cdk-local 0.49.0 → 0.51.0

package/dist/{local-list-BovxL7PC.js → local-list-DbBCVhla.js}

@@ -1,5 +1,5 @@
 import { a as runDockerStreaming, c as getEmbedConfig, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
-import { At as buildDockerImage, Bn as readCdkPathOrUndefined, Bt as streamLogs, Ct as getDockerImageBySourceHash, Dt as buildContainerImage, Et as architectureToPlatform, Fn as derivePseudoParametersFromRegion, Ft as execEnvForSecrets, Gn as withErrorHandling, Gt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Hn as CdkLocalError, Ht as resolveRuntimeFileExtension, It as pickFreePort, Jn as commonOptions, Jt as derivePartitionAndUrlSuffix, Kn as applyRoleArnIfSet, Kt as applyCrossStackResolverToTask, Lt as pullImage, Mn as pickAgentCoreCandidateStack, Mt as SENSITIVE_ENV_KEYS, Nn as resolveAgentCoreTarget, Nt as appendEnvFlags, Ot as parseEcrUri, Pn as resolveLambdaTarget, Pt as ensureDockerAvailable, Q as verifyJwtViaDiscovery, Qn as warnIfDeprecatedRegion, Qt as applyDeployedEnvFallback, Rn as matchStacks, Rt as removeContainer, St as AssetManifestLoader, Tt as waitForRieReady, Un as LocalInvokeBuildError, Ut as resolveRuntimeImage, Vn as resolveCdkPathToLogicalIds, Vt as resolveRuntimeCodeMountPath, Wn as LocalStartServiceError, Wt as EcsTaskResolutionError, Xn as deprecatedRegionOption, Xt as parseEcsTarget, Y as createJwksCache, Yn as contextOptions, Yt as detectEcsImageResolutionNeeds, Zn as parseContextOptions, Zt as resolveEcsTaskTarget, _n as Synthesizer, at as invokeAgentCoreWs, bn as countTargets, bt as writeProfileCredentialsFile, c as resolveProfileCredentials$1, cn as rejectExplicitCfnStackWithMultipleStacks, ft as invokeAgentCore, gt as buildAgentCoreCodeImage, hn as resolveApp, i as getPublishedHostPort, in as materializeLayerFromArn, jt as DockerRunnerError, kn as AGENTCORE_MCP_PROTOCOL, kt as pullEcrImage, ln as resolveCfnFallbackRegion, lt as mcpInvokeOnce, mt as downloadAndExtractS3Bundle, n as CloudMapRegistry, nn as substituteEnvVarsFromStateAsync, on as createLocalStateProvider, ot as MCP_CONTAINER_PORT, pt as waitForAgentCorePing, qn as appOptions, qt as checkVolumeHostPath, r as getContainerNetworkIp, rn as resolveEnvVars, st as MCP_PATH, t as buildCloudMapIndex, vn as resolveMultiTarget, wt as invokeRie, xn as listTargets, xt as singleFlight, yn as resolveSingleTarget, zn as buildCdkPathIndex, zt as runDetached } from "./cloud-map-resolver-CW4Paz5K.js";
+import { At as buildDockerImage, Bn as readCdkPathOrUndefined, Bt as streamLogs, Ct as getDockerImageBySourceHash, Dt as buildContainerImage, Et as architectureToPlatform, Fn as derivePseudoParametersFromRegion, Ft as execEnvForSecrets, Gn as withErrorHandling, Gt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Hn as CdkLocalError, Ht as resolveRuntimeFileExtension, It as pickFreePort, Jn as commonOptions, Jt as derivePartitionAndUrlSuffix, Kn as applyRoleArnIfSet, Kt as applyCrossStackResolverToTask, Lt as pullImage, Mn as pickAgentCoreCandidateStack, Mt as SENSITIVE_ENV_KEYS, Nn as resolveAgentCoreTarget, Nt as appendEnvFlags, Ot as parseEcrUri, Pn as resolveLambdaTarget, Pt as ensureDockerAvailable, Q as verifyJwtViaDiscovery, Qn as warnIfDeprecatedRegion, Qt as applyDeployedEnvFallback, Rn as matchStacks, Rt as removeContainer, St as AssetManifestLoader, Tt as waitForRieReady, Un as LocalInvokeBuildError, Ut as resolveRuntimeImage, Vn as resolveCdkPathToLogicalIds, Vt as resolveRuntimeCodeMountPath, Wn as LocalStartServiceError, Wt as EcsTaskResolutionError, Xn as deprecatedRegionOption, Xt as parseEcsTarget, Y as createJwksCache, Yn as contextOptions, Yt as detectEcsImageResolutionNeeds, Zn as parseContextOptions, Zt as resolveEcsTaskTarget, _n as Synthesizer, at as invokeAgentCoreWs, bn as countTargets, bt as writeProfileCredentialsFile, c as resolveProfileCredentials$1, cn as rejectExplicitCfnStackWithMultipleStacks, en as substituteAgainstStateAsync, ft as