npm - cdk-local - Versions diffs - 0.43.0 → 0.45.0 - Mend

cdk-local 0.43.0 → 0.45.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +3 -3
package/dist/cli.js +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/dist/{local-list-bwZnI2pV.js → local-list-jk2HzwoN.js} +1067 -176
package/dist/local-list-jk2HzwoN.js.map +1 -0
package/package.json +1 -1
package/dist/local-list-bwZnI2pV.js.map +0 -1

package/dist/{local-list-bwZnI2pV.js → local-list-jk2HzwoN.js} RENAMED Viewed

@@ -7794,7 +7794,7 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 			}
 		}
 		if (!assumeSucceeded) {
-			forwardAwsEnv$2(dockerEnv);
+			forwardAwsEnv$3(dockerEnv);
 			applyProfileCredentialsOverlay(dockerEnv, profileCredentials, false);
 			if (profileCredsFile) {
 				dockerEnv["AWS_SHARED_CREDENTIALS_FILE"] = profileCredsFile.containerPath;
@@ -7849,14 +7849,14 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 	}
 }
 async function resolveImagePlan(lambda, options) {
-	if (lambda.kind === "zip") return resolveZipImagePlan(lambda, options);
-	return resolveContainerImagePlan(lambda, options);
+	if (lambda.kind === "zip") return resolveZipImagePlan$1(lambda, options);
+	return resolveContainerImagePlan$1(lambda, options);
 }
-async function resolveZipImagePlan(lambda, options) {
+async function resolveZipImagePlan$1(lambda, options) {
 	let inlineTmpDir;
 	let codeDir = lambda.codePath;
 	if (codeDir === null) {
-		inlineTmpDir = materializeInlineCode$1(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime));
+		inlineTmpDir = materializeInlineCode$2(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime));
 		codeDir = inlineTmpDir;
 	}
 	const image = resolveRuntimeImage(lambda.runtime);
@@ -7933,7 +7933,7 @@ function materializeLambdaLayers$1(layers) {
 		tmpDir
 	};
 }
-async function resolveContainerImagePlan(lambda, options) {
+async function resolveContainerImagePlan$1(lambda, options) {
 	const logger = getLogger();
 	const platform = architectureToPlatform(lambda.architecture);
 	const localBuild = await resolveLocalBuildPlan$1(lambda);
@@ -8083,7 +8083,7 @@ async function assumeLambdaExecutionRole$1(roleArn, region) {
 		sts.destroy();
 	}
 }
-function forwardAwsEnv$2(env) {
+function forwardAwsEnv$3(env) {
 	for (const key of [
 		"AWS_ACCESS_KEY_ID",
 		"AWS_SECRET_ACCESS_KEY",
@@ -8123,7 +8123,7 @@ function applyProfileCredentialsOverlay(env, profileCreds, assumeRoleActive) {
 	if (profileCreds.sessionToken) env["AWS_SESSION_TOKEN"] = profileCreds.sessionToken;
 	else delete env["AWS_SESSION_TOKEN"];
 }
-function materializeInlineCode$1(handler, source, fileExtension) {
+function materializeInlineCode$2(handler, source, fileExtension) {
 	const lastDot = handler.lastIndexOf(".");
 	if (lastDot <= 0) throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
 	const modulePath = handler.substring(0, lastDot);
@@ -12749,7 +12749,7 @@ const MOCK_API_ID = "local";
 *     UTF-8; otherwise base64. Mirrors what API Gateway emits.
 */
 function buildHttpApiV2Event(req, ctx, opts = {}) {
-	const { rawPath, rawQueryString } = splitRawUrl$1(req.rawUrl);
+	const { rawPath, rawQueryString } = splitRawUrl$2(req.rawUrl);
 	const { headers, cookies } = normalizeHeadersV2(req.headers);
 	const queryStringParameters = parseQueryStringV2(rawQueryString);
 	const userAgent = headers["user-agent"] ?? "";
@@ -12809,7 +12809,7 @@ function buildHttpApiV2Event(req, ctx, opts = {}) {
 *   - `pathParameters` may be `null` when there are none (matches AWS).
 */
 function buildRestV1Event(req, ctx, opts = {}) {
-	const { rawPath, rawQueryString } = splitRawUrl$1(req.rawUrl);
+	const { rawPath, rawQueryString } = splitRawUrl$2(req.rawUrl);
 	const { singular: headers, multi: multiValueHeaders } = normalizeHeadersV1(req.headers);
 	const { singular: queryStringParameters, multi: multiValueQueryStringParameters } = parseQueryStringV1(rawQueryString);
 	const contentType = headers["content-type"] ?? "";
@@ -12899,7 +12899,7 @@ function applyAuthorizerOverlay(event, overlay) {
 * `rawQueryString` (everything after, or `''`). Neither component is
 * decoded — that's the whole point of "raw" per the AWS spec.
 */
-function splitRawUrl$1(rawUrl) {
+function splitRawUrl$2(rawUrl) {
 	const q = rawUrl.indexOf("?");
 	if (q === -1) return {
 		rawPath: rawUrl,
@@ -13030,7 +13030,7 @@ function encodeBody(body, contentType) {
 		body: "",
 		isBase64Encoded: false
 	};
-	if (isTextualContentType(contentType)) return {
+	if (isTextualContentType$1(contentType)) return {
 		body: body.toString("utf-8"),
 		isBase64Encoded: false
 	};
@@ -13051,7 +13051,7 @@ const TEXT_PREFIXES = [
 * Whether the given `Content-Type` value indicates textual data (so the
 * event body should be UTF-8 instead of base64).
 */
-function isTextualContentType(contentType) {
+function isTextualContentType$1(contentType) {
 	if (!contentType) return false;
 	const lower = contentType.toLowerCase();
 	return TEXT_PREFIXES.some((p) => lower.startsWith(p));
@@ -13116,7 +13116,7 @@ function formatRequestTime(d) {
 *                  v2 separates them.
 */
 function translateLambdaResponse(payload, version) {
-	if (isErrorEnvelope(payload)) return errorEnvelopeResponse();
+	if (isErrorEnvelope$1(payload)) return errorEnvelopeResponse();
 	if (isShapedResponse(payload)) return translateShapedResponse(payload, version);
 	return autoFormatResponse(payload);
 }
@@ -13127,7 +13127,7 @@ function translateLambdaResponse(payload, version) {
 * matters because user code MAY return a Lambda Proxy response that
 * happens to have `errorMessage` as a payload field.
 */
-function isErrorEnvelope(payload) {
+function isErrorEnvelope$1(payload) {
 	if (!payload || typeof payload !== "object" || Array.isArray(payload)) return false;
 	const obj = payload;
 	if ("statusCode" in obj) return false;
@@ -13185,7 +13185,7 @@ function translateShapedResponse(payload, version) {
 	const headersIn = payload["headers"];
 	if (headersIn && typeof headersIn === "object" && !Array.isArray(headersIn)) for (const [name, value] of Object.entries(headersIn)) {
 		const lower = name.toLowerCase();
-		const stringValue = stringifyHeaderValue(value);
+		const stringValue = stringifyHeaderValue$1(value);
 		if (lower === "set-cookie") {
 			cookies.push(stringValue);
 			continue;
@@ -13197,7 +13197,7 @@ function translateShapedResponse(payload, version) {
 		if (mvh && typeof mvh === "object" && !Array.isArray(mvh)) for (const [name, values] of Object.entries(mvh)) {
 			if (!Array.isArray(values)) continue;
 			const lower = name.toLowerCase();
-			const stringified = values.map((v) => stringifyHeaderValue(v));
+			const stringified = values.map((v) => stringifyHeaderValue$1(v));
 			if (lower === "set-cookie") {
 				for (const c of stringified) cookies.push(c);
 				continue;
@@ -13242,7 +13242,7 @@ function autoFormatResponse(payload) {
 * comma-joined to match the same dup-coalesce rule used on the request
 * side.
 */
-function stringifyHeaderValue(value) {
+function stringifyHeaderValue$1(value) {
 	if (value === null || value === void 0) return "";
 	if (Array.isArray(value)) return value.map((v) => stringifyValue(v)).join(",");
 	return stringifyValue(value);
@@ -14040,7 +14040,7 @@ function parseAuthorizationHeader(value) {
 *   Signature  = HexEncode(HMAC(SigningKey, StringToSign))
 */
 function computeSignature(req, parsed, secretAccessKey, amzDate) {
-	const { path, query } = splitRawUrl(req.rawUrl);
+	const { path, query } = splitRawUrl$1(req.rawUrl);
 	const canonicalUri = canonicalizePath(path);
 	const canonicalQuery = canonicalizeQueryString(query);
 	const headerLines = [];
@@ -14081,7 +14081,7 @@ function sha256Hex(buf) {
 * Important: keep the path RAW for canonicalization — the canonicalizer
 * does its own URI-encoding so we do NOT decode here.
 */
-function splitRawUrl(rawUrl) {
+function splitRawUrl$1(rawUrl) {
 	const q = rawUrl.indexOf("?");
 	if (q < 0) return {
 		path: rawUrl,
@@ -16669,7 +16669,7 @@ async function buildContainerSpec(args) {
 	let imageRef;
 	let platform;
 	if (lambda.kind === "zip") {
-		codeDir = lambda.codePath ?? materializeInlineCode(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime), inlineTmpDirs);
+		codeDir = lambda.codePath ?? materializeInlineCode$1(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime), inlineTmpDirs);
 		optDir = await materializeLambdaLayers(lambda.layers, layerTmpDirs, layerRoleArn);
 	} else {
 		imageRef = (await resolveContainerImageForStartApi(lambda, skipPull, args.profile)).imageRef;
@@ -16729,7 +16729,7 @@ async function buildContainerSpec(args) {
 		dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
 		if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
 	} else {
-		forwardAwsEnv$1(dockerEnv);
+		forwardAwsEnv$2(dockerEnv);
 		if (profileCredentials) {
 			dockerEnv["AWS_ACCESS_KEY_ID"] = profileCredentials.accessKeyId;
 			dockerEnv["AWS_SECRET_ACCESS_KEY"] = profileCredentials.secretAccessKey;
@@ -17071,7 +17071,7 @@ function formatRestV1IntegrationLabel(integration) {
 * them. (`cdkl invoke` runs once and `--rm` is the right model;
 * `cdkl start-api` lives across requests, so leaks compound.)
