npm - cdk-local - Versions diffs - 0.58.0 → 0.60.0 - Mend

cdk-local 0.58.0 → 0.60.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md +2 -2
package/dist/cli.js +2 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/dist/{local-list-B-5gO8ht.js → local-list-CZEZ5-JP.js} +505 -46
package/dist/local-list-CZEZ5-JP.js.map +1 -0
package/package.json +1 -1
package/dist/local-list-B-5gO8ht.js.map +0 -1

package/dist/{local-list-B-5gO8ht.js → local-list-CZEZ5-JP.js} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { a as runDockerStreaming, c as getEmbedConfig, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
-import { $n as applyRoleArnIfSet, $t as derivePartitionAndUrlSuffix, At as waitForRieReady, Bn as resolveAgentCoreTarget, Bt as execEnvForSecrets, Cn as resolveMultiTarget, Dt as AssetManifestLoader, En as listTargets, Et as singleFlight, Ft as buildDockerImage, Gn as matchStacks, Gt as streamLogs, Hn as derivePseudoParametersFromRegion, Ht as pullImage, In as AGENTCORE_MCP_PROTOCOL, It as DockerRunnerError, Jn as resolveCdkPathToLogicalIds, Jt as resolveRuntimeImage, Kn as buildCdkPathIndex, Kt as resolveRuntimeCodeMountPath, Lt as SENSITIVE_ENV_KEYS, Mt as buildContainerImage, Nn as AGENTCORE_A2A_PROTOCOL, Nt as parseEcrUri, Ot as getDockerImageBySourceHash, Pn as AGENTCORE_AGUI_PROTOCOL, Pt as pullEcrImage, Q as verifyJwtViaDiscovery, Qn as withErrorHandling, Qt as checkVolumeHostPath, Rt as appendEnvFlags, Sn as Synthesizer, Tn as countTargets, Tt as writeProfileCredentialsFile, Ut as removeContainer, Vn as resolveLambdaTarget, Vt as pickFreePort, Wt as runDetached, Xn as LocalInvokeBuildError, Xt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Y as createJwksCache, Yn as CdkLocalError, Yt as EcsTaskResolutionError, Zn as LocalStartServiceError, Zt as applyCrossStackResolverToTask, _t as invokeAgentCore, an as substituteAgainstStateAsync, ar as warnIfDeprecatedRegion, at as invokeAgentCoreWs, bn as resolveApp, c as resolveProfileCredentials$1, cn as resolveEnvVars, ct as a2aInvokeOnce, dn as createLocalStateProvider, en as detectEcsImageResolutionNeeds, er as appOptions, ft as mcpInvokeOnce, ht as signAgentCoreInvocation, i as getPublishedHostPort, ir as parseContextOptions, jt as architectureToPlatform, kt as invokeRie, ln as materializeLayerFromArn, lt as MCP_CONTAINER_PORT, mn as resolveCfnFallbackRegion, n as CloudMapRegistry, nn as resolveEcsTaskTarget, nr as contextOptions, ot as A2A_CONTAINER_PORT, pn as rejectExplicitCfnStackWithMultipleStacks, qn as readCdkPathOrUndefined, qt as resolveRuntimeFileExtension, r as getContainerNetworkIp, rn as applyDeployedEnvFallback, rr as deprecatedRegionOption, sn as substituteEnvVarsFromStateAsync, st as A2A_PATH, t as buildCloudMapIndex, tn as parseEcsTarget, tr as commonOptions, ut as MCP_PATH, vt as waitForAgentCorePing, wn as resolveSingleTarget, xt as buildAgentCoreCodeImage, yt as downloadAndExtractS3Bundle, zn as pickAgentCoreCandidateStack, zt as ensureDockerAvailable } from "./cloud-map-resolver-DjKCYyIq.js";
+import { $n as applyRoleArnIfSet, $t as derivePartitionAndUrlSuffix, At as waitForRieReady, Bn as resolveAgentCoreTarget, Bt as execEnvForSecrets, Cn as resolveMultiTarget, Dt as AssetManifestLoader, En as listTargets, Et as singleFlight, Ft as buildDockerImage, Gn as matchStacks, Gt as streamLogs, Hn as derivePseudoParametersFromRegion, Ht as pullImage, In as AGENTCORE_MCP_PROTOCOL, It as DockerRunnerError, Jn as resolveCdkPathToLogicalIds, Jt as resolveRuntimeImage, Kn as buildCdkPathIndex, Kt as resolveRuntimeCodeMountPath, Lt as SENSITIVE_ENV_KEYS, Mt as buildContainerImage, Nn as AGENTCORE_A2A_PROTOCOL, Nt as parseEcrUri, Ot as getDockerImageBySourceHash, Pn as AGENTCORE_AGUI_PROTOCOL, Pt as pullEcrImage, Q as verifyJwtViaDiscovery, Qn as withErrorHandling, Qt as checkVolumeHostPath, Rt as appendEnvFlags, Sn as Synthesizer, Tn as countTargets, Tt as writeProfileCredentialsFile, Ut as removeContainer, Vn as resolveLambdaTarget, Vt as pickFreePort, Wt as runDetached, Xn as LocalInvokeBuildError, Xt as TASK_ROLE_ACCOUNT_PLACEHOLDER, Y as createJwksCache, Yn as CdkLocalError, Yt as EcsTaskResolutionError, Z as verifyJwtAuthorizer, Zn as LocalStartServiceError, Zt as applyCrossStackResolverToTask, _t as invokeAgentCore, an as substituteAgainstStateAsync, ar as warnIfDeprecatedRegion, at as invokeAgentCoreWs, bn as resolveApp, c as resolveProfileCredentials$1, cn as resolveEnvVars, ct as a2aInvokeOnce, dn as createLocalStateProvider, en as detectEcsImageResolutionNeeds, er as appOptions, ft as