@go-to-k/cdkd 0.115.0 → 0.115.2

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { A as resolveApp, B as CdkdError, C as AssetPublisher, D as Synthesizer, E as buildDockerImage, F as warnDeprecatedNoPrefixCliFlag, G as PartialFailureError, I as AssemblyReader, J as ResourceUpdateNotSupportedError, K as ProvisioningError, M as resolveSkipPrefix, N as resolveStateBucketWithDefault, O as getDefaultStateBucketName, P as resolveStateBucketWithDefaultAndSource, R as resolveBucketRegion, S as shouldRetainResource, T as WorkGraph, U as LocalInvokeBuildError, X as StackHasActiveImportsError, Y as RouteDiscoveryError, Z as StackTerminationProtectionError, _ as DiffCalculator, a as withRetry, at as getLogger, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLiveRenderer, d as normalizeAwsTagsToCfn, dt as generateResourceName, f as resolveExplicitPhysicalId, ft as generateResourceNameWithFallback, g as IntrinsicFunctionResolver, h as assertRegionMatch, i as withResourceDeadline, j as resolveCaptureObservedState, k as getLegacyStateBucketName, l as CDK_PATH_TAG, lt as PATTERN_B_NAME_PROPERTIES, m as CloudControlProvider, mt as withStackName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as normalizeAwsError, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as withSkipPrefix, q as ResourceTimeoutError, r as DeployEngine, rt as withErrorHandling, s as IAMRoleProvider, st as runStackBuffered, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as PATTERN_B_RESOURCE_TYPES, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-CAg_d5uX.js";
+import { $ as StackTerminationProtectionError, A as getDefaultStateBucketName, B as resolveBucketRegion, C as AssetPublisher, D as getDockerCmd, E as buildDockerImage, F as resolveStateBucketWithDefault, G as LocalInvokeBuildError, H as CdkdError, I as resolveStateBucketWithDefaultAndSource, J as ProvisioningError, L as warnDeprecatedNoPrefixCliFlag, M as resolveApp, N as resolveCaptureObservedState, O as runDockerStreaming, P as resolveSkipPrefix, Q as StackHasActiveImportsError, R as AssemblyReader, S as shouldRetainResource, T as WorkGraph, X as ResourceUpdateNotSupportedError, Y as ResourceTimeoutError, Z as RouteDiscoveryError, _ as DiffCalculator, a as withRetry, at as withErrorHandling, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, d as normalizeAwsTagsToCfn, dt as PATTERN_B_NAME_PROPERTIES, f as resolveExplicitPhysicalId, ft as PATTERN_B_RESOURCE_TYPES, g as IntrinsicFunctionResolver, gt as withStackName, h as assertRegionMatch, ht as withSkipPrefix, i as withResourceDeadline, it as normalizeAwsError, j as getLegacyStateBucketName, k as Synthesizer, l as CDK_PATH_TAG, lt as runStackBuffered, m as CloudControlProvider, mt as generateResourceNameWithFallback, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as ProviderRegistry, pt as generateResourceName, q as PartialFailureError, r as DeployEngine, s as IAMRoleProvider, st as getLogger, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as getLiveRenderer, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser } from "./deploy-engine-AoZgViZN.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -27,7 +27,6 @@ import { tmpdir } from "node:os";
 import { AssociateVPCWithHostedZoneCommand, ChangeResourceRecordSetsCommand, ChangeTagsForResourceCommand, CreateHostedZoneCommand, CreateQueryLoggingConfigCommand, DeleteHostedZoneCommand, DeleteQueryLoggingConfigCommand, DisassociateVPCFromHostedZoneCommand, GetHostedZoneCommand, ListHostedZonesByNameCommand, ListHostedZonesCommand, ListQueryLoggingConfigsCommand, ListResourceRecordSetsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$6, Route53Client, UpdateHostedZoneCommentCommand } from "@aws-sdk/client-route-53";
