cdk-local 0.73.0 → 0.73.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/cli.js +2 -2
- package/dist/index.d.ts +1 -1
- package/dist/index.js +1 -1
- package/dist/internal.d.ts +2 -2
- package/dist/internal.d.ts.map +1 -1
- package/dist/internal.js +1 -1
- package/dist/{local-list-8PbawOd2.d.ts → local-list-BUY3Tweh.d.ts} +7 -6
- package/dist/{local-list-8PbawOd2.d.ts.map → local-list-BUY3Tweh.d.ts.map} +1 -1
- package/dist/{local-list-Ch0RglJl.js → local-list-Cj96dZzK.js} +101 -52
- package/dist/local-list-Cj96dZzK.js.map +1 -0
- package/package.json +1 -1
- package/dist/local-list-Ch0RglJl.js.map +0 -1
|
@@ -2029,11 +2029,14 @@ function applyResponseParameters(base, responseParameters, responseCtx) {
|
|
|
2029
2029
|
continue;
|
|
2030
2030
|
}
|
|
2031
2031
|
const headerMatch = /^(append|overwrite|remove):header\.(.+)$/i.exec(key);
|
|
2032
|
-
if (!headerMatch || !headerMatch[1] || !headerMatch[2])
|
|
2032
|
+
if (!headerMatch || !headerMatch[1] || !headerMatch[2]) {
|
|
2033
|
+
logger.warn(`ResponseParameters: key '${key}' does not match the expected shape '(append|overwrite|remove):header.<name>' or 'overwrite:statuscode'; the value was dropped. Check for typos (e.g. 'appen:' vs 'append:').`);
|
|
2034
|
+
continue;
|
|
2035
|
+
}
|
|
2033
2036
|
const op = headerMatch[1].toLowerCase();
|
|
2034
2037
|
const name = headerMatch[2].toLowerCase();
|
|
2035
2038
|
if (isReservedHeader(name)) {
|
|
2036
|
-
logger.
|
|
2039
|
+
logger.warn(`ResponseParameters: header '${name}' is reserved by API Gateway and was skipped`);
|
|
2037
2040
|
continue;
|
|
2038
2041
|
}
|
|
2039
2042
|
if (op === "remove") delete headers[name];
|
|
@@ -8488,7 +8491,7 @@ function createLocalInvokeCommand(opts = {}) {
|
|
|
8488
8491
|
* `--help` clusters. Chainable: returns `cmd`.
|
|
8489
8492
|
*/
|
|
8490
8493
|
function addInvokeSpecificOptions(cmd) {
|
|
8491
|
-
return cmd.addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull
|
|
8494
|
+
return cmd.addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull. Semantics differ by code path: ZIP Lambdas skip pulling the public Lambda base image; Container Lambdas on the local-build path are a no-op (docker build does not refresh the FROM cache by default); Container Lambdas on the ECR-pull fallback skip docker pull AND error if the image is not in the local cache (re-run without --no-pull or pre-pull manually).")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from state (requires an active state source); (3) `--no-assume-role` explicitly opts out. Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers. Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name; pass an explicit value when CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
|
|
8492
8495
|
}
|
|
8493
8496
|
|
|
8494
8497
|
//#endregion
|
|
@@ -10154,6 +10157,30 @@ function shortJson(value) {
|
|
|
10154
10157
|
|
|
10155
10158
|
//#endregion
|
|
10156
10159
|
//#region src/local/cognito-jwt.ts
|
|
10160
|
+
/**
|
|
10161
|
+
* Re-emit window for unreachable-endpoint warns. 5 minutes is short enough
|
|
10162
|
+
* the user notices the degraded state on a normal `--watch` session, long
|
|
10163
|
+
* enough not to spam the log on every request when the upstream IdP is down.
|
|
10164
|
+
*/
|
|
10165
|
+
const WARN_REEMIT_INTERVAL_MS = 300 * 1e3;
|
|
10166
|
+
/**
|
|
10167
|
+
* Returns true iff `key`'s last warn timestamp is older than
|
|
10168
|
+
* {@link WARN_REEMIT_INTERVAL_MS} (or has never been recorded). When true,
|
|
10169
|
+
* `warnedAt[key]` is updated to `now` as a side effect so the next call
|
|
10170
|
+
* within the window returns false.
|
|
10171
|
+
*
|
|
10172
|
+
* Callers that omit `warnedAt` (the per-AuthCheck local fallback in tests
|
|
10173
|
+
* and the no-dedup branch in shape-only call sites) get a no-op true on
|
|
10174
|
+
* every call.
