npm - cdk-local - Versions diffs - 0.58.0 → 0.59.0 - Mend

cdk-local 0.58.0 → 0.59.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +2 -2
package/dist/cli.js +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/dist/{local-list-B-5gO8ht.js → local-list-ChGfKSkV.js} +274 -42
package/dist/local-list-ChGfKSkV.js.map +1 -0
package/package.json +1 -1
package/dist/local-list-B-5gO8ht.js.map +0 -1

package/README.md CHANGED Viewed

@@ -61,7 +61,7 @@ cdkl list                                      # every runnable target, grouped
 - **`start-api`** serves one HTTP server per API; a bare `start-api` in a multi-stack app needs `--all-stacks` or `--stack <name>`. Add **`--watch`** to re-synth and hot-reload on CDK source changes ([details](docs/local-emulation.md#hot-reload---watch)).
 - **`run-task`** / single-replica **`start-service`** publish declared container ports on the host and log `Reach it at 127.0.0.1:<port>` (`--host-port <container>=<host>` remaps; handy for privileged ports on macOS).
-- **`start-alb`** stands up the ECS service(s) behind an ALB plus a host-side front-door on each listener port, honoring all six listener-rule conditions, weighted forwards, redirect / fixed-response actions, and mixed ECS + Lambda targets ([details](docs/cli-reference.md#cdkl-start-alb-run-an-alb-fronted-service-locally)).
+- **`start-alb`** stands up the ECS service(s) behind an ALB plus a host-side front-door on each listener port, honoring all six listener-rule conditions, weighted forwards, redirect / fixed-response actions, mixed ECS + Lambda targets, and `authenticate-cognito` / `authenticate-oidc` actions (local Bearer-JWT enforcement) ([details](docs/cli-reference.md#cdkl-start-alb-run-an-alb-fronted-service-locally)).
 - **`invoke-agentcore`** invokes a Bedrock AgentCore Runtime agent locally — container or `fromCodeAsset` / `fromS3` managed runtime, HTTP / SSE / WebSocket / MCP protocols, with `customJwtAuthorizer` and `--sigv4` enforcement ([details](docs/cli-reference.md#cdkl-invoke-agentcore-run-bedrock-agentcore-runtime-agents-locally)).
 - Non-TTY (CI / pipes): every command except a bare `start-api` needs an explicit target.
@@ -80,7 +80,7 @@ Full flags, precedence, and `--from-cfn-stack` resolution: [docs/cli-reference.m
 | ECS task definitions | `run-task` |
 | ECS services | `start-service` |
 | Cloud Map / Service Connect registry | service discovery between local replicas |
-| ALB-fronted ECS / Lambda services | `start-alb` — HTTP / HTTPS listeners, all six listener-rule conditions, weighted forwards, redirect / fixed-response, mixed ECS + Lambda targets |
+| ALB-fronted ECS / Lambda services | `start-alb` — HTTP / HTTPS listeners, all six listener-rule conditions, weighted forwards, redirect / fixed-response, mixed ECS + Lambda targets, authenticate-cognito / authenticate-oidc (local Bearer-JWT enforcement) |
 | Bedrock AgentCore Runtime agents | `invoke-agentcore` — container + `fromCodeAsset` / `fromS3` artifacts, HTTP + MCP |
 Lambda runs on every current AWS Lambda runtime — Node.js (18/20/22/24), Python (3.11–3.14), Ruby (3.2/3.3), Java (8.al2/11/17/21), .NET (6/8), and the OS-only `provided.al2` / `provided.al2023`. The retired `go1.x` runtime is rejected with a pointer to migrate to `provided.al2023`.

package/dist/cli.js CHANGED Viewed

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import { a as createLocalStartApiCommand } from "./cloud-map-resolver-DjKCYyIq.js";
-import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-B-5gO8ht.js";
+import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-ChGfKSkV.js";
 import { Command } from "commander";
 //#region src/cli/index.ts
 const program = new Command();
-program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.58.0");
+program.name("cdkl").description("Run AWS CDK stacks locally with Docker.").version("0.59.0");
 program.addCommand(createLocalInvokeCommand());
 program.addCommand(createLocalInvokeAgentCoreCommand());
 program.addCommand(createLocalStartApiCommand());

