@aws-cdk/toolkit-lib 0.3.1 → 0.3.3

package/lib/api/shared-public.js

@@ -1,7 +1,9 @@
 "use strict";
+var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -15,22 +17,40 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __decorateClass = (decorators, target, key, kind) => {
+  var result2 = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result2 = (kind ? decorator(target, key, result2) : decorator(result2)) || result2;
+  if (kind && result2) __defProp(target, key, result2);
+  return result2;
+};
 
 // lib/api/shared-public.ts
 var shared_public_exports = {};
 __export(shared_public_exports, {
   AssemblyError: () => AssemblyError,
   AuthenticationError: () => AuthenticationError,
+  ContextProviderError: () => ContextProviderError,
   ExpandStackSelection: () => ExpandStackSelection,
   NonHotswappableReason: () => NonHotswappableReason,
   PermissionChangeType: () => PermissionChangeType,
+  PluginHost: () => PluginHost,
   StackSelectionStrategy: () => StackSelectionStrategy,
   ToolkitError: () => ToolkitError
 });
 module.exports = __toCommonJS(shared_public_exports);
 
-// ../tmp-toolkit-helpers/src/api/toolkit-error.ts
+// lib/api/toolkit-error.ts
 var TOOLKIT_ERROR_SYMBOL = Symbol.for("@aws-cdk/toolkit-lib.ToolkitError");
 var AUTHENTICATION_ERROR_SYMBOL = Symbol.for("@aws-cdk/toolkit-lib.AuthenticationError");
 var ASSEMBLY_ERROR_SYMBOL = Symbol.for("@aws-cdk/toolkit-lib.AssemblyError");
@@ -63,8 +83,8 @@ var ToolkitError = class _ToolkitError extends Error {
   /**
    * An AssemblyError with an original error as cause
    */
-  static withCause(message, error) {
-    return new _ToolkitError(message, "toolkit", error);
+  static withCause(message2, error2) {
+    return new _ToolkitError(message2, "toolkit", error2);
   }
   /**
    * The type of the error, defaults to "toolkit".
@@ -78,8 +98,8 @@ var ToolkitError = class _ToolkitError extends Error {
    * The specific original cause of the error, if available
    */
   cause;
-  constructor(message, type = "toolkit", cause) {
-    super(message);
+  constructor(message2, type = "toolkit", cause) {
+    super(message2);
     Object.setPrototypeOf(this, _ToolkitError.prototype);
     Object.defineProperty(this, TOOLKIT_ERROR_SYMBOL, { value: true });
     this.name = new.target.name;
@@ -93,8 +113,8 @@ var AuthenticationError = class _AuthenticationError extends ToolkitError {
    * Denotes the source of the error as user.
    */
   source = "user";
-  constructor(message) {
-    super(message, "authentication");
+  constructor(message2) {
+    super(message2, "authentication");
     Object.setPrototypeOf(this, _AuthenticationError.prototype);
     Object.defineProperty(this, AUTHENTICATION_ERROR_SYMBOL, { value: true });
   }
@@ -103,14 +123,14 @@ var AssemblyError = class _AssemblyError extends ToolkitError {
   /**
    * An AssemblyError with an original error as cause
    */
-  static withCause(message, error) {
-    return new _AssemblyError(message, void 0, error);
+  static withCause(message2, error2) {
+    return new _AssemblyError(message2, void 0, error2);
   }
   /**
    * An AssemblyError with a list of stacks as cause
    */
-  static withStacks(message, stacks) {
-    return new _AssemblyError(message, stacks);
+  static withStacks(message2, stacks) {
+    return new _AssemblyError(message2, stacks);
   }
   /**
    * Denotes the source of the error as user.
@@ -123,15 +143,26 @@ var AssemblyError = class _AssemblyError extends ToolkitError {
    * Absence indicates synthesis didn't fully complete.
    */
   stacks;
-  constructor(message, stacks, cause) {
-    super(message, "assembly", cause);
+  constructor(message2, stacks, cause) {
+    super(message2, "assembly", cause);
     Object.setPrototypeOf(this, _AssemblyError.prototype);
     Object.defineProperty(this, ASSEMBLY_ERROR_SYMBOL, { value: true });
     this.stacks = stacks;
   }
 };
+var ContextProviderError = class _ContextProviderError extends ToolkitError {
+  /**
+   * Denotes the source of the error as user.
+   */
+  source = "user";
+  constructor(message2) {
+    super(message2, "context-provider");
+    Object.setPrototypeOf(this, _ContextProviderError.prototype);
+    Object.defineProperty(this, CONTEXT_PROVIDER_ERROR_SYMBOL, { value: true });
+  }
+};
 
-// ../tmp-toolkit-helpers/src/api/cloud-assembly/stack-selector.ts
+// lib/api/cloud-assembly/stack-selector.ts
 var StackSelectionStrategy = /* @__PURE__ */ ((StackSelectionStrategy2) => {
   StackSelectionStrategy2["ALL_STACKS"] = "all-stacks";
   StackSelectionStrategy2["MAIN_ASSEMBLY"] = "main-assembly";
@@ -148,7 +179,3064 @@ var ExpandStackSelection = /* @__PURE__ */ ((ExpandStackSelection2) => {
   return ExpandStackSelection2;
 })(ExpandStackSelection || {});
 
-// ../tmp-toolkit-helpers/src/payloads/diff.ts
+// lib/api/resource-metadata/resource-metadata.ts
+var import_cloud_assembly_schema = require("@aws-cdk/cloud-assembly-schema");
+
+// lib/api/plugin/plugin.ts
+var import_util27 = require("util");
+
+// lib/api/plugin/context-provider-plugin.ts
+function isContextProviderPlugin(x) {
+  return typeof x === "object" && !!x && !!x.getValue;
+}
+
+// lib/util/archive.ts
+var glob = __toESM(require("glob"));
+
+// lib/util/format-error.ts
+function formatErrorMessage(error2) {
+  if (error2 && Array.isArray(error2.errors)) {
+    const innerMessages = error2.errors.map((innerError) => innerError?.message || innerError?.toString()).join("\n");
+    return `AggregateError: ${innerMessages}`;
+  }
+  return error2?.message || error2?.toString() || "Unknown error";
+}
+
+// lib/util/archive.ts
+var archiver = require("archiver");
+
+// lib/util/directories.ts
+var fs = __toESM(require("fs"));
+var os = __toESM(require("os"));
+var path = __toESM(require("path"));
+function cdkHomeDir() {
+  const tmpDir = fs.realpathSync(os.tmpdir());
+  let home;
+  try {
+    let userInfoHome = os.userInfo().homedir;
+    if (userInfoHome == "/var/empty") {
+      userInfoHome = void 0;
+    }
+    home = path.join((userInfoHome ?? os.homedir()).trim(), ".cdk");
+  } catch {
+  }
+  return process.env.CDK_HOME ? path.resolve(process.env.CDK_HOME) : home || fs.mkdtempSync(path.join(tmpDir, ".cdk")).trim();
+}
+function cdkCacheDir() {
+  return path.join(cdkHomeDir(), "cache");
+}
+function bundledPackageRootDir(start, fail) {
+  function _rootDir(dirname2) {
+    const manifestPath = path.join(dirname2, "package.json");
+    if (fs.existsSync(manifestPath)) {
+      return dirname2;
+    }
+    if (path.dirname(dirname2) === dirname2) {
+      if (fail ?? true) {
+        throw new ToolkitError("Unable to find package manifest");
+      }
+      return void 0;
+    }
+    return _rootDir(path.dirname(dirname2));
+  }
+  return _rootDir(start);
+}
+
+// lib/util/json.ts
+function getResultObj(jsonObject, identifier, propertiesToReturn) {
+  const propsObj = {};
+  propertiesToReturn.forEach((propName) => {
+    Object.assign(propsObj, { [propName]: findJsonValue(jsonObject, propName) });
+  });
+  Object.assign(propsObj, { ["Identifier"]: identifier });
+  return propsObj;
+}
+function findJsonValue(jsonObject, path5) {
+  const paths = path5.split(".");
+  let obj = jsonObject;
+  paths.forEach((p) => {
+    obj = obj[p];
+    if (obj === void 0) {
+      throw new TypeError(`Cannot read field ${path5}. ${p} is not found.`);
+    }
+  });
+  return obj;
+}
+
+// lib/util/types.ts
+var isArray = Array.isArray;
+
+// lib/util/yaml-cfn.ts
+var yaml = __toESM(require("yaml"));
+var yaml_types = __toESM(require("yaml/types"));
+function makeTagForCfnIntrinsic(intrinsicName, addFnPrefix) {
+  return {
+    identify(value) {
+      return typeof value === "string";
+    },
+    tag: `!${intrinsicName}`,
+    resolve: (_doc, cstNode) => {
+      const ret = {};
+      ret[addFnPrefix ? `Fn::${intrinsicName}` : intrinsicName] = // the +1 is to account for the ! the short form begins with
+      parseYamlStrWithCfnTags(cstNode.toString().substring(intrinsicName.length + 1));
+      return ret;
+    }
+  };
+}
+var shortForms = [
+  "Base64",
+  "Cidr",
+  "FindInMap",
+  "GetAZs",
+  "ImportValue",
+  "Join",
+  "Sub",
+  "Select",
+  "Split",
+  "Transform",
+  "And",
+  "Equals",
+  "If",
+  "Not",
+  "Or",
+  "GetAtt"
+].map((name) => makeTagForCfnIntrinsic(name, true)).concat(
+  makeTagForCfnIntrinsic("Ref", false),
+  makeTagForCfnIntrinsic("Condition", false)
+);
+function parseYamlStrWithCfnTags(text) {
+  return yaml.parse(text, {
+    customTags: shortForms,
+    schema: "core"
+  });
+}
+
+// lib/util/string-manipulation.ts
+function formatTime(num) {
+  return roundPercentage(millisecondsToSeconds(num));
+}
+function roundPercentage(num) {
+  return Math.round(100 * num) / 100;
+}
+function millisecondsToSeconds(num) {
+  return num / 1e3;
+}
+
+// lib/util/version-range.ts
+var semver = __toESM(require("semver"));
+
+// lib/private/dispose-polyfill.ts
+Symbol.dispose ??= Symbol("Symbol.dispose");
+Symbol.asyncDispose ??= Symbol("Symbol.asyncDispose");
+
+// lib/private/activity-printer/history.ts
+var chalk = __toESM(require("chalk"));
+
+// lib/private/activity-printer/current.ts
+var chalk2 = __toESM(require("chalk"));
+
+// lib/private/activity-printer/display.ts
+var wrapAnsi = require("wrap-ansi");
+
+// lib/private/activity-printer/current.ts
+var PROGRESSBAR_EXTRA_SPACE = 2 + 2 + 4 + 6;
+
+// lib/api/aws-auth/proxy-agent.ts
+var fs2 = __toESM(require("fs-extra"));
+var import_proxy_agent = require("proxy-agent");
+
+// lib/api/aws-auth/sdk.ts
+var import_client_appsync = require("@aws-sdk/client-appsync");
+var import_client_cloudcontrol = require("@aws-sdk/client-cloudcontrol");
+var import_client_cloudformation = require("@aws-sdk/client-cloudformation");
+var import_client_cloudwatch_logs = require("@aws-sdk/client-cloudwatch-logs");
+var import_client_codebuild = require("@aws-sdk/client-codebuild");
+var import_client_ec2 = require("@aws-sdk/client-ec2");
+var import_client_ecr = require("@aws-sdk/client-ecr");
+var import_client_ecs = require("@aws-sdk/client-ecs");
+var import_client_elastic_load_balancing_v2 = require("@aws-sdk/client-elastic-load-balancing-v2");
+var import_client_iam = require("@aws-sdk/client-iam");
+var import_client_kms = require("@aws-sdk/client-kms");
+var import_client_lambda = require("@aws-sdk/client-lambda");
+var import_client_route_53 = require("@aws-sdk/client-route-53");
+var import_client_s3 = require("@aws-sdk/client-s3");
+var import_client_secrets_manager = require("@aws-sdk/client-secrets-manager");
+var import_client_sfn = require("@aws-sdk/client-sfn");
+var import_client_ssm = require("@aws-sdk/client-ssm");
+var import_client_sts = require("@aws-sdk/client-sts");
+var import_lib_storage = require("@aws-sdk/lib-storage");
+var import_middleware_endpoint = require("@smithy/middleware-endpoint");
+var import_util_retry = require("@smithy/util-retry");
+
+// lib/api/aws-auth/account-cache.ts
+var path2 = __toESM(require("path"));
+var fs3 = __toESM(require("fs-extra"));
+var AccountAccessKeyCache = class _AccountAccessKeyCache {
+  /**
+   * Max number of entries in the cache, after which the cache will be reset.
+   */
+  static MAX_ENTRIES = 1e3;
+  /**
+   * The default path used for the accounts access key cache
+   */
+  static get DEFAULT_PATH() {
+    return path2.join(cdkCacheDir(), "accounts_partitions.json");
+  }
+  cacheFile;
+  debug;
+  /**
+   * @param filePath Path to the cache file
+   */
+  constructor(filePath = _AccountAccessKeyCache.DEFAULT_PATH, debugFn) {
+    this.cacheFile = filePath;
+    this.debug = debugFn;
+  }
+  /**
+   * Tries to fetch the account ID from cache. If it's not in the cache, invokes
+   * the resolver function which should retrieve the account ID and return it.
+   * Then, it will be stored into disk cache returned.