 import { AddTagsCommand, CreateListenerCommand, CreateLoadBalancerCommand, CreateTargetGroupCommand, DeleteListenerCommand, DeleteLoadBalancerCommand, DeleteTargetGroupCommand, DescribeListenersCommand, DescribeLoadBalancerAttributesCommand, DescribeLoadBalancersCommand, DescribeTagsCommand, DescribeTargetGroupsCommand, ElasticLoadBalancingV2Client, ModifyListenerCommand, ModifyLoadBalancerAttributesCommand, ModifyTargetGroupCommand, RemoveTagsCommand, SetIpAddressTypeCommand, SetSecurityGroupsCommand, SetSubnetsCommand } from "@aws-sdk/client-elastic-load-balancing-v2";
 import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCommand, DisableKeyCommand, DisableKeyRotationCommand, EnableKeyCommand, EnableKeyRotationCommand, GetKeyPolicyCommand, GetKeyRotationStatusCommand, KMSClient, ListAliasesCommand, ListKeysCommand, ListResourceTagsCommand, NotFoundException as NotFoundException$2, PutKeyPolicyCommand, ScheduleKeyDeletionCommand, TagResourceCommand as TagResourceCommand$8, UntagResourceCommand as UntagResourceCommand$8, UpdateAliasCommand, UpdateKeyDescriptionCommand } from "@aws-sdk/client-kms";
-import { promisify } from "node:util";
 import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
 import graphlib from "graphlib";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBProxyEndpointCommand, CreateDBSubnetGroupCommand, DBProxyEndpointNotFoundFault, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBProxyEndpointCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyEndpointsCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBProxyTargetsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyEndpointCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
@@ -58,6 +57,7 @@ import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as
 import { AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import * as readline from "node:readline/promises";
 import { createServer } from "node:net";
+import { promisify } from "node:util";
 import { setTimeout as setTimeout$1 } from "node:timers/promises";
 import { readFile } from "fs/promises";
 import { createServer as createServer$1 } from "node:http";
@@ -37331,7 +37331,7 @@ function resolveRuntimeCodeMountPath(runtime) {
 
 //#endregion
 //#region src/local/docker-runner.ts
-const execFileAsync$3 = promisify(execFile);
+const execFileAsync$2 = promisify(execFile);
 /**
 * Wraps `docker pull` / `docker run` / `docker rm` for `cdkd local invoke`.
 *
@@ -37366,11 +37366,11 @@ async function pullImage(image, skipPull) {
 	}
 	if (getLogger().getLevel() === "debug") {
 		logger.info(`Pulling ${image}...`);
-		await runForeground$1("docker", ["pull", image]);
+		await runForeground$1(getDockerCmd(), ["pull", image]);
 		return;
 	}
 	logger.debug(`Pulling ${image} (silent — pass --verbose to stream progress)`);
-	await runCaptured("docker", ["pull", image], image);
+	await runCaptured(getDockerCmd(), ["pull", image], image);
 }
 /**
 * Run a child process with stdout / stderr captured (not inherited).
@@ -37441,9 +37441,9 @@ async function runDetached(opts) {
 		entryPointTail = opts.entryPoint.slice(1);
 	}
 	args.push(opts.image, ...entryPointTail, ...opts.cmd);
-	getLogger().child("docker").debug(`docker ${redactAwsCredentialsInArgs(args).join(" ")}`);
+	getLogger().child("docker").debug(`${getDockerCmd()} ${redactAwsCredentialsInArgs(args).join(" ")}`);
 	try {
-		const { stdout } = await execFileAsync$3("docker", args, { maxBuffer: 10 * 1024 * 1024 });
+		const { stdout } = await execFileAsync$2(getDockerCmd(), args, { maxBuffer: 10 * 1024 * 1024 });
 		return stdout.trim();
 	} catch (error) {
 		const err = error;
@@ -37455,7 +37455,7 @@ async function runDetached(opts) {
 * stops the stream (used by the caller in a `finally` block).
