@go-to-k/cdkd 0.10.0 → 0.12.0

package/dist/cli.js

@@ -450,7 +450,7 @@ var init_aws_clients = __esm({
 import { Command as Command10 } from "commander";
 
 // src/cli/commands/bootstrap.ts
-import { Command } from "commander";
+import { Command, Option as Option2 } from "commander";
 import {
   CreateBucketCommand,
   HeadBucketCommand,
@@ -476,13 +476,23 @@ function parseContextOptions(contextArgs) {
 }
 var commonOptions = [
   new Option("--verbose", "Enable verbose logging").default(false),
-  new Option("--region <region>", "AWS region"),
   new Option("--profile <profile>", "AWS profile"),
   new Option(
     "-y, --yes",
     "Automatically answer interactive prompts with the recommended response (e.g. confirm destroy)"
   ).default(false)
 ];
+var deprecatedRegionOption = new Option(
+  "--region <region>",
+  "[deprecated] No effect on this command; use AWS_REGION or your AWS profile"
+).hideHelp();
+function warnIfDeprecatedRegion(options) {
+  if (options.region !== void 0) {
+    process.stderr.write(
+      "Warning: --region is deprecated for this command and has no effect. Use the AWS_REGION environment variable or your AWS profile to override the SDK default region.\n"
+    );
+  }
+}
 var appOptions = [
   new Option(
     "-a, --app <command>",
@@ -971,7 +981,10 @@ function resolveStateBucket(cliBucket) {
   const bucket = cdkdContext?.["stateBucket"];
   return typeof bucket === "string" ? bucket : void 0;
 }
-function getDefaultStateBucketName(accountId, region) {
+function getDefaultStateBucketName(accountId) {
+  return `cdkd-state-${accountId}`;
+}
+function getLegacyStateBucketName(accountId, region) {
   return `cdkd-state-${accountId}-${region}`;
 }
 async function resolveStateBucketWithDefault(cliBucket, region) {
@@ -981,13 +994,48 @@ async function resolveStateBucketWithDefault(cliBucket, region) {
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
   const { GetCallerIdentityCommand: GetCallerIdentityCommand8 } = await import("@aws-sdk/client-sts");
+  const { S3Client: S3Client10 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
   const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
   const accountId = identity.Account;
-  const bucketName = getDefaultStateBucketName(accountId, region);
-  logger.info(`State bucket: ${bucketName}`);
-  return bucketName;
+  const newName = getDefaultStateBucketName(accountId);
+  const legacyName = getLegacyStateBucketName(accountId, region);
+  const probe = new S3Client10({ region: "us-east-1" });
+  try {
+    if (await bucketExists(probe, newName)) {
+      logger.info(`State bucket: ${newName}`);
+      return newName;
+    }
+    if (await bucketExists(probe, legacyName)) {
+      logger.warn(
+        `Using legacy state bucket name '${legacyName}'. The default has changed to '${newName}'. Future cdkd versions will drop legacy support; consider migrating with cdkd state migrate-bucket (coming in a future release).`
+      );
+      return legacyName;
+    }
+    throw new Error(
+      `No cdkd state bucket found for account ${accountId}. Looked for '${newName}' (current default) and '${legacyName}' (legacy default). Run 'cdkd bootstrap' to create '${newName}'.`
+    );
+  } finally {
+    probe.destroy();
+  }
+}
+async function bucketExists(client, bucketName) {
+  const { HeadBucketCommand: HeadBucketCommand3 } = await import("@aws-sdk/client-s3");
+  try {
+    await client.send(new HeadBucketCommand3({ Bucket: bucketName }));
+    return true;
+  } catch (error) {
+    const err = error;
+    const status = err.$metadata?.httpStatusCode;
+    if (err.name === "NotFound" || err.name === "NoSuchBucket" || status === 404) {
+      return false;
+    }
+    if (status === 301 || status === 403) {
+      return true;
+    }
+    throw error;
+  }
 }
 
 // src/cli/commands/bootstrap.ts
@@ -1015,14 +1063,14 @@ async function bootstrapCommand(options) {
     logger.info("No --state-bucket specified, resolving default bucket name...");
     const identity = await awsClients.sts.send(new GetCallerIdentityCommand({}));
     accountId = identity.Account;
-    bucketName = getDefaultStateBucketName(accountId, region);
+    bucketName = getDefaultStateBucketName(accountId);
     logger.info(`Using default state bucket: ${bucketName}`);
   }
   try {
-    let bucketExists = false;
+    let bucketExists2 = false;
     try {
       await s3Client.send(new HeadBucketCommand({ Bucket: bucketName }));
-      bucketExists = true;
+      bucketExists2 = true;
       logger.info(`Bucket ${bucketName} already exists`);
     } catch (error) {
       const err = error;
@@ -1032,7 +1080,7 @@ async function bootstrapCommand(options) {
         throw normalizeAwsError(error, { bucket: bucketName, operation: "HeadBucket" });
