cdk-local 0.41.0 → 0.43.0

package/dist/{local-list-DDsa8FJV.js → local-list-bwZnI2pV.js}

@@ -1196,11 +1196,17 @@ function notFoundError$3(target, stack, resources) {
 */
 const AGENTCORE_RUNTIME_TYPE = "AWS::BedrockAgentCore::Runtime";
 /**
-* The only protocol `cdkl invoke-agentcore` serves in v1. AgentCore Runtimes
-* may also declare `MCP` / `A2A` / `AGUI`, which speak different wire
-* contracts and are out of scope here.
+* AgentCore Runtime protocols `cdkl invoke-agentcore` can serve.
+*
+* - `HTTP` — the agent contract (`POST /invocations` + `GET /ping` on 8080).
+* - `MCP` — Model Context Protocol over Streamable HTTP (`POST /mcp` on 8000).
+*
+* `A2A` / `AGUI` declare yet other wire contracts and are not served yet.
 */
 const AGENTCORE_HTTP_PROTOCOL = "HTTP";
+const AGENTCORE_MCP_PROTOCOL = "MCP";
+/** Protocols this CLI can run a container for. */
+const SUPPORTED_AGENTCORE_PROTOCOLS = [AGENTCORE_HTTP_PROTOCOL, "MCP"];
 var AgentCoreResolutionError = class AgentCoreResolutionError extends Error {
 	constructor(message) {
 		super(message);
@@ -1272,7 +1278,7 @@ function notFoundError$2(target, stack, resources) {
 function extractRuntimeProperties(stack, logicalId, resource, resources, imageContext) {
 	const props = resource.Properties ?? {};
 	const protocol = extractProtocol(props["ProtocolConfiguration"], logicalId, stack.stackName);
-	const containerUri = extractContainerUri(props["AgentRuntimeArtifact"], logicalId, stack.stackName, resources, stack.region, imageContext);
+	const artifact = extractArtifact(props["AgentRuntimeArtifact"], logicalId, stack.stackName, resources, stack.region, imageContext);
 	const environmentVariables = props["EnvironmentVariables"] && typeof props["EnvironmentVariables"] === "object" && !Array.isArray(props["EnvironmentVariables"]) ? props["EnvironmentVariables"] : {};
 	const roleArn = typeof props["RoleArn"] === "string" ? props["RoleArn"] : void 0;
 	const jwtAuthorizer = extractJwtAuthorizer(props["AuthorizerConfiguration"], logicalId);
@@ -1280,7 +1286,7 @@ function extractRuntimeProperties(stack, logicalId, resource, resources, imageCo
 		stack,
 		logicalId,
 		resource,
-		containerUri,
+		...artifact.kind === "container" ? { containerUri: artifact.containerUri } : { codeArtifact: artifact.codeArtifact },
 		environmentVariables,
 		protocol,
 		...roleArn !== void 0 && { roleArn },
@@ -1313,30 +1319,61 @@ function extractJwtAuthorizer(authorizerConfig, logicalId) {
 	};
 }
 /**
-* Validate `ProtocolConfiguration`. v1 serves only `HTTP`; absent is
-* treated as `HTTP` (the runtime contract's default request/response
-* shape). Any explicit non-HTTP value hard-errors.
+* Validate `ProtocolConfiguration`. Serves `HTTP` (the default when absent)
+* and `MCP`; `A2A` / `AGUI` speak other wire contracts and hard-error with a
+* pointer to the follow-up.
 */
 function extractProtocol(value, logicalId, stackName) {
 	if (value === void 0 || value === null) return AGENTCORE_HTTP_PROTOCOL;
-	if (typeof value !== "string") throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a non-string ProtocolConfiguration. ${getEmbedConfig().cliName} invoke-agentcore supports the ${AGENTCORE_HTTP_PROTOCOL} protocol only in v1.`);
-	if (value !== "HTTP") throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} uses the ${value} protocol. ${getEmbedConfig().cliName} invoke-agentcore supports the ${AGENTCORE_HTTP_PROTOCOL} protocol only in v1 (MCP / A2A / AGUI speak different wire contracts).`);
+	if (typeof value !== "string") throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a non-string ProtocolConfiguration. ${getEmbedConfig().cliName} invoke-agentcore supports the ${SUPPORTED_AGENTCORE_PROTOCOLS.join(" / ")} protocols.`);
+	if (!SUPPORTED_AGENTCORE_PROTOCOLS.includes(value)) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} uses the ${value} protocol. ${getEmbedConfig().cliName} invoke-agentcore supports the ${SUPPORTED_AGENTCORE_PROTOCOLS.join(" / ")} protocols (A2A / AGUI speak different wire contracts and are not served yet).`);
 	return value;
 }
 /**
-* Extract + resolve the container image URI from `AgentRuntimeArtifact`.
-* Rejects the `CodeConfiguration` artifact (S3 zip + managed runtime),
-* which has no Dockerfile and is deferred from v1.
+* Resolve `AgentRuntimeArtifact` to either a container image URI or a code
+* artifact (managed runtime). A `ContainerConfiguration` yields the resolved
+* `ContainerUri`; a `CodeConfiguration` yields its `Runtime` / `EntryPoint` +
+* the cdk.out asset hash the command uses to locate the bundle source.
