cdk-local 0.69.0 → 0.71.0

package/dist/{local-list-l2_7oGHF.js → local-list-B67vK97a.js}

@@ -19182,6 +19182,143 @@ function addInvokeAgentCoreSpecificOptions(cmd) {
 	return cmd.addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--session-id <id>", "AgentCore runtime session id header value (default: a random UUID)")).addOption(new Option("--ws", "Stream over the HTTP-protocol agent's bidirectional /ws WebSocket endpoint (on 8080) instead of POST /invocations: send --event as the first frame and print every received frame to stdout until the agent closes. Ignored for an MCP runtime.").default(false)).addOption(new Option("--ws-interactive", "REPL mode for --ws: after the initial --event frame, read additional frames from stdin (one frame per line, trailing newline stripped) and send each as a text frame until stdin EOFs (Ctrl-D) or the agent closes. Only meaningful with --ws.").default(false)).addOption(new Option("--bearer-token <jwt>", "Bearer JWT to present when the runtime declares a customJwtAuthorizer. Verified against the runtime OIDC discovery URL (signature / issuer / expiry / audience) before the container starts, then forwarded to /invocations as Authorization: Bearer <jwt>.")).addOption(new Option("--no-verify-auth", "Skip inbound JWT verification even when the runtime declares a customJwtAuthorizer (local-dev escape hatch). A --bearer-token, if given, is still forwarded.")).addOption(new Option("--sigv4", "Sign the /invocations POST with AWS SigV4 (service bedrock-agentcore) using the resolved credentials, matching the cloud default when the runtime declares no customJwtAuthorizer. Opt-in: default unsigned. Mutually exclusive with --bearer-token; ignored on a JWT-protected runtime.").default(false)).addOption(new Option("--platform <platform>", "docker --platform for the agent container (linux/amd64 or linux/arm64)").choices(["linux/amd64", "linux/arm64"]).default("linux/arm64")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for the local-build path")).addOption(new Option("--no-build", "Skip docker build on the local-asset path (use the previously-built tag). No-op for the ECR / registry pull paths.")).addOption(new Option("--container-host <host>", "Host to bind the agent port to").default("127.0.0.1")).addOption(new Option("--timeout <ms>", "Per-request timeout in milliseconds. Applied to POST /invocations, POST /mcp, and the /ws open-to-close window. Raise this for long-running agent calls that exceed the default.").default(12e4).argParser(parseTimeoutMs)).addOption(new Option("--assume-role [arn]", "Assume the runtime's execution role and forward STS-issued temp credentials to the container so the agent runs with the deployed role. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) uses the runtime's RoleArn when it is a literal ARN; (3) `--no-assume-role` opts out. Off by default — the developer's shell credentials are forwarded unchanged.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Bare form uses the resolved stack name; pass an explicit value when the CFn stack name differs.")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
 }
 
+//#endregion
+//#region src/local/container-log-streamer.ts
+/**
+* Spawn `docker logs -f <containerId>` and pipe its stdout / stderr to
+* the host's `process.stdout` / `process.stderr`, prefixing every emitted
+* line with the caller-supplied `prefix`. Returns a stop function that
+* drains any unterminated tail line and SIGTERMs the streamer process —
+* idempotent + safe to call from a `finally` or shutdown handler.
+*
+* Used by `cdkl run-task` (per-container prefix `[<container-name>]`) and
+* by `cdkl start-service` / `cdkl start-alb` (per-replica prefix
+* `[svc=<service> r=<i> c=<container>]`) so application `console.log`
+* output inside a replica is visible in the foreground terminal without
+* having to attach `docker logs -f` in a separate shell. The prefix shape
+* is the caller's concern: this helper only cares about line-buffered
+* pass-through.
+*
+* **Auto re-attach on `docker restart`** (Issue #227 + #214 soft-reload):
+* the docker daemon terminates `docker logs -f` when the container's
+* PID 1 exits — so a `docker restart` (the soft-reload primitive) ends
+* the follow stream even though the container ID is preserved across the
+* restart. The streamer detects an unsolicited child-exit and re-spawns
+* `docker logs -f` with `--since 0s` so only NEW output (from the
+* post-restart PID-1) is forwarded; the v1 prelude is not re-emitted.
+* `stop()` flips an internal "stopping" flag so the re-attach loop sees
+* the intentional teardown and does not respawn.
+*
+* **Cap-reached warning** (Issue #227 review fix — Code #2): the
+* re-attach budget is bounded at 50 to defend against a permanently-
+* broken `docker logs -f` (the container was removed out from under
+* us). When the cap is hit, the streamer surfaces ONE warning line via
+* `process.stderr` naming the prefix + the manual recovery so a long-
+* running `--watch` session does not lose its foreground log surface
+* silently.
+*
+* **Dying-container respawn skip** (Issue #227 review fix — Code #4):
+* when the child exits unsolicited and the container's `State.Status`
+* is `exited` / `dead` / `removing`, the streamer does NOT respawn —
+* the natural-exit path is the service-runner's `cleanupEcsRun(...)`
+* call (~1s after the wait resolves), and a respawn against a
+* dying container is just a wasted `docker logs -f` process + a
+* spurious cap-reached tick. A `docker restart` (the soft-reload
+* primitive) leaves the container in `restarting` / `running`, so
+* the soft-reload re-attach path is preserved. Falls open: an
+* inspect error treats the container as still alive (best-effort —
+* the cap+stop() invariants stay correct either way).
