@go-to-k/cdkd 0.102.7 → 0.103.1

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-DGKtcKF6.js";
+import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-D6nbHjNM.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -9,7 +9,7 @@ import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesComman
 import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
-import { CreateTableCommand, DeleteTableCommand, DescribeTableCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand } from "@aws-sdk/client-dynamodb";
+import { CreateTableCommand, DeleteTableCommand, DescribeTableCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, DescribeStackEventsCommand, DescribeStackResourcesCommand, DescribeStacksCommand, DescribeTypeCommand, ExecuteChangeSetCommand, GetTemplateCommand, UpdateStackCommand, waitUntilChangeSetCreateComplete, waitUntilStackDeleteComplete, waitUntilStackImportComplete, waitUntilStackUpdateComplete } from "@aws-sdk/client-cloudformation";
 import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, CreateResourceCommand, CreateStageCommand, DeleteAuthorizerCommand, DeleteDeploymentCommand, DeleteMethodCommand, DeleteResourceCommand, DeleteStageCommand, GetAccountCommand, GetAuthorizerCommand, GetDeploymentCommand, GetMethodCommand, GetResourceCommand, GetStageCommand, NotFoundException as NotFoundException$1, PutIntegrationCommand, PutIntegrationResponseCommand, PutMethodCommand, PutMethodResponseCommand, TagResourceCommand as TagResourceCommand$3, UntagResourceCommand as UntagResourceCommand$3, UpdateAccountCommand, UpdateAuthorizerCommand, UpdateMethodCommand, UpdateStageCommand } from "@aws-sdk/client-api-gateway";
 import { CreateEventBusCommand, DeleteEventBusCommand, DeleteRuleCommand, DescribeEventBusCommand, DescribeRuleCommand, EventBridgeClient, ListEventBusesCommand, ListRulesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$1, ListTargetsByRuleCommand, PutRuleCommand, PutTargetsCommand, RemoveTargetsCommand, ResourceNotFoundException as ResourceNotFoundException$2, TagResourceCommand as TagResourceCommand$4, UntagResourceCommand as UntagResourceCommand$4, UpdateEventBusCommand } from "@aws-sdk/client-eventbridge";
@@ -30,14 +30,14 @@ import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCo
 import { promisify } from "node:util";
 import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
 import graphlib from "graphlib";
+import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBSubnetGroupCommand, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBSubnetGroupCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBSubnetGroupCommand, RDSClient, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
 import { Command, Option } from "commander";
 import { writeFileSync as writeFileSync$1 } from "fs";
 import { join as join$1 } from "path";
 import * as zlib from "node:zlib";
 import { ApiGatewayV2Client, CreateApiCommand, CreateAuthorizerCommand as CreateAuthorizerCommand$1, CreateIntegrationCommand, CreateRouteCommand as CreateRouteCommand$1, CreateStageCommand as CreateStageCommand$1, DeleteApiCommand, DeleteAuthorizerCommand as DeleteAuthorizerCommand$1, DeleteIntegrationCommand, DeleteRouteCommand as DeleteRouteCommand$1, DeleteStageCommand as DeleteStageCommand$1, GetApiCommand, GetApisCommand, GetAuthorizerCommand as GetAuthorizerCommand$1, GetIntegrationCommand, GetRouteCommand, GetStageCommand as GetStageCommand$1, NotFoundException as NotFoundException$3, UpdateApiCommand, UpdateAuthorizerCommand as UpdateAuthorizerCommand$1, UpdateIntegrationCommand, UpdateRouteCommand, UpdateStageCommand as UpdateStageCommand$1 } from "@aws-sdk/client-apigatewayv2";
-import { CreateStateMachineCommand, DeleteStateMachineCommand, DescribeStateMachineCommand, ListStateMachinesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, SFNClient, StateMachineDoesNotExist, TagResourceCommand as TagResourceCommand$10, UntagResourceCommand as UntagResourceCommand$9, UpdateStateMachineCommand } from "@aws-sdk/client-sfn";
-import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, DeleteServiceCommand, DeregisterTaskDefinitionCommand, DescribeClustersCommand, DescribeServicesCommand, DescribeTaskDefinitionCommand, ECSClient, ListClustersCommand, ListServicesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$9, PutClusterCapacityProvidersCommand, RegisterTaskDefinitionCommand, TagResourceCommand as TagResourceCommand$11, UntagResourceCommand as UntagResourceCommand$10, UpdateClusterCommand, UpdateServiceCommand } from "@aws-sdk/client-ecs";
-import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBSubnetGroupCommand, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBSubnetGroupCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$10, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBSubnetGroupCommand, RDSClient, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
+import { CreateStateMachineCommand, DeleteStateMachineCommand, DescribeStateMachineCommand, ListStateMachinesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$9, SFNClient, StateMachineDoesNotExist, TagResourceCommand as TagResourceCommand$10, UntagResourceCommand as UntagResourceCommand$9, UpdateStateMachineCommand } from "@aws-sdk/client-sfn";