       }
     }
-    if (bucketExists) {
+    if (bucketExists2) {
       if (!options.force) {
         logger.warn(
           `Bucket ${bucketName} already exists. Use --force to reconfigure (this will not delete existing state)`
@@ -1119,8 +1167,17 @@ State bucket: ${bucketName}`);
 function createBootstrapCommand() {
   const cmd = new Command("bootstrap").description("Bootstrap cdkd by creating required S3 bucket for state management").option(
     "--state-bucket <bucket>",
-    "Name of S3 bucket to create for state storage (default: cdkd-state-{accountId}-{region})"
-  ).option("--force", "Force reconfiguration of existing bucket", false).action(withErrorHandling(bootstrapCommand));
+    "Name of S3 bucket to create for state storage (default: cdkd-state-{accountId})"
+  ).option("--force", "Force reconfiguration of existing bucket", false).addOption(
+    // Bootstrap-specific: needs to know which region to create the bucket
+    // in. After PR 5, `--region` is removed from `commonOptions` and only
+    // re-added explicitly here — every other command resolves the region
+    // from `AWS_REGION` / profile.
+    new Option2(
+      "--region <region>",
+      "AWS region in which to create the state bucket (defaults to AWS_REGION env or us-east-1)"
+    )
+  ).action(withErrorHandling(bootstrapCommand));
   commonOptions.forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
@@ -2455,6 +2512,7 @@ async function synthCommand(options) {
   if (options.verbose) {
     logger.setLevel("debug");
   }
+  warnIfDeprecatedRegion(options);
   const app = resolveApp(options.app);
   if (!app) {
     throw new Error(
@@ -2502,6 +2560,7 @@ Output: ${assemblyDir}`);
 function createSynthCommand() {
   const cmd = new Command2("synth").description("Synthesize CDK app to CloudFormation template").action(withErrorHandling(synthCommand));
   [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 
@@ -2584,6 +2643,7 @@ async function listCommand(patterns, options) {
   if (options.verbose) {
     logger.setLevel("debug");
   }
+  warnIfDeprecatedRegion(options);
   const app = resolveApp(options.app);
   if (!app) {
     throw new Error(
@@ -2649,6 +2709,7 @@ function createListCommand() {
     "Stack name pattern(s). Accepts physical CloudFormation names (e.g. 'MyStage-Api') or CDK display paths (e.g. 'MyStage/Api'). Supports wildcards (e.g. 'MyStage/*')."
   ).option("-l, --long", "Display environment information for each stack", false).option("-d, --show-dependencies", "Display stack dependency information for each stack", false).option("--json", "Output as JSON instead of YAML for --long / --show-dependencies", false).action(withErrorHandling(listCommand));
   [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 
@@ -28548,6 +28609,7 @@ async function deployCommand(stacks, options) {
     logger.setLevel("debug");
     process.env["CDKD_NO_LIVE"] = "1";
   }
+  warnIfDeprecatedRegion(options);
   if (!options.wait) {
     process.env["CDKD_NO_WAIT"] = "true";
   }
@@ -28797,6 +28859,7 @@ function createDeployCommand() {
     ...deployOptions,
     ...contextOptions
   ].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 
@@ -28865,6 +28928,7 @@ async function diffCommand(stacks, options) {
   if (options.verbose) {
     logger.setLevel("debug");
   }
+  warnIfDeprecatedRegion(options);
   const app = resolveApp(options.app);
   if (!app) {
     throw new Error(
@@ -29008,19 +29072,219 @@ function createDiffCommand() {
   [...commonOptions, ...appOptions, ...stateOptions, ...stackOptions, ...contextOptions].forEach(
     (opt) => cmd.addOption(opt)
   );
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 
 // src/cli/commands/destroy.ts
 import { Command as Command6 } from "commander";
 init_aws_clients();
+
+// src/cli/commands/destroy-runner.ts
 import * as readline from "node:readline/promises";
+init_aws_clients();
+async function runDestroyForStack(stackName, state, ctx) {
+  const logger = getLogger();
+  const result = {
+    stackName,
+    cancelled: false,
+    skippedEmpty: false,
+    deletedCount: 0,
+    errorCount: 0
+  };
+  const resourceCount = Object.keys(state.resources).length;
+  const regionForState = state.region ?? ctx.baseRegion;
+  if (resourceCount === 0) {
+    logger.info(`Stack ${stackName} has no resources, cleaning up state...`);
+    await ctx.stateBackend.deleteState(stackName, regionForState);
+    logger.info("\u2713 State deleted");
+    result.skippedEmpty = true;
+    return result;
+  }
+  logger.info(`
+Resources to be deleted (${resourceCount}):`);
+  for (const [logicalId, resource] of Object.entries(state.resources)) {
+    logger.info(`  - ${logicalId} (${resource.resourceType})`);
+  }
+  if (!ctx.skipConfirmation) {
