@go-to-k/cdkd 0.115.1 → 0.115.2

package/dist/{deploy-engine-CAg_d5uX.js → deploy-engine-AoZgViZN.js}

@@ -15,12 +15,11 @@ import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
 import { GetCloudFrontOriginAccessIdentityCommand } from "@aws-sdk/client-cloudfront";
 import { createReadStream, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { basename, join, resolve } from "node:path";
-import { execFile, spawn } from "node:child_process";
+import { spawn } from "node:child_process";
 import { homedir, tmpdir } from "node:os";
 import { GetHostedZoneCommand, ListHostedZonesByNameCommand, Route53Client } from "@aws-sdk/client-route-53";
 import { DescribeListenersCommand, DescribeLoadBalancersCommand, ElasticLoadBalancingV2Client } from "@aws-sdk/client-elastic-load-balancing-v2";
 import { KMSClient, ListAliasesCommand } from "@aws-sdk/client-kms";
-import { promisify } from "node:util";
 import { DescribeImagesCommand as DescribeImagesCommand$1, ECRClient, GetAuthorizationTokenCommand } from "@aws-sdk/client-ecr";
 import { hostname } from "os";
 import graphlib from "graphlib";
@@ -2796,82 +2795,202 @@ var FileAssetPublisher = class {
 	}
 };
 
+//#endregion
+//#region src/utils/docker-cmd.ts
+/**
+* Shared helpers for invoking the docker-compatible CLI binary across cdkd.
+*
+* Two parity decisions with `aws-cdk-cli`'s `cdk-assets-lib`:
+*   1. `CDK_DOCKER` env var swaps the binary so podman / finch users can
+*      run cdkd without code changes (`CDK_DOCKER=podman cdkd deploy`).
+*   2. `runDockerStreaming` uses streaming spawn rather than `execFile`'s
+*      buffered `maxBuffer` ceiling. BuildKit's progress output can run to
+*      tens of MB on multi-stage builds with `# syntax=docker/dockerfile:1`
+*      frontend downloads + heredoc / `RUN --mount=...` features; the 50 MB
+*      `execFile` ceiling cdkd used to set silently killed those builds
+*      with `ERR_CHILD_PROCESS_STDIO_MAXBUFFER`.
+*
+* Output handling: stdout/stderr are collected in memory unconditionally so
+* `runDockerStreaming` can return them to the caller for error wrapping.
+* When the logger is at debug level (i.e. the user passed `--verbose`),
+* the chunks are ALSO mirrored to `process.stdout` / `process.stderr` so
+* the user sees live build progress.
+*/
+/**
+* Return the docker-compatible CLI binary to invoke. Matches CDK CLI:
+* `CDK_DOCKER` env var overrides the default `docker` so users on
+* podman / finch / nerdctl can swap without changing cdkd code.
+*/
+function getDockerCmd() {
+	const override = process.env["CDK_DOCKER"];
+	return override && override.length > 0 ? override : "docker";
+}
+/**
+* Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) with
+* streaming I/O. Collects stdout/stderr in memory and resolves with both
+* on exit code 0; rejects with a `SpawnError` carrying both streams on any
+* non-zero exit so the caller can wrap with its own error class without
+* losing the upstream output.
+*
+* No `maxBuffer` ceiling: BuildKit progress output frequently exceeds the
+* `child_process.execFile` default of 1 MB (cdkd previously bumped to 50 MB
+* but BuildKit + frontend pulls can still exceed that on first-time builds).
+*/
+async function runDockerStreaming(args, options = {}) {
+	return spawnStreaming(getDockerCmd(), args, options);
+}
+/**
+* Generic streaming spawn — used by `runDockerStreaming` AND by the
+* `executable` source mode in `docker-build.ts` (which runs an arbitrary
+* user-supplied build command, not docker).