+import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, DeleteServiceCommand, DeregisterTaskDefinitionCommand, DescribeClustersCommand, DescribeServicesCommand, DescribeTaskDefinitionCommand, ECSClient, ListClustersCommand, ListServicesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$10, PutClusterCapacityProvidersCommand, RegisterTaskDefinitionCommand, TagResourceCommand as TagResourceCommand$11, UntagResourceCommand as UntagResourceCommand$10, UpdateClusterCommand, UpdateServiceCommand } from "@aws-sdk/client-ecs";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$2, CreateDBClusterCommand as CreateDBClusterCommand$1, CreateDBInstanceCommand as CreateDBInstanceCommand$1, CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand$1, DeleteDBClusterCommand as DeleteDBClusterCommand$1, DeleteDBInstanceCommand as DeleteDBInstanceCommand$1, DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand$1, DescribeDBClustersCommand as DescribeDBClustersCommand$1, DescribeDBInstancesCommand as DescribeDBInstancesCommand$1, DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand$1, DocDBClient, ListTagsForResourceCommand as ListTagsForResourceCommand$11, ModifyDBClusterCommand as ModifyDBClusterCommand$1, ModifyDBInstanceCommand as ModifyDBInstanceCommand$1, ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand$1, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$2 } from "@aws-sdk/client-docdb";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$3, CreateDBClusterCommand as CreateDBClusterCommand$2, CreateDBInstanceCommand as CreateDBInstanceCommand$2, CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand$2, DeleteDBClusterCommand as DeleteDBClusterCommand$2, DeleteDBInstanceCommand as DeleteDBInstanceCommand$2, DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand$2, DescribeDBClustersCommand as DescribeDBClustersCommand$2, DescribeDBInstancesCommand as DescribeDBInstancesCommand$2, DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand$2, ListTagsForResourceCommand as ListTagsForResourceCommand$12, ModifyDBClusterCommand as ModifyDBClusterCommand$2, ModifyDBInstanceCommand as ModifyDBInstanceCommand$2, ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand$2, NeptuneClient, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$3 } from "@aws-sdk/client-neptune";
 import { CreateWebACLCommand, DeleteWebACLCommand, GetWebACLCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$13, ListWebACLsCommand, TagResourceCommand as TagResourceCommand$12, UntagResourceCommand as UntagResourceCommand$11, UpdateWebACLCommand, WAFNonexistentItemException, WAFV2Client } from "@aws-sdk/client-wafv2";
@@ -7839,6 +7839,524 @@ var DynamoDBTableProvider = class {
 	}
 };
 
+//#endregion
+//#region src/provisioning/providers/dynamodb-globaltable-provider.ts
+/**
+* AWS DynamoDB GlobalTable Provider
+*
+* Implements resource provisioning for AWS::DynamoDB::GlobalTable using the
+* standard DynamoDB SDK (2019.11.21 API generation, NOT the legacy
+* 2017.11.29 endpoints). CDK v2's `dynamodb.TableV2` construct synthesizes
+* as this type.
+*
+* WHY a dedicated SDK provider:
+*   - Pre-PR the type fell through to Cloud Control API which did not pass
+*     a `TableName` field, so AWS auto-generated random names like
+*     `yq2phLewTEUtzr4sy2gYFRU4I-1OGJ0UFLOKOOV` instead of the cdkd
+*     `${stackName}-X<hash>` shape (Issue #383).
+*   - Per memory rule `feedback_dedicated_provider_over_special_case.md`,
+*     the consistent fix is a dedicated SDK Provider rather than adding
+*     the type to `FALLBACK_NAME_RULES`.
+*
+* **CRITICAL**: do NOT use the legacy 2017.11.29 endpoints
+* (`CreateGlobalTableCommand` / `UpdateGlobalTableCommand` /
+* `DescribeGlobalTableCommand`). The CFn type `AWS::DynamoDB::GlobalTable`
+* is the 2019.11.21 generation, which uses the regular DynamoDB CRUD API
+* (`CreateTableCommand` + `UpdateTableCommand` with `ReplicaUpdates`).
+*
+* MVP scope:
+*  - `update()` throws `ResourceUpdateNotSupportedError`. In-place GlobalTable
+*    updates (replica add/remove, GSI add/remove, BillingMode flip, throughput
+*    rewrites) are out of scope and a follow-up PR.
+*  - `getDriftUnknownPaths` declares TTL + throughput-settings paths because
+*    cdkd's create/update flows surface them but the read-side reverse
+*    mapping is non-trivial and would fire false drift.
+*  - Per-replica drift (`ContributorInsightsSpecification` /
+*    `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`) is
+*    out of scope for v1.
+*/
+var DynamoDBGlobalTableProvider = class {
+	dynamoDBClient;
+	logger = getLogger().child("DynamoDBGlobalTableProvider");
+	attributeCache = /* @__PURE__ */ new Map();
+	handledProperties = new Map([["AWS::DynamoDB::GlobalTable", new Set([
+		"TableName",
+		"KeySchema",
+		"AttributeDefinitions",
+		"BillingMode",
+		"StreamSpecification",
+		"GlobalSecondaryIndexes",
+		"LocalSecondaryIndexes",
+		"SSESpecification",
+		"Replicas",
+		"TableClass",
+		"TimeToLiveSpecification",
+		"WriteProvisionedThroughputSettings",
+		"WriteOnDemandThroughputSettings",
+		"DeletionProtectionEnabled",
+		"Tags"
+	])]]);
+	constructor() {
+		const awsClients = getAwsClients();
+		this.dynamoDBClient = awsClients.dynamoDB;
+	}
+	/**
+	* Create a DynamoDB Global Table (CDK TableV2).