 */
-function extractContainerUri(artifact, logicalId, stackName, resources, region, imageContext) {
+function extractArtifact(artifact, logicalId, stackName, resources, region, imageContext) {
 	if (!artifact || typeof artifact !== "object" || Array.isArray(artifact)) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has no AgentRuntimeArtifact.`);
 	const art = artifact;
-	if (art["CodeConfiguration"] && !art["ContainerConfiguration"]) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} uses a code artifact (CodeConfiguration). ${getEmbedConfig().cliName} invoke-agentcore v1 runs container artifacts only — running a managed-runtime code artifact locally needs a from-source build that is not yet supported. Build the agent as a container (e.g. AgentCoreRuntime fromAsset / a Dockerfile) to run it locally.`);
+	if (art["CodeConfiguration"] && !art["ContainerConfiguration"]) return {
+		kind: "code",
+		codeArtifact: extractCodeArtifact(art["CodeConfiguration"], logicalId, stackName)
+	};
 	const container = art["ContainerConfiguration"];
 	if (!container || typeof container !== "object" || Array.isArray(container)) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has no ContainerConfiguration in its AgentRuntimeArtifact.`);
 	const uri = resolveImageUri(container["ContainerUri"], resources, region, imageContext);
 	if (uri === void 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a ContainerConfiguration.ContainerUri that ${getEmbedConfig().cliName} invoke-agentcore cannot resolve. v1 resolves a literal image URI, an Fn::Sub asset URI (the fromAsset / Dockerfile path), and an imported-ECR Fn::Join. A same-stack AWS::ECR::Repository reference is not supported — build the agent as a fromAsset image, or pin a literal / imported ECR image URI.`);
-	return uri;
+	return {
+		kind: "container",
+		containerUri: uri
+	};
+}
+/**
+* Extract a `CodeConfiguration` (managed-runtime) artifact. Reads `Runtime`,
+* `EntryPoint`, and the cdk.out file-asset hash from `Code.S3.Prefix`
+* (`<hash>.zip`, the `fromCodeAsset` shape). A non-literal `Code.S3.Prefix`
+* (an intrinsic, or a `fromS3` object key the command can't map to a local
+* asset) hard-errors — downloading a pre-existing S3 bundle is not supported
+* locally yet.
+*/
+function extractCodeArtifact(codeConfig, logicalId, stackName) {
+	const cfg = codeConfig && typeof codeConfig === "object" && !Array.isArray(codeConfig) ? codeConfig : {};
+	const runtime = cfg["Runtime"];
+	if (typeof runtime !== "string" || runtime.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration with no string Runtime.`);
+	const entryPointRaw = cfg["EntryPoint"];
+	const entryPoint = Array.isArray(entryPointRaw) ? entryPointRaw.filter((x) => typeof x === "string") : [];
+	if (entryPoint.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration with no EntryPoint.`);
+	const s3 = cfg["Code"] && typeof cfg["Code"] === "object" ? cfg["Code"]["S3"] : void 0;
+	const prefix = s3 && typeof s3 === "object" ? s3["Prefix"] : void 0;
+	if (typeof prefix !== "string" || prefix.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration whose Code.S3.Prefix is not a literal string. ${getEmbedConfig().cliName} invoke-agentcore runs a local from-source build of the fromCodeAsset bundle; downloading a pre-existing S3 bundle (fromS3) is not supported yet.`);
+	return {
+		runtime,
+		entryPoint,
+		codeAssetHash: prefix.replace(/^.*\//, "").replace(/\.zip$/, "")
+	};
 }
 /**
 * Resolve a `ContainerUri` value to a string. Handles a literal string,
@@ -6308,7 +6345,7 @@ async function runDetached(opts) {
 	if (opts.platform) args.push("--platform", opts.platform);
 	if (opts.extraHosts) for (const entry of opts.extraHosts) args.push("--add-host", `${entry.host}:${entry.ip}`);
 	const host = opts.host ?? "127.0.0.1";
-	args.push("-p", `${host}:${opts.hostPort}:8080`);
+	args.push("-p", `${host}:${opts.hostPort}:${opts.containerPort ?? 8080}`);
 	if (opts.debugPort !== void 0) args.push("-p", `${host}:${opts.debugPort}:${opts.debugPort}`);
 	for (const mount of opts.mounts) {
 		const ro = mount.readOnly ? ":ro" : "";
@@ -7022,7 +7059,7 @@ async function httpProbe(host, port, timeoutMs) {
 		})).text().catch(() => void 0);
 		return true;
 	} catch (err) {
-		if (isTransientNetworkError$1(err)) return false;
+		if (isTransientNetworkError$2(err)) return false;
 		throw err;
 	} finally {
 		clearTimeout(timer);
@@ -7036,7 +7073,7 @@ async function httpProbe(host, port, timeoutMs) {
 * between Docker's port forwarder accepting a TCP connection and the
 * container's RIE process being ready for HTTP.
 */
-function isTransientNetworkError$1(err) {
+function isTransientNetworkError$2(err) {
 	if (!(err instanceof Error)) return false;
 	if (err.name === "AbortError") return true;
 	if (err.name === "TypeError" && err.message === "fetch failed") return true;
@@ -8136,6 +8173,116 @@ function createLocalInvokeCommand(opts = {}) {
 	return invoke;
 }
 
+//#endregion
+//#region src/local/agentcore-code-build.ts
+/**
+* Local from-source build for an AgentCore Runtime `CodeConfiguration`
+* (managed-runtime) artifact.
+*
+* Unlike the container artifact (which ships its own Dockerfile/image), a code
+* artifact is just source + an `EntryPoint` + a `Runtime`; AWS's managed
+* runtime runs the entrypoint, which self-serves the AgentCore HTTP contract
+* (`POST /invocations` + `GET /ping` on 8080) — typically via the
+* `bedrock-agentcore` SDK. We replicate that locally: generate a Dockerfile
+* for the runtime's base image, install the bundle's dependencies, and run the
+* entrypoint. The resulting container speaks the same 8080 contract, so the
+* existing HTTP client drives it unchanged.
