cdk-local 0.54.0 → 0.55.0

package/README.md

@@ -69,7 +69,7 @@ Full flags, precedence, and `--from-cfn-stack` resolution: [docs/cli-reference.m
 
 ### start-service vs start-alb — which one?
 
-`start-service` runs just the ECS service's replicas (workers, queue consumers, Service-Connect-only). `start-alb` boots the ECS service(s) behind an ALB **plus** a host-side front-door on each listener port, so external traffic reaches them the way it does in the cloud. Full resolution model: [docs/cli-reference.md](docs/cli-reference.md#cdkl-start-alb-run-an-alb-fronted-service-locally).
+`start-service` runs just the ECS service's replicas (workers, queue consumers, Service-Connect-only). `start-alb` boots the ECS service(s) behind an ALB **plus** a host-side front-door on each listener port — HTTP and HTTPS (TLS terminated locally with `--tls-cert` / `--tls-key` or an auto-generated self-signed cert) — so external traffic reaches them the way it does in the cloud. Full resolution model: [docs/cli-reference.md](docs/cli-reference.md#cdkl-start-alb-run-an-alb-fronted-service-locally).
 
 ## Supported resources
 
@@ -80,7 +80,7 @@ Full flags, precedence, and `--from-cfn-stack` resolution: [docs/cli-reference.m
 | ECS task definitions | `run-task` |
 | ECS services | `start-service` |
 | Cloud Map / Service Connect registry | service discovery between local replicas |
-| ALB-fronted ECS / Lambda services | `start-alb` — all six listener-rule conditions, weighted forwards, redirect / fixed-response, mixed ECS + Lambda targets |
+| ALB-fronted ECS / Lambda services | `start-alb` — HTTP / HTTPS listeners, all six listener-rule conditions, weighted forwards, redirect / fixed-response, mixed ECS + Lambda targets |
 | Bedrock AgentCore Runtime agents | `invoke-agentcore` — container + `fromCodeAsset` / `fromS3` artifacts, HTTP + MCP |
 
 Lambda runs on every current AWS Lambda runtime — Node.js (18/20/22/24), Python (3.11–3.14), Ruby (3.2/3.3), Java (8.al2/11/17/21), .NET (6/8), and the OS-only `provided.al2` / `provided.al2023`. The retired `go1.x` runtime is rejected with a pointer to migrate to `provided.al2023`.

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import { a as createLocalStartApiCommand } from "./cloud-map-resolver-CbSdXQjx.js";
-import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-e7cz-0OZ.js";
+import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-DT8qRbKy.js";
 import { Command } from "commander";
 
 //#region src/cli/index.ts
 const program = new Command();
-program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.54.0");
+program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.55.0");
 program.addCommand(createLocalInvokeCommand());
 program.addCommand(createLocalInvokeAgentCoreCommand());
 program.addCommand(createLocalStartApiCommand());

