@devramps/cli 0.1.0

package/dist/index.js

@@ -0,0 +1,2563 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { program } from "commander";
+
+// src/commands/bootstrap.ts
+import ora from "ora";
+
+// src/aws/credentials.ts
+import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
+
+// src/utils/errors.ts
+var DevRampsError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DevRampsError";
+  }
+};
+var NoDevrampsFolderError = class extends DevRampsError {
+  constructor() {
+    super(
+      "Could not find .devramps folder in current directory. Please run this command from the root of your project."
+    );
+    this.name = "NoDevrampsFolderError";
+  }
+};
+var NoCredentialsError = class extends DevRampsError {
+  constructor() {
+    super(
+      "No AWS credentials found. Please configure AWS credentials using `aws configure` or set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables."
+    );
+    this.name = "NoCredentialsError";
+  }
+};
+var RoleAssumptionError = class extends DevRampsError {
+  targetAccountId;
+  sourceAccountId;
+  roleName;
+  constructor(targetAccountId, roleName, sourceAccountId) {
+    super(
+      `Cannot bootstrap account ${targetAccountId}. Your current credentials (account ${sourceAccountId}) cannot assume role '${roleName}' in the target account. Please ensure the target account has a trust policy allowing your account to assume this role, or use --target-account-role-name to specify a different role.`
+    );
+    this.name = "RoleAssumptionError";
+    this.targetAccountId = targetAccountId;
+    this.sourceAccountId = sourceAccountId;
+    this.roleName = roleName;
+  }
+};
+var PipelineParseError = class extends DevRampsError {
+  pipelineSlug;
+  constructor(pipelineSlug, cause) {
+    super(`Failed to parse pipeline.yaml in .devramps/${pipelineSlug}/: ${cause}`);
+    this.name = "PipelineParseError";
+    this.pipelineSlug = pipelineSlug;
+  }
+};
+var AuthenticationError = class extends DevRampsError {
+  constructor(message) {
+    super(`Authentication failed: ${message}`);
+    this.name = "AuthenticationError";
+  }
+};
+var CloudFormationError = class extends DevRampsError {
+  stackName;
+  accountId;
+  constructor(stackName, accountId, cause) {
+    super(`Failed to deploy stack '${stackName}' in account ${accountId}: ${cause}`);
+    this.name = "CloudFormationError";
+    this.stackName = stackName;
+    this.accountId = accountId;
+  }
+};
+
+// src/utils/logger.ts
+import chalk from "chalk";
+var verboseMode = false;
+function setVerbose(enabled) {
+  verboseMode = enabled;
+}
+function isVerbose() {
+  return verboseMode;
+}
+function info(message) {
+  console.log(chalk.blue("\u2139"), message);
+}
+function success(message) {
+  console.log(chalk.green("\u2714"), message);
+}
+function warn(message) {
+  console.log(chalk.yellow("\u26A0"), message);
+}
+function error(message) {
+  console.error(chalk.red("\u2716"), message);
+}
+function verbose(message) {
+  if (verboseMode) {
+    console.log(chalk.gray("  \u2192"), chalk.gray(message));
+  }
+}
+function header(message) {
+  console.log();
+  console.log(chalk.bold.underline(message));
+  console.log();
+}
+function table(rows) {
+  if (rows.length === 0) return;
+  const colWidths = rows[0].map(
+    (_, colIndex) => Math.max(...rows.map((row) => (row[colIndex] || "").length))
+  );
+  const separator = "\u2500";
+  const corner = "\u253C";
+  const vertical = "\u2502";
+  const formatRow = (row, isHeader = false) => {
+    const cells = row.map((cell, i) => ` ${cell.padEnd(colWidths[i])} `);
+    const line = vertical + cells.join(vertical) + vertical;
+    return isHeader ? chalk.bold(line) : line;
+  };
+  const horizontalLine = (char) => {
+    const segments = colWidths.map((w) => char.repeat(w + 2));
+    return char === "\u2500" ? "\u251C" + segments.join(corner) + "\u2524" : "\u250C" + segments.join("\u252C") + "\u2510";
+  };
+  const bottomLine = () => {
+    const segments = colWidths.map((w) => separator.repeat(w + 2));
+    return "\u2514" + segments.join("\u2534") + "\u2518";
+  };
+  console.log(horizontalLine("\u2500").replace("\u251C", "\u250C").replace("\u2524", "\u2510").replace(/┼/g, "\u252C"));
+  console.log(formatRow(rows[0], true));
+  console.log(horizontalLine("\u2500"));
+  for (let i = 1; i < rows.length; i++) {
+    console.log(formatRow(rows[i]));
+  }
+  console.log(bottomLine());
+}
+function newline() {
+  console.log();
+}
+
+// src/aws/credentials.ts
+var DEFAULT_REGION = "us-east-1";
+async function getCurrentIdentity() {
+  const client = new STSClient({ region: DEFAULT_REGION });
+  try {
+    verbose("Checking AWS credentials...");
+    const response = await client.send(new GetCallerIdentityCommand({}));
+    if (!response.Account || !response.Arn || !response.UserId) {
+      throw new NoCredentialsError();
+    }
+    verbose(`Authenticated as: ${response.Arn}`);
+    verbose(`Account ID: ${response.Account}`);
+    return {
+      accountId: response.Account,
+      arn: response.Arn,
+      userId: response.UserId
+    };
+  } catch (error2) {
+    if (error2 instanceof NoCredentialsError) {
+      throw error2;
+    }
+    const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+    if (errorMessage.includes("Could not load credentials") || errorMessage.includes("Missing credentials") || errorMessage.includes("ExpiredToken") || errorMessage.includes("InvalidClientTokenId")) {
+      throw new NoCredentialsError();
+    }
+    throw error2;
+  }
+}
+
+// src/aws/assume-role.ts
+import { STSClient as STSClient2, AssumeRoleCommand } from "@aws-sdk/client-sts";
+
+// src/types/config.ts
+var DEFAULT_TARGET_ROLE = "OrganizationAccountAccessRole";
+var FALLBACK_TARGET_ROLE = "AWSControlTowerExecution";
+var OIDC_PROVIDER_URL = "devramps.com";
+
+// src/aws/assume-role.ts
+async function assumeRoleForAccount(options) {
+  const { targetAccountId, currentAccountId, targetRoleName } = options;
+  if (targetAccountId === currentAccountId) {
+    verbose(`Target account ${targetAccountId} is the current account, using current credentials`);
+    return null;
+  }
+  const rolesToTry = targetRoleName ? [targetRoleName] : [DEFAULT_TARGET_ROLE, FALLBACK_TARGET_ROLE];
+  let lastError;
+  for (const roleName of rolesToTry) {
+    const roleArn = `arn:aws:iam::${targetAccountId}:role/${roleName}`;
+    try {
+      verbose(`Attempting to assume role: ${roleArn}`);
+      const credentials = await assumeRole(roleArn);
+      verbose(`Successfully assumed role: ${roleName}`);
+      return {
+        credentials,
+        accountId: targetAccountId,
+        roleArn
+      };
+    } catch (error2) {
+      verbose(`Failed to assume role ${roleName}: ${error2 instanceof Error ? error2.message : String(error2)}`);
+      lastError = error2 instanceof Error ? error2 : new Error(String(error2));
+      if (targetRoleName) {
+        break;
+      }
+    }
+  }
+  const attemptedRole = targetRoleName || `${DEFAULT_TARGET_ROLE} or ${FALLBACK_TARGET_ROLE}`;
+  throw new RoleAssumptionError(targetAccountId, attemptedRole, currentAccountId);
+}
+var DEFAULT_REGION2 = "us-east-1";
+async function assumeRole(roleArn) {
+  const client = new STSClient2({ region: DEFAULT_REGION2 });
+  const response = await client.send(
+    new AssumeRoleCommand({
+      RoleArn: roleArn,
+      RoleSessionName: "DevRampsBootstrap",
+      DurationSeconds: 3600
+      // 1 hour
+    })
+  );
+  if (!response.Credentials) {
+    throw new Error("AssumeRole returned no credentials");
+  }
+  const { AccessKeyId, SecretAccessKey, SessionToken, Expiration } = response.Credentials;
+  if (!AccessKeyId || !SecretAccessKey) {
+    throw new Error("AssumeRole returned incomplete credentials");
+  }
+  return {
+    accessKeyId: AccessKeyId,
+    secretAccessKey: SecretAccessKey,
+    sessionToken: SessionToken,
+    expiration: Expiration
+  };
+}
+
+// src/aws/cloudformation.ts
+import {
+  CloudFormationClient,
+  DescribeStacksCommand,
+  DescribeStackResourcesCommand,
+  CreateStackCommand,
+  UpdateStackCommand,
+  CreateChangeSetCommand,
+  DescribeChangeSetCommand,
+  DeleteChangeSetCommand,
+  waitUntilStackCreateComplete,
+  waitUntilStackUpdateComplete,
+  waitUntilChangeSetCreateComplete,
+  ChangeSetType
+} from "@aws-sdk/client-cloudformation";
+async function getStackStatus(stackName, credentials, region) {
+  const client = new CloudFormationClient({
+    credentials,
+    region
+  });
+  try {
+    const response = await client.send(
+      new DescribeStacksCommand({ StackName: stackName })
+    );
+    const stack = response.Stacks?.[0];
+    if (!stack) {
+      return { exists: false };
+    }
+    return {
+      exists: true,
+      status: stack.StackStatus,
+      stackId: stack.StackId
+    };
+  } catch (error2) {
+    const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+    if (errorMessage.includes("does not exist")) {
+      return { exists: false };
+    }
+    throw error2;
+  }
+}
+async function previewStackChanges(options) {
+  const { stackName, template, region, credentials } = options;
+  const client = new CloudFormationClient({
+    credentials,
+    region
+  });
+  const templateBody = JSON.stringify(template);
+  const stackStatus = await getStackStatus(stackName, credentials, region);
+  const changeSetName = `devramps-preview-${Date.now()}`;
+  try {
+    await client.send(
+      new CreateChangeSetCommand({
+        StackName: stackName,
+        ChangeSetName: changeSetName,
+        TemplateBody: templateBody,
+        Capabilities: ["CAPABILITY_NAMED_IAM"],
+        ChangeSetType: stackStatus.exists ? ChangeSetType.UPDATE : ChangeSetType.CREATE
+      })
+    );
+    await waitUntilChangeSetCreateComplete(
+      { client, maxWaitTime: 120 },
+      { StackName: stackName, ChangeSetName: changeSetName }
+    );
+    const changeSetResponse = await client.send(
+      new DescribeChangeSetCommand({
+        StackName: stackName,
+        ChangeSetName: changeSetName
+      })
+    );
+    logStackChanges(stackName, changeSetResponse.Changes || [], stackStatus.exists);
+    await client.send(
+      new DeleteChangeSetCommand({
+        StackName: stackName,
+        ChangeSetName: changeSetName
+      })
+    );
+  } catch (error2) {
+    const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+    if (errorMessage.includes("No updates are to be performed") || errorMessage.includes("didn't contain changes")) {
+      verbose(`  Stack ${stackName}: No changes`);
+      return;
+    }
+    try {
+      await client.send(
+        new DeleteChangeSetCommand({
+          StackName: stackName,
+          ChangeSetName: changeSetName
+        })
+      );
+    } catch {
+    }
+    verbose(`  Could not preview changes for ${stackName}: ${errorMessage}`);
+  }
+}
+function logStackChanges(stackName, changes, isUpdate) {
+  if (changes.length === 0) {
+    verbose(`  Stack ${stackName}: No changes`);
+    return;