 */
 function streamLogs(containerId) {
-	const proc = spawn("docker", [
+	const proc = spawn(getDockerCmd(), [
 		"logs",
 		"-f",
 		containerId
@@ -37480,7 +37480,7 @@ async function removeContainer(containerId) {
 	if (!containerId) return;
 	const logger = getLogger().child("docker");
 	try {
-		await execFileAsync$3("docker", [
+		await execFileAsync$2(getDockerCmd(), [
 			"rm",
 			"-f",
 			containerId
@@ -37497,16 +37497,17 @@ async function removeContainer(containerId) {
 * otherwise see at the first run call. Called once up front.
 */
 async function ensureDockerAvailable() {
+	const cmd = getDockerCmd();
 	try {
-		await execFileAsync$3("docker", [
+		await execFileAsync$2(cmd, [
 			"version",
 			"--format",
 			"{{.Server.Version}}"
 		]);
 	} catch (error) {
 		const err = error;
-		if (err.code === "ENOENT") throw new DockerRunnerError("docker is not installed or not on PATH. cdkd local invoke needs Docker — install Docker Desktop or the docker CLI and retry.");
-		throw new DockerRunnerError(`docker daemon is not reachable: ${err.stderr?.trim() || err.message || String(error)}. Start Docker Desktop / the docker daemon and retry.`);
+		if (err.code === "ENOENT") throw new DockerRunnerError(`${cmd} is not installed or not on PATH. cdkd local invoke needs Docker (or a compatible CLI specified via CDK_DOCKER) — install it and retry.`);
+		throw new DockerRunnerError(`${cmd} daemon is not reachable: ${err.stderr?.trim() || err.message || String(error)}. Start Docker Desktop / the docker daemon and retry.`);
 	}
 }
 /**
@@ -37593,7 +37594,6 @@ function runForeground$1(cmd, args) {
 
 //#endregion
 //#region src/local/ecr-puller.ts
-const execFileAsync$2 = promisify(execFile);
 /**
 * ECR pull fallback for `cdkd local invoke` against deployed container
 * Lambdas (PR 5, D5.2). When `Code.ImageUri` resolves to an ECR URI but
@@ -37665,7 +37665,7 @@ async function pullEcrImage(imageUri, options) {
 		ecr.destroy();
 	}
 	logger.info(`Pulling ${imageUri}...`);
-	await runForeground("docker", ["pull", imageUri]);
+	await runForeground(getDockerCmd(), ["pull", imageUri]);
 	return imageUri;
 }
 /**
@@ -37679,33 +37679,20 @@ async function ecrLogin(client, accountId, region) {
 	const authData = (await client.send(new GetAuthorizationTokenCommand({}))).authorizationData?.[0];
 	if (!authData?.authorizationToken) throw new LocalInvokeBuildError("Failed to get ECR authorization token");
 	const [username, password] = Buffer.from(authData.authorizationToken, "base64").toString().split(":");
+	if (!username || password === void 0) throw new LocalInvokeBuildError("ECR authorization token has unexpected shape (missing username/password)");
 	const endpoint = authData.proxyEndpoint || `https://${accountId}.dkr.ecr.${region}.amazonaws.com`;
-	await new Promise((resolve, reject) => {
-		const proc = spawn("docker", [
+	try {
+		await runDockerStreaming([
 			"login",
 			"--username",
 			username,
 			"--password-stdin",
 			endpoint
-		], { stdio: [
-			"pipe",
-			"pipe",
-			"pipe"
-		] });
-		let stderr = "";
-		proc.stderr?.on("data", (data) => {
-			stderr += data.toString();
-		});