mcpInvokeOnce, ht as signAgentCoreInvocation, i as getPublishedHostPort, ir as parseContextOptions, jt as architectureToPlatform, kt as invokeRie, ln as materializeLayerFromArn, lt as MCP_CONTAINER_PORT, mn as resolveCfnFallbackRegion, n as CloudMapRegistry, nn as resolveEcsTaskTarget, nr as contextOptions, ot as A2A_CONTAINER_PORT, pn as rejectExplicitCfnStackWithMultipleStacks, qn as readCdkPathOrUndefined, qt as resolveRuntimeFileExtension, r as getContainerNetworkIp, rn as applyDeployedEnvFallback, rr as deprecatedRegionOption, sn as substituteEnvVarsFromStateAsync, st as A2A_PATH, t as buildCloudMapIndex, tn as parseEcsTarget, tr as commonOptions, ut as MCP_PATH, vt as waitForAgentCorePing, wn as resolveSingleTarget, xt as buildAgentCoreCodeImage, yt as downloadAndExtractS3Bundle, zn as pickAgentCoreCandidateStack, zt as ensureDockerAvailable } from "./cloud-map-resolver-DjKCYyIq.js";
 import { cpSync, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, unlinkSync, writeFileSync } from "node:fs";
 import { homedir, tmpdir } from "node:os";
 import * as path from "node:path";
@@ -7,10 +7,11 @@ import { dirname, join } from "node:path";
 import { Command, Option } from "commander";
 import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
 import { execFile, spawn } from "node:child_process";
+import { connect } from "node:net";
 import { promisify } from "node:util";
 import { X509Certificate, randomBytes, randomUUID } from "node:crypto";
-import { createServer, request } from "node:http";
-import { createServer as createServer$1 } from "node:https";
+import { createServer as createServer$1, request } from "node:http";
+import { createServer as createServer$2 } from "node:https";
 import graphlib from "graphlib";
 import { GetSecretValueCommand, SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
@@ -3783,12 +3784,18 @@ async function startFrontDoorServer(opts) {
 			if (!res.headersSent) writeError(res, 502, "Bad Gateway");
 		});
 	};
-	const server = opts.tls ? createServer$1({
+	const server = opts.tls ? createServer$2({
 		cert: opts.tls.certPem,
 		key: opts.tls.keyPem
-	}, requestHandler) : createServer(requestHandler);
+	}, requestHandler) : createServer$1(requestHandler);
 	const scheme = opts.tls ? "https" : "http";
 	server.on("connection", (socket) => socket.setNoDelay(true));
+	server.on("upgrade", (req, clientSocket, head) => {
+		handleUpgrade(req, clientSocket, head, opts).catch((err) => {
+			logger.debug(`front-door upgrade error: ${err instanceof Error ? err.message : String(err)}`);
+			if (!clientSocket.destroyed) clientSocket.destroy();
+		});
+	});
 	const boundPort = await new Promise((resolve, reject) => {
 		server.once("error", reject);
 		server.listen(opts.port, host, () => {
@@ -3843,25 +3850,67 @@ function handleProxyRequest(req, res, opts) {
 			...req.socket.remoteAddress !== void 0 && { sourceIp: req.socket.remoteAddress }
 		});
 		if (!action) return reply404(req, res, opts);
-		if (action.kind === "redirect" || action.kind === "fixed-response") {
-			req.resume();
-			if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
-			else writeFixedResponse(res, action);
-			return Promise.resolve();
-		}
-		const picked = pickWeightedTarget(action.pools);
-		if (!picked) {
-			writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
-			return Promise.resolve();
+		if (action.auth) {
+			const auth = action.auth;
+			return auth.check(req.headers).then((result) => {
+				if (!result.allow) {
+					req.resume();
+					writeUnauthorized(res, auth.realm, result.reason);
+					return;
+				}
+				return serveAction(req, res, action, opts);
+			}).catch((err) => {
+				getLogger().child("front-door").debug(`auth gate error: ${err instanceof Error ? err.message : String(err)}`);
+				req.resume();
+				writeUnauthorized(res, auth.realm, "auth check failed");
+			});
 		}
-		if ("lambda" in picked) return handleLambdaRequest(req, res, picked.lambda, opts);
-		return handlePoolRequest(req, res, picked.pool, opts);
+		return serveAction(req, res, action, opts);
 	}
 	const target = resolveDispatchTarget(opts, url);
 	if (!target) return reply404(req, res, opts);
 	if (target.kind === "lambda") return handleLambdaRequest(req, res, target.lambda, opts);
 	return handlePoolRequest(req, res, target.pool, opts);
 }
+/**
+* Dispatch a resolved {@link RouteAction} — the path the route resolver
+* returned (after any auth gate). Splits forward (ECS pool or Lambda invoker)
+* from redirect / fixed-response, mirroring what the inline logic used to do.