 */
-function materializeInlineCode(handler, source, fileExtension, tmpDirsOut) {
+function materializeInlineCode$1(handler, source, fileExtension, tmpDirsOut) {
 	const lastDot = handler.lastIndexOf(".");
 	if (lastDot <= 0) throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
 	const modulePath = handler.substring(0, lastDot);
@@ -17113,7 +17113,7 @@ function readEnvOverridesFile$3(filePath) {
 * handler's AWS SDK calls can authenticate. Used when --assume-role is
 * NOT set for that Lambda — SAM-compatible default.
 */
-function forwardAwsEnv$1(env) {
+function forwardAwsEnv$2(env) {
 	for (const key of [
 		"AWS_ACCESS_KEY_ID",
 		"AWS_SECRET_ACCESS_KEY",
@@ -17893,7 +17893,7 @@ async function applyAgentCoreCredentialEnv(dockerEnv, args) {
 		}
 	}
 	if (!assumeSucceeded) {
-		forwardAwsEnv(dockerEnv);
+		forwardAwsEnv$1(dockerEnv);
 		applyProfileCredentialsOverlay(dockerEnv, args.profileCredentials, false);
 		if (args.profileCredsFile) {
 			dockerEnv["AWS_SHARED_CREDENTIALS_FILE"] = args.profileCredsFile.containerPath;
@@ -17962,7 +17962,7 @@ function emitMcpResult(result) {
 function platformToArchitecture(platform) {
 	return platform === "linux/amd64" ? "x86_64" : "arm64";
 }
-function forwardAwsEnv(env) {
+function forwardAwsEnv$1(env) {
 	for (const key of [
 		"AWS_ACCESS_KEY_ID",
 		"AWS_SECRET_ACCESS_KEY",
@@ -20606,6 +20606,203 @@ var FrontDoorEndpointPool = class {
 	}
 };
+//#endregion
+//#region src/local/alb-lambda-event.ts
+/** Content types ALB treats as text (body sent verbatim, `isBase64Encoded: false`). */
+function isTextualContentType(contentType) {
+	const ct = contentType.toLowerCase();
+	return ct.startsWith("text/") || ct.startsWith("application/json") || ct.startsWith("application/javascript") || ct.startsWith("application/xml");
+}
+/**
+* Build a `AlbHttpRequestSnapshot` from a live `node:http` request plus the
+* already-buffered body. Header values arrive as `string | string[]`; this
+* normalizes them to `string[]` (preserving multi-value) the builder expects.
+*/
+function snapshotFromIncoming(req, body) {
+	const headers = {};
+	for (const [name, value] of Object.entries(req.headers)) {
+		if (value === void 0) continue;
+		headers[name] = Array.isArray(value) ? value : [value];
+	}
+	return {
+		method: (req.method ?? "GET").toUpperCase(),
+		rawUrl: req.url ?? "/",
+		headers,
+		body
+	};
+}
+/** Split a raw URL into its path (query-stripped, not decoded) and raw query string. */
+function splitRawUrl(rawUrl) {
+	const hashIdx = rawUrl.indexOf("#");
+	const noHash = hashIdx === -1 ? rawUrl : rawUrl.slice(0, hashIdx);
+	const qIdx = noHash.indexOf("?");
+	if (qIdx === -1) return {
+		path: noHash,
+		rawQuery: ""
+	};
+	return {
+		path: noHash.slice(0, qIdx),
+		rawQuery: noHash.slice(qIdx + 1)
+	};
+}
+/**
+* Parse a raw query string into single + multi-value maps. ALB does NOT decode
+* query parameters (the docs explicitly say "If the query parameters are
+* URL-encoded, the load balancer does not decode them"), so values are kept
+* verbatim. A bare `?flag` key yields the empty string value.
+*/
+function parseQuery(rawQuery) {
+	const single = {};
+	const multi = {};
+	if (rawQuery.length === 0) return {
+		single,
+		multi
+	};
+	for (const pair of rawQuery.split("&")) {
+		if (pair.length === 0) continue;
+		const eq = pair.indexOf("=");
+		const key = eq === -1 ? pair : pair.slice(0, eq);
+		const value = eq === -1 ? "" : pair.slice(eq + 1);
+		single[key] = value;
+		(multi[key] ??= []).push(value);
+	}
+	return {
+		single,
+		multi
+	};
+}
+/**
+* Build the single + multi-value header maps. Names are lowercased; the single
+* map keeps the LAST value (ALB default-format), the multi map keeps every
+* value in arrival order.
+*/
+function buildHeaderMaps(headers) {
+	const single = {};
+	const multi = {};
+	for (const [name, values] of Object.entries(headers)) {
+		const lower = name.toLowerCase();
+		const list = values.slice();
+		multi[lower] = list;
+		if (list.length > 0) single[lower] = list[list.length - 1];
+	}
+	return {
+		single,
+		multi
+	};
+}
+/** Header lookup that tolerates the case-folded multi-value request map. */
+function firstHeader(headers, name) {
+	const lower = name.toLowerCase();
+	for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === lower) return v[0];
+}
+/**
+* Build the ALB Lambda-target invocation event from an HTTP request snapshot.
+* Emits exactly the single-value OR multi-value variant per
+* `opts.multiValueHeaders`.
+*/
+function buildAlbLambdaEvent(req, opts) {
+	const { path, rawQuery } = splitRawUrl(req.rawUrl);
+	const query = parseQuery(rawQuery);
+	const headerMaps = buildHeaderMaps(req.headers);
+	const contentEncoding = firstHeader(req.headers, "content-encoding");
+	const contentType = firstHeader(req.headers, "content-type") ?? "";
+	const isBase64Encoded = req.body.length > 0 && (contentEncoding !== void 0 ? true : !isTextualContentType(contentType));
+	const body = isBase64Encoded ? req.body.toString("base64") : req.body.toString("utf-8");
+	const event = {
+		requestContext: { elb: { targetGroupArn: opts.targetGroupArn } },
+		httpMethod: req.method,
+		path,
+		isBase64Encoded,
+		body
+	};
+	if (opts.multiValueHeaders) {
+		event["multiValueHeaders"] = headerMaps.multi;
+		event["multiValueQueryStringParameters"] = query.multi;
+	} else {
+		event["headers"] = headerMaps.single;
+		event["queryStringParameters"] = query.single;
+	}
+	return event;
+}
+/** A Lambda RIE error envelope (`{errorMessage, errorType, ...}`) with no statusCode. */
+function isErrorEnvelope(payload) {
+	if (!payload || typeof payload !== "object" || Array.isArray(payload)) return false;
+	const obj = payload;
+	if ("statusCode" in obj) return false;
+	return typeof obj["errorMessage"] === "string";
+}
+/**
+* The canonical 502 a real ALB returns when a Lambda target's response is
+* malformed (missing/invalid `statusCode`, non-object payload, or a runtime
+* error envelope). Plain-text body, mirroring ALB's own 502 page shape closely
+* enough for local dev.
+*/
+function badGatewayResponse() {
+	const body = Buffer.from("<html><body><h1>502 Bad Gateway</h1></body></html>", "utf-8");
+	return {
+		statusCode: 502,
+		statusDescription: "502 Bad Gateway",
+		headers: {
+			"content-type": ["text/html"],
+			"content-length": [String(body.length)]
+		},
+		body
+	};
+}
+function stringifyHeaderValue(value) {
+	if (value === null || value === void 0) return "";
+	if (typeof value === "string") return value;
+	if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") return String(value);
+	return JSON.stringify(value) ?? "";
+}
+/**
+* Translate a Lambda ALB-target response payload into HTTP components.
+*
+* A well-formed response is an object with a numeric `statusCode`. Headers come
+* from `headers` (single-value) and/or `multiValueHeaders` (array-valued); ALB
+* accepts either regardless of the request-side multi-value setting, so both
+* are honored here (multiValueHeaders extend / append to the single map).
+* `body` is optional; `isBase64Encoded: true` means the body is base64 and is
+* decoded to raw bytes.
+*
+* Anything else -> 502 (matching a real ALB), incl. a runtime error envelope.
+*/
+function translateAlbLambdaResponse(payload) {
+	if (isErrorEnvelope(payload)) return badGatewayResponse();
+	if (!payload || typeof payload !== "object" || Array.isArray(payload)) return badGatewayResponse();
+	const obj = payload;
+	const statusRaw = obj["statusCode"];
+	if (typeof statusRaw !== "number" || !Number.isFinite(statusRaw)) return badGatewayResponse();
+	const statusCode = Math.trunc(statusRaw);
+	const isBase64 = obj["isBase64Encoded"] === true;
+	const rawBody = obj["body"];
+	let body;
+	if (rawBody === void 0 || rawBody === null) body = Buffer.alloc(0);
+	else if (typeof rawBody === "string") body = isBase64 ? Buffer.from(rawBody, "base64") : Buffer.from(rawBody, "utf-8");
+	else body = Buffer.from(JSON.stringify(rawBody), "utf-8");
+	const headers = {};
+	const addHeader = (name, value) => {
+		const lower = name.toLowerCase();
+		(headers[lower] ??= []).push(value);
+	};
+	const singleHeaders = obj["headers"];
+	if (singleHeaders && typeof singleHeaders === "object" && !Array.isArray(singleHeaders)) for (const [name, value] of Object.entries(singleHeaders)) addHeader(name, stringifyHeaderValue(value));
+	const multiHeaders = obj["multiValueHeaders"];
+	if (multiHeaders && typeof multiHeaders === "object" && !Array.isArray(multiHeaders)) for (const [name, values] of Object.entries(multiHeaders)) {
+		if (!Array.isArray(values)) continue;
+		for (const v of values) addHeader(name, stringifyHeaderValue(v));
+	}
+	headers["content-length"] = [String(body.length)];
+	const result = {
+		statusCode,
+		headers,
+		body
+	};
+	const statusDescription = obj["statusDescription"];
+	if (typeof statusDescription === "string" && statusDescription.length > 0) result.statusDescription = statusDescription;
+	return result;
+}
 //#endregion
 //#region src/local/front-door-server.ts
 /** Default per-request upstream timeout — a hung replica yields a 504, not a hang. */
@@ -20646,14 +20843,56 @@ async function startFrontDoorServer(opts) {
 		}
 	};
 }
+/**
+* Resolve the dispatch target for a request path from whichever selector the
+* caller supplied. `selectTarget` (#123, ECS-or-Lambda) wins over the
+* pool-only `selectPool`; a `selectPool` hit is adapted to a `kind: 'pool'`
+* target so the request handler has a single code path.
