cdk-local 0.42.0 → 0.44.0

package/dist/{local-list-qObdm4O8.js → local-list-EweOsy3A.js}

@@ -1278,7 +1278,7 @@ function notFoundError$2(target, stack, resources) {
 function extractRuntimeProperties(stack, logicalId, resource, resources, imageContext) {
 	const props = resource.Properties ?? {};
 	const protocol = extractProtocol(props["ProtocolConfiguration"], logicalId, stack.stackName);
-	const containerUri = extractContainerUri(props["AgentRuntimeArtifact"], logicalId, stack.stackName, resources, stack.region, imageContext);
+	const artifact = extractArtifact(props["AgentRuntimeArtifact"], logicalId, stack.stackName, resources, stack.region, imageContext);
 	const environmentVariables = props["EnvironmentVariables"] && typeof props["EnvironmentVariables"] === "object" && !Array.isArray(props["EnvironmentVariables"]) ? props["EnvironmentVariables"] : {};
 	const roleArn = typeof props["RoleArn"] === "string" ? props["RoleArn"] : void 0;
 	const jwtAuthorizer = extractJwtAuthorizer(props["AuthorizerConfiguration"], logicalId);
@@ -1286,7 +1286,7 @@ function extractRuntimeProperties(stack, logicalId, resource, resources, imageCo
 		stack,
 		logicalId,
 		resource,
-		containerUri,
+		...artifact.kind === "container" ? { containerUri: artifact.containerUri } : { codeArtifact: artifact.codeArtifact },
 		environmentVariables,
 		protocol,
 		...roleArn !== void 0 && { roleArn },
@@ -1330,19 +1330,50 @@ function extractProtocol(value, logicalId, stackName) {
 	return value;
 }
 /**
-* Extract + resolve the container image URI from `AgentRuntimeArtifact`.
-* Rejects the `CodeConfiguration` artifact (S3 zip + managed runtime),
-* which has no Dockerfile and is deferred from v1.
+* Resolve `AgentRuntimeArtifact` to either a container image URI or a code
+* artifact (managed runtime). A `ContainerConfiguration` yields the resolved
+* `ContainerUri`; a `CodeConfiguration` yields its `Runtime` / `EntryPoint` +
+* the cdk.out asset hash the command uses to locate the bundle source.
 */
-function extractContainerUri(artifact, logicalId, stackName, resources, region, imageContext) {
+function extractArtifact(artifact, logicalId, stackName, resources, region, imageContext) {
 	if (!artifact || typeof artifact !== "object" || Array.isArray(artifact)) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has no AgentRuntimeArtifact.`);
 	const art = artifact;
-	if (art["CodeConfiguration"] && !art["ContainerConfiguration"]) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} uses a code artifact (CodeConfiguration). ${getEmbedConfig().cliName} invoke-agentcore v1 runs container artifacts only — running a managed-runtime code artifact locally needs a from-source build that is not yet supported. Build the agent as a container (e.g. AgentCoreRuntime fromAsset / a Dockerfile) to run it locally.`);
+	if (art["CodeConfiguration"] && !art["ContainerConfiguration"]) return {
+		kind: "code",
+		codeArtifact: extractCodeArtifact(art["CodeConfiguration"], logicalId, stackName)
+	};
 	const container = art["ContainerConfiguration"];
 	if (!container || typeof container !== "object" || Array.isArray(container)) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has no ContainerConfiguration in its AgentRuntimeArtifact.`);
 	const uri = resolveImageUri(container["ContainerUri"], resources, region, imageContext);
 	if (uri === void 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a ContainerConfiguration.ContainerUri that ${getEmbedConfig().cliName} invoke-agentcore cannot resolve. v1 resolves a literal image URI, an Fn::Sub asset URI (the fromAsset / Dockerfile path), and an imported-ECR Fn::Join. A same-stack AWS::ECR::Repository reference is not supported — build the agent as a fromAsset image, or pin a literal / imported ECR image URI.`);
-	return uri;
+	return {
+		kind: "container",
+		containerUri: uri
+	};
+}
+/**
+* Extract a `CodeConfiguration` (managed-runtime) artifact. Reads `Runtime`,
+* `EntryPoint`, and the cdk.out file-asset hash from `Code.S3.Prefix`
+* (`<hash>.zip`, the `fromCodeAsset` shape). A non-literal `Code.S3.Prefix`
+* (an intrinsic, or a `fromS3` object key the command can't map to a local
+* asset) hard-errors — downloading a pre-existing S3 bundle is not supported
+* locally yet.
+*/
+function extractCodeArtifact(codeConfig, logicalId, stackName) {
+	const cfg = codeConfig && typeof codeConfig === "object" && !Array.isArray(codeConfig) ? codeConfig : {};
+	const runtime = cfg["Runtime"];
+	if (typeof runtime !== "string" || runtime.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration with no string Runtime.`);
+	const entryPointRaw = cfg["EntryPoint"];
+	const entryPoint = Array.isArray(entryPointRaw) ? entryPointRaw.filter((x) => typeof x === "string") : [];
+	if (entryPoint.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration with no EntryPoint.`);
+	const s3 = cfg["Code"] && typeof cfg["Code"] === "object" ? cfg["Code"]["S3"] : void 0;
+	const prefix = s3 && typeof s3 === "object" ? s3["Prefix"] : void 0;
+	if (typeof prefix !== "string" || prefix.length === 0) throw new AgentCoreResolutionError(`AgentCore Runtime '${logicalId}' in ${stackName} has a CodeConfiguration whose Code.S3.Prefix is not a literal string. ${getEmbedConfig().cliName} invoke-agentcore runs a local from-source build of the fromCodeAsset bundle; downloading a pre-existing S3 bundle (fromS3) is not supported yet.`);
+	return {
+		runtime,
+		entryPoint,
+		codeAssetHash: prefix.replace(/^.*\//, "").replace(/\.zip$/, "")
+	};
 }
 /**
 * Resolve a `ContainerUri` value to a string. Handles a literal string,
@@ -8142,6 +8173,116 @@ function createLocalInvokeCommand(opts = {}) {
 	return invoke;
 }
 
+//#endregion
+//#region src/local/agentcore-code-build.ts
+/**
+* Local from-source build for an AgentCore Runtime `CodeConfiguration`
+* (managed-runtime) artifact.
+*
+* Unlike the container artifact (which ships its own Dockerfile/image), a code
+* artifact is just source + an `EntryPoint` + a `Runtime`; AWS's managed
+* runtime runs the entrypoint, which self-serves the AgentCore HTTP contract
+* (`POST /invocations` + `GET /ping` on 8080) — typically via the
+* `bedrock-agentcore` SDK. We replicate that locally: generate a Dockerfile
+* for the runtime's base image, install the bundle's dependencies, and run the
+* entrypoint. The resulting container speaks the same 8080 contract, so the
+* existing HTTP client drives it unchanged.
+*/
+/** AgentCore CodeConfiguration `Runtime` enum → local Docker base image. */
+const RUNTIME_BASE_IMAGES = {
+	PYTHON_3_10: "public.ecr.aws/docker/library/python:3.10-slim",
+	PYTHON_3_11: "public.ecr.aws/docker/library/python:3.11-slim",
+	PYTHON_3_12: "public.ecr.aws/docker/library/python:3.12-slim",
+	PYTHON_3_13: "public.ecr.aws/docker/library/python:3.13-slim",
+	PYTHON_3_14: "public.ecr.aws/docker/library/python:3.14-slim",
+	NODE_22: "public.ecr.aws/docker/library/node:22-slim"
+};
+/** Runtimes this CLI can build a from-source image for. */
+const SUPPORTED_CODE_RUNTIMES = Object.keys(RUNTIME_BASE_IMAGES);
+/**
+* Build (or, with `noBuild`, verify) a local image for a code artifact and
+* return its tag. The generated Dockerfile is written to a temp dir and built
+* with the source dir as the context, so the cdk.out asset is never mutated.
