@go-to-k/cdkd 0.106.0 → 0.108.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-D6nbHjNM.js";
+import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-Br8DvrvB.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -30,12 +30,12 @@ import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCo
 import { promisify } from "node:util";
 import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
 import graphlib from "graphlib";
-import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBSubnetGroupCommand, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
+import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBProxyEndpointCommand, CreateDBSubnetGroupCommand, DBProxyEndpointNotFoundFault, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBProxyEndpointCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyEndpointsCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyEndpointCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
 import { Command, Option } from "commander";
 import { writeFileSync as writeFileSync$1 } from "fs";
 import { join as join$1 } from "path";
 import * as zlib from "node:zlib";
-import { ApplicationAutoScalingClient, DescribeScalingPoliciesCommand } from "@aws-sdk/client-application-auto-scaling";
+import { ApplicationAutoScalingClient, DescribeScalableTargetsCommand, DescribeScalingPoliciesCommand } from "@aws-sdk/client-application-auto-scaling";
 import { ApiGatewayV2Client, CreateApiCommand, CreateAuthorizerCommand as CreateAuthorizerCommand$1, CreateIntegrationCommand, CreateRouteCommand as CreateRouteCommand$1, CreateStageCommand as CreateStageCommand$1, DeleteApiCommand, DeleteAuthorizerCommand as DeleteAuthorizerCommand$1, DeleteIntegrationCommand, DeleteRouteCommand as DeleteRouteCommand$1, DeleteStageCommand as DeleteStageCommand$1, GetApiCommand, GetApisCommand, GetAuthorizerCommand as GetAuthorizerCommand$1, GetIntegrationCommand, GetRouteCommand, GetStageCommand as GetStageCommand$1, NotFoundException as NotFoundException$3, UpdateApiCommand, UpdateAuthorizerCommand as UpdateAuthorizerCommand$1, UpdateIntegrationCommand, UpdateRouteCommand, UpdateStageCommand as UpdateStageCommand$1 } from "@aws-sdk/client-apigatewayv2";
 import { CreateStateMachineCommand, DeleteStateMachineCommand, DescribeStateMachineCommand, ListStateMachinesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$9, SFNClient, StateMachineDoesNotExist, TagResourceCommand as TagResourceCommand$10, UntagResourceCommand as UntagResourceCommand$9, UpdateStateMachineCommand } from "@aws-sdk/client-sfn";
 import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, DeleteServiceCommand, DeregisterTaskDefinitionCommand, DescribeClustersCommand, DescribeServicesCommand, DescribeTaskDefinitionCommand, ECSClient, ListClustersCommand, ListServicesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$10, PutClusterCapacityProvidersCommand, RegisterTaskDefinitionCommand, TagResourceCommand as TagResourceCommand$11, UntagResourceCommand as UntagResourceCommand$10, UpdateClusterCommand, UpdateServiceCommand } from "@aws-sdk/client-ecs";
@@ -7899,6 +7899,18 @@ var DynamoDBGlobalTableProvider = class {
 	*/
 	regionalClientCache = /* @__PURE__ */ new Map();
 	/**
+	* Caches per-region `ApplicationAutoScalingClient` instances for
+	* per-replica `ReadCapacityAutoScalingSettings` reverse-mapping in
+	* `readCurrentState`. Same lifetime / shape as `regionalClientCache`
+	* — one per region for the duration of the provider instance.
+	*
+	* Issue #395: per-replica read capacity autoscaling lives in the
+	* replica's region (each replica has its own scaling target +
+	* policy registered against `application-autoscaling` in that
+	* region), so we cannot reuse the local-region client.
+	*/
+	regionalAutoScalingClientCache = /* @__PURE__ */ new Map();
+	/**
 	* Caches `getAttribute(physicalId, attribute)` results for the lifetime
 	* of this provider instance (one deploy run). Safe under the current
 	* `update()` contract because `update()` cannot mid-deploy mutate
@@ -7954,6 +7966,24 @@ var DynamoDBGlobalTableProvider = class {
 		return client;
 	}
 	/**
+	* Return an `ApplicationAutoScalingClient` pinned to the given region,
+	* caching per region for the lifetime of this provider instance. Mirrors
+	* `getRegionalClient` but for the application-autoscaling service.
+	*
+	* Used by `readAutoScalingSettings` (Issue #395) to recover per-replica
+	* `ReadCapacityAutoScalingSettings` shapes — each cross-region replica's
+	* scaling target + policy are registered with the autoscaling control
+	* plane in the replica's region, so cross-region drift reads need a
+	* region-scoped client.
