@aws-cdk/toolkit-lib 0.3.2 → 0.3.3

package/lib/api/shared-public.js

@@ -26,12 +26,21 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __decorateClass = (decorators, target, key, kind) => {
+  var result2 = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result2 = (kind ? decorator(target, key, result2) : decorator(result2)) || result2;
+  if (kind && result2) __defProp(target, key, result2);
+  return result2;
+};
 
 // lib/api/shared-public.ts
 var shared_public_exports = {};
 __export(shared_public_exports, {
   AssemblyError: () => AssemblyError,
   AuthenticationError: () => AuthenticationError,
+  ContextProviderError: () => ContextProviderError,
   ExpandStackSelection: () => ExpandStackSelection,
   NonHotswappableReason: () => NonHotswappableReason,
   PermissionChangeType: () => PermissionChangeType,
@@ -41,7 +50,7 @@ __export(shared_public_exports, {
 });
 module.exports = __toCommonJS(shared_public_exports);
 
-// ../tmp-toolkit-helpers/src/api/toolkit-error.ts
+// lib/api/toolkit-error.ts
 var TOOLKIT_ERROR_SYMBOL = Symbol.for("@aws-cdk/toolkit-lib.ToolkitError");
 var AUTHENTICATION_ERROR_SYMBOL = Symbol.for("@aws-cdk/toolkit-lib.AuthenticationError");
 var ASSEMBLY_ERROR_SYMBOL = Symbol.for("@aws-cdk/toolkit-lib.AssemblyError");
@@ -141,8 +150,19 @@ var AssemblyError = class _AssemblyError extends ToolkitError {
     this.stacks = stacks;
   }
 };
+var ContextProviderError = class _ContextProviderError extends ToolkitError {
+  /**
+   * Denotes the source of the error as user.
+   */
+  source = "user";
+  constructor(message2) {
+    super(message2, "context-provider");
+    Object.setPrototypeOf(this, _ContextProviderError.prototype);
+    Object.defineProperty(this, CONTEXT_PROVIDER_ERROR_SYMBOL, { value: true });
+  }
+};
 
-// ../tmp-toolkit-helpers/src/api/cloud-assembly/stack-selector.ts
+// lib/api/cloud-assembly/stack-selector.ts
 var StackSelectionStrategy = /* @__PURE__ */ ((StackSelectionStrategy2) => {
   StackSelectionStrategy2["ALL_STACKS"] = "all-stacks";
   StackSelectionStrategy2["MAIN_ASSEMBLY"] = "main-assembly";
@@ -159,26 +179,94 @@ var ExpandStackSelection = /* @__PURE__ */ ((ExpandStackSelection2) => {
   return ExpandStackSelection2;
 })(ExpandStackSelection || {});
 
-// ../tmp-toolkit-helpers/src/api/plugin/plugin.ts
-var import_util2 = require("util");
+// lib/api/resource-metadata/resource-metadata.ts
+var import_cloud_assembly_schema = require("@aws-cdk/cloud-assembly-schema");
 
-// ../tmp-toolkit-helpers/src/api/plugin/context-provider-plugin.ts
+// lib/api/plugin/plugin.ts
+var import_util27 = require("util");
+
+// lib/api/plugin/context-provider-plugin.ts
 function isContextProviderPlugin(x) {
   return typeof x === "object" && !!x && !!x.getValue;
 }
 
-// ../tmp-toolkit-helpers/src/api/io/private/span.ts
-var util = __toESM(require("node:util"));
-var uuid = __toESM(require("uuid"));
-
-// ../tmp-toolkit-helpers/src/util/archive.ts
+// lib/util/archive.ts
 var glob = __toESM(require("glob"));
+
+// lib/util/format-error.ts
+function formatErrorMessage(error2) {
+  if (error2 && Array.isArray(error2.errors)) {
+    const innerMessages = error2.errors.map((innerError) => innerError?.message || innerError?.toString()).join("\n");
+    return `AggregateError: ${innerMessages}`;
+  }
+  return error2?.message || error2?.toString() || "Unknown error";
+}
+
+// lib/util/archive.ts
 var archiver = require("archiver");
 
-// ../tmp-toolkit-helpers/src/util/types.ts
+// lib/util/directories.ts
+var fs = __toESM(require("fs"));
+var os = __toESM(require("os"));
+var path = __toESM(require("path"));
+function cdkHomeDir() {
+  const tmpDir = fs.realpathSync(os.tmpdir());
+  let home;
+  try {
+    let userInfoHome = os.userInfo().homedir;
+    if (userInfoHome == "/var/empty") {
+      userInfoHome = void 0;
+    }
+    home = path.join((userInfoHome ?? os.homedir()).trim(), ".cdk");
+  } catch {
+  }
+  return process.env.CDK_HOME ? path.resolve(process.env.CDK_HOME) : home || fs.mkdtempSync(path.join(tmpDir, ".cdk")).trim();
+}
+function cdkCacheDir() {
+  return path.join(cdkHomeDir(), "cache");
+}
+function bundledPackageRootDir(start, fail) {
+  function _rootDir(dirname2) {
+    const manifestPath = path.join(dirname2, "package.json");
+    if (fs.existsSync(manifestPath)) {
+      return dirname2;
+    }
+    if (path.dirname(dirname2) === dirname2) {
+      if (fail ?? true) {
+        throw new ToolkitError("Unable to find package manifest");
+      }
+      return void 0;
+    }
+    return _rootDir(path.dirname(dirname2));
+  }
+  return _rootDir(start);
+}
+
+// lib/util/json.ts
+function getResultObj(jsonObject, identifier, propertiesToReturn) {
+  const propsObj = {};
+  propertiesToReturn.forEach((propName) => {
+    Object.assign(propsObj, { [propName]: findJsonValue(jsonObject, propName) });
+  });
+  Object.assign(propsObj, { ["Identifier"]: identifier });
+  return propsObj;
+}
+function findJsonValue(jsonObject, path5) {
+  const paths = path5.split(".");
+  let obj = jsonObject;
+  paths.forEach((p) => {
+    obj = obj[p];
+    if (obj === void 0) {
+      throw new TypeError(`Cannot read field ${path5}. ${p} is not found.`);
+    }
+  });
+  return obj;
+}
+
+// lib/util/types.ts
 var isArray = Array.isArray;
 
-// ../tmp-toolkit-helpers/src/util/yaml-cfn.ts
+// lib/util/yaml-cfn.ts
 var yaml = __toESM(require("yaml"));
 var yaml_types = __toESM(require("yaml/types"));
 function makeTagForCfnIntrinsic(intrinsicName, addFnPrefix) {
@@ -223,7 +311,7 @@ function parseYamlStrWithCfnTags(text) {
   });
 }
 
-// ../tmp-toolkit-helpers/src/util/string-manipulation.ts
+// lib/util/string-manipulation.ts
 function formatTime(num) {
   return roundPercentage(millisecondsToSeconds(num));
 }
@@ -234,10 +322,2083 @@ function millisecondsToSeconds(num) {
   return num / 1e3;
 }
 
-// ../tmp-toolkit-helpers/src/util/version-range.ts
+// lib/util/version-range.ts
 var semver = __toESM(require("semver"));
 
