cdk-local 0.73.0 → 0.73.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -2029,11 +2029,14 @@ function applyResponseParameters(base, responseParameters, responseCtx) {
2029
2029
  continue;
2030
2030
  }
2031
2031
  const headerMatch = /^(append|overwrite|remove):header\.(.+)$/i.exec(key);
2032
- if (!headerMatch || !headerMatch[1] || !headerMatch[2]) continue;
2032
+ if (!headerMatch || !headerMatch[1] || !headerMatch[2]) {
2033
+ logger.warn(`ResponseParameters: key '${key}' does not match the expected shape '(append|overwrite|remove):header.<name>' or 'overwrite:statuscode'; the value was dropped. Check for typos (e.g. 'appen:' vs 'append:').`);
2034
+ continue;
2035
+ }
2033
2036
  const op = headerMatch[1].toLowerCase();
2034
2037
  const name = headerMatch[2].toLowerCase();
2035
2038
  if (isReservedHeader(name)) {
2036
- logger.debug(`ResponseParameters: header '${name}' is reserved by API Gateway and was skipped`);
2039
+ logger.warn(`ResponseParameters: header '${name}' is reserved by API Gateway and was skipped`);
2037
2040
  continue;
2038
2041
  }
2039
2042
  if (op === "remove") delete headers[name];
@@ -8488,7 +8491,7 @@ function createLocalInvokeCommand(opts = {}) {
8488
8491
  * `--help` clusters. Chainable: returns `cmd`.
8489
8492
  */
8490
8493
  function addInvokeSpecificOptions(cmd) {
8491
- return cmd.addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) no-op for IMAGE local-build path; `docker build` does not pull base layers by default")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from state (requires an active state source); (3) `--no-assume-role` explicitly opts out. Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers. Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name; pass an explicit value when CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
8494
+ return cmd.addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull. Semantics differ by code path: ZIP Lambdas skip pulling the public Lambda base image; Container Lambdas on the local-build path are a no-op (docker build does not refresh the FROM cache by default); Container Lambdas on the ECR-pull fallback skip docker pull AND error if the image is not in the local cache (re-run without --no-pull or pre-pull manually).")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from state (requires an active state source); (3) `--no-assume-role` explicitly opts out. Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers. Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name; pass an explicit value when CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
8492
8495
  }
8493
8496
 
8494
8497
  //#endregion
@@ -10154,6 +10157,30 @@ function shortJson(value) {
10154
10157
 
10155
10158
  //#endregion
10156
10159
  //#region src/local/cognito-jwt.ts
10160
+ /**
10161
+ * Re-emit window for unreachable-endpoint warns. 5 minutes is short enough
10162
+ * the user notices the degraded state on a normal `--watch` session, long
10163
+ * enough not to spam the log on every request when the upstream IdP is down.
10164
+ */
10165
+ const WARN_REEMIT_INTERVAL_MS = 300 * 1e3;
10166
+ /**
10167
+ * Returns true iff `key`'s last warn timestamp is older than
10168
+ * {@link WARN_REEMIT_INTERVAL_MS} (or has never been recorded). When true,
10169
+ * `warnedAt[key]` is updated to `now` as a side effect so the next call
10170
+ * within the window returns false.
10171
+ *
10172
+ * Callers that omit `warnedAt` (the per-AuthCheck local fallback in tests
10173
+ * and the no-dedup branch in shape-only call sites) get a no-op true on
10174
+ * every call.
10175
+ */
10176
+ function shouldWarn(key, warnedAt, now) {
10177
+ if (!warnedAt) return true;
10178
+ const last = warnedAt.get(key);
10179
+ const t = now();
10180
+ if (last !== void 0 && t - last < 3e5) return false;
10181
+ warnedAt.set(key, t);
10182
+ return true;
10183
+ }
10157
10184
  const DEFAULT_JWKS_TTL_MS = 3600 * 1e3;
10158
10185
  /**
10159
10186
  * Failure-mode TTL for JWKS-unreachable entries. Pre-fix the failure
@@ -10300,7 +10327,7 @@ async function verifyCognitoJwt(authorizer, authorizationHeader, jwksCache, opts
10300
10327
  identityHash,
10301
10328
  ttlSeconds: 0
10302
10329
  };
10303
- return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, void 0, void 0, jwksCache, opts.warned, now);
10330
+ return verifyAndShape(token, buildCognitoJwksUrl(selectedPool.region, selectedPool.userPoolId), buildCognitoIssuer(selectedPool.region, selectedPool.userPoolId), void 0, void 0, void 0, jwksCache, opts.warnedAt, now);
10304
10331
  }
10305
10332
  /**
10306
10333
  * Verify a Bearer JWT against an HTTP v2 JWT authorizer's `JwtConfiguration`.