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":[],"sources":["../src/cli/commands/local-invoke.ts","../src/cli/commands/local-invoke-agentcore.ts","../src/cli/commands/local-run-task.ts","../src/local/target-lister.ts","../src/cli/commands/local-start-service.ts","../src/cli/commands/local-start-alb.ts","../src/cli/commands/local-list.ts","../src/local/cfn-local-state-provider.ts"],"mappings":";;;;;UA6IiB,+BAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAi6BA,wBAAA,CAAyB,IAAA,GAAM,+BAAA,GAAuC,OAAA;;;UCz3BrE,wCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmqCA,iCAAA,CACd,IAAA,GAAM,wCAAA,GACL,OAAA;;;UCrvCc,gCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmhBA,yBAAA,CAA0B,IAAA,GAAM,gCAAA,GAAwC,OAAA;;;UCjnBvE,WAAA;EAEf,SAAA;EAEA,SAAA;EAKA,WAAA;EAMA,WAAA;EAOA,IAAA;AAAA;AAAA,UAOe,aAAA;EAEf,OAAA,EAAS,WAAA;EAMT,IAAA,EAAM,WAAA;EAEN,WAAA,EAAa,WAAA;EAEb,kBAAA,EAAoB,WAAA;EAEpB,iBAAA,EAAmB,WAAA;EAEnB,aAAA,EAAe,WAAA;AAAA;AAAA,iBAkID,WAAA,CAAY,MAAA,WAAiB,SAAA,KAAc,aAAA;AAAA,iBAsC3C,YAAA,CAAa,OAAA,EAAS,aAAA;;;UC3MrB,qCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmCA,8BAAA,CACd,IAAA,GAAM,qCAAA,GACL,OAAA;;;UChCc,iCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA0QA,0BAAA,CAA2B,IAAA,GAAM,iCAAA,GAAyC,OAAA;;;UCtQzE,6BAAA;EAEf,WAAA,GAAc,mBAAA;AAAA;AAAA,UAuCC,0BAAA;EAOf,IAAA;AAAA;AAAA,iBAYc,mBAAA,CACd,OAAA,EAAS,aAAA,EACT,OAAA,UACA,OAAA,GAAS,0BAAA;AAAA,iBAuEK,sBAAA,CAAuB,IAAA,GAAM,6BAAA,GAAqC,OAAA;;;UC/FjE,4BAAA;EAOf,YAAA;EAKA,MAAA;EAiBA,OAAA;AAAA;AAAA,cAGW,qBAAA,YAAiC,kBAAA;EAAA,SAG5B,KAAA;EAAA,iBACC,YAAA;EAAA,iBACA,MAAA;EAAA,QAKT,MAAA;EAAA,QAKA,YAAA;EAAA,QAKA,SAAA;EAAA,iBACS,aAAA;EAAA,QAQT,QAAA;cAEI,IAAA,EAAM,4BAAA;EAAA,QAOV,SAAA;EAAA,QAmBA,eAAA;EAAA,QAaA,YAAA;EA6BK,4BAAA,CACX,QAAA,EAAU,sBAAA,GACT,OAAA,CAAQ,qBAAA;EAsBE,0BAAA,CACX,kBAAA,WACC,OAAA,CAAQ,MAAA;EAmCE,IAAA,CACX,UAAA,UACA,YAAA,uBACC,OAAA,CAAQ,gBAAA;EA2DE,uBAAA,CACX,eAAA,WACC,OAAA,CAAQ,kBAAA;EA8DJ,OAAA,CAAA;AAAA"}
+{"version":3,"file":"index.d.ts","names":[],"sources":["../src/cli/commands/local-invoke.ts","../src/cli/commands/local-invoke-agentcore.ts","../src/cli/commands/local-run-task.ts","../src/local/target-lister.ts","../src/cli/commands/local-start-service.ts","../src/cli/commands/local-start-alb.ts","../src/cli/commands/local-list.ts","../src/local/cfn-local-state-provider.ts"],"mappings":";;;;;UA6IiB,+BAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAi6BA,wBAAA,CAAyB,IAAA,GAAM,+BAAA,GAAuC,OAAA;;;UCz3BrE,wCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmqCA,iCAAA,CACd,IAAA,GAAM,wCAAA,GACL,OAAA;;;UCrvCc,gCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmhBA,yBAAA,CAA0B,IAAA,GAAM,gCAAA,GAAwC,OAAA;;;UCjnBvE,WAAA;EAEf,SAAA;EAEA,SAAA;EAKA,WAAA;EAMA,WAAA;EAOA,IAAA;AAAA;AAAA,UAOe,aAAA;EAEf,OAAA,EAAS,WAAA;EAMT,IAAA,EAAM,WAAA;EAEN,WAAA,EAAa,WAAA;EAEb,kBAAA,EAAoB,WAAA;EAEpB,iBAAA,EAAmB,WAAA;EAEnB,aAAA,EAAe,WAAA;AAAA;AAAA,iBAkID,WAAA,CAAY,MAAA,WAAiB,SAAA,KAAc,aAAA;AAAA,iBAsC3C,YAAA,CAAa,OAAA,EAAS,aAAA;;;UC3MrB,qCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmCA,8BAAA,CACd,IAAA,GAAM,qCAAA,GACL,OAAA;;;UChCc,iCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA2QA,0BAAA,CAA2B,IAAA,GAAM,iCAAA,GAAyC,OAAA;;;UCvQzE,6BAAA;EAEf,WAAA,GAAc,mBAAA;AAAA;AAAA,UAuCC,0BAAA;EAOf,IAAA;AAAA;AAAA,iBAYc,mBAAA,CACd,OAAA,EAAS,aAAA,EACT,OAAA,UACA,OAAA,GAAS,0BAAA;AAAA,iBAuEK,sBAAA,CAAuB,IAAA,GAAM,6BAAA,GAAqC,OAAA;;;UC/FjE,4BAAA;EAOf,YAAA;EAKA,MAAA;EAiBA,OAAA;AAAA;AAAA,cAGW,qBAAA,YAAiC,kBAAA;EAAA,SAG5B,KAAA;EAAA,iBACC,YAAA;EAAA,iBACA,MAAA;EAAA,QAKT,MAAA;EAAA,QAKA,YAAA;EAAA,QAKA,SAAA;EAAA,iBACS,aAAA;EAAA,QAQT,QAAA;cAEI,IAAA,EAAM,4BAAA;EAAA,QAOV,SAAA;EAAA,QAmBA,eAAA;EAAA,QAaA,YAAA;EA6BK,4BAAA,CACX,QAAA,EAAU,sBAAA,GACT,OAAA,CAAQ,qBAAA;EAsBE,0BAAA,CACX,kBAAA,WACC,OAAA,CAAQ,MAAA;EAmCE,IAAA,CACX,UAAA,UACA,YAAA,uBACC,OAAA,CAAQ,gBAAA;EA2DE,uBAAA,CACX,eAAA,WACC,OAAA,CAAQ,kBAAA;EA8DJ,OAAA,CAAA;AAAA"}

