cdk-local 0.52.0 → 0.53.0

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
-import { a as createLocalStartApiCommand } from "./cloud-map-resolver-D0OCnW6R.js";
-import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-v8D51s5a.js";
+import { a as createLocalStartApiCommand } from "./cloud-map-resolver-CbSdXQjx.js";
+import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-B1RsKINr.js";
 import { Command } from "commander";
 
 //#region src/cli/index.ts
 const program = new Command();
-program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.52.0");
+program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.53.0");
 program.addCommand(createLocalInvokeCommand());
 program.addCommand(createLocalInvokeAgentCoreCommand());
 program.addCommand(createLocalStartApiCommand());

package/dist/{cloud-map-resolver-D0OCnW6R.js → cloud-map-resolver-CbSdXQjx.js}

@@ -24,6 +24,8 @@ import { setTimeout as setTimeout$1 } from "node:timers/promises";
 import { readFile } from "fs/promises";
 import { join as join$1 } from "path";
 import { unzipSync } from "fflate";
+import { Sha256 } from "@aws-crypto/sha256-js";
+import { SignatureV4 } from "@smithy/signature-v4";
 import { WebSocket, WebSocketServer } from "ws";
 import { createServer as createServer$1 } from "node:http";
 import { createServer as createServer$2 } from "node:https";
@@ -8030,7 +8032,8 @@ async function invokeAgentCore(host, port, event, options) {
 				"Content-Type": "application/json",
 				Accept: "application/json, text/event-stream",
 				[AGENTCORE_SESSION_ID_HEADER]: options.sessionId,
-				...options.authorization && { Authorization: options.authorization }
+				...options.authorization && { Authorization: options.authorization },
+				...options.additionalHeaders ?? {}
 			},
 			body,
 			signal: controller.signal
@@ -8084,6 +8087,71 @@ async function streamBody(body, onChunk) {
 	}
 }
 
+//#endregion
+//#region src/local/agentcore-sigv4-sign.ts
+/**
+* Client-side SigV4 signing for `cdkl invoke-agentcore --sigv4`.
+*
+* AgentCore's `InvokeAgentRuntime` API authenticates inbound `/invocations`
+* requests with IAM SigV4 when the runtime declares no
+* `customJwtAuthorizer`. The deployed cloud verifies the signature; a locally
+* running agent never does (no AWS public-key infra inside the container),
+* but an agent that introspects the `Authorization` header (e.g. via the
+* `bedrock-agentcore` SDK's request context) sees the same shape it would in
+* the cloud — header parity for debugging and local-dev of IAM-aware agents.
+*
+* Signing is OPT-IN via `--sigv4` on the command. Default behavior is
+* unchanged: no Authorization header on an unauthenticated invoke.
+*/
+/** AWS service name for AgentCore InvokeAgentRuntime SigV4 signing. */
+const AGENTCORE_SIGV4_SERVICE = "bedrock-agentcore";
+/**
+* Build a SigV4 signature for a `POST /invocations` request to the local
+* AgentCore container. Returns the headers that must be forwarded.