-// ../tmp-toolkit-helpers/src/api/io/private/span.ts
+// lib/private/dispose-polyfill.ts
+Symbol.dispose ??= Symbol("Symbol.dispose");
+Symbol.asyncDispose ??= Symbol("Symbol.asyncDispose");
+
+// lib/private/activity-printer/history.ts
+var chalk = __toESM(require("chalk"));
+
+// lib/private/activity-printer/current.ts
+var chalk2 = __toESM(require("chalk"));
+
+// lib/private/activity-printer/display.ts
+var wrapAnsi = require("wrap-ansi");
+
+// lib/private/activity-printer/current.ts
+var PROGRESSBAR_EXTRA_SPACE = 2 + 2 + 4 + 6;
+
+// lib/api/aws-auth/proxy-agent.ts
+var fs2 = __toESM(require("fs-extra"));
+var import_proxy_agent = require("proxy-agent");
+
+// lib/api/aws-auth/sdk.ts
+var import_client_appsync = require("@aws-sdk/client-appsync");
+var import_client_cloudcontrol = require("@aws-sdk/client-cloudcontrol");
+var import_client_cloudformation = require("@aws-sdk/client-cloudformation");
+var import_client_cloudwatch_logs = require("@aws-sdk/client-cloudwatch-logs");
+var import_client_codebuild = require("@aws-sdk/client-codebuild");
+var import_client_ec2 = require("@aws-sdk/client-ec2");
+var import_client_ecr = require("@aws-sdk/client-ecr");
+var import_client_ecs = require("@aws-sdk/client-ecs");
+var import_client_elastic_load_balancing_v2 = require("@aws-sdk/client-elastic-load-balancing-v2");
+var import_client_iam = require("@aws-sdk/client-iam");
+var import_client_kms = require("@aws-sdk/client-kms");
+var import_client_lambda = require("@aws-sdk/client-lambda");
+var import_client_route_53 = require("@aws-sdk/client-route-53");
+var import_client_s3 = require("@aws-sdk/client-s3");
+var import_client_secrets_manager = require("@aws-sdk/client-secrets-manager");
+var import_client_sfn = require("@aws-sdk/client-sfn");
+var import_client_ssm = require("@aws-sdk/client-ssm");
+var import_client_sts = require("@aws-sdk/client-sts");
+var import_lib_storage = require("@aws-sdk/lib-storage");
+var import_middleware_endpoint = require("@smithy/middleware-endpoint");
+var import_util_retry = require("@smithy/util-retry");
+
+// lib/api/aws-auth/account-cache.ts
+var path2 = __toESM(require("path"));
+var fs3 = __toESM(require("fs-extra"));
+var AccountAccessKeyCache = class _AccountAccessKeyCache {
+  /**
+   * Max number of entries in the cache, after which the cache will be reset.
+   */
+  static MAX_ENTRIES = 1e3;
+  /**
+   * The default path used for the accounts access key cache
+   */
+  static get DEFAULT_PATH() {
+    return path2.join(cdkCacheDir(), "accounts_partitions.json");
+  }
+  cacheFile;
+  debug;
+  /**
+   * @param filePath Path to the cache file
+   */
+  constructor(filePath = _AccountAccessKeyCache.DEFAULT_PATH, debugFn) {
+    this.cacheFile = filePath;
+    this.debug = debugFn;
+  }
+  /**
+   * Tries to fetch the account ID from cache. If it's not in the cache, invokes
+   * the resolver function which should retrieve the account ID and return it.
+   * Then, it will be stored into disk cache returned.
+   *
+   * Example:
+   *
+   *    const accountId = cache.fetch(accessKey, async () => {
+   *      return await fetchAccountIdFromSomewhere(accessKey);
+   *    });
+   */
+  async fetch(accessKeyId, resolver) {
+    const cached2 = await this.get(accessKeyId);
+    if (cached2) {
+      await this.debug(`Retrieved account ID ${cached2.accountId} from disk cache`);
+      return cached2;
+    }
+    const account = await resolver();
+    if (account) {
+      await this.put(accessKeyId, account);
+    }
+    return account;
+  }
+  /** Get the account ID from an access key or undefined if not in cache */
+  async get(accessKeyId) {
+    const map = await this.loadMap();
+    return map[accessKeyId];
+  }
+  /** Put a mapping between access key and account ID */
+  async put(accessKeyId, account) {
+    let map = await this.loadMap();
+    if (Object.keys(map).length >= _AccountAccessKeyCache.MAX_ENTRIES) {
+      map = {};
+    }
+    map[accessKeyId] = account;
+    await this.saveMap(map);
+  }
+  async loadMap() {
+    try {
+      return await fs3.readJson(this.cacheFile);
+    } catch (e) {
+      if (e.code === "ENOENT" || e.code === "EACCES") {
+        return {};
+      }
+      if (e instanceof SyntaxError) {
+        return {};
+      }
+      throw e;
+    }
+  }
+  async saveMap(map) {
+    try {
+      await fs3.ensureFile(this.cacheFile);
+      await fs3.writeJson(this.cacheFile, map, { spaces: 2 });
+    } catch (e) {
+      if (e.code === "ENOENT" || e.code === "EACCES" || e.code === "EROFS") {
+        return;
+      }
+      throw e;
+    }
+  }
+};
+
+// lib/api/aws-auth/cached.ts
+function cached(obj, sym, fn) {
+  if (!(sym in obj)) {
+    obj[sym] = fn();
+  }
+  return obj[sym];
+}
+async function cachedAsync(obj, sym, fn) {
+  if (!(sym in obj)) {
+    obj[sym] = await fn();
+  }
+  return obj[sym];
+}
+
+// lib/api/aws-auth/tracing.ts
+var ENABLED = false;
+var INDENT = 0;
+function callTrace(fn, className, logger) {
+  if (!ENABLED || !logger) {
+    return;
+  }
+  logger.info(`[trace] ${" ".repeat(INDENT)}${className || "(anonymous)"}#${fn}()`);
+}
+function traceCall(receiver, _propertyKey, descriptor, parentClassName) {
+  const fn = descriptor.value;
+  const className = typeof receiver === "function" ? receiver.name : parentClassName;
+  descriptor.value = function(...args) {
+    const logger = this.logger;
+    if (!ENABLED || typeof logger?.info !== "function") {
+      return fn.apply(this, args);
+    }
+    logger.info.apply(logger, [`[trace] ${" ".repeat(INDENT)}${className || this.constructor.name || "(anonymous)"}#${fn.name}()`]);
+    INDENT += 2;
+    const ret = fn.apply(this, args);
+    if (ret instanceof Promise) {
+      return ret.finally(() => {
+        INDENT -= 2;
+      });
+    } else {
+      INDENT -= 2;
+      return ret;
+    }
+  };
+  return descriptor;
+}
+function traceMemberMethods(constructor) {
+  for (const [name, descriptor] of Object.entries(Object.getOwnPropertyDescriptors(constructor.prototype))) {
+    if (typeof descriptor.value !== "function") {
+      continue;
+    }
+    const newDescriptor = traceCall(constructor.prototype, name, descriptor, constructor.name) ?? descriptor;
+    Object.defineProperty(constructor.prototype, name, newDescriptor);
+  }
+}
+
+// lib/api/aws-auth/user-agent.ts
+var path3 = __toESM(require("path"));
+
+// lib/api/aws-auth/util.ts
+var fs4 = __toESM(require("fs-extra"));
+function readIfPossible(filename) {
+  try {
+    if (!fs4.pathExistsSync(filename)) {
+      return void 0;
+    }
+    return fs4.readFileSync(filename, { encoding: "utf-8" });
+  } catch (e) {
+    return void 0;
+  }
+}
+
+// lib/api/aws-auth/user-agent.ts
+function defaultCliUserAgent() {
+  const root = bundledPackageRootDir(__dirname, false);
+  const pkg = JSON.parse((root ? readIfPossible(path3.join(root, "package.json")) : void 0) ?? "{}");
+  const name = pkg.name ?? path3.basename(process.argv[1] ?? "cdk-cli");
+  const version = pkg.version ?? "<unknown>";
+  return `${name}/${version}`;
+}
+
+// lib/api/aws-auth/sdk.ts
+var SDK = class {
+  constructor(credProvider, region, requestHandler, ioHelper, logger) {
+    this.credProvider = credProvider;
+    const debugFn = async (msg) => ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(msg));
+    this.accountCache = new AccountAccessKeyCache(AccountAccessKeyCache.DEFAULT_PATH, debugFn);
+    this.debug = debugFn;
+    this.config = {
+      region,
+      credentials: credProvider,
+      requestHandler,
+      retryStrategy: new import_util_retry.ConfiguredRetryStrategy(7, (attempt) => 300 * 2 ** attempt),
+      customUserAgent: defaultCliUserAgent(),
+      logger
+    };
+    this.logger = logger;
+    this.currentRegion = region;
+  }
+  currentRegion;
+  config;
+  logger;
+  accountCache;
+  /**
+   * STS is used to check credential validity, don't do too many retries.
+   */
+  stsRetryStrategy = new import_util_retry.ConfiguredRetryStrategy(3, (attempt) => 100 * 2 ** attempt);
+  /**
+   * Whether we have proof that the credentials have not expired
+   *
+   * We need to do some manual plumbing around this because the JS SDKv2 treats `ExpiredToken`
+   * as retriable and we have hefty retries on CFN calls making the CLI hang for a good 15 minutes
+   * if the credentials have expired.
+   */
+  _credentialsValidated = false;
+  /**
+   * A function to create debug messages
+   */
+  debug;
+  appendCustomUserAgent(userAgentData) {
+    if (!userAgentData) {
+      return;
+    }
+    const currentCustomUserAgent = this.config.customUserAgent;
+    this.config.customUserAgent = currentCustomUserAgent ? `${currentCustomUserAgent} ${userAgentData}` : userAgentData;
+  }
+  removeCustomUserAgent(userAgentData) {
+    this.config.customUserAgent = this.config.customUserAgent?.replace(userAgentData, "");
+  }
+  appsync() {
+    const client = new import_client_appsync.AppSyncClient(this.config);
+    return {
+      getSchemaCreationStatus: (input) => client.send(new import_client_appsync.GetSchemaCreationStatusCommand(input)),
+      startSchemaCreation: (input) => client.send(new import_client_appsync.StartSchemaCreationCommand(input)),
+      updateApiKey: (input) => client.send(new import_client_appsync.UpdateApiKeyCommand(input)),
+      updateFunction: (input) => client.send(new import_client_appsync.UpdateFunctionCommand(input)),
+      updateResolver: (input) => client.send(new import_client_appsync.UpdateResolverCommand(input)),
+      // Pagination Functions
+      listFunctions: async (input) => {
+        const functions = Array();
+        const paginator = (0, import_client_appsync.paginateListFunctions)({ client }, input);
+        for await (const page of paginator) {
+          functions.push(...page.functions || []);
+        }
+        return functions;
+      }
+    };
+  }
+  cloudControl() {
+    const client = new import_client_cloudcontrol.CloudControlClient(this.config);
+    return {
+      listResources: (input) => client.send(new import_client_cloudcontrol.ListResourcesCommand(input)),
+      getResource: (input) => client.send(new import_client_cloudcontrol.GetResourceCommand(input))
+    };
+  }
+  cloudFormation() {
+    const client = new import_client_cloudformation.CloudFormationClient({
+      ...this.config,
+      retryStrategy: new import_util_retry.ConfiguredRetryStrategy(11, (attempt) => 1e3 * 2 ** attempt)
+    });
+    return {
+      continueUpdateRollback: async (input) => client.send(new import_client_cloudformation.ContinueUpdateRollbackCommand(input)),
+      createChangeSet: (input) => client.send(new import_client_cloudformation.CreateChangeSetCommand(input)),
+      createGeneratedTemplate: (input) => client.send(new import_client_cloudformation.CreateGeneratedTemplateCommand(input)),
+      createStack: (input) => client.send(new import_client_cloudformation.CreateStackCommand(input)),
+      deleteChangeSet: (input) => client.send(new import_client_cloudformation.DeleteChangeSetCommand(input)),
+      deleteGeneratedTemplate: (input) => client.send(new import_client_cloudformation.DeleteGeneratedTemplateCommand(input)),
+      deleteStack: (input) => client.send(new import_client_cloudformation.DeleteStackCommand(input)),
+      describeChangeSet: (input) => client.send(new import_client_cloudformation.DescribeChangeSetCommand(input)),
+      describeGeneratedTemplate: (input) => client.send(new import_client_cloudformation.DescribeGeneratedTemplateCommand(input)),
+      describeResourceScan: (input) => client.send(new import_client_cloudformation.DescribeResourceScanCommand(input)),
+      describeStacks: (input) => client.send(new import_client_cloudformation.DescribeStacksCommand(input)),
+      describeStackResources: (input) => client.send(new import_client_cloudformation.DescribeStackResourcesCommand(input)),
+      executeChangeSet: (input) => client.send(new import_client_cloudformation.ExecuteChangeSetCommand(input)),
+      getGeneratedTemplate: (input) => client.send(new import_client_cloudformation.GetGeneratedTemplateCommand(input)),
+      getTemplate: (input) => client.send(new import_client_cloudformation.GetTemplateCommand(input)),
+      getTemplateSummary: (input) => client.send(new import_client_cloudformation.GetTemplateSummaryCommand(input)),
+      listExports: (input) => client.send(new import_client_cloudformation.ListExportsCommand(input)),
+      listResourceScanRelatedResources: (input) => client.send(new import_client_cloudformation.ListResourceScanRelatedResourcesCommand(input)),
+      listResourceScanResources: (input) => client.send(new import_client_cloudformation.ListResourceScanResourcesCommand(input)),
+      listResourceScans: (input) => client.send(new import_client_cloudformation.ListResourceScansCommand(input)),
+      listStacks: (input) => client.send(new import_client_cloudformation.ListStacksCommand(input)),
+      rollbackStack: (input) => client.send(new import_client_cloudformation.RollbackStackCommand(input)),
+      startResourceScan: (input) => client.send(new import_client_cloudformation.StartResourceScanCommand(input)),
+      updateStack: (input) => client.send(new import_client_cloudformation.UpdateStackCommand(input)),
+      updateTerminationProtection: (input) => client.send(new import_client_cloudformation.UpdateTerminationProtectionCommand(input)),
+      describeStackEvents: (input) => {
+        return client.send(new import_client_cloudformation.DescribeStackEventsCommand(input));
+      },
+      listStackResources: async (input) => {
+        const stackResources = Array();
+        const paginator = (0, import_client_cloudformation.paginateListStackResources)({ client }, input);
+        for await (const page of paginator) {
+          stackResources.push(...page?.StackResourceSummaries || []);
+        }
+        return stackResources;
+      },
+      paginatedListStacks: async (input) => {
+        const stackResources = Array();
+        const paginator = (0, import_client_cloudformation.paginateListStacks)({ client }, input);
+        for await (const page of paginator) {
+          stackResources.push(...page?.StackSummaries || []);
+        }
+        return stackResources;
+      }
+    };
+  }
+  cloudWatchLogs() {
+    const client = new import_client_cloudwatch_logs.CloudWatchLogsClient(this.config);
+    return {
+      describeLogGroups: (input) => client.send(new import_client_cloudwatch_logs.DescribeLogGroupsCommand(input)),
+      filterLogEvents: (input) => client.send(new import_client_cloudwatch_logs.FilterLogEventsCommand(input))
+    };
+  }
+  codeBuild() {
+    const client = new import_client_codebuild.CodeBuildClient(this.config);
+    return {
+      updateProject: (input) => client.send(new import_client_codebuild.UpdateProjectCommand(input))
+    };
+  }
+  ec2() {
+    const client = new import_client_ec2.EC2Client(this.config);
+    return {
+      describeAvailabilityZones: (input) => client.send(new import_client_ec2.DescribeAvailabilityZonesCommand(input)),
+      describeImages: (input) => client.send(new import_client_ec2.DescribeImagesCommand(input)),
+      describeInstances: (input) => client.send(new import_client_ec2.DescribeInstancesCommand(input)),
+      describeRouteTables: (input) => client.send(new import_client_ec2.DescribeRouteTablesCommand(input)),
+      describeSecurityGroups: (input) => client.send(new import_client_ec2.DescribeSecurityGroupsCommand(input)),
+      describeSubnets: (input) => client.send(new import_client_ec2.DescribeSubnetsCommand(input)),
+      describeVpcEndpointServices: (input) => client.send(new import_client_ec2.DescribeVpcEndpointServicesCommand(input)),
+      describeVpcs: (input) => client.send(new import_client_ec2.DescribeVpcsCommand(input)),
+      describeVpnGateways: (input) => client.send(new import_client_ec2.DescribeVpnGatewaysCommand(input))
+    };
+  }
+  ecr() {
+    const client = new import_client_ecr.ECRClient(this.config);
+    return {
+      batchDeleteImage: (input) => client.send(new import_client_ecr.BatchDeleteImageCommand(input)),
+      batchGetImage: (input) => client.send(new import_client_ecr.BatchGetImageCommand(input)),
+      createRepository: (input) => client.send(new import_client_ecr.CreateRepositoryCommand(input)),
+      describeImages: (input) => client.send(new import_client_ecr.DescribeImagesCommand(input)),
+      describeRepositories: (input) => client.send(new import_client_ecr.DescribeRepositoriesCommand(input)),
+      getAuthorizationToken: (input) => client.send(new import_client_ecr.GetAuthorizationTokenCommand(input)),
+      listImages: (input) => client.send(new import_client_ecr.ListImagesCommand(input)),
+      putImage: (input) => client.send(new import_client_ecr.PutImageCommand(input)),
+      putImageScanningConfiguration: (input) => client.send(new import_client_ecr.PutImageScanningConfigurationCommand(input))
+    };
+  }
+  ecs() {