+   *
+   * Example:
+   *
+   *    const accountId = cache.fetch(accessKey, async () => {
+   *      return await fetchAccountIdFromSomewhere(accessKey);
+   *    });
+   */
+  async fetch(accessKeyId, resolver) {
+    const cached2 = await this.get(accessKeyId);
+    if (cached2) {
+      await this.debug(`Retrieved account ID ${cached2.accountId} from disk cache`);
+      return cached2;
+    }
+    const account = await resolver();
+    if (account) {
+      await this.put(accessKeyId, account);
+    }
+    return account;
+  }
+  /** Get the account ID from an access key or undefined if not in cache */
+  async get(accessKeyId) {
+    const map = await this.loadMap();
+    return map[accessKeyId];
+  }
+  /** Put a mapping between access key and account ID */
+  async put(accessKeyId, account) {
+    let map = await this.loadMap();
+    if (Object.keys(map).length >= _AccountAccessKeyCache.MAX_ENTRIES) {
+      map = {};
+    }
+    map[accessKeyId] = account;
+    await this.saveMap(map);
+  }
+  async loadMap() {
+    try {
+      return await fs3.readJson(this.cacheFile);
+    } catch (e) {
+      if (e.code === "ENOENT" || e.code === "EACCES") {
+        return {};
+      }
+      if (e instanceof SyntaxError) {
+        return {};
+      }
+      throw e;
+    }
+  }
+  async saveMap(map) {
+    try {
+      await fs3.ensureFile(this.cacheFile);
+      await fs3.writeJson(this.cacheFile, map, { spaces: 2 });
+    } catch (e) {
+      if (e.code === "ENOENT" || e.code === "EACCES" || e.code === "EROFS") {
+        return;
+      }
+      throw e;
+    }
+  }
+};
+
+// lib/api/aws-auth/cached.ts
+function cached(obj, sym, fn) {
+  if (!(sym in obj)) {
+    obj[sym] = fn();
+  }
+  return obj[sym];
+}
+async function cachedAsync(obj, sym, fn) {
+  if (!(sym in obj)) {
+    obj[sym] = await fn();
+  }
+  return obj[sym];
+}
+
+// lib/api/aws-auth/tracing.ts
+var ENABLED = false;
+var INDENT = 0;
+function callTrace(fn, className, logger) {
+  if (!ENABLED || !logger) {
+    return;
+  }
+  logger.info(`[trace] ${" ".repeat(INDENT)}${className || "(anonymous)"}#${fn}()`);
+}
+function traceCall(receiver, _propertyKey, descriptor, parentClassName) {
+  const fn = descriptor.value;
+  const className = typeof receiver === "function" ? receiver.name : parentClassName;
+  descriptor.value = function(...args) {
+    const logger = this.logger;
+    if (!ENABLED || typeof logger?.info !== "function") {
+      return fn.apply(this, args);
+    }
+    logger.info.apply(logger, [`[trace] ${" ".repeat(INDENT)}${className || this.constructor.name || "(anonymous)"}#${fn.name}()`]);
+    INDENT += 2;
+    const ret = fn.apply(this, args);
+    if (ret instanceof Promise) {
+      return ret.finally(() => {
+        INDENT -= 2;
+      });
+    } else {
+      INDENT -= 2;
+      return ret;
+    }
+  };
+  return descriptor;
+}
+function traceMemberMethods(constructor) {
+  for (const [name, descriptor] of Object.entries(Object.getOwnPropertyDescriptors(constructor.prototype))) {
+    if (typeof descriptor.value !== "function") {
+      continue;
+    }
+    const newDescriptor = traceCall(constructor.prototype, name, descriptor, constructor.name) ?? descriptor;
+    Object.defineProperty(constructor.prototype, name, newDescriptor);
+  }
+}
+
+// lib/api/aws-auth/user-agent.ts
+var path3 = __toESM(require("path"));
+
+// lib/api/aws-auth/util.ts
+var fs4 = __toESM(require("fs-extra"));
+function readIfPossible(filename) {
+  try {
+    if (!fs4.pathExistsSync(filename)) {
+      return void 0;
+    }
+    return fs4.readFileSync(filename, { encoding: "utf-8" });
+  } catch (e) {
+    return void 0;
+  }
+}
+
+// lib/api/aws-auth/user-agent.ts
+function defaultCliUserAgent() {
+  const root = bundledPackageRootDir(__dirname, false);
+  const pkg = JSON.parse((root ? readIfPossible(path3.join(root, "package.json")) : void 0) ?? "{}");
+  const name = pkg.name ?? path3.basename(process.argv[1] ?? "cdk-cli");
+  const version = pkg.version ?? "<unknown>";
+  return `${name}/${version}`;
+}
+
+// lib/api/aws-auth/sdk.ts
+var SDK = class {
+  constructor(credProvider, region, requestHandler, ioHelper, logger) {
+    this.credProvider = credProvider;
+    const debugFn = async (msg) => ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(msg));
+    this.accountCache = new AccountAccessKeyCache(AccountAccessKeyCache.DEFAULT_PATH, debugFn);
+    this.debug = debugFn;
+    this.config = {
+      region,
+      credentials: credProvider,
+      requestHandler,
+      retryStrategy: new import_util_retry.ConfiguredRetryStrategy(7, (attempt) => 300 * 2 ** attempt),
+      customUserAgent: defaultCliUserAgent(),
+      logger
+    };
+    this.logger = logger;
+    this.currentRegion = region;
+  }
+  currentRegion;
+  config;
+  logger;
+  accountCache;
+  /**
+   * STS is used to check credential validity, don't do too many retries.
+   */
+  stsRetryStrategy = new import_util_retry.ConfiguredRetryStrategy(3, (attempt) => 100 * 2 ** attempt);
+  /**
+   * Whether we have proof that the credentials have not expired
+   *
+   * We need to do some manual plumbing around this because the JS SDKv2 treats `ExpiredToken`
+   * as retriable and we have hefty retries on CFN calls making the CLI hang for a good 15 minutes
+   * if the credentials have expired.
+   */
+  _credentialsValidated = false;
+  /**
+   * A function to create debug messages
+   */
+  debug;
+  appendCustomUserAgent(userAgentData) {
+    if (!userAgentData) {
+      return;
+    }
+    const currentCustomUserAgent = this.config.customUserAgent;
+    this.config.customUserAgent = currentCustomUserAgent ? `${currentCustomUserAgent} ${userAgentData}` : userAgentData;
+  }
+  removeCustomUserAgent(userAgentData) {
+    this.config.customUserAgent = this.config.customUserAgent?.replace(userAgentData, "");
+  }
+  appsync() {
+    const client = new import_client_appsync.AppSyncClient(this.config);
+    return {
+      getSchemaCreationStatus: (input) => client.send(new import_client_appsync.GetSchemaCreationStatusCommand(input)),
+      startSchemaCreation: (input) => client.send(new import_client_appsync.StartSchemaCreationCommand(input)),
+      updateApiKey: (input) => client.send(new import_client_appsync.UpdateApiKeyCommand(input)),
+      updateFunction: (input) => client.send(new import_client_appsync.UpdateFunctionCommand(input)),
+      updateResolver: (input) => client.send(new import_client_appsync.UpdateResolverCommand(input)),
+      // Pagination Functions
+      listFunctions: async (input) => {
+        const functions = Array();
+        const paginator = (0, import_client_appsync.paginateListFunctions)({ client }, input);
+        for await (const page of paginator) {
+          functions.push(...page.functions || []);
+        }
+        return functions;
+      }
+    };
+  }
+  cloudControl() {
+    const client = new import_client_cloudcontrol.CloudControlClient(this.config);
+    return {
+      listResources: (input) => client.send(new import_client_cloudcontrol.ListResourcesCommand(input)),
+      getResource: (input) => client.send(new import_client_cloudcontrol.GetResourceCommand(input))
+    };
+  }
+  cloudFormation() {
+    const client = new import_client_cloudformation.CloudFormationClient({
+      ...this.config,
+      retryStrategy: new import_util_retry.ConfiguredRetryStrategy(11, (attempt) => 1e3 * 2 ** attempt)
+    });
+    return {
+      continueUpdateRollback: async (input) => client.send(new import_client_cloudformation.ContinueUpdateRollbackCommand(input)),
+      createChangeSet: (input) => client.send(new import_client_cloudformation.CreateChangeSetCommand(input)),
+      createGeneratedTemplate: (input) => client.send(new import_client_cloudformation.CreateGeneratedTemplateCommand(input)),
+      createStack: (input) => client.send(new import_client_cloudformation.CreateStackCommand(input)),
+      deleteChangeSet: (input) => client.send(new import_client_cloudformation.DeleteChangeSetCommand(input)),
+      deleteGeneratedTemplate: (input) => client.send(new import_client_cloudformation.DeleteGeneratedTemplateCommand(input)),
+      deleteStack: (input) => client.send(new import_client_cloudformation.DeleteStackCommand(input)),
+      describeChangeSet: (input) => client.send(new import_client_cloudformation.DescribeChangeSetCommand(input)),
+      describeGeneratedTemplate: (input) => client.send(new import_client_cloudformation.DescribeGeneratedTemplateCommand(input)),
+      describeResourceScan: (input) => client.send(new import_client_cloudformation.DescribeResourceScanCommand(input)),
+      describeStacks: (input) => client.send(new import_client_cloudformation.DescribeStacksCommand(input)),
+      describeStackResources: (input) => client.send(new import_client_cloudformation.DescribeStackResourcesCommand(input)),
+      executeChangeSet: (input) => client.send(new import_client_cloudformation.ExecuteChangeSetCommand(input)),
+      getGeneratedTemplate: (input) => client.send(new import_client_cloudformation.GetGeneratedTemplateCommand(input)),
+      getTemplate: (input) => client.send(new import_client_cloudformation.GetTemplateCommand(input)),
+      getTemplateSummary: (input) => client.send(new import_client_cloudformation.GetTemplateSummaryCommand(input)),
+      listExports: (input) => client.send(new import_client_cloudformation.ListExportsCommand(input)),
+      listResourceScanRelatedResources: (input) => client.send(new import_client_cloudformation.ListResourceScanRelatedResourcesCommand(input)),
+      listResourceScanResources: (input) => client.send(new import_client_cloudformation.ListResourceScanResourcesCommand(input)),
+      listResourceScans: (input) => client.send(new import_client_cloudformation.ListResourceScansCommand(input)),
+      listStacks: (input) => client.send(new import_client_cloudformation.ListStacksCommand(input)),
+      rollbackStack: (input) => client.send(new import_client_cloudformation.RollbackStackCommand(input)),
+      startResourceScan: (input) => client.send(new import_client_cloudformation.StartResourceScanCommand(input)),
+      updateStack: (input) => client.send(new import_client_cloudformation.UpdateStackCommand(input)),
+      updateTerminationProtection: (input) => client.send(new import_client_cloudformation.UpdateTerminationProtectionCommand(input)),
+      describeStackEvents: (input) => {
+        return client.send(new import_client_cloudformation.DescribeStackEventsCommand(input));
+      },
+      listStackResources: async (input) => {
+        const stackResources = Array();
+        const paginator = (0, import_client_cloudformation.paginateListStackResources)({ client }, input);
+        for await (const page of paginator) {
+          stackResources.push(...page?.StackResourceSummaries || []);
+        }
+        return stackResources;
+      },
+      paginatedListStacks: async (input) => {
+        const stackResources = Array();
+        const paginator = (0, import_client_cloudformation.paginateListStacks)({ client }, input);
+        for await (const page of paginator) {
+          stackResources.push(...page?.StackSummaries || []);
+        }
+        return stackResources;
+      }
+    };
+  }
+  cloudWatchLogs() {
+    const client = new import_client_cloudwatch_logs.CloudWatchLogsClient(this.config);
+    return {
+      describeLogGroups: (input) => client.send(new import_client_cloudwatch_logs.DescribeLogGroupsCommand(input)),
+      filterLogEvents: (input) => client.send(new import_client_cloudwatch_logs.FilterLogEventsCommand(input))
+    };
+  }
+  codeBuild() {
+    const client = new import_client_codebuild.CodeBuildClient(this.config);
+    return {
+      updateProject: (input) => client.send(new import_client_codebuild.UpdateProjectCommand(input))
+    };
+  }
+  ec2() {
+    const client = new import_client_ec2.EC2Client(this.config);
+    return {
+      describeAvailabilityZones: (input) => client.send(new import_client_ec2.DescribeAvailabilityZonesCommand(input)),
+      describeImages: (input) => client.send(new import_client_ec2.DescribeImagesCommand(input)),
+      describeInstances: (input) => client.send(new import_client_ec2.DescribeInstancesCommand(input)),
+      describeRouteTables: (input) => client.send(new import_client_ec2.DescribeRouteTablesCommand(input)),
+      describeSecurityGroups: (input) => client.send(new import_client_ec2.DescribeSecurityGroupsCommand(input)),
+      describeSubnets: (input) => client.send(new import_client_ec2.DescribeSubnetsCommand(input)),
+      describeVpcEndpointServices: (input) => client.send(new import_client_ec2.DescribeVpcEndpointServicesCommand(input)),
+      describeVpcs: (input) => client.send(new import_client_ec2.DescribeVpcsCommand(input)),
+      describeVpnGateways: (input) => client.send(new import_client_ec2.DescribeVpnGatewaysCommand(input))
+    };
+  }
+  ecr() {
+    const client = new import_client_ecr.ECRClient(this.config);
+    return {
+      batchDeleteImage: (input) => client.send(new import_client_ecr.BatchDeleteImageCommand(input)),
+      batchGetImage: (input) => client.send(new import_client_ecr.BatchGetImageCommand(input)),
+      createRepository: (input) => client.send(new import_client_ecr.CreateRepositoryCommand(input)),
+      describeImages: (input) => client.send(new import_client_ecr.DescribeImagesCommand(input)),
+      describeRepositories: (input) => client.send(new import_client_ecr.DescribeRepositoriesCommand(input)),
+      getAuthorizationToken: (input) => client.send(new import_client_ecr.GetAuthorizationTokenCommand(input)),
+      listImages: (input) => client.send(new import_client_ecr.ListImagesCommand(input)),
+      putImage: (input) => client.send(new import_client_ecr.PutImageCommand(input)),
+      putImageScanningConfiguration: (input) => client.send(new import_client_ecr.PutImageScanningConfigurationCommand(input))
+    };
+  }
+  ecs() {
+    const client = new import_client_ecs.ECSClient(this.config);
+    return {
+      listClusters: (input) => client.send(new import_client_ecs.ListClustersCommand(input)),
+      registerTaskDefinition: (input) => client.send(new import_client_ecs.RegisterTaskDefinitionCommand(input)),
+      updateService: (input) => client.send(new import_client_ecs.UpdateServiceCommand(input)),
+      // Waiters
+      waitUntilServicesStable: (input) => {
+        return (0, import_client_ecs.waitUntilServicesStable)(
+          {
+            client,
+            maxWaitTime: 600,
+            minDelay: 6,
+            maxDelay: 6
+          },
+          input
+        );
+      }
+    };
+  }
+  elbv2() {
+    const client = new import_client_elastic_load_balancing_v2.ElasticLoadBalancingV2Client(this.config);
+    return {
+      describeListeners: (input) => client.send(new import_client_elastic_load_balancing_v2.DescribeListenersCommand(input)),
+      describeLoadBalancers: (input) => client.send(new import_client_elastic_load_balancing_v2.DescribeLoadBalancersCommand(input)),
+      describeTags: (input) => client.send(new import_client_elastic_load_balancing_v2.DescribeTagsCommand(input)),
+      // Pagination Functions
+      paginateDescribeListeners: async (input) => {
+        const listeners = Array();
+        const paginator = (0, import_client_elastic_load_balancing_v2.paginateDescribeListeners)({ client }, input);
+        for await (const page of paginator) {
+          listeners.push(...page?.Listeners || []);
+        }
+        return listeners;
+      },
+      paginateDescribeLoadBalancers: async (input) => {
+        const loadBalancers = Array();
+        const paginator = (0, import_client_elastic_load_balancing_v2.paginateDescribeLoadBalancers)({ client }, input);
+        for await (const page of paginator) {
+          loadBalancers.push(...page?.LoadBalancers || []);
+        }
+        return loadBalancers;
+      }
+    };
+  }
+  iam() {
+    const client = new import_client_iam.IAMClient(this.config);
+    return {
+      createPolicy: (input) => client.send(new import_client_iam.CreatePolicyCommand(input)),
+      getPolicy: (input) => client.send(new import_client_iam.GetPolicyCommand(input)),
+      getRole: (input) => client.send(new import_client_iam.GetRoleCommand(input))
+    };
+  }
+  kms() {
+    const client = new import_client_kms.KMSClient(this.config);
+    return {
+      describeKey: (input) => client.send(new import_client_kms.DescribeKeyCommand(input)),
+      listAliases: (input) => client.send(new import_client_kms.ListAliasesCommand(input))
+    };
+  }
+  lambda() {
+    const client = new import_client_lambda.LambdaClient(this.config);
+    return {
+      invokeCommand: (input) => client.send(new import_client_lambda.InvokeCommand(input)),
+      publishVersion: (input) => client.send(new import_client_lambda.PublishVersionCommand(input)),
+      updateAlias: (input) => client.send(new import_client_lambda.UpdateAliasCommand(input)),
+      updateFunctionCode: (input) => client.send(new import_client_lambda.UpdateFunctionCodeCommand(input)),
+      updateFunctionConfiguration: (input) => client.send(new import_client_lambda.UpdateFunctionConfigurationCommand(input)),
+      // Waiters
+      waitUntilFunctionUpdated: (delaySeconds, input) => {
+        return (0, import_client_lambda.waitUntilFunctionUpdatedV2)(
+          {
+            client,
+            maxDelay: delaySeconds,
+            minDelay: delaySeconds,
+            maxWaitTime: delaySeconds * 60
+          },
+          input
+        );
+      }
+    };
+  }
+  route53() {
+    const client = new import_client_route_53.Route53Client(this.config);
+    return {
+      getHostedZone: (input) => client.send(new import_client_route_53.GetHostedZoneCommand(input)),
+      listHostedZones: (input) => client.send(new import_client_route_53.ListHostedZonesCommand(input)),
+      listHostedZonesByName: (input) => client.send(new import_client_route_53.ListHostedZonesByNameCommand(input))
+    };
+  }
+  s3() {
+    const client = new import_client_s3.S3Client(this.config);
+    return {
+      deleteObjects: (input) => client.send(new import_client_s3.DeleteObjectsCommand({
+        ...input,
+        ChecksumAlgorithm: "SHA256"
+      })),
+      deleteObjectTagging: (input) => client.send(new import_client_s3.DeleteObjectTaggingCommand(input)),
+      getBucketEncryption: (input) => client.send(new import_client_s3.GetBucketEncryptionCommand(input)),
+      getBucketLocation: (input) => client.send(new import_client_s3.GetBucketLocationCommand(input)),
+      getObject: (input) => client.send(new import_client_s3.GetObjectCommand(input)),
+      getObjectTagging: (input) => client.send(new import_client_s3.GetObjectTaggingCommand(input)),
+      listObjectsV2: (input) => client.send(new import_client_s3.ListObjectsV2Command(input)),
+      putObjectTagging: (input) => client.send(new import_client_s3.PutObjectTaggingCommand({
+        ...input,
+        ChecksumAlgorithm: "SHA256"
+      })),
+      upload: (input) => {
+        try {
+          const upload = new import_lib_storage.Upload({
+            client,
+            params: { ...input, ChecksumAlgorithm: "SHA256" }
+          });
+          return upload.done();
+        } catch (e) {
+          throw new AuthenticationError(`Upload failed: ${formatErrorMessage(e)}`);
+        }
+      }
+    };
+  }
+  secretsManager() {
+    const client = new import_client_secrets_manager.SecretsManagerClient(this.config);
+    return {
+      getSecretValue: (input) => client.send(new import_client_secrets_manager.GetSecretValueCommand(input))
+    };
+  }
+  ssm() {
+    const client = new import_client_ssm.SSMClient(this.config);
+    return {
+      getParameter: (input) => client.send(new import_client_ssm.GetParameterCommand(input))
+    };
+  }
+  stepFunctions() {
+    const client = new import_client_sfn.SFNClient(this.config);
+    return {
+      updateStateMachine: (input) => client.send(new import_client_sfn.UpdateStateMachineCommand(input))
+    };
+  }
+  /**
+   * The AWS SDK v3 requires a client config and a command in order to get an endpoint for
+   * any given service.