invokeAgentCore, gt as buildAgentCoreCodeImage, hn as resolveApp, i as getPublishedHostPort, in as materializeLayerFromArn, jt as DockerRunnerError, kn as AGENTCORE_MCP_PROTOCOL, kt as pullEcrImage, ln as resolveCfnFallbackRegion, lt as mcpInvokeOnce, mt as downloadAndExtractS3Bundle, n as CloudMapRegistry, nn as substituteEnvVarsFromStateAsync, on as createLocalStateProvider, ot as MCP_CONTAINER_PORT, pt as waitForAgentCorePing, qn as appOptions, qt as checkVolumeHostPath, r as getContainerNetworkIp, rn as resolveEnvVars, st as MCP_PATH, t as buildCloudMapIndex, vn as resolveMultiTarget, wt as invokeRie, xn as listTargets, xt as singleFlight, yn as resolveSingleTarget, zn as buildCdkPathIndex, zt as runDetached } from "./cloud-map-resolver-BvhnCkSe.js";
 import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import * as path from "node:path";
@@ -679,6 +679,7 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 		if (isMcp) {
 			if (resolved.jwtAuthorizer || options.bearerToken) logger.info(`MCP runtime: invoking the local container's ${MCP_PATH} directly (vanilla MCP). An inbound JWT / --bearer-token is an AgentCore managed-plane concern and is not applied locally.`);
 		} else authorization = await resolveInboundAuthorization(resolved, options);
+		await resolveFromS3BucketIntrinsic(resolved, stateProvider, loadedState, imageContext);
 		const image = await resolveAgentCoreImage(resolved, options, loadedState);
 		const { env: dockerEnv, sensitiveEnvKeys } = await buildContainerEnv(resolved, options, profileCredentials, profileCredsFile, stateProvider, loadedState, imageContext);
 		const hostPort = await pickFreePort();
@@ -850,6 +851,12 @@ async function resolveAgentCoreCodeImage(resolved, code, options, architecture,
 */
 async function resolveAgentCoreCodeImageFromS3(resolved, code, s3Source, options, architecture, loaded) {
 	const logger = getLogger();
+	if (typeof s3Source.bucket !== "string" || s3Source.bucket.length === 0) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' fromS3 bundle reached the image step with no literal bucket. This is a cdk-local bug — please report it.`, "LOCAL_INVOKE_AGENTCORE_FROMS3_BUCKET_UNRESOLVED");
+	const location = {
+		bucket: s3Source.bucket,
+		key: s3Source.key,
+		...s3Source.versionId !== void 0 && { versionId: s3Source.versionId }
+	};
 	const region = options.region ?? options.stackRegion ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? resolved.stack.region;
 	const assumeRoleArn = resolveAssumeRoleArn(options, resolved, loaded);
 	let credentials;
@@ -858,7 +865,7 @@ async function resolveAgentCoreCodeImageFromS3(resolved, code, s3Source, options
 	} catch (err) {
 		logger.warn(`--assume-role: STS AssumeRole(${assumeRoleArn}) failed for the fromS3 bundle download: ${err instanceof Error ? err.message : String(err)}. Falling back to ${options.profile ? `--profile ${options.profile}` : "the default credentials"}.`);
 	}
-	const bundle = await downloadAndExtractS3Bundle(s3Source, {
+	const bundle = await downloadAndExtractS3Bundle(location, {
 		...region !== void 0 && { region },
 		...options.profile !== void 0 && { profile: options.profile },
 		...credentials !== void 0 && { credentials }
@@ -941,6 +948,46 @@ async function buildContainerEnv(resolved, options, profileCredentials, profileC
 	};
 }
 /**
+* Resolve a fromS3 bundle's intrinsic `Code.S3.Bucket` to a literal bucket
+* name in place on `resolved.codeArtifact.s3Source.bucket`. Uses the SAME
+* state-substitution machinery env vars use under `--from-cfn-stack`, so
+* every cross-stack intrinsic that path supports (`Ref` / `Fn::ImportValue` /
+* `Fn::GetStackOutput`) is supported transparently here.
+*
+* No-op when there is no intrinsic to resolve. Errors when no state is
+* available, or when the substitution returns a non-string / unresolved value.
+*
+* Exported so a unit test can drive the gate without the full Docker pipeline.