+*/
+/** AgentCore CodeConfiguration `Runtime` enum → local Docker base image. */
+const RUNTIME_BASE_IMAGES = {
+	PYTHON_3_10: "public.ecr.aws/docker/library/python:3.10-slim",
+	PYTHON_3_11: "public.ecr.aws/docker/library/python:3.11-slim",
+	PYTHON_3_12: "public.ecr.aws/docker/library/python:3.12-slim",
+	PYTHON_3_13: "public.ecr.aws/docker/library/python:3.13-slim",
+	PYTHON_3_14: "public.ecr.aws/docker/library/python:3.14-slim",
+	NODE_22: "public.ecr.aws/docker/library/node:22-slim"
+};
+/** Runtimes this CLI can build a from-source image for. */
+const SUPPORTED_CODE_RUNTIMES = Object.keys(RUNTIME_BASE_IMAGES);
+/**
+* Build (or, with `noBuild`, verify) a local image for a code artifact and
+* return its tag. The generated Dockerfile is written to a temp dir and built
+* with the source dir as the context, so the cdk.out asset is never mutated.
+*/
+async function buildAgentCoreCodeImage(options) {
+	const logger = getLogger();
+	const base = RUNTIME_BASE_IMAGES[options.runtime];
+	if (!base) throw new LocalInvokeBuildError(`AgentCore CodeConfiguration runtime '${options.runtime}' is not supported for local execution. Supported runtimes: ${SUPPORTED_CODE_RUNTIMES.join(", ")}.`);
+	const isNode = options.runtime.startsWith("NODE");
+	const dockerfile = renderCodeDockerfile(base, options.entryPoint, isNode);
+	const tag = computeCodeImageTag(options.sourceDir, options.runtime, options.entryPoint, dockerfile);
+	const platform = options.architecture === "x86_64" ? "linux/amd64" : "linux/arm64";
+	if (options.noBuild === true) {
+		logger.info(`Skipping docker build (--no-build). Verifying ${tag} is in local registry...`);
+		if (!await isImageInLocalCache(tag)) throw new LocalInvokeBuildError(`image '${tag}' not in local registry and --no-build is set; remove --no-build or run the build manually first.`);
+		return tag;
+	}
+	logger.info(`Building agent image from source (runtime=${options.runtime}, platform=${platform})...`);
+	logger.debug(`Local tag: ${tag}`);
+	const buildDir = await mkdtemp(join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-agentcore-code-`));
+	const dockerfilePath = join(buildDir, "Dockerfile");
+	try {
+		await writeFile(dockerfilePath, dockerfile, "utf-8");
+		await runDockerStreaming([
+			"build",
+			"--platform",
+			platform,
+			"--tag",
+			tag,
+			"--file",
+			dockerfilePath,
+			options.sourceDir
+		]);
+	} catch (err) {
+		const stderr = err.stderr?.trim();
+		throw new LocalInvokeBuildError(`docker build failed for AgentCore code artifact (${options.sourceDir})${stderr ? `: ${stderr}` : ""}`);
+	} finally {
+		await rm(buildDir, {
+			recursive: true,
+			force: true
+		}).catch(() => void 0);
+	}
+	return tag;
+}
+/**
+* Render the generated Dockerfile. Dependencies are installed conditionally
+* (a bundle may vendor them or ship none), and the EntryPoint is mapped to a
+* CMD: a bare script (`app.py` / `server.js`) is run by the interpreter, while
+* an explicit launcher (e.g. `opentelemetry-instrument`) is run verbatim.
+*/
+function renderCodeDockerfile(base, entryPoint, isNode) {
+	const installStep = isNode ? "RUN if [ -f package.json ]; then npm install --omit=dev; fi" : "RUN if [ -f requirements.txt ]; then pip install --no-cache-dir -r requirements.txt; elif [ -f pyproject.toml ]; then pip install --no-cache-dir .; fi";
+	return [
+		`FROM ${base}`,
+		"WORKDIR /app",
+		"COPY . /app",
+		installStep,
+		"EXPOSE 8080",
+		`CMD ${JSON.stringify(toCmdArgv(entryPoint, isNode))}`
+	].join("\n") + "\n";
+}
+/**
+* Map the EntryPoint argv to a Docker CMD argv. The managed runtime execs the
+* entrypoint as the program; a bare script file is run by the language
+* interpreter (`python` / `node`), while a non-script first token (a launcher
+* already on PATH, e.g. `opentelemetry-instrument`) is run verbatim.
+*/
+function toCmdArgv(entryPoint, isNode) {
+	const first = entryPoint[0] ?? "";
+	if (!(isNode ? /\.[cm]?js$/.test(first) : /\.py$/.test(first))) return entryPoint;
+	return [isNode ? "node" : "python", ...entryPoint];
+}
+/** Deterministic local tag, stable for identical source + runtime + entrypoint. */
+function computeCodeImageTag(sourceDir, runtime, entryPoint, dockerfile) {
+	const hash = createHash("sha256").update([
+		sourceDir,
+		runtime,
+		entryPoint.join(" "),
+		dockerfile
+	].join("\0")).digest("hex").slice(0, 16);
+	return `${getEmbedConfig().resourceNamePrefix}-agentcore-code-${hash}`;
+}
+
 //#endregion
 //#region src/local/agentcore-client.ts
 /**
@@ -8208,7 +8355,7 @@ async function pingProbe(host, port, timeoutMs) {
 		await response.text().catch(() => void 0);
 		return response.status;
 	} catch (err) {
-		if (isTransientNetworkError(err)) return void 0;
+		if (isTransientNetworkError$1(err)) return void 0;
 		throw err;
 	} finally {
 		clearTimeout(timer);
@@ -8220,7 +8367,7 @@ async function pingProbe(host, port, timeoutMs) {
 * `ECONNRESET` / `ECONNREFUSED` / `UND_ERR_SOCKET`. Treat all of those —
 * plus an `AbortError` from the per-probe timeout — as "not ready, retry".