+*/
+async function spawnStreaming(cmd, args, options = {}) {
+	const streamLive = options.streamLive ?? getLogger().getLevel() === "debug";
+	const env = options.env ? mergeEnv(options.env) : void 0;
+	return new Promise((resolve, reject) => {
+		const child = spawn(cmd, args, {
+			cwd: options.cwd,
+			env,
+			stdio: [
+				options.input ? "pipe" : "ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+		const stdoutChunks = [];
+		const stderrChunks = [];
+		child.stdout.on("data", (chunk) => {
+			stdoutChunks.push(chunk);
+			if (streamLive) process.stdout.write(chunk);
+		});
+		child.stderr.on("data", (chunk) => {
+			stderrChunks.push(chunk);
+			if (streamLive) process.stderr.write(chunk);
+		});
+		child.once("error", (err) => {
+			if (err.code === "ENOENT") {
+				const usingOverride = process.env["CDK_DOCKER"] === cmd && cmd !== "docker";
+				reject(/* @__PURE__ */ new Error(usingOverride ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.` : `Failed to find and execute '${cmd}'. Install Docker (or set the 'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`));
+			} else reject(err);
+		});
+		child.once("close", (code) => {
+			const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
+			const stderr = Buffer.concat(stderrChunks).toString("utf-8");
+			if (code === 0) resolve({
+				stdout,
+				stderr
+			});
+			else {
+				const message = stderr.trim() || stdout.trim() || `${cmd} ${args[0] ?? ""} exited with code ${code}`;
+				const err = new Error(message);
+				err.stderr = stderr;
+				err.stdout = stdout;
+				err.exitCode = code;
+				reject(err);
+			}
+		});
+		if (options.input !== void 0) {
+			child.stdin.on("error", () => {});
+			child.stdin.write(options.input);
+			child.stdin.end();
+		}
+	});
+}
+function mergeEnv(overrides) {
+	const merged = { ...process.env };
+	for (const [k, v] of Object.entries(overrides)) if (v === void 0) delete merged[k];
+	else merged[k] = v;
+	return merged;
+}
+
 //#endregion
 //#region src/assets/docker-build.ts
-const execFileAsync$1 = promisify(execFile);
-/**
-* Shared `docker build` invocation used by both
-* `src/assets/docker-asset-publisher.ts` (publish to ECR) and
-* `src/local/docker-image-builder.ts` (run a container Lambda locally
-* via `cdkd local invoke`).
-*
-* Invariants preserved across the two callers:
-*   - `maxBuffer: 50 * 1024 * 1024` so a verbose `docker build` log doesn't
-*     blow up `execFile`'s default 1 MB buffer.
-*   - Build args iterate in the order `Object.entries(...)` returns them so
-*     the resulting layer cache is stable across runs (any reordering would
-*     bust caches for both the publisher and local invoke).
-*   - Errors carry the captured stderr so the user can re-run `docker build`
-*     directly to debug. The error class is parameterized: each consumer
-*     wraps the failure with its own typed error (`AssetError` for the
-*     publisher, `LocalInvokeBuildError` for local invoke) so the existing
-*     error-handling chain on each side keeps working unchanged.
-*
-* `platform` is new in PR 5: container Lambdas declare `Architectures:
-* [x86_64]` (default) or `[arm64]`, and the local-invoke caller MUST pass the
-* matching `linux/amd64` / `linux/arm64` so the built image can run on the
-* developer's host (which may have the opposite arch). The publisher caller
-* defaults to `undefined` for backward compatibility — passing through is
-* the no-op, the user's local docker default arch picks up.
-*/
-/**
-* Build a Docker image from a CDK asset's source description.
-*
-* @param asset       The `DockerImageAsset` entry from the cdk asset
-*                    manifest (carries `directory`, `dockerFile`, build args,
-*                    target, outputs).
-* @param cdkOutDir   Absolute path to the CDK output directory (`cdk.out`).
-*                    Used to resolve `asset.source.directory` to a real
-*                    build context on disk.
-* @param tag         Local image tag to apply (`-t`). The caller chooses a
-*                    deterministic tag so subsequent runs hit Docker's
-*                    layer cache (publisher uses `cdkd-asset-<hash>`;
-*                    local-invoke uses `cdkd-local-invoke-<hash>`).