+*/
+async function resolveFromS3BucketIntrinsic(resolved, stateProvider, loaded, imageContext) {
+	const s3Source = resolved.codeArtifact?.s3Source;
+	if (!s3Source || s3Source.bucketIntrinsic === void 0) return;
+	if (s3Source.bucket !== void 0) return;
+	if (!stateProvider || !loaded) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' fromS3 bundle's Code.S3.Bucket is an unresolved intrinsic (${describeIntrinsic(s3Source.bucketIntrinsic)}). Pass --from-cfn-stack so its physical bucket name can be resolved against the deployed stack state.`, "LOCAL_INVOKE_AGENTCORE_FROMS3_BUCKET_INTRINSIC_NO_STATE");
+	const subContext = {
+		resources: imageContext?.stateResources ?? loaded.resources,
+		consumerRegion: loaded.region
+	};
+	const pseudo = imageContext?.pseudoParameters ?? derivePseudoParametersFromRegion(loaded.region);
+	if (pseudo) subContext.pseudoParameters = pseudo;
+	const crossStackResolver = await stateProvider.buildCrossStackResolver(loaded.region);
+	if (crossStackResolver) subContext.crossStackResolver = crossStackResolver;
+	const result = await substituteAgainstStateAsync(s3Source.bucketIntrinsic, subContext);
+	if (result.kind !== "literal") throw new CdkLocalError(`Could not resolve AgentCore Runtime '${resolved.logicalId}' fromS3 Code.S3.Bucket intrinsic (${describeIntrinsic(s3Source.bucketIntrinsic)}) against the --from-cfn-stack state: ${result.reason}. Confirm the referenced resource / export exists in the deployed stack.`, "LOCAL_INVOKE_AGENTCORE_FROMS3_BUCKET_INTRINSIC_UNRESOLVED");
+	if (typeof result.value !== "string" || result.value.length === 0) throw new CdkLocalError(`AgentCore Runtime '${resolved.logicalId}' fromS3 Code.S3.Bucket intrinsic resolved to a ${typeof result.value} value, not a bucket name string. (${describeIntrinsic(s3Source.bucketIntrinsic)})`, "LOCAL_INVOKE_AGENTCORE_FROMS3_BUCKET_INTRINSIC_NOT_STRING");
+	s3Source.bucket = result.value;
+	getLogger().info(`Resolved fromS3 Code.S3.Bucket from state: ${describeIntrinsic(s3Source.bucketIntrinsic)} -> ${result.value}`);
+}
+/** Render the intrinsic key for an error / log message (e.g. `Ref:Bucket1`). */
+function describeIntrinsic(value) {
+	if (!value || typeof value !== "object") return String(value);
+	const obj = value;
+	const key = Object.keys(obj)[0] ?? "?";
+	const arg = obj[key];
+	if (typeof arg === "string") return `${key}:${arg}`;
+	return key;
+}
+/**
 * Build the `--from-cfn-stack` image-resolution context + return the loaded
 * state record (loaded once, reused by env substitution + role resolution).
 * Mirrors `run-task`'s `buildEcsImageResolutionContext`: pseudo parameters
@@ -3623,7 +3670,10 @@ function handleProxyRequest(req, res, opts) {
 	if (opts.route) {
 		const action = opts.route({
 			path: url,
-			...hostHeader(req)
+			...hostHeader(req),
+			headers: req.headers,
+			...req.method !== void 0 && { method: req.method },
+			...req.socket.remoteAddress !== void 0 && { sourceIp: req.socket.remoteAddress }
 		});
 		if (!action) return reply404(req, res, opts);
 		if (action.kind === "redirect" || action.kind === "fixed-response") {
@@ -3902,25 +3952,24 @@ function writeError(res, statusCode, message) {
 * evaluated in ascending priority; the input order is irrelevant.
 *
 * Accepts either a request facts object or a bare path string (the path-only
-* form keeps the original signature working for callers that have no Host).
+* form keeps the original signature working for callers that have no Host /
+* headers / method / source IP).
 */
 function matchAlbPathRule(req, rules) {
-	const { path, host } = typeof req === "string" ? {
-		path: req,
-		host: void 0
-	} : req;
-	const requestPath = pathOf(path);
-	const requestHost = host !== void 0 ? hostOf(host) : void 0;
+	const facts = typeof req === "string" ? { path: req } : req;
+	const requestPath = pathOf(facts.path);
+	const requestQuery = queryOf(facts.path);
+	const requestHost = facts.host !== void 0 ? hostOf(facts.host) : void 0;
 	const ordered = [...rules].sort((a, b) => a.priority - b.priority);
-	for (const rule of ordered) if (ruleMatches(rule, requestPath, requestHost)) return rule.target;
+	for (const rule of ordered) if (ruleMatches(rule, requestPath, requestQuery, requestHost, facts)) return rule.target;
 }
 /**
-* Whether a single rule's conditions all match. A `path-pattern` /
-* `host-header` condition is satisfied when ANY of its values match (OR); a
-* rule with both fields requires both to match (AND). An empty pattern list
-* for a field means "no constraint on that field" (the condition was absent).
+* Whether a single rule's conditions all match. Each present condition field
+* is OR-matched within (multiple values) and AND'd across fields. An empty /
+* absent condition list means "no constraint on that field" (the condition was
+* absent on the rule).
 */
-function ruleMatches(rule, requestPath, requestHost) {
+function ruleMatches(rule, requestPath, requestQuery, requestHost, facts) {
 	if (rule.pathPatterns.length > 0) {
 		if (!rule.pathPatterns.some((pattern) => globToRegExp(pattern, false).test(requestPath))) return false;
 	}
@@ -3929,8 +3978,71 @@ function ruleMatches(rule, requestPath, requestHost) {
 		if (requestHost === void 0) return false;
 		if (!hostPatterns.some((pattern) => globToRegExp(pattern, true).test(requestHost))) return false;
 	}
+	const headerConditions = rule.httpHeaderConditions ?? [];
+	if (headerConditions.length > 0) {
+		if (!headerConditions.every((cond) => httpHeaderConditionMatches(cond, facts.headers))) return false;
+	}
+	const methods = rule.httpRequestMethods ?? [];
+	if (methods.length > 0) {
+		if (facts.method === void 0) return false;
+		if (!methods.includes(facts.method)) return false;
+	}
+	const queryConditions = rule.queryStringConditions ?? [];
+	if (queryConditions.length > 0) {
+		const params = parseQueryParams(requestQuery);
+		if (!queryConditions.some((cond) => queryStringConditionMatches(cond, params))) return false;
+	}
+	const cidrs = rule.sourceIpCidrs ?? [];
+	if (cidrs.length > 0) {
+		if (facts.sourceIp === void 0) return false;
+		const ip = unmapV4MappedV6(facts.sourceIp);
+		if (!cidrs.some((cidr) => albCidrMatches(cidr, ip))) return false;
+	}
 	return true;
 }
+/**
+* Whether an `http-header` condition matches the request's headers. The
+* header name is looked up case-insensitively; each listed value glob is
+* matched case-insensitively against every value of that header (multi-valued
+* headers count each value separately).