+  }
+  const action = isUpdate ? "update" : "create";
+  info(`  Stack ${stackName} will ${action} ${changes.length} resource(s):`);
+  for (const change of changes) {
+    const resourceChange = change.ResourceChange;
+    if (!resourceChange) continue;
+    const actionSymbol = getActionSymbol(resourceChange.Action);
+    const resourceType = resourceChange.ResourceType || "Unknown";
+    const logicalId = resourceChange.LogicalResourceId || "Unknown";
+    const replacement = resourceChange.Replacement === "True" ? " (REPLACEMENT)" : "";
+    info(`    ${actionSymbol} ${resourceType} ${logicalId}${replacement}`);
+  }
+}
+function getActionSymbol(action) {
+  switch (action) {
+    case "Add":
+      return "+";
+    case "Modify":
+      return "~";
+    case "Remove":
+      return "-";
+    case "Import":
+      return ">";
+    case "Dynamic":
+      return "?";
+    default:
+      return " ";
+  }
+}
+async function deployStack(options) {
+  const { stackName, template, accountId, region, credentials } = options;
+  const client = new CloudFormationClient({
+    credentials,
+    region
+  });
+  const templateBody = JSON.stringify(template);
+  try {
+    const stackStatus = await getStackStatus(stackName, credentials, region);
+    if (stackStatus.exists) {
+      verbose(`Stack ${stackName} exists, updating...`);
+      await updateStack(client, stackName, templateBody, accountId);
+    } else {
+      verbose(`Stack ${stackName} does not exist, creating...`);
+      await createStack(client, stackName, templateBody, accountId);
+    }
+  } catch (error2) {
+    const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+    if (errorMessage.includes("No updates are to be performed")) {
+      verbose(`Stack ${stackName} is already up to date`);
+      return;
+    }
+    throw new CloudFormationError(stackName, accountId, errorMessage);
+  }
+}
+async function createStack(client, stackName, templateBody, accountId) {
+  await client.send(
+    new CreateStackCommand({
+      StackName: stackName,
+      TemplateBody: templateBody,
+      Capabilities: ["CAPABILITY_NAMED_IAM"],
+      Tags: [
+        { Key: "CreatedBy", Value: "DevRamps" },
+        { Key: "ManagedBy", Value: "DevRamps-CLI" }
+      ]
+    })
+  );
+  verbose(`Waiting for stack ${stackName} to be created...`);
+  await waitUntilStackCreateComplete(
+    { client, maxWaitTime: 600 },
+    { StackName: stackName }
+  );
+  success(`Stack ${stackName} created successfully in account ${accountId}`);
+}
+async function updateStack(client, stackName, templateBody, accountId) {
+  await client.send(
+    new UpdateStackCommand({
+      StackName: stackName,
+      TemplateBody: templateBody,
+      Capabilities: ["CAPABILITY_NAMED_IAM"]
+    })
+  );
+  verbose(`Waiting for stack ${stackName} to be updated...`);
+  await waitUntilStackUpdateComplete(
+    { client, maxWaitTime: 600 },
+    { StackName: stackName }
+  );
+  success(`Stack ${stackName} updated successfully in account ${accountId}`);
+}
+async function readExistingStack(stackName, accountId, region, credentials) {
+  const client = new CloudFormationClient({
+    credentials,
+    region
+  });
+  try {
+    const stacksResponse = await client.send(
+      new DescribeStacksCommand({ StackName: stackName })
+    );
+    const stack = stacksResponse.Stacks?.[0];
+    if (!stack) {
+      return null;
+    }
+    const resourcesResponse = await client.send(
+      new DescribeStackResourcesCommand({ StackName: stackName })
+    );
+    const outputs = {};
+    if (stack.Outputs) {
+      for (const output of stack.Outputs) {
+        if (output.OutputKey && output.OutputValue) {
+          outputs[output.OutputKey] = output.OutputValue;
+        }
+      }
+    }
+    const resources = {};
+    if (resourcesResponse.StackResources) {
+      for (const resource of resourcesResponse.StackResources) {
+        if (resource.LogicalResourceId) {
+          resources[resource.LogicalResourceId] = {
+            type: resource.ResourceType,
+            physicalId: resource.PhysicalResourceId,
+            status: resource.ResourceStatus
+          };
+        }
+      }
+    }
+    return {
+      stackName,
+      accountId,
+      region,
+      resources,
+      outputs
+    };
+  } catch (error2) {
+    const errorMessage = error2 instanceof Error ? error2.message : String(error2);
+    if (errorMessage.includes("does not exist")) {
+      return null;
+    }
+    verbose(`Could not read stack ${stackName}: ${errorMessage}`);
+    return null;
+  }
+}
+
+// src/aws/oidc-provider.ts
+import {
+  IAMClient,
+  GetOpenIDConnectProviderCommand,
+  ListOpenIDConnectProvidersCommand
+} from "@aws-sdk/client-iam";
+async function checkOidcProviderExists(credentials, region) {
+  const client = new IAMClient({
+    credentials,
+    region
+  });
+  try {
+    const response = await client.send(new ListOpenIDConnectProvidersCommand({}));
+    const providers = response.OpenIDConnectProviderList || [];
+    for (const provider of providers) {
+      if (!provider.Arn) continue;
+      try {
+        const providerDetails = await client.send(
+          new GetOpenIDConnectProviderCommand({
+            OpenIDConnectProviderArn: provider.Arn
+          })
+        );
+        if (providerDetails.Url?.includes(OIDC_PROVIDER_URL)) {
+          verbose(`Found existing OIDC provider: ${provider.Arn}`);
+          return {
+            exists: true,
+            arn: provider.Arn
+          };
+        }
+      } catch {
+      }
+    }
+    verbose(`No existing OIDC provider found for ${OIDC_PROVIDER_URL}`);
+    return { exists: false };
+  } catch (error2) {
+    verbose(`Error checking OIDC providers: ${error2 instanceof Error ? error2.message : String(error2)}`);
+    return { exists: false };
+  }
+}
+function getOidcThumbprint() {
+  return "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+}
+
+// src/auth/browser-auth.ts
+import express from "express";
+import open from "open";
+import { createServer } from "http";
+
+// src/utils/validation.ts
+var AWS_ACCOUNT_ID_REGEX = /^\d{12}$/;
+var AWS_REGION_REGEX = /^[a-z]{2}-[a-z]+-\d$/;
+var VALID_AWS_REGIONS = /* @__PURE__ */ new Set([
+  // US regions
+  "us-east-1",
+  "us-east-2",
+  "us-west-1",
+  "us-west-2",
+  // EU regions
+  "eu-west-1",
+  "eu-west-2",
+  "eu-west-3",
+  "eu-central-1",
+  "eu-central-2",
+  "eu-north-1",
+  "eu-south-1",
+  "eu-south-2",
+  // Asia Pacific regions
+  "ap-east-1",
+  "ap-south-1",
+  "ap-south-2",
+  "ap-northeast-1",
+  "ap-northeast-2",
+  "ap-northeast-3",
+  "ap-southeast-1",
+  "ap-southeast-2",
+  "ap-southeast-3",
+  "ap-southeast-4",
+  // South America
+  "sa-east-1",
+  // Middle East
+  "me-south-1",
+  "me-central-1",
+  // Africa
+  "af-south-1",
+  // Canada
+  "ca-central-1",
+  "ca-west-1",
+  // China (special)
+  "cn-north-1",
+  "cn-northwest-1",
+  // GovCloud
+  "us-gov-east-1",
+  "us-gov-west-1",
+  // Israel
+  "il-central-1"
+]);
+function isValidAwsAccountId(accountId) {
+  return AWS_ACCOUNT_ID_REGEX.test(accountId);
+}
+function isValidAwsRegion(region) {
+  return AWS_REGION_REGEX.test(region) || VALID_AWS_REGIONS.has(region);
+}
+
+// src/auth/pkce.ts
+import { randomBytes, createHash } from "crypto";
+var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function generateCodeVerifier() {
+  const length = 128;
+  const bytes = randomBytes(length);
+  let verifier = "";
+  for (let i = 0; i < length; i++) {
+    verifier += UNRESERVED_CHARS[bytes[i] % UNRESERVED_CHARS.length];
+  }
+  return verifier;
+}
+function generateCodeChallenge(verifier) {
+  const hash = createHash("sha256").update(verifier).digest();
+  return hash.toString("base64url");
+}
+function generateState() {
+  return randomBytes(24).toString("base64url");
+}
+
+// src/auth/browser-auth.ts
+var DEFAULT_AUTH_BASE_URL = "https://devramps.com";
+var AUTHORIZE_PATH = "/oauth/authorize";
+var TOKEN_PATH = "/oauth/token";
+var CLI_CLIENT_ID = "devramps-cli";
+var AUTH_TIMEOUT_MS = 3e5;
+async function authenticateViaBrowser(options = {}) {
+  const baseUrl = options.endpointOverride || DEFAULT_AUTH_BASE_URL;
+  info("Opening browser for authentication...");
+  if (options.endpointOverride) {
+    warn(`Using endpoint override: ${options.endpointOverride}`);
+  }
+  verbose("Starting local callback server...");
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = generateCodeChallenge(codeVerifier);
+  const state = generateState();
+  verbose("Generated PKCE code_challenge and state");
+  const { server, port, callbackPromise } = await startCallbackServer(state);
+  try {
+    const redirectUri = `http://localhost:${port}`;
+    const authParams = new URLSearchParams({
+      response_type: "code",
+      client_id: CLI_CLIENT_ID,
+      redirect_uri: redirectUri,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      state
+    });
+    const authUrl = `${baseUrl}${AUTHORIZE_PATH}?${authParams.toString()}`;
+    verbose(`Auth URL: ${authUrl}`);
+    verbose(`Redirect URI: ${redirectUri}`);
+    await open(authUrl);
+    info("Waiting for authentication...");
+    verbose("Complete the authentication in your browser.");
+    const callbackResult = await Promise.race([
+      callbackPromise,
+      timeout(AUTH_TIMEOUT_MS)
+    ]);
+    if (!callbackResult) {
+      throw new AuthenticationError("Authentication timed out. Please try again.");
+    }
+    if (callbackResult.error) {
+      const errorMsg = callbackResult.errorDescription || callbackResult.error;
+      throw new AuthenticationError(errorMsg);
+    }
+    if (!callbackResult.code) {
+      throw new AuthenticationError("No authorization code received. Please try again.");
+    }
+    if (callbackResult.state !== state) {
+      throw new AuthenticationError("State mismatch - possible CSRF attack. Please try again.");
+    }
+    verbose("Received authorization code, exchanging for access token...");
+    const tokenResponse = await exchangeCodeForToken({
+      baseUrl,
+      code: callbackResult.code,
+      redirectUri,
+      codeVerifier
+    });
+    if (!tokenResponse.organization_id) {
+      throw new AuthenticationError("No organization ID in token response. Please try again.");
+    }
+    verbose("Fetching organization details...");
+    const orgResponse = await fetchOrganization({
+      baseUrl,
+      accessToken: tokenResponse.access_token,
+      organizationId: tokenResponse.organization_id
+    });
+    const awsConfig = await fetchAwsConfiguration({
+      baseUrl,
+      accessToken: tokenResponse.access_token,
+      organizationId: tokenResponse.organization_id
+    });
+    const cicdAccountId = awsConfig.cicdAccountId || awsConfig.cicdAccount?.accountId;
+    if (!cicdAccountId) {
+      throw new AuthenticationError("No CI/CD account configured for this organization. Please configure one in the DevRamps dashboard.");
+    }
+    if (!isValidAwsAccountId(cicdAccountId)) {