package/dist/index.js

@@ -1,5 +1,5 @@
 import { c as getEmbedConfig, l as resetEmbedConfig, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
 import { Cn as listTargets, Sn as countTargets, a as createLocalStartApiCommand, cn as createLocalStateProvider, dn as resolveCfnFallbackRegion, fn as resolveCfnRegion, gn as resolveSsmParameters, hn as collectSsmParameterRefs, in as substituteEnvVarsFromStateAsync, ln as isCfnFlagPresent, mn as CfnLocalStateProvider, nn as substituteAgainstStateAsync, pn as resolveCfnStackName, rn as substituteEnvVarsFromState, sn as LocalStateSourceError, tn as substituteAgainstState, un as rejectExplicitCfnStackWithMultipleStacks } from "./cloud-map-resolver-CbSdXQjx.js";
-import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, n as formatTargetListing, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-e7cz-0OZ.js";
+import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, n as formatTargetListing, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-DT8qRbKy.js";
 
 export { CfnLocalStateProvider, LocalStateSourceError, collectSsmParameterRefs, countTargets, createLocalInvokeAgentCoreCommand, createLocalInvokeCommand, createLocalListCommand, createLocalRunTaskCommand, createLocalStartAlbCommand, createLocalStartApiCommand, createLocalStartServiceCommand, createLocalStateProvider, formatTargetListing, getEmbedConfig, isCfnFlagPresent, listTargets, rejectExplicitCfnStackWithMultipleStacks, resetEmbedConfig, resolveCfnFallbackRegion, resolveCfnRegion, resolveCfnStackName, resolveSsmParameters, setEmbedConfig, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync };

package/dist/{local-list-e7cz-0OZ.js → local-list-DT8qRbKy.js}

@@ -1,15 +1,16 @@
 import { a as runDockerStreaming, c as getEmbedConfig, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
 import { $n as parseContextOptions, $t as resolveEcsTaskTarget, At as parseEcrUri, Bn as matchStacks, Bt as removeContainer, Cn as listTargets, Ct as singleFlight, Dt as waitForRieReady, Et as invokeRie, Fn as resolveAgentCoreTarget, Ft as appendEnvFlags, Gn as LocalInvokeBuildError, Gt as resolveRuntimeImage, Hn as readCdkPathOrUndefined, Ht as streamLogs, In as resolveLambdaTarget, It as ensureDockerAvailable, Jn as applyRoleArnIfSet, Jt as applyCrossStackResolverToTask, Kn as LocalStartServiceError, Kt as EcsTaskResolutionError, Ln as derivePseudoParametersFromRegion, Lt as execEnvForSecrets, Mt as buildDockerImage, Nt as DockerRunnerError, Ot as architectureToPlatform, Pn as pickAgentCoreCandidateStack, Pt as SENSITIVE_ENV_KEYS, Q as verifyJwtViaDiscovery, Qn as deprecatedRegionOption, Qt as parseEcsTarget, Rt as pickFreePort, Sn as countTargets, St as writeProfileCredentialsFile, Tt as getDockerImageBySourceHash, Un as resolveCdkPathToLogicalIds, Ut as resolveRuntimeCodeMountPath, Vn as buildCdkPathIndex, Vt as runDetached, Wn as CdkLocalError, Wt as resolveRuntimeFileExtension, Xn as commonOptions, Xt as derivePartitionAndUrlSuffix, Y as createJwksCache, Yn as appOptions, Yt as checkVolumeHostPath, Zn as contextOptions, Zt as detectEcsImageResolutionNeeds, _n as resolveApp, an as resolveEnvVars, at as invokeAgentCoreWs, bn as resolveMultiTarget, c as resolveProfileCredentials$1, cn as createLocalStateProvider, dn as resolveCfnFallbackRegion, en as applyDeployedEnvFallback, er as warnIfDeprecatedRegion, ft as signAgentCoreInvocation, gt as downloadAndExtractS3Bundle, ht as waitForAgentCorePing, i as getPublishedHostPort, in as substituteEnvVarsFromStateAsync, jn as AGENTCORE_MCP_PROTOCOL, jt as pullEcrImage, kt as buildContainerImage, lt as mcpInvokeOnce, mt as invokeAgentCore, n as CloudMapRegistry, nn as substituteAgainstStateAsync, on as materializeLayerFromArn, ot as MCP_CONTAINER_PORT, qn as withErrorHandling, qt as TASK_ROLE_ACCOUNT_PLACEHOLDER, r as getContainerNetworkIp, st as MCP_PATH, t as buildCloudMapIndex, un as rejectExplicitCfnStackWithMultipleStacks, vt as buildAgentCoreCodeImage, wt as AssetManifestLoader, xn as resolveSingleTarget, yn as Synthesizer, zt as pullImage } from "./cloud-map-resolver-CbSdXQjx.js";
-import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
-import { tmpdir } from "node:os";
+import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, unlinkSync, writeFileSync } from "node:fs";
+import { homedir, tmpdir } from "node:os";
 import * as path from "node:path";
-import { dirname } from "node:path";
+import { dirname, join } from "node:path";
 import { Command, Option } from "commander";
 import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
 import { execFile, spawn } from "node:child_process";
 import { promisify } from "node:util";
-import { randomBytes, randomUUID } from "node:crypto";
+import { X509Certificate, randomBytes, randomUUID } from "node:crypto";
 import { createServer, request } from "node:http";
+import { createServer as createServer$1 } from "node:https";
 import graphlib from "graphlib";
 import { GetSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
 