+*/
+function serveAction(req, res, action, opts) {
+	if (action.kind === "redirect" || action.kind === "fixed-response") {
+		req.resume();
+		if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
+		else writeFixedResponse(res, action);
+		return Promise.resolve();
+	}
+	const picked = pickWeightedTarget(action.pools);
+	if (!picked) {
+		writeError(res, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
+		return Promise.resolve();
+	}
+	if ("lambda" in picked) return handleLambdaRequest(req, res, picked.lambda, opts);
+	return handlePoolRequest(req, res, picked.pool, opts);
+}
+/**
+* Write a 401 with `WWW-Authenticate: Bearer realm="..."`. ALB itself would
+* redirect to the IdP's authorize endpoint; for local dev parity we deny
+* loudly so the user notices and either supplies `--bearer-token` / passes a
+* fresh Authorization header / disables the guard with `--no-verify-auth`.
+*/
+function writeUnauthorized(res, realm, reason) {
+	const body = reason && reason !== "" ? reason : "Unauthorized";
+	res.writeHead(401, {
+		"content-type": "text/plain; charset=utf-8",
+		"content-length": String(Buffer.byteLength(`${body}\n`)),
+		"www-authenticate": `Bearer realm="${escapeRealmQuotes(realm)}"`
+	});
+	res.end(`${body}\n`);
+}
+/** Escape `"` in the realm so the `WWW-Authenticate` header parses cleanly. */
+function escapeRealmQuotes(realm) {
+	return realm.replace(/"/g, "\\\"");
+}
 /** Reply 404 — an ALB listener with no matching rule and no default action. */
 function reply404(req, res, opts) {
 	writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
@@ -4116,6 +4165,226 @@ function writeError(res, statusCode, message) {
 	res.writeHead(statusCode, { "content-type": "text/plain; charset=utf-8" });
 	res.end(`${message}\n`);
 }
+/**
+* Handle an HTTP `Upgrade` request (WebSocket). Goes through the same
+* `route()` callback so listener-rule matching + auth gates apply
+* identically. ECS forward targets get a raw TCP bridge to the picked
+* replica; Lambda forward targets answer 502 (Lambda TGs do not support
+* WS); redirect / fixed-response actions synthesize a regular HTTP/1.1
+* response over the upgrade socket and close. Errors at every stage
+* destroy the client socket cleanly.
+*/
+function handleUpgrade(req, clientSocket, head, opts) {
+	clientSocket.setNoDelay?.(true);
+	if (!opts.route) {
+		writeRawHttpError(clientSocket, 404, "Not Found");
+		return Promise.resolve();
+	}
+	const action = opts.route({
+		path: req.url ?? "/",
+		...hostHeader(req),
+		headers: req.headers,
+		...req.method !== void 0 && { method: req.method },
+		...req.socket.remoteAddress !== void 0 && { sourceIp: req.socket.remoteAddress }
+	});
+	if (!action) {
+		writeRawHttpError(clientSocket, 404, "No listener rule matched the upgrade request.");
+		return Promise.resolve();
+	}
+	const proceed = () => {
+		if (action.kind === "redirect") {
+			writeRawHttpRedirect(clientSocket, action, req, opts.listenerPort, opts.tls ? "https" : "http");
+			return Promise.resolve();
+		}
+		if (action.kind === "fixed-response") {
+			writeRawHttpFixedResponse(clientSocket, action);
+			return Promise.resolve();
+		}
+		const picked = pickWeightedTarget(action.pools);
+		if (!picked) {
+			writeRawHttpError(clientSocket, 502, `No forward target selected behind ${opts.label} (every weighted target has weight 0).`);
+			return Promise.resolve();
+		}
+		if ("lambda" in picked) {
+			writeRawHttpError(clientSocket, 502, `WebSocket upgrade is not supported for Lambda target groups (${picked.lambda.label}).`);
+			return Promise.resolve();
+		}
+		return bridgeWebSocket(req, clientSocket, head, picked.pool, opts);
+	};
+	if (action.auth) {
+		const auth = action.auth;
+		return auth.check(req.headers).then((result) => {
+			if (!result.allow) {
+				writeRawHttpUnauthorized(clientSocket, auth.realm, result.reason);
+				return;
+			}
+			return proceed();
+		}).catch((err) => {
+			getLogger().child("front-door").debug(`upgrade auth gate error: ${err instanceof Error ? err.message : String(err)}`);
+			writeRawHttpUnauthorized(clientSocket, auth.realm, "auth check failed");
+		});
+	}
+	return proceed();
+}
+/**
+* Bridge a WebSocket upgrade onto an ECS replica. Opens a raw TCP socket
+* to the picked endpoint, replays the upgrade request (with `X-Forwarded-*`
+* stamped on), forwards any pre-read `head` bytes, then pipes the two
+* sockets in both directions. `Upgrade` / `Connection: Upgrade` / the
+* `Sec-WebSocket-*` headers are forwarded verbatim — RFC 7230 marks
+* `Upgrade` as hop-by-hop, but for the upgrade handshake itself the proxy
+* MUST preserve them (nginx / haproxy / ALB all do).