|
|
10175
|
+
*/
|
|
10176
|
+
function shouldWarn(key, warnedAt, now) {
|
|
10177
|
+
if (!warnedAt) return true;
|
|
10178
|
+
const last = warnedAt.get(key);
|
|
10179
|
+
const t = now();
|
|
10180
|
+
if (last !== void 0 && t - last < 3e5) return false;
|
|
10181
|
+
warnedAt.set(key, t);
|
|
10182
|
+
return true;
|
|
10183
|
+
}
|
|
10157
10184
|
const DEFAULT_JWKS_TTL_MS = 3600 * 1e3;
|
|
10158
10185
|
/**
|
|
10159
10186
|
* Failure-mode TTL for JWKS-unreachable entries. Pre-fix the failure
|
|
@@ -10300,7 +10327,7 @@ async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts
|
|
|
10300
10327
|
identityHash,
|
|
10301
10328
|
ttlSeconds: 0
|
|
10302
10329
|
};
|
|
10303
|
-
return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, void 0, void 0, jwksCache, opts.
|
|
10330
|
+
return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, void 0, void 0, jwksCache, opts.warnedAt, now);
|
|
10304
10331
|
}
|
|
10305
10332
|
/**
|
|
10306
10333
|
* Verify a Bearer JWT against an HTTP v2 JWT authorizer's `JwtConfiguration`.
|
|
@@ -10313,7 +10340,7 @@ async function verifyJwtAuthorizer(authorizer, authorizationHeader, jwksCache, o
|
|
|
10313
10340
|
identityHash: void 0,
|
|
10314
10341
|
ttlSeconds: 0
|
|
10315
10342
|
};
|
|
10316
|
-
return verifyAndShape(token, authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer), authorizer.issuer.replace(/\/+$/, ""), authorizer.audience, void 0, void 0, jwksCache, opts.
|
|
10343
|
+
return verifyAndShape(token, authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer), authorizer.issuer.replace(/\/+$/, ""), authorizer.audience, void 0, void 0, jwksCache, opts.warnedAt, now);
|
|
10317
10344
|
}
|
|
10318
10345
|
/**
|
|
10319
10346
|
* Verify a Bearer JWT against an OIDC-discovery-URL authorizer (Bedrock
|
|
@@ -10349,10 +10376,7 @@ async function verifyJwtViaDiscovery(authorizer, authorizationHeader, jwksCache,
|
|
|
10349
10376
|
issuer = doc.issuer;
|
|
10350
10377
|
jwksUri = doc.jwks_uri;
|
|
10351
10378
|
} catch (err) {
|
|
10352
|
-
if (opts.
|
|
10353
|
-
opts.warned.add(authorizer.discoveryUrl);
|
|
10354
|
-
getLogger().child("cognito-jwt").warn(`OIDC discovery unreachable at ${authorizer.discoveryUrl}: ${err instanceof Error ? err.message : String(err)}. Token accepted without verification — local dev fallback.`);
|
|
10355
|
-
}
|
|
10379
|
+
if (shouldWarn(authorizer.discoveryUrl, opts.warnedAt, now)) getLogger().child("cognito-jwt").warn(`OIDC discovery unreachable at ${authorizer.discoveryUrl}: ${err instanceof Error ? err.message : String(err)}. Token accepted without verification — local dev fallback.`);
|
|
10356
10380
|
const identityHash = buildIdentityHash([token]);
|
|
10357
10381
|
const parsed = parseJwt(token);
|
|
10358
10382
|
if (parsed) return shapeAllowResult(parsed, identityHash, now);
|
|
@@ -10365,16 +10389,13 @@ async function verifyJwtViaDiscovery(authorizer, authorizationHeader, jwksCache,
|
|
|
10365
10389
|
};
|
|
10366
10390
|
}
|
|
10367
10391
|
const allowlist = [...authorizer.allowedAudience ?? [], ...authorizer.allowedClients ?? []];
|
|
10368
|
-
return verifyAndShape(token, jwksUri, issuer.replace(/\/+$/, ""), allowlist.length > 0 ? allowlist : void 0, authorizer.allowedScopes, authorizer.customClaims, jwksCache, opts.
|
|
10392
|
+
return verifyAndShape(token, jwksUri, issuer.replace(/\/+$/, ""), allowlist.length > 0 ? allowlist : void 0, authorizer.allowedScopes, authorizer.customClaims, jwksCache, opts.warnedAt, now);
|
|
10369
10393
|
}
|
|
10370
|
-
async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, requiredScopes, customClaims, jwksCache,
|
|
10394
|
+
async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, requiredScopes, customClaims, jwksCache, warnedAt, now) {
|
|
10371
10395
|
const identityHash = buildIdentityHash([token]);
|
|
10372
10396
|
const jwks = await jwksCache.fetchAndCache(jwksUrl);
|
|
10373
10397
|
if (jwks.passThrough) {
|
|
10374
|
-
if (
|
|
10375
|
-
warned.add(jwksUrl);
|
|
10376
|
-
getLogger().child("cognito-jwt").warn(`JWKS pass-through mode for ${jwksUrl}: token accepted without signature verification.`);
|
|
10377
|
-
}
|
|
10398
|
+
if (shouldWarn(jwksUrl, warnedAt, now)) getLogger().child("cognito-jwt").warn(`JWKS pass-through mode for ${jwksUrl}: token accepted without signature verification.`);
|
|
10378
10399
|
const parsed = parseJwt(token);
|
|
10379
10400
|
if (parsed) return shapeAllowResult(parsed, identityHash, now);
|
|
10380
10401
|
return {
|
|
@@ -11196,7 +11217,7 @@ function attachWebSocketServer(opts) {
|
|
|
11196
11217
|
try {
|
|
11197
11218
|
ws.close(1008, "Forbidden");
|
|
11198
11219
|
} catch {}
|
|
11199
|
-
logger.