+*/
+function httpHeaderConditionMatches(cond, headers) {
+	if (!headers) return false;
+	const rawValue = headerLookup(headers, cond.name.toLowerCase());
+	if (rawValue === void 0) return false;
+	const headerValues = Array.isArray(rawValue) ? rawValue : [rawValue];
+	return cond.values.some((glob) => {
+		const re = globToRegExp(glob, true);
+		return headerValues.some((v) => re.test(v.toLowerCase()));
+	});
+}
+/**
+* Whether a single `query-string` condition `{ Key?, Value }` matches the
+* request's parsed query parameters. Both Key and Value are case-insensitive
+* `*` / `?` globs; when `Key` is absent, ANY parameter whose value matches the
+* Value glob satisfies the condition.
+*/
+function queryStringConditionMatches(cond, params) {
+	const valueRe = globToRegExp(cond.value, true);
+	const keyRe = cond.key !== void 0 ? globToRegExp(cond.key, true) : void 0;
+	return params.some((p) => {
+		if (keyRe !== void 0 && !keyRe.test(p.key.toLowerCase())) return false;
+		return valueRe.test(p.value.toLowerCase());
+	});
+}
+/**
+* Whether an IPv4 or IPv6 address falls inside an IPv4 or IPv6 CIDR. Returns
+* `false` for mismatched families (an IPv4 address tested against an IPv6
+* CIDR, or vice versa) and for unparseable input.
+*/
+function albCidrMatches(cidr, ip) {
+	const parsed = parseCidr(cidr);
+	if (!parsed) return false;
+	const addr = parseIpAddress(ip);
+	if (!addr) return false;
+	if (parsed.family !== addr.family) return false;
+	return matchBitPrefix(parsed.bytes, addr.bytes, parsed.prefixLength);
+}
 /** Strip the query string / fragment so only the URL path is matched. */
 function pathOf(url) {
 	let end = url.length;
@@ -3941,6 +4053,45 @@ function pathOf(url) {
 	return url.slice(0, end);
 }
 /**
+* Pull the raw query string (`a=1&b=2`) out of a URL. Returns the empty string
+* when the URL has no `?`. The fragment is dropped.
+*/
+function queryOf(url) {
+	const q = url.indexOf("?");
+	if (q === -1) return "";
+	const rest = url.slice(q + 1);
+	const h = rest.indexOf("#");
+	return h === -1 ? rest : rest.slice(0, h);
+}
+/**
+* Decode a raw query string into a flat list of `{ key, value }` entries
+* (preserving repeats), URI-decoding both sides and treating `+` as a space
+* (the `application/x-www-form-urlencoded` convention browsers use). Pairs
+* with no `=` are treated as `{ key, value: '' }`.
+*/
+function parseQueryParams(query) {
+	if (!query) return [];
+	const out = [];
+	for (const pair of query.split("&")) {
+		if (!pair) continue;
+		const eq = pair.indexOf("=");
+		const rawKey = eq === -1 ? pair : pair.slice(0, eq);
+		const rawValue = eq === -1 ? "" : pair.slice(eq + 1);
+		out.push({
+			key: decodeQueryPart(rawKey),
+			value: decodeQueryPart(rawValue)
+		});
+	}
+	return out;
+}
+function decodeQueryPart(s) {
+	try {
+		return decodeURIComponent(s.replace(/\+/g, " "));
+	} catch {
+		return s;
+	}
+}
+/**
 * Normalize a `Host` header for matching: drop any `:port` suffix and lower-case
 * it (DNS hostnames are case-insensitive). IPv6 literals (`[::1]:8080`) keep the
 * bracketed address and only the trailing port is removed.
@@ -3955,13 +4106,18 @@ function hostOf(host) {
 	const colon = trimmed.indexOf(":");
 	return (colon === -1 ? trimmed : trimmed.slice(0, colon)).toLowerCase();
 }
+/** Case-insensitive header lookup against a Node-style headers dict. */
+function headerLookup(headers, lowerCaseName) {
+	const direct = headers[lowerCaseName];
+	if (direct !== void 0) return direct;
+	for (const key of Object.keys(headers)) if (key.toLowerCase() === lowerCaseName) return headers[key];
+}
 const REGEXP_META = /[.+^${}()|[\]\\]/;
 /**
 * Translate an ALB `*` / `?` glob into an anchored RegExp: `*` -> `.*`,
-* `?` -> `.`, every other character is escaped and matched literally. Host
-* patterns match case-insensitively (the `i` flag) and the pattern is
-* lower-cased to pair with the lower-cased host; path patterns are
-* case-sensitive.