+*
+* The streamer is best-effort. A spawn / pipe error is silently swallowed
+* (the parent's `docker wait` already surfaces the underlying container
+* failure with full context); the loud surface stays on the runner's exit
+* path.
+*/
+function attachContainerLogStreamer(prefix, containerId) {
+	let stopping = false;
+	let current;
+	let stdoutBuf = "";
+	let stderrBuf = "";
+	const maxReattaches = 50;
+	let reattachCount = 0;
+	let pendingRespawn;
+	const spawnOnce = (sinceArg) => {
+		const args = [
+			"logs",
+			"-f",
+			...sinceArg !== void 0 ? ["--since", sinceArg] : [],
+			containerId
+		];
+		const proc = spawn(getDockerCmd(), args, { stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		] });
+		current = proc;
+		proc.stdout?.on("data", (chunk) => {
+			stdoutBuf = writePrefixedLines(prefix, stdoutBuf + chunk.toString("utf-8"), process.stdout);
+		});
+		proc.stderr?.on("data", (chunk) => {
+			stderrBuf = writePrefixedLines(prefix, stderrBuf + chunk.toString("utf-8"), process.stderr);
+		});
+		proc.on("error", () => {});
+		proc.on("exit", () => {
+			if (stopping) return;
+			if (reattachCount >= maxReattaches) {
+				process.stderr.write(`${prefix}cdkl: docker logs -f re-attached ${maxReattaches} times; giving up. Run \`docker logs -f ${containerId}\` manually to keep watching.\n`);
+				return;
+			}
+			reattachCount += 1;
+			execFile(getDockerCmd(), [
+				"inspect",
+				"--format",
+				"{{.State.Status}}",
+				containerId
+			], (err, stdout) => {
+				if (stopping) return;
+				if (!err) {
+					const status = stdout.trim().toLowerCase();
+					if (status === "exited" || status === "dead" || status === "removing") return;
+				}
+				pendingRespawn = setTimeout(() => {
+					pendingRespawn = void 0;
+					if (stopping) return;
+					spawnOnce("0s");
+				}, 200);
+			});
+		});
+	};
+	spawnOnce(void 0);
+	return () => {
+		stopping = true;
+		if (pendingRespawn !== void 0) {
+			clearTimeout(pendingRespawn);
+			pendingRespawn = void 0;
+		}
+		if (stdoutBuf) {
+			process.stdout.write(prefix + stdoutBuf + "\n");
+			stdoutBuf = "";
+		}
+		if (stderrBuf) {
+			process.stderr.write(prefix + stderrBuf + "\n");
+			stderrBuf = "";
+		}
+		if (current && !current.killed) current.kill("SIGTERM");
+	};
+}
+/**
+* Write every complete line in `buffer` to `out`, prefixed with `prefix`.
+* Returns the trailing partial line (no `\n` yet) so the caller can
+* accumulate it with the next `data` chunk. Exported for unit tests; the
+* production callers should use {@link attachContainerLogStreamer}.
+*/
+function writePrefixedLines(prefix, buffer, out) {
+	const lines = buffer.split("\n");
+	const remainder = lines.pop() ?? "";
+	for (const line of lines) out.write(prefix + line + "\n");
+	return remainder;
+}
+
 //#endregion
 //#region src/local/ecs-network.ts
 const execFileAsync$3 = promisify(execFile);
@@ -19770,7 +19907,7 @@ async function runEcsTask(task, options, state) {
 			id,
 			container
 		});
-		if (!options.detach) state.logStoppers.push(streamContainerLogs(container.name, id));
+		if (!options.detach) state.logStoppers.push(attachContainerLogStreamer(`[${container.name}] `, id));
 	}
 	if (options.detach) return {
 		exitCode: 0,
@@ -19910,42 +20047,6 @@ function sleep$1(ms) {
 	return new Promise((res) => setTimeout(res, ms));
 }
 /**
-* Stream `docker logs -f <id>` with `[<container-name>]` prefixes on
-* every line. Returns a stop function for the caller's `finally`.