|
|
11220
|
+
logger.info(`WebSocket $connect denied for connection ${connectionId} on ${cfg.api.declaredAt} — authorizer returned a non-allow verdict. Client was closed with code 1008.`);
|
|
11200
11221
|
return;
|
|
11201
11222
|
}
|
|
11202
11223
|
}
|
|
@@ -14604,21 +14625,21 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
|
|
|
14604
14625
|
try {
|
|
14605
14626
|
parsed = parseAuthorizationHeader(authHeader);
|
|
14606
14627
|
} catch (err) {
|
|
14607
|
-
logger.
|
|
14628
|
+
logger.info(`AWS_IAM authorizer: rejecting request — malformed Authorization header (${err instanceof Error ? err.message : String(err)}). Expected shape: 'AWS4-HMAC-SHA256 Credential=<AKID>/<YYYYMMDD>/<region>/<service>/aws4_request, SignedHeaders=<h1>;<h2>;..., Signature=<hex>'.`);
|
|
14608
14629
|
return {
|
|
14609
14630
|
allow: false,
|
|
14610
14631
|
identityHash: void 0
|
|
14611
14632
|
};
|
|
14612
14633
|
}
|
|
14613
14634
|
if (parsed.algorithm !== "AWS4-HMAC-SHA256") {
|
|
14614
|
-
logger.
|
|
14635
|
+
logger.info(`AWS_IAM authorizer: rejecting request — unsupported Authorization algorithm '${parsed.algorithm}'. Expected 'AWS4-HMAC-SHA256'.`);
|
|
14615
14636
|
return {
|
|
14616
14637
|
allow: false,
|
|
14617
14638
|
identityHash: void 0
|
|
14618
14639
|
};
|
|
14619
14640
|
}
|
|
14620
14641
|
if (parsed.credentialTerminator !== "aws4_request") {
|
|
14621
|
-
logger.
|
|
14642
|
+
logger.info(`AWS_IAM authorizer: rejecting request — invalid credential-scope terminator '${parsed.credentialTerminator}'. Expected 'aws4_request' (the last '/' segment of the Credential= value).`);
|
|
14622
14643
|
return {
|
|
14623
14644
|
allow: false,
|
|
14624
14645
|
identityHash: void 0
|
|
@@ -14626,21 +14647,22 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
|
|
|
14626
14647
|
}
|
|
14627
14648
|
const amzDate = pickHeader(req.headers, "x-amz-date") ?? pickHeader(req.headers, "date");
|
|
14628
14649
|
if (!amzDate) {
|
|
14629
|
-
logger.
|
|
14650
|
+
logger.info("AWS_IAM authorizer: rejecting request — missing x-amz-date / date header. Expected ISO-8601 basic 'YYYYMMDDTHHMMSSZ' in 'x-amz-date' (AWS SDK default) or RFC 1123 in 'date' (curl --aws-sigv4).");
|
|
14630
14651
|
return {
|
|
14631
14652
|
allow: false,
|
|
14632
14653
|
identityHash: void 0
|
|
14633
14654
|
};
|
|
14634
14655
|
}
|
|
14635
14656
|
if (!validateAmzDateMatchesCredentialDate(amzDate, parsed.credentialDate)) {
|
|
14636
|
-
logger.
|
|
14657
|
+
logger.info(`AWS_IAM authorizer: rejecting request — x-amz-date '${amzDate}' does not match credential-scope date '${parsed.credentialDate}'. The 'YYYYMMDD' prefix of x-amz-date must equal the date segment of Credential=<AKID>/<YYYYMMDD>/...`);
|
|
14637
14658
|
return {
|
|
14638
14659
|
allow: false,
|
|
14639
14660
|
identityHash: void 0
|
|
14640
14661
|
};
|
|
14641
14662
|
}
|
|
14642
|
-
|
|
14643
|
-
|
|
14663
|
+
const now = (opts.now ?? (() => /* @__PURE__ */ new Date()))();
|
|
14664
|
+
if (amzDateOutsideSkew(amzDate, now)) {
|
|
14665
|
+
logger.info(`AWS_IAM authorizer: rejecting request — x-amz-date '${amzDate}' is outside the 15-minute clock-skew window (local now=${now.toISOString()}). Re-sign the request with the current time or sync the local clock.`);
|
|
14644
14666
|
return {
|
|
14645
14667
|
allow: false,
|
|
14646
14668
|
identityHash: void 0
|
|
@@ -14692,7 +14714,7 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
|
|
|
14692
14714
|
}
|
|
14693
14715
|
const recomputed = computeSignature(req, parsed, local.secretAccessKey, amzDate);
|
|
14694
14716
|
if (!constantTimeEqual(recomputed, parsed.signature)) {
|
|
14695
|
-
logger.