+* `?` -> `.`, every other character is escaped and matched literally. The
+* `caseInsensitive` form lower-cases the pattern (callers pair it with a
+* lower-cased input); path patterns are case-sensitive.
 */
 function globToRegExp(pattern, caseInsensitive) {
 	const source = caseInsensitive ? pattern.toLowerCase() : pattern;
@@ -3972,6 +4128,131 @@ function globToRegExp(pattern, caseInsensitive) {
 	else body += ch;
 	return new RegExp(`^${body}$`);
 }
+/** Parse a CIDR (`ip/prefix`) into its address bytes + prefix length. */
+function parseCidr(cidr) {
+	const slash = cidr.indexOf("/");
+	if (slash === -1) return void 0;
+	const addrPart = cidr.slice(0, slash);
+	const prefixPart = cidr.slice(slash + 1);
+	if (!/^\d+$/.test(prefixPart)) return void 0;
+	const prefixLength = parseInt(prefixPart, 10);
+	const addr = parseIpAddress(addrPart);
+	if (!addr) return void 0;
+	const maxPrefix = addr.family === "v4" ? 32 : 128;
+	if (prefixLength < 0 || prefixLength > maxPrefix) return void 0;
+	return {
+		family: addr.family,
+		bytes: addr.bytes,
+		prefixLength
+	};
+}
+/** Parse an IPv4 (`1.2.3.4`) or IPv6 address into its byte representation. */
+function parseIpAddress(ip) {
+	if (ip.includes(".") && !ip.includes(":")) return parseIpv4(ip);
+	if (ip.includes(":")) return parseIpv6(ip);
+}
+function parseIpv4(ip) {
+	const parts = ip.split(".");
+	if (parts.length !== 4) return void 0;
+	const bytes = new Uint8Array(4);
+	for (let i = 0; i < 4; i++) {
+		const part = parts[i];
+		if (!/^\d+$/.test(part)) return void 0;
+		const n = parseInt(part, 10);
+		if (n < 0 || n > 255) return void 0;
+		bytes[i] = n;
+	}
+	return {
+		family: "v4",
+		bytes
+	};
+}
+/**
+* Parse a textual IPv6 address (incl. `::` shorthand and IPv4-suffix form like
+* `::ffff:1.2.3.4`) into its 16-byte representation.
+*/
+function parseIpv6(ip) {
+	let s = ip;
+	if (s.startsWith("[") && s.endsWith("]")) s = s.slice(1, -1);
+	let v4Suffix;
+	const lastColon = s.lastIndexOf(":");
+	if (lastColon !== -1 && s.slice(lastColon + 1).includes(".")) {
+		const parsed = parseIpv4(s.slice(lastColon + 1));
+		if (!parsed) return void 0;
+		v4Suffix = parsed.bytes;
+		s = s.slice(0, lastColon) + ":0:0";
+	}
+	const doubleColon = s.indexOf("::");
+	let head;
+	let tail;
+	if (doubleColon === -1) {
+		head = s.split(":");
+		tail = [];
+	} else {
+		head = s.slice(0, doubleColon) === "" ? [] : s.slice(0, doubleColon).split(":");
+		tail = s.slice(doubleColon + 2) === "" ? [] : s.slice(doubleColon + 2).split(":");
+	}
+	if (head.length + tail.length > 8) return void 0;
+	if (doubleColon === -1 && head.length !== 8) return void 0;
+	const groups = new Array(8).fill(0);
+	for (let i = 0; i < head.length; i++) {
+		const g = parseHexGroup(head[i]);
+		if (g === void 0) return void 0;
+		groups[i] = g;
+	}
+	for (let i = 0; i < tail.length; i++) {
+		const g = parseHexGroup(tail[tail.length - 1 - i]);
+		if (g === void 0) return void 0;
+		groups[7 - i] = g;
+	}
+	const bytes = new Uint8Array(16);
+	for (let i = 0; i < 8; i++) {
+		bytes[i * 2] = groups[i] >> 8 & 255;
+		bytes[i * 2 + 1] = groups[i] & 255;
+	}
+	if (v4Suffix) {
+		bytes[12] = v4Suffix[0];
+		bytes[13] = v4Suffix[1];
+		bytes[14] = v4Suffix[2];
+		bytes[15] = v4Suffix[3];
+	}
+	return {
+		family: "v6",
+		bytes
+	};
+}
+function parseHexGroup(g) {
+	if (g.length === 0 || g.length > 4) return void 0;
+	if (!/^[0-9a-fA-F]+$/.test(g)) return void 0;
+	return parseInt(g, 16);
+}
+/**
+* Unmap an IPv4-mapped IPv6 source IP (`::ffff:a.b.c.d` or `::ffff:NNNN:NNNN`)
+* to its bare IPv4 form. Node reports `::ffff:127.0.0.1` for an IPv4 client on
+* a dual-stack listener; rules that name a v4 CIDR should still match.