+      throw new AuthenticationError("Invalid CI/CD account ID format.");
+    }
+    if (!awsConfig.defaultRegion || !isValidAwsRegion(awsConfig.defaultRegion)) {
+      throw new AuthenticationError("Invalid or missing default AWS region.");
+    }
+    success(`Authenticated with organization: ${orgResponse.slug}`);
+    verbose(`CI/CD Account: ${cicdAccountId}, Region: ${awsConfig.defaultRegion}`);
+    return {
+      orgSlug: orgResponse.slug,
+      cicdAccountId,
+      cicdRegion: awsConfig.defaultRegion
+    };
+  } finally {
+    await closeServer(server);
+  }
+}
+async function exchangeCodeForToken(params) {
+  const tokenUrl = `${params.baseUrl}${TOKEN_PATH}`;
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    client_id: CLI_CLIENT_ID,
+    code: params.code,
+    redirect_uri: params.redirectUri,
+    code_verifier: params.codeVerifier
+  });
+  verbose(`Token exchange URL: ${tokenUrl}`);
+  const response = await fetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    let errorMessage = `Token exchange failed with status ${response.status}`;
+    try {
+      const errorBody = await response.json();
+      if (errorBody.error_description) {
+        errorMessage = errorBody.error_description;
+      } else if (errorBody.error) {
+        errorMessage = `Token exchange failed: ${errorBody.error}`;
+      }
+    } catch {
+    }
+    throw new AuthenticationError(errorMessage);
+  }
+  const tokenResponse = await response.json();
+  if (!tokenResponse.access_token) {
+    throw new AuthenticationError("No access token in response");
+  }
+  verbose(`Token response: organization_id=${tokenResponse.organization_id}, scope=${tokenResponse.scope}, expires_in=${tokenResponse.expires_in}`);
+  return tokenResponse;
+}
+async function fetchOrganization(params) {
+  const url = `${params.baseUrl}/api/v1/organizations/${params.organizationId}`;
+  verbose(`Fetching organization: GET ${url}`);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${params.accessToken}`,
+      Accept: "application/json"
+    }
+  });
+  verbose(`Organization response status: ${response.status}`);
+  if (!response.ok) {
+    const errorText = await response.text();
+    verbose(`Organization error response: ${errorText}`);
+    throw new AuthenticationError(`Failed to fetch organization: ${response.status}`);
+  }
+  const data = await response.json();
+  verbose(`Organization data: id=${data.id}, name=${data.name}, slug=${data.slug}`);
+  return data;
+}
+async function fetchAwsConfiguration(params) {
+  const url = `${params.baseUrl}/api/v1/organizations/${params.organizationId}/aws/configuration`;
+  verbose(`Fetching AWS configuration: GET ${url}`);
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      Authorization: `Bearer ${params.accessToken}`,
+      Accept: "application/json"
+    }
+  });
+  verbose(`AWS configuration response status: ${response.status}`);
+  if (!response.ok) {
+    const errorText = await response.text();
+    verbose(`AWS configuration error response: ${errorText}`);
+    throw new AuthenticationError(`Failed to fetch AWS configuration: ${response.status}`);
+  }
+  const data = await response.json();
+  verbose(`AWS configuration data: defaultRegion=${data.defaultRegion}, cicdAccountId=${data.cicdAccountId}, cicdAccount=${JSON.stringify(data.cicdAccount)}`);
+  return data;
+}
+async function startCallbackServer(expectedState) {
+  const app = express();
+  let resolveCallback;
+  const callbackPromise = new Promise((resolve) => {
+    resolveCallback = resolve;
+  });
+  app.get("/", (req, res) => {
+    const { code, state, error: error2, error_description } = req.query;
+    if (error2) {
+      res.send(errorPage(String(error_description || error2)));
+      resolveCallback({
+        error: String(error2),
+        errorDescription: error_description ? String(error_description) : void 0
+      });
+      return;
+    }
+    if (!state || state !== expectedState) {
+      res.send(errorPage("Invalid state parameter - possible CSRF attack"));
+      resolveCallback({ error: "state_mismatch" });
+      return;
+    }
+    if (!code || typeof code !== "string") {
+      res.send(errorPage("No authorization code received"));
+      resolveCallback({ error: "missing_code" });
+      return;
+    }
+    res.send(successPage());
+    resolveCallback({
+      code,
+      state: String(state)
+    });
+  });
+  return new Promise((resolve, reject) => {
+    const server = createServer(app);
+    server.listen(0, "127.0.0.1", () => {
+      const address = server.address();
+      if (!address || typeof address === "string") {
+        reject(new Error("Failed to get server address"));
+        return;
+      }
+      const port = address.port;
+      verbose(`Callback server listening on port ${port}`);
+      resolve({ server, port, callbackPromise });
+    });
+    server.on("error", reject);
+  });
+}
+async function closeServer(server) {
+  return new Promise((resolve) => {
+    server.close(() => {
+      verbose("Callback server closed");
+      resolve();
+    });
+  });
+}
+function timeout(ms) {
+  return new Promise((_, reject) => {
+    setTimeout(() => {
+      reject(new AuthenticationError("Authentication timed out"));
+    }, ms);
+  });
+}
+function successPage() {
+  return `
+<!DOCTYPE html>
+<html>
+<head>
+  <title>DevRamps - Authentication Successful</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      min-height: 100vh;
+      margin: 0;
+      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      color: white;
+    }
+    .container {
+      text-align: center;
+      padding: 2rem;
+    }
+    .checkmark {
+      font-size: 4rem;
+      margin-bottom: 1rem;
+    }
+    h1 {
+      margin: 0 0 0.5rem 0;
+    }
+    p {
+      opacity: 0.9;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="checkmark">&#10003;</div>
+    <h1>Authentication Successful</h1>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+</body>
+</html>
+`;
+}
+function errorPage(error2) {
+  return `
+<!DOCTYPE html>
+<html>
+<head>
+  <title>DevRamps - Authentication Failed</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      min-height: 100vh;
+      margin: 0;
+      background: linear-gradient(135deg, #ff6b6b 0%, #ee5a5a 100%);
+      color: white;
+    }
+    .container {
+      text-align: center;
+      padding: 2rem;
+    }
+    .icon {
+      font-size: 4rem;
+      margin-bottom: 1rem;
+    }
+    h1 {
+      margin: 0 0 0.5rem 0;
+    }
+    p {
+      opacity: 0.9;
+    }
+    .error {
+      background: rgba(255,255,255,0.2);
+      padding: 0.5rem 1rem;
+      border-radius: 4px;
+      display: inline-block;
+      margin-top: 1rem;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">&#10007;</div>
+    <h1>Authentication Failed</h1>
+    <p>Please close this window and try again in your terminal.</p>
+    <div class="error">${error2}</div>
+  </div>
+</body>
+</html>
+`;
+}
+
+// src/parsers/pipeline.ts
+import { readFile as readFile2, readdir, access as access2, constants as constants2 } from "fs/promises";
+import { join as join2 } from "path";
+import { parse as parseYaml2 } from "yaml";
+
+// src/parsers/additional-policies.ts
+import { readFile, access, constants } from "fs/promises";
+import { join } from "path";
+import { parse as parseYaml } from "yaml";
+var POLICIES_JSON = "aws_additional_iam_policies.json";
+var POLICIES_YAML = "aws_additional_iam_policies.yaml";
+async function parseAdditionalPolicies(pipelineDir) {
+  const jsonPath = join(pipelineDir, POLICIES_JSON);
+  const yamlPath = join(pipelineDir, POLICIES_YAML);
+  let content;
+  let format;
+  try {
+    await access(jsonPath, constants.R_OK);
+    content = await readFile(jsonPath, "utf-8");
+    format = "json";
+    verbose(`Found additional policies: ${POLICIES_JSON}`);
+  } catch {
+    try {
+      await access(yamlPath, constants.R_OK);
+      content = await readFile(yamlPath, "utf-8");
+      format = "yaml";
+      verbose(`Found additional policies: ${POLICIES_YAML}`);
+    } catch {
+      return [];
+    }
+  }
+  if (!content || !format) {
+    return [];
+  }
+  let policies;
+  try {
+    if (format === "json") {
+      policies = JSON.parse(content);
+    } else {
+      policies = parseYaml(content);
+    }
+  } catch (error2) {
+    throw new Error(`Failed to parse ${format === "json" ? POLICIES_JSON : POLICIES_YAML}: ${error2 instanceof Error ? error2.message : String(error2)}`);
+  }
+  if (!Array.isArray(policies)) {
+    throw new Error(`Additional policies file must contain an array of IAM policies`);
+  }
+  const validatedPolicies = [];
+  for (let i = 0; i < policies.length; i++) {
+    const policy = policies[i];
+    if (!policy || typeof policy !== "object") {
+      throw new Error(`Policy at index ${i} is not an object`);
+    }
+    if (!("Statement" in policy) || !Array.isArray(policy.Statement)) {
+      throw new Error(`Policy at index ${i} is missing Statement array`);
+    }
+    validatedPolicies.push(policy);
+  }
+  verbose(`Loaded ${validatedPolicies.length} additional policies`);
+  return validatedPolicies;
+}
+
+// src/parsers/pipeline.ts
+var DEVRAMPS_FOLDER = ".devramps";
+var PIPELINE_FILE = "pipeline.yaml";
+async function findDevrampsPipelines(basePath, filterSlugs) {
+  const devrampsPath = join2(basePath, DEVRAMPS_FOLDER);
+  try {
+    await access2(devrampsPath, constants2.R_OK);
+  } catch {
+    throw new NoDevrampsFolderError();
+  }
+  const entries = await readdir(devrampsPath, { withFileTypes: true });
+  const pipelineSlugs = [];
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    const pipelinePath = join2(devrampsPath, entry.name, PIPELINE_FILE);
+    try {
+      await access2(pipelinePath, constants2.R_OK);
+      pipelineSlugs.push(entry.name);
+    } catch {
+      verbose(`Skipping ${entry.name}: no pipeline.yaml found`);
+    }
+  }
+  if (filterSlugs && filterSlugs.length > 0) {
+    const filtered = pipelineSlugs.filter((slug) => filterSlugs.includes(slug));
+    for (const slug of filterSlugs) {
+      if (!pipelineSlugs.includes(slug)) {
+        warn(`Pipeline '${slug}' not found in ${DEVRAMPS_FOLDER}/`);
+      }
+    }
+    return filtered;
+  }
+  return pipelineSlugs;
+}
+async function parsePipeline(basePath, slug) {
+  const pipelinePath = join2(basePath, DEVRAMPS_FOLDER, slug, PIPELINE_FILE);
+  verbose(`Parsing pipeline: ${pipelinePath}`);
+  let content;
+  try {
+    content = await readFile2(pipelinePath, "utf-8");
+  } catch (error2) {
+    throw new PipelineParseError(slug, `Could not read file: ${error2 instanceof Error ? error2.message : String(error2)}`);
+  }
+  let definition;
+  try {
+    definition = parseYaml2(content);
+  } catch (error2) {
+    throw new PipelineParseError(slug, `Invalid YAML: ${error2 instanceof Error ? error2.message : String(error2)}`);
+  }
+  if (!definition.pipeline) {
+    throw new PipelineParseError(slug, 'Missing "pipeline" key in definition');
