npm - cdk-local - Versions diffs - 0.44.0 → 0.46.0 - Mend

cdk-local 0.44.0 → 0.46.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +3 -3
package/dist/cli.js +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/dist/{local-list-EweOsy3A.js → local-list-DL6DlYSN.js} +832 -127
package/dist/local-list-DL6DlYSN.js.map +1 -0
package/package.json +1 -1
package/dist/local-list-EweOsy3A.js.map +0 -1

package/dist/{local-list-EweOsy3A.js → local-list-DL6DlYSN.js} RENAMED Viewed

@@ -1235,6 +1235,22 @@ function resolveAgentCoreTarget(target, stacks, imageContext) {
 	return extractRuntimeProperties(stack, logicalId, resource, resources, imageContext);
 }
 /**
+* Best-effort pick of the candidate stack a target lives in, BEFORE full
+* resolution — so the command can build a `--from-cfn-stack` image-resolution
+* context (state load + pseudo parameters) and thread it into
+* {@link resolveAgentCoreTarget} so a same-stack `AWS::ECR::Repository`
+* `Fn::Join` ContainerUri resolves to the deployed URI. Returns undefined when
+* the stack is ambiguous (multi-stack app, no prefix) — the caller proceeds
+* without a context and the resolver surfaces its own error if one is needed.
+* Mirrors `run-task`'s `pickCandidateStack`.
+*/
+function pickAgentCoreCandidateStack(target, stacks) {
+	const parsed = parseTarget(target);
+	if (parsed.stackPattern === null) return stacks.length === 1 ? stacks[0] : void 0;
+	const matched = matchStacks(stacks, [parsed.stackPattern]);
+	return matched.length === 1 ? matched[0] : void 0;
+}
+/**
 * Single-stack auto-detect: if the app has exactly one stack the user may
 * omit the stack prefix; otherwise an explicit stack pattern is required.
 * Mirrors the Lambda / ECS resolvers' behavior via the shared
@@ -7794,7 +7810,7 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 			}
 		}
 		if (!assumeSucceeded) {
-			forwardAwsEnv$2(dockerEnv);
+			forwardAwsEnv$3(dockerEnv);
 			applyProfileCredentialsOverlay(dockerEnv, profileCredentials, false);
 			if (profileCredsFile) {
 				dockerEnv["AWS_SHARED_CREDENTIALS_FILE"] = profileCredsFile.containerPath;
@@ -7849,14 +7865,14 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 	}
 }
 async function resolveImagePlan(lambda, options) {
-	if (lambda.kind === "zip") return resolveZipImagePlan(lambda, options);
-	return resolveContainerImagePlan(lambda, options);
+	if (lambda.kind === "zip") return resolveZipImagePlan$1(lambda, options);
+	return resolveContainerImagePlan$1(lambda, options);
 }
-async function resolveZipImagePlan(lambda, options) {
+async function resolveZipImagePlan$1(lambda, options) {
 	let inlineTmpDir;
 	let codeDir = lambda.codePath;
 	if (codeDir === null) {
-		inlineTmpDir = materializeInlineCode$1(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime));
+		inlineTmpDir = materializeInlineCode$2(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime));
 		codeDir = inlineTmpDir;
 	}
 	const image = resolveRuntimeImage(lambda.runtime);
@@ -7933,7 +7949,7 @@ function materializeLambdaLayers$1(layers) {
 		tmpDir
 	};
 }
-async function resolveContainerImagePlan(lambda, options) {
+async function resolveContainerImagePlan$1(lambda, options) {
 	const logger = getLogger();
 	const platform = architectureToPlatform(lambda.architecture);
 	const localBuild = await resolveLocalBuildPlan$1(lambda);
@@ -8083,7 +8099,7 @@ async function assumeLambdaExecutionRole$1(roleArn, region) {
 		sts.destroy();
 	}
 }
-function forwardAwsEnv$2(env) {
+function forwardAwsEnv$3(env) {
 	for (const key of [
 		"AWS_ACCESS_KEY_ID",
 		"AWS_SECRET_ACCESS_KEY",
@@ -8123,7 +8139,7 @@ function applyProfileCredentialsOverlay(env, profileCreds, assumeRoleActive) {
 	if (profileCreds.sessionToken) env["AWS_SESSION_TOKEN"] = profileCreds.sessionToken;
 	else delete env["AWS_SESSION_TOKEN"];
 }
-function materializeInlineCode$1(handler, source, fileExtension) {
+function materializeInlineCode$2(handler, source, fileExtension) {
 	const lastDot = handler.lastIndexOf(".");
 	if (lastDot <= 0) throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
 	const modulePath = handler.substring(0, lastDot);
@@ -8138,10 +8154,10 @@ function suggestAssumeRoleFromState(state, logicalId) {
 	const roleArn = resolveExecutionRoleArnFromState(state, logicalId);
 	if (roleArn) logger.info(`Hint: the deployed function uses execution role ${roleArn}. Re-run with --assume-role to invoke under the deployed function's narrow permissions.`);
 }
-function resolveExecutionRoleArnFromState(state, logicalId) {
+function resolveExecutionRoleArnFromState(state, logicalId, roleProperty = "Role") {
 	const lambda = state.resources[logicalId];
 	if (!lambda) return void 0;
-	const roleRef = lambda.properties?.["Role"] ?? lambda.observedProperties?.["Role"];
+	const roleRef = lambda.properties?.[roleProperty] ?? lambda.observedProperties?.[roleProperty];
 	if (typeof roleRef === "string" && roleRef.startsWith("arn:")) return roleRef;
 	if (typeof roleRef === "object" && roleRef !== null) {
 		const refLogicalId = pickReferencedLogicalId(roleRef);
@@ -12749,7 +12765,7 @@ const MOCK_API_ID = "local";
 *     UTF-8; otherwise base64. Mirrors what API Gateway emits.
 */
 function buildHttpApiV2Event(req, ctx, opts = {}) {
-	const { rawPath, rawQueryString } = splitRawUrl$1(req.rawUrl);
+	const { rawPath, rawQueryString } = splitRawUrl$2(req.rawUrl);
 	const { headers, cookies } = normalizeHeadersV2(req.headers);
 	const queryStringParameters = parseQueryStringV2(rawQueryString);
 	const userAgent = headers["user-agent"] ?? "";
@@ -12809,7 +12825,7 @@ function buildHttpApiV2Event(req, ctx, opts = {}) {
 *   - `pathParameters` may be `null` when there are none (matches AWS).
 */
 function buildRestV1Event(req, ctx, opts = {}) {
-	const { rawPath, rawQueryString } = splitRawUrl$1(req.rawUrl);
+	const { rawPath, rawQueryString } = splitRawUrl$2(req.rawUrl);
 	const { singular: headers, multi: multiValueHeaders } = normalizeHeadersV1(req.headers);
 	const { singular: queryStringParameters, multi: multiValueQueryStringParameters } = parseQueryStringV1(rawQueryString);
 	const contentType = headers["content-type"] ?? "";
@@ -12899,7 +12915,7 @@ function applyAuthorizerOverlay(event, overlay) {
 * `rawQueryString` (everything after, or `''`). Neither component is
 * decoded — that's the whole point of "raw" per the AWS spec.
 */
-function splitRawUrl$1(rawUrl) {
+function splitRawUrl$2(rawUrl) {
 	const q = rawUrl.indexOf("?");
 	if (q === -1) return {
 		rawPath: rawUrl,
@@ -13030,7 +13046,7 @@ function encodeBody(body, contentType) {
 		body: "",
 		isBase64Encoded: false
 	};
-	if (isTextualContentType(contentType)) return {
+	if (isTextualContentType$1(contentType)) return {
 		body: body.toString("utf-8"),
 		isBase64Encoded: false
 	};
@@ -13051,7 +13067,7 @@ const TEXT_PREFIXES = [
 * Whether the given `Content-Type` value indicates textual data (so the
 * event body should be UTF-8 instead of base64).
 */
-function isTextualContentType(contentType) {
+function isTextualContentType$1(contentType) {
 	if (!contentType) return false;
 	const lower = contentType.toLowerCase();
 	return TEXT_PREFIXES.some((p) => lower.startsWith(p));
@@ -13116,7 +13132,7 @@ function formatRequestTime(d) {
 *                  v2 separates them.
 */
 function translateLambdaResponse(payload, version) {
-	if (isErrorEnvelope(payload)) return errorEnvelopeResponse();
+	if (isErrorEnvelope$1(payload)) return errorEnvelopeResponse();
 	if (isShapedResponse(payload)) return translateShapedResponse(payload, version);
 	return autoFormatResponse(payload);
 }
@@ -13127,7 +13143,7 @@ function translateLambdaResponse(payload, version) {
 * matters because user code MAY return a Lambda Proxy response that
 * happens to have `errorMessage` as a payload field.
