npm - cdk-local - Versions diffs - 0.63.0 → 0.64.0 - Mend

cdk-local 0.63.0 → 0.64.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +2 -2
package/dist/cli.js +3 -3
package/dist/index.d.ts +1 -8
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -2
package/dist/internal.d.ts +2 -2
package/dist/internal.js +2 -2
package/dist/{local-list-Dxwno_0V.js → local-list-BNkoH5tV.js} +3 -187
package/dist/local-list-BNkoH5tV.js.map +1 -0
package/dist/{elb-front-door-resolver-y5FicgLi.js → local-start-alb-CIE0TMpn.js} +242 -19
package/dist/local-start-alb-CIE0TMpn.js.map +1 -0
package/dist/{ecs-service-emulator-BgO3gb5D.d.ts → local-start-alb-CTu5lvrU.d.ts} +17 -2
package/dist/local-start-alb-CTu5lvrU.d.ts.map +1 -0
package/package.json +1 -1
package/dist/ecs-service-emulator-BgO3gb5D.d.ts.map +0 -1
package/dist/elb-front-door-resolver-y5FicgLi.js.map +0 -1
package/dist/local-list-Dxwno_0V.js.map +0 -1

package/dist/{elb-front-door-resolver-y5FicgLi.js → local-start-alb-CIE0TMpn.js} RENAMED Viewed

@@ -798,7 +798,7 @@ function parseTarget(target) {
 function resolveLambdaTarget(target, stacks) {
 	if (stacks.length === 0) throw new LocalInvokeResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseTarget(target);
-	const stack = pickStack$3(parsed, stacks);
+	const stack = pickStack$4(parsed, stacks);
 	const template = stack.template;
 	const resources = template.Resources ?? {};
 	let match;
@@ -832,7 +832,7 @@ function resolveLambdaTarget(target, stacks) {
 * user may omit the stack prefix. Otherwise an explicit stack pattern is
 * required.
 */
-function pickStack$3(parsed, stacks) {
+function pickStack$4(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new LocalInvokeResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -1241,7 +1241,7 @@ var AgentCoreResolutionError = class AgentCoreResolutionError extends Error {
 function resolveAgentCoreTarget(target, stacks, imageContext) {
 	if (stacks.length === 0) throw new AgentCoreResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseTarget(target);
-	const stack = pickStack$2(parsed, stacks);
+	const stack = pickStack$3(parsed, stacks);
 	const resources = stack.template.Resources ?? {};
 	const { logicalId, resource } = matchRuntime(parsed, target, stack, resources);
 	if (resource.Type !== "AWS::BedrockAgentCore::Runtime") throw new AgentCoreResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not ${AGENTCORE_RUNTIME_TYPE}. ${getEmbedConfig().cliName} invoke-agentcore only runs Bedrock AgentCore Runtime resources.`);
@@ -1269,7 +1269,7 @@ function pickAgentCoreCandidateStack(target, stacks) {
 * Mirrors the Lambda / ECS resolvers' behavior via the shared
 * stack-matcher.
 */
-function pickStack$2(parsed, stacks) {
+function pickStack$3(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new AgentCoreResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -5620,7 +5620,7 @@ function parseEcsTarget(target) {
 function resolveEcsTaskTarget(target, stacks, context) {
 	if (stacks.length === 0) throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseEcsTarget(target);
-	const stack = pickStack$1(parsed, stacks);
+	const stack = pickStack$2(parsed, stacks);
 	const resources = stack.template.Resources ?? {};
 	let logicalId;
 	let resource;
@@ -5641,7 +5641,7 @@ function resolveEcsTaskTarget(target, stacks, context) {
 	if (resource.Type !== "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`);
 	return extractTaskDefinitionProperties(stack, logicalId, resource, context);
 }
-function pickStack$1(parsed, stacks) {
+function pickStack$2(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new EcsTaskResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -18672,7 +18672,7 @@ function shellJoin(parts) {
 function resolveEcsServiceTarget(target, stacks, context) {
 	if (stacks.length === 0) throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseEcsTarget(target);
-	const stack = pickStack(parsed, stacks);
+	const stack = pickStack$1(parsed, stacks);
 	const resources = stack.template.Resources ?? {};
 	let serviceLogicalId;
 	let serviceResource;
@@ -18874,7 +18874,7 @@ function parseServiceName(raw, serviceLogicalId) {
 * service-specific extensions (e.g. cross-stack service-to-task refs)
 * can diverge without breaking the run-task code path.