+    const client = new import_client_ecs.ECSClient(this.config);
+    return {
+      listClusters: (input) => client.send(new import_client_ecs.ListClustersCommand(input)),
+      registerTaskDefinition: (input) => client.send(new import_client_ecs.RegisterTaskDefinitionCommand(input)),
+      updateService: (input) => client.send(new import_client_ecs.UpdateServiceCommand(input)),
+      // Waiters
+      waitUntilServicesStable: (input) => {
+        return (0, import_client_ecs.waitUntilServicesStable)(
+          {
+            client,
+            maxWaitTime: 600,
+            minDelay: 6,
+            maxDelay: 6
+          },
+          input
+        );
+      }
+    };
+  }
+  elbv2() {
+    const client = new import_client_elastic_load_balancing_v2.ElasticLoadBalancingV2Client(this.config);
+    return {
+      describeListeners: (input) => client.send(new import_client_elastic_load_balancing_v2.DescribeListenersCommand(input)),
+      describeLoadBalancers: (input) => client.send(new import_client_elastic_load_balancing_v2.DescribeLoadBalancersCommand(input)),
+      describeTags: (input) => client.send(new import_client_elastic_load_balancing_v2.DescribeTagsCommand(input)),
+      // Pagination Functions
+      paginateDescribeListeners: async (input) => {
+        const listeners = Array();
+        const paginator = (0, import_client_elastic_load_balancing_v2.paginateDescribeListeners)({ client }, input);
+        for await (const page of paginator) {
+          listeners.push(...page?.Listeners || []);
+        }
+        return listeners;
+      },
+      paginateDescribeLoadBalancers: async (input) => {
+        const loadBalancers = Array();
+        const paginator = (0, import_client_elastic_load_balancing_v2.paginateDescribeLoadBalancers)({ client }, input);
+        for await (const page of paginator) {
+          loadBalancers.push(...page?.LoadBalancers || []);
+        }
+        return loadBalancers;
+      }
+    };
+  }
+  iam() {
+    const client = new import_client_iam.IAMClient(this.config);
+    return {
+      createPolicy: (input) => client.send(new import_client_iam.CreatePolicyCommand(input)),
+      getPolicy: (input) => client.send(new import_client_iam.GetPolicyCommand(input)),
+      getRole: (input) => client.send(new import_client_iam.GetRoleCommand(input))
+    };
+  }
+  kms() {
+    const client = new import_client_kms.KMSClient(this.config);
+    return {
+      describeKey: (input) => client.send(new import_client_kms.DescribeKeyCommand(input)),
+      listAliases: (input) => client.send(new import_client_kms.ListAliasesCommand(input))
+    };
+  }
+  lambda() {
+    const client = new import_client_lambda.LambdaClient(this.config);
+    return {
+      invokeCommand: (input) => client.send(new import_client_lambda.InvokeCommand(input)),
+      publishVersion: (input) => client.send(new import_client_lambda.PublishVersionCommand(input)),
+      updateAlias: (input) => client.send(new import_client_lambda.UpdateAliasCommand(input)),
+      updateFunctionCode: (input) => client.send(new import_client_lambda.UpdateFunctionCodeCommand(input)),
+      updateFunctionConfiguration: (input) => client.send(new import_client_lambda.UpdateFunctionConfigurationCommand(input)),
+      // Waiters
+      waitUntilFunctionUpdated: (delaySeconds, input) => {
+        return (0, import_client_lambda.waitUntilFunctionUpdatedV2)(
+          {
+            client,
+            maxDelay: delaySeconds,
+            minDelay: delaySeconds,
+            maxWaitTime: delaySeconds * 60
+          },
+          input
+        );
+      }
+    };
+  }
+  route53() {
+    const client = new import_client_route_53.Route53Client(this.config);
+    return {
+      getHostedZone: (input) => client.send(new import_client_route_53.GetHostedZoneCommand(input)),
+      listHostedZones: (input) => client.send(new import_client_route_53.ListHostedZonesCommand(input)),
+      listHostedZonesByName: (input) => client.send(new import_client_route_53.ListHostedZonesByNameCommand(input))
+    };
+  }
+  s3() {
+    const client = new import_client_s3.S3Client(this.config);
+    return {
+      deleteObjects: (input) => client.send(new import_client_s3.DeleteObjectsCommand({
+        ...input,
+        ChecksumAlgorithm: "SHA256"
+      })),
+      deleteObjectTagging: (input) => client.send(new import_client_s3.DeleteObjectTaggingCommand(input)),
+      getBucketEncryption: (input) => client.send(new import_client_s3.GetBucketEncryptionCommand(input)),
+      getBucketLocation: (input) => client.send(new import_client_s3.GetBucketLocationCommand(input)),
+      getObject: (input) => client.send(new import_client_s3.GetObjectCommand(input)),
+      getObjectTagging: (input) => client.send(new import_client_s3.GetObjectTaggingCommand(input)),
+      listObjectsV2: (input) => client.send(new import_client_s3.ListObjectsV2Command(input)),
+      putObjectTagging: (input) => client.send(new import_client_s3.PutObjectTaggingCommand({
+        ...input,
+        ChecksumAlgorithm: "SHA256"
+      })),
+      upload: (input) => {
+        try {
+          const upload = new import_lib_storage.Upload({
+            client,
+            params: { ...input, ChecksumAlgorithm: "SHA256" }
+          });
+          return upload.done();
+        } catch (e) {
+          throw new AuthenticationError(`Upload failed: ${formatErrorMessage(e)}`);
+        }
+      }
+    };
+  }
+  secretsManager() {
+    const client = new import_client_secrets_manager.SecretsManagerClient(this.config);
+    return {
+      getSecretValue: (input) => client.send(new import_client_secrets_manager.GetSecretValueCommand(input))
+    };
+  }
+  ssm() {
+    const client = new import_client_ssm.SSMClient(this.config);
+    return {
+      getParameter: (input) => client.send(new import_client_ssm.GetParameterCommand(input))
+    };
+  }
+  stepFunctions() {
+    const client = new import_client_sfn.SFNClient(this.config);
+    return {
+      updateStateMachine: (input) => client.send(new import_client_sfn.UpdateStateMachineCommand(input))
+    };
+  }
+  /**
+   * The AWS SDK v3 requires a client config and a command in order to get an endpoint for
+   * any given service.
+   */
+  async getUrlSuffix(region) {
+    const cfn = new import_client_cloudformation.CloudFormationClient({ region });
+    const endpoint = await (0, import_middleware_endpoint.getEndpointFromInstructions)({}, import_client_cloudformation.DescribeStackResourcesCommand, { ...cfn.config });
+    return endpoint.url.hostname.split(`${region}.`).pop();
+  }
+  async currentAccount() {
+    return cachedAsync(this, CURRENT_ACCOUNT_KEY, async () => {
+      const creds = await this.credProvider();
+      return this.accountCache.fetch(creds.accessKeyId, async () => {
+        await this.debug("Looking up default account ID from STS");
+        const client = new import_client_sts.STSClient({
+          ...this.config,
+          retryStrategy: this.stsRetryStrategy
+        });
+        const command = new import_client_sts.GetCallerIdentityCommand({});
+        const result2 = await client.send(command);
+        const accountId = result2.Account;
+        const partition = result2.Arn.split(":")[1];
+        if (!accountId) {
+          throw new AuthenticationError("STS didn't return an account ID");
+        }
+        await this.debug(`Default account ID: ${accountId}`);
+        this._credentialsValidated = true;
+        return { accountId, partition };
+      });
+    });
+  }
+  /**
+   * Make sure the the current credentials are not expired
+   */
+  async validateCredentials() {
+    if (this._credentialsValidated) {
+      return;
+    }
+    const client = new import_client_sts.STSClient({ ...this.config, retryStrategy: this.stsRetryStrategy });
+    await client.send(new import_client_sts.GetCallerIdentityCommand({}));
+    this._credentialsValidated = true;
+  }
+};
+SDK = __decorateClass([
+  traceMemberMethods
+], SDK);
+var CURRENT_ACCOUNT_KEY = Symbol("current_account_key");
+
+// lib/api/aws-auth/sdk-provider.ts
+var os2 = __toESM(require("os"));
+var import_cx_api = require("@aws-cdk/cx-api");
+var import_credential_providers2 = require("@aws-sdk/credential-providers");
+
+// lib/api/aws-auth/awscli-compatible.ts
+var import_node_util = require("node:util");
+var import_credential_providers = require("@aws-sdk/credential-providers");
+var import_ec2_metadata_service = require("@aws-sdk/ec2-metadata-service");
+var import_shared_ini_file_loader = require("@smithy/shared-ini-file-loader");
+var promptly = __toESM(require("promptly"));
+
+// lib/api/aws-auth/provider-caching.ts
+var import_property_provider = require("@smithy/property-provider");
+function makeCachingProvider(provider) {
+  return (0, import_property_provider.memoize)(
+    provider,
+    credentialsAboutToExpire,
+    (token) => !!token.expiration
+  );
+}
+function credentialsAboutToExpire(token) {
+  const expiryMarginSecs = 5;
+  return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1e3;
+}
+
+// lib/api/aws-auth/awscli-compatible.ts
+var AwsCliCompatible = class {
+  ioHelper;
+  requestHandler;
+  logger;
+  constructor(ioHelper, requestHandler, logger) {
+    this.ioHelper = ioHelper;
+    this.requestHandler = requestHandler;
+    this.logger = logger;
+  }
+  async baseConfig(profile) {
+    const credentialProvider = await this.credentialChainBuilder({
+      profile,
+      logger: this.logger
+    });
+    const defaultRegion = await this.region(profile);
+    return { credentialProvider, defaultRegion };
+  }
+  /**
+   * Build an AWS CLI-compatible credential chain provider
+   *
+   * The credential chain returned by this function is always caching.
+   */
+  async credentialChainBuilder(options = {}) {
+    const clientConfig = {
+      requestHandler: this.requestHandler,
+      customUserAgent: "aws-cdk",
+      logger: options.logger
+    };
+    const parentClientConfig = {
+      region: await this.region(options.profile)
+    };
+    if (options.profile) {
+      return makeCachingProvider((0, import_credential_providers.fromIni)({
+        profile: options.profile,
+        ignoreCache: true,
+        mfaCodeProvider: this.tokenCodeFn.bind(this),
+        clientConfig,
+        parentClientConfig,
+        logger: options.logger
+      }));
+    }
+    const envProfile = process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE;
+    const nodeProviderChain = (0, import_credential_providers.fromNodeProviderChain)({
+      profile: envProfile,
+      clientConfig,
+      parentClientConfig,
+      logger: options.logger,
+      mfaCodeProvider: this.tokenCodeFn.bind(this),
+      ignoreCache: true
+    });
+    return shouldPrioritizeEnv() ? (0, import_credential_providers.createCredentialChain)((0, import_credential_providers.fromEnv)(), nodeProviderChain).expireAfter(60 * 6e4) : nodeProviderChain;
+  }
+  /**
+   * Attempts to get the region from a number of sources and falls back to us-east-1 if no region can be found,
+   * as is done in the AWS CLI.
+   *
+   * The order of priority is the following:
+   *
+   * 1. Environment variables specifying region, with both an AWS prefix and AMAZON prefix
+   *    to maintain backwards compatibility, and without `DEFAULT` in the name because
+   *    Lambda and CodeBuild set the $AWS_REGION variable.
+   * 2. Regions listed in the Shared Ini Files - First checking for the profile provided
+   *    and then checking for the default profile.
+   * 3. IMDS instance identity region from the Metadata Service.
+   * 4. us-east-1
+   */
+  async region(maybeProfile) {
+    const defaultRegion = "us-east-1";
+    const profile = maybeProfile || process.env.AWS_PROFILE || process.env.AWS_DEFAULT_PROFILE || "default";
+    const region = process.env.AWS_REGION || process.env.AMAZON_REGION || process.env.AWS_DEFAULT_REGION || process.env.AMAZON_DEFAULT_REGION || await this.getRegionFromIni(profile) || await this.regionFromMetadataService();
+    if (!region) {
+      const usedProfile = !profile ? "" : ` (profile: "${profile}")`;
+      await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(
+        `Unable to determine AWS region from environment or AWS configuration${usedProfile}, defaulting to '${defaultRegion}'`
+      ));
+      return defaultRegion;
+    }
+    return region;
+  }
+  /**
+   * The MetadataService class will attempt to fetch the instance identity document from
+   * IMDSv2 first, and then will attempt v1 as a fallback.
+   *
+   * If this fails, we will use us-east-1 as the region so no error should be thrown.
+   * @returns The region for the instance identity
+   */
+  async regionFromMetadataService() {
+    await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg("Looking up AWS region in the EC2 Instance Metadata Service (IMDS)."));
+    try {
+      const metadataService = new import_ec2_metadata_service.MetadataService({
+        httpOptions: {
+          timeout: 1e3
+        }
+      });
+      await metadataService.fetchMetadataToken();
+      const document = await metadataService.request("/latest/dynamic/instance-identity/document", {});
+      return JSON.parse(document).region;
+    } catch (e) {
+      await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(`Unable to retrieve AWS region from IMDS: ${e}`));
+    }
+  }
+  /**
+   * Looks up the region of the provided profile. If no region is present,
+   * it will attempt to lookup the default region.
+   * @param profile The profile to use to lookup the region
+   * @returns The region for the profile or default profile, if present. Otherwise returns undefined.
+   */
+  async getRegionFromIni(profile) {
+    const sharedFiles = await (0, import_shared_ini_file_loader.loadSharedConfigFiles)({ ignoreCache: true });
+    return this.getRegionFromIniFile(profile, sharedFiles.credentialsFile) ?? this.getRegionFromIniFile(profile, sharedFiles.configFile) ?? this.getRegionFromIniFile("default", sharedFiles.credentialsFile) ?? this.getRegionFromIniFile("default", sharedFiles.configFile);
+  }
+  getRegionFromIniFile(profile, data) {
+    return data?.[profile]?.region;
+  }
+  /**
+   * Ask user for MFA token for given serial
+   *
+   * Result is send to callback function for SDK to authorize the request
+   */
+  async tokenCodeFn(serialArn) {
+    const debugFn = (msg, ...args) => this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg((0, import_node_util.format)(msg, ...args)));
+    await debugFn("Require MFA token for serial ARN", serialArn);
+    try {
+      const token = await promptly.prompt(`MFA token for ${serialArn}: `, {
+        trim: true,
+        default: ""
+      });
+      await debugFn("Successfully got MFA token from user");
+      return token;
+    } catch (err) {
+      await debugFn("Failed to get MFA token", err);
+      const e = new AuthenticationError(`Error fetching MFA token: ${err.message ?? err}`);
+      e.name = "SharedIniFileCredentialsProviderFailure";
+      throw e;
+    }
+  }
+};
+function shouldPrioritizeEnv() {
+  const id = process.env.AWS_ACCESS_KEY_ID || process.env.AMAZON_ACCESS_KEY_ID;
+  const key = process.env.AWS_SECRET_ACCESS_KEY || process.env.AMAZON_SECRET_ACCESS_KEY;
+  if (!!id && !!key) {
+    process.env.AWS_ACCESS_KEY_ID = id;
+    process.env.AWS_SECRET_ACCESS_KEY = key;
+    const sessionToken = process.env.AWS_SESSION_TOKEN ?? process.env.AMAZON_SESSION_TOKEN;
+    if (sessionToken) {
+      process.env.AWS_SESSION_TOKEN = sessionToken;
+    }
+    return true;
+  }
+  return false;
+}
+
+// lib/api/aws-auth/credential-plugins.ts
+var import_util8 = require("util");
+var CredentialPlugins = class {
+  constructor(host, ioHelper) {
+    this.host = host;
+    this.ioHelper = ioHelper;
+  }
+  cache = {};
+  async fetchCredentialsFor(awsAccountId, mode) {
+    const key = `${awsAccountId}-${mode}`;
+    if (!(key in this.cache)) {
+      this.cache[key] = await this.lookupCredentials(awsAccountId, mode);
+    }
+    return this.cache[key];
+  }
+  get availablePluginNames() {
+    return this.host.credentialProviderSources.map((s) => s.name);
+  }
+  async lookupCredentials(awsAccountId, mode) {
+    const triedSources = [];
+    for (const source of this.host.credentialProviderSources) {
+      let available;
+      try {
+        available = await source.isAvailable();
+      } catch (e) {
+        await this.ioHelper.notify(IO.CDK_TOOLKIT_W0100.msg(`Uncaught exception in ${source.name}: ${formatErrorMessage(e)}`));
+        available = false;
+      }
+      if (!available) {
+        await this.ioHelper.notify(IO.DEFAULT_TOOLKIT_DEBUG.msg(`Credentials source ${source.name} is not available, ignoring it.`));
+        continue;
+      }
+      triedSources.push(source);
+      let canProvide;
+      try {
+        canProvide = await source.canProvideCredentials(awsAccountId);
+      } catch (e) {
