 @@ async function pingProbe(host, port, timeoutMs) {
 * `ECONNRESET` / `ECONNREFUSED` / `UND_ERR_SOCKET`. Treat all of those —
 * plus an `AbortError` from the per-probe timeout — as "not ready, retry".
 */
-function isTransientNetworkError(err) {
+function isTransientNetworkError$1(err) {
 	if (!(err instanceof Error)) return false;
 	if (err.name === "AbortError") return true;
 	if (err.name === "TypeError" && err.message === "fetch failed") return true;
@@ -8305,6 +8311,191 @@ async function streamBody(body, onChunk) {
 	}
 }
 
+//#endregion
+//#region src/local/agentcore-mcp-client.ts
+/**
+* Client for the Bedrock AgentCore Runtime MCP protocol contract.
+*
+* An MCP-protocol AgentCore Runtime container listens on `0.0.0.0:8000` and
+* serves the Model Context Protocol over **Streamable HTTP** at `POST /mcp`
+* (no `GET /ping` — unlike the HTTP protocol). Each JSON-RPC message is its
+* own POST. `cdkl invoke-agentcore` performs the minimal session lifecycle:
+*
+*   1. `initialize`            — negotiate; the server MAY return an
+*                                `Mcp-Session-Id` header to echo thereafter.
+*   2. `notifications/initialized` — required before any request (202, no body).
+*   3. one request             — `tools/list` by default, or the method/params
+*                                from `--event` (e.g. `tools/call`).
+*
+* Talking to the local container is **vanilla MCP**: the
+* `X-Amzn-Bedrock-AgentCore-Runtime-Session-Id` header and the inbound OAuth
+* bearer are AgentCore managed-plane concerns the front door maps to MCP's own
+* `Mcp-Session-Id`, so a direct local client does not send them.
+*/
+/** Container port an MCP-protocol AgentCore Runtime listens on. */
+const MCP_CONTAINER_PORT = 8e3;
+/** HTTP path of the MCP Streamable-HTTP endpoint. */
+const MCP_PATH = "/mcp";
+/** MCP protocol version this client negotiates. */
+const MCP_PROTOCOL_VERSION = "2025-06-18";
+const SESSION_ID_HEADER = "mcp-session-id";
+const PROTOCOL_VERSION_HEADER = "MCP-Protocol-Version";
+/**
+* Run the MCP session lifecycle against a local container and return the
+* single request's JSON-RPC response. The initial `initialize` POST is
+* retried for `readyTimeoutMs` to absorb container boot (there is no separate
+* readiness endpoint), so this also serves as the wait-for-ready step.
+*/
+async function mcpInvokeOnce(host, port, request, options = {}) {
+	const fetchImpl = options.fetchImpl ?? fetch;
+	const url = `http://${host}:${port}${MCP_PATH}`;
+	const requestTimeoutMs = options.requestTimeoutMs ?? 12e4;
+	const sessionId = await initializeWithRetry(fetchImpl, url, options.readyTimeoutMs ?? 3e4);
+	await postMcp(fetchImpl, url, {
+		jsonrpc: "2.0",
+		method: "notifications/initialized"
+	}, sessionId, requestTimeoutMs);
+	const message = (await postMcp(fetchImpl, url, {
+		jsonrpc: "2.0",
+		id: 1,
+		method: request.method,
+		...request.params !== void 0 && { params: request.params }
+	}, sessionId, requestTimeoutMs)).message;
+	return {
+		ok: !(message !== null && typeof message === "object" && "error" in message),
+		raw: JSON.stringify(message ?? null, null, 2)
+	};
+}
+/**
+* POST `initialize`, retrying transient connect failures until the container
+* is up or `readyTimeoutMs` elapses. Returns the `Mcp-Session-Id` the server
+* assigned (undefined for a stateless server that omits it).