@@ -1329,7 +1330,7 @@ function createLocalInvokeAgentCoreCommand(opts = {}) {
 
 //#endregion
 //#region src/local/ecs-network.ts
-const execFileAsync$1 = promisify(execFile);
+const execFileAsync$2 = promisify(execFile);
 /**
 * Docker network + AWS-published metadata-endpoints sidecar lifecycle for
 * `cdkl run-task`. The sidecar (a small Go binary maintained by
@@ -1453,7 +1454,7 @@ async function sweepOrphanedSvcNetworks(prefix) {
 	const filter = `${prefix}-svc-`;
 	let names;
 	try {
-		const { stdout } = await execFileAsync$1(getDockerCmd(), [
+		const { stdout } = await execFileAsync$2(getDockerCmd(), [
 			"network",
 			"ls",
 			"--filter",
@@ -1471,7 +1472,7 @@ async function sweepOrphanedSvcNetworks(prefix) {
 	for (const name of names) {
 		let attached;
 		try {
-			const { stdout } = await execFileAsync$1(getDockerCmd(), [
+			const { stdout } = await execFileAsync$2(getDockerCmd(), [
 				"network",
 				"inspect",
 				name,
@@ -1506,7 +1507,7 @@ async function createNetworkAndSidecar(args) {
 	await pullImage(METADATA_ENDPOINT_IMAGE, skipPull);
 	logger.info(`Creating docker network ${networkName} (subnet ${cidr})...`);
 	try {
-		await execFileAsync$1(getDockerCmd(), [
+		await execFileAsync$2(getDockerCmd(), [
 			"network",
 			"create",
 			"--driver",
@@ -1541,7 +1542,7 @@ async function createNetworkAndSidecar(args) {
 	sidecarArgs.push(METADATA_ENDPOINT_IMAGE);
 	logger.info(`Starting ECS local-container-endpoints sidecar at ${sidecarIp}...`);
 	try {
-		const { stdout } = await execFileAsync$1(getDockerCmd(), sidecarArgs, {
+		const { stdout } = await execFileAsync$2(getDockerCmd(), sidecarArgs, {
 			maxBuffer: 10 * 1024 * 1024,
 			...execEnvForSecrets(sidecarPassthroughEnv)
 		});
@@ -1612,7 +1613,7 @@ async function destroyNetworkOnly(networkName) {
 	if (!networkName) return;
 	const logger = getLogger().child("ecs-network");
 	try {
-		await execFileAsync$1(getDockerCmd(), [
+		await execFileAsync$2(getDockerCmd(), [
 			"network",
 			"rm",
 			networkName
@@ -1751,7 +1752,7 @@ async function resolveSsm(entry, shape, client) {
 