-*/
-function streamContainerLogs(containerName, containerId) {
-	const proc = spawn(getDockerCmd(), [
-		"logs",
-		"-f",
-		containerId
-	], { stdio: [
-		"ignore",
-		"pipe",
-		"pipe"
-	] });
-	const prefix = `[${containerName}] `;
-	let stdoutBuf = "";
-	let stderrBuf = "";
-	proc.stdout?.on("data", (chunk) => {
-		stdoutBuf = writePrefixed(prefix, stdoutBuf + chunk.toString("utf-8"), process.stdout);
-	});
-	proc.stderr?.on("data", (chunk) => {
-		stderrBuf = writePrefixed(prefix, stderrBuf + chunk.toString("utf-8"), process.stderr);
-	});
-	proc.on("error", () => {});
-	return () => {
-		if (stdoutBuf) process.stdout.write(prefix + stdoutBuf + "\n");
-		if (stderrBuf) process.stderr.write(prefix + stderrBuf + "\n");
-		if (!proc.killed) proc.kill("SIGTERM");
-	};
-}
-function writePrefixed(prefix, buffer, out) {
-	const lines = buffer.split("\n");
-	const remainder = lines.pop() ?? "";
-	for (const line of lines) out.write(prefix + line + "\n");
-	return remainder;
-}
-/**
 * Resolve every container's `Image` to a tag the runner can pass to
 * `docker run`. The map is keyed by container name; entries are
 * populated in parallel up to the asset-manifest bound (single
@@ -20577,6 +20678,7 @@ function extractServiceProperties(stack, serviceLogicalId, resource, stacks, con
 	const desiredCount = parseDesiredCount(props["DesiredCount"], serviceLogicalId);
 	const healthCheckGracePeriodSeconds = parseHealthCheckGrace(props["HealthCheckGracePeriodSeconds"], serviceLogicalId);
 	const serviceName = parseServiceName(props["ServiceName"], serviceLogicalId);
+	const serviceDisplayName = deriveServiceDisplayName(props["ServiceName"], serviceLogicalId, resource.Metadata);
 	if (!options?.suppressLoadBalancerWarning && Array.isArray(props["LoadBalancers"]) && props["LoadBalancers"].length > 0) {
 		const { cliName } = getEmbedConfig();
 		warnings.push(`ECS Service '${serviceLogicalId}' declares LoadBalancers, but \`${cliName} start-service\` runs the replicas only; no local listener fronts them. Reach the containers via their published ports, or run \`${cliName} start-alb <Stack>/<Alb>\` to boot the same replicas behind a local front-door that round-robins the listener rules.`);
@@ -20587,6 +20689,7 @@ function extractServiceProperties(stack, serviceLogicalId, resource, stacks, con
 		serviceLogicalId,
 		resource,
 		serviceName,
+		serviceDisplayName,
 		desiredCount,
 		healthCheckGracePeriodSeconds,
 		task,
@@ -20741,6 +20844,50 @@ function parseServiceName(raw, serviceLogicalId) {
 	return serviceLogicalId;
 }
 /**
+* Issue #227 review fix — derive a CLEAN display name for the per-replica
+* `[svc=<name> r=<i> c=<container>] ` log prefix. L2 constructs
+* (`FargateService`, `ApplicationLoadBalancedFargateService`) do NOT set
+* `ServiceName` explicitly, so the synthesized template's `ServiceName`
+* is absent and {@link parseServiceName} falls back to the
+* hash-suffixed logical id (e.g. `BackendApi5F9D8C32`). That ends up in
+* the foreground prefix as `[svc=BackendApi5F9D8C32 ...]` — noisy +
+* not what Issue #227's spec example showed.
+*
+* Resolution order (display ONLY — does NOT change `service.serviceName`):
+*   1. The explicit CFn `ServiceName` property, if the user set one.
+*   2. The last meaningful segment of the resource's `aws:cdk:path`
+*      Metadata. For a typical L2, this is the construct id the user
+*      wrote in CDK source (e.g. `AppStack/BackendApi/Service` →
+*      `BackendApi`). Trailing CDK-internal segments (`/Service`,
+*      `/Resource`, `/Default`) are stripped so the result matches the
+*      construct id the user typed, not the per-resource CFn segment.
+*   3. The `serviceLogicalId` as today's fallback when neither is
+*      available (synthetic / hand-rolled CFn).
+*
+* Pure helper — keep narrowly scoped to the log-prefix use case so
+* other call sites that rely on `service.serviceName` for awsvpc /
+* Cloud Map / discovery semantics keep their existing fallback
+* behavior.
+*/
+function deriveServiceDisplayName(rawServiceName, serviceLogicalId, metadata) {
+	if (typeof rawServiceName === "string" && rawServiceName.length > 0) return rawServiceName;
+	const cdkPath = typeof metadata?.["aws:cdk:path"] === "string" ? metadata["aws:cdk:path"] : "";
+	if (cdkPath.length > 0) {
+		const segments = cdkPath.split("/");
+		while (segments.length > 1) {
+			const tail = segments[segments.length - 1];
+			if (tail === "Service" || tail === "Resource" || tail === "Default") {
+				segments.pop();
+				continue;
+			}
+			break;
+		}
+		const tail = segments[segments.length - 1];
+		if (typeof tail === "string" && tail.length > 0) return tail;
+	}
+	return serviceLogicalId;
+}
+/**
 * Local copy of the same `pickStack` helper used by the task resolver.
 * Kept in-file rather than exported from `ecs-task-resolver.ts` so future
 * service-specific extensions (e.g. cross-stack service-to-task refs)
@@ -20887,6 +21034,22 @@ var EcsServiceRunnerError = class EcsServiceRunnerError extends Error {
 		Object.setPrototypeOf(this, EcsServiceRunnerError.prototype);
 	}
 };
+/**
+* Phase 4 (#214) — completion-log suffix the soft-reload primitive
+* emits AFTER `Soft-reloaded replica r<i> (gen <g>): ` to confirm
+* the docker restart + TCP-ready probe + Cloud Map / front-door
+* re-publish round trip is done.
+*
+* Exported so integ fixtures + unit tests can grep against the
+* canonical text instead of hand-copying the wording — a future
+* refactor that rewords this line stays detectable via the symbol
+* import instead of silently breaking every test's regex.
