cdk-local 0.57.0 → 0.59.0

package/dist/{local-list-DmEjNav4.js → local-list-ChGfKSkV.js}

@@ -1,5 +1,5 @@
 import { a as runDockerStreaming, c as getEmbedConfig, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
-import { $n as parseContextOptions, $t as resolveEcsTaskTarget, At as parseEcrUri, Bn as matchStacks, Bt as removeContainer, Cn as listTargets, Ct as singleFlight, Dt as waitForRieReady, Et as invokeRie, Fn as resolveAgentCoreTarget, Ft as appendEnvFlags, Gn as LocalInvokeBuildError, Gt as resolveRuntimeImage, Hn as readCdkPathOrUndefined, Ht as streamLogs, In as resolveLambdaTarget, It as ensureDockerAvailable, Jn as applyRoleArnIfSet, Jt as applyCrossStackResolverToTask, Kn as LocalStartServiceError, Kt as EcsTaskResolutionError, Ln as derivePseudoParametersFromRegion, Lt as execEnvForSecrets, Mt as buildDockerImage, Nt as DockerRunnerError, Ot as architectureToPlatform, Pn as pickAgentCoreCandidateStack, Pt as SENSITIVE_ENV_KEYS, Q as verifyJwtViaDiscovery, Qn as deprecatedRegionOption, Qt as parseEcsTarget, Rt as pickFreePort, Sn as countTargets, St as writeProfileCredentialsFile, Tt as getDockerImageBySourceHash, Un as resolveCdkPathToLogicalIds, Ut as resolveRuntimeCodeMountPath, Vn as buildCdkPathIndex, Vt as runDetached, Wn as CdkLocalError, Wt as resolveRuntimeFileExtension, Xn as commonOptions, Xt as derivePartitionAndUrlSuffix, Y as createJwksCache, Yn as appOptions, Yt as checkVolumeHostPath, Zn as contextOptions, Zt as detectEcsImageResolutionNeeds, _n as resolveApp, an as resolveEnvVars, at as invokeAgentCoreWs, bn as resolveMultiTarget, c as resolveProfileCredentials$1, cn as createLocalStateProvider, dn as resolveCfnFallbackRegion, en as applyDeployedEnvFallback, er as warnIfDeprecatedRegion, ft as signAgentCoreInvocation, gt as downloadAndExtractS3Bundle, ht as waitForAgentCorePing, i as getPublishedHostPort, in as substituteEnvVarsFromStateAsync, jn as AGENTCORE_MCP_PROTOCOL, jt as pullEcrImage, kt as buildContainerImage, lt as mcpInvokeOnce, mt as invokeAgentCore, n as CloudMapRegistry, nn as substituteAgainstStateAsync, on as materializeLayerFromArn, ot as MCP_CONTAINER_PORT, qn as withErrorHandling, qt as TASK_ROLE_ACCOUNT_PLACEHOLDER, r as getContainerNetworkIp, st as MCP_PATH, t as buildCloudMapIndex, un as rejectExplicitCfnStackWithMultipleStacks, vt as buildAgentCoreCodeImage, wt as AssetManifestLoader, xn as resolveSingleTarget, yn as Synthesizer, zt as pullImage } from "./cloud-map-resolver-BDAxtbvB.js";
+import { $n as applyRoleArnIfSet, $t as derivePartitionAndUrlSuffix, At as waitForRieReady, Bn as resolveAgentCoreTarget, Bt as execEnvForSecrets, Cn as resolveMultiTarget, Dt as AssetManifestLoader, En as listTargets, Et as singleFlight, Ft as buildDockerImage, Gn as matchStacks, Gt as streamLogs, Hn as derivePseudoParametersFromRegion, Ht as pullImage, In as AGENTCORE_MCP_PROTOCOL, It as DockerRunnerError, Jn as resolveCdkPathToLogicalIds, Jt as resolveRuntimeImage, Kn as buildCdkPathIndex, Kt as resolveRuntimeCodeMountPath, Lt as SENSITIVE_ENV_KEYS, Mt as buildContainerImage, Nn as AGENTCORE_A2A_PROTOCOL, Nt as parseEcrUri, Ot as getDockerImageBySourceHash, Pn as AGENTCORE_AGUI_PROTOCOL, Pt as pullEcrImage, Q as verifyJwtViaDiscovery, Qn as withErrorHandling, Qt as checkVolumeHostPath, Rt as appendEnvFlags, Sn as Synthesizer, Tn as countTargets, Tt as writeProfileCredentialsFile, Ut as removeContainer, Vn as resolveLambdaTarget, Vt as pickFreePort, Wt as runDetached, Xn as LocalInvokeBuildError, Xt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Y as createJwksCache, Yn as CdkLocalError, Yt as EcsTaskResolutionError, Z as verifyJwtAuthorizer, Zn as LocalStartServiceError, Zt as applyCrossStackResolverToTask, _t as invokeAgentCore, an as substituteAgainstStateAsync, ar as warnIfDeprecatedRegion, at as invokeAgentCoreWs, bn as resolveApp, c as