+*/
+function bridgeWebSocket(req, clientSocket, head, pool, opts) {
+	const logger = getLogger().child("front-door");
+	return new Promise((resolve) => {
+		const endpoint = pool.next();
+		if (!endpoint) {
+			writeRawHttpError(clientSocket, 503, `No running replicas behind ${opts.label} for the matched target.`);
+			resolve();
+			return;
+		}
+		const upstream = connect({
+			host: endpoint.host,
+			port: endpoint.port
+		});
+		upstream.setNoDelay(true);
+		let settled = false;
+		const done = () => {
+			if (settled) return;
+			settled = true;
+			resolve();
+		};
+		let upstreamConnected = false;
+		upstream.on("connect", () => {
+			upstreamConnected = true;
+			const headers = { ...req.headers };
+			appendForwardedHeaders(headers, req, opts.listenerPort, opts.tls ? "https" : "http");
+			const lines = [`${req.method ?? "GET"} ${req.url ?? "/"} HTTP/${req.httpVersion}`];
+			for (const [name, value] of Object.entries(headers)) {
+				if (value === void 0) continue;
+				if (Array.isArray(value)) for (const v of value) lines.push(`${name}: ${v}`);
+				else lines.push(`${name}: ${value}`);
+			}
+			upstream.write(`${lines.join("\r\n")}\r\n\r\n`);
+			if (head.length > 0) upstream.write(head);
+			clientSocket.pipe(upstream);
+			upstream.pipe(clientSocket);
+		});
+		upstream.on("error", (err) => {
+			logger.debug(`WS upstream error (${endpoint.host}:${endpoint.port}): ${err instanceof Error ? err.message : String(err)}`);
+			if (!clientSocket.destroyed) {
+				if (!upstreamConnected) try {
+					writeRawHttpError(clientSocket, 502, `Failed to reach replica ${endpoint.host}:${endpoint.port} behind ${opts.label}.`);
+				} catch {}
+				clientSocket.destroy();
+			}
+			done();
+		});
+		upstream.on("close", () => {
+			if (!clientSocket.destroyed) clientSocket.destroy();
+			done();
+		});
+		clientSocket.on("error", () => {
+			if (!upstream.destroyed) upstream.destroy();
+			done();
+		});
+		clientSocket.on("close", () => {
+			if (!upstream.destroyed) upstream.destroy();
+			done();
+		});
+	});
+}
+/**
+* Write a minimal HTTP/1.1 error response over a raw upgrade socket and
+* close it. Used for the pre-101-Switching-Protocols failure paths
+* (no rule match, no replica, Lambda target, etc.).
+*/
+function writeRawHttpError(socket, statusCode, message) {
+	if (socket.destroyed) return;
+	const body = `${message}\n`;
+	const lines = [
+		`HTTP/1.1 ${statusCode} ${STATUS_TEXT[statusCode] ?? "Error"}`,
+		"content-type: text/plain; charset=utf-8",
+		`content-length: ${Buffer.byteLength(body)}`,
+		"connection: close",
+		"",
+		""
+	];
+	try {
+		socket.write(lines.join("\r\n") + body);
+	} catch {}
+	socket.end();
+}
+/** Write a 401 over a raw upgrade socket with the WS-aware `WWW-Authenticate` header. */
+function writeRawHttpUnauthorized(socket, realm, reason) {
+	if (socket.destroyed) return;
+	const body = `${reason && reason !== "" ? reason : "Unauthorized"}\n`;
+	const lines = [
+		"HTTP/1.1 401 Unauthorized",
+		"content-type: text/plain; charset=utf-8",
+		`content-length: ${Buffer.byteLength(body)}`,
+		`www-authenticate: Bearer realm="${escapeRealmQuotes(realm)}"`,
+		"connection: close",
+		"",
+		""
+	];
+	try {
+		socket.write(lines.join("\r\n") + body);
+	} catch {}
+	socket.end();
+}
+/** Write an ALB-style 301 / 302 redirect over a raw upgrade socket. */
+function writeRawHttpRedirect(socket, action, req, listenerPort, scheme) {
+	if (socket.destroyed) return;
+	const location = buildRedirectLocation(action, req, listenerPort, scheme);
+	const statusText = action.statusCode === 301 ? "Moved Permanently" : "Found";
+	const lines = [
+		`HTTP/1.1 ${action.statusCode} ${statusText}`,
+		`location: ${location}`,
+		"content-type: text/plain; charset=utf-8",
+		"content-length: 0",
+		"connection: close",
+		"",
+		""
+	];
+	try {
+		socket.write(lines.join("\r\n"));
+	} catch {}
+	socket.end();
+}
+/** Write an ALB-style fixed-response over a raw upgrade socket. */
+function writeRawHttpFixedResponse(socket, action) {
+	if (socket.destroyed) return;
+	const body = action.messageBody ?? "";
+	const statusText = STATUS_TEXT[action.statusCode] ?? "";
+	const contentType = sanitizeRawHeaderValue(action.contentType ?? "text/plain; charset=utf-8");
+	const lines = [
+		`HTTP/1.1 ${action.statusCode} ${statusText}`,
+		`content-type: ${contentType}`,
+		`content-length: ${Buffer.byteLength(body)}`,
+		"connection: close",
+		"",
+		""
+	];
+	try {
+		socket.write(lines.join("\r\n") + body);
+	} catch {}
+	socket.end();
+}
+/** Strip CR / LF / NUL from a raw HTTP header value to prevent header injection. */
+function sanitizeRawHeaderValue(value) {
+	return value.replace(/[\r\n]/g, " ");
+}
+/** Minimal HTTP/1.1 status text map for the codes the raw writers emit. */
+const STATUS_TEXT = {
+	301: "Moved Permanently",
+	302: "Found",
+	401: "Unauthorized",
+	404: "Not Found",
+	502: "Bad Gateway",
+	503: "Service Unavailable"
+};
 //#endregion
 //#region src/local/alb-path-matcher.ts
@@ -4730,6 +4999,98 @@ function createFrontDoorLambdaRunner(lambda, opts) {
 	};
 }
+//#endregion
+//#region src/local/front-door-auth.ts
+/**
+* Build the front-door's auth-check callback for an
+* `authenticate-cognito` / `authenticate-oidc` guard.
