cdk-local 0.42.0 → 0.43.0

package/dist/{local-list-qObdm4O8.js → local-list-bwZnI2pV.js}

@@ -1278,7 +1278,7 @@ function notFoundError$2(target, stack, resources) {
 function extractRuntimeProperties(stack, logicalId, resource, resources, imageContext) {
 	const props = resource.Properties ?? {};
 	const protocol = extractProtocol(props["ProtocolConfiguration"], logicalId, stack.stackName);
-	const containerUri = extractContainerUri(props["AgentRuntimeArtifact"], logicalId, stack.stackName, resources, stack.region, imageContext);
+	const artifact = extractArtifact(props["AgentRuntimeArtifact"], logicalId, stack.stackName, resources, stack.region, imageContext);
 	const environmentVariables = props["EnvironmentVariables"] && typeof props["EnvironmentVariables"] === "object" && !Array.isArray(props["EnvironmentVariables"]) ? props["EnvironmentVariables"] : {};
 	const roleArn = typeof props["RoleArn"] === "string" ? props["RoleArn"] : void 0;
 	const jwtAuthorizer = extractJwtAuthorizer(props["AuthorizerConfiguration"], logicalId);
@@ -1286,7 +1286,7 @@ function extractRuntimeProperties(stack, logicalId, resource, resources, imageCo
 		stack,
 		logicalId,
 		resource,
-		containerUri,
+		...artifact.kind === "container" ? { containerUri: artifact.containerUri } : { codeArtifact: artifact.codeArtifact },
 		environmentVariables,
 		protocol,
 		...roleArn !== void 0 && { roleArn },
@@ -1330,19 +1330,50 @@ function extractProtocol(value, logicalId, stackName) {
 	return value;
 }
 /**
-* Extract + resolve the container image URI from `AgentRuntimeArtifact`.
-* Rejects the `CodeConfiguration` artifact (S3 zip + managed runtime),
-* which has no Dockerfile and is deferred from v1.
+* Resolve `AgentRuntimeArtifact` to either a container image URI or a code
+* artifact (managed runtime). A `ContainerConfiguration` yields the resolved
+* `ContainerUri`; a `CodeConfiguration` yields its `Runtime` / `EntryPoint` +
+* the cdk.out asset hash the command uses to locate the bundle source.
 */
-function extractContainerUri(artifact, logicalId, stackName, resources, region, imageContext) {
+function extractArtifact(artifact, logicalId, stackName, resources, region, imageContext) {
 	if (!artifact || typeof artifact !== "object" || Array.isArray(artifact)) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has no AgentRuntimeArtifact.`);
 	const art = artifact;
-	if (art["CodeConfiguration"] && !art["ContainerConfiguration"]) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} uses a code artifact (CodeConfiguration). ${getEmbedConfig().cliName} invoke-agentcore v1 runs container artifacts only — running a managed-runtime code artifact locally needs a from-source build that is not yet supported. Build the agent as a container (e.g. AgentCoreRuntime fromAsset / a Dockerfile) to run it locally.`);
+	if (art["CodeConfiguration"] && !art["ContainerConfiguration"]) return {
+		kind: "code",
+		codeArtifact: extractCodeArtifact(art["CodeConfiguration"], logicalId, stackName)
+	};
 	const container = art["ContainerConfiguration"];
 	if (!container || typeof container !== "object" || Array.isArray(container)) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has no ContainerConfiguration in its AgentRuntimeArtifact.`);
 	const uri = resolveImageUri(container["ContainerUri"], resources, region, imageContext);
 	if (uri === void 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a ContainerConfiguration.ContainerUri that ${getEmbedConfig().cliName} invoke-agentcore cannot resolve. v1 resolves a literal image URI, an Fn::Sub asset URI (the fromAsset / Dockerfile path), and an imported-ECR Fn::Join. A same-stack AWS::ECR::Repository reference is not supported — build the agent as a fromAsset image, or pin a literal / imported ECR image URI.`);
-	return uri;
+	return {
+		kind: "container",
+		containerUri: uri
+	};
+}
+/**
+* Extract a `CodeConfiguration` (managed-runtime) artifact. Reads `Runtime`,
+* `EntryPoint`, and the cdk.out file-asset hash from `Code.S3.Prefix`
+* (`<hash>.zip`, the `fromCodeAsset` shape). A non-literal `Code.S3.Prefix`
+* (an intrinsic, or a `fromS3` object key the command can't map to a local
+* asset) hard-errors — downloading a pre-existing S3 bundle is not supported
+* locally yet.