+*/
+function resolveDispatchTarget(opts, requestPath) {
+	if (opts.selectTarget) return opts.selectTarget(requestPath);
+	if (opts.selectPool) {
+		const pool = opts.selectPool(requestPath);
+		return pool ? {
+			kind: "pool",
+			pool
+		} : void 0;
+	}
+}
 function handleProxyRequest(req, res, opts) {
+	const url = req.url ?? "/";
+	if (opts.route) {
+		const action = opts.route({
+			path: url,
+			...hostHeader(req)
+		});
+		if (!action) return reply404(req, res, opts);
+		if (action.kind === "redirect" || action.kind === "fixed-response") {
+			req.resume();
+			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort);
+			else writeFixedResponse(res, action);
+			return Promise.resolve();
+		}
+		const picked = pickWeightedTarget(action.pools);
+		if (!picked) {
+			writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
+			return Promise.resolve();
+		}
+		if ("lambda" in picked) return handleLambdaRequest(req, res, picked.lambda, opts);
+		return handlePoolRequest(req, res, picked.pool, opts);
+	}
+	const target = resolveDispatchTarget(opts, url);
+	if (!target) return reply404(req, res, opts);
+	if (target.kind === "lambda") return handleLambdaRequest(req, res, target.lambda, opts);
+	return handlePoolRequest(req, res, target.pool, opts);
+}
+/** Reply 404 — an ALB listener with no matching rule and no default action. */
+function reply404(req, res, opts) {
+	writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
+	return Promise.resolve();
+}
+function handlePoolRequest(req, res, pool, opts) {
 	return new Promise((resolve) => {
-		const pool = opts.selectPool(req.url ?? "/");
-		if (!pool) {
-			writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
-			resolve();
-			return;
-		}
 		const endpoint = pool.next();
 		if (!endpoint) {
 			writeError(res, 503, `No running replicas behind ${opts.label} for the matched target. The front-door has no healthy target to forward to.`);
@@ -20703,6 +20942,154 @@ function handleProxyRequest(req, res, opts) {
 		req.pipe(proxyReq);
 	});
 }
+/** Extract the request `Host` header (string) for host-header rule matching. */
+function hostHeader(req) {
+	const raw = req.headers.host;
+	const host = Array.isArray(raw) ? raw[0] : raw;
+	return host ? { host } : {};
+}
+/**
+* Pick one weighted target from a forward set: weighted random over the
+* non-zero weights. A single-entry set short-circuits to that entry. Returns
+* `undefined` when every weight is 0 (an ALB-valid but un-routable forward).
+* Used for forwards that may mix ECS pools and Lambda invokers.
+*/
+function pickWeightedTarget(targets) {
+	if (targets.length === 0) return void 0;
+	if (targets.length === 1) return targets[0].weight > 0 ? targets[0] : void 0;
+	const total = targets.reduce((sum, t) => sum + Math.max(0, t.weight), 0);
+	if (total <= 0) return void 0;
+	let roll = Math.random() * total;
+	for (const t of targets) {
+		const w = Math.max(0, t.weight);
+		if (w === 0) continue;
+		roll -= w;
+		if (roll < 0) return t;
+	}
+	for (let i = targets.length - 1; i >= 0; i--) if (Math.max(0, targets[i].weight) > 0) return targets[i];
+}
+/**
+* Synthesize an ALB-style redirect (301 / 302). ALB builds the `Location` from
+* the action fields with `#{protocol}` / `#{host}` / `#{port}` / `#{path}` /
+* `#{query}` placeholders filled from the incoming request. We resolve those
+* placeholders against the request the front-door received.
+*/
+function writeRedirect(res, action, req, listenerPort) {
+	const location = buildRedirectLocation(action, req, listenerPort);
+	res.writeHead(action.statusCode, {
+		location,
+		"content-type": "text/plain; charset=utf-8",
+		"content-length": "0"
+	});
+	res.end();
+}
+/** Build the `Location` URL for a redirect action, resolving ALB `#{...}` placeholders. */
+function buildRedirectLocation(action, req, listenerPort) {
+	const url = req.url ?? "/";
+	const qIndex = url.indexOf("?");
+	const reqPath = qIndex === -1 ? url : url.slice(0, qIndex);
+	const reqQuery = qIndex === -1 ? "" : url.slice(qIndex + 1);
+	const rawHost = req.headers["host"];
+	const placeholders = {
+		protocol: "http",
+		host: ((Array.isArray(rawHost) ? rawHost[0] : rawHost) ?? "").split(":")[0] ?? "",
+		port: String(listenerPort),
+		path: reqPath.replace(/^\//, ""),
+		query: reqQuery
+	};
+	const fill = (template) => template.replace(/#\{(protocol|host|port|path|query)\}/g, (_m, key) => placeholders[key] ?? "");
+	const protocol = (action.protocol ? fill(action.protocol) : placeholders["protocol"]).toLowerCase();
+	const host = action.host ? fill(action.host) : placeholders["host"];
+	const port = action.port ? fill(action.port) : placeholders["port"];
+	const path = fill(action.path ?? "/#{path}");
+	const query = fill(action.query ?? "#{query}");
+	return `${protocol}://${protocol === "http" && port === "80" || protocol === "https" && port === "443" || port === "" ? host : `${host}:${port}`}${path.startsWith("/") ? path : `/${path}`}${query ? `?${query}` : ""}`;
+}
+/** Synthesize an ALB-style fixed-response. */
+function writeFixedResponse(res, action) {
+	const body = action.messageBody ?? "";
+	res.writeHead(action.statusCode, {
+		"content-type": action.contentType ?? "text/plain; charset=utf-8",
+		"content-length": String(Buffer.byteLength(body))
+	});
+	res.end(body);
+}
+/** Maximum request body the ALB Lambda-target path buffers (ALB's own limit is 1 MB). */
+const ALB_LAMBDA_MAX_BODY_BYTES = 1024 * 1024;
+/**
+* Serve a request that resolved to a Lambda forward target (#123). Buffers the
+* request body (ALB caps the Lambda-target request body at 1 MB), translates
+* the request into the ALB Lambda-target event, invokes the function locally,
+* and writes the translated response. A malformed handler response or an
+* invoke failure surfaces as 502 — mirroring a real ALB.
+*/
+function handleLambdaRequest(req, res, lambda, opts) {
+	const logger = getLogger().child("front-door");
+	return new Promise((resolve) => {
+		let settled = false;
+		const done = () => {
+			if (settled) return;
+			settled = true;
+			resolve();
+		};
+		const chunks = [];
+		let total = 0;
+		let aborted = false;
+		req.on("data", (chunk) => {
+			if (aborted) return;
+			total += chunk.length;
+			if (total > ALB_LAMBDA_MAX_BODY_BYTES) {
+				aborted = true;
+				writeError(res, 413, `Request body exceeds the ${ALB_LAMBDA_MAX_BODY_BYTES}-byte Lambda-target limit on ${opts.label}.`);
+				req.destroy();
+				done();
+				return;
+			}
+			chunks.push(chunk);
+		});
+		req.on("error", () => {
+			if (!res.headersSent) writeError(res, 400, `Failed to read request body on ${opts.label}.`);
+			done();
+		});
+		req.on("end", () => {
+			if (aborted) return;
+			const serveLambda = async () => {
+				try {
+					const body = Buffer.concat(chunks);
+					const forwardHeaders = { ...req.headers };
+					stripHopByHopHeaders(forwardHeaders);
+					appendForwardedHeaders(forwardHeaders, req, opts.listenerPort);
+					const snapshot = snapshotFromIncoming(req, body);
+					for (const [name, value] of Object.entries(forwardHeaders)) {
+						if (value === void 0) continue;
+						snapshot.headers[name] = Array.isArray(value) ? value : [value];
+					}
+					const event = buildAlbLambdaEvent(snapshot, {
+						targetGroupArn: lambda.targetGroupArn,
+						multiValueHeaders: lambda.multiValueHeaders
+					});
+					const translated = translateAlbLambdaResponse(await lambda.invoke(event));
+					if (res.headersSent || res.writableEnded) {
+						done();
+						return;
+					}
+					const outHeaders = {};
+					for (const [name, values] of Object.entries(translated.headers)) outHeaders[name] = values.length === 1 ? values[0] : values;
+					if (translated.statusDescription) res.writeHead(translated.statusCode, translated.statusDescription, outHeaders);
+					else res.writeHead(translated.statusCode, outHeaders);
+					res.end(translated.body);
+					done();
+				} catch (err) {
+					logger.debug(`Lambda target '${lambda.label}' request failed: ${err instanceof Error ? err.message : String(err)}`);
+					if (!res.headersSent) writeError(res, 502, `Lambda target '${lambda.label}' behind ${opts.label} failed.`);
+					else if (!res.writableEnded) res.destroy();
+					done();
+				}
+			};
+			serveLambda();
+		});
+	});
+}
 /** Standard hop-by-hop headers (RFC 7230 §6.1) — a proxy must not forward these. */
 const HOP_BY_HOP_HEADERS = [
 	"connection",
@@ -20751,21 +21138,39 @@ function writeError(res, statusCode, message) {
 //#endregion
 //#region src/local/alb-path-matcher.ts
 /**
-* Return the target of the highest-priority rule whose `path-pattern` matches
-* `requestPath`, or `undefined` when none match (caller uses the default).
-* Rules are evaluated in ascending priority; the input order is irrelevant.
+* Return the target of the highest-priority rule whose conditions all match
+* `req`, or `undefined` when none match (caller uses the default). Rules are
+* evaluated in ascending priority; the input order is irrelevant.
+*
+* Accepts either a request facts object or a bare path string (the path-only
+* form keeps the original signature working for callers that have no Host).
 */
-function matchAlbPathRule(requestPath, rules) {
-	const path = pathOf(requestPath);
+function matchAlbPathRule(req, rules) {
+	const { path, host } = typeof req === "string" ? {
+		path: req,
+		host: void 0
+	} : req;
+	const requestPath = pathOf(path);
+	const requestHost = host !== void 0 ? hostOf(host) : void 0;
 	const ordered = [...rules].sort((a, b) => a.priority - b.priority);
-	for (const rule of ordered) if (rule.pathPatterns.some((pattern) => albPathPatternMatches(pattern, path))) return rule.target;
+	for (const rule of ordered) if (ruleMatches(rule, requestPath, requestHost)) return rule.target;
 }
 /**
-* Whether a single ALB `path-pattern` value matches a request path. The path
-* must already be query-stripped, or pass a raw URL and it is stripped here.
+* Whether a single rule's conditions all match. A `path-pattern` /
+* `host-header` condition is satisfied when ANY of its values match (OR); a
+* rule with both fields requires both to match (AND). An empty pattern list
+* for a field means "no constraint on that field" (the condition was absent).