+*
+* Local-dev parity model: the cloud-side ALB authenticates the user via a
+* full OAuth roundtrip (redirect to the IdP's authorize endpoint, callback,
+* AWSELBAuthSessionCookie issuance). The local front-door does NOT reproduce
+* the roundtrip — it accepts EITHER a Bearer JWT (verified against the
+* Cognito JWKS / OIDC discovery URL just like API Gateway's JWT authorizer)
+* OR an `AWSELBAuthSessionCookie-*` cookie pass-through (the user is acting
+* as if already signed in via the deployed ALB — `--bearer-token` makes the
+* Bearer-JWT path the headline path; the cookie pass-through is convenience
+* for hitting the local front-door from a browser session that already
+* authenticated through the deployed ALB).
+*
+* `--no-verify-auth` (the `noVerifyAuth` flag) short-circuits everything to
+* `allow: true` — explicitly off-switching the guard for local dev where
+* you do not want to mint a Bearer token at all.
+*
+* `--bearer-token <jwt>` (the `bearerToken` arg) makes the supplied token
+* the default `Authorization` value when the inbound request has none.
+*/
+function buildAuthCheck(guard, jwksCache, opts = {}) {
+	const realm = guard.label;
+	if (opts.noVerifyAuth === true) return {
+		realm,
+		check: async () => ({ allow: true })
+	};
+	const warned = opts.warned ?? /* @__PURE__ */ new Set();
+	const sessionCookiePrefix = guard.sessionCookieName;
+	const injectedBearer = opts.bearerToken;
+	return {
+		realm,
+		check: async (headers) => {
+			const cookieHeader = headerValue(headers["cookie"]);
+			if (cookieHeader && cookieHasSessionPrefix(cookieHeader, sessionCookiePrefix)) return { allow: true };
+			let authorization = headerValue(headers["authorization"]);
+			if ((!authorization || authorization === "") && injectedBearer !== void 0) authorization = `Bearer ${injectedBearer}`;
+			if (!authorization || authorization === "") return {
+				allow: false,
+				reason: "No Bearer token presented. Supply Authorization: Bearer <jwt> or pass --bearer-token <jwt>."
+			};
+			if (!authorization.toLowerCase().startsWith("bearer ")) return {
+				allow: false,
+				reason: "Authorization scheme is not Bearer; the ALB authenticate-* guard only accepts Bearer JWTs."
+			};
+			try {
+				if ((await verifyJwtAuthorizer({
+					kind: "jwt",
+					logicalId: guard.label,
+					declaredAt: "start-alb authenticate-* action",
+					issuer: guard.issuer,
+					audience: [guard.audience],
+					...guard.region !== void 0 && { region: guard.region },
+					...guard.userPoolId !== void 0 && { userPoolId: guard.userPoolId }
+				}, authorization, jwksCache, { warned })).allow) return { allow: true };
+				return {
+					allow: false,
+					reason: "Bearer token rejected (signature / iss / aud / exp check failed)."
+				};
+			} catch (err) {
+				getLogger().child("front-door-auth").debug(`auth check threw: ${err instanceof Error ? err.message : String(err)}`);
+				return {
+					allow: false,
+					reason: "Auth check failed."
+				};
+			}
+		}
+	};
+}
+function headerValue(raw) {
+	if (raw === void 0) return void 0;
+	if (Array.isArray(raw)) return raw[0];
+	return raw;
+}
+/**
+* True iff the `Cookie` header contains a cookie whose name starts with
+* `<sessionCookiePrefix>` (ALB suffixes the cookie with `-0` / `-1` / ...
+* when the auth session payload exceeds the per-cookie size limit, so we
+* match the prefix, not an exact name).