+*/
+function extractCodeArtifact(codeConfig, logicalId, stackName) {
+	const cfg = codeConfig && typeof codeConfig === "object" && !Array.isArray(codeConfig) ? codeConfig : {};
+	const runtime = cfg["Runtime"];
+	if (typeof runtime !== "string" || runtime.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration with no string Runtime.`);
+	const entryPointRaw = cfg["EntryPoint"];
+	const entryPoint = Array.isArray(entryPointRaw) ? entryPointRaw.filter((x) => typeof x === "string") : [];
+	if (entryPoint.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration with no EntryPoint.`);
+	const s3 = cfg["Code"] && typeof cfg["Code"] === "object" ? cfg["Code"]["S3"] : void 0;
+	const prefix = s3 && typeof s3 === "object" ? s3["Prefix"] : void 0;
+	if (typeof prefix !== "string" || prefix.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration whose Code.S3.Prefix is not a literal string. ${getEmbedConfig().cliName} invoke-agentcore runs a local from-source build of the fromCodeAsset bundle; downloading a pre-existing S3 bundle (fromS3) is not supported yet.`);
+	return {
+		runtime,
+		entryPoint,
+		codeAssetHash: prefix.replace(/^.*\//, "").replace(/\.zip$/, "")
+	};
 }
 /**
 * Resolve a `ContainerUri` value to a string. Handles a literal string,
@@ -8142,6 +8173,116 @@ function createLocalInvokeCommand(opts = {}) {
 	return invoke;
 }
 
+//#endregion
+//#region src/local/agentcore-code-build.ts
+/**
+* Local from-source build for an AgentCore Runtime `CodeConfiguration`
+* (managed-runtime) artifact.
+*
+* Unlike the container artifact (which ships its own Dockerfile/image), a code
+* artifact is just source + an `EntryPoint` + a `Runtime`; AWS's managed
+* runtime runs the entrypoint, which self-serves the AgentCore HTTP contract
+* (`POST /invocations` + `GET /ping` on 8080) — typically via the
+* `bedrock-agentcore` SDK. We replicate that locally: generate a Dockerfile
+* for the runtime's base image, install the bundle's dependencies, and run the
+* entrypoint. The resulting container speaks the same 8080 contract, so the
+* existing HTTP client drives it unchanged.
+*/
+/** AgentCore CodeConfiguration `Runtime` enum → local Docker base image. */
+const RUNTIME_BASE_IMAGES = {
+	PYTHON_3_10: "public.ecr.aws/docker/library/python:3.10-slim",
+	PYTHON_3_11: "public.ecr.aws/docker/library/python:3.11-slim",
+	PYTHON_3_12: "public.ecr.aws/docker/library/python:3.12-slim",
+	PYTHON_3_13: "public.ecr.aws/docker/library/python:3.13-slim",
+	PYTHON_3_14: "public.ecr.aws/docker/library/python:3.14-slim",
+	NODE_22: "public.ecr.aws/docker/library/node:22-slim"
+};
+/** Runtimes this CLI can build a from-source image for. */
+const SUPPORTED_CODE_RUNTIMES = Object.keys(RUNTIME_BASE_IMAGES);
+/**
+* Build (or, with `noBuild`, verify) a local image for a code artifact and
+* return its tag. The generated Dockerfile is written to a temp dir and built
+* with the source dir as the context, so the cdk.out asset is never mutated.