+   */
+  async getUrlSuffix(region) {
+    const cfn = new import_client_cloudformation.CloudFormationClient({ region });
+    const endpoint = await (0, import_middleware_endpoint.getEndpointFromInstructions)({}, import_client_cloudformation.DescribeStackResourcesCommand, { ...cfn.config });
+    return endpoint.url.hostname.split(`${region}.`).pop();
+  }
+  async currentAccount() {
+    return cachedAsync(this, CURRENT_ACCOUNT_KEY, async () => {
+      const creds = await this.credProvider();
+      return this.accountCache.fetch(creds.accessKeyId, async () => {
+        await this.debug("Looking up default account ID from STS");
+        const client = new import_client_sts.STSClient({
+          ...this.config,
+          retryStrategy: this.stsRetryStrategy
+        });
+        const command = new import_client_sts.GetCallerIdentityCommand({});
+        const result2 = await client.send(command);
+        const accountId = result2.Account;
+        const partition = result2.Arn.split(":")[1];
+        if (!accountId) {
+          throw new AuthenticationError("STS didn't return an account ID");
+        }
+        await this.debug(`Default account ID: ${accountId}`);
+        this._credentialsValidated = true;
+        return { accountId, partition };
+      });
+    });
+  }
+  /**
+   * Make sure the the current credentials are not expired
+   */
+  async validateCredentials() {
+    if (this._credentialsValidated) {
+      return;
+    }
+    const client = new import_client_sts.STSClient({ ...this.config, retryStrategy: this.stsRetryStrategy });
+    await client.send(new import_client_sts.GetCallerIdentityCommand({}));
+    this._credentialsValidated = true;
+  }
+};
+SDK = __decorateClass([
+  traceMemberMethods
+], SDK);
+var CURRENT_ACCOUNT_KEY = Symbol("current_account_key");
+
+// lib/api/aws-auth/sdk-provider.ts
+var os2 = __toESM(require("os"));
+var import_cx_api = require("@aws-cdk/cx-api");
+var import_credential_providers2 = require("@aws-sdk/credential-providers");
+
+// lib/api/aws-auth/awscli-compatible.ts
+var import_node_util = require("node:util");
+var import_credential_providers = require("@aws-sdk/credential-providers");
+var import_ec2_metadata_service = require("@aws-sdk/ec2-metadata-service");
+var import_shared_ini_file_loader = require("@smithy/shared-ini-file-loader");
+var promptly = __toESM(require("promptly"));
+
+// lib/api/aws-auth/provider-caching.ts
+var import_property_provider = require("@smithy/property-provider");
+function makeCachingProvider(provider) {
+  return (0, import_property_provider.memoize)(
+    provider,
+    credentialsAboutToExpire,
+    (token) => !!token.expiration
+  );
+}
+function credentialsAboutToExpire(token) {
+  const expiryMarginSecs = 5;
+  return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1e3;
+}
+
+// lib/api/aws-auth/awscli-compatible.ts
+var AwsCliCompatible = class {
+  ioHelper;
+  requestHandler;
+  logger;
+  constructor(ioHelper, requestHandler, logger) {
+    this.ioHelper = ioHelper;
+    this.requestHandler = requestHandler;
+    this.logger = logger;
+  }
+  async baseConfig(profile) {
+    const credentialProvider = await this.credentialChainBuilder({
+      profile,
+      logger: this.logger
+    });
+    const defaultRegion = await this.region(profile);
+    return { credentialProvider, defaultRegion };
+  }
+  /**
+   * Build an AWS CLI-compatible credential chain provider
+   *
+   * The credential chain returned by this function is always caching.
+   */
+  async credentialChainBuilder(options = {}) {
+    const clientConfig = {
+      requestHandler: this.requestHandler,
+      customUserAgent: "aws-cdk",
+      logger: options.logger
+    };
+    const parentClientConfig = {
+      region: await this.region(options.profile)
+    };
+    if (options.profile) {
+      return makeCachingProvider((0, import_credential_providers.fromIni)({
+        profile: options.profile,
+        ignoreCache: true,
+        mfaCodeProvider: this.tokenCodeFn.bind(this),
+        clientConfig,
+        parentClientConfig,
+        logger: options.logger
+      }));
+    }
+    const envProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
+    const nodeProviderChain = (0, import_credential_providers.fromNodeProviderChain)({
+      profile: envProfile,
+      clientConfig,
+      parentClientConfig,
+      logger: options.logger,
+      mfaCodeProvider: this.tokenCodeFn.bind(this),
+      ignoreCache: true
+    });
+    return shouldPrioritizeEnv() ? (0, import_credential_providers.createCredentialChain)((0, import_credential_providers.fromEnv)(), nodeProviderChain).expireAfter(60 * 6e4) : nodeProviderChain;
+  }
+  /**
+   * Attempts to get the region from a number of sources and falls back to us-east-1 if no region can be found,
+   * as is done in the AWS CLI.
+   *
+   * The order of priority is the following:
+   *
+   * 1. Environment variables specifying region, with both an AWS prefix and AMAZON prefix
+   *    to maintain backwards compatibility, and without `DEFAULT` in the name because
+   *    Lambda and CodeBuild set the $AWS_REGION variable.
+   * 2. Regions listed in the Shared Ini Files - First checking for the profile provided
+   *    and then checking for the default profile.
+   * 3. IMDS instance identity region from the Metadata Service.
+   * 4. us-east-1
+   */
+  async region(maybeProfile) {
+    const defaultRegion = "us-east-1";
+    const profile = maybeProfile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || "default";
+    const region = process.env.AWS_REGION || process.env.AMAZON_REGION || process.env.AWS_DEFAULT_REGION || process.env.AMAZON_DEFAULT_REGION || await this.getRegionFromIni(profile) || await this.regionFromMetadataService();
+    if (!region) {
+      const usedProfile = !profile ? "" : ` (profile: "${profile}")`;
+      await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(
+        `Unable to determine AWS region from environment or AWS configuration${usedProfile}, defaulting to '${defaultRegion}'`
+      ));
+      return defaultRegion;
+    }
+    return region;
+  }
+  /**
+   * The MetadataService class will attempt to fetch the instance identity document from
+   * IMDSv2 first, and then will attempt v1 as a fallback.
+   *
+   * If this fails, we will use us-east-1 as the region so no error should be thrown.
+   * @returns The region for the instance identity
+   */
+  async regionFromMetadataService() {
+    await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg("Looking up AWS region in the EC2 Instance Metadata Service (IMDS)."));
+    try {
+      const metadataService = new import_ec2_metadata_service.MetadataService({
+        httpOptions: {
+          timeout: 1e3
+        }
+      });
+      await metadataService.fetchMetadataToken();
+      const document = await metadataService.request("/latest/dynamic/instance-identity/document", {});
+      return JSON.parse(document).region;
+    } catch (e) {
+      await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(`Unable to retrieve AWS region from IMDS: ${e}`));
+    }
+  }
+  /**
+   * Looks up the region of the provided profile. If no region is present,
+   * it will attempt to lookup the default region.
+   * @param profile The profile to use to lookup the region
+   * @returns The region for the profile or default profile, if present. Otherwise returns undefined.
+   */
+  async getRegionFromIni(profile) {
+    const sharedFiles = await (0, import_shared_ini_file_loader.loadSharedConfigFiles)({ ignoreCache: true });
+    return this.getRegionFromIniFile(profile, sharedFiles.credentialsFile) ?? this.getRegionFromIniFile(profile, sharedFiles.configFile) ?? this.getRegionFromIniFile("default", sharedFiles.credentialsFile) ?? this.getRegionFromIniFile("default", sharedFiles.configFile);
+  }
+  getRegionFromIniFile(profile, data) {
+    return data?.[profile]?.region;
+  }
+  /**
+   * Ask user for MFA token for given serial
+   *
+   * Result is send to callback function for SDK to authorize the request
+   */
+  async tokenCodeFn(serialArn) {
+    const debugFn = (msg, ...args) => this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg((0, import_node_util.format)(msg, ...args)));
+    await debugFn("Require MFA token for serial ARN", serialArn);
+    try {
+      const token = await promptly.prompt(`MFA token for ${serialArn}: `, {
+        trim: true,
+        default: ""
+      });
+      await debugFn("Successfully got MFA token from user");
+      return token;
+    } catch (err) {
+      await debugFn("Failed to get MFA token", err);
+      const e = new AuthenticationError(`Error fetching MFA token: ${err.message ?? err}`);
+      e.name = "SharedIniFileCredentialsProviderFailure";
+      throw e;
+    }
+  }
+};
+function shouldPrioritizeEnv() {
+  const id = process.env.AWS_ACCESS_KEY_ID || process.env.AMAZON_ACCESS_KEY_ID;
+  const key = process.env.AWS_SECRET_ACCESS_KEY || process.env.AMAZON_SECRET_ACCESS_KEY;
+  if (!!id && !!key) {
+    process.env.AWS_ACCESS_KEY_ID = id;
+    process.env.AWS_SECRET_ACCESS_KEY = key;
+    const sessionToken = process.env.AWS_SESSION_TOKEN ?? process.env.AMAZON_SESSION_TOKEN;
+    if (sessionToken) {
+      process.env.AWS_SESSION_TOKEN = sessionToken;
+    }
+    return true;
+  }
+  return false;
+}
+
+// lib/api/aws-auth/credential-plugins.ts
+var import_util8 = require("util");
+var CredentialPlugins = class {
+  constructor(host, ioHelper) {
+    this.host = host;
+    this.ioHelper = ioHelper;
+  }
+  cache = {};
+  async fetchCredentialsFor(awsAccountId, mode) {
+    const key = `${awsAccountId}-${mode}`;
+    if (!(key in this.cache)) {
+      this.cache[key] = await this.lookupCredentials(awsAccountId, mode);
+    }
+    return this.cache[key];
+  }
+  get availablePluginNames() {
+    return this.host.credentialProviderSources.map((s) => s.name);
+  }
+  async lookupCredentials(awsAccountId, mode) {
+    const triedSources = [];
+    for (const source of this.host.credentialProviderSources) {
+      let available;
+      try {
+        available = await source.isAvailable();
+      } catch (e) {
+        await this.ioHelper.notify(IO.CDK_TOOLKIT_W0100.msg(`Uncaught exception in ${source.name}: ${formatErrorMessage(e)}`));
+        available = false;
+      }
+      if (!available) {
+        await this.ioHelper.notify(IO.DEFAULT_TOOLKIT_DEBUG.msg(`Credentials source ${source.name} is not available, ignoring it.`));
+        continue;
+      }
+      triedSources.push(source);
+      let canProvide;
+      try {
+        canProvide = await source.canProvideCredentials(awsAccountId);
+      } catch (e) {
+        await this.ioHelper.notify(IO.CDK_TOOLKIT_W0100.msg(`Uncaught exception in ${source.name}: ${formatErrorMessage(e)}`));
+        canProvide = false;
+      }
+      if (!canProvide) {
+        continue;
+      }
+      await this.ioHelper.notify(IO.DEFAULT_TOOLKIT_DEBUG.msg(`Using ${source.name} credentials for account ${awsAccountId}`));
+      return {
+        credentials: await v3ProviderFromPlugin(() => source.getProvider(awsAccountId, mode, {
+          supportsV3Providers: true
+        })),
+        pluginName: source.name
+      };
+    }
+    return void 0;
+  }
+};
+async function v3ProviderFromPlugin(producer) {
+  const initial = await producer();
+  if (isV3Provider(initial)) {
+    return makeCachingProvider(initial);
+  } else if (isV3Credentials(initial) && initial.expiration === void 0) {
+    return () => Promise.resolve(initial);
+  } else if (isV3Credentials(initial) && initial.expiration !== void 0) {
+    return refreshFromPluginProvider(initial, producer);
+  } else if (isV2Credentials(initial)) {
+    return v3ProviderFromV2Credentials(initial);
+  } else {
+    throw new AuthenticationError(`Plugin returned a value that doesn't resemble AWS credentials: ${(0, import_util8.inspect)(initial)}`);
+  }
+}
+function v3ProviderFromV2Credentials(x) {
+  return async () => {
+    await x.getPromise();
+    return {
+      accessKeyId: x.accessKeyId,
+      secretAccessKey: x.secretAccessKey,
+      sessionToken: x.sessionToken,
+      expiration: x.expireTime ?? void 0
+    };
+  };
+}
+function refreshFromPluginProvider(current, producer) {
+  return async () => {
+    if (credentialsAboutToExpire(current)) {
+      const newCreds = await producer();
+      if (!isV3Credentials(newCreds)) {
+        throw new AuthenticationError(`Plugin initially returned static V3 credentials but now returned something else: ${(0, import_util8.inspect)(newCreds)}`);
+      }
+      current = newCreds;
+    }
+    return current;
+  };
+}
+function isV3Provider(x) {
+  return typeof x === "function";
+}
+function isV2Credentials(x) {
+  return !!(x && typeof x === "object" && x.getPromise);
+}
+function isV3Credentials(x) {
+  return !!(x && typeof x === "object" && x.accessKeyId && !isV2Credentials(x));
+}
+
+// lib/api/aws-auth/sdk-provider.ts
+var CACHED_ACCOUNT = Symbol("cached_account");
+var SdkProvider = class {
+  /**
+   * Create a new SdkProvider which gets its defaults in a way that behaves like the AWS CLI does
+   *
+   * The AWS SDK for JS behaves slightly differently from the AWS CLI in a number of ways; see the
+   * class `AwsCliCompatible` for the details.
+   */
+  static async withAwsCliCompatibleDefaults(options) {
+    callTrace(SdkProvider.withAwsCliCompatibleDefaults.name, SdkProvider.constructor.name, options.logger);
+    const config = await new AwsCliCompatible(options.ioHelper, options.requestHandler ?? {}, options.logger).baseConfig(options.profile);
+    return new SdkProvider(config.credentialProvider, config.defaultRegion, options);
+  }
+  defaultRegion;
+  defaultCredentialProvider;
+  plugins;
+  requestHandler;
+  ioHelper;
+  logger;
+  constructor(defaultCredentialProvider, defaultRegion, services) {
+    this.defaultCredentialProvider = defaultCredentialProvider;
+    this.defaultRegion = defaultRegion ?? "us-east-1";
+    this.requestHandler = services.requestHandler ?? {};
+    this.ioHelper = services.ioHelper;
+    this.logger = services.logger;
+    this.plugins = new CredentialPlugins(services.pluginHost ?? new PluginHost(), this.ioHelper);
+  }
+  /**
+   * Return an SDK which can do operations in the given environment
+   *
+   * The `environment` parameter is resolved first (see `resolveEnvironment()`).