 //#endregion
 //#region src/local/ecs-task-runner.ts
-const execFileAsync = promisify(execFile);
+const execFileAsync$1 = promisify(execFile);
 /**
 * Top-level orchestrator for `cdkl run-task`. Coordinates image
 * preparation, secret resolution, docker-network bring-up, container
@@ -1811,7 +1812,7 @@ async function cleanupEcsRun(state, options) {
 	if (state.network && !state.network.ownedByCaller) await destroyTaskNetwork(state.network);
 	state.network = void 0;
 	for (const v of state.dockerVolumeNames) try {
-		await execFileAsync(getDockerCmd(), [
+		await execFileAsync$1(getDockerCmd(), [
 			"volume",
 			"rm",
 			v
@@ -1892,7 +1893,7 @@ async function runEcsTask(task, options, state) {
 		logger.info(`Starting container '${container.name}' (image=${imagePlan.get(container.name)})`);
 		let id;
 		try {
-			const { stdout } = await execFileAsync(getDockerCmd(), args, {
+			const { stdout } = await execFileAsync$1(getDockerCmd(), args, {
 				maxBuffer: 10 * 1024 * 1024,
 				...execEnvForSecrets(sensitiveEnv)
 			});
@@ -2004,7 +2005,7 @@ async function waitForContainerHealthy(containerId, displayName) {
 	let lastStatus = "";
 	while (Date.now() < deadline) {
 		try {
-			const { stdout } = await execFileAsync(getDockerCmd(), [
+			const { stdout } = await execFileAsync$1(getDockerCmd(), [
 				"inspect",
 				"--format",
 				"{{.State.Health.Status}}",
@@ -2027,7 +2028,7 @@ async function waitForContainerHealthy(containerId, displayName) {
 }
 async function waitForContainerExit(containerId) {
 	try {
-		const { stdout } = await execFileAsync(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
+		const { stdout } = await execFileAsync$1(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
 		const code = Number.parseInt(stdout.trim(), 10);
 		return Number.isFinite(code) ? code : 1;
 	} catch (err) {
@@ -2037,7 +2038,7 @@ async function waitForContainerExit(containerId) {
 }
 async function stopContainer(containerId, graceSeconds) {
 	try {
-		await execFileAsync(getDockerCmd(), [
+		await execFileAsync$1(getDockerCmd(), [
 			"stop",
 			"-t",
 			String(graceSeconds),
@@ -2163,7 +2164,7 @@ async function realizeDockerVolumes(volumes, state) {
 		const dockerVolumeName = `${getEmbedConfig().resourceNamePrefix}-${v.name}-${randHex(4)}`;
 		args.push(dockerVolumeName);
 		try {
-			await execFileAsync(getDockerCmd(), args);
+			await execFileAsync$1(getDockerCmd(), args);
 			state.dockerVolumeNames.push(dockerVolumeName);
 			logger.debug(`Created docker volume ${dockerVolumeName} for task volume '${v.name}'`);
 		} catch (err) {
@@ -3707,12 +3708,17 @@ const DEFAULT_UPSTREAM_TIMEOUT_MS = 3e4;
 async function startFrontDoorServer(opts) {
 	const logger = getLogger().child("front-door");
 	const host = opts.host ?? "127.0.0.1";
-	const server = createServer((req, res) => {
+	const requestHandler = (req, res) => {
 		handleProxyRequest(req, res, opts).catch((err) => {
 			logger.debug(`front-door request error: ${err instanceof Error ? err.message : String(err)}`);
 			if (!res.headersSent) writeError(res, 502, "Bad Gateway");
 		});
-	});
+	};
+	const server = opts.tls ? createServer$1({
+		cert: opts.tls.certPem,
+		key: opts.tls.keyPem
+	}, requestHandler) : createServer(requestHandler);
+	const scheme = opts.tls ? "https" : "http";
 	server.on("connection", (socket) => socket.setNoDelay(true));
 	const boundPort = await new Promise((resolve, reject) => {
 		server.once("error", reject);
@@ -3729,6 +3735,7 @@ async function startFrontDoorServer(opts) {
 	return {
 		port: boundPort,
 		host,
+		scheme,
 		server,
 		close: async () => {
 			if (closed) return;
@@ -3769,7 +3776,7 @@ function handleProxyRequest(req, res, opts) {
 		if (!action) return reply404(req, res, opts);
 		if (action.kind === "redirect" || action.kind === "fixed-response") {
 			req.resume();