+*/
+async function buildAgentCoreCodeImage(options) {
+	const logger = getLogger();
+	const base = RUNTIME_BASE_IMAGES[options.runtime];
+	if (!base) throw new LocalInvokeBuildError(`AgentCore CodeConfiguration runtime '${options.runtime}' is not supported for local execution. Supported runtimes: ${SUPPORTED_CODE_RUNTIMES.join(", ")}.`);
+	const isNode = options.runtime.startsWith("NODE");
+	const dockerfile = renderCodeDockerfile(base, options.entryPoint, isNode);
+	const tag = computeCodeImageTag(options.sourceDir, options.runtime, options.entryPoint, dockerfile);
+	const platform = options.architecture === "x86_64" ? "linux/amd64" : "linux/arm64";
+	if (options.noBuild === true) {
+		logger.info(`Skipping docker build (--no-build). Verifying ${tag} is in local registry...`);
+		if (!await isImageInLocalCache(tag)) throw new LocalInvokeBuildError(`image '${tag}' not in local registry and --no-build is set; remove --no-build or run the build manually first.`);
+		return tag;
+	}
+	logger.info(`Building agent image from source (runtime=${options.runtime}, platform=${platform})...`);
+	logger.debug(`Local tag: ${tag}`);
+	const buildDir = await mkdtemp(join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-agentcore-code-`));
+	const dockerfilePath = join(buildDir, "Dockerfile");
+	try {
+		await writeFile(dockerfilePath, dockerfile, "utf-8");
+		await runDockerStreaming([
+			"build",
+			"--platform",
+			platform,
+			"--tag",
+			tag,
+			"--file",
+			dockerfilePath,
+			options.sourceDir
+		]);
+	} catch (err) {
+		const stderr = err.stderr?.trim();
+		throw new LocalInvokeBuildError(`docker build failed for AgentCore code artifact (${options.sourceDir})${stderr ? `: ${stderr}` : ""}`);
+	} finally {
+		await rm(buildDir, {
+			recursive: true,
+			force: true
+		}).catch(() => void 0);
+	}
+	return tag;
+}
+/**
+* Render the generated Dockerfile. Dependencies are installed conditionally
+* (a bundle may vendor them or ship none), and the EntryPoint is mapped to a
+* CMD: a bare script (`app.py` / `server.js`) is run by the interpreter, while
+* an explicit launcher (e.g. `opentelemetry-instrument`) is run verbatim.
+*/
+function renderCodeDockerfile(base, entryPoint, isNode) {
+	const installStep = isNode ? "RUN if [ -f package.json ]; then npm install --omit=dev; fi" : "RUN if [ -f requirements.txt ]; then pip install --no-cache-dir -r requirements.txt; elif [ -f pyproject.toml ]; then pip install --no-cache-dir .; fi";
+	return [
+		`FROM ${base}`,
+		"WORKDIR /app",
+		"COPY . /app",
+		installStep,
+		"EXPOSE 8080",
+		`CMD ${JSON.stringify(toCmdArgv(entryPoint, isNode))}`
+	].join("\n") + "\n";
+}
+/**
+* Map the EntryPoint argv to a Docker CMD argv. The managed runtime execs the
+* entrypoint as the program; a bare script file is run by the language
+* interpreter (`python` / `node`), while a non-script first token (a launcher
+* already on PATH, e.g. `opentelemetry-instrument`) is run verbatim.
+*/
+function toCmdArgv(entryPoint, isNode) {
+	const first = entryPoint[0] ?? "";
+	if (!(isNode ? /\.[cm]?js$/.test(first) : /\.py$/.test(first))) return entryPoint;
+	return [isNode ? "node" : "python", ...entryPoint];
+}
+/** Deterministic local tag, stable for identical source + runtime + entrypoint. */
+function computeCodeImageTag(sourceDir, runtime, entryPoint, dockerfile) {
+	const hash = createHash("sha256").update([
+		sourceDir,
+		runtime,
+		entryPoint.join(" "),
+		dockerfile
+	].join("\0")).digest("hex").slice(0, 16);
+	return `${getEmbedConfig().resourceNamePrefix}-agentcore-code-${hash}`;
+}
+
 //#endregion
 //#region src/local/agentcore-client.ts
 /**
@@ -17461,9 +17602,10 @@ function createLocalStartApiCommand(opts = {}) {
 * locally and invoke it once over the AgentCore HTTP contract. Resolves
 * the `AWS::BedrockAgentCore::Runtime`, pulls / builds its container,
 * starts it on port 8080, waits for `GET /ping`, POSTs the event to
-* `POST /invocations`, prints the response, and tears down. v1 covers the
-* container artifact + HTTP protocol; the agent's calls to real AWS go to
-* real AWS (credentials injected like `cdkl invoke`).
+* `POST /invocations`, prints the response, and tears down. Covers the
+* container artifact and the CodeConfiguration managed-runtime artifact
+* (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent's
+* calls to real AWS go to real AWS (credentials injected like `cdkl invoke`).
 */
 async function localInvokeAgentCoreCommand(target, options, extraStateProviders) {
 	const logger = getLogger();
@@ -17606,36 +17748,74 @@ async function resolveInboundAuthorization(resolved, options) {
 	return header;
 }
 /**
-* Acquire the agent container image. Mirrors the container-Lambda path:
-* build from a local cdk.out asset when the URI matches one, else pull
-* from ECR, else pull a plain registry image.
+* Acquire the agent image. A CODE artifact (managed runtime) is built from
+* source (generated Dockerfile over the bundle's cdk.out asset). A CONTAINER
+* artifact mirrors the container-Lambda path: build from a local cdk.out asset
+* when the URI matches one, else pull from ECR, else pull a plain registry image.
 */
 async function resolveAgentCoreImage(resolved, options) {
 	const logger = getLogger();
 	const architecture = platformToArchitecture(options.platform);
+	if (resolved.codeArtifact) return resolveAgentCoreCodeImage(resolved, resolved.codeArtifact, options, architecture);
+	const containerUri = resolved.containerUri;
+	if (containerUri === void 0) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' has neither a container image nor a code artifact to run.`, "LOCAL_INVOKE_AGENTCORE_NO_ARTIFACT");
 	const manifestPath = resolved.stack.assetManifestPath;
 	if (manifestPath) {
 		const cdkOutDir = dirname(manifestPath);
 		const manifest = await new AssetManifestLoader().loadManifest(cdkOutDir, resolved.stack.stackName);
 		if (manifest) {
-			const entry = getDockerImageBySourceHash(manifest, resolved.containerUri);
+			const entry = getDockerImageBySourceHash(manifest, containerUri);
 			if (entry) return buildContainerImage(entry.asset, cdkOutDir, {
 				architecture,
 				noBuild: options.build === false
 			});
 		}
 	}
-	if (parseEcrUri(resolved.containerUri)) {
-		logger.info(`Pulling agent image from ECR: ${resolved.containerUri}`);
-		return pullEcrImage(resolved.containerUri, {
+	if (parseEcrUri(containerUri)) {
+		logger.info(`Pulling agent image from ECR: ${containerUri}`);
+		return pullEcrImage(containerUri, {
 			skipPull: options.pull === false,
 			...options.region !== void 0 && { region: options.region },
 			...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn },
 			...options.profile !== void 0 && { profile: options.profile }
 		});
 	}
-	await pullImage(resolved.containerUri, options.pull === false);
-	return resolved.containerUri;
+	await pullImage(containerUri, options.pull === false);
+	return containerUri;
+}
+/**
+* Build a local image from a `CodeConfiguration` (managed-runtime) bundle:
+* locate the fromCodeAsset source dir in cdk.out via its asset hash, then run
+* the from-source build (generated Dockerfile → install deps → run EntryPoint).
+* A bundle with no local asset (fromS3) hard-errors — not supported yet.