-* @param platform    Optional `--platform` value (e.g. `linux/amd64`,
-*                    `linux/arm64`). When `undefined` the flag is omitted
-*                    and Docker uses its default platform.
-* @param wrapError   Function the caller provides to wrap the underlying
-*                    `docker build` failure in a typed error specific to
-*                    its call site.
-* @throws Whatever `wrapError` returns when `docker build` exits non-zero.
-*/
-async function buildDockerImage(asset, cdkOutDir, tag, options) {
+/**
+* Build a Docker image from a CDK asset source. Returns the local image
+* tag the caller should use for `docker tag` / `docker push` (publisher)
+* or `docker run` (local-invoke).
+*
+* Two source modes (mirrors CDK CLI):
+*   - `executable`: run the user-supplied command, capture stdout, return
+*     it as the local tag. The script is responsible for building AND
+*     tagging; cdkd just reads the tag from stdout. Used for Bazel /
+*     custom build pipelines that produce images outside `docker build`.
+*   - `directory`: standard `docker build <dir>` with the full BuildKit
+*     flag set described above. Caller must pass `options.tag`.
+*
+* `executable` takes precedence when both fields are set (matches CDK CLI).
+*/
+async function buildDockerImage(asset, cdkOutDir, options) {
+	const source = asset.source;
 	const logger = getLogger().child("docker-build");
+	if (source.executable && source.executable.length > 0) {
+		const [cmd, ...args] = source.executable;
+		if (!cmd) throw options.wrapError("asset source.executable[] is empty");
+		const cwd = source.directory ? `${cdkOutDir}/${source.directory}` : cdkOutDir;
+		logger.debug(`Building Docker image via executable: ${source.executable.join(" ")} (cwd=${cwd})`);
+		let result;
+		try {
+			result = await spawnStreaming(cmd, args, { cwd });
+		} catch (err) {
+			const e = err;
+			throw options.wrapError(e.stderr || e.message || String(err));
+		}
+		const tag = result.stdout.trim();
+		if (!tag) throw options.wrapError(`docker build executable produced no output (expected the local image tag on stdout): ${cmd} ${args.join(" ")}`);
+		return tag;
+	}
+	if (!source.directory) throw options.wrapError(`DockerImageAssetSource must set either 'directory' or 'executable' (got: ${JSON.stringify(source)})`);
+	if (!options.tag) throw options.wrapError("buildDockerImage(directory mode) requires options.tag");
+	const buildArgs = buildDockerBuildCommand(source, options.tag, options.platform);
+	const contextDir = `${cdkOutDir}/${source.directory}`;
+	buildArgs.push(".");
+	logger.debug(`${getDockerCmd()} ${buildArgs.join(" ")} (cwd=${contextDir})`);
+	try {
+		await runDockerStreaming(buildArgs, {
+			cwd: contextDir,
+			env: { BUILDX_NO_DEFAULT_ATTESTATIONS: "1" }
+		});
+	} catch (err) {
+		const e = err;
+		throw options.wrapError(e.stderr || e.message || String(err));
+	}
+	return options.tag;
+}
+/**
+* Construct the `docker build` argv (without the trailing context directory).
+*
+* Exported for unit-test inspection — keeps the flag-ordering assertions
+* independent of the spawn machinery.
