cdk-local 0.53.0 → 0.55.0

package/dist/{local-list-B1RsKINr.js → local-list-DT8qRbKy.js}

@@ -1,15 +1,16 @@
 import { a as runDockerStreaming, c as getEmbedConfig, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
 import { $n as parseContextOptions, $t as resolveEcsTaskTarget, At as parseEcrUri, Bn as matchStacks, Bt as removeContainer, Cn as listTargets, Ct as singleFlight, Dt as waitForRieReady, Et as invokeRie, Fn as resolveAgentCoreTarget, Ft as appendEnvFlags, Gn as LocalInvokeBuildError, Gt as resolveRuntimeImage, Hn as readCdkPathOrUndefined, Ht as streamLogs, In as resolveLambdaTarget, It as ensureDockerAvailable, Jn as applyRoleArnIfSet, Jt as applyCrossStackResolverToTask, Kn as LocalStartServiceError, Kt as EcsTaskResolutionError, Ln as derivePseudoParametersFromRegion, Lt as execEnvForSecrets, Mt as buildDockerImage, Nt as DockerRunnerError, Ot as architectureToPlatform, Pn as pickAgentCoreCandidateStack, Pt as SENSITIVE_ENV_KEYS, Q as verifyJwtViaDiscovery, Qn as deprecatedRegionOption, Qt as parseEcsTarget, Rt as pickFreePort, Sn as countTargets, St as writeProfileCredentialsFile, Tt as getDockerImageBySourceHash, Un as resolveCdkPathToLogicalIds, Ut as resolveRuntimeCodeMountPath, Vn as buildCdkPathIndex, Vt as runDetached, Wn as CdkLocalError, Wt as resolveRuntimeFileExtension, Xn as commonOptions, Xt as derivePartitionAndUrlSuffix, Y as createJwksCache, Yn as appOptions, Yt as checkVolumeHostPath, Zn as contextOptions, Zt as detectEcsImageResolutionNeeds, _n as resolveApp, an as resolveEnvVars, at as invokeAgentCoreWs, bn as resolveMultiTarget, c as resolveProfileCredentials$1, cn as createLocalStateProvider, dn as resolveCfnFallbackRegion, en as applyDeployedEnvFallback, er as warnIfDeprecatedRegion, ft as signAgentCoreInvocation, gt as downloadAndExtractS3Bundle, ht as waitForAgentCorePing, i as getPublishedHostPort, in as substituteEnvVarsFromStateAsync, jn as AGENTCORE_MCP_PROTOCOL, jt as pullEcrImage, kt as buildContainerImage, lt as mcpInvokeOnce, mt as invokeAgentCore, n as CloudMapRegistry, nn as substituteAgainstStateAsync, on as materializeLayerFromArn, ot as MCP_CONTAINER_PORT, qn as withErrorHandling, qt as TASK_ROLE_ACCOUNT_PLACEHOLDER, r as getContainerNetworkIp, st as MCP_PATH, t as buildCloudMapIndex, un as rejectExplicitCfnStackWithMultipleStacks, vt as buildAgentCoreCodeImage, wt as AssetManifestLoader, xn as resolveSingleTarget, yn as Synthesizer, zt as pullImage } from "./cloud-map-resolver-CbSdXQjx.js";
-import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
-import { tmpdir } from "node:os";
+import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, unlinkSync, writeFileSync } from "node:fs";
+import { homedir, tmpdir } from "node:os";
 import * as path from "node:path";
-import { dirname } from "node:path";
+import { dirname, join } from "node:path";
 import { Command, Option } from "commander";
 import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
 import { execFile, spawn } from "node:child_process";
 import { promisify } from "node:util";
-import { randomBytes, randomUUID } from "node:crypto";
+import { X509Certificate, randomBytes, randomUUID } from "node:crypto";
 import { createServer, request } from "node:http";
+import { createServer as createServer$1 } from "node:https";
 import graphlib from "graphlib";
 import { GetSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 
@@ -593,6 +594,15 @@ function createLocalInvokeCommand(opts = {}) {
 //#endregion
 //#region src/cli/commands/local-invoke-agentcore.ts
 /**
+* Parser for `--timeout <ms>`. Accepts a positive integer; rejects 0,
+* negatives, fractions, and non-numeric input.