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    const answer = await rl.question(
+      `
+Are you sure you want to destroy stack "${stackName}" and delete all ${resourceCount} resources? (Y/n): `
+    );
+    rl.close();
+    const trimmed = answer.trim().toLowerCase();
+    if (trimmed === "n" || trimmed === "no") {
+      logger.info("Destroy cancelled");
+      result.cancelled = true;
+      return result;
+    }
+  }
+  const stackRegion = state.region;
+  let destroyProviderRegistry = ctx.providerRegistry;
+  let destroyAwsClients;
+  if (stackRegion && stackRegion !== ctx.baseRegion) {
+    logger.info(`Stack region: ${stackRegion}`);
+    process.env["AWS_REGION"] = stackRegion;
+    process.env["AWS_DEFAULT_REGION"] = stackRegion;
+    destroyAwsClients = new AwsClients({
+      region: stackRegion,
+      ...ctx.profile && { profile: ctx.profile }
+    });
+    setAwsClients(destroyAwsClients);
+    destroyProviderRegistry = new ProviderRegistry();
+    registerAllProviders(destroyProviderRegistry);
+    destroyProviderRegistry.setCustomResourceResponseBucket(ctx.stateBucket);
+  }
+  logger.info(`
+Acquiring lock for stack ${stackName}...`);
+  await ctx.lockManager.acquireLock(stackName, regionForState, void 0, "destroy");
+  const renderer = getLiveRenderer();
+  renderer.start();
+  try {
+    logger.info("Building dependency graph...");
+    const template = {
+      AWSTemplateFormatVersion: "2010-09-09",
+      Resources: {}
+    };
+    for (const [logicalId, resource] of Object.entries(state.resources)) {
+      template.Resources[logicalId] = {
+        Type: resource.resourceType,
+        Properties: resource.properties || {},
+        ...resource.dependencies && resource.dependencies.length > 0 && {
+          DependsOn: resource.dependencies
+        }
+      };
+    }
+    const typeToLogicalIds = /* @__PURE__ */ new Map();
+    for (const [logicalId, resource] of Object.entries(state.resources)) {
+      const ids = typeToLogicalIds.get(resource.resourceType) ?? [];
+      ids.push(logicalId);
+      typeToLogicalIds.set(resource.resourceType, ids);
+    }
+    for (const [logicalId, resource] of Object.entries(state.resources)) {
+      const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
+      if (!mustDeleteAfter)
+        continue;
+      for (const depType of mustDeleteAfter) {
+        const depIds = typeToLogicalIds.get(depType);
+        if (!depIds)
+          continue;
+        for (const depId of depIds) {
+          const existing = template.Resources[depId]?.DependsOn ?? [];
+          const depsArray = Array.isArray(existing) ? existing : [existing];
+          if (!depsArray.includes(logicalId)) {
+            template.Resources[depId] = {
+              ...template.Resources[depId],
+              DependsOn: [...depsArray, logicalId]
+            };
+            logger.debug(
+              `Implicit delete dependency: ${depId} (${depType}) must be deleted before ${logicalId} (${resource.resourceType})`
+            );
+          }
+        }
+      }
+    }
+    const dagBuilder = new DagBuilder();
+    const graph = dagBuilder.buildGraph(template);
+    const executionLevels = dagBuilder.getExecutionLevels(graph);
+    logger.debug(`Dependency graph: ${executionLevels.length} level(s)`);
+    for (let levelIndex = executionLevels.length - 1; levelIndex >= 0; levelIndex--) {
+      const level = executionLevels[levelIndex];
+      if (!level)
+        continue;
+      logger.debug(
+        `Deletion level ${executionLevels.length - levelIndex}/${executionLevels.length} (${level.length} resources)`
+      );
+      const deletePromises = level.map(async (logicalId) => {
+        const resource = state.resources[logicalId];
+        if (!resource) {
+          logger.warn(`Resource ${logicalId} not found in state, skipping`);
+          return;
+        }
+        renderer.addTask(logicalId, `Deleting ${logicalId} (${resource.resourceType})`);
+        try {
+          const provider = destroyProviderRegistry.getProvider(resource.resourceType);
+          let lastDeleteError;
+          for (let attempt = 0; attempt <= 3; attempt++) {
+            try {
+              await provider.delete(
+                logicalId,
+                resource.physicalId,
+                resource.resourceType,
+                resource.properties
+              );
+              lastDeleteError = null;
+              break;
+            } catch (retryError) {
+              lastDeleteError = retryError;
+              const msg = retryError instanceof Error ? retryError.message : String(retryError);
+              const isRetryable = msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation");