+*/
+function buildDockerBuildCommand(source, tag, platformOverride) {
 	const args = [
 		"build",
 		"-t",
 		tag
 	];
-	if (options.platform) args.push("--platform", options.platform);
-	if (asset.source.dockerFile) args.push("-f", asset.source.dockerFile);
-	if (asset.source.dockerBuildArgs) for (const [key, value] of Object.entries(asset.source.dockerBuildArgs)) args.push("--build-arg", `${key}=${value}`);
-	if (asset.source.dockerBuildTarget) args.push("--target", asset.source.dockerBuildTarget);
-	if (asset.source.dockerOutputs) for (const output of asset.source.dockerOutputs) args.push("--output", output);
-	const contextDir = `${cdkOutDir}/${asset.source.directory}`;
-	args.push(contextDir);
-	logger.debug(`docker ${args.join(" ")}`);
-	try {
-		await execFileAsync$1("docker", args, { maxBuffer: 50 * 1024 * 1024 });
-	} catch (error) {
-		const err = error;
-		const stderr = err.stderr || err.message || String(error);
-		throw options.wrapError(stderr);
-	}
+	if (source.dockerBuildArgs) for (const [k, v] of Object.entries(source.dockerBuildArgs)) args.push("--build-arg", `${k}=${v}`);
+	if (source.dockerBuildContexts) for (const [k, v] of Object.entries(source.dockerBuildContexts)) args.push("--build-context", `${k}=${v}`);
+	if (source.dockerBuildSecrets) for (const [k, v] of Object.entries(source.dockerBuildSecrets)) args.push("--secret", `id=${k},${v}`);
+	if (source.dockerBuildSsh) args.push("--ssh", source.dockerBuildSsh);
+	if (source.dockerBuildTarget) args.push("--target", source.dockerBuildTarget);
+	if (source.dockerFile) args.push("-f", source.dockerFile);
+	if (source.networkMode) args.push("--network", source.networkMode);
+	const platform = platformOverride ?? source.platform;
+	if (platform) args.push("--platform", platform);
+	if (source.dockerOutputs) for (const output of source.dockerOutputs) args.push(`--output=${output}`);
+	if (source.cacheFrom) for (const c of source.cacheFrom) args.push("--cache-from", cacheOptionToFlag(c));
+	if (source.cacheTo) args.push("--cache-to", cacheOptionToFlag(source.cacheTo));
+	if (source.cacheDisabled) args.push("--no-cache");
+	return args;
+}
+function cacheOptionToFlag(option) {
+	let flag = `type=${option.type}`;
+	if (option.params) for (const [k, v] of Object.entries(option.params)) flag += `,${k}=${v}`;
+	return flag;
 }
 
 //#endregion
 //#region src/assets/docker-asset-publisher.ts
-const execFileAsync = promisify(execFile);
 /**
 * Publishes Docker image assets to ECR
 *
@@ -2913,7 +3032,13 @@ var DockerAssetPublisher = class {
 		}
 	}
 	/**
-	* Build a Docker image (public, used by WorkGraph asset-build nodes)
+	* Build a Docker image (public, used by WorkGraph asset-build nodes).
+	*
+	* For `directory` source mode the build tags the result as `localTag`
+	* directly via `docker build -t`. For `executable` source mode the
+	* user-supplied script returns its own tag; cdkd re-tags it to `localTag`
+	* via `docker tag` so the downstream `push()` step (which is wired to
+	* `localTag` at graph-construction time) keeps working unchanged.
 	*/
 	async build(asset, cdkOutputDir, localTag) {
 		await this.buildImage(asset, cdkOutputDir, localTag);
@@ -2961,69 +3086,79 @@ var DockerAssetPublisher = class {
 	/**
 	* Build Docker image — delegates to the shared `buildDockerImage`
 	* helper so this code path stays in sync with `cdkd local invoke`'s
-	* container-Lambda build path. `--platform` is currently not threaded
-	* through here (publish-assets has no Architectures hint to consult);
-	* a follow-up can lift this once the asset manifest carries a
-	* platform field.
+	* container-Lambda build path. `--platform` is read from the asset
+	* manifest's `source.platform` (when set); cdkd does not currently
+	* inject a publish-side override.
+	*
+	* `buildDockerImage` returns the actual local tag. For `directory`
+	* source mode that's always `tag`. For `executable` source mode the
+	* user's script returns its own tag; we re-tag via `docker tag` so the
+	* downstream push step finds the image under the deterministic
+	* `cdkd-asset-<hash>` name it expects.
