@go-to-k/cdkd 0.115.1 → 0.115.3

package/dist/{deploy-engine-CAg_d5uX.js → deploy-engine-VFIYh_NY.js}

@@ -15,12 +15,11 @@ import { GetParameterCommand, SSMClient } from "@aws-sdk/client-ssm";
 import { GetCloudFrontOriginAccessIdentityCommand } from "@aws-sdk/client-cloudfront";
 import { createReadStream, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { basename, join, resolve } from "node:path";
-import { execFile, spawn } from "node:child_process";
+import { spawn } from "node:child_process";
 import { homedir, tmpdir } from "node:os";
 import { GetHostedZoneCommand, ListHostedZonesByNameCommand, Route53Client } from "@aws-sdk/client-route-53";
 import { DescribeListenersCommand, DescribeLoadBalancersCommand, ElasticLoadBalancingV2Client } from "@aws-sdk/client-elastic-load-balancing-v2";
 import { KMSClient, ListAliasesCommand } from "@aws-sdk/client-kms";
-import { promisify } from "node:util";
 import { DescribeImagesCommand as DescribeImagesCommand$1, ECRClient, GetAuthorizationTokenCommand } from "@aws-sdk/client-ecr";
 import { hostname } from "os";
 import graphlib from "graphlib";
@@ -2796,82 +2795,229 @@ var FileAssetPublisher = class {
 	}
 };
 
+//#endregion
+//#region src/utils/docker-cmd.ts
+/**
+* Shared helpers for invoking the docker-compatible CLI binary across cdkd.
+*
+* Two parity decisions with `aws-cdk-cli`'s `cdk-assets-lib`:
+*   1. `CDK_DOCKER` env var swaps the binary so podman / finch users can
+*      run cdkd without code changes (`CDK_DOCKER=podman cdkd deploy`).
+*   2. `runDockerStreaming` uses streaming spawn rather than `execFile`'s
+*      buffered `maxBuffer` ceiling. BuildKit's progress output can run to
+*      tens of MB on multi-stage builds with `# syntax=docker/dockerfile:1`
+*      frontend downloads + heredoc / `RUN --mount=...` features; the 50 MB
+*      `execFile` ceiling cdkd used to set silently killed those builds
+*      with `ERR_CHILD_PROCESS_STDIO_MAXBUFFER`.
+*
+* Output handling: stdout/stderr are collected in memory unconditionally so
+* `runDockerStreaming` can return them to the caller for error wrapping.
+* When the logger is at debug level (i.e. the user passed `--verbose`),
+* the chunks are ALSO mirrored to `process.stdout` / `process.stderr` so
+* the user sees live build progress.
+*/
+/**
+* Return the docker-compatible CLI binary to invoke. Matches CDK CLI:
+* `CDK_DOCKER` env var overrides the default `docker` so users on
+* podman / finch / nerdctl can swap without changing cdkd code.
+*/
+function getDockerCmd() {
+	const override = process.env["CDK_DOCKER"];
+	return override && override.length > 0 ? override : "docker";
+}
+/**
+* Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) with
+* streaming I/O. Collects stdout/stderr in memory and resolves with both
+* on exit code 0; rejects with a `SpawnError` carrying both streams on any
+* non-zero exit so the caller can wrap with its own error class without
+* losing the upstream output.
+*
+* No `maxBuffer` ceiling: BuildKit progress output frequently exceeds the
+* `child_process.execFile` default of 1 MB (cdkd previously bumped to 50 MB
+* but BuildKit + frontend pulls can still exceed that on first-time builds).
+*/
+async function runDockerStreaming(args, options = {}) {
+	return spawnStreaming(getDockerCmd(), args, options);
+}
+/**
+* Generic streaming spawn — used by `runDockerStreaming` AND by the
+* `executable` source mode in `docker-build.ts` (which runs an arbitrary
+* user-supplied build command, not docker).