 */
-function isErrorEnvelope(payload) {
+function isErrorEnvelope$1(payload) {
 	if (!payload || typeof payload !== "object" || Array.isArray(payload)) return false;
 	const obj = payload;
 	if ("statusCode" in obj) return false;
@@ -13185,7 +13201,7 @@ function translateShapedResponse(payload, version) {
 	const headersIn = payload["headers"];
 	if (headersIn && typeof headersIn === "object" && !Array.isArray(headersIn)) for (const [name, value] of Object.entries(headersIn)) {
 		const lower = name.toLowerCase();
-		const stringValue = stringifyHeaderValue(value);
+		const stringValue = stringifyHeaderValue$1(value);
 		if (lower === "set-cookie") {
 			cookies.push(stringValue);
 			continue;
@@ -13197,7 +13213,7 @@ function translateShapedResponse(payload, version) {
 		if (mvh && typeof mvh === "object" && !Array.isArray(mvh)) for (const [name, values] of Object.entries(mvh)) {
 			if (!Array.isArray(values)) continue;
 			const lower = name.toLowerCase();
-			const stringified = values.map((v) => stringifyHeaderValue(v));
+			const stringified = values.map((v) => stringifyHeaderValue$1(v));
 			if (lower === "set-cookie") {
 				for (const c of stringified) cookies.push(c);
 				continue;
@@ -13242,7 +13258,7 @@ function autoFormatResponse(payload) {
 * comma-joined to match the same dup-coalesce rule used on the request
 * side.
 */
-function stringifyHeaderValue(value) {
+function stringifyHeaderValue$1(value) {
 	if (value === null || value === void 0) return "";
 	if (Array.isArray(value)) return value.map((v) => stringifyValue(v)).join(",");
 	return stringifyValue(value);
@@ -14040,7 +14056,7 @@ function parseAuthorizationHeader(value) {
 *   Signature  = HexEncode(HMAC(SigningKey, StringToSign))
 */
 function computeSignature(req, parsed, secretAccessKey, amzDate) {
-	const { path, query } = splitRawUrl(req.rawUrl);
+	const { path, query } = splitRawUrl$1(req.rawUrl);
 	const canonicalUri = canonicalizePath(path);
 	const canonicalQuery = canonicalizeQueryString(query);
 	const headerLines = [];
@@ -14081,7 +14097,7 @@ function sha256Hex(buf) {
 * Important: keep the path RAW for canonicalization — the canonicalizer
 * does its own URI-encoding so we do NOT decode here.
 */
-function splitRawUrl(rawUrl) {
+function splitRawUrl$1(rawUrl) {
 	const q = rawUrl.indexOf("?");
 	if (q < 0) return {
 		path: rawUrl,
@@ -16669,7 +16685,7 @@ async function buildContainerSpec(args) {
 	let imageRef;
 	let platform;
 	if (lambda.kind === "zip") {
-		codeDir = lambda.codePath ?? materializeInlineCode(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime), inlineTmpDirs);
+		codeDir = lambda.codePath ?? materializeInlineCode$1(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime), inlineTmpDirs);
 		optDir = await materializeLambdaLayers(lambda.layers, layerTmpDirs, layerRoleArn);
 	} else {
 		imageRef = (await resolveContainerImageForStartApi(lambda, skipPull, args.profile)).imageRef;
@@ -16729,7 +16745,7 @@ async function buildContainerSpec(args) {
 		dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
 		if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
 	} else {
-		forwardAwsEnv$1(dockerEnv);
+		forwardAwsEnv$2(dockerEnv);
 		if (profileCredentials) {
 			dockerEnv["AWS_ACCESS_KEY_ID"] = profileCredentials.accessKeyId;
 			dockerEnv["AWS_SECRET_ACCESS_KEY"] = profileCredentials.secretAccessKey;
@@ -17071,7 +17087,7 @@ function formatRestV1IntegrationLabel(integration) {
 * them. (`cdkl invoke` runs once and `--rm` is the right model;
 * `cdkl start-api` lives across requests, so leaks compound.)
 */
-function materializeInlineCode(handler, source, fileExtension, tmpDirsOut) {
+function materializeInlineCode$1(handler, source, fileExtension, tmpDirsOut) {
 	const lastDot = handler.lastIndexOf(".");
 	if (lastDot <= 0) throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
 	const modulePath = handler.substring(0, lastDot);
@@ -17113,7 +17129,7 @@ function readEnvOverridesFile$3(filePath) {
 * handler's AWS SDK calls can authenticate. Used when --assume-role is
 * NOT set for that Lambda — SAM-compatible default.
 */
-function forwardAwsEnv$1(env) {
+function forwardAwsEnv$2(env) {
 	for (const key of [
 		"AWS_ACCESS_KEY_ID",
 		"AWS_SECRET_ACCESS_KEY",
@@ -17615,7 +17631,13 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 	let stopLogs;
 	let sigintHandler;
 	let profileCredsFile;
+	let stateProvider;
 	const cleanup = singleFlight(async () => {
+		if (stateProvider) try {
+			stateProvider.dispose();
+		} catch (err) {
+			getLogger().debug(`state provider dispose failed: ${err instanceof Error ? err.message : String(err)}`);
+		}
 		if (stopLogs) try {
 			stopLogs();
 		} catch (err) {
@@ -17655,12 +17677,19 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			...Object.keys(context).length > 0 && { context }
 		};
 		const { stacks } = await synthesizer.synthesize(synthOpts);
-		const resolved = resolveAgentCoreTarget(await resolveSingleTarget(target, {
+		const resolvedTarget = await resolveSingleTarget(target, {
 			entries: listTargets(stacks).agentCoreRuntimes,
 			message: "Select an AgentCore Runtime to invoke",
 			noun: "AgentCore Runtimes",
 			onMissing: () => new CdkLocalError(`${getEmbedConfig().cliName} invoke-agentcore requires a <target> (an AgentCore Runtime display path or logical ID). Run \`${getEmbedConfig().cliName} list\` to see them, or run it in a TTY to pick interactively.`, "LOCAL_INVOKE_AGENTCORE_TARGET_REQUIRED")
-		}), stacks);
+		});
+		const candidate = pickAgentCoreCandidateStack(resolvedTarget, stacks);
+		stateProvider = createLocalStateProvider(options, candidate?.stackName ?? "", await resolveCfnFallbackRegion(options, candidate?.region), extraStateProviders);
+		const { context: imageContext, loaded: loadedState } = stateProvider && candidate ? await buildAgentCoreImageContext(candidate, stateProvider, options) : {
+			context: void 0,
+			loaded: void 0
+		};
+		const resolved = resolveAgentCoreTarget(resolvedTarget, stacks, imageContext);
 		logger.info(`Target: ${resolved.stack.stackName}/${resolved.logicalId} (${resolved.protocol})`);
 		const isMcp = resolved.protocol === "MCP";
 		const sessionId = options.sessionId ?? randomUUID();
@@ -17671,7 +17700,7 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			if (resolved.jwtAuthorizer || options.bearerToken) logger.info(`MCP runtime: invoking the local container's ${MCP_PATH} directly (vanilla MCP). An inbound JWT / --bearer-token is an AgentCore managed-plane concern and is not applied locally.`);
 		} else authorization = await resolveInboundAuthorization(resolved, options);
 		const image = await resolveAgentCoreImage(resolved, options);
-		const dockerEnv = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, extraStateProviders);
+		const { env: dockerEnv, sensitiveEnvKeys } = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, stateProvider, loadedState, imageContext);
 		const hostPort = await pickFreePort();
 		const containerHost = options.containerHost;
 		const containerName = `${getEmbedConfig().resourceNamePrefix}-agentcore-${process.pid}-${Math.random().toString(36).slice(2, 8)}`;
@@ -17686,7 +17715,8 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			host: containerHost,
 			platform: options.platform,
 			name: containerName,
-			...isMcp && { containerPort: 8e3 }
+			...isMcp && { containerPort: 8e3 },
+			...sensitiveEnvKeys.size > 0 && { sensitiveEnvKeys }
 		});
 		stopLogs = streamLogs(containerId);
 		sigintHandler = () => {
@@ -17818,32 +17848,37 @@ function findFileAssetByObjectKey(fileAssets, hash) {
 	for (const asset of fileAssets.values()) if (Object.values(asset.destinations).some((d) => d.objectKey === zip || d.objectKey.endsWith(`/${zip}`))) return asset;
 }
 /**
-* Build the container env: resolved template env vars (+ `--env-vars`
-* overrides, + `--from-cfn-stack` state substitution) plus AWS credentials
-* (`--assume-role` STS temp creds, else `--profile` / dev creds).
+* Build the container env + the set of env keys to keep off the `docker run`
+* argv. Substitutes `--from-cfn-stack` state into the template env (reusing the
+* shared state load + image-resolution context — Ref / Fn::Sub / Fn::Join +
+* SSM parameters, with decrypted SecureString values flagged sensitive),
+* applies `--env-vars` overrides, then injects AWS credentials (`--assume-role`
+* STS temp creds — resolving an intrinsic RoleArn from state for bare
+* `--assume-role` — else `--profile` / dev creds).
+*
+* The state provider + loaded record + image context are built once by the
+* caller and shared here, so this does not re-load state.