resolveProfileCredentials$1, cn as resolveEnvVars, ct as a2aInvokeOnce, dn as createLocalStateProvider, en as detectEcsImageResolutionNeeds, er as appOptions, ft as mcpInvokeOnce, ht as signAgentCoreInvocation, i as getPublishedHostPort, ir as parseContextOptions, jt as architectureToPlatform, kt as invokeRie, ln as materializeLayerFromArn, lt as MCP_CONTAINER_PORT, mn as resolveCfnFallbackRegion, n as CloudMapRegistry, nn as resolveEcsTaskTarget, nr as contextOptions, ot as A2A_CONTAINER_PORT, pn as rejectExplicitCfnStackWithMultipleStacks, qn as readCdkPathOrUndefined, qt as resolveRuntimeFileExtension, r as getContainerNetworkIp, rn as applyDeployedEnvFallback, rr as deprecatedRegionOption, sn as substituteEnvVarsFromStateAsync, st as A2A_PATH, t as buildCloudMapIndex, tn as parseEcsTarget, tr as commonOptions, ut as MCP_PATH, vt as waitForAgentCorePing, wn as resolveSingleTarget, xt as buildAgentCoreCodeImage, yt as downloadAndExtractS3Bundle, zn as pickAgentCoreCandidateStack, zt as ensureDockerAvailable } from "./cloud-map-resolver-DjKCYyIq.js";
 import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, unlinkSync, writeFileSync } from "node:fs";
 import { homedir, tmpdir } from "node:os";
 import * as path from "node:path";
@@ -681,15 +681,21 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 		const resolved = resolveAgentCoreTarget(resolvedTarget, stacks, imageContext);
 		logger.info(`Target: ${resolved.stack.stackName}/${resolved.logicalId} (${resolved.protocol})`);
 		const isMcp = resolved.protocol === "MCP";
-		if (isMcp && options.ws) logger.warn("--ws applies only to the HTTP protocol; ignoring it for this MCP runtime.");
+		const isA2a = resolved.protocol === "A2A";
+		if (resolved.protocol === "AGUI") logger.info("AGUI runtime: routing through the HTTP /invocations + /ws path (AG-UI wire is SSE / WebSocket on port 8080).");
+		if ((isMcp || isA2a) && options.ws) logger.warn(`--ws applies only to the HTTP / AGUI protocols; ignoring it for this ${resolved.protocol} runtime.`);
 		if (options.wsInteractive && !options.ws) logger.warn("--ws-interactive is meaningful only with --ws; ignoring.");
-		if (options.sigv4 && (isMcp || options.ws)) logger.warn("--sigv4 signs the HTTP /invocations request only; ignoring it for the " + (isMcp ? "MCP" : "/ws WebSocket") + " path.");
+		if (options.sigv4 && (isMcp || isA2a || options.ws)) logger.warn("--sigv4 signs the HTTP /invocations request only; ignoring it for the " + (isMcp ? "MCP" : isA2a ? "A2A" : "/ws WebSocket") + " path.");
 		const sessionId = options.sessionId ?? randomUUID();
 		const event = await readEvent(options);
 		const mcpRequest = isMcp ? buildMcpRequest(event) : void 0;
+		const a2aRequest = isA2a ? buildA2aRequest(event) : void 0;
 		let authorization;
-		if (isMcp) {
-			if (resolved.jwtAuthorizer || options.bearerToken) logger.info(`MCP runtime: invoking the local container's ${MCP_PATH} directly (vanilla MCP). An inbound JWT / --bearer-token is an AgentCore managed-plane concern and is not applied locally.`);
+		if (isMcp || isA2a) {
+			if (resolved.jwtAuthorizer || options.bearerToken) {
+				const pathLabel = isMcp ? MCP_PATH : "/";
+				logger.info(`${resolved.protocol} runtime: invoking the local container's ${pathLabel} directly (vanilla ${resolved.protocol}). An inbound JWT / --bearer-token is an AgentCore managed-plane concern and is not applied locally.`);
+			}
 		} else authorization = await resolveInboundAuthorization(resolved, options);
 		await resolveFromS3BucketIntrinsic(resolved, stateProvider, loadedState, imageContext);
 		const image = await resolveAgentCoreImage(resolved, options, loadedState);
@@ -697,7 +703,8 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 		const hostPort = await pickFreePort();
 		const containerHost = options.containerHost;