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","names":[],"sources":["../src/cli/commands/local-invoke.ts","../src/cli/commands/local-invoke-agentcore.ts","../src/cli/commands/local-run-task.ts","../src/local/target-lister.ts","../src/cli/commands/local-start-service.ts","../src/cli/commands/local-start-alb.ts","../src/cli/commands/local-list.ts","../src/local/cfn-local-state-provider.ts"],"mappings":";;;;;UA6IiB,+BAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAi6BA,wBAAA,CAAyB,IAAA,GAAM,+BAAA,GAAuC,OAAA;;;UCz2BrE,wCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA6wCA,iCAAA,CACd,IAAA,GAAM,wCAAA,GACL,OAAA;;;UC/2Cc,gCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmhBA,yBAAA,CAA0B,IAAA,GAAM,gCAAA,GAAwC,OAAA;;;UCjnBvE,WAAA;EAEf,SAAA;EAEA,SAAA;EAKA,WAAA;EAMA,WAAA;EAOA,IAAA;AAAA;AAAA,UAOe,aAAA;EAEf,OAAA,EAAS,WAAA;EAMT,IAAA,EAAM,WAAA;EAEN,WAAA,EAAa,WAAA;EAEb,kBAAA,EAAoB,WAAA;EAEpB,iBAAA,EAAmB,WAAA;EAEnB,aAAA,EAAe,WAAA;AAAA;AAAA,iBAkID,WAAA,CAAY,MAAA,WAAiB,SAAA,KAAc,aAAA;AAAA,iBAsC3C,YAAA,CAAa,OAAA,EAAS,aAAA;;;UC3MrB,qCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmCA,8BAAA,CACd,IAAA,GAAM,qCAAA,GACL,OAAA;;;UChCc,iCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,~~iBA2QA~~,0BAAA,CAA2B,IAAA,GAAM,iCAAA,GAAyC,OAAA;;;~~UCvQzE~~,6BAAA;EAEf,WAAA,GAAc,mBAAA;AAAA;AAAA,UAuCC,0BAAA;EAOf,IAAA;AAAA;AAAA,iBAYc,mBAAA,CACd,OAAA,EAAS,aAAA,EACT,OAAA,UACA,OAAA,GAAS,0BAAA;AAAA,iBAuEK,sBAAA,CAAuB,IAAA,GAAM,6BAAA,GAAqC,OAAA;;;UC/FjE,4BAAA;EAOf,YAAA;EAKA,MAAA;EAiBA,OAAA;AAAA;AAAA,cAGW,qBAAA,YAAiC,kBAAA;EAAA,SAG5B,KAAA;EAAA,iBACC,YAAA;EAAA,iBACA,MAAA;EAAA,QAKT,MAAA;EAAA,QAKA,YAAA;EAAA,QAKA,SAAA;EAAA,iBACS,aAAA;EAAA,QAQT,QAAA;cAEI,IAAA,EAAM,4BAAA;EAAA,QAOV,SAAA;EAAA,QAmBA,eAAA;EAAA,QAaA,YAAA;EA6BK,4BAAA,CACX,QAAA,EAAU,sBAAA,GACT,OAAA,CAAQ,qBAAA;EAsBE,0BAAA,CACX,kBAAA,WACC,OAAA,CAAQ,MAAA;EAmCE,IAAA,CACX,UAAA,UACA,YAAA,uBACC,OAAA,CAAQ,gBAAA;EA2DE,uBAAA,CACX,eAAA,WACC,OAAA,CAAQ,kBAAA;EA8DJ,OAAA,CAAA;AAAA"}
1	+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/cli/commands/local-invoke.ts","../src/cli/commands/local-invoke-agentcore.ts","../src/cli/commands/local-run-task.ts","../src/local/target-lister.ts","../src/cli/commands/local-start-service.ts","../src/cli/commands/local-start-alb.ts","../src/cli/commands/local-list.ts","../src/local/cfn-local-state-provider.ts"],"mappings":";;;;;UA6IiB,+BAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAi6BA,wBAAA,CAAyB,IAAA,GAAM,+BAAA,GAAuC,OAAA;;;UCz2BrE,wCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA6wCA,iCAAA,CACd,IAAA,GAAM,wCAAA,GACL,OAAA;;;UC/2Cc,gCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmhBA,yBAAA,CAA0B,IAAA,GAAM,gCAAA,GAAwC,OAAA;;;UCjnBvE,WAAA;EAEf,SAAA;EAEA,SAAA;EAKA,WAAA;EAMA,WAAA;EAOA,IAAA;AAAA;AAAA,UAOe,aAAA;EAEf,OAAA,EAAS,WAAA;EAMT,IAAA,EAAM,WAAA;EAEN,WAAA,EAAa,WAAA;EAEb,kBAAA,EAAoB,WAAA;EAEpB,iBAAA,EAAmB,WAAA;EAEnB,aAAA,EAAe,WAAA;AAAA;AAAA,iBAkID,WAAA,CAAY,MAAA,WAAiB,SAAA,KAAc,aAAA;AAAA,iBAsC3C,YAAA,CAAa,OAAA,EAAS,aAAA;;;UC3MrB,qCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBAmCA,8BAAA,CACd,IAAA,GAAM,qCAAA,GACL,OAAA;;;UChCc,iCAAA;EACf,mBAAA,GAAsB,mBAAA;EAEtB,WAAA,GAAc,mBAAA;AAAA;AAAA,iBA6QA,0BAAA,CAA2B,IAAA,GAAM,iCAAA,GAAyC,OAAA;;;UCzQzE,6BAAA;EAEf,WAAA,GAAc,mBAAA;AAAA;AAAA,UAuCC,0BAAA;EAOf,IAAA;AAAA;AAAA,iBAYc,mBAAA,CACd,OAAA,EAAS,aAAA,EACT,OAAA,UACA,OAAA,GAAS,0BAAA;AAAA,iBAuEK,sBAAA,CAAuB,IAAA,GAAM,6BAAA,GAAqC,OAAA;;;UC/FjE,4BAAA;EAOf,YAAA;EAKA,MAAA;EAiBA,OAAA;AAAA;AAAA,cAGW,qBAAA,YAAiC,kBAAA;EAAA,SAG5B,KAAA;EAAA,iBACC,YAAA;EAAA,iBACA,MAAA;EAAA,QAKT,MAAA;EAAA,QAKA,YAAA;EAAA,QAKA,SAAA;EAAA,iBACS,aAAA;EAAA,QAQT,QAAA;cAEI,IAAA,EAAM,4BAAA;EAAA,QAOV,SAAA;EAAA,QAmBA,eAAA;EAAA,QAaA,YAAA;EA6BK,4BAAA,CACX,QAAA,EAAU,sBAAA,GACT,OAAA,CAAQ,qBAAA;EAsBE,0BAAA,CACX,kBAAA,WACC,OAAA,CAAQ,MAAA;EAmCE,IAAA,CACX,UAAA,UACA,YAAA,uBACC,OAAA,CAAQ,gBAAA;EA2DE,uBAAA,CACX,eAAA,WACC,OAAA,CAAQ,kBAAA;EA8DJ,OAAA,CAAA;AAAA"}

package/dist/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { c as getEmbedConfig, l as resetEmbedConfig, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
 import { En as listTargets, Tn as countTargets, _n as CfnLocalStateProvider, a as createLocalStartApiCommand, an as substituteAgainstStateAsync, dn as createLocalStateProvider, fn as isCfnFlagPresent, gn as resolveCfnStackName, hn as resolveCfnRegion, in as substituteAgainstState, mn as resolveCfnFallbackRegion, on as substituteEnvVarsFromState, pn as rejectExplicitCfnStackWithMultipleStacks, sn as substituteEnvVarsFromStateAsync, un as LocalStateSourceError, vn as collectSsmParameterRefs, yn as resolveSsmParameters } from "./cloud-map-resolver-DjKCYyIq.js";