+*/
+async function spawnStreaming(cmd, args, options = {}) {
+	const streamLive = options.streamLive ?? getLogger().getLevel() === "debug";
+	const env = options.env ? mergeEnv(options.env) : void 0;
+	return new Promise((resolve, reject) => {
+		const child = spawn(cmd, args, {
+			cwd: options.cwd,
+			env,
+			stdio: [
+				options.input ? "pipe" : "ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+		const stdoutChunks = [];
+		const stderrChunks = [];
+		child.stdout.on("data", (chunk) => {
+			stdoutChunks.push(chunk);
+			if (streamLive) process.stdout.write(chunk);
+		});
+		child.stderr.on("data", (chunk) => {
+			stderrChunks.push(chunk);
+			if (streamLive) process.stderr.write(chunk);
+		});
+		child.once("error", (err) => {
+			if (err.code === "ENOENT") {
+				const usingOverride = process.env["CDK_DOCKER"] === cmd && cmd !== "docker";
+				reject(/* @__PURE__ */ new Error(usingOverride ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.` : `Failed to find and execute '${cmd}'. Install Docker (or set the 'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`));
+			} else reject(err);
+		});
+		child.once("close", (code) => {
+			const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
+			const stderr = Buffer.concat(stderrChunks).toString("utf-8");
+			if (code === 0) resolve({
+				stdout,
+				stderr
+			});
+			else {
+				const message = stderr.trim() || stdout.trim() || `${cmd} ${args[0] ?? ""} exited with code ${code}`;
+				const err = new Error(message);
+				err.stderr = stderr;
+				err.stdout = stdout;
+				err.exitCode = code;
+				reject(err);
+			}
+		});
+		if (options.input !== void 0) {
+			child.stdin.on("error", () => {});
+			child.stdin.write(options.input);
+			child.stdin.end();
+		}
+	});
+}
+/**
+* Format the stderr from a failed `docker login` so the surfaced cdkd
+* error gives the user an actionable workaround when the underlying
+* failure is a credential-helper persistence bug (which has nothing to
+* do with cdkd, AWS, or IAM perms — the docker CLI itself fails to
+* save the auth token to the platform's credential store). The most
+* common shape is `osxkeychain` on macOS rejecting an overwrite for
+* an existing entry, but `wincred` (Windows), `pass` (Linux), and
+* `secretservice` (Linux) hit the same class of `Error saving
+* credentials` failure, so the rewritten message stays platform-
+* agnostic — `docker logout <endpoint>` is the correct recovery on
+* every backend.
+*
+* Detected docker / docker-credential-* output patterns:
+*   - `error storing credentials - err: exit status 1, out: \`The
+*     specified item already exists in the keychain.\`` (osxkeychain)
+*   - `Error saving credentials: ...` (any backend)
+*
+* Non-matching failures (genuine IAM / network / endpoint problems)
+* pass through with just the stderr trimmed — the original message
+* stays load-bearing for diagnosis.
+*/
+function formatDockerLoginError(stderr, endpoint) {
+	const trimmed = stderr.trim();
+	if (trimmed.includes("already exists in the keychain") || trimmed.includes("Error saving credentials")) return `docker's credential helper (osxkeychain on macOS / wincred on Windows / pass / secretservice on Linux) failed to persist the ECR auth token. The "already exists in the keychain" / "Error saving credentials" output is a known docker-credential-helpers issue — unrelated to cdkd, AWS credentials, or IAM perms. Quick fix: run \`docker logout ${endpoint}\` to clear the stale entry, then retry the cdkd command. Permanent fix: edit ~/.docker/config.json and remove (or empty) the platform-specific "credsStore" entry (e.g. "osxkeychain" → "" or "desktop" on macOS Docker Desktop). Original docker stderr: ${trimmed}`;
+	return trimmed;
+}
+function mergeEnv(overrides) {
+	const merged = { ...process.env };
+	for (const [k, v] of Object.entries(overrides)) if (v === void 0) delete merged[k];
+	else merged[k] = v;
+	return merged;
+}
+
 //#endregion
 //#region src/assets/docker-build.ts
-const execFileAsync$1 = promisify(execFile);
-/**
-* Shared `docker build` invocation used by both
-* `src/assets/docker-asset-publisher.ts` (publish to ECR) and
-* `src/local/docker-image-builder.ts` (run a container Lambda locally
-* via `cdkd local invoke`).
-*
-* Invariants preserved across the two callers:
-*   - `maxBuffer: 50 * 1024 * 1024` so a verbose `docker build` log doesn't
-*     blow up `execFile`'s default 1 MB buffer.
-*   - Build args iterate in the order `Object.entries(...)` returns them so
-*     the resulting layer cache is stable across runs (any reordering would
-*     bust caches for both the publisher and local invoke).