+              if (!isRetryable || attempt >= 3)
+                break;
+              const delay = 5e3 * Math.pow(2, attempt);
+              logger.debug(
+                `  \u23F3 Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/3)`
+              );
+              await new Promise((resolve4) => setTimeout(resolve4, delay));
+            }
+          }
+          if (lastDeleteError)
+            throw lastDeleteError;
+          renderer.removeTask(logicalId);
+          logger.info(`  \u2705 ${logicalId} (${resource.resourceType}) deleted`);
+          result.deletedCount++;
+        } catch (error) {
+          renderer.removeTask(logicalId);
+          const msg = error instanceof Error ? error.message : String(error);
+          if (msg.includes("does not exist") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException")) {
+            logger.debug(`  ${logicalId} already deleted, removing from state`);
+            result.deletedCount++;
+          } else {
+            logger.error(`  \u2717 Failed to delete ${logicalId}:`, String(error));
+            result.errorCount++;
+          }
+        } finally {
+          renderer.removeTask(logicalId);
+        }
+      });
+      await Promise.all(deletePromises);
+    }
+    if (result.errorCount === 0) {
+      await ctx.stateBackend.deleteState(stackName, regionForState);
+      logger.debug("State deleted");
+    } else {
+      logger.warn(`${result.errorCount} resource(s) failed to delete. State preserved.`);
+    }
+    logger.info(
+      `
+\u2713 Stack ${stackName} destroyed (${result.deletedCount} deleted, ${result.errorCount} errors)`
+    );
+  } finally {
+    renderer.stop();
+    logger.debug("Releasing lock...");
+    await ctx.lockManager.releaseLock(stackName, regionForState);
+    if (destroyAwsClients) {
+      destroyAwsClients.destroy();
+      process.env["AWS_REGION"] = ctx.baseRegion;
+      process.env["AWS_DEFAULT_REGION"] = ctx.baseRegion;
+      setAwsClients(ctx.baseAwsClients);
+    }
+  }
+  return result;
+}
+
+// src/cli/commands/destroy.ts
 async function destroyCommand(stackArgs, options) {
   const logger = getLogger();
   if (options.verbose) {
     logger.setLevel("debug");
     process.env["CDKD_NO_LIVE"] = "1";
   }
+  warnIfDeprecatedRegion(options);
   const region = options.region || process.env["AWS_REGION"] || "us-east-1";
   const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
   logger.info("Starting stack destruction...");
@@ -29045,7 +29309,6 @@ async function destroyCommand(stackArgs, options) {
     });
     await stateBackend.verifyBucketExists();
     const lockManager = new LockManager(awsClients.s3, stateConfig);
-    const dagBuilder = new DagBuilder();
     const providerRegistry = new ProviderRegistry();
     registerAllProviders(providerRegistry);
     providerRegistry.setCustomResourceResponseBucket(stateBucket);
@@ -29145,189 +29408,16 @@ Preparing to destroy stack: ${stackName}`);
         logger.warn(`No state found for stack ${stackName}, skipping`);
         continue;
       }
-      const currentState = stateResult.state;
-      const resourceCount = Object.keys(currentState.resources).length;
-      if (resourceCount === 0) {
-        logger.info(`Stack ${stackName} has no resources, cleaning up state...`);
-        await stateBackend.deleteState(stackName, stackTargetRegion);
-        logger.info("\u2713 State deleted");
-        continue;
-      }
-      logger.info(`
-Resources to be deleted (${resourceCount}):`);
-      for (const [logicalId, resource] of Object.entries(currentState.resources)) {
-        logger.info(`  - ${logicalId} (${resource.resourceType})`);
-      }
-      if (!options.yes && !options.force) {
-        const rl = readline.createInterface({
-          input: process.stdin,
-          output: process.stdout
-        });
-        const answer = await rl.question(
-          `
-Are you sure you want to destroy stack "${stackName}" and delete all ${resourceCount} resources? (Y/n): `
-        );
-        rl.close();
-        const trimmed = answer.trim().toLowerCase();
-        if (trimmed === "n" || trimmed === "no") {
-          logger.info("Destroy cancelled");
-          continue;
-        }
-      }
-      const stackRegion = stackTargetRegion;
-      let destroyProviderRegistry = providerRegistry;
-      let destroyAwsClients;
-      if (stackRegion && stackRegion !== region) {
-        logger.info(`Stack region: ${stackRegion}`);
-        process.env["AWS_REGION"] = stackRegion;
-        process.env["AWS_DEFAULT_REGION"] = stackRegion;
-        destroyAwsClients = new AwsClients({
-          region: stackRegion,
-          ...options.profile && { profile: options.profile }
-        });
-        setAwsClients(destroyAwsClients);