+	*
+	* GlobalTable is built on the regular DynamoDB Table primitive: cdkd issues
+	* `CreateTableCommand` first (which only creates the table in the local
+	* region), waits for `ACTIVE`, then issues one `UpdateTableCommand` per
+	* additional replica region via `ReplicaUpdates: [{ Create: {...} }]`.
+	*
+	* Streams must be enabled with `NEW_AND_OLD_IMAGES` when the table has any
+	* cross-region replicas — AWS rejects the replica-add otherwise. cdkd
+	* auto-enables them with an info log when the template omits it.
+	*
+	* Partial-create cleanup (PR #374-class): if any post-`CreateTableCommand`
+	* wiring (wait ACTIVE → replica adds → TTL → Tags) throws, cdkd issues a
+	* best-effort `DeleteTableCommand` so AWS is not left holding a billing
+	* orphan with no cdkd state record. Cleanup failures escalate to WARN
+	* with the exact `aws dynamodb delete-table --table-name <id>` recovery
+	* command.
+	*/
+	async create(logicalId, resourceType, properties) {
+		this.logger.debug(`Creating DynamoDB GlobalTable ${logicalId}`);
+		const tableName = properties["TableName"] || generateResourceName(logicalId, { maxLength: 255 });
+		const keySchema = properties["KeySchema"];
+		const attributeDefinitions = properties["AttributeDefinitions"];
+		if (!keySchema) throw new ProvisioningError(`KeySchema is required for DynamoDB GlobalTable ${logicalId}`, resourceType, logicalId);
+		if (!attributeDefinitions) throw new ProvisioningError(`AttributeDefinitions is required for DynamoDB GlobalTable ${logicalId}`, resourceType, logicalId);
+		const billingMode = properties["BillingMode"] ?? "PAY_PER_REQUEST";
+		const currentRegion = await this.dynamoDBClient.config.region() ?? "";
+		const replicas = properties["Replicas"] ?? [];
+		const createParams = {
+			TableName: tableName,
+			KeySchema: keySchema,
+			AttributeDefinitions: attributeDefinitions,
+			BillingMode: billingMode
+		};
+		if (billingMode === "PROVISIONED") {
+			const writeAutoScaling = properties["WriteProvisionedThroughputSettings"]?.["WriteCapacityAutoScalingSettings"];
+			const writeCapacity = Number(writeAutoScaling?.["MinCapacity"] ?? 5);
+			const readAutoScaling = (replicas.find((r) => r["Region"] === currentRegion)?.["ReadProvisionedThroughputSettings"])?.["ReadCapacityAutoScalingSettings"];
+			createParams.ProvisionedThroughput = {
+				ReadCapacityUnits: Number(readAutoScaling?.["MinCapacity"] ?? 5),
+				WriteCapacityUnits: writeCapacity
+			};
+		}
+		const streamSpecInput = properties["StreamSpecification"];
+		const needsStream = replicas.some((r) => r["Region"] !== currentRegion) || replicas.length > 1;
+		if (streamSpecInput) createParams.StreamSpecification = {
+			StreamEnabled: true,
+			StreamViewType: streamSpecInput["StreamViewType"] ?? "NEW_AND_OLD_IMAGES"
+		};
+		else if (needsStream) {
+			this.logger.info(`Auto-enabling streams (NEW_AND_OLD_IMAGES) on ${logicalId} — required for cross-region replication`);
+			createParams.StreamSpecification = {
+				StreamEnabled: true,
+				StreamViewType: "NEW_AND_OLD_IMAGES"
+			};
+		}
+		if (properties["GlobalSecondaryIndexes"]) createParams.GlobalSecondaryIndexes = properties["GlobalSecondaryIndexes"];
+		if (properties["LocalSecondaryIndexes"]) createParams.LocalSecondaryIndexes = properties["LocalSecondaryIndexes"];
+		if (properties["SSESpecification"]) {
+			const sse = properties["SSESpecification"];
+			const sseInput = { Enabled: sse["SSEEnabled"] !== void 0 ? Boolean(sse["SSEEnabled"]) : true };
+			if (sse["SSEType"]) sseInput.SSEType = sse["SSEType"];
+			createParams.SSESpecification = sseInput;
+		}
+		if (properties["DeletionProtectionEnabled"] !== void 0) createParams.DeletionProtectionEnabled = properties["DeletionProtectionEnabled"];
+		if (properties["TableClass"]) createParams.TableClass = properties["TableClass"];
+		const wodts = properties["WriteOnDemandThroughputSettings"];
+		if (wodts?.["MaxWriteRequestUnits"] !== void 0) createParams.OnDemandThroughput = { MaxWriteRequestUnits: Number(wodts["MaxWriteRequestUnits"]) };
+		if (properties["Tags"]) createParams.Tags = properties["Tags"];
+		try {
+			await this.dynamoDBClient.send(new CreateTableCommand(createParams));
+			this.logger.debug(`CreateTable initiated for ${tableName}, waiting for ACTIVE`);
+		} catch (error) {