+	*/
+	getRegionalAutoScalingClient(region) {
+		const cached = this.regionalAutoScalingClientCache.get(region);
+		if (cached) return cached;
+		const client = new ApplicationAutoScalingClient({ region });
+		this.regionalAutoScalingClientCache.set(region, client);
+		return client;
+	}
+	/**
 	* Construct the regional table ARN for a cross-region replica of a
 	* GlobalTable. AWS replicates the same `TableName` across every
 	* replica region, with each replica's ARN differing only in the
@@ -8493,13 +8523,17 @@ var DynamoDBGlobalTableProvider = class {
 	*  - StreamSpecification / SSESpecification follow the existing
 	*    DynamoDB::Table provider's Class 1 guard: only surfaced when AWS
 	*    reports the feature actually enabled.
-	*  - `ProvisionedThroughput`-bearing fields are declared in
-	*    `getDriftUnknownPaths` and intentionally not emitted in v1 — the
-	*    reverse-mapping from AWS's `ProvisionedThroughput` shape into
-	*    CFn's `WriteProvisionedThroughputSettings` /
-	*    `ReadProvisionedThroughputSettings` wrappers (which carry
-	*    `WriteCapacityAutoScalingSettings` etc.) needs more work to round
-	*    -trip cleanly.
+	*  - `WriteProvisionedThroughputSettings` reverse-maps both shapes:
+	*    flat `{WriteCapacityUnits}` (no autoscaling) and full
+	*    `{WriteCapacityAutoScalingSettings}` (Issue #395; recovered from
+	*    application-autoscaling's `DescribeScalableTargets` +
+	*    `DescribeScalingPolicies` for the
+	*    `dynamodb:table:WriteCapacityUnits` dimension).
+	*  - Per-replica `ReadProvisionedThroughputSettings` reverse-maps the
+	*    `{ReadCapacityAutoScalingSettings}` shape only — there is no
+	*    per-replica flat read capacity in `DescribeTable`'s response
+	*    (the local `ProvisionedThroughput` block is table-level, not
+	*    replica-level), so non-autoscaled replicas omit the key.
 	*
 	* Per-replica sub-specifications (`ContributorInsightsSpecification` /
 	* `PointInTimeRecoverySpecification` / `KinesisStreamSpecification`)
@@ -8555,15 +8589,23 @@ var DynamoDBGlobalTableProvider = class {
 					}
 				}
 				else entry["Tags"] = [];
+				if (billingMode === "PROVISIONED") {
+					const replicaAutoScalingClient = isLocal ? void 0 : this.getRegionalAutoScalingClient(regionLabel);
+					const readAutoScaling = await this.readAutoScalingSettings(tableNameForSubs, "dynamodb:table:ReadCapacityUnits", replicaAutoScalingClient);
+					if (readAutoScaling) entry["ReadProvisionedThroughputSettings"] = { ReadCapacityAutoScalingSettings: readAutoScaling };
+				}
 				return entry;
 			}));
 			if (table.OnDemandThroughput?.MaxWriteRequestUnits !== void 0) result["WriteOnDemandThroughputSettings"] = { MaxWriteRequestUnits: table.OnDemandThroughput.MaxWriteRequestUnits };
 			else result["WriteOnDemandThroughputSettings"] = {};
 			if (billingMode === "PROVISIONED") {
-				const writeCapacity = table.ProvisionedThroughput?.WriteCapacityUnits;
-				if (writeCapacity !== void 0) if (!await this.hasWriteAutoScalingPolicy(tableNameForSubs)) result["WriteProvisionedThroughputSettings"] = { WriteCapacityUnits: writeCapacity };
-				else result["WriteProvisionedThroughputSettings"] = {};
-				else result["WriteProvisionedThroughputSettings"] = {};
+				const autoScaling = await this.readAutoScalingSettings(tableNameForSubs, "dynamodb:table:WriteCapacityUnits");
+				if (autoScaling) result["WriteProvisionedThroughputSettings"] = { WriteCapacityAutoScalingSettings: autoScaling };
+				else {
+					const writeCapacity = table.ProvisionedThroughput?.WriteCapacityUnits;
+					if (writeCapacity !== void 0) result["WriteProvisionedThroughputSettings"] = { WriteCapacityUnits: writeCapacity };
+					else result["WriteProvisionedThroughputSettings"] = {};
+				}
 			} else result["WriteProvisionedThroughputSettings"] = {};
 			try {
 				const ttlDesc = (await this.dynamoDBClient.send(new DescribeTimeToLiveCommand({ TableName: tableNameForSubs }))).TimeToLiveDescription;
@@ -8629,29 +8671,90 @@ var DynamoDBGlobalTableProvider = class {
 		return out;
 	}
 	/**
-	* Detect whether application-autoscaling has a scaling policy on this
-	* table's WriteCapacityUnits dimension. Used to decide whether the
-	* `WriteProvisionedThroughputSettings.WriteCapacityUnits` flat-value
-	* surface in `readCurrentState` is safe to emit (auto-scaling
-	* dynamically mutates capacity, so a flat snapshot would fire false
-	* drift on every scale event — when an autoscaling policy is in play
-	* we omit the flat surface so a follow-up PR can reverse-map the
-	* full `WriteCapacityAutoScalingSettings` shape).