-		proc.on("close", (code) => {
-			if (code === 0) resolve();
-			else reject(new LocalInvokeBuildError(`ECR login failed: ${stderr.trim()}`));
-		});
-		proc.on("error", (err) => {
-			reject(new LocalInvokeBuildError(`ECR login failed: ${err.message}`));
-		});
-		proc.stdin?.write(password);
-		proc.stdin?.end();
-	});
+		], { input: password });
+	} catch (err) {
+		const e = err;
+		throw new LocalInvokeBuildError(`ECR login failed: ${e.stderr?.trim() || e.message || String(err)}`);
+	}
 }
 /**
 * `docker image inspect <uri>` returns non-zero when the image is not in
@@ -37714,7 +37701,7 @@ async function ecrLogin(client, accountId, region) {
 */
 async function verifyImageInLocalCache(imageUri) {
 	try {
-		await execFileAsync$2("docker", [
+		await runDockerStreaming([
 			"image",
 			"inspect",
 			imageUri
@@ -37732,7 +37719,7 @@ async function verifyImageInLocalCache(imageUri) {
 */
 async function isImageInLocalCache(imageRef) {
 	try {
-		await execFileAsync$2("docker", [
+		await runDockerStreaming([
 			"image",
 			"inspect",
 			imageRef
@@ -37782,10 +37769,24 @@ async function buildContainerImage(asset, cdkOutDir, options) {
 	}
 	logger.info(`Building container image (platform=${platform})...`);
 	logger.debug(`Local tag: ${tag}`);
-	await buildDockerImage(asset, cdkOutDir, tag, {
+	const actualTag = await buildDockerImage(asset, cdkOutDir, {
+		tag,
 		platform,
-		wrapError: (stderr) => new LocalInvokeBuildError(`docker build failed for container Lambda asset (${asset.source.directory}): ${stderr}`)
+		wrapError: (stderr) => new LocalInvokeBuildError(`docker build failed for container Lambda asset (${asset.source.directory ?? asset.source.executable?.join(" ")}): ${stderr}`)
 	});
+	if (actualTag !== tag) {
+		logger.debug(`Re-tagging executable-built image '${actualTag}' → '${tag}'`);
+		try {
+			await runDockerStreaming([
+				"tag",
+				actualTag,
+				tag
+			]);
+		} catch (err) {
+			const e = err;
+			throw new LocalInvokeBuildError(`docker tag failed re-tagging '${actualTag}' → '${tag}': ${e.stderr?.trim() || e.message || String(err)}`);
+		}
+	}
 	return tag;
 }
 /**
@@ -37800,27 +37801,49 @@ function architectureToPlatform(architecture) {
 	return architecture === "arm64" ? "linux/arm64" : "linux/amd64";
 }
 /**
-* Build a stable local tag derived from the asset's build context. We
-* fingerprint `directory + dockerFile + dockerBuildTarget + dockerBuildArgs`
-* so an iteration that doesn't change those fields hits Docker's layer
-* cache; an iteration that DOES change them gets a fresh tag (the old
-* tag stays around in `docker images` but harmlessly).
+* Build a stable local tag derived from the asset's build context.
+*
+* Fingerprints every field that affects the produced image so an iteration
+* that doesn't change those fields hits Docker's layer cache; an iteration
+* that DOES change them gets a fresh tag (the old tag stays around in
+* `docker images` but harmlessly). The fingerprint covers the full CDK
+* `DockerImageSource` schema so `dockerBuildSecrets` / `dockerBuildContexts`
+* / `cacheFrom` / etc. changes also bust the local cache as expected.