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to create DynamoDB GlobalTable ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, tableName, cause);
+		}
+		try {
+			const tableInfo = await this.waitForTableActive(tableName);
+			for (const replica of replicas) {
+				const region = replica["Region"];
+				if (!region || region === currentRegion) continue;
+				await this.addReplica(tableName, replica, region);
+			}
+			if (properties["TimeToLiveSpecification"]) {
+				const ttl = properties["TimeToLiveSpecification"];
+				const attributeName = ttl["AttributeName"];
+				const enabled = ttl["Enabled"] !== void 0 ? Boolean(ttl["Enabled"]) : true;
+				if (attributeName) await this.dynamoDBClient.send(new UpdateTimeToLiveCommand({
+					TableName: tableName,
+					TimeToLiveSpecification: {
+						Enabled: enabled,
+						AttributeName: attributeName
+					}
+				}));
+			}
+			this.logger.debug(`Successfully created DynamoDB GlobalTable ${logicalId}: ${tableName}`);
+			return {
+				physicalId: tableName,
+				attributes: {
+					Arn: tableInfo.tableArn,
+					TableId: tableInfo.tableId,
+					StreamArn: tableInfo.streamArn,
+					TableName: tableName
+				}
+			};
+		} catch (wiringError) {
+			this.logger.warn(`Wiring failed after CreateTable for ${tableName}; attempting best-effort cleanup`);
+			try {
+				await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: tableName }));
+			} catch (cleanupErr) {
+				const cleanupMsg = cleanupErr instanceof Error ? cleanupErr.message : String(cleanupErr);
+				this.logger.warn(`Partial-create cleanup failed for ${tableName}: ${cleanupMsg}. Run: aws dynamodb delete-table --table-name ${tableName} to remove the orphaned AWS-side table.`);
+			}
+			const cause = wiringError instanceof Error ? wiringError : void 0;
+			throw new ProvisioningError(`Failed to create DynamoDB GlobalTable ${logicalId}: ${wiringError instanceof Error ? wiringError.message : String(wiringError)}`, resourceType, logicalId, tableName, cause);
+		}
+	}
+	/**
+	* Add a single replica region. Issues one `UpdateTableCommand` with
+	* `ReplicaUpdates: [{ Create: { RegionName, ... } }]` and polls
+	* `DescribeTable` until the replica's `ReplicaStatus` flips to ACTIVE.
+	* Capped at 10 minutes per replica (AWS Replica provisioning typically
+	* takes 1–5 min).
+	*/
+	async addReplica(tableName, replica, region) {
+		const create = { RegionName: region };
+		if (replica["KMSMasterKeyId"]) create.KMSMasterKeyId = replica["KMSMasterKeyId"];
+		if (replica["GlobalSecondaryIndexes"]) create.GlobalSecondaryIndexes = replica["GlobalSecondaryIndexes"];
+		if (replica["TableClassOverride"]) create.TableClassOverride = replica["TableClassOverride"];
+		const replicaUpdates = [{ Create: create }];
+		await this.dynamoDBClient.send(new UpdateTableCommand({
+			TableName: tableName,
+			ReplicaUpdates: replicaUpdates
+		}));
+		await this.waitForReplicaActive(tableName, region);
+	}
+	/**
+	* Update a DynamoDB Global Table.
+	*
+	* MVP: in-place updates are out of scope — replica add/remove, GSI
+	* add/remove, BillingMode flip, and throughput rewrites each have
+	* distinct UpdateTable shapes and ordering rules. `cdkd drift --revert`
+	* surfaces this as `ResourceUpdateNotSupportedError` (exit code 2);
+	* the user falls back to `cdkd deploy --replace` or destroy + redeploy.
+	*/
+	async update(logicalId, _physicalId, resourceType, _properties, _previousProperties) {
+		throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "GlobalTable in-place updates are not yet supported; use 'cdkd deploy --replace' or destroy + redeploy");
+	}
+	/**
+	* Delete a DynamoDB Global Table.
+	*
+	* Order is load-bearing:
+	*  1. Optional `--remove-protection` flip-off (idempotent).
+	*  2. `DescribeTable` → drop every non-local replica via UpdateTable
+	*     `ReplicaUpdates: [{ Delete: { RegionName } }]`, one at a time
+	*     (AWS rejects multiple replica updates per call). Each delete
+	*     polls until the replica disappears from `Replicas[]`.
+	*  3. `DeleteTableCommand` on the local region only.
+	*  4. Wait for `ResourceNotFoundException` on subsequent DescribeTable.
+	*
+	* DELETE idempotency: a `ResourceNotFoundException` is treated as
+	* success ONLY when the client region matches the state region
+	* (`assertRegionMatch`). A mismatched destroy would otherwise silently
+	* strip a still-existing resource from state.