-*   - Errors carry the captured stderr so the user can re-run `docker build`
-*     directly to debug. The error class is parameterized: each consumer
-*     wraps the failure with its own typed error (`AssetError` for the
-*     publisher, `LocalInvokeBuildError` for local invoke) so the existing
-*     error-handling chain on each side keeps working unchanged.
-*
-* `platform` is new in PR 5: container Lambdas declare `Architectures:
-* [x86_64]` (default) or `[arm64]`, and the local-invoke caller MUST pass the
-* matching `linux/amd64` / `linux/arm64` so the built image can run on the
-* developer's host (which may have the opposite arch). The publisher caller
-* defaults to `undefined` for backward compatibility — passing through is
-* the no-op, the user's local docker default arch picks up.
-*/
-/**
-* Build a Docker image from a CDK asset's source description.
-*
-* @param asset       The `DockerImageAsset` entry from the cdk asset
-*                    manifest (carries `directory`, `dockerFile`, build args,
-*                    target, outputs).
-* @param cdkOutDir   Absolute path to the CDK output directory (`cdk.out`).
-*                    Used to resolve `asset.source.directory` to a real
-*                    build context on disk.
-* @param tag         Local image tag to apply (`-t`). The caller chooses a
-*                    deterministic tag so subsequent runs hit Docker's
-*                    layer cache (publisher uses `cdkd-asset-<hash>`;
-*                    local-invoke uses `cdkd-local-invoke-<hash>`).
-* @param platform    Optional `--platform` value (e.g. `linux/amd64`,
-*                    `linux/arm64`). When `undefined` the flag is omitted
-*                    and Docker uses its default platform.
-* @param wrapError   Function the caller provides to wrap the underlying
-*                    `docker build` failure in a typed error specific to
-*                    its call site.
-* @throws Whatever `wrapError` returns when `docker build` exits non-zero.
-*/
-async function buildDockerImage(asset, cdkOutDir, tag, options) {
+/**
+* Build a Docker image from a CDK asset source. Returns the local image
+* tag the caller should use for `docker tag` / `docker push` (publisher)
+* or `docker run` (local-invoke).
+*
+* Two source modes (mirrors CDK CLI):
+*   - `executable`: run the user-supplied command, capture stdout, return
+*     it as the local tag. The script is responsible for building AND
+*     tagging; cdkd just reads the tag from stdout. Used for Bazel /
+*     custom build pipelines that produce images outside `docker build`.
+*   - `directory`: standard `docker build <dir>` with the full BuildKit
+*     flag set described above. Caller must pass `options.tag`.
+*
+* `executable` takes precedence when both fields are set (matches CDK CLI).
+*/
+async function buildDockerImage(asset, cdkOutDir, options) {
+	const source = asset.source;
 	const logger = getLogger().child("docker-build");
+	if (source.executable && source.executable.length > 0) {
+		const [cmd, ...args] = source.executable;
+		if (!cmd) throw options.wrapError("asset source.executable[] is empty");
+		const cwd = source.directory ? `${cdkOutDir}/${source.directory}` : cdkOutDir;
+		logger.debug(`Building Docker image via executable: ${source.executable.join(" ")} (cwd=${cwd})`);
+		let result;
+		try {
+			result = await spawnStreaming(cmd, args, { cwd });
+		} catch (err) {
+			const e = err;
+			throw options.wrapError(e.stderr || e.message || String(err));
+		}
+		const tag = result.stdout.trim();
+		if (!tag) throw options.wrapError(`docker build executable produced no output (expected the local image tag on stdout): ${cmd} ${args.join(" ")}`);
+		return tag;
+	}
+	if (!source.directory) throw options.wrapError(`DockerImageAssetSource must set either 'directory' or 'executable' (got: ${JSON.stringify(source)})`);
+	if (!options.tag) throw options.wrapError("buildDockerImage(directory mode) requires options.tag");
+	const buildArgs = buildDockerBuildCommand(source, options.tag, options.platform);
+	const contextDir = `${cdkOutDir}/${source.directory}`;
+	buildArgs.push(".");
+	logger.debug(`${getDockerCmd()} ${buildArgs.join(" ")} (cwd=${contextDir})`);
+	try {
+		await runDockerStreaming(buildArgs, {
+			cwd: contextDir,
+			env: { BUILDX_NO_DEFAULT_ATTESTATIONS: "1" }
+		});
+	} catch (err) {
+		const e = err;
+		throw options.wrapError(e.stderr || e.message || String(err));
+	}
+	return options.tag;
+}
+/**
+* Construct the `docker build` argv (without the trailing context directory).