 		const containerName = `${getEmbedConfig().resourceNamePrefix}-agentcore-${process.pid}-${Math.random().toString(36).slice(2, 8)}`;
-		const containerPortLabel = isMcp ? `${MCP_CONTAINER_PORT}${MCP_PATH}` : "8080";
+		const containerPort = isMcp ? MCP_CONTAINER_PORT : isA2a ? A2A_CONTAINER_PORT : void 0;
+		const containerPortLabel = isMcp ? `${MCP_CONTAINER_PORT}${MCP_PATH}` : isA2a ? `${A2A_CONTAINER_PORT}${"/"}` : "8080";
 		logger.info(`Starting agent container (image=${image}, port=${hostPort} -> ${containerPortLabel})...`);
 		containerId = await runDetached({
 			image,
@@ -708,7 +715,7 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			host: containerHost,
 			platform: options.platform,
 			name: containerName,
-			...isMcp && { containerPort: 8e3 },
+			...containerPort !== void 0 && { containerPort },
 			...sensitiveEnvKeys.size > 0 && { sensitiveEnvKeys }
 		});
 		stopLogs = streamLogs(containerId);
@@ -721,6 +728,11 @@ async function localInvokeAgentCoreCommand(target, options, extraStateProviders)
 			const mcp = await mcpInvokeOnce(containerHost, hostPort, mcpRequest, { requestTimeoutMs: options.timeout });
 			await new Promise((r) => setTimeout(r, 250));
 			emitMcpResult(mcp);
+		} else if (isA2a && a2aRequest) {
+			logger.info(`A2A request: ${a2aRequest.method}`);
+			const a2a = await a2aInvokeOnce(containerHost, hostPort, a2aRequest, { requestTimeoutMs: options.timeout });
+			await new Promise((r) => setTimeout(r, 250));
+			emitA2aResult(a2a);
 		} else if (options.ws) {
 			await waitForAgentCorePing(containerHost, hostPort);
 			const frameSource = options.wsInteractive ? readStdinLines() : void 0;
@@ -1239,6 +1251,39 @@ function emitMcpResult(result) {
 	}
 	process.stdout.write(`${result.raw}\n`);
 }
+/**
+* Build the JSON-RPC request to send to an A2A runtime from `--event`:
+*   - no `--event` (empty object) → `agent/getCard` (discover the agent's card),
+*   - an object with a string `method` → that method + its `params`,
+*   - anything else → a fail-fast error.
+*
+* Exported for unit testing.
+*/
+function buildA2aRequest(event) {
+	if (event === void 0 || event === null) return {
+		method: "agent/getCard",
+		params: {}
+	};
+	if (typeof event !== "object" || Array.isArray(event)) throw new CdkLocalError("A2A --event must be a JSON object describing a JSON-RPC request (e.g. {\"method\":\"tasks/send\",\"params\":{\"id\":\"...\",\"message\":{...}}}).", "LOCAL_INVOKE_AGENTCORE_A2A_EVENT_INVALID");
+	const obj = event;
+	if (Object.keys(obj).length === 0) return {
+		method: "agent/getCard",
+		params: {}
+	};
+	if (typeof obj["method"] !== "string") throw new CdkLocalError(`A2A --event must include a string "method" (a JSON-RPC method such as "agent/getCard" or "tasks/send"). Got keys: ${Object.keys(obj).join(", ")}.`, "LOCAL_INVOKE_AGENTCORE_A2A_EVENT_INVALID");
+	return {
+		method: obj["method"],
+		...obj["params"] !== void 0 && { params: obj["params"] }
+	};
+}
+/** Print the A2A JSON-RPC response; exit 1 when it carried a JSON-RPC error. */
+function emitA2aResult(result) {
+	if (!result.ok) {
+		getLogger().warn("A2A server returned a JSON-RPC error.");
+		process.exitCode = 1;
+	}
+	process.stdout.write(`${result.raw}\n`);
+}
 /** Map a `--platform` value to the architecture `buildContainerImage` expects. */
 function platformToArchitecture(platform) {
 	return platform === "linux/amd64" ? "x86_64" : "arm64";
@@ -3798,25 +3843,67 @@ function handleProxyRequest(req, res, opts) {
 			...req.socket.remoteAddress !== void 0 && { sourceIp: req.socket.remoteAddress }
 		});
 		if (!action) return reply404(req, res, opts);
-		if (action.kind === "redirect" || action.kind === "fixed-response") {
-			req.resume();
-			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
-			else writeFixedResponse(res, action);
-			return Promise.resolve();
-		}
-		const picked = pickWeightedTarget(action.pools);