+	*/
+	async delete(logicalId, physicalId, resourceType, _properties, context) {
+		this.logger.debug(`Deleting DynamoDB GlobalTable ${logicalId}: ${physicalId}`);
+		if (context?.removeProtection === true) try {
+			await this.dynamoDBClient.send(new UpdateTableCommand({
+				TableName: physicalId,
+				DeletionProtectionEnabled: false
+			}));
+			this.logger.debug(`Disabled DeletionProtectionEnabled on ${logicalId}, waiting for ACTIVE`);
+			try {
+				await this.waitForTableActiveAfterUpdate(physicalId);
+			} catch (waitErr) {
+				this.logger.debug(`Could not wait for table ${physicalId} ACTIVE after protection flip: ${waitErr instanceof Error ? waitErr.message : String(waitErr)}`);
+			}
+		} catch (flipError) {
+			if (!(flipError instanceof ResourceNotFoundException$1)) this.logger.debug(`Could not disable DeletionProtectionEnabled on ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`);
+		}
+		let currentRegion;
+		try {
+			currentRegion = await this.dynamoDBClient.config.region();
+		} catch (regionErr) {
+			const cause = regionErr instanceof Error ? regionErr : void 0;
+			throw new ProvisioningError(`Could not resolve client region for DynamoDB GlobalTable ${logicalId} delete — would risk dropping the local replica`, resourceType, logicalId, physicalId, cause);
+		}
+		try {
+			const replicas = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }))).Table?.Replicas ?? [];
+			for (const replica of replicas) {
+				const region = replica.RegionName;
+				if (!region || region === currentRegion) continue;
+				try {
+					await this.dynamoDBClient.send(new UpdateTableCommand({
+						TableName: physicalId,
+						ReplicaUpdates: [{ Delete: { RegionName: region } }]
+					}));
+					await this.waitForReplicaGone(physicalId, region);
+				} catch (replicaErr) {
+					if (!(replicaErr instanceof ResourceNotFoundException$1)) throw replicaErr;
+				}
+			}
+		} catch (describeErr) {
+			if (!(describeErr instanceof ResourceNotFoundException$1)) {
+				const cause = describeErr instanceof Error ? describeErr : void 0;
+				throw new ProvisioningError(`Failed to describe DynamoDB GlobalTable ${logicalId} before delete: ${describeErr instanceof Error ? describeErr.message : String(describeErr)}`, resourceType, logicalId, physicalId, cause);
+			}
+		}
+		try {
+			await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: physicalId }));
+			await this.waitForTableGone(physicalId);
+			this.logger.debug(`Successfully deleted DynamoDB GlobalTable ${logicalId}`);
+		} catch (error) {
+			if (error instanceof ResourceNotFoundException$1) {
+				assertRegionMatch(await this.dynamoDBClient.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+				this.logger.debug(`DynamoDB GlobalTable ${physicalId} does not exist, skipping`);
+				return;
+			}
+			const cause = error instanceof Error ? error : void 0;
+			throw new ProvisioningError(`Failed to delete DynamoDB GlobalTable ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+		}
+	}
+	/**
+	* Resolve a single `Fn::GetAtt` attribute for an existing DynamoDB GlobalTable.
+	*
+	* Cached per `(physicalId, attribute)` for the deploy run to avoid
+	* repeated `DescribeTable` calls.
+	*/
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		const cacheKey = `${physicalId}::${attributeName}`;
+		if (this.attributeCache.has(cacheKey)) return this.attributeCache.get(cacheKey);
+		try {
+			const resp = await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }));
+			let value;
+			switch (attributeName) {
+				case "Arn":
+					value = resp.Table?.TableArn;
+					break;
+				case "StreamArn":
+					value = resp.Table?.LatestStreamArn;
+					break;
+				case "TableId":
+					value = resp.Table?.TableId;
+					break;
+				default: value = void 0;
+			}
+			this.attributeCache.set(cacheKey, value);
+			return value;
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return void 0;
+			throw err;
+		}
+	}
+	/**
+	* Read the AWS-current DynamoDB GlobalTable configuration in CFn-property shape.
+	*
+	* Reverse-maps `DescribeTable` + `ListTagsOfResource` into the
+	* `AWS::DynamoDB::GlobalTable` property set.
+	*
+	* Type-discriminator gating (memory rule
+	* `feedback_always_emit_check_type_discriminator.md`):
+	*  - `ProvisionedThroughput`-bearing fields are only surfaced when
+	*    `BillingMode === 'PROVISIONED'`. Emitting placeholders on
+	*    PAY_PER_REQUEST tables (or vice versa) would fire false drift on
+	*    every clean run.
+	*  - StreamSpecification / SSESpecification follow the existing
+	*    DynamoDB::Table provider's Class 1 guard: only surfaced when AWS
+	*    reports the feature actually enabled.
+	*
+	* `getDriftUnknownPaths` declares TTL + write-throughput-settings —
+	* those round-trip in the create path but the reverse-mapping is not
+	* yet implemented and would fire guaranteed false drift.