 */
 function computeLocalTag(source) {
 	const hash = createHash("sha256");
-	hash.update(source.directory);
-	hash.update("\0");
-	hash.update(source.dockerFile ?? "");
-	hash.update("\0");
-	hash.update(source.dockerBuildTarget ?? "");
+	pushField(hash, "directory", source.directory ?? "");
+	pushField(hash, "executable", (source.executable ?? []).join(" "));
+	pushField(hash, "dockerFile", source.dockerFile ?? "");
+	pushField(hash, "dockerBuildTarget", source.dockerBuildTarget ?? "");
+	pushField(hash, "networkMode", source.networkMode ?? "");
+	pushField(hash, "platform", source.platform ?? "");
+	pushField(hash, "dockerBuildSsh", source.dockerBuildSsh ?? "");
+	pushField(hash, "cacheDisabled", source.cacheDisabled ? "1" : "0");
+	pushMap(hash, "dockerBuildArgs", source.dockerBuildArgs);
+	pushMap(hash, "dockerBuildContexts", source.dockerBuildContexts);
+	pushMap(hash, "dockerBuildSecrets", source.dockerBuildSecrets);
+	pushField(hash, "dockerOutputs", (source.dockerOutputs ?? []).join(""));
+	pushField(hash, "cacheFrom", (source.cacheFrom ?? []).map((o) => JSON.stringify(o)).join(""));
+	pushField(hash, "cacheTo", source.cacheTo ? JSON.stringify(source.cacheTo) : "");
+	return `cdkd-local-invoke-${hash.digest("hex").slice(0, 16)}`;
+}
+function pushField(hash, name, value) {
+	hash.update(name);
+	hash.update("=");
+	hash.update(value);
 	hash.update("\0");
-	if (source.dockerBuildArgs) for (const [k, v] of Object.entries(source.dockerBuildArgs)) {
+}
+function pushMap(hash, name, value) {
+	hash.update(name);
+	hash.update("={");
+	if (value) for (const [k, v] of Object.entries(value)) {
 		hash.update(k);
 		hash.update("=");
 		hash.update(v);
-		hash.update("\0");
+		hash.update(";");
 	}
-	return `cdkd-local-invoke-${hash.digest("hex").slice(0, 16)}`;
+	hash.update("}\0");
 }
 
 //#endregion
@@ -39987,19 +40010,52 @@ function resolveHttpApiAuthorizer(authorizerLogicalId, routeAuthorizationScopes,
 	throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: AWS::ApiGatewayV2::Authorizer.AuthorizerType '${String(authType)}' is not supported by cdkd local start-api (only REQUEST / JWT).`);
 }
 /**
+* Thrown by {@link resolveLambdaArn} when the authorizer's
+* `AuthorizerUri` intrinsic does not resolve to a same-template Lambda
+* (cross-stack reference, imported Lambda, hand-rolled `Fn::Sub` outside
+* the invoke-ARN wrapper).
+*
+* Caught by {@link attachAuthorizers} and converted into a per-route
+* `unsupported` flag — symmetric with how `route-discovery.ts` handles
+* an unresolvable `IntegrationUri`. The route appears in the route
+* table as `[501 Not Implemented]` and returns HTTP 501 + the
+* `reason` at request time. The alternative ("attach no authorizer,
+* leave route normal") would be **unsafe** — it would let a request
+* hit a user-protected route without any auth check just because the
+* authorizer Lambda lives in another stack.
+*
+* Private to this module: `attachAuthorizers` is the only legitimate
+* consumer.
+*/
+var AuthorizerLambdaUnresolvableError = class AuthorizerLambdaUnresolvableError extends RouteDiscoveryError {
+	reason;
+	constructor(reason) {
+		super(reason);
+		this.reason = reason;
+		this.name = "AuthorizerLambdaUnresolvableError";
+		Object.setPrototypeOf(this, AuthorizerLambdaUnresolvableError.prototype);
+	}
+};
+/**
 * Resolve a Lambda ARN intrinsic to its logical ID. Delegates to the
 * shared `resolveLambdaArnIntrinsic` in `intrinsic-lambda-arn.ts`
 * (extracted in issue #286 Gaps 3 / 4); accepts `Ref` /
 * `Fn::GetAtt: [..., 'Arn']` / the REST v1 invoke-ARN `Fn::Join` wrapper
 * (now also used by CDK 2.x's `HttpLambdaAuthorizer` for HTTP API v2 —
 * verified via real `cdk synth` 2026-05-12) / the `Fn::Sub` invoke-ARN
-* wrapper (both 1-arg and 2-arg forms). Any other shape hard-errors with
-* the offending route + raw intrinsic named.