+*/
+async function resolveAgentCoreCodeImage(resolved, code, options, architecture) {
+	const manifestPath = resolved.stack.assetManifestPath;
+	if (!manifestPath) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' uses a code artifact, but its stack has no asset manifest in cdk.out to read the bundle source from.`, "LOCAL_INVOKE_AGENTCORE_CODE_NO_MANIFEST");
+	const cdkOutDir = dirname(manifestPath);
+	const loader = new AssetManifestLoader();
+	const manifest = await loader.loadManifest(cdkOutDir, resolved.stack.stackName);
+	const fileAssets = manifest ? loader.getFileAssets(manifest) : void 0;
+	const asset = fileAssets ? fileAssets.get(code.codeAssetHash) ?? findFileAssetByObjectKey(fileAssets, code.codeAssetHash) : void 0;
+	if (!asset) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle (asset ${code.codeAssetHash}) was not found in the cdk.out asset manifest. ${getEmbedConfig().cliName} invoke-agentcore runs a local from-source build of a fromCodeAsset bundle; a fromS3 bundle (a pre-existing S3 object) is not supported yet.`, "LOCAL_INVOKE_AGENTCORE_CODE_ASSET_NOT_FOUND");
+	const sourceDir = loader.getAssetSourcePath(cdkOutDir, asset);
+	if (!existsSync(sourceDir) || !statSync(sourceDir).isDirectory()) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle source '${sourceDir}' does not exist or is not a directory. Re-synthesize the app and retry.`, "LOCAL_INVOKE_AGENTCORE_CODE_SOURCE_MISSING");
+	return buildAgentCoreCodeImage({
+		sourceDir,
+		runtime: code.runtime,
+		entryPoint: code.entryPoint,
+		architecture,
+		noBuild: options.build === false
+	});
+}
+/**
+* Find the file asset whose destination objectKey is `<hash>.zip` (matching the
+* `Code.S3.Prefix`'s hash) when the source-hash-keyed lookup misses — covers a
+* synthesizer whose source hash differs from the destination objectKey.
+*/
+function findFileAssetByObjectKey(fileAssets, hash) {
+	const zip = `${hash}.zip`;
+	for (const asset of fileAssets.values()) if (Object.values(asset.destinations).some((d) => d.objectKey === zip || d.objectKey.endsWith(`/${zip}`))) return asset;
 }
 /**
 * Build the container env: resolved template env vars (+ `--env-vars`
@@ -17858,7 +18038,7 @@ function readEnvOverridesFile$2(filePath) {
 }
 function createLocalInvokeAgentCoreCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
+	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact and the CodeConfiguration managed-runtime artifact (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
 		await localInvokeAgentCoreCommand(target, options, opts.extraStateProviders);
 	}));
 	[
@@ -20468,9 +20648,26 @@ async function startFrontDoorServer(opts) {
 }
 function handleProxyRequest(req, res, opts) {
 	return new Promise((resolve) => {
-		const pool = opts.selectPool(req.url ?? "/");
+		const url = req.url ?? "/";
+		const action = opts.route({
+			path: url,
+			...hostHeader(req)
+		});
+		if (!action) {
+			writeError(res, 404, `No listener rule matched '${url}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
+			resolve();
+			return;
+		}
+		if (action.kind === "redirect" || action.kind === "fixed-response") {
+			req.resume();
+			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort);
+			else writeFixedResponse(res, action);
+			resolve();
+			return;
+		}
+		const pool = pickWeightedPool(action.pools);
 		if (!pool) {
-			writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
+			writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
 			resolve();
 			return;
 		}
@@ -20523,6 +20720,77 @@ function handleProxyRequest(req, res, opts) {
 		req.pipe(proxyReq);
 	});
 }
+/** Extract the request `Host` header (string) for host-header rule matching. */
+function hostHeader(req) {
+	const raw = req.headers.host;
+	const host = Array.isArray(raw) ? raw[0] : raw;
+	return host ? { host } : {};
+}
+/**
+* Pick one pool from a weighted set: weighted random over the non-zero weights.
+* A single-entry set short-circuits to that pool. Returns `undefined` when
+* every weight is 0 (an ALB-valid but un-routable forward).
+*/
+function pickWeightedPool(pools) {
+	if (pools.length === 0) return void 0;
+	if (pools.length === 1) return pools[0].weight > 0 ? pools[0].pool : void 0;
+	const total = pools.reduce((sum, p) => sum + Math.max(0, p.weight), 0);
+	if (total <= 0) return void 0;
+	let roll = Math.random() * total;
+	for (const p of pools) {
+		const w = Math.max(0, p.weight);
+		if (w === 0) continue;
+		roll -= w;
+		if (roll < 0) return p.pool;
+	}
+	for (let i = pools.length - 1; i >= 0; i--) if (Math.max(0, pools[i].weight) > 0) return pools[i].pool;
+}
+/**
+* Synthesize an ALB-style redirect (301 / 302). ALB builds the `Location` from
+* the action fields with `#{protocol}` / `#{host}` / `#{port}` / `#{path}` /
+* `#{query}` placeholders filled from the incoming request. We resolve those
+* placeholders against the request the front-door received.
+*/
+function writeRedirect(res, action, req, listenerPort) {
+	const location = buildRedirectLocation(action, req, listenerPort);
+	res.writeHead(action.statusCode, {
+		location,
+		"content-type": "text/plain; charset=utf-8",
+		"content-length": "0"
+	});
+	res.end();
+}
+/** Build the `Location` URL for a redirect action, resolving ALB `#{...}` placeholders. */
+function buildRedirectLocation(action, req, listenerPort) {
+	const url = req.url ?? "/";
+	const qIndex = url.indexOf("?");
+	const reqPath = qIndex === -1 ? url : url.slice(0, qIndex);
+	const reqQuery = qIndex === -1 ? "" : url.slice(qIndex + 1);
+	const rawHost = req.headers["host"];
+	const placeholders = {
+		protocol: "http",
+		host: ((Array.isArray(rawHost) ? rawHost[0] : rawHost) ?? "").split(":")[0] ?? "",
+		port: String(listenerPort),
+		path: reqPath.replace(/^\//, ""),
+		query: reqQuery
+	};
+	const fill = (template) => template.replace(/#\{(protocol|host|port|path|query)\}/g, (_m, key) => placeholders[key] ?? "");
+	const protocol = (action.protocol ? fill(action.protocol) : placeholders["protocol"]).toLowerCase();
+	const host = action.host ? fill(action.host) : placeholders["host"];
+	const port = action.port ? fill(action.port) : placeholders["port"];
+	const path = fill(action.path ?? "/#{path}");
+	const query = fill(action.query ?? "#{query}");
+	return `${protocol}://${protocol === "http" && port === "80" || protocol === "https" && port === "443" || port === "" ? host : `${host}:${port}`}${path.startsWith("/") ? path : `/${path}`}${query ? `?${query}` : ""}`;
+}
+/** Synthesize an ALB-style fixed-response. */
+function writeFixedResponse(res, action) {
+	const body = action.messageBody ?? "";
+	res.writeHead(action.statusCode, {
+		"content-type": action.contentType ?? "text/plain; charset=utf-8",
+		"content-length": String(Buffer.byteLength(body))
+	});
+	res.end(body);
+}
 /** Standard hop-by-hop headers (RFC 7230 §6.1) — a proxy must not forward these. */
 const HOP_BY_HOP_HEADERS = [
 	"connection",
@@ -20571,21 +20839,39 @@ function writeError(res, statusCode, message) {
 //#endregion
 //#region src/local/alb-path-matcher.ts
 /**
-* Return the target of the highest-priority rule whose `path-pattern` matches
-* `requestPath`, or `undefined` when none match (caller uses the default).
-* Rules are evaluated in ascending priority; the input order is irrelevant.