+*/
+async function buildAgentCoreCodeImage(options) {
+	const logger = getLogger();
+	const base = RUNTIME_BASE_IMAGES[options.runtime];
+	if (!base) throw new LocalInvokeBuildError(`AgentCore CodeConfiguration runtime '${options.runtime}' is not supported for local execution. Supported runtimes: ${SUPPORTED_CODE_RUNTIMES.join(", ")}.`);
+	const isNode = options.runtime.startsWith("NODE");
+	const dockerfile = renderCodeDockerfile(base, options.entryPoint, isNode);
+	const tag = computeCodeImageTag(options.sourceDir, options.runtime, options.entryPoint, dockerfile);
+	const platform = options.architecture === "x86_64" ? "linux/amd64" : "linux/arm64";
+	if (options.noBuild === true) {
+		logger.info(`Skipping docker build (--no-build). Verifying ${tag} is in local registry...`);
+		if (!await isImageInLocalCache(tag)) throw new LocalInvokeBuildError(`image '${tag}' not in local registry and --no-build is set; remove --no-build or run the build manually first.`);
+		return tag;
+	}
+	logger.info(`Building agent image from source (runtime=${options.runtime}, platform=${platform})...`);
+	logger.debug(`Local tag: ${tag}`);
+	const buildDir = await mkdtemp(join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-agentcore-code-`));
+	const dockerfilePath = join(buildDir, "Dockerfile");
+	try {
+		await writeFile(dockerfilePath, dockerfile, "utf-8");
+		await runDockerStreaming([
+			"build",
+			"--platform",
+			platform,
+			"--tag",
+			tag,
+			"--file",
+			dockerfilePath,
+			options.sourceDir
+		]);
+	} catch (err) {
+		const stderr = err.stderr?.trim();
+		throw new LocalInvokeBuildError(`docker build failed for AgentCore code artifact (${options.sourceDir})${stderr ? `: ${stderr}` : ""}`);
+	} finally {
+		await rm(buildDir, {
+			recursive: true,
+			force: true
+		}).catch(() => void 0);
+	}
+	return tag;
+}
+/**
+* Render the generated Dockerfile. Dependencies are installed conditionally
+* (a bundle may vendor them or ship none), and the EntryPoint is mapped to a
+* CMD: a bare script (`app.py` / `server.js`) is run by the interpreter, while
+* an explicit launcher (e.g. `opentelemetry-instrument`) is run verbatim.
+*/
+function renderCodeDockerfile(base, entryPoint, isNode) {
+	const installStep = isNode ? "RUN if [ -f package.json ]; then npm install --omit=dev; fi" : "RUN if [ -f requirements.txt ]; then pip install --no-cache-dir -r requirements.txt; elif [ -f pyproject.toml ]; then pip install --no-cache-dir .; fi";
+	return [
+		`FROM ${base}`,
+		"WORKDIR /app",
+		"COPY . /app",
+		installStep,
+		"EXPOSE 8080",
+		`CMD ${JSON.stringify(toCmdArgv(entryPoint, isNode))}`
+	].join("\n") + "\n";
+}
+/**
+* Map the EntryPoint argv to a Docker CMD argv. The managed runtime execs the
+* entrypoint as the program; a bare script file is run by the language
+* interpreter (`python` / `node`), while a non-script first token (a launcher
+* already on PATH, e.g. `opentelemetry-instrument`) is run verbatim.
+*/
+function toCmdArgv(entryPoint, isNode) {
+	const first = entryPoint[0] ?? "";
+	if (!(isNode ? /\.[cm]?js$/.test(first) : /\.py$/.test(first))) return entryPoint;
+	return [isNode ? "node" : "python", ...entryPoint];
+}
+/** Deterministic local tag, stable for identical source + runtime + entrypoint. */
+function computeCodeImageTag(sourceDir, runtime, entryPoint, dockerfile) {
+	const hash = createHash("sha256").update([
+		sourceDir,
+		runtime,
+		entryPoint.join(" "),
+		dockerfile
+	].join("\0")).digest("hex").slice(0, 16);
+	return `${getEmbedConfig().resourceNamePrefix}-agentcore-code-${hash}`;
+}
+
 //#endregion
 //#region src/local/agentcore-client.ts
 /**
@@ -17461,9 +17602,10 @@ function createLocalStartApiCommand(opts = {}) {
 * locally and invoke it once over the AgentCore HTTP contract. Resolves
 * the `AWS::BedrockAgentCore::Runtime`, pulls / builds its container,
 * starts it on port 8080, waits for `GET /ping`, POSTs the event to
-* `POST /invocations`, prints the response, and tears down. v1 covers the
-* container artifact + HTTP protocol; the agent's calls to real AWS go to
-* real AWS (credentials injected like `cdkl invoke`).
+* `POST /invocations`, prints the response, and tears down. Covers the
+* container artifact and the CodeConfiguration managed-runtime artifact
+* (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent's
+* calls to real AWS go to real AWS (credentials injected like `cdkl invoke`).
 */
 async function localInvokeAgentCoreCommand(target, options, extraStateProviders) {
 	const logger = getLogger();
@@ -17606,36 +17748,74 @@ async function resolveInboundAuthorization(resolved, options) {
 	return header;
 }
 /**
-* Acquire the agent container image. Mirrors the container-Lambda path:
-* build from a local cdk.out asset when the URI matches one, else pull
-* from ECR, else pull a plain registry image.