 */
-function pickStack(parsed, stacks) {
+function pickStack$1(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new EcsTaskResolutionError(`Target has no stack prefix, and the assembly contains ${stacks.length} stacks: ${stacks.map((s) => s.stackName).join(", ")}. Pass the target as 'Stack/Path' or 'Stack:LogicalId'.`);
@@ -20104,8 +20104,13 @@ const DEFAULT_UPSTREAM_TIMEOUT_MS = 3e4;
 async function startFrontDoorServer(opts) {
 	const logger = getLogger().child("front-door");
 	const host = opts.host ?? "127.0.0.1";
+	const forwardedProto = opts.forwardedProto ?? (opts.tls ? "https" : "http");
+	const effectiveOpts = {
+		...opts,
+		forwardedProto
+	};
 	const requestHandler = (req, res) => {
-		handleProxyRequest(req, res, opts).catch((err) => {
+		handleProxyRequest(req, res, effectiveOpts).catch((err) => {
 			logger.debug(`front-door request error: ${err instanceof Error ? err.message : String(err)}`);
 			if (!res.headersSent) writeError(res, 502, "Bad Gateway");
 		});
@@ -20117,7 +20122,7 @@ async function startFrontDoorServer(opts) {
 	const scheme = opts.tls ? "https" : "http";
 	server.on("connection", (socket) => socket.setNoDelay(true));
 	server.on("upgrade", (req, clientSocket, head) => {
-		handleUpgrade(req, clientSocket, head, opts).catch((err) => {
+		handleUpgrade(req, clientSocket, head, effectiveOpts).catch((err) => {
 			logger.debug(`front-door upgrade error: ${err instanceof Error ? err.message : String(err)}`);
 			if (!clientSocket.destroyed) clientSocket.destroy();
 		});
@@ -20206,7 +20211,7 @@ function handleProxyRequest(req, res, opts) {
 function serveAction(req, res, action, opts) {
 	if (action.kind === "redirect" || action.kind === "fixed-response") {
 		req.resume();
-		if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, opts.tls ? "https" : "http");
+		if (action.kind === "redirect") writeRedirect(res, action, req, opts.listenerPort, resolveForwardedProto(opts));
 		else writeFixedResponse(res, action);
 		return Promise.resolve();
 	}
@@ -20258,7 +20263,7 @@ function handlePoolRequest(req, res, pool, opts) {
 		};
 		const headers = { ...req.headers };
 		stripHopByHopHeaders(headers);
-		appendForwardedHeaders(headers, req, opts.listenerPort, opts.tls ? "https" : "http");
+		appendForwardedHeaders(headers, req, opts.listenerPort, resolveForwardedProto(opts));
 		const proxyReq = request({
 			host: endpoint.host,
 			port: endpoint.port,
@@ -20414,7 +20419,7 @@ function handleLambdaRequest(req, res, lambda, opts) {
 					const body = Buffer.concat(chunks);
 					const forwardHeaders = { ...req.headers };
 					stripHopByHopHeaders(forwardHeaders);
-					appendForwardedHeaders(forwardHeaders, req, opts.listenerPort, opts.tls ? "https" : "http");
+					appendForwardedHeaders(forwardHeaders, req, opts.listenerPort, resolveForwardedProto(opts));
 					const snapshot = snapshotFromIncoming(req, body);
 					for (const [name, value] of Object.entries(forwardHeaders)) {
 						if (value === void 0) continue;
@@ -20474,6 +20479,14 @@ function stripHopByHopHeaders(headers) {
 	for (const name of HOP_BY_HOP_HEADERS) delete headers[name];
 }
 /**
+* Resolve the scheme to stamp on `X-Forwarded-Proto` and to default
+* redirect `#{protocol}` to: an explicit {@link StartFrontDoorServerOptions.forwardedProto}
+* override wins, otherwise it follows the wire (TLS = `https`, no TLS = `http`).
+*/
+function resolveForwardedProto(opts) {
+	return opts.forwardedProto ?? (opts.tls ? "https" : "http");
+}
+/**
 * Inject the ALB-style forwarding headers a downstream app may read. Appends
 * the client IP to any existing `X-Forwarded-For` chain (ALB appends rather
 * than replaces) and stamps the scheme / listener port. `scheme` follows the
@@ -20519,7 +20532,7 @@ function handleUpgrade(req, clientSocket, head, opts) {
 	}
 	const proceed = () => {
 		if (action.kind === "redirect") {
-			writeRawHttpRedirect(clientSocket, action, req, opts.listenerPort, opts.tls ? "https" : "http");
+			writeRawHttpRedirect(clientSocket, action, req, opts.listenerPort, resolveForwardedProto(opts));
 			return Promise.resolve();
 		}
 		if (action.kind === "fixed-response") {
@@ -20585,7 +20598,7 @@ function bridgeWebSocket(req, clientSocket, head, pool, opts) {
 		upstream.on("connect", () => {
 			upstreamConnected = true;
 			const headers = { ...req.headers };