-		if (!picked) {
-			writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
-			return Promise.resolve();
+		if (action.auth) {
+			const auth = action.auth;
+			return auth.check(req.headers).then((result) => {
+				if (!result.allow) {
+					req.resume();
+					writeUnauthorized(res, auth.realm, result.reason);
+					return;
+				}
+				return serveAction(req, res, action, opts);
+			}).catch((err) => {
+				getLogger().child("front-door").debug(`auth gate error: ${err instanceof Error ? err.message : String(err)}`);
+				req.resume();
+				writeUnauthorized(res, auth.realm, "auth check failed");
+			});
 		}
-		if ("lambda" in picked) return handleLambdaRequest(req, res, picked.lambda, opts);
-		return handlePoolRequest(req, res, picked.pool, opts);
+		return serveAction(req, res, action, opts);
 	}
 	const target = resolveDispatchTarget(opts, url);
 	if (!target) return reply404(req, res, opts);
 	if (target.kind === "lambda") return handleLambdaRequest(req, res, target.lambda, opts);
 	return handlePoolRequest(req, res, target.pool, opts);
 }
+/**
+* Dispatch a resolved {@link RouteAction} — the path the route resolver
+* returned (after any auth gate). Splits forward (ECS pool or Lambda invoker)
+* from redirect / fixed-response, mirroring what the inline logic used to do.
+*/
+function serveAction(req, res, action, opts) {
+	if (action.kind === "redirect" || action.kind === "fixed-response") {
+		req.resume();
+		if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
+		else writeFixedResponse(res, action);
+		return Promise.resolve();
+	}
+	const picked = pickWeightedTarget(action.pools);
+	if (!picked) {
+		writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
+		return Promise.resolve();
+	}
+	if ("lambda" in picked) return handleLambdaRequest(req, res, picked.lambda, opts);
+	return handlePoolRequest(req, res, picked.pool, opts);
+}
+/**
+* Write a 401 with `WWW-Authenticate: Bearer realm="..."`. ALB itself would
+* redirect to the IdP's authorize endpoint; for local dev parity we deny
+* loudly so the user notices and either supplies `--bearer-token` / passes a
+* fresh Authorization header / disables the guard with `--no-verify-auth`.
+*/
+function writeUnauthorized(res, realm, reason) {
+	const body = reason && reason !== "" ? reason : "Unauthorized";
+	res.writeHead(401, {
+		"content-type": "text/plain; charset=utf-8",
+		"content-length": String(Buffer.byteLength(`${body}\n`)),
+		"www-authenticate": `Bearer realm="${escapeRealmQuotes(realm)}"`
+	});
+	res.end(`${body}\n`);
+}
+/** Escape `"` in the realm so the `WWW-Authenticate` header parses cleanly. */
+function escapeRealmQuotes(realm) {
+	return realm.replace(/"/g, "\\\"");
+}
 /** Reply 404 — an ALB listener with no matching rule and no default action. */
 function reply404(req, res, opts) {
 	writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
@@ -4685,6 +4772,98 @@ function createFrontDoorLambdaRunner(lambda, opts) {
 	};
 }
 
+//#endregion
+//#region src/local/front-door-auth.ts
+/**
+* Build the front-door's auth-check callback for an
+* `authenticate-cognito` / `authenticate-oidc` guard.
+*
+* Local-dev parity model: the cloud-side ALB authenticates the user via a
+* full OAuth roundtrip (redirect to the IdP's authorize endpoint, callback,
+* AWSELBAuthSessionCookie issuance). The local front-door does NOT reproduce
+* the roundtrip — it accepts EITHER a Bearer JWT (verified against the
+* Cognito JWKS / OIDC discovery URL just like API Gateway's JWT authorizer)
+* OR an `AWSELBAuthSessionCookie-*` cookie pass-through (the user is acting
+* as if already signed in via the deployed ALB — `--bearer-token` makes the
+* Bearer-JWT path the headline path; the cookie pass-through is convenience
+* for hitting the local front-door from a browser session that already
+* authenticated through the deployed ALB).