-import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, n as formatTargetListing, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-B-5gO8ht.js";
+import { a as createLocalRunTaskCommand, i as createLocalStartServiceCommand, n as formatTargetListing, o as createLocalInvokeAgentCoreCommand, r as createLocalStartAlbCommand, s as createLocalInvokeCommand, t as createLocalListCommand } from "./local-list-ChGfKSkV.js";
 export { CfnLocalStateProvider, LocalStateSourceError, collectSsmParameterRefs, countTargets, createLocalInvokeAgentCoreCommand, createLocalInvokeCommand, createLocalListCommand, createLocalRunTaskCommand, createLocalStartAlbCommand, createLocalStartApiCommand, createLocalStartServiceCommand, createLocalStateProvider, formatTargetListing, getEmbedConfig, isCfnFlagPresent, listTargets, rejectExplicitCfnStackWithMultipleStacks, resetEmbedConfig, resolveCfnFallbackRegion, resolveCfnRegion, resolveCfnStackName, resolveSsmParameters, setEmbedConfig, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync };

package/dist/{local-list-B-5gO8ht.js → local-list-ChGfKSkV.js} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { a as runDockerStreaming, c as getEmbedConfig, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
-import { $n as applyRoleArnIfSet, $t as derivePartitionAndUrlSuffix, At as waitForRieReady, Bn as resolveAgentCoreTarget, Bt as execEnvForSecrets, Cn as resolveMultiTarget, Dt as AssetManifestLoader, En as listTargets, Et as singleFlight, Ft as buildDockerImage, Gn as matchStacks, Gt as streamLogs, Hn as derivePseudoParametersFromRegion, Ht as pullImage, In as AGENTCORE_MCP_PROTOCOL, It as DockerRunnerError, Jn as resolveCdkPathToLogicalIds, Jt as resolveRuntimeImage, Kn as buildCdkPathIndex, Kt as resolveRuntimeCodeMountPath, Lt as SENSITIVE_ENV_KEYS, Mt as buildContainerImage, Nn as AGENTCORE_A2A_PROTOCOL, Nt as parseEcrUri, Ot as getDockerImageBySourceHash, Pn as AGENTCORE_AGUI_PROTOCOL, Pt as pullEcrImage, Q as verifyJwtViaDiscovery, Qn as withErrorHandling, Qt as checkVolumeHostPath, Rt as appendEnvFlags, Sn as Synthesizer, Tn as countTargets, Tt as writeProfileCredentialsFile, Ut as removeContainer, Vn as resolveLambdaTarget, Vt as pickFreePort, Wt as runDetached, Xn as LocalInvokeBuildError, Xt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Y as createJwksCache, Yn as CdkLocalError, Yt as EcsTaskResolutionError, Zn as LocalStartServiceError, Zt as applyCrossStackResolverToTask, _t as invokeAgentCore, an as substituteAgainstStateAsync, ar as warnIfDeprecatedRegion, at as invokeAgentCoreWs, bn as resolveApp, c as resolveProfileCredentials$1, cn as resolveEnvVars, ct as a2aInvokeOnce, dn as createLocalStateProvider, en as detectEcsImageResolutionNeeds, er as appOptions, ft as mcpInvokeOnce, ht as signAgentCoreInvocation, i as getPublishedHostPort, ir as parseContextOptions, jt as architectureToPlatform, kt as invokeRie, ln as materializeLayerFromArn, lt as MCP_CONTAINER_PORT, mn as resolveCfnFallbackRegion, n as CloudMapRegistry, nn as resolveEcsTaskTarget, nr as contextOptions, ot as A2A_CONTAINER_PORT, pn as rejectExplicitCfnStackWithMultipleStacks, qn as readCdkPathOrUndefined, qt as resolveRuntimeFileExtension, r as getContainerNetworkIp, rn as applyDeployedEnvFallback, rr as deprecatedRegionOption, sn as substituteEnvVarsFromStateAsync, st as A2A_PATH, t as buildCloudMapIndex, tn as parseEcsTarget, tr as commonOptions, ut as MCP_PATH, vt as waitForAgentCorePing, wn as resolveSingleTarget, xt as buildAgentCoreCodeImage, yt as downloadAndExtractS3Bundle, zn as pickAgentCoreCandidateStack, zt as ensureDockerAvailable } from "./cloud-map-resolver-DjKCYyIq.js";