+	*/
+	async readCurrentState(physicalId, _logicalId, _resourceType) {
+		try {
+			const table = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: physicalId }))).Table;
+			if (!table) return void 0;
+			const result = {};
+			if (table.TableName !== void 0) result["TableName"] = table.TableName;
+			if (table.KeySchema) result["KeySchema"] = table.KeySchema;
+			if (table.AttributeDefinitions) result["AttributeDefinitions"] = table.AttributeDefinitions;
+			const billingMode = table.BillingModeSummary?.BillingMode;
+			if (billingMode) result["BillingMode"] = billingMode;
+			if (table.GlobalSecondaryIndexes && table.GlobalSecondaryIndexes.length > 0) result["GlobalSecondaryIndexes"] = table.GlobalSecondaryIndexes;
+			if (table.LocalSecondaryIndexes && table.LocalSecondaryIndexes.length > 0) result["LocalSecondaryIndexes"] = table.LocalSecondaryIndexes;
+			if (table.StreamSpecification?.StreamEnabled && table.StreamSpecification.StreamViewType) result["StreamSpecification"] = {
+				StreamEnabled: true,
+				StreamViewType: table.StreamSpecification.StreamViewType
+			};
+			if (table.SSEDescription?.Status === "ENABLED") {
+				const sse = { SSEEnabled: true };
+				if (table.SSEDescription.SSEType !== void 0) sse["SSEType"] = table.SSEDescription.SSEType;
+				result["SSESpecification"] = sse;
+			}
+			result["Replicas"] = (table.Replicas ?? []).map((r) => ({
+				Region: r.RegionName,
+				...r.KMSMasterKeyId !== void 0 && { KMSMasterKeyId: r.KMSMasterKeyId }
+			}));
+			if (table.TableClassSummary?.TableClass) result["TableClass"] = table.TableClassSummary.TableClass;
+			if (table.DeletionProtectionEnabled !== void 0) result["DeletionProtectionEnabled"] = table.DeletionProtectionEnabled;
+			if (table.TableArn) try {
+				result["Tags"] = normalizeAwsTagsToCfn((await this.dynamoDBClient.send(new ListTagsOfResourceCommand({ ResourceArn: table.TableArn }))).Tags);
+			} catch (err) {
+				if (err instanceof ResourceNotFoundException$1) return void 0;
+				result["Tags"] = [];
+			}
+			else result["Tags"] = [];
+			return result;
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return void 0;
+			throw err;
+		}
+	}
+	/**
+	* State property paths cdkd's GlobalTable readCurrentState cannot (yet)
+	* reverse-map. The drift comparator skips these so a templated value
+	* doesn't fire guaranteed false drift on every clean run.
+	*
+	* - `TimeToLiveSpecification`: cdkd's create() applies it via
+	*   UpdateTimeToLive, but the reverse-mapping needs a separate
+	*   DescribeTimeToLive call (not yet implemented).
+	* - `WriteProvisionedThroughputSettings` /
+	*   `WriteOnDemandThroughputSettings`: CFn's shapes wrap
+	*   auto-scaling / on-demand max-RU settings whose reverse-mapping
+	*   from `DescribeTable.ProvisionedThroughput` / `OnDemandThroughput`
+	*   is non-trivial and would fire false drift in v1.
+	*/
+	getDriftUnknownPaths(_resourceType) {
+		return [
+			"TimeToLiveSpecification",
+			"WriteProvisionedThroughputSettings",
+			"WriteOnDemandThroughputSettings"
+		];
+	}
+	/**
+	* Adopt an existing DynamoDB GlobalTable into cdkd state.
+	*
+	* Lookup order:
+	*   1. `--resource` override or `Properties.TableName` → verify via DescribeTable.
+	*   2. `ListTables` + `ListTagsOfResource`, match `aws:cdk:path` tag.
+	*
+	* Same shape as `DynamoDBTableProvider.import()`. The provider returns
+	* the physical id only; cdkd's import flow does the attribute capture
+	* separately.
+	*/
+	async import(input) {
+		const explicit = resolveExplicitPhysicalId(input, "TableName");
+		if (explicit) try {
+			await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: explicit }));
+			return {
+				physicalId: explicit,
+				attributes: {}
+			};
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return null;
+			throw err;
+		}
+		if (!input.cdkPath) return null;
+		let exclusiveStartTableName;
+		do {
+			const list = await this.dynamoDBClient.send(new ListTablesCommand({ ...exclusiveStartTableName && { ExclusiveStartTableName: exclusiveStartTableName } }));
+			for (const name of list.TableNames ?? []) try {
+				const arn = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: name }))).Table?.TableArn;
+				if (!arn) continue;
+				if (matchesCdkPath((await this.dynamoDBClient.send(new ListTagsOfResourceCommand({ ResourceArn: arn }))).Tags, input.cdkPath)) return {
+					physicalId: name,
+					attributes: {}
+				};
+			} catch (err) {
+				if (err instanceof ResourceNotFoundException$1) continue;
+				throw err;
+			}
+			exclusiveStartTableName = list.LastEvaluatedTableName;
+		} while (exclusiveStartTableName);
+		return null;
+	}
+	async waitForTableActive(tableName, maxAttempts = 120) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+			const response = await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }));
+			const status = response.Table?.TableStatus;
+			this.logger.debug(`Table ${tableName} status: ${status} (attempt ${attempt}/${maxAttempts})`);
+			if (status === "ACTIVE") return {
+				tableArn: response.Table?.TableArn,
+				tableId: response.Table?.TableId,
+				streamArn: response.Table?.LatestStreamArn
+			};
+			if (status !== "CREATING" && status !== "UPDATING") throw new Error(`Unexpected table status: ${status}`);
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		}
+		throw new Error(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s`);
+	}
+	/**
+	* Wait for the table to reach ACTIVE after an UpdateTable call. Unlike
+	* `waitForTableActive`, this tolerates any non-terminal status — the
+	* table may already be ACTIVE on the no-op path (already-disabled
+	* protection) or transition through UPDATING.