+*
+* Per-repo memory (#218 / test reviewer N4): log-line text is part
+* of the public contract for `--watch` integ scripts, so it earns a
+* constant.
+*/
+const SOFT_RELOAD_COMPLETION_LOG_SUFFIX = "restart + TCP-ready probe complete; Cloud Map + front-door re-published.";
 function createServiceRunState() {
 	return {
 		replicas: [],
@@ -21139,8 +21302,33 @@ async function bootReplica(service, options, instance) {
 	};
 	logger.info(`Booting replica ${instance.index} (${perReplicaCluster})`);
 	await runEcsTask(service.task, perReplicaTaskOptions, instance.state);
+	if (options.streamLogs !== false) for (const started of instance.state.startedContainers) {
+		const prefix = `[svc=${service.serviceDisplayName} r=${instance.index} c=${started.name}] `;
+		instance.state.logStoppers.push(attachContainerLogStreamer(prefix, started.id));
+	}
 	if (options.discovery) await publishReplicaToCloudMap(service, instance, options.discovery, ownerKeyPrefix);
 	if (options.frontDoor) await publishReplicaToFrontDoor(service, instance, options.frontDoor, options.taskOptions.containerHost, ownerKeyPrefix);
+	instance.lastDeployedAssetHash = pickEssentialAssetHash(service);
+}
+/**
+* Phase 4 follow-up (#218) — extract the CDK asset hash from a
+* resolved service's first essential container (with the same
+* fallback the watcher uses: first essential, else first container).
+* Returns `undefined` when the image isn't a CDK asset OR carries
+* no hash. Pure helper so the boot + rolling + soft-reload paths
+* share one source of truth for "what's running right now".
+*
+* Exported for unit tests; not part of the semver-covered public
+* surface.
+*
+* @internal
+*/
+function pickEssentialAssetHash(service) {
+	const essential = service.task.containers.find((c) => c.essential) ?? service.task.containers[0];
+	if (!essential) return void 0;
+	const image = essential.image;
+	if (image?.kind !== "cdk-asset") return void 0;
+	return image.assetHash;
 }
 /**
 * After the replica's main container is up, discover its docker
@@ -21515,6 +21703,7 @@ async function softReloadReplica(args) {
 	}
 	unregisterReplicaFromFrontDoor(instance, controllerOptions.frontDoor);
 	instance.softReloadInProgress = true;
+	instance.softReloadGeneration = (instance.softReloadGeneration ?? 0) + 1;
 	try {
 		logger.info(`Soft-reloading replica r${instance.index} (gen ${instance.generation}): docker cp ${sourceDirToCopy} -> ${targets.length} essential container(s); restart.`);
 		for (const target of targets) {
@@ -21545,7 +21734,8 @@ async function softReloadReplica(args) {
 		const ownerKeyPrefix = `${newService.serviceLogicalId}:r${instance.index}${ownerKeyGenSuffix}`;
 		if (controllerOptions.discovery) await publishReplicaToCloudMap(newService, instance, controllerOptions.discovery, ownerKeyPrefix);
 		if (controllerOptions.frontDoor) await publishReplicaToFrontDoor(newService, instance, controllerOptions.frontDoor, controllerOptions.taskOptions.containerHost, ownerKeyPrefix);
-		logger.info(`Soft-reloaded replica r${instance.index} (gen ${instance.generation}): restart + TCP-ready probe complete; Cloud Map + front-door re-published.`);
+		instance.lastDeployedAssetHash = pickEssentialAssetHash(newService);
+		logger.info(`Soft-reloaded replica r${instance.index} (gen ${instance.generation}): ${SOFT_RELOAD_COMPLETION_LOG_SUFFIX}`);
 	} finally {
 		instance.softReloadInProgress = false;
 	}
@@ -21740,6 +21930,7 @@ async function watchReplica(service, options, instance, runState) {
 			await sleep(500);
 			continue;
 		}
+		const softReloadGenBeforeWait = instance.softReloadGeneration ?? 0;
 		let exitCode;
 		try {
 			exitCode = await waitForExitImpl(essentialId);
@@ -21748,7 +21939,8 @@ async function watchReplica(service, options, instance, runState) {
 			exitCode = -1;
 		}
 		if (instance.shuttingDown || runState.shuttingDown) return;
-		if (instance.softReloadInProgress) {
+		const softReloadHappenedMidWait = (instance.softReloadGeneration ?? 0) !== softReloadGenBeforeWait;
+		if (instance.softReloadInProgress || softReloadHappenedMidWait) {
 			while (instance.softReloadInProgress && !instance.shuttingDown && !runState.shuttingDown) await sleep(100);
 			if (instance.shuttingDown || runState.shuttingDown) return;
 			continue;
@@ -22729,9 +22921,51 @@ function escapeRealmQuotes(realm) {
 }
 /** Reply 404 — an ALB listener with no matching rule and no default action. */
 function reply404(req, res, opts) {
-	writeError(res, 404, `No listener rule matched '${req.url ?? "/"}' on ${opts.label}, and the listener has no default action forwarding to a local target.`);
+	writeError(res, 404, buildNoRuleMatched404Body(req, opts));
 	return Promise.resolve();
 }
+/**
+* Build the no-rule-matched 404 body. When the call site supplied a
+* {@link StartFrontDoorServerOptions.rulesSummary}, the body lists every
+* ALB condition field that WAS evaluated (method, host, path) plus every
+* configured rule's priority + conditions + action target — so a user
+* whose request missed on, say, the Host header can spot the mismatch
+* without inspecting the synthesized template. Header conditions are
+* NOT spelled out in the evaluated section (too noisy) but ARE listed
+* in each rule's condition row when the rule constrains them. Without a
+* summary the body falls back to the original path-only shape (preserves
+* the behavior for direct callers that wire the proxy with just a
+* `selectPool` / `selectTarget`).