+*/
+function cookieHasSessionPrefix(cookieHeader, sessionCookiePrefix) {
+	for (const pair of cookieHeader.split(";")) {
+		const eq = pair.indexOf("=");
+		const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
+		if (name === sessionCookiePrefix || name.startsWith(`${sessionCookiePrefix}-`)) return true;
+	}
+	return false;
+}
 //#endregion
 //#region src/cli/commands/ecs-service-emulator.ts
 /**
@@ -5038,9 +5399,20 @@ async function buildFrontDoor(plan, options, logger) {
 		certPath: options.tlsCert,
 		keyPath: options.tlsKey
 	}) : void 0;
+	const jwksCache = createJwksCache();
+	const sharedWarned = /* @__PURE__ */ new Set();
+	const authForGuard = (guard) => buildAuthCheck(guard, jwksCache, {
+		...options.verifyAuth === false && { noVerifyAuth: true },
+		...options.bearerToken !== void 0 && { bearerToken: options.bearerToken },
+		warned: sharedWarned
+	});
+	const attachAuth = (action, guard) => guard ? {
+		...action,
+		auth: authForGuard(guard)
+	} : action;
 	try {
 		for (const listener of plan.listeners) {
-			const defaultRoute = listener.defaultAction ? toRouteAction(listener.defaultAction) : void 0;
+			const defaultRoute = listener.defaultAction ? attachAuth(toRouteAction(listener.defaultAction), listener.defaultAuthGuard) : void 0;
 			const ruleRoutes = listener.rules.map((r) => ({
 				priority: r.priority,
 				pathPatterns: r.pathPatterns,
@@ -5049,7 +5421,7 @@ async function buildFrontDoor(plan, options, logger) {
 				httpRequestMethods: r.httpRequestMethods,
 				queryStringConditions: r.queryStringConditions,
 				sourceIpCidrs: r.sourceIpCidrs,
-				target: toRouteAction(r.action)
+				target: attachAuth(toRouteAction(r.action), r.authGuard)
 			}));
 			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
 			const tls = listener.protocol === "HTTPS" ? tlsMaterials : void 0;
@@ -5367,9 +5739,19 @@ function createLocalStartServiceCommand(opts = {}) {
 * mix ECS and Lambda targets. HTTPS listeners are served — local TLS
 * termination uses a user-supplied or auto-generated self-signed cert/key
 * pair (the deployed `Listener.Certificates[]` ACM ARNs are not fetched,
-* because ACM private keys are not retrievable by design). Skipped with a
-* warning: TLS listeners (NLB-style, not ALB) and `authenticate-cognito` /
-* `authenticate-oidc` actions.
+* because ACM private keys are not retrievable by design).
+*
+* `authenticate-cognito` / `authenticate-oidc` actions ARE served — they are
+* lifted from the `Actions[]` array into an `authGuard` attached to the
+* terminal action they wrap. The front-door enforces a Bearer-JWT check
+* locally (signature + `iss` + `exp` + `aud`) using the existing JWKS-cached
+* verifier; missing / invalid token -> 401 with `WWW-Authenticate: Bearer`.
+* Out of scope: the full OAuth roundtrip (authorize-endpoint redirect +
+* callback). The local-dev parity is "I have a JWT, let me through" — the
+* `--bearer-token <jwt>` flag is the convenience escape hatch; the
+* `--no-verify-auth` flag disables the guard entirely.
+*
+* Skipped with a warning: TLS listeners (NLB-style, not ALB).
 */
 const ALB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
 const LISTENER_TYPE = "AWS::ElasticLoadBalancingV2::Listener";
@@ -5401,7 +5783,7 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 			continue;
 		}
 		if (protocol === "HTTPS" && Array.isArray(props["Certificates"]) && props["Certificates"].length > 0) warnings.push(`Listener '${listenerLogicalId}' on port ${port} declares ACM Certificates which are not retrievable locally. The front-door terminates TLS with --tls-cert/--tls-key or an auto-generated self-signed cert.`);
-		const defaultAction = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
+		const defaultResolved = resolveAction(props["DefaultActions"], resources, tgToService, stackName, `Listener '${listenerLogicalId}' (port ${port}) default action`, warnings);
 		const rules = [];
 		for (const { ruleLogicalId, ruleProps } of rulesByListener.get(listenerLogicalId) ?? []) {
 			const priority = parsePriority(ruleProps["Priority"]);
@@ -5410,8 +5792,8 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 			if (!parsed) continue;
 			const { pathPatterns, hostPatterns, httpHeaderConditions, httpRequestMethods, queryStringConditions, sourceIpCidrs } = parsed;
 			if (!(pathPatterns.length > 0 || hostPatterns.length > 0 || httpHeaderConditions.length > 0 || httpRequestMethods.length > 0 || queryStringConditions.length > 0 || sourceIpCidrs.length > 0)) continue;
-			const action = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
-			if (!action) continue;
+			const ruleResolved = resolveAction(ruleProps["Actions"], resources, tgToService, stackName, `${ruleLabel} action`, warnings);
+			if (!ruleResolved) continue;
 			rules.push({
 				priority,
 				pathPatterns,
@@ -5420,15 +5802,17 @@ function resolveAlbFrontDoor(stack, albLogicalId) {
 				httpRequestMethods,
 				queryStringConditions,
 				sourceIpCidrs,
-				action
+				action: ruleResolved.action,
+				...ruleResolved.authGuard ? { authGuard: ruleResolved.authGuard } : {}
 			});
 		}
-		if (!defaultAction && rules.length === 0) continue;
+		if (!defaultResolved && rules.length === 0) continue;
 		listeners.push({
 			listenerPort: port,
 			listenerProtocol: protocol,
 			listenerLogicalId,
-			...defaultAction ? { defaultAction } : {},
+			...defaultResolved ? { defaultAction: defaultResolved.action } : {},
+			...defaultResolved?.authGuard ? { defaultAuthGuard: defaultResolved.authGuard } : {},
 			rules
 		});
 	}
@@ -5444,15 +5828,16 @@ function isApplicationLoadBalancer(resource) {
 	return type === void 0 || type === "application";
 }
 /**
-* Resolve a listener / rule `Actions` (or `DefaultActions`) array to the single
-* action the local front-door serves, or `undefined` when it is not resolvable
-* (a warning is emitted for the cases worth surfacing). ALB allows exactly one
-* non-authenticate terminal action per action set, optionally preceded by
-* authenticate-* actions (which the local front-door does not enforce — they
-* are skipped with a warning and the terminal action is honored).