|
|
14717
|
+
logger.info(`AWS_IAM authorizer: rejecting request — Signature= mismatch (recomputed '${recomputed}', got '${parsed.signature}'). The request was signed with the expected access-key-id but the HMAC does not verify — check the SignedHeaders list, request body, and canonical-request normalization on the signer side.`);
|
|
14696
14718
|
return {
|
|
14697
14719
|
allow: false,
|
|
14698
14720
|
identityHash: void 0
|
|
@@ -15669,7 +15691,7 @@ async function runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, re
|
|
|
15669
15691
|
denyKind: "policy-deny"
|
|
15670
15692
|
};
|
|
15671
15693
|
const authHeader = headers["authorization"];
|
|
15672
|
-
const jwksOpts = { ...opts.
|
|
15694
|
+
const jwksOpts = { ...opts.jwksWarnedAt && { warnedAt: opts.jwksWarnedAt } };
|
|
15673
15695
|
if (authorizer.kind === "cognito") {
|
|
15674
15696
|
if (cache && authHeader !== void 0) {
|
|
15675
15697
|
const cached = cache.get(authorizer.logicalId, hashOne(authHeader));
|
|
@@ -16494,10 +16516,13 @@ const DEFAULT_DEBOUNCE_MS = 500;
|
|
|
16494
16516
|
* (chokidar starts listening before this function returns); the
|
|
16495
16517
|
* caller does not need to `await` ready.
|
|
16496
16518
|
*
|
|
16497
|
-
* Errors from chokidar (typically "ENOENT: path doesn't exist"
|
|
16498
|
-
*
|
|
16499
|
-
*
|
|
16500
|
-
* goes missing during a
|
|
16519
|
+
* Errors from chokidar (typically "ENOENT: path doesn't exist", or
|
|
16520
|
+
* EMFILE on macOS when watching a deep tree) are logged at WARN and
|
|
16521
|
+
* otherwise swallowed — the start-api server should keep serving even
|
|
16522
|
+
* when one of the watched asset directories goes missing during a
|
|
16523
|
+
* reload, but the user gets a visible signal that `--watch` may have
|
|
16524
|
+
* stopped firing so they don't sit there waiting for a reload that
|
|
16525
|
+
* will never come.
|
|
16501
16526
|
*/
|
|
16502
16527
|
function createFileWatcher(options) {
|
|
16503
16528
|
const logger = getLogger().child("start-api-watch");
|
|
@@ -16537,7 +16562,7 @@ function createFileWatcher(options) {
|
|
|
16537
16562
|
watcher.on("change", onEvent);
|
|
16538
16563
|
watcher.on("unlink", onEvent);
|
|
16539
16564
|
watcher.on("error", (err) => {
|
|
16540
|
-
logger.
|
|
16565
|
+
logger.warn(`chokidar error: ${err instanceof Error ? err.message : String(err)}. --watch may be degraded for the remainder of this session — file changes may no longer trigger reloads. Restart cdkl to recover.`);
|
|
16541
16566
|
});
|
|
16542
16567
|
return { close: async () => {
|
|
16543
16568
|
closed = true;
|
|
@@ -16625,7 +16650,7 @@ async function localStartApiCommand(targets, options, extraStateProviders) {
|
|
|
16625
16650
|
let profileCredsFile;
|
|
16626
16651
|
const authorizerCache = createAuthorizerCache();
|
|
16627
16652
|
const jwksCache = createJwksCache();
|
|
16628
|
-
const
|
|
16653
|
+
const jwksWarnedAt = /* @__PURE__ */ new Map();
|
|
16629
16654
|
let sigV4CredentialsLoader;
|
|
16630
16655
|
const sigV4WarnedForeignIds = /* @__PURE__ */ new Set();
|
|
16631
16656
|
const fromCfnTipEmitted = { value: false };
|
|
@@ -16802,7 +16827,7 @@ async function localStartApiCommand(targets, options, extraStateProviders) {
|
|
|
16802
16827
|
port: basePort === 0 ? 0 : nextPort,
|
|
16803
16828
|
authorizerCache,
|
|
16804
16829
|
jwksCache,
|
|
16805
|
-
|
|
16830
|
+
jwksWarnedAt,
|
|
16806
16831
|
sigV4CredentialsLoader,
|
|
16807
16832
|
sigV4WarnedForeignIds,
|
|
16808
16833
|
sigV4Strict: options.strictSigv4 === true,
|
|
@@ -16849,7 +16874,7 @@ async function localStartApiCommand(targets, options, extraStateProviders) {
|
|
|
16849
16874
|
port: basePort === 0 ? 0 : nextPort,
|
|
16850
16875
|
authorizerCache,
|
|
16851
16876
|
jwksCache,
|
|
16852
|
-
|
|
16877
|
+
jwksWarnedAt,
|
|
16853
16878
|
sigV4WarnedForeignIds,
|
|
16854
16879
|
sigV4Strict: options.strictSigv4 === true,
|
|
16855
16880
|
preDispatch: async (req, res) => {
|
|
@@ -18544,7 +18569,7 @@ async function resolveInboundAuthorization(resolved, options) {
|
|
|
18544
18569
|
...authorizer.allowedClients && { allowedClients: authorizer.allowedClients },
|
|
18545
18570