+*/
+async function initializeWithRetry(fetchImpl, url, readyTimeoutMs) {
+	const deadline = Date.now() + readyTimeoutMs;
+	const body = {
+		jsonrpc: "2.0",
+		id: 0,
+		method: "initialize",
+		params: {
+			protocolVersion: MCP_PROTOCOL_VERSION,
+			capabilities: {},
+			clientInfo: {
+				name: "cdkl",
+				version: "1"
+			}
+		}
+	};
+	let lastDetail = "";
+	while (Date.now() < deadline) {
+		const controller = new AbortController();
+		const timer = setTimeout(() => controller.abort(), 5e3);
+		try {
+			const response = await fetchImpl(url, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Accept: "application/json, text/event-stream"
+				},
+				body: JSON.stringify(body),
+				signal: controller.signal
+			});
+			await response.text().catch(() => void 0);
+			if (response.status >= 200 && response.status < 300) return response.headers.get(SESSION_ID_HEADER) ?? void 0;
+			lastDetail = `initialize returned HTTP ${response.status}`;
+			throw new Error(lastDetail);
+		} catch (err) {
+			if (!isTransientNetworkError(err)) {
+				if (lastDetail) throw new Error(`MCP initialize at ${url} failed: ${lastDetail}. Check 'docker logs' output.`);
+				throw err;
+			}
+			lastDetail = err instanceof Error ? err.message : String(err);
+		} finally {
+			clearTimeout(timer);
+		}
+		await setTimeout$1(150);
+	}
+	throw new Error(`MCP server did not become ready on ${url} within ${readyTimeoutMs}ms${lastDetail ? `: ${lastDetail}` : ""}. The container may have exited early or may not serve POST ${MCP_PATH} — check 'docker logs'.`);
+}
+/**
+* POST one JSON-RPC message and, for a request (one with an `id`), return the
+* parsed JSON-RPC response — handling both an `application/json` body and a
+* `text/event-stream` (the server picks either per the Streamable-HTTP spec).
+* A notification (no `id`) returns 202 with no body and yields no message.
+*/
+async function postMcp(fetchImpl, url, body, sessionId, timeoutMs) {
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), timeoutMs);
+	try {
+		const response = await fetchImpl(url, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/json",
+				Accept: "application/json, text/event-stream",
+				[PROTOCOL_VERSION_HEADER]: MCP_PROTOCOL_VERSION,
+				...sessionId && { "Mcp-Session-Id": sessionId }
+			},
+			body: JSON.stringify(body),
+			signal: controller.signal
+		});
+		const text = await response.text();
+		if (body.id === void 0) return { status: response.status };
+		const message = (response.headers.get("content-type") ?? "").includes("text/event-stream") ? parseSseForJsonRpc(text, body.id) : text ? safeJsonParse$1(text) : void 0;
+		return {
+			status: response.status,
+			message
+		};
+	} catch (err) {
+		if (err.name === "AbortError") throw new Error(`MCP request '${body.method}' at ${url} timed out after ${timeoutMs}ms. The server may be hung; check container logs.`);
+		throw err;
+	} finally {
+		clearTimeout(timer);
+	}
+}
+/**
+* Extract the JSON-RPC message matching `id` from an SSE body. Frames are
+* separated by blank lines; a frame's `data:` lines are concatenated and
+* parsed as JSON. Returns the id-matching message, else the last parseable
+* one (servers typically send a single frame carrying the response).
+*/
+function parseSseForJsonRpc(text, id) {
+	let last;
+	for (const frame of text.split(/\r?\n\r?\n/)) {
+		const data = frame.split(/\r?\n/).filter((line) => line.startsWith("data:")).map((line) => line.slice(5).trimStart()).join("\n");
+		if (!data) continue;
+		const parsed = safeJsonParse$1(data);
+		if (parsed === void 0) continue;
+		last = parsed;
+		if (parsed !== null && typeof parsed === "object" && parsed.id === id) return parsed;
+	}
+	return last;
+}
+function safeJsonParse$1(text) {
+	try {
+		return JSON.parse(text);
+	} catch {
+		return;
+	}
+}
+/**
+* `fetch()` failures during container boot manifest as a generic
+* `TypeError: fetch failed` whose `.cause` carries the underlying
+* `ECONNRESET` / `ECONNREFUSED` / `UND_ERR_SOCKET`; an `AbortError` is the
+* per-attempt timeout. Treat all of those — plus the synthetic non-2xx retry
+* — as "not ready, retry".