-        destroyProviderRegistry = new ProviderRegistry();
-        registerAllProviders(destroyProviderRegistry);
-        destroyProviderRegistry.setCustomResourceResponseBucket(stateBucket);
-      }
-      logger.info(`
-Acquiring lock for stack ${stackName}...`);
-      await lockManager.acquireLock(stackName, stackRegion, void 0, "destroy");
-      const renderer = getLiveRenderer();
-      renderer.start();
-      try {
-        logger.info("Building dependency graph...");
-        const template = {
-          AWSTemplateFormatVersion: "2010-09-09",
-          Resources: {}
-        };
-        for (const [logicalId, resource] of Object.entries(currentState.resources)) {
-          template.Resources[logicalId] = {
-            Type: resource.resourceType,
-            Properties: resource.properties || {},
-            ...resource.dependencies && resource.dependencies.length > 0 && {
-              DependsOn: resource.dependencies
-            }
-          };
-        }
-        const typeToLogicalIds = /* @__PURE__ */ new Map();
-        for (const [logicalId, resource] of Object.entries(currentState.resources)) {
-          const ids = typeToLogicalIds.get(resource.resourceType) ?? [];
-          ids.push(logicalId);
-          typeToLogicalIds.set(resource.resourceType, ids);
-        }
-        for (const [logicalId, resource] of Object.entries(currentState.resources)) {
-          const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
-          if (!mustDeleteAfter)
-            continue;
-          for (const depType of mustDeleteAfter) {
-            const depIds = typeToLogicalIds.get(depType);
-            if (!depIds)
-              continue;
-            for (const depId of depIds) {
-              const existing = template.Resources[depId]?.DependsOn ?? [];
-              const depsArray = Array.isArray(existing) ? existing : [existing];
-              if (!depsArray.includes(logicalId)) {
-                template.Resources[depId] = {
-                  ...template.Resources[depId],
-                  DependsOn: [...depsArray, logicalId]
-                };
-                logger.debug(
-                  `Implicit delete dependency: ${depId} (${depType}) must be deleted before ${logicalId} (${resource.resourceType})`
-                );
-              }
-            }
-          }
-        }
-        const graph = dagBuilder.buildGraph(template);
-        const executionLevels = dagBuilder.getExecutionLevels(graph);
-        logger.debug(`Dependency graph: ${executionLevels.length} level(s)`);
-        let deletedCount = 0;
-        let errorCount = 0;
-        for (let levelIndex = executionLevels.length - 1; levelIndex >= 0; levelIndex--) {
-          const level = executionLevels[levelIndex];
-          if (!level) {
-            continue;
-          }
-          logger.debug(
-            `Deletion level ${executionLevels.length - levelIndex}/${executionLevels.length} (${level.length} resources)`
-          );
-          const deletePromises = level.map(async (logicalId) => {
-            const resource = currentState.resources[logicalId];
-            if (!resource) {
-              logger.warn(`Resource ${logicalId} not found in state, skipping`);
-              return;
-            }
-            renderer.addTask(logicalId, `Deleting ${logicalId} (${resource.resourceType})`);
-            try {
-              const provider = destroyProviderRegistry.getProvider(resource.resourceType);
-              let lastDeleteError;
-              for (let attempt = 0; attempt <= 3; attempt++) {
-                try {
-                  await provider.delete(
-                    logicalId,
-                    resource.physicalId,
-                    resource.resourceType,
-                    resource.properties,
-                    { expectedRegion: currentState.region }
-                  );
-                  lastDeleteError = null;
-                  break;
-                } catch (retryError) {
-                  lastDeleteError = retryError;
-                  const msg = retryError instanceof Error ? retryError.message : String(retryError);
-                  const isRetryable = msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation");
-                  if (!isRetryable || attempt >= 3)
-                    break;
-                  const delay = 5e3 * Math.pow(2, attempt);
-                  logger.debug(
-                    `  \u23F3 Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/3)`
-                  );
-                  await new Promise((resolve4) => setTimeout(resolve4, delay));
-                }
-              }
-              if (lastDeleteError)
-                throw lastDeleteError;
-              renderer.removeTask(logicalId);