-			appendForwardedHeaders(headers, req, opts.listenerPort, opts.tls ? "https" : "http");
+			appendForwardedHeaders(headers, req, opts.listenerPort, resolveForwardedProto(opts));
 			const lines = [`${req.method ?? "GET"} ${req.url ?? "/"} HTTP/${req.httpVersion}`];
 			for (const [name, value] of Object.entries(headers)) {
 				if (value === void 0) continue;
@@ -21722,7 +21735,9 @@ async function buildFrontDoor(plan, options, logger) {
 			...action.messageBody !== void 0 && { messageBody: action.messageBody }
 		};
 	};
-	const tlsMaterials = plan.listeners.some((l) => l.protocol === "HTTPS") ? await resolveFrontDoorTlsMaterials({
+	const hasHttpsListener = plan.listeners.some((l) => l.protocol === "HTTPS");
+	const wantTls = options.tls === true || options.tlsCert !== void 0 || options.tlsKey !== void 0;
+	const tlsMaterials = hasHttpsListener && wantTls ? await resolveFrontDoorTlsMaterials({
 		certPath: options.tlsCert,
 		keyPath: options.tlsKey
 	}) : void 0;
@@ -21751,17 +21766,21 @@ async function buildFrontDoor(plan, options, logger) {
 				target: attachAuth(toRouteAction(r.action), r.authGuard)
 			}));
 			const route = (req) => matchAlbPathRule(req, ruleRoutes) ?? defaultRoute;
-			const tls = listener.protocol === "HTTPS" ? tlsMaterials : void 0;
+			const tls = listener.protocol === "HTTPS" && wantTls ? tlsMaterials : void 0;
+			const forwardedProto = listener.protocol === "HTTPS" ? "https" : "http";
+			const degradedHttps = listener.protocol === "HTTPS" && !wantTls;
 			const server = await startFrontDoorServer({
 				route,
 				port: listener.hostPort,
 				host: containerHost,
 				listenerPort: listener.listenerPort,
 				label: `listener port ${listener.listenerPort}`,
+				forwardedProto,
 				...tls ? { tls } : {}
 			});
 			servers.push(server);
 			logger.info(`ALB front-door: ${server.scheme}://${server.host}:${server.port} (listener port ${listener.listenerPort})`);
+			if (degradedHttps) logger.warn(`  WARN: listener port ${listener.listenerPort} is HTTPS in the cloud but serving HTTP locally (X-Forwarded-Proto: https preserved). Pass --tls to terminate TLS locally with a self-signed or user-supplied cert.`);
 			if (listener.defaultAction) logger.info(`  default -> ${describeAction(listener.defaultAction)}`);
 			for (const r of [...listener.rules].sort((a, b) => a.priority - b.priority)) logger.info(`  ${describeConditions(r)} (priority ${r.priority}) -> ${describeAction(r.action)}`);
 			if (!listener.defaultAction) logger.info("  (no default action: unmatched requests return 404)");
@@ -22667,5 +22686,209 @@ function parseAuthenticateAction(action, type, label, warnings) {
 }
 //#endregion
-export { buildMgmtEndpointEnvUrl as $, resolveCdkPathToLogicalIds as $n, resolveRuntimeCodeMountPath as $t, startApiServer as A, countTargets as An, waitForAgentCorePing as At, translateLambdaResponse as B, AGENTCORE_HTTP_PROTOCOL as Bn, getDockerImageBySourceHash as Bt, attachStageContext as C, CfnLocalStateProvider as Cn, MCP_PROTOCOL_VERSION as Ct, filterRoutesByApiIdentifiers as D, resolveWatchConfig as Dn, signAgentCoreInvocation as Dt, filterRoutesByApiIdentifier as E, resolveApp as En, AGENTCORE_SIGV4_SERVICE as Et, computeRequestIdentityHash as F, discoverRoutes as Fn, renderCodeDockerfile as Ft, pickResponseTemplate as G, resolveAgentCoreTarget as Gn, parseEcrUri as Gt, buildHttpApiV2Event as H, AGENTCORE_RUNTIME_TYPE as Hn, waitForRieReady as Ht, evaluateCachedLambdaPolicy as I, pickRefLogicalId as In, toCmdArgv as It, VtlEvaluationError as J, substituteImagePlaceholders as Jn, pickFreePort as Jt, selectIntegrationResponse as K, resolveLambdaTarget as Kn, pullEcrImage as Kt, invokeRequestAuthorizer as L, resolveLambdaArnIntrinsic as Ln, writeProfileCredentialsFile as Lt, resolveServiceIntegrationParameters as M, discoverWebSocketApis as Mn, SUPPORTED_CODE_RUNTIMES as Mt, defaultCredentialsLoader as N, discoverWebSocketApisOrThrow as Nn, buildAgentCoreCodeImage as Nt, groupRoutesByServer as O, Synthesizer as On, AGENTCORE_SESSION_ID_HEADER as Ot, buildMethodArn as P, parseSelectionExpressionPath as Pn, computeCodeImageTag as Pt, ConnectionRegistry as Q, readCdkPathOrUndefined as Qn, streamLogs as Qt, invokeTokenAuthorizer as R, AGENTCORE_A2A_PROTOCOL as Rn, singleFlight as Rt, createFileWatcher as S, resolveCfnStackName as Sn, MCP_PATH as St, availableApiIdentifiers as T, resolveSsmParameters as Tn, parseSseForJsonRpc as