+import { $n as applyRoleArnIfSet, $t as derivePartitionAndUrlSuffix, At as waitForRieReady, Bn as resolveAgentCoreTarget, Bt as execEnvForSecrets, Cn as resolveMultiTarget, Dt as AssetManifestLoader, En as listTargets, Et as singleFlight, Ft as buildDockerImage, Gn as matchStacks, Gt as streamLogs, Hn as derivePseudoParametersFromRegion, Ht as pullImage, In as AGENTCORE_MCP_PROTOCOL, It as DockerRunnerError, Jn as resolveCdkPathToLogicalIds, Jt as resolveRuntimeImage, Kn as buildCdkPathIndex, Kt as resolveRuntimeCodeMountPath, Lt as SENSITIVE_ENV_KEYS, Mt as buildContainerImage, Nn as AGENTCORE_A2A_PROTOCOL, Nt as parseEcrUri, Ot as getDockerImageBySourceHash, Pn as AGENTCORE_AGUI_PROTOCOL, Pt as pullEcrImage, Q as verifyJwtViaDiscovery, Qn as withErrorHandling, Qt as checkVolumeHostPath, Rt as appendEnvFlags, Sn as Synthesizer, Tn as countTargets, Tt as writeProfileCredentialsFile, Ut as removeContainer, Vn as resolveLambdaTarget, Vt as pickFreePort, Wt as runDetached, Xn as LocalInvokeBuildError, Xt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Y as createJwksCache, Yn as CdkLocalError, Yt as EcsTaskResolutionError, Z as verifyJwtAuthorizer, Zn as LocalStartServiceError, Zt as applyCrossStackResolverToTask, _t as invokeAgentCore, an as substituteAgainstStateAsync, ar as warnIfDeprecatedRegion, at as invokeAgentCoreWs, bn as resolveApp, c as resolveProfileCredentials$1, cn as resolveEnvVars, ct as a2aInvokeOnce, dn as createLocalStateProvider, en as detectEcsImageResolutionNeeds, er as appOptions, ft as mcpInvokeOnce, ht as signAgentCoreInvocation, i as getPublishedHostPort, ir as parseContextOptions, jt as architectureToPlatform, kt as invokeRie, ln as materializeLayerFromArn, lt as MCP_CONTAINER_PORT, mn as resolveCfnFallbackRegion, n as CloudMapRegistry, nn as resolveEcsTaskTarget, nr as contextOptions, ot as A2A_CONTAINER_PORT, pn as rejectExplicitCfnStackWithMultipleStacks, qn as readCdkPathOrUndefined, qt as resolveRuntimeFileExtension, r as getContainerNetworkIp, rn as applyDeployedEnvFallback, rr as deprecatedRegionOption, sn as substituteEnvVarsFromStateAsync, st as A2A_PATH, t as buildCloudMapIndex, tn as parseEcsTarget, tr as commonOptions, ut as MCP_PATH, vt as waitForAgentCorePing, wn as resolveSingleTarget, xt as buildAgentCoreCodeImage, yt as downloadAndExtractS3Bundle, zn as pickAgentCoreCandidateStack, zt as ensureDockerAvailable } from "./cloud-map-resolver-DjKCYyIq.js";
 import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, unlinkSync, writeFileSync } from "node:fs";
 import { homedir, tmpdir } from "node:os";
 import * as path from "node:path";
@@ -3843,25 +3843,67 @@ function handleProxyRequest(req, res, opts) {
 			...req.socket.remoteAddress !== void 0 && { sourceIp: req.socket.remoteAddress }
 		});
 		if (!action) return reply404(req, res, opts);
-		if (action.kind === "redirect" || action.kind === "fixed-response") {
-			req.resume();
-			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
-			else writeFixedResponse(res, action);
-			return Promise.resolve();
-		}
-		const picked = pickWeightedTarget(action.pools);
-		if (!picked) {
-			writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
-			return Promise.resolve();
+		if (action.auth) {
+			const auth = action.auth;
+			return auth.check(req.headers).then((result) => {
+				if (!result.allow) {
+					req.resume();
+					writeUnauthorized(res, auth.realm, result.reason);
+					return;
+				}
+				return serveAction(req, res, action, opts);
+			}).catch((err) => {
+				getLogger().child("front-door").debug(`auth gate error: ${err instanceof Error ? err.message : String(err)}`);
+				req.resume();
+				writeUnauthorized(res, auth.realm, "auth check failed");
+			});
 		}
-		if ("lambda" in picked) return handleLambdaRequest(req, res, picked.lambda, opts);
-		return handlePoolRequest(req, res, picked.pool, opts);
+		return serveAction(req, res, action, opts);
 	}
 	const target = resolveDispatchTarget(opts, url);
 	if (!target) return reply404(req, res, opts);
 	if (target.kind === "lambda") return handleLambdaRequest(req, res, target.lambda, opts);
 	return handlePoolRequest(req, res, target.pool, opts);
 }
+/**
+* Dispatch a resolved {@link RouteAction} — the path the route resolver
+* returned (after any auth gate). Splits forward (ECS pool or Lambda invoker)
+* from redirect / fixed-response, mirroring what the inline logic used to do.