+*/
+function parseTimeoutMs(raw) {
+	const parsed = Number(raw);
+	if (!Number.isInteger(parsed) || parsed <= 0) throw new CdkLocalError(`--timeout must be a positive integer number of milliseconds (got '${raw}').`, "LOCAL_INVOKE_AGENTCORE_TIMEOUT_INVALID");
+	return parsed;
+}
+/**
 * `cdkl invoke-agentcore <target>` — run a Bedrock AgentCore Runtime container
 * locally and invoke it once over the AgentCore HTTP contract. Resolves
 * the `AWS::BedrockAgentCore::Runtime`, pulls / builds its container,
@@ -707,7 +717,7 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 		process.on("SIGINT", sigintHandler);
 		if (isMcp && mcpRequest) {
 			logger.info(`MCP request: ${mcpRequest.method}`);
-			const mcp = await mcpInvokeOnce(containerHost, hostPort, mcpRequest);
+			const mcp = await mcpInvokeOnce(containerHost, hostPort, mcpRequest, { requestTimeoutMs: options.timeout });
 			await new Promise((r) => setTimeout(r, 250));
 			emitMcpResult(mcp);
 		} else if (options.ws) {
@@ -715,7 +725,7 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			logger.info("Opening the agent /ws WebSocket and streaming frames...");
 			const wsResult = await invokeAgentCoreWs(containerHost, hostPort, event, {
 				sessionId,
-				timeoutMs: 12e4,
+				timeoutMs: options.timeout,
 				onMessage: (text) => process.stdout.write(text),
 				...authorization && { authorization }
 			});
@@ -726,7 +736,7 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			const additionalHeaders = await buildSigV4HeadersIfRequested(options, resolved, loadedState, containerHost, hostPort, event, sessionId);
 			const result = await invokeAgentCore(containerHost, hostPort, event, {
 				sessionId,
-				timeoutMs: 12e4,
+				timeoutMs: options.timeout,
 				onChunk: (text) => process.stdout.write(text),
 				...authorization && { authorization },
 				...additionalHeaders && { additionalHeaders }
@@ -1306,7 +1316,7 @@ function readEnvOverridesFile$2(filePath) {
 }
 function createLocalInvokeAgentCoreCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact and the CodeConfiguration managed-runtime artifact (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--ws", "Stream over the HTTP-protocol agent's bidirectional /ws WebSocket endpoint (on 8080) instead of POST /invocations: send --event as the first frame and print every received frame to stdout until the agent closes. Ignored for an MCP runtime.").default(false)).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--sigv4", "Sign the /invocations POST with AWS SigV4 (service bedrock-agentcore) using the resolved credentials, matching the cloud default when the runtime declares no customJwtAuthorizer. Opt-in: default unsigned. Mutually exclusive with --bearer-token; ignored on a JWT-protected runtime.").default(false)).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
+	const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact and the CodeConfiguration managed-runtime artifact (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--ws", "Stream over the HTTP-protocol agent's bidirectional /ws WebSocket endpoint (on 8080) instead of POST /invocations: send --event as the first frame and print every received frame to stdout until the agent closes. Ignored for an MCP runtime.").default(false)).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--sigv4", "Sign the /invocations POST with AWS SigV4 (service bedrock-agentcore) using the resolved credentials, matching the cloud default when the runtime declares no customJwtAuthorizer. Opt-in: default unsigned. Mutually exclusive with --bearer-token; ignored on a JWT-protected runtime.").default(false)).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Per-request timeout in milliseconds. Applied to POST /invocations, POST /mcp, and the /ws open-to-close window. Raise this for long-running agent calls that exceed the default.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