-	*
-	* Best-effort: errors return `false` (no autoscaling detected) so a
-	* permissions gap on `application-autoscaling:DescribeScalingPolicies`
-	* does not abort drift reads. Logged at debug.
-	*/
-	async hasWriteAutoScalingPolicy(tableName) {
-		try {
-			return ((await new ApplicationAutoScalingClient({ region: await this.dynamoDBClient.config.region() ?? "" }).send(new DescribeScalingPoliciesCommand({
+	* Reverse-map application-autoscaling state for the given DynamoDB table
+	* dimension into the CFn `*CapacityAutoScalingSettings` shape (Issue
+	* #395). Used for BOTH the table-level write dimension
+	* (`dynamodb:table:WriteCapacityUnits`) and the per-replica read
+	* dimension (`dynamodb:table:ReadCapacityUnits`); the CFn shape is
+	* symmetric.
+	*
+	* Returns shape (CFn-canonical PascalCase keys, verified via `cdk synth`
+	* on a real `TableV2` with `Capacity.autoscaled(...)` on 2026-05-16 —
+	* see PR notes for the probe transcript):
+	*
+	* ```
+	* {
+	*   MinCapacity: number;
+	*   MaxCapacity: number;
+	*   TargetTrackingScalingPolicyConfiguration: {
+	*     TargetValue: number;
+	*     DisableScaleIn?: boolean;
+	*     ScaleInCooldown?: number;
+	*     ScaleOutCooldown?: number;
+	*   };
+	* }
+	* ```
+	*
+	* `SeedCapacity` is intentionally NOT round-tripped — it is a CFn
+	* create-only field with no corresponding application-autoscaling
+	* surface (AWS does not retain the initial seed value once the
+	* scaling target is registered).
+	*
+	* Resolution order:
+	*  1. `DescribeScalableTargets` → recover `MinCapacity` / `MaxCapacity`
+	*     for the matching `ScalableDimension`. Returns `null` when no
+	*     target is registered (= no autoscaling in play for this
+	*     dimension — caller falls back to the flat capacity surface).
+	*  2. `DescribeScalingPolicies` → find the `TargetTrackingScaling`
+	*     policy (filter out `StepScaling` / `PredictiveScaling` — CFn's
+	*     shape only carries the target-tracking variant). Returns `null`
+	*     when no `TargetTrackingScaling` policy is present (a scaling
+	*     target without a target-tracking policy is not cdkd-managed
+	*     drift territory; surface the flat capacity instead).
+	*
+	* Best-effort: any error (permissions gap, throttle, network) returns
+	* `null` and the caller falls back to the flat-capacity branch. Logged
+	* at debug so a real permissions misconfiguration is still visible
+	* under `--verbose`.
+	*
+	* @param tableName DynamoDB table name (the `physicalId`).
+	* @param scalableDimension `'dynamodb:table:WriteCapacityUnits'` or
+	*   `'dynamodb:table:ReadCapacityUnits'`.
+	* @param client Pre-built region-scoped autoscaling client. Defaults to
+	*   a fresh client in the local region — pass an explicit client when
+	*   reading from a cross-region replica.
