cdk-local 0.50.0 → 0.52.0

package/README.md

@@ -72,7 +72,7 @@ Full flags, precedence, and `--from-cfn-stack` resolution: [docs/cli-reference.m
 | `cdkl start-service <Service>` | the ECS **service** | just the service's replicas (no load balancer) | workers / queue consumers / Service-Connect-only services, or to hit the containers directly |
 | `cdkl start-alb <Alb>` | the **ALB** | the ECS service(s) behind it **plus** a local **front-door** on each listener port | an `ApplicationLoadBalancedFargateService`-style service you want to reach the way external traffic does |
 
-`start-alb` discovers the ECS service(s) behind the ALB's HTTP listeners, boots their replicas, and stands up a host-side front-door on each listener port that round-robins across the replicas — one stable host endpoint, like behind a real load balancer. It honors **`path-pattern` and `host-header` listener rules**, **weighted** forwards, and **`redirect` / `fixed-response`** actions, so a listener routing `/api/*` (or `api.example.com`) to one service and everything else to another — or returning a redirect / canned response — is reproduced locally. A **`TargetType: lambda`** target group is served by invoking the backing Lambda locally (the request is translated to the ALB `requestContext.elb` event and run through the Lambda RIE), so a forward can mix ECS and Lambda targets.
+`start-alb` discovers the ECS service(s) behind the ALB's HTTP listeners, boots their replicas, and stands up a host-side front-door on each listener port that round-robins across the replicas — one stable host endpoint, like behind a real load balancer. It honors **every ALB listener-rule condition** — `path-pattern`, `host-header`, `http-header`, `http-request-method`, `query-string`, and `source-ip` — plus **weighted** forwards and **`redirect` / `fixed-response`** actions, so a listener routing `/api/*` (or `api.example.com`, or `X-Tenant: acme`, or `POST` writes, or `?version=2`, or `10.0.0.0/8`) to one service and everything else to another — or returning a redirect / canned response — is reproduced locally. A **`TargetType: lambda`** target group is served by invoking the backing Lambda locally (the request is translated to the ALB `requestContext.elb` event and run through the Lambda RIE), so a forward can mix ECS and Lambda targets.
 
 ```bash
 cdkl start-alb MyStack/WebAlb --lb-port 80=8080   # remap the privileged listener port 80 (macOS)
@@ -80,7 +80,7 @@ curl http://127.0.0.1:8080/        # default action -> the default service (roun
 curl http://127.0.0.1:8080/api/x   # path-pattern rule /api/* -> the api service
 ```
 
-Resolution model + scope (HTTP listeners, `path-pattern` + `host-header` rules, weighted forwards, `redirect` / `fixed-response`, ECS **and** Lambda targets; `http-header` / `query-string` / `source-ip` conditions deferred): [docs/cli-reference.md](docs/cli-reference.md#cdkl-start-alb-run-an-alb-fronted-service-locally).
+Resolution model + scope (HTTP listeners, all six ALB rule-condition fields, weighted forwards, `redirect` / `fixed-response`, ECS **and** Lambda targets): [docs/cli-reference.md](docs/cli-reference.md#cdkl-start-alb-run-an-alb-fronted-service-locally).
 
 ## Override env vars without a state source
 
@@ -104,7 +104,7 @@ Format + full precedence: [docs/cli-reference.md](docs/cli-reference.md).
 | `AWS::ECS::TaskDefinition` (run-task) | ✓ |
 | `AWS::ECS::Service` (start-service) | ✓ |
 | `AWS::ServiceDiscovery::*` (Cloud Map / Service Connect) | ✓ |
-| `AWS::ElasticLoadBalancingV2::*` (start-alb: ALB front-door; `path-pattern` + `host-header` rules, weighted forward, redirect / fixed-response; ECS + Lambda targets) | ✓ |
+| `AWS::ElasticLoadBalancingV2::*` (start-alb: ALB front-door; all six listener-rule condition fields, weighted forward, redirect / fixed-response; ECS + Lambda targets) | ✓ |
 | `AWS::BedrockAgentCore::Runtime` (invoke-agentcore, container + fromCodeAsset/fromS3 artifacts, HTTP + MCP) | ✓ |
 
 Lambda runs on every current AWS Lambda runtime — Node.js (18/20/22/24), Python (3.11–3.14), Ruby (3.2/3.3), Java (8.al2/11/17/21), .NET (6/8), and the OS-only `provided.al2` / `provided.al2023`. The retired `go1.x` runtime is rejected with a pointer to migrate to `provided.al2023`.