 		await localInvokeAgentCoreCommand(target, options, opts.extraStateProviders);
 	}));
 	[
@@ -1320,7 +1330,7 @@ function createLocalInvokeAgentCoreCommand(opts = {}) {
 
 //#endregion
 //#region src/local/ecs-network.ts
-const execFileAsync$1 = promisify(execFile);
+const execFileAsync$2 = promisify(execFile);
 /**
 * Docker network + AWS-published metadata-endpoints sidecar lifecycle for
 * `cdkl run-task`. The sidecar (a small Go binary maintained by
@@ -1444,7 +1454,7 @@ async function sweepOrphanedSvcNetworks(prefix) {
 	const filter = `${prefix}-svc-`;
 	let names;
 	try {
-		const { stdout } = await execFileAsync$1(getDockerCmd(), [
+		const { stdout } = await execFileAsync$2(getDockerCmd(), [
 			"network",
 			"ls",
 			"--filter",
@@ -1462,7 +1472,7 @@ async function sweepOrphanedSvcNetworks(prefix) {
 	for (const name of names) {
 		let attached;
 		try {
-			const { stdout } = await execFileAsync$1(getDockerCmd(), [
+			const { stdout } = await execFileAsync$2(getDockerCmd(), [
 				"network",
 				"inspect",
 				name,
@@ -1497,7 +1507,7 @@ async function createNetworkAndSidecar(args) {
 	await pullImage(METADATA_ENDPOINT_IMAGE, skipPull);
 	logger.info(`Creating docker network ${networkName} (subnet ${cidr})...`);
 	try {
-		await execFileAsync$1(getDockerCmd(), [
+		await execFileAsync$2(getDockerCmd(), [
 			"network",
 			"create",
 			"--driver",
@@ -1532,7 +1542,7 @@ async function createNetworkAndSidecar(args) {
 	sidecarArgs.push(METADATA_ENDPOINT_IMAGE);
 	logger.info(`Starting ECS local-container-endpoints sidecar at ${sidecarIp}...`);
 	try {
-		const { stdout } = await execFileAsync$1(getDockerCmd(), sidecarArgs, {
+		const { stdout } = await execFileAsync$2(getDockerCmd(), sidecarArgs, {
 			maxBuffer: 10 * 1024 * 1024,
 			...execEnvForSecrets(sidecarPassthroughEnv)
 		});
@@ -1603,7 +1613,7 @@ async function destroyNetworkOnly(networkName) {
 	if (!networkName) return;
 	const logger = getLogger().child("ecs-network");
 	try {
-		await execFileAsync$1(getDockerCmd(), [
+		await execFileAsync$2(getDockerCmd(), [
 			"network",
 			"rm",
 			networkName
@@ -1742,7 +1752,7 @@ async function resolveSsm(entry, shape, client) {
 
 //#endregion
 //#region src/local/ecs-task-runner.ts
-const execFileAsync = promisify(execFile);
+const execFileAsync$1 = promisify(execFile);
 /**
 * Top-level orchestrator for `cdkl run-task`. Coordinates image
 * preparation, secret resolution, docker-network bring-up, container
@@ -1802,7 +1812,7 @@ async function cleanupEcsRun(state, options) {
 	if (state.network && !state.network.ownedByCaller) await destroyTaskNetwork(state.network);
 	state.network = void 0;
 	for (const v of state.dockerVolumeNames) try {
-		await execFileAsync(getDockerCmd(), [
+		await execFileAsync$1(getDockerCmd(), [
 			"volume",
 			"rm",
 			v
@@ -1883,7 +1893,7 @@ async function runEcsTask(task, options, state) {
 		logger.info(`Starting container '${container.name}' (image=${imagePlan.get(container.name)})`);
 		let id;
 		try {
-			const { stdout } = await execFileAsync(getDockerCmd(), args, {
+			const { stdout } = await execFileAsync$1(getDockerCmd(), args, {
 				maxBuffer: 10 * 1024 * 1024,
 				...execEnvForSecrets(sensitiveEnv)
 			});
@@ -1995,7 +2005,7 @@ async function waitForContainerHealthy(containerId, displayName) {
 	let lastStatus = "";
 	while (Date.now() < deadline) {
 		try {
-			const { stdout } = await execFileAsync(getDockerCmd(), [
+			const { stdout } = await execFileAsync$1(getDockerCmd(), [
 				"inspect",
 				"--format",
 				"{{.State.Health.Status}}",
@@ -2018,7 +2028,7 @@ async function waitForContainerHealthy(containerId, displayName) {
 }
 async function waitForContainerExit(containerId) {
 	try {
-		const { stdout } = await execFileAsync(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