@@ -10313,7 +10340,7 @@ async function verifyJwtAuthorizer(authorizer, authorizationHeader, jwksCache, o
10313
10340
  identityHash: void 0,
10314
10341
  ttlSeconds: 0
10315
10342
  };
10316
- return verifyAndShape(token, authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer), authorizer.issuer.replace(/\/+$/, ""), authorizer.audience, void 0, void 0, jwksCache, opts.warned, now);
10343
+ return verifyAndShape(token, authorizer.region && authorizer.userPoolId ? buildCognitoJwksUrl(authorizer.region, authorizer.userPoolId) : buildJwksUrlFromIssuer(authorizer.issuer), authorizer.issuer.replace(/\/+$/, ""), authorizer.audience, void 0, void 0, jwksCache, opts.warnedAt, now);
10317
10344
  }
10318
10345
  /**
10319
10346
  * Verify a Bearer JWT against an OIDC-discovery-URL authorizer (Bedrock
@@ -10349,10 +10376,7 @@ async function verifyJwtViaDiscovery(authorizer, authorizationHeader, jwksCache,
10349
10376
  issuer = doc.issuer;
10350
10377
  jwksUri = doc.jwks_uri;
10351
10378
  } catch (err) {
10352
- if (opts.warned && !opts.warned.has(authorizer.discoveryUrl)) {
10353
- opts.warned.add(authorizer.discoveryUrl);
10354
- getLogger().child("cognito-jwt").warn(`OIDC discovery unreachable at ${authorizer.discoveryUrl}: ${err instanceof Error ? err.message : String(err)}. Token accepted without verification — local dev fallback.`);
10355
- }
10379
+ if (shouldWarn(authorizer.discoveryUrl, opts.warnedAt, now)) getLogger().child("cognito-jwt").warn(`OIDC discovery unreachable at ${authorizer.discoveryUrl}: ${err instanceof Error ? err.message : String(err)}. Token accepted without verification — local dev fallback.`);
10356
10380
  const identityHash = buildIdentityHash([token]);
10357
10381
  const parsed = parseJwt(token);
10358
10382
  if (parsed) return shapeAllowResult(parsed, identityHash, now);
@@ -10365,16 +10389,13 @@ async function verifyJwtViaDiscovery(authorizer, authorizationHeader, jwksCache,
10365
10389
  };
10366
10390
  }
10367
10391
  const allowlist = [...authorizer.allowedAudience ?? [], ...authorizer.allowedClients ?? []];
10368
- return verifyAndShape(token, jwksUri, issuer.replace(/\/+$/, ""), allowlist.length > 0 ? allowlist : void 0, authorizer.allowedScopes, authorizer.customClaims, jwksCache, opts.warned, now);
10392
+ return verifyAndShape(token, jwksUri, issuer.replace(/\/+$/, ""), allowlist.length > 0 ? allowlist : void 0, authorizer.allowedScopes, authorizer.customClaims, jwksCache, opts.warnedAt, now);
10369
10393
  }
10370
- async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, requiredScopes, customClaims, jwksCache, warned, now) {
10394
+ async function verifyAndShape(token, jwksUrl, expectedIssuer, expectedAudience, requiredScopes, customClaims, jwksCache, warnedAt, now) {
10371
10395
  const identityHash = buildIdentityHash([token]);
10372
10396
  const jwks = await jwksCache.fetchAndCache(jwksUrl);
10373
10397
  if (jwks.passThrough) {
10374
- if (warned && !warned.has(jwksUrl)) {
10375
- warned.add(jwksUrl);
10376
- getLogger().child("cognito-jwt").warn(`JWKS pass-through mode for ${jwksUrl}: token accepted without signature verification.`);
10377
- }
10398
+ if (shouldWarn(jwksUrl, warnedAt, now)) getLogger().child("cognito-jwt").warn(`JWKS pass-through mode for ${jwksUrl}: token accepted without signature verification.`);
10378
10399
  const parsed = parseJwt(token);
10379
10400
  if (parsed) return shapeAllowResult(parsed, identityHash, now);
10380
10401
  return {
@@ -11196,7 +11217,7 @@ function attachWebSocketServer(opts) {
11196
11217
  try {
11197
11218
  ws.close(1008, "Forbidden");
11198
11219
  } catch {}
11199
- logger.debug(`WebSocket $connect denied for connection ${connectionId} on ${cfg.api.declaredAt}`);
11220
+ logger.info(`WebSocket $connect denied for connection ${connectionId} on ${cfg.api.declaredAt} — authorizer returned a non-allow verdict. Client was closed with code 1008.`);
11200
11221
  return;
11201
11222
  }
11202
11223
  }
@@ -14604,21 +14625,21 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
14604
14625
  try {
14605
14626
  parsed = parseAuthorizationHeader(authHeader);
14606
14627
  } catch (err) {
14607
- logger.debug(`AWS_IAM authorizer: malformed Authorization header ${err instanceof Error ? err.message : String(err)}`);
14628
+ logger.info(`AWS_IAM authorizer: rejecting request — malformed Authorization header (${err instanceof Error ? err.message : String(err)}). Expected shape: 'AWS4-HMAC-SHA256 Credential=<AKID>/<YYYYMMDD>/<region>/<service>/aws4_request, SignedHeaders=<h1>;<h2>;..., Signature=<hex>'.`);