|
...authorizer.allowedScopes && { allowedScopes: authorizer.allowedScopes },
|
|
18546
18571
|
...authorizer.customClaims && { customClaims: authorizer.customClaims }
|
|
18547
|
-
}, header, createJwksCache(), {
|
|
18572
|
+
}, header, createJwksCache(), { warnedAt: /* @__PURE__ */ new Map() })).allow) throw new CdkLocalError(`Inbound JWT rejected by the runtime's customJwtAuthorizer (signature / issuer / expiry / audience check failed against ${authorizer.discoveryUrl}).`, "LOCAL_INVOKE_AGENTCORE_AUTH_DENIED");
|
|
18548
18573
|
logger.info(`Inbound JWT verified against ${authorizer.discoveryUrl}.`);
|
|
18549
18574
|
return header;
|
|
18550
18575
|
}
|
|
@@ -19151,7 +19176,7 @@ function readEnvOverridesFile$2(filePath) {
|
|
|
19151
19176
|
}
|
|
19152
19177
|
function createLocalInvokeAgentCoreCommand(opts = {}) {
|
|
19153
19178
|
setEmbedConfig(opts.embedConfig);
|
|
19154
|
-
const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080)
|
|
19179
|
+
const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080; SSE / WebSocket are HTTP wire-shape variants on the same port), MCP (POST /mcp Streamable HTTP on 8000), A2A, or AGUI. Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact and the CodeConfiguration managed-runtime artifact (fromCodeAsset, built from source) on all four protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").action(withErrorHandling(async (target, options) => {
|
|
19155
19180
|
await localInvokeAgentCoreCommand(target, options, opts.extraStateProviders);
|
|
19156
19181
|
}));
|
|
19157
19182
|
addInvokeAgentCoreSpecificOptions(cmd);
|
|
@@ -20640,7 +20665,7 @@ function createLocalRunTaskCommand(opts = {}) {
|
|
|
20640
20665
|
* surface non-trivially. Each command keeps its own helper.
|
|
20641
20666
|
*/
|
|
20642
20667
|
function addRunTaskSpecificOptions(cmd) {
|
|
20643
|
-
return cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--host-port <containerPort=hostPort...>", "Publish a container port on a specific host port (e.g. 80=8080); repeatable. Default: host port == container port. Use this on macOS to map a privileged container port (< 1024) to a non-privileged host port and avoid the Docker Desktop admin-password prompt.")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped
|
|
20668
|
+
return cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--host-port <containerPort=hostPort...>", "Publish a container port on a specific host port (e.g. 80=8080); repeatable. Default: host port == container port. Use this on macOS to map a privileged container port (< 1024) to a non-privileged host port and avoid the Docker Desktop admin-password prompt.")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt in container Environment[].Value is warn-and-dropped: CFn ListStackResources does not return per-attribute values, and unlike Lambda (where \`cdkl invoke --from-cfn-stack\` recovers Fn::GetAtt from the deployed function via lambda:GetFunctionConfiguration), no ECS-side equivalent resolves attributes off a deployed task / service.`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
|
|
20644
20669
|
}
|
|
20645
20670
|
|
|
20646
20671
|
//#endregion
|
|
@@ -24108,7 +24133,7 @@ function buildAuthCheck(guard, jwksCache, opts = {}) {
|
|
|
24108
24133
|
realm,
|
|
24109
24134
|
check: async () => ({ allow: true })
|
|
24110
24135
|
};
|
|
24111
|
-
const
|
|
24136
|
+
const warnedAt = opts.warnedAt ?? /* @__PURE__ */ new Map();
|
|
24112
24137
|
const sessionCookiePrefix = guard.sessionCookieName;
|
|
24113
24138
|
const injectedBearer = opts.bearerToken;
|
|
24114
24139
|
return {
|
|
@@ -24135,16 +24160,20 @@ function buildAuthCheck(guard, jwksCache, opts = {}) {
|
|
|
24135
24160
|
audience: [guard.audience],
|
|
24136
24161
|
...guard.region !== void 0 && { region: guard.region },
|
|
24137
24162
|
...guard.userPoolId !== void 0 && { userPoolId: guard.userPoolId }
|
|
24138
|
-
}, authorization, jwksCache, {
|
|
24163
|
+
}, authorization, jwksCache, { warnedAt })).allow) return { allow: true };
|
|
24139
24164
|
return {
|
|
24140
24165
|
allow: false,
|
|
24141
24166
|
reason: "Bearer token rejected (signature / iss / aud / exp check failed)."