 */
-async function buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, extraStateProviders) {
+async function buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, stateProvider, loaded, imageContext) {
 	const logger = getLogger();
 	let templateEnv = resolved.environmentVariables;
-	const stateProvider = createLocalStateProvider(options, resolved.stack.stackName, await resolveCfnFallbackRegion(options, resolved.stack.region), extraStateProviders);
-	if (stateProvider) try {
-		const loaded = await stateProvider.load(resolved.stack.stackName, resolved.stack.region);
-		if (loaded) {
-			const subContext = {
-				resources: loaded.resources,
-				consumerRegion: loaded.region
-			};
-			const pseudo = derivePseudoParametersFromRegion(loaded.region);
-			if (pseudo) subContext.pseudoParameters = pseudo;
-			const resolver = await stateProvider.buildCrossStackResolver(loaded.region);
-			if (resolver) subContext.crossStackResolver = resolver;
-			const { env, audit } = await substituteEnvVarsFromStateAsync(templateEnv, subContext);
-			templateEnv = env;
-			for (const key of audit.resolvedKeys) logger.debug(`${stateProvider.label}: substituted env var ${key}`);
-			for (const { key, reason } of audit.unresolved) logger.warn(`${stateProvider.label}: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
-		}
-	} finally {
-		stateProvider.dispose();
+	const sensitiveEnvKeys = /* @__PURE__ */ new Set();
+	if (stateProvider && loaded) {
+		const subContext = {
+			resources: imageContext?.stateResources ?? loaded.resources,
+			consumerRegion: loaded.region
+		};
+		const pseudo = imageContext?.pseudoParameters ?? derivePseudoParametersFromRegion(loaded.region);
+		if (pseudo) subContext.pseudoParameters = pseudo;
+		if (imageContext?.stateParameters) subContext.parameters = imageContext.stateParameters;
+		if (imageContext?.stateSensitiveParameters?.length) subContext.sensitiveParameters = new Set(imageContext.stateSensitiveParameters);
+		const resolver = await stateProvider.buildCrossStackResolver(loaded.region);
+		if (resolver) subContext.crossStackResolver = resolver;
+		const { env, audit } = await substituteEnvVarsFromStateAsync(templateEnv, subContext);
+		templateEnv = env;
+		for (const key of audit.resolvedKeys) logger.debug(`${stateProvider.label}: substituted env var ${key}`);
+		for (const key of audit.sensitiveKeys) sensitiveEnvKeys.add(key);
+		for (const { key, reason } of audit.unresolved) logger.warn(`${stateProvider.label}: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
 	}
 	const overrides = readEnvOverridesFile$2(options.envVars);
 	const cdkPath = readCdkPathOrUndefined(resolved.resource);
@@ -17853,7 +17888,7 @@ async function buildContainerEnv(resolved, options, profileCredentials, profileC
 		logger.warn(`Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${overrideKeyExample}":{"${key}":"<literal>"}}), or pass a state-source flag (e.g. --from-cfn-stack) to recover deployed values.`);
 	}
 	const dockerEnv = { ...envResult.resolved };
-	const assumeRoleArn = resolveAssumeRoleArn(options, resolved);
+	const assumeRoleArn = resolveAssumeRoleArn(options, resolved, loaded);
 	await applyAgentCoreCredentialEnv(dockerEnv, {
 		...assumeRoleArn !== void 0 && { assumeRoleArn },
 		...options.region !== void 0 && { region: options.region },
@@ -17863,7 +17898,56 @@ async function buildContainerEnv(resolved, options, profileCredentials, profileC
 			profileName: profileCredsFile.profileName
 		} }
 	});
-	return dockerEnv;
+	return {
+		env: dockerEnv,
+		sensitiveEnvKeys
+	};
+}
+/**
+* Build the `--from-cfn-stack` image-resolution context + return the loaded
+* state record (loaded once, reused by env substitution + role resolution).
+* Mirrors `run-task`'s `buildEcsImageResolutionContext`: pseudo parameters
+* (region + STS account id), the deployed resources, and SSM template
+* parameters (decrypted SecureString logical ids flagged sensitive).
+*/
+async function buildAgentCoreImageContext(candidate, stateProvider, options) {
+	const logger = getLogger();
+	const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
+	let accountId;
+	try {
+		accountId = await resolveCallerAccountId$2(region, options.profile);
+	} catch (err) {
+		logger.warn(`--from-cfn-stack: STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. A same-stack ECR image URI referencing \${AWS::AccountId} may not resolve.`);
+	}
+	const context = {};
+	const pseudo = derivePseudoParametersFromRegion(region, accountId);
+	if (pseudo) context.pseudoParameters = pseudo;
+	const loaded = await stateProvider.load(candidate.stackName, candidate.region);
+	if (loaded) {
+		context.stateResources = loaded.resources;
+		if (stateProvider.resolveTemplateSsmParameters) {
+			const ssm = await stateProvider.resolveTemplateSsmParameters(candidate.template);
+			if (Object.keys(ssm.values).length > 0) context.stateParameters = ssm.values;
+			if (ssm.secureStringLogicalIds.length > 0) context.stateSensitiveParameters = ssm.secureStringLogicalIds;
+		}
+	}
+	return {
+		context,
+		loaded: loaded ?? void 0
+	};
+}
+/** STS `GetCallerIdentity` for the `${AWS::AccountId}` pseudo parameter (threads `--profile`). */
+async function resolveCallerAccountId$2(region, profile) {
+	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
+	const sts = new STSClient({
+		...region && { region },
+		...profile && { profile }
+	});
+	try {
+		return (await sts.send(new GetCallerIdentityCommand({}))).Account;
+	} finally {
+		sts.destroy();
+	}
 }
 /**
 * Inject AWS credentials into the container env. Precedence:
@@ -17893,7 +17977,7 @@ async function applyAgentCoreCredentialEnv(dockerEnv, args) {
 		}
 	}
 	if (!assumeSucceeded) {
-		forwardAwsEnv(dockerEnv);
+		forwardAwsEnv$1(dockerEnv);
 		applyProfileCredentialsOverlay(dockerEnv, args.profileCredentials, false);
 		if (args.profileCredsFile) {
 			dockerEnv["AWS_SHARED_CREDENTIALS_FILE"] = args.profileCredsFile.containerPath;
@@ -17903,14 +17987,23 @@ async function applyAgentCoreCredentialEnv(dockerEnv, args) {
 }
 /**
 * Resolve the role ARN to assume, honoring the three `--assume-role` forms.
-* Bare `--assume-role` uses the runtime's literal `RoleArn`; warns when it
-* is an intrinsic (no ARN to assume) and falls back to dev creds.
+* Bare `--assume-role` uses the runtime's literal `RoleArn`; when that is an
+* intrinsic (the common L2 case — `Fn::GetAtt` to an auto-created role) it
+* resolves the execution-role ARN from `--from-cfn-stack` state, and only
+* warns + falls back to dev creds when neither is available.
 */
-function resolveAssumeRoleArn(options, resolved) {
+function resolveAssumeRoleArn(options, resolved, loaded) {
 	if (typeof options.assumeRole === "string") return options.assumeRole;
 	if (options.assumeRole === true) {
 		if (resolved.roleArn) return resolved.roleArn;
-		getLogger().warn("--assume-role passed without an ARN, but the runtime's RoleArn is not a literal ARN in the template. Pass the ARN explicitly: --assume-role <arn>. Falling back to the developer's shell credentials.");
+		if (loaded) {
+			const fromState = resolveExecutionRoleArnFromState(loaded, resolved.logicalId, "RoleArn");
+			if (fromState) {
+				getLogger().debug(`--assume-role: resolved RoleArn from state: ${fromState}`);
+				return fromState;
+			}
+		}
+		getLogger().warn("--assume-role passed without an ARN, but the runtime's RoleArn is not a literal ARN in the template " + (loaded ? "and could not be resolved from the deployed stack state. " : "and no --from-cfn-stack state is available to resolve it. ") + "Pass the ARN explicitly: --assume-role <arn>. Falling back to the developer's shell credentials.");
 	}
 }
 function emitResult(result) {
@@ -17962,7 +18055,7 @@ function emitMcpResult(result) {
 function platformToArchitecture(platform) {
 	return platform === "linux/amd64" ? "x86_64" : "arm64";
 }
-function forwardAwsEnv(env) {
+function forwardAwsEnv$1(env) {
 	for (const key of [
 		"AWS_ACCESS_KEY_ID",
 		"AWS_SECRET_ACCESS_KEY",
@@ -20606,6 +20699,203 @@ var FrontDoorEndpointPool = class {
 	}
 };
+//#endregion
+//#region src/local/alb-lambda-event.ts
+/** Content types ALB treats as text (body sent verbatim, `isBase64Encoded: false`). */
+function isTextualContentType(contentType) {
+	const ct = contentType.toLowerCase();
+	return ct.startsWith("text/") || ct.startsWith("application/json") || ct.startsWith("application/javascript") || ct.startsWith("application/xml");
+}
+/**
+* Build a `AlbHttpRequestSnapshot` from a live `node:http` request plus the
+* already-buffered body. Header values arrive as `string | string[]`; this
+* normalizes them to `string[]` (preserving multi-value) the builder expects.
+*/
+function snapshotFromIncoming(req, body) {
+	const headers = {};
+	for (const [name, value] of Object.entries(req.headers)) {
+		if (value === void 0) continue;
+		headers[name] = Array.isArray(value) ? value : [value];
+	}
+	return {
+		method: (req.method ?? "GET").toUpperCase(),
+		rawUrl: req.url ?? "/",
+		headers,
+		body
+	};
+}
+/** Split a raw URL into its path (query-stripped, not decoded) and raw query string. */
+function splitRawUrl(rawUrl) {
+	const hashIdx = rawUrl.indexOf("#");
+	const noHash = hashIdx === -1 ? rawUrl : rawUrl.slice(0, hashIdx);
+	const qIdx = noHash.indexOf("?");
+	if (qIdx === -1) return {
+		path: noHash,
+		rawQuery: ""
+	};
+	return {
+		path: noHash.slice(0, qIdx),
+		rawQuery: noHash.slice(qIdx + 1)
+	};
+}
+/**
+* Parse a raw query string into single + multi-value maps. ALB does NOT decode
+* query parameters (the docs explicitly say "If the query parameters are
+* URL-encoded, the load balancer does not decode them"), so values are kept
+* verbatim. A bare `?flag` key yields the empty string value.