+* Return the target of the highest-priority rule whose conditions all match
+* `req`, or `undefined` when none match (caller uses the default). Rules are
+* evaluated in ascending priority; the input order is irrelevant.
+*
+* Accepts either a request facts object or a bare path string (the path-only
+* form keeps the original signature working for callers that have no Host).
 */
-function matchAlbPathRule(requestPath, rules) {
-	const path = pathOf(requestPath);
+function matchAlbPathRule(req, rules) {
+	const { path, host } = typeof req === "string" ? {
+		path: req,
+		host: void 0
+	} : req;
+	const requestPath = pathOf(path);
+	const requestHost = host !== void 0 ? hostOf(host) : void 0;
 	const ordered = [...rules].sort((a, b) => a.priority - b.priority);
-	for (const rule of ordered) if (rule.pathPatterns.some((pattern) => albPathPatternMatches(pattern, path))) return rule.target;
+	for (const rule of ordered) if (ruleMatches(rule, requestPath, requestHost)) return rule.target;
 }
 /**
-* Whether a single ALB `path-pattern` value matches a request path. The path
-* must already be query-stripped, or pass a raw URL and it is stripped here.
+* Whether a single rule's conditions all match. A `path-pattern` /
+* `host-header` condition is satisfied when ANY of its values match (OR); a
+* rule with both fields requires both to match (AND). An empty pattern list
+* for a field means "no constraint on that field" (the condition was absent).
 */
-function albPathPatternMatches(pattern, requestPath) {
-	return globToRegExp(pattern).test(pathOf(requestPath));
+function ruleMatches(rule, requestPath, requestHost) {
+	if (rule.pathPatterns.length > 0) {
+		if (!rule.pathPatterns.some((pattern) => globToRegExp(pattern, false).test(requestPath))) return false;
+	}
+	const hostPatterns = rule.hostPatterns ?? [];
+	if (hostPatterns.length > 0) {
+		if (requestHost === void 0) return false;
+		if (!hostPatterns.some((pattern) => globToRegExp(pattern, true).test(requestHost))) return false;
+	}
+	return true;
 }
 /** Strip the query string / fragment so only the URL path is matched. */
 function pathOf(url) {
@@ -20596,15 +20882,33 @@ function pathOf(url) {
 	if (h !== -1 && h < end) end = h;
 	return url.slice(0, end);
 }
+/**
+* Normalize a `Host` header for matching: drop any `:port` suffix and lower-case
+* it (DNS hostnames are case-insensitive). IPv6 literals (`[::1]:8080`) keep the
+* bracketed address and only the trailing port is removed.
+*/
+function hostOf(host) {
+	const trimmed = host.trim();
+	if (trimmed.startsWith("[")) {
+		const close = trimmed.indexOf("]");
+		if (close !== -1) return trimmed.slice(0, close + 1).toLowerCase();
+		return trimmed.toLowerCase();
+	}
+	const colon = trimmed.indexOf(":");
+	return (colon === -1 ? trimmed : trimmed.slice(0, colon)).toLowerCase();
+}
 const REGEXP_META = /[.+^${}()|[\]\\]/;
 /**
-* Translate an ALB path-pattern glob into an anchored, case-sensitive RegExp:
-* `*` -> `.*`, `?` -> `.`, every other character is escaped and matched
-* literally.
+* Translate an ALB `*` / `?` glob into an anchored RegExp: `*` -> `.*`,
+* `?` -> `.`, every other character is escaped and matched literally. Host
+* patterns match case-insensitively (the `i` flag) and the pattern is
+* lower-cased to pair with the lower-cased host; path patterns are
+* case-sensitive.
 */
-function globToRegExp(pattern) {
+function globToRegExp(pattern, caseInsensitive) {
+	const source = caseInsensitive ? pattern.toLowerCase() : pattern;
 	let body = "";
-	for (const ch of pattern) if (ch === "*") body += ".*";
+	for (const ch of source) if (ch === "*") body += ".*";
 	else if (ch === "?") body += ".";
 	else if (REGEXP_META.test(ch)) body += `\\${ch}`;
 	else body += ch;
@@ -20848,17 +21152,42 @@ async function buildFrontDoor(plan, containerHost, logger) {
 		}
 		return entry.pool;
 	};
+	const toRouteAction = (action) => {
+		if (action.kind === "forward") return {
+			kind: "forward",
+			pools: action.targets.map((t) => ({
+				pool: poolFor(t),
+				weight: t.weight
+			}))
+		};
+		if (action.kind === "redirect") return {
+			kind: "redirect",
+			statusCode: action.statusCode,
+			...action.protocol !== void 0 && { protocol: action.protocol },
+			...action.host !== void 0 && { host: action.host },
+			...action.port !== void 0 && { port: action.port },
+			...action.path !== void 0 && { path: action.path },
+			...action.query !== void 0 && { query: action.query }
+		};
+		return {
+			kind: "fixed-response",
+			statusCode: action.statusCode,
+			...action.contentType !== void 0 && { contentType: action.contentType },
+			...action.messageBody !== void 0 && { messageBody: action.messageBody }
+		};
+	};
 	try {
 		for (const listener of plan.listeners) {
-			const defaultPool = listener.defaultTarget ? poolFor(listener.defaultTarget) : void 0;
+			const defaultRoute = listener.defaultAction ? toRouteAction(listener.defaultAction) : void 0;
 			const ruleRoutes = listener.rules.map((r) => ({
 				priority: r.priority,
 				pathPatterns: r.pathPatterns,
-				target: poolFor(r.target)
+				hostPatterns: r.hostPatterns,
+				target: toRouteAction(r.action)
 			}));
-			const selectPool = (requestPath) => matchAlbPathRule(requestPath, ruleRoutes) ?? defaultPool;
+			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
 			const server = await startFrontDoorServer({
-				selectPool,
+				route,
 				port: listener.hostPort,
 				host: containerHost,
 				listenerPort: listener.listenerPort,
@@ -20866,9 +21195,9 @@ async function buildFrontDoor(plan, containerHost, logger) {
 			});
 			servers.push(server);
 			logger.info(`ALB front-door: http://${server.host}:${server.port} (listener port ${listener.listenerPort})`);
-			if (listener.defaultTarget) logger.info(`  default -> ${describeTarget(listener.defaultTarget)} (round-robin)`);
-			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  path ${r.pathPatterns.join(", ")} (priority ${r.priority}) -> ${describeTarget(r.target)}`);
-			if (!listener.defaultTarget) logger.info("  (no default action: unmatched paths return 404)");
+			if (listener.defaultAction) logger.info(`  default -> ${describeAction(listener.defaultAction)}`);
+			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  ${describeConditions(r)} (priority ${r.priority}) -> ${describeAction(r.action)}`);
+			if (!listener.defaultAction) logger.info("  (no default action: unmatched requests return 404)");
 		}
 	} catch (err) {
 		await Promise.allSettled(servers.map((s) => s.close()));
@@ -20889,8 +21218,22 @@ async function buildFrontDoor(plan, containerHost, logger) {
 		frontDoorByService
 	};
 }
-function describeTarget(t) {
-	return `${t.serviceTarget} (container ${t.targetContainerName}:${t.targetContainerPort})`;
+/** Human-readable summary of a planned rule's path / host conditions (for the boot banner). */
+function describeConditions(rule) {
+	const parts = [];
+	if (rule.pathPatterns.length > 0) parts.push(`path ${rule.pathPatterns.join(", ")}`);
+	if (rule.hostPatterns.length > 0) parts.push(`host ${rule.hostPatterns.join(", ")}`);
+	return parts.join(" AND ") || "(no condition)";
+}
+/** Human-readable summary of a planned action (for the boot banner). */
+function describeAction(action) {
+	if (action.kind === "redirect") return `redirect ${action.statusCode}`;
+	if (action.kind === "fixed-response") return `fixed-response ${action.statusCode}`;
+	if (action.targets.length === 1) {
+		const t = action.targets[0];
+		return `${t.serviceTarget} (container ${t.targetContainerName}:${t.targetContainerPort}) (round-robin)`;
+	}
+	return `weighted forward [${action.targets.map((t) => `${t.serviceTarget}@${t.weight}`).join(", ")}]`;
 }
 async function resolvePlaceholderAccount(arn, region) {
 	if (!arn.includes("${AWS::AccountId}")) return arn;
@@ -21095,33 +21438,41 @@ function createLocalStartServiceCommand(opts = {}) {
 * cdk-local discovers the services behind it (mirroring how `start-api` names
 * the API and discovers the backing Lambdas).