+*/
+function unmapV4MappedV6(ip) {
+	const m = /^::ffff:(.+)$/i.exec(ip);
+	if (!m) return ip;
+	const suffix = m[1];
+	if (suffix.includes(".")) return suffix;
+	const parts = suffix.split(":");
+	if (parts.length !== 2) return ip;
+	const high = parseInt(parts[0], 16);
+	const low = parseInt(parts[1], 16);
+	if (!Number.isFinite(high) || !Number.isFinite(low)) return ip;
+	return `${high >> 8 & 255}.${high & 255}.${low >> 8 & 255}.${low & 255}`;
+}
+/** Whether the first `prefixLength` bits of `a` equal those of `b`. */
+function matchBitPrefix(a, b, prefixLength) {
+	if (a.length !== b.length) return false;
+	const fullBytes = Math.floor(prefixLength / 8);
+	for (let i = 0; i < fullBytes; i++) if (a[i] !== b[i]) return false;
+	const remainingBits = prefixLength % 8;
+	if (remainingBits === 0) return true;
+	const mask = 255 << 8 - remainingBits;
+	return (a[fullBytes] & mask) === (b[fullBytes] & mask);
+}
 
 //#endregion
 //#region src/local/front-door-lambda-runner.ts
@@ -4464,6 +4745,10 @@ async function buildFrontDoor(plan, options, logger) {
 				priority: r.priority,
 				pathPatterns: r.pathPatterns,
 				hostPatterns: r.hostPatterns,
+				httpHeaderConditions: r.httpHeaderConditions,
+				httpRequestMethods: r.httpRequestMethods,
+				queryStringConditions: r.queryStringConditions,
+				sourceIpCidrs: r.sourceIpCidrs,
 				target: toRouteAction(r.action)
 			}));
 			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
@@ -4505,13 +4790,20 @@ async function buildFrontDoor(plan, options, logger) {
 		lambdaRunners: [...lambdaRegistry.values()]
 	};
 }
-/** Human-readable summary of a planned rule's path / host conditions (for the boot banner). */
+/** Human-readable summary of a planned rule's six ALB condition fields (for the boot banner). */
 function describeConditions(rule) {
 	const parts = [];
 	if (rule.pathPatterns.length > 0) parts.push(`path ${rule.pathPatterns.join(", ")}`);
 	if (rule.hostPatterns.length > 0) parts.push(`host ${rule.hostPatterns.join(", ")}`);
+	for (const h of rule.httpHeaderConditions) parts.push(`header ${h.name}: ${h.values.join(", ")}`);
+	if (rule.httpRequestMethods.length > 0) parts.push(`method ${rule.httpRequestMethods.join(", ")}`);
+	if (rule.queryStringConditions.length > 0) parts.push(`query ${rule.queryStringConditions.map(describeQueryStringCondition).join(", ")}`);
+	if (rule.sourceIpCidrs.length > 0) parts.push(`source-ip ${rule.sourceIpCidrs.join(", ")}`);
 	return parts.join(" AND ") || "(no condition)";
 }
+function describeQueryStringCondition(c) {
+	return c.key !== void 0 ? `${c.key}=${c.value}` : c.value;
+}
 /** Human-readable summary of a planned action (for the boot banner). */
 function describeAction(action) {
 	if (action.kind === "redirect") return `redirect ${action.statusCode}`;
@@ -4740,7 +5032,11 @@ function createLocalStartServiceCommand(opts = {}) {
 *     DefaultActions:[ <action> ] }
 * ElasticLoadBalancingV2::ListenerRule  : { ListenerArn:{Ref:<Listener>}, Priority,
 *     Conditions:[{ Field:"path-pattern", PathPatternConfig:{ Values:["/api/*"] } },
-*                 { Field:"host-header",  HostHeaderConfig:{ Values:["api.example.com"] } }],
+*                 { Field:"host-header",  HostHeaderConfig:{ Values:["api.example.com"] } },
+*                 { Field:"http-header",  HttpHeaderConfig:{ HttpHeaderName:"X-API", Values:["*"] } },
+*                 { Field:"http-request-method", HttpRequestMethodConfig:{ Values:["POST"] } },
+*                 { Field:"query-string", QueryStringConfig:{ Values:[{ Key:"v", Value:"1" }] } },
+*                 { Field:"source-ip",    SourceIpConfig:{ Values:["10.0.0.0/8"] } }],
 *     Actions:[ <action> ] }
 * ElasticLoadBalancingV2::TargetGroup   : { Port, Protocol, TargetType:"ip" }
 * ECS::Service.LoadBalancers[]          -> { ContainerName, ContainerPort, TargetGroupArn:{Ref:<TG>} }
@@ -4758,16 +5054,16 @@ function createLocalStartServiceCommand(opts = {}) {
 * `LoadBalancers[]` references each target group (a reverse scan; there is no
 * direct TG -> service pointer). Output is a per-listener routing table: a
 * default action plus the ordered rules, each carrying its resolved action and
-* its path / host conditions.
+* its full set of routing conditions.