+   */
+  async forEnvironment(environment, mode, options, quiet = false) {
+    const env = await this.resolveEnvironment(environment);
+    const baseCreds = await this.obtainBaseCredentials(env.account, mode);
+    if (baseCreds.source === "none") {
+      throw new AuthenticationError(fmtObtainCredentialsError(env.account, baseCreds));
+    }
+    if (options?.assumeRoleArn === void 0) {
+      if (baseCreds.source === "incorrectDefault") {
+        throw new AuthenticationError(fmtObtainCredentialsError(env.account, baseCreds));
+      }
+      const sdk = this._makeSdk(baseCreds.credentials, env.region);
+      await sdk.validateCredentials();
+      return { sdk, didAssumeRole: false };
+    }
+    try {
+      const sdk = await this.withAssumedRole(
+        baseCreds,
+        options.assumeRoleArn,
+        options.assumeRoleExternalId,
+        options.assumeRoleAdditionalOptions,
+        env.region
+      );
+      return { sdk, didAssumeRole: true };
+    } catch (err) {
+      if (err.name === "ExpiredToken") {
+        throw err;
+      }
+      if (baseCreds.source === "correctDefault" || baseCreds.source === "plugin") {
+        await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(err.message));
+        const maker = quiet ? IO.DEFAULT_SDK_DEBUG : IO.DEFAULT_SDK_WARN;
+        await this.ioHelper.notify(maker.msg(
+          `${fmtObtainedCredentials(baseCreds)} could not be used to assume '${options.assumeRoleArn}', but are for the right account. Proceeding anyway.`
+        ));
+        return {
+          sdk: this._makeSdk(baseCreds.credentials, env.region),
+          didAssumeRole: false
+        };
+      }
+      throw err;
+    }
+  }
+  /**
+   * Return the partition that base credentials are for
+   *
+   * Returns `undefined` if there are no base credentials.
+   */
+  async baseCredentialsPartition(environment, mode) {
+    const env = await this.resolveEnvironment(environment);
+    const baseCreds = await this.obtainBaseCredentials(env.account, mode);
+    if (baseCreds.source === "none") {
+      return void 0;
+    }
+    return (await this._makeSdk(baseCreds.credentials, env.region).currentAccount()).partition;
+  }
+  /**
+   * Resolve the environment for a stack
+   *
+   * Replaces the magic values `UNKNOWN_REGION` and `UNKNOWN_ACCOUNT`
+   * with the defaults for the current SDK configuration (`~/.aws/config` or
+   * otherwise).
+   *
+   * It is an error if `UNKNOWN_ACCOUNT` is used but the user hasn't configured
+   * any SDK credentials.
+   */
+  async resolveEnvironment(env) {
+    const region = env.region !== import_cx_api.UNKNOWN_REGION ? env.region : this.defaultRegion;
+    const account = env.account !== import_cx_api.UNKNOWN_ACCOUNT ? env.account : (await this.defaultAccount())?.accountId;
+    if (!account) {
+      throw new AuthenticationError(
+        "Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment"
+      );
+    }
+    return {
+      region,
+      account,
+      name: import_cx_api.EnvironmentUtils.format(account, region)
+    };
+  }
+  /**
+   * The account we'd auth into if we used default credentials.
+   *
+   * Default credentials are the set of ambiently configured credentials using
+   * one of the environment variables, or ~/.aws/credentials, or the *one*
+   * profile that was passed into the CLI.
+   *
+   * Might return undefined if there are no default/ambient credentials
+   * available (in which case the user should better hope they have
+   * credential plugins configured).
+   *
+   * Uses a cache to avoid STS calls if we don't need 'em.
+   */
+  async defaultAccount() {
+    return cached(this, CACHED_ACCOUNT, async () => {
+      try {
+        return await this._makeSdk(this.defaultCredentialProvider, this.defaultRegion).currentAccount();
+      } catch (e) {
+        if (e.name === "ExpiredToken") {
+          await this.ioHelper.notify(IO.DEFAULT_SDK_WARN.msg(
+            "There are expired AWS credentials in your environment. The CDK app will synth without current account information."
+          ));
+          return void 0;
+        }
+        await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(`Unable to determine the default AWS account (${e.name}): ${formatErrorMessage(e)}`));
+        return void 0;
+      }
+    });
+  }
+  /**
+   * Get credentials for the given account ID in the given mode
+   *
+   * 1. Use the default credentials if the destination account matches the
+   *    current credentials' account.
+   * 2. Otherwise try all credential plugins.
+   * 3. Fail if neither of these yield any credentials.
+   * 4. Return a failure if any of them returned credentials
+   */
+  async obtainBaseCredentials(accountId, mode) {
+    const defaultAccountId = (await this.defaultAccount())?.accountId;
+    if (defaultAccountId === accountId) {
+      return {
+        source: "correctDefault",
+        credentials: await this.defaultCredentialProvider
+      };
+    }
+    const pluginCreds = await this.plugins.fetchCredentialsFor(accountId, mode);
+    if (pluginCreds) {
+      return { source: "plugin", ...pluginCreds };
+    }
+    if (defaultAccountId !== void 0) {
+      return {
+        source: "incorrectDefault",
+        accountId: defaultAccountId,
+        credentials: await this.defaultCredentialProvider,
+        unusedPlugins: this.plugins.availablePluginNames
+      };
+    }
+    return {
+      source: "none",
+      unusedPlugins: this.plugins.availablePluginNames
+    };
+  }
+  /**
+   * Return an SDK which uses assumed role credentials
+   *
+   * The base credentials used to retrieve the assumed role credentials will be the
+   * same credentials returned by obtainCredentials if an environment and mode is passed,
+   * otherwise it will be the current credentials.
+   */
+  async withAssumedRole(mainCredentials, roleArn, externalId, additionalOptions, region) {
+    await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(`Assuming role '${roleArn}'.`));
+    region = region ?? this.defaultRegion;
+    const sourceDescription = fmtObtainedCredentials(mainCredentials);
+    try {
+      const credentials = await makeCachingProvider((0, import_credential_providers2.fromTemporaryCredentials)({
+        masterCredentials: mainCredentials.credentials,
+        params: {
+          RoleArn: roleArn,
+          ExternalId: externalId,
+          RoleSessionName: `aws-cdk-${safeUsername()}`,
+          ...additionalOptions,
+          TransitiveTagKeys: additionalOptions?.Tags ? additionalOptions.Tags.map((t) => t.Key) : void 0
+        },
+        clientConfig: {
+          region,
+          requestHandler: this.requestHandler,
+          customUserAgent: "aws-cdk",
+          logger: this.logger
+        },
+        logger: this.logger
+      }));
+      await credentials();
+      return this._makeSdk(credentials, region);
+    } catch (err) {
+      if (err.name === "ExpiredToken") {
+        throw err;
+      }
+      await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(`Assuming role failed: ${err.message}`));
+      throw new AuthenticationError(
+        [
+          "Could not assume role in target account",
+          ...sourceDescription ? [`using ${sourceDescription}`] : [],
+          err.message,
+          ". Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI."
+        ].join(" ")
+      );
+    }
+  }
+  /**
+   * Factory function that creates a new SDK instance
+   *
+   * This is a function here, instead of all the places where this is used creating a `new SDK`
+   * instance, so that it is trivial to mock from tests.
+   *
+   * Use like this:
+   *
+   * ```ts
+   * const mockSdk = jest.spyOn(SdkProvider.prototype, '_makeSdk').mockReturnValue(new MockSdk());
+   * // ...
+   * mockSdk.mockRestore();
+   * ```
+   *
+   * @internal
+   */
+  _makeSdk(credProvider, region) {
+    return new SDK(credProvider, region, this.requestHandler, this.ioHelper, this.logger);
+  }
+};
+SdkProvider = __decorateClass([
+  traceMemberMethods
+], SdkProvider);
+function safeUsername() {
+  try {
+    return os2.userInfo().username.replace(/[^\w+=,.@-]/g, "@");
+  } catch {
+    return "noname";
+  }
+}
+function fmtObtainCredentialsError(targetAccountId, obtainResult) {
+  const msg = [`Need to perform AWS calls for account ${targetAccountId}`];
+  switch (obtainResult.source) {
+    case "incorrectDefault":
+      msg.push(`but the current credentials are for ${obtainResult.accountId}`);
+      break;
+    case "none":
+      msg.push("but no credentials have been configured");
+  }
+  if (obtainResult.unusedPlugins.length > 0) {
+    msg.push(`and none of these plugins found any: ${obtainResult.unusedPlugins.join(", ")}`);
+  }
+  return msg.join(", ");
+}
+function fmtObtainedCredentials(obtainResult) {
+  switch (obtainResult.source) {
+    case "correctDefault":
+      return "current credentials";
+    case "plugin":
+      return `credentials returned by plugin '${obtainResult.pluginName}'`;
+    case "incorrectDefault":
+      const msg = [];
+      msg.push(`current credentials (which are for account ${obtainResult.accountId}`);
+      if (obtainResult.unusedPlugins.length > 0) {
+        msg.push(`, and none of the following plugins provided credentials: ${obtainResult.unusedPlugins.join(", ")}`);
+      }
+      msg.push(")");
+      return msg.join("");
+  }
+}
+async function initContextProviderSdk(aws, options) {
+  const account = options.account;
+  const region = options.region;
+  const creds = {
+    assumeRoleArn: options.lookupRoleArn,
+    assumeRoleExternalId: options.lookupRoleExternalId,
+    assumeRoleAdditionalOptions: options.assumeRoleAdditionalOptions
+  };
+  return (await aws.forEnvironment(import_cx_api.EnvironmentUtils.make(account, region), 0 /* ForReading */, creds)).sdk;
+}
+
+// lib/context-providers/index.ts
+var cxschema2 = __toESM(require("@aws-cdk/cloud-assembly-schema"));
+var cxapi2 = __toESM(require("@aws-cdk/cx-api"));
+
+// lib/context-providers/ami.ts
+var AmiContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const region = args.region;
+    const account = args.account;
+    await this.io.info(`Searching for AMI in ${account}:${region}`);
+    await this.io.debug(`AMI search parameters: ${JSON.stringify(args)}`);
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeImages({
+      Owners: args.owners,
+      Filters: Object.entries(args.filters).map(([key, values]) => ({
+        Name: key,
+        Values: values
+      }))
+    });
+    const images = [...response.Images || []].filter((i) => i.ImageId !== void 0);
+    if (images.length === 0) {
+      throw new ContextProviderError("No AMI found that matched the search criteria");
+    }
+    images.sort(descending((i) => Date.parse(i.CreationDate || "1970")));
+    await this.io.debug(`Selected image '${images[0].ImageId}' created at '${images[0].CreationDate}'`);
+    return images[0].ImageId;
+  }
+};
+function descending(valueOf) {
+  return (a, b) => {
+    return valueOf(b) - valueOf(a);
+  };
+}
+
+// lib/context-providers/availability-zones.ts
+var AZContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const region = args.region;
+    const account = args.account;
+    await this.io.debug(`Reading AZs for ${account}:${region}`);
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeAvailabilityZones({});
+    if (!response.AvailabilityZones) {
+      return [];
+    }
+    const azs = response.AvailabilityZones.filter((zone) => zone.State === "available").map(
+      (zone) => zone.ZoneName
+    );
+    return azs;
+  }
+};
+
+// lib/context-providers/cc-api-provider.ts
+var import_client_cloudcontrol2 = require("@aws-sdk/client-cloudcontrol");
+var CcApiContextProviderPlugin = class {
+  constructor(aws) {
+    this.aws = aws;
+  }
+  /**
+   * This returns a data object with the value from CloudControl API result.
+   *
+   * See the documentation in the Cloud Assembly Schema for the semantics of
+   * each query parameter.
+   */
+  async getValue(args) {
+    if (args.exactIdentifier && args.propertyMatch) {
+      throw new ContextProviderError(`Provider protocol error: specify either exactIdentifier or propertyMatch, but not both (got ${JSON.stringify(args)})`);
+    }
+    if (args.ignoreErrorOnMissingContext && args.dummyValue === void 0) {
+      throw new ContextProviderError(`Provider protocol error: if ignoreErrorOnMissingContext is set, a dummyValue must be supplied (got ${JSON.stringify(args)})`);
+    }
+    if (args.dummyValue !== void 0 && (!Array.isArray(args.dummyValue) || !args.dummyValue.every(isObject2))) {
+      throw new ContextProviderError(`Provider protocol error: dummyValue must be an array of objects (got ${JSON.stringify(args.dummyValue)})`);
+    }
+    const cloudControl = (await initContextProviderSdk(this.aws, args)).cloudControl();
+    try {
+      let resources;
+      if (args.exactIdentifier) {
+        resources = await this.getResource(cloudControl, args.typeName, args.exactIdentifier);
+      } else if (args.propertyMatch) {
+        resources = await this.listResources(cloudControl, args.typeName, args.propertyMatch, args.expectedMatchCount);
+      } else {
+        throw new ContextProviderError(`Provider protocol error: neither exactIdentifier nor propertyMatch is specified in ${JSON.stringify(args)}.`);
+      }
+      return resources.map((r) => getResultObj(r.properties, r.identifier, args.propertiesToReturn));
+    } catch (err) {
+      if (err instanceof ZeroResourcesFoundError && args.ignoreErrorOnMissingContext) {
+        return args.dummyValue;
+      }
+      throw err;
+    }
+  }
+  /**
+   * Calls getResource from CC API to get the resource.
+   * See https://docs.aws.amazon.com/cli/latest/reference/cloudcontrol/get-resource.html
+   *
+   * Will always return exactly one resource, or fail.
+   */
+  async getResource(cc, typeName, exactIdentifier) {
+    try {
+      const result2 = await cc.getResource({
+        TypeName: typeName,
+        Identifier: exactIdentifier
+      });
+      if (!result2.ResourceDescription) {
+        throw new ContextProviderError("Unexpected CloudControl API behavior: returned empty response");
+      }
+      return [foundResourceFromCcApi(result2.ResourceDescription)];
+    } catch (err) {
+      if (err instanceof import_client_cloudcontrol2.ResourceNotFoundException || err.name === "ResourceNotFoundException") {
+        throw new ZeroResourcesFoundError(`No resource of type ${typeName} with identifier: ${exactIdentifier}`);
+      }
+      if (!(err instanceof ContextProviderError)) {
+        throw new ContextProviderError(`Encountered CC API error while getting ${typeName} resource ${exactIdentifier}: ${err.message}`);
+      }
+      throw err;
+    }
+  }
+  /**
+   * Calls listResources from CC API to get the resources and apply args.propertyMatch to find the resources.
+   * See https://docs.aws.amazon.com/cli/latest/reference/cloudcontrol/list-resources.html
+   *
+   * Will return 0 or more resources.
+   *
+   * Does not currently paginate through more than one result page.