+*
+* Exported for unit-test inspection — keeps the flag-ordering assertions
+* independent of the spawn machinery.
+*/
+function buildDockerBuildCommand(source, tag, platformOverride) {
 	const args = [
 		"build",
 		"-t",
 		tag
 	];
-	if (options.platform) args.push("--platform", options.platform);
-	if (asset.source.dockerFile) args.push("-f", asset.source.dockerFile);
-	if (asset.source.dockerBuildArgs) for (const [key, value] of Object.entries(asset.source.dockerBuildArgs)) args.push("--build-arg", `${key}=${value}`);
-	if (asset.source.dockerBuildTarget) args.push("--target", asset.source.dockerBuildTarget);
-	if (asset.source.dockerOutputs) for (const output of asset.source.dockerOutputs) args.push("--output", output);
-	const contextDir = `${cdkOutDir}/${asset.source.directory}`;
-	args.push(contextDir);
-	logger.debug(`docker ${args.join(" ")}`);
-	try {
-		await execFileAsync$1("docker", args, { maxBuffer: 50 * 1024 * 1024 });
-	} catch (error) {
-		const err = error;
-		const stderr = err.stderr || err.message || String(error);
-		throw options.wrapError(stderr);
-	}
+	if (source.dockerBuildArgs) for (const [k, v] of Object.entries(source.dockerBuildArgs)) args.push("--build-arg", `${k}=${v}`);
+	if (source.dockerBuildContexts) for (const [k, v] of Object.entries(source.dockerBuildContexts)) args.push("--build-context", `${k}=${v}`);
+	if (source.dockerBuildSecrets) for (const [k, v] of Object.entries(source.dockerBuildSecrets)) args.push("--secret", `id=${k},${v}`);
+	if (source.dockerBuildSsh) args.push("--ssh", source.dockerBuildSsh);
+	if (source.dockerBuildTarget) args.push("--target", source.dockerBuildTarget);
+	if (source.dockerFile) args.push("-f", source.dockerFile);
+	if (source.networkMode) args.push("--network", source.networkMode);
+	const platform = platformOverride ?? source.platform;
+	if (platform) args.push("--platform", platform);
+	if (source.dockerOutputs) for (const output of source.dockerOutputs) args.push(`--output=${output}`);
+	if (source.cacheFrom) for (const c of source.cacheFrom) args.push("--cache-from", cacheOptionToFlag(c));
+	if (source.cacheTo) args.push("--cache-to", cacheOptionToFlag(source.cacheTo));
+	if (source.cacheDisabled) args.push("--no-cache");
+	return args;
+}
+function cacheOptionToFlag(option) {
+	let flag = `type=${option.type}`;
+	if (option.params) for (const [k, v] of Object.entries(option.params)) flag += `,${k}=${v}`;
+	return flag;
 }
 
 //#endregion
 //#region src/assets/docker-asset-publisher.ts
-const execFileAsync = promisify(execFile);
 /**
 * Publishes Docker image assets to ECR
 *
@@ -2913,7 +3059,13 @@ var DockerAssetPublisher = class {
 		}
 	}
 	/**
-	* Build a Docker image (public, used by WorkGraph asset-build nodes)
+	* Build a Docker image (public, used by WorkGraph asset-build nodes).
+	*
+	* For `directory` source mode the build tags the result as `localTag`
+	* directly via `docker build -t`. For `executable` source mode the
+	* user-supplied script returns its own tag; cdkd re-tags it to `localTag`
+	* via `docker tag` so the downstream `push()` step (which is wired to
+	* `localTag` at graph-construction time) keeps working unchanged.
 	*/
 	async build(asset, cdkOutputDir, localTag) {
 		await this.buildImage(asset, cdkOutputDir, localTag);
@@ -2961,69 +3113,79 @@ var DockerAssetPublisher = class {
 	/**
 	* Build Docker image — delegates to the shared `buildDockerImage`
 	* helper so this code path stays in sync with `cdkd local invoke`'s
-	* container-Lambda build path. `--platform` is currently not threaded
-	* through here (publish-assets has no Architectures hint to consult);
-	* a follow-up can lift this once the asset manifest carries a
-	* platform field.