+	*/
+	async waitForTableActiveAfterUpdate(tableName, maxAttempts = 120) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+			if ((await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.TableStatus === "ACTIVE") return;
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		}
+		throw new Error(`Table ${tableName} did not reach ACTIVE within ${maxAttempts}s after UpdateTable`);
+	}
+	/**
+	* Wait until a specific replica's `ReplicaStatus` flips to ACTIVE.
+	* Replica provisioning typically takes 1–5 min; cap at 10 min.
+	*/
+	async waitForReplicaActive(tableName, region, maxAttempts = 600) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+			const replica = (await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas?.find((r) => r.RegionName === region);
+			if (replica?.ReplicaStatus === "ACTIVE") return;
+			this.logger.debug(`Replica ${region} status: ${replica?.ReplicaStatus} (attempt ${attempt}/${maxAttempts})`);
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		}
+		throw new Error(`Replica ${region} for table ${tableName} did not reach ACTIVE within ${maxAttempts}s`);
+	}
+	/**
+	* Wait until a specific replica disappears from `Replicas[]` after a
+	* Delete replica update. Replica deletion typically takes 1–5 min;
+	* cap at 10 min.
+	*/
+	async waitForReplicaGone(tableName, region, maxAttempts = 600) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
+			if (!(await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }))).Table?.Replicas?.find((r) => r.RegionName === region)) return;
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return;
+			throw err;
+		}
+		throw new Error(`Replica ${region} for table ${tableName} did not disappear within ${maxAttempts}s`);
+	}
+	/**
+	* Wait for `DescribeTable` to return `ResourceNotFoundException`,
+	* confirming the table has actually been removed. `DeleteTable` is
+	* async — the call returns immediately with `TableStatus: DELETING`
+	* and AWS only removes the table some seconds later. Without this
+	* wait, downstream observers (siblings deleted in the same destroy
+	* run, integ scripts that re-check via `aws dynamodb describe-table`)
+	* see "destroy succeeded" but the table is still listed by AWS.
+	* Typical small-table delete completes in 5–30s; cap at 10 min for
+	* worst-case large-table / replica-cascade scenarios.
+	*/
+	async waitForTableGone(tableName, maxAttempts = 600) {
+		for (let attempt = 1; attempt <= maxAttempts; attempt++) try {
+			await this.dynamoDBClient.send(new DescribeTableCommand({ TableName: tableName }));
+			await new Promise((resolve) => setTimeout(resolve, 1e3));
+		} catch (err) {
+			if (err instanceof ResourceNotFoundException$1) return;
+			throw err;
+		}
+		throw new Error(`Table ${tableName} did not disappear within ${maxAttempts}s`);
+	}
+};
+
 //#endregion
 //#region src/provisioning/providers/logs-loggroup-provider.ts
 /**
@@ -14812,7 +15330,7 @@ var StepFunctionsProvider = class {
 			result["EncryptionConfiguration"] = ec;
 		}
 		try {
-			result["Tags"] = normalizeAwsTagsToCfn((await this.getClient().send(new ListTagsForResourceCommand$8({ resourceArn: physicalId }))).tags);
+			result["Tags"] = normalizeAwsTagsToCfn((await this.getClient().send(new ListTagsForResourceCommand$9({ resourceArn: physicalId }))).tags);
 		} catch (err) {
 			if (!(err instanceof StateMachineDoesNotExist)) throw err;
 		}
@@ -14850,7 +15368,7 @@ var StepFunctionsProvider = class {
 			const list = await this.getClient().send(new ListStateMachinesCommand({ ...nextToken && { nextToken } }));
 			for (const sm of list.stateMachines ?? []) {
 				if (!sm.stateMachineArn) continue;
-				const tagsResp = await this.getClient().send(new ListTagsForResourceCommand$8({ resourceArn: sm.stateMachineArn }));
+				const tagsResp = await this.getClient().send(new ListTagsForResourceCommand$9({ resourceArn: sm.stateMachineArn }));
 				if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) return {
 					physicalId: sm.stateMachineArn,
 					attributes: {}
@@ -15786,7 +16304,7 @@ var ECSProvider = class {
 		do {
 			const list = await this.getClient().send(new ListClustersCommand({ ...nextToken && { nextToken } }));
 			for (const arn of list.clusterArns ?? []) {
-				const tagsResp = await this.getClient().send(new ListTagsForResourceCommand$9({ resourceArn: arn }));
+				const tagsResp = await this.getClient().send(new ListTagsForResourceCommand$10({ resourceArn: arn }));