+		const { stdout } = await execFileAsync$1(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
 		const code = Number.parseInt(stdout.trim(), 10);
 		return Number.isFinite(code) ? code : 1;
 	} catch (err) {
@@ -2028,7 +2038,7 @@ async function waitForContainerExit(containerId) {
 }
 async function stopContainer(containerId, graceSeconds) {
 	try {
-		await execFileAsync(getDockerCmd(), [
+		await execFileAsync$1(getDockerCmd(), [
 			"stop",
 			"-t",
 			String(graceSeconds),
@@ -2154,7 +2164,7 @@ async function realizeDockerVolumes(volumes, state) {
 		const dockerVolumeName = `${getEmbedConfig().resourceNamePrefix}-${v.name}-${randHex(4)}`;
 		args.push(dockerVolumeName);
 		try {
-			await execFileAsync(getDockerCmd(), args);
+			await execFileAsync$1(getDockerCmd(), args);
 			state.dockerVolumeNames.push(dockerVolumeName);
 			logger.debug(`Created docker volume ${dockerVolumeName} for task volume '${v.name}'`);
 		} catch (err) {
@@ -3698,12 +3708,17 @@ const DEFAULT_UPSTREAM_TIMEOUT_MS = 3e4;
 async function startFrontDoorServer(opts) {
 	const logger = getLogger().child("front-door");
 	const host = opts.host ?? "127.0.0.1";
-	const server = createServer((req, res) => {
+	const requestHandler = (req, res) => {
 		handleProxyRequest(req, res, opts).catch((err) => {
 			logger.debug(`front-door request error: ${err instanceof Error ? err.message : String(err)}`);
 			if (!res.headersSent) writeError(res, 502, "Bad Gateway");
 		});
-	});
+	};
+	const server = opts.tls ? createServer$1({
+		cert: opts.tls.certPem,
+		key: opts.tls.keyPem
+	}, requestHandler) : createServer(requestHandler);
+	const scheme = opts.tls ? "https" : "http";
 	server.on("connection", (socket) => socket.setNoDelay(true));
 	const boundPort = await new Promise((resolve, reject) => {
 		server.once("error", reject);
@@ -3720,6 +3735,7 @@ async function startFrontDoorServer(opts) {
 	return {
 		port: boundPort,
 		host,
+		scheme,
 		server,
 		close: async () => {
 			if (closed) return;
@@ -3760,7 +3776,7 @@ function handleProxyRequest(req, res, opts) {
 		if (!action) return reply404(req, res, opts);
 		if (action.kind === "redirect" || action.kind === "fixed-response") {
 			req.resume();
-			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort);
+			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
 			else writeFixedResponse(res, action);
 			return Promise.resolve();
 		}
@@ -3798,7 +3814,7 @@ function handlePoolRequest(req, res, pool, opts) {
 		};
 		const headers = { ...req.headers };
 		stripHopByHopHeaders(headers);
-		appendForwardedHeaders(headers, req, opts.listenerPort);
+		appendForwardedHeaders(headers, req, opts.listenerPort, opts.tls ? "https" : "http");
 		const proxyReq = request({
 			host: endpoint.host,
 			port: endpoint.port,
@@ -3865,8 +3881,8 @@ function pickWeightedTarget(targets) {
 * `#{query}` placeholders filled from the incoming request. We resolve those
 * placeholders against the request the front-door received.
 */
-function writeRedirect(res, action, req, listenerPort) {
-	const location = buildRedirectLocation(action, req, listenerPort);
+function writeRedirect(res, action, req, listenerPort, scheme) {
+	const location = buildRedirectLocation(action, req, listenerPort, scheme);
 	res.writeHead(action.statusCode, {
 		location,
 		"content-type": "text/plain; charset=utf-8",
@@ -3874,15 +3890,20 @@ function writeRedirect(res, action, req, listenerPort) {
 	});
 	res.end();
 }
-/** Build the `Location` URL for a redirect action, resolving ALB `#{...}` placeholders. */
-function buildRedirectLocation(action, req, listenerPort) {
+/**
+* Build the `Location` URL for a redirect action, resolving ALB `#{...}`
+* placeholders. `scheme` is the receiving listener's protocol — it sets the
+* default for `#{protocol}` so an HTTPS listener redirects to `https://...`
+* by default, matching what a real ALB does.