-			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort);
+			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
 			else writeFixedResponse(res, action);
 			return Promise.resolve();
 		}
@@ -3807,7 +3814,7 @@ function handlePoolRequest(req, res, pool, opts) {
 		};
 		const headers = { ...req.headers };
 		stripHopByHopHeaders(headers);
-		appendForwardedHeaders(headers, req, opts.listenerPort);
+		appendForwardedHeaders(headers, req, opts.listenerPort, opts.tls ? "https" : "http");
 		const proxyReq = request({
 			host: endpoint.host,
 			port: endpoint.port,
@@ -3874,8 +3881,8 @@ function pickWeightedTarget(targets) {
 * `#{query}` placeholders filled from the incoming request. We resolve those
 * placeholders against the request the front-door received.
 */
-function writeRedirect(res, action, req, listenerPort) {
-	const location = buildRedirectLocation(action, req, listenerPort);
+function writeRedirect(res, action, req, listenerPort, scheme) {
+	const location = buildRedirectLocation(action, req, listenerPort, scheme);
 	res.writeHead(action.statusCode, {
 		location,
 		"content-type": "text/plain; charset=utf-8",
@@ -3883,15 +3890,20 @@ function writeRedirect(res, action, req, listenerPort) {
 	});
 	res.end();
 }
-/** Build the `Location` URL for a redirect action, resolving ALB `#{...}` placeholders. */
-function buildRedirectLocation(action, req, listenerPort) {
+/**
+* Build the `Location` URL for a redirect action, resolving ALB `#{...}`
+* placeholders. `scheme` is the receiving listener's protocol — it sets the
+* default for `#{protocol}` so an HTTPS listener redirects to `https://...`
+* by default, matching what a real ALB does.
+*/
+function buildRedirectLocation(action, req, listenerPort, scheme = "http") {
 	const url = req.url ?? "/";
 	const qIndex = url.indexOf("?");
 	const reqPath = qIndex === -1 ? url : url.slice(0, qIndex);
 	const reqQuery = qIndex === -1 ? "" : url.slice(qIndex + 1);
 	const rawHost = req.headers["host"];
 	const placeholders = {
-		protocol: "http",
+		protocol: scheme,
 		host: ((Array.isArray(rawHost) ? rawHost[0] : rawHost) ?? "").split(":")[0] ?? "",
 		port: String(listenerPort),
 		path: reqPath.replace(/^\//, ""),
@@ -3958,7 +3970,7 @@ function handleLambdaRequest(req, res, lambda, opts) {
 					const body = Buffer.concat(chunks);
 					const forwardHeaders = { ...req.headers };
 					stripHopByHopHeaders(forwardHeaders);
-					appendForwardedHeaders(forwardHeaders, req, opts.listenerPort);
+					appendForwardedHeaders(forwardHeaders, req, opts.listenerPort, opts.tls ? "https" : "http");
 					const snapshot = snapshotFromIncoming(req, body);
 					for (const [name, value] of Object.entries(forwardHeaders)) {
 						if (value === void 0) continue;
@@ -4020,14 +4032,15 @@ function stripHopByHopHeaders(headers) {
 /**
 * Inject the ALB-style forwarding headers a downstream app may read. Appends
 * the client IP to any existing `X-Forwarded-For` chain (ALB appends rather
-* than replaces) and stamps the scheme / listener port.
+* than replaces) and stamps the scheme / listener port. `scheme` follows the
+* listener's protocol so an HTTPS listener stamps `x-forwarded-proto: https`.
 */
-function appendForwardedHeaders(headers, req, listenerPort) {
+function appendForwardedHeaders(headers, req, listenerPort, scheme) {
 	const clientIp = req.socket.remoteAddress ?? "";
 	const existing = headers["x-forwarded-for"];
 	const chain = Array.isArray(existing) ? existing.join(", ") : existing;
 	headers["x-forwarded-for"] = chain ? `${chain}, ${clientIp}` : clientIp;
-	headers["x-forwarded-proto"] = "http";
+	headers["x-forwarded-proto"] = scheme;
 	headers["x-forwarded-port"] = String(listenerPort);
 }
 function writeError(res, statusCode, message) {
@@ -4345,6 +4358,129 @@ function matchBitPrefix(a, b, prefixLength) {
 	return (a[fullBytes] & mask) === (b[fullBytes] & mask);
 }
 