+* wrapper (both 1-arg and 2-arg forms).
+*
+* On an unresolvable intrinsic throws {@link AuthorizerLambdaUnresolvableError}
+* (caught by `attachAuthorizers` and converted into a per-route
+* deferred-501) instead of the generic `RouteDiscoveryError`, so
+* `cdkd local start-api` can boot against an app with a cross-stack
+* authorizer Lambda — symmetric with the route-level `IntegrationUri`
+* unresolvable case (issue #431).
 */
 function resolveLambdaArn(value, location) {
 	const outcome = resolveLambdaArnIntrinsic(value);
 	if (outcome.kind === "resolved") return outcome.logicalId;
-	throw new RouteDiscoveryError(`${location}: ${outcome.detail} (got ${shortJson(value)}). Only { Ref }, { Fn::GetAtt: [..., 'Arn'] }, the REST v1 invoke-ARN Fn::Join wrapper, and the Fn::Sub invoke-ARN wrapper are supported.`);
+	throw new AuthorizerLambdaUnresolvableError(`${location}: ${outcome.detail} (got ${shortJson(value)}). Only { Ref }, { Fn::GetAtt: [..., 'Arn'] }, the REST v1 invoke-ARN Fn::Join wrapper, and the Fn::Sub invoke-ARN wrapper are supported.`);
 }
 /**
 * REST v1 IdentitySource for TOKEN authorizers must be exactly one
@@ -40187,6 +40243,13 @@ function attachAuthorizers(stacks, routes) {
 				...authorizer && { authorizer }
 			});
 		} catch (err) {
+			if (err instanceof AuthorizerLambdaUnresolvableError) {
+				out.push({ route: {
+					...route,
+					unsupported: { reason: `${route.declaredAt}: authorizer Lambda Arn unresolvable — ${err.reason}` }
+				} });
+				continue;
+			}
 			errors.push(err instanceof Error ? err.message : String(err));
 		}
 	}
@@ -42727,7 +42790,7 @@ async function createTaskNetwork(options = {}) {
 	await pullImage(METADATA_ENDPOINT_IMAGE, options.skipPull ?? false);
 	logger.info(`Creating docker network ${networkName} (subnet ${METADATA_ENDPOINT_SUBNET})...`);
 	try {
-		await execFileAsync$1("docker", [
+		await execFileAsync$1(getDockerCmd(), [
 			"network",
 			"create",
 			"--driver",
@@ -42763,7 +42826,7 @@ async function createTaskNetwork(options = {}) {
 	logger.info("Starting ECS local-container-endpoints sidecar at 169.254.170.2...");
 	let sidecarContainerId;
 	try {
-		const { stdout } = await execFileAsync$1("docker", sidecarArgs, { maxBuffer: 10 * 1024 * 1024 });
+		const { stdout } = await execFileAsync$1(getDockerCmd(), sidecarArgs, { maxBuffer: 10 * 1024 * 1024 });
 		sidecarContainerId = stdout.trim();
 	} catch (err) {
 		await destroyNetworkOnly(networkName);
@@ -42809,7 +42872,7 @@ async function destroyNetworkOnly(networkName) {
 	if (!networkName) return;
 	const logger = getLogger().child("ecs-network");
 	try {
-		await execFileAsync$1("docker", [
+		await execFileAsync$1(getDockerCmd(), [
 			"network",
 			"rm",
 			networkName
@@ -43002,7 +43065,7 @@ async function cleanupEcsRun(state, options) {
 	await destroyTaskNetwork(state.network);
 	state.network = void 0;
 	for (const v of state.dockerVolumeNames) try {
-		await execFileAsync("docker", [
+		await execFileAsync(getDockerCmd(), [
 			"volume",
 			"rm",
 			v
@@ -43066,7 +43129,7 @@ async function runEcsTask(task, options, state) {
 		logger.info(`Starting container '${container.name}' (image=${imagePlan.get(container.name)})`);
 		let id;
 		try {
-			const { stdout } = await execFileAsync("docker", args, { maxBuffer: 10 * 1024 * 1024 });
+			const { stdout } = await execFileAsync(getDockerCmd(), args, { maxBuffer: 10 * 1024 * 1024 });