Tt, buildRestV1Event as U, AgentCoreResolutionError as Un, architectureToPlatform as Ut, applyAuthorizerOverlay as V, AGENTCORE_MCP_PROTOCOL as Vn, invokeRie as Vt, evaluateResponseParameters as W, pickAgentCoreCandidateStack as Wn, buildContainerImage as Wt, probeHostGatewaySupport as X, matchStacks as Xn, removeContainer as Xt, HOST_GATEWAY_MIN_VERSION as Y, tryResolveImageFnJoin as Yn, pullImage as Yt, bufferToBody as Z, buildCdkPathIndex as Zn, runDetached as Zt, createLocalStartApiCommand as _, createLocalStateProvider as _n, invokeAgentCoreWs as _t, buildEcsImageResolutionContext as a, derivePartitionAndUrlSuffix as an, appOptions as ar, buildCognitoJwksUrl as at, resolveProfileCredentials as b, resolveCfnFallbackRegion as bn, a2aInvokeOnce as bt, resolveSharedSidecarCredentials as c, resolveEcsTaskTarget as cn, deprecatedRegionOption as cr, verifyCognitoJwt as ct, CloudMapRegistry as d, substituteAgainstStateAsync as dn, attachAuthorizers as dt, resolveRuntimeFileExtension as en, CdkLocalError as er, handleConnectionsRequest as et, getContainerNetworkIp as f, substituteEnvVarsFromState as fn, applyCorsResponseHeaders as ft, runEcsTask as g, LocalStateSourceError as gn, matchPreflight as gt, parseHostPortOverrides as h, materializeLayerFromArn as hn, isFunctionUrlOacFronted as ht, addCommonEcsServiceOptions as i, applyCrossStackResolverToTask as in, applyRoleArnIfSet as ir, buildMessageEvent as it, resolveSelectionExpression as j, listTargets as jn, downloadAndExtractS3Bundle as jt, readMtlsMaterialsFromDisk as k, resolveSingleTarget as kn, invokeAgentCore as kt, runEcsServiceEmulator as l, applyDeployedEnvFallback as ln, parseContextOptions as lr, verifyJwtAuthorizer as lt, createEcsRunState as m, resolveEnvVars as mn, buildCorsConfigFromCloudFrontChain as mt, resolveAlbFrontDoor as n, EcsTaskResolutionError as nn, LocalStartServiceError as nr, buildConnectEvent as nt, parseMaxTasks as o, detectEcsImageResolutionNeeds as on, commonOptions as or, buildJwksUrlFromIssuer as ot, cleanupEcsRun as p, substituteEnvVarsFromStateAsync as pn, buildCorsConfigByApiId as pt, tryParseStatus as q, derivePseudoParametersFromRegion as qn, ensureDockerAvailable as qt, MAX_TASKS_SUBNET_RANGE_CAP as r, TASK_ROLE_ACCOUNT_PLACEHOLDER as rn, withErrorHandling as rr, buildDisconnectEvent as rt, parseRestartPolicy as s, parseEcsTarget as sn, contextOptions as sr, createJwksCache as st, isApplicationLoadBalancer as t, resolveRuntimeImage as tn, LocalInvokeBuildError as tr, parseConnectionsPath as tt, buildCloudMapIndex as u, substituteAgainstState as un, warnIfDeprecatedRegion as ur, verifyJwtViaDiscovery as ut, createWatchPredicates as v, isCfnFlagPresent as vn, A2A_CONTAINER_PORT as vt, buildStageMap as w, collectSsmParameterRefs as wn, mcpInvokeOnce as wt, createAuthorizerCache as x, resolveCfnRegion as xn, MCP_CONTAINER_PORT as xt, resolveApiTargetSubset as y, rejectExplicitCfnStackWithMultipleStacks as yn, A2A_PATH as yt, matchRoute as z, AGENTCORE_AGUI_PROTOCOL as zn, AssetManifestLoader as zt };
-//# sourceMappingURL=elb-front-door-resolver-y5FicgLi.js.map
+//#region src/cli/commands/local-start-alb.ts
+/**
+* Issue #86 v1 — parse `--lb-port <listenerPort>=<hostPort>` overrides into a
+* `listenerPort -> hostPort` map. The local ALB front-door binds the listener
+* port on the host by default, but a privileged listener port (e.g. 80 / 443)
+* fails to bind as non-root on macOS, so the user opts in to a non-privileged
+* host port (e.g. `--lb-port 80=8080`). Repeatable; each value is
+* `<listenerPort>=<hostPort>` with both in 1-65535.
+*/
+function parseLbPortOverrides(values) {
+	const out = {};
+	for (const raw of values ?? []) {
+		const m = /^(\d+)=(\d+)$/.exec(raw.trim());
+		if (!m) throw new LocalStartServiceError(`Invalid --lb-port '${raw}'. Expected <listenerPort>=<hostPort> (e.g. 80=8080).`);
+		const listenerPort = Number(m[1]);
+		const hostPort = Number(m[2]);
+		for (const [label, p] of [["listener", listenerPort], ["host", hostPort]]) if (p < 1 || p > 65535) throw new LocalStartServiceError(`Invalid --lb-port '${raw}': ${label} port must be 1-65535.`);
+		out[listenerPort] = hostPort;
+	}
+	return out;
+}
+/**
+* Resolve an ALB target string (`Stack/Path` display path or `Stack:LogicalId`)
+* to its stack + `AWS::ElasticLoadBalancingV2::LoadBalancer` logical id. Mirrors
+* the ECS service resolver's target grammar.