 *
-* The synthesized linkage (confirmed against real `cdk synth` of
-* `ApplicationLoadBalancedFargateService` + an `addAction` path rule):
+* The synthesized linkage (confirmed against real `cdk synth` of an
+* `ApplicationLoadBalancer` + `addAction` rules):
 *
 * ```
 * ElasticLoadBalancingV2::LoadBalancer  (the ALB you name)
 * ElasticLoadBalancingV2::Listener      : { LoadBalancerArn:{Ref:<ALB>}, Port, Protocol,
-*     DefaultActions:[{ Type:"forward", TargetGroupArn:{Ref:<TG>} }] }
+*     DefaultActions:[ <action> ] }
 * ElasticLoadBalancingV2::ListenerRule  : { ListenerArn:{Ref:<Listener>}, Priority,
-*     Conditions:[{ Field:"path-pattern", PathPatternConfig:{ Values:["/api/*"] } }],
-*     Actions:[{ Type:"forward", TargetGroupArn:{Ref:<TG>} }] }
+*     Conditions:[{ Field:"path-pattern", PathPatternConfig:{ Values:["/api/*"] } },
+*                 { Field:"host-header",  HostHeaderConfig:{ Values:["api.example.com"] } }],
+*     Actions:[ <action> ] }
 * ElasticLoadBalancingV2::TargetGroup   : { Port, Protocol, TargetType:"ip" }
 * ECS::Service.LoadBalancers[]          -> { ContainerName, ContainerPort, TargetGroupArn:{Ref:<TG>} }
 * ```
 *
+* Each `<action>` is one of:
+*   - `forward` — `{ Type:"forward", TargetGroupArn:{Ref} }` (single target) OR
+*     `{ Type:"forward", ForwardConfig:{ TargetGroups:[{ TargetGroupArn:{Ref}, Weight }] } }`
+*     (one or more weighted targets);
+*   - `redirect` — `{ Type:"redirect", RedirectConfig:{ Protocol/Host/Port/Path/Query/StatusCode } }`;
+*   - `fixed-response` — `{ Type:"fixed-response", FixedResponseConfig:{ StatusCode/ContentType/MessageBody } }`.
+*
 * Resolution walks ALB -> listeners (by `LoadBalancerArn` Ref) -> their default
-* `forward` action AND any `path-pattern` ListenerRules -> the ECS Service whose
+* action AND any ListenerRules -> for each `forward`, the ECS Service whose
 * `LoadBalancers[]` references each target group (a reverse scan; there is no
 * direct TG -> service pointer). Output is a per-listener routing table: a
-* default forward target (when the default action is a resolvable forward) plus
-* the ordered path-pattern rules.
+* default action plus the ordered rules, each carrying its resolved action and
+* its path / host conditions.
 *
-* Scope: HTTP listeners, `path-pattern` conditions, single-target `forward`
-* actions to ECS services. Skipped with a warning: HTTPS/TLS listeners,
-* `TargetType:"lambda"` target groups, weighted (multi-target) forwards, rules
-* with non-`path-pattern` conditions (host-header / http-header / query-string
-* / etc.), and `redirect` / `fixed-response` / `authenticate-*` actions. Those
-* remaining listener-rule features are tracked in #123.
+* Scope: HTTP listeners; `path-pattern` + `host-header` conditions; `forward`
+* (single or weighted) to ECS services; `redirect` / `fixed-response` actions.
+* Skipped with a warning: HTTPS/TLS listeners, `TargetType:"lambda"` target
+* groups, the other condition fields (http-header / http-request-method /
+* query-string / source-ip), and `authenticate-cognito` / `authenticate-oidc`
+* actions. Those remaining listener-rule features are tracked in #123.
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
@@ -21151,31 +21502,32 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP listeners only (TLS termination is deferred). Skipping it.`);
 			continue;
 		}
-		const defaultTarget = resolveForwardTarget(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
+		const defaultAction = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
 		const rules = [];
 		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
 			const priority = parsePriority(ruleProps["Priority"]);
 			const ruleLabel = `Listener rule '${ruleLogicalId}' (priority ${priority})`;
-			const { patterns, unsupported } = parseRulePathPatterns(ruleProps["Conditions"]);
+			const { pathPatterns, hostPatterns, unsupported } = parseRuleConditions(ruleProps["Conditions"]);
 			if (unsupported.length > 0) {
-				warnings.push(`${ruleLabel} uses unsupported condition(s): ${unsupported.join(", ")}. The local ALB front-door supports path-pattern conditions only (host-header / http-header / query-string / http-request-method / source-ip deferred). Skipping it.`);
+				warnings.push(`${ruleLabel} uses unsupported condition(s): ${unsupported.join(", ")}. The local ALB front-door supports path-pattern and host-header conditions only (http-header / query-string / http-request-method / source-ip deferred). Skipping it.`);
 				continue;
 			}
-			if (patterns.length === 0) continue;
-			const target = resolveForwardTarget(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
-			if (!target) continue;
+			if (pathPatterns.length === 0 && hostPatterns.length === 0) continue;
+			const action = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
+			if (!action) continue;
 			rules.push({
 				priority,
-				pathPatterns: patterns,
-				target
+				pathPatterns,
+				hostPatterns,
+				action
 			});
 		}
-		if (!defaultTarget && rules.length === 0) continue;
+		if (!defaultAction && rules.length === 0) continue;
 		listeners.push({
 			listenerPort: port,
 			listenerProtocol: "HTTP",
 			listenerLogicalId,
-			...defaultTarget ? { defaultTarget } : {},
+			...defaultAction ? { defaultAction } : {},
 			rules
 		});
 	}
@@ -21191,41 +21543,102 @@ function isApplicationLoadBalancer(resource) {
 	return type === void 0 || type === "application";
 }
 /**
-* Resolve a listener / rule `Actions` (or `DefaultActions`) array to a single
-* ECS-service forward target, or `undefined` when it is not a resolvable
-* single forward (warning emitted for the cases worth surfacing).
+* Resolve a listener / rule `Actions` (or `DefaultActions`) array to the single
+* action the local front-door serves, or `undefined` when it is not resolvable
+* (a warning is emitted for the cases worth surfacing). ALB allows exactly one
+* non-authenticate terminal action per action set, optionally preceded by
+* authenticate-* actions (which the local front-door does not enforce — they
+* are skipped with a warning and the terminal action is honored).