+*/
+function isTransientNetworkError(err) {
+	if (!(err instanceof Error)) return false;
+	if (err.name === "AbortError") return true;
+	if (err.name === "TypeError" && err.message === "fetch failed") return true;
+	if (err.message.startsWith("initialize returned HTTP")) return true;
+	const cause = err.cause;
+	if (cause?.code === "ECONNRESET") return true;
+	if (cause?.code === "ECONNREFUSED") return true;
+	if (cause?.code === "UND_ERR_SOCKET") return true;
+	return false;
+}
+
 //#endregion
 //#region src/local/cors-handler.ts
 /**
@@ -17329,15 +17520,21 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			onMissing: () => new CdkLocalError(`${getEmbedConfig().cliName} invoke-agentcore requires a <target> (an AgentCore Runtime display path or logical ID). Run \`${getEmbedConfig().cliName} list\` to see them, or run it in a TTY to pick interactively.`, "LOCAL_INVOKE_AGENTCORE_TARGET_REQUIRED")
 		}), stacks);
 		logger.info(`Target: ${resolved.stack.stackName}/${resolved.logicalId} (${resolved.protocol})`);
+		const isMcp = resolved.protocol === "MCP";
 		const sessionId = options.sessionId ?? randomUUID();
 		const event = await readEvent(options);
-		const authorization = await resolveInboundAuthorization(resolved, options);
+		const mcpRequest = isMcp ? buildMcpRequest(event) : void 0;
+		let authorization;
+		if (isMcp) {
+			if (resolved.jwtAuthorizer || options.bearerToken) logger.info(`MCP runtime: invoking the local container's ${MCP_PATH} directly (vanilla MCP). An inbound JWT / --bearer-token is an AgentCore managed-plane concern and is not applied locally.`);
+		} else authorization = await resolveInboundAuthorization(resolved, options);
 		const image = await resolveAgentCoreImage(resolved, options);
 		const dockerEnv = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, extraStateProviders);
 		const hostPort = await pickFreePort();
 		const containerHost = options.containerHost;
 		const containerName = `${getEmbedConfig().resourceNamePrefix}-agentcore-${process.pid}-${Math.random().toString(36).slice(2, 8)}`;
-		logger.info(`Starting agent container (image=${image}, port=${hostPort})...`);
+		const containerPortLabel = isMcp ? `${MCP_CONTAINER_PORT}${MCP_PATH}` : "8080";
+		logger.info(`Starting agent container (image=${image}, port=${hostPort} -> ${containerPortLabel})...`);
 		containerId = await runDetached({
 			image,
 			mounts: [],
@@ -17346,22 +17543,30 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			hostPort,
 			host: containerHost,
 			platform: options.platform,
-			name: containerName
+			name: containerName,
+			...isMcp && { containerPort: 8e3 }
 		});
 		stopLogs = streamLogs(containerId);
 		sigintHandler = () => {
 			cleanup().then(() => process.exit(130));
 		};
 		process.on("SIGINT", sigintHandler);
-		await waitForAgentCorePing(containerHost, hostPort);
-		const result = await invokeAgentCore(containerHost, hostPort, event, {
-			sessionId,
-			timeoutMs: 12e4,
-			onChunk: (text) => process.stdout.write(text),
-			...authorization && { authorization }
-		});
-		await new Promise((r) => setTimeout(r, 250));
-		emitResult(result);
+		if (isMcp && mcpRequest) {
+			logger.info(`MCP request: ${mcpRequest.method}`);
+			const mcp = await mcpInvokeOnce(containerHost, hostPort, mcpRequest);
+			await new Promise((r) => setTimeout(r, 250));
+			emitMcpResult(mcp);
+		} else {
+			await waitForAgentCorePing(containerHost, hostPort);
+			const result = await invokeAgentCore(containerHost, hostPort, event, {
+				sessionId,
+				timeoutMs: 12e4,
+				onChunk: (text) => process.stdout.write(text),
+				...authorization && { authorization }
+			});
+			await new Promise((r) => setTimeout(r, 250));
+			emitResult(result);
+		}
 	} finally {
 		if (sigintHandler) process.off("SIGINT", sigintHandler);
 		await cleanup();
@@ -17540,6 +17745,39 @@ function emitResult(result) {
 	}
 	process.stdout.write(`${result.raw}\n`);
 }
+/**
+* Build the JSON-RPC request to send to an MCP runtime from `--event`:
+*   - no `--event` (empty object) → `tools/list` (discover the server's tools),
+*   - an object with a string `method` → that method + its `params`,
+*   - anything else → a fail-fast error.
+*
+* Exported for unit testing.