|
|
24142
24167
|
};
|
|
24143
24168
|
} catch (err) {
|
|
24144
|
-
|
|
24169
|
+
const errClass = err instanceof Error ? err.constructor.name : typeof err;
|
|
24170
|
+
const errMessage = err instanceof Error ? err.message : String(err);
|
|
24171
|
+
const REASON_MESSAGE_CAP = 200;
|
|
24172
|
+
const clientMessage = errMessage.length > REASON_MESSAGE_CAP ? `${errMessage.slice(0, REASON_MESSAGE_CAP)}...` : errMessage;
|
|
24173
|
+
getLogger().child("front-door-auth").warn(`Bearer JWT verification threw (${errClass}): ${errMessage}. Returning 401 to client. Check the JWKS URL is reachable and the token is well-formed.`);
|
|
24145
24174
|
return {
|
|
24146
24175
|
allow: false,
|
|
24147
|
-
reason:
|
|
24176
|
+
reason: `Auth check failed: ${errClass} — ${clientMessage}`
|
|
24148
24177
|
};
|
|
24149
24178
|
}
|
|
24150
24179
|
}
|
|
@@ -25117,24 +25146,44 @@ async function reloadAllServices(args) {
|
|
|
25117
25146
|
*/
|
|
25118
25147
|
async function loadAssetContextForTarget(args) {
|
|
25119
25148
|
const { target, controller, stacks, cdkOutDir, assetLoader, logger } = args;
|
|
25120
|
-
const
|
|
25121
|
-
|
|
25149
|
+
const parsed = parseEcsTarget(target);
|
|
25150
|
+
const candidate = pickCandidateStack(parsed.stackPattern, stacks);
|
|
25151
|
+
if (!candidate) {
|
|
25152
|
+
logger.debug(`loadAssetContext: stack pattern '${parsed.stackPattern}' from target '${target}' not in the assembly. Classifier will see no asset context (rebuild).`);
|
|
25153
|
+
return;
|
|
25154
|
+
}
|
|
25122
25155
|
let newService;
|
|
25123
25156
|
try {
|
|
25124
25157
|
newService = resolveEcsServiceTarget(target, stacks, void 0, { suppressLoadBalancerWarning: true });
|
|
25125
25158
|
} catch (err) {
|
|
25126
|
-
logger.debug(`
|
|
25159
|
+
logger.debug(`loadAssetContext: resolveEcsServiceTarget threw for target '${target}' against the new stacks: ${err instanceof Error ? err.message : String(err)}. Classifier will see no asset context (rebuild).`);
|
|
25127
25160
|
return;
|
|
25128
25161
|
}
|
|
25129
25162
|
const essential = newService.task.containers.find((c) => c.essential) ?? newService.task.containers[0];
|
|
25130
|
-
if (!essential)
|
|
25131
|
-
|
|
25163
|
+
if (!essential) {
|
|
25164
|
+
logger.debug(`loadAssetContext: task definition for target '${target}' has no containers. Classifier will see no asset context (rebuild).`);
|
|
25165
|
+
return;
|
|
25166
|
+
}
|
|
25167
|
+
if (essential.image.kind !== "cdk-asset" || !essential.image.assetHash) {
|
|
25168
|
+
const assetHashStr = essential.image.kind === "cdk-asset" ? essential.image.assetHash ?? "undefined" : "n/a";
|
|
25169
|
+
logger.debug(`loadAssetContext: target '${target}' essential image is not a CDK asset (kind='${essential.image.kind}', assetHash=${assetHashStr}). Classifier will see no asset context (rebuild).`);
|
|
25170
|
+
return;
|
|
25171
|
+
}
|
|
25132
25172
|
const newAssetHash = essential.image.assetHash;
|
|
25133
25173
|
const manifest = await assetLoader.loadManifest(cdkOutDir, candidate.stackName);
|
|
25134
|
-
if (!manifest)
|
|
25174
|
+
if (!manifest) {
|
|
25175
|
+
logger.debug(`loadAssetContext: asset manifest missing for stack '${candidate.stackName}' under '${cdkOutDir}'. Classifier will see no asset context (rebuild).`);
|
|
25176
|
+
return;
|
|
25177
|
+
}
|
|
25135
25178
|
const newDockerImage = manifest.dockerImages?.[newAssetHash];
|
|
25136
|
-
if (!newDockerImage)
|
|
25137
|
-
|
|
25179
|
+
if (!newDockerImage) {
|
|
25180
|
+
logger.debug(`loadAssetContext: asset hash '${newAssetHash}' not present in stack '${candidate.stackName}' dockerImages. Classifier will see no asset context (rebuild).`);
|
|
25181
|
+
return;
|
|
25182
|
+
}
|
|
25183