+	*/
+	async readAutoScalingSettings(tableName, scalableDimension, client) {
+		try {
+			const asClient = client ?? new ApplicationAutoScalingClient({ region: await this.dynamoDBClient.config.region() ?? "" });
+			const targets = (await asClient.send(new DescribeScalableTargetsCommand({
+				ServiceNamespace: "dynamodb",
+				ResourceIds: [`table/${tableName}`],
+				ScalableDimension: scalableDimension
+			}))).ScalableTargets ?? [];
+			if (targets.length === 0) return null;
+			const target = targets[0];
+			if (target.MinCapacity === void 0 || target.MaxCapacity === void 0) return null;
+			const targetTracking = ((await asClient.send(new DescribeScalingPoliciesCommand({
 				ServiceNamespace: "dynamodb",
 				ResourceId: `table/${tableName}`,
-				ScalableDimension: "dynamodb:table:WriteCapacityUnits"
-			}))).ScalingPolicies ?? []).length > 0;
+				ScalableDimension: scalableDimension
+			}))).ScalingPolicies ?? []).find((p) => p.PolicyType === "TargetTrackingScaling");
+			if (!targetTracking) return null;
+			const cfg = targetTracking.TargetTrackingScalingPolicyConfiguration;
+			if (!cfg || cfg.TargetValue === void 0) return null;
+			const tttConfig = { TargetValue: cfg.TargetValue };
+			if (cfg.DisableScaleIn !== void 0) tttConfig["DisableScaleIn"] = cfg.DisableScaleIn;
+			if (cfg.ScaleInCooldown !== void 0) tttConfig["ScaleInCooldown"] = cfg.ScaleInCooldown;
+			if (cfg.ScaleOutCooldown !== void 0) tttConfig["ScaleOutCooldown"] = cfg.ScaleOutCooldown;
+			return {
+				MinCapacity: target.MinCapacity,
+				MaxCapacity: target.MaxCapacity,
+				TargetTrackingScalingPolicyConfiguration: tttConfig
+			};
 		} catch (err) {
-			this.logger.debug(`Could not query application-autoscaling for ${tableName}: ${err instanceof Error ? err.message : String(err)}`);
-			return false;
+			this.logger.debug(`Could not read application-autoscaling settings for ${tableName} (${scalableDimension}): ${err instanceof Error ? err.message : String(err)}`);
+			return null;
 		}
 	}
 	/**
@@ -8659,13 +8762,17 @@ var DynamoDBGlobalTableProvider = class {
 	* reverse-map. The drift comparator skips these so a templated value
 	* doesn't fire guaranteed false drift on every clean run.
 	*
-	* Issue #389 emptied this list:
-	*  - `WriteProvisionedThroughputSettings` (flat-WriteCapacityUnits
-	*    subset) is now reverse-mapped from `Table.ProvisionedThroughput`
-	*    when BillingMode is PROVISIONED AND application-autoscaling has
-	*    no policy on the WriteCapacityUnits dimension. Auto-scaling
-	*    cases emit an empty `{}` placeholder so the comparator does NOT
-	*    fire false drift on the literal `WriteCapacityUnits` subtree.
+	* Issue #389 + #395 emptied this list:
+	*  - `WriteProvisionedThroughputSettings` reverse-maps both the flat
+	*    `{WriteCapacityUnits}` shape (no autoscaling) AND the full
+	*    `{WriteCapacityAutoScalingSettings}` shape (autoscaling-managed;
+	*    recovered from `DescribeScalableTargets` +
+	*    `DescribeScalingPolicies`). PAY_PER_REQUEST tables emit `{}`.
+	*  - Per-replica `ReadProvisionedThroughputSettings.ReadCapacityAutoScalingSettings`
+	*    reverse-maps from a region-scoped application-autoscaling client
+	*    for the `dynamodb:table:ReadCapacityUnits` dimension. Non-
+	*    autoscaled replicas omit the key (no per-replica flat read
+	*    capacity available in `DescribeTable`).
 	*  - `WriteOnDemandThroughputSettings` is reverse-mapped from
 	*    `Table.OnDemandThroughput.MaxWriteRequestUnits`. Always-emit
 	*    `{}` placeholder when AWS reports no override.
@@ -18288,8 +18395,8 @@ var RDSProvider = class {
 
 //#endregion
 //#region src/provisioning/providers/rds-dbproxy-provider.ts
-const POLL_INTERVAL_MS = 5e3;
-const POLL_TIMEOUT_MS = 900 * 1e3;
+const POLL_INTERVAL_MS$1 = 5e3;
+const POLL_TIMEOUT_MS$1 = 900 * 1e3;
 /**
 * AWS RDS DBProxy Provider
 *
@@ -18376,7 +18483,7 @@ var RDSDBProxyProvider = class {
 		let endpoint;
 		let dbProxyArn;
 		let vpcId;
-		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		const deadline = Date.now() + POLL_TIMEOUT_MS$1;