+*/
+function serveAction(req, res, action, opts) {
+	if (action.kind === "redirect" || action.kind === "fixed-response") {
+		req.resume();
+		if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
+		else writeFixedResponse(res, action);
+		return Promise.resolve();
+	}
+	const picked = pickWeightedTarget(action.pools);
+	if (!picked) {
+		writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
+		return Promise.resolve();
+	}
+	if ("lambda" in picked) return handleLambdaRequest(req, res, picked.lambda, opts);
+	return handlePoolRequest(req, res, picked.pool, opts);
+}
+/**
+* Write a 401 with `WWW-Authenticate: Bearer realm="..."`. ALB itself would
+* redirect to the IdP's authorize endpoint; for local dev parity we deny
+* loudly so the user notices and either supplies `--bearer-token` / passes a
+* fresh Authorization header / disables the guard with `--no-verify-auth`.
+*/
+function writeUnauthorized(res, realm, reason) {
+	const body = reason && reason !== "" ? reason : "Unauthorized";
+	res.writeHead(401, {
+		"content-type": "text/plain; charset=utf-8",
+		"content-length": String(Buffer.byteLength(`${body}\n`)),
+		"www-authenticate": `Bearer realm="${escapeRealmQuotes(realm)}"`
+	});
+	res.end(`${body}\n`);
+}
+/** Escape `"` in the realm so the `WWW-Authenticate` header parses cleanly. */
+function escapeRealmQuotes(realm) {
+	return realm.replace(/"/g, "\\\"");
+}
 /** Reply 404 — an ALB listener with no matching rule and no default action. */
 function reply404(req, res, opts) {
 	writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
@@ -4730,6 +4772,98 @@ function createFrontDoorLambdaRunner(lambda, opts) {
 	};
 }
+//#endregion
+//#region src/local/front-door-auth.ts
+/**
+* Build the front-door's auth-check callback for an
+* `authenticate-cognito` / `authenticate-oidc` guard.
+*
+* Local-dev parity model: the cloud-side ALB authenticates the user via a
+* full OAuth roundtrip (redirect to the IdP's authorize endpoint, callback,
+* AWSELBAuthSessionCookie issuance). The local front-door does NOT reproduce
+* the roundtrip — it accepts EITHER a Bearer JWT (verified against the
+* Cognito JWKS / OIDC discovery URL just like API Gateway's JWT authorizer)
+* OR an `AWSELBAuthSessionCookie-*` cookie pass-through (the user is acting
+* as if already signed in via the deployed ALB — `--bearer-token` makes the
+* Bearer-JWT path the headline path; the cookie pass-through is convenience
+* for hitting the local front-door from a browser session that already
+* authenticated through the deployed ALB).
+*
+* `--no-verify-auth` (the `noVerifyAuth` flag) short-circuits everything to
+* `allow: true` — explicitly off-switching the guard for local dev where
+* you do not want to mint a Bearer token at all.
+*
+* `--bearer-token <jwt>` (the `bearerToken` arg) makes the supplied token
+* the default `Authorization` value when the inbound request has none.
+*/
+function buildAuthCheck(guard, jwksCache, opts = {}) {
+	const realm = guard.label;
+	if (opts.noVerifyAuth === true) return {
+		realm,
+		check: async () => ({ allow: true })
+	};
+	const warned = opts.warned ?? /* @__PURE__ */ new Set();
+	const sessionCookiePrefix = guard.sessionCookieName;
+	const injectedBearer = opts.bearerToken;
+	return {
+		realm,
+		check: async (headers) => {
+			const cookieHeader = headerValue(headers["cookie"]);
+			if (cookieHeader && cookieHasSessionPrefix(cookieHeader, sessionCookiePrefix)) return { allow: true };
+			let authorization = headerValue(headers["authorization"]);
+			if ((!authorization || authorization === "") && injectedBearer !== void 0) authorization = `Bearer ${injectedBearer}`;
+			if (!authorization || authorization === "") return {
+				allow: false,
+				reason: "No Bearer token presented. Supply Authorization: Bearer <jwt> or pass --bearer-token <jwt>."
+			};
+			if (!authorization.toLowerCase().startsWith("bearer ")) return {
+				allow: false,
+				reason: "Authorization scheme is not Bearer; the ALB authenticate-* guard only accepts Bearer JWTs."