-              logger.info(`  \u2705 ${logicalId} (${resource.resourceType}) deleted`);
-              deletedCount++;
-            } catch (error) {
-              renderer.removeTask(logicalId);
-              const msg = error instanceof Error ? error.message : String(error);
-              if (msg.includes("does not exist") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException")) {
-                logger.debug(`  ${logicalId} already deleted, removing from state`);
-                deletedCount++;
-              } else {
-                logger.error(`  \u2717 Failed to delete ${logicalId}:`, String(error));
-                errorCount++;
-              }
-            } finally {
-              renderer.removeTask(logicalId);
-            }
-          });
-          await Promise.all(deletePromises);
-        }
-        if (errorCount === 0) {
-          await stateBackend.deleteState(stackName, stackRegion);
-          logger.debug("State deleted");
-        } else {
-          logger.warn(`${errorCount} resource(s) failed to delete. State preserved.`);
-        }
-        logger.info(
-          `
-\u2713 Stack ${stackName} destroyed (${deletedCount} deleted, ${errorCount} errors)`
-        );
-      } finally {
-        renderer.stop();
-        logger.debug("Releasing lock...");
-        await lockManager.releaseLock(stackName, stackRegion);
-        if (destroyAwsClients) {
-          destroyAwsClients.destroy();
-          process.env["AWS_REGION"] = region;
-          process.env["AWS_DEFAULT_REGION"] = region;
-          setAwsClients(awsClients);
-        }
-      }
+      await runDestroyForStack(stackName, stateResult.state, {
+        stateBackend,
+        lockManager,
+        providerRegistry,
+        baseAwsClients: awsClients,
+        baseRegion: region,
+        ...options.profile && { profile: options.profile },
+        stateBucket,
+        skipConfirmation: options.yes || options.force
+      });
     }
   } finally {
     awsClients.destroy();
@@ -29346,16 +29436,18 @@ function createDestroyCommand() {
     ...destroyOptions,
     ...contextOptions
   ].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 
 // src/cli/commands/publish-assets.ts
-import { Option as Option2, Command as Command7 } from "commander";
+import { Option as Option3, Command as Command7 } from "commander";
 async function publishAssetsCommand(options) {
   const logger = getLogger();
   if (options.verbose) {
     logger.setLevel("debug");
   }
+  warnIfDeprecatedRegion(options);
   logger.info("Publishing assets...");
   logger.debug("Asset manifest path:", options.path);
   const publisher = new AssetPublisher();
@@ -29369,25 +29461,27 @@ async function publishAssetsCommand(options) {
 }
 function createPublishAssetsCommand() {
   const cmd = new Command7("publish-assets").description("Publish assets to S3/ECR from asset manifest").requiredOption("--path <path>", "Path to asset manifest file or directory").addOption(
-    new Option2(
+    new Option3(
       "--asset-publish-concurrency <number>",
       "Maximum concurrent asset publish operations"
     ).default(8).argParser((value) => parseInt(value, 10))
   ).addOption(
-    new Option2("--image-build-concurrency <number>", "Maximum concurrent Docker image builds").default(4).argParser((value) => parseInt(value, 10))
+    new Option3("--image-build-concurrency <number>", "Maximum concurrent Docker image builds").default(4).argParser((value) => parseInt(value, 10))
   ).action(withErrorHandling(publishAssetsCommand));
   commonOptions.forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 
 // src/cli/commands/force-unlock.ts
-import { Command as Command8, Option as Option3 } from "commander";
+import { Command as Command8, Option as Option4 } from "commander";
 init_aws_clients();
 async function forceUnlockCommand(stackArgs, options) {
   const logger = getLogger();
   if (options.verbose) {
     logger.setLevel("debug");
   }
+  warnIfDeprecatedRegion(options);
   const stackPatterns = stackArgs.length > 0 ? stackArgs : options.stack ? [options.stack] : [];
   if (stackPatterns.length === 0) {
     throw new Error("Stack name is required. Usage: cdkd force-unlock <stack-name>");
@@ -29441,18 +29535,19 @@ async function forceUnlockCommand(stackArgs, options) {
 }
 function createForceUnlockCommand() {
   const cmd = new Command8("force-unlock").description("Force-release a stale lock on a stack").argument("[stacks...]", "Stack name(s) to unlock").addOption(
-    new Option3(
+    new Option4(
       "--stack-region <region>",
       "Stack region whose lock to release (use when the same stack name has locks in multiple regions). Defaults to all regions where the stack has state."