 */
-function isTransientNetworkError(err) {
+function isTransientNetworkError$1(err) {
 	if (!(err instanceof Error)) return false;
 	if (err.name === "AbortError") return true;
 	if (err.name === "TypeError" && err.message === "fetch failed") return true;
@@ -8305,6 +8452,191 @@ async function streamBody(body, onChunk) {
 	}
 }
 
+//#endregion
+//#region src/local/agentcore-mcp-client.ts
+/**
+* Client for the Bedrock AgentCore Runtime MCP protocol contract.
+*
+* An MCP-protocol AgentCore Runtime container listens on `0.0.0.0:8000` and
+* serves the Model Context Protocol over **Streamable HTTP** at `POST /mcp`
+* (no `GET /ping` — unlike the HTTP protocol). Each JSON-RPC message is its
+* own POST. `cdkl invoke-agentcore` performs the minimal session lifecycle:
+*
+*   1. `initialize`            — negotiate; the server MAY return an
+*                                `Mcp-Session-Id` header to echo thereafter.
+*   2. `notifications/initialized` — required before any request (202, no body).
+*   3. one request             — `tools/list` by default, or the method/params
+*                                from `--event` (e.g. `tools/call`).
+*
+* Talking to the local container is **vanilla MCP**: the
+* `X-Amzn-Bedrock-AgentCore-Runtime-Session-Id` header and the inbound OAuth
+* bearer are AgentCore managed-plane concerns the front door maps to MCP's own
+* `Mcp-Session-Id`, so a direct local client does not send them.
+*/
+/** Container port an MCP-protocol AgentCore Runtime listens on. */
+const MCP_CONTAINER_PORT = 8e3;
+/** HTTP path of the MCP Streamable-HTTP endpoint. */
+const MCP_PATH = "/mcp";
+/** MCP protocol version this client negotiates. */
+const MCP_PROTOCOL_VERSION = "2025-06-18";
+const SESSION_ID_HEADER = "mcp-session-id";
+const PROTOCOL_VERSION_HEADER = "MCP-Protocol-Version";
+/**
+* Run the MCP session lifecycle against a local container and return the
+* single request's JSON-RPC response. The initial `initialize` POST is
+* retried for `readyTimeoutMs` to absorb container boot (there is no separate
+* readiness endpoint), so this also serves as the wait-for-ready step.
+*/
+async function mcpInvokeOnce(host, port, request, options = {}) {
+	const fetchImpl = options.fetchImpl ?? fetch;
+	const url = `http://${host}:${port}${MCP_PATH}`;
+	const requestTimeoutMs = options.requestTimeoutMs ?? 12e4;
+	const sessionId = await initializeWithRetry(fetchImpl, url, options.readyTimeoutMs ?? 3e4);
+	await postMcp(fetchImpl, url, {
+		jsonrpc: "2.0",
+		method: "notifications/initialized"
+	}, sessionId, requestTimeoutMs);
+	const message = (await postMcp(fetchImpl, url, {
+		jsonrpc: "2.0",
+		id: 1,
+		method: request.method,
+		...request.params !== void 0 && { params: request.params }
+	}, sessionId, requestTimeoutMs)).message;
+	return {
+		ok: !(message !== null && typeof message === "object" && "error" in message),
+		raw: JSON.stringify(message ?? null, null, 2)
+	};
+}
+/**
+* POST `initialize`, retrying transient connect failures until the container
+* is up or `readyTimeoutMs` elapses. Returns the `Mcp-Session-Id` the server
+* assigned (undefined for a stateless server that omits it).
+*/
+async function initializeWithRetry(fetchImpl, url, readyTimeoutMs) {
+	const deadline = Date.now() + readyTimeoutMs;
+	const body = {
+		jsonrpc: "2.0",
+		id: 0,
+		method: "initialize",
+		params: {
+			protocolVersion: MCP_PROTOCOL_VERSION,
+			capabilities: {},
+			clientInfo: {
+				name: "cdkl",
+				version: "1"
+			}
+		}
+	};
+	let lastDetail = "";
+	while (Date.now() < deadline) {
+		const controller = new AbortController();
+		const timer = setTimeout(() => controller.abort(), 5e3);
+		try {
+			const response = await fetchImpl(url, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Accept: "application/json, text/event-stream"
+				},
+				body: JSON.stringify(body),
+				signal: controller.signal
+			});
+			await response.text().catch(() => void 0);
+			if (response.status >= 200 && response.status < 300) return response.headers.get(SESSION_ID_HEADER) ?? void 0;
+			lastDetail = `initialize returned HTTP ${response.status}`;
+			throw new Error(lastDetail);
+		} catch (err) {
+			if (!isTransientNetworkError(err)) {
+				if (lastDetail) throw new Error(`MCP initialize at ${url} failed: ${lastDetail}. Check 'docker logs' output.`);
+				throw err;
+			}
+			lastDetail = err instanceof Error ? err.message : String(err);
+		} finally {
+			clearTimeout(timer);
+		}
+		await setTimeout$1(150);
+	}
+	throw new Error(`MCP server did not become ready on ${url} within ${readyTimeoutMs}ms${lastDetail ? `: ${lastDetail}` : ""}. The container may have exited early or may not serve POST ${MCP_PATH} — check 'docker logs'.`);
+}
+/**
+* POST one JSON-RPC message and, for a request (one with an `id`), return the
+* parsed JSON-RPC response — handling both an `application/json` body and a
+* `text/event-stream` (the server picks either per the Streamable-HTTP spec).
+* A notification (no `id`) returns 202 with no body and yields no message.