+*
+* `--no-verify-auth` (the `noVerifyAuth` flag) short-circuits everything to
+* `allow: true` — explicitly off-switching the guard for local dev where
+* you do not want to mint a Bearer token at all.
+*
+* `--bearer-token <jwt>` (the `bearerToken` arg) makes the supplied token
+* the default `Authorization` value when the inbound request has none.
+*/
+function buildAuthCheck(guard, jwksCache, opts = {}) {
+	const realm = guard.label;
+	if (opts.noVerifyAuth === true) return {
+		realm,
+		check: async () => ({ allow: true })
+	};
+	const warned = opts.warned ?? /* @__PURE__ */ new Set();
+	const sessionCookiePrefix = guard.sessionCookieName;
+	const injectedBearer = opts.bearerToken;
+	return {
+		realm,
+		check: async (headers) => {
+			const cookieHeader = headerValue(headers["cookie"]);
+			if (cookieHeader && cookieHasSessionPrefix(cookieHeader, sessionCookiePrefix)) return { allow: true };
+			let authorization = headerValue(headers["authorization"]);
+			if ((!authorization || authorization === "") && injectedBearer !== void 0) authorization = `Bearer ${injectedBearer}`;
+			if (!authorization || authorization === "") return {
+				allow: false,
+				reason: "No Bearer token presented. Supply Authorization: Bearer <jwt> or pass --bearer-token <jwt>."
+			};
+			if (!authorization.toLowerCase().startsWith("bearer ")) return {
+				allow: false,
+				reason: "Authorization scheme is not Bearer; the ALB authenticate-* guard only accepts Bearer JWTs."
+			};
+			try {
+				if ((await verifyJwtAuthorizer({
+					kind: "jwt",
+					logicalId: guard.label,
+					declaredAt: "start-alb authenticate-* action",
+					issuer: guard.issuer,
+					audience: [guard.audience],
+					...guard.region !== void 0 && { region: guard.region },
+					...guard.userPoolId !== void 0 && { userPoolId: guard.userPoolId }
+				}, authorization, jwksCache, { warned })).allow) return { allow: true };
+				return {
+					allow: false,
+					reason: "Bearer token rejected (signature / iss / aud / exp check failed)."
+				};
+			} catch (err) {
+				getLogger().child("front-door-auth").debug(`auth check threw: ${err instanceof Error ? err.message : String(err)}`);
+				return {
+					allow: false,
+					reason: "Auth check failed."
+				};
+			}
+		}
+	};
+}
+function headerValue(raw) {
+	if (raw === void 0) return void 0;
+	if (Array.isArray(raw)) return raw[0];
+	return raw;
+}
+/**
+* True iff the `Cookie` header contains a cookie whose name starts with
+* `<sessionCookiePrefix>` (ALB suffixes the cookie with `-0` / `-1` / ...
+* when the auth session payload exceeds the per-cookie size limit, so we
+* match the prefix, not an exact name).