+  }
+  if (!definition.pipeline.stages || definition.pipeline.stages.length === 0) {
+    throw new PipelineParseError(slug, "Pipeline must have at least one stage");
+  }
+  for (const stage of definition.pipeline.stages) {
+    if (!stage.account_id) {
+      throw new PipelineParseError(slug, `Stage "${stage.name}" is missing account_id`);
+    }
+    if (!stage.region) {
+      throw new PipelineParseError(slug, `Stage "${stage.name}" is missing region`);
+    }
+  }
+  const targetAccountIds = extractTargetAccountIds(definition);
+  const steps = extractSteps(definition);
+  const additionalPolicies = await parseAdditionalPoliciesForPipeline(basePath, slug);
+  verbose(`Pipeline ${slug}: ${targetAccountIds.length} accounts, ${steps.length} steps`);
+  return {
+    slug,
+    definition,
+    targetAccountIds,
+    stages: definition.pipeline.stages,
+    steps,
+    additionalPolicies
+  };
+}
+function extractTargetAccountIds(definition) {
+  const accountIds = /* @__PURE__ */ new Set();
+  for (const stage of definition.pipeline.stages) {
+    if (stage.account_id) {
+      accountIds.add(stage.account_id);
+    }
+  }
+  return Array.from(accountIds);
+}
+function extractSteps(definition) {
+  return definition.pipeline.steps || [];
+}
+async function parseAdditionalPoliciesForPipeline(basePath, slug) {
+  const pipelineDir = join2(basePath, DEVRAMPS_FOLDER, slug);
+  try {
+    return await parseAdditionalPolicies(pipelineDir);
+  } catch (error2) {
+    verbose(`No additional policies for ${slug}: ${error2 instanceof Error ? error2.message : String(error2)}`);
+    return [];
+  }
+}
+
+// src/parsers/artifacts.ts
+var DOCKER_TYPES = ["DEVRAMPS:DOCKER:BUILD", "DEVRAMPS:DOCKER:IMPORT"];
+var BUNDLE_TYPES = ["DEVRAMPS:BUNDLE:BUILD", "DEVRAMPS:BUNDLE:IMPORT"];
+var VALID_TYPES = [...DOCKER_TYPES, ...BUNDLE_TYPES];
+function parseArtifacts(definition) {
+  const docker = [];
+  const bundle = [];
+  const rawArtifacts = definition.pipeline.artifacts;
+  if (!rawArtifacts) {
+    return { docker, bundle };
+  }
+  for (const [name, raw] of Object.entries(rawArtifacts)) {
+    const artifact = parseArtifact(name, raw);
+    if (!artifact) {
+      continue;
+    }
+    if (DOCKER_TYPES.includes(artifact.type)) {
+      docker.push(artifact);
+    } else if (BUNDLE_TYPES.includes(artifact.type)) {
+      bundle.push(artifact);
+    }
+  }
+  verbose(`Parsed artifacts: ${docker.length} docker, ${bundle.length} bundle`);
+  return { docker, bundle };
+}
+function parseArtifact(name, raw) {
+  if (!raw.type) {
+    warn(`Artifact "${name}" is missing type, skipping`);
+    return null;
+  }
+  if (!VALID_TYPES.includes(raw.type)) {
+    warn(`Artifact "${name}" has unknown type "${raw.type}", skipping`);
+    return null;
+  }
+  const base = {
+    name,
+    id: raw.id,
+    type: raw.type,
+    architecture: raw.architecture,
+    host_size: raw.host_size,
+    per_stage: raw.per_stage,
+    rebuild_when_changed: raw.rebuild_when_changed,
+    dependencies: raw.dependencies,
+    params: raw.params
+  };
+  switch (raw.type) {
+    case "DEVRAMPS:DOCKER:BUILD":
+      return base;
+    case "DEVRAMPS:DOCKER:IMPORT":
+      return base;
+    case "DEVRAMPS:BUNDLE:BUILD":
+      return base;
+    case "DEVRAMPS:BUNDLE:IMPORT":
+      return base;
+    default:
+      return null;
+  }
+}
+function filterArtifactsForPipelineStack(artifacts) {
+  return {
+    docker: artifacts.docker.filter((a) => !a.per_stage),
+    bundle: artifacts.bundle.filter((a) => !a.per_stage)
+  };
+}
+function getArtifactId(artifact) {
+  if (artifact.id) {
+    return artifact.id;
+  }
+  return artifact.name.toLowerCase().replace(/[^a-z0-9]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+}
+
+// src/templates/common.ts
+var STANDARD_TAGS = [
+  { Key: "CreatedBy", Value: "DevRamps" },
+  { Key: "ManagedBy", Value: "DevRamps-CLI" }
+];
+function createBaseTemplate(description) {
+  return {
+    AWSTemplateFormatVersion: "2010-09-09",
+    Description: description,
+    Parameters: {},
+    Conditions: {},
+    Resources: {},
+    Outputs: {}
+  };
+}
+function sanitizeResourceId(name) {
+  return name.replace(/[^a-zA-Z0-9]/g, "").substring(0, 64);
+}
+function addOidcProviderResource(template, conditional = true) {
+  if (conditional) {
+    template.Parameters.OIDCProviderExists = {
+      Type: "String",
+      Default: "false",
+      AllowedValues: ["true", "false"],
+      Description: "Whether the OIDC provider already exists in this account"
+    };
+    template.Conditions.CreateOIDCProvider = {
+      "Fn::Equals": [{ Ref: "OIDCProviderExists" }, "false"]
+    };
+  }
+  template.Resources.DevRampsOIDCProvider = {
+    Type: "AWS::IAM::OIDCProvider",
+    ...conditional ? { Condition: "CreateOIDCProvider" } : {},
+    Properties: {
+      Url: `https://${OIDC_PROVIDER_URL}`,
+      ClientIdList: [OIDC_PROVIDER_URL],
+      ThumbprintList: [getOidcThumbprint()],
+      Tags: STANDARD_TAGS
+    }
+  };
+}
+function getOidcProviderArn(accountId, conditional = true) {
+  if (conditional) {
+    return {
+      "Fn::If": [
+        "CreateOIDCProvider",
+        { "Fn::GetAtt": ["DevRampsOIDCProvider", "Arn"] },
+        `arn:aws:iam::${accountId}:oidc-provider/${OIDC_PROVIDER_URL}`
+      ]
+    };
+  }
+  return { "Fn::GetAtt": ["DevRampsOIDCProvider", "Arn"] };
+}
+function buildOidcTrustPolicy(accountId, subject) {
+  return {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Effect: "Allow",
+        Principal: {
+          Federated: `arn:aws:iam::${accountId}:oidc-provider/${OIDC_PROVIDER_URL}`
+        },
+        Action: "sts:AssumeRoleWithWebIdentity",
+        Condition: {
+          StringEquals: {
+            [`${OIDC_PROVIDER_URL}:sub`]: subject,
+            [`${OIDC_PROVIDER_URL}:aud`]: OIDC_PROVIDER_URL
+          }
+        }
+      }
+    ]
+  };
+}
+function createIamRoleResource(roleName, trustPolicy, policies, additionalTags = []) {
+  return {
+    Type: "AWS::IAM::Role",
+    Properties: {
+      RoleName: roleName,
+      AssumeRolePolicyDocument: trustPolicy,
+      ...policies && policies.length > 0 ? { Policies: policies } : {},
+      Tags: [...STANDARD_TAGS, ...additionalTags]
+    }
+  };
+}
+function createS3BucketResource(bucketName, additionalTags = [], encryption) {
+  const encryptionConfig = encryption?.kmsKeyArn ? {
+    ServerSideEncryptionConfiguration: [
+      {
+        ServerSideEncryptionByDefault: {
+          SSEAlgorithm: "aws:kms",
+          KMSMasterKeyID: encryption.kmsKeyArn
+        }
+      }
+    ]
+  } : {
+    ServerSideEncryptionConfiguration: [
+      {
+        ServerSideEncryptionByDefault: {
+          SSEAlgorithm: "AES256"
+        }
+      }
+    ]
+  };
+  return {
+    Type: "AWS::S3::Bucket",
+    Properties: {
+      BucketName: bucketName,
+      VersioningConfiguration: { Status: "Enabled" },
+      BucketEncryption: encryptionConfig,
+      PublicAccessBlockConfiguration: {
+        BlockPublicAcls: true,
+        BlockPublicPolicy: true,
+        IgnorePublicAcls: true,
+        RestrictPublicBuckets: true
+      },
+      Tags: [...STANDARD_TAGS, ...additionalTags]
+    }
+  };
+}
+function createEcrRepositoryResource(repositoryName, additionalTags = []) {
+  return {
+    Type: "AWS::ECR::Repository",
+    Properties: {
+      RepositoryName: repositoryName,
+      ImageScanningConfiguration: { ScanOnPush: true },
+      EncryptionConfiguration: { EncryptionType: "AES256" },
+      Tags: [...STANDARD_TAGS, ...additionalTags]
+    }
+  };
+}
+function createKmsKeyResource(description, keyPolicy, additionalTags = []) {
+  return {
+    Type: "AWS::KMS::Key",
+    Properties: {
+      Description: description,
+      EnableKeyRotation: true,
+      KeyPolicy: keyPolicy,
+      Tags: [...STANDARD_TAGS, ...additionalTags]
+    }
+  };
+}
+function createKmsKeyAliasResource(aliasName, targetKeyRef) {
+  return {
+    Type: "AWS::KMS::Alias",
+    Properties: {
+      AliasName: aliasName,
+      TargetKeyId: { Ref: targetKeyRef }
+    }
+  };
+}
+
+// src/naming/index.ts
+var S3_BUCKET_MAX_LENGTH = 63;
+var ECR_REPO_MAX_LENGTH = 256;
+var IAM_ROLE_MAX_LENGTH = 64;
+var CF_STACK_MAX_LENGTH = 128;
+function normalizeName(name) {
+  return name.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+}
+function generateShortHash(input, length = 6) {
+  let hash = 0;
+  for (let i = 0; i < input.length; i++) {
+    const char = input.charCodeAt(i);
+    hash = (hash << 5) - hash + char;
+    hash = hash & hash;
+  }
+  return Math.abs(hash).toString(36).substring(0, length).padStart(length, "0");
+}
+function truncateName(name, maxLength, hashLength = 6) {
+  if (name.length <= maxLength) {
+    return name;
+  }
+  const availableLength = maxLength - hashLength - 1;
+  const hash = generateShortHash(name, hashLength);
+  return `${name.substring(0, availableLength)}-${hash}`;
+}
+function generateTerraformStateBucketName(orgSlug) {
+  const normalized = normalizeName(`devramps-${orgSlug}-terraform-state`);
+  return truncateName(normalized, S3_BUCKET_MAX_LENGTH);
+}
+function generatePipelineBucketName(cicdAccountId, pipelineSlug, artifactId) {
+  const normalized = normalizeName(`${cicdAccountId}-${pipelineSlug}-${artifactId}`);
+  return truncateName(normalized, S3_BUCKET_MAX_LENGTH);
+}
+function generateStageBucketName(accountId, pipelineSlug, stageName, artifactId) {
+  const normalized = normalizeName(`${accountId}-${pipelineSlug}-${stageName}-${artifactId}`);
+  return truncateName(normalized, S3_BUCKET_MAX_LENGTH);
+}
+function generatePipelineEcrRepoName(pipelineSlug, artifactId) {
+  const normalized = normalizeName(`${pipelineSlug}-${artifactId}`);
+  return truncateName(normalized, ECR_REPO_MAX_LENGTH);
+}
+function generateStageEcrRepoName(pipelineSlug, stageName, artifactId) {
+  const normalized = normalizeName(`${pipelineSlug}-${stageName}-${artifactId}`);
+  return truncateName(normalized, ECR_REPO_MAX_LENGTH);
+}
+function getOrgRoleName() {
+  return "DevRamps-CICD-DeploymentRole";
+}
+function generateStageRoleName(pipelineSlug, stageName) {
+  const baseName = `DevRamps-${pipelineSlug}-${stageName}-DeploymentRole`;
+  return truncateName(baseName, IAM_ROLE_MAX_LENGTH);
+}
+function getOrgStackName(orgSlug) {
+  return truncateName(`DevRamps-${orgSlug}-Org`, CF_STACK_MAX_LENGTH);
+}
+function getPipelineStackName(pipelineSlug) {
+  return truncateName(`DevRamps-${pipelineSlug}-Pipeline`, CF_STACK_MAX_LENGTH);
+}
+function getStageStackName(pipelineSlug, stageName) {
+  return truncateName(`DevRamps-${pipelineSlug}-${stageName}-Stage`, CF_STACK_MAX_LENGTH);
+}
+function getKmsKeyAlias(orgSlug) {
+  return `alias/devramps-${normalizeName(orgSlug)}`;
+}
+
+// src/merge/bucket-policy.ts
+import { S3Client, GetBucketPolicyCommand } from "@aws-sdk/client-s3";
+
+// src/merge/strategy.ts
+var BaseMergeStrategy = class {
+  /**
+   * Default validation - always valid. Override for specific validation.