 */
-function albPathPatternMatches(pattern, requestPath) {
-	return globToRegExp(pattern).test(pathOf(requestPath));
+function ruleMatches(rule, requestPath, requestHost) {
+	if (rule.pathPatterns.length > 0) {
+		if (!rule.pathPatterns.some((pattern) => globToRegExp(pattern, false).test(requestPath))) return false;
+	}
+	const hostPatterns = rule.hostPatterns ?? [];
+	if (hostPatterns.length > 0) {
+		if (requestHost === void 0) return false;
+		if (!hostPatterns.some((pattern) => globToRegExp(pattern, true).test(requestHost))) return false;
+	}
+	return true;
 }
 /** Strip the query string / fragment so only the URL path is matched. */
 function pathOf(url) {
@@ -20776,21 +21181,219 @@ function pathOf(url) {
 	if (h !== -1 && h < end) end = h;
 	return url.slice(0, end);
 }
+/**
+* Normalize a `Host` header for matching: drop any `:port` suffix and lower-case
+* it (DNS hostnames are case-insensitive). IPv6 literals (`[::1]:8080`) keep the
+* bracketed address and only the trailing port is removed.
+*/
+function hostOf(host) {
+	const trimmed = host.trim();
+	if (trimmed.startsWith("[")) {
+		const close = trimmed.indexOf("]");
+		if (close !== -1) return trimmed.slice(0, close + 1).toLowerCase();
+		return trimmed.toLowerCase();
+	}
+	const colon = trimmed.indexOf(":");
+	return (colon === -1 ? trimmed : trimmed.slice(0, colon)).toLowerCase();
+}
 const REGEXP_META = /[.+^${}()|[\]\\]/;
 /**
-* Translate an ALB path-pattern glob into an anchored, case-sensitive RegExp:
-* `*` -> `.*`, `?` -> `.`, every other character is escaped and matched
-* literally.
+* Translate an ALB `*` / `?` glob into an anchored RegExp: `*` -> `.*`,
+* `?` -> `.`, every other character is escaped and matched literally. Host
+* patterns match case-insensitively (the `i` flag) and the pattern is
+* lower-cased to pair with the lower-cased host; path patterns are
+* case-sensitive.
 */
-function globToRegExp(pattern) {
+function globToRegExp(pattern, caseInsensitive) {
+	const source = caseInsensitive ? pattern.toLowerCase() : pattern;
 	let body = "";
-	for (const ch of pattern) if (ch === "*") body += ".*";
+	for (const ch of source) if (ch === "*") body += ".*";
 	else if (ch === "?") body += ".";
 	else if (REGEXP_META.test(ch)) body += `\\${ch}`;
 	else body += ch;
 	return new RegExp(`^${body}$`);
 }
+//#endregion
+//#region src/local/front-door-lambda-runner.ts
+/** Forward the dev shell's AWS credential / region env into the Lambda container. */
+function forwardAwsEnv() {
+	const env = {};
+	for (const key of [
+		"AWS_ACCESS_KEY_ID",
+		"AWS_SECRET_ACCESS_KEY",
+		"AWS_SESSION_TOKEN",
+		"AWS_REGION",
+		"AWS_DEFAULT_REGION"
+	]) {
+		const value = process.env[key];
+		if (value !== void 0) env[key] = value;
+	}
+	return env;
+}
+/**
+* Materialize an inline (`Code.ZipFile`) ZIP Lambda's source into a temp dir at
+* the path implied by `handler`, returning the dir to bind-mount. Mirrors
+* `local-invoke.ts:materializeInlineCode`.
+*/
+function materializeInlineCode(handler, source, fileExtension) {
+	const lastDot = handler.lastIndexOf(".");
+	if (lastDot <= 0) throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
+	const modulePath = handler.substring(0, lastDot);
+	const dir = mkdtempSync(path.join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-alb-lambda-`));
+	const filePath = path.join(dir, `${modulePath}${fileExtension}`);
+	mkdirSync(path.dirname(filePath), { recursive: true });
+	writeFileSync(filePath, source, "utf-8");
+	return dir;
+}
+async function resolveZipImagePlan(lambda, opts) {
+	let inlineTmpDir;
+	let codeDir = lambda.codePath;
+	if (codeDir === null) {
+		inlineTmpDir = materializeInlineCode(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime));
+		codeDir = inlineTmpDir;
+	}
+	const image = resolveRuntimeImage(lambda.runtime);
+	await pullImage(image, opts.skipPull === true);
+	const containerCodePath = resolveRuntimeCodeMountPath(lambda.runtime);
+	return {
+		image,
+		mounts: [{
+			hostPath: codeDir,
+			containerPath: containerCodePath,
+			readOnly: true
+		}],
+		cmd: [lambda.handler],
+		...inlineTmpDir !== void 0 && { inlineTmpDir }
+	};
+}
+async function resolveContainerImagePlan(lambda, opts) {
+	const logger = getLogger().child("front-door-lambda");
+	const platform = opts.platformOverride ?? architectureToPlatform(lambda.architecture);
+	const manifestPath = lambda.stack.assetManifestPath;
+	let imageRef;
+	let localBuilt = false;
+	if (manifestPath) {
+		const cdkOutDir = path.dirname(manifestPath);
+		const manifest = await new AssetManifestLoader().loadManifest(cdkOutDir, lambda.stack.stackName);
+		const entry = manifest ? getDockerImageBySourceHash(manifest, lambda.imageUri) : void 0;
+		if (entry) {
+			imageRef = await buildContainerImage(entry.asset, cdkOutDir, { architecture: lambda.architecture });
+			localBuilt = true;
+		}
+	}
+	if (!localBuilt) {
+		if (!parseEcrUri(lambda.imageUri)) throw new Error(`Container Lambda '${lambda.logicalId}' has no matching asset in cdk.out, and Code.ImageUri '${lambda.imageUri}' is not an ECR URI ${getEmbedConfig().binaryName} can authenticate against. Re-synthesize the CDK app or deploy the image to ECR first.`);
+		logger.info(`No matching cdk.out asset for ${lambda.imageUri}; falling back to ECR pull...`);
+		imageRef = await pullEcrImage(lambda.imageUri, {
+			skipPull: opts.skipPull === true,
+			...opts.region !== void 0 && { region: opts.region },
+			...opts.ecrRoleArn !== void 0 && { ecrRoleArn: opts.ecrRoleArn }
+		});
+	}
+	return {
+		image: imageRef,
+		mounts: [],
+		cmd: lambda.imageConfig.command ?? [],
+		platform,
+		...lambda.imageConfig.entryPoint && lambda.imageConfig.entryPoint.length > 0 && { entryPoint: lambda.imageConfig.entryPoint },
+		...lambda.imageConfig.workingDirectory !== void 0 && { workingDir: lambda.imageConfig.workingDirectory }
+	};
+}
+/**
+* Build a {@link FrontDoorLambdaRunner} for a resolved Lambda. Construction is
+* pure (no docker work); `start()` does the boot. The invoke timeout defaults
+* to `max(30s, timeoutSec * 2 * 1000)` — same formula as `cdkl invoke`.
+*/
+function createFrontDoorLambdaRunner(lambda, opts) {
+	const logger = getLogger().child("front-door-lambda");
+	const defaultTimeoutMs = Math.max(3e4, lambda.timeoutSec * 2 * 1e3);
+	let plan;
+	let containerId;
+	let hostPort;
+	let stopLogStream;
+	let starting;
+	let stopped = false;
+	async function doStart() {
+		plan = lambda.kind === "zip" ? await resolveZipImagePlan(lambda, opts) : await resolveContainerImagePlan(lambda, opts);
+		const port = await pickFreePort();
+		hostPort = port;
+		const name = `${getEmbedConfig().resourceNamePrefix}-alblambda-${lambda.logicalId}-${process.pid}-${Math.floor(Math.random() * 1e6)}`;
+		const env = {
+			AWS_LAMBDA_FUNCTION_NAME: lambda.logicalId,
+			AWS_LAMBDA_FUNCTION_MEMORY_SIZE: String(lambda.memoryMb),
+			AWS_LAMBDA_FUNCTION_TIMEOUT: String(lambda.timeoutSec),
+			AWS_LAMBDA_FUNCTION_VERSION: "$LATEST",
+			AWS_LAMBDA_LOG_GROUP_NAME: `/aws/lambda/${lambda.logicalId}`,
+			AWS_LAMBDA_LOG_STREAM_NAME: "local",
+			...forwardAwsEnv()
+		};
+		logger.info(`Starting Lambda target container for ${lambda.logicalId} (image=${plan.image}, port=${port})...`);
+		const id = await runDetached({
+			image: plan.image,
+			mounts: plan.mounts,
+			env,
+			cmd: plan.cmd,
+			hostPort: port,
+			host: opts.containerHost,
+			name,
+			...plan.platform !== void 0 && { platform: plan.platform },
+			...plan.entryPoint !== void 0 && { entryPoint: plan.entryPoint },
+			...plan.workingDir !== void 0 && { workingDir: plan.workingDir }
+		});
+		containerId = id;
+		stopLogStream = opts.streamLogs === false ? void 0 : streamLogs(id);
+		try {
+			await waitForRieReady(opts.containerHost, port, 3e4);
+		} catch (err) {
+			try {
+				stopLogStream?.();
+			} catch {}
+			await removeContainer(id).catch(() => void 0);
+			containerId = void 0;
+			throw err;
+		}
+	}
+	return {
+		logicalId: lambda.logicalId,
+		async start() {
+			if (stopped) throw new Error("FrontDoorLambdaRunner.start called after stop");
+			if (containerId) return;
+			if (!starting) starting = doStart();
+			await starting;
+		},
+		async invoke(event, timeoutMs) {
+			if (!containerId || hostPort === void 0) throw new Error(`FrontDoorLambdaRunner('${lambda.logicalId}').invoke called before start() completed.`);
+			return (await invokeRie(opts.containerHost, hostPort, event, timeoutMs ?? defaultTimeoutMs)).payload;
+		},
+		async stop() {
+			if (stopped) return;
+			stopped = true;
+			try {
+				stopLogStream?.();
+			} catch (err) {
+				logger.debug(`stopLogStream(${lambda.logicalId}) failed: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			if (containerId) {
+				try {
+					await removeContainer(containerId);
+				} catch (err) {
+					logger.warn(`Failed to remove Lambda target container for ${lambda.logicalId}: ${err instanceof Error ? err.message : String(err)}. Continuing cleanup.`);
+				}
+				containerId = void 0;
+			}
+			if (plan?.inlineTmpDir) try {
+				rmSync(plan.inlineTmpDir, {
+					recursive: true,
+					force: true
+				});
+			} catch (err) {
+				logger.debug(`Failed to remove inline-code tmpdir ${plan.inlineTmpDir}: ${err instanceof Error ? err.message : String(err)}`);
+			}
+		}
+	};
+}
 //#endregion
 //#region src/cli/commands/ecs-service-emulator.ts
 /**
@@ -20811,6 +21414,7 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 	let profileCredsFile;
 	let frontDoorServers = [];
 	let frontDoorByService = /* @__PURE__ */ new Map();
+	let frontDoorLambdaRunners = [];
 	const cleanup = singleFlight(async () => {
 		await Promise.allSettled(perTarget.map(async (pt) => {
 			if (pt.controller) await pt.controller.shutdown();
@@ -20821,6 +21425,8 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 		}));
 		await Promise.allSettled(frontDoorServers.map((s) => s.close().catch((err) => getLogger().warn(`front-door server teardown failed: ${err instanceof Error ? err.message : String(err)}`))));
 		frontDoorServers = [];