+*/
+function cookieHasSessionPrefix(cookieHeader, sessionCookiePrefix) {
+	for (const pair of cookieHeader.split(";")) {
+		const eq = pair.indexOf("=");
+		const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
+		if (name === sessionCookiePrefix || name.startsWith(`${sessionCookiePrefix}-`)) return true;
+	}
+	return false;
+}
+
 //#endregion
 //#region src/cli/commands/ecs-service-emulator.ts
 /**
@@ -4993,9 +5172,20 @@ async function buildFrontDoor(plan, options, logger) {
 		certPath: options.tlsCert,
 		keyPath: options.tlsKey
 	}) : void 0;
+	const jwksCache = createJwksCache();
+	const sharedWarned = /* @__PURE__ */ new Set();
+	const authForGuard = (guard) => buildAuthCheck(guard, jwksCache, {
+		...options.verifyAuth === false && { noVerifyAuth: true },
+		...options.bearerToken !== void 0 && { bearerToken: options.bearerToken },
+		warned: sharedWarned
+	});
+	const attachAuth = (action, guard) => guard ? {
+		...action,
+		auth: authForGuard(guard)
+	} : action;
 	try {
 		for (const listener of plan.listeners) {
-			const defaultRoute = listener.defaultAction ? toRouteAction(listener.defaultAction) : void 0;
+			const defaultRoute = listener.defaultAction ? attachAuth(toRouteAction(listener.defaultAction), listener.defaultAuthGuard) : void 0;
 			const ruleRoutes = listener.rules.map((r) => ({
 				priority: r.priority,
 				pathPatterns: r.pathPatterns,
@@ -5004,7 +5194,7 @@ async function buildFrontDoor(plan, options, logger) {
 				httpRequestMethods: r.httpRequestMethods,
 				queryStringConditions: r.queryStringConditions,
 				sourceIpCidrs: r.sourceIpCidrs,
-				target: toRouteAction(r.action)
+				target: attachAuth(toRouteAction(r.action), r.authGuard)
 			}));
 			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
 			const tls = listener.protocol === "HTTPS" ? tlsMaterials : void 0;
@@ -5322,9 +5512,19 @@ function createLocalStartServiceCommand(opts = {}) {
 * mix ECS and Lambda targets. HTTPS listeners are served — local TLS
 * termination uses a user-supplied or auto-generated self-signed cert/key
 * pair (the deployed `Listener.Certificates[]` ACM ARNs are not fetched,
-* because ACM private keys are not retrievable by design). Skipped with a
-* warning: TLS listeners (NLB-style, not ALB) and `authenticate-cognito` /
-* `authenticate-oidc` actions.
+* because ACM private keys are not retrievable by design).
+*
+* `authenticate-cognito` / `authenticate-oidc` actions ARE served — they are
+* lifted from the `Actions[]` array into an `authGuard` attached to the
+* terminal action they wrap. The front-door enforces a Bearer-JWT check
+* locally (signature + `iss` + `exp` + `aud`) using the existing JWKS-cached
+* verifier; missing / invalid token -> 401 with `WWW-Authenticate: Bearer`.
+* Out of scope: the full OAuth roundtrip (authorize-endpoint redirect +
+* callback). The local-dev parity is "I have a JWT, let me through" — the
+* `--bearer-token <jwt>` flag is the convenience escape hatch; the
+* `--no-verify-auth` flag disables the guard entirely.
+*
+* Skipped with a warning: TLS listeners (NLB-style, not ALB).
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
@@ -5356,7 +5556,7 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 			continue;
 		}
 		if (protocol === "HTTPS" && Array.isArray(props["Certificates"]) && props["Certificates"].length > 0) warnings.push(`Listener '${listenerLogicalId}' on port ${port} declares ACM Certificates which are not retrievable locally. The front-door terminates TLS with --tls-cert/--tls-key or an auto-generated self-signed cert.`);
-		const defaultAction = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
+		const defaultResolved = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
 		const rules = [];
 		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
 			const priority = parsePriority(ruleProps["Priority"]);
@@ -5365,8 +5565,8 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 			if (!parsed) continue;
 			const { pathPatterns, hostPatterns, httpHeaderConditions, httpRequestMethods, queryStringConditions, sourceIpCidrs } = parsed;
 			if (!(pathPatterns.length > 0 || hostPatterns.length > 0 || httpHeaderConditions.length > 0 || httpRequestMethods.length > 0 || queryStringConditions.length > 0 || sourceIpCidrs.length > 0)) continue;
-			const action = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
-			if (!action) continue;
+			const ruleResolved = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
+			if (!ruleResolved) continue;
 			rules.push({
 				priority,
 				pathPatterns,
@@ -5375,15 +5575,17 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 				httpRequestMethods,
 				queryStringConditions,
 				sourceIpCidrs,
-				action
+				action: ruleResolved.action,
+				...ruleResolved.authGuard ? { authGuard: ruleResolved.authGuard } : {}
 			});
 		}
-		if (!defaultAction && rules.length === 0) continue;
+		if (!defaultResolved && rules.length === 0) continue;
 		listeners.push({
 			listenerPort: port,
 			listenerProtocol: protocol,
 			listenerLogicalId,
-			...defaultAction ? { defaultAction } : {},
+			...defaultResolved ? { defaultAction: defaultResolved.action } : {},
+			...defaultResolved?.authGuard ? { defaultAuthGuard: defaultResolved.authGuard } : {},
 			rules
 		});
 	}
@@ -5399,15 +5601,16 @@ function isApplicationLoadBalancer(resource) {
 	return type === void 0 || type === "application";
 }
 /**
-* Resolve a listener / rule `Actions` (or `DefaultActions`) array to the single
-* action the local front-door serves, or `undefined` when it is not resolvable
-* (a warning is emitted for the cases worth surfacing). ALB allows exactly one
-* non-authenticate terminal action per action set, optionally preceded by
-* authenticate-* actions (which the local front-door does not enforce — they
-* are skipped with a warning and the terminal action is honored).