+   */
+  validate(result) {
+    return { valid: true };
+  }
+};
+
+// src/merge/bucket-policy.ts
+var BucketPolicyMergeStrategy = class extends BaseMergeStrategy {
+  strategyId = "terraform-state-bucket-policy";
+  displayName = "Terraform State Bucket Policy";
+  bucketName = null;
+  credentials;
+  region = "us-east-1";
+  /**
+   * Configure the strategy with bucket details
+   */
+  configure(bucketName, region, credentials) {
+    this.bucketName = bucketName;
+    this.region = region;
+    this.credentials = credentials;
+  }
+  /**
+   * Extract existing account IDs from the current bucket policy
+   */
+  async extractExisting(stackResources) {
+    if (!this.bucketName) {
+      verbose("No bucket name configured, cannot extract existing policy");
+      return null;
+    }
+    try {
+      const client = new S3Client({
+        region: this.region,
+        credentials: this.credentials
+      });
+      const response = await client.send(
+        new GetBucketPolicyCommand({ Bucket: this.bucketName })
+      );
+      if (!response.Policy) {
+        verbose("Bucket has no policy");
+        return null;
+      }
+      const policy = JSON.parse(response.Policy);
+      const accountIds = this.extractAccountIdsFromPolicy(policy);
+      verbose(`Found ${accountIds.length} existing account(s) in bucket policy`);
+      return { allowedAccountIds: accountIds };
+    } catch (error2) {
+      if (error2 instanceof Error && error2.name === "NoSuchBucketPolicy") {
+        verbose("Bucket has no policy (NoSuchBucketPolicy)");
+        return null;
+      }
+      if (error2 instanceof Error && error2.name === "NoSuchBucket") {
+        verbose("Bucket does not exist yet");
+        return null;
+      }
+      verbose(`Could not read bucket policy: ${error2 instanceof Error ? error2.message : String(error2)}`);
+      return null;
+    }
+  }
+  /**
+   * Collect all target account IDs from all pipelines
+   */
+  async collectNew(context) {
+    const accountIds = /* @__PURE__ */ new Set();
+    if (!isValidAwsAccountId(context.cicdAccountId)) {
+      throw new Error(
+        `Invalid CI/CD account ID: "${context.cicdAccountId}". AWS account IDs must be exactly 12 digits.`
+      );
+    }
+    accountIds.add(context.cicdAccountId);
+    for (const pipeline of context.pipelines) {
+      for (const accountId of pipeline.targetAccountIds) {
+        if (!isValidAwsAccountId(accountId)) {
+          throw new Error(
+            `Invalid target account ID in pipeline "${pipeline.slug}": "${accountId}". AWS account IDs must be exactly 12 digits.`
+          );
+        }
+        accountIds.add(accountId);
+      }
+    }
+    verbose(`Collected ${accountIds.size} account(s) from pipelines`);
+    return { allowedAccountIds: Array.from(accountIds) };
+  }
+  /**
+   * Merge existing and new account IDs, deduplicating
+   */
+  merge(existing, newData) {
+    const mergedAccountIds = /* @__PURE__ */ new Set();
+    if (existing) {
+      for (const accountId of existing.allowedAccountIds) {
+        mergedAccountIds.add(accountId);
+      }
+    }
+    for (const accountId of newData.allowedAccountIds) {
+      mergedAccountIds.add(accountId);
+    }
+    const sorted = Array.from(mergedAccountIds).sort();
+    verbose(`Merged to ${sorted.length} unique account(s)`);
+    return { allowedAccountIds: sorted };
+  }
+  /**
+   * Validate the merged result
+   */
+  validate(result) {
+    const errors = [];
+    const warnings = [];
+    for (const accountId of result.allowedAccountIds) {
+      if (!/^\d{12}$/.test(accountId)) {
+        errors.push(`Invalid AWS account ID format: ${accountId}`);
+      }
+    }
+    if (result.allowedAccountIds.length > 50) {
+      warnings.push(
+        `Large number of accounts (${result.allowedAccountIds.length}) in bucket policy. Consider using AWS Organizations conditions instead.`
+      );
+    }
+    return {
+      valid: errors.length === 0,
+      errors: errors.length > 0 ? errors : void 0,
+      warnings: warnings.length > 0 ? warnings : void 0
+    };
+  }
+  /**
+   * Extract account IDs from a bucket policy document
+   */
+  extractAccountIdsFromPolicy(policy) {
+    const accountIds = [];
+    if (!policy || typeof policy !== "object") {
+      return accountIds;
+    }
+    const policyDoc = policy;
+    if (!Array.isArray(policyDoc.Statement)) {
+      return accountIds;
+    }
+    for (const statement of policyDoc.Statement) {
+      if (!statement || typeof statement !== "object") continue;
+      const stmt = statement;
+      const principal = stmt.Principal?.AWS;
+      if (!principal) continue;
+      const principals = Array.isArray(principal) ? principal : [principal];
+      for (const p of principals) {
+        let extractedId = null;
+        const arnMatch = p.match(/arn:aws:iam::(\d{12}):/);
+        if (arnMatch) {
+          extractedId = arnMatch[1];
+        } else if (/^\d{12}$/.test(p)) {
+          extractedId = p;
+        }
+        if (extractedId) {
+          if (isValidAwsAccountId(extractedId)) {
+            accountIds.push(extractedId);
+          } else {
+            verbose(`Skipping invalid account ID from existing policy: "${extractedId}"`);
+          }
+        }
+      }
+    }
+    return [...new Set(accountIds)];
+  }
+};
+function createTerraformStateBucketPolicy(bucketName, cicdAccountId, allowedAccountIds) {
+  const accountStatements = allowedAccountIds.filter((id) => id !== cicdAccountId).map((accountId) => ({
+    Sid: `AllowAccount${accountId}`,
+    Effect: "Allow",
+    Principal: {
+      AWS: `arn:aws:iam::${accountId}:root`
+    },
+    Action: [
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteObject"
+    ],
+    Resource: `arn:aws:s3:::${bucketName}/*`
+  }));
+  const listStatement = {
+    Sid: "AllowListBucket",
+    Effect: "Allow",
+    Principal: {
+      AWS: allowedAccountIds.map((id) => `arn:aws:iam::${id}:root`)
+    },
+    Action: "s3:ListBucket",
+    Resource: `arn:aws:s3:::${bucketName}`
+  };
+  const cicdStatement = {
+    Sid: "AllowCICDAccount",
+    Effect: "Allow",
+    Principal: {
+      AWS: `arn:aws:iam::${cicdAccountId}:root`
+    },
+    Action: "s3:*",
+    Resource: [
+      `arn:aws:s3:::${bucketName}`,
+      `arn:aws:s3:::${bucketName}/*`
+    ]
+  };
+  return {
+    Version: "2012-10-17",
+    Statement: [cicdStatement, listStatement, ...accountStatements]
+  };
+}
+
+// src/templates/org-stack.ts
+function generateOrgStackTemplate(options) {
+  const { orgSlug, cicdAccountId, targetAccountIds } = options;
+  const template = createBaseTemplate(`DevRamps Org Stack for ${orgSlug}`);
+  addOidcProviderResource(template, true);
+  const kmsKeyPolicy = buildKmsKeyPolicy(cicdAccountId, targetAccountIds);
+  template.Resources.DevRampsKMSKey = createKmsKeyResource(
+    `DevRamps encryption key for org: ${orgSlug}`,
+    kmsKeyPolicy,
+    [{ Key: "Organization", Value: orgSlug }]
+  );
+  template.Resources.DevRampsKMSKeyAlias = createKmsKeyAliasResource(
+    getKmsKeyAlias(orgSlug),
+    "DevRampsKMSKey"
+  );
+  const bucketName = generateTerraformStateBucketName(orgSlug);
+  template.Resources.TerraformStateBucket = createS3BucketResource(
+    bucketName,
+    [{ Key: "Organization", Value: orgSlug }],
+    { kmsKeyArn: { "Fn::GetAtt": ["DevRampsKMSKey", "Arn"] } }
+  );
+  const bucketPolicy = createTerraformStateBucketPolicy(
+    bucketName,
+    cicdAccountId,
+    targetAccountIds
+  );
+  template.Resources.TerraformStateBucketPolicy = {
+    Type: "AWS::S3::BucketPolicy",
+    Properties: {
+      Bucket: { Ref: "TerraformStateBucket" },
+      PolicyDocument: bucketPolicy
+    }
+  };
+  const trustPolicy = buildOidcTrustPolicy(cicdAccountId, `org:${orgSlug}`);
+  const orgRolePolicies = buildOrgRolePolicies(orgSlug);
+  template.Resources.DevRampsCICDDeploymentRole = createIamRoleResource(
+    getOrgRoleName(),
+    trustPolicy,
+    orgRolePolicies,
+    [{ Key: "Organization", Value: orgSlug }]
+  );
+  template.Outputs = {
+    OrgRoleArn: {
+      Description: "ARN of the org-level CICD deployment role",
+      Value: { "Fn::GetAtt": ["DevRampsCICDDeploymentRole", "Arn"] },
+      Export: { Name: `DevRamps-${orgSlug}-OrgRoleArn` }
+    },
+    OrgRoleName: {
+      Description: "Name of the org-level CICD deployment role",
+      Value: { Ref: "DevRampsCICDDeploymentRole" }
+    },
+    KMSKeyArn: {
+      Description: "ARN of the KMS encryption key",
+      Value: { "Fn::GetAtt": ["DevRampsKMSKey", "Arn"] },
+      Export: { Name: `DevRamps-${orgSlug}-KMSKeyArn` }
+    },
+    KMSKeyId: {
+      Description: "ID of the KMS encryption key",
+      Value: { Ref: "DevRampsKMSKey" }
+    },
+    TerraformStateBucketName: {
+      Description: "Name of the Terraform state bucket",
+      Value: { Ref: "TerraformStateBucket" },
+      Export: { Name: `DevRamps-${orgSlug}-TerraformStateBucket` }
+    },
+    TerraformStateBucketArn: {
+      Description: "ARN of the Terraform state bucket",
+      Value: { "Fn::GetAtt": ["TerraformStateBucket", "Arn"] }
+    },
+    OIDCProviderArn: {
+      Description: "ARN of the OIDC provider",
+      Value: getOidcProviderArn(cicdAccountId, true)
+    }
+  };
+  return template;
+}
+function buildKmsKeyPolicy(cicdAccountId, targetAccountIds) {
+  const allAccountIds = [.../* @__PURE__ */ new Set([cicdAccountId, ...targetAccountIds])];
+  return {
+    Version: "2012-10-17",
+    Statement: [
+      {
+        Sid: "EnableRootAccountPermissions",
+        Effect: "Allow",
+        Principal: {
+          AWS: `arn:aws:iam::${cicdAccountId}:root`
+        },
+        Action: "kms:*",
+        Resource: "*"
+      },
+      {
+        Sid: "AllowTargetAccountsEncryptDecrypt",
+        Effect: "Allow",
+        Principal: {
+          AWS: allAccountIds.map((id) => `arn:aws:iam::${id}:root`)
+        },
+        Action: [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ],
+        Resource: "*"
+      }
+    ]
+  };
+}
+function buildOrgRolePolicies(orgSlug) {
+  return [
+    {
+      PolicyName: "DevRampsOrgPolicy",
