cdk-local 0.47.0 → 0.49.0

package/dist/{local-list-9MtupW0M.js → local-list-BovxL7PC.js}

@@ -1,5 +1,5 @@
 import { a as runDockerStreaming, c as getEmbedConfig, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
-import { At as DockerRunnerError, Bn as resolveCdkPathToLogicalIds, Bt as resolveRuntimeCodeMountPath, Ct as invokeRie, Dt as parseEcrUri, Et as buildContainerImage, Ft as pickFreePort, Gn as applyRoleArnIfSet, Gt as applyCrossStackResolverToTask, Hn as LocalInvokeBuildError, Ht as resolveRuntimeImage, It as pullImage, Jn as contextOptions, Jt as detectEcsImageResolutionNeeds, Kn as appOptions, Kt as checkVolumeHostPath, Ln as matchStacks, Lt as removeContainer, Mn as resolveAgentCoreTarget, Mt as appendEnvFlags, Nn as resolveLambdaTarget, Nt as ensureDockerAvailable, On as AGENTCORE_MCP_PROTOCOL, Ot as pullEcrImage, Pn as derivePseudoParametersFromRegion, Pt as execEnvForSecrets, Q as verifyJwtViaDiscovery, Rn as buildCdkPathIndex, Rt as runDetached, St as getDockerImageBySourceHash, Tt as architectureToPlatform, Un as LocalStartServiceError, Ut as EcsTaskResolutionError, Vn as CdkLocalError, Vt as resolveRuntimeFileExtension, Wn as withErrorHandling, Wt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Xn as parseContextOptions, Xt as resolveEcsTaskTarget, Y as createJwksCache, Yn as deprecatedRegionOption, Yt as parseEcsTarget, Zn as warnIfDeprecatedRegion, Zt as applyDeployedEnvFallback, _n as resolveMultiTarget, an as createLocalStateProvider, at as invokeAgentCoreWs, bn as listTargets, bt as singleFlight, c as resolveProfileCredentials$1, cn as resolveCfnFallbackRegion, ft as invokeAgentCore, gn as Synthesizer, ht as buildAgentCoreCodeImage, i as getPublishedHostPort, jn as pickAgentCoreCandidateStack, jt as SENSITIVE_ENV_KEYS, kt as buildDockerImage, lt as mcpInvokeOnce, mn as resolveApp, n as CloudMapRegistry, nn as resolveEnvVars, ot as MCP_CONTAINER_PORT, pt as waitForAgentCorePing, qn as commonOptions, qt as derivePartitionAndUrlSuffix, r as getContainerNetworkIp, rn as materializeLayerFromArn, sn as rejectExplicitCfnStackWithMultipleStacks, st as MCP_PATH, t as buildCloudMapIndex, tn as substituteEnvVarsFromStateAsync, vn as resolveSingleTarget, wt as waitForRieReady, xt as AssetManifestLoader, yn as countTargets, yt as writeProfileCredentialsFile, zn as readCdkPathOrUndefined, zt as streamLogs } from "./cloud-map-resolver-BHapzvlA.js";
+import { At as buildDockerImage, Bn as readCdkPathOrUndefined, Bt as streamLogs, Ct as getDockerImageBySourceHash, Dt as buildContainerImage, Et as architectureToPlatform, Fn as derivePseudoParametersFromRegion, Ft as execEnvForSecrets, Gn as withErrorHandling, Gt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Hn as CdkLocalError, Ht as resolveRuntimeFileExtension, It as pickFreePort, Jn as commonOptions, Jt as derivePartitionAndUrlSuffix, Kn as applyRoleArnIfSet, Kt as applyCrossStackResolverToTask, Lt as pullImage, Mn as pickAgentCoreCandidateStack, Mt as SENSITIVE_ENV_KEYS, Nn as resolveAgentCoreTarget, Nt as appendEnvFlags, Ot as parseEcrUri, Pn as resolveLambdaTarget, Pt as ensureDockerAvailable, Q as verifyJwtViaDiscovery, Qn as warnIfDeprecatedRegion, Qt as applyDeployedEnvFallback, Rn as matchStacks, Rt as removeContainer, St as AssetManifestLoader, Tt as waitForRieReady, Un as LocalInvokeBuildError, Ut as resolveRuntimeImage, Vn as resolveCdkPathToLogicalIds, Vt as resolveRuntimeCodeMountPath, Wn as LocalStartServiceError, Wt as EcsTaskResolutionError, Xn as deprecatedRegionOption, Xt as parseEcsTarget, Y as createJwksCache, Yn as contextOptions, Yt as detectEcsImageResolutionNeeds, Zn as parseContextOptions, Zt as resolveEcsTaskTarget, _n as Synthesizer, at as invokeAgentCoreWs, bn as countTargets, bt as writeProfileCredentialsFile, c as resolveProfileCredentials$1, cn as rejectExplicitCfnStackWithMultipleStacks, ft as invokeAgentCore, gt as buildAgentCoreCodeImage, hn as resolveApp, i as getPublishedHostPort, in as materializeLayerFromArn, jt