+*/
+function resolveAlbTarget(target, stacks) {
+	if (stacks.length === 0) throw new LocalStartServiceError("No stacks found in the synthesized assembly.");
+	const parsed = parseEcsTarget(target);
+	const stack = pickStack(parsed.stackPattern, stacks, target);
+	const resources = stack.template.Resources ?? {};
+	if (parsed.isPath) {
+		const index = buildCdkPathIndex(stack.template);
+		const albs = resolveCdkPathToLogicalIds(parsed.pathOrId, index).filter(({ logicalId }) => {
+			const r = resources[logicalId];
+			return r !== void 0 && isApplicationLoadBalancer(r);
+		});
+		if (albs.length === 0) throw notFound(target, stack, resources);
+		if (albs.length > 1) throw new LocalStartServiceError(`Target '${target}' matches ${albs.length} load balancers in ${stack.stackName}: ${albs.map((a) => a.logicalId).join(", ")}. Refine the path or use the stack:LogicalId form.`);
+		return {
+			stack,
+			albLogicalId: albs[0].logicalId
+		};
+	}
+	const res = resources[parsed.pathOrId];
+	if (!res || !isApplicationLoadBalancer(res)) throw notFound(target, stack, resources);
+	return {
+		stack,
+		albLogicalId: parsed.pathOrId
+	};
+}
+function pickStack(stackPattern, stacks, target) {
+	if (stackPattern === null) {
+		if (stacks.length === 1) return stacks[0];
+		throw new LocalStartServiceError(`Target '${target}' has no stack prefix, and the assembly contains ${stacks.length} stacks: ${stacks.map((s) => s.stackName).join(", ")}. Pass it as 'Stack/Path' or 'Stack:LogicalId'.`);
+	}
+	const matched = matchStacks(stacks, [stackPattern]);
+	if (matched.length === 0) throw new LocalStartServiceError(`No stack matches '${stackPattern}'. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
+	if (matched.length > 1) throw new LocalStartServiceError(`Multiple stacks match '${stackPattern}': ${matched.map((s) => s.stackName).join(", ")}. Refine the pattern.`);
+	return matched[0];
+}
+function notFound(target, stack, resources) {
+	const albs = Object.entries(resources).filter(([, r]) => r.Type === "AWS::ElasticLoadBalancingV2::LoadBalancer").map(([logicalId]) => logicalId);
+	const available = albs.length > 0 ? ` Available load balancers in ${stack.stackName}: ${albs.join(", ")}.` : ` ${stack.stackName} declares no AWS::ElasticLoadBalancingV2::LoadBalancer resources.`;
+	return new LocalStartServiceError(`Target '${target}' did not match an application Load Balancer in ${stack.stackName}.${available}`);
+}
+/**
+* `cdkl start-alb` strategy — name the ALB, boot the ECS service(s) behind it,
+* and expose each listener via a local front-door. Mirrors how `start-api`
+* names the API and serves its backing Lambdas.
+*/
+function albStrategy(options) {
+	const lbPortOverrides = parseLbPortOverrides(options.lbPort);
+	return {
+		pickEntries: (stacks) => listTargets(stacks).loadBalancers,
+		pickerMessage: "Select one or more Application Load Balancers to run",
+		pickerNoun: "Application Load Balancers",
+		onMissing: () => new LocalStartServiceError(`${getEmbedConfig().cliName} start-alb requires at least one <target>. Pass one or more ALB paths like 'Stack/MyAlb', or run it in a TTY to pick interactively.`),
+		resolveBoots: (stacks, chosenTargets) => {
+			const warnings = [];
+			const serviceTargets = /* @__PURE__ */ new Set();
+			const listeners = [];
+			const claimedHostPorts = /* @__PURE__ */ new Map();
+			for (const albTarget of chosenTargets) {
+				const { stack, albLogicalId } = resolveAlbTarget(albTarget, stacks);
+				const resolution = resolveAlbFrontDoor(stack, albLogicalId);
+				warnings.push(...resolution.warnings);
+				const qualifyTarget = (t) => {
+					if (t.kind === "lambda") return {
+						kind: "lambda",
+						lambda: resolveLambdaTarget(`${stack.stackName}:${t.lambdaLogicalId}`, stacks),
+						targetGroupArn: `${stack.stackName}:${t.targetGroupLogicalId}`,
+						multiValueHeaders: t.multiValueHeaders,
+						weight: t.weight
+					};
+					const serviceTarget = `${stack.stackName}:${t.serviceLogicalId}`;
+					serviceTargets.add(serviceTarget);
+					return {
+						kind: "ecs",
+						serviceTarget,
+						targetContainerName: t.targetContainerName,
+						targetContainerPort: t.targetContainerPort,
+						weight: t.weight
+					};
+				};
+				const qualify = (action) => {
+					if (action.kind === "forward") return {
+						kind: "forward",
+						targets: action.targets.map(qualifyTarget)
+					};
+					if (action.kind === "redirect") return {
+						kind: "redirect",
+						statusCode: action.statusCode,
+						...action.protocol !== void 0 && { protocol: action.protocol },
+						...action.host !== void 0 && { host: action.host },
+						...action.port !== void 0 && { port: action.port },
+						...action.path !== void 0 && { path: action.path },
+						...action.query !== void 0 && { query: action.query }
+					};
+					return {
+						kind: "fixed-response",
+						statusCode: action.statusCode,