+*/
+function buildMcpRequest(event) {
+	if (event === void 0 || event === null) return {
+		method: "tools/list",
+		params: {}
+	};
+	if (typeof event !== "object" || Array.isArray(event)) throw new CdkLocalError("MCP --event must be a JSON object describing a JSON-RPC request (e.g. {\"method\":\"tools/call\",\"params\":{\"name\":\"...\",\"arguments\":{...}}}).", "LOCAL_INVOKE_AGENTCORE_MCP_EVENT_INVALID");
+	const obj = event;
+	if (Object.keys(obj).length === 0) return {
+		method: "tools/list",
+		params: {}
+	};
+	if (typeof obj["method"] !== "string") throw new CdkLocalError(`MCP --event must include a string "method" (a JSON-RPC method such as "tools/list" or "tools/call"). Got keys: ${Object.keys(obj).join(", ")}.`, "LOCAL_INVOKE_AGENTCORE_MCP_EVENT_INVALID");
+	return {
+		method: obj["method"],
+		...obj["params"] !== void 0 && { params: obj["params"] }
+	};
+}
+/** Print the MCP JSON-RPC response; exit 1 when it carried a JSON-RPC error. */
+function emitMcpResult(result) {
+	if (!result.ok) {
+		getLogger().warn("MCP server returned a JSON-RPC error.");
+		process.exitCode = 1;
+	}
+	process.stdout.write(`${result.raw}\n`);
+}
 /** Map a `--platform` value to the architecture `buildContainerImage` expects. */
 function platformToArchitecture(platform) {
 	return platform === "linux/amd64" ? "x86_64" : "arm64";
@@ -17620,7 +17858,7 @@ function readEnvOverridesFile$2(filePath) {
 }
 function createLocalInvokeAgentCoreCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over the AgentCore HTTP contract (POST /invocations + GET /ping on port 8080). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. v1 supports the container artifact + HTTP protocol; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
+	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
 		await localInvokeAgentCoreCommand(target, options, opts.extraStateProviders);
 	}));
 	[
@@ -21354,5 +21592,5 @@ function createLocalListCommand(opts = {}) {
 }
 
 //#endregion
-export { createJwksCache as $, invokeTokenAuthorizer as A, resolveCfnRegion as At, VtlEvaluationError as B, parseSelectionExpressionPath as Bt, resolveSelectionExpression as C, resolveEnvVars as Ct, computeRequestIdentityHash as D, isCfnFlagPresent as Dt, buildMethodArn as E, createLocalStateProvider as Et, buildRestV1Event as F, resolveWatchConfig as Ft, buildMgmtEndpointEnvUrl as G, AGENTCORE_RUNTIME_TYPE as Gt, probeHostGatewaySupport as H, pickRefLogicalId as Ht, evaluateResponseParameters as I, countTargets as It, buildConnectEvent as J, derivePseudoParametersFromRegion as Jt, handleConnectionsRequest as K, AgentCoreResolutionError as Kt, pickResponseTemplate as L, listTargets as Lt, translateLambdaResponse as M, CfnLocalStateProvider as Mt, applyAuthorizerOverlay as N, collectSsmParameterRefs as Nt, evaluateCachedLambdaPolicy as O, rejectExplicitCfnStackWithMultipleStacks as Ot, buildHttpApiV2Event as P, resolveSsmParameters as Pt, buildJwksUrlFromIssuer as Q, selectIntegrationResponse as R, discoverWebSocketApis as Rt, startApiServer as S, substituteEnvVarsFromStateAsync as St, defaultCredentialsLoader as T, LocalStateSourceError as Tt, bufferToBody as U, resolveLambdaArnIntrinsic as Ut, HOST_GATEWAY_MIN_VERSION as V, discoverRoutes as Vt, ConnectionRegistry as W, AGENTCORE_HTTP_PROTOCOL as Wt, buildMessageEvent as X, tryResolveImageFnJoin as Xt, buildDisconnectEvent as Y, substituteImagePlaceholders as Yt, buildCognitoJwksUrl as Z, LocalInvokeBuildError as Zt, availableApiIdentifiers as _, resolveRuntimeImage as _t, buildCloudMapIndex as a, buildCorsConfigByApiId as at, groupRoutesByServer as b, substituteAgainstStateAsync as bt, createLocalRunTaskCommand as c, matchPreflight as ct, createWatchPredicates as d, waitForAgentCorePing as dt, verifyCognitoJwt as et, resolveApiTargetSubset as f, createLocalInvokeCommand as ft, buildStageMap as g, resolveRuntimeFileExtension as gt, attachStageContext as h, resolveRuntimeCodeMountPath as ht, createLocalStartServiceCommand as i, applyCorsResponseHeaders as it, matchRoute as j, resolveCfnStackName as jt, invokeRequestAuthorizer as