14608
14629
  return {
14609
14630
  allow: false,
14610
14631
  identityHash: void 0
14611
14632
  };
14612
14633
  }
14613
14634
  if (parsed.algorithm !== "AWS4-HMAC-SHA256") {
14614
- logger.debug(`AWS_IAM authorizer: unsupported algorithm '${parsed.algorithm}'`);
14635
+ logger.info(`AWS_IAM authorizer: rejecting request — unsupported Authorization algorithm '${parsed.algorithm}'. Expected 'AWS4-HMAC-SHA256'.`);
14615
14636
  return {
14616
14637
  allow: false,
14617
14638
  identityHash: void 0
14618
14639
  };
14619
14640
  }
14620
14641
  if (parsed.credentialTerminator !== "aws4_request") {
14621
- logger.debug(`AWS_IAM authorizer: invalid credential scope terminator '${parsed.credentialTerminator}'`);
14642
+ logger.info(`AWS_IAM authorizer: rejecting request — invalid credential-scope terminator '${parsed.credentialTerminator}'. Expected 'aws4_request' (the last '/' segment of the Credential= value).`);
14622
14643
  return {
14623
14644
  allow: false,
14624
14645
  identityHash: void 0
@@ -14626,21 +14647,22 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
14626
14647
  }
14627
14648
  const amzDate = pickHeader(req.headers, "x-amz-date") ?? pickHeader(req.headers, "date");
14628
14649
  if (!amzDate) {
14629
- logger.debug("AWS_IAM authorizer: missing x-amz-date / date header");
14650
+ logger.info("AWS_IAM authorizer: rejecting request — missing x-amz-date / date header. Expected ISO-8601 basic 'YYYYMMDDTHHMMSSZ' in 'x-amz-date' (AWS SDK default) or RFC 1123 in 'date' (curl --aws-sigv4).");
14630
14651
  return {
14631
14652
  allow: false,
14632
14653
  identityHash: void 0
14633
14654
  };
14634
14655
  }
14635
14656
  if (!validateAmzDateMatchesCredentialDate(amzDate, parsed.credentialDate)) {
14636
- logger.debug(`AWS_IAM authorizer: x-amz-date '${amzDate}' does not match credential scope date '${parsed.credentialDate}'`);
14657
+ logger.info(`AWS_IAM authorizer: rejecting request — x-amz-date '${amzDate}' does not match credential-scope date '${parsed.credentialDate}'. The 'YYYYMMDD' prefix of x-amz-date must equal the date segment of Credential=<AKID>/<YYYYMMDD>/...`);
14637
14658
  return {
14638
14659
  allow: false,
14639
14660
  identityHash: void 0
14640
14661
  };
14641
14662
  }
14642
- if (amzDateOutsideSkew(amzDate, (opts.now ?? (() => /* @__PURE__ */ new Date()))())) {
14643
- logger.debug(`AWS_IAM authorizer: x-amz-date '${amzDate}' outside 15-min clock skew`);
14663
+ const now = (opts.now ?? (() => /* @__PURE__ */ new Date()))();
14664
+ if (amzDateOutsideSkew(amzDate, now)) {
14665
+ logger.info(`AWS_IAM authorizer: rejecting request — x-amz-date '${amzDate}' is outside the 15-minute clock-skew window (local now=${now.toISOString()}). Re-sign the request with the current time or sync the local clock.`);
14644
14666
  return {
14645
14667
  allow: false,
14646
14668
  identityHash: void 0
@@ -14692,7 +14714,7 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
14692
14714
  }
14693
14715
  const recomputed = computeSignature(req, parsed, local.secretAccessKey, amzDate);
14694
14716
  if (!constantTimeEqual(recomputed, parsed.signature)) {
14695
- logger.debug(`AWS_IAM authorizer: signature mismatch (expected '${recomputed}', got '${parsed.signature}')`);
14717
+ logger.info(`AWS_IAM authorizer: rejecting request — Signature= mismatch (recomputed '${recomputed}', got '${parsed.signature}'). The request was signed with the expected access-key-id but the HMAC does not verify — check the SignedHeaders list, request body, and canonical-request normalization on the signer side.`);
14696
14718
  return {
14697
14719
  allow: false,
14698
14720
  identityHash: void 0
@@ -15669,7 +15691,7 @@ async function runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, re
15669
15691
  denyKind: "policy-deny"
15670
15692
  };
15671
15693
  const authHeader = headers["authorization"];
15672
- const jwksOpts = { ...opts.jwksWarnedUrls && { warned: opts.jwksWarnedUrls } };
15694
+ const jwksOpts = { ...opts.jwksWarnedAt && { warnedAt: opts.jwksWarnedAt } };
15673
15695
  if (authorizer.kind === "cognito") {
15674
15696
  if (cache && authHeader !== void 0) {
15675
15697
  const cached = cache.get(authorizer.logicalId, hashOne(authHeader));
@@ -16494,10 +16516,13 @@ const DEFAULT_DEBOUNCE_MS = 500;
16494
16516
  * (chokidar starts listening before this function returns); the
16495
16517
  * caller does not need to `await` ready.