     )
   ).action(withErrorHandling(forceUnlockCommand));
   [...commonOptions, ...stateOptions, ...stackOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 
 // src/cli/commands/state.ts
 import * as readline2 from "node:readline/promises";
-import { Command as Command9, Option as Option4 } from "commander";
+import { Command as Command9, Option as Option5 } from "commander";
 init_aws_clients();
 function formatStackRef(ref) {
   return ref.region ? `${ref.stackName} (${ref.region})` : ref.stackName;
@@ -29482,6 +29577,7 @@ function resolveSingleRegion(stackName, refs, requestedRegion) {
   );
 }
 async function setupStateBackend(options) {
+  warnIfDeprecatedRegion(options);
   const awsClients = new AwsClients({
     ...options.region && { region: options.region },
     ...options.profile && { profile: options.profile }
@@ -29500,6 +29596,8 @@ async function setupStateBackend(options) {
   return {
     stateBackend,
     lockManager,
+    awsClients,
+    region,
     bucket,
     prefix,
     dispose: () => awsClients.destroy()
@@ -29590,6 +29688,7 @@ async function stateListCommand(options) {
 function createStateListCommand() {
   const cmd = new Command9("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 async function stateResourcesCommand(stackName, options) {
@@ -29693,6 +29792,7 @@ function formatLockSummary(lockInfo) {
 function createStateResourcesCommand() {
   const cmd = new Command9("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateResourcesCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 async function stateShowCommand(stackName, options) {
@@ -29780,6 +29880,7 @@ async function stateShowCommand(stackName, options) {
 function createStateShowCommand() {
   const cmd = new Command9("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateShowCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 async function stateRmCommand(stackArgs, options) {
@@ -29854,7 +29955,7 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
   }
 }
 function stackRegionOption() {
-  return new Option4(
+  return new Option5(
     "--stack-region <region>",
     "Region of the stack record to operate on. Required when the same stack name has state in multiple regions."
   );
@@ -29862,6 +29963,147 @@ function stackRegionOption() {
 function createStateRmCommand() {
   const cmd = new Command9("rm").description("Remove cdkd state for one or more stacks (does NOT delete AWS resources)").argument("<stacks...>", "Stack name(s) to remove from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption()).action(withErrorHandling(stateRmCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
+  return cmd;
+}
+async function stateDestroyCommand(stackArgs, options) {
+  const logger = getLogger();
+  if (options.verbose) {
+    logger.setLevel("debug");
+    process.env["CDKD_NO_LIVE"] = "1";
+  }
+  if (!options.all && stackArgs.length === 0) {
+    throw new Error(
+      "Stack name is required. Usage: cdkd state destroy <stack> [<stack>...] | --all"
+    );
+  }
+  const setup = await setupStateBackend(options);
+  const providerRegistry = new ProviderRegistry();
+  registerAllProviders(providerRegistry);
+  providerRegistry.setCustomResourceResponseBucket(setup.bucket);
+  try {
+    const stateRefs = await setup.stateBackend.listStacks();
+    const knownStackNames = new Set(stateRefs.map((r) => r.stackName));
+    let stackNames;
+    if (options.all) {
+      stackNames = [...knownStackNames].sort();
+      if (stackNames.length === 0) {
+        logger.info("No stacks found in state");
+        return;
+      }
+    } else {
+      const missing = stackArgs.filter((name) => !knownStackNames.has(name));
+      if (missing.length > 0) {
+        throw new Error(
+          `No state found for stack(s): ${missing.join(", ")}. Run 'cdkd state list' to see available stacks.`
+        );
+      }
+      stackNames = stackArgs;
+    }
+    if (options.all && !options.yes) {
+      process.stdout.write(
+        `
+WARNING: This destroys ${stackNames.length} stack(s) and removes their state records:
+`
+      );
+      for (const name of stackNames) {
+        process.stdout.write(`  - ${name}
+`);
+      }
+      process.stdout.write("\n");