 			id = stdout.trim();
 		} catch (err) {
 			const e = err;
@@ -43175,7 +43238,7 @@ async function waitForContainerHealthy(containerId, displayName) {
 	let lastStatus = "";
 	while (Date.now() < deadline) {
 		try {
-			const { stdout } = await execFileAsync("docker", [
+			const { stdout } = await execFileAsync(getDockerCmd(), [
 				"inspect",
 				"--format",
 				"{{.State.Health.Status}}",
@@ -43198,7 +43261,7 @@ async function waitForContainerHealthy(containerId, displayName) {
 }
 async function waitForContainerExit(containerId) {
 	try {
-		const { stdout } = await execFileAsync("docker", ["wait", containerId], { maxBuffer: 1024 * 1024 });
+		const { stdout } = await execFileAsync(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
 		const code = Number.parseInt(stdout.trim(), 10);
 		return Number.isFinite(code) ? code : 1;
 	} catch (err) {
@@ -43208,7 +43271,7 @@ async function waitForContainerExit(containerId) {
 }
 async function stopContainer(containerId, graceSeconds) {
 	try {
-		await execFileAsync("docker", [
+		await execFileAsync(getDockerCmd(), [
 			"stop",
 			"-t",
 			String(graceSeconds),
@@ -43224,7 +43287,7 @@ function sleep(ms) {
 * every line. Returns a stop function for the caller's `finally`.
 */
 function streamContainerLogs(containerName, containerId) {
-	const proc = spawn("docker", [
+	const proc = spawn(getDockerCmd(), [
 		"logs",
 		"-f",
 		containerId
@@ -43291,10 +43354,21 @@ async function prepareOneImage(task, container, options) {
 			else if (entries.length === 1) asset = entries[0][1];
 			if (!asset) throw new EcsTaskRunnerError(`Container '${container.name}' references a CDK asset image but no matching entry was found in cdk.out. Re-synthesize the CDK app and retry.`);
 			const tag = `cdkd-local-run-task-${(image.assetHash ?? "single").slice(0, 16)}`;
-			await buildDockerImage(asset, cdkOutDir, tag, {
+			const actualTag = await buildDockerImage(asset, cdkOutDir, {
+				tag,
 				...options.platformOverride !== void 0 && { platform: options.platformOverride },
-				wrapError: (stderr) => new LocalInvokeBuildError(`docker build failed for ECS container '${container.name}' (${asset.source.directory}): ${stderr}`)
+				wrapError: (stderr) => new LocalInvokeBuildError(`docker build failed for ECS container '${container.name}' (${asset.source.directory ?? asset.source.executable?.join(" ")}): ${stderr}`)
 			});
+			if (actualTag !== tag) try {
+				await runDockerStreaming([
+					"tag",
+					actualTag,
+					tag
+				]);
+			} catch (err) {
+				const e = err;
+				throw new LocalInvokeBuildError(`docker tag failed re-tagging '${actualTag}' → '${tag}' for ECS container '${container.name}': ${e.stderr?.trim() || e.message || String(err)}`);
+			}
 			return tag;
 		}
 	}
@@ -43321,7 +43395,7 @@ async function realizeDockerVolumes(volumes, state) {
 		const dockerVolumeName = `cdkd-local-${v.name}-${randHex(4)}`;
 		args.push(dockerVolumeName);
 		try {
-			await execFileAsync("docker", args);
+			await execFileAsync(getDockerCmd(), args);
 			state.dockerVolumeNames.push(dockerVolumeName);
 			logger.debug(`Created docker volume ${dockerVolumeName} for task volume '${v.name}'`);
 		} catch (err) {
@@ -45520,7 +45594,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.115.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.115.2");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());