+*/
+async function signAgentCoreInvocation(opts) {
+	const signer = new SignatureV4({
+		credentials: {
+			accessKeyId: opts.credentials.accessKeyId,
+			secretAccessKey: opts.credentials.secretAccessKey,
+			...opts.credentials.sessionToken && { sessionToken: opts.credentials.sessionToken }
+		},
+		region: opts.region,
+		service: AGENTCORE_SIGV4_SERVICE,
+		sha256: Sha256
+	});
+	const request = {
+		method: opts.method ?? "POST",
+		protocol: "http:",
+		hostname: opts.host,
+		port: opts.port,
+		path: opts.path,
+		headers: {
+			"Content-Type": "application/json",
+			Host: `${opts.host}:${opts.port}`,
+			[AGENTCORE_SESSION_ID_HEADER]: opts.sessionId
+		},
+		body: opts.body
+	};
+	const signed = await signer.sign(request, { ...opts.now && { signingDate: new Date(opts.now()) } });
+	const get = (name) => {
+		const lower = name.toLowerCase();
+		for (const [k, v] of Object.entries(signed.headers)) if (k.toLowerCase() === lower) return v;
+	};
+	const authorization = get("authorization");
+	const amzDate = get("x-amz-date");
+	const amzContentSha256 = get("x-amz-content-sha256");
+	if (!authorization || !amzDate) throw new Error("SigV4 signing produced no Authorization / X-Amz-Date header — internal error");
+	const out = {
+		authorization,
+		amzDate,
+		amzContentSha256: amzContentSha256 ?? ""
+	};
+	const amzSecurityToken = get("x-amz-security-token");
+	if (amzSecurityToken) out.amzSecurityToken = amzSecurityToken;
+	return out;
+}
+
 //#endregion
 //#region src/local/agentcore-mcp-client.ts
 /**
@@ -17721,5 +17789,5 @@ function extractDnsRecords(serviceProps) {
 }
 
 //#endregion
-export { attachAuthorizers as $, substituteAgainstState as $t, buildHttpApiV2Event as A, AGENTCORE_RUNTIME_TYPE as An, buildDockerImage as At, ConnectionRegistry as B, readCdkPathOrUndefined as Bn, streamLogs as Bt, computeRequestIdentityHash as C, discoverWebSocketApisOrThrow as Cn, getDockerImageBySourceHash as Ct, matchRoute as D, resolveLambdaArnIntrinsic as Dn, buildContainerImage as Dt, invokeTokenAuthorizer as E, pickRefLogicalId as En, architectureToPlatform as Et, tryParseStatus as F, derivePseudoParametersFromRegion as Fn, execEnvForSecrets as Ft, buildDisconnectEvent as G, withErrorHandling as Gn, TASK_ROLE_ACCOUNT_PLACEHOLDER as Gt, handleConnectionsRequest as H, CdkLocalError as Hn, resolveRuntimeFileExtension as Ht, VtlEvaluationError as I, substituteImagePlaceholders as In, pickFreePort as It, buildJwksUrlFromIssuer as J, commonOptions as Jn, derivePartitionAndUrlSuffix as Jt, buildMessageEvent as K, applyRoleArnIfSet as Kn, applyCrossStackResolverToTask as Kt, HOST_GATEWAY_MIN_VERSION as L, tryResolveImageFnJoin as Ln, pullImage as Lt, evaluateResponseParameters as M, pickAgentCoreCandidateStack as Mn, SENSITIVE_ENV_KEYS as Mt, pickResponseTemplate as N, resolveAgentCoreTarget as Nn, appendEnvFlags as Nt, translateLambdaResponse as O, AGENTCORE_HTTP_PROTOCOL as On, parseEcrUri as Ot, selectIntegrationResponse as P, resolveLambdaTarget as Pn, ensureDockerAvailable as Pt, verifyJwtViaDiscovery as Q, warnIfDeprecatedRegion as Qn, applyDeployedEnvFallback as Qt, probeHostGatewaySupport as R, matchStacks as Rn, removeContainer as Rt, buildMethodArn as S, discoverWebSocketApis as Sn, AssetManifestLoader as St, invokeRequestAuthorizer as T, discoverRoutes as Tn, waitForRieReady as Tt, parseConnectionsPath as U, LocalInvokeBuildError as Un, resolveRuntimeImage as Ut, buildMgmtEndpointEnvUrl as V, resolveCdkPathToLogicalIds as Vn, resolveRuntimeCodeMountPath as Vt, buildConnectEvent as