cdk-local 0.51.0 → 0.53.0

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
-import { a as createLocalStartApiCommand } from "./cloud-map-resolver-BvhnCkSe.js";
-import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-DbBCVhla.js";
+import { a as createLocalStartApiCommand } from "./cloud-map-resolver-CbSdXQjx.js";
+import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-B1RsKINr.js";
 import { Command } from "commander";
 
 //#region src/cli/index.ts
 const program = new Command();
-program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.51.0");
+program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.53.0");
 program.addCommand(createLocalInvokeCommand());
 program.addCommand(createLocalInvokeAgentCoreCommand());
 program.addCommand(createLocalStartApiCommand());

package/dist/{cloud-map-resolver-BvhnCkSe.js → cloud-map-resolver-CbSdXQjx.js}

@@ -24,6 +24,8 @@ import { setTimeout as setTimeout$1 } from "node:timers/promises";
 import { readFile } from "fs/promises";
 import { join as join$1 } from "path";
 import { unzipSync } from "fflate";
+import { Sha256 } from "@aws-crypto/sha256-js";
+import { SignatureV4 } from "@smithy/signature-v4";
 import { WebSocket, WebSocketServer } from "ws";
 import { createServer as createServer$1 } from "node:http";
 import { createServer as createServer$2 } from "node:https";
@@ -1327,13 +1329,86 @@ function extractJwtAuthorizer(authorizerConfig, logicalId) {
 	const toStringArray = (v) => Array.isArray(v) ? v.filter((x) => typeof x === "string") : void 0;
 	const allowedAudience = toStringArray(cfg["AllowedAudience"]);
 	const allowedClients = toStringArray(cfg["AllowedClients"]);
+	const allowedScopes = toStringArray(cfg["AllowedScopes"]);
+	const customClaims = extractCustomClaims(cfg["CustomClaims"], logicalId);
 	return {
 		discoveryUrl,
 		...allowedAudience && allowedAudience.length > 0 && { allowedAudience },
-		...allowedClients && allowedClients.length > 0 && { allowedClients }
+		...allowedClients && allowedClients.length > 0 && { allowedClients },
+		...allowedScopes && allowedScopes.length > 0 && { allowedScopes },
+		...customClaims && customClaims.length > 0 && { customClaims }
 	};
 }
 /**
+* Parse a `CustomJWTAuthorizer.CustomClaims[]` array into
+* {@link AgentCoreCustomClaim}s. The template shape (synthesized by the L2):
+*
+* ```
+* {
+*   InboundTokenClaimName: <claim name>,
+*   InboundTokenClaimValueType: 'STRING' | 'STRING_ARRAY',
+*   AuthorizingClaimMatchValue: {
+*     ClaimMatchOperator: 'EQUALS' | 'CONTAINS' | 'CONTAINS_ANY',
+*     ClaimMatchValue: { MatchValueString?: ..., MatchValueStringList?: [...] }
+*   }
+* }
+* ```
+*
+* Each entry that fails to parse (missing name / unknown type / unknown
+* operator / wrong value shape) is warn-and-skipped — the deployed runtime
+* would reject a token that violates ANY claim rule, so dropping a rule we
+* can't evaluate is the safer side (under-restrictive in `--no-verify-auth`
+* paths, fine elsewhere because the surviving rules still gate the token).