+* Resolve a listener / rule `Actions` (or `DefaultActions`) array. ALB allows
+* any number of `authenticate-cognito` / `authenticate-oidc` entries followed
+* by exactly one terminal action (`forward` / `redirect` / `fixed-response`).
+* The first parseable authenticate-* (last wins if multiple) becomes the
+* returned `authGuard`; the terminal action becomes `action`. Returns
+* `undefined` when no terminal action is resolvable.
 */
 function resolveAction(actions, resources, tgToService, stackName, label, warnings) {
 	if (!Array.isArray(actions)) return void 0;
+	let authGuard;
 	let sawAuthenticate = false;
 	for (const action of actions) {
 		if (!action || typeof action !== "object") continue;
@@ -5460,18 +5845,21 @@ function resolveAction(actions, resources, tgToService, stackName, label, warnin
 		const type = a["Type"];
 		if (type === "authenticate-cognito" || type === "authenticate-oidc") {
 			sawAuthenticate = true;
+			const parsed = parseAuthenticateAction(a, type, label, warnings);
+			if (parsed) authGuard = parsed;
 			continue;
 		}
-		if (type === "forward") return resolveForwardAction(a, resources, tgToService, stackName, label, warnings);
-		if (type === "redirect") {
-			const redirect = resolveRedirectAction(a, label, warnings);
-			if (redirect) return redirect;
-			continue;
-		}
-		if (type === "fixed-response") return resolveFixedResponseAction(a);
-		if (typeof type === "string") warnings.push(`${label} uses an unsupported action type '${type}'. The local ALB front-door supports forward / redirect / fixed-response actions only. Skipping it.`);
+		let terminal;
+		if (type === "forward") terminal = resolveForwardAction(a, resources, tgToService, stackName, label, warnings);
+		else if (type === "redirect") terminal = resolveRedirectAction(a, label, warnings);
+		else if (type === "fixed-response") terminal = resolveFixedResponseAction(a);
+		else if (typeof type === "string") warnings.push(`${label} uses an unsupported action type '${type}'. The local ALB front-door supports forward / redirect / fixed-response actions only. Skipping it.`);
+		if (terminal) return authGuard ? {
+			action: terminal,
+			authGuard
+		} : { action: terminal };
 	}
-	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action. The local ALB front-door does not enforce authenticate-cognito / authenticate-oidc; skipping it.`);
+	if (sawAuthenticate) warnings.push(`${label} is an authenticate-* action with no local-servable terminal action; skipping it.`);
 }
 /**
 * Resolve a `forward` action into one or more weighted targets. Each target
@@ -5877,6 +6265,75 @@ function parsePriority(raw) {
 	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
 	return Number.MAX_SAFE_INTEGER;
 }
+/** ALB's default session cookie name prefix (suffixed `-0` / `-1` / ... by ALB). */
+const DEFAULT_ALB_SESSION_COOKIE = "AWSELBAuthSessionCookie";
+/**
+* Cognito User Pool ARN shape:
+*   `arn:aws:cognito-idp:<region>:<account>:userpool/<pool-id>`
+* The pool id itself contains a `_`, but never a `/`, so anchoring on the
+* `userpool/` segment is robust.
+*/
+const COGNITO_USERPOOL_ARN = /^arn:[^:]+:cognito-idp:([^:]+):[^:]+:userpool\/([^/]+)$/;
+/**
+* Parse an `authenticate-cognito` / `authenticate-oidc` ALB action into a
+* resolvable {@link FrontDoorAuthGuard}, or `undefined` when the config is
+* unresolvable (a Ref / intrinsic in a required field, a malformed
+* UserPoolArn, etc.) — a warning is emitted in that case so the user knows
+* the guard was dropped (the terminal action will still serve unguarded).
