# parlel/acm

A zero-dependency, in-process fake of **AWS Certificate Manager (ACM)**.
Speaks the AWS JSON 1.1 wire protocol (`X-Amz-Target: CertificateManager.<Op>`).

| Property     | Value                              |
| ------------ | ---------------------------------- |
| Service name | `acm`                              |
| Port         | `4731`                             |
| Protocol     | AWS JSON 1.1 (POST `/`)            |
| Target       | `CertificateManager.<Operation>`  |
| Healthcheck  | `GET /_parlel/health`             |
| Account ID   | `000000000000`                     |

## Default connection

```
AWS_ENDPOINT_URL=http://127.0.0.1:4731
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=parlel
AWS_SECRET_ACCESS_KEY=parlel
```

## Supported operations

| Operation                | Notes                                                          |
| ------------------------ | -------------------------------------------------------------- |
| RequestCertificate       | Auto-issues (`Status: ISSUED`) with DNS validation records.   |
| DescribeCertificate      | Returns full certificate metadata + `DomainValidationOptions`.|
| ListCertificates         | Optional `CertificateStatuses` filter.                        |
| GetCertificate           | Returns a synthetic PEM body + chain.                         |
| DeleteCertificate        | Removes the certificate.                                       |
| AddTagsToCertificate     | Merge tags onto a certificate.                                 |
| RemoveTagsFromCertificate| Remove tags by key.                                           |
| ListTagsForCertificate   | List tags.                                                     |

Each requested certificate includes a `DomainValidationOptions` entry per
domain/SAN with a DNS validation `ResourceRecord` (CNAME -> `acm-validations.aws`).

## SDK example

```js
import { ACMClient, RequestCertificateCommand, DescribeCertificateCommand } from "@aws-sdk/client-acm";

const acm = new ACMClient({
  region: "us-east-1",
  endpoint: "http://127.0.0.1:4731",
  credentials: { accessKeyId: "parlel", secretAccessKey: "parlel" },
});

const { CertificateArn } = await acm.send(new RequestCertificateCommand({ DomainName: "example.com" }));
const { Certificate } = await acm.send(new DescribeCertificateCommand({ CertificateArn }));
console.log(Certificate.Status); // ISSUED
```

## Access via MCP / preview URL

When run inside parlel, ACM is reachable through the pool's MCP bridge and any
assigned preview URL. Point `AWS_ENDPOINT_URL` at the preview URL.

## Surface coverage

This emulator faithfully replicates the API surface most application code and agents exercise. Anything below the supported lines is either an intentional design choice for a fast, zero-cost local emulator (✓ By design) or a candidate for a future release (⟳ Roadmap) — never a silent inaccuracy.

Legend: ✅ fully supported · ◐ accepted (stored, not strictly enforced) · ✓ by design · ⟳ on the roadmap.

| Area          | Limitation                                                  |
| ------------- | ----------------------------------------------------------- |
| Validation    | Certificates auto-issue immediately; no real DNS check.     |
| PEM material  | `GetCertificate` returns a placeholder, not a real cert.    |
| Imported certs| `ImportCertificate` is not implemented.                     |
| State         | In memory, cleared on reset.                                |