+*/
+function buildNoRuleMatched404Body(req, opts) {
+	const requestPath = req.url ?? "/";
+	const summary = opts.rulesSummary;
+	if (!summary) return `No listener rule matched '${requestPath}' on ${opts.label}, and the listener has no default action forwarding to a local target.`;
+	const rawHost = req.headers.host;
+	const hostValue = Array.isArray(rawHost) ? rawHost[0] : rawHost;
+	const lines = [];
+	lines.push(`No listener rule matched the request on ${opts.label}, and the listener has no default action forwarding to a local target.`);
+	lines.push("");
+	lines.push("  Evaluated:");
+	lines.push(`    Method:  ${req.method ?? "(unknown)"}`);
+	lines.push(`    Host:    ${hostValue ?? "(no Host header)"}`);
+	lines.push(`    Path:    ${requestPath}`);
+	lines.push("");
+	if (summary.length === 0) lines.push("  Listener has 0 rule(s).");
+	else {
+		lines.push(`  Listener has ${summary.length} rule(s):`);
+		const ordered = [...summary].sort((a, b) => a.priority - b.priority);
+		for (const rule of ordered) {
+			const conditions = rule.conditions.length === 0 ? "(no condition)" : rule.conditions.map(formatRuleConditionSummary).join(" AND ");
+			lines.push(`    [priority=${rule.priority}] ${conditions}  -> ${rule.action}`);
+		}
+	}
+	return lines.join("\n");
+}
+/** Format one condition row of a {@link FrontDoorRuleSummary} for the 404 body. */
+function formatRuleConditionSummary(c) {
+	return `${c.field} in [${c.values.join(", ")}]`;
+}
 function handlePoolRequest(req, res, pool, opts) {
 	return new Promise((resolve) => {
 		const endpoint = pool.next();
@@ -24239,6 +24473,13 @@ async function reloadAllServices(args) {
 * {@link AssetManifestLoader}) so the caller can fall back to rebuild
 * with a warn line that explains why the classifier couldn't run.
 */
+/**
+* @internal — exported for unit tests of the fall-through branches
+* (the 6 `return undefined` paths + the catch arm on
+* `resolveEcsServiceTarget` throw). Not part of the semver-covered
+* public surface; the only legitimate caller is `reloadAllServices`
+* inside this file.
+*/
 async function loadAssetContextForTarget(args) {
 	const { target, controller, stacks, cdkOutDir, assetLoader, logger } = args;
 	const candidate = pickCandidateStack(parseEcsTarget(target).stackPattern, stacks);
@@ -24261,8 +24502,12 @@ async function loadAssetContextForTarget(args) {
 	if (!newDockerImage.source.directory) return;
 	const newAssetSourceDir = path.resolve(cdkOutDir, newDockerImage.source.directory);
 	let oldAssetHash;
-	const oldEssential = controller.service.task.containers.find((c) => c.essential) ?? controller.service.task.containers[0];
-	if (oldEssential?.image.kind === "cdk-asset") oldAssetHash = oldEssential.image.assetHash;
+	const liveReplica = controller.runState.replicas.find((r) => !r.shuttingDown);
+	if (liveReplica?.lastDeployedAssetHash !== void 0) oldAssetHash = liveReplica.lastDeployedAssetHash;
+	else {
+		const oldEssential = controller.service.task.containers.find((c) => c.essential) ?? controller.service.task.containers[0];
+		if (oldEssential?.image.kind === "cdk-asset") oldAssetHash = oldEssential.image.assetHash;
+	}
 	return {
 		...oldAssetHash !== void 0 && { oldAssetHash },
 		newAssetHash,
@@ -24430,7 +24675,8 @@ async function resolveServiceAndRunnerOpts(boot, stacks, options, discovery, ski
 			restartPolicy: options.restartPolicy,
 			taskOptions: taskOpts,
 			discovery,
-			...frontDoorPools && frontDoorPools.length > 0 ? { frontDoor: { pools: frontDoorPools } } : {}
+			...frontDoorPools && frontDoorPools.length > 0 ? { frontDoor: { pools: frontDoorPools } } : {},
+			streamLogs: options.logs !== false
 		}
 	};
 }
@@ -24558,6 +24804,7 @@ async function buildFrontDoor(plan, options, logger) {
 			const tls = listener.protocol === "HTTPS" && wantTls ? tlsMaterials : void 0;
 			const forwardedProto = listener.protocol === "HTTPS" ? "https" : "http";
 			const degradedHttps = listener.protocol === "HTTPS" && !wantTls;
+			const rulesSummary = listener.rules.map(buildRuleSummary);
 			const server = await startFrontDoorServer({
 				route,
 				port: listener.hostPort,
@@ -24565,6 +24812,7 @@ async function buildFrontDoor(plan, options, logger) {
 				listenerPort: listener.listenerPort,
 				label: `listener port ${listener.listenerPort}`,
 				forwardedProto,
+				rulesSummary,
 				...tls ? { tls } : {}
 			});
 			servers.push(server);
@@ -24629,6 +24877,66 @@ function describeTarget(t) {
 function describeTargetShort(t) {
 	return t.kind === "lambda" ? `Lambda ${t.lambda.logicalId}` : t.serviceTarget;
 }
+/**
+* Build the per-rule summary the front-door surfaces in its no-rule-matched
+* 404 body (issue #228). One condition row per constrained ALB field, plus a
+* pre-formatted action target. Distinct from {@link describeConditions} /
+* {@link describeAction} (which produce a single-line boot-banner string) —
+* the 404 body needs the rule decomposed into its constituent fields so the
+* formatter can render `field in [values]` rows.