as DockerRunnerError, kn as AGENTCORE_MCP_PROTOCOL, kt as pullEcrImage, ln as resolveCfnFallbackRegion, lt as mcpInvokeOnce, mt as downloadAndExtractS3Bundle, n as CloudMapRegistry, nn as substituteEnvVarsFromStateAsync, on as createLocalStateProvider, ot as MCP_CONTAINER_PORT, pt as waitForAgentCorePing, qn as appOptions, qt as checkVolumeHostPath, r as getContainerNetworkIp, rn as resolveEnvVars, st as MCP_PATH, t as buildCloudMapIndex, vn as resolveMultiTarget, wt as invokeRie, xn as listTargets, xt as singleFlight, yn as resolveSingleTarget, zn as buildCdkPathIndex, zt as runDetached } from "./cloud-map-resolver-CW4Paz5K.js";
 import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import * as path from "node:path";
@@ -679,7 +679,7 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 		if (isMcp) {
 			if (resolved.jwtAuthorizer || options.bearerToken) logger.info(`MCP runtime: invoking the local container's ${MCP_PATH} directly (vanilla MCP). An inbound JWT / --bearer-token is an AgentCore managed-plane concern and is not applied locally.`);
 		} else authorization = await resolveInboundAuthorization(resolved, options);
-		const image = await resolveAgentCoreImage(resolved, options);
+		const image = await resolveAgentCoreImage(resolved, options, loadedState);
 		const { env: dockerEnv, sensitiveEnvKeys } = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, stateProvider, loadedState, imageContext);
 		const hostPort = await pickFreePort();
 		const containerHost = options.containerHost;
@@ -770,14 +770,19 @@ async function resolveInboundAuthorization(resolved, options) {
 }
 /**
 * Acquire the agent image. A CODE artifact (managed runtime) is built from
-* source (generated Dockerfile over the bundle's cdk.out asset). A CONTAINER
-* artifact mirrors the container-Lambda path: build from a local cdk.out asset
-* when the URI matches one, else pull from ECR, else pull a plain registry image.
+* source — a fromCodeAsset bundle from its cdk.out asset, a fromS3 bundle
+* downloaded + extracted from S3. A CONTAINER artifact mirrors the
+* container-Lambda path: build from a local cdk.out asset when the URI matches
+* one, else pull from ECR, else pull a plain registry image.
+*
+* `loaded` is the `--from-cfn-stack` state record (when available) — threaded
+* through so a bare `--assume-role` can resolve the execution-role ARN from
+* state for the fromS3 download.
 */
-async function resolveAgentCoreImage(resolved, options) {
+async function resolveAgentCoreImage(resolved, options, loaded) {
 	const logger = getLogger();
 	const architecture = platformToArchitecture(options.platform);
-	if (resolved.codeArtifact) return resolveAgentCoreCodeImage(resolved, resolved.codeArtifact, options, architecture);
+	if (resolved.codeArtifact) return resolveAgentCoreCodeImage(resolved, resolved.codeArtifact, options, architecture, loaded);
 	const containerUri = resolved.containerUri;
 	if (containerUri === void 0) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' has neither a container image nor a code artifact to run.`, "LOCAL_INVOKE_AGENTCORE_NO_ARTIFACT");
 	const manifestPath = resolved.stack.assetManifestPath;
@@ -805,12 +810,16 @@ async function resolveAgentCoreImage(resolved, options) {
 	return containerUri;
 }
 /**
-* Build a local image from a `CodeConfiguration` (managed-runtime) bundle:
-* locate the fromCodeAsset source dir in cdk.out via its asset hash, then run
-* the from-source build (generated Dockerfile → install deps → run EntryPoint).
-* A bundle with no local asset (fromS3) hard-errors — not supported yet.
+* Build a local image from a `CodeConfiguration` (managed-runtime) bundle.
+*
+* - fromS3 (`code.s3Source` set, a literal S3 object): download + extract the
+*   bundle, then run the from-source build over the extracted dir.
+* - fromCodeAsset: locate the source dir in cdk.out via its asset hash, then
+*   run the same from-source build (generated Dockerfile → install deps → run
+*   EntryPoint).