+		await Promise.allSettled(frontDoorLambdaRunners.map((r) => r.stop().catch((err) => getLogger().warn(`front-door Lambda target teardown failed: ${err instanceof Error ? err.message : String(err)}`))));
+		frontDoorLambdaRunners = [];
 		if (profileCredsFile) {
 			try {
 				await profileCredsFile.dispose();
@@ -20865,7 +21471,8 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 		});
 		const { boots, frontDoor, warnings } = strategy.resolveBoots(stacks, resolvedTargets);
 		for (const w of warnings) logger.warn(w);
-		if (boots.length === 0) throw new LocalStartServiceError(`No runnable ECS service resolved from ${resolvedTargets.join(", ")}.`);
+		const hasFrontDoorListeners = !!frontDoor && frontDoor.listeners.length > 0;
+		if (boots.length === 0 && !hasFrontDoorListeners) throw new LocalStartServiceError(`No runnable target resolved from ${resolvedTargets.join(", ")}.`);
 		rejectExplicitCfnStackWithMultipleStacks(options, boots.length);
 		perTarget = boots.map((boot) => ({
 			boot,
@@ -20896,9 +21503,10 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 			sharedNetwork
 		};
 		if (frontDoor && frontDoor.listeners.length > 0) {
-			const built = await buildFrontDoor(frontDoor, options.containerHost, logger);
+			const built = await buildFrontDoor(frontDoor, options, logger);
 			frontDoorServers = built.servers;
 			frontDoorByService = built.frontDoorByService;
+			frontDoorLambdaRunners = built.lambdaRunners;
 		}
 		sigintHandler = () => {
 			sigintCount += 1;
@@ -20912,10 +21520,13 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 		process.on("SIGINT", sigintHandler);
 		process.on("SIGTERM", sigintHandler);
 		for (const pt of perTarget) pt.controller = await bootOneTarget(pt.boot, pt.runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile, frontDoorByService.get(pt.boot.target));
-		const summary = perTarget.map((pt) => `${pt.controller.service.serviceName} (${pt.controller.activeReplicaCount()} replica(s))`).join(", ");
-		logger.info(`Service(s) running: ${summary}.`);
+		if (perTarget.length > 0) {
+			const summary = perTarget.map((pt) => `${pt.controller.service.serviceName} (${pt.controller.activeReplicaCount()} replica(s))`).join(", ");
+			logger.info(`Service(s) running: ${summary}.`);
+		} else logger.info(`Service(s) running: ${frontDoorLambdaRunners.length} Lambda target(s) behind the ALB front-door.`);
 		logger.info("Press ^C to shut down.");
-		await Promise.all(perTarget.map((pt) => pt.controller.waitForShutdown()));
+		if (perTarget.length > 0) await Promise.all(perTarget.map((pt) => pt.controller.waitForShutdown()));
+		else await new Promise(() => {});
 	} finally {
 		if (sigintHandler) {
 			process.off("SIGINT", sigintHandler);
@@ -21013,32 +21624,92 @@ async function runOneTarget(boot, runState, stacks, options, discovery, skipPull
 * already in use) every server started so far is closed and the error is
 * re-thrown with a `--lb-port` hint.
 */
-async function buildFrontDoor(plan, containerHost, logger) {
+async function buildFrontDoor(plan, options, logger) {
+	const containerHost = options.containerHost;
 	const servers = [];
-	const registry = /* @__PURE__ */ new Map();
-	const poolFor = (t) => {
+	const poolRegistry = /* @__PURE__ */ new Map();
+	const lambdaRegistry = /* @__PURE__ */ new Map();
+	const dispatchFor = (t) => {
+		if (t.kind === "lambda") {
+			let runner = lambdaRegistry.get(t.lambda.logicalId);
+			if (!runner) {
+				runner = createFrontDoorLambdaRunner(t.lambda, {
+					containerHost,
+					skipPull: options.pull === false,
+					...options.platform !== void 0 && { platformOverride: options.platform },
+					...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn },
+					...options.region !== void 0 && { region: options.region }
+				});
+				lambdaRegistry.set(t.lambda.logicalId, runner);
+			}
+			const boundRunner = runner;
+			return {
+				kind: "lambda",
+				lambda: {
+					targetGroupArn: t.targetGroupArn,
+					multiValueHeaders: t.multiValueHeaders,
+					label: t.lambda.logicalId,
+					invoke: (event) => boundRunner.invoke(event)
+				}
+			};
+		}
 		const key = `${t.serviceTarget} ${t.targetContainerName} ${t.targetContainerPort}`;
-		let entry = registry.get(key);
+		let entry = poolRegistry.get(key);
 		if (!entry) {
 			entry = {
 				pool: new FrontDoorEndpointPool(),
 				target: t
 			};
-			registry.set(key, entry);
+			poolRegistry.set(key, entry);
 		}
-		return entry.pool;
+		return {
+			kind: "pool",
+			pool: entry.pool
+		};
+	};
+	const weightedTargetFor = (t) => {
+		const dispatch = dispatchFor(t);
+		return dispatch.kind === "lambda" ? {
+			lambda: dispatch.lambda,
+			weight: t.weight
+		} : {
+			pool: dispatch.pool,
+			weight: t.weight
+		};
+	};
+	const toRouteAction = (action) => {
+		if (action.kind === "forward") return {
+			kind: "forward",
+			pools: action.targets.map(weightedTargetFor)
+		};
+		if (action.kind === "redirect") return {
+			kind: "redirect",
+			statusCode: action.statusCode,
+			...action.protocol !== void 0 && { protocol: action.protocol },
+			...action.host !== void 0 && { host: action.host },
+			...action.port !== void 0 && { port: action.port },
+			...action.path !== void 0 && { path: action.path },
+			...action.query !== void 0 && { query: action.query }
+		};
+		return {
+			kind: "fixed-response",
+			statusCode: action.statusCode,
+			...action.contentType !== void 0 && { contentType: action.contentType },
+			...action.messageBody !== void 0 && { messageBody: action.messageBody }
+		};
 	};
 	try {
 		for (const listener of plan.listeners) {
-			const defaultPool = listener.defaultTarget ? poolFor(listener.defaultTarget) : void 0;
+			const defaultRoute = listener.defaultAction ? toRouteAction(listener.defaultAction) : void 0;
 			const ruleRoutes = listener.rules.map((r) => ({
 				priority: r.priority,
 				pathPatterns: r.pathPatterns,
-				target: poolFor(r.target)
+				hostPatterns: r.hostPatterns,
+				target: toRouteAction(r.action)
 			}));
-			const selectPool = (requestPath) => matchAlbPathRule(requestPath, ruleRoutes) ?? defaultPool;
+			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
 			const server = await startFrontDoorServer({
-				selectPool,
+				route,
 				port: listener.hostPort,
 				host: containerHost,
 				listenerPort: listener.listenerPort,
@@ -21046,16 +21717,21 @@ async function buildFrontDoor(plan, containerHost, logger) {
 			});
 			servers.push(server);
 			logger.info(`ALB front-door: http://${server.host}:${server.port} (listener port ${listener.listenerPort})`);
-			if (listener.defaultTarget) logger.info(`  default -> ${describeTarget(listener.defaultTarget)} (round-robin)`);
-			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  path ${r.pathPatterns.join(", ")} (priority ${r.priority}) -> ${describeTarget(r.target)}`);
-			if (!listener.defaultTarget) logger.info("  (no default action: unmatched paths return 404)");
+			if (listener.defaultAction) logger.info(`  default -> ${describeAction(listener.defaultAction)}`);
+			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  ${describeConditions(r)} (priority ${r.priority}) -> ${describeAction(r.action)}`);
+			if (!listener.defaultAction) logger.info("  (no default action: unmatched requests return 404)");
+		}
+		for (const runner of lambdaRegistry.values()) {
+			logger.info(`Booting Lambda target '${runner.logicalId}' behind the ALB front-door...`);
+			await runner.start();
 		}
 	} catch (err) {
 		await Promise.allSettled(servers.map((s) => s.close()));
+		await Promise.allSettled([...lambdaRegistry.values()].map((r) => r.stop()));
 		throw new LocalStartServiceError(`Failed to start ALB front-door: ${err instanceof Error ? err.message : String(err)}. If a listener port is privileged (< 1024), remap it to a non-privileged host port with --lb-port <listenerPort>=<hostPort> (e.g. --lb-port 80=8080).`);
 	}
 	const frontDoorByService = /* @__PURE__ */ new Map();
-	for (const { pool, target } of registry.values()) {
+	for (const { pool, target } of poolRegistry.values()) {
 		const list = frontDoorByService.get(target.serviceTarget) ?? [];
 		list.push({
 			pool,
@@ -21066,11 +21742,32 @@ async function buildFrontDoor(plan, containerHost, logger) {
 	}
 	return {
 		servers,
-		frontDoorByService
+		frontDoorByService,
+		lambdaRunners: [...lambdaRegistry.values()]
 	};
 }
+/** Human-readable summary of a planned rule's path / host conditions (for the boot banner). */
+function describeConditions(rule) {
+	const parts = [];
+	if (rule.pathPatterns.length > 0) parts.push(`path ${rule.pathPatterns.join(", ")}`);
+	if (rule.hostPatterns.length > 0) parts.push(`host ${rule.hostPatterns.join(", ")}`);
+	return parts.join(" AND ") || "(no condition)";
+}
+/** Human-readable summary of a planned action (for the boot banner). */
+function describeAction(action) {
+	if (action.kind === "redirect") return `redirect ${action.statusCode}`;
+	if (action.kind === "fixed-response") return `fixed-response ${action.statusCode}`;
+	if (action.targets.length === 1) return describeTarget(action.targets[0]);
+	return `weighted forward [${action.targets.map((t) => `${describeTargetShort(t)}@${t.weight}`).join(", ")}]`;
+}
+/** One forward target, described in full (for a single-target forward banner). */
 function describeTarget(t) {
-	return `${t.serviceTarget} (container ${t.targetContainerName}:${t.targetContainerPort})`;
+	if (t.kind === "lambda") return `Lambda ${t.lambda.logicalId} (invoke)`;
+	return `${t.serviceTarget} (container ${t.targetContainerName}:${t.targetContainerPort}) (round-robin)`;
+}
+/** One forward target, described compactly (for a weighted-forward banner). */
+function describeTargetShort(t) {
+	return t.kind === "lambda" ? `Lambda ${t.lambda.logicalId}` : t.serviceTarget;
 }
 async function resolvePlaceholderAccount(arn, region) {
 	if (!arn.includes("${AWS::AccountId}")) return arn;
@@ -21275,39 +21972,50 @@ function createLocalStartServiceCommand(opts = {}) {
 * cdk-local discovers the services behind it (mirroring how `start-api` names
 * the API and discovers the backing Lambdas).