+*/
+function extractCustomClaims(raw, logicalId) {
+	if (!Array.isArray(raw)) return void 0;
+	const out = [];
+	for (const entry of raw) {
+		if (!entry || typeof entry !== "object" || Array.isArray(entry)) continue;
+		const e = entry;
+		const name = e["InboundTokenClaimName"];
+		const valueType = e["InboundTokenClaimValueType"];
+		const matchObj = e["AuthorizingClaimMatchValue"];
+		if (typeof name !== "string" || name.length === 0) continue;
+		if (valueType !== "STRING" && valueType !== "STRING_ARRAY") {
+			getLogger().warn(`AgentCore Runtime '${logicalId}' CustomClaims entry '${name}' has unsupported InboundTokenClaimValueType '${String(valueType)}' (expected STRING / STRING_ARRAY); skipping.`);
+			continue;
+		}
+		if (!matchObj || typeof matchObj !== "object" || Array.isArray(matchObj)) continue;
+		const m = matchObj;
+		const operator = m["ClaimMatchOperator"];
+		const matchValue = m["ClaimMatchValue"];
+		if (operator !== "EQUALS" && operator !== "CONTAINS" && operator !== "CONTAINS_ANY") {
+			getLogger().warn(`AgentCore Runtime '${logicalId}' CustomClaims entry '${name}' has unsupported ClaimMatchOperator '${String(operator)}' (expected EQUALS / CONTAINS / CONTAINS_ANY); skipping.`);
+			continue;
+		}
+		if (!matchValue || typeof matchValue !== "object" || Array.isArray(matchValue)) continue;
+		const mv = matchValue;
+		let value;
+		if (operator === "CONTAINS_ANY") {
+			const list = mv["MatchValueStringList"];
+			if (Array.isArray(list)) {
+				value = list.filter((x) => typeof x === "string");
+				if (value.length === 0) value = void 0;
+			}
+		} else {
+			const s = mv["MatchValueString"];
+			if (typeof s === "string" && s.length > 0) value = s;
+		}
+		if (value === void 0) {
+			getLogger().warn(`AgentCore Runtime '${logicalId}' CustomClaims entry '${name}' has no usable MatchValueString / MatchValueStringList for operator ${operator}; skipping.`);
+			continue;
+		}
+		out.push({
+			name,
+			valueType,
+			operator,
+			value
+		});
+	}
+	return out;
+}
+/**
 * Validate `ProtocolConfiguration`. Serves `HTTP` (the default when absent)
 * and `MCP`; `A2A` / `AGUI` speak other wire contracts and hard-error with a
 * pointer to the follow-up.
@@ -7957,7 +8032,8 @@ async function invokeAgentCore(host, port, event, options) {
 				"Content-Type": "application/json",
 				Accept: "application/json, text/event-stream",
 				[AGENTCORE_SESSION_ID_HEADER]: options.sessionId,
-				...options.authorization && { Authorization: options.authorization }
+				...options.authorization && { Authorization: options.authorization },
+				...options.additionalHeaders ?? {}
 			},
 			body,
 			signal: controller.signal
@@ -8011,6 +8087,71 @@ async function streamBody(body, onChunk) {
 	}
 }
 
+//#endregion
+//#region src/local/agentcore-sigv4-sign.ts
+/**
+* Client-side SigV4 signing for `cdkl invoke-agentcore --sigv4`.
+*
+* AgentCore's `InvokeAgentRuntime` API authenticates inbound `/invocations`
+* requests with IAM SigV4 when the runtime declares no
+* `customJwtAuthorizer`. The deployed cloud verifies the signature; a locally
+* running agent never does (no AWS public-key infra inside the container),
+* but an agent that introspects the `Authorization` header (e.g. via the
+* `bedrock-agentcore` SDK's request context) sees the same shape it would in
+* the cloud — header parity for debugging and local-dev of IAM-aware agents.
+*
+* Signing is OPT-IN via `--sigv4` on the command. Default behavior is
+* unchanged: no Authorization header on an unauthenticated invoke.
+*/
+/** AWS service name for AgentCore InvokeAgentRuntime SigV4 signing. */
+const AGENTCORE_SIGV4_SERVICE = "bedrock-agentcore";
+/**
+* Build a SigV4 signature for a `POST /invocations` request to the local
+* AgentCore container. Returns the headers that must be forwarded.