+*/
+async function postMcp(fetchImpl, url, body, sessionId, timeoutMs) {
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), timeoutMs);
+	try {
+		const response = await fetchImpl(url, {
+			method: "POST",
+			headers: {
+				"Content-Type": "application/json",
+				Accept: "application/json, text/event-stream",
+				[PROTOCOL_VERSION_HEADER]: MCP_PROTOCOL_VERSION,
+				...sessionId && { "Mcp-Session-Id": sessionId }
+			},
+			body: JSON.stringify(body),
+			signal: controller.signal
+		});
+		const text = await response.text();
+		if (body.id === void 0) return { status: response.status };
+		const message = (response.headers.get("content-type") ?? "").includes("text/event-stream") ? parseSseForJsonRpc(text, body.id) : text ? safeJsonParse$1(text) : void 0;
+		return {
+			status: response.status,
+			message
+		};
+	} catch (err) {
+		if (err.name === "AbortError") throw new Error(`MCP request '${body.method}' at ${url} timed out after ${timeoutMs}ms. The server may be hung; check container logs.`);
+		throw err;
+	} finally {
+		clearTimeout(timer);
+	}
+}
+/**
+* Extract the JSON-RPC message matching `id` from an SSE body. Frames are
+* separated by blank lines; a frame's `data:` lines are concatenated and
+* parsed as JSON. Returns the id-matching message, else the last parseable
+* one (servers typically send a single frame carrying the response).
+*/
+function parseSseForJsonRpc(text, id) {
+	let last;
+	for (const frame of text.split(/\r?\n\r?\n/)) {
+		const data = frame.split(/\r?\n/).filter((line) => line.startsWith("data:")).map((line) => line.slice(5).trimStart()).join("\n");
+		if (!data) continue;
+		const parsed = safeJsonParse$1(data);
+		if (parsed === void 0) continue;
+		last = parsed;
+		if (parsed !== null && typeof parsed === "object" && parsed.id === id) return parsed;
+	}
+	return last;
+}
+function safeJsonParse$1(text) {
+	try {
+		return JSON.parse(text);
+	} catch {
+		return;
+	}
+}
+/**
+* `fetch()` failures during container boot manifest as a generic
+* `TypeError: fetch failed` whose `.cause` carries the underlying
+* `ECONNRESET` / `ECONNREFUSED` / `UND_ERR_SOCKET`; an `AbortError` is the
+* per-attempt timeout. Treat all of those — plus the synthetic non-2xx retry
+* — as "not ready, retry".
+*/
+function isTransientNetworkError(err) {
+	if (!(err instanceof Error)) return false;
+	if (err.name === "AbortError") return true;
+	if (err.name === "TypeError" && err.message === "fetch failed") return true;
+	if (err.message.startsWith("initialize returned HTTP")) return true;
+	const cause = err.cause;
+	if (cause?.code === "ECONNRESET") return true;
+	if (cause?.code === "ECONNREFUSED") return true;
+	if (cause?.code === "UND_ERR_SOCKET") return true;
+	return false;
+}
+
 //#endregion
 //#region src/local/cors-handler.ts
 /**
@@ -17270,9 +17602,10 @@ function createLocalStartApiCommand(opts = {}) {
 * locally and invoke it once over the AgentCore HTTP contract. Resolves
 * the `AWS::BedrockAgentCore::Runtime`, pulls / builds its container,
 * starts it on port 8080, waits for `GET /ping`, POSTs the event to
-* `POST /invocations`, prints the response, and tears down. v1 covers the
-* container artifact + HTTP protocol; the agent's calls to real AWS go to
-* real AWS (credentials injected like `cdkl invoke`).
+* `POST /invocations`, prints the response, and tears down. Covers the
+* container artifact and the CodeConfiguration managed-runtime artifact
+* (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent's
+* calls to real AWS go to real AWS (credentials injected like `cdkl invoke`).
 */
 async function localInvokeAgentCoreCommand(target, options, extraStateProviders) {
 	const logger = getLogger();
@@ -17329,15 +17662,21 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			onMissing: () => new CdkLocalError(`${getEmbedConfig().cliName} invoke-agentcore requires a <target> (an AgentCore Runtime display path or logical ID). Run \`${getEmbedConfig().cliName} list\` to see them, or run it in a TTY to pick interactively.`, "LOCAL_INVOKE_AGENTCORE_TARGET_REQUIRED")
 		}), stacks);
 		logger.info(`Target: ${resolved.stack.stackName}/${resolved.logicalId} (${resolved.protocol})`);
+		const isMcp = resolved.protocol === "MCP";
 		const sessionId = options.sessionId ?? randomUUID();
 		const event = await readEvent(options);
-		const authorization = await resolveInboundAuthorization(resolved, options);
+		const mcpRequest = isMcp ? buildMcpRequest(event) : void 0;
+		let authorization;
+		if (isMcp) {
+			if (resolved.jwtAuthorizer || options.bearerToken) logger.info(`MCP runtime: invoking the local container's ${MCP_PATH} directly (vanilla MCP). An inbound JWT / --bearer-token is an AgentCore managed-plane concern and is not applied locally.`);
+		} else authorization = await resolveInboundAuthorization(resolved, options);
 		const image = await resolveAgentCoreImage(resolved, options);
 		const dockerEnv = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, extraStateProviders);
 		const hostPort = await pickFreePort();
 		const containerHost = options.containerHost;
 		const containerName = `${getEmbedConfig().resourceNamePrefix}-agentcore-${process.pid}-${Math.random().toString(36).slice(2, 8)}`;
-		logger.info(`Starting agent container (image=${image}, port=${hostPort})...`);
+		const containerPortLabel = isMcp ? `${MCP_CONTAINER_PORT}${MCP_PATH}` : "8080";
+		logger.info(`Starting agent container (image=${image}, port=${hostPort} -> ${containerPortLabel})...`);
 		containerId = await runDetached({
 			image,
 			mounts: [],
@@ -17346,22 +17685,30 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			hostPort,
 			host: containerHost,
 			platform: options.platform,
-			name: containerName
+			name: containerName,