+        await this.ioHelper.notify(IO.CDK_TOOLKIT_W0100.msg(`Uncaught exception in ${source.name}: ${formatErrorMessage(e)}`));
+        canProvide = false;
+      }
+      if (!canProvide) {
+        continue;
+      }
+      await this.ioHelper.notify(IO.DEFAULT_TOOLKIT_DEBUG.msg(`Using ${source.name} credentials for account ${awsAccountId}`));
+      return {
+        credentials: await v3ProviderFromPlugin(() => source.getProvider(awsAccountId, mode, {
+          supportsV3Providers: true
+        })),
+        pluginName: source.name
+      };
+    }
+    return void 0;
+  }
+};
+async function v3ProviderFromPlugin(producer) {
+  const initial = await producer();
+  if (isV3Provider(initial)) {
+    return makeCachingProvider(initial);
+  } else if (isV3Credentials(initial) && initial.expiration === void 0) {
+    return () => Promise.resolve(initial);
+  } else if (isV3Credentials(initial) && initial.expiration !== void 0) {
+    return refreshFromPluginProvider(initial, producer);
+  } else if (isV2Credentials(initial)) {
+    return v3ProviderFromV2Credentials(initial);
+  } else {
+    throw new AuthenticationError(`Plugin returned a value that doesn't resemble AWS credentials: ${(0, import_util8.inspect)(initial)}`);
+  }
+}
+function v3ProviderFromV2Credentials(x) {
+  return async () => {
+    await x.getPromise();
+    return {
+      accessKeyId: x.accessKeyId,
+      secretAccessKey: x.secretAccessKey,
+      sessionToken: x.sessionToken,
+      expiration: x.expireTime ?? void 0
+    };
+  };
+}
+function refreshFromPluginProvider(current, producer) {
+  return async () => {
+    if (credentialsAboutToExpire(current)) {
+      const newCreds = await producer();
+      if (!isV3Credentials(newCreds)) {
+        throw new AuthenticationError(`Plugin initially returned static V3 credentials but now returned something else: ${(0, import_util8.inspect)(newCreds)}`);
+      }
+      current = newCreds;
+    }
+    return current;
+  };
+}
+function isV3Provider(x) {
+  return typeof x === "function";
+}
+function isV2Credentials(x) {
+  return !!(x && typeof x === "object" && x.getPromise);
+}
+function isV3Credentials(x) {
+  return !!(x && typeof x === "object" && x.accessKeyId && !isV2Credentials(x));
+}
+
+// lib/api/aws-auth/sdk-provider.ts
+var CACHED_ACCOUNT = Symbol("cached_account");
+var SdkProvider = class {
+  /**
+   * Create a new SdkProvider which gets its defaults in a way that behaves like the AWS CLI does
+   *
+   * The AWS SDK for JS behaves slightly differently from the AWS CLI in a number of ways; see the
+   * class `AwsCliCompatible` for the details.
+   */
+  static async withAwsCliCompatibleDefaults(options) {
+    callTrace(SdkProvider.withAwsCliCompatibleDefaults.name, SdkProvider.constructor.name, options.logger);
+    const config = await new AwsCliCompatible(options.ioHelper, options.requestHandler ?? {}, options.logger).baseConfig(options.profile);
+    return new SdkProvider(config.credentialProvider, config.defaultRegion, options);
+  }
+  defaultRegion;
+  defaultCredentialProvider;
+  plugins;
+  requestHandler;
+  ioHelper;
+  logger;
+  constructor(defaultCredentialProvider, defaultRegion, services) {
+    this.defaultCredentialProvider = defaultCredentialProvider;
+    this.defaultRegion = defaultRegion ?? "us-east-1";
+    this.requestHandler = services.requestHandler ?? {};
+    this.ioHelper = services.ioHelper;
+    this.logger = services.logger;
+    this.plugins = new CredentialPlugins(services.pluginHost ?? new PluginHost(), this.ioHelper);
+  }
+  /**
+   * Return an SDK which can do operations in the given environment
+   *
+   * The `environment` parameter is resolved first (see `resolveEnvironment()`).
+   */
+  async forEnvironment(environment, mode, options, quiet = false) {
+    const env = await this.resolveEnvironment(environment);
+    const baseCreds = await this.obtainBaseCredentials(env.account, mode);
+    if (baseCreds.source === "none") {
+      throw new AuthenticationError(fmtObtainCredentialsError(env.account, baseCreds));
+    }
+    if (options?.assumeRoleArn === void 0) {
+      if (baseCreds.source === "incorrectDefault") {
+        throw new AuthenticationError(fmtObtainCredentialsError(env.account, baseCreds));
+      }
+      const sdk = this._makeSdk(baseCreds.credentials, env.region);
+      await sdk.validateCredentials();
+      return { sdk, didAssumeRole: false };
+    }
+    try {
+      const sdk = await this.withAssumedRole(
+        baseCreds,
+        options.assumeRoleArn,
+        options.assumeRoleExternalId,
+        options.assumeRoleAdditionalOptions,
+        env.region
+      );
+      return { sdk, didAssumeRole: true };
+    } catch (err) {
+      if (err.name === "ExpiredToken") {
+        throw err;
+      }
+      if (baseCreds.source === "correctDefault" || baseCreds.source === "plugin") {
+        await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(err.message));
+        const maker = quiet ? IO.DEFAULT_SDK_DEBUG : IO.DEFAULT_SDK_WARN;
+        await this.ioHelper.notify(maker.msg(
+          `${fmtObtainedCredentials(baseCreds)} could not be used to assume '${options.assumeRoleArn}', but are for the right account. Proceeding anyway.`
+        ));
+        return {
+          sdk: this._makeSdk(baseCreds.credentials, env.region),
+          didAssumeRole: false
+        };
+      }
+      throw err;
+    }
+  }
+  /**
+   * Return the partition that base credentials are for
+   *
+   * Returns `undefined` if there are no base credentials.
+   */
+  async baseCredentialsPartition(environment, mode) {
+    const env = await this.resolveEnvironment(environment);
+    const baseCreds = await this.obtainBaseCredentials(env.account, mode);
+    if (baseCreds.source === "none") {
+      return void 0;
+    }
+    return (await this._makeSdk(baseCreds.credentials, env.region).currentAccount()).partition;
+  }
+  /**
+   * Resolve the environment for a stack
+   *
+   * Replaces the magic values `UNKNOWN_REGION` and `UNKNOWN_ACCOUNT`
+   * with the defaults for the current SDK configuration (`~/.aws/config` or
+   * otherwise).
+   *
+   * It is an error if `UNKNOWN_ACCOUNT` is used but the user hasn't configured
+   * any SDK credentials.
+   */
+  async resolveEnvironment(env) {
+    const region = env.region !== import_cx_api.UNKNOWN_REGION ? env.region : this.defaultRegion;
+    const account = env.account !== import_cx_api.UNKNOWN_ACCOUNT ? env.account : (await this.defaultAccount())?.accountId;
+    if (!account) {
+      throw new AuthenticationError(
+        "Unable to resolve AWS account to use. It must be either configured when you define your CDK Stack, or through the environment"
+      );
+    }
+    return {
+      region,
+      account,
+      name: import_cx_api.EnvironmentUtils.format(account, region)
+    };
+  }
+  /**
+   * The account we'd auth into if we used default credentials.
+   *
+   * Default credentials are the set of ambiently configured credentials using
+   * one of the environment variables, or ~/.aws/credentials, or the *one*
+   * profile that was passed into the CLI.
+   *
+   * Might return undefined if there are no default/ambient credentials
+   * available (in which case the user should better hope they have
+   * credential plugins configured).
+   *
+   * Uses a cache to avoid STS calls if we don't need 'em.
+   */
+  async defaultAccount() {
+    return cached(this, CACHED_ACCOUNT, async () => {
+      try {
+        return await this._makeSdk(this.defaultCredentialProvider, this.defaultRegion).currentAccount();
+      } catch (e) {
+        if (e.name === "ExpiredToken") {
+          await this.ioHelper.notify(IO.DEFAULT_SDK_WARN.msg(
+            "There are expired AWS credentials in your environment. The CDK app will synth without current account information."
+          ));
+          return void 0;
+        }
+        await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(`Unable to determine the default AWS account (${e.name}): ${formatErrorMessage(e)}`));
+        return void 0;
+      }
+    });
+  }
+  /**
+   * Get credentials for the given account ID in the given mode
+   *
+   * 1. Use the default credentials if the destination account matches the
+   *    current credentials' account.
+   * 2. Otherwise try all credential plugins.
+   * 3. Fail if neither of these yield any credentials.
+   * 4. Return a failure if any of them returned credentials
+   */
+  async obtainBaseCredentials(accountId, mode) {
+    const defaultAccountId = (await this.defaultAccount())?.accountId;
+    if (defaultAccountId === accountId) {
+      return {
+        source: "correctDefault",
+        credentials: await this.defaultCredentialProvider
+      };
+    }
+    const pluginCreds = await this.plugins.fetchCredentialsFor(accountId, mode);
+    if (pluginCreds) {
+      return { source: "plugin", ...pluginCreds };
+    }
+    if (defaultAccountId !== void 0) {
+      return {
+        source: "incorrectDefault",
+        accountId: defaultAccountId,
+        credentials: await this.defaultCredentialProvider,
+        unusedPlugins: this.plugins.availablePluginNames
+      };
+    }
+    return {
+      source: "none",
+      unusedPlugins: this.plugins.availablePluginNames
+    };
+  }
+  /**
+   * Return an SDK which uses assumed role credentials
+   *
+   * The base credentials used to retrieve the assumed role credentials will be the
+   * same credentials returned by obtainCredentials if an environment and mode is passed,
+   * otherwise it will be the current credentials.
+   */
+  async withAssumedRole(mainCredentials, roleArn, externalId, additionalOptions, region) {
+    await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(`Assuming role '${roleArn}'.`));
+    region = region ?? this.defaultRegion;
+    const sourceDescription = fmtObtainedCredentials(mainCredentials);
+    try {
+      const credentials = await makeCachingProvider((0, import_credential_providers2.fromTemporaryCredentials)({
+        masterCredentials: mainCredentials.credentials,
+        params: {
+          RoleArn: roleArn,
+          ExternalId: externalId,
+          RoleSessionName: `aws-cdk-${safeUsername()}`,
+          ...additionalOptions,
+          TransitiveTagKeys: additionalOptions?.Tags ? additionalOptions.Tags.map((t) => t.Key) : void 0
+        },
+        clientConfig: {
+          region,
+          requestHandler: this.requestHandler,
+          customUserAgent: "aws-cdk",
+          logger: this.logger
+        },
+        logger: this.logger
+      }));
+      await credentials();
+      return this._makeSdk(credentials, region);
+    } catch (err) {
+      if (err.name === "ExpiredToken") {
+        throw err;
+      }
+      await this.ioHelper.notify(IO.DEFAULT_SDK_DEBUG.msg(`Assuming role failed: ${err.message}`));
+      throw new AuthenticationError(
+        [
+          "Could not assume role in target account",
+          ...sourceDescription ? [`using ${sourceDescription}`] : [],
+          err.message,
+          ". Please make sure that this role exists in the account. If it doesn't exist, (re)-bootstrap the environment with the right '--trust', using the latest version of the CDK CLI."
+        ].join(" ")
+      );
+    }
+  }
+  /**
+   * Factory function that creates a new SDK instance
+   *
+   * This is a function here, instead of all the places where this is used creating a `new SDK`
+   * instance, so that it is trivial to mock from tests.
+   *
+   * Use like this:
+   *
+   * ```ts
+   * const mockSdk = jest.spyOn(SdkProvider.prototype, '_makeSdk').mockReturnValue(new MockSdk());
+   * // ...
+   * mockSdk.mockRestore();
+   * ```
+   *
+   * @internal
+   */
+  _makeSdk(credProvider, region) {
+    return new SDK(credProvider, region, this.requestHandler, this.ioHelper, this.logger);
+  }
+};
+SdkProvider = __decorateClass([
+  traceMemberMethods
+], SdkProvider);
+function safeUsername() {
+  try {
+    return os2.userInfo().username.replace(/[^\w+=,.@-]/g, "@");
+  } catch {
+    return "noname";
+  }
+}
+function fmtObtainCredentialsError(targetAccountId, obtainResult) {
+  const msg = [`Need to perform AWS calls for account ${targetAccountId}`];
+  switch (obtainResult.source) {
+    case "incorrectDefault":
+      msg.push(`but the current credentials are for ${obtainResult.accountId}`);
+      break;
+    case "none":
+      msg.push("but no credentials have been configured");
+  }
+  if (obtainResult.unusedPlugins.length > 0) {
+    msg.push(`and none of these plugins found any: ${obtainResult.unusedPlugins.join(", ")}`);
+  }
+  return msg.join(", ");
+}
+function fmtObtainedCredentials(obtainResult) {
+  switch (obtainResult.source) {
+    case "correctDefault":
+      return "current credentials";
+    case "plugin":
+      return `credentials returned by plugin '${obtainResult.pluginName}'`;
+    case "incorrectDefault":
+      const msg = [];
+      msg.push(`current credentials (which are for account ${obtainResult.accountId}`);
+      if (obtainResult.unusedPlugins.length > 0) {
+        msg.push(`, and none of the following plugins provided credentials: ${obtainResult.unusedPlugins.join(", ")}`);
+      }
+      msg.push(")");
+      return msg.join("");
+  }
+}
+async function initContextProviderSdk(aws, options) {
+  const account = options.account;
+  const region = options.region;
+  const creds = {
+    assumeRoleArn: options.lookupRoleArn,
+    assumeRoleExternalId: options.lookupRoleExternalId,
+    assumeRoleAdditionalOptions: options.assumeRoleAdditionalOptions
+  };
+  return (await aws.forEnvironment(import_cx_api.EnvironmentUtils.make(account, region), 0 /* ForReading */, creds)).sdk;
+}
+
+// lib/context-providers/index.ts
+var cxschema2 = __toESM(require("@aws-cdk/cloud-assembly-schema"));
+var cxapi2 = __toESM(require("@aws-cdk/cx-api"));
+
+// lib/context-providers/ami.ts
+var AmiContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const region = args.region;
+    const account = args.account;
+    await this.io.info(`Searching for AMI in ${account}:${region}`);
+    await this.io.debug(`AMI search parameters: ${JSON.stringify(args)}`);
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeImages({
+      Owners: args.owners,
+      Filters: Object.entries(args.filters).map(([key, values]) => ({
+        Name: key,
+        Values: values
+      }))
+    });
+    const images = [...response.Images || []].filter((i) => i.ImageId !== void 0);
+    if (images.length === 0) {
+      throw new ContextProviderError("No AMI found that matched the search criteria");
+    }
+    images.sort(descending((i) => Date.parse(i.CreationDate || "1970")));
+    await this.io.debug(`Selected image '${images[0].ImageId}' created at '${images[0].CreationDate}'`);
+    return images[0].ImageId;
+  }
+};
+function descending(valueOf) {
+  return (a, b) => {
+    return valueOf(b) - valueOf(a);
+  };
+}
+
+// lib/context-providers/availability-zones.ts
+var AZContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const region = args.region;
+    const account = args.account;
+    await this.io.debug(`Reading AZs for ${account}:${region}`);
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeAvailabilityZones({});
+    if (!response.AvailabilityZones) {
+      return [];
+    }
+    const azs = response.AvailabilityZones.filter((zone) => zone.State === "available").map(
+      (zone) => zone.ZoneName
+    );
+    return azs;
+  }
+};
+
+// lib/context-providers/cc-api-provider.ts
+var import_client_cloudcontrol2 = require("@aws-sdk/client-cloudcontrol");
+var CcApiContextProviderPlugin = class {
+  constructor(aws) {
+    this.aws = aws;
+  }
+  /**
+   * This returns a data object with the value from CloudControl API result.
+   *
+   * See the documentation in the Cloud Assembly Schema for the semantics of
+   * each query parameter.
+   */
+  async getValue(args) {
+    if (args.exactIdentifier && args.propertyMatch) {
+      throw new ContextProviderError(`Provider protocol error: specify either exactIdentifier or propertyMatch, but not both (got ${JSON.stringify(args)})`);
+    }
+    if (args.ignoreErrorOnMissingContext && args.dummyValue === void 0) {
+      throw new ContextProviderError(`Provider protocol error: if ignoreErrorOnMissingContext is set, a dummyValue must be supplied (got ${JSON.stringify(args)})`);
+    }
+    if (args.dummyValue !== void 0 && (!Array.isArray(args.dummyValue) || !args.dummyValue.every(isObject2))) {
+      throw new ContextProviderError(`Provider protocol error: dummyValue must be an array of objects (got ${JSON.stringify(args.dummyValue)})`);
+    }
+    const cloudControl = (await initContextProviderSdk(this.aws, args)).cloudControl();
+    try {
+      let resources;
+      if (args.exactIdentifier) {
+        resources = await this.getResource(cloudControl, args.typeName, args.exactIdentifier);
+      } else if (args.propertyMatch) {