+   */
+  async listResources(cc, typeName, propertyMatch, expectedMatchCount) {
+    try {
+      const result2 = await cc.listResources({
+        TypeName: typeName
+      });
+      const found = (result2.ResourceDescriptions ?? []).map(foundResourceFromCcApi).filter((r) => {
+        return Object.entries(propertyMatch).every(([propPath, expected]) => {
+          const actual = findJsonValue(r.properties, propPath);
+          return propertyMatchesFilter(actual, expected);
+        });
+      });
+      if ((expectedMatchCount === "at-least-one" || expectedMatchCount === "exactly-one") && found.length === 0) {
+        throw new ZeroResourcesFoundError(`Could not find any resources matching ${JSON.stringify(propertyMatch)}`);
+      }
+      if ((expectedMatchCount === "at-most-one" || expectedMatchCount === "exactly-one") && found.length > 1) {
+        throw new ContextProviderError(`Found ${found.length} resources matching ${JSON.stringify(propertyMatch)}; please narrow the search criteria`);
+      }
+      return found;
+    } catch (err) {
+      if (!(err instanceof ContextProviderError) && !(err instanceof ZeroResourcesFoundError)) {
+        throw new ContextProviderError(`Encountered CC API error while listing ${typeName} resources matching ${JSON.stringify(propertyMatch)}: ${err.message}`);
+      }
+      throw err;
+    }
+  }
+};
+function foundResourceFromCcApi(desc) {
+  return {
+    identifier: desc.Identifier ?? "*MISSING*",
+    properties: JSON.parse(desc.Properties ?? "{}")
+  };
+}
+function propertyMatchesFilter(actual, expected) {
+  return expected === actual;
+}
+function isObject2(x) {
+  return typeof x === "object" && x !== null && !Array.isArray(x);
+}
+var ZeroResourcesFoundError = class extends Error {
+};
+
+// lib/context-providers/endpoint-service-availability-zones.ts
+var EndpointServiceAZContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const region = args.region;
+    const account = args.account;
+    const serviceName = args.serviceName;
+    await this.io.debug(`Reading AZs for ${account}:${region}:${serviceName}`);
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeVpcEndpointServices({
+      ServiceNames: [serviceName]
+    });
+    if (!response.ServiceDetails || response.ServiceDetails.length === 0) {
+      await this.io.debug(`Could not retrieve service details for ${account}:${region}:${serviceName}`);
+      return [];
+    }
+    const azs = response.ServiceDetails[0].AvailabilityZones;
+    await this.io.debug(`Endpoint service ${account}:${region}:${serviceName} is available in availability zones ${azs}`);
+    return azs;
+  }
+};
+
+// lib/context-providers/hosted-zones.ts
+var HostedZoneContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const account = args.account;
+    const region = args.region;
+    if (!this.isHostedZoneQuery(args)) {
+      throw new ContextProviderError(`HostedZoneProvider requires domainName property to be set in ${args}`);
+    }
+    const domainName = args.domainName;
+    await this.io.debug(`Reading hosted zone ${account}:${region}:${domainName}`);
+    const r53 = (await initContextProviderSdk(this.aws, args)).route53();
+    const response = await r53.listHostedZonesByName({ DNSName: domainName });
+    if (!response.HostedZones) {
+      throw new ContextProviderError(`Hosted Zone not found in account ${account}, region ${region}: ${domainName}`);
+    }
+    const candidateZones = await this.filterZones(r53, response.HostedZones, args);
+    if (candidateZones.length !== 1) {
+      const filteProps = `dns:${domainName}, privateZone:${args.privateZone}, vpcId:${args.vpcId}`;
+      throw new ContextProviderError(`Found zones: ${JSON.stringify(candidateZones)} for ${filteProps}, but wanted exactly 1 zone`);
+    }
+    return {
+      Id: candidateZones[0].Id,
+      Name: candidateZones[0].Name
+    };
+  }
+  async filterZones(r53, zones, props) {
+    let candidates = [];
+    const domainName = props.domainName.endsWith(".") ? props.domainName : `${props.domainName}.`;
+    await this.io.debug(`Found the following zones ${JSON.stringify(zones)}`);
+    candidates = zones.filter((zone) => zone.Name === domainName);
+    await this.io.debug(`Found the following matched name zones ${JSON.stringify(candidates)}`);
+    if (props.privateZone) {
+      candidates = candidates.filter((zone) => zone.Config && zone.Config.PrivateZone);
+    } else {
+      candidates = candidates.filter((zone) => !zone.Config || !zone.Config.PrivateZone);
+    }
+    if (props.vpcId) {
+      const vpcZones = [];
+      for (const zone of candidates) {
+        const data = await r53.getHostedZone({ Id: zone.Id });
+        if (!data.VPCs) {
+          await this.io.debug(`Expected VPC for private zone but no VPC found ${zone.Id}`);
+          continue;
+        }
+        if (data.VPCs.map((vpc) => vpc.VPCId).includes(props.vpcId)) {
+          vpcZones.push(zone);
+        }
+      }
+      return vpcZones;
+    }
+    return candidates;
+  }
+  isHostedZoneQuery(props) {
+    return props.domainName !== void 0;
+  }
+};
+
+// lib/context-providers/keys.ts
+var KeyContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const kms = (await initContextProviderSdk(this.aws, args)).kms();
+    const aliasListEntry = await this.findKey(kms, args);
+    return this.readKeyProps(aliasListEntry, args);
+  }
+  // TODO: use paginator function
+  async findKey(kms, args) {
+    await this.io.debug(`Listing keys in ${args.account}:${args.region}`);
+    let response;
+    let nextMarker;
+    do {
+      response = await kms.listAliases({
+        Marker: nextMarker
+      });
+      const aliases = response.Aliases || [];
+      for (const alias of aliases) {
+        if (alias.AliasName == args.aliasName) {
+          return alias;
+        }
+      }
+      nextMarker = response.NextMarker;
+    } while (nextMarker);
+    const suppressError = "ignoreErrorOnMissingContext" in args && args.ignoreErrorOnMissingContext;
+    const hasDummyKeyId = "dummyValue" in args && typeof args.dummyValue === "object" && args.dummyValue !== null && "keyId" in args.dummyValue;
+    if (suppressError && hasDummyKeyId) {
+      const keyId = args.dummyValue.keyId;
+      return { TargetKeyId: keyId };
+    }
+    throw new ContextProviderError(`Could not find any key with alias named ${args.aliasName}`);
+  }
+  async readKeyProps(alias, args) {
+    if (!alias.TargetKeyId) {
+      throw new ContextProviderError(`Could not find any key with alias named ${args.aliasName}`);
+    }
+    await this.io.debug(`Key found ${alias.TargetKeyId}`);
+    return {
+      keyId: alias.TargetKeyId
+    };
+  }
+};
+
+// lib/context-providers/load-balancers.ts
+var import_cx_api2 = require("@aws-cdk/cx-api");
+var LoadBalancerContextProviderPlugin = class {
+  constructor(aws) {
+    this.aws = aws;
+  }
+  async getValue(query) {
+    if (!query.loadBalancerArn && !query.loadBalancerTags) {
+      throw new ContextProviderError("The load balancer lookup query must specify either `loadBalancerArn` or `loadBalancerTags`");
+    }
+    const loadBalancer = await (await LoadBalancerProvider.getClient(this.aws, query)).getLoadBalancer();
+    const ipAddressType = loadBalancer.IpAddressType === "ipv4" ? import_cx_api2.LoadBalancerIpAddressType.IPV4 : import_cx_api2.LoadBalancerIpAddressType.DUAL_STACK;
+    return {
+      loadBalancerArn: loadBalancer.LoadBalancerArn,
+      loadBalancerCanonicalHostedZoneId: loadBalancer.CanonicalHostedZoneId,
+      loadBalancerDnsName: loadBalancer.DNSName,
+      vpcId: loadBalancer.VpcId,
+      securityGroupIds: loadBalancer.SecurityGroups ?? [],
+      ipAddressType
+    };
+  }
+};
+var LoadBalancerListenerContextProviderPlugin = class {
+  constructor(aws) {
+    this.aws = aws;
+  }
+  async getValue(query) {
+    if (!query.listenerArn && !query.loadBalancerArn && !query.loadBalancerTags) {
+      throw new ContextProviderError(
+        "The load balancer listener query must specify at least one of: `listenerArn`, `loadBalancerArn` or `loadBalancerTags`"
+      );
+    }
+    return (await LoadBalancerProvider.getClient(this.aws, query)).getListener();
+  }
+};
+var LoadBalancerProvider = class _LoadBalancerProvider {
+  constructor(client, filter, listener) {
+    this.client = client;
+    this.filter = filter;
+    this.listener = listener;
+  }
+  static async getClient(aws, query) {
+    const client = (await initContextProviderSdk(aws, query)).elbv2();
+    try {
+      const listener = query.listenerArn ? (
+        // Assert we're sure there's at least one so it throws if not
+        (await client.describeListeners({ ListenerArns: [query.listenerArn] })).Listeners[0]
+      ) : void 0;
+      return new _LoadBalancerProvider(
+        client,
+        { ...query, loadBalancerArn: listener?.LoadBalancerArn || query.loadBalancerArn },
+        listener
+      );
+    } catch (err) {
+      throw new ContextProviderError(`No load balancer listeners found matching arn ${query.listenerArn}`);
+    }
+  }
+  async getLoadBalancer() {
+    const loadBalancers = await this.getLoadBalancers();
+    if (loadBalancers.length === 0) {
+      throw new ContextProviderError(`No load balancers found matching ${JSON.stringify(this.filter)}`);
+    }
+    if (loadBalancers.length > 1) {
+      throw new ContextProviderError(
+        `Multiple load balancers found matching ${JSON.stringify(this.filter)} - please provide more specific criteria`
+      );
+    }
+    return loadBalancers[0];
+  }
+  async getListener() {
+    if (this.listener) {
+      try {
+        const loadBalancer = await this.getLoadBalancer();
+        return {
+          listenerArn: this.listener.ListenerArn,
+          listenerPort: this.listener.Port,
+          securityGroupIds: loadBalancer.SecurityGroups || []
+        };
+      } catch (err) {
+        throw new ContextProviderError(`No associated load balancer found for listener arn ${this.filter.listenerArn}`);
+      }
+    }
+    const loadBalancers = await this.getLoadBalancers();
+    if (loadBalancers.length === 0) {
+      throw new ContextProviderError(
+        `No associated load balancers found for load balancer listener query ${JSON.stringify(this.filter)}`
+      );
+    }
+    const listeners = (await this.getListenersForLoadBalancers(loadBalancers)).filter((listener) => {
+      return (!this.filter.listenerPort || listener.Port === this.filter.listenerPort) && (!this.filter.listenerProtocol || listener.Protocol === this.filter.listenerProtocol);
+    });
+    if (listeners.length === 0) {
+      throw new ContextProviderError(`No load balancer listeners found matching ${JSON.stringify(this.filter)}`);
+    }
+    if (listeners.length > 1) {
+      throw new ContextProviderError(
+        `Multiple load balancer listeners found matching ${JSON.stringify(this.filter)} - please provide more specific criteria`
+      );
+    }
+    return {
+      listenerArn: listeners[0].ListenerArn,
+      listenerPort: listeners[0].Port,
+      securityGroupIds: loadBalancers.find((lb) => listeners[0].LoadBalancerArn === lb.LoadBalancerArn)?.SecurityGroups || []
+    };
+  }
+  async getLoadBalancers() {
+    const loadBalancerArns = this.filter.loadBalancerArn ? [this.filter.loadBalancerArn] : void 0;
+    const loadBalancers = (await this.client.paginateDescribeLoadBalancers({
+      LoadBalancerArns: loadBalancerArns
+    })).filter((lb) => lb.Type === this.filter.loadBalancerType);
+    return this.filterByTags(loadBalancers);
+  }
+  async filterByTags(loadBalancers) {
+    if (!this.filter.loadBalancerTags) {
+      return loadBalancers;
+    }
+    return (await this.describeTags(loadBalancers.map((lb) => lb.LoadBalancerArn))).filter((tagDescription) => {
+      return this.filter.loadBalancerTags.every((filter) => {
+        return tagDescription.Tags?.some((tag) => filter.key === tag.Key && filter.value === tag.Value);
+      });
+    }).flatMap((tag) => loadBalancers.filter((loadBalancer) => tag.ResourceArn === loadBalancer.LoadBalancerArn));
+  }
+  /**
+   * Returns tag descriptions associated with the resources. The API doesn't support
+   * pagination, so this function breaks the resource list into chunks and issues
+   * the appropriate requests.
+   */
+  async describeTags(resourceArns) {
+    const chunkSize = 20;
+    const tags = Array();
+    for (let i = 0; i < resourceArns.length; i += chunkSize) {
+      const chunk = resourceArns.slice(i, Math.min(i + chunkSize, resourceArns.length));
+      const chunkTags = await this.client.describeTags({
+        ResourceArns: chunk
+      });
+      tags.push(...chunkTags.TagDescriptions || []);
+    }
+    return tags;
+  }
+  async getListenersForLoadBalancers(loadBalancers) {
+    const listeners = [];
+    for (const loadBalancer of loadBalancers.map((lb) => lb.LoadBalancerArn)) {
+      listeners.push(...await this.client.paginateDescribeListeners({ LoadBalancerArn: loadBalancer }));
+    }
+    return listeners;
+  }
+};
+
+// lib/context-providers/security-groups.ts
+var SecurityGroupContextProviderPlugin = class {
+  constructor(aws) {
+    this.aws = aws;
+  }
+  async getValue(args) {
+    if (args.securityGroupId && args.securityGroupName) {
+      throw new ContextProviderError(
+        "'securityGroupId' and 'securityGroupName' can not be specified both when looking up a security group"
+      );
+    }
+    if (!args.securityGroupId && !args.securityGroupName) {
+      throw new ContextProviderError("'securityGroupId' or 'securityGroupName' must be specified to look up a security group");
+    }
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const filters = [];
+    if (args.vpcId) {
+      filters.push({
+        Name: "vpc-id",
+        Values: [args.vpcId]
+      });
+    }
+    if (args.securityGroupName) {
+      filters.push({
+        Name: "group-name",
+        Values: [args.securityGroupName]
+      });
+    }
+    const response = await ec2.describeSecurityGroups({
+      GroupIds: args.securityGroupId ? [args.securityGroupId] : void 0,
+      Filters: filters.length > 0 ? filters : void 0
+    });
+    const securityGroups = response.SecurityGroups ?? [];
+    if (securityGroups.length === 0) {
+      throw new ContextProviderError(`No security groups found matching ${JSON.stringify(args)}`);
+    }
+    if (securityGroups.length > 1) {
+      throw new ContextProviderError(`More than one security groups found matching ${JSON.stringify(args)}`);
+    }
+    const [securityGroup] = securityGroups;
+    return {
+      securityGroupId: securityGroup.GroupId,
+      allowAllOutbound: hasAllTrafficEgress(securityGroup)
+    };
+  }
+};
+function hasAllTrafficEgress(securityGroup) {
+  let hasAllTrafficCidrV4 = false;
+  let hasAllTrafficCidrV6 = false;
+  for (const ipPermission of securityGroup.IpPermissionsEgress ?? []) {
+    const isAllProtocols = ipPermission.IpProtocol === "-1";
+    if (isAllProtocols && ipPermission.IpRanges?.some((m) => m.CidrIp === "0.0.0.0/0")) {
+      hasAllTrafficCidrV4 = true;
+    }
+    if (isAllProtocols && ipPermission.Ipv6Ranges?.some((m) => m.CidrIpv6 === "::/0")) {
+      hasAllTrafficCidrV6 = true;
+    }
+  }
+  return hasAllTrafficCidrV4 && hasAllTrafficCidrV6;
+}
+
+// lib/context-providers/ssm-parameters.ts
+var SSMContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const region = args.region;
+    const account = args.account;
+    if (!("parameterName" in args)) {
+      throw new ContextProviderError("parameterName must be provided in props for SSMContextProviderPlugin");
+    }
+    const parameterName = args.parameterName;
+    await this.io.debug(`Reading SSM parameter ${account}:${region}:${parameterName}`);
+    const response = await this.getSsmParameterValue(args);
+    const parameterNotFound = !response.Parameter || response.Parameter.Value === void 0;
+    const suppressError = "ignoreErrorOnMissingContext" in args && args.ignoreErrorOnMissingContext;
+    if (parameterNotFound && suppressError && "dummyValue" in args) {
+      return args.dummyValue;
+    }
+    if (parameterNotFound) {
+      throw new ContextProviderError(`SSM parameter not available in account ${account}, region ${region}: ${parameterName}`);
+    }
+    return response.Parameter.Value;
+  }
+  /**
+   * Gets the value of an SSM Parameter, while not throwin if the parameter does not exist.
+   * @param account       the account in which the SSM Parameter is expected to be.
+   * @param region        the region in which the SSM Parameter is expected to be.
+   * @param parameterName the name of the SSM Parameter
+   * @param lookupRoleArn the ARN of the lookup role.