+*/
+function parseQuery(rawQuery) {
+	const single = {};
+	const multi = {};
+	if (rawQuery.length === 0) return {
+		single,
+		multi
+	};
+	for (const pair of rawQuery.split("&")) {
+		if (pair.length === 0) continue;
+		const eq = pair.indexOf("=");
+		const key = eq === -1 ? pair : pair.slice(0, eq);
+		const value = eq === -1 ? "" : pair.slice(eq + 1);
+		single[key] = value;
+		(multi[key] ??= []).push(value);
+	}
+	return {
+		single,
+		multi
+	};
+}
+/**
+* Build the single + multi-value header maps. Names are lowercased; the single
+* map keeps the LAST value (ALB default-format), the multi map keeps every
+* value in arrival order.
+*/
+function buildHeaderMaps(headers) {
+	const single = {};
+	const multi = {};
+	for (const [name, values] of Object.entries(headers)) {
+		const lower = name.toLowerCase();
+		const list = values.slice();
+		multi[lower] = list;
+		if (list.length > 0) single[lower] = list[list.length - 1];
+	}
+	return {
+		single,
+		multi
+	};
+}
+/** Header lookup that tolerates the case-folded multi-value request map. */
+function firstHeader(headers, name) {
+	const lower = name.toLowerCase();
+	for (const [k, v] of Object.entries(headers)) if (k.toLowerCase() === lower) return v[0];
+}
+/**
+* Build the ALB Lambda-target invocation event from an HTTP request snapshot.
+* Emits exactly the single-value OR multi-value variant per
+* `opts.multiValueHeaders`.
+*/
+function buildAlbLambdaEvent(req, opts) {
+	const { path, rawQuery } = splitRawUrl(req.rawUrl);
+	const query = parseQuery(rawQuery);
+	const headerMaps = buildHeaderMaps(req.headers);
+	const contentEncoding = firstHeader(req.headers, "content-encoding");
+	const contentType = firstHeader(req.headers, "content-type") ?? "";
+	const isBase64Encoded = req.body.length > 0 && (contentEncoding !== void 0 ? true : !isTextualContentType(contentType));
+	const body = isBase64Encoded ? req.body.toString("base64") : req.body.toString("utf-8");
+	const event = {
+		requestContext: { elb: { targetGroupArn: opts.targetGroupArn } },
+		httpMethod: req.method,
+		path,
+		isBase64Encoded,
+		body
+	};
+	if (opts.multiValueHeaders) {
+		event["multiValueHeaders"] = headerMaps.multi;
+		event["multiValueQueryStringParameters"] = query.multi;
+	} else {
+		event["headers"] = headerMaps.single;
+		event["queryStringParameters"] = query.single;
+	}
+	return event;
+}
+/** A Lambda RIE error envelope (`{errorMessage, errorType, ...}`) with no statusCode. */
+function isErrorEnvelope(payload) {
+	if (!payload || typeof payload !== "object" || Array.isArray(payload)) return false;
+	const obj = payload;
+	if ("statusCode" in obj) return false;
+	return typeof obj["errorMessage"] === "string";
+}
+/**
+* The canonical 502 a real ALB returns when a Lambda target's response is
+* malformed (missing/invalid `statusCode`, non-object payload, or a runtime
+* error envelope). Plain-text body, mirroring ALB's own 502 page shape closely
+* enough for local dev.
+*/
+function badGatewayResponse() {
+	const body = Buffer.from("<html><body><h1>502 Bad Gateway</h1></body></html>", "utf-8");
+	return {
+		statusCode: 502,
+		statusDescription: "502 Bad Gateway",
+		headers: {
+			"content-type": ["text/html"],
+			"content-length": [String(body.length)]
+		},
+		body
+	};
+}
+function stringifyHeaderValue(value) {
+	if (value === null || value === void 0) return "";
+	if (typeof value === "string") return value;
+	if (typeof value === "number" || typeof value === "boolean" || typeof value === "bigint") return String(value);
+	return JSON.stringify(value) ?? "";
+}
+/**
+* Translate a Lambda ALB-target response payload into HTTP components.
+*
+* A well-formed response is an object with a numeric `statusCode`. Headers come
+* from `headers` (single-value) and/or `multiValueHeaders` (array-valued); ALB
+* accepts either regardless of the request-side multi-value setting, so both
+* are honored here (multiValueHeaders extend / append to the single map).
+* `body` is optional; `isBase64Encoded: true` means the body is base64 and is
+* decoded to raw bytes.
+*
+* Anything else -> 502 (matching a real ALB), incl. a runtime error envelope.
+*/
+function translateAlbLambdaResponse(payload) {
+	if (isErrorEnvelope(payload)) return badGatewayResponse();
+	if (!payload || typeof payload !== "object" || Array.isArray(payload)) return badGatewayResponse();
+	const obj = payload;
+	const statusRaw = obj["statusCode"];
+	if (typeof statusRaw !== "number" || !Number.isFinite(statusRaw)) return badGatewayResponse();
+	const statusCode = Math.trunc(statusRaw);
+	const isBase64 = obj["isBase64Encoded"] === true;
+	const rawBody = obj["body"];
+	let body;
+	if (rawBody === void 0 || rawBody === null) body = Buffer.alloc(0);
+	else if (typeof rawBody === "string") body = isBase64 ? Buffer.from(rawBody, "base64") : Buffer.from(rawBody, "utf-8");
+	else body = Buffer.from(JSON.stringify(rawBody), "utf-8");
+	const headers = {};
+	const addHeader = (name, value) => {
+		const lower = name.toLowerCase();
+		(headers[lower] ??= []).push(value);
+	};
+	const singleHeaders = obj["headers"];
+	if (singleHeaders && typeof singleHeaders === "object" && !Array.isArray(singleHeaders)) for (const [name, value] of Object.entries(singleHeaders)) addHeader(name, stringifyHeaderValue(value));
+	const multiHeaders = obj["multiValueHeaders"];
+	if (multiHeaders && typeof multiHeaders === "object" && !Array.isArray(multiHeaders)) for (const [name, values] of Object.entries(multiHeaders)) {
+		if (!Array.isArray(values)) continue;
+		for (const v of values) addHeader(name, stringifyHeaderValue(v));
+	}
+	headers["content-length"] = [String(body.length)];
+	const result = {
+		statusCode,
+		headers,
+		body
+	};
+	const statusDescription = obj["statusDescription"];
+	if (typeof statusDescription === "string" && statusDescription.length > 0) result.statusDescription = statusDescription;
+	return result;
+}
 //#endregion
 //#region src/local/front-door-server.ts
 /** Default per-request upstream timeout — a hung replica yields a 504, not a hang. */
@@ -20646,31 +20936,56 @@ async function startFrontDoorServer(opts) {
 		}
 	};
 }
+/**
+* Resolve the dispatch target for a request path from whichever selector the
+* caller supplied. `selectTarget` (#123, ECS-or-Lambda) wins over the
+* pool-only `selectPool`; a `selectPool` hit is adapted to a `kind: 'pool'`
+* target so the request handler has a single code path.
+*/
+function resolveDispatchTarget(opts, requestPath) {
+	if (opts.selectTarget) return opts.selectTarget(requestPath);
+	if (opts.selectPool) {
+		const pool = opts.selectPool(requestPath);
+		return pool ? {
+			kind: "pool",
+			pool
+		} : void 0;
+	}
+}
 function handleProxyRequest(req, res, opts) {
-	return new Promise((resolve) => {
-		const url = req.url ?? "/";
+	const url = req.url ?? "/";
+	if (opts.route) {
 		const action = opts.route({
 			path: url,
 			...hostHeader(req)
 		});
-		if (!action) {
-			writeError(res, 404, `No listener rule matched '${url}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
-			resolve();
-			return;
-		}
+		if (!action) return reply404(req, res, opts);
 		if (action.kind === "redirect" || action.kind === "fixed-response") {
 			req.resume();
 			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort);
 			else writeFixedResponse(res, action);
-			resolve();
-			return;
+			return Promise.resolve();
 		}
-		const pool = pickWeightedPool(action.pools);
-		if (!pool) {
+		const picked = pickWeightedTarget(action.pools);
+		if (!picked) {
 			writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
-			resolve();
-			return;
+			return Promise.resolve();
 		}
+		if ("lambda" in picked) return handleLambdaRequest(req, res, picked.lambda, opts);
+		return handlePoolRequest(req, res, picked.pool, opts);
+	}
+	const target = resolveDispatchTarget(opts, url);
+	if (!target) return reply404(req, res, opts);
+	if (target.kind === "lambda") return handleLambdaRequest(req, res, target.lambda, opts);
+	return handlePoolRequest(req, res, target.pool, opts);
+}
+/** Reply 404 — an ALB listener with no matching rule and no default action. */
+function reply404(req, res, opts) {
+	writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
+	return Promise.resolve();
+}
+function handlePoolRequest(req, res, pool, opts) {
+	return new Promise((resolve) => {
 		const endpoint = pool.next();
 		if (!endpoint) {
 			writeError(res, 503, `No running replicas behind ${opts.label} for the matched target. The front-door has no healthy target to forward to.`);
@@ -20727,23 +21042,24 @@ function hostHeader(req) {
 	return host ? { host } : {};
 }
 /**
-* Pick one pool from a weighted set: weighted random over the non-zero weights.