W, LocalStartServiceError as Wn, EcsTaskResolutionError as Wt, verifyCognitoJwt as X, deprecatedRegionOption as Xn, parseEcsTarget as Xt, createJwksCache as Y, contextOptions as Yn, detectEcsImageResolutionNeeds as Yt, verifyJwtAuthorizer as Z, parseContextOptions as Zn, resolveEcsTaskTarget as Zt, readMtlsMaterialsFromDisk as _, Synthesizer as _n, computeCodeImageTag as _t, createLocalStartApiCommand as a, LocalStateSourceError as an, invokeAgentCoreWs as at, resolveServiceIntegrationParameters as b, countTargets as bn, writeProfileCredentialsFile as bt, resolveProfileCredentials as c, rejectExplicitCfnStackWithMultipleStacks as cn, MCP_PROTOCOL_VERSION as ct, attachStageContext as d, resolveCfnStackName as dn, AGENTCORE_SESSION_ID_HEADER as dt, substituteAgainstStateAsync as en, applyCorsResponseHeaders as et, buildStageMap as f, CfnLocalStateProvider as fn, invokeAgentCore as ft, groupRoutesByServer as g, resolveWatchConfig as gn, buildAgentCoreCodeImage as gt, filterRoutesByApiIdentifiers as h, resolveApp as hn, SUPPORTED_CODE_RUNTIMES as ht, getPublishedHostPort as i, materializeLayerFromArn as in, matchPreflight as it, buildRestV1Event as j, AgentCoreResolutionError as jn, DockerRunnerError as jt, applyAuthorizerOverlay as k, AGENTCORE_MCP_PROTOCOL as kn, pullEcrImage as kt, createAuthorizerCache as l, resolveCfnFallbackRegion as ln, mcpInvokeOnce as lt, filterRoutesByApiIdentifier as m, resolveSsmParameters as mn, downloadAndExtractS3Bundle as mt, CloudMapRegistry as n, substituteEnvVarsFromStateAsync as nn, buildCorsConfigFromCloudFrontChain as nt, createWatchPredicates as o, createLocalStateProvider as on, MCP_CONTAINER_PORT as ot, availableApiIdentifiers as p, collectSsmParameterRefs as pn, waitForAgentCorePing as pt, buildCognitoJwksUrl as q, appOptions as qn, checkVolumeHostPath as qt, getContainerNetworkIp as r, resolveEnvVars as rn, isFunctionUrlOacFronted as rt, resolveApiTargetSubset as s, isCfnFlagPresent as sn, MCP_PATH as st, buildCloudMapIndex as t, substituteEnvVarsFromState as tn, buildCorsConfigByApiId as tt, createFileWatcher as u, resolveCfnRegion as un, parseSseForJsonRpc as ut, startApiServer as v, resolveMultiTarget as vn, renderCodeDockerfile as vt, evaluateCachedLambdaPolicy as w, parseSelectionExpressionPath as wn, invokeRie as wt, defaultCredentialsLoader as x, listTargets as xn, singleFlight as xt, resolveSelectionExpression as y, resolveSingleTarget as yn, toCmdArgv as yt, bufferToBody as z, buildCdkPathIndex as zn, runDetached as zt };
-//# sourceMappingURL=cloud-map-resolver-D0OCnW6R.js.map
+export { attachAuthorizers as $, parseContextOptions as $n, resolveEcsTaskTarget as $t, buildHttpApiV2Event as A, AGENTCORE_HTTP_PROTOCOL as An, parseEcrUri as At, ConnectionRegistry as B, matchStacks as Bn, removeContainer as Bt, computeRequestIdentityHash as C, listTargets as Cn, singleFlight as Ct, matchRoute as D, discoverRoutes as Dn, waitForRieReady as Dt, invokeTokenAuthorizer as E, parseSelectionExpressionPath as En, invokeRie as Et, tryParseStatus as F, resolveAgentCoreTarget as Fn, appendEnvFlags as Ft, buildDisconnectEvent as G, LocalInvokeBuildError as Gn, resolveRuntimeImage as Gt, handleConnectionsRequest as H, readCdkPathOrUndefined as Hn, streamLogs as Ht, VtlEvaluationError as I, resolveLambdaTarget as In, ensureDockerAvailable as It, buildJwksUrlFromIssuer as J, applyRoleArnIfSet as Jn, applyCrossStackResolverToTask as Jt, buildMessageEvent as K, LocalStartServiceError as Kn, EcsTaskResolutionError as Kt, HOST_GATEWAY_MIN_VERSION as L, derivePseudoParametersFromRegion