+   *
+   * @returns the result of the ``GetParameter`` operation.
+   *
+   * @throws Error if a service error (other than ``ParameterNotFound``) occurs.
+   */
+  async getSsmParameterValue(args) {
+    const ssm = (await initContextProviderSdk(this.aws, args)).ssm();
+    try {
+      return await ssm.getParameter({ Name: args.parameterName });
+    } catch (e) {
+      if (e.name === "ParameterNotFound") {
+        return { $metadata: {} };
+      }
+      throw e;
+    }
+  }
+};
+
+// lib/context-providers/vpcs.ts
+var import_cx_api3 = require("@aws-cdk/cx-api");
+var VpcNetworkContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const vpcId = await this.findVpc(ec2, args);
+    return this.readVpcProps(ec2, vpcId, args);
+  }
+  async findVpc(ec2, args) {
+    const filters = Object.entries(args.filter).map(([tag, value]) => ({ Name: tag, Values: [value] }));
+    await this.io.debug(`Listing VPCs in ${args.account}:${args.region}`);
+    const response = await ec2.describeVpcs({ Filters: filters });
+    const vpcs = response.Vpcs || [];
+    if (vpcs.length === 0) {
+      throw new ContextProviderError(`Could not find any VPCs matching ${JSON.stringify(args)}`);
+    }
+    if (vpcs.length > 1) {
+      throw new ContextProviderError(`Found ${vpcs.length} VPCs matching ${JSON.stringify(args)}; please narrow the search criteria`);
+    }
+    return vpcs[0];
+  }
+  async readVpcProps(ec2, vpc, args) {
+    const vpcId = vpc.VpcId;
+    await this.io.debug(`Describing VPC ${vpcId}`);
+    const filters = { Filters: [{ Name: "vpc-id", Values: [vpcId] }] };
+    const subnetsResponse = await ec2.describeSubnets(filters);
+    const listedSubnets = subnetsResponse.Subnets || [];
+    const routeTablesResponse = await ec2.describeRouteTables(filters);
+    const routeTables = new RouteTables(routeTablesResponse.RouteTables || []);
+    const azs = Array.from(new Set(listedSubnets.map((s) => s.AvailabilityZone)));
+    azs.sort();
+    const subnets = listedSubnets.map((subnet) => {
+      let type = getTag("aws-cdk:subnet-type", subnet.Tags);
+      if (type === void 0 && subnet.MapPublicIpOnLaunch) {
+        type = "Public" /* Public */;
+      }
+      if (type === void 0 && routeTables.hasRouteToIgw(subnet.SubnetId)) {
+        type = "Public" /* Public */;
+      }
+      if (type === void 0 && routeTables.hasRouteToNatGateway(subnet.SubnetId)) {
+        type = "Private" /* Private */;
+      }
+      if (type === void 0 && routeTables.hasRouteToTransitGateway(subnet.SubnetId)) {
+        type = "Private" /* Private */;
+      }
+      if (type === void 0) {
+        type = "Isolated" /* Isolated */;
+      }
+      if (!isValidSubnetType(type)) {
+        throw new ContextProviderError(
+          `Subnet ${subnet.SubnetArn} has invalid subnet type ${type} (must be ${"Public" /* Public */}, ${"Private" /* Private */} or ${"Isolated" /* Isolated */})`
+        );
+      }
+      if (args.subnetGroupNameTag && !getTag(args.subnetGroupNameTag, subnet.Tags)) {
+        throw new ContextProviderError(
+          `Invalid subnetGroupNameTag: Subnet ${subnet.SubnetArn} does not have an associated tag with Key='${args.subnetGroupNameTag}'`
+        );
+      }
+      const name = getTag(args.subnetGroupNameTag || "aws-cdk:subnet-name", subnet.Tags) || type;
+      const routeTableId = routeTables.routeTableIdForSubnetId(subnet.SubnetId);
+      if (!routeTableId) {
+        throw new ContextProviderError(
+          `Subnet ${subnet.SubnetArn} does not have an associated route table (and there is no "main" table)`
+        );
+      }
+      return {
+        az: subnet.AvailabilityZone,
+        cidr: subnet.CidrBlock,
+        type,
+        name,
+        subnetId: subnet.SubnetId,
+        routeTableId
+      };
+    });
+    let grouped;
+    let assymetricSubnetGroups;
+    if (args.returnAsymmetricSubnets) {
+      grouped = { azs: [], groups: [] };
+      assymetricSubnetGroups = groupAsymmetricSubnets(subnets);
+    } else {
+      grouped = groupSubnets(subnets);
+      assymetricSubnetGroups = void 0;
+    }
+    const vpnGatewayResponse = args.returnVpnGateways ?? true ? await ec2.describeVpnGateways({
+      Filters: [
+        {
+          Name: "attachment.vpc-id",
+          Values: [vpcId]
+        },
+        {
+          Name: "attachment.state",
+          Values: ["attached"]
+        },
+        {
+          Name: "state",
+          Values: ["available"]
+        }
+      ]
+    }) : void 0;
+    const vpnGatewayId = vpnGatewayResponse?.VpnGateways?.length === 1 ? vpnGatewayResponse.VpnGateways[0].VpnGatewayId : void 0;
+    return {
+      vpcId,
+      vpcCidrBlock: vpc.CidrBlock,
+      ownerAccountId: vpc.OwnerId,
+      availabilityZones: grouped.azs,
+      isolatedSubnetIds: collapse(
+        flatMap(findGroups("Isolated" /* Isolated */, grouped), (group) => group.subnets.map((s) => s.subnetId))
+      ),
+      isolatedSubnetNames: collapse(
+        flatMap(findGroups("Isolated" /* Isolated */, grouped), (group) => group.name ? [group.name] : [])
+      ),
+      isolatedSubnetRouteTableIds: collapse(
+        flatMap(findGroups("Isolated" /* Isolated */, grouped), (group) => group.subnets.map((s) => s.routeTableId))
+      ),
+      privateSubnetIds: collapse(
+        flatMap(findGroups("Private" /* Private */, grouped), (group) => group.subnets.map((s) => s.subnetId))
+      ),
+      privateSubnetNames: collapse(
+        flatMap(findGroups("Private" /* Private */, grouped), (group) => group.name ? [group.name] : [])
+      ),
+      privateSubnetRouteTableIds: collapse(
+        flatMap(findGroups("Private" /* Private */, grouped), (group) => group.subnets.map((s) => s.routeTableId))
+      ),
+      publicSubnetIds: collapse(
+        flatMap(findGroups("Public" /* Public */, grouped), (group) => group.subnets.map((s) => s.subnetId))
+      ),
+      publicSubnetNames: collapse(
+        flatMap(findGroups("Public" /* Public */, grouped), (group) => group.name ? [group.name] : [])
+      ),
+      publicSubnetRouteTableIds: collapse(
+        flatMap(findGroups("Public" /* Public */, grouped), (group) => group.subnets.map((s) => s.routeTableId))
+      ),
+      vpnGatewayId,
+      subnetGroups: assymetricSubnetGroups
+    };
+  }
+};
+var RouteTables = class {
+  constructor(tables) {
+    this.tables = tables;
+    this.mainRouteTable = this.tables.find(
+      (table) => !!table.Associations && table.Associations.some((assoc) => !!assoc.Main)
+    );
+  }
+  mainRouteTable;
+  routeTableIdForSubnetId(subnetId) {
+    const table = this.tableForSubnet(subnetId);
+    return table && table.RouteTableId || this.mainRouteTable && this.mainRouteTable.RouteTableId;
+  }
+  /**
+   * Whether the given subnet has a route to a NAT Gateway
+   */
+  hasRouteToNatGateway(subnetId) {
+    const table = this.tableForSubnet(subnetId) || this.mainRouteTable;
+    return !!table && !!table.Routes && table.Routes.some((route) => !!route.NatGatewayId && route.DestinationCidrBlock === "0.0.0.0/0");
+  }
+  /**
+   * Whether the given subnet has a route to a Transit Gateway
+   */
+  hasRouteToTransitGateway(subnetId) {
+    const table = this.tableForSubnet(subnetId) || this.mainRouteTable;
+    return !!table && !!table.Routes && table.Routes.some((route) => !!route.TransitGatewayId && route.DestinationCidrBlock === "0.0.0.0/0");
+  }
+  /**
+   * Whether the given subnet has a route to an IGW
+   */
+  hasRouteToIgw(subnetId) {
+    const table = this.tableForSubnet(subnetId) || this.mainRouteTable;
+    return !!table && !!table.Routes && table.Routes.some((route) => !!route.GatewayId && route.GatewayId.startsWith("igw-"));
+  }
+  tableForSubnet(subnetId) {
+    return this.tables.find(
+      (table) => !!table.Associations && table.Associations.some((assoc) => assoc.SubnetId === subnetId)
+    );
+  }
+};
+function getTag(name, tags) {
+  for (const tag of tags || []) {
+    if (tag.Key === name) {
+      return tag.Value;
+    }
+  }
+  return void 0;
+}
+function groupSubnets(subnets) {
+  const grouping = {};
+  for (const subnet of subnets) {
+    const key = [subnet.type, subnet.name].toString();
+    if (!(key in grouping)) {
+      grouping[key] = [];
+    }
+    grouping[key].push(subnet);
+  }
+  const groups = Object.values(grouping).map((sns) => {
+    sns.sort((a, b) => a.az.localeCompare(b.az));
+    return {
+      type: sns[0].type,
+      name: sns[0].name,
+      subnets: sns
+    };
+  });
+  const azs = groups[0].subnets.map((s) => s.az);
+  for (const group of groups) {
+    const groupAZs = group.subnets.map((s) => s.az);
+    if (!arraysEqual(groupAZs, azs)) {
+      throw new ContextProviderError(`Not all subnets in VPC have the same AZs: ${groupAZs} vs ${azs}`);
+    }
+  }
+  return { azs, groups };
+}
+function groupAsymmetricSubnets(subnets) {
+  const grouping = {};
+  for (const subnet of subnets) {
+    const key = [subnet.type, subnet.name].toString();
+    if (!(key in grouping)) {
+      grouping[key] = [];
+    }
+    grouping[key].push(subnet);
+  }
+  return Object.values(grouping).map((subnetArray) => {
+    subnetArray.sort((subnet1, subnet2) => subnet1.az.localeCompare(subnet2.az));
+    return {
+      name: subnetArray[0].name,
+      type: subnetTypeToVpcSubnetType(subnetArray[0].type),
+      subnets: subnetArray.map((subnet) => ({
+        subnetId: subnet.subnetId,
+        cidr: subnet.cidr,
+        availabilityZone: subnet.az,
+        routeTableId: subnet.routeTableId
+      }))
+    };
+  });
+}
+function subnetTypeToVpcSubnetType(type) {
+  switch (type) {
+    case "Isolated" /* Isolated */:
+      return import_cx_api3.VpcSubnetGroupType.ISOLATED;
+    case "Private" /* Private */:
+      return import_cx_api3.VpcSubnetGroupType.PRIVATE;
+    case "Public" /* Public */:
+      return import_cx_api3.VpcSubnetGroupType.PUBLIC;
+  }
+}
+function isValidSubnetType(val) {
+  return val === "Public" /* Public */ || val === "Private" /* Private */ || val === "Isolated" /* Isolated */;
+}
+function arraysEqual(as, bs) {
+  if (as.length !== bs.length) {
+    return false;
+  }
+  for (let i = 0; i < as.length; i++) {
+    if (as[i] !== bs[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+function findGroups(type, groups) {
+  return groups.groups.filter((g) => g.type === type);
+}
+function flatMap(xs, fn) {
+  const ret = new Array();
+  for (const x of xs) {
+    ret.push(...fn(x));
+  }
+  return ret;
+}
+function collapse(xs) {
+  if (xs.length > 0) {
+    return xs;
+  }
+  return void 0;
+}
+
+// lib/api/settings.ts
+var fs5 = __toESM(require("fs-extra"));
+
+// lib/api/notices.ts
+var path4 = __toESM(require("path"));
+var fs7 = __toESM(require("fs-extra"));
+var semver2 = __toESM(require("semver"));
+
+// lib/api/tree.ts
+var fs6 = __toESM(require("fs-extra"));
+
+// lib/api/notices.ts
+var CACHE_FILE_PATH = path4.join(cdkCacheDir(), "notices.json");
+var TIME_TO_LIVE_SUCCESS = 60 * 60 * 1e3;
+var TIME_TO_LIVE_ERROR = 1 * 60 * 1e3;
+
+// lib/api/toolkit-info.ts
+var chalk4 = __toESM(require("chalk"));
+
+// lib/api/deployments/cfn-api.ts
+var cxapi = __toESM(require("@aws-cdk/cx-api"));
+var import_cx_api5 = require("@aws-cdk/cx-api");
+var import_client_cloudformation3 = require("@aws-sdk/client-cloudformation");
+var import_cdk_assets2 = require("cdk-assets");
+
+// lib/api/deployments/asset-manifest-builder.ts
+var cxschema = __toESM(require("@aws-cdk/cloud-assembly-schema"));
+var import_cdk_assets = require("cdk-assets");
+
+// lib/api/cloudformation/template-body-parameter.ts
+var import_cx_api4 = require("@aws-cdk/cx-api");
+var import_client_s32 = require("@aws-sdk/client-s3");
+var import_middleware_endpoint2 = require("@smithy/middleware-endpoint");
+var chalk3 = __toESM(require("chalk"));
+
+// lib/api/cloudformation/nested-stack-helpers.ts
+var fs8 = __toESM(require("fs-extra"));
+
+// lib/api/stack-events/stack-activity-monitor.ts
+var uuid = __toESM(require("uuid"));
+
+// lib/api/stack-events/stack-status.ts
+var import_client_cloudformation2 = require("@aws-sdk/client-cloudformation");
+
+// lib/api/environment/placeholders.ts
+var import_cx_api6 = require("@aws-cdk/cx-api");
+
+// lib/context-providers/index.ts
+var availableContextProviders = {
+  [cxschema2.ContextProvider.AVAILABILITY_ZONE_PROVIDER]: (s, io) => new AZContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.SSM_PARAMETER_PROVIDER]: (s, io) => new SSMContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.HOSTED_ZONE_PROVIDER]: (s, io) => new HostedZoneContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.VPC_PROVIDER]: (s, io) => new VpcNetworkContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.AMI_PROVIDER]: (s, io) => new AmiContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.ENDPOINT_SERVICE_AVAILABILITY_ZONE_PROVIDER]: (s, io) => new EndpointServiceAZContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.SECURITY_GROUP_PROVIDER]: (s) => new SecurityGroupContextProviderPlugin(s),
+  [cxschema2.ContextProvider.LOAD_BALANCER_PROVIDER]: (s) => new LoadBalancerContextProviderPlugin(s),
+  [cxschema2.ContextProvider.LOAD_BALANCER_LISTENER_PROVIDER]: (s) => new LoadBalancerListenerContextProviderPlugin(s),
+  [cxschema2.ContextProvider.KEY_PROVIDER]: (s, io) => new KeyContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.CC_API_PROVIDER]: (s) => new CcApiContextProviderPlugin(s)
+};
+
+// lib/api/cloud-assembly/private/stack-assembly.ts
+var import_semver = require("semver");
+
+// lib/api/cloud-assembly/stack-assembly.ts
+var chalk5 = __toESM(require("chalk"));
+var import_minimatch = require("minimatch");
+
+// lib/api/cloud-assembly/stack-collection.ts