+	* container-Lambda build path. `--platform` is read from the asset
+	* manifest's `source.platform` (when set); cdkd does not currently
+	* inject a publish-side override.
+	*
+	* `buildDockerImage` returns the actual local tag. For `directory`
+	* source mode that's always `tag`. For `executable` source mode the
+	* user's script returns its own tag; we re-tag via `docker tag` so the
+	* downstream push step finds the image under the deterministic
+	* `cdkd-asset-<hash>` name it expects.
 	*/
 	async buildImage(asset, cdkOutputDir, tag) {
-		await buildDockerImage(asset, cdkOutputDir, tag, { wrapError: (stderr) => new AssetError(`Docker build failed: ${stderr}`) });
+		const actualTag = await buildDockerImage(asset, cdkOutputDir, {
+			tag,
+			wrapError: (stderr) => new AssetError(`Docker build failed: ${stderr}`)
+		});
+		if (actualTag !== tag) {
+			this.logger.debug(`Re-tagging executable-built image '${actualTag}' → '${tag}'`);
+			try {
+				await this.tagImage(actualTag, tag);
+			} catch (err) {
+				throw new AssetError(`Docker tag failed re-tagging '${actualTag}' → '${tag}': ${err.message ?? String(err)}`);
+			}
+		}
 	}
 	/**
-	* Authenticate with ECR
+	* Authenticate with ECR via `docker login --password-stdin`.
 	*/
 	async ecrLogin(client, accountId, region) {
 		const authData = (await client.send(new GetAuthorizationTokenCommand({}))).authorizationData?.[0];
 		if (!authData?.authorizationToken) throw new AssetError("Failed to get ECR authorization token");
 		const [username, password] = Buffer.from(authData.authorizationToken, "base64").toString().split(":");
+		if (!username || password === void 0) throw new AssetError("ECR authorization token has unexpected shape (missing username/password)");
 		const endpoint = authData.proxyEndpoint || `https://${accountId}.dkr.ecr.${region}.amazonaws.com`;
-		await new Promise((resolve, reject) => {
-			const proc = spawn("docker", [
+		try {
+			await runDockerStreaming([
 				"login",
 				"--username",
 				username,
 				"--password-stdin",
 				endpoint
-			], { stdio: [
-				"pipe",
-				"pipe",
-				"pipe"
-			] });
-			let stderr = "";
-			proc.stderr?.on("data", (data) => {
-				stderr += data.toString();
-			});
-			proc.on("close", (code) => {
-				if (code === 0) resolve();
-				else reject(new AssetError(`ECR login failed: ${stderr.trim()}`));
-			});
-			proc.on("error", (err) => {
-				reject(new AssetError(`ECR login failed: ${err.message}`));
-			});
-			proc.stdin?.write(password);
-			proc.stdin?.end();
-		});
+			], { input: password });
+		} catch (err) {
+			const e = err;
+			throw new AssetError(`ECR login failed: ${formatDockerLoginError(e.stderr || e.message || String(err), endpoint)}`);
+		}
 	}
 	/**
 	* Tag Docker image
 	*/
 	async tagImage(source, target) {
-		await execFileAsync("docker", [
-			"tag",
-			source,
-			target
-		]);
+		try {
+			await runDockerStreaming([
+				"tag",
+				source,
+				target
+			]);
+		} catch (err) {
+			const e = err;
+			throw new AssetError(`Docker tag failed: ${e.stderr?.trim() || e.message || String(err)}`);
+		}
 	}
 	/**
-	* Push Docker image
+	* Push Docker image. Streams progress to stdout/stderr (via
+	* `runDockerStreaming`) when the logger is at debug level, otherwise
+	* captures silently and surfaces stderr on non-zero exit.