 *
-* The synthesized linkage (confirmed against real `cdk synth` of
-* `ApplicationLoadBalancedFargateService` + an `addAction` path rule):
+* The synthesized linkage (confirmed against real `cdk synth` of an
+* `ApplicationLoadBalancer` + `addAction` rules):
 *
 * ```
 * ElasticLoadBalancingV2::LoadBalancer  (the ALB you name)
 * ElasticLoadBalancingV2::Listener      : { LoadBalancerArn:{Ref:<ALB>}, Port, Protocol,
-*     DefaultActions:[{ Type:"forward", TargetGroupArn:{Ref:<TG>} }] }
+*     DefaultActions:[ <action> ] }
 * ElasticLoadBalancingV2::ListenerRule  : { ListenerArn:{Ref:<Listener>}, Priority,
-*     Conditions:[{ Field:"path-pattern", PathPatternConfig:{ Values:["/api/*"] } }],
-*     Actions:[{ Type:"forward", TargetGroupArn:{Ref:<TG>} }] }
+*     Conditions:[{ Field:"path-pattern", PathPatternConfig:{ Values:["/api/*"] } },
+*                 { Field:"host-header",  HostHeaderConfig:{ Values:["api.example.com"] } }],
+*     Actions:[ <action> ] }
 * ElasticLoadBalancingV2::TargetGroup   : { Port, Protocol, TargetType:"ip" }
 * ECS::Service.LoadBalancers[]          -> { ContainerName, ContainerPort, TargetGroupArn:{Ref:<TG>} }
 * ```
 *
+* Each `<action>` is one of:
+*   - `forward` — `{ Type:"forward", TargetGroupArn:{Ref} }` (single target) OR
+*     `{ Type:"forward", ForwardConfig:{ TargetGroups:[{ TargetGroupArn:{Ref}, Weight }] } }`
+*     (one or more weighted targets);
+*   - `redirect` — `{ Type:"redirect", RedirectConfig:{ Protocol/Host/Port/Path/Query/StatusCode } }`;
+*   - `fixed-response` — `{ Type:"fixed-response", FixedResponseConfig:{ StatusCode/ContentType/MessageBody } }`.
+*
 * Resolution walks ALB -> listeners (by `LoadBalancerArn` Ref) -> their default
-* `forward` action AND any `path-pattern` ListenerRules -> the ECS Service whose
+* action AND any ListenerRules -> for each `forward`, the ECS Service whose
 * `LoadBalancers[]` references each target group (a reverse scan; there is no
 * direct TG -> service pointer). Output is a per-listener routing table: a
-* default forward target (when the default action is a resolvable forward) plus
-* the ordered path-pattern rules.
-*
-* Scope: HTTP listeners, `path-pattern` conditions, single-target `forward`
-* actions to ECS services. Skipped with a warning: HTTPS/TLS listeners,
-* `TargetType:"lambda"` target groups, weighted (multi-target) forwards, rules
-* with non-`path-pattern` conditions (host-header / http-header / query-string
-* / etc.), and `redirect` / `fixed-response` / `authenticate-*` actions. Those
-* remaining listener-rule features are tracked in #123.
+* default action plus the ordered rules, each carrying its resolved action and
+* its path / host conditions.
+*
+* Scope: HTTP listeners; `path-pattern` + `host-header` conditions; `forward`
+* (single or weighted) to ECS services AND/OR Lambda functions
+* (`TargetType:"lambda"` target groups — #123: the TG -> backing
+* `AWS::Lambda::Function` is resolved and the front-door invokes it locally per
+* request); `redirect` / `fixed-response` actions. A single weighted forward may
+* mix ECS and Lambda targets. Skipped with a warning: HTTPS/TLS listeners, the
+* other condition fields (http-header / http-request-method / query-string /
+* source-ip), and `authenticate-cognito` / `authenticate-oidc` actions.
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
 const LISTENER_RULE_TYPE = "AWS::ElasticLoadBalancingV2::ListenerRule";
 const TARGET_GROUP_TYPE = "AWS::ElasticLoadBalancingV2::TargetGroup";
 const SERVICE_TYPE = "AWS::ECS::Service";
+const LAMBDA_FUNCTION_TYPE = "AWS::Lambda::Function";
 /**
 * Resolve an ALB into its front-door listeners + routing tables. Pure — reads
 * only the supplied stack template. Returns an empty `listeners` array (with
@@ -21331,31 +22039,32 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP listeners only (TLS termination is deferred). Skipping it.`);
 			continue;
 		}
-		const defaultTarget = resolveForwardTarget(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
+		const defaultAction = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
 		const rules = [];
 		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
 			const priority = parsePriority(ruleProps["Priority"]);
 			const ruleLabel = `Listener rule '${ruleLogicalId}' (priority ${priority})`;
-			const { patterns, unsupported } = parseRulePathPatterns(ruleProps["Conditions"]);
+			const { pathPatterns, hostPatterns, unsupported } = parseRuleConditions(ruleProps["Conditions"]);
 			if (unsupported.length > 0) {
-				warnings.push(`${ruleLabel} uses unsupported condition(s): ${unsupported.join(", ")}. The local ALB front-door supports path-pattern conditions only (host-header / http-header / query-string / http-request-method / source-ip deferred). Skipping it.`);
+				warnings.push(`${ruleLabel} uses unsupported condition(s): ${unsupported.join(", ")}. The local ALB front-door supports path-pattern and host-header conditions only (http-header / query-string / http-request-method / source-ip deferred). Skipping it.`);
 				continue;
 			}
-			if (patterns.length === 0) continue;
-			const target = resolveForwardTarget(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
-			if (!target) continue;
+			if (pathPatterns.length === 0 && hostPatterns.length === 0) continue;
+			const action = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
+			if (!action) continue;
 			rules.push({
 				priority,
-				pathPatterns: patterns,
-				target
+				pathPatterns,
+				hostPatterns,
+				action
 			});
 		}
-		if (!defaultTarget && rules.length === 0) continue;
+		if (!defaultAction && rules.length === 0) continue;
 		listeners.push({
 			listenerPort: port,
 			listenerProtocol: "HTTP",
 			listenerLogicalId,
-			...defaultTarget ? { defaultTarget } : {},
+			...defaultAction ? { defaultAction } : {},
 			rules
 		});
 	}
@@ -21371,41 +22080,168 @@ function isApplicationLoadBalancer(resource) {
 	return type === void 0 || type === "application";
 }
 /**
-* Resolve a listener / rule `Actions` (or `DefaultActions`) array to a single
-* ECS-service forward target, or `undefined` when it is not a resolvable
-* single forward (warning emitted for the cases worth surfacing).
+* Resolve a listener / rule `Actions` (or `DefaultActions`) array to the single
+* action the local front-door serves, or `undefined` when it is not resolvable
+* (a warning is emitted for the cases worth surfacing). ALB allows exactly one
+* non-authenticate terminal action per action set, optionally preceded by
+* authenticate-* actions (which the local front-door does not enforce — they
+* are skipped with a warning and the terminal action is honored).
 */
-function resolveForwardTarget(actions, resources, tgToService, stackName, label, warnings) {
-	const tgRefs = collectForwardTargetGroupRefs(actions);
-	if (tgRefs.size === 0) {
-		if (hasUnresolvableForward(actions)) warnings.push(`${label} forwards to a non-Ref TargetGroupArn (literal / cross-stack / imported); the local front-door only supports in-stack target groups. Skipping it.`);
-		return;
+function resolveAction(actions, resources, tgToService, stackName, label, warnings) {
+	if (!Array.isArray(actions)) return void 0;
+	let sawAuthenticate = false;
+	for (const action of actions) {
+		if (!action || typeof action !== "object") continue;
+		const a = action;
+		const type = a["Type"];
+		if (type === "authenticate-cognito" || type === "authenticate-oidc") {
+			sawAuthenticate = true;
+			continue;
+		}
+		if (type === "forward") return resolveForwardAction(a, resources, tgToService, stackName, label, warnings);
+		if (type === "redirect") {
+			const redirect = resolveRedirectAction(a, label, warnings);
+			if (redirect) return redirect;
+			continue;
+		}
+		if (type === "fixed-response") return resolveFixedResponseAction(a);
+		if (typeof type === "string") warnings.push(`${label} uses an unsupported action type '${type}'. The local ALB front-door supports forward / redirect / fixed-response actions only. Skipping it.`);
 	}
-	if (tgRefs.size > 1) {
-		warnings.push(`${label} is a weighted forward (multiple target groups); the local front-door supports a single target group per action (weighted routing deferred). Skipping it.`);
+	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action. The local ALB front-door does not enforce authenticate-cognito / authenticate-oidc; skipping it.`);
+}
+/**
+* Resolve a `forward` action into one or more weighted targets. Each target
+* group is either an ECS service (the original `start-alb` path) or a
+* `TargetType: lambda` group backed by an in-stack Lambda (#123); a single
+* weighted forward may mix both.