+			};
+			try {
+				if ((await verifyJwtAuthorizer({
+					kind: "jwt",
+					logicalId: guard.label,
+					declaredAt: "start-alb authenticate-* action",
+					issuer: guard.issuer,
+					audience: [guard.audience],
+					...guard.region !== void 0 && { region: guard.region },
+					...guard.userPoolId !== void 0 && { userPoolId: guard.userPoolId }
+				}, authorization, jwksCache, { warned })).allow) return { allow: true };
+				return {
+					allow: false,
+					reason: "Bearer token rejected (signature / iss / aud / exp check failed)."
+				};
+			} catch (err) {
+				getLogger().child("front-door-auth").debug(`auth check threw: ${err instanceof Error ? err.message : String(err)}`);
+				return {
+					allow: false,
+					reason: "Auth check failed."
+				};
+			}
+		}
+	};
+}
+function headerValue(raw) {
+	if (raw === void 0) return void 0;
+	if (Array.isArray(raw)) return raw[0];
+	return raw;
+}
+/**
+* True iff the `Cookie` header contains a cookie whose name starts with
+* `<sessionCookiePrefix>` (ALB suffixes the cookie with `-0` / `-1` / ...
+* when the auth session payload exceeds the per-cookie size limit, so we
+* match the prefix, not an exact name).
+*/
+function cookieHasSessionPrefix(cookieHeader, sessionCookiePrefix) {
+	for (const pair of cookieHeader.split(";")) {
+		const eq = pair.indexOf("=");
+		const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
+		if (name === sessionCookiePrefix || name.startsWith(`${sessionCookiePrefix}-`)) return true;
+	}
+	return false;
+}
 //#endregion
 //#region src/cli/commands/ecs-service-emulator.ts
 /**
@@ -5038,9 +5172,20 @@ async function buildFrontDoor(plan, options, logger) {
 		certPath: options.tlsCert,
 		keyPath: options.tlsKey
 	}) : void 0;
+	const jwksCache = createJwksCache();
+	const sharedWarned = /* @__PURE__ */ new Set();
+	const authForGuard = (guard) => buildAuthCheck(guard, jwksCache, {
+		...options.verifyAuth === false && { noVerifyAuth: true },
+		...options.bearerToken !== void 0 && { bearerToken: options.bearerToken },
+		warned: sharedWarned
+	});
+	const attachAuth = (action, guard) => guard ? {
+		...action,
+		auth: authForGuard(guard)
+	} : action;
 	try {
 		for (const listener of plan.listeners) {
-			const defaultRoute = listener.defaultAction ? toRouteAction(listener.defaultAction) : void 0;
+			const defaultRoute = listener.defaultAction ? attachAuth(toRouteAction(listener.defaultAction), listener.defaultAuthGuard) : void 0;
 			const ruleRoutes = listener.rules.map((r) => ({
 				priority: r.priority,
 				pathPatterns: r.pathPatterns,
@@ -5049,7 +5194,7 @@ async function buildFrontDoor(plan, options, logger) {
 				httpRequestMethods: r.httpRequestMethods,
 				queryStringConditions: r.queryStringConditions,
 				sourceIpCidrs: r.sourceIpCidrs,
-				target: toRouteAction(r.action)
+				target: attachAuth(toRouteAction(r.action), r.authGuard)
 			}));
 			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
 			const tls = listener.protocol === "HTTPS" ? tlsMaterials : void 0;
@@ -5367,9 +5512,19 @@ function createLocalStartServiceCommand(opts = {}) {
 * mix ECS and Lambda targets. HTTPS listeners are served — local TLS
 * termination uses a user-supplied or auto-generated self-signed cert/key
 * pair (the deployed `Listener.Certificates[]` ACM ARNs are not fetched,
-* because ACM private keys are not retrievable by design). Skipped with a
-* warning: TLS listeners (NLB-style, not ALB) and `authenticate-cognito` /
-* `authenticate-oidc` actions.
+* because ACM private keys are not retrievable by design).
+*
+* `authenticate-cognito` / `authenticate-oidc` actions ARE served — they are
+* lifted from the `Actions[]` array into an `authGuard` attached to the
+* terminal action they wrap. The front-door enforces a Bearer-JWT check
+* locally (signature + `iss` + `exp` + `aud`) using the existing JWKS-cached
+* verifier; missing / invalid token -> 401 with `WWW-Authenticate: Bearer`.
+* Out of scope: the full OAuth roundtrip (authorize-endpoint redirect +
+* callback). The local-dev parity is "I have a JWT, let me through" — the
+* `--bearer-token <jwt>` flag is the convenience escape hatch; the
+* `--no-verify-auth` flag disables the guard entirely.
+*
+* Skipped with a warning: TLS listeners (NLB-style, not ALB).