16496
16518
  *
16497
- * Errors from chokidar (typically "ENOENT: path doesn't exist") are
16498
- * logged at debug and otherwise swallowed the start-api server
16499
- * should keep serving even when one of the watched asset directories
16500
- * goes missing during a reload.
16519
+ * Errors from chokidar (typically "ENOENT: path doesn't exist", or
16520
+ * EMFILE on macOS when watching a deep tree) are logged at WARN and
16521
+ * otherwise swallowed the start-api server should keep serving even
16522
+ * when one of the watched asset directories goes missing during a
16523
+ * reload, but the user gets a visible signal that `--watch` may have
16524
+ * stopped firing so they don't sit there waiting for a reload that
16525
+ * will never come.
16501
16526
  */
16502
16527
  function createFileWatcher(options) {
16503
16528
  const logger = getLogger().child("start-api-watch");
@@ -16537,7 +16562,7 @@ function createFileWatcher(options) {
16537
16562
  watcher.on("change", onEvent);
16538
16563
  watcher.on("unlink", onEvent);
16539
16564
  watcher.on("error", (err) => {
16540
- logger.debug(`chokidar error: ${err instanceof Error ? err.message : String(err)}. Continuing.`);
16565
+ logger.warn(`chokidar error: ${err instanceof Error ? err.message : String(err)}. --watch may be degraded for the remainder of this session — file changes may no longer trigger reloads. Restart cdkl to recover.`);
16541
16566
  });
16542
16567
  return { close: async () => {
16543
16568
  closed = true;
@@ -16625,7 +16650,7 @@ async function localStartApiCommand(targets, options, extraStateProviders) {
16625
16650
  let profileCredsFile;
16626
16651
  const authorizerCache = createAuthorizerCache();
16627
16652
  const jwksCache = createJwksCache();
16628
- const jwksWarnedUrls = /* @__PURE__ */ new Set();
16653
+ const jwksWarnedAt = /* @__PURE__ */ new Map();
16629
16654
  let sigV4CredentialsLoader;
16630
16655
  const sigV4WarnedForeignIds = /* @__PURE__ */ new Set();
16631
16656
  const fromCfnTipEmitted = { value: false };
@@ -16802,7 +16827,7 @@ async function localStartApiCommand(targets, options, extraStateProviders) {
16802
16827
  port: basePort === 0 ? 0 : nextPort,
16803
16828
  authorizerCache,
16804
16829
  jwksCache,
16805
- jwksWarnedUrls,
16830
+ jwksWarnedAt,
16806
16831
  sigV4CredentialsLoader,
16807
16832
  sigV4WarnedForeignIds,
16808
16833
  sigV4Strict: options.strictSigv4 === true,
@@ -16849,7 +16874,7 @@ async function localStartApiCommand(targets, options, extraStateProviders) {
16849
16874
  port: basePort === 0 ? 0 : nextPort,
16850
16875
  authorizerCache,
16851
16876
  jwksCache,
16852
- jwksWarnedUrls,
16877
+ jwksWarnedAt,
16853
16878
  sigV4WarnedForeignIds,
16854
16879
  sigV4Strict: options.strictSigv4 === true,
16855
16880
  preDispatch: async (req, res) => {
@@ -18544,7 +18569,7 @@ async function resolveInboundAuthorization(resolved, options) {
18544
18569
  ...authorizer.allowedClients && { allowedClients: authorizer.allowedClients },
18545
18570
  ...authorizer.allowedScopes && { allowedScopes: authorizer.allowedScopes },
18546
18571
  ...authorizer.customClaims && { customClaims: authorizer.customClaims }
18547
- }, header, createJwksCache(), { warned: /* @__PURE__ */ new Set() })).allow) throw new CdkLocalError(`Inbound JWT rejected by the runtime's customJwtAuthorizer (signature / issuer / expiry / audience check failed against ${authorizer.discoveryUrl}).`, "LOCAL_INVOKE_AGENTCORE_AUTH_DENIED");
18572
+ }, header, createJwksCache(), { warnedAt: /* @__PURE__ */ new Map() })).allow) throw new CdkLocalError(`Inbound JWT rejected by the runtime's customJwtAuthorizer (signature / issuer / expiry / audience check failed against ${authorizer.discoveryUrl}).`, "LOCAL_INVOKE_AGENTCORE_AUTH_DENIED");
18548
18573
  logger.info(`Inbound JWT verified against ${authorizer.discoveryUrl}.`);
18549
18574
  return header;
18550
18575
  }
@@ -19151,7 +19176,7 @@ function readEnvOverridesFile$2(filePath) {
19151
19176
  }
19152
19177
  function createLocalInvokeAgentCoreCommand(opts = {}) {
19153
19178
  setEmbedConfig(opts.embedConfig);
19154