-* A single-entry set short-circuits to that pool. Returns `undefined` when
-* every weight is 0 (an ALB-valid but un-routable forward).
+* Pick one weighted target from a forward set: weighted random over the
+* non-zero weights. A single-entry set short-circuits to that entry. Returns
+* `undefined` when every weight is 0 (an ALB-valid but un-routable forward).
+* Used for forwards that may mix ECS pools and Lambda invokers.
 */
-function pickWeightedPool(pools) {
-	if (pools.length === 0) return void 0;
-	if (pools.length === 1) return pools[0].weight > 0 ? pools[0].pool : void 0;
-	const total = pools.reduce((sum, p) => sum + Math.max(0, p.weight), 0);
+function pickWeightedTarget(targets) {
+	if (targets.length === 0) return void 0;
+	if (targets.length === 1) return targets[0].weight > 0 ? targets[0] : void 0;
+	const total = targets.reduce((sum, t) => sum + Math.max(0, t.weight), 0);
 	if (total <= 0) return void 0;
 	let roll = Math.random() * total;
-	for (const p of pools) {
-		const w = Math.max(0, p.weight);
+	for (const t of targets) {
+		const w = Math.max(0, t.weight);
 		if (w === 0) continue;
 		roll -= w;
-		if (roll < 0) return p.pool;
+		if (roll < 0) return t;
 	}
-	for (let i = pools.length - 1; i >= 0; i--) if (Math.max(0, pools[i].weight) > 0) return pools[i].pool;
+	for (let i = targets.length - 1; i >= 0; i--) if (Math.max(0, targets[i].weight) > 0) return targets[i];
 }
 /**
 * Synthesize an ALB-style redirect (301 / 302). ALB builds the `Location` from
@@ -20791,6 +21107,82 @@ function writeFixedResponse(res, action) {
 	});
 	res.end(body);
 }
+/** Maximum request body the ALB Lambda-target path buffers (ALB's own limit is 1 MB). */
+const ALB_LAMBDA_MAX_BODY_BYTES = 1024 * 1024;
+/**
+* Serve a request that resolved to a Lambda forward target (#123). Buffers the
+* request body (ALB caps the Lambda-target request body at 1 MB), translates
+* the request into the ALB Lambda-target event, invokes the function locally,
+* and writes the translated response. A malformed handler response or an
+* invoke failure surfaces as 502 — mirroring a real ALB.
+*/
+function handleLambdaRequest(req, res, lambda, opts) {
+	const logger = getLogger().child("front-door");
+	return new Promise((resolve) => {
+		let settled = false;
+		const done = () => {
+			if (settled) return;
+			settled = true;
+			resolve();
+		};
+		const chunks = [];
+		let total = 0;
+		let aborted = false;
+		req.on("data", (chunk) => {
+			if (aborted) return;
+			total += chunk.length;
+			if (total > ALB_LAMBDA_MAX_BODY_BYTES) {
+				aborted = true;
+				writeError(res, 413, `Request body exceeds the ${ALB_LAMBDA_MAX_BODY_BYTES}-byte Lambda-target limit on ${opts.label}.`);
+				req.destroy();
+				done();
+				return;
+			}
+			chunks.push(chunk);
+		});
+		req.on("error", () => {
+			if (!res.headersSent) writeError(res, 400, `Failed to read request body on ${opts.label}.`);
+			done();
+		});
+		req.on("end", () => {
+			if (aborted) return;
+			const serveLambda = async () => {
+				try {
+					const body = Buffer.concat(chunks);
+					const forwardHeaders = { ...req.headers };
+					stripHopByHopHeaders(forwardHeaders);
+					appendForwardedHeaders(forwardHeaders, req, opts.listenerPort);
+					const snapshot = snapshotFromIncoming(req, body);
+					for (const [name, value] of Object.entries(forwardHeaders)) {
+						if (value === void 0) continue;
+						snapshot.headers[name] = Array.isArray(value) ? value : [value];
+					}
+					const event = buildAlbLambdaEvent(snapshot, {
+						targetGroupArn: lambda.targetGroupArn,
+						multiValueHeaders: lambda.multiValueHeaders
+					});
+					const translated = translateAlbLambdaResponse(await lambda.invoke(event));
+					if (res.headersSent || res.writableEnded) {
+						done();
+						return;
+					}
+					const outHeaders = {};
+					for (const [name, values] of Object.entries(translated.headers)) outHeaders[name] = values.length === 1 ? values[0] : values;
+					if (translated.statusDescription) res.writeHead(translated.statusCode, translated.statusDescription, outHeaders);
+					else res.writeHead(translated.statusCode, outHeaders);
+					res.end(translated.body);
+					done();
+				} catch (err) {
+					logger.debug(`Lambda target '${lambda.label}' request failed: ${err instanceof Error ? err.message : String(err)}`);
+					if (!res.headersSent) writeError(res, 502, `Lambda target '${lambda.label}' behind ${opts.label} failed.`);
+					else if (!res.writableEnded) res.destroy();
+					done();
+				}
+			};
+			serveLambda();
+		});
+	});
+}
 /** Standard hop-by-hop headers (RFC 7230 §6.1) — a proxy must not forward these. */
 const HOP_BY_HOP_HEADERS = [
 	"connection",
@@ -20915,6 +21307,186 @@ function globToRegExp(pattern, caseInsensitive) {
 	return new RegExp(`^${body}$`);
 }
+//#endregion
+//#region src/local/front-door-lambda-runner.ts
+/** Forward the dev shell's AWS credential / region env into the Lambda container. */
+function forwardAwsEnv() {
+	const env = {};
+	for (const key of [
+		"AWS_ACCESS_KEY_ID",
+		"AWS_SECRET_ACCESS_KEY",
+		"AWS_SESSION_TOKEN",
+		"AWS_REGION",
+		"AWS_DEFAULT_REGION"
+	]) {
+		const value = process.env[key];
+		if (value !== void 0) env[key] = value;
+	}
+	return env;
+}
+/**
+* Materialize an inline (`Code.ZipFile`) ZIP Lambda's source into a temp dir at
+* the path implied by `handler`, returning the dir to bind-mount. Mirrors
+* `local-invoke.ts:materializeInlineCode`.
+*/
+function materializeInlineCode(handler, source, fileExtension) {
+	const lastDot = handler.lastIndexOf(".");
+	if (lastDot <= 0) throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
+	const modulePath = handler.substring(0, lastDot);
+	const dir = mkdtempSync(path.join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-alb-lambda-`));
+	const filePath = path.join(dir, `${modulePath}${fileExtension}`);
+	mkdirSync(path.dirname(filePath), { recursive: true });
+	writeFileSync(filePath, source, "utf-8");
+	return dir;
+}
+async function resolveZipImagePlan(lambda, opts) {
+	let inlineTmpDir;
+	let codeDir = lambda.codePath;
+	if (codeDir === null) {
+		inlineTmpDir = materializeInlineCode(lambda.handler, lambda.inlineCode ?? "", resolveRuntimeFileExtension(lambda.runtime));
+		codeDir = inlineTmpDir;
+	}
+	const image = resolveRuntimeImage(lambda.runtime);
+	await pullImage(image, opts.skipPull === true);
+	const containerCodePath = resolveRuntimeCodeMountPath(lambda.runtime);
+	return {
+		image,
+		mounts: [{
+			hostPath: codeDir,
+			containerPath: containerCodePath,
+			readOnly: true
+		}],
+		cmd: [lambda.handler],
+		...inlineTmpDir !== void 0 && { inlineTmpDir }
+	};
+}
+async function resolveContainerImagePlan(lambda, opts) {
+	const logger = getLogger().child("front-door-lambda");
+	const platform = opts.platformOverride ?? architectureToPlatform(lambda.architecture);
+	const manifestPath = lambda.stack.assetManifestPath;
+	let imageRef;
+	let localBuilt = false;
+	if (manifestPath) {
+		const cdkOutDir = path.dirname(manifestPath);
+		const manifest = await new AssetManifestLoader().loadManifest(cdkOutDir, lambda.stack.stackName);
+		const entry = manifest ? getDockerImageBySourceHash(manifest, lambda.imageUri) : void 0;
+		if (entry) {
+			imageRef = await buildContainerImage(entry.asset, cdkOutDir, { architecture: lambda.architecture });
+			localBuilt = true;
+		}
+	}
+	if (!localBuilt) {
+		if (!parseEcrUri(lambda.imageUri)) throw new Error(`Container Lambda '${lambda.logicalId}' has no matching asset in cdk.out, and Code.ImageUri '${lambda.imageUri}' is not an ECR URI ${getEmbedConfig().binaryName} can authenticate against. Re-synthesize the CDK app or deploy the image to ECR first.`);
+		logger.info(`No matching cdk.out asset for ${lambda.imageUri}; falling back to ECR pull...`);
+		imageRef = await pullEcrImage(lambda.imageUri, {
+			skipPull: opts.skipPull === true,
+			...opts.region !== void 0 && { region: opts.region },
+			...opts.ecrRoleArn !== void 0 && { ecrRoleArn: opts.ecrRoleArn }
+		});
+	}
+	return {
+		image: imageRef,
+		mounts: [],
+		cmd: lambda.imageConfig.command ?? [],
+		platform,
+		...lambda.imageConfig.entryPoint && lambda.imageConfig.entryPoint.length > 0 && { entryPoint: lambda.imageConfig.entryPoint },
+		...lambda.imageConfig.workingDirectory !== void 0 && { workingDir: lambda.imageConfig.workingDirectory }
+	};
+}
+/**
+* Build a {@link FrontDoorLambdaRunner} for a resolved Lambda. Construction is
+* pure (no docker work); `start()` does the boot. The invoke timeout defaults
+* to `max(30s, timeoutSec * 2 * 1000)` — same formula as `cdkl invoke`.