+* Acquire the agent image. A CODE artifact (managed runtime) is built from
+* source (generated Dockerfile over the bundle's cdk.out asset). A CONTAINER
+* artifact mirrors the container-Lambda path: build from a local cdk.out asset
+* when the URI matches one, else pull from ECR, else pull a plain registry image.
 */
 async function resolveAgentCoreImage(resolved, options) {
 	const logger = getLogger();
 	const architecture = platformToArchitecture(options.platform);
+	if (resolved.codeArtifact) return resolveAgentCoreCodeImage(resolved, resolved.codeArtifact, options, architecture);
+	const containerUri = resolved.containerUri;
+	if (containerUri === void 0) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' has neither a container image nor a code artifact to run.`, "LOCAL_INVOKE_AGENTCORE_NO_ARTIFACT");
 	const manifestPath = resolved.stack.assetManifestPath;
 	if (manifestPath) {
 		const cdkOutDir = dirname(manifestPath);
 		const manifest = await new AssetManifestLoader().loadManifest(cdkOutDir, resolved.stack.stackName);
 		if (manifest) {
-			const entry = getDockerImageBySourceHash(manifest, resolved.containerUri);
+			const entry = getDockerImageBySourceHash(manifest, containerUri);
 			if (entry) return buildContainerImage(entry.asset, cdkOutDir, {
 				architecture,
 				noBuild: options.build === false
 			});
 		}
 	}
-	if (parseEcrUri(resolved.containerUri)) {
-		logger.info(`Pulling agent image from ECR: ${resolved.containerUri}`);
-		return pullEcrImage(resolved.containerUri, {
+	if (parseEcrUri(containerUri)) {
+		logger.info(`Pulling agent image from ECR: ${containerUri}`);
+		return pullEcrImage(containerUri, {
 			skipPull: options.pull === false,
 			...options.region !== void 0 && { region: options.region },
 			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn },
 			...options.profile !== void 0 && { profile: options.profile }
 		});
 	}
-	await pullImage(resolved.containerUri, options.pull === false);
-	return resolved.containerUri;
+	await pullImage(containerUri, options.pull === false);
+	return containerUri;
+}
+/**
+* Build a local image from a `CodeConfiguration` (managed-runtime) bundle:
+* locate the fromCodeAsset source dir in cdk.out via its asset hash, then run
+* the from-source build (generated Dockerfile → install deps → run EntryPoint).
+* A bundle with no local asset (fromS3) hard-errors — not supported yet.
+*/
+async function resolveAgentCoreCodeImage(resolved, code, options, architecture) {
+	const manifestPath = resolved.stack.assetManifestPath;
+	if (!manifestPath) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' uses a code artifact, but its stack has no asset manifest in cdk.out to read the bundle source from.`, "LOCAL_INVOKE_AGENTCORE_CODE_NO_MANIFEST");
+	const cdkOutDir = dirname(manifestPath);
+	const loader = new AssetManifestLoader();
+	const manifest = await loader.loadManifest(cdkOutDir, resolved.stack.stackName);
+	const fileAssets = manifest ? loader.getFileAssets(manifest) : void 0;
+	const asset = fileAssets ? fileAssets.get(code.codeAssetHash) ?? findFileAssetByObjectKey(fileAssets, code.codeAssetHash) : void 0;
+	if (!asset) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle (asset ${code.codeAssetHash}) was not found in the cdk.out asset manifest. ${getEmbedConfig().cliName} invoke-agentcore runs a local from-source build of a fromCodeAsset bundle; a fromS3 bundle (a pre-existing S3 object) is not supported yet.`, "LOCAL_INVOKE_AGENTCORE_CODE_ASSET_NOT_FOUND");
+	const sourceDir = loader.getAssetSourcePath(cdkOutDir, asset);
+	if (!existsSync(sourceDir) || !statSync(sourceDir).isDirectory()) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle source '${sourceDir}' does not exist or is not a directory. Re-synthesize the app and retry.`, "LOCAL_INVOKE_AGENTCORE_CODE_SOURCE_MISSING");
+	return buildAgentCoreCodeImage({
+		sourceDir,
+		runtime: code.runtime,
+		entryPoint: code.entryPoint,
+		architecture,
+		noBuild: options.build === false
+	});
+}
+/**
+* Find the file asset whose destination objectKey is `<hash>.zip` (matching the
+* `Code.S3.Prefix`'s hash) when the source-hash-keyed lookup misses — covers a
+* synthesizer whose source hash differs from the destination objectKey.