 */
-function resolveForwardTarget(actions, resources, tgToService, stackName, label, warnings) {
-	const tgRefs = collectForwardTargetGroupRefs(actions);
-	if (tgRefs.size === 0) {
-		if (hasUnresolvableForward(actions)) warnings.push(`${label} forwards to a non-Ref TargetGroupArn (literal / cross-stack / imported); the local front-door only supports in-stack target groups. Skipping it.`);
-		return;
-	}
-	if (tgRefs.size > 1) {
-		warnings.push(`${label} is a weighted forward (multiple target groups); the local front-door supports a single target group per action (weighted routing deferred). Skipping it.`);
-		return;
+function resolveAction(actions, resources, tgToService, stackName, label, warnings) {
+	if (!Array.isArray(actions)) return void 0;
+	let sawAuthenticate = false;
+	for (const action of actions) {
+		if (!action || typeof action !== "object") continue;
+		const a = action;
+		const type = a["Type"];
+		if (type === "authenticate-cognito" || type === "authenticate-oidc") {
+			sawAuthenticate = true;
+			continue;
+		}
+		if (type === "forward") return resolveForwardAction(a, resources, tgToService, stackName, label, warnings);
+		if (type === "redirect") {
+			const redirect = resolveRedirectAction(a, label, warnings);
+			if (redirect) return redirect;
+			continue;
+		}
+		if (type === "fixed-response") return resolveFixedResponseAction(a);
+		if (typeof type === "string") warnings.push(`${label} uses an unsupported action type '${type}'. The local ALB front-door supports forward / redirect / fixed-response actions only. Skipping it.`);
 	}
-	const tgRef = [...tgRefs][0];
-	const tg = resources[tgRef];
-	if (!tg || tg.Type !== TARGET_GROUP_TYPE) {
-		warnings.push(`${label} forwards to target group '${tgRef}', but no ${TARGET_GROUP_TYPE} with that logical id exists in ${stackName}. Skipping it.`);
+	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action. The local ALB front-door does not enforce authenticate-cognito / authenticate-oidc; skipping it.`);
+}
+/** Resolve a `forward` action into one or more weighted ECS-service targets. */
+function resolveForwardAction(action, resources, tgToService, stackName, label, warnings) {
+	const refs = collectForwardTargetGroupRefs(action);
+	if (refs.length === 0) {
+		if (hasUnresolvableForward(action)) warnings.push(`${label} forwards to a non-Ref TargetGroupArn (literal / cross-stack / imported); the local front-door only supports in-stack target groups. Skipping it.`);
 		return;
 	}
-	if (tg.Properties?.["TargetType"] === "lambda") {
-		warnings.push(`${label} forwards to a Lambda target group '${tgRef}' (TargetType: lambda). The local ALB front-door supports ECS targets only; Lambda targets are deferred. Skipping it.`);
-		return;
+	const targets = [];
+	for (const { tgRef, weight } of refs) {
+		const tg = resources[tgRef];
+		if (!tg || tg.Type !== TARGET_GROUP_TYPE) {
+			warnings.push(`${label} forwards to target group '${tgRef}', but no ${TARGET_GROUP_TYPE} with that logical id exists in ${stackName}. Skipping that target group.`);
+			continue;
+		}
+		if (tg.Properties?.["TargetType"] === "lambda") {
+			warnings.push(`${label} forwards to a Lambda target group '${tgRef}' (TargetType: lambda). The local ALB front-door supports ECS targets only; Lambda targets are deferred. Skipping that target group.`);
+			continue;
+		}
+		const backing = tgToService.get(tgRef);
+		if (!backing) {
+			warnings.push(`${label} forwards to target group '${tgRef}', which is not referenced by any ${SERVICE_TYPE}.LoadBalancers[] in ${stackName}; cdk-local has no ECS service to front behind it. Skipping that target group.`);
+			continue;
+		}
+		targets.push({
+			serviceLogicalId: backing.serviceLogicalId,
+			targetContainerName: backing.containerName,
+			targetContainerPort: backing.containerPort,
+			targetGroupLogicalId: tgRef,
+			weight
+		});
 	}
-	const backing = tgToService.get(tgRef);
-	if (!backing) {
-		warnings.push(`${label} forwards to target group '${tgRef}', which is not referenced by any ${SERVICE_TYPE}.LoadBalancers[] in ${stackName}; cdk-local has no ECS service to front behind it. Skipping it.`);
+	if (targets.length === 0) return void 0;
+	return {
+		kind: "forward",
+		targets
+	};
+}
+/** Resolve a `redirect` action into its `Location`-template fields + status code. */
+function resolveRedirectAction(action, label, warnings) {
+	const cfg = action["RedirectConfig"];
+	if (!cfg || typeof cfg !== "object") {
+		warnings.push(`${label} is a redirect with no RedirectConfig; skipping it.`);
 		return;
 	}
-	return {
-		serviceLogicalId: backing.serviceLogicalId,
-		targetContainerName: backing.containerName,
-		targetContainerPort: backing.containerPort,
-		targetGroupLogicalId: tgRef
+	const c = cfg;
+	const out = {
+		kind: "redirect",
+		statusCode: parseRedirectStatusCode(c["StatusCode"])
+	};
+	if (typeof c["Protocol"] === "string") out.protocol = c["Protocol"];
+	if (typeof c["Host"] === "string") out.host = c["Host"];
+	if (typeof c["Port"] === "string") out.port = c["Port"];
+	if (typeof c["Path"] === "string") out.path = c["Path"];
+	if (typeof c["Query"] === "string") out.query = c["Query"];
+	return out;
+}
+/** Resolve a `fixed-response` action into its status / content-type / body. */
+function resolveFixedResponseAction(action) {
+	const cfg = action["FixedResponseConfig"];
+	const c = cfg && typeof cfg === "object" ? cfg : {};
+	const out = {
+		kind: "fixed-response",
+		statusCode: parseFixedResponseStatusCode(c["StatusCode"])
 	};
+	if (typeof c["ContentType"] === "string") out.contentType = c["ContentType"];
+	if (typeof c["MessageBody"] === "string") out.messageBody = c["MessageBody"];
+	return out;
 }
 /**
 * Build a `targetGroupLogicalId -> backing ECS service` index by scanning every
@@ -21272,78 +21685,81 @@ function indexRulesByListener(resources) {
 	return index;
 }
 /**
-* Parse a ListenerRule's `Conditions` into its `path-pattern` values plus the
-* field names of any non-`path-pattern` conditions (which make the rule
-* unsupported in this version). A rule is only usable when every condition is a
-* `path-pattern` — ALB ANDs conditions together, and we cannot honor the others
-* locally yet.
+* Parse a ListenerRule's `Conditions` into its supported `path-pattern` and
+* `host-header` values plus the field names of any unsupported conditions
+* (which make the rule unsupported). ALB ANDs conditions of different fields,
+* so a rule with an unsupported field cannot be honored locally. Multiple
+* conditions of the same field merge their values (each field OR-matches).
 */
-function parseRulePathPatterns(conditions) {
-	const patterns = [];
+function parseRuleConditions(conditions) {
+	const pathPatterns = [];
+	const hostPatterns = [];
 	const unsupported = [];
 	if (!Array.isArray(conditions)) return {
-		patterns,
+		pathPatterns,
+		hostPatterns,
 		unsupported
 	};
 	for (const cond of conditions) {
 		if (!cond || typeof cond !== "object") continue;
 		const c = cond;
 		const field = typeof c["Field"] === "string" ? c["Field"] : "(unknown)";
-		if (field !== "path-pattern") {
-			unsupported.push(field);
-			continue;
-		}
-		const cfg = c["PathPatternConfig"];
-		const values = cfg && typeof cfg === "object" && Array.isArray(cfg["Values"]) ? cfg["Values"] : Array.isArray(c["Values"]) ? c["Values"] : [];
-		for (const v of values) if (typeof v === "string") patterns.push(v);
+		if (field === "path-pattern") pathPatterns.push(...conditionValues(c, "PathPatternConfig"));
+		else if (field === "host-header") hostPatterns.push(...conditionValues(c, "HostHeaderConfig"));
+		else unsupported.push(field);
 	}
 	return {
-		patterns,
+		pathPatterns,
+		hostPatterns,
 		unsupported
 	};
 }
-function collectForwardTargetGroupRefs(actions) {
-	const refs = /* @__PURE__ */ new Set();
-	if (!Array.isArray(actions)) return refs;
-	for (const action of actions) {
-		if (!action || typeof action !== "object") continue;
-		const a = action;
-		if (a["Type"] !== "forward") continue;
-		const direct = refOf(a["TargetGroupArn"]);
-		if (direct) refs.add(direct);
-		const forwardConfig = a["ForwardConfig"];
-		if (forwardConfig && typeof forwardConfig === "object") {
-			const groups = forwardConfig["TargetGroups"];
-			if (Array.isArray(groups)) for (const g of groups) {
-				if (!g || typeof g !== "object") continue;
-				const ref = refOf(g["TargetGroupArn"]);
-				if (ref) refs.add(ref);
-			}
+/**
+* Extract a condition's string values from either the typed `<Field>Config`
+* sub-object's `Values` or the legacy top-level `Values` array.