 		let status;
 		while (Date.now() < deadline) {
 			try {
@@ -18393,7 +18500,7 @@ var RDSDBProxyProvider = class {
 				if (error instanceof DBProxyNotFoundFault) {} else if (error instanceof ProvisioningError) throw error;
 				else throw this.wrapError(error, "CREATE (poll)", resourceType, logicalId, dbProxyName);
 			}
-			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS$1));
 		}
 		if (!endpoint || !dbProxyArn) throw new ProvisioningError(`Timed out waiting for DBProxy ${dbProxyName} to become available (last status: ${status ?? "unknown"})`, resourceType, logicalId, dbProxyName);
 		return {
@@ -18407,6 +18514,11 @@ var RDSDBProxyProvider = class {
 	}
 	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
 		const client = this.getClient();
+		for (const field of [
+			"DBProxyName",
+			"EngineFamily",
+			"VpcSubnetIds"
+		]) if (JSON.stringify(properties[field]) !== JSON.stringify(previousProperties[field])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxy — destroy + redeploy to change it`);
 		const input = { DBProxyName: physicalId };
 		let hasModify = false;
 		for (const key of [
@@ -18449,7 +18561,7 @@ var RDSDBProxyProvider = class {
 			}
 			throw this.wrapError(error, "DELETE", resourceType, logicalId, physicalId);
 		}
-		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		const deadline = Date.now() + POLL_TIMEOUT_MS$1;
 		while (Date.now() < deadline) {
 			try {
 				await client.send(new DescribeDBProxiesCommand({ DBProxyName: physicalId }));
@@ -18460,7 +18572,7 @@ var RDSDBProxyProvider = class {
 				}
 				throw this.wrapError(error, "DELETE (poll)", resourceType, logicalId, physicalId);
 			}
-			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS$1));
 		}
 		throw new ProvisioningError(`Timed out waiting for DBProxy ${physicalId} to fully delete`, resourceType, logicalId, physicalId);
 	}
@@ -18635,6 +18747,337 @@ var RDSDBProxyProvider = class {
 	}
 };
 
+//#endregion
+//#region src/provisioning/providers/rds-dbproxy-endpoint-provider.ts
+const POLL_INTERVAL_MS = 5e3;
+const POLL_TIMEOUT_MS = 900 * 1e3;
+/**
+* AWS RDS DBProxyEndpoint Provider
+*
+* Implements resource provisioning for `AWS::RDS::DBProxyEndpoint` — the
+* additional read/write or read-only endpoint that can be attached to a
+* parent DBProxy.
+*
+* **Why a dedicated SDK provider** (per `feedback_dedicated_provider_over_special_case.md`):
+* completes the RDS DBProxy family started in PR #387 (`DBProxyTargetGroup`)
+* and PR #394 (`DBProxy`). Keeps the whole family on one codebase so create /
+* update / delete handling stays consistent across the parent + endpoints +
+* target-group children.
+*
+* **Lifecycle**:
+* - `create`: validates required fields (`DBProxyName` / `VpcSubnetIds`),
+*   issues `CreateDBProxyEndpointCommand`, then polls `DescribeDBProxyEndpoints`
+*   until `Status === 'available'`. Returns `physicalId = DBProxyEndpointName`
+*   plus `Endpoint` / `DBProxyEndpointArn` / `IsDefault` / `VpcId` in
+*   `attributes`.
+* - `update`: `ModifyDBProxyEndpointCommand` for the mutable fields
+*   (`VpcSecurityGroupIds` → SDK input `VpcSecurityGroupIds`,
+*   `NewDBProxyEndpointName` via rename). Tags diff via separate
+*   `AddTagsToResource` / `RemoveTagsFromResource` calls. DBProxyName /
+*   VpcSubnetIds / TargetRole are immutable on AWS.
+* - `delete`: `DeleteDBProxyEndpointCommand`, then polls until
+*   `DBProxyEndpointNotFoundFault`. Idempotent on NotFound (region-match
+*   gated). `DBProxyNotFoundFault` also idempotent — if the parent DBProxy
+*   is already gone via CASCADE, the endpoint is too.
+* - `getAttribute`: `Endpoint` / `DBProxyEndpointArn` / `IsDefault` / `VpcId`
+*   via `DescribeDBProxyEndpoints`, cached per `(physicalId, attribute)`.
+* - `import`: explicit `--resource <id>=<DBProxyEndpointName>` first; falls
+*   back to paginated auto-lookup via `DescribeDBProxyEndpoints` +
+*   `ListTagsForResource` matching `aws:cdk:path`.
+*
+* **physicalId** = DBProxyEndpointName (matches CFn `primaryIdentifier`).