+var import_cx_api7 = require("@aws-cdk/cx-api");
+
+// lib/api/cloud-assembly/private/exec.ts
+var split = require("split2");
+
+// lib/api/cloud-assembly/private/prepare-source.ts
+var cxschema3 = __toESM(require("@aws-cdk/cloud-assembly-schema"));
+var cxapi4 = __toESM(require("@aws-cdk/cx-api"));
+var fs10 = __toESM(require("fs-extra"));
+var import_semver2 = require("semver");
+
+// lib/api/cloud-assembly/environment.ts
+var cxapi3 = __toESM(require("@aws-cdk/cx-api"));
+var fs9 = __toESM(require("fs-extra"));
+
+// lib/api/cloud-assembly/private/source-builder.ts
+var cxapi5 = __toESM(require("@aws-cdk/cx-api"));
+var fs11 = __toESM(require("fs-extra"));
+
+// lib/api/cloud-assembly/private/stack-selectors.ts
+var ALL_STACKS = {
+  strategy: "all-stacks" /* ALL_STACKS */
+};
+
+// lib/api/io/private/span.ts
+var util = __toESM(require("node:util"));
+var uuid2 = __toESM(require("uuid"));
+var SpanMaker = class {
+  definition;
+  ioHelper;
+  constructor(ioHelper, definition) {
+    this.definition = definition;
+    this.ioHelper = ioHelper;
+  }
+  async begin(a, b) {
+    const spanId = uuid2.v4();
+    const startTime = (/* @__PURE__ */ new Date()).getTime();
+    const notify = (msg) => {
+      return this.ioHelper.notify(withSpanId(spanId, msg));
+    };
+    const startInput = parseArgs(a, b);
+    const startMsg = startInput.message ?? `Starting ${this.definition.name} ...`;
+    const startPayload = startInput.payload;
+    await notify(this.definition.start.msg(
+      startMsg,
+      startPayload
+    ));
+    const timingMsgTemplate = "\n\u2728  %s time: %ds\n";
+    const time = () => {
+      const elapsedTime = (/* @__PURE__ */ new Date()).getTime() - startTime;
+      return {
+        asMs: elapsedTime,
+        asSec: formatTime(elapsedTime)
+      };
+    };
+    return {
+      elapsedTime: async () => {
+        return time();
+      },
+      notify: async (msg) => {
+        await notify(msg);
+      },
+      timing: async (maker, message2) => {
+        const duration = time();
+        const timingMsg = message2 ? message2 : util.format(timingMsgTemplate, this.definition.name, duration.asSec);
+        await notify(maker.msg(timingMsg, {
+          duration: duration.asMs
+        }));
+        return duration;
+      },
+      end: async (x, y) => {
+        const duration = time();
+        const endInput = parseArgs(x, y);
+        const endMsg = endInput.message ?? util.format(timingMsgTemplate, this.definition.name, duration.asSec);
+        const endPayload = endInput.payload;
+        await notify(this.definition.end.msg(
+          endMsg,
+          {
+            duration: duration.asMs,
+            ...endPayload
+          }
+        ));
+        return duration;
+      }
+    };
+  }
+};
+function parseArgs(first, second) {
+  const firstIsMessage = typeof first === "string";
+  const message2 = firstIsMessage || second ? first : void 0;
+  const payload = firstIsMessage || second ? second : first;
+  return {
+    message: message2,
+    payload
+  };
+}
+function withSpanId(span, message2) {
+  return {
+    ...message2,
+    span
+  };
+}
+
+// lib/api/io/private/io-helper.ts
+var IoHelper = class _IoHelper {
+  static fromIoHost(ioHost, action) {
+    return new _IoHelper(ioHost, action);
+  }
+  ioHost;
+  action;
+  constructor(ioHost, action) {
+    this.ioHost = ioHost;
+    this.action = action;
+  }
+  /**
+   * Forward a message to the IoHost, while injection the current action
+   */
+  notify(msg) {
+    return this.ioHost.notify({
+      ...msg,
+      action: this.action
+    });
+  }
+  /**
+   * Forward a request to the IoHost, while injection the current action
+   */
+  requestResponse(msg) {
+    return this.ioHost.requestResponse({
+      ...msg,
+      action: this.action
+    });
+  }
+  /**
+   * Create a new marker from a given registry entry
+   */
+  span(definition) {
+    return new SpanMaker(this, definition);
+  }
+};
+
+// lib/api/io/private/level-priority.ts
+var levels = [
+  "trace",
+  "debug",
+  "info",
+  "warn",
+  "result",
+  "error"
+];
+var orderedLevels = Object.fromEntries(Object.entries(levels).map((a) => a.reverse()));
+
+// lib/api/io/private/message-maker.ts
+function message(level, details) {
+  const maker = (text, data) => ({
+    time: /* @__PURE__ */ new Date(),
+    level,
+    code: details.code,
+    message: text,
+    data
+  });
+  return {
+    ...details,
+    level,
+    msg: maker,
+    is: (m) => m.code === details.code
+  };
+}
+var trace = (details) => message("trace", details);
+var debug = (details) => message("debug", details);
+var info = (details) => message("info", details);
+var warn = (details) => message("warn", details);
+var error = (details) => message("error", details);
+var result = (details) => message("result", details);
+function request(level, details) {
+  const maker = (text, data) => ({
+    time: /* @__PURE__ */ new Date(),
+    level,
+    code: details.code,
+    message: text,
+    data,
+    defaultResponse: details.defaultResponse
+  });
+  return {
+    ...details,
+    level,
+    req: maker
+  };
+}
+var confirm = (details) => request("info", {
+  ...details,
+  defaultResponse: true
+});
+
+// lib/api/io/private/messages.ts
+var IO = {
+  // Defaults (0000)
+  DEFAULT_TOOLKIT_INFO: info({
+    code: "CDK_TOOLKIT_I0000",
+    description: "Default info messages emitted from the Toolkit"
+  }),
+  DEFAULT_TOOLKIT_DEBUG: debug({
+    code: "CDK_TOOLKIT_I0000",
+    description: "Default debug messages emitted from the Toolkit"
+  }),
+  DEFAULT_TOOLKIT_WARN: warn({
+    code: "CDK_TOOLKIT_W0000",
+    description: "Default warning messages emitted from the Toolkit"
+  }),
+  DEFAULT_TOOLKIT_ERROR: error({
+    code: "CDK_TOOLKIT_E0000",
+    description: "Default error messages emitted from the Toolkit"
+  }),
+  DEFAULT_TOOLKIT_TRACE: trace({
+    code: "CDK_TOOLKIT_I0000",
+    description: "Default trace messages emitted from the Toolkit"
+  }),
+  // warnings & errors
+  CDK_TOOLKIT_W0100: warn({
+    code: "CDK_TOOLKIT_W0100",
+    description: "Credential plugin warnings"
+  }),
+  // 1: Synth (1xxx)
+  CDK_TOOLKIT_I1000: info({
+    code: "CDK_TOOLKIT_I1000",
+    description: "Provides synthesis times.",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_I1001: trace({
+    code: "CDK_TOOLKIT_I1001",
+    description: "Cloud Assembly synthesis is starting",
+    interface: "StackSelectionDetails"
+  }),
+  CDK_TOOLKIT_I1901: result({
+    code: "CDK_TOOLKIT_I1901",
+    description: "Provides stack data",
+    interface: "StackAndAssemblyData"
+  }),
+  CDK_TOOLKIT_I1902: result({
+    code: "CDK_TOOLKIT_I1902",
+    description: "Successfully deployed stacks",
+    interface: "AssemblyData"
+  }),
+  // 2: List (2xxx)
+  CDK_TOOLKIT_I2901: result({
+    code: "CDK_TOOLKIT_I2901",
+    description: "Provides details on the selected stacks and their dependencies",
+    interface: "StackDetailsPayload"
+  }),
+  // 3: Import & Migrate
+  CDK_TOOLKIT_E3900: error({
+    code: "CDK_TOOLKIT_E3900",
+    description: "Resource import failed",
+    interface: "ErrorPayload"
+  }),
+  // 4: Diff (4xxx)
+  CDK_TOOLKIT_I4000: trace({
+    code: "CDK_TOOLKIT_I4000",
+    description: "Diff stacks is starting",
+    interface: "StackSelectionDetails"
+  }),
+  CDK_TOOLKIT_I4001: info({
+    code: "CDK_TOOLKIT_I4001",
+    description: "Output of the diff command",
+    interface: "DiffResult"
+  }),
+  // 5: Deploy & Watch (5xxx)
+  CDK_TOOLKIT_I5000: info({
+    code: "CDK_TOOLKIT_I5000",
+    description: "Provides deployment times",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_I5001: info({
+    code: "CDK_TOOLKIT_I5001",
+    description: "Provides total time in deploy action, including synth and rollback",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_I5002: info({
+    code: "CDK_TOOLKIT_I5002",
+    description: "Provides time for resource migration",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_W5021: warn({
+    code: "CDK_TOOLKIT_W5021",
+    description: "Empty non-existent stack, deployment is skipped"
+  }),
+  CDK_TOOLKIT_W5022: warn({
+    code: "CDK_TOOLKIT_W5022",
+    description: "Empty existing stack, stack will be destroyed"
+  }),
+  CDK_TOOLKIT_I5031: info({
+    code: "CDK_TOOLKIT_I5031",
+    description: "Informs about any log groups that are traced as part of the deployment"
+  }),
+  CDK_TOOLKIT_I5032: debug({
+    code: "CDK_TOOLKIT_I5032",
+    description: "Start monitoring log groups",
+    interface: "CloudWatchLogMonitorControlEvent"
+  }),
+  CDK_TOOLKIT_I5033: info({
+    code: "CDK_TOOLKIT_I5033",
+    description: "A log event received from Cloud Watch",
+    interface: "CloudWatchLogEvent"
+  }),
+  CDK_TOOLKIT_I5034: debug({
+    code: "CDK_TOOLKIT_I5034",
+    description: "Stop monitoring log groups",
+    interface: "CloudWatchLogMonitorControlEvent"
+  }),
+  CDK_TOOLKIT_E5035: error({
+    code: "CDK_TOOLKIT_E5035",
+    description: "A log monitoring error",
+    interface: "ErrorPayload"
+  }),
+  CDK_TOOLKIT_I5050: confirm({
+    code: "CDK_TOOLKIT_I5050",
+    description: "Confirm rollback during deployment",
+    interface: "ConfirmationRequest"
+  }),
+  CDK_TOOLKIT_I5060: confirm({
+    code: "CDK_TOOLKIT_I5060",
+    description: "Confirm deploy security sensitive changes",
+    interface: "DeployConfirmationRequest"
+  }),
+  CDK_TOOLKIT_I5100: info({
+    code: "CDK_TOOLKIT_I5100",
+    description: "Stack deploy progress",
+    interface: "StackDeployProgress"
+  }),
+  // Assets (52xx)
+  CDK_TOOLKIT_I5210: trace({
+    code: "CDK_TOOLKIT_I5210",
+    description: "Started building a specific asset",
+    interface: "BuildAsset"
+  }),
+  CDK_TOOLKIT_I5211: trace({
+    code: "CDK_TOOLKIT_I5211",
+    description: "Building the asset has completed",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_I5220: trace({
+    code: "CDK_TOOLKIT_I5220",
+    description: "Started publishing a specific asset",
+    interface: "PublishAsset"
+  }),
+  CDK_TOOLKIT_I5221: trace({
+    code: "CDK_TOOLKIT_I5221",
+    description: "Publishing the asset has completed",
+    interface: "Duration"
+  }),
+  // Watch (53xx)
+  CDK_TOOLKIT_I5310: debug({
+    code: "CDK_TOOLKIT_I5310",
+    description: "The computed settings used for file watching",
+    interface: "WatchSettings"
+  }),
+  CDK_TOOLKIT_I5311: info({
+    code: "CDK_TOOLKIT_I5311",
+    description: "File watching started",
+    interface: "FileWatchEvent"
+  }),
+  CDK_TOOLKIT_I5312: info({
+    code: "CDK_TOOLKIT_I5312",
+    description: "File event detected, starting deployment",
+    interface: "FileWatchEvent"
+  }),
+  CDK_TOOLKIT_I5313: info({
+    code: "CDK_TOOLKIT_I5313",
+    description: "File event detected during active deployment, changes are queued",
+    interface: "FileWatchEvent"
+  }),
+  CDK_TOOLKIT_I5314: info({
+    code: "CDK_TOOLKIT_I5314",
+    description: "Initial watch deployment started"
+  }),
+  CDK_TOOLKIT_I5315: info({
+    code: "CDK_TOOLKIT_I5315",
+    description: "Queued watch deployment started"
+  }),
+  // Hotswap (54xx)
+  CDK_TOOLKIT_I5400: trace({
+    code: "CDK_TOOLKIT_I5400",
+    description: "Attempting a hotswap deployment",
+    interface: "HotswapDeploymentAttempt"
+  }),
+  CDK_TOOLKIT_I5401: trace({
+    code: "CDK_TOOLKIT_I5401",
+    description: "Computed details for the hotswap deployment",
+    interface: "HotswapDeploymentDetails"
+  }),
+  CDK_TOOLKIT_I5402: info({
+    code: "CDK_TOOLKIT_I5402",
+    description: "A hotswappable change is processed as part of a hotswap deployment",
+    interface: "HotswappableChange"
+  }),
+  CDK_TOOLKIT_I5403: info({
+    code: "CDK_TOOLKIT_I5403",
+    description: "The hotswappable change has completed processing",
+    interface: "HotswappableChange"
+  }),
+  CDK_TOOLKIT_I5410: info({
+    code: "CDK_TOOLKIT_I5410",
+    description: "Hotswap deployment has ended, a full deployment might still follow if needed",
+    interface: "HotswapResult"
+  }),
+  // Stack Monitor (55xx)
+  CDK_TOOLKIT_I5501: info({
+    code: "CDK_TOOLKIT_I5501",
+    description: "Stack Monitoring: Start monitoring of a single stack",
+    interface: "StackMonitoringControlEvent"
+  }),
+  CDK_TOOLKIT_I5502: info({
+    code: "CDK_TOOLKIT_I5502",
+    description: "Stack Monitoring: Activity event for a single stack",
+    interface: "StackActivity"
+  }),
+  CDK_TOOLKIT_I5503: info({
+    code: "CDK_TOOLKIT_I5503",
+    description: "Stack Monitoring: Finished monitoring of a single stack",
+    interface: "StackMonitoringControlEvent"
+  }),
+  // Success (59xx)
+  CDK_TOOLKIT_I5900: result({
+    code: "CDK_TOOLKIT_I5900",
+    description: "Deployment results on success",
+    interface: "SuccessfulDeployStackResult"
+  }),
+  CDK_TOOLKIT_I5901: info({
+    code: "CDK_TOOLKIT_I5901",
+    description: "Generic deployment success messages"
+  }),
+  CDK_TOOLKIT_W5400: warn({
+    code: "CDK_TOOLKIT_W5400",
+    description: "Hotswap disclosure message"
+  }),
+  CDK_TOOLKIT_E5001: error({
+    code: "CDK_TOOLKIT_E5001",
+    description: "No stacks found"
+  }),
+  CDK_TOOLKIT_E5500: error({
+    code: "CDK_TOOLKIT_E5500",
+    description: "Stack Monitoring error",
+    interface: "ErrorPayload"
+  }),
+  // 6: Rollback (6xxx)
+  CDK_TOOLKIT_I6000: info({
+    code: "CDK_TOOLKIT_I6000",
+    description: "Provides rollback times",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_I6100: info({
+    code: "CDK_TOOLKIT_I6100",
+    description: "Stack rollback progress",
+    interface: "StackRollbackProgress"
+  }),
+  CDK_TOOLKIT_E6001: error({
+    code: "CDK_TOOLKIT_E6001",