+*/
+function createFrontDoorLambdaRunner(lambda, opts) {
+	const logger = getLogger().child("front-door-lambda");
+	const defaultTimeoutMs = Math.max(3e4, lambda.timeoutSec * 2 * 1e3);
+	let plan;
+	let containerId;
+	let hostPort;
+	let stopLogStream;
+	let starting;
+	let stopped = false;
+	async function doStart() {
+		plan = lambda.kind === "zip" ? await resolveZipImagePlan(lambda, opts) : await resolveContainerImagePlan(lambda, opts);
+		const port = await pickFreePort();
+		hostPort = port;
+		const name = `${getEmbedConfig().resourceNamePrefix}-alblambda-${lambda.logicalId}-${process.pid}-${Math.floor(Math.random() * 1e6)}`;
+		const env = {
+			AWS_LAMBDA_FUNCTION_NAME: lambda.logicalId,
+			AWS_LAMBDA_FUNCTION_MEMORY_SIZE: String(lambda.memoryMb),
+			AWS_LAMBDA_FUNCTION_TIMEOUT: String(lambda.timeoutSec),
+			AWS_LAMBDA_FUNCTION_VERSION: "$LATEST",
+			AWS_LAMBDA_LOG_GROUP_NAME: `/aws/lambda/${lambda.logicalId}`,
+			AWS_LAMBDA_LOG_STREAM_NAME: "local",
+			...forwardAwsEnv()
+		};
+		logger.info(`Starting Lambda target container for ${lambda.logicalId} (image=${plan.image}, port=${port})...`);
+		const id = await runDetached({
+			image: plan.image,
+			mounts: plan.mounts,
+			env,
+			cmd: plan.cmd,
+			hostPort: port,
+			host: opts.containerHost,
+			name,
+			...plan.platform !== void 0 && { platform: plan.platform },
+			...plan.entryPoint !== void 0 && { entryPoint: plan.entryPoint },
+			...plan.workingDir !== void 0 && { workingDir: plan.workingDir }
+		});
+		containerId = id;
+		stopLogStream = opts.streamLogs === false ? void 0 : streamLogs(id);
+		try {
+			await waitForRieReady(opts.containerHost, port, 3e4);
+		} catch (err) {
+			try {
+				stopLogStream?.();
+			} catch {}
+			await removeContainer(id).catch(() => void 0);
+			containerId = void 0;
+			throw err;
+		}
+	}
+	return {
+		logicalId: lambda.logicalId,
+		async start() {
+			if (stopped) throw new Error("FrontDoorLambdaRunner.start called after stop");
+			if (containerId) return;
+			if (!starting) starting = doStart();
+			await starting;
+		},
+		async invoke(event, timeoutMs) {
+			if (!containerId || hostPort === void 0) throw new Error(`FrontDoorLambdaRunner('${lambda.logicalId}').invoke called before start() completed.`);
+			return (await invokeRie(opts.containerHost, hostPort, event, timeoutMs ?? defaultTimeoutMs)).payload;
+		},
+		async stop() {
+			if (stopped) return;
+			stopped = true;
+			try {
+				stopLogStream?.();
+			} catch (err) {
+				logger.debug(`stopLogStream(${lambda.logicalId}) failed: ${err instanceof Error ? err.message : String(err)}`);
+			}
+			if (containerId) {
+				try {
+					await removeContainer(containerId);
+				} catch (err) {
+					logger.warn(`Failed to remove Lambda target container for ${lambda.logicalId}: ${err instanceof Error ? err.message : String(err)}. Continuing cleanup.`);
+				}
+				containerId = void 0;
+			}
+			if (plan?.inlineTmpDir) try {
+				rmSync(plan.inlineTmpDir, {
+					recursive: true,
+					force: true
+				});
+			} catch (err) {
+				logger.debug(`Failed to remove inline-code tmpdir ${plan.inlineTmpDir}: ${err instanceof Error ? err.message : String(err)}`);
+			}
+		}
+	};
+}
 //#endregion
 //#region src/cli/commands/ecs-service-emulator.ts
 /**
@@ -20935,6 +21507,7 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 	let profileCredsFile;
 	let frontDoorServers = [];
 	let frontDoorByService = /* @__PURE__ */ new Map();
+	let frontDoorLambdaRunners = [];
 	const cleanup = singleFlight(async () => {
 		await Promise.allSettled(perTarget.map(async (pt) => {
 			if (pt.controller) await pt.controller.shutdown();
@@ -20945,6 +21518,8 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 		}));
 		await Promise.allSettled(frontDoorServers.map((s) => s.close().catch((err) => getLogger().warn(`front-door server teardown failed: ${err instanceof Error ? err.message : String(err)}`))));
 		frontDoorServers = [];
+		await Promise.allSettled(frontDoorLambdaRunners.map((r) => r.stop().catch((err) => getLogger().warn(`front-door Lambda target teardown failed: ${err instanceof Error ? err.message : String(err)}`))));
+		frontDoorLambdaRunners = [];
 		if (profileCredsFile) {
 			try {
 				await profileCredsFile.dispose();
@@ -20989,7 +21564,8 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 		});
 		const { boots, frontDoor, warnings } = strategy.resolveBoots(stacks, resolvedTargets);
 		for (const w of warnings) logger.warn(w);
-		if (boots.length === 0) throw new LocalStartServiceError(`No runnable ECS service resolved from ${resolvedTargets.join(", ")}.`);
+		const hasFrontDoorListeners = !!frontDoor && frontDoor.listeners.length > 0;
+		if (boots.length === 0 && !hasFrontDoorListeners) throw new LocalStartServiceError(`No runnable target resolved from ${resolvedTargets.join(", ")}.`);
 		rejectExplicitCfnStackWithMultipleStacks(options, boots.length);
 		perTarget = boots.map((boot) => ({
 			boot,
@@ -21020,9 +21596,10 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 			sharedNetwork
 		};
 		if (frontDoor && frontDoor.listeners.length > 0) {
-			const built = await buildFrontDoor(frontDoor, options.containerHost, logger);
+			const built = await buildFrontDoor(frontDoor, options, logger);
 			frontDoorServers = built.servers;
 			frontDoorByService = built.frontDoorByService;
+			frontDoorLambdaRunners = built.lambdaRunners;
 		}
 		sigintHandler = () => {
 			sigintCount += 1;
@@ -21036,10 +21613,13 @@ async function runEcsServiceEmulator(targets, options, strategy, extraStateProvi
 		process.on("SIGINT", sigintHandler);
 		process.on("SIGTERM", sigintHandler);
 		for (const pt of perTarget) pt.controller = await bootOneTarget(pt.boot, pt.runState, stacks, options, discovery, skipPull, extraStateProviders, profileCredsFile, frontDoorByService.get(pt.boot.target));
-		const summary = perTarget.map((pt) => `${pt.controller.service.serviceName} (${pt.controller.activeReplicaCount()} replica(s))`).join(", ");
-		logger.info(`Service(s) running: ${summary}.`);
+		if (perTarget.length > 0) {
+			const summary = perTarget.map((pt) => `${pt.controller.service.serviceName} (${pt.controller.activeReplicaCount()} replica(s))`).join(", ");
+			logger.info(`Service(s) running: ${summary}.`);
+		} else logger.info(`Service(s) running: ${frontDoorLambdaRunners.length} Lambda target(s) behind the ALB front-door.`);
 		logger.info("Press ^C to shut down.");
-		await Promise.all(perTarget.map((pt) => pt.controller.waitForShutdown()));
+		if (perTarget.length > 0) await Promise.all(perTarget.map((pt) => pt.controller.waitForShutdown()));
+		else await new Promise(() => {});
 	} finally {
 		if (sigintHandler) {
 			process.off("SIGINT", sigintHandler);
@@ -21137,28 +21717,63 @@ async function runOneTarget(boot, runState, stacks, options, discovery, skipPull
 * already in use) every server started so far is closed and the error is
 * re-thrown with a `--lb-port` hint.