+						...action.contentType !== void 0 && { contentType: action.contentType },
+						...action.messageBody !== void 0 && { messageBody: action.messageBody }
+					};
+				};
+				for (const listener of resolution.listeners) {
+					const hostPort = lbPortOverrides[listener.listenerPort] ?? listener.listenerPort;
+					const claimedBy = claimedHostPorts.get(hostPort);
+					if (claimedBy !== void 0) {
+						warnings.push(`Listener port ${listener.listenerPort} would bind host port ${hostPort}, already claimed by listener port ${claimedBy}; the local front-door fronts only the first. Use --lb-port to remap one of them.`);
+						continue;
+					}
+					claimedHostPorts.set(hostPort, listener.listenerPort);
+					listeners.push({
+						listenerPort: listener.listenerPort,
+						hostPort,
+						protocol: listener.listenerProtocol,
+						...listener.defaultAction ? { defaultAction: qualify(listener.defaultAction) } : {},
+						...listener.defaultAuthGuard ? { defaultAuthGuard: listener.defaultAuthGuard } : {},
+						rules: listener.rules.map((r) => ({
+							priority: r.priority,
+							pathPatterns: r.pathPatterns,
+							hostPatterns: r.hostPatterns,
+							httpHeaderConditions: r.httpHeaderConditions,
+							httpRequestMethods: r.httpRequestMethods,
+							queryStringConditions: r.queryStringConditions,
+							sourceIpCidrs: r.sourceIpCidrs,
+							action: qualify(r.action),
+							...r.authGuard ? { authGuard: r.authGuard } : {}
+						}))
+					});
+				}
+			}
+			const boots = [...serviceTargets].map((target) => ({ target }));
+			const resolvedPorts = new Set(listeners.map((l) => l.listenerPort));
+			for (const portStr of Object.keys(lbPortOverrides)) {
+				const port = Number(portStr);
+				if (!resolvedPorts.has(port)) warnings.push(`--lb-port override for listener port ${port} matched no ALB listener resolved for the named target(s); it was ignored.`);
+			}
+			return {
+				boots,
+				...listeners.length > 0 ? { frontDoor: { listeners } } : {},
+				warnings
+			};
+		},
+		lbPortOverrides
+	};
+}
+/**
+* `cdkl start-alb <Stack/Alb>` — Issue #86 v1. Names an
+* `AWS::ElasticLoadBalancingV2::LoadBalancer`, discovers the ECS service(s)
+* behind its HTTP `forward` listeners, boots their replicas, and stands up a
+* local front-door on each listener port that round-robins across the replicas.
+* The symmetric ALB counterpart of `start-api`.
+*/
+function createLocalStartAlbCommand(opts = {}) {
+	setEmbedConfig(opts.embedConfig);
+	const cmd = new Command("start-alb").description("Run an Application Load Balancer locally: name the ALB, and cdk-local boots the ECS service(s) behind its listeners and stands up a local front-door on each listener port that round-robins across the running replicas and routes its listener rules across the backing services — a stable host endpoint, like behind a real load balancer. The symmetric ALB counterpart of `start-api`. Each <target> accepts a CDK display path (MyStack/MyAlb) or stack-qualified logical ID; single-stack apps may omit the stack prefix. Supports HTTP and HTTPS listeners — by default a cloud-HTTPS listener is served over plain HTTP locally (with X-Forwarded-Proto: https preserved). Pass --tls (or --tls-cert / --tls-key) to terminate TLS locally with a self-signed or user-supplied cert. All six ALB rule-condition fields are honored (path-pattern / host-header / http-header / http-request-method / query-string / source-ip); forward (single and weighted), redirect, and fixed-response actions; and ECS or Lambda targets (a Lambda target group is invoked locally via the Lambda RIE). authenticate-cognito / authenticate-oidc actions enforce a local Bearer-JWT check (or AWSELBAuthSessionCookie pass-through) against the same JWKS / OIDC discovery URL the deployed ALB would; use --bearer-token <jwt> to inject a default token or --no-verify-auth to disable the guard. Omit <targets> in an interactive terminal to multi-select the load balancers from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ElasticLoadBalancingV2::LoadBalancer resources to run (omit to multi-select interactively in a TTY)").action(withErrorHandling(async (targets, options) => {
+		await runEcsServiceEmulator(targets, options, albStrategy(options), opts.extraStateProviders);
+	}));
+	addAlbSpecificOptions(cmd);
+	return addCommonEcsServiceOptions(cmd);
+}
+/**
+* Register the option block that `start-alb` adds on top of
+* {@link addCommonEcsServiceOptions} — the flags that only make sense for an
+* ALB-fronted local emulator (front-door port mapping, TLS termination,
+* authenticate-* gating). Shared between `cdkl start-alb` and any host CLI
+* (e.g. cdkd's `local start-alb`) that wraps {@link runEcsServiceEmulator}
+* with the ALB strategy, so adding or renaming an ALB-only flag here
+* propagates to every embedder without duplicate `.addOption(...)` blocks.