+*/
+function findFileAssetByObjectKey(fileAssets, hash) {
+	const zip = `${hash}.zip`;
+	for (const asset of fileAssets.values()) if (Object.values(asset.destinations).some((d) => d.objectKey === zip || d.objectKey.endsWith(`/${zip}`))) return asset;
 }
 /**
 * Build the container env: resolved template env vars (+ `--env-vars`
@@ -17858,7 +18038,7 @@ function readEnvOverridesFile$2(filePath) {
 }
 function createLocalInvokeAgentCoreCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
+	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact and the CodeConfiguration managed-runtime artifact (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
 		await localInvokeAgentCoreCommand(target, options, opts.extraStateProviders);
 	}));
 	[
@@ -21592,5 +21772,5 @@ function createLocalListCommand(opts = {}) {
 }
 
 //#endregion
-export { createJwksCache as $, resolveAgentCoreTarget as $t, invokeTokenAuthorizer as A, LocalStateSourceError as At, VtlEvaluationError as B, resolveWatchConfig as Bt, resolveSelectionExpression as C, EcsTaskResolutionError as Ct, computeRequestIdentityHash as D, substituteEnvVarsFromStateAsync as Dt, buildMethodArn as E, substituteEnvVarsFromState as Et, buildRestV1Event as F, resolveCfnRegion as Ft, buildMgmtEndpointEnvUrl as G, parseSelectionExpressionPath as Gt, probeHostGatewaySupport as H, listTargets as Ht, evaluateResponseParameters as I, resolveCfnStackName as It, buildConnectEvent as J, resolveLambdaArnIntrinsic as Jt, handleConnectionsRequest as K, discoverRoutes as Kt, pickResponseTemplate as L, CfnLocalStateProvider as Lt, translateLambdaResponse as M, isCfnFlagPresent as Mt, applyAuthorizerOverlay as N, rejectExplicitCfnStackWithMultipleStacks as Nt, evaluateCachedLambdaPolicy as O, resolveEnvVars as Ot, buildHttpApiV2Event as P, resolveCfnFallbackRegion as Pt, buildJwksUrlFromIssuer as Q, AgentCoreResolutionError as Qt, selectIntegrationResponse as R, collectSsmParameterRefs as Rt, startApiServer as S, resolveRuntimeImage as St, defaultCredentialsLoader as T, substituteAgainstStateAsync as Tt, bufferToBody as U, discoverWebSocketApis as Ut, HOST_GATEWAY_MIN_VERSION as V, countTargets as Vt, ConnectionRegistry as W, discoverWebSocketApisOrThrow as Wt, buildMessageEvent as X, AGENTCORE_MCP_PROTOCOL as Xt, buildDisconnectEvent as Y, AGENTCORE_HTTP_PROTOCOL as Yt, buildCognitoJwksUrl as Z, AGENTCORE_RUNTIME_TYPE as Zt, availableApiIdentifiers as _, createLocalInvokeCommand as _t, buildCloudMapIndex as a, buildCorsConfigByApiId as at, groupRoutesByServer as b, resolveRuntimeCodeMountPath as bt, createLocalRunTaskCommand as c, matchPreflight as ct, createWatchPredicates as d, MCP_PROTOCOL_VERSION as dt, derivePseudoParametersFromRegion as en, verifyCognitoJwt as et, resolveApiTargetSubset as f, mcpInvokeOnce as ft, buildStageMap as g, waitForAgentCorePing as gt, attachStageContext as h, invokeAgentCore as ht, createLocalStartServiceCommand as i, applyCorsResponseHeaders as it, matchRoute as j, createLocalStateProvider as jt, invokeRequestAuthorizer as k, materializeLayerFromArn as kt, createLocalInvokeAgentCoreCommand as l, MCP_CONTAINER_PORT as lt, createFileWatcher as m, AGENTCORE_SESSION_ID_HEADER as mt, formatTargetListing as n, tryResolveImageFnJoin as nn, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, parseSseForJsonRpc as pt, parseConnectionsPath as q, pickRefLogicalId as qt, createLocalStartAlbCommand as r, LocalInvokeBuildError as rn, attachAuthorizers as rt, getContainerNetworkIp as s, isFunctionUrlOacFronted as st, createLocalListCommand as t, substituteImagePlaceholders as tn, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, MCP_PATH as ut, filterRoutesByApiIdentifier as v, architectureToPlatform as vt, resolveServiceIntegrationParameters as w, substituteAgainstState as wt, readMtlsMaterialsFromDisk as x, resolveRuntimeFileExtension as xt, filterRoutesByApiIdentifiers as y, buildContainerImage as yt, tryParseStatus as z, resolveSsmParameters as zt };