+*/
+function buildRuleSummary(rule) {
+	const conditions = [];
+	if (rule.pathPatterns.length > 0) conditions.push({
+		field: "path-pattern",
+		values: rule.pathPatterns
+	});
+	if (rule.hostPatterns.length > 0) conditions.push({
+		field: "host-header",
+		values: rule.hostPatterns
+	});
+	for (const h of rule.httpHeaderConditions) conditions.push({
+		field: "http-header",
+		values: [`${h.name}: ${h.values.join(", ")}`]
+	});
+	if (rule.httpRequestMethods.length > 0) conditions.push({
+		field: "http-request-method",
+		values: rule.httpRequestMethods
+	});
+	if (rule.queryStringConditions.length > 0) conditions.push({
+		field: "query-string",
+		values: rule.queryStringConditions.map(describeQueryStringCondition)
+	});
+	if (rule.sourceIpCidrs.length > 0) conditions.push({
+		field: "source-ip",
+		values: rule.sourceIpCidrs
+	});
+	return {
+		priority: rule.priority,
+		conditions,
+		action: describeRuleActionForSummary(rule.action)
+	};
+}
+/**
+* Describe a planned action for the no-rule-matched 404 body (issue #228).
+* Uses the `<ECS: ...>` / `<Lambda: ...>` shape the issue body proposes so a
+* user can read each rule's target at a glance.
+*/
+function describeRuleActionForSummary(action) {
+	if (action.kind === "redirect") return `redirect ${action.statusCode}`;
+	if (action.kind === "fixed-response") return `fixed-response ${action.statusCode}`;
+	if (action.targets.length === 1) return `forward to ${describeForwardTargetForSummary(action.targets[0])}`;
+	return `forward weighted [${action.targets.map((t) => `${describeForwardTargetForSummary(t)}@${t.weight}`).join(", ")}]`;
+}
+/**
+* One forward target named the way the 404 body shows it: `<ECS: Service>` or
+* `<Lambda: LogicalId>` — distinct from the boot-banner format (which also
+* prints the container / port / round-robin hint) so the 404 body stays
+* scannable.
+*/
+function describeForwardTargetForSummary(t) {
+	return t.kind === "lambda" ? `<Lambda: ${t.lambda.logicalId}>` : `<ECS: ${t.serviceTarget}>`;
+}
 async function resolvePlaceholderAccount(arn, region) {
 	if (!arn.includes("${AWS::AccountId}")) return arn;
 	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
@@ -24821,7 +25129,7 @@ async function resolveSharedSidecarCredentials(options) {
 * factory.