+*
+* Calling order only affects `--help` presentation (Commander parses
+* insertion-order-independent). The host-CLI convention is host-specific
+* options first, then this helper, then {@link addCommonEcsServiceOptions}
+* — host flags / ALB flags / common flags grouped in three `--help`
+* clusters. Chainable: returns `cmd`.
+*/
+function addAlbSpecificOptions(cmd) {
+	return cmd.addOption(new Option("--lb-port <listenerPort=hostPort...>", "Bind the local front-door on a specific host port (e.g. 80=8080); repeatable. Default: host port == ALB listener port. Use this on macOS to remap a privileged listener port (< 1024) to a non-privileged host port.")).addOption(new Option("--tls", "Terminate TLS locally for cloud-HTTPS listeners. Default: a cloud-HTTPS listener is served over plain HTTP locally (X-Forwarded-Proto: https is preserved so the upstream app still sees the deployed listener protocol). Implied by --tls-cert / --tls-key. Use this when local-dev cookies need Secure / SameSite=None, when the upstream app inspects TLS metadata, or for mTLS / SNI testing — otherwise plain HTTP is friendlier (no self-signed cert warnings in curl / browser).")).addOption(new Option("--tls-cert <path>", "PEM-encoded server certificate for HTTPS front-door listeners. Implies --tls. Must be set together with --tls-key. Pass --tls alone (without --tls-cert / --tls-key) to auto-generate a self-signed cert (cached under $XDG_CACHE_HOME/cdk-local/alb-https/, default ~/.cache/cdk-local/alb-https/); requires openssl on PATH. The deployed Listener Certificates[] are NOT fetched (ACM private keys are not retrievable by design). The auto-generated cert lists DNS:localhost,IP:127.0.0.1 as SubjectAltName, so a client validating a non-loopback --container-host will fail the SAN check — pass --tls-cert / --tls-key with a SAN covering that host instead.")).addOption(new Option("--tls-key <path>", "PEM-encoded server private key matching --tls-cert. Implies --tls. Must be set together with --tls-cert.")).addOption(new Option("--no-verify-auth", "Disable local enforcement of authenticate-cognito / authenticate-oidc actions. Every request is served as if the auth check passed. Useful for local dev where you do not want to mint a Bearer token at all.")).addOption(new Option("--bearer-token <jwt>", "Default Bearer JWT injected as Authorization: Bearer <jwt> when the inbound request has none. Verified against the same JWKS / OIDC discovery URL the deployed ALB would (signature + iss + aud + exp). Local-dev convenience; cookie pass-through (AWSELBAuthSessionCookie-*) also works."));
+}
+//#endregion
+export { VtlEvaluationError as $, substituteImagePlaceholders as $n, pickFreePort as $t, availableApiIdentifiers as A, resolveSsmParameters as An, parseSseForJsonRpc as At, computeRequestIdentityHash as B, discoverRoutes as Bn, renderCodeDockerfile as Bt, createWatchPredicates as C, isCfnFlagPresent as Cn, A2A_CONTAINER_PORT as Ct, createFileWatcher as D, resolveCfnStackName as Dn, MCP_PATH as Dt, createAuthorizerCache as E, resolveCfnRegion as En, MCP_CONTAINER_PORT as Et, startApiServer as F, countTargets as Fn, waitForAgentCorePing as Ft, translateLambdaResponse as G, AGENTCORE_HTTP_PROTOCOL as Gn, getDockerImageBySourceHash as Gt, invokeRequestAuthorizer as H, resolveLambdaArnIntrinsic as Hn, writeProfileCredentialsFile as Ht, resolveSelectionExpression as I, listTargets as In, downloadAndExtractS3Bundle as It, buildRestV1Event as J, AgentCoreResolutionError as Jn, architectureToPlatform as Jt, applyAuthorizerOverlay as K, AGENTCORE_MCP_PROTOCOL as Kn, invokeRie as Kt, resolveServiceIntegrationParameters as L, discoverWebSocketApis as Ln, SUPPORTED_CODE_RUNTIMES as Lt, filterRoutesByApiIdentifiers as M, resolveWatchConfig as