+//#endregion
+//#region src/local/front-door-tls.ts
+const execFileAsync = promisify(execFile);
+/**
+* Resolve a single global cert/key pair for HTTPS front-door listeners. When
+* BOTH `certPath` and `keyPath` are supplied, those PEM files are read from
+* disk. When neither is supplied, a long-lived self-signed cert is cached
+* under `$XDG_CACHE_HOME/cdk-local/alb-https/` (defaulting to
+* `~/.cache/cdk-local/alb-https/`) and reused across boots; it is regenerated
+* when missing or within `regenerateWithinDays` of expiry. Pairing is enforced
+* — supplying exactly one of `--tls-cert` / `--tls-key` is rejected with a
+* clear error before the server starts.
+*
+* The self-signed cert path subprocesses `openssl req -x509 ...`. `openssl`
+* is on macOS / Linux dev boxes and Docker base images by default; absence
+* surfaces as an actionable error pointing at the BYO recipe.
+*/
+async function resolveFrontDoorTlsMaterials(opts) {
+	const hasCert = opts.certPath !== void 0 && opts.certPath !== "";
+	const hasKey = opts.keyPath !== void 0 && opts.keyPath !== "";
+	if (hasCert !== hasKey) throw new Error(`${hasCert ? "--tls-cert" : "--tls-key"} is set but ${hasCert ? "--tls-key" : "--tls-cert"} is missing. Both --tls-cert and --tls-key must be set together, or both left unset to use an auto-generated self-signed cert.`);
+	if (hasCert && hasKey) return {
+		certPem: readPemOrThrow(opts.certPath, "--tls-cert"),
+		keyPem: readPemOrThrow(opts.keyPath, "--tls-key")
+	};
+	return ensureSelfSignedCert({
+		cacheDir: opts.cacheDir ?? defaultCacheDir(),
+		regenerateWithinDays: opts.regenerateWithinDays ?? 30,
+		validityDays: opts.validityDays ?? 825
+	});
+}
+/** Default cache dir for the auto-generated self-signed cert. */
+function defaultCacheDir() {
+	const xdg = process.env["XDG_CACHE_HOME"];
+	return join(xdg && xdg !== "" ? xdg : join(homedir(), ".cache"), "cdk-local", "alb-https");
+}
+const CERT_FILENAME = "cert.pem";
+const KEY_FILENAME = "key.pem";
+async function ensureSelfSignedCert(opts) {
+	const logger = getLogger().child("front-door-tls");
+	const certPath = join(opts.cacheDir, CERT_FILENAME);
+	const keyPath = join(opts.cacheDir, KEY_FILENAME);
+	if (cachedPairIsFresh(certPath, keyPath, opts.regenerateWithinDays)) return {
+		certPem: readFileSync(certPath),
+		keyPem: readFileSync(keyPath)
+	};
+	mkdirSync(opts.cacheDir, { recursive: true });
+	try {
+		unlinkSync(certPath);
+	} catch {}
+	try {
+		unlinkSync(keyPath);
+	} catch {}
+	try {
+		await runOpenssl([
+			"req",
+			"-x509",
+			"-newkey",
+			"rsa:2048",
+			"-nodes",
+			"-keyout",
+			keyPath,
+			"-out",
+			certPath,
+			"-subj",
+			"/CN=localhost",
+			"-days",
+			String(opts.validityDays),
+			"-addext",
+			"subjectAltName=DNS:localhost,IP:127.0.0.1"
+		]);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		throw new Error(`Failed to auto-generate a self-signed cert via openssl: ${msg}. Install openssl, or supply --tls-cert <path> + --tls-key <path> with your own PEM files. Recipe: openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -subj "/CN=localhost" -days 365.`);
+	}
+	logger.info(`ALB front-door: generated self-signed cert at ${certPath} (valid ${opts.validityDays} days)`);
+	return {
+		certPem: readFileSync(certPath),
+		keyPem: readFileSync(keyPath)
+	};
+}
+function cachedPairIsFresh(certPath, keyPath, regenWithinDays) {
+	try {
+		statSync(certPath);
+		statSync(keyPath);
+	} catch {
+		return false;
+	}
+	try {
+		const notAfter = readCertNotAfter(certPath);
+		if (notAfter === void 0) return false;
+		const renewAt = notAfter.getTime() - regenWithinDays * 864e5;
+		return Date.now() < renewAt;
+	} catch {
+		return false;
+	}
+}
+/**
+* Read a cert's `notAfter` expiry timestamp. Used to decide whether to
+* regenerate the cached self-signed cert proactively. Returns `undefined`
+* when the cert is unreadable (caller then regenerates).
+*/
+function readCertNotAfter(certPath) {
+	try {
+		const cert = new X509Certificate(readFileSync(certPath));
+		const parsed = new Date(cert.validTo);
+		return Number.isNaN(parsed.getTime()) ? void 0 : parsed;
+	} catch {
+		return;
+	}
+}
+async function runOpenssl(args) {
+	await execFileAsync("openssl", args, { timeout: 3e4 });
+}
+function readPemOrThrow(path, flagName) {
+	try {
+		return readFileSync(path);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		throw new Error(`${flagName}: cannot read PEM file at '${path}': ${msg}`);
+	}
+}
+
 //#endregion
 //#region src/local/front-door-lambda-runner.ts
 /** Forward the dev shell's AWS credential / region env into the Lambda container. */
@@ -4829,6 +4965,10 @@ async function buildFrontDoor(plan, options, logger) {
 			...action.messageBody !== void 0 && { messageBody: action.messageBody }
 		};
 	};
+	const tlsMaterials = plan.listeners.some((l) => l.protocol === "HTTPS") ? await resolveFrontDoorTlsMaterials({
+		certPath: options.tlsCert,