+*/
+function resolveForwardAction(action, resources, tgToService, stackName, label, warnings) {
+	const refs = collectForwardTargetGroupRefs(action);
+	if (refs.length === 0) {
+		if (hasUnresolvableForward(action)) warnings.push(`${label} forwards to a non-Ref TargetGroupArn (literal / cross-stack / imported); the local front-door only supports in-stack target groups. Skipping it.`);
 		return;
 	}
-	const tgRef = [...tgRefs][0];
-	const tg = resources[tgRef];
-	if (!tg || tg.Type !== TARGET_GROUP_TYPE) {
-		warnings.push(`${label} forwards to target group '${tgRef}', but no ${TARGET_GROUP_TYPE} with that logical id exists in ${stackName}. Skipping it.`);
-		return;
+	const targets = [];
+	for (const { tgRef, weight } of refs) {
+		const tg = resources[tgRef];
+		if (!tg || tg.Type !== TARGET_GROUP_TYPE) {
+			warnings.push(`${label} forwards to target group '${tgRef}', but no ${TARGET_GROUP_TYPE} with that logical id exists in ${stackName}. Skipping that target group.`);
+			continue;
+		}
+		const tgProps = tg.Properties ?? {};
+		if (tgProps["TargetType"] === "lambda") {
+			const lambdaTarget = resolveLambdaForwardTarget(tgProps, tgRef, resources, stackName, label, warnings);
+			if (lambdaTarget) targets.push({
+				...lambdaTarget,
+				weight
+			});
+			continue;
+		}
+		const backing = tgToService.get(tgRef);
+		if (!backing) {
+			warnings.push(`${label} forwards to target group '${tgRef}', which is not referenced by any ${SERVICE_TYPE}.LoadBalancers[] in ${stackName}; cdk-local has no ECS service to front behind it. Skipping that target group.`);
+			continue;
+		}
+		targets.push({
+			kind: "ecs",
+			serviceLogicalId: backing.serviceLogicalId,
+			targetContainerName: backing.containerName,
+			targetContainerPort: backing.containerPort,
+			targetGroupLogicalId: tgRef,
+			weight
+		});
 	}
-	if (tg.Properties?.["TargetType"] === "lambda") {
-		warnings.push(`${label} forwards to a Lambda target group '${tgRef}' (TargetType: lambda). The local ALB front-door supports ECS targets only; Lambda targets are deferred. Skipping it.`);
+	if (targets.length === 0) return void 0;
+	return {
+		kind: "forward",
+		targets
+	};
+}
+/**
+* Resolve a `TargetType: lambda` target group into its `FrontDoorLambdaTarget`
+* (weight applied by the caller), or `undefined` (with a warning) when the
+* backing function is not an in-stack `AWS::Lambda::Function` reference.
+*/
+function resolveLambdaForwardTarget(tgProps, tgRef, resources, stackName, label, warnings) {
+	const lambdaLogicalId = resolveLambdaTargetLogicalId(tgProps["Targets"]);
+	if (!lambdaLogicalId) {
+		warnings.push(`${label} forwards to a Lambda target group '${tgRef}', but its Targets[].Id is not an in-stack { "Fn::GetAtt": [<FnLogicalId>, "Arn"] } reference; the local ALB front-door supports an in-stack Lambda target only (literal / imported ARNs deferred). Skipping that target group.`);
 		return;
 	}
-	const backing = tgToService.get(tgRef);
-	if (!backing) {
-		warnings.push(`${label} forwards to target group '${tgRef}', which is not referenced by any ${SERVICE_TYPE}.LoadBalancers[] in ${stackName}; cdk-local has no ECS service to front behind it. Skipping it.`);
+	const lambda = resources[lambdaLogicalId];
+	if (!lambda || lambda.Type !== LAMBDA_FUNCTION_TYPE) {
+		warnings.push(`${label} forwards to Lambda target group '${tgRef}', whose target resolves to '${lambdaLogicalId}', but no ${LAMBDA_FUNCTION_TYPE} with that logical id exists in ${stackName}. Skipping that target group.`);
 		return;
 	}
 	return {
-		serviceLogicalId: backing.serviceLogicalId,
-		targetContainerName: backing.containerName,
-		targetContainerPort: backing.containerPort,
-		targetGroupLogicalId: tgRef
+		kind: "lambda",
+		lambdaLogicalId,
+		targetGroupLogicalId: tgRef,
+		multiValueHeaders: readMultiValueHeadersAttribute(tgProps["TargetGroupAttributes"])
+	};
+}
+/** Resolve a `redirect` action into its `Location`-template fields + status code. */
+function resolveRedirectAction(action, label, warnings) {
+	const cfg = action["RedirectConfig"];
+	if (!cfg || typeof cfg !== "object") {
+		warnings.push(`${label} is a redirect with no RedirectConfig; skipping it.`);
+		return;
+	}
+	const c = cfg;
+	const out = {
+		kind: "redirect",
+		statusCode: parseRedirectStatusCode(c["StatusCode"])
+	};
+	if (typeof c["Protocol"] === "string") out.protocol = c["Protocol"];
+	if (typeof c["Host"] === "string") out.host = c["Host"];
+	if (typeof c["Port"] === "string") out.port = c["Port"];
+	if (typeof c["Path"] === "string") out.path = c["Path"];
+	if (typeof c["Query"] === "string") out.query = c["Query"];
+	return out;
+}
+/** Resolve a `fixed-response` action into its status / content-type / body. */
+function resolveFixedResponseAction(action) {
+	const cfg = action["FixedResponseConfig"];
+	const c = cfg && typeof cfg === "object" ? cfg : {};
+	const out = {
+		kind: "fixed-response",
+		statusCode: parseFixedResponseStatusCode(c["StatusCode"])
 	};
+	if (typeof c["ContentType"] === "string") out.contentType = c["ContentType"];
+	if (typeof c["MessageBody"] === "string") out.messageBody = c["MessageBody"];
+	return out;
+}
+/**
+* Resolve a `TargetType: lambda` target group's backing Lambda logical id from
+* its `Targets[].Id`. CDK synthesizes the registration as
+* `Targets: [{ Id: { "Fn::GetAtt": [<FnLogicalId>, "Arn"] } }]`; a `Ref` to the
+* function (its name) is also accepted. Returns the logical id, or `undefined`
+* when the target is a literal / imported ARN (not an in-stack reference).
+*/
+function resolveLambdaTargetLogicalId(targets) {
+	if (!Array.isArray(targets) || targets.length === 0) return void 0;
+	const first = targets[0];
+	if (!first || typeof first !== "object") return void 0;
+	const id = first["Id"];
+	if (!id || typeof id !== "object" || Array.isArray(id)) return void 0;
+	const idObj = id;
+	const getAtt = idObj["Fn::GetAtt"];
+	if (Array.isArray(getAtt) && typeof getAtt[0] === "string" && getAtt[0].length > 0) return getAtt[0];
+	const ref = idObj["Ref"];
+	if (typeof ref === "string" && ref.length > 0) return ref;
+}
+/**
+* Read the `lambda.multi_value_headers.enabled` target-group attribute (a
+* string `"true"` / `"false"` in CFn). Defaults to `false` when absent.
+*/
+function readMultiValueHeadersAttribute(attributes) {
+	if (!Array.isArray(attributes)) return false;
+	for (const attr of attributes) {
+		if (!attr || typeof attr !== "object") continue;
+		const a = attr;
+		if (a["Key"] === "lambda.multi_value_headers.enabled") return String(a["Value"]).toLowerCase() === "true";
+	}
+	return false;
 }
 /**
 * Build a `targetGroupLogicalId -> backing ECS service` index by scanning every
@@ -21452,78 +22288,81 @@ function indexRulesByListener(resources) {
 	return index;
 }
 /**
-* Parse a ListenerRule's `Conditions` into its `path-pattern` values plus the
-* field names of any non-`path-pattern` conditions (which make the rule
-* unsupported in this version). A rule is only usable when every condition is a
-* `path-pattern` — ALB ANDs conditions together, and we cannot honor the others
-* locally yet.
+* Parse a ListenerRule's `Conditions` into its supported `path-pattern` and
+* `host-header` values plus the field names of any unsupported conditions
+* (which make the rule unsupported). ALB ANDs conditions of different fields,
+* so a rule with an unsupported field cannot be honored locally. Multiple
+* conditions of the same field merge their values (each field OR-matches).
 */
-function parseRulePathPatterns(conditions) {
-	const patterns = [];
+function parseRuleConditions(conditions) {
+	const pathPatterns = [];
+	const hostPatterns = [];
 	const unsupported = [];
 	if (!Array.isArray(conditions)) return {
-		patterns,
+		pathPatterns,
+		hostPatterns,
 		unsupported
 	};
 	for (const cond of conditions) {
 		if (!cond || typeof cond !== "object") continue;
 		const c = cond;
 		const field = typeof c["Field"] === "string" ? c["Field"] : "(unknown)";
-		if (field !== "path-pattern") {
-			unsupported.push(field);
-			continue;
-		}
-		const cfg = c["PathPatternConfig"];
-		const values = cfg && typeof cfg === "object" && Array.isArray(cfg["Values"]) ? cfg["Values"] : Array.isArray(c["Values"]) ? c["Values"] : [];
-		for (const v of values) if (typeof v === "string") patterns.push(v);
+		if (field === "path-pattern") pathPatterns.push(...conditionValues(c, "PathPatternConfig"));
+		else if (field === "host-header") hostPatterns.push(...conditionValues(c, "HostHeaderConfig"));
+		else unsupported.push(field);
 	}
 	return {
-		patterns,
+		pathPatterns,
+		hostPatterns,
 		unsupported
 	};
 }
-function collectForwardTargetGroupRefs(actions) {
-	const refs = /* @__PURE__ */ new Set();
-	if (!Array.isArray(actions)) return refs;
-	for (const action of actions) {
-		if (!action || typeof action !== "object") continue;
-		const a = action;
-		if (a["Type"] !== "forward") continue;
-		const direct = refOf(a["TargetGroupArn"]);
-		if (direct) refs.add(direct);
-		const forwardConfig = a["ForwardConfig"];
-		if (forwardConfig && typeof forwardConfig === "object") {
-			const groups = forwardConfig["TargetGroups"];
-			if (Array.isArray(groups)) for (const g of groups) {
-				if (!g || typeof g !== "object") continue;
-				const ref = refOf(g["TargetGroupArn"]);
-				if (ref) refs.add(ref);
-			}
+/**
+* Extract a condition's string values from either the typed `<Field>Config`
+* sub-object's `Values` or the legacy top-level `Values` array.
+*/
+function conditionValues(cond, configKey) {
+	const cfg = cond[configKey];
+	return (cfg && typeof cfg === "object" && Array.isArray(cfg["Values"]) ? cfg["Values"] : Array.isArray(cond["Values"]) ? cond["Values"] : []).filter((v) => typeof v === "string");
+}
+/** Collect a forward action's `(targetGroupRef, weight)` pairs (single + ForwardConfig forms). */
+function collectForwardTargetGroupRefs(action) {
+	const out = [];
+	const direct = refOf(action["TargetGroupArn"]);
+	if (direct) out.push({
+		tgRef: direct,
+		weight: 1
+	});
+	const forwardConfig = action["ForwardConfig"];
+	if (forwardConfig && typeof forwardConfig === "object") {
+		const groups = forwardConfig["TargetGroups"];
+		if (Array.isArray(groups)) for (const g of groups) {
+			if (!g || typeof g !== "object") continue;
+			const gObj = g;
+			const ref = refOf(gObj["TargetGroupArn"]);
+			if (ref) out.push({
+				tgRef: ref,
+				weight: parseWeight(gObj["Weight"])
+			});
 		}
 	}
-	return refs;
+	return out;
 }
 /**
-* True when `actions` has at least one `forward` action that references a target
-* group via a NON-`Ref` arn (literal / `Fn::GetAtt` / cross-stack) — i.e. a
-* forward we could not resolve to an in-stack target group. Used to warn rather
-* than silently skip such a listener / rule.