|
+
if (!newDockerImage.source.directory) {
|
|
25184
|
+
logger.debug(`loadAssetContext: docker asset '${newAssetHash}' for stack '${candidate.stackName}' is executable-mode (no source.directory). Classifier will see no asset context (rebuild).`);
|
|
25185
|
+
return;
|
|
25186
|
+
}
|
|
25138
25187
|
const newAssetSourceDir = path.resolve(cdkOutDir, newDockerImage.source.directory);
|
|
25139
25188
|
let oldAssetHash;
|
|
25140
25189
|
const liveReplica = controller.runState.replicas.find((r) => !r.shuttingDown);
|
|
@@ -25419,11 +25468,11 @@ async function buildFrontDoor(plan, options, logger) {
|
|
|
25419
25468
|
keyPath: options.tlsKey
|
|
25420
25469
|
}) : void 0;
|
|
25421
25470
|
const jwksCache = createJwksCache();
|
|
25422
|
-
const
|
|
25471
|
+
const sharedWarnedAt = /* @__PURE__ */ new Map();
|
|
25423
25472
|
const authForGuard = (guard) => buildAuthCheck(guard, jwksCache, {
|
|
25424
25473
|
...options.verifyAuth === false && { noVerifyAuth: true },
|
|
25425
25474
|
...options.bearerToken !== void 0 && { bearerToken: options.bearerToken },
|
|
25426
|
-
|
|
25475
|
+
warnedAt: sharedWarnedAt
|
|
25427
25476
|
});
|
|
25428
25477
|
const attachAuth = (action, guard) => guard ? {
|
|
25429
25478
|
...action,
|
|
@@ -25851,7 +25900,7 @@ function enforceStrictOverrides(strict, uncoveredPinnedTargets) {
|
|
|
25851
25900
|
* factory.
|
|
25852
25901
|
*/
|
|
25853
25902
|
function addCommonEcsServiceOptions(cmd) {
|
|
25854
|
-
cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped
|
|
25903
|
+
cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt in container Environment[].Value is warn-and-dropped: CFn ListStackResources does not return per-attribute values, and unlike Lambda (where \`cdkl invoke --from-cfn-stack\` recovers Fn::GetAtt from the deployed function via lambda:GetFunctionConfiguration), no ECS-side equivalent resolves attributes off a deployed task / service.`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--no-logs", "Disable foreground streaming of each replica container stdout/stderr. By default every booted replica streams its docker logs to the host terminal with a [svc=<service> r=<replica-index> c=<container>] prefix (parity with `run-task`). Pass --no-logs for multi-replica / multi-service runs whose interleaved log volume is unreadable; `docker logs -f <id>` in a separate terminal stays available."));
|
|
25855
25904
|
[
|
|
25856
25905
|
...commonOptions(),
|
|
25857
25906
|
...appOptions(),
|
|
@@ -26901,4 +26950,4 @@ function addListSpecificOptions(cmd) {
|
|
|
26901
26950
|
|
|
26902
26951
|
//#endregion
|
|
26903
26952
|
export { groupRoutesByServer as $, tryResolveImageFnJoin as $n, AGENTCORE_SESSION_ID_HEADER as $t, isLocalCdkAssetImage as A, collectSsmParameterRefs as An, buildCognitoJwksUrl as At, addInvokeAgentCoreSpecificOptions as B, pickRefLogicalId as Bn, isFunctionUrlOacFronted as Bt, buildImageOverrideTag as C, createLocalStateProvider as Cn, ConnectionRegistry as Ct, resolveImageOverrides as D, resolveCfnRegion as Dn, buildConnectEvent as Dt, parseImageOverrideFlags as E, resolveCfnFallbackRegion as En, parseConnectionsPath as Et, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as F, listTargets as Fn, verifyJwtViaDiscovery as Ft, resolveApiTargetSubset as G, AGENTCORE_MCP_PROTOCOL as Gn, a2aInvokeOnce as Gt, addStartApiSpecificOptions as H, AGENTCORE_A2A_PROTOCOL as Hn, invokeAgentCoreWs as Ht, getContainerNetworkIp as I, discoverWebSocketApis as In, attachAuthorizers as It, attachStageContext as J, pickAgentCoreCandidateStack as Jn, MCP_PROTOCOL_VERSION as Jt, createAuthorizerCache as K, AGENTCORE_RUNTIME_TYPE as Kn, MCP_CONTAINER_PORT as Kt, addRunTaskSpecificOptions as L, discoverWebSocketApisOrThrow