 */
-async function resolveAgentCoreCodeImage(resolved, code, options, architecture) {
+async function resolveAgentCoreCodeImage(resolved, code, options, architecture, loaded) {
+	if (code.s3Source) return resolveAgentCoreCodeImageFromS3(resolved, code, code.s3Source, options, architecture, loaded);
 	const manifestPath = resolved.stack.assetManifestPath;
 	if (!manifestPath) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' uses a code artifact, but its stack has no asset manifest in cdk.out to read the bundle source from.`, "LOCAL_INVOKE_AGENTCORE_CODE_NO_MANIFEST");
 	const cdkOutDir = dirname(manifestPath);
@@ -818,7 +827,7 @@ async function resolveAgentCoreCodeImage(resolved, code, options, architecture)
 	const manifest = await loader.loadManifest(cdkOutDir, resolved.stack.stackName);
 	const fileAssets = manifest ? loader.getFileAssets(manifest) : void 0;
 	const asset = fileAssets ? fileAssets.get(code.codeAssetHash) ?? findFileAssetByObjectKey(fileAssets, code.codeAssetHash) : void 0;
-	if (!asset) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle (asset ${code.codeAssetHash}) was not found in the cdk.out asset manifest. ${getEmbedConfig().cliName} invoke-agentcore runs a local from-source build of a fromCodeAsset bundle; a fromS3 bundle (a pre-existing S3 object) is not supported yet.`, "LOCAL_INVOKE_AGENTCORE_CODE_ASSET_NOT_FOUND");
+	if (!asset) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle (asset ${code.codeAssetHash}) was not found in the cdk.out asset manifest. ${getEmbedConfig().cliName} invoke-agentcore runs a local from-source build of a fromCodeAsset bundle — re-synthesize the app so the asset is staged in cdk.out and retry. (A fromS3 bundle is downloaded from S3 instead; this runtime has no literal Code.S3.Bucket.)`, "LOCAL_INVOKE_AGENTCORE_CODE_ASSET_NOT_FOUND");
 	const sourceDir = loader.getAssetSourcePath(cdkOutDir, asset);
 	if (!existsSync(sourceDir) || !statSync(sourceDir).isDirectory()) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' code bundle source '${sourceDir}' does not exist or is not a directory. Re-synthesize the app and retry.`, "LOCAL_INVOKE_AGENTCORE_CODE_SOURCE_MISSING");
 	return buildAgentCoreCodeImage({
@@ -830,6 +839,43 @@ async function resolveAgentCoreCodeImage(resolved, code, options, architecture)
 	});
 }
 /**
+* Build a local image from a fromS3 CodeConfiguration bundle: download +
+* extract the S3 object, run the from-source build over the extracted dir, then
+* clean up the temp dir.
+*
+* Credentials mirror the rest of the command: an `--assume-role` ARN (explicit,
+* or resolved from `--from-cfn-stack` state for the bare form) yields STS temp
+* creds for the download; otherwise `--profile` / the default chain is used.
+* The region is `--region` / `--stack-region` / env / the stack's region.
+*/
+async function resolveAgentCoreCodeImageFromS3(resolved, code, s3Source, options, architecture, loaded) {
+	const logger = getLogger();
+	const region = options.region ?? options.stackRegion ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? resolved.stack.region;
+	const assumeRoleArn = resolveAssumeRoleArn(options, resolved, loaded);
+	let credentials;
+	if (assumeRoleArn) try {
+		credentials = await assumeAgentCoreExecutionRole(assumeRoleArn, region);
+	} catch (err) {
+		logger.warn(`--assume-role: STS AssumeRole(${assumeRoleArn}) failed for the fromS3 bundle download: ${err instanceof Error ? err.message : String(err)}. Falling back to ${options.profile ? `--profile ${options.profile}` : "the default credentials"}.`);
+	}
+	const bundle = await downloadAndExtractS3Bundle(s3Source, {
+		...region !== void 0 && { region },
+		...options.profile !== void 0 && { profile: options.profile },
+		...credentials !== void 0 && { credentials }
+	});
+	try {
+		return await buildAgentCoreCodeImage({
+			sourceDir: bundle.dir,
+			runtime: code.runtime,
+			entryPoint: code.entryPoint,
+			architecture,
+			noBuild: options.build === false
+		});
+	} finally {
+		await bundle.cleanup();
+	}
+}
+/**
 * Find the file asset whose destination objectKey is `<hash>.zip` (matching the
 * `Code.S3.Prefix`'s hash) when the source-hash-keyed lookup misses — covers a
 * synthesizer whose source hash differs from the destination objectKey.
@@ -5377,4 +5423,4 @@ function createLocalListCommand(opts = {}) {
 
 //#endregion
 export { createLocalRunTaskCommand as a, createLocalStartServiceCommand as i, formatTargetListing as n, createLocalInvokeAgentCoreCommand as o, createLocalStartAlbCommand as r, createLocalInvokeCommand as s, createLocalListCommand as t };
-//# sourceMappingURL=local-list-9MtupW0M.js.map
+//# sourceMappingURL=local-list-BovxL7PC.js.map