+        resources = await this.listResources(cloudControl, args.typeName, args.propertyMatch, args.expectedMatchCount);
+      } else {
+        throw new ContextProviderError(`Provider protocol error: neither exactIdentifier nor propertyMatch is specified in ${JSON.stringify(args)}.`);
+      }
+      return resources.map((r) => getResultObj(r.properties, r.identifier, args.propertiesToReturn));
+    } catch (err) {
+      if (err instanceof ZeroResourcesFoundError && args.ignoreErrorOnMissingContext) {
+        return args.dummyValue;
+      }
+      throw err;
+    }
+  }
+  /**
+   * Calls getResource from CC API to get the resource.
+   * See https://docs.aws.amazon.com/cli/latest/reference/cloudcontrol/get-resource.html
+   *
+   * Will always return exactly one resource, or fail.
+   */
+  async getResource(cc, typeName, exactIdentifier) {
+    try {
+      const result2 = await cc.getResource({
+        TypeName: typeName,
+        Identifier: exactIdentifier
+      });
+      if (!result2.ResourceDescription) {
+        throw new ContextProviderError("Unexpected CloudControl API behavior: returned empty response");
+      }
+      return [foundResourceFromCcApi(result2.ResourceDescription)];
+    } catch (err) {
+      if (err instanceof import_client_cloudcontrol2.ResourceNotFoundException || err.name === "ResourceNotFoundException") {
+        throw new ZeroResourcesFoundError(`No resource of type ${typeName} with identifier: ${exactIdentifier}`);
+      }
+      if (!(err instanceof ContextProviderError)) {
+        throw new ContextProviderError(`Encountered CC API error while getting ${typeName} resource ${exactIdentifier}: ${err.message}`);
+      }
+      throw err;
+    }
+  }
+  /**
+   * Calls listResources from CC API to get the resources and apply args.propertyMatch to find the resources.
+   * See https://docs.aws.amazon.com/cli/latest/reference/cloudcontrol/list-resources.html
+   *
+   * Will return 0 or more resources.
+   *
+   * Does not currently paginate through more than one result page.
+   */
+  async listResources(cc, typeName, propertyMatch, expectedMatchCount) {
+    try {
+      const result2 = await cc.listResources({
+        TypeName: typeName
+      });
+      const found = (result2.ResourceDescriptions ?? []).map(foundResourceFromCcApi).filter((r) => {
+        return Object.entries(propertyMatch).every(([propPath, expected]) => {
+          const actual = findJsonValue(r.properties, propPath);
+          return propertyMatchesFilter(actual, expected);
+        });
+      });
+      if ((expectedMatchCount === "at-least-one" || expectedMatchCount === "exactly-one") && found.length === 0) {
+        throw new ZeroResourcesFoundError(`Could not find any resources matching ${JSON.stringify(propertyMatch)}`);
+      }
+      if ((expectedMatchCount === "at-most-one" || expectedMatchCount === "exactly-one") && found.length > 1) {
+        throw new ContextProviderError(`Found ${found.length} resources matching ${JSON.stringify(propertyMatch)}; please narrow the search criteria`);
+      }
+      return found;
+    } catch (err) {
+      if (!(err instanceof ContextProviderError) && !(err instanceof ZeroResourcesFoundError)) {
+        throw new ContextProviderError(`Encountered CC API error while listing ${typeName} resources matching ${JSON.stringify(propertyMatch)}: ${err.message}`);
+      }
+      throw err;
+    }
+  }
+};
+function foundResourceFromCcApi(desc) {
+  return {
+    identifier: desc.Identifier ?? "*MISSING*",
+    properties: JSON.parse(desc.Properties ?? "{}")
+  };
+}
+function propertyMatchesFilter(actual, expected) {
+  return expected === actual;
+}
+function isObject2(x) {
+  return typeof x === "object" && x !== null && !Array.isArray(x);
+}
+var ZeroResourcesFoundError = class extends Error {
+};
+
+// lib/context-providers/endpoint-service-availability-zones.ts
+var EndpointServiceAZContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const region = args.region;
+    const account = args.account;
+    const serviceName = args.serviceName;
+    await this.io.debug(`Reading AZs for ${account}:${region}:${serviceName}`);
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const response = await ec2.describeVpcEndpointServices({
+      ServiceNames: [serviceName]
+    });
+    if (!response.ServiceDetails || response.ServiceDetails.length === 0) {
+      await this.io.debug(`Could not retrieve service details for ${account}:${region}:${serviceName}`);
+      return [];
+    }
+    const azs = response.ServiceDetails[0].AvailabilityZones;
+    await this.io.debug(`Endpoint service ${account}:${region}:${serviceName} is available in availability zones ${azs}`);
+    return azs;
+  }
+};
+
+// lib/context-providers/hosted-zones.ts
+var HostedZoneContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const account = args.account;
+    const region = args.region;
+    if (!this.isHostedZoneQuery(args)) {
+      throw new ContextProviderError(`HostedZoneProvider requires domainName property to be set in ${args}`);
+    }
+    const domainName = args.domainName;
+    await this.io.debug(`Reading hosted zone ${account}:${region}:${domainName}`);
+    const r53 = (await initContextProviderSdk(this.aws, args)).route53();
+    const response = await r53.listHostedZonesByName({ DNSName: domainName });
+    if (!response.HostedZones) {
+      throw new ContextProviderError(`Hosted Zone not found in account ${account}, region ${region}: ${domainName}`);
+    }
+    const candidateZones = await this.filterZones(r53, response.HostedZones, args);
+    if (candidateZones.length !== 1) {
+      const filteProps = `dns:${domainName}, privateZone:${args.privateZone}, vpcId:${args.vpcId}`;
+      throw new ContextProviderError(`Found zones: ${JSON.stringify(candidateZones)} for ${filteProps}, but wanted exactly 1 zone`);
+    }
+    return {
+      Id: candidateZones[0].Id,
+      Name: candidateZones[0].Name
+    };
+  }
+  async filterZones(r53, zones, props) {
+    let candidates = [];
+    const domainName = props.domainName.endsWith(".") ? props.domainName : `${props.domainName}.`;
+    await this.io.debug(`Found the following zones ${JSON.stringify(zones)}`);
+    candidates = zones.filter((zone) => zone.Name === domainName);
+    await this.io.debug(`Found the following matched name zones ${JSON.stringify(candidates)}`);
+    if (props.privateZone) {
+      candidates = candidates.filter((zone) => zone.Config && zone.Config.PrivateZone);
+    } else {
+      candidates = candidates.filter((zone) => !zone.Config || !zone.Config.PrivateZone);
+    }
+    if (props.vpcId) {
+      const vpcZones = [];
+      for (const zone of candidates) {
+        const data = await r53.getHostedZone({ Id: zone.Id });
+        if (!data.VPCs) {
+          await this.io.debug(`Expected VPC for private zone but no VPC found ${zone.Id}`);
+          continue;
+        }
+        if (data.VPCs.map((vpc) => vpc.VPCId).includes(props.vpcId)) {
+          vpcZones.push(zone);
+        }
+      }
+      return vpcZones;
+    }
+    return candidates;
+  }
+  isHostedZoneQuery(props) {
+    return props.domainName !== void 0;
+  }
+};
+
+// lib/context-providers/keys.ts
+var KeyContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const kms = (await initContextProviderSdk(this.aws, args)).kms();
+    const aliasListEntry = await this.findKey(kms, args);
+    return this.readKeyProps(aliasListEntry, args);
+  }
+  // TODO: use paginator function
+  async findKey(kms, args) {
+    await this.io.debug(`Listing keys in ${args.account}:${args.region}`);
+    let response;
+    let nextMarker;
+    do {
+      response = await kms.listAliases({
+        Marker: nextMarker
+      });
+      const aliases = response.Aliases || [];
+      for (const alias of aliases) {
+        if (alias.AliasName == args.aliasName) {
+          return alias;
+        }
+      }
+      nextMarker = response.NextMarker;
+    } while (nextMarker);
+    const suppressError = "ignoreErrorOnMissingContext" in args && args.ignoreErrorOnMissingContext;
+    const hasDummyKeyId = "dummyValue" in args && typeof args.dummyValue === "object" && args.dummyValue !== null && "keyId" in args.dummyValue;
+    if (suppressError && hasDummyKeyId) {
+      const keyId = args.dummyValue.keyId;
+      return { TargetKeyId: keyId };
+    }
+    throw new ContextProviderError(`Could not find any key with alias named ${args.aliasName}`);
+  }
+  async readKeyProps(alias, args) {
+    if (!alias.TargetKeyId) {
+      throw new ContextProviderError(`Could not find any key with alias named ${args.aliasName}`);
+    }
+    await this.io.debug(`Key found ${alias.TargetKeyId}`);
+    return {
+      keyId: alias.TargetKeyId
+    };
+  }
+};
+
+// lib/context-providers/load-balancers.ts
+var import_cx_api2 = require("@aws-cdk/cx-api");
+var LoadBalancerContextProviderPlugin = class {
+  constructor(aws) {
+    this.aws = aws;
+  }
+  async getValue(query) {
+    if (!query.loadBalancerArn && !query.loadBalancerTags) {
+      throw new ContextProviderError("The load balancer lookup query must specify either `loadBalancerArn` or `loadBalancerTags`");
+    }
+    const loadBalancer = await (await LoadBalancerProvider.getClient(this.aws, query)).getLoadBalancer();
+    const ipAddressType = loadBalancer.IpAddressType === "ipv4" ? import_cx_api2.LoadBalancerIpAddressType.IPV4 : import_cx_api2.LoadBalancerIpAddressType.DUAL_STACK;
+    return {
+      loadBalancerArn: loadBalancer.LoadBalancerArn,
+      loadBalancerCanonicalHostedZoneId: loadBalancer.CanonicalHostedZoneId,
+      loadBalancerDnsName: loadBalancer.DNSName,
+      vpcId: loadBalancer.VpcId,
+      securityGroupIds: loadBalancer.SecurityGroups ?? [],
+      ipAddressType
+    };
+  }
+};
+var LoadBalancerListenerContextProviderPlugin = class {
+  constructor(aws) {
+    this.aws = aws;
+  }
+  async getValue(query) {
+    if (!query.listenerArn && !query.loadBalancerArn && !query.loadBalancerTags) {
+      throw new ContextProviderError(
+        "The load balancer listener query must specify at least one of: `listenerArn`, `loadBalancerArn` or `loadBalancerTags`"
+      );
+    }
+    return (await LoadBalancerProvider.getClient(this.aws, query)).getListener();
+  }
+};
+var LoadBalancerProvider = class _LoadBalancerProvider {
+  constructor(client, filter, listener) {
+    this.client = client;
+    this.filter = filter;
+    this.listener = listener;
+  }
+  static async getClient(aws, query) {
+    const client = (await initContextProviderSdk(aws, query)).elbv2();
+    try {
+      const listener = query.listenerArn ? (
+        // Assert we're sure there's at least one so it throws if not
+        (await client.describeListeners({ ListenerArns: [query.listenerArn] })).Listeners[0]
+      ) : void 0;
+      return new _LoadBalancerProvider(
+        client,
+        { ...query, loadBalancerArn: listener?.LoadBalancerArn || query.loadBalancerArn },
+        listener
+      );
+    } catch (err) {
+      throw new ContextProviderError(`No load balancer listeners found matching arn ${query.listenerArn}`);
+    }
+  }
+  async getLoadBalancer() {
+    const loadBalancers = await this.getLoadBalancers();
+    if (loadBalancers.length === 0) {
+      throw new ContextProviderError(`No load balancers found matching ${JSON.stringify(this.filter)}`);
+    }
+    if (loadBalancers.length > 1) {
+      throw new ContextProviderError(
+        `Multiple load balancers found matching ${JSON.stringify(this.filter)} - please provide more specific criteria`
+      );
+    }
+    return loadBalancers[0];
+  }
+  async getListener() {
+    if (this.listener) {
+      try {
+        const loadBalancer = await this.getLoadBalancer();
+        return {
+          listenerArn: this.listener.ListenerArn,
+          listenerPort: this.listener.Port,
+          securityGroupIds: loadBalancer.SecurityGroups || []
+        };
+      } catch (err) {
+        throw new ContextProviderError(`No associated load balancer found for listener arn ${this.filter.listenerArn}`);
+      }
+    }
+    const loadBalancers = await this.getLoadBalancers();
+    if (loadBalancers.length === 0) {
+      throw new ContextProviderError(
+        `No associated load balancers found for load balancer listener query ${JSON.stringify(this.filter)}`
+      );
+    }
+    const listeners = (await this.getListenersForLoadBalancers(loadBalancers)).filter((listener) => {
+      return (!this.filter.listenerPort || listener.Port === this.filter.listenerPort) && (!this.filter.listenerProtocol || listener.Protocol === this.filter.listenerProtocol);
+    });
+    if (listeners.length === 0) {
+      throw new ContextProviderError(`No load balancer listeners found matching ${JSON.stringify(this.filter)}`);
+    }
+    if (listeners.length > 1) {
+      throw new ContextProviderError(
+        `Multiple load balancer listeners found matching ${JSON.stringify(this.filter)} - please provide more specific criteria`
+      );
+    }
+    return {
+      listenerArn: listeners[0].ListenerArn,
+      listenerPort: listeners[0].Port,
+      securityGroupIds: loadBalancers.find((lb) => listeners[0].LoadBalancerArn === lb.LoadBalancerArn)?.SecurityGroups || []
+    };
+  }
+  async getLoadBalancers() {
+    const loadBalancerArns = this.filter.loadBalancerArn ? [this.filter.loadBalancerArn] : void 0;
+    const loadBalancers = (await this.client.paginateDescribeLoadBalancers({
+      LoadBalancerArns: loadBalancerArns
+    })).filter((lb) => lb.Type === this.filter.loadBalancerType);
+    return this.filterByTags(loadBalancers);
+  }
+  async filterByTags(loadBalancers) {
+    if (!this.filter.loadBalancerTags) {
+      return loadBalancers;
+    }
+    return (await this.describeTags(loadBalancers.map((lb) => lb.LoadBalancerArn))).filter((tagDescription) => {
+      return this.filter.loadBalancerTags.every((filter) => {
+        return tagDescription.Tags?.some((tag) => filter.key === tag.Key && filter.value === tag.Value);
+      });
+    }).flatMap((tag) => loadBalancers.filter((loadBalancer) => tag.ResourceArn === loadBalancer.LoadBalancerArn));
+  }
+  /**
+   * Returns tag descriptions associated with the resources. The API doesn't support
+   * pagination, so this function breaks the resource list into chunks and issues
+   * the appropriate requests.
+   */
+  async describeTags(resourceArns) {
+    const chunkSize = 20;
+    const tags = Array();
+    for (let i = 0; i < resourceArns.length; i += chunkSize) {
+      const chunk = resourceArns.slice(i, Math.min(i + chunkSize, resourceArns.length));
+      const chunkTags = await this.client.describeTags({
+        ResourceArns: chunk
+      });
+      tags.push(...chunkTags.TagDescriptions || []);
+    }
+    return tags;
+  }
+  async getListenersForLoadBalancers(loadBalancers) {
+    const listeners = [];
+    for (const loadBalancer of loadBalancers.map((lb) => lb.LoadBalancerArn)) {
+      listeners.push(...await this.client.paginateDescribeListeners({ LoadBalancerArn: loadBalancer }));
+    }
+    return listeners;
+  }
+};
+
+// lib/context-providers/security-groups.ts
+var SecurityGroupContextProviderPlugin = class {
+  constructor(aws) {
+    this.aws = aws;
+  }
+  async getValue(args) {
+    if (args.securityGroupId && args.securityGroupName) {
+      throw new ContextProviderError(
+        "'securityGroupId' and 'securityGroupName' can not be specified both when looking up a security group"
+      );
+    }
+    if (!args.securityGroupId && !args.securityGroupName) {
+      throw new ContextProviderError("'securityGroupId' or 'securityGroupName' must be specified to look up a security group");
+    }
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const filters = [];
+    if (args.vpcId) {
+      filters.push({
+        Name: "vpc-id",
+        Values: [args.vpcId]
+      });
+    }
+    if (args.securityGroupName) {
+      filters.push({
+        Name: "group-name",
+        Values: [args.securityGroupName]
+      });
+    }
+    const response = await ec2.describeSecurityGroups({
+      GroupIds: args.securityGroupId ? [args.securityGroupId] : void 0,
+      Filters: filters.length > 0 ? filters : void 0
+    });
+    const securityGroups = response.SecurityGroups ?? [];
+    if (securityGroups.length === 0) {
+      throw new ContextProviderError(`No security groups found matching ${JSON.stringify(args)}`);
+    }
+    if (securityGroups.length > 1) {
+      throw new ContextProviderError(`More than one security groups found matching ${JSON.stringify(args)}`);
+    }
+    const [securityGroup] = securityGroups;
+    return {
+      securityGroupId: securityGroup.GroupId,
+      allowAllOutbound: hasAllTrafficEgress(securityGroup)
+    };
+  }
+};
+function hasAllTrafficEgress(securityGroup) {
+  let hasAllTrafficCidrV4 = false;
+  let hasAllTrafficCidrV6 = false;
+  for (const ipPermission of securityGroup.IpPermissionsEgress ?? []) {
+    const isAllProtocols = ipPermission.IpProtocol === "-1";