+		keyPath: options.tlsKey
+	}) : void 0;
 	try {
 		for (const listener of plan.listeners) {
 			const defaultRoute = listener.defaultAction ? toRouteAction(listener.defaultAction) : void 0;
@@ -4843,15 +4983,17 @@ async function buildFrontDoor(plan, options, logger) {
 				target: toRouteAction(r.action)
 			}));
 			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
+			const tls = listener.protocol === "HTTPS" ? tlsMaterials : void 0;
 			const server = await startFrontDoorServer({
 				route,
 				port: listener.hostPort,
 				host: containerHost,
 				listenerPort: listener.listenerPort,
-				label: `listener port ${listener.listenerPort}`
+				label: `listener port ${listener.listenerPort}`,
+				...tls ? { tls } : {}
 			});
 			servers.push(server);
-			logger.info(`ALB front-door: http://${server.host}:${server.port} (listener port ${listener.listenerPort})`);
+			logger.info(`ALB front-door: ${server.scheme}://${server.host}:${server.port} (listener port ${listener.listenerPort})`);
 			if (listener.defaultAction) logger.info(`  default -> ${describeAction(listener.defaultAction)}`);
 			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  ${describeConditions(r)} (priority ${r.priority}) -> ${describeAction(r.action)}`);
 			if (!listener.defaultAction) logger.info("  (no default action: unmatched requests return 404)");
@@ -5153,8 +5295,12 @@ function createLocalStartServiceCommand(opts = {}) {
 * functions (`TargetType:"lambda"` target groups — #123: the TG -> backing
 * `AWS::Lambda::Function` is resolved and the front-door invokes it locally per
 * request); `redirect` / `fixed-response` actions. A single weighted forward may
-* mix ECS and Lambda targets. Skipped with a warning: HTTPS/TLS listeners and
-* `authenticate-cognito` / `authenticate-oidc` actions.
+* mix ECS and Lambda targets. HTTPS listeners are served — local TLS
+* termination uses a user-supplied or auto-generated self-signed cert/key
+* pair (the deployed `Listener.Certificates[]` ACM ARNs are not fetched,
+* because ACM private keys are not retrievable by design). Skipped with a
+* warning: TLS listeners (NLB-style, not ALB) and `authenticate-cognito` /
+* `authenticate-oidc` actions.
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
@@ -5181,10 +5327,11 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 		const port = parsePort(props["Port"]);
 		if (port === void 0) continue;
 		const protocol = typeof props["Protocol"] === "string" ? props["Protocol"] : "HTTP";
-		if (protocol !== "HTTP") {
-			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP listeners only (TLS termination is deferred). Skipping it.`);
+		if (protocol !== "HTTP" && protocol !== "HTTPS") {
+			warnings.push(`Listener '${listenerLogicalId}' on port ${port} uses protocol ${protocol}; the local ALB front-door supports HTTP and HTTPS listeners only (TLS / NLB-style listeners are not served). Skipping it.`);
 			continue;
 		}
+		if (protocol === "HTTPS" && Array.isArray(props["Certificates"]) && props["Certificates"].length > 0) warnings.push(`Listener '${listenerLogicalId}' on port ${port} declares ACM Certificates which are not retrievable locally. The front-door terminates TLS with --tls-cert/--tls-key or an auto-generated self-signed cert.`);
 		const defaultAction = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
 		const rules = [];
 		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
@@ -5210,7 +5357,7 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 		if (!defaultAction && rules.length === 0) continue;
 		listeners.push({
 			listenerPort: port,
-			listenerProtocol: "HTTP",
+			listenerProtocol: protocol,
 			listenerLogicalId,
 			...defaultAction ? { defaultAction } : {},
 			rules
@@ -5800,6 +5947,7 @@ function albStrategy(options) {
 					listeners.push({
 						listenerPort: listener.listenerPort,
 						hostPort,
+						protocol: listener.listenerProtocol,
 						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
 						rules: listener.rules.map((r) => ({
 							priority: r.priority,
@@ -5838,7 +5986,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its HTTP listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP listeners; path-pattern and host-header rule conditions; forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). HTTPS listeners, the other rule conditions (http-header / query-string / source-ip / http-request-method), and authenticate-* actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -5915,4 +6063,4 @@ function createLocalListCommand(opts = {}) {
 
 //#endregion
 export { createLocalRunTaskCommand as a, createLocalStartServiceCommand as i, formatTargetListing as n, createLocalInvokeAgentCoreCommand as o, createLocalStartAlbCommand as r, createLocalInvokeCommand as s, createLocalListCommand as t };
-//# sourceMappingURL=local-list-e7cz-0OZ.js.map
+//# sourceMappingURL=local-list-DT8qRbKy.js.map