- const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080) or MCP (POST /mcp Streamable HTTP on 8000). Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact and the CodeConfiguration managed-runtime artifact (fromCodeAsset, built from source) on the HTTP + MCP protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").action(withErrorHandling(async (target, options) => {
19179
+ const cmd = new Command("invoke-agentcore").description("Run a Bedrock AgentCore Runtime container locally and invoke it once over its protocol contract: HTTP (POST /invocations + GET /ping on 8080; SSE / WebSocket are HTTP wire-shape variants on the same port), MCP (POST /mcp Streamable HTTP on 8000), A2A, or AGUI. Resolves the AWS::BedrockAgentCore::Runtime, pulls/builds its container, injects env vars + AWS credentials, and prints the response. For an MCP runtime, runs the session handshake then sends one JSON-RPC request (tools/list by default, or the method/params from --event). Target accepts a CDK display path (MyStack/MyAgent) or stack-qualified logical ID (MyStack:MyAgentRuntime1234). Single-stack apps may omit the stack prefix. Omit <target> in an interactive terminal to pick from a list. Supports the container artifact and the CodeConfiguration managed-runtime artifact (fromCodeAsset, built from source) on all four protocols; the agent calls real AWS for managed services.").argument("[target]", "CDK display path or stack-qualified logical ID of the AgentCore Runtime to invoke (omit to pick interactively in a TTY)").action(withErrorHandling(async (target, options) => {
19155
19180
  await localInvokeAgentCoreCommand(target, options, opts.extraStateProviders);
19156
19181
  }));
19157
19182
  addInvokeAgentCoreSpecificOptions(cmd);
@@ -20640,7 +20665,7 @@ function createLocalRunTaskCommand(opts = {}) {
20640
20665
  * surface non-trivially. Each command keeps its own helper.
20641
20666
  */
20642
20667
  function addRunTaskSpecificOptions(cmd) {
20643
- return cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--host-port <containerPort=hostPort...>", "Publish a container port on a specific host port (e.g. 80=8080); repeatable. Default: host port == container port. Use this on macOS to map a privileged container port (< 1024) to a non-privileged host port and avoid the Docker Desktop admin-password prompt.")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
20668
+ return cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--host-port <containerPort=hostPort...>", "Publish a container port on a specific host port (e.g. 80=8080); repeatable. Default: host port == container port. Use this on macOS to map a privileged container port (< 1024) to a non-privileged host port and avoid the Docker Desktop admin-password prompt.")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt in container Environment[].Value is warn-and-dropped: CFn ListStackResources does not return per-attribute values, and unlike Lambda (where \`cdkl invoke --from-cfn-stack\` recovers Fn::GetAtt from the deployed function via lambda:GetFunctionConfiguration), no ECS-side equivalent resolves attributes off a deployed task / service.`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region."));
20644
20669
  }
20645
20670
 
20646
20671
  //#endregion
@@ -24108,7 +24133,7 @@ function buildAuthCheck(guard, jwksCache, opts = {}) {
24108
24133
  realm,
24109
24134
  check: async () => ({ allow: true })
24110
24135
  };
24111
- const warned = opts.warned ?? /* @__PURE__ */ new Set();
24136
+ const warnedAt = opts.warnedAt ?? /* @__PURE__ */ new Map();
24112
24137
  const sessionCookiePrefix = guard.sessionCookieName;
24113
24138
  const injectedBearer = opts.bearerToken;
24114
24139
  return {
@@ -24135,16 +24160,20 @@ function buildAuthCheck(guard, jwksCache, opts = {}) {
24135
24160
  audience: [guard.audience],
24136
24161
  ...guard.region !== void 0 && { region: guard.region },
24137
24162
  ...guard.userPoolId !== void 0 && { userPoolId: guard.userPoolId }
24138
- }, authorization, jwksCache, { warned })).allow) return { allow: true };
24163
+ }, authorization, jwksCache, { warnedAt })).allow) return { allow: true };
24139
24164
  return {
24140
24165
  allow: false,
24141
24166
  reason: "Bearer token rejected (signature / iss / aud / exp check failed)."