+* True when `action` is a `forward` that references a target group via a
+* NON-`Ref` arn (literal / `Fn::GetAtt` / cross-stack) — i.e. a forward we
+* could not resolve to an in-stack target group. Used to warn rather than
+* silently skip.
 */
-function hasUnresolvableForward(actions) {
-	if (!Array.isArray(actions)) return false;
-	for (const action of actions) {
-		if (!action || typeof action !== "object") continue;
-		const a = action;
-		if (a["Type"] !== "forward") continue;
-		if (a["TargetGroupArn"] !== void 0 && refOf(a["TargetGroupArn"]) === void 0) return true;
-		const forwardConfig = a["ForwardConfig"];
-		if (forwardConfig && typeof forwardConfig === "object") {
-			const groups = forwardConfig["TargetGroups"];
-			if (Array.isArray(groups)) for (const g of groups) {
-				if (!g || typeof g !== "object") continue;
-				const arn = g["TargetGroupArn"];
-				if (arn !== void 0 && refOf(arn) === void 0) return true;
-			}
+function hasUnresolvableForward(action) {
+	if (action["TargetGroupArn"] !== void 0 && refOf(action["TargetGroupArn"]) === void 0) return true;
+	const forwardConfig = action["ForwardConfig"];
+	if (forwardConfig && typeof forwardConfig === "object") {
+		const groups = forwardConfig["TargetGroups"];
+		if (Array.isArray(groups)) for (const g of groups) {
+			if (!g || typeof g !== "object") continue;
+			const arn = g["TargetGroupArn"];
+			if (arn !== void 0 && refOf(arn) === void 0) return true;
 		}
 	}
 	return false;
@@ -21545,6 +22384,27 @@ function parseContainerPort(raw) {
 	return parsePort(raw);
 }
 /**
+* Parse a `ForwardConfig.TargetGroups[].Weight`. ALB weights are 0-999; a
+* missing weight defaults to 1 (CDK's `weightedForward` always emits one, but
+* a hand-rolled template may omit it). Negative / non-numeric clamps to 0.
+*/
+function parseWeight(raw) {
+	if (typeof raw === "number" && Number.isFinite(raw)) return raw < 0 ? 0 : raw;
+	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
+	return 1;
+}
+/** ALB emits redirect status as `HTTP_301` / `HTTP_302`; default to 302 when absent / unknown. */
+function parseRedirectStatusCode(raw) {
+	if (raw === "HTTP_301" || raw === "301" || raw === 301) return 301;
+	return 302;
+}
+/** Parse a `FixedResponseConfig.StatusCode` (a numeric string); default 200 when absent. */
+function parseFixedResponseStatusCode(raw) {
+	if (typeof raw === "number" && Number.isInteger(raw)) return raw;
+	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
+	return 200;
+}
+/**
 * Parse a ListenerRule `Priority` (ALB priorities are 1-50000, lower = higher
 * precedence). A missing / unparseable priority sorts last so an explicitly
 * prioritized rule always wins over it.
@@ -21643,13 +22503,43 @@ function albStrategy(options) {
 				const { stack, albLogicalId } = resolveAlbTarget(albTarget, stacks);
 				const resolution = resolveAlbFrontDoor(stack, albLogicalId);
 				warnings.push(...resolution.warnings);
-				const qualify = (t) => {
+				const qualifyTarget = (t) => {
+					if (t.kind === "lambda") return {
+						kind: "lambda",
+						lambda: resolveLambdaTarget(`${stack.stackName}:${t.lambdaLogicalId}`, stacks),
+						targetGroupArn: `${stack.stackName}:${t.targetGroupLogicalId}`,
+						multiValueHeaders: t.multiValueHeaders,
+						weight: t.weight
+					};
 					const serviceTarget = `${stack.stackName}:${t.serviceLogicalId}`;
 					serviceTargets.add(serviceTarget);
 					return {
+						kind: "ecs",
 						serviceTarget,
 						targetContainerName: t.targetContainerName,
-						targetContainerPort: t.targetContainerPort
+						targetContainerPort: t.targetContainerPort,
+						weight: t.weight
+					};
+				};
+				const qualify = (action) => {
+					if (action.kind === "forward") return {
+						kind: "forward",
+						targets: action.targets.map(qualifyTarget)
+					};
+					if (action.kind === "redirect") return {
+						kind: "redirect",
+						statusCode: action.statusCode,
+						...action.protocol !== void 0 && { protocol: action.protocol },
+						...action.host !== void 0 && { host: action.host },
+						...action.port !== void 0 && { port: action.port },
+						...action.path !== void 0 && { path: action.path },
+						...action.query !== void 0 && { query: action.query }
+					};
+					return {
+						kind: "fixed-response",
+						statusCode: action.statusCode,
+						...action.contentType !== void 0 && { contentType: action.contentType },
+						...action.messageBody !== void 0 && { messageBody: action.messageBody }
 					};
 				};
 				for (const listener of resolution.listeners) {
@@ -21663,11 +22553,12 @@ function albStrategy(options) {
 					listeners.push({
 						listenerPort: listener.listenerPort,
 						hostPort,
-						...listener.defaultTarget ? { defaultTarget: qualify(listener.defaultTarget) } : {},
+						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
 						rules: listener.rules.map((r) => ({
 							priority: r.priority,
 							pathPatterns: r.pathPatterns,
-							target: qualify(r.target)
+							hostPatterns: r.hostPatterns,
+							action: qualify(r.action)
 						}))
 					});
 				}
@@ -21696,7 +22587,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and path-routes its path-pattern rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners, single-target forward actions, and path-pattern rules; HTTPS listeners, Lambda target groups, weighted forwards, other rule conditions, and redirect/fixed-response actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners; path-pattern and host-header rule conditions; forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). HTTPS listeners, the other rule conditions (http-header / query-string / source-ip / http-request-method), and authenticate-* actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -21773,4 +22664,4 @@ function createLocalListCommand(opts = {}) {
 //#endregion
 export { createJwksCache as $, resolveLambdaArnIntrinsic as $t, invokeTokenAuthorizer as A, substituteAgainstStateAsync as At, VtlEvaluationError as B, resolveCfnRegion as Bt, resolveSelectionExpression as C, architectureToPlatform as Ct, computeRequestIdentityHash as D, resolveRuntimeImage as Dt, buildMethodArn as E, resolveRuntimeFileExtension as Et, buildRestV1Event as F, LocalStateSourceError as Ft, buildMgmtEndpointEnvUrl as G, resolveWatchConfig as Gt, probeHostGatewaySupport as H, CfnLocalStateProvider as Ht, evaluateResponseParameters as I, createLocalStateProvider as It, buildConnectEvent as J, discoverWebSocketApis as Jt, handleConnectionsRequest as K, countTargets as Kt, pickResponseTemplate as L, isCfnFlagPresent as Lt, translateLambdaResponse as M, substituteEnvVarsFromStateAsync as Mt, applyAuthorizerOverlay as N, resolveEnvVars as Nt, evaluateCachedLambdaPolicy as O, EcsTaskResolutionError as Ot, buildHttpApiV2Event as P, materializeLayerFromArn as Pt, buildJwksUrlFromIssuer as Q, pickRefLogicalId as Qt, selectIntegrationResponse as R, rejectExplicitCfnStackWithMultipleStacks as Rt, startApiServer as S, createLocalInvokeCommand as St, defaultCredentialsLoader as T, resolveRuntimeCodeMountPath as Tt, bufferToBody as U, collectSsmParameterRefs as Ut, HOST_GATEWAY_MIN_VERSION as V, resolveCfnStackName as Vt, ConnectionRegistry as W, resolveSsmParameters as Wt, buildMessageEvent as X, parseSelectionExpressionPath as Xt, buildDisconnectEvent as Y, discoverWebSocketApisOrThrow as Yt, buildCognitoJwksUrl as Z, discoverRoutes as Zt, availableApiIdentifiers as _, SUPPORTED_CODE_RUNTIMES as _t, buildCloudMapIndex as a, derivePseudoParametersFromRegion as an, buildCorsConfigByApiId as at, groupRoutesByServer as b, renderCodeDockerfile as bt, createLocalRunTaskCommand as c, LocalInvokeBuildError as cn, matchPreflight as ct, createWatchPredicates as d, MCP_PROTOCOL_VERSION as dt, AGENTCORE_HTTP_PROTOCOL as en, verifyCognitoJwt as et, resolveApiTargetSubset as f, mcpInvokeOnce as ft, buildStageMap as g, waitForAgentCorePing as gt, attachStageContext as h, invokeAgentCore as ht, createLocalStartServiceCommand as i, resolveAgentCoreTarget as in, applyCorsResponseHeaders as it, matchRoute as j, substituteEnvVarsFromState as jt, invokeRequestAuthorizer as k, substituteAgainstState as kt, createLocalInvokeAgentCoreCommand as l, MCP_CONTAINER_PORT as lt, createFileWatcher as m, AGENTCORE_SESSION_ID_HEADER as mt, formatTargetListing as n, AGENTCORE_RUNTIME_TYPE as nn, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, substituteImagePlaceholders as on, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, parseSseForJsonRpc as pt, parseConnectionsPath as q, listTargets as qt, createLocalStartAlbCommand as r, AgentCoreResolutionError as rn, attachAuthorizers as rt, getContainerNetworkIp as s, tryResolveImageFnJoin as sn, isFunctionUrlOacFronted as st, createLocalListCommand as t, AGENTCORE_MCP_PROTOCOL as tn, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, MCP_PATH as ut, filterRoutesByApiIdentifier as v, buildAgentCoreCodeImage as vt, resolveServiceIntegrationParameters as w, buildContainerImage as wt, readMtlsMaterialsFromDisk as x, toCmdArgv as xt, filterRoutesByApiIdentifiers as y, computeCodeImageTag as yt, tryParseStatus as z, resolveCfnFallbackRegion as zt };
-//# sourceMappingURL=local-list-bwZnI2pV.js.map
+//# sourceMappingURL=local-list-jk2HzwoN.js.map