+			...isMcp && { containerPort: 8e3 }
 		});
 		stopLogs = streamLogs(containerId);
 		sigintHandler = () => {
 			cleanup().then(() => process.exit(130));
 		};
 		process.on("SIGINT", sigintHandler);
-		await waitForAgentCorePing(containerHost, hostPort);
-		const result = await invokeAgentCore(containerHost, hostPort, event, {
-			sessionId,
-			timeoutMs: 12e4,
-			onChunk: (text) => process.stdout.write(text),
-			...authorization && { authorization }
-		});
-		await new Promise((r) => setTimeout(r, 250));
-		emitResult(result);
+		if (isMcp && mcpRequest) {
+			logger.info(`MCP request: ${mcpRequest.method}`);
+			const mcp = await mcpInvokeOnce(containerHost, hostPort, mcpRequest);
+			await new Promise((r) => setTimeout(r, 250));
+			emitMcpResult(mcp);
+		} else {
+			await waitForAgentCorePing(containerHost, hostPort);
+			const result = await invokeAgentCore(containerHost, hostPort, event, {
+				sessionId,
+				timeoutMs: 12e4,
+				onChunk: (text) => process.stdout.write(text),
+				...authorization && { authorization }
+			});
+			await new Promise((r) => setTimeout(r, 250));
+			emitResult(result);
+		}
 	} finally {
 		if (sigintHandler) process.off("SIGINT", sigintHandler);
 		await cleanup();
@@ -17401,36 +17748,74 @@ async function resolveInboundAuthorization(resolved, options) {
 	return header;
 }
 /**
-* Acquire the agent container image. Mirrors the container-Lambda path:
-* build from a local cdk.out asset when the URI matches one, else pull
-* from ECR, else pull a plain registry image.
+* Acquire the agent image. A CODE artifact (managed runtime) is built from
+* source (generated Dockerfile over the bundle's cdk.out asset). A CONTAINER
+* artifact mirrors the container-Lambda path: build from a local cdk.out asset
+* when the URI matches one, else pull from ECR, else pull a plain registry image.
 */
 async function resolveAgentCoreImage(resolved, options) {
 	const logger = getLogger();
 	const architecture = platformToArchitecture(options.platform);
+	if (resolved.codeArtifact) return resolveAgentCoreCodeImage(resolved, resolved.codeArtifact, options, architecture);
+	const containerUri = resolved.containerUri;
+	if (containerUri === void 0) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' has neither a container image nor a code artifact to run.`, "LOCAL_INVOKE_AGENTCORE_NO_ARTIFACT");
 	const manifestPath = resolved.stack.assetManifestPath;
 	if (manifestPath) {
 		const cdkOutDir = dirname(manifestPath);
 		const manifest = await new AssetManifestLoader().loadManifest(cdkOutDir, resolved.stack.stackName);
 		if (manifest) {
-			const entry = getDockerImageBySourceHash(manifest, resolved.containerUri);
+			const entry = getDockerImageBySourceHash(manifest, containerUri);
 			if (entry) return buildContainerImage(entry.asset, cdkOutDir, {
 				architecture,
 				noBuild: options.build === false
 			});
 		}
 	}
-	if (parseEcrUri(resolved.containerUri)) {
-		logger.info(`Pulling agent image from ECR: ${resolved.containerUri}`);
-		return pullEcrImage(resolved.containerUri, {
+	if (parseEcrUri(containerUri)) {
+		logger.info(`Pulling agent image from ECR: ${containerUri}`);
+		return pullEcrImage(containerUri, {
 			skipPull: options.pull === false,
 			...options.region !== void 0 && { region: options.region },
 			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn },
 			...options.profile !== void 0 && { profile: options.profile }
 		});
 	}
-	await pullImage(resolved.containerUri, options.pull === false);
-	return resolved.containerUri;
+	await pullImage(containerUri, options.pull === false);
+	return containerUri;
+}
+/**
+* Build a local image from a `CodeConfiguration` (managed-runtime) bundle:
+* locate the fromCodeAsset source dir in cdk.out via its asset hash, then run
+* the from-source build (generated Dockerfile → install deps → run EntryPoint).
+* A bundle with no local asset (fromS3) hard-errors — not supported yet.
+*/
+async function resolveAgentCoreCodeImage(resolved, code, options, architecture) {
+	const manifestPath = resolved.stack.assetManifestPath;
+	if (!manifestPath) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' uses a code artifact, but its stack has no asset manifest in cdk.out to read the bundle source from.`, "LOCAL_INVOKE_AGENTCORE_CODE_NO_MANIFEST");
+	const cdkOutDir = dirname(manifestPath);
+	const loader = new AssetManifestLoader();
+	const manifest = await loader.loadManifest(cdkOutDir, resolved.stack.stackName);
+	const fileAssets = manifest ? loader.getFileAssets(manifest) : void 0;
+	const asset = fileAssets ? fileAssets.get(code.codeAssetHash) ?? findFileAssetByObjectKey(fileAssets, code.codeAssetHash) : void 0;
+	if (!asset) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle (asset ${code.codeAssetHash}) was not found in the cdk.out asset manifest. ${getEmbedConfig().cliName} invoke-agentcore runs a local from-source build of a fromCodeAsset bundle; a fromS3 bundle (a pre-existing S3 object) is not supported yet.`, "LOCAL_INVOKE_AGENTCORE_CODE_ASSET_NOT_FOUND");
+	const sourceDir = loader.getAssetSourcePath(cdkOutDir, asset);
+	if (!existsSync(sourceDir) || !statSync(sourceDir).isDirectory()) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle source '${sourceDir}' does not exist or is not a directory. Re-synthesize the app and retry.`, "LOCAL_INVOKE_AGENTCORE_CODE_SOURCE_MISSING");
+	return buildAgentCoreCodeImage({
+		sourceDir,
+		runtime: code.runtime,
+		entryPoint: code.entryPoint,
+		architecture,
+		noBuild: options.build === false
+	});
+}
+/**
+* Find the file asset whose destination objectKey is `<hash>.zip` (matching the
+* `Code.S3.Prefix`'s hash) when the source-hash-keyed lookup misses — covers a
+* synthesizer whose source hash differs from the destination objectKey.