+* Resolve a listener / rule `Actions` (or `DefaultActions`) array. ALB allows
+* any number of `authenticate-cognito` / `authenticate-oidc` entries followed
+* by exactly one terminal action (`forward` / `redirect` / `fixed-response`).
+* The first parseable authenticate-* (last wins if multiple) becomes the
+* returned `authGuard`; the terminal action becomes `action`. Returns
+* `undefined` when no terminal action is resolvable.
 */
 function resolveAction(actions, resources, tgToService, stackName, label, warnings) {
 	if (!Array.isArray(actions)) return void 0;
+	let authGuard;
 	let sawAuthenticate = false;
 	for (const action of actions) {
 		if (!action || typeof action !== "object") continue;
@@ -5415,18 +5618,21 @@ function resolveAction(actions, resources, tgToService, stackName, label, warnin
 		const type = a["Type"];
 		if (type === "authenticate-cognito" || type === "authenticate-oidc") {
 			sawAuthenticate = true;
+			const parsed = parseAuthenticateAction(a, type, label, warnings);
+			if (parsed) authGuard = parsed;
 			continue;
 		}
-		if (type === "forward") return resolveForwardAction(a, resources, tgToService, stackName, label, warnings);
-		if (type === "redirect") {
-			const redirect = resolveRedirectAction(a, label, warnings);
-			if (redirect) return redirect;
-			continue;
-		}
-		if (type === "fixed-response") return resolveFixedResponseAction(a);
-		if (typeof type === "string") warnings.push(`${label} uses an unsupported action type '${type}'. The local ALB front-door supports forward / redirect / fixed-response actions only. Skipping it.`);
+		let terminal;
+		if (type === "forward") terminal = resolveForwardAction(a, resources, tgToService, stackName, label, warnings);
+		else if (type === "redirect") terminal = resolveRedirectAction(a, label, warnings);
+		else if (type === "fixed-response") terminal = resolveFixedResponseAction(a);
+		else if (typeof type === "string") warnings.push(`${label} uses an unsupported action type '${type}'. The local ALB front-door supports forward / redirect / fixed-response actions only. Skipping it.`);
+		if (terminal) return authGuard ? {
+			action: terminal,
+			authGuard
+		} : { action: terminal };
 	}
-	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action. The local ALB front-door does not enforce authenticate-cognito / authenticate-oidc; skipping it.`);
+	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action; skipping it.`);
 }
 /**
 * Resolve a `forward` action into one or more weighted targets. Each target
@@ -5832,6 +6038,75 @@ function parsePriority(raw) {
 	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
 	return Number.MAX_SAFE_INTEGER;
 }
+/** ALB's default session cookie name prefix (suffixed `-0` / `-1` / ... by ALB). */
+const DEFAULT_ALB_SESSION_COOKIE = "AWSELBAuthSessionCookie";
+/**
+* Cognito User Pool ARN shape:
+*   `arn:aws:cognito-idp:<region>:<account>:userpool/<pool-id>`
+* The pool id itself contains a `_`, but never a `/`, so anchoring on the
+* `userpool/` segment is robust.
+*/
+const COGNITO_USERPOOL_ARN = /^arn:[^:]+:cognito-idp:([^:]+):[^:]+:userpool\/([^/]+)$/;
+/**
+* Parse an `authenticate-cognito` / `authenticate-oidc` ALB action into a
+* resolvable {@link FrontDoorAuthGuard}, or `undefined` when the config is
+* unresolvable (a Ref / intrinsic in a required field, a malformed
+* UserPoolArn, etc.) — a warning is emitted in that case so the user knows
+* the guard was dropped (the terminal action will still serve unguarded).