+*/
+var RDSDBProxyEndpointProvider = class {
+	rdsClient;
+	providerRegion = process.env["AWS_REGION"];
+	logger = getLogger().child("RDSDBProxyEndpointProvider");
+	attributeCache = /* @__PURE__ */ new Map();
+	handledProperties = new Map([["AWS::RDS::DBProxyEndpoint", new Set([
+		"DBProxyEndpointName",
+		"DBProxyName",
+		"VpcSubnetIds",
+		"VpcSecurityGroupIds",
+		"TargetRole",
+		"Tags"
+	])]]);
+	getClient() {
+		if (!this.rdsClient) this.rdsClient = new RDSClient(this.providerRegion ? { region: this.providerRegion } : {});
+		return this.rdsClient;
+	}
+	async create(logicalId, resourceType, properties) {
+		const dbProxyName = properties["DBProxyName"];
+		if (!dbProxyName) throw new ProvisioningError(`DBProxyName is required for AWS::RDS::DBProxyEndpoint ${logicalId}`, resourceType, logicalId);
+		const dbProxyEndpointName = properties["DBProxyEndpointName"] ?? generateResourceName(logicalId, { maxLength: 64 });
+		const vpcSubnetIds = properties["VpcSubnetIds"];
+		if (!vpcSubnetIds || vpcSubnetIds.length === 0) throw new ProvisioningError(`VpcSubnetIds (at least one) is required for AWS::RDS::DBProxyEndpoint ${logicalId}`, resourceType, logicalId);
+		const client = this.getClient();
+		this.logger.debug(`Creating DBProxyEndpoint ${dbProxyEndpointName} (proxy=${dbProxyName})`);
+		try {
+			await client.send(new CreateDBProxyEndpointCommand({
+				DBProxyName: dbProxyName,
+				DBProxyEndpointName: dbProxyEndpointName,
+				VpcSubnetIds: vpcSubnetIds,
+				VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
+				TargetRole: properties["TargetRole"],
+				Tags: this.toAwsTags(properties["Tags"])
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "CREATE", resourceType, logicalId, void 0);
+		}
+		let endpoint;
+		let arn;
+		let isDefault;
+		let vpcId;
+		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		let status;
+		while (Date.now() < deadline) {
+			try {
+				const ep = (await client.send(new DescribeDBProxyEndpointsCommand({
+					DBProxyName: dbProxyName,
+					DBProxyEndpointName: dbProxyEndpointName
+				}))).DBProxyEndpoints?.[0];
+				status = ep?.Status;
+				if (status === "available") {
+					endpoint = ep?.Endpoint;
+					arn = ep?.DBProxyEndpointArn;
+					isDefault = ep?.IsDefault;
+					vpcId = ep?.VpcId;
+					break;
+				}
+				if (status === "incompatible-network" || status === "insufficient-resource-limits") throw new ProvisioningError(`DBProxyEndpoint ${dbProxyEndpointName} entered terminal failure state: ${status}`, resourceType, logicalId, dbProxyEndpointName);
+			} catch (error) {
+				if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {} else if (error instanceof ProvisioningError) throw error;
+				else throw this.wrapError(error, "CREATE (poll)", resourceType, logicalId, dbProxyEndpointName);
+			}
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+		}
+		if (!endpoint || !arn) throw new ProvisioningError(`Timed out waiting for DBProxyEndpoint ${dbProxyEndpointName} to become available (last status: ${status ?? "unknown"})`, resourceType, logicalId, dbProxyEndpointName);
+		return {
+			physicalId: dbProxyEndpointName,
+			attributes: {
+				Endpoint: endpoint,
+				DBProxyEndpointArn: arn,
+				IsDefault: isDefault ?? false,
+				VpcId: vpcId ?? ""
+			}
+		};
+	}
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		const client = this.getClient();
+		for (const field of [
+			"DBProxyName",
+			"DBProxyEndpointName",
+			"VpcSubnetIds",
+			"TargetRole"
+		]) if (JSON.stringify(properties[field]) !== JSON.stringify(previousProperties[field])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxyEndpoint — destroy + redeploy to change it`);
+		const oldSG = previousProperties["VpcSecurityGroupIds"] ?? [];
+		const newSG = properties["VpcSecurityGroupIds"] ?? [];
+		if (JSON.stringify(oldSG) !== JSON.stringify(newSG)) {
+			this.logger.debug(`Updating DBProxyEndpoint ${physicalId} security groups`);
+			try {
+				await client.send(new ModifyDBProxyEndpointCommand({
+					DBProxyEndpointName: physicalId,
+					VpcSecurityGroupIds: newSG
+				}));
+			} catch (error) {
+				throw this.wrapError(error, "UPDATE", resourceType, logicalId, physicalId);
+			}
+		}
+		await this.applyTagDiff(physicalId, previousProperties["Tags"], properties["Tags"], resourceType, logicalId);
+		this.invalidateAttributeCache(physicalId);
+		return {
+			physicalId,
+			wasReplaced: false
+		};
+	}
+	async delete(logicalId, physicalId, resourceType, _properties, context) {