 */
-async function buildFrontDoor(plan, containerHost, logger) {
+async function buildFrontDoor(plan, options, logger) {
+	const containerHost = options.containerHost;
 	const servers = [];
-	const registry = /* @__PURE__ */ new Map();
-	const poolFor = (t) => {
+	const poolRegistry = /* @__PURE__ */ new Map();
+	const lambdaRegistry = /* @__PURE__ */ new Map();
+	const dispatchFor = (t) => {
+		if (t.kind === "lambda") {
+			let runner = lambdaRegistry.get(t.lambda.logicalId);
+			if (!runner) {
+				runner = createFrontDoorLambdaRunner(t.lambda, {
+					containerHost,
+					skipPull: options.pull === false,
+					...options.platform !== void 0 && { platformOverride: options.platform },
+					...options.ecrRoleArn !== void 0 && { ecrRoleArn: options.ecrRoleArn },
+					...options.region !== void 0 && { region: options.region }
+				});
+				lambdaRegistry.set(t.lambda.logicalId, runner);
+			}
+			const boundRunner = runner;
+			return {
+				kind: "lambda",
+				lambda: {
+					targetGroupArn: t.targetGroupArn,
+					multiValueHeaders: t.multiValueHeaders,
+					label: t.lambda.logicalId,
+					invoke: (event) => boundRunner.invoke(event)
+				}
+			};
+		}
 		const key = `${t.serviceTarget} ${t.targetContainerName} ${t.targetContainerPort}`;
-		let entry = registry.get(key);
+		let entry = poolRegistry.get(key);
 		if (!entry) {
 			entry = {
 				pool: new FrontDoorEndpointPool(),
 				target: t
 			};
-			registry.set(key, entry);
+			poolRegistry.set(key, entry);
 		}
-		return entry.pool;
+		return {
+			kind: "pool",
+			pool: entry.pool
+		};
+	};
+	const weightedTargetFor = (t) => {
+		const dispatch = dispatchFor(t);
+		return dispatch.kind === "lambda" ? {
+			lambda: dispatch.lambda,
+			weight: t.weight
+		} : {
+			pool: dispatch.pool,
+			weight: t.weight
+		};
 	};
 	const toRouteAction = (action) => {
 		if (action.kind === "forward") return {
 			kind: "forward",
-			pools: action.targets.map((t) => ({
-				pool: poolFor(t),
-				weight: t.weight
-			}))
+			pools: action.targets.map(weightedTargetFor)
 		};
 		if (action.kind === "redirect") return {
 			kind: "redirect",
@@ -21199,12 +21814,17 @@ async function buildFrontDoor(plan, containerHost, logger) {
 			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  ${describeConditions(r)} (priority ${r.priority}) -> ${describeAction(r.action)}`);
 			if (!listener.defaultAction) logger.info("  (no default action: unmatched requests return 404)");
 		}
+		for (const runner of lambdaRegistry.values()) {
+			logger.info(`Booting Lambda target '${runner.logicalId}' behind the ALB front-door...`);
+			await runner.start();
+		}
 	} catch (err) {
 		await Promise.allSettled(servers.map((s) => s.close()));
+		await Promise.allSettled([...lambdaRegistry.values()].map((r) => r.stop()));
 		throw new LocalStartServiceError(`Failed to start ALB front-door: ${err instanceof Error ? err.message : String(err)}. If a listener port is privileged (< 1024), remap it to a non-privileged host port with --lb-port <listenerPort>=<hostPort> (e.g. --lb-port 80=8080).`);
 	}
 	const frontDoorByService = /* @__PURE__ */ new Map();
-	for (const { pool, target } of registry.values()) {
+	for (const { pool, target } of poolRegistry.values()) {
 		const list = frontDoorByService.get(target.serviceTarget) ?? [];
 		list.push({
 			pool,
@@ -21215,7 +21835,8 @@ async function buildFrontDoor(plan, containerHost, logger) {
 	}
 	return {
 		servers,
-		frontDoorByService
+		frontDoorByService,
+		lambdaRunners: [...lambdaRegistry.values()]
 	};
 }
 /** Human-readable summary of a planned rule's path / host conditions (for the boot banner). */
@@ -21229,11 +21850,17 @@ function describeConditions(rule) {
 function describeAction(action) {
 	if (action.kind === "redirect") return `redirect ${action.statusCode}`;
 	if (action.kind === "fixed-response") return `fixed-response ${action.statusCode}`;
-	if (action.targets.length === 1) {
-		const t = action.targets[0];
-		return `${t.serviceTarget} (container ${t.targetContainerName}:${t.targetContainerPort}) (round-robin)`;
-	}
-	return `weighted forward [${action.targets.map((t) => `${t.serviceTarget}@${t.weight}`).join(", ")}]`;
+	if (action.targets.length === 1) return describeTarget(action.targets[0]);
+	return `weighted forward [${action.targets.map((t) => `${describeTargetShort(t)}@${t.weight}`).join(", ")}]`;
+}
+/** One forward target, described in full (for a single-target forward banner). */
+function describeTarget(t) {
+	if (t.kind === "lambda") return `Lambda ${t.lambda.logicalId} (invoke)`;
+	return `${t.serviceTarget} (container ${t.targetContainerName}:${t.targetContainerPort}) (round-robin)`;
+}
+/** One forward target, described compactly (for a weighted-forward banner). */
+function describeTargetShort(t) {
+	return t.kind === "lambda" ? `Lambda ${t.lambda.logicalId}` : t.serviceTarget;
 }
 async function resolvePlaceholderAccount(arn, region) {
 	if (!arn.includes("${AWS::AccountId}")) return arn;
@@ -21468,17 +22095,20 @@ function createLocalStartServiceCommand(opts = {}) {
 * its path / host conditions.
 *
 * Scope: HTTP listeners; `path-pattern` + `host-header` conditions; `forward`
-* (single or weighted) to ECS services; `redirect` / `fixed-response` actions.
-* Skipped with a warning: HTTPS/TLS listeners, `TargetType:"lambda"` target
-* groups, the other condition fields (http-header / http-request-method /
-* query-string / source-ip), and `authenticate-cognito` / `authenticate-oidc`
-* actions. Those remaining listener-rule features are tracked in #123.
+* (single or weighted) to ECS services AND/OR Lambda functions
+* (`TargetType:"lambda"` target groups — #123: the TG -> backing
+* `AWS::Lambda::Function` is resolved and the front-door invokes it locally per
+* request); `redirect` / `fixed-response` actions. A single weighted forward may
+* mix ECS and Lambda targets. Skipped with a warning: HTTPS/TLS listeners, the
+* other condition fields (http-header / http-request-method / query-string /
+* source-ip), and `authenticate-cognito` / `authenticate-oidc` actions.
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
 const LISTENER_RULE_TYPE = "AWS::ElasticLoadBalancingV2::ListenerRule";
 const TARGET_GROUP_TYPE = "AWS::ElasticLoadBalancingV2::TargetGroup";
 const SERVICE_TYPE = "AWS::ECS::Service";
+const LAMBDA_FUNCTION_TYPE = "AWS::Lambda::Function";
 /**
 * Resolve an ALB into its front-door listeners + routing tables. Pure — reads
 * only the supplied stack template. Returns an empty `listeners` array (with
@@ -21572,7 +22202,12 @@ function resolveAction(actions, resources, tgToService, stackName, label, warnin
 	}
 	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action. The local ALB front-door does not enforce authenticate-cognito / authenticate-oidc; skipping it.`);
 }
-/** Resolve a `forward` action into one or more weighted ECS-service targets. */
+/**
+* Resolve a `forward` action into one or more weighted targets. Each target
+* group is either an ECS service (the original `start-alb` path) or a
+* `TargetType: lambda` group backed by an in-stack Lambda (#123); a single
+* weighted forward may mix both.
+*/
 function resolveForwardAction(action, resources, tgToService, stackName, label, warnings) {
 	const refs = collectForwardTargetGroupRefs(action);
 	if (refs.length === 0) {
@@ -21586,8 +22221,13 @@ function resolveForwardAction(action, resources, tgToService, stackName, label,
 			warnings.push(`${label} forwards to target group '${tgRef}', but no ${TARGET_GROUP_TYPE} with that logical id exists in ${stackName}. Skipping that target group.`);
 			continue;
 		}
-		if (tg.Properties?.["TargetType"] === "lambda") {
-			warnings.push(`${label} forwards to a Lambda target group '${tgRef}' (TargetType: lambda). The local ALB front-door supports ECS targets only; Lambda targets are deferred. Skipping that target group.`);
+		const tgProps = tg.Properties ?? {};
+		if (tgProps["TargetType"] === "lambda") {
+			const lambdaTarget = resolveLambdaForwardTarget(tgProps, tgRef, resources, stackName, label, warnings);
+			if (lambdaTarget) targets.push({
+				...lambdaTarget,
+				weight
+			});
 			continue;
 		}
 		const backing = tgToService.get(tgRef);
@@ -21596,6 +22236,7 @@ function resolveForwardAction(action, resources, tgToService, stackName, label,
 			continue;
 		}
 		targets.push({
+			kind: "ecs",
 			serviceLogicalId: backing.serviceLogicalId,
 			targetContainerName: backing.containerName,
 			targetContainerPort: backing.containerPort,
@@ -21609,6 +22250,29 @@ function resolveForwardAction(action, resources, tgToService, stackName, label,
 		targets
 	};
 }
+/**
+* Resolve a `TargetType: lambda` target group into its `FrontDoorLambdaTarget`
+* (weight applied by the caller), or `undefined` (with a warning) when the
+* backing function is not an in-stack `AWS::Lambda::Function` reference.