+      PolicyDocument: {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Sid: "AllowAssumeStageRoles",
+            Effect: "Allow",
+            Action: "sts:AssumeRole",
+            Resource: `arn:aws:iam::*:role/DevRamps-*-DeploymentRole`
+          },
+          {
+            Sid: "AllowKMSUsage",
+            Effect: "Allow",
+            Action: [
+              "kms:Encrypt",
+              "kms:Decrypt",
+              "kms:GenerateDataKey*"
+            ],
+            Resource: "*",
+            Condition: {
+              StringEquals: {
+                "kms:CallerAccount": { Ref: "AWS::AccountId" }
+              }
+            }
+          },
+          {
+            Sid: "AllowS3TerraformState",
+            Effect: "Allow",
+            Action: [
+              "s3:GetObject",
+              "s3:PutObject",
+              "s3:DeleteObject",
+              "s3:ListBucket"
+            ],
+            Resource: [
+              { "Fn::GetAtt": ["TerraformStateBucket", "Arn"] },
+              { "Fn::Sub": "${TerraformStateBucket.Arn}/*" }
+            ]
+          },
+          {
+            Sid: "AllowECROperations",
+            Effect: "Allow",
+            Action: [
+              "ecr:GetAuthorizationToken",
+              "ecr:BatchCheckLayerAvailability",
+              "ecr:GetDownloadUrlForLayer",
+              "ecr:BatchGetImage",
+              "ecr:PutImage",
+              "ecr:InitiateLayerUpload",
+              "ecr:UploadLayerPart",
+              "ecr:CompleteLayerUpload"
+            ],
+            Resource: "*"
+          }
+        ]
+      }
+    }
+  ];
+}
+
+// src/templates/pipeline-stack.ts
+function generatePipelineStackTemplate(options) {
+  const { pipelineSlug, cicdAccountId, dockerArtifacts, bundleArtifacts } = options;
+  const template = createBaseTemplate(`DevRamps Pipeline Stack for ${pipelineSlug}`);
+  const ecrOutputs = {};
+  const s3Outputs = {};
+  for (const artifact of dockerArtifacts) {
+    const artifactId = getArtifactId(artifact);
+    const repoName = generatePipelineEcrRepoName(pipelineSlug, artifactId);
+    const resourceId = sanitizeResourceId(`ECR${artifactId}`);
+    template.Resources[resourceId] = createEcrRepositoryResource(
+      repoName,
+      [
+        { Key: "Pipeline", Value: pipelineSlug },
+        { Key: "Artifact", Value: artifact.name },
+        { Key: "ArtifactType", Value: artifact.type }
+      ]
+    );
+    ecrOutputs[artifact.name] = { repoName, resourceId };
+  }
+  for (const artifact of bundleArtifacts) {
+    const artifactId = getArtifactId(artifact);
+    const bucketName = generatePipelineBucketName(cicdAccountId, pipelineSlug, artifactId);
+    const resourceId = sanitizeResourceId(`Bucket${artifactId}`);
+    template.Resources[resourceId] = createS3BucketResource(
+      bucketName,
+      [
+        { Key: "Pipeline", Value: pipelineSlug },
+        { Key: "Artifact", Value: artifact.name },
+        { Key: "ArtifactType", Value: artifact.type }
+      ]
+    );
+    s3Outputs[artifact.name] = { bucketName, resourceId };
+  }
+  for (const [artifactName, { resourceId }] of Object.entries(ecrOutputs)) {
+    const safeName = sanitizeResourceId(artifactName);
+    template.Outputs[`${safeName}RepoUri`] = {
+      Description: `ECR Repository URI for ${artifactName}`,
+      Value: { "Fn::GetAtt": [resourceId, "RepositoryUri"] },
+      Export: { Name: `DevRamps-${pipelineSlug}-${safeName}-RepoUri` }
+    };
+    template.Outputs[`${safeName}RepoArn`] = {
+      Description: `ECR Repository ARN for ${artifactName}`,
+      Value: { "Fn::GetAtt": [resourceId, "Arn"] }
+    };
+  }
+  for (const [artifactName, { resourceId }] of Object.entries(s3Outputs)) {
+    const safeName = sanitizeResourceId(artifactName);
+    template.Outputs[`${safeName}BucketName`] = {
+      Description: `S3 Bucket name for ${artifactName}`,
+      Value: { Ref: resourceId },
+      Export: { Name: `DevRamps-${pipelineSlug}-${safeName}-BucketName` }
+    };
+    template.Outputs[`${safeName}BucketArn`] = {
+      Description: `S3 Bucket ARN for ${artifactName}`,
+      Value: { "Fn::GetAtt": [resourceId, "Arn"] }
+    };
+  }
+  template.Outputs.PipelineSlug = {
+    Description: "Pipeline slug",
+    Value: pipelineSlug
+  };
+  template.Outputs.ECRRepoCount = {
+    Description: "Number of ECR repositories created",
+    Value: String(Object.keys(ecrOutputs).length)
+  };
+  template.Outputs.S3BucketCount = {
+    Description: "Number of S3 buckets created",
+    Value: String(Object.keys(s3Outputs).length)
+  };
+  return template;
+}
+
+// src/permissions/eks-deploy.ts
+var EKS_DEPLOY_PERMISSIONS = {
+  actions: [
+    // EKS cluster access
+    "eks:DescribeCluster",
+    "eks:AccessKubernetesApi",
+    // EKS access entry management (for setting up kubectl access)
+    "eks:CreateAccessEntry",
+    "eks:DescribeAccessEntry",
+    "eks:AssociateAccessPolicy"
+  ],
+  // Resources are scoped to the specific cluster at deployment time
+  // '*' is used here as the specific cluster ARN is determined by the pipeline config
+  resources: ["*"]
+};
+
+// src/permissions/eks-helm.ts
+var EKS_HELM_PERMISSIONS = {
+  actions: [
+    // EKS cluster access
+    "eks:DescribeCluster",
+    "eks:AccessKubernetesApi",
+    // EKS access entry management (for setting up kubectl/helm access)
+    "eks:CreateAccessEntry",
+    "eks:DescribeAccessEntry",
+    "eks:AssociateAccessPolicy"
+  ],
+  // Resources are scoped to the specific cluster at deployment time
+  resources: ["*"]
+};
+
+// src/permissions/ecs-deploy.ts
+var ECS_DEPLOY_PERMISSIONS = {
+  actions: [
+    // ECS service operations
+    "ecs:UpdateService",
+    "ecs:DescribeServices",
+    // Task definition operations
+    "ecs:DescribeTaskDefinition",
+    "ecs:RegisterTaskDefinition",
+    // Required for ECS to use task/execution roles
+    "iam:PassRole"
+  ],
+  // Resources are scoped to the specific cluster/service at deployment time
+  resources: ["*"]
+};
+
+// src/permissions/approval-bake.ts
+var APPROVAL_BAKE_PERMISSIONS = {
+  actions: [],
+  resources: []
+};
+
+// src/permissions/approval-test.ts
+var APPROVAL_TEST_PERMISSIONS = {
+  actions: [],
+  resources: []
+};
+
+// src/permissions/mirror-ecr.ts
+var MIRROR_ECR_PERMISSIONS = {
+  actions: [
+    // ECR authentication
+    "ecr:GetAuthorizationToken",
+    // Pull operations (source ECR)
+    "ecr:BatchGetImage",
+    "ecr:GetDownloadUrlForLayer",
+    // Push operations (target ECR)
+    "ecr:PutImage",
+    "ecr:InitiateLayerUpload",
+    "ecr:UploadLayerPart",
+    "ecr:CompleteLayerUpload",
+    "ecr:BatchCheckLayerAvailability"
+  ],
+  resources: ["*"]
+};
+
+// src/permissions/mirror-s3.ts
+var MIRROR_S3_PERMISSIONS = {
+  actions: [
+    // Read operations (source bucket)
+    "s3:GetObject",
+    "s3:HeadObject",
+    // Write operations (target bucket)
+    "s3:PutObject",
+    "s3:PutObjectAcl"
+  ],
+  resources: ["*"]
+};
+
+// src/permissions/bundle-import.ts
+var BUNDLE_IMPORT_PERMISSIONS = {
+  actions: [
+    // Read operations (source bucket in CI/CD account)
+    "s3:GetObject",
+    "s3:HeadObject",
+    // Write operations (target bucket in deployment account)
+    "s3:PutObject",
+    "s3:PutObjectAcl",
+    // Cross-account role assumption
+    "sts:AssumeRole"
+  ],
+  resources: ["*"]
+};
+
+// src/permissions/docker-import.ts
+var DOCKER_IMPORT_PERMISSIONS = {
+  actions: [
+    // ECR authentication
+    "ecr:GetAuthorizationToken",
+    // Check image availability (source ECR)
+    "ecr:DescribeImages",
+    // Pull operations (source ECR)
+    "ecr:BatchGetImage",
+    "ecr:GetDownloadUrlForLayer",
+    // Push operations (target ECR)
+    "ecr:PutImage",
+    "ecr:InitiateLayerUpload",
+    "ecr:UploadLayerPart",
+    "ecr:CompleteLayerUpload",
+    "ecr:BatchCheckLayerAvailability",
+    // Cross-account role assumption
+    "sts:AssumeRole"
+  ],
+  resources: ["*"]
+};
+
+// src/permissions/custom.ts
+function getCustomPermissions(stepType) {
+  verbose(
+    `Step type '${stepType}' is a custom step. Ensure permissions are defined in aws_additional_iam_policies.yaml/json`
+  );
+  return {
+    actions: [],
+    resources: []
+  };
+}
+
+// src/permissions/index.ts
+var PERMISSIONS_REGISTRY = {
+  // Deployment steps
+  "DEVRAMPS:EKS:DEPLOY": EKS_DEPLOY_PERMISSIONS,
+  "DEVRAMPS:EKS:HELM": EKS_HELM_PERMISSIONS,
+  "DEVRAMPS:ECS:DEPLOY": ECS_DEPLOY_PERMISSIONS,
+  // Artifact mirroring steps (CI/CD account -> deployment account)
+  "DEVRAMPS:MIRROR:ECR": MIRROR_ECR_PERMISSIONS,
+  "DEVRAMPS:MIRROR:S3": MIRROR_S3_PERMISSIONS,
+  // Artifact import steps (cross-account)
+  "DEVRAMPS:BUNDLE:IMPORT": BUNDLE_IMPORT_PERMISSIONS,
+  "DEVRAMPS:DOCKER:IMPORT": DOCKER_IMPORT_PERMISSIONS,
+  // Approval/wait steps (no AWS permissions needed)
+  "DEVRAMPS:APPROVAL:BAKE": APPROVAL_BAKE_PERMISSIONS,
+  "DEVRAMPS:APPROVAL:TEST": APPROVAL_TEST_PERMISSIONS
+};
+function getStepPermissions(stepType) {
+  const permissions = PERMISSIONS_REGISTRY[stepType];
+  if (permissions) {
+    return permissions;
+  }
+  if (stepType.startsWith("CUSTOM:")) {
+    return getCustomPermissions(stepType);
+  }
+  return {
+    actions: [],
+    resources: []
+  };
+}
+function hasPermissions(stepType) {
+  const permissions = getStepPermissions(stepType);
+  return permissions.actions.length > 0;
+}
+
+// src/templates/stage-stack.ts
+function generateStageStackTemplate(options) {
+  const {
+    pipelineSlug,
+    stageName,
+    orgSlug,
+    accountId,
+    steps,
+    additionalPolicies,
+    dockerArtifacts,
+    bundleArtifacts
+  } = options;
+  const template = createBaseTemplate(
+    `DevRamps Stage Stack for ${pipelineSlug}/${stageName}`
+  );
+  addOidcProviderResource(template, true);
+  const roleName = generateStageRoleName(pipelineSlug, stageName);
+  const trustPolicy = buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, stageName);
+  const policies = buildStagePolicies(steps, additionalPolicies);
+  template.Resources.StageDeploymentRole = createIamRoleResource(
+    roleName,