+		const client = this.getClient();
+		this.logger.debug(`Deleting DBProxyEndpoint ${physicalId}`);
+		try {
+			await client.send(new DeleteDBProxyEndpointCommand({ DBProxyEndpointName: physicalId }));
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {
+				assertRegionMatch(await client.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
+				this.logger.debug(`DBProxyEndpoint ${physicalId} or parent already gone, treating as success`);
+				return;
+			}
+			throw this.wrapError(error, "DELETE", resourceType, logicalId, physicalId);
+		}
+		const deadline = Date.now() + POLL_TIMEOUT_MS;
+		while (Date.now() < deadline) {
+			try {
+				await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }));
+			} catch (error) {
+				if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) {
+					this.logger.debug(`DBProxyEndpoint ${physicalId} fully deleted`);
+					return;
+				}
+				throw this.wrapError(error, "DELETE (poll)", resourceType, logicalId, physicalId);
+			}
+			await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
+		}
+		throw new ProvisioningError(`Timed out waiting for DBProxyEndpoint ${physicalId} to fully delete`, resourceType, logicalId, physicalId);
+	}
+	async getAttribute(physicalId, _resourceType, attributeName) {
+		const cacheKey = `${physicalId}:${attributeName}`;
+		const cached = this.attributeCache.get(cacheKey);
+		if (cached !== void 0) return cached;
+		if (attributeName !== "Endpoint" && attributeName !== "DBProxyEndpointArn" && attributeName !== "IsDefault" && attributeName !== "VpcId") {
+			this.logger.warn(`Unknown attribute ${attributeName} for AWS::RDS::DBProxyEndpoint, returning undefined`);
+			return;
+		}
+		try {
+			const ep = (await this.getClient().send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			if (!ep) return void 0;
+			const value = {
+				Endpoint: ep.Endpoint,
+				DBProxyEndpointArn: ep.DBProxyEndpointArn,
+				IsDefault: ep.IsDefault ?? false,
+				VpcId: ep.VpcId
+			}[attributeName];
+			if (value !== void 0) this.attributeCache.set(cacheKey, value);
+			return value;
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) return;
+			throw error;
+		}
+	}
+	async import(input) {
+		const explicit = resolveExplicitPhysicalId(input, "DBProxyEndpointName");
+		if (explicit) return this.buildImportResult(explicit);
+		const client = this.getClient();
+		let marker;
+		do {
+			const describe = await client.send(new DescribeDBProxyEndpointsCommand({
+				Marker: marker,
+				MaxRecords: 100
+			}));
+			for (const ep of describe.DBProxyEndpoints ?? []) {
+				if (!ep.DBProxyEndpointArn) continue;
+				try {
+					if (matchesCdkPath((await client.send(new ListTagsForResourceCommand$8({ ResourceName: ep.DBProxyEndpointArn }))).TagList ?? [], input.cdkPath)) return this.buildImportResult(ep.DBProxyEndpointName ?? "");
+				} catch (error) {
+					this.logger.debug(`ListTagsForResource failed for ${ep.DBProxyEndpointName}: ${error instanceof Error ? error.message : String(error)}`);
+				}
+			}
+			marker = describe.Marker;
+		} while (marker);
+		return null;
+	}
+	async readCurrentState(physicalId) {
+		const client = this.getClient();
+		let ep;
+		try {
+			ep = (await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			if (!ep) return void 0;
+		} catch (error) {
+			if (error instanceof DBProxyEndpointNotFoundFault || error instanceof DBProxyNotFoundFault) return;
+			throw error;
+		}
+		const e = ep;
+		const result = {
+			DBProxyEndpointName: e.DBProxyEndpointName,
+			DBProxyName: e.DBProxyName,
+			VpcSubnetIds: e.VpcSubnetIds ?? [],
+			VpcSecurityGroupIds: e.VpcSecurityGroupIds ?? [],
+			TargetRole: e.TargetRole ?? "READ_WRITE"
+		};
+		if (e.DBProxyEndpointArn) try {
+			result["Tags"] = normalizeAwsTagsToCfn((await client.send(new ListTagsForResourceCommand$8({ ResourceName: e.DBProxyEndpointArn }))).TagList ?? []);
+		} catch (error) {
+			this.logger.debug(`ListTagsForResource failed for ${physicalId}: ${error instanceof Error ? error.message : String(error)}`);
+			result["Tags"] = [];
+		}
+		else result["Tags"] = [];
+		return result;
+	}
+	async applyTagDiff(physicalId, oldTags, newTags, resourceType, logicalId) {
+		const oldMap = this.toTagMap(oldTags);
+		const newMap = this.toTagMap(newTags);
+		if (oldMap.size === newMap.size && [...oldMap.keys()].every((k) => newMap.has(k)) && [...oldMap.entries()].every(([k, v]) => newMap.get(k) === v)) return;
+		const client = this.getClient();
+		const arnCacheKey = `${physicalId}:DBProxyEndpointArn`;