 				if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) return {
 					physicalId: arn.substring(arn.lastIndexOf("/") + 1),
 					attributes: {}
@@ -15813,7 +16331,7 @@ var ECSProvider = class {
 						...svcToken && { nextToken: svcToken }
 					}));
 					for (const svcArn of svcList.serviceArns ?? []) {
-						const tagsResp = await this.getClient().send(new ListTagsForResourceCommand$9({ resourceArn: svcArn }));
+						const tagsResp = await this.getClient().send(new ListTagsForResourceCommand$10({ resourceArn: svcArn }));
 						if (this.tagsMatchCdkPath(tagsResp.tags, input.cdkPath)) return {
 							physicalId: `${clusterArn}|${svcArn.substring(svcArn.lastIndexOf("/") + 1)}`,
 							attributes: {}
@@ -17142,7 +17660,7 @@ var RDSProvider = class {
 	*/
 	async attachTags(result, arn) {
 		try {
-			result["Tags"] = normalizeAwsTagsToCfn((await this.getClient().send(new ListTagsForResourceCommand$10({ ResourceName: arn }))).TagList);
+			result["Tags"] = normalizeAwsTagsToCfn((await this.getClient().send(new ListTagsForResourceCommand$8({ ResourceName: arn }))).TagList);
 		} catch (err) {
 			this.logger.debug(`RDS ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`);
 		}
@@ -17165,7 +17683,7 @@ var RDSProvider = class {
 			const list = await this.getClient().send(new DescribeDBInstancesCommand({ ...marker && { Marker: marker } }));
 			for (const inst of list.DBInstances ?? []) {
 				if (!inst.DBInstanceIdentifier || !inst.DBInstanceArn) continue;
-				if (matchesCdkPath((await this.getClient().send(new ListTagsForResourceCommand$10({ ResourceName: inst.DBInstanceArn }))).TagList, input.cdkPath)) return {
+				if (matchesCdkPath((await this.getClient().send(new ListTagsForResourceCommand$8({ ResourceName: inst.DBInstanceArn }))).TagList, input.cdkPath)) return {
 					physicalId: inst.DBInstanceIdentifier,
 					attributes: {}
 				};
@@ -17192,7 +17710,7 @@ var RDSProvider = class {
 			const list = await this.getClient().send(new DescribeDBClustersCommand({ ...marker && { Marker: marker } }));
 			for (const c of list.DBClusters ?? []) {
 				if (!c.DBClusterIdentifier || !c.DBClusterArn) continue;
-				if (matchesCdkPath((await this.getClient().send(new ListTagsForResourceCommand$10({ ResourceName: c.DBClusterArn }))).TagList, input.cdkPath)) return {
+				if (matchesCdkPath((await this.getClient().send(new ListTagsForResourceCommand$8({ ResourceName: c.DBClusterArn }))).TagList, input.cdkPath)) return {
 					physicalId: c.DBClusterIdentifier,
 					attributes: {}
 				};
@@ -17219,7 +17737,7 @@ var RDSProvider = class {
 			const list = await this.getClient().send(new DescribeDBSubnetGroupsCommand({ ...marker && { Marker: marker } }));
 			for (const sg of list.DBSubnetGroups ?? []) {
 				if (!sg.DBSubnetGroupName || !sg.DBSubnetGroupArn) continue;
-				if (matchesCdkPath((await this.getClient().send(new ListTagsForResourceCommand$10({ ResourceName: sg.DBSubnetGroupArn }))).TagList, input.cdkPath)) return {
+				if (matchesCdkPath((await this.getClient().send(new ListTagsForResourceCommand$8({ ResourceName: sg.DBSubnetGroupArn }))).TagList, input.cdkPath)) return {
 					physicalId: sg.DBSubnetGroupName,
 					attributes: {}
 				};
@@ -27905,6 +28423,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::Lambda::EventSourceMapping", new LambdaEventSourceMappingProvider());
 	registry.register("AWS::Lambda::LayerVersion", new LambdaLayerVersionProvider());
 	registry.register("AWS::DynamoDB::Table", new DynamoDBTableProvider());
+	registry.register("AWS::DynamoDB::GlobalTable", new DynamoDBGlobalTableProvider());
 	registry.register("AWS::Logs::LogGroup", new LogsLogGroupProvider());
 	registry.register("AWS::CloudWatch::Alarm", new CloudWatchAlarmProvider());
 	registry.register("AWS::SecretsManager::Secret", new SecretsManagerSecretProvider());
@@ -29427,6 +29946,7 @@ const PROTECTION_PROPERTY_BY_TYPE = {
 	"AWS::Neptune::DBCluster": "DeletionProtection",
 	"AWS::Neptune::DBInstance": "DeletionProtection",
 	"AWS::DynamoDB::Table": "DeletionProtectionEnabled",
+	"AWS::DynamoDB::GlobalTable": "DeletionProtectionEnabled",
 	"AWS::EC2::Instance": "DisableApiTermination",
 	"AWS::Cognito::UserPool": "DeletionProtection",
 	"AWS::AutoScaling::AutoScalingGroup": "DeletionProtection"
@@ -42932,7 +43452,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.102.7");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.103.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());