+*/
+function buildRedirectLocation(action, req, listenerPort, scheme = "http") {
 	const url = req.url ?? "/";
 	const qIndex = url.indexOf("?");
 	const reqPath = qIndex === -1 ? url : url.slice(0, qIndex);
 	const reqQuery = qIndex === -1 ? "" : url.slice(qIndex + 1);
 	const rawHost = req.headers["host"];
 	const placeholders = {
-		protocol: "http",
+		protocol: scheme,
 		host: ((Array.isArray(rawHost) ? rawHost[0] : rawHost) ?? "").split(":")[0] ?? "",
 		port: String(listenerPort),
 		path: reqPath.replace(/^\//, ""),
@@ -3949,7 +3970,7 @@ function handleLambdaRequest(req, res, lambda, opts) {
 					const body = Buffer.concat(chunks);
 					const forwardHeaders = { ...req.headers };
 					stripHopByHopHeaders(forwardHeaders);
-					appendForwardedHeaders(forwardHeaders, req, opts.listenerPort);
+					appendForwardedHeaders(forwardHeaders, req, opts.listenerPort, opts.tls ? "https" : "http");
 					const snapshot = snapshotFromIncoming(req, body);
 					for (const [name, value] of Object.entries(forwardHeaders)) {
 						if (value === void 0) continue;
@@ -4011,14 +4032,15 @@ function stripHopByHopHeaders(headers) {
 /**
 * Inject the ALB-style forwarding headers a downstream app may read. Appends
 * the client IP to any existing `X-Forwarded-For` chain (ALB appends rather
-* than replaces) and stamps the scheme / listener port.
+* than replaces) and stamps the scheme / listener port. `scheme` follows the
+* listener's protocol so an HTTPS listener stamps `x-forwarded-proto: https`.
 */
-function appendForwardedHeaders(headers, req, listenerPort) {
+function appendForwardedHeaders(headers, req, listenerPort, scheme) {
 	const clientIp = req.socket.remoteAddress ?? "";
 	const existing = headers["x-forwarded-for"];
 	const chain = Array.isArray(existing) ? existing.join(", ") : existing;
 	headers["x-forwarded-for"] = chain ? `${chain}, ${clientIp}` : clientIp;
-	headers["x-forwarded-proto"] = "http";
+	headers["x-forwarded-proto"] = scheme;
 	headers["x-forwarded-port"] = String(listenerPort);
 }
 function writeError(res, statusCode, message) {
@@ -4336,6 +4358,129 @@ function matchBitPrefix(a, b, prefixLength) {
 	return (a[fullBytes] & mask) === (b[fullBytes] & mask);
 }
 
+//#endregion
+//#region src/local/front-door-tls.ts
+const execFileAsync = promisify(execFile);
+/**
+* Resolve a single global cert/key pair for HTTPS front-door listeners. When
+* BOTH `certPath` and `keyPath` are supplied, those PEM files are read from
+* disk. When neither is supplied, a long-lived self-signed cert is cached
+* under `$XDG_CACHE_HOME/cdk-local/alb-https/` (defaulting to
+* `~/.cache/cdk-local/alb-https/`) and reused across boots; it is regenerated
+* when missing or within `regenerateWithinDays` of expiry. Pairing is enforced
+* — supplying exactly one of `--tls-cert` / `--tls-key` is rejected with a
+* clear error before the server starts.
+*
+* The self-signed cert path subprocesses `openssl req -x509 ...`. `openssl`
+* is on macOS / Linux dev boxes and Docker base images by default; absence
+* surfaces as an actionable error pointing at the BYO recipe.