+*/
+function parseAuthenticateAction(action, type, label, warnings) {
+	if (type === "authenticate-cognito") {
+		const cfg = action["AuthenticateCognitoConfig"];
+		if (!cfg || typeof cfg !== "object") {
+			warnings.push(`${label}: authenticate-cognito missing AuthenticateCognitoConfig; skipping guard.`);
+			return;
+		}
+		const c = cfg;
+		const userPoolArn = c["UserPoolArn"];
+		const userPoolClientId = c["UserPoolClientId"];
+		if (typeof userPoolArn !== "string" || typeof userPoolClientId !== "string") {
+			warnings.push(`${label}: authenticate-cognito UserPoolArn / UserPoolClientId must be literal strings (Ref / intrinsics cannot be resolved by the local front-door); skipping guard.`);
+			return;
+		}
+		const match = COGNITO_USERPOOL_ARN.exec(userPoolArn);
+		if (!match) {
+			warnings.push(`${label}: authenticate-cognito UserPoolArn '${userPoolArn}' is not in the expected arn:...:cognito-idp:<region>:<account>:userpool/<pool-id> shape; skipping guard.`);
+			return;
+		}
+		const region = match[1];
+		const userPoolId = match[2];
+		const sessionCookieName = typeof c["SessionCookieName"] === "string" && c["SessionCookieName"] !== "" ? c["SessionCookieName"] : DEFAULT_ALB_SESSION_COOKIE;
+		return {
+			kind: "authenticate-cognito",
+			issuer: `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`,
+			audience: userPoolClientId,
+			region,
+			userPoolId,
+			sessionCookieName,
+			label: `authenticate-cognito (UserPool=${userPoolId})`
+		};
+	}
+	const cfg = action["AuthenticateOidcConfig"];
+	if (!cfg || typeof cfg !== "object") {
+		warnings.push(`${label}: authenticate-oidc missing AuthenticateOidcConfig; skipping guard.`);
+		return;
+	}
+	const c = cfg;
+	const issuer = c["Issuer"];
+	const clientId = c["ClientId"];
+	if (typeof issuer !== "string" || typeof clientId !== "string") {
+		warnings.push(`${label}: authenticate-oidc Issuer / ClientId must be literal strings (Ref / intrinsics cannot be resolved by the local front-door); skipping guard.`);
+		return;
+	}
+	const sessionCookieName = typeof c["SessionCookieName"] === "string" && c["SessionCookieName"] !== "" ? c["SessionCookieName"] : DEFAULT_ALB_SESSION_COOKIE;
+	return {
+		kind: "authenticate-oidc",
+		issuer: issuer.replace(/\/+$/, ""),
+		audience: clientId,
+		sessionCookieName,
+		label: `authenticate-oidc (Issuer=${issuer})`
+	};
+}
 
 //#endregion
 //#region src/cli/commands/local-start-alb.ts
@@ -5973,6 +6248,7 @@ function albStrategy(options) {
 						hostPort,
 						protocol: listener.listenerProtocol,
 						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
+						...listener.defaultAuthGuard ? { defaultAuthGuard: listener.defaultAuthGuard } : {},
 						rules: listener.rules.map((r) => ({
 							priority: r.priority,
 							pathPatterns: r.pathPatterns,
@@ -5981,7 +6257,8 @@ function albStrategy(options) {
 							httpRequestMethods: r.httpRequestMethods,
 							queryStringConditions: r.queryStringConditions,
 							sourceIpCidrs: r.sourceIpCidrs,
-							action: qualify(r.action)
+							action: qualify(r.action),
+							...r.authGuard ? { authGuard: r.authGuard } : {}
 						}))
 					});
 				}
@@ -6010,7 +6287,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions enforce a local Bearer-JWT check (or AWSELBAuthSessionCookie pass-through) against the same JWKS / OIDC discovery URL the deployed ALB would; use --bearer-token <jwt> to inject a default token or --no-verify-auth to disable the guard. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).addOption(new Option("--no-verify-auth", "Disable local enforcement of authenticate-cognito / authenticate-oidc actions. Every request is served as if the auth check passed. Useful for local dev where you do not want to mint a Bearer token at all.")).addOption(new Option("--bearer-token <jwt>", "Default Bearer JWT injected as Authorization: Bearer <jwt> when the inbound request has none. Verified against the same JWKS / OIDC discovery URL the deployed ALB would (signature + iss + aud + exp). Local-dev convenience; cookie pass-through (AWSELBAuthSessionCookie-*) also works.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -6087,4 +6364,4 @@ function createLocalListCommand(opts = {}) {
 
 //#endregion
 export { createLocalRunTaskCommand as a, createLocalStartServiceCommand as i, formatTargetListing as n, createLocalInvokeAgentCoreCommand as o, createLocalStartAlbCommand as r, createLocalInvokeCommand as s, createLocalListCommand as t };
-//# sourceMappingURL=local-list-DmEjNav4.js.map
+//# sourceMappingURL=local-list-ChGfKSkV.js.map