+*/
+function conditionValues(cond, configKey) {
+	const cfg = cond[configKey];
+	return (cfg && typeof cfg === "object" && Array.isArray(cfg["Values"]) ? cfg["Values"] : Array.isArray(cond["Values"]) ? cond["Values"] : []).filter((v) => typeof v === "string");
+}
+/** Collect a forward action's `(targetGroupRef, weight)` pairs (single + ForwardConfig forms). */
+function collectForwardTargetGroupRefs(action) {
+	const out = [];
+	const direct = refOf(action["TargetGroupArn"]);
+	if (direct) out.push({
+		tgRef: direct,
+		weight: 1
+	});
+	const forwardConfig = action["ForwardConfig"];
+	if (forwardConfig && typeof forwardConfig === "object") {
+		const groups = forwardConfig["TargetGroups"];
+		if (Array.isArray(groups)) for (const g of groups) {
+			if (!g || typeof g !== "object") continue;
+			const gObj = g;
+			const ref = refOf(gObj["TargetGroupArn"]);
+			if (ref) out.push({
+				tgRef: ref,
+				weight: parseWeight(gObj["Weight"])
+			});
 		}
 	}
-	return refs;
+	return out;
 }
 /**
-* True when `actions` has at least one `forward` action that references a target
-* group via a NON-`Ref` arn (literal / `Fn::GetAtt` / cross-stack) — i.e. a
-* forward we could not resolve to an in-stack target group. Used to warn rather
-* than silently skip such a listener / rule.
+* True when `action` is a `forward` that references a target group via a
+* NON-`Ref` arn (literal / `Fn::GetAtt` / cross-stack) — i.e. a forward we
+* could not resolve to an in-stack target group. Used to warn rather than
+* silently skip.
 */
-function hasUnresolvableForward(actions) {
-	if (!Array.isArray(actions)) return false;
-	for (const action of actions) {
-		if (!action || typeof action !== "object") continue;
-		const a = action;
-		if (a["Type"] !== "forward") continue;
-		if (a["TargetGroupArn"] !== void 0 && refOf(a["TargetGroupArn"]) === void 0) return true;
-		const forwardConfig = a["ForwardConfig"];
-		if (forwardConfig && typeof forwardConfig === "object") {
-			const groups = forwardConfig["TargetGroups"];
-			if (Array.isArray(groups)) for (const g of groups) {
-				if (!g || typeof g !== "object") continue;
-				const arn = g["TargetGroupArn"];
-				if (arn !== void 0 && refOf(arn) === void 0) return true;
-			}
+function hasUnresolvableForward(action) {
+	if (action["TargetGroupArn"] !== void 0 && refOf(action["TargetGroupArn"]) === void 0) return true;
+	const forwardConfig = action["ForwardConfig"];
+	if (forwardConfig && typeof forwardConfig === "object") {
+		const groups = forwardConfig["TargetGroups"];
+		if (Array.isArray(groups)) for (const g of groups) {
+			if (!g || typeof g !== "object") continue;
+			const arn = g["TargetGroupArn"];
+			if (arn !== void 0 && refOf(arn) === void 0) return true;
 		}
 	}
 	return false;
@@ -21365,6 +21781,27 @@ function parseContainerPort(raw) {
 	return parsePort(raw);
 }
 /**
+* Parse a `ForwardConfig.TargetGroups[].Weight`. ALB weights are 0-999; a
+* missing weight defaults to 1 (CDK's `weightedForward` always emits one, but
+* a hand-rolled template may omit it). Negative / non-numeric clamps to 0.
+*/
+function parseWeight(raw) {
+	if (typeof raw === "number" && Number.isFinite(raw)) return raw < 0 ? 0 : raw;
+	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
+	return 1;
+}
+/** ALB emits redirect status as `HTTP_301` / `HTTP_302`; default to 302 when absent / unknown. */
+function parseRedirectStatusCode(raw) {
+	if (raw === "HTTP_301" || raw === "301" || raw === 301) return 301;
+	return 302;
+}
+/** Parse a `FixedResponseConfig.StatusCode` (a numeric string); default 200 when absent. */
+function parseFixedResponseStatusCode(raw) {
+	if (typeof raw === "number" && Number.isInteger(raw)) return raw;
+	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
+	return 200;
+}
+/**
 * Parse a ListenerRule `Priority` (ALB priorities are 1-50000, lower = higher
 * precedence). A missing / unparseable priority sorts last so an explicitly
 * prioritized rule always wins over it.
@@ -21463,13 +21900,34 @@ function albStrategy(options) {
 				const { stack, albLogicalId } = resolveAlbTarget(albTarget, stacks);
 				const resolution = resolveAlbFrontDoor(stack, albLogicalId);
 				warnings.push(...resolution.warnings);
-				const qualify = (t) => {
-					const serviceTarget = `${stack.stackName}:${t.serviceLogicalId}`;
-					serviceTargets.add(serviceTarget);
+				const qualify = (action) => {
+					if (action.kind === "forward") return {
+						kind: "forward",
+						targets: action.targets.map((t) => {
+							const serviceTarget = `${stack.stackName}:${t.serviceLogicalId}`;
+							serviceTargets.add(serviceTarget);
+							return {
+								serviceTarget,
+								targetContainerName: t.targetContainerName,
+								targetContainerPort: t.targetContainerPort,
+								weight: t.weight
+							};
+						})
+					};
+					if (action.kind === "redirect") return {
+						kind: "redirect",
+						statusCode: action.statusCode,
+						...action.protocol !== void 0 && { protocol: action.protocol },
+						...action.host !== void 0 && { host: action.host },
+						...action.port !== void 0 && { port: action.port },
+						...action.path !== void 0 && { path: action.path },
+						...action.query !== void 0 && { query: action.query }
+					};
 					return {
-						serviceTarget,
-						targetContainerName: t.targetContainerName,
-						targetContainerPort: t.targetContainerPort
+						kind: "fixed-response",
+						statusCode: action.statusCode,
+						...action.contentType !== void 0 && { contentType: action.contentType },
+						...action.messageBody !== void 0 && { messageBody: action.messageBody }
 					};
 				};
 				for (const listener of resolution.listeners) {
@@ -21483,11 +21941,12 @@ function albStrategy(options) {
 					listeners.push({
 						listenerPort: listener.listenerPort,
 						hostPort,
-						...listener.defaultTarget ? { defaultTarget: qualify(listener.defaultTarget) } : {},
+						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
 						rules: listener.rules.map((r) => ({
 							priority: r.priority,
 							pathPatterns: r.pathPatterns,
-							target: qualify(r.target)
+							hostPatterns: r.hostPatterns,
+							action: qualify(r.action)
 						}))
 					});
 				}
@@ -21516,7 +21975,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and path-routes its path-pattern rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners, single-target forward actions, and path-pattern rules; HTTPS listeners, Lambda target groups, weighted forwards, other rule conditions, and redirect/fixed-response actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners; path-pattern and host-header rule conditions; forward (single and weighted), redirect, and fixed-response actions. HTTPS listeners, Lambda target groups, the other rule conditions (http-header / query-string / source-ip / http-request-method), and authenticate-* actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -21592,5 +22051,5 @@ function createLocalListCommand(opts = {}) {