Mn, signAgentCoreInvocation as Mt, groupRoutesByServer as N, Synthesizer as Nn, AGENTCORE_SESSION_ID_HEADER as Nt, attachStageContext as O, CfnLocalStateProvider as On, MCP_PROTOCOL_VERSION as Ot, readMtlsMaterialsFromDisk as P, resolveSingleTarget as Pn, invokeAgentCore as Pt, tryParseStatus as Q, derivePseudoParametersFromRegion as Qn, ensureDockerAvailable as Qt, defaultCredentialsLoader as R, discoverWebSocketApisOrThrow as Rn, buildAgentCoreCodeImage as Rt, createLocalStartApiCommand as S, createLocalStateProvider as Sn, invokeAgentCoreWs as St, resolveProfileCredentials as T, resolveCfnFallbackRegion as Tn, a2aInvokeOnce as Tt, invokeTokenAuthorizer as U, AGENTCORE_A2A_PROTOCOL as Un, singleFlight as Ut, evaluateCachedLambdaPolicy as V, pickRefLogicalId as Vn, toCmdArgv as Vt, matchRoute as W, AGENTCORE_AGUI_PROTOCOL as Wn, AssetManifestLoader as Wt, pickResponseTemplate as X, resolveAgentCoreTarget as Xn, parseEcrUri as Xt, evaluateResponseParameters as Y, pickAgentCoreCandidateStack as Yn, buildContainerImage as Yt, selectIntegrationResponse as Z, resolveLambdaTarget as Zn, pullEcrImage as Zt, getContainerNetworkIp as _, substituteEnvVarsFromState as _n, applyCorsResponseHeaders as _t, resolveAlbTarget as a, resolveRuntimeFileExtension as an, LocalStartServiceError as ar, handleConnectionsRequest as at, parseHostPortOverrides as b, materializeLayerFromArn as bn, isFunctionUrlOacFronted as bt, MAX_TASKS_SUBNET_RANGE_CAP as c, TASK_ROLE_ACCOUNT_PLACEHOLDER as cn, appOptions as cr, buildDisconnectEvent as ct, parseMaxTasks as d, detectEcsImageResolutionNeeds as dn, deprecatedRegionOption as dr, buildJwksUrlFromIssuer as dt, pullImage as en, tryResolveImageFnJoin as er, HOST_GATEWAY_MIN_VERSION as et, parseRestartPolicy as f, parseEcsTarget as fn, parseContextOptions as fr, createJwksCache as ft, CloudMapRegistry as g, substituteAgainstStateAsync as gn, attachAuthorizers as gt, buildCloudMapIndex as h, substituteAgainstState as hn, verifyJwtViaDiscovery as ht, parseLbPortOverrides as i, resolveRuntimeCodeMountPath as in, LocalInvokeBuildError as ir, buildMgmtEndpointEnvUrl as it, filterRoutesByApiIdentifier as j, resolveApp as jn, AGENTCORE_SIGV4_SERVICE as jt, buildStageMap as k, collectSsmParameterRefs as kn, mcpInvokeOnce as kt, addCommonEcsServiceOptions as l, applyCrossStackResolverToTask as ln, commonOptions as lr, buildMessageEvent as lt, runEcsServiceEmulator as m, applyDeployedEnvFallback as mn, verifyJwtAuthorizer as mt, albStrategy as n, runDetached as nn, readCdkPathOrUndefined as nr, bufferToBody as nt, isApplicationLoadBalancer as o, resolveRuntimeImage as on, withErrorHandling as or, parseConnectionsPath as ot, resolveSharedSidecarCredentials as p, resolveEcsTaskTarget as pn, warnIfDeprecatedRegion as pr, verifyCognitoJwt as pt, buildHttpApiV2Event as q, AGENTCORE_RUNTIME_TYPE as qn, waitForRieReady as qt, createLocalStartAlbCommand as r, streamLogs as rn, CdkLocalError as rr, ConnectionRegistry as rt, resolveAlbFrontDoor as s, EcsTaskResolutionError as sn, applyRoleArnIfSet as sr, buildConnectEvent as st, addAlbSpecificOptions as t, removeContainer as tn, matchStacks as tr, probeHostGatewaySupport as tt, buildEcsImageResolutionContext as u, derivePartitionAndUrlSuffix as un, contextOptions as ur, buildCognitoJwksUrl as ut, cleanupEcsRun as v, substituteEnvVarsFromStateAsync as vn, buildCorsConfigByApiId as vt, resolveApiTargetSubset as w, rejectExplicitCfnStackWithMultipleStacks as wn, A2A_PATH as wt, runEcsTask as x, LocalStateSourceError as xn, matchPreflight as xt, createEcsRunState as y, resolveEnvVars as yn, buildCorsConfigFromCloudFrontChain as yt, buildMethodArn as z, parseSelectionExpressionPath as zn, computeCodeImageTag as zt };
+//# sourceMappingURL=local-start-alb-CIE0TMpn.js.map