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
@@ -5401,7 +5556,7 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 			continue;
 		}
 		if (protocol === "HTTPS" && Array.isArray(props["Certificates"]) && props["Certificates"].length > 0) warnings.push(`Listener '${listenerLogicalId}' on port ${port} declares ACM Certificates which are not retrievable locally. The front-door terminates TLS with --tls-cert/--tls-key or an auto-generated self-signed cert.`);
-		const defaultAction = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
+		const defaultResolved = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
 		const rules = [];
 		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
 			const priority = parsePriority(ruleProps["Priority"]);
@@ -5410,8 +5565,8 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 			if (!parsed) continue;
 			const { pathPatterns, hostPatterns, httpHeaderConditions, httpRequestMethods, queryStringConditions, sourceIpCidrs } = parsed;
 			if (!(pathPatterns.length > 0 || hostPatterns.length > 0 || httpHeaderConditions.length > 0 || httpRequestMethods.length > 0 || queryStringConditions.length > 0 || sourceIpCidrs.length > 0)) continue;
-			const action = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
-			if (!action) continue;
+			const ruleResolved = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
+			if (!ruleResolved) continue;
 			rules.push({
 				priority,
 				pathPatterns,
@@ -5420,15 +5575,17 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 				httpRequestMethods,
 				queryStringConditions,
 				sourceIpCidrs,
-				action
+				action: ruleResolved.action,
+				...ruleResolved.authGuard ? { authGuard: ruleResolved.authGuard } : {}
 			});
 		}
-		if (!defaultAction && rules.length === 0) continue;
+		if (!defaultResolved && rules.length === 0) continue;
 		listeners.push({
 			listenerPort: port,
 			listenerProtocol: protocol,
 			listenerLogicalId,
-			...defaultAction ? { defaultAction } : {},
+			...defaultResolved ? { defaultAction: defaultResolved.action } : {},
+			...defaultResolved?.authGuard ? { defaultAuthGuard: defaultResolved.authGuard } : {},
 			rules
 		});
 	}
@@ -5444,15 +5601,16 @@ function isApplicationLoadBalancer(resource) {
 	return type === void 0 || type === "application";
 }
 /**
-* Resolve a listener / rule `Actions` (or `DefaultActions`) array to the single
-* action the local front-door serves, or `undefined` when it is not resolvable
-* (a warning is emitted for the cases worth surfacing). ALB allows exactly one
-* non-authenticate terminal action per action set, optionally preceded by
-* authenticate-* actions (which the local front-door does not enforce — they
-* are skipped with a warning and the terminal action is honored).
+* Resolve a listener / rule `Actions` (or `DefaultActions`) array. ALB allows
+* any number of `authenticate-cognito` / `authenticate-oidc` entries followed
+* by exactly one terminal action (`forward` / `redirect` / `fixed-response`).
+* The first parseable authenticate-* (last wins if multiple) becomes the
+* returned `authGuard`; the terminal action becomes `action`. Returns
+* `undefined` when no terminal action is resolvable.
 */
 function resolveAction(actions, resources, tgToService, stackName, label, warnings) {
 	if (!Array.isArray(actions)) return void 0;
+	let authGuard;
 	let sawAuthenticate = false;
 	for (const action of actions) {
 		if (!action || typeof action !== "object") continue;
@@ -5460,18 +5618,21 @@ function resolveAction(actions, resources, tgToService, stackName, label, warnin
 		const type = a["Type"];
 		if (type === "authenticate-cognito" || type === "authenticate-oidc") {
 			sawAuthenticate = true;
+			const parsed = parseAuthenticateAction(a, type, label, warnings);
+			if (parsed) authGuard = parsed;
 			continue;
 		}
-		if (type === "forward") return resolveForwardAction(a, resources, tgToService, stackName, label, warnings);
-		if (type === "redirect") {
-			const redirect = resolveRedirectAction(a, label, warnings);
-			if (redirect) return redirect;
-			continue;
-		}
-		if (type === "fixed-response") return resolveFixedResponseAction(a);
-		if (typeof type === "string") warnings.push(`${label} uses an unsupported action type '${type}'. The local ALB front-door supports forward / redirect / fixed-response actions only. Skipping it.`);
+		let terminal;
+		if (type === "forward") terminal = resolveForwardAction(a, resources, tgToService, stackName, label, warnings);
+		else if (type === "redirect") terminal = resolveRedirectAction(a, label, warnings);
+		else if (type === "fixed-response") terminal = resolveFixedResponseAction(a);
+		else if (typeof type === "string") warnings.push(`${label} uses an unsupported action type '${type}'. The local ALB front-door supports forward / redirect / fixed-response actions only. Skipping it.`);
+		if (terminal) return authGuard ? {
+			action: terminal,
+			authGuard
+		} : { action: terminal };
 	}
-	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action. The local ALB front-door does not enforce authenticate-cognito / authenticate-oidc; skipping it.`);
+	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action; skipping it.`);
 }
 /**
 * Resolve a `forward` action into one or more weighted targets. Each target
@@ -5877,6 +6038,75 @@ function parsePriority(raw) {
 	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
 	return Number.MAX_SAFE_INTEGER;
 }
+/** ALB's default session cookie name prefix (suffixed `-0` / `-1` / ... by ALB). */
+const DEFAULT_ALB_SESSION_COOKIE = "AWSELBAuthSessionCookie";
+/**
+* Cognito User Pool ARN shape:
+*   `arn:aws:cognito-idp:<region>:<account>:userpool/<pool-id>`
+* The pool id itself contains a `_`, but never a `/`, so anchoring on the
+* `userpool/` segment is robust.
+*/
+const COGNITO_USERPOOL_ARN = /^arn:[^:]+:cognito-idp:([^:]+):[^:]+:userpool\/([^/]+)$/;
+/**
+* Parse an `authenticate-cognito` / `authenticate-oidc` ALB action into a
+* resolvable {@link FrontDoorAuthGuard}, or `undefined` when the config is
+* unresolvable (a Ref / intrinsic in a required field, a malformed
+* UserPoolArn, etc.) — a warning is emitted in that case so the user knows
+* the guard was dropped (the terminal action will still serve unguarded).