24142
24167
  };
24143
24168
  } catch (err) {
24144
- getLogger().child("front-door-auth").debug(`auth check threw: ${err instanceof Error ? err.message : String(err)}`);
24169
+ const errClass = err instanceof Error ? err.constructor.name : typeof err;
24170
+ const errMessage = err instanceof Error ? err.message : String(err);
24171
+ const REASON_MESSAGE_CAP = 200;
24172
+ const clientMessage = errMessage.length > REASON_MESSAGE_CAP ? `${errMessage.slice(0, REASON_MESSAGE_CAP)}...` : errMessage;
24173
+ getLogger().child("front-door-auth").warn(`Bearer JWT verification threw (${errClass}): ${errMessage}. Returning 401 to client. Check the JWKS URL is reachable and the token is well-formed.`);
24145
24174
  return {
24146
24175
  allow: false,
24147
- reason: "Auth check failed."
24176
+ reason: `Auth check failed: ${errClass} — ${clientMessage}`
24148
24177
  };
24149
24178
  }
24150
24179
  }
@@ -25117,24 +25146,44 @@ async function reloadAllServices(args) {
25117
25146
  */
25118
25147
  async function loadAssetContextForTarget(args) {
25119
25148
  const { target, controller, stacks, cdkOutDir, assetLoader, logger } = args;
25120
- const candidate = pickCandidateStack(parseEcsTarget(target).stackPattern, stacks);
25121
- if (!candidate) return void 0;
25149
+ const parsed = parseEcsTarget(target);
25150
+ const candidate = pickCandidateStack(parsed.stackPattern, stacks);
25151
+ if (!candidate) {
25152
+ logger.debug(`loadAssetContext: stack pattern '${parsed.stackPattern}' from target '${target}' not in the assembly. Classifier will see no asset context (rebuild).`);
25153
+ return;
25154
+ }
25122
25155
  let newService;
25123
25156
  try {
25124
25157
  newService = resolveEcsServiceTarget(target, stacks, void 0, { suppressLoadBalancerWarning: true });
25125
25158
  } catch (err) {
25126
- logger.debug(`loadAssetContextForTarget: target '${target}' could not be re-resolved against the new stacks: ${err instanceof Error ? err.message : String(err)}. Classifier will see no asset context (rebuild).`);
25159
+ logger.debug(`loadAssetContext: resolveEcsServiceTarget threw for target '${target}' against the new stacks: ${err instanceof Error ? err.message : String(err)}. Classifier will see no asset context (rebuild).`);
25127
25160
  return;
25128
25161
  }
25129
25162
  const essential = newService.task.containers.find((c) => c.essential) ?? newService.task.containers[0];
25130
- if (!essential) return void 0;
25131
- if (essential.image.kind !== "cdk-asset" || !essential.image.assetHash) return;
25163
+ if (!essential) {
25164
+ logger.debug(`loadAssetContext: task definition for target '${target}' has no containers. Classifier will see no asset context (rebuild).`);
25165
+ return;
25166
+ }
25167
+ if (essential.image.kind !== "cdk-asset" || !essential.image.assetHash) {
25168
+ const assetHashStr = essential.image.kind === "cdk-asset" ? essential.image.assetHash ?? "undefined" : "n/a";
25169
+ logger.debug(`loadAssetContext: target '${target}' essential image is not a CDK asset (kind='${essential.image.kind}', assetHash=${assetHashStr}). Classifier will see no asset context (rebuild).`);
25170
+ return;
25171
+ }
25132
25172
  const newAssetHash = essential.image.assetHash;
25133
25173
  const manifest = await assetLoader.loadManifest(cdkOutDir, candidate.stackName);
25134
- if (!manifest) return void 0;
25174
+ if (!manifest) {
25175
+ logger.debug(`loadAssetContext: asset manifest missing for stack '${candidate.stackName}' under '${cdkOutDir}'. Classifier will see no asset context (rebuild).`);
25176
+ return;
25177
+ }
25135
25178
  const newDockerImage = manifest.dockerImages?.[newAssetHash];
25136
- if (!newDockerImage) return void 0;
25137
- if (!newDockerImage.source.directory) return;
25179
+ if (!newDockerImage) {
25180
+ logger.debug(`loadAssetContext: asset hash '${newAssetHash}' not present in stack '${candidate.stackName}' dockerImages. Classifier will see no asset context (rebuild).`);