+*/
+function resolveLambdaForwardTarget(tgProps, tgRef, resources, stackName, label, warnings) {
+	const lambdaLogicalId = resolveLambdaTargetLogicalId(tgProps["Targets"]);
+	if (!lambdaLogicalId) {
+		warnings.push(`${label} forwards to a Lambda target group '${tgRef}', but its Targets[].Id is not an in-stack { "Fn::GetAtt": [<FnLogicalId>, "Arn"] } reference; the local ALB front-door supports an in-stack Lambda target only (literal / imported ARNs deferred). Skipping that target group.`);
+		return;
+	}
+	const lambda = resources[lambdaLogicalId];
+	if (!lambda || lambda.Type !== LAMBDA_FUNCTION_TYPE) {
+		warnings.push(`${label} forwards to Lambda target group '${tgRef}', whose target resolves to '${lambdaLogicalId}', but no ${LAMBDA_FUNCTION_TYPE} with that logical id exists in ${stackName}. Skipping that target group.`);
+		return;
+	}
+	return {
+		kind: "lambda",
+		lambdaLogicalId,
+		targetGroupLogicalId: tgRef,
+		multiValueHeaders: readMultiValueHeadersAttribute(tgProps["TargetGroupAttributes"])
+	};
+}
 /** Resolve a `redirect` action into its `Location`-template fields + status code. */
 function resolveRedirectAction(action, label, warnings) {
 	const cfg = action["RedirectConfig"];
@@ -21641,6 +22305,38 @@ function resolveFixedResponseAction(action) {
 	return out;
 }
 /**
+* Resolve a `TargetType: lambda` target group's backing Lambda logical id from
+* its `Targets[].Id`. CDK synthesizes the registration as
+* `Targets: [{ Id: { "Fn::GetAtt": [<FnLogicalId>, "Arn"] } }]`; a `Ref` to the
+* function (its name) is also accepted. Returns the logical id, or `undefined`
+* when the target is a literal / imported ARN (not an in-stack reference).
+*/
+function resolveLambdaTargetLogicalId(targets) {
+	if (!Array.isArray(targets) || targets.length === 0) return void 0;
+	const first = targets[0];
+	if (!first || typeof first !== "object") return void 0;
+	const id = first["Id"];
+	if (!id || typeof id !== "object" || Array.isArray(id)) return void 0;
+	const idObj = id;
+	const getAtt = idObj["Fn::GetAtt"];
+	if (Array.isArray(getAtt) && typeof getAtt[0] === "string" && getAtt[0].length > 0) return getAtt[0];
+	const ref = idObj["Ref"];
+	if (typeof ref === "string" && ref.length > 0) return ref;
+}
+/**
+* Read the `lambda.multi_value_headers.enabled` target-group attribute (a
+* string `"true"` / `"false"` in CFn). Defaults to `false` when absent.
+*/
+function readMultiValueHeadersAttribute(attributes) {
+	if (!Array.isArray(attributes)) return false;
+	for (const attr of attributes) {
+		if (!attr || typeof attr !== "object") continue;
+		const a = attr;
+		if (a["Key"] === "lambda.multi_value_headers.enabled") return String(a["Value"]).toLowerCase() === "true";
+	}
+	return false;
+}
+/**
 * Build a `targetGroupLogicalId -> backing ECS service` index by scanning every
 * `AWS::ECS::Service.LoadBalancers[]`. First service wins on a shared target
 * group (unusual; would only happen with a hand-rolled template).
@@ -21900,19 +22596,28 @@ function albStrategy(options) {
 				const { stack, albLogicalId } = resolveAlbTarget(albTarget, stacks);
 				const resolution = resolveAlbFrontDoor(stack, albLogicalId);
 				warnings.push(...resolution.warnings);
+				const qualifyTarget = (t) => {
+					if (t.kind === "lambda") return {
+						kind: "lambda",
+						lambda: resolveLambdaTarget(`${stack.stackName}:${t.lambdaLogicalId}`, stacks),
+						targetGroupArn: `${stack.stackName}:${t.targetGroupLogicalId}`,
+						multiValueHeaders: t.multiValueHeaders,
+						weight: t.weight
+					};
+					const serviceTarget = `${stack.stackName}:${t.serviceLogicalId}`;
+					serviceTargets.add(serviceTarget);
+					return {
+						kind: "ecs",
+						serviceTarget,
+						targetContainerName: t.targetContainerName,
+						targetContainerPort: t.targetContainerPort,
+						weight: t.weight
+					};
+				};
 				const qualify = (action) => {
 					if (action.kind === "forward") return {
 						kind: "forward",
-						targets: action.targets.map((t) => {
-							const serviceTarget = `${stack.stackName}:${t.serviceLogicalId}`;
-							serviceTargets.add(serviceTarget);
-							return {
-								serviceTarget,
-								targetContainerName: t.targetContainerName,
-								targetContainerPort: t.targetContainerPort,
-								weight: t.weight
-							};
-						})
+						targets: action.targets.map(qualifyTarget)
 					};
 					if (action.kind === "redirect") return {
 						kind: "redirect",
@@ -21975,7 +22680,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners; path-pattern and host-header rule conditions; forward (single and weighted), redirect, and fixed-response actions. HTTPS listeners, Lambda target groups, the other rule conditions (http-header / query-string / source-ip / http-request-method), and authenticate-* actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners; path-pattern and host-header rule conditions; forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). HTTPS listeners, the other rule conditions (http-header / query-string / source-ip / http-request-method), and authenticate-* actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -22052,4 +22757,4 @@ function createLocalListCommand(opts = {}) {
 //#endregion
 export { createJwksCache as $, resolveLambdaArnIntrinsic as $t, invokeTokenAuthorizer as A, substituteAgainstStateAsync as At, VtlEvaluationError as B, resolveCfnRegion as Bt, resolveSelectionExpression as C, architectureToPlatform as Ct, computeRequestIdentityHash as D, resolveRuntimeImage as Dt, buildMethodArn as E, resolveRuntimeFileExtension as Et, buildRestV1Event as F, LocalStateSourceError as Ft, buildMgmtEndpointEnvUrl as G, resolveWatchConfig as Gt, probeHostGatewaySupport as H, CfnLocalStateProvider as Ht, evaluateResponseParameters as I, createLocalStateProvider as It, buildConnectEvent as J, discoverWebSocketApis as Jt, handleConnectionsRequest as K, countTargets as Kt, pickResponseTemplate as L, isCfnFlagPresent as Lt, translateLambdaResponse as M, substituteEnvVarsFromStateAsync as Mt, applyAuthorizerOverlay as N, resolveEnvVars as Nt, evaluateCachedLambdaPolicy as O, EcsTaskResolutionError as Ot, buildHttpApiV2Event as P, materializeLayerFromArn as Pt, buildJwksUrlFromIssuer as Q, pickRefLogicalId as Qt, selectIntegrationResponse as R, rejectExplicitCfnStackWithMultipleStacks as Rt, startApiServer as S, createLocalInvokeCommand as St, defaultCredentialsLoader as T, resolveRuntimeCodeMountPath as Tt, bufferToBody as U, collectSsmParameterRefs as Ut, HOST_GATEWAY_MIN_VERSION as V, resolveCfnStackName as Vt, ConnectionRegistry as W, resolveSsmParameters as Wt, buildMessageEvent as X, parseSelectionExpressionPath as Xt, buildDisconnectEvent as Y, discoverWebSocketApisOrThrow as Yt, buildCognitoJwksUrl as Z, discoverRoutes as Zt, availableApiIdentifiers as _, SUPPORTED_CODE_RUNTIMES as _t, buildCloudMapIndex as a, derivePseudoParametersFromRegion as an, buildCorsConfigByApiId as at, groupRoutesByServer as b, renderCodeDockerfile as bt, createLocalRunTaskCommand as c, LocalInvokeBuildError as cn, matchPreflight as ct, createWatchPredicates as d, MCP_PROTOCOL_VERSION as dt, AGENTCORE_HTTP_PROTOCOL as en, verifyCognitoJwt as et, resolveApiTargetSubset as f, mcpInvokeOnce as ft, buildStageMap as g, waitForAgentCorePing as gt, attachStageContext as h, invokeAgentCore as ht, createLocalStartServiceCommand as i, resolveAgentCoreTarget as in, applyCorsResponseHeaders as it, matchRoute as j, substituteEnvVarsFromState as jt, invokeRequestAuthorizer as k, substituteAgainstState as kt, createLocalInvokeAgentCoreCommand as l, MCP_CONTAINER_PORT as lt, createFileWatcher as m, AGENTCORE_SESSION_ID_HEADER as mt, formatTargetListing as n, AGENTCORE_RUNTIME_TYPE as nn, verifyJwtViaDiscovery as nt, CloudMapRegistry as o, substituteImagePlaceholders as on, buildCorsConfigFromCloudFrontChain as ot, createAuthorizerCache as p, parseSseForJsonRpc as pt, parseConnectionsPath as q, listTargets as qt, createLocalStartAlbCommand as r, AgentCoreResolutionError as rn, attachAuthorizers as rt, getContainerNetworkIp as s, tryResolveImageFnJoin as sn, isFunctionUrlOacFronted as st, createLocalListCommand as t, AGENTCORE_MCP_PROTOCOL as tn, verifyJwtAuthorizer as tt, createLocalStartApiCommand as u, MCP_PATH as ut, filterRoutesByApiIdentifier as v, buildAgentCoreCodeImage as vt, resolveServiceIntegrationParameters as w, buildContainerImage as wt, readMtlsMaterialsFromDisk as x, toCmdArgv as xt, filterRoutesByApiIdentifiers as y, computeCodeImageTag as yt, tryParseStatus as z, resolveCfnFallbackRegion as zt };
-//# sourceMappingURL=local-list-EweOsy3A.js.map
+//# sourceMappingURL=local-list-DL6DlYSN.js.map