+    if (isAllProtocols && ipPermission.IpRanges?.some((m) => m.CidrIp === "0.0.0.0/0")) {
+      hasAllTrafficCidrV4 = true;
+    }
+    if (isAllProtocols && ipPermission.Ipv6Ranges?.some((m) => m.CidrIpv6 === "::/0")) {
+      hasAllTrafficCidrV6 = true;
+    }
+  }
+  return hasAllTrafficCidrV4 && hasAllTrafficCidrV6;
+}
+
+// lib/context-providers/ssm-parameters.ts
+var SSMContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const region = args.region;
+    const account = args.account;
+    if (!("parameterName" in args)) {
+      throw new ContextProviderError("parameterName must be provided in props for SSMContextProviderPlugin");
+    }
+    const parameterName = args.parameterName;
+    await this.io.debug(`Reading SSM parameter ${account}:${region}:${parameterName}`);
+    const response = await this.getSsmParameterValue(args);
+    const parameterNotFound = !response.Parameter || response.Parameter.Value === void 0;
+    const suppressError = "ignoreErrorOnMissingContext" in args && args.ignoreErrorOnMissingContext;
+    if (parameterNotFound && suppressError && "dummyValue" in args) {
+      return args.dummyValue;
+    }
+    if (parameterNotFound) {
+      throw new ContextProviderError(`SSM parameter not available in account ${account}, region ${region}: ${parameterName}`);
+    }
+    return response.Parameter.Value;
+  }
+  /**
+   * Gets the value of an SSM Parameter, while not throwin if the parameter does not exist.
+   * @param account       the account in which the SSM Parameter is expected to be.
+   * @param region        the region in which the SSM Parameter is expected to be.
+   * @param parameterName the name of the SSM Parameter
+   * @param lookupRoleArn the ARN of the lookup role.
+   *
+   * @returns the result of the ``GetParameter`` operation.
+   *
+   * @throws Error if a service error (other than ``ParameterNotFound``) occurs.
+   */
+  async getSsmParameterValue(args) {
+    const ssm = (await initContextProviderSdk(this.aws, args)).ssm();
+    try {
+      return await ssm.getParameter({ Name: args.parameterName });
+    } catch (e) {
+      if (e.name === "ParameterNotFound") {
+        return { $metadata: {} };
+      }
+      throw e;
+    }
+  }
+};
+
+// lib/context-providers/vpcs.ts
+var import_cx_api3 = require("@aws-cdk/cx-api");
+var VpcNetworkContextProviderPlugin = class {
+  constructor(aws, io) {
+    this.aws = aws;
+    this.io = io;
+  }
+  async getValue(args) {
+    const ec2 = (await initContextProviderSdk(this.aws, args)).ec2();
+    const vpcId = await this.findVpc(ec2, args);
+    return this.readVpcProps(ec2, vpcId, args);
+  }
+  async findVpc(ec2, args) {
+    const filters = Object.entries(args.filter).map(([tag, value]) => ({ Name: tag, Values: [value] }));
+    await this.io.debug(`Listing VPCs in ${args.account}:${args.region}`);
+    const response = await ec2.describeVpcs({ Filters: filters });
+    const vpcs = response.Vpcs || [];
+    if (vpcs.length === 0) {
+      throw new ContextProviderError(`Could not find any VPCs matching ${JSON.stringify(args)}`);
+    }
+    if (vpcs.length > 1) {
+      throw new ContextProviderError(`Found ${vpcs.length} VPCs matching ${JSON.stringify(args)}; please narrow the search criteria`);
+    }
+    return vpcs[0];
+  }
+  async readVpcProps(ec2, vpc, args) {
+    const vpcId = vpc.VpcId;
+    await this.io.debug(`Describing VPC ${vpcId}`);
+    const filters = { Filters: [{ Name: "vpc-id", Values: [vpcId] }] };
+    const subnetsResponse = await ec2.describeSubnets(filters);
+    const listedSubnets = subnetsResponse.Subnets || [];
+    const routeTablesResponse = await ec2.describeRouteTables(filters);
+    const routeTables = new RouteTables(routeTablesResponse.RouteTables || []);
+    const azs = Array.from(new Set(listedSubnets.map((s) => s.AvailabilityZone)));
+    azs.sort();
+    const subnets = listedSubnets.map((subnet) => {
+      let type = getTag("aws-cdk:subnet-type", subnet.Tags);
+      if (type === void 0 && subnet.MapPublicIpOnLaunch) {
+        type = "Public" /* Public */;
+      }
+      if (type === void 0 && routeTables.hasRouteToIgw(subnet.SubnetId)) {
+        type = "Public" /* Public */;
+      }
+      if (type === void 0 && routeTables.hasRouteToNatGateway(subnet.SubnetId)) {
+        type = "Private" /* Private */;
+      }
+      if (type === void 0 && routeTables.hasRouteToTransitGateway(subnet.SubnetId)) {
+        type = "Private" /* Private */;
+      }
+      if (type === void 0) {
+        type = "Isolated" /* Isolated */;
+      }
+      if (!isValidSubnetType(type)) {
+        throw new ContextProviderError(
+          `Subnet ${subnet.SubnetArn} has invalid subnet type ${type} (must be ${"Public" /* Public */}, ${"Private" /* Private */} or ${"Isolated" /* Isolated */})`
+        );
+      }
+      if (args.subnetGroupNameTag && !getTag(args.subnetGroupNameTag, subnet.Tags)) {
+        throw new ContextProviderError(
+          `Invalid subnetGroupNameTag: Subnet ${subnet.SubnetArn} does not have an associated tag with Key='${args.subnetGroupNameTag}'`
+        );
+      }
+      const name = getTag(args.subnetGroupNameTag || "aws-cdk:subnet-name", subnet.Tags) || type;
+      const routeTableId = routeTables.routeTableIdForSubnetId(subnet.SubnetId);
+      if (!routeTableId) {
+        throw new ContextProviderError(
+          `Subnet ${subnet.SubnetArn} does not have an associated route table (and there is no "main" table)`
+        );
+      }
+      return {
+        az: subnet.AvailabilityZone,
+        cidr: subnet.CidrBlock,
+        type,
+        name,
+        subnetId: subnet.SubnetId,
+        routeTableId
+      };
+    });
+    let grouped;
+    let assymetricSubnetGroups;
+    if (args.returnAsymmetricSubnets) {
+      grouped = { azs: [], groups: [] };
+      assymetricSubnetGroups = groupAsymmetricSubnets(subnets);
+    } else {
+      grouped = groupSubnets(subnets);
+      assymetricSubnetGroups = void 0;
+    }
+    const vpnGatewayResponse = args.returnVpnGateways ?? true ? await ec2.describeVpnGateways({
+      Filters: [
+        {
+          Name: "attachment.vpc-id",
+          Values: [vpcId]
+        },
+        {
+          Name: "attachment.state",
+          Values: ["attached"]
+        },
+        {
+          Name: "state",
+          Values: ["available"]
+        }
+      ]
+    }) : void 0;
+    const vpnGatewayId = vpnGatewayResponse?.VpnGateways?.length === 1 ? vpnGatewayResponse.VpnGateways[0].VpnGatewayId : void 0;
+    return {
+      vpcId,
+      vpcCidrBlock: vpc.CidrBlock,
+      ownerAccountId: vpc.OwnerId,
+      availabilityZones: grouped.azs,
+      isolatedSubnetIds: collapse(
+        flatMap(findGroups("Isolated" /* Isolated */, grouped), (group) => group.subnets.map((s) => s.subnetId))
+      ),
+      isolatedSubnetNames: collapse(
+        flatMap(findGroups("Isolated" /* Isolated */, grouped), (group) => group.name ? [group.name] : [])
+      ),
+      isolatedSubnetRouteTableIds: collapse(
+        flatMap(findGroups("Isolated" /* Isolated */, grouped), (group) => group.subnets.map((s) => s.routeTableId))
+      ),
+      privateSubnetIds: collapse(
+        flatMap(findGroups("Private" /* Private */, grouped), (group) => group.subnets.map((s) => s.subnetId))
+      ),
+      privateSubnetNames: collapse(
+        flatMap(findGroups("Private" /* Private */, grouped), (group) => group.name ? [group.name] : [])
+      ),
+      privateSubnetRouteTableIds: collapse(
+        flatMap(findGroups("Private" /* Private */, grouped), (group) => group.subnets.map((s) => s.routeTableId))
+      ),
+      publicSubnetIds: collapse(
+        flatMap(findGroups("Public" /* Public */, grouped), (group) => group.subnets.map((s) => s.subnetId))
+      ),
+      publicSubnetNames: collapse(
+        flatMap(findGroups("Public" /* Public */, grouped), (group) => group.name ? [group.name] : [])
+      ),
+      publicSubnetRouteTableIds: collapse(
+        flatMap(findGroups("Public" /* Public */, grouped), (group) => group.subnets.map((s) => s.routeTableId))
+      ),
+      vpnGatewayId,
+      subnetGroups: assymetricSubnetGroups
+    };
+  }
+};
+var RouteTables = class {
+  constructor(tables) {
+    this.tables = tables;
+    this.mainRouteTable = this.tables.find(
+      (table) => !!table.Associations && table.Associations.some((assoc) => !!assoc.Main)
+    );
+  }
+  mainRouteTable;
+  routeTableIdForSubnetId(subnetId) {
+    const table = this.tableForSubnet(subnetId);
+    return table && table.RouteTableId || this.mainRouteTable && this.mainRouteTable.RouteTableId;
+  }
+  /**
+   * Whether the given subnet has a route to a NAT Gateway
+   */
+  hasRouteToNatGateway(subnetId) {
+    const table = this.tableForSubnet(subnetId) || this.mainRouteTable;
+    return !!table && !!table.Routes && table.Routes.some((route) => !!route.NatGatewayId && route.DestinationCidrBlock === "0.0.0.0/0");
+  }
+  /**
+   * Whether the given subnet has a route to a Transit Gateway
+   */
+  hasRouteToTransitGateway(subnetId) {
+    const table = this.tableForSubnet(subnetId) || this.mainRouteTable;
+    return !!table && !!table.Routes && table.Routes.some((route) => !!route.TransitGatewayId && route.DestinationCidrBlock === "0.0.0.0/0");
+  }
+  /**
+   * Whether the given subnet has a route to an IGW
+   */
+  hasRouteToIgw(subnetId) {
+    const table = this.tableForSubnet(subnetId) || this.mainRouteTable;
+    return !!table && !!table.Routes && table.Routes.some((route) => !!route.GatewayId && route.GatewayId.startsWith("igw-"));
+  }
+  tableForSubnet(subnetId) {
+    return this.tables.find(
+      (table) => !!table.Associations && table.Associations.some((assoc) => assoc.SubnetId === subnetId)
+    );
+  }
+};
+function getTag(name, tags) {
+  for (const tag of tags || []) {
+    if (tag.Key === name) {
+      return tag.Value;
+    }
+  }
+  return void 0;
+}
+function groupSubnets(subnets) {
+  const grouping = {};
+  for (const subnet of subnets) {
+    const key = [subnet.type, subnet.name].toString();
+    if (!(key in grouping)) {
+      grouping[key] = [];
+    }
+    grouping[key].push(subnet);
+  }
+  const groups = Object.values(grouping).map((sns) => {
+    sns.sort((a, b) => a.az.localeCompare(b.az));
+    return {
+      type: sns[0].type,
+      name: sns[0].name,
+      subnets: sns
+    };
+  });
+  const azs = groups[0].subnets.map((s) => s.az);
+  for (const group of groups) {
+    const groupAZs = group.subnets.map((s) => s.az);
+    if (!arraysEqual(groupAZs, azs)) {
+      throw new ContextProviderError(`Not all subnets in VPC have the same AZs: ${groupAZs} vs ${azs}`);
+    }
+  }
+  return { azs, groups };
+}
+function groupAsymmetricSubnets(subnets) {
+  const grouping = {};
+  for (const subnet of subnets) {
+    const key = [subnet.type, subnet.name].toString();
+    if (!(key in grouping)) {
+      grouping[key] = [];
+    }
+    grouping[key].push(subnet);
+  }
+  return Object.values(grouping).map((subnetArray) => {
+    subnetArray.sort((subnet1, subnet2) => subnet1.az.localeCompare(subnet2.az));
+    return {
+      name: subnetArray[0].name,
+      type: subnetTypeToVpcSubnetType(subnetArray[0].type),
+      subnets: subnetArray.map((subnet) => ({
+        subnetId: subnet.subnetId,
+        cidr: subnet.cidr,
+        availabilityZone: subnet.az,
+        routeTableId: subnet.routeTableId
+      }))
+    };
+  });
+}
+function subnetTypeToVpcSubnetType(type) {
+  switch (type) {
+    case "Isolated" /* Isolated */:
+      return import_cx_api3.VpcSubnetGroupType.ISOLATED;
+    case "Private" /* Private */:
+      return import_cx_api3.VpcSubnetGroupType.PRIVATE;
+    case "Public" /* Public */:
+      return import_cx_api3.VpcSubnetGroupType.PUBLIC;
+  }
+}
+function isValidSubnetType(val) {
+  return val === "Public" /* Public */ || val === "Private" /* Private */ || val === "Isolated" /* Isolated */;
+}
+function arraysEqual(as, bs) {
+  if (as.length !== bs.length) {
+    return false;
+  }
+  for (let i = 0; i < as.length; i++) {
+    if (as[i] !== bs[i]) {
+      return false;
+    }
+  }
+  return true;
+}
+function findGroups(type, groups) {
+  return groups.groups.filter((g) => g.type === type);
+}
+function flatMap(xs, fn) {
+  const ret = new Array();
+  for (const x of xs) {
+    ret.push(...fn(x));
+  }
+  return ret;
+}
+function collapse(xs) {
+  if (xs.length > 0) {
+    return xs;
+  }
+  return void 0;
+}
+
+// lib/api/settings.ts
+var fs5 = __toESM(require("fs-extra"));
+
+// lib/api/notices.ts
+var path4 = __toESM(require("path"));
+var fs7 = __toESM(require("fs-extra"));
+var semver2 = __toESM(require("semver"));
+
+// lib/api/tree.ts
+var fs6 = __toESM(require("fs-extra"));
+
+// lib/api/notices.ts
+var CACHE_FILE_PATH = path4.join(cdkCacheDir(), "notices.json");
+var TIME_TO_LIVE_SUCCESS = 60 * 60 * 1e3;
+var TIME_TO_LIVE_ERROR = 1 * 60 * 1e3;
+
+// lib/api/toolkit-info.ts
+var chalk4 = __toESM(require("chalk"));
+
+// lib/api/deployments/cfn-api.ts
+var cxapi = __toESM(require("@aws-cdk/cx-api"));
+var import_cx_api5 = require("@aws-cdk/cx-api");
+var import_client_cloudformation3 = require("@aws-sdk/client-cloudformation");
+var import_cdk_assets2 = require("cdk-assets");
+
+// lib/api/deployments/asset-manifest-builder.ts
+var cxschema = __toESM(require("@aws-cdk/cloud-assembly-schema"));
+var import_cdk_assets = require("cdk-assets");
+
+// lib/api/cloudformation/template-body-parameter.ts
+var import_cx_api4 = require("@aws-cdk/cx-api");
+var import_client_s32 = require("@aws-sdk/client-s3");
+var import_middleware_endpoint2 = require("@smithy/middleware-endpoint");
+var chalk3 = __toESM(require("chalk"));
+
+// lib/api/cloudformation/nested-stack-helpers.ts
+var fs8 = __toESM(require("fs-extra"));
+
+// lib/api/stack-events/stack-activity-monitor.ts
+var uuid = __toESM(require("uuid"));
+
+// lib/api/stack-events/stack-status.ts
+var import_client_cloudformation2 = require("@aws-sdk/client-cloudformation");
+
+// lib/api/environment/placeholders.ts
+var import_cx_api6 = require("@aws-cdk/cx-api");
+
+// lib/context-providers/index.ts
+var availableContextProviders = {
+  [cxschema2.ContextProvider.AVAILABILITY_ZONE_PROVIDER]: (s, io) => new AZContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.SSM_PARAMETER_PROVIDER]: (s, io) => new SSMContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.HOSTED_ZONE_PROVIDER]: (s, io) => new HostedZoneContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.VPC_PROVIDER]: (s, io) => new VpcNetworkContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.AMI_PROVIDER]: (s, io) => new AmiContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.ENDPOINT_SERVICE_AVAILABILITY_ZONE_PROVIDER]: (s, io) => new EndpointServiceAZContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.SECURITY_GROUP_PROVIDER]: (s) => new SecurityGroupContextProviderPlugin(s),
+  [cxschema2.ContextProvider.LOAD_BALANCER_PROVIDER]: (s) => new LoadBalancerContextProviderPlugin(s),
+  [cxschema2.ContextProvider.LOAD_BALANCER_LISTENER_PROVIDER]: (s) => new LoadBalancerListenerContextProviderPlugin(s),
+  [cxschema2.ContextProvider.KEY_PROVIDER]: (s, io) => new KeyContextProviderPlugin(s, io),
+  [cxschema2.ContextProvider.CC_API_PROVIDER]: (s) => new CcApiContextProviderPlugin(s)
+};
+
+// lib/api/cloud-assembly/private/stack-assembly.ts
+var import_semver = require("semver");
+
+// lib/api/cloud-assembly/stack-assembly.ts
+var chalk5 = __toESM(require("chalk"));
+var import_minimatch = require("minimatch");
+
+// lib/api/cloud-assembly/stack-collection.ts
+var import_cx_api7 = require("@aws-cdk/cx-api");
+
+// lib/api/cloud-assembly/private/exec.ts
+var split = require("split2");
+
+// lib/api/cloud-assembly/private/prepare-source.ts
+var cxschema3 = __toESM(require("@aws-cdk/cloud-assembly-schema"));
+var cxapi4 = __toESM(require("@aws-cdk/cx-api"));
+var fs10 = __toESM(require("fs-extra"));
+var import_semver2 = require("semver");
+
+// lib/api/cloud-assembly/environment.ts
+var cxapi3 = __toESM(require("@aws-cdk/cx-api"));
+var fs9 = __toESM(require("fs-extra"));
+
+// lib/api/cloud-assembly/private/source-builder.ts
+var cxapi5 = __toESM(require("@aws-cdk/cx-api"));
+var fs11 = __toESM(require("fs-extra"));
+
+// lib/api/cloud-assembly/private/stack-selectors.ts
+var ALL_STACKS = {
+  strategy: "all-stacks" /* ALL_STACKS */
+};
+
+// lib/api/io/private/span.ts
+var util = __toESM(require("node:util"));
+var uuid2 = __toESM(require("uuid"));
 var SpanMaker = class {
   definition;
   ioHelper;
@@ -246,7 +2407,7 @@ var SpanMaker = class {
     this.ioHelper = ioHelper;
   }
   async begin(a, b) {
-    const spanId = uuid.v4();
+    const spanId = uuid2.v4();
     const startTime = (/* @__PURE__ */ new Date()).getTime();
     const notify = (msg) => {
       return this.ioHelper.notify(withSpanId(spanId, msg));
@@ -314,7 +2475,7 @@ function withSpanId(span, message2) {
   };
 }
 