 */
 function addCommonEcsServiceOptions(cmd) {
-	cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
+	cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--no-logs", "Disable foreground streaming of each replica container stdout/stderr. By default every booted replica streams its docker logs to the host terminal with a [svc=<service> r=<replica-index> c=<container>] prefix (parity with `run-task`). Pass --no-logs for multi-replica / multi-service runs whose interleaved log volume is unreadable; `docker logs -f <id>` in a separate terminal stays available."));
 	[
 		...commonOptions(),
 		...appOptions(),
@@ -25849,5 +26157,5 @@ function addListSpecificOptions(cmd) {
 }
 
 //#endregion
-export { applyAuthorizerOverlay as $, resolveRuntimeCodeMountPath as $t, createLocalStartApiCommand as A, AGENTCORE_AGUI_PROTOCOL as An, A2A_CONTAINER_PORT as At, groupRoutesByServer as B, tryResolveImageFnJoin as Bn, AGENTCORE_SESSION_ID_HEADER as Bt, classifySourceChange as C, discoverWebSocketApis as Cn, attachAuthorizers as Ct, addInvokeAgentCoreSpecificOptions as D, pickRefLogicalId as Dn, isFunctionUrlOacFronted as Dt, createLocalRunTaskCommand as E, discoverRoutes as En, buildCorsConfigFromCloudFrontChain as Et, attachStageContext as F, pickAgentCoreCandidateStack as Fn, MCP_PROTOCOL_VERSION as Ft, defaultCredentialsLoader as G, buildAgentCoreCodeImage as Gt, startApiServer as H, waitForAgentCorePing as Ht, buildStageMap as I, resolveAgentCoreTarget as In, mcpInvokeOnce as It, evaluateCachedLambdaPolicy as J, toCmdArgv as Jt, buildMethodArn as K, computeCodeImageTag as Kt, availableApiIdentifiers as L, derivePseudoParametersFromRegion as Ln, parseSseForJsonRpc as Lt, resolveApiTargetSubset as M, AGENTCORE_MCP_PROTOCOL as Mn, a2aInvokeOnce as Mt, createAuthorizerCache as N, AGENTCORE_RUNTIME_TYPE as Nn, MCP_CONTAINER_PORT as Nt, createLocalInvokeAgentCoreCommand as O, resolveLambdaArnIntrinsic as On, matchPreflight as Ot, createFileWatcher as P, AgentCoreResolutionError as Pn, MCP_PATH as Pt, translateLambdaResponse as Q, buildContainerImage as Qt, filterRoutesByApiIdentifier as R, formatStateRemedy as Rn, AGENTCORE_SIGV4_SERVICE as Rt, CloudMapRegistry as S, listTargets as Sn, verifyJwtViaDiscovery as St, addRunTaskSpecificOptions as T, parseSelectionExpressionPath as Tn, buildCorsConfigByApiId as Tt, resolveSelectionExpression as U, downloadAndExtractS3Bundle as Ut, readMtlsMaterialsFromDisk as V, LocalInvokeBuildError as Vn, invokeAgentCore as Vt, resolveServiceIntegrationParameters as W, SUPPORTED_CODE_RUNTIMES as Wt, invokeTokenAuthorizer as X, createLocalInvokeCommand as Xt, invokeRequestAuthorizer as Y, addInvokeSpecificOptions as Yt, matchRoute as Z, architectureToPlatform as Zt, parseMaxTasks as _, collectSsmParameterRefs as _n, buildCognitoJwksUrl as _t, albStrategy as a, substituteEnvVarsFromState as an, tryParseStatus as at, runEcsServiceEmulator as b, resolveSingleTarget as bn, verifyCognitoJwt as bt, resolveAlbTarget as c, materializeLayerFromArn as cn, probeHostGatewaySupport as ct, addStartServiceSpecificOptions as d, isCfnFlagPresent as dn, buildMgmtEndpointEnvUrl as dt, resolveRuntimeFileExtension as en, buildHttpApiV2Event as et, createLocalStartServiceCommand as f, rejectExplicitCfnStackWithMultipleStacks as fn, handleConnectionsRequest as ft, buildEcsImageResolutionContext as g, CfnLocalStateProvider as gn, buildMessageEvent as gt, addCommonEcsServiceOptions as h, resolveCfnStackName as hn, buildDisconnectEvent as ht, addAlbSpecificOptions as i, substituteAgainstStateAsync as in, selectIntegrationResponse as it, createWatchPredicates as j, AGENTCORE_HTTP_PROTOCOL as jn, A2A_PATH as jt, addStartApiSpecificOptions as k, AGENTCORE_A2A_PROTOCOL as kn, invokeAgentCoreWs as kt, isApplicationLoadBalancer as l, LocalStateSourceError as ln, bufferToBody as lt, MAX_TASKS_SUBNET_RANGE_CAP as m, resolveCfnRegion as mn, buildConnectEvent as mt, createLocalListCommand as n, EcsTaskResolutionError as nn, evaluateResponseParameters as nt, createLocalStartAlbCommand as o, substituteEnvVarsFromStateAsync as on, VtlEvaluationError as ot, serviceStrategy as p, resolveCfnFallbackRegion as pn, parseConnectionsPath as pt, computeRequestIdentityHash as q, renderCodeDockerfile as qt, formatTargetListing as r, substituteAgainstState as rn, pickResponseTemplate as rt, parseLbPortOverrides as s, resolveEnvVars as sn, HOST_GATEWAY_MIN_VERSION as st, addListSpecificOptions as t, resolveRuntimeImage as tn, buildRestV1Event as tt, resolveAlbFrontDoor as u, createLocalStateProvider as un, ConnectionRegistry as ut, parseRestartPolicy as v, resolveSsmParameters as vn, buildJwksUrlFromIssuer as vt, getContainerNetworkIp as w, discoverWebSocketApisOrThrow as wn, applyCorsResponseHeaders as wt, buildCloudMapIndex as x, countTargets as xn, verifyJwtAuthorizer as xt, resolveSharedSidecarCredentials as y, resolveWatchConfig as yn, createJwksCache as yt, filterRoutesByApiIdentifiers as z, substituteImagePlaceholders as zn, signAgentCoreInvocation as zt };