+*/
+async function signAgentCoreInvocation(opts) {
+	const signer = new SignatureV4({
+		credentials: {
+			accessKeyId: opts.credentials.accessKeyId,
+			secretAccessKey: opts.credentials.secretAccessKey,
+			...opts.credentials.sessionToken && { sessionToken: opts.credentials.sessionToken }
+		},
+		region: opts.region,
+		service: AGENTCORE_SIGV4_SERVICE,
+		sha256: Sha256
+	});
+	const request = {
+		method: opts.method ?? "POST",
+		protocol: "http:",
+		hostname: opts.host,
+		port: opts.port,
+		path: opts.path,
+		headers: {
+			"Content-Type": "application/json",
+			Host: `${opts.host}:${opts.port}`,
+			[AGENTCORE_SESSION_ID_HEADER]: opts.sessionId
+		},
+		body: opts.body
+	};
+	const signed = await signer.sign(request, { ...opts.now && { signingDate: new Date(opts.now()) } });
+	const get = (name) => {
+		const lower = name.toLowerCase();
+		for (const [k, v] of Object.entries(signed.headers)) if (k.toLowerCase() === lower) return v;
+	};
+	const authorization = get("authorization");
+	const amzDate = get("x-amz-date");
+	const amzContentSha256 = get("x-amz-content-sha256");
+	if (!authorization || !amzDate) throw new Error("SigV4 signing produced no Authorization / X-Amz-Date header — internal error");
+	const out = {
+		authorization,
+		amzDate,
+		amzContentSha256: amzContentSha256 ?? ""
+	};
+	const amzSecurityToken = get("x-amz-security-token");
+	if (amzSecurityToken) out.amzSecurityToken = amzSecurityToken;
+	return out;
+}
+
 //#endregion
 //#region src/local/agentcore-mcp-client.ts
 /**
@@ -9249,7 +9390,7 @@ async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts
 		identityHash,
 		ttlSeconds: 0
 	};
-	return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, jwksCache, opts.warned, now);
+	return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, void 0, void 0, jwksCache, opts.warned, now);
 }
 /**
 * Verify a Bearer JWT against an HTTP v2 JWT authorizer's `JwtConfiguration`.
@@ -9262,7 +9403,7 @@ async function verifyJwtAuthorizer(authorizer, authorizationHeader, jwksCache, o
 		identityHash: void 0,
 		ttlSeconds: 0
 	};
-	return verifyAndShape(token, authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer), authorizer.issuer.replace(/\/+$/, ""), authorizer.audience, jwksCache, opts.warned, now);
+	return verifyAndShape(token, authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer), authorizer.issuer.replace(/\/+$/, ""), authorizer.audience, void 0, void 0, jwksCache, opts.warned, now);
 }
 /**
 * Verify a Bearer JWT against an OIDC-discovery-URL authorizer (Bedrock
@@ -9314,9 +9455,9 @@ async function verifyJwtViaDiscovery(authorizer, authorizationHeader, jwksCache,
 		};
 	}
 	const allowlist = [...authorizer.allowedAudience ?? [], ...authorizer.allowedClients ?? []];
-	return verifyAndShape(token, jwksUri, issuer.replace(/\/+$/, ""), allowlist.length > 0 ? allowlist : void 0, jwksCache, opts.warned, now);
+	return verifyAndShape(token, jwksUri, issuer.replace(/\/+$/, ""), allowlist.length > 0 ? allowlist : void 0, authorizer.allowedScopes, authorizer.customClaims, jwksCache, opts.warned, now);
 }
-async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, jwksCache, warned, now) {
+async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, requiredScopes, customClaims, jwksCache, warned, now) {
 	const identityHash = buildIdentityHash([token]);
 	const jwks = await jwksCache.fetchAndCache(jwksUrl);
 	if (jwks.passThrough) {
@@ -9377,9 +9518,59 @@ async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience,
 			ttlSeconds: 0
 		};
 	}
+	if (requiredScopes && requiredScopes.length > 0) {
+		if (!verifyRequiredScopes(claims["scope"], requiredScopes)) return {
+			allow: false,
+			identityHash,
+			ttlSeconds: 0
+		};
+	}
+	if (customClaims && customClaims.length > 0) {
+		for (const rule of customClaims) if (!verifyCustomClaim(claims[rule.name], rule)) return {
+			allow: false,
+			identityHash,
+			ttlSeconds: 0
+		};
+	}
 	return shapeAllowResult(parsed, identityHash, now);
 }
 /**
+* The OAuth `scope` claim is a space-separated string. The token is allowed
+* iff every required scope is present (allowlist as REQUIRED, not OR).
+*/
+function verifyRequiredScopes(scopeClaim, requiredScopes) {
+	const tokenScopes = typeof scopeClaim === "string" ? scopeClaim.split(/\s+/).filter((s) => s.length > 0) : Array.isArray(scopeClaim) ? scopeClaim.filter((s) => typeof s === "string") : [];
+	return requiredScopes.every((s) => tokenScopes.includes(s));
+}
+/**
+* Verify a single `CustomJWTAuthorizer.CustomClaims` rule against the token's
+* claim value:
+*
+* - `STRING` + `EQUALS` — claim is a string equal to `value`.
+* - `STRING_ARRAY` + `CONTAINS` — claim is an array containing `value`.