+*/
+function parseAuthenticateAction(action, type, label, warnings) {
+	if (type === "authenticate-cognito") {
+		const cfg = action["AuthenticateCognitoConfig"];
+		if (!cfg || typeof cfg !== "object") {
+			warnings.push(`${label}: authenticate-cognito missing AuthenticateCognitoConfig; skipping guard.`);
+			return;
+		}
+		const c = cfg;
+		const userPoolArn = c["UserPoolArn"];
+		const userPoolClientId = c["UserPoolClientId"];
+		if (typeof userPoolArn !== "string" || typeof userPoolClientId !== "string") {
+			warnings.push(`${label}: authenticate-cognito UserPoolArn / UserPoolClientId must be literal strings (Ref / intrinsics cannot be resolved by the local front-door); skipping guard.`);
+			return;
+		}
+		const match = COGNITO_USERPOOL_ARN.exec(userPoolArn);
+		if (!match) {
+			warnings.push(`${label}: authenticate-cognito UserPoolArn '${userPoolArn}' is not in the expected arn:...:cognito-idp:<region>:<account>:userpool/<pool-id> shape; skipping guard.`);
+			return;
+		}
+		const region = match[1];
+		const userPoolId = match[2];
+		const sessionCookieName = typeof c["SessionCookieName"] === "string" && c["SessionCookieName"] !== "" ? c["SessionCookieName"] : DEFAULT_ALB_SESSION_COOKIE;
+		return {
+			kind: "authenticate-cognito",
+			issuer: `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`,
+			audience: userPoolClientId,
+			region,
+			userPoolId,
+			sessionCookieName,
+			label: `authenticate-cognito (UserPool=${userPoolId})`
+		};
+	}
+	const cfg = action["AuthenticateOidcConfig"];
+	if (!cfg || typeof cfg !== "object") {
+		warnings.push(`${label}: authenticate-oidc missing AuthenticateOidcConfig; skipping guard.`);
+		return;
+	}
+	const c = cfg;
+	const issuer = c["Issuer"];
+	const clientId = c["ClientId"];
+	if (typeof issuer !== "string" || typeof clientId !== "string") {
+		warnings.push(`${label}: authenticate-oidc Issuer / ClientId must be literal strings (Ref / intrinsics cannot be resolved by the local front-door); skipping guard.`);
+		return;
+	}
+	const sessionCookieName = typeof c["SessionCookieName"] === "string" && c["SessionCookieName"] !== "" ? c["SessionCookieName"] : DEFAULT_ALB_SESSION_COOKIE;
+	return {
+		kind: "authenticate-oidc",
+		issuer: issuer.replace(/\/+$/, ""),
+		audience: clientId,
+		sessionCookieName,
+		label: `authenticate-oidc (Issuer=${issuer})`
+	};
+}
 //#endregion
 //#region src/cli/commands/local-start-alb.ts
@@ -6018,6 +6248,7 @@ function albStrategy(options) {
 						hostPort,
 						protocol: listener.listenerProtocol,
 						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
+						...listener.defaultAuthGuard ? { defaultAuthGuard: listener.defaultAuthGuard } : {},
 						rules: listener.rules.map((r) => ({
 							priority: r.priority,
 							pathPatterns: r.pathPatterns,
@@ -6026,7 +6257,8 @@ function albStrategy(options) {
 							httpRequestMethods: r.httpRequestMethods,
 							queryStringConditions: r.queryStringConditions,
 							sourceIpCidrs: r.sourceIpCidrs,
-							action: qualify(r.action)
+							action: qualify(r.action),
+							...r.authGuard ? { authGuard: r.authGuard } : {}
 						}))
 					});
 				}
@@ -6055,7 +6287,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions enforce a local Bearer-JWT check (or AWSELBAuthSessionCookie pass-through) against the same JWKS / OIDC discovery URL the deployed ALB would; use --bearer-token <jwt> to inject a default token or --no-verify-auth to disable the guard. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).addOption(new Option("--no-verify-auth", "Disable local enforcement of authenticate-cognito / authenticate-oidc actions. Every request is served as if the auth check passed. Useful for local dev where you do not want to mint a Bearer token at all.")).addOption(new Option("--bearer-token <jwt>", "Default Bearer JWT injected as Authorization: Bearer <jwt> when the inbound request has none. Verified against the same JWKS / OIDC discovery URL the deployed ALB would (signature + iss + aud + exp). Local-dev convenience; cookie pass-through (AWSELBAuthSessionCookie-*) also works.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -6132,4 +6364,4 @@ function createLocalListCommand(opts = {}) {
 //#endregion
 export { createLocalRunTaskCommand as a, createLocalStartServiceCommand as i, formatTargetListing as n, createLocalInvokeAgentCoreCommand as o, createLocalStartAlbCommand as r, createLocalInvokeCommand as s, createLocalListCommand as t };
-//# sourceMappingURL=local-list-B-5gO8ht.js.map
+//# sourceMappingURL=local-list-ChGfKSkV.js.map