as Ln, execEnvForSecrets as Lt, evaluateResponseParameters as M, AGENTCORE_RUNTIME_TYPE as Mn, buildDockerImage as Mt, pickResponseTemplate as N, AgentCoreResolutionError as Nn, DockerRunnerError as Nt, translateLambdaResponse as O, pickRefLogicalId as On, architectureToPlatform as Ot, selectIntegrationResponse as P, pickAgentCoreCandidateStack as Pn, SENSITIVE_ENV_KEYS as Pt, verifyJwtViaDiscovery as Q, deprecatedRegionOption as Qn, parseEcsTarget as Qt, probeHostGatewaySupport as R, substituteImagePlaceholders as Rn, pickFreePort as Rt, buildMethodArn as S, countTargets as Sn, writeProfileCredentialsFile as St, invokeRequestAuthorizer as T, discoverWebSocketApisOrThrow as Tn, getDockerImageBySourceHash as Tt, parseConnectionsPath as U, resolveCdkPathToLogicalIds as Un, resolveRuntimeCodeMountPath as Ut, buildMgmtEndpointEnvUrl as V, buildCdkPathIndex as Vn, runDetached as Vt, buildConnectEvent as W, CdkLocalError as Wn, resolveRuntimeFileExtension as Wt, verifyCognitoJwt as X, commonOptions as Xn, derivePartitionAndUrlSuffix as Xt, createJwksCache as Y, appOptions as Yn, checkVolumeHostPath as Yt, verifyJwtAuthorizer as Z, contextOptions as Zn, detectEcsImageResolutionNeeds as Zt, readMtlsMaterialsFromDisk as _, resolveApp as _n, SUPPORTED_CODE_RUNTIMES as _t, createLocalStartApiCommand as a, resolveEnvVars as an, invokeAgentCoreWs as at, resolveServiceIntegrationParameters as b, resolveMultiTarget as bn, renderCodeDockerfile as bt, resolveProfileCredentials as c, createLocalStateProvider as cn, MCP_PROTOCOL_VERSION as ct, attachStageContext as d, resolveCfnFallbackRegion as dn, AGENTCORE_SIGV4_SERVICE as dt, applyDeployedEnvFallback as en, warnIfDeprecatedRegion as er, applyCorsResponseHeaders as et, buildStageMap as f, resolveCfnRegion as fn, signAgentCoreInvocation as ft, groupRoutesByServer as g, resolveSsmParameters as gn, downloadAndExtractS3Bundle as gt, filterRoutesByApiIdentifiers as h, collectSsmParameterRefs as hn, waitForAgentCorePing as ht, getPublishedHostPort as i, substituteEnvVarsFromStateAsync as in, matchPreflight as it, buildRestV1Event as j, AGENTCORE_MCP_PROTOCOL as jn, pullEcrImage as jt, applyAuthorizerOverlay as k, resolveLambdaArnIntrinsic as kn, buildContainerImage as kt, createAuthorizerCache as l, isCfnFlagPresent as ln, mcpInvokeOnce as lt, filterRoutesByApiIdentifier as m, CfnLocalStateProvider as mn, invokeAgentCore as mt, CloudMapRegistry as n, substituteAgainstStateAsync as nn, buildCorsConfigFromCloudFrontChain as nt, createWatchPredicates as o, materializeLayerFromArn as on, MCP_CONTAINER_PORT as ot, availableApiIdentifiers as p, resolveCfnStackName as pn, AGENTCORE_SESSION_ID_HEADER as pt, buildCognitoJwksUrl as q, withErrorHandling as qn, TASK_ROLE_ACCOUNT_PLACEHOLDER as qt, getContainerNetworkIp as r, substituteEnvVarsFromState as rn, isFunctionUrlOacFronted as rt, resolveApiTargetSubset as s, LocalStateSourceError as sn, MCP_PATH as st, buildCloudMapIndex as t, substituteAgainstState as tn, buildCorsConfigByApiId as tt, createFileWatcher as u, rejectExplicitCfnStackWithMultipleStacks as un, parseSseForJsonRpc as ut, startApiServer as v, resolveWatchConfig as vn, buildAgentCoreCodeImage as vt, evaluateCachedLambdaPolicy as w, discoverWebSocketApis as wn, AssetManifestLoader as wt, defaultCredentialsLoader as x, resolveSingleTarget as xn, toCmdArgv as xt, resolveSelectionExpression as y, Synthesizer as yn, computeCodeImageTag as yt, bufferToBody as z, tryResolveImageFnJoin as zn, pullImage as zt };
+//# sourceMappingURL=cloud-map-resolver-CbSdXQjx.js.map