 *
-* Scope: HTTP listeners; `path-pattern` + `host-header` conditions; `forward`
-* (single or weighted) to ECS services AND/OR Lambda functions
-* (`TargetType:"lambda"` target groups — #123: the TG -> backing
+* Scope: HTTP listeners; all six ALB rule-condition fields (`path-pattern`,
+* `host-header`, `http-header`, `http-request-method`, `query-string`,
+* `source-ip`); `forward` (single or weighted) to ECS services AND/OR Lambda
+* functions (`TargetType:"lambda"` target groups — #123: the TG -> backing
 * `AWS::Lambda::Function` is resolved and the front-door invokes it locally per
 * request); `redirect` / `fixed-response` actions. A single weighted forward may
-* mix ECS and Lambda targets. Skipped with a warning: HTTPS/TLS listeners, the
-* other condition fields (http-header / http-request-method / query-string /
-* source-ip), and `authenticate-cognito` / `authenticate-oidc` actions.
+* mix ECS and Lambda targets. Skipped with a warning: HTTPS/TLS listeners and
+* `authenticate-cognito` / `authenticate-oidc` actions.
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
@@ -4803,18 +5099,20 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
 			const priority = parsePriority(ruleProps["Priority"]);
 			const ruleLabel = `Listener rule '${ruleLogicalId}' (priority ${priority})`;
-			const { pathPatterns, hostPatterns, unsupported } = parseRuleConditions(ruleProps["Conditions"]);
-			if (unsupported.length > 0) {
-				warnings.push(`${ruleLabel} uses unsupported condition(s): ${unsupported.join(", ")}. The local ALB front-door supports path-pattern and host-header conditions only (http-header / query-string / http-request-method / source-ip deferred). Skipping it.`);
-				continue;
-			}
-			if (pathPatterns.length === 0 && hostPatterns.length === 0) continue;
+			const parsed = parseRuleConditions(ruleProps["Conditions"], ruleLabel, warnings);
+			if (!parsed) continue;
+			const { pathPatterns, hostPatterns, httpHeaderConditions, httpRequestMethods, queryStringConditions, sourceIpCidrs } = parsed;
+			if (!(pathPatterns.length > 0 || hostPatterns.length > 0 || httpHeaderConditions.length > 0 || httpRequestMethods.length > 0 || queryStringConditions.length > 0 || sourceIpCidrs.length > 0)) continue;
 			const action = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
 			if (!action) continue;
 			rules.push({
 				priority,
 				pathPatterns,
 				hostPatterns,
+				httpHeaderConditions,
+				httpRequestMethods,
+				queryStringConditions,
+				sourceIpCidrs,
 				action
 			});
 		}
@@ -5047,36 +5345,135 @@ function indexRulesByListener(resources) {
 	return index;
 }
 /**
-* Parse a ListenerRule's `Conditions` into its supported `path-pattern` and
-* `host-header` values plus the field names of any unsupported conditions
-* (which make the rule unsupported). ALB ANDs conditions of different fields,
-* so a rule with an unsupported field cannot be honored locally. Multiple
-* conditions of the same field merge their values (each field OR-matches).
+* Parse a ListenerRule's `Conditions` into the six supported fields. Returns
+* `undefined` when an unknown field is encountered or a known field is
+* malformed enough that honoring the rule would silently drop a constraint
+* — both surface a warning and skip the whole rule (ALB ANDs conditions of
+* different fields, so dropping any condition would route requests it should
+* not).
+*
+* Multiple `http-header` conditions on different names are kept (they AND).
+* Multiple `path-pattern` / `host-header` / `http-request-method` /
+* `query-string` / `source-ip` conditions on the same field merge their
+* values (each field OR-matches). A `source-ip` value that does not parse as
+* a CIDR makes the whole rule unsupported (the rule's authoring intent was
+* specific; dropping the invalid range would silently widen the allow list).
 */
-function parseRuleConditions(conditions) {
-	const pathPatterns = [];
-	const hostPatterns = [];
-	const unsupported = [];
-	if (!Array.isArray(conditions)) return {
-		pathPatterns,
-		hostPatterns,
-		unsupported
+function parseRuleConditions(conditions, ruleLabel, warnings) {
+	const out = {
+		pathPatterns: [],
+		hostPatterns: [],
+		httpHeaderConditions: [],
+		httpRequestMethods: [],
+		queryStringConditions: [],
+		sourceIpCidrs: []
 	};
+	if (!Array.isArray(conditions)) return out;
 	for (const cond of conditions) {
 		if (!cond || typeof cond !== "object") continue;
 		const c = cond;
 		const field = typeof c["Field"] === "string" ? c["Field"] : "(unknown)";
-		if (field === "path-pattern") pathPatterns.push(...conditionValues(c, "PathPatternConfig"));
-		else if (field === "host-header") hostPatterns.push(...conditionValues(c, "HostHeaderConfig"));
-		else unsupported.push(field);
+		if (field === "path-pattern") out.pathPatterns.push(...conditionValues(c, "PathPatternConfig"));
+		else if (field === "host-header") out.hostPatterns.push(...conditionValues(c, "HostHeaderConfig"));
+		else if (field === "http-header") {
+			const parsed = parseHttpHeaderCondition(c);
+			if (!parsed) {
+				warnings.push(`${ruleLabel} has an http-header condition with no HttpHeaderName / Values; skipping the rule.`);
+				return;
+			}
+			out.httpHeaderConditions.push(parsed);
+		} else if (field === "http-request-method") out.httpRequestMethods.push(...conditionValues(c, "HttpRequestMethodConfig"));
+		else if (field === "query-string") {
+			const { parsed, hadEntries } = parseQueryStringConditionValues(c);
+			if (hadEntries && parsed.length === 0) {
+				warnings.push(`${ruleLabel} query-string condition has no parseable { Key?, Value } entries; skipping the rule.`);
+				return;
+			}
+			out.queryStringConditions.push(...parsed);
+		} else if (field === "source-ip") {
+			const values = conditionValues(c, "SourceIpConfig");
+			const invalid = values.filter((v) => !isValidCidr(v));
+			if (invalid.length > 0) {
+				warnings.push(`${ruleLabel} source-ip condition has unparseable CIDR(s): ${invalid.join(", ")}. The local ALB front-door requires valid IPv4 / IPv6 CIDRs; skipping the rule.`);
+				return;
+			}
+			out.sourceIpCidrs.push(...values);
+		} else {
+			warnings.push(`${ruleLabel} uses unsupported condition field '${field}'. Skipping the rule.`);
+			return;
+		}
 	}
+	return out;
+}
+/**
+* Parse an `http-header` condition into its `{ name, values }` form. Returns
+* `undefined` when `HttpHeaderName` is missing / non-string or `Values` is
+* empty (either makes the rule's authoring intent unrecoverable).