k, resolveCfnFallbackRegion as kt, createLocalInvokeAgentCoreCommand as l, AGENTCORE_SESSION_ID_HEADER as lt, createFileWatcher as m, buildContainerImage as mt, formatTargetListing as n, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, architectureToPlatform as pt, parseConnectionsPath as q, resolveAgentCoreTarget as qt, createLocalStartAlbCommand as r, attachAuthorizers as rt, getContainerNetworkIp as s, isFunctionUrlOacFronted as st, createLocalListCommand as t, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, invokeAgentCore as ut, filterRoutesByApiIdentifier as v, EcsTaskResolutionError as vt, resolveServiceIntegrationParameters as w, materializeLayerFromArn as wt, readMtlsMaterialsFromDisk as x, substituteEnvVarsFromState as xt, filterRoutesByApiIdentifiers as y, substituteAgainstState as yt, tryParseStatus as z, discoverWebSocketApisOrThrow as zt };
-//# sourceMappingURL=local-list-DDsa8FJV.js.map
+export { createJwksCache as $, resolveAgentCoreTarget as $t, invokeTokenAuthorizer as A, LocalStateSourceError as At, VtlEvaluationError as B, resolveWatchConfig as Bt, resolveSelectionExpression as C, EcsTaskResolutionError as Ct, computeRequestIdentityHash as D, substituteEnvVarsFromStateAsync as Dt, buildMethodArn as E, substituteEnvVarsFromState as Et, buildRestV1Event as F, resolveCfnRegion as Ft, buildMgmtEndpointEnvUrl as G, parseSelectionExpressionPath as Gt, probeHostGatewaySupport as H, listTargets as Ht, evaluateResponseParameters as I, resolveCfnStackName as It, buildConnectEvent as J, resolveLambdaArnIntrinsic as Jt, handleConnectionsRequest as K, discoverRoutes as Kt, pickResponseTemplate as L, CfnLocalStateProvider as Lt, translateLambdaResponse as M, isCfnFlagPresent as Mt, applyAuthorizerOverlay as N, rejectExplicitCfnStackWithMultipleStacks as Nt, evaluateCachedLambdaPolicy as O, resolveEnvVars as Ot, buildHttpApiV2Event as P, resolveCfnFallbackRegion as Pt, buildJwksUrlFromIssuer as Q, AgentCoreResolutionError as Qt, selectIntegrationResponse as R, collectSsmParameterRefs as Rt, startApiServer as S, resolveRuntimeImage as St, defaultCredentialsLoader as T, substituteAgainstStateAsync as Tt, bufferToBody as U, discoverWebSocketApis as Ut, HOST_GATEWAY_MIN_VERSION as V, countTargets as Vt, ConnectionRegistry as W, discoverWebSocketApisOrThrow as Wt, buildMessageEvent as X, AGENTCORE_MCP_PROTOCOL as Xt, buildDisconnectEvent as Y, AGENTCORE_HTTP_PROTOCOL as Yt, buildCognitoJwksUrl as Z, AGENTCORE_RUNTIME_TYPE as Zt, availableApiIdentifiers as _, createLocalInvokeCommand as _t, buildCloudMapIndex as a, buildCorsConfigByApiId as at, groupRoutesByServer as b, resolveRuntimeCodeMountPath as bt, createLocalRunTaskCommand as c, matchPreflight as ct, createWatchPredicates as d, MCP_PROTOCOL_VERSION as dt, derivePseudoParametersFromRegion as en, verifyCognitoJwt as et, resolveApiTargetSubset as f, mcpInvokeOnce as ft, buildStageMap as g, waitForAgentCorePing as gt, attachStageContext as h, invokeAgentCore as ht, createLocalStartServiceCommand as i, applyCorsResponseHeaders as it, matchRoute as j, createLocalStateProvider as jt, invokeRequestAuthorizer as k, materializeLayerFromArn as kt, createLocalInvokeAgentCoreCommand as l, MCP_CONTAINER_PORT as lt, createFileWatcher as m, AGENTCORE_SESSION_ID_HEADER as mt, formatTargetListing as n, tryResolveImageFnJoin as nn, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, parseSseForJsonRpc as pt, parseConnectionsPath as q, pickRefLogicalId as qt, createLocalStartAlbCommand as r, LocalInvokeBuildError as rn, attachAuthorizers as rt, getContainerNetworkIp as s, isFunctionUrlOacFronted as st, createLocalListCommand as t, substituteImagePlaceholders as tn, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, MCP_PATH as ut, filterRoutesByApiIdentifier as v, architectureToPlatform as vt, resolveServiceIntegrationParameters as w, substituteAgainstState as wt, readMtlsMaterialsFromDisk as x, resolveRuntimeFileExtension as xt, filterRoutesByApiIdentifiers as y, buildContainerImage as yt, tryParseStatus as z, resolveSsmParameters as zt };
+//# sourceMappingURL=local-list-qObdm4O8.js.map