+*/
+function findFileAssetByObjectKey(fileAssets, hash) {
+	const zip = `${hash}.zip`;
+	for (const asset of fileAssets.values()) if (Object.values(asset.destinations).some((d) => d.objectKey === zip || d.objectKey.endsWith(`/${zip}`))) return asset;
 }
 /**
 * Build the container env: resolved template env vars (+ `--env-vars`
@@ -17540,6 +17925,39 @@ function emitResult(result) {
 	}
 	process.stdout.write(`${result.raw}\n`);
 }
+/**
+* Build the JSON-RPC request to send to an MCP runtime from `--event`:
+*   - no `--event` (empty object) → `tools/list` (discover the server's tools),
+*   - an object with a string `method` → that method + its `params`,
+*   - anything else → a fail-fast error.
+*
+* Exported for unit testing.
+*/
+function buildMcpRequest(event) {
+	if (event === void 0 || event === null) return {
+		method: "tools/list",
+		params: {}
+	};
+	if (typeof event !== "object" || Array.isArray(event)) throw new CdkLocalError("MCP --event must be a JSON object describing a JSON-RPC request (e.g. {\"method\":\"tools/call\",\"params\":{\"name\":\"...\",\"arguments\":{...}}}).", "LOCAL_INVOKE_AGENTCORE_MCP_EVENT_INVALID");
+	const obj = event;
+	if (Object.keys(obj).length === 0) return {
+		method: "tools/list",
+		params: {}
+	};
+	if (typeof obj["method"] !== "string") throw new CdkLocalError(`MCP --event must include a string "method" (a JSON-RPC method such as "tools/list" or "tools/call"). Got keys: ${Object.keys(obj).join(", ")}.`, "LOCAL_INVOKE_AGENTCORE_MCP_EVENT_INVALID");
+	return {
+		method: obj["method"],
+		...obj["params"] !== void 0 && { params: obj["params"] }
+	};
+}
+/** Print the MCP JSON-RPC response; exit 1 when it carried a JSON-RPC error. */
+function emitMcpResult(result) {
+	if (!result.ok) {
+		getLogger().warn("MCP server returned a JSON-RPC error.");
+		process.exitCode = 1;
+	}
+	process.stdout.write(`${result.raw}\n`);
+}
 /** Map a `--platform` value to the architecture `buildContainerImage` expects. */
 function platformToArchitecture(platform) {
 	return platform === "linux/amd64" ? "x86_64" : "arm64";
@@ -17620,7 +18038,7 @@ function readEnvOverridesFile$2(filePath) {
 }
 function createLocalInvokeAgentCoreCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over the AgentCore HTTP contract (POST /invocations + GET /ping on port 8080). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. v1 supports the container artifact + HTTP protocol; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
+	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact and the CodeConfiguration managed-runtime artifact (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
 		await localInvokeAgentCoreCommand(target, options, opts.extraStateProviders);
 	}));
 	[
@@ -21354,5 +21772,5 @@ function createLocalListCommand(opts = {}) {
 }
 
 //#endregion
-export { createJwksCache as $, invokeTokenAuthorizer as A, resolveCfnRegion as At, VtlEvaluationError as B, parseSelectionExpressionPath as Bt, resolveSelectionExpression as C, resolveEnvVars as Ct, computeRequestIdentityHash as D, isCfnFlagPresent as Dt, buildMethodArn as E, createLocalStateProvider as Et, buildRestV1Event as F, resolveWatchConfig as Ft, buildMgmtEndpointEnvUrl as G, AGENTCORE_RUNTIME_TYPE as Gt, probeHostGatewaySupport as H, pickRefLogicalId as Ht, evaluateResponseParameters as I, countTargets as It, buildConnectEvent as J, derivePseudoParametersFromRegion as Jt, handleConnectionsRequest as K, AgentCoreResolutionError as Kt, pickResponseTemplate as L, listTargets as Lt, translateLambdaResponse as M, CfnLocalStateProvider as Mt, applyAuthorizerOverlay as N, collectSsmParameterRefs as Nt, evaluateCachedLambdaPolicy as O, rejectExplicitCfnStackWithMultipleStacks as Ot, buildHttpApiV2Event as P, resolveSsmParameters as Pt, buildJwksUrlFromIssuer as Q, selectIntegrationResponse as R, discoverWebSocketApis as Rt, startApiServer as S, substituteEnvVarsFromStateAsync as St, defaultCredentialsLoader as T, LocalStateSourceError as Tt, bufferToBody as U, resolveLambdaArnIntrinsic as Ut, HOST_GATEWAY_MIN_VERSION as V, discoverRoutes as Vt, ConnectionRegistry as W, AGENTCORE_HTTP_PROTOCOL as Wt, buildMessageEvent as X, tryResolveImageFnJoin as Xt, buildDisconnectEvent as Y, substituteImagePlaceholders as Yt, buildCognitoJwksUrl as Z, LocalInvokeBuildError as Zt, availableApiIdentifiers as _, resolveRuntimeImage as _t, buildCloudMapIndex as a, buildCorsConfigByApiId as at, groupRoutesByServer as b, substituteAgainstStateAsync as bt, createLocalRunTaskCommand as c, matchPreflight as ct, createWatchPredicates as d, waitForAgentCorePing as dt, verifyCognitoJwt as