+    trustPolicy,
+    policies.length > 0 ? policies : void 0,
+    [
+      { Key: "Pipeline", Value: pipelineSlug },
+      { Key: "Stage", Value: stageName },
+      { Key: "Organization", Value: orgSlug }
+    ]
+  );
+  const ecrOutputs = {};
+  const s3Outputs = {};
+  for (const artifact of dockerArtifacts) {
+    const artifactId = getArtifactId(artifact);
+    const repoName = generateStageEcrRepoName(pipelineSlug, stageName, artifactId);
+    const resourceId = sanitizeResourceId(`ECR${artifactId}`);
+    template.Resources[resourceId] = createEcrRepositoryResource(
+      repoName,
+      [
+        { Key: "Pipeline", Value: pipelineSlug },
+        { Key: "Stage", Value: stageName },
+        { Key: "Artifact", Value: artifact.name },
+        { Key: "ArtifactType", Value: artifact.type }
+      ]
+    );
+    ecrOutputs[artifact.name] = { resourceId };
+  }
+  for (const artifact of bundleArtifacts) {
+    const artifactId = getArtifactId(artifact);
+    const bucketName = generateStageBucketName(accountId, pipelineSlug, stageName, artifactId);
+    const resourceId = sanitizeResourceId(`Bucket${artifactId}`);
+    template.Resources[resourceId] = createS3BucketResource(
+      bucketName,
+      [
+        { Key: "Pipeline", Value: pipelineSlug },
+        { Key: "Stage", Value: stageName },
+        { Key: "Artifact", Value: artifact.name },
+        { Key: "ArtifactType", Value: artifact.type }
+      ]
+    );
+    s3Outputs[artifact.name] = { resourceId };
+  }
+  template.Outputs = {
+    StageRoleArn: {
+      Description: "ARN of the stage deployment role",
+      Value: { "Fn::GetAtt": ["StageDeploymentRole", "Arn"] },
+      Export: { Name: `DevRamps-${pipelineSlug}-${stageName}-RoleArn` }
+    },
+    StageRoleName: {
+      Description: "Name of the stage deployment role",
+      Value: { Ref: "StageDeploymentRole" }
+    },
+    OIDCProviderArn: {
+      Description: "ARN of the OIDC provider",
+      Value: getOidcProviderArn(accountId, true)
+    },
+    PipelineSlug: {
+      Description: "Pipeline slug",
+      Value: pipelineSlug
+    },
+    StageName: {
+      Description: "Stage name",
+      Value: stageName
+    }
+  };
+  for (const [artifactName, { resourceId }] of Object.entries(ecrOutputs)) {
+    const safeName = sanitizeResourceId(artifactName);
+    template.Outputs[`${safeName}RepoUri`] = {
+      Description: `ECR Repository URI for ${artifactName}`,
+      Value: { "Fn::GetAtt": [resourceId, "RepositoryUri"] }
+    };
+  }
+  for (const [artifactName, { resourceId }] of Object.entries(s3Outputs)) {
+    const safeName = sanitizeResourceId(artifactName);
+    template.Outputs[`${safeName}BucketName`] = {
+      Description: `S3 Bucket name for ${artifactName}`,
+      Value: { Ref: resourceId }
+    };
+  }
+  return template;
+}
+function buildStageTrustPolicy(accountId, orgSlug, pipelineSlug, stageName) {
+  const subject = `org:${orgSlug}/pipeline:${pipelineSlug}/stage:${stageName}`;
+  return buildOidcTrustPolicy(accountId, subject);
+}
+function buildStagePolicies(steps, additionalPolicies) {
+  const policies = [];
+  for (const step of steps) {
+    if (!hasPermissions(step.type)) {
+      continue;
+    }
+    const permissions = getStepPermissions(step.type);
+    if (!permissions.actions || permissions.actions.length === 0) {
+      continue;
+    }
+    const policyName = `${sanitizeResourceId(step.name)}DeploymentPolicy`;
+    policies.push({
+      PolicyName: policyName,
+      PolicyDocument: {
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Sid: sanitizeResourceId(step.name),
+            Effect: "Allow",
+            Action: permissions.actions,
+            Resource: permissions.resources || ["*"]
+          }
+        ]
+      }
+    });
+  }
+  for (let i = 0; i < additionalPolicies.length; i++) {
+    const policy = additionalPolicies[i];
+    const policyName = `AdditionalPolicy${i + 1}`;
+    policies.push({
+      PolicyName: policyName,
+      PolicyDocument: {
+        Version: policy.Version || "2012-10-17",
+        Statement: policy.Statement.map((stmt) => ({
+          ...stmt.Sid ? { Sid: stmt.Sid } : {},
+          Effect: stmt.Effect,
+          Action: Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action],
+          Resource: stmt.Resource,
+          ...stmt.Condition ? { Condition: stmt.Condition } : {}
+        }))
+      }
+    });
+  }
+  return policies;
+}
+
+// src/merge/index.ts
+var MERGE_STRATEGIES = /* @__PURE__ */ new Map();
+var bucketPolicyStrategy = new BucketPolicyMergeStrategy();
+MERGE_STRATEGIES.set(bucketPolicyStrategy.strategyId, bucketPolicyStrategy);
+function getBucketPolicyStrategy() {
+  return bucketPolicyStrategy;
+}
+
+// src/utils/prompts.ts
+import inquirer from "inquirer";
+async function confirmDeployment(plan) {
+  header("DevRamps Bootstrap Summary");
+  console.log(`Organization: ${plan.orgSlug}`);
+  newline();
+  const pipelineGroups = /* @__PURE__ */ new Map();
+  for (const stack of plan.stacks) {
+    const existing = pipelineGroups.get(stack.pipelineSlug) || [];
+    existing.push(stack);
+    pipelineGroups.set(stack.pipelineSlug, existing);
+  }
+  console.log("Pipelines to bootstrap:");
+  for (const [slug, stacks] of pipelineGroups) {
+    const accounts = new Set(stacks.map((s) => s.accountId));
+    console.log(`  - ${slug} (${accounts.size} target account${accounts.size !== 1 ? "s" : ""})`);
+  }
+  newline();
+  console.log("Stacks to deploy:");
+  const tableRows = [
+    ["Account ID", "Pipeline", "Stack Name", "Action"]
+  ];
+  for (const stack of plan.stacks) {
+    tableRows.push([
+      stack.accountId,
+      stack.pipelineSlug,
+      stack.stackName,
+      stack.action
+    ]);
+  }
+  table(tableRows);
+  newline();
+  console.log("Each stack creates:");
+  console.log("  - OIDC Identity Provider for devramps.com (if not exists)");
+  console.log("  - IAM Role: DevRamps-CICD-DeploymentRole");
+  console.log(`    - Trust: org:${plan.orgSlug}/pipeline:<pipeline-slug>`);
+  console.log("    - Policies for each deployment step");
+  newline();
+  const { proceed } = await inquirer.prompt([
+    {
+      type: "confirm",
+      name: "proceed",
+      message: "Do you want to proceed?",
+      default: false
+    }
+  ]);
+  return proceed;
+}
+
+// src/commands/bootstrap.ts
+async function bootstrapCommand(options) {
+  try {
+    if (options.verbose) {
+      setVerbose(true);
+    }
+    header("DevRamps Bootstrap");
+    const spinner = ora("Checking AWS credentials...").start();
+    const identity = await getCurrentIdentity();
+    spinner.succeed(`Authenticated as ${identity.arn}`);
+    const authData = await authenticateViaBrowser({
+      endpointOverride: options.endpointOverride
+    });
+    spinner.start("Finding pipelines...");
+    const basePath = process.cwd();
+    const filterSlugs = options.pipelineSlugs ? options.pipelineSlugs.split(",").map((s) => s.trim()) : void 0;
+    const pipelineSlugs = await findDevrampsPipelines(basePath, filterSlugs);
+    if (pipelineSlugs.length === 0) {
+      spinner.fail("No pipelines found");
+      error("No pipeline.yaml files found in .devramps/ folder.");
+      process.exit(1);
+    }
+    spinner.text = `Parsing ${pipelineSlugs.length} pipeline(s)...`;
+    const pipelines = [];
+    const pipelineArtifacts = /* @__PURE__ */ new Map();
+    for (const slug of pipelineSlugs) {
+      const pipeline = await parsePipeline(basePath, slug);
+      pipelines.push(pipeline);
+      const artifacts = parseArtifacts(pipeline.definition);
+      pipelineArtifacts.set(slug, artifacts);
+    }
+    spinner.succeed(`Found ${pipelines.length} pipeline(s)`);
+    spinner.start("Building deployment plan...");
+    const plan = await buildDeploymentPlan(
+      pipelines,
+      pipelineArtifacts,
+      authData,
+      identity.accountId,
+      options.targetAccountRoleName
+    );
+    spinner.succeed("Deployment plan ready");
+    if (options.dryRun) {
+      await showDryRunPlan(plan);
+      return;
+    }
+    const confirmed = await confirmDeploymentPlan(plan);
+    if (!confirmed) {
+      info("Deployment cancelled by user.");
+      return;
+    }
+    await executeDeployment(plan, pipelines, pipelineArtifacts, authData, identity.accountId, options);
+  } catch (error2) {
+    if (error2 instanceof DevRampsError) {
+      error(error2.message);
+      process.exit(1);
+    }
+    error(`Unexpected error: ${error2 instanceof Error ? error2.message : String(error2)}`);
+    if (isVerbose() && error2 instanceof Error && error2.stack) {
+      console.error(error2.stack);
+    }
+    process.exit(1);
+  }
+}
+async function buildDeploymentPlan(pipelines, pipelineArtifacts, authData, currentAccountId, targetRoleName) {
+  const { orgSlug, cicdAccountId, cicdRegion } = authData;
+  const allTargetAccountIds = /* @__PURE__ */ new Set();
+  for (const pipeline of pipelines) {
+    for (const accountId of pipeline.targetAccountIds) {
+      allTargetAccountIds.add(accountId);
+    }
+  }
+  let cicdCredentials;
+  try {
+    if (cicdAccountId !== currentAccountId) {
+      const assumed = await assumeRoleForAccount({
+        targetAccountId: cicdAccountId,
+        currentAccountId,
+        targetRoleName
+      });
+      cicdCredentials = assumed?.credentials;
+    }
+  } catch {
+    verbose("Could not assume role in CI/CD account for status check");
+  }
+  const orgStackName = getOrgStackName(orgSlug);
+  const orgStack = {
+    stackType: "Org",
+    stackName: orgStackName,
+    accountId: cicdAccountId,
+    region: cicdRegion,
+    action: await determineStackAction(orgStackName, cicdCredentials, cicdRegion),
+    orgSlug,
+    targetAccountIds: Array.from(allTargetAccountIds)
+  };
+  const pipelineStacks = [];
+  for (const pipeline of pipelines) {
+    const artifacts = pipelineArtifacts.get(pipeline.slug);
+    const filteredArtifacts = filterArtifactsForPipelineStack(artifacts);
+    const stackName = getPipelineStackName(pipeline.slug);
+    pipelineStacks.push({
+      stackType: "Pipeline",
+      stackName,