25181
+ return;
25182
+ }
25183
+ if (!newDockerImage.source.directory) {
25184
+ logger.debug(`loadAssetContext: docker asset '${newAssetHash}' for stack '${candidate.stackName}' is executable-mode (no source.directory). Classifier will see no asset context (rebuild).`);
25185
+ return;
25186
+ }
25138
25187
  const newAssetSourceDir = path.resolve(cdkOutDir, newDockerImage.source.directory);
25139
25188
  let oldAssetHash;
25140
25189
  const liveReplica = controller.runState.replicas.find((r) => !r.shuttingDown);
@@ -25419,11 +25468,11 @@ async function buildFrontDoor(plan, options, logger) {
25419
25468
  keyPath: options.tlsKey
25420
25469
  }) : void 0;
25421
25470
  const jwksCache = createJwksCache();
25422
- const sharedWarned = /* @__PURE__ */ new Set();
25471
+ const sharedWarnedAt = /* @__PURE__ */ new Map();
25423
25472
  const authForGuard = (guard) => buildAuthCheck(guard, jwksCache, {
25424
25473
  ...options.verifyAuth === false && { noVerifyAuth: true },
25425
25474
  ...options.bearerToken !== void 0 && { bearerToken: options.bearerToken },
25426
- warned: sharedWarned
25475
+ warnedAt: sharedWarnedAt
25427
25476
  });
25428
25477
  const attachAuth = (action, guard) => guard ? {
25429
25478
  ...action,
@@ -25851,7 +25900,7 @@ function enforceStrictOverrides(strict, uncoveredPinnedTargets) {
25851
25900
  * factory.
25852
25901
  */
25853
25902
  function addCommonEcsServiceOptions(cmd) {
25854
- cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn ListStackResources does not return per-attribute values).`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--no-logs", "Disable foreground streaming of each replica container stdout/stderr. By default every booted replica streams its docker logs to the host terminal with a [svc=<service> r=<replica-index> c=<container>] prefix (parity with `run-task`). Pass --no-logs for multi-replica / multi-service runs whose interleaved log volume is unreadable; `docker logs -f <id>` in a separate terminal stays available."));
25903
+ cmd.addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via ListStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt in container Environment[].Value is warn-and-dropped: CFn ListStackResources does not return per-attribute values, and unlike Lambda (where \`cdkl invoke --from-cfn-stack\` recovers Fn::GetAtt from the deployed function via lambda:GetFunctionConfiguration), no ECS-side equivalent resolves attributes off a deployed task / service.`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--no-logs", "Disable foreground streaming of each replica container stdout/stderr. By default every booted replica streams its docker logs to the host terminal with a [svc=<service> r=<replica-index> c=<container>] prefix (parity with `run-task`). Pass --no-logs for multi-replica / multi-service runs whose interleaved log volume is unreadable; `docker logs -f <id>` in a separate terminal stays available."));
25855
25904
  [
25856
25905
  ...commonOptions(),
25857
25906
  ...appOptions(),
@@ -26901,4 +26950,4 @@ function addListSpecificOptions(cmd) {
26901
26950
 
26902
26951
  //#endregion
26903
26952
  export { groupRoutesByServer as $, tryResolveImageFnJoin as $n, AGENTCORE_SESSION_ID_HEADER as $t, isLocalCdkAssetImage as A, collectSsmParameterRefs as An, buildCognitoJwksUrl as At, addInvokeAgentCoreSpecificOptions as B, pickRefLogicalId as Bn, isFunctionUrlOacFronted as Bt, buildImageOverrideTag as C, createLocalStateProvider as Cn, ConnectionRegistry as Ct, resolveImageOverrides as D, resolveCfnRegion as Dn, buildConnectEvent as Dt, parseImageOverrideFlags as E, resolveCfnFallbackRegion as En, parseConnectionsPath as Et, SOFT_RELOAD_COMPLETION_LOG_SUFFIX as F, listTargets as Fn, verifyJwtViaDiscovery as Ft, resolveApiTargetSubset as G, AGENTCORE_MCP_PROTOCOL as Gn, a2aInvokeOnce as Gt, addStartApiSpecificOptions as H, AGENTCORE_A2A_PROTOCOL as Hn, invokeAgentCoreWs as Ht, getContainerNetworkIp as I, discoverWebSocketApis