 }
 
 //#endregion
-export { createJwksCache as $, resolveAgentCoreTarget as $t, invokeTokenAuthorizer as A, LocalStateSourceError as At, VtlEvaluationError as B, resolveWatchConfig as Bt, resolveSelectionExpression as C, EcsTaskResolutionError as Ct, computeRequestIdentityHash as D, substituteEnvVarsFromStateAsync as Dt, buildMethodArn as E, substituteEnvVarsFromState as Et, buildRestV1Event as F, resolveCfnRegion as Ft, buildMgmtEndpointEnvUrl as G, parseSelectionExpressionPath as Gt, probeHostGatewaySupport as H, listTargets as Ht, evaluateResponseParameters as I, resolveCfnStackName as It, buildConnectEvent as J, resolveLambdaArnIntrinsic as Jt, handleConnectionsRequest as K, discoverRoutes as Kt, pickResponseTemplate as L, CfnLocalStateProvider as Lt, translateLambdaResponse as M, isCfnFlagPresent as Mt, applyAuthorizerOverlay as N, rejectExplicitCfnStackWithMultipleStacks as Nt, evaluateCachedLambdaPolicy as O, resolveEnvVars as Ot, buildHttpApiV2Event as P, resolveCfnFallbackRegion as Pt, buildJwksUrlFromIssuer as Q, AgentCoreResolutionError as Qt, selectIntegrationResponse as R, collectSsmParameterRefs as Rt, startApiServer as S, resolveRuntimeImage as St, defaultCredentialsLoader as T, substituteAgainstStateAsync as Tt, bufferToBody as U, discoverWebSocketApis as Ut, HOST_GATEWAY_MIN_VERSION as V, countTargets as Vt, ConnectionRegistry as W, discoverWebSocketApisOrThrow as Wt, buildMessageEvent as X, AGENTCORE_MCP_PROTOCOL as Xt, buildDisconnectEvent as Y, AGENTCORE_HTTP_PROTOCOL as Yt, buildCognitoJwksUrl as Z, AGENTCORE_RUNTIME_TYPE as Zt, availableApiIdentifiers as _, createLocalInvokeCommand as _t, buildCloudMapIndex as a, buildCorsConfigByApiId as at, groupRoutesByServer as b, resolveRuntimeCodeMountPath as bt, createLocalRunTaskCommand as c, matchPreflight as ct, createWatchPredicates as d, MCP_PROTOCOL_VERSION as dt, derivePseudoParametersFromRegion as en, verifyCognitoJwt as et, resolveApiTargetSubset as f, mcpInvokeOnce as ft, buildStageMap as g, waitForAgentCorePing as gt, attachStageContext as h, invokeAgentCore as ht, createLocalStartServiceCommand as i, applyCorsResponseHeaders as it, matchRoute as j, createLocalStateProvider as jt, invokeRequestAuthorizer as k, materializeLayerFromArn as kt, createLocalInvokeAgentCoreCommand as l, MCP_CONTAINER_PORT as lt, createFileWatcher as m, AGENTCORE_SESSION_ID_HEADER as mt, formatTargetListing as n, tryResolveImageFnJoin as nn, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, parseSseForJsonRpc as pt, parseConnectionsPath as q, pickRefLogicalId as qt, createLocalStartAlbCommand as r, LocalInvokeBuildError as rn, attachAuthorizers as rt, getContainerNetworkIp as s, isFunctionUrlOacFronted as st, createLocalListCommand as t, substituteImagePlaceholders as tn, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, MCP_PATH as ut, filterRoutesByApiIdentifier as v, architectureToPlatform as vt, resolveServiceIntegrationParameters as w, substituteAgainstState as wt, readMtlsMaterialsFromDisk as x, resolveRuntimeFileExtension as xt, filterRoutesByApiIdentifiers as y, buildContainerImage as yt, tryParseStatus as z, resolveSsmParameters as zt };
-//# sourceMappingURL=local-list-qObdm4O8.js.map
+export { createJwksCache as $, resolveLambdaArnIntrinsic as $t, invokeTokenAuthorizer as A, substituteAgainstStateAsync as At, VtlEvaluationError as B, resolveCfnRegion as Bt, resolveSelectionExpression as C, architectureToPlatform as Ct, computeRequestIdentityHash as D, resolveRuntimeImage as Dt, buildMethodArn as E, resolveRuntimeFileExtension as Et, buildRestV1Event as F, LocalStateSourceError as Ft, buildMgmtEndpointEnvUrl as G, resolveWatchConfig as Gt, probeHostGatewaySupport as H, CfnLocalStateProvider as Ht, evaluateResponseParameters as I, createLocalStateProvider as It, buildConnectEvent as J, discoverWebSocketApis as Jt, handleConnectionsRequest as K, countTargets as Kt, pickResponseTemplate as L, isCfnFlagPresent as Lt, translateLambdaResponse as M, substituteEnvVarsFromStateAsync as Mt, applyAuthorizerOverlay as N, resolveEnvVars as Nt, evaluateCachedLambdaPolicy as O, EcsTaskResolutionError as Ot, buildHttpApiV2Event as P, materializeLayerFromArn as Pt, buildJwksUrlFromIssuer as Q, pickRefLogicalId as Qt, selectIntegrationResponse as R, rejectExplicitCfnStackWithMultipleStacks as Rt, startApiServer as S, createLocalInvokeCommand as St, defaultCredentialsLoader as T, resolveRuntimeCodeMountPath as Tt, bufferToBody as U, collectSsmParameterRefs as Ut, HOST_GATEWAY_MIN_VERSION as V, resolveCfnStackName as Vt, ConnectionRegistry as W, resolveSsmParameters as Wt, buildMessageEvent as X, parseSelectionExpressionPath as Xt, buildDisconnectEvent as Y, discoverWebSocketApisOrThrow as Yt, buildCognitoJwksUrl as Z, discoverRoutes as Zt, availableApiIdentifiers as _, SUPPORTED_CODE_RUNTIMES as _t, buildCloudMapIndex as a, derivePseudoParametersFromRegion as an, buildCorsConfigByApiId as at, groupRoutesByServer as b, renderCodeDockerfile as bt, createLocalRunTaskCommand as c, LocalInvokeBuildError as cn, matchPreflight as ct, createWatchPredicates as d, MCP_PROTOCOL_VERSION as dt, AGENTCORE_HTTP_PROTOCOL as en, verifyCognitoJwt as et, resolveApiTargetSubset as f, mcpInvokeOnce as ft, buildStageMap as g, waitForAgentCorePing as gt, attachStageContext as h, invokeAgentCore as ht, createLocalStartServiceCommand as i, resolveAgentCoreTarget as in, applyCorsResponseHeaders as it, matchRoute as j, substituteEnvVarsFromState as jt, invokeRequestAuthorizer as k, substituteAgainstState as kt, createLocalInvokeAgentCoreCommand as l, MCP_CONTAINER_PORT as lt, createFileWatcher as m, AGENTCORE_SESSION_ID_HEADER as mt, formatTargetListing as n, AGENTCORE_RUNTIME_TYPE as nn, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, substituteImagePlaceholders as on, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, parseSseForJsonRpc as pt, parseConnectionsPath as q, listTargets as qt, createLocalStartAlbCommand as r, AgentCoreResolutionError as rn, attachAuthorizers as rt, getContainerNetworkIp as s, tryResolveImageFnJoin as sn, isFunctionUrlOacFronted as st, createLocalListCommand as t, AGENTCORE_MCP_PROTOCOL as tn, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, MCP_PATH as ut, filterRoutesByApiIdentifier as v, buildAgentCoreCodeImage as vt, resolveServiceIntegrationParameters as w, buildContainerImage as wt, readMtlsMaterialsFromDisk as x, toCmdArgv as xt, filterRoutesByApiIdentifiers as y, computeCodeImageTag as yt, tryParseStatus as z, resolveCfnFallbackRegion as zt };
+//# sourceMappingURL=local-list-EweOsy3A.js.map