 	*/
 	async buildImage(asset, cdkOutputDir, tag) {
-		await buildDockerImage(asset, cdkOutputDir, tag, { wrapError: (stderr) => new AssetError(`Docker build failed: ${stderr}`) });
+		const actualTag = await buildDockerImage(asset, cdkOutputDir, {
+			tag,
+			wrapError: (stderr) => new AssetError(`Docker build failed: ${stderr}`)
+		});
+		if (actualTag !== tag) {
+			this.logger.debug(`Re-tagging executable-built image '${actualTag}' → '${tag}'`);
+			try {
+				await this.tagImage(actualTag, tag);
+			} catch (err) {
+				throw new AssetError(`Docker tag failed re-tagging '${actualTag}' → '${tag}': ${err.message ?? String(err)}`);
+			}
+		}
 	}
 	/**
-	* Authenticate with ECR
+	* Authenticate with ECR via `docker login --password-stdin`.
 	*/
 	async ecrLogin(client, accountId, region) {
 		const authData = (await client.send(new GetAuthorizationTokenCommand({}))).authorizationData?.[0];
 		if (!authData?.authorizationToken) throw new AssetError("Failed to get ECR authorization token");
 		const [username, password] = Buffer.from(authData.authorizationToken, "base64").toString().split(":");
+		if (!username || password === void 0) throw new AssetError("ECR authorization token has unexpected shape (missing username/password)");
 		const endpoint = authData.proxyEndpoint || `https://${accountId}.dkr.ecr.${region}.amazonaws.com`;
-		await new Promise((resolve, reject) => {
-			const proc = spawn("docker", [
+		try {
+			await runDockerStreaming([
 				"login",
 				"--username",
 				username,
 				"--password-stdin",
 				endpoint
-			], { stdio: [
-				"pipe",
-				"pipe",
-				"pipe"
-			] });
-			let stderr = "";
-			proc.stderr?.on("data", (data) => {
-				stderr += data.toString();
-			});
-			proc.on("close", (code) => {
-				if (code === 0) resolve();
-				else reject(new AssetError(`ECR login failed: ${stderr.trim()}`));
-			});
-			proc.on("error", (err) => {
-				reject(new AssetError(`ECR login failed: ${err.message}`));
-			});
-			proc.stdin?.write(password);
-			proc.stdin?.end();
-		});
+			], { input: password });
+		} catch (err) {
+			const e = err;
+			throw new AssetError(`ECR login failed: ${e.stderr?.trim() || e.message || String(err)}`);
+		}
 	}
 	/**
 	* Tag Docker image
 	*/
 	async tagImage(source, target) {
-		await execFileAsync("docker", [
-			"tag",
-			source,
-			target
-		]);
+		try {
+			await runDockerStreaming([
+				"tag",
+				source,
+				target
+			]);
+		} catch (err) {
+			const e = err;
+			throw new AssetError(`Docker tag failed: ${e.stderr?.trim() || e.message || String(err)}`);
+		}
 	}
 	/**
-	* Push Docker image
+	* Push Docker image. Streams progress to stdout/stderr (via
+	* `runDockerStreaming`) when the logger is at debug level, otherwise
+	* captures silently and surfaces stderr on non-zero exit.