et, resolveApiTargetSubset as f, createLocalInvokeCommand as ft, buildStageMap as g, resolveRuntimeFileExtension as gt, attachStageContext as h, resolveRuntimeCodeMountPath as ht, createLocalStartServiceCommand as i, applyCorsResponseHeaders as it, matchRoute as j, resolveCfnStackName as jt, invokeRequestAuthorizer as k, resolveCfnFallbackRegion as kt, createLocalInvokeAgentCoreCommand as l, AGENTCORE_SESSION_ID_HEADER as lt, createFileWatcher as m, buildContainerImage as mt, formatTargetListing as n, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, architectureToPlatform as pt, parseConnectionsPath as q, resolveAgentCoreTarget as qt, createLocalStartAlbCommand as r, attachAuthorizers as rt, getContainerNetworkIp as s, isFunctionUrlOacFronted as st, createLocalListCommand as t, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, invokeAgentCore as ut, filterRoutesByApiIdentifier as v, EcsTaskResolutionError as vt, resolveServiceIntegrationParameters as w, materializeLayerFromArn as wt, readMtlsMaterialsFromDisk as x, substituteEnvVarsFromState as xt, filterRoutesByApiIdentifiers as y, substituteAgainstState as yt, tryParseStatus as z, discoverWebSocketApisOrThrow as zt };
-//# sourceMappingURL=local-list-DDsa8FJV.js.map
+export { createJwksCache as $, resolveLambdaArnIntrinsic as $t, invokeTokenAuthorizer as A, substituteAgainstStateAsync as At, VtlEvaluationError as B, resolveCfnRegion as Bt, resolveSelectionExpression as C, architectureToPlatform as Ct, computeRequestIdentityHash as D, resolveRuntimeImage as Dt, buildMethodArn as E, resolveRuntimeFileExtension as Et, buildRestV1Event as F, LocalStateSourceError as Ft, buildMgmtEndpointEnvUrl as G, resolveWatchConfig as Gt, probeHostGatewaySupport as H, CfnLocalStateProvider as Ht, evaluateResponseParameters as I, createLocalStateProvider as It, buildConnectEvent as J, discoverWebSocketApis as Jt, handleConnectionsRequest as K, countTargets as Kt, pickResponseTemplate as L, isCfnFlagPresent as Lt, translateLambdaResponse as M, substituteEnvVarsFromStateAsync as Mt, applyAuthorizerOverlay as N, resolveEnvVars as Nt, evaluateCachedLambdaPolicy as O, EcsTaskResolutionError as Ot, buildHttpApiV2Event as P, materializeLayerFromArn as Pt, buildJwksUrlFromIssuer as Q, pickRefLogicalId as Qt, selectIntegrationResponse as R, rejectExplicitCfnStackWithMultipleStacks as Rt, startApiServer as S, createLocalInvokeCommand as St, defaultCredentialsLoader as T, resolveRuntimeCodeMountPath as Tt, bufferToBody as U, collectSsmParameterRefs as Ut, HOST_GATEWAY_MIN_VERSION as V, resolveCfnStackName as Vt, ConnectionRegistry as W, resolveSsmParameters as Wt, buildMessageEvent as X, parseSelectionExpressionPath as Xt, buildDisconnectEvent as Y, discoverWebSocketApisOrThrow as Yt, buildCognitoJwksUrl as Z, discoverRoutes as Zt, availableApiIdentifiers as _, SUPPORTED_CODE_RUNTIMES as _t, buildCloudMapIndex as a, derivePseudoParametersFromRegion as an, buildCorsConfigByApiId as at, groupRoutesByServer as b, renderCodeDockerfile as bt, createLocalRunTaskCommand as c, LocalInvokeBuildError as cn, matchPreflight as ct, createWatchPredicates as d, MCP_PROTOCOL_VERSION as dt, AGENTCORE_HTTP_PROTOCOL as en, verifyCognitoJwt as et, resolveApiTargetSubset as f, mcpInvokeOnce as ft, buildStageMap as g, waitForAgentCorePing as gt, attachStageContext as h, invokeAgentCore as ht, createLocalStartServiceCommand as i, resolveAgentCoreTarget as in, applyCorsResponseHeaders as it, matchRoute as j, substituteEnvVarsFromState as jt, invokeRequestAuthorizer as k, substituteAgainstState as kt, createLocalInvokeAgentCoreCommand as l, MCP_CONTAINER_PORT as lt, createFileWatcher as m, AGENTCORE_SESSION_ID_HEADER as mt, formatTargetListing as n, AGENTCORE_RUNTIME_TYPE as nn, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, substituteImagePlaceholders as on, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, parseSseForJsonRpc as pt, parseConnectionsPath as q, listTargets as qt, createLocalStartAlbCommand as r, AgentCoreResolutionError as rn, attachAuthorizers as rt, getContainerNetworkIp as s, tryResolveImageFnJoin as sn, isFunctionUrlOacFronted as st, createLocalListCommand as t, AGENTCORE_MCP_PROTOCOL as tn, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, MCP_PATH as ut, filterRoutesByApiIdentifier as v, buildAgentCoreCodeImage as vt, resolveServiceIntegrationParameters as w, buildContainerImage as wt, readMtlsMaterialsFromDisk as x, toCmdArgv as xt, filterRoutesByApiIdentifiers as y, computeCodeImageTag as yt, tryParseStatus as z, resolveCfnFallbackRegion as zt };
+//# sourceMappingURL=local-list-bwZnI2pV.js.map