+*/
+async function resolveFrontDoorTlsMaterials(opts) {
+	const hasCert = opts.certPath !== void 0 && opts.certPath !== "";
+	const hasKey = opts.keyPath !== void 0 && opts.keyPath !== "";
+	if (hasCert !== hasKey) throw new Error(`${hasCert ? "--tls-cert" : "--tls-key"} is set but ${hasCert ? "--tls-key" : "--tls-cert"} is missing. Both --tls-cert and --tls-key must be set together, or both left unset to use an auto-generated self-signed cert.`);
+	if (hasCert && hasKey) return {
+		certPem: readPemOrThrow(opts.certPath, "--tls-cert"),
+		keyPem: readPemOrThrow(opts.keyPath, "--tls-key")
+	};
+	return ensureSelfSignedCert({
+		cacheDir: opts.cacheDir ?? defaultCacheDir(),
+		regenerateWithinDays: opts.regenerateWithinDays ?? 30,
+		validityDays: opts.validityDays ?? 825
+	});
+}
+/** Default cache dir for the auto-generated self-signed cert. */
+function defaultCacheDir() {
+	const xdg = process.env["XDG_CACHE_HOME"];
+	return join(xdg && xdg !== "" ? xdg : join(homedir(), ".cache"), "cdk-local", "alb-https");
+}
+const CERT_FILENAME = "cert.pem";
+const KEY_FILENAME = "key.pem";
+async function ensureSelfSignedCert(opts) {
+	const logger = getLogger().child("front-door-tls");
+	const certPath = join(opts.cacheDir, CERT_FILENAME);
+	const keyPath = join(opts.cacheDir, KEY_FILENAME);
+	if (cachedPairIsFresh(certPath, keyPath, opts.regenerateWithinDays)) return {
+		certPem: readFileSync(certPath),
+		keyPem: readFileSync(keyPath)
+	};
+	mkdirSync(opts.cacheDir, { recursive: true });
+	try {
+		unlinkSync(certPath);
+	} catch {}
+	try {
+		unlinkSync(keyPath);
+	} catch {}
+	try {
+		await runOpenssl([
+			"req",
+			"-x509",
+			"-newkey",
+			"rsa:2048",
+			"-nodes",
+			"-keyout",
+			keyPath,
+			"-out",
+			certPath,
+			"-subj",
+			"/CN=localhost",
+			"-days",
+			String(opts.validityDays),
+			"-addext",
+			"subjectAltName=DNS:localhost,IP:127.0.0.1"
+		]);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		throw new Error(`Failed to auto-generate a self-signed cert via openssl: ${msg}. Install openssl, or supply --tls-cert <path> + --tls-key <path> with your own PEM files. Recipe: openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -subj "/CN=localhost" -days 365.`);
+	}
+	logger.info(`ALB front-door: generated self-signed cert at ${certPath} (valid ${opts.validityDays} days)`);
+	return {
+		certPem: readFileSync(certPath),
+		keyPem: readFileSync(keyPath)
+	};
+}
+function cachedPairIsFresh(certPath, keyPath, regenWithinDays) {
+	try {
+		statSync(certPath);
+		statSync(keyPath);
+	} catch {
+		return false;
+	}
+	try {
+		const notAfter = readCertNotAfter(certPath);
+		if (notAfter === void 0) return false;
+		const renewAt = notAfter.getTime() - regenWithinDays * 864e5;
+		return Date.now() < renewAt;
+	} catch {
+		return false;
+	}
+}
+/**
+* Read a cert's `notAfter` expiry timestamp. Used to decide whether to
+* regenerate the cached self-signed cert proactively. Returns `undefined`
+* when the cert is unreadable (caller then regenerates).
+*/
+function readCertNotAfter(certPath) {
+	try {
+		const cert = new X509Certificate(readFileSync(certPath));
+		const parsed = new Date(cert.validTo);
+		return Number.isNaN(parsed.getTime()) ? void 0 : parsed;
+	} catch {
+		return;
+	}
+}
+async function runOpenssl(args) {
+	await execFileAsync("openssl", args, { timeout: 3e4 });
+}
+function readPemOrThrow(path, flagName) {
+	try {
+		return readFileSync(path);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		throw new Error(`${flagName}: cannot read PEM file at '${path}': ${msg}`);
+	}
+}
+
 //#endregion
 //#region src/local/front-door-lambda-runner.ts
 /** Forward the dev shell's AWS credential / region env into the Lambda container. */
@@ -4820,6 +4965,10 @@ async function buildFrontDoor(plan, options, logger) {
 			...action.messageBody !== void 0 && { messageBody: action.messageBody }
 		};
 	};
+	const tlsMaterials = plan.listeners.some((l) => l.protocol === "HTTPS") ? await resolveFrontDoorTlsMaterials({
+		certPath: options.tlsCert,
+		keyPath: options.tlsKey
+	}) : void 0;
 	try {
 		for (const listener of plan.listeners) {
 			const defaultRoute = listener.defaultAction ? toRouteAction(listener.defaultAction) : void 0;
@@ -4834,15 +4983,17 @@ async function buildFrontDoor(plan, options, logger) {
 				target: toRouteAction(r.action)
 			}));
 			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