 	*/
 	async pushImage(uri) {
 		this.logger.debug(`Pushing: ${uri}`);
 		try {
-			await execFileAsync("docker", ["push", uri], { maxBuffer: 50 * 1024 * 1024 });
-		} catch (error) {
-			const err = error;
-			throw new AssetError(`Docker push failed: ${err.stderr || err.message || String(error)}`);
+			await runDockerStreaming(["push", uri]);
+		} catch (err) {
+			const e = err;
+			throw new AssetError(`Docker push failed: ${e.stderr?.trim() || e.message || String(err)}`);
 		}
 	}
 	/**
@@ -9605,5 +9740,5 @@ var DeployEngine = class {
 };
 
 //#endregion
-export { SynthesisError as $, resolveApp as A, CdkdError as B, AssetPublisher as C, Synthesizer as D, buildDockerImage as E, warnDeprecatedNoPrefixCliFlag as F, PartialFailureError as G, DependencyError as H, AssemblyReader as I, ResourceUpdateNotSupportedError as J, ProvisioningError as K, clearBucketRegionCache as L, resolveSkipPrefix as M, resolveStateBucketWithDefault as N, getDefaultStateBucketName as O, resolveStateBucketWithDefaultAndSource as P, StateError as Q, resolveBucketRegion as R, shouldRetainResource as S, WorkGraph as T, LocalInvokeBuildError as U, ConfigError as V, LockError as W, StackHasActiveImportsError as X, RouteDiscoveryError as Y, StackTerminationProtectionError as Z, DiffCalculator as _, withRetry as a, getLogger as at, LockManager as b, collectInlinePolicyNamesManagedBySiblings as c, getLiveRenderer as ct, normalizeAwsTagsToCfn as d, generateResourceName as dt, formatError as et, resolveExplicitPhysicalId as f, generateResourceNameWithFallback as ft, IntrinsicFunctionResolver as g, assertRegionMatch as h, withResourceDeadline as i, ConsoleLogger as it, resolveCaptureObservedState as j, getLegacyStateBucketName as k, CDK_PATH_TAG as l, PATTERN_B_NAME_PROPERTIES as lt, CloudControlProvider as m, withStackName as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, normalizeAwsError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, setLogger as ot, ProviderRegistry as p, withSkipPrefix as pt, ResourceTimeoutError as q, DeployEngine as r, withErrorHandling as rt, IAMRoleProvider as s, runStackBuffered as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, isCdkdError as tt, matchesCdkPath as u, PATTERN_B_RESOURCE_TYPES as ut, DagBuilder as v, stringifyValue as w, S3StateBackend as x, TemplateParser as y, AssetError as z };
-//# sourceMappingURL=deploy-engine-CAg_d5uX.js.map
+export { StackTerminationProtectionError as $, getDefaultStateBucketName as A, resolveBucketRegion as B, AssetPublisher as C, getDockerCmd as D, buildDockerImage as E, resolveStateBucketWithDefault as F, LocalInvokeBuildError as G, CdkdError as H, resolveStateBucketWithDefaultAndSource as I, ProvisioningError as J, LockError as K, warnDeprecatedNoPrefixCliFlag as L, resolveApp as M, resolveCaptureObservedState as N, runDockerStreaming as O, resolveSkipPrefix as P, StackHasActiveImportsError as Q, AssemblyReader as R, shouldRetainResource as S, WorkGraph as T, ConfigError as U, AssetError as V, DependencyError as W, ResourceUpdateNotSupportedError as X, ResourceTimeoutError as Y, RouteDiscoveryError as Z, DiffCalculator as _, withRetry as a, withErrorHandling as at, LockManager as b, collectInlinePolicyNamesManagedBySiblings as c, setLogger as ct, normalizeAwsTagsToCfn as d, PATTERN_B_NAME_PROPERTIES as dt, StateError as et, resolveExplicitPhysicalId as f, PATTERN_B_RESOURCE_TYPES as ft, IntrinsicFunctionResolver as g, withStackName as gt, assertRegionMatch as h, withSkipPrefix as ht, withResourceDeadline as i, normalizeAwsError as it, getLegacyStateBucketName as j, Synthesizer as k, CDK_PATH_TAG as l, runStackBuffered as lt, CloudControlProvider as m, generateResourceNameWithFallback as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, formatError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, ConsoleLogger as ot, ProviderRegistry as p, generateResourceName as pt, PartialFailureError as q, DeployEngine as r, isCdkdError as rt, IAMRoleProvider as s, getLogger as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, SynthesisError as tt, matchesCdkPath as u, getLiveRenderer as ut, DagBuilder as v, stringifyValue as w, S3StateBackend as x, TemplateParser as y, clearBucketRegionCache as z };
+//# sourceMappingURL=deploy-engine-AoZgViZN.js.map