+		let arn = this.attributeCache.get(arnCacheKey);
+		if (!arn) try {
+			arn = (await client.send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0]?.DBProxyEndpointArn;
+			if (arn) this.attributeCache.set(arnCacheKey, arn);
+		} catch (error) {
+			this.logger.debug(`Skipping tag diff for ${physicalId} (no ARN): ${error instanceof Error ? error.message : String(error)}`);
+			return;
+		}
+		if (!arn) return;
+		const toRemove = [];
+		const toAdd = [];
+		for (const k of oldMap.keys()) if (!newMap.has(k)) toRemove.push(k);
+		for (const [k, v] of newMap.entries()) if (oldMap.get(k) !== v) toAdd.push({
+			Key: k,
+			Value: v
+		});
+		if (toRemove.length > 0) try {
+			await client.send(new RemoveTagsFromResourceCommand$1({
+				ResourceName: arn,
+				TagKeys: toRemove
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "UPDATE (remove tags)", resourceType, logicalId, physicalId);
+		}
+		if (toAdd.length > 0) try {
+			await client.send(new AddTagsToResourceCommand$1({
+				ResourceName: arn,
+				Tags: toAdd
+			}));
+		} catch (error) {
+			throw this.wrapError(error, "UPDATE (add tags)", resourceType, logicalId, physicalId);
+		}
+	}
+	toTagMap(tags) {
+		const map = /* @__PURE__ */ new Map();
+		if (Array.isArray(tags)) {
+			for (const entry of tags) if (entry?.Key !== void 0) map.set(entry.Key, entry.Value ?? "");
+		}
+		return map;
+	}
+	toAwsTags(tags) {
+		if (!Array.isArray(tags) || tags.length === 0) return void 0;
+		return tags.filter((t) => t.Key !== void 0).map((t) => ({
+			Key: t.Key,
+			Value: t.Value ?? ""
+		}));
+	}
+	async buildImportResult(physicalId) {
+		try {
+			const ep = (await this.getClient().send(new DescribeDBProxyEndpointsCommand({ DBProxyEndpointName: physicalId }))).DBProxyEndpoints?.[0];
+			return {
+				physicalId,
+				attributes: {
+					Endpoint: ep?.Endpoint ?? "",
+					DBProxyEndpointArn: ep?.DBProxyEndpointArn ?? "",
+					IsDefault: ep?.IsDefault ?? false,
+					VpcId: ep?.VpcId ?? ""
+				}
+			};
+		} catch {
+			return {
+				physicalId,
+				attributes: {
+					Endpoint: "",
+					DBProxyEndpointArn: "",
+					IsDefault: false,
+					VpcId: ""
+				}
+			};
+		}
+	}
+	invalidateAttributeCache(physicalId) {
+		for (const key of this.attributeCache.keys()) if (key.startsWith(`${physicalId}:`)) this.attributeCache.delete(key);
+	}
+	wrapError(error, op, resourceType, logicalId, physicalId) {
+		const message = error instanceof Error ? error.message : String(error);
+		const cause = error instanceof Error ? error : void 0;
+		return new ProvisioningError(`${op} failed for ${logicalId}: ${message}`, resourceType, logicalId, physicalId, cause);
+	}
+};
+
 //#endregion
 //#region src/provisioning/providers/rds-dbproxy-targetgroup-provider.ts
 /**
@@ -18754,6 +19197,12 @@ var RDSDBProxyTargetGroupProvider = class {
 		const dbProxyName = properties["DBProxyName"];
 		if (!dbProxyName) throw new ProvisioningError(`DBProxyName is required for AWS::RDS::DBProxyTargetGroup ${logicalId} update`, resourceType, logicalId, physicalId);
 		const targetGroupName = properties["TargetGroupName"] ?? "default";
+		for (const field of ["DBProxyName", "TargetGroupName"]) {
+			const oldVal = previousProperties[field];
+			const newVal = properties[field];
+			const normalize = (v) => field === "TargetGroupName" && (v === void 0 || v === "default") ? "default" : v;
+			if (JSON.stringify(normalize(oldVal)) !== JSON.stringify(normalize(newVal))) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, `${field} is immutable on AWS::RDS::DBProxyTargetGroup — destroy + redeploy to change it`);
+		}
 		const client = this.getClient();
 		const oldPool = previousProperties["ConnectionPoolConfigurationInfo"];
 		const newPool = properties["ConnectionPoolConfigurationInfo"];
@@ -29596,6 +30045,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::RDS::DBCluster", rdsProvider);
 	registry.register("AWS::RDS::DBInstance", rdsProvider);
 	registry.register("AWS::RDS::DBProxy", new RDSDBProxyProvider());
+	registry.register("AWS::RDS::DBProxyEndpoint", new RDSDBProxyEndpointProvider());
 	registry.register("AWS::RDS::DBProxyTargetGroup", new RDSDBProxyTargetGroupProvider());
 	const docdbProvider = new DocDBProvider();
 	registry.register("AWS::DocDB::DBSubnetGroup", docdbProvider);
@@ -44576,7 +45026,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.106.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.108.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());