+      accountId: cicdAccountId,
+      region: cicdRegion,
+      action: await determineStackAction(stackName, cicdCredentials, cicdRegion),
+      pipelineSlug: pipeline.slug,
+      dockerArtifacts: filteredArtifacts.docker,
+      bundleArtifacts: filteredArtifacts.bundle
+    });
+  }
+  const stageStacks = [];
+  for (const pipeline of pipelines) {
+    const artifacts = pipelineArtifacts.get(pipeline.slug);
+    for (const stage of pipeline.stages) {
+      const stackName = getStageStackName(pipeline.slug, stage.name);
+      let stageCredentials;
+      try {
+        if (stage.account_id !== currentAccountId) {
+          const assumed = await assumeRoleForAccount({
+            targetAccountId: stage.account_id,
+            currentAccountId,
+            targetRoleName
+          });
+          stageCredentials = assumed?.credentials;
+        }
+      } catch {
+        verbose(`Could not assume role in ${stage.account_id} for status check`);
+      }
+      stageStacks.push({
+        stackType: "Stage",
+        stackName,
+        accountId: stage.account_id,
+        region: stage.region,
+        action: await determineStackAction(stackName, stageCredentials, stage.region),
+        pipelineSlug: pipeline.slug,
+        stageName: stage.name,
+        orgSlug,
+        steps: pipeline.steps,
+        additionalPolicies: pipeline.additionalPolicies,
+        dockerArtifacts: artifacts.docker,
+        bundleArtifacts: artifacts.bundle
+      });
+    }
+  }
+  return {
+    orgSlug,
+    cicdAccountId,
+    cicdRegion,
+    orgStack,
+    pipelineStacks,
+    stageStacks
+  };
+}
+async function determineStackAction(stackName, credentials, region) {
+  try {
+    const status = await getStackStatus(stackName, credentials, region);
+    return status.exists ? "UPDATE" : "CREATE";
+  } catch {
+    return "CREATE";
+  }
+}
+async function showDryRunPlan(plan) {
+  newline();
+  header("Deployment Plan (Dry Run)");
+  info(`Organization: ${plan.orgSlug}`);
+  info(`CI/CD Account: ${plan.cicdAccountId}`);
+  info(`CI/CD Region: ${plan.cicdRegion}`);
+  newline();
+  info("Phase 1: Org Stack");
+  info(`  ${plan.orgStack.action}: ${plan.orgStack.stackName}`);
+  info(`    Account: ${plan.orgStack.accountId}`);
+  info(`    Target accounts with bucket access: ${plan.orgStack.targetAccountIds.length}`);
+  newline();
+  info("Phase 2: Pipeline Stacks");
+  for (const stack of plan.pipelineStacks) {
+    info(`  ${stack.action}: ${stack.stackName}`);
+    info(`    ECR repos: ${stack.dockerArtifacts.length}, S3 buckets: ${stack.bundleArtifacts.length}`);
+  }
+  newline();
+  info("Phase 3: Stage Stacks");
+  for (const stack of plan.stageStacks) {
+    info(`  ${stack.action}: ${stack.stackName}`);
+    info(`    Account: ${stack.accountId}, Region: ${stack.region}`);
+    info(`    ECR repos: ${stack.dockerArtifacts.length}, S3 buckets: ${stack.bundleArtifacts.length}`);
+  }
+  const totalStacks = 1 + plan.pipelineStacks.length + plan.stageStacks.length;
+  newline();
+  info(`Total stacks to deploy: ${totalStacks}`);
+}
+async function confirmDeploymentPlan(plan) {
+  const totalStacks = 1 + plan.pipelineStacks.length + plan.stageStacks.length;
+  newline();
+  info(`About to deploy ${totalStacks} stack(s):`);
+  info(`  - 1 Org stack (${plan.orgStack.action})`);
+  info(`  - ${plan.pipelineStacks.length} Pipeline stack(s)`);
+  info(`  - ${plan.stageStacks.length} Stage stack(s)`);
+  return confirmDeployment({
+    orgSlug: plan.orgSlug,
+    stacks: [
+      { ...plan.orgStack, pipelineSlug: "org", steps: [], additionalPoliciesCount: 0 },
+      ...plan.pipelineStacks.map((s) => ({ ...s, steps: [], additionalPoliciesCount: 0 })),
+      ...plan.stageStacks.map((s) => ({ ...s, steps: s.steps.map((st) => st.name), additionalPoliciesCount: s.additionalPolicies.length }))
+    ]
+  });
+}
+async function executeDeployment(plan, pipelines, pipelineArtifacts, authData, currentAccountId, options) {
+  const results = { success: 0, failed: 0 };
+  newline();
+  header("Phase 1: Org Stack");
+  try {
+    await deployOrgStack(plan, pipelines, authData, currentAccountId, options);
+    results.success++;
+    success("Org stack deployed successfully");
+  } catch (error2) {
+    results.failed++;
+    error(`Org stack failed: ${error2 instanceof Error ? error2.message : String(error2)}`);
+    throw error2;
+  }
+  newline();
+  header("Phase 2: Pipeline Stacks");
+  for (const stack of plan.pipelineStacks) {
+    const spinner = ora(`Deploying ${stack.stackName}...`).start();
+    try {
+      await deployPipelineStack(stack, authData, currentAccountId, options);
+      spinner.succeed(`${stack.stackName} deployed`);
+      results.success++;
+    } catch (error2) {
+      spinner.fail(`${stack.stackName} failed: ${error2 instanceof Error ? error2.message : String(error2)}`);
+      results.failed++;
+    }
+  }
+  newline();
+  header("Phase 3: Stage Stacks");
+  for (const stack of plan.stageStacks) {
+    const spinner = ora(`Deploying ${stack.stackName} to ${stack.accountId}/${stack.region}...`).start();
+    try {
+      await deployStageStack(stack, authData, currentAccountId, options);
+      spinner.succeed(`${stack.stackName} deployed to ${stack.accountId}`);
+      results.success++;
+    } catch (error2) {
+      spinner.fail(`${stack.stackName} failed: ${error2 instanceof Error ? error2.message : String(error2)}`);
+      results.failed++;
+    }
+  }
+  newline();
+  header("Deployment Summary");
+  if (results.failed === 0) {
+    success(`All ${results.success} stack(s) deployed successfully!`);
+  } else {
+    warn(`${results.success} stack(s) succeeded, ${results.failed} stack(s) failed.`);
+  }
+}
+async function deployOrgStack(plan, pipelines, authData, currentAccountId, options) {
+  const { orgSlug, cicdAccountId, cicdRegion } = authData;
+  const credentials = cicdAccountId !== currentAccountId ? (await assumeRoleForAccount({
+    targetAccountId: cicdAccountId,
+    currentAccountId,
+    targetRoleName: options.targetAccountRoleName
+  }))?.credentials : void 0;
+  let targetAccountIds = plan.orgStack.targetAccountIds;
+  if (plan.orgStack.action === "UPDATE") {
+    verbose("Merging bucket policy with existing accounts...");
+    const bucketName = generateTerraformStateBucketName(orgSlug);
+    const strategy = getBucketPolicyStrategy();
+    strategy.configure(bucketName, cicdRegion, credentials);
+    const existingStack = await readExistingStack(
+      plan.orgStack.stackName,
+      cicdAccountId,
+      cicdRegion,
+      credentials
+    );
+    if (existingStack) {
+      const existing = await strategy.extractExisting(existingStack);
+      const newData = { allowedAccountIds: targetAccountIds };
+      const merged = strategy.merge(existing, newData);
+      targetAccountIds = merged.allowedAccountIds;
+      verbose(`Merged ${targetAccountIds.length} account(s) into bucket policy`);
+    }
+  }
+  const template = generateOrgStackTemplate({
+    orgSlug,
+    cicdAccountId,
+    targetAccountIds
+  });
+  const deployOptions = {
+    stackName: plan.orgStack.stackName,
+    template,
+    accountId: cicdAccountId,
+    region: cicdRegion,
+    credentials
+  };
+  await previewStackChanges(deployOptions);
+  await deployStack(deployOptions);
+}
+async function deployPipelineStack(stack, authData, currentAccountId, options) {
+  const { cicdAccountId, cicdRegion } = authData;
+  const credentials = cicdAccountId !== currentAccountId ? (await assumeRoleForAccount({
+    targetAccountId: cicdAccountId,
+    currentAccountId,
+    targetRoleName: options.targetAccountRoleName
+  }))?.credentials : void 0;
+  const template = generatePipelineStackTemplate({
+    pipelineSlug: stack.pipelineSlug,
+    cicdAccountId,
+    dockerArtifacts: stack.dockerArtifacts,
+    bundleArtifacts: stack.bundleArtifacts
+  });
+  const deployOptions = {
+    stackName: stack.stackName,
+    template,
+    accountId: cicdAccountId,
+    region: cicdRegion,
+    credentials
+  };
+  await previewStackChanges(deployOptions);
+  await deployStack(deployOptions);
+}
+async function deployStageStack(stack, authData, currentAccountId, options) {
+  const credentials = stack.accountId !== currentAccountId ? (await assumeRoleForAccount({
+    targetAccountId: stack.accountId,
+    currentAccountId,
+    targetRoleName: options.targetAccountRoleName
+  }))?.credentials : void 0;
+  const oidcInfo = await checkOidcProviderExists(credentials, stack.region);
+  verbose(`OIDC provider in ${stack.accountId}: ${oidcInfo.exists ? "exists" : "will be created"}`);
+  const template = generateStageStackTemplate({
+    pipelineSlug: stack.pipelineSlug,
+    stageName: stack.stageName,
+    orgSlug: stack.orgSlug,
+    accountId: stack.accountId,
+    steps: stack.steps,
+    additionalPolicies: stack.additionalPolicies,
+    dockerArtifacts: stack.dockerArtifacts,
+    bundleArtifacts: stack.bundleArtifacts
+  });
+  const deployOptions = {
+    stackName: stack.stackName,
+    template,
+    accountId: stack.accountId,
+    region: stack.region,
+    credentials
+  };
+  await previewStackChanges(deployOptions);
+  await deployStack(deployOptions);
+}
+
+// src/index.ts
+program.name("devramps").description("DevRamps CLI - Bootstrap AWS infrastructure for CI/CD pipelines").version("0.1.0");
+program.command("bootstrap").description("Bootstrap IAM roles in target AWS accounts based on pipeline definitions").option(
+  "--target-account-role-name <name>",
+  "Role to assume in target accounts (default: OrganizationAccountAccessRole, fallback: AWSControlTowerExecution)"
+).option(
+  "--pipeline-slugs <slugs>",
+  "Comma-separated list of pipeline slugs to bootstrap (default: all pipelines)"
+).option(
+  "--dry-run",
+  "Show what would be deployed without actually deploying"
+).option(
+  "--verbose",
+  "Enable verbose logging for debugging"
+).option(
+  "--endpoint-override <url>",
+  "Override the DevRamps API endpoint (for testing, e.g., http://localhost:3000)"
+).action(bootstrapCommand);
+program.parse();