+    description: "No stacks found"
+  }),
+  CDK_TOOLKIT_E6900: error({
+    code: "CDK_TOOLKIT_E6900",
+    description: "Rollback failed",
+    interface: "ErrorPayload"
+  }),
+  // 7: Destroy (7xxx)
+  CDK_TOOLKIT_I7000: info({
+    code: "CDK_TOOLKIT_I7000",
+    description: "Provides destroy times",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_I7001: trace({
+    code: "CDK_TOOLKIT_I7001",
+    description: "Provides destroy time for a single stack",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_I7010: confirm({
+    code: "CDK_TOOLKIT_I7010",
+    description: "Confirm destroy stacks",
+    interface: "ConfirmationRequest"
+  }),
+  CDK_TOOLKIT_I7100: info({
+    code: "CDK_TOOLKIT_I7100",
+    description: "Stack destroy progress",
+    interface: "StackDestroyProgress"
+  }),
+  CDK_TOOLKIT_I7101: trace({
+    code: "CDK_TOOLKIT_I7101",
+    description: "Start stack destroying",
+    interface: "StackDestroy"
+  }),
+  CDK_TOOLKIT_I7900: result({
+    code: "CDK_TOOLKIT_I7900",
+    description: "Stack deletion succeeded",
+    interface: "cxapi.CloudFormationStackArtifact"
+  }),
+  CDK_TOOLKIT_E7010: error({
+    code: "CDK_TOOLKIT_E7010",
+    description: "Action was aborted due to negative confirmation of request"
+  }),
+  CDK_TOOLKIT_E7900: error({
+    code: "CDK_TOOLKIT_E7900",
+    description: "Stack deletion failed",
+    interface: "ErrorPayload"
+  }),
+  // 8. Refactor (8xxx)
+  CDK_TOOLKIT_I8900: result({
+    code: "CDK_TOOLKIT_I8900",
+    description: "Refactor result",
+    interface: "RefactorResult"
+  }),
+  CDK_TOOLKIT_W8010: warn({
+    code: "CDK_TOOLKIT_W8010",
+    description: "Refactor execution not yet supported"
+  }),
+  // 9: Bootstrap (9xxx)
+  CDK_TOOLKIT_I9000: info({
+    code: "CDK_TOOLKIT_I9000",
+    description: "Provides bootstrap times",
+    interface: "Duration"
+  }),
+  CDK_TOOLKIT_I9100: info({
+    code: "CDK_TOOLKIT_I9100",
+    description: "Bootstrap progress",
+    interface: "BootstrapEnvironmentProgress"
+  }),
+  CDK_TOOLKIT_I9900: result({
+    code: "CDK_TOOLKIT_I9900",
+    description: "Bootstrap results on success",
+    interface: "cxapi.Environment"
+  }),
+  CDK_TOOLKIT_E9900: error({
+    code: "CDK_TOOLKIT_E9900",
+    description: "Bootstrap failed",
+    interface: "ErrorPayload"
+  }),
+  // Notices
+  CDK_TOOLKIT_I0100: info({
+    code: "CDK_TOOLKIT_I0100",
+    description: "Notices decoration (the header or footer of a list of notices)"
+  }),
+  CDK_TOOLKIT_W0101: warn({
+    code: "CDK_TOOLKIT_W0101",
+    description: "A notice that is marked as a warning"
+  }),
+  CDK_TOOLKIT_E0101: error({
+    code: "CDK_TOOLKIT_E0101",
+    description: "A notice that is marked as an error"
+  }),
+  CDK_TOOLKIT_I0101: info({
+    code: "CDK_TOOLKIT_I0101",
+    description: "A notice that is marked as informational"
+  }),
+  // Assembly codes
+  DEFAULT_ASSEMBLY_TRACE: trace({
+    code: "CDK_ASSEMBLY_I0000",
+    description: "Default trace messages emitted from Cloud Assembly operations"
+  }),
+  DEFAULT_ASSEMBLY_DEBUG: debug({
+    code: "CDK_ASSEMBLY_I0000",
+    description: "Default debug messages emitted from Cloud Assembly operations"
+  }),
+  DEFAULT_ASSEMBLY_INFO: info({
+    code: "CDK_ASSEMBLY_I0000",
+    description: "Default info messages emitted from Cloud Assembly operations"
+  }),
+  DEFAULT_ASSEMBLY_WARN: warn({
+    code: "CDK_ASSEMBLY_W0000",
+    description: "Default warning messages emitted from Cloud Assembly operations"
+  }),
+  CDK_ASSEMBLY_I0010: debug({
+    code: "CDK_ASSEMBLY_I0010",
+    description: "Generic environment preparation debug messages"
+  }),
+  CDK_ASSEMBLY_W0010: warn({
+    code: "CDK_ASSEMBLY_W0010",
+    description: "Emitted if the found framework version does not support context overflow"
+  }),
+  CDK_ASSEMBLY_I0042: debug({
+    code: "CDK_ASSEMBLY_I0042",
+    description: "Writing updated context",
+    interface: "UpdatedContext"
+  }),
+  CDK_ASSEMBLY_I0240: debug({
+    code: "CDK_ASSEMBLY_I0240",
+    description: "Context lookup was stopped as no further progress was made. ",
+    interface: "MissingContext"
+  }),
+  CDK_ASSEMBLY_I0241: debug({
+    code: "CDK_ASSEMBLY_I0241",
+    description: "Fetching missing context. This is an iterative message that may appear multiple times with different missing keys.",
+    interface: "MissingContext"
+  }),
+  CDK_ASSEMBLY_I1000: debug({
+    code: "CDK_ASSEMBLY_I1000",
+    description: "Cloud assembly output starts"
+  }),
+  CDK_ASSEMBLY_I1001: info({
+    code: "CDK_ASSEMBLY_I1001",
+    description: "Output lines emitted by the cloud assembly to stdout"
+  }),
+  CDK_ASSEMBLY_E1002: error({
+    code: "CDK_ASSEMBLY_E1002",
+    description: "Output lines emitted by the cloud assembly to stderr"
+  }),
+  CDK_ASSEMBLY_I1003: info({
+    code: "CDK_ASSEMBLY_I1003",
+    description: "Cloud assembly output finished"
+  }),
+  CDK_ASSEMBLY_E1111: error({
+    code: "CDK_ASSEMBLY_E1111",
+    description: "Incompatible CDK CLI version. Upgrade needed.",
+    interface: "ErrorPayload"
+  }),
+  CDK_ASSEMBLY_I0150: debug({
+    code: "CDK_ASSEMBLY_I0150",
+    description: "Indicates the use of a pre-synthesized cloud assembly directory"
+  }),
+  CDK_ASSEMBLY_I0300: info({
+    code: "CDK_ASSEMBLY_I0300",
+    description: "An info message emitted by a Context Provider",
+    interface: "ContextProviderMessageSource"
+  }),
+  CDK_ASSEMBLY_I0301: debug({
+    code: "CDK_ASSEMBLY_I0301",
+    description: "A debug message emitted by a Context Provider",
+    interface: "ContextProviderMessageSource"
+  }),
+  // Assembly Annotations
+  CDK_ASSEMBLY_I9999: info({
+    code: "CDK_ASSEMBLY_I9999",
+    description: "Annotations emitted by the cloud assembly",
+    interface: "cxapi.SynthesisMessage"
+  }),
+  CDK_ASSEMBLY_W9999: warn({
+    code: "CDK_ASSEMBLY_W9999",
+    description: "Warnings emitted by the cloud assembly",
+    interface: "cxapi.SynthesisMessage"
+  }),
+  CDK_ASSEMBLY_E9999: error({
+    code: "CDK_ASSEMBLY_E9999",
+    description: "Errors emitted by the cloud assembly",
+    interface: "cxapi.SynthesisMessage"
+  }),
+  // SDK codes
+  DEFAULT_SDK_TRACE: trace({
+    code: "CDK_SDK_I0000",
+    description: "An SDK trace message."
+  }),
+  DEFAULT_SDK_DEBUG: debug({
+    code: "CDK_SDK_I0000",
+    description: "An SDK debug message."
+  }),
+  DEFAULT_SDK_WARN: warn({
+    code: "CDK_SDK_W0000",
+    description: "An SDK warning message."
+  }),
+  CDK_SDK_I0100: trace({
+    code: "CDK_SDK_I0100",
+    description: "An SDK trace. SDK traces are emitted as traces to the IoHost, but contain the original SDK logging level.",
+    interface: "SdkTrace"
+  })
+};
+var SPAN = {
+  SYNTH_ASSEMBLY: {
+    name: "Synthesis",
+    start: IO.CDK_TOOLKIT_I1001,
+    end: IO.CDK_TOOLKIT_I1000
+  },
+  DEPLOY_STACK: {
+    name: "Deployment",
+    start: IO.CDK_TOOLKIT_I5100,
+    end: IO.CDK_TOOLKIT_I5001
+  },
+  ROLLBACK_STACK: {
+    name: "Rollback",
+    start: IO.CDK_TOOLKIT_I6100,
+    end: IO.CDK_TOOLKIT_I6000
+  },
+  DIFF_STACK: {
+    name: "Diff",
+    start: IO.CDK_TOOLKIT_I4000,
+    end: IO.CDK_TOOLKIT_I4001
+  },
+  DESTROY_STACK: {
+    name: "Destroy",
+    start: IO.CDK_TOOLKIT_I7100,
+    end: IO.CDK_TOOLKIT_I7001
+  },
+  DESTROY_ACTION: {
+    name: "Destroy",
+    start: IO.CDK_TOOLKIT_I7101,
+    end: IO.CDK_TOOLKIT_I7000
+  },
+  BOOTSTRAP_SINGLE: {
+    name: "Bootstrap",
+    start: IO.CDK_TOOLKIT_I9100,
+    end: IO.CDK_TOOLKIT_I9000
+  },
+  BUILD_ASSET: {
+    name: "Build Asset",
+    start: IO.CDK_TOOLKIT_I5210,
+    end: IO.CDK_TOOLKIT_I5211
+  },
+  PUBLISH_ASSET: {
+    name: "Publish Asset",
+    start: IO.CDK_TOOLKIT_I5220,
+    end: IO.CDK_TOOLKIT_I5221
+  },
+  HOTSWAP: {
+    name: "hotswap-deployment",
+    start: IO.CDK_TOOLKIT_I5400,
+    end: IO.CDK_TOOLKIT_I5410
+  }
+};
+
+// lib/api/io/private/io-default-messages.ts
+var util2 = __toESM(require("util"));
+var IoDefaultMessages = class {
+  constructor(ioHelper) {
+    this.ioHelper = ioHelper;
+  }
+  notify(msg) {
+    return this.ioHelper.notify(msg);
+  }
+  requestResponse(msg) {
+    return this.ioHelper.requestResponse(msg);
+  }
+  error(input, ...args) {
+    this.emitMessage(IO.DEFAULT_TOOLKIT_ERROR, input, ...args);
+  }
+  warn(input, ...args) {
+    this.emitMessage(IO.DEFAULT_TOOLKIT_WARN, input, ...args);
+  }
+  warning(input, ...args) {
+    this.emitMessage(IO.DEFAULT_TOOLKIT_WARN, input, ...args);
+  }
+  info(input, ...args) {
+    this.emitMessage(IO.DEFAULT_TOOLKIT_INFO, input, ...args);
+  }
+  debug(input, ...args) {
+    this.emitMessage(IO.DEFAULT_TOOLKIT_DEBUG, input, ...args);
+  }
+  trace(input, ...args) {
+    this.emitMessage(IO.DEFAULT_TOOLKIT_TRACE, input, ...args);
+  }
+  result(input, ...args) {
+    const message2 = args.length > 0 ? util2.format(input, ...args) : input;
+    void this.ioHelper.notify({
+      time: /* @__PURE__ */ new Date(),
+      code: IO.DEFAULT_TOOLKIT_INFO.code,
+      level: "result",
+      message: message2,
+      data: void 0
+    });
+  }
+  emitMessage(maker, input, ...args) {
+    const message2 = args.length > 0 ? util2.format(input, ...args) : input;
+    void this.ioHelper.notify(maker.msg(message2));
+  }
+};
+
+// lib/api/plugin/plugin.ts
+var PluginHost = class {
+  /**
+   * Access the currently registered CredentialProviderSources. New sources can
+   * be registered using the +registerCredentialProviderSource+ method.
+   */
+  credentialProviderSources = new Array();
+  contextProviderPlugins = {};
+  ioHost;
+  alreadyLoaded = /* @__PURE__ */ new Set();
+  /**
+   * Loads a plug-in into this PluginHost.
+   *
+   * Will use `require.resolve()` to get the most accurate representation of what
+   * code will get loaded in error messages. As such, it will not work in
+   * unit tests with Jest virtual modules becauase of <https://github.com/jestjs/jest/issues/9543>.
+   *
+   * @param moduleSpec the specification (path or name) of the plug-in module to be loaded.
+   * @param ioHost the I/O host to use for printing progress information
+   */
+  load(moduleSpec, ioHost) {
+    try {
+      const resolved = require.resolve(moduleSpec);
+      if (ioHost) {
+        new IoDefaultMessages(IoHelper.fromIoHost(ioHost, "init")).debug(`Loading plug-in: ${resolved} from ${moduleSpec}`);
+      }
+      return this._doLoad(resolved);
+    } catch (e) {
+      throw new ToolkitError(`Unable to resolve plug-in: Cannot find module '${moduleSpec}': ${e}`);
+    }
+  }
+  /**
+   * Do the loading given an already-resolved module name
+   *
+   * @internal
+   */
+  _doLoad(resolved) {
+    try {
+      if (this.alreadyLoaded.has(resolved)) {
+        return;
+      }
+      const plugin = require(resolved);
+      if (!isPlugin(plugin)) {
+        throw new ToolkitError(`Module ${resolved} is not a valid plug-in, or has an unsupported version.`);
+      }
+      if (plugin.init) {
+        plugin.init(this);
+      }
+      this.alreadyLoaded.add(resolved);
+    } catch (e) {
+      throw ToolkitError.withCause(`Unable to load plug-in '${resolved}'`, e);
+    }
+    function isPlugin(x) {
+      return x != null && x.version === "1";
+    }
+  }
+  /**
+   * Allows plug-ins to register new CredentialProviderSources.
+   *
+   * @param source a new CredentialProviderSource to register.
+   */
+  registerCredentialProviderSource(source) {
+    this.credentialProviderSources.push(source);
+  }
+  /**
+   * (EXPERIMENTAL) Allow plugins to register context providers
+   *
+   * Context providers are objects with the following method:
+   *
+   * ```ts
+   *   getValue(args: {[key: string]: any}): Promise<any>;
+   * ```
+   *
+   * Currently, they cannot reuse the CDK's authentication mechanisms, so they
+   * must be prepared to either not make AWS calls or use their own source of
+   * AWS credentials.
+   *
+   * This feature is experimental, and only intended to be used internally at Amazon
+   * as a trial.
+   *
+   * After registering with 'my-plugin-name', the provider must be addressed as follows:
+   *
+   * ```ts
+   * const value = ContextProvider.getValue(this, {
+   *   providerName: 'plugin',
+   *   props: {
+   *     pluginName: 'my-plugin-name',
+   *     myParameter1: 'xyz',
+   *   },
+   *   includeEnvironment: true | false,
+   *   dummyValue: 'what-to-return-on-the-first-pass',
+   * })
+   * ```
+   *
+   * @experimental
+   */
+  registerContextProviderAlpha(pluginProviderName, provider) {
+    if (!isContextProviderPlugin(provider)) {
+      throw new ToolkitError(`Object you gave me does not look like a ContextProviderPlugin: ${(0, import_util27.inspect)(provider)}`);
+    }
+    this.contextProviderPlugins[pluginProviderName] = provider;
+  }
+};
+
+// lib/payloads/diff.ts
 var PermissionChangeType = /* @__PURE__ */ ((PermissionChangeType2) => {
   PermissionChangeType2["NONE"] = "none";
   PermissionChangeType2["BROADENING"] = "broadening";
@@ -156,7 +3244,7 @@ var PermissionChangeType = /* @__PURE__ */ ((PermissionChangeType2) => {
   return PermissionChangeType2;
 })(PermissionChangeType || {});
 
-// ../tmp-toolkit-helpers/src/payloads/hotswap.ts
+// lib/payloads/hotswap.ts
 var NonHotswappableReason = /* @__PURE__ */ ((NonHotswappableReason2) => {
   NonHotswappableReason2["TAGS"] = "tags";
   NonHotswappableReason2["PROPERTIES"] = "properties";
@@ -173,9 +3261,11 @@ var NonHotswappableReason = /* @__PURE__ */ ((NonHotswappableReason2) => {
 0 && (module.exports = {
   AssemblyError,
   AuthenticationError,
+  ContextProviderError,
   ExpandStackSelection,
   NonHotswappableReason,
   PermissionChangeType,
+  PluginHost,
   StackSelectionStrategy,
   ToolkitError
 });