 	*/
 	async pushImage(uri) {
 		this.logger.debug(`Pushing: ${uri}`);
 		try {
-			await execFileAsync("docker", ["push", uri], { maxBuffer: 50 * 1024 * 1024 });
-		} catch (error) {
-			const err = error;
-			throw new AssetError(`Docker push failed: ${err.stderr || err.message || String(error)}`);
+			await runDockerStreaming(["push", uri]);
+		} catch (err) {
+			const e = err;
+			throw new AssetError(`Docker push failed: ${e.stderr?.trim() || e.message || String(err)}`);
 		}
 	}
 	/**
@@ -9605,5 +9767,5 @@ var DeployEngine = class {
 };
 
 //#endregion
-export { SynthesisError as $, resolveApp as A, CdkdError as B, AssetPublisher as C, Synthesizer as D, buildDockerImage as E, warnDeprecatedNoPrefixCliFlag as F, PartialFailureError as G, DependencyError as H, AssemblyReader as I, ResourceUpdateNotSupportedError as J, ProvisioningError as K, clearBucketRegionCache as L, resolveSkipPrefix as M, resolveStateBucketWithDefault as N, getDefaultStateBucketName as O, resolveStateBucketWithDefaultAndSource as P, StateError as Q, resolveBucketRegion as R, shouldRetainResource as S, WorkGraph as T, LocalInvokeBuildError as U, ConfigError as V, LockError as W, StackHasActiveImportsError as X, RouteDiscoveryError as Y, StackTerminationProtectionError as Z, DiffCalculator as _, withRetry as a, getLogger as at, LockManager as b, collectInlinePolicyNamesManagedBySiblings as c, getLiveRenderer as ct, normalizeAwsTagsToCfn as d, generateResourceName as dt, formatError as et, resolveExplicitPhysicalId as f, generateResourceNameWithFallback as ft, IntrinsicFunctionResolver as g, assertRegionMatch as h, withResourceDeadline as i, ConsoleLogger as it, resolveCaptureObservedState as j, getLegacyStateBucketName as k, CDK_PATH_TAG as l, PATTERN_B_NAME_PROPERTIES as lt, CloudControlProvider as m, withStackName as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, normalizeAwsError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, setLogger as ot, ProviderRegistry as p, withSkipPrefix as pt, ResourceTimeoutError as q, DeployEngine as r, withErrorHandling as rt, IAMRoleProvider as s, runStackBuffered as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, isCdkdError as tt, matchesCdkPath as u, PATTERN_B_RESOURCE_TYPES as ut, DagBuilder as v, stringifyValue as w, S3StateBackend as x, TemplateParser as y, AssetError as z };
-//# sourceMappingURL=deploy-engine-CAg_d5uX.js.map
+export { StackHasActiveImportsError as $, Synthesizer as A, clearBucketRegionCache as B, AssetPublisher as C, formatDockerLoginError as D, buildDockerImage as E, resolveSkipPrefix as F, DependencyError as G, AssetError as H, resolveStateBucketWithDefault as I, PartialFailureError as J, LocalInvokeBuildError as K, resolveStateBucketWithDefaultAndSource as L, getLegacyStateBucketName as M, resolveApp as N, getDockerCmd as O, resolveCaptureObservedState as P, RouteDiscoveryError as Q, warnDeprecatedNoPrefixCliFlag as R, shouldRetainResource as S, WorkGraph as T, CdkdError as U, resolveBucketRegion as V, ConfigError as W, ResourceTimeoutError as X, ProvisioningError as Y, ResourceUpdateNotSupportedError as Z, DiffCalculator as _, withStackName as _t, withRetry as a, normalizeAwsError as at, LockManager as b, collectInlinePolicyNamesManagedBySiblings as c, getLogger as ct, normalizeAwsTagsToCfn as d, getLiveRenderer as dt, StackTerminationProtectionError as et, resolveExplicitPhysicalId as f, PATTERN_B_NAME_PROPERTIES as ft, IntrinsicFunctionResolver as g, withSkipPrefix as gt, assertRegionMatch as h, generateResourceNameWithFallback as ht, withResourceDeadline as i, isCdkdError as it, getDefaultStateBucketName as j, runDockerStreaming as k, CDK_PATH_TAG as l, setLogger as lt, CloudControlProvider as m, generateResourceName as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, SynthesisError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, withErrorHandling as ot, ProviderRegistry as p, PATTERN_B_RESOURCE_TYPES as pt, LockError as q, DeployEngine as r, formatError as rt, IAMRoleProvider as s, ConsoleLogger as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, StateError as tt, matchesCdkPath as u, runStackBuffered as ut, DagBuilder as v, stringifyValue as w, S3StateBackend as x, TemplateParser as y, AssemblyReader as z };
+//# sourceMappingURL=deploy-engine-VFIYh_NY.js.map