-//# sourceMappingURL=local-list-qObdm4O8.js.map
+export { createJwksCache as $, resolveLambdaArnIntrinsic as $t, invokeTokenAuthorizer as A, substituteAgainstStateAsync as At, VtlEvaluationError as B, resolveCfnRegion as Bt, resolveSelectionExpression as C, architectureToPlatform as Ct, computeRequestIdentityHash as D, resolveRuntimeImage as Dt, buildMethodArn as E, resolveRuntimeFileExtension as Et, buildRestV1Event as F, LocalStateSourceError as Ft, buildMgmtEndpointEnvUrl as G, resolveWatchConfig as Gt, probeHostGatewaySupport as H, CfnLocalStateProvider as Ht, evaluateResponseParameters as I, createLocalStateProvider as It, buildConnectEvent as J, discoverWebSocketApis as Jt, handleConnectionsRequest as K, countTargets as Kt, pickResponseTemplate as L, isCfnFlagPresent as Lt, translateLambdaResponse as M, substituteEnvVarsFromStateAsync as Mt, applyAuthorizerOverlay as N, resolveEnvVars as Nt, evaluateCachedLambdaPolicy as O, EcsTaskResolutionError as Ot, buildHttpApiV2Event as P, materializeLayerFromArn as Pt, buildJwksUrlFromIssuer as Q, pickRefLogicalId as Qt, selectIntegrationResponse as R, rejectExplicitCfnStackWithMultipleStacks as Rt, startApiServer as S, createLocalInvokeCommand as St, defaultCredentialsLoader as T, resolveRuntimeCodeMountPath as Tt, bufferToBody as U, collectSsmParameterRefs as Ut, HOST_GATEWAY_MIN_VERSION as V, resolveCfnStackName as Vt, ConnectionRegistry as W, resolveSsmParameters as Wt, buildMessageEvent as X, parseSelectionExpressionPath as Xt, buildDisconnectEvent as Y, discoverWebSocketApisOrThrow as Yt, buildCognitoJwksUrl as Z, discoverRoutes as Zt, availableApiIdentifiers as _, SUPPORTED_CODE_RUNTIMES as _t, buildCloudMapIndex as a, derivePseudoParametersFromRegion as an, buildCorsConfigByApiId as at, groupRoutesByServer as b, renderCodeDockerfile as bt, createLocalRunTaskCommand as c, LocalInvokeBuildError as cn, matchPreflight as ct, createWatchPredicates as d, MCP_PROTOCOL_VERSION as dt, AGENTCORE_HTTP_PROTOCOL as en, verifyCognitoJwt as et, resolveApiTargetSubset as f, mcpInvokeOnce as ft, buildStageMap as g, waitForAgentCorePing as gt, attachStageContext as h, invokeAgentCore as ht, createLocalStartServiceCommand as i, resolveAgentCoreTarget as in, applyCorsResponseHeaders as it, matchRoute as j, substituteEnvVarsFromState as jt, invokeRequestAuthorizer as k, substituteAgainstState as kt, createLocalInvokeAgentCoreCommand as l, MCP_CONTAINER_PORT as lt, createFileWatcher as m, AGENTCORE_SESSION_ID_HEADER as mt, formatTargetListing as n, AGENTCORE_RUNTIME_TYPE as nn, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, substituteImagePlaceholders as on, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, parseSseForJsonRpc as pt, parseConnectionsPath as q, listTargets as qt, createLocalStartAlbCommand as r, AgentCoreResolutionError as rn, attachAuthorizers as rt, getContainerNetworkIp as s, tryResolveImageFnJoin as sn, isFunctionUrlOacFronted as st, createLocalListCommand as t, AGENTCORE_MCP_PROTOCOL as tn, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, MCP_PATH as ut, filterRoutesByApiIdentifier as v, buildAgentCoreCodeImage as vt, resolveServiceIntegrationParameters as w, buildContainerImage as wt, readMtlsMaterialsFromDisk as x, toCmdArgv as xt, filterRoutesByApiIdentifiers as y, computeCodeImageTag as yt, tryParseStatus as z, resolveCfnFallbackRegion as zt };
+//# sourceMappingURL=local-list-bwZnI2pV.js.map