+			const tls = listener.protocol === "HTTPS" ? tlsMaterials : void 0;
 			const server = await startFrontDoorServer({
 				route,
 				port: listener.hostPort,
 				host: containerHost,
 				listenerPort: listener.listenerPort,
-				label: `listener port ${listener.listenerPort}`
+				label: `listener port ${listener.listenerPort}`,
+				...tls ? { tls } : {}
 			});
 			servers.push(server);
-			logger.info(`ALB front-door: http://${server.host}:${server.port} (listener port ${listener.listenerPort})`);
+			logger.info(`ALB front-door: ${server.scheme}://${server.host}:${server.port} (listener port ${listener.listenerPort})`);
 			if (listener.defaultAction) logger.info(`  default -> ${describeAction(listener.defaultAction)}`);
 			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  ${describeConditions(r)} (priority ${r.priority}) -> ${describeAction(r.action)}`);
 			if (!listener.defaultAction) logger.info("  (no default action: unmatched requests return 404)");
@@ -5144,8 +5295,12 @@ function createLocalStartServiceCommand(opts = {}) {
 * functions (`TargetType:"lambda"` target groups — #123: the TG -> backing
 * `AWS::Lambda::Function` is resolved and the front-door invokes it locally per
 * request); `redirect` / `fixed-response` actions. A single weighted forward may
-* mix ECS and Lambda targets. Skipped with a warning: HTTPS/TLS listeners and
-* `authenticate-cognito` / `authenticate-oidc` actions.
+* mix ECS and Lambda targets. HTTPS listeners are served — local TLS
+* termination uses a user-supplied or auto-generated self-signed cert/key
+* pair (the deployed `Listener.Certificates[]` ACM ARNs are not fetched,
+* because ACM private keys are not retrievable by design). Skipped with a
+* warning: TLS listeners (NLB-style, not ALB) and `authenticate-cognito` /
+* `authenticate-oidc` actions.
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
@@ -5172,10 +5327,11 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 		const port = parsePort(props["Port"]);
 		if (port === void 0) continue;
 		const protocol = typeof props["Protocol"] === "string" ? props["Protocol"] : "HTTP";
-		if (protocol !== "HTTP") {
-			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP listeners only (TLS termination is deferred). Skipping it.`);
+		if (protocol !== "HTTP" && protocol !== "HTTPS") {
+			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP and HTTPS listeners only (TLS / NLB-style listeners are not served). Skipping it.`);
 			continue;
 		}
+		if (protocol === "HTTPS" && Array.isArray(props["Certificates"]) && props["Certificates"].length > 0) warnings.push(`Listener '${listenerLogicalId}' on port ${port} declares ACM Certificates which are not retrievable locally. The front-door terminates TLS with --tls-cert/--tls-key or an auto-generated self-signed cert.`);
 		const defaultAction = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
 		const rules = [];
 		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
@@ -5201,7 +5357,7 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 		if (!defaultAction && rules.length === 0) continue;
 		listeners.push({
 			listenerPort: port,
-			listenerProtocol: "HTTP",
+			listenerProtocol: protocol,
 			listenerLogicalId,
 			...defaultAction ? { defaultAction } : {},
 			rules
@@ -5791,6 +5947,7 @@ function albStrategy(options) {
 					listeners.push({
 						listenerPort: listener.listenerPort,
 						hostPort,
+						protocol: listener.listenerProtocol,
 						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
 						rules: listener.rules.map((r) => ({
 							priority: r.priority,
@@ -5829,7 +5986,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners; path-pattern and host-header rule conditions; forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). HTTPS listeners, the other rule conditions (http-header / query-string / source-ip / http-request-method), and authenticate-* actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -5906,4 +6063,4 @@ function createLocalListCommand(opts = {}) {
 
 //#endregion
 export { createLocalRunTaskCommand as a, createLocalStartServiceCommand as i, formatTargetListing as n, createLocalInvokeAgentCoreCommand as o, createLocalStartAlbCommand as r, createLocalInvokeCommand as s, createLocalListCommand as t };
-//# sourceMappingURL=local-list-B1RsKINr.js.map
+//# sourceMappingURL=local-list-DT8qRbKy.js.map