@go-to-k/cdkd 0.115.2 → 0.115.4

package/dist/{deploy-engine-AoZgViZN.js → deploy-engine-Chzg_hDE.js}

@@ -2896,6 +2896,87 @@ async function spawnStreaming(cmd, args, options = {}) {
 		}
 	});
 }
+/**
+* Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) attached
+* to the parent process's stdio so the user sees live output (`docker pull`
+* layer progress, `docker login` interactive prompts that should never fire
+* with `--password-stdin` but still safe to inherit, etc.). Resolves on exit
+* code 0; rejects with a plain `Error` carrying the exit code on any non-zero
+* exit, so the caller can wrap with its own error class.
+*
+* Differs from {@link runDockerStreaming} in two ways:
+*   1. `stdio: 'inherit'` — output is NOT captured, so terminal control codes
+*      (color, progress bar overwrites) flow through unchanged. This is the
+*      load-bearing reason for the split: `docker pull`'s progress bars only
+*      animate properly when stdout is a real TTY connected to the parent.
+*   2. No `input` / `streamLive` options — inherit-mode has nothing to
+*      capture and nothing to mirror.
+*
+* Used by the `--verbose`-mode `docker pull` plumbing in `docker-runner.ts`
+* and `ecr-puller.ts` (visible layer progress). Non-verbose pulls go through
+* {@link runDockerStreaming} so stderr can be folded into the error message.
+*/
+async function runDockerForeground(args, options = {}) {
+	return spawnForeground(getDockerCmd(), args, options);
+}
+/**
+* Foreground (stdio-inherit) spawn — the inherit-mode counterpart to
+* {@link spawnStreaming}. Used by {@link runDockerForeground} for docker-CLI
+* subprocesses.
+*
+* The ENOENT branch crafts a docker-specific install hint ("Install Docker
+* (or set CDK_DOCKER ...)"), so non-docker callers reusing this helper
+* would see a misleading error on missing-binary failures. Keep the binary
+* docker-shaped, or update the ENOENT message before adding a non-docker
+* call site.
+*/
+async function spawnForeground(cmd, args, options = {}) {
+	const env = options.env ? mergeEnv(options.env) : void 0;
+	return new Promise((resolve, reject) => {
+		const child = spawn(cmd, args, {
+			cwd: options.cwd,
+			env,
+			stdio: "inherit"
+		});
+		child.once("error", (err) => {
+			if (err.code === "ENOENT") {
+				const usingOverride = process.env["CDK_DOCKER"] === cmd && cmd !== "docker";
+				reject(/* @__PURE__ */ new Error(usingOverride ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.` : `Failed to find and execute '${cmd}'. Install Docker (or set the 'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`));
+			} else reject(/* @__PURE__ */ new Error(`${cmd} failed: ${err.message}`));
+		});
+		child.once("close", (code) => {
+			if (code === 0) resolve();
+			else reject(/* @__PURE__ */ new Error(`${cmd} exited with code ${code}`));
+		});
+	});
+}
+/**
+* Format the stderr from a failed `docker login` so the surfaced cdkd
+* error gives the user an actionable workaround when the underlying
+* failure is a credential-helper persistence bug (which has nothing to
+* do with cdkd, AWS, or IAM perms — the docker CLI itself fails to
+* save the auth token to the platform's credential store). The most
+* common shape is `osxkeychain` on macOS rejecting an overwrite for
+* an existing entry, but `wincred` (Windows), `pass` (Linux), and
+* `secretservice` (Linux) hit the same class of `Error saving
+* credentials` failure, so the rewritten message stays platform-
+* agnostic — `docker logout <endpoint>` is the correct recovery on
+* every backend.
+*
+* Detected docker / docker-credential-* output patterns:
+*   - `error storing credentials - err: exit status 1, out: \`The
+*     specified item already exists in the keychain.\`` (osxkeychain)
+*   - `Error saving credentials: ...` (any backend)
+*
+* Non-matching failures (genuine IAM / network / endpoint problems)
+* pass through with just the stderr trimmed — the original message
+* stays load-bearing for diagnosis.
+*/
+function formatDockerLoginError(stderr, endpoint) {
+	const trimmed = stderr.trim();
+	if (trimmed.includes("already exists in the keychain") || trimmed.includes("Error saving credentials")) return `docker's credential helper (osxkeychain on macOS / wincred on Windows / pass / secretservice on Linux) failed to persist the ECR auth token. The "already exists in the keychain" / "Error saving credentials" output is a known docker-credential-helpers issue — unrelated to cdkd, AWS credentials, or IAM perms. Quick fix: run \`docker logout ${endpoint}\` to clear the stale entry, then retry the cdkd command. Permanent fix: edit ~/.docker/config.json and remove (or empty) the platform-specific "credsStore" entry (e.g. "osxkeychain" → "" or "desktop" on macOS Docker Desktop). Original docker stderr: ${trimmed}`;
+	return trimmed;
+}
 function mergeEnv(overrides) {
 	const merged = { ...process.env };
 	for (const [k, v] of Object.entries(overrides)) if (v === void 0) delete merged[k];
@@ -2965,7 +3046,7 @@ async function buildDockerImage(asset, cdkOutDir, options) {
 function buildDockerBuildCommand(source, tag, platformOverride) {
 	const args = [
 		"build",
-		"-t",
+		"--tag",
 		tag
 	];
 	if (source.dockerBuildArgs) for (const [k, v] of Object.entries(source.dockerBuildArgs)) args.push("--build-arg", `${k}=${v}`);
@@ -2973,7 +3054,7 @@ function buildDockerBuildCommand(source, tag, platformOverride) {
 	if (source.dockerBuildSecrets) for (const [k, v] of Object.entries(source.dockerBuildSecrets)) args.push("--secret", `id=${k},${v}`);
 	if (source.dockerBuildSsh) args.push("--ssh", source.dockerBuildSsh);
 	if (source.dockerBuildTarget) args.push("--target", source.dockerBuildTarget);
-	if (source.dockerFile) args.push("-f", source.dockerFile);
+	if (source.dockerFile) args.push("--file", source.dockerFile);
 	if (source.networkMode) args.push("--network", source.networkMode);
 	const platform = platformOverride ?? source.platform;
 	if (platform) args.push("--platform", platform);
@@ -3129,7 +3210,7 @@ var DockerAssetPublisher = class {
 			], { input: password });
 		} catch (err) {
 			const e = err;
-			throw new AssetError(`ECR login failed: ${e.stderr?.trim() || e.message || String(err)}`);
+			throw new AssetError(`ECR login failed: ${formatDockerLoginError(e.stderr || e.message || String(err), endpoint)}`);
 		}
 	}
 	/**
@@ -9740,5 +9821,5 @@ var DeployEngine = class {
 };
 
 //#endregion
-export { StackTerminationProtectionError as $, getDefaultStateBucketName as A, resolveBucketRegion as B, AssetPublisher as C, getDockerCmd as D, buildDockerImage as E, resolveStateBucketWithDefault as F, LocalInvokeBuildError as G, CdkdError as H, resolveStateBucketWithDefaultAndSource as I, ProvisioningError as J, LockError as K, warnDeprecatedNoPrefixCliFlag as L, resolveApp as M, resolveCaptureObservedState as N, runDockerStreaming as O, resolveSkipPrefix as P, StackHasActiveImportsError as Q, AssemblyReader as R, shouldRetainResource as S, WorkGraph as T, ConfigError as U, AssetError as