as Ln, applyCorsResponseHeaders as Lt, buildCloudMapIndex as M, resolveWatchConfig as Mn, createJwksCache as Mt, CloudMapRegistry as N, resolveSingleTarget as Nn, verifyCognitoJwt as Nt, runImageOverrideBuilds as O, resolveCfnStackName as On, buildDisconnectEvent as Ot, classifySourceChange as P, countTargets as Pn, verifyJwtAuthorizer as Pt, filterRoutesByApiIdentifiers as Q, substituteImagePlaceholders as Qn, signAgentCoreInvocation as Qt, createLocalRunTaskCommand as R, parseSelectionExpressionPath as Rn, buildCorsConfigByApiId as Rt, ImageOverrideError as S, LocalStateSourceError as Sn, bufferToBody as St, mergeForService as T, rejectExplicitCfnStackWithMultipleStacks as Tn, handleConnectionsRequest as Tt, createLocalStartApiCommand as U, AGENTCORE_AGUI_PROTOCOL as Un, A2A_CONTAINER_PORT as Ut, createLocalInvokeAgentCoreCommand as V, resolveLambdaArnIntrinsic as Vn, matchPreflight as Vt, createWatchPredicates as W, AGENTCORE_HTTP_PROTOCOL as Wn, A2A_PATH as Wt, availableApiIdentifiers as X, derivePseudoParametersFromRegion as Xn, parseSseForJsonRpc as Xt, buildStageMap as Y, resolveAgentCoreTarget as Yn, mcpInvokeOnce as Yt, filterRoutesByApiIdentifier as Z, formatStateRemedy as Zn, AGENTCORE_SIGV4_SERVICE as Zt, buildEcsImageResolutionContext as _, substituteAgainstStateAsync as _n, selectIntegrationResponse as _t, albStrategy as a, computeCodeImageTag as an, buildMethodArn as at, resolveSharedSidecarCredentials as b, resolveEnvVars as bn, HOST_GATEWAY_MIN_VERSION as bt, resolveAlbTarget as c, addInvokeSpecificOptions as cn, invokeRequestAuthorizer as ct, addStartServiceSpecificOptions as d, buildContainerImage as dn, translateLambdaResponse as dt, invokeAgentCore as en, LocalInvokeBuildError as er, readMtlsMaterialsFromDisk as et, createLocalStartServiceCommand as f, resolveRuntimeCodeMountPath as fn, applyAuthorizerOverlay as ft, addImageOverrideOptions as g, substituteAgainstState as gn, pickResponseTemplate as gt, addCommonEcsServiceOptions as h, EcsTaskResolutionError as hn, evaluateResponseParameters as ht, addAlbSpecificOptions as i, buildAgentCoreCodeImage as in, defaultCredentialsLoader as it, listPinnedTargets as j, resolveSsmParameters as jn, buildJwksUrlFromIssuer as jt, describePinnedImageUri as k, CfnLocalStateProvider as kn, buildMessageEvent as kt, isApplicationLoadBalancer as l, createLocalInvokeCommand as ln, invokeTokenAuthorizer as lt, MAX_TASKS_SUBNET_RANGE_CAP as m, resolveRuntimeImage as mn, buildRestV1Event as mt, createLocalListCommand as n, downloadAndExtractS3Bundle as nn, resolveSelectionExpression as nt, createLocalStartAlbCommand as o, renderCodeDockerfile as on, computeRequestIdentityHash as ot, serviceStrategy as p, resolveRuntimeFileExtension as pn, buildHttpApiV2Event as pt, createFileWatcher as q, AgentCoreResolutionError as qn, MCP_PATH as qt, formatTargetListing as r, SUPPORTED_CODE_RUNTIMES as rn, resolveServiceIntegrationParameters as rt, parseLbPortOverrides as s, toCmdArgv as sn, evaluateCachedLambdaPolicy as st, addListSpecificOptions as t, waitForAgentCorePing as tn, startApiServer as tt, resolveAlbFrontDoor as u, architectureToPlatform as un, matchRoute as ut, parseMaxTasks as v, substituteEnvVarsFromState as vn, tryParseStatus as vt, enforceImageOverrideOrphans as w, isCfnFlagPresent as wn, buildMgmtEndpointEnvUrl as wt, runEcsServiceEmulator as x, materializeLayerFromArn as xn, probeHostGatewaySupport as xt, parseRestartPolicy as y, substituteEnvVarsFromStateAsync as yn, VtlEvaluationError as yt, attachContainerLogStreamer as z, discoverRoutes as zn, buildCorsConfigFromCloudFrontChain as zt };
|
|
26904
|
-
//# sourceMappingURL=local-list-
|
|
26953
|
+
//# sourceMappingURL=local-list-Cj96dZzK.js.map
|