+      const rl = readline2.createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      const answer = await rl.question(`Destroy all ${stackNames.length} stack(s)? (y/N): `);
+      rl.close();
+      const trimmed = answer.trim().toLowerCase();
+      if (trimmed !== "y" && trimmed !== "yes") {
+        logger.info("Destroy cancelled");
+        return;
+      }
+    }
+    logger.info(`Found ${stackNames.length} stack(s) to destroy: ${stackNames.join(", ")}`);
+    let totalErrors = 0;
+    for (const stackName of stackNames) {
+      const refs = stateRefs.filter((r) => r.stackName === stackName);
+      let targets;
+      if (options.stackRegion) {
+        targets = refs.filter((r) => r.region === options.stackRegion || !r.region);
+        if (targets.length === 0) {
+          logger.warn(
+            `Skipping ${stackName}: no state record matches --stack-region '${options.stackRegion}'`
+          );
+          continue;
+        }
+      } else if (refs.length === 1) {
+        targets = refs;
+      } else {
+        const regions = refs.map((r) => r.region ?? "(legacy)").join(", ");
+        throw new Error(
+          `Stack '${stackName}' has state in multiple regions: ${regions}. Use --region <region> to pick one.`
+        );
+      }
+      for (const ref of targets) {
+        logger.info(
+          `
+Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
+        );
+        const stateResult = await setup.stateBackend.getState(
+          stackName,
+          ref.region ?? setup.region
+        );
+        if (!stateResult) {
+          logger.warn(
+            `No state found for stack ${stackName}${ref.region ? ` in ${ref.region}` : ""}, skipping`
+          );
+          continue;
+        }
+        const result = await runDestroyForStack(stackName, stateResult.state, {
+          stateBackend: setup.stateBackend,
+          lockManager: setup.lockManager,
+          providerRegistry,
+          baseAwsClients: setup.awsClients,
+          baseRegion: setup.region,
+          ...options.profile && { profile: options.profile },
+          stateBucket: setup.bucket,
+          // --yes covers both the --all batch prompt above (already consumed)
+          // and the per-stack prompt inside the runner. Per-stack prompts are
+          // skipped when `options.yes` is set OR `--all` was set (the user
+          // already accepted the batch prompt).
+          skipConfirmation: options.yes || options.all === true
+        });
+        totalErrors += result.errorCount;
+      }
+    }
+    if (totalErrors > 0) {
+      throw new Error(
+        `Destroy completed with ${totalErrors} resource error(s). Inspect 'cdkd state show <stack>' and re-run.`
+      );
+    }
+  } finally {
+    setup.dispose();
+  }
+}
+function createStateDestroyCommand() {
+  const cmd = new Command9("destroy").description(
+    "Destroy a stack's AWS resources and remove its state record without requiring the CDK app. For removing only the state record (keeping AWS resources intact), use 'cdkd state rm'."
+  ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).addOption(stackRegionOption()).addHelpText(
+    "after",
+    [
+      "",
+      "Examples:",
+      "  cdkd state destroy MyStack",
+      "  cdkd state destroy MyStack OtherStack",
+      "  cdkd state destroy --all -y",
+      "  cdkd state destroy MyStack --state-bucket cdkd-state-test",
+      "  cdkd state destroy MyStack --stack-region us-west-2",
+      "",
+      "For removing only the state record (keeping AWS resources intact), use 'cdkd state rm'."
+    ].join("\n")
+  ).action(withErrorHandling(stateDestroyCommand));
+  [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 function createStateCommand() {
@@ -29870,6 +30112,7 @@ function createStateCommand() {
   cmd.addCommand(createStateResourcesCommand());
   cmd.addCommand(createStateShowCommand());
   cmd.addCommand(createStateRmCommand());
+  cmd.addCommand(createStateDestroyCommand());
   return cmd;
 }
 
@@ -29898,7 +30141,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command10();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.10.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.12.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());