-// ../tmp-toolkit-helpers/src/api/io/private/io-helper.ts
+// lib/api/io/private/io-helper.ts
 var IoHelper = class _IoHelper {
   static fromIoHost(ioHost, action) {
     return new _IoHelper(ioHost, action);
@@ -351,7 +2512,7 @@ var IoHelper = class _IoHelper {
   }
 };
 
-// ../tmp-toolkit-helpers/src/api/io/private/level-priority.ts
+// lib/api/io/private/level-priority.ts
 var levels = [
   "trace",
   "debug",
@@ -362,7 +2523,7 @@ var levels = [
 ];
 var orderedLevels = Object.fromEntries(Object.entries(levels).map((a) => a.reverse()));
 
-// ../tmp-toolkit-helpers/src/api/io/private/message-maker.ts
+// lib/api/io/private/message-maker.ts
 function message(level, details) {
   const maker = (text, data) => ({
     time: /* @__PURE__ */ new Date(),
@@ -404,7 +2565,7 @@ var confirm = (details) => request("info", {
   defaultResponse: true
 });
 
-// ../tmp-toolkit-helpers/src/api/io/private/messages.ts
+// lib/api/io/private/messages.ts
 var IO = {
   // Defaults (0000)
   DEFAULT_TOOLKIT_INFO: info({
@@ -925,7 +3086,7 @@ var SPAN = {
   }
 };
 