-//# sourceMappingURL=local-list-l2_7oGHF.js.map
+export { matchRoute as $, architectureToPlatform as $t, createLocalInvokeAgentCoreCommand as A, resolveLambdaArnIntrinsic as An, matchPreflight as At, filterRoutesByApiIdentifier as B, formatStateRemedy as Bn, AGENTCORE_SIGV4_SERVICE as Bt, classifySourceChange as C, countTargets as Cn, verifyJwtAuthorizer as Ct, createLocalRunTaskCommand as D, parseSelectionExpressionPath as Dn, buildCorsConfigByApiId as Dt, addRunTaskSpecificOptions as E, discoverWebSocketApisOrThrow as En, applyCorsResponseHeaders as Et, createAuthorizerCache as F, AGENTCORE_RUNTIME_TYPE as Fn, MCP_CONTAINER_PORT as Ft, resolveSelectionExpression as G, downloadAndExtractS3Bundle as Gt, groupRoutesByServer as H, tryResolveImageFnJoin as Hn, AGENTCORE_SESSION_ID_HEADER as Ht, createFileWatcher as I, AgentCoreResolutionError as In, MCP_PATH as It, buildMethodArn as J, computeCodeImageTag as Jt, resolveServiceIntegrationParameters as K, SUPPORTED_CODE_RUNTIMES as Kt, attachStageContext as L, pickAgentCoreCandidateStack as Ln, MCP_PROTOCOL_VERSION as Lt, createLocalStartApiCommand as M, AGENTCORE_AGUI_PROTOCOL as Mn, A2A_CONTAINER_PORT as Mt, createWatchPredicates as N, AGENTCORE_HTTP_PROTOCOL as Nn, A2A_PATH as Nt, attachContainerLogStreamer as O, discoverRoutes as On, buildCorsConfigFromCloudFrontChain as Ot, resolveApiTargetSubset as P, AGENTCORE_MCP_PROTOCOL as Pn, a2aInvokeOnce as Pt, invokeTokenAuthorizer as Q, createLocalInvokeCommand as Qt, buildStageMap as R, resolveAgentCoreTarget as Rn, mcpInvokeOnce as Rt, CloudMapRegistry as S, resolveSingleTarget as Sn, verifyCognitoJwt as St, getContainerNetworkIp as T, discoverWebSocketApis as Tn, attachAuthorizers as Tt, readMtlsMaterialsFromDisk as U, LocalInvokeBuildError as Un, invokeAgentCore as Ut, filterRoutesByApiIdentifiers as V, substituteImagePlaceholders as Vn, signAgentCoreInvocation as Vt, startApiServer as W, waitForAgentCorePing as Wt, evaluateCachedLambdaPolicy as X, toCmdArgv as Xt, computeRequestIdentityHash as Y, renderCodeDockerfile as Yt, invokeRequestAuthorizer as Z, addInvokeSpecificOptions as Zt, parseMaxTasks as _, resolveCfnStackName as _n, buildDisconnectEvent as _t, albStrategy as a, substituteAgainstState as an, pickResponseTemplate as at, runEcsServiceEmulator as b, resolveSsmParameters as bn, buildJwksUrlFromIssuer as bt, resolveAlbTarget as c, substituteEnvVarsFromStateAsync as cn, VtlEvaluationError as ct, addStartServiceSpecificOptions as d, LocalStateSourceError as dn, bufferToBody as dt, buildContainerImage as en, translateLambdaResponse as et, createLocalStartServiceCommand as f, createLocalStateProvider as fn, ConnectionRegistry as ft, buildEcsImageResolutionContext as g, resolveCfnRegion as gn, buildConnectEvent as gt, addCommonEcsServiceOptions as h, resolveCfnFallbackRegion as hn, parseConnectionsPath as ht, addAlbSpecificOptions as i, EcsTaskResolutionError as in, evaluateResponseParameters as it, addStartApiSpecificOptions as j, AGENTCORE_A2A_PROTOCOL as jn, invokeAgentCoreWs as jt, addInvokeAgentCoreSpecificOptions as k, pickRefLogicalId as kn, isFunctionUrlOacFronted as kt, isApplicationLoadBalancer as l, resolveEnvVars as ln, HOST_GATEWAY_MIN_VERSION as lt, MAX_TASKS_SUBNET_RANGE_CAP as m, rejectExplicitCfnStackWithMultipleStacks as mn, handleConnectionsRequest as mt, createLocalListCommand as n, resolveRuntimeFileExtension as nn, buildHttpApiV2Event as nt, createLocalStartAlbCommand as o, substituteAgainstStateAsync as on, selectIntegrationResponse as ot, serviceStrategy as p, isCfnFlagPresent as pn, buildMgmtEndpointEnvUrl as pt, defaultCredentialsLoader as q, buildAgentCoreCodeImage as qt, formatTargetListing as r, resolveRuntimeImage as rn, buildRestV1Event as rt, parseLbPortOverrides as s, substituteEnvVarsFromState as sn, tryParseStatus as st, addListSpecificOptions as t, resolveRuntimeCodeMountPath as tn, applyAuthorizerOverlay as tt, resolveAlbFrontDoor as u, materializeLayerFromArn as un, probeHostGatewaySupport as ut, parseRestartPolicy as v, CfnLocalStateProvider as vn, buildMessageEvent as vt, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as w, listTargets as wn, verifyJwtViaDiscovery as wt, buildCloudMapIndex as x, resolveWatchConfig as xn, createJwksCache as xt, resolveSharedSidecarCredentials as y, collectSsmParameterRefs as yn, buildCognitoJwksUrl as yt, availableApiIdentifiers as z, derivePseudoParametersFromRegion as zn, parseSseForJsonRpc as zt };
+//# sourceMappingURL=local-list-B67vK97a.js.map