+*/
+function parseHttpHeaderCondition(cond) {
+	const cfg = cond["HttpHeaderConfig"];
+	if (!cfg || typeof cfg !== "object") return void 0;
+	const c = cfg;
+	const name = c["HttpHeaderName"];
+	if (typeof name !== "string" || name.length === 0) return void 0;
+	const values = (Array.isArray(c["Values"]) ? c["Values"] : []).filter((v) => typeof v === "string");
+	if (values.length === 0) return void 0;
 	return {
-		pathPatterns,
-		hostPatterns,
-		unsupported
+		name,
+		values
 	};
 }
 /**
+* Parse a `query-string` condition's `Values` into `{ key?, value }` pairs.
+* ALB accepts either object entries (`{ Key?, Value }`) or bare strings
+* (legacy v1 shape: a string is treated as `{ value }`). Non-string `Key` /
+* `Value` fields are dropped; an entry with no `Value` is dropped. Returns
+* `hadEntries` so the caller can distinguish an absent / empty `Values` array
+* (drop the field silently) from one whose entries were all unparseable
+* (warn + skip the whole rule — silently dropping would widen routing).
+*/
+function parseQueryStringConditionValues(cond) {
+	const cfg = cond["QueryStringConfig"];
+	const rawValues = cfg && typeof cfg === "object" && Array.isArray(cfg["Values"]) ? cfg["Values"] : Array.isArray(cond["Values"]) ? cond["Values"] : [];
+	const parsed = [];
+	for (const v of rawValues) if (typeof v === "string") parsed.push({ value: v });
+	else if (v && typeof v === "object") {
+		const e = v;
+		const value = e["Value"];
+		if (typeof value !== "string") continue;
+		const key = e["Key"];
+		parsed.push(typeof key === "string" ? {
+			key,
+			value
+		} : { value });
+	}
+	return {
+		parsed,
+		hadEntries: rawValues.length > 0
+	};
+}
+/**
+* Cheap CIDR validity check used at parse time. Mirrors the more permissive
+* matcher (`albCidrMatches`) but only confirms shape; we do not need to
+* remember the parsed bytes here.
+*/
+function isValidCidr(value) {
+	const slash = value.indexOf("/");
+	if (slash === -1) return false;
+	const addr = value.slice(0, slash);
+	const prefix = value.slice(slash + 1);
+	if (!/^\d+$/.test(prefix)) return false;
+	const prefixLen = parseInt(prefix, 10);
+	if (addr.includes(".") && !addr.includes(":")) {
+		const parts = addr.split(".");
+		if (parts.length !== 4) return false;
+		if (!parts.every((p) => /^\d+$/.test(p) && parseInt(p, 10) <= 255)) return false;
+		return prefixLen >= 0 && prefixLen <= 32;
+	}
+	if (addr.includes(":")) return prefixLen >= 0 && prefixLen <= 128;
+	return false;
+}
+/**
 * Extract a condition's string values from either the typed `<Field>Config`
 * sub-object's `Values` or the legacy top-level `Values` array.
 */
@@ -5317,6 +5714,10 @@ function albStrategy(options) {
 							priority: r.priority,
 							pathPatterns: r.pathPatterns,
 							hostPatterns: r.hostPatterns,
+							httpHeaderConditions: r.httpHeaderConditions,
+							httpRequestMethods: r.httpRequestMethods,
+							queryStringConditions: r.queryStringConditions,
+							sourceIpCidrs: r.sourceIpCidrs,
 							action: qualify(r.action)
 						}))
 					});
@@ -5423,4 +5824,4 @@ function createLocalListCommand(opts = {}) {
 
 //#endregion
 export { createLocalRunTaskCommand as a, createLocalStartServiceCommand as i, formatTargetListing as n, createLocalInvokeAgentCoreCommand as o, createLocalStartAlbCommand as r, createLocalInvokeCommand as s, createLocalListCommand as t };
-//# sourceMappingURL=local-list-BovxL7PC.js.map
+//# sourceMappingURL=local-list-DbBCVhla.js.map