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
-import { a as createLocalStartApiCommand } from "./cloud-map-resolver-BvhnCkSe.js";
-import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-C6xuYlRB.js";
+import { a as createLocalStartApiCommand } from "./cloud-map-resolver-D0OCnW6R.js";
+import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-v8D51s5a.js";
 import { Command } from "commander";
 
 //#region src/cli/index.ts
 const program = new Command();
-program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.50.0");
+program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.52.0");
 program.addCommand(createLocalInvokeCommand());
 program.addCommand(createLocalInvokeAgentCoreCommand());
 program.addCommand(createLocalStartApiCommand());

package/dist/{cloud-map-resolver-BvhnCkSe.js → cloud-map-resolver-D0OCnW6R.js}

@@ -1327,13 +1327,86 @@ function extractJwtAuthorizer(authorizerConfig, logicalId) {
 	const toStringArray = (v) => Array.isArray(v) ? v.filter((x) => typeof x === "string") : void 0;
 	const allowedAudience = toStringArray(cfg["AllowedAudience"]);
 	const allowedClients = toStringArray(cfg["AllowedClients"]);
+	const allowedScopes = toStringArray(cfg["AllowedScopes"]);
+	const customClaims = extractCustomClaims(cfg["CustomClaims"], logicalId);
 	return {
 		discoveryUrl,
 		...allowedAudience && allowedAudience.length > 0 && { allowedAudience },
-		...allowedClients && allowedClients.length > 0 && { allowedClients }
+		...allowedClients && allowedClients.length > 0 && { allowedClients },
+		...allowedScopes && allowedScopes.length > 0 && { allowedScopes },
+		...customClaims && customClaims.length > 0 && { customClaims }
 	};
 }
 /**
+* Parse a `CustomJWTAuthorizer.CustomClaims[]` array into
+* {@link AgentCoreCustomClaim}s. The template shape (synthesized by the L2):
+*
+* ```
+* {
+*   InboundTokenClaimName: <claim name>,
+*   InboundTokenClaimValueType: 'STRING' | 'STRING_ARRAY',
+*   AuthorizingClaimMatchValue: {
+*     ClaimMatchOperator: 'EQUALS' | 'CONTAINS' | 'CONTAINS_ANY',
+*     ClaimMatchValue: { MatchValueString?: ..., MatchValueStringList?: [...] }
+*   }
+* }
+* ```
+*
+* Each entry that fails to parse (missing name / unknown type / unknown
+* operator / wrong value shape) is warn-and-skipped — the deployed runtime
+* would reject a token that violates ANY claim rule, so dropping a rule we
+* can't evaluate is the safer side (under-restrictive in `--no-verify-auth`
+* paths, fine elsewhere because the surviving rules still gate the token).
+*/
+function extractCustomClaims(raw, logicalId) {
+	if (!Array.isArray(raw)) return void 0;
+	const out = [];
+	for (const entry of raw) {
+		if (!entry || typeof entry !== "object" || Array.isArray(entry)) continue;
+		const e = entry;
+		const name = e["InboundTokenClaimName"];
+		const valueType = e["InboundTokenClaimValueType"];
+		const matchObj = e["AuthorizingClaimMatchValue"];
+		if (typeof name !== "string" || name.length === 0) continue;
+		if (valueType !== "STRING" && valueType !== "STRING_ARRAY") {
+			getLogger().warn(`AgentCore Runtime '${logicalId}' CustomClaims entry '${name}' has unsupported InboundTokenClaimValueType '${String(valueType)}' (expected STRING / STRING_ARRAY); skipping.`);
+			continue;
+		}
+		if (!matchObj || typeof matchObj !== "object" || Array.isArray(matchObj)) continue;
+		const m = matchObj;
+		const operator = m["ClaimMatchOperator"];
+		const matchValue = m["ClaimMatchValue"];
+		if (operator !== "EQUALS" && operator !== "CONTAINS" && operator !== "CONTAINS_ANY") {
+			getLogger().warn(`AgentCore Runtime '${logicalId}' CustomClaims entry '${name}' has unsupported ClaimMatchOperator '${String(operator)}' (expected EQUALS / CONTAINS / CONTAINS_ANY); skipping.`);
+			continue;
+		}
+		if (!matchValue || typeof matchValue !== "object" || Array.isArray(matchValue)) continue;
+		const mv = matchValue;
+		let value;
+		if (operator === "CONTAINS_ANY") {
+			const list = mv["MatchValueStringList"];
+			if (Array.isArray(list)) {
+				value = list.filter((x) => typeof x === "string");
+				if (value.length === 0) value = void 0;
+			}
+		} else {
+			const s = mv["MatchValueString"];
+			if (typeof s === "string" && s.length > 0) value = s;
+		}
+		if (value === void 0) {
+			getLogger().warn(`AgentCore Runtime '${logicalId}' CustomClaims entry '${name}' has no usable MatchValueString / MatchValueStringList for operator ${operator}; skipping.`);
+			continue;
+		}
+		out.push({
+			name,
+			valueType,
+			operator,
+			value
+		});
+	}
+	return out;
+}
+/**
 * Validate `ProtocolConfiguration`. Serves `HTTP` (the default when absent)
 * and `MCP`; `A2A` / `AGUI` speak other wire contracts and hard-error with a
 * pointer to the follow-up.
@@ -9249,7 +9322,7 @@ async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts
 		identityHash,
 		ttlSeconds: 0
 	};
-	return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, jwksCache, opts.warned, now);
+	return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, void 0, void 0, jwksCache, opts.warned, now);
 }
 /**
 * Verify a Bearer JWT against an HTTP v2 JWT authorizer's `JwtConfiguration`.
@@ -9262,7 +9335,7 @@ async function verifyJwtAuthorizer(authorizer, authorizationHeader, jwksCache, o
 		identityHash: void 0,
 		ttlSeconds: 0
 	};
-	return verifyAndShape(token, authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer), authorizer.issuer.replace(/\/+$/, ""), authorizer.audience, jwksCache, opts.warned, now);
+	return verifyAndShape(token, authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer), authorizer.issuer.replace(/\/+$/, ""), authorizer.audience, void 0, void 0, jwksCache, opts.warned, now);
 }
 /**
 * Verify a Bearer JWT against an OIDC-discovery-URL authorizer (Bedrock
@@ -9314,9 +9387,9 @@ async function verifyJwtViaDiscovery(authorizer, authorizationHeader, jwksCache,
 		};
 	}
 	const allowlist = [...authorizer.allowedAudience ?? [], ...authorizer.allowedClients ?? []];
-	return verifyAndShape(token, jwksUri, issuer.replace(/\/+$/, ""), allowlist.length > 0 ? allowlist : void 0, jwksCache, opts.warned, now);
+	return verifyAndShape(token, jwksUri, issuer.replace(/\/+$/, ""), allowlist.length > 0 ? allowlist : void 0, authorizer.allowedScopes, authorizer.customClaims, jwksCache, opts.warned, now);
 }
-async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, jwksCache, warned, now) {
+async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, requiredScopes, customClaims, jwksCache, warned, now) {
 	const identityHash = buildIdentityHash([token]);
 	const jwks = await jwksCache.fetchAndCache(jwksUrl);
 	if (jwks.passThrough) {
@@ -9377,9 +9450,59 @@ async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience,
 			ttlSeconds: 0
 		};
 	}
+	if (requiredScopes && requiredScopes.length > 0) {
+		if (!verifyRequiredScopes(claims["scope"], requiredScopes)) return {
+			allow: false,
+			identityHash,
+			ttlSeconds: 0
+		};
+	}
+	if (customClaims && customClaims.length > 0) {
+		for (const rule of customClaims) if (!verifyCustomClaim(claims[rule.name], rule)) return {
+			allow: false,
+			identityHash,
+			ttlSeconds: 0
+		};
+	}
 	return shapeAllowResult(parsed, identityHash, now);
 }
 /**
+* The OAuth `scope` claim is a space-separated string. The token is allowed
+* iff every required scope is present (allowlist as REQUIRED, not OR).
+*/
+function verifyRequiredScopes(scopeClaim, requiredScopes) {
+	const tokenScopes = typeof scopeClaim === "string" ? scopeClaim.split(/\s+/).filter((s) => s.length > 0) : Array.isArray(scopeClaim) ? scopeClaim.filter((s) => typeof s === "string") : [];
+	return requiredScopes.every((s) => tokenScopes.includes(s));
+}
+/**
+* Verify a single `CustomJWTAuthorizer.CustomClaims` rule against the token's
+* claim value:
+*
+* - `STRING` + `EQUALS` — claim is a string equal to `value`.
+* - `STRING_ARRAY` + `CONTAINS` — claim is an array containing `value`.
+* - `STRING_ARRAY` + `CONTAINS_ANY` — claim is an array sharing at least one
+*   entry with `value` (an array of allowed strings).
+*
+* A missing or wrong-typed claim fails the rule.
+*/
+function verifyCustomClaim(claimValue, rule) {
+	if (rule.valueType === "STRING") {
+		if (rule.operator !== "EQUALS" || typeof rule.value !== "string") return false;
+		return typeof claimValue === "string" && claimValue === rule.value;
+	}
+	if (!Array.isArray(claimValue)) return false;
+	const tokenValues = claimValue.filter((v) => typeof v === "string");
+	if (rule.operator === "CONTAINS") {
+		if (typeof rule.value !== "string") return false;
+		return tokenValues.includes(rule.value);
+	}
+	if (rule.operator === "CONTAINS_ANY") {
+		if (!Array.isArray(rule.value)) return false;
+		return rule.value.some((v) => tokenValues.includes(v));
+	}
+	return false;
+}
+/**
 * Construct the Allow result for a verified JWT. The handler-side context
 * is the parsed claim map; principalId mirrors Cognito's deployed
 * behavior (the `sub` claim, falling back to `username` then `cognito:username`).
@@ -17599,4 +17722,4 @@ function extractDnsRecords(serviceProps) {
 
 //#endregion
 export { attachAuthorizers as $, substituteAgainstState as $t, buildHttpApiV2Event as A, AGENTCORE_RUNTIME_TYPE as An, buildDockerImage as At, ConnectionRegistry as B, readCdkPathOrUndefined as Bn, streamLogs as Bt, computeRequestIdentityHash as C, discoverWebSocketApisOrThrow as Cn, getDockerImageBySourceHash as Ct, matchRoute as D, resolveLambdaArnIntrinsic as Dn, buildContainerImage as Dt, invokeTokenAuthorizer as E, pickRefLogicalId as En, architectureToPlatform as Et, tryParseStatus as F, derivePseudoParametersFromRegion as Fn, execEnvForSecrets as Ft, buildDisconnectEvent as G, withErrorHandling as Gn, TASK_ROLE_ACCOUNT_PLACEHOLDER as Gt, handleConnectionsRequest as H, CdkLocalError as Hn, resolveRuntimeFileExtension as Ht, VtlEvaluationError as I, substituteImagePlaceholders as In, pickFreePort as It, buildJwksUrlFromIssuer as J, commonOptions as Jn, derivePartitionAndUrlSuffix as Jt, buildMessageEvent as K, applyRoleArnIfSet as Kn, applyCrossStackResolverToTask as Kt, HOST_GATEWAY_MIN_VERSION as L, tryResolveImageFnJoin as Ln, pullImage as Lt, evaluateResponseParameters as M, pickAgentCoreCandidateStack as Mn, SENSITIVE_ENV_KEYS as Mt, pickResponseTemplate as N, resolveAgentCoreTarget as Nn, appendEnvFlags as Nt, translateLambdaResponse as O, AGENTCORE_HTTP_PROTOCOL as On, parseEcrUri as Ot, selectIntegrationResponse as P, resolveLambdaTarget as Pn, ensureDockerAvailable as Pt, verifyJwtViaDiscovery as Q, warnIfDeprecatedRegion as Qn, applyDeployedEnvFallback as Qt, probeHostGatewaySupport as R, matchStacks as Rn, removeContainer as Rt, buildMethodArn as S, discoverWebSocketApis as Sn, AssetManifestLoader as St, invokeRequestAuthorizer as T, discoverRoutes as Tn, waitForRieReady as Tt, parseConnectionsPath as U, LocalInvokeBuildError as Un, resolveRuntimeImage as Ut, buildMgmtEndpointEnvUrl as V, resolveCdkPathToLogicalIds as Vn, resolveRuntimeCodeMountPath as Vt, buildConnectEvent as W, LocalStartServiceError as Wn, EcsTaskResolutionError as Wt, verifyCognitoJwt as X, deprecatedRegionOption as Xn, parseEcsTarget as Xt, createJwksCache as Y, contextOptions as Yn, detectEcsImageResolutionNeeds as Yt, verifyJwtAuthorizer as Z, parseContextOptions as Zn, resolveEcsTaskTarget as Zt, readMtlsMaterialsFromDisk as _, Synthesizer as _n, computeCodeImageTag as _t, createLocalStartApiCommand as a, LocalStateSourceError as an, invokeAgentCoreWs as at, resolveServiceIntegrationParameters as b, countTargets as bn, writeProfileCredentialsFile as bt, resolveProfileCredentials as c, rejectExplicitCfnStackWithMultipleStacks as cn, MCP_PROTOCOL_VERSION as ct, attachStageContext as d, resolveCfnStackName as dn, AGENTCORE_SESSION_ID_HEADER as dt, substituteAgainstStateAsync as en, applyCorsResponseHeaders as et, buildStageMap as f, CfnLocalStateProvider as fn, invokeAgentCore as ft, groupRoutesByServer as g, resolveWatchConfig as gn, buildAgentCoreCodeImage as gt, filterRoutesByApiIdentifiers as h, resolveApp as hn, SUPPORTED_CODE_RUNTIMES as ht, getPublishedHostPort as i, materializeLayerFromArn as in, matchPreflight as it, buildRestV1Event as j, AgentCoreResolutionError as jn, DockerRunnerError as jt, applyAuthorizerOverlay as k, AGENTCORE_MCP_PROTOCOL as kn, pullEcrImage as kt, createAuthorizerCache as l, resolveCfnFallbackRegion as ln, mcpInvokeOnce as lt, filterRoutesByApiIdentifier as m, resolveSsmParameters as mn, downloadAndExtractS3Bundle as mt, CloudMapRegistry as n, substituteEnvVarsFromStateAsync as nn, buildCorsConfigFromCloudFrontChain as nt, createWatchPredicates as o, createLocalStateProvider as on, MCP_CONTAINER_PORT as ot, availableApiIdentifiers as p, collectSsmParameterRefs as pn, waitForAgentCorePing as pt, buildCognitoJwksUrl as q, appOptions as qn, checkVolumeHostPath as qt, getContainerNetworkIp as r, resolveEnvVars as rn, isFunctionUrlOacFronted as rt, resolveApiTargetSubset as s, isCfnFlagPresent as sn, MCP_PATH as st, buildCloudMapIndex as t, substituteEnvVarsFromState as tn, buildCorsConfigByApiId as tt, createFileWatcher as u, resolveCfnRegion as un, parseSseForJsonRpc as ut, startApiServer as v, resolveMultiTarget as vn, renderCodeDockerfile as vt, evaluateCachedLambdaPolicy as w, parseSelectionExpressionPath as wn, invokeRie as wt, defaultCredentialsLoader as x, listTargets as xn, singleFlight as xt, resolveSelectionExpression as y, resolveSingleTarget as yn, toCmdArgv as yt, bufferToBody as z, buildCdkPathIndex as zn, runDetached as zt };
-//# sourceMappingURL=cloud-map-resolver-BvhnCkSe.js.map
+//# sourceMappingURL=cloud-map-resolver-D0OCnW6R.js.map