as In, attachAuthorizers as It, attachStageContext as J, pickAgentCoreCandidateStack as Jn, MCP_PROTOCOL_VERSION as Jt, createAuthorizerCache as K, AGENTCORE_RUNTIME_TYPE as Kn, MCP_CONTAINER_PORT as Kt, addRunTaskSpecificOptions as L, discoverWebSocketApisOrThrow as Ln, applyCorsResponseHeaders as Lt, buildCloudMapIndex as M, resolveWatchConfig as Mn, createJwksCache as Mt, CloudMapRegistry as N, resolveSingleTarget as Nn, verifyCognitoJwt as Nt, runImageOverrideBuilds as O, resolveCfnStackName as On, buildDisconnectEvent as Ot, classifySourceChange as P, countTargets as Pn, verifyJwtAuthorizer as Pt, filterRoutesByApiIdentifiers as Q, substituteImagePlaceholders as Qn, signAgentCoreInvocation as Qt, createLocalRunTaskCommand as R, parseSelectionExpressionPath as Rn, buildCorsConfigByApiId as Rt, ImageOverrideError as S, LocalStateSourceError as Sn, bufferToBody as St, mergeForService as T, rejectExplicitCfnStackWithMultipleStacks as Tn, handleConnectionsRequest as Tt, createLocalStartApiCommand as U, AGENTCORE_AGUI_PROTOCOL as Un, A2A_CONTAINER_PORT as Ut, createLocalInvokeAgentCoreCommand as V, resolveLambdaArnIntrinsic as Vn, matchPreflight as Vt, createWatchPredicates as W, AGENTCORE_HTTP_PROTOCOL as Wn, A2A_PATH as Wt, availableApiIdentifiers as X, derivePseudoParametersFromRegion as Xn, parseSseForJsonRpc as Xt, buildStageMap as Y, resolveAgentCoreTarget as Yn, mcpInvokeOnce as Yt, filterRoutesByApiIdentifier as Z, formatStateRemedy as Zn, AGENTCORE_SIGV4_SERVICE as Zt, buildEcsImageResolutionContext as _, substituteAgainstStateAsync as _n, selectIntegrationResponse as _t, albStrategy as a, computeCodeImageTag as an, buildMethodArn as at, resolveSharedSidecarCredentials as b, resolveEnvVars as bn, HOST_GATEWAY_MIN_VERSION as bt, resolveAlbTarget as c, addInvokeSpecificOptions as cn, invokeRequestAuthorizer as ct, addStartServiceSpecificOptions as d, buildContainerImage as dn, translateLambdaResponse as dt, invokeAgentCore as en, LocalInvokeBuildError as er, readMtlsMaterialsFromDisk as et, createLocalStartServiceCommand as f, resolveRuntimeCodeMountPath as fn, applyAuthorizerOverlay as ft, addImageOverrideOptions as g, substituteAgainstState as gn, pickResponseTemplate as gt, addCommonEcsServiceOptions as h, EcsTaskResolutionError as hn, evaluateResponseParameters as ht, addAlbSpecificOptions as i, buildAgentCoreCodeImage as in, defaultCredentialsLoader as it, listPinnedTargets as j, resolveSsmParameters as jn, buildJwksUrlFromIssuer as jt, describePinnedImageUri as k, CfnLocalStateProvider as kn, buildMessageEvent as kt, isApplicationLoadBalancer as l, createLocalInvokeCommand as ln, invokeTokenAuthorizer as lt, MAX_TASKS_SUBNET_RANGE_CAP as m, resolveRuntimeImage as mn, buildRestV1Event as mt, createLocalListCommand as n, downloadAndExtractS3Bundle as nn, resolveSelectionExpression as nt, createLocalStartAlbCommand as o, renderCodeDockerfile as on, computeRequestIdentityHash as ot, serviceStrategy as p, resolveRuntimeFileExtension as pn, buildHttpApiV2Event as pt, createFileWatcher as q, AgentCoreResolutionError as qn, MCP_PATH as qt, formatTargetListing as r, SUPPORTED_CODE_RUNTIMES as rn, resolveServiceIntegrationParameters as rt, parseLbPortOverrides as s, toCmdArgv as sn, evaluateCachedLambdaPolicy as st, addListSpecificOptions as t, waitForAgentCorePing as tn, startApiServer as tt, resolveAlbFrontDoor as u, architectureToPlatform as un, matchRoute as ut, parseMaxTasks as v, substituteEnvVarsFromState as vn, tryParseStatus as vt, enforceImageOverrideOrphans as w, isCfnFlagPresent as wn, buildMgmtEndpointEnvUrl as wt, runEcsServiceEmulator as x, materializeLayerFromArn as xn, probeHostGatewaySupport as xt, parseRestartPolicy as y, substituteEnvVarsFromStateAsync as yn, VtlEvaluationError as yt, attachContainerLogStreamer as z, discoverRoutes as zn, buildCorsConfigFromCloudFrontChain as zt };
26904
- //# sourceMappingURL=local-list-Ch0RglJl.js.map
26953
+ //# sourceMappingURL=local-list-Cj96dZzK.js.map