+*/
+function parseAuthenticateAction(action, type, label, warnings) {
+	if (type === "authenticate-cognito") {
+		const cfg = action["AuthenticateCognitoConfig"];
+		if (!cfg || typeof cfg !== "object") {
+			warnings.push(`${label}: authenticate-cognito missing AuthenticateCognitoConfig; skipping guard.`);
+			return;
+		}
+		const c = cfg;
+		const userPoolArn = c["UserPoolArn"];
+		const userPoolClientId = c["UserPoolClientId"];
+		if (typeof userPoolArn !== "string" || typeof userPoolClientId !== "string") {
+			warnings.push(`${label}: authenticate-cognito UserPoolArn / UserPoolClientId must be literal strings (Ref / intrinsics cannot be resolved by the local front-door); skipping guard.`);
+			return;
+		}
+		const match = COGNITO_USERPOOL_ARN.exec(userPoolArn);
+		if (!match) {
+			warnings.push(`${label}: authenticate-cognito UserPoolArn '${userPoolArn}' is not in the expected arn:...:cognito-idp:<region>:<account>:userpool/<pool-id> shape; skipping guard.`);
+			return;
+		}
+		const region = match[1];
+		const userPoolId = match[2];
+		const sessionCookieName = typeof c["SessionCookieName"] === "string" && c["SessionCookieName"] !== "" ? c["SessionCookieName"] : DEFAULT_ALB_SESSION_COOKIE;
+		return {
+			kind: "authenticate-cognito",
+			issuer: `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`,
+			audience: userPoolClientId,
+			region,
+			userPoolId,
+			sessionCookieName,
+			label: `authenticate-cognito (UserPool=${userPoolId})`
+		};
+	}
+	const cfg = action["AuthenticateOidcConfig"];
+	if (!cfg || typeof cfg !== "object") {
+		warnings.push(`${label}: authenticate-oidc missing AuthenticateOidcConfig; skipping guard.`);
+		return;
+	}
+	const c = cfg;
+	const issuer = c["Issuer"];
+	const clientId = c["ClientId"];
+	if (typeof issuer !== "string" || typeof clientId !== "string") {
+		warnings.push(`${label}: authenticate-oidc Issuer / ClientId must be literal strings (Ref / intrinsics cannot be resolved by the local front-door); skipping guard.`);
+		return;
+	}
+	const sessionCookieName = typeof c["SessionCookieName"] === "string" && c["SessionCookieName"] !== "" ? c["SessionCookieName"] : DEFAULT_ALB_SESSION_COOKIE;
+	return {
+		kind: "authenticate-oidc",
+		issuer: issuer.replace(/\/+$/, ""),
+		audience: clientId,
+		sessionCookieName,
+		label: `authenticate-oidc (Issuer=${issuer})`
+	};
+}
 //#endregion
 //#region src/cli/commands/local-start-alb.ts
@@ -6018,6 +6475,7 @@ function albStrategy(options) {
 						hostPort,
 						protocol: listener.listenerProtocol,
 						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
+						...listener.defaultAuthGuard ? { defaultAuthGuard: listener.defaultAuthGuard } : {},
 						rules: listener.rules.map((r) => ({
 							priority: r.priority,
 							pathPatterns: r.pathPatterns,
@@ -6026,7 +6484,8 @@ function albStrategy(options) {
 							httpRequestMethods: r.httpRequestMethods,
 							queryStringConditions: r.queryStringConditions,
 							sourceIpCidrs: r.sourceIpCidrs,
-							action: qualify(r.action)
+							action: qualify(r.action),
+							...r.authGuard ? { authGuard: r.authGuard } : {}
 						}))
 					});
 				}
@@ -6055,7 +6514,7 @@ function albStrategy(options) {
 */
 function createLocalStartAlbCommand(opts = {}) {
 	setEmbedConfig(opts.embedConfig);
-	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions are skipped with a warning. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).action(withErrorHandling(async (targets, options) => {
+	return addCommonEcsServiceOptions(new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners (TLS terminated locally with --tls-cert/--tls-key or an auto-generated self-signed cert); all six ALB rule-condition fields (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions enforce a local Bearer-JWT check (or AWSELBAuthSessionCookie pass-through) against the same JWKS / OIDC discovery URL the deployed ALB would; use --bearer-token <jwt> to inject a default token or --no-verify-auth to disable the guard. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Must be set together with --tls-key. Omit both flags to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Must be set together with --tls-cert.")).addOption(new Option("--no-verify-auth", "Disable local enforcement of authenticate-cognito / authenticate-oidc actions. Every request is served as if the auth check passed. Useful for local dev where you do not want to mint a Bearer token at all.")).addOption(new Option("--bearer-token <jwt>", "Default Bearer JWT injected as Authorization: Bearer <jwt> when the inbound request has none. Verified against the same JWKS / OIDC discovery URL the deployed ALB would (signature + iss + aud + exp). Local-dev convenience; cookie pass-through (AWSELBAuthSessionCookie-*) also works.")).action(withErrorHandling(async (targets, options) => {
 		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
 	})));
 }
@@ -6132,4 +6591,4 @@ function createLocalListCommand(opts = {}) {
 //#endregion
 export { createLocalRunTaskCommand as a, createLocalStartServiceCommand as i, formatTargetListing as n, createLocalInvokeAgentCoreCommand as o, createLocalStartAlbCommand as r, createLocalInvokeCommand as s, createLocalListCommand as t };
-//# sourceMappingURL=local-list-B-5gO8ht.js.map
+//# sourceMappingURL=local-list-CZEZ5-JP.js.map