-// ../tmp-toolkit-helpers/src/api/io/private/io-default-messages.ts
+// lib/api/io/private/io-default-messages.ts
 var util2 = __toESM(require("util"));
 var IoDefaultMessages = class {
   constructor(ioHelper) {
@@ -971,7 +3132,7 @@ var IoDefaultMessages = class {
   }
 };
 
-// ../tmp-toolkit-helpers/src/api/plugin/plugin.ts
+// lib/api/plugin/plugin.ts
 var PluginHost = class {
   /**
    * Access the currently registered CredentialProviderSources. New sources can
@@ -1069,13 +3230,13 @@ var PluginHost = class {
    */
   registerContextProviderAlpha(pluginProviderName, provider) {
     if (!isContextProviderPlugin(provider)) {
-      throw new ToolkitError(`Object you gave me does not look like a ContextProviderPlugin: ${(0, import_util2.inspect)(provider)}`);
+      throw new ToolkitError(`Object you gave me does not look like a ContextProviderPlugin: ${(0, import_util27.inspect)(provider)}`);
     }
     this.contextProviderPlugins[pluginProviderName] = provider;
   }
 };
 
-// ../tmp-toolkit-helpers/src/payloads/diff.ts
+// lib/payloads/diff.ts
 var PermissionChangeType = /* @__PURE__ */ ((PermissionChangeType2) => {
   PermissionChangeType2["NONE"] = "none";
   PermissionChangeType2["BROADENING"] = "broadening";
@@ -1083,7 +3244,7 @@ var PermissionChangeType = /* @__PURE__ */ ((PermissionChangeType2) => {
   return PermissionChangeType2;
 })(PermissionChangeType || {});
 
-// ../tmp-toolkit-helpers/src/payloads/hotswap.ts
+// lib/payloads/hotswap.ts
 var NonHotswappableReason = /* @__PURE__ */ ((NonHotswappableReason2) => {
   NonHotswappableReason2["TAGS"] = "tags";
   NonHotswappableReason2["PROPERTIES"] = "properties";
@@ -1100,6 +3261,7 @@ var NonHotswappableReason = /* @__PURE__ */ ((NonHotswappableReason2) => {
 0 && (module.exports = {
   AssemblyError,
   AuthenticationError,
+  ContextProviderError,
   ExpandStackSelection,
   NonHotswappableReason,
   PermissionChangeType,