+* - `STRING_ARRAY` + `CONTAINS_ANY` — claim is an array sharing at least one
+*   entry with `value` (an array of allowed strings).
+*
+* A missing or wrong-typed claim fails the rule.
+*/
+function verifyCustomClaim(claimValue, rule) {
+	if (rule.valueType === "STRING") {
+		if (rule.operator !== "EQUALS" || typeof rule.value !== "string") return false;
+		return typeof claimValue === "string" && claimValue === rule.value;
+	}
+	if (!Array.isArray(claimValue)) return false;
+	const tokenValues = claimValue.filter((v) => typeof v === "string");
+	if (rule.operator === "CONTAINS") {
+		if (typeof rule.value !== "string") return false;
+		return tokenValues.includes(rule.value);
+	}
+	if (rule.operator === "CONTAINS_ANY") {
+		if (!Array.isArray(rule.value)) return false;
+		return rule.value.some((v) => tokenValues.includes(v));
+	}
+	return false;
+}
+/**
 * Construct the Allow result for a verified JWT. The handler-side context
 * is the parsed claim map; principalId mirrors Cognito's deployed
 * behavior (the `sub` claim, falling back to `username` then `cognito:username`).
@@ -17598,5 +17789,5 @@ function extractDnsRecords(serviceProps) {
 }
 
 //#endregion
-export { attachAuthorizers as $, substituteAgainstState as $t, buildHttpApiV2Event as A, AGENTCORE_RUNTIME_TYPE as An, buildDockerImage as At, ConnectionRegistry as B, readCdkPathOrUndefined as Bn, streamLogs as Bt, computeRequestIdentityHash as C, discoverWebSocketApisOrThrow as Cn, getDockerImageBySourceHash as Ct, matchRoute as D, resolveLambdaArnIntrinsic as Dn, buildContainerImage as Dt, invokeTokenAuthorizer as E, pickRefLogicalId as En, architectureToPlatform as Et, tryParseStatus as F, derivePseudoParametersFromRegion as Fn, execEnvForSecrets as Ft, buildDisconnectEvent as G, withErrorHandling as Gn, TASK_ROLE_ACCOUNT_PLACEHOLDER as Gt, handleConnectionsRequest as H, CdkLocalError as Hn, resolveRuntimeFileExtension as Ht, VtlEvaluationError as I, substituteImagePlaceholders as In, pickFreePort as It, buildJwksUrlFromIssuer as J, commonOptions as Jn, derivePartitionAndUrlSuffix as Jt, buildMessageEvent as K, applyRoleArnIfSet as Kn, applyCrossStackResolverToTask as Kt, HOST_GATEWAY_MIN_VERSION as L, tryResolveImageFnJoin as Ln, pullImage as Lt, evaluateResponseParameters as M, pickAgentCoreCandidateStack as Mn, SENSITIVE_ENV_KEYS as Mt, pickResponseTemplate as N, resolveAgentCoreTarget as Nn, appendEnvFlags as Nt, translateLambdaResponse as O, AGENTCORE_HTTP_PROTOCOL as On, parseEcrUri as Ot, selectIntegrationResponse as P, resolveLambdaTarget as Pn, ensureDockerAvailable as Pt, verifyJwtViaDiscovery as Q, warnIfDeprecatedRegion as Qn, applyDeployedEnvFallback as Qt, probeHostGatewaySupport as R, matchStacks as Rn, removeContainer as Rt, buildMethodArn as S, discoverWebSocketApis as Sn, AssetManifestLoader as St, invokeRequestAuthorizer as T, discoverRoutes as Tn, waitForRieReady as Tt, parseConnectionsPath as U, LocalInvokeBuildError as Un, resolveRuntimeImage as Ut, buildMgmtEndpointEnvUrl as V, resolveCdkPathToLogicalIds as Vn, resolveRuntimeCodeMountPath as Vt, buildConnectEvent as W, LocalStartServiceError as Wn, EcsTaskResolutionError as Wt, verifyCognitoJwt as X, deprecatedRegionOption as Xn, parseEcsTarget as Xt, createJwksCache as Y, contextOptions as Yn, detectEcsImageResolutionNeeds as Yt, verifyJwtAuthorizer as Z, parseContextOptions as Zn, resolveEcsTaskTarget as Zt, readMtlsMaterialsFromDisk as _, Synthesizer as _n, computeCodeImageTag as _t, createLocalStartApiCommand as a, LocalStateSourceError as an, invokeAgentCoreWs as at, resolveServiceIntegrationParameters as b, countTargets as bn, writeProfileCredentialsFile as bt, resolveProfileCredentials as c, rejectExplicitCfnStackWithMultipleStacks as cn, MCP_PROTOCOL_VERSION as ct, attachStageContext as d, resolveCfnStackName as dn, AGENTCORE_SESSION_ID_HEADER as dt, substituteAgainstStateAsync as en, applyCorsResponseHeaders as et, buildStageMap as f, CfnLocalStateProvider as fn, invokeAgentCore as ft, groupRoutesByServer as g, resolveWatchConfig as gn, buildAgentCoreCodeImage as gt, filterRoutesByApiIdentifiers as h, resolveApp as hn, SUPPORTED_CODE_RUNTIMES as ht, getPublishedHostPort as i, materializeLayerFromArn as in, matchPreflight as it, buildRestV1Event as j, AgentCoreResolutionError as jn, DockerRunnerError as jt, applyAuthorizerOverlay as k, AGENTCORE_MCP_PROTOCOL as kn, pullEcrImage as kt, createAuthorizerCache as l, resolveCfnFallbackRegion as ln, mcpInvokeOnce as lt, filterRoutesByApiIdentifier as m, resolveSsmParameters as mn, downloadAndExtractS3Bundle as mt, CloudMapRegistry as n, substituteEnvVarsFromStateAsync as nn, buildCorsConfigFromCloudFrontChain as nt, createWatchPredicates as o, createLocalStateProvider as on, MCP_CONTAINER_PORT as ot, availableApiIdentifiers as p, collectSsmParameterRefs as pn, waitForAgentCorePing as pt, buildCognitoJwksUrl as q, appOptions as qn, checkVolumeHostPath as qt, getContainerNetworkIp as r, resolveEnvVars as rn, isFunctionUrlOacFronted as rt, resolveApiTargetSubset as s, isCfnFlagPresent as sn, MCP_PATH as st, buildCloudMapIndex as t, substituteEnvVarsFromState as tn, buildCorsConfigByApiId as tt, createFileWatcher as u, resolveCfnRegion as un, parseSseForJsonRpc as ut, startApiServer as v, resolveMultiTarget as vn, renderCodeDockerfile as vt, evaluateCachedLambdaPolicy as w, parseSelectionExpressionPath as wn, invokeRie as wt, defaultCredentialsLoader as x, listTargets as xn, singleFlight as xt, resolveSelectionExpression as y, resolveSingleTarget as yn, toCmdArgv as yt, bufferToBody as z, buildCdkPathIndex as zn, runDetached as zt };
-//# sourceMappingURL=cloud-map-resolver-BvhnCkSe.js.map
+export { attachAuthorizers as $, parseContextOptions as $n, resolveEcsTaskTarget as $t, buildHttpApiV2Event as A, AGENTCORE_HTTP_PROTOCOL as An, parseEcrUri as At, ConnectionRegistry as B, matchStacks as Bn, removeContainer as Bt, computeRequestIdentityHash as C, listTargets as Cn, singleFlight as Ct, matchRoute as D, discoverRoutes as Dn, waitForRieReady as Dt, invokeTokenAuthorizer as E, parseSelectionExpressionPath as En, invokeRie as Et, tryParseStatus as F, resolveAgentCoreTarget as Fn, appendEnvFlags as Ft, buildDisconnectEvent as G, LocalInvokeBuildError as Gn, resolveRuntimeImage as Gt, handleConnectionsRequest as H, readCdkPathOrUndefined as Hn, streamLogs as Ht, VtlEvaluationError as I, resolveLambdaTarget as In, ensureDockerAvailable as It, buildJwksUrlFromIssuer as J, applyRoleArnIfSet as Jn, applyCrossStackResolverToTask as Jt, buildMessageEvent as K, LocalStartServiceError as Kn, EcsTaskResolutionError as Kt, HOST_GATEWAY_MIN_VERSION as L, derivePseudoParametersFromRegion as Ln, execEnvForSecrets as Lt, evaluateResponseParameters as M, AGENTCORE_RUNTIME_TYPE as Mn, buildDockerImage as Mt, pickResponseTemplate as N, AgentCoreResolutionError as Nn, DockerRunnerError as Nt, translateLambdaResponse as O, pickRefLogicalId as On, architectureToPlatform as Ot, selectIntegrationResponse as P, pickAgentCoreCandidateStack as Pn, SENSITIVE_ENV_KEYS as Pt, verifyJwtViaDiscovery as Q, deprecatedRegionOption as Qn, parseEcsTarget as Qt, probeHostGatewaySupport as R, substituteImagePlaceholders as Rn, pickFreePort as Rt, buildMethodArn as S, countTargets as Sn, writeProfileCredentialsFile as St, invokeRequestAuthorizer as T, discoverWebSocketApisOrThrow as Tn, getDockerImageBySourceHash as Tt, parseConnectionsPath as U, resolveCdkPathToLogicalIds as Un, resolveRuntimeCodeMountPath as Ut, buildMgmtEndpointEnvUrl as V, buildCdkPathIndex as Vn, runDetached as Vt, buildConnectEvent as W, CdkLocalError as Wn, resolveRuntimeFileExtension as Wt, verifyCognitoJwt as X, commonOptions as Xn, derivePartitionAndUrlSuffix as Xt, createJwksCache as Y, appOptions as Yn, checkVolumeHostPath as Yt, verifyJwtAuthorizer as Z, contextOptions as Zn, detectEcsImageResolutionNeeds as Zt, readMtlsMaterialsFromDisk as _, resolveApp as _n, SUPPORTED_CODE_RUNTIMES as _t, createLocalStartApiCommand as a, resolveEnvVars as an, invokeAgentCoreWs as at, resolveServiceIntegrationParameters as b, resolveMultiTarget as bn, renderCodeDockerfile as bt, resolveProfileCredentials as c, createLocalStateProvider as cn, MCP_PROTOCOL_VERSION as ct, attachStageContext as d, resolveCfnFallbackRegion as dn, AGENTCORE_SIGV4_SERVICE as dt, applyDeployedEnvFallback as en, warnIfDeprecatedRegion as er, applyCorsResponseHeaders as et, buildStageMap as f, resolveCfnRegion as fn, signAgentCoreInvocation as ft, groupRoutesByServer as g, resolveSsmParameters as gn, downloadAndExtractS3Bundle as gt, filterRoutesByApiIdentifiers as h, collectSsmParameterRefs as hn, waitForAgentCorePing as ht, getPublishedHostPort as i, substituteEnvVarsFromStateAsync as in, matchPreflight as it, buildRestV1Event as j, AGENTCORE_MCP_PROTOCOL as jn, pullEcrImage as jt, applyAuthorizerOverlay as k, resolveLambdaArnIntrinsic as kn, buildContainerImage as kt, createAuthorizerCache as l, isCfnFlagPresent as ln, mcpInvokeOnce as lt, filterRoutesByApiIdentifier as m, CfnLocalStateProvider as mn, invokeAgentCore as mt, CloudMapRegistry as n, substituteAgainstStateAsync as nn, buildCorsConfigFromCloudFrontChain as nt, createWatchPredicates as o, materializeLayerFromArn as on, MCP_CONTAINER_PORT as ot, availableApiIdentifiers as p, resolveCfnStackName as pn, AGENTCORE_SESSION_ID_HEADER as pt, buildCognitoJwksUrl as q, withErrorHandling as qn, TASK_ROLE_ACCOUNT_PLACEHOLDER as qt, getContainerNetworkIp as r, substituteEnvVarsFromState as rn, isFunctionUrlOacFronted as rt, resolveApiTargetSubset as s, LocalStateSourceError as sn, MCP_PATH as st, buildCloudMapIndex as t, substituteAgainstState as tn, buildCorsConfigByApiId as tt, createFileWatcher as u, rejectExplicitCfnStackWithMultipleStacks as un, parseSseForJsonRpc as ut, startApiServer as v, resolveWatchConfig as vn, buildAgentCoreCodeImage as vt, evaluateCachedLambdaPolicy as w, discoverWebSocketApis as wn, AssetManifestLoader as wt, defaultCredentialsLoader as x, resolveSingleTarget as xn, toCmdArgv as xt, resolveSelectionExpression as y, Synthesizer as yn, computeCodeImageTag as yt, bufferToBody as z, tryResolveImageFnJoin as zn, pullImage as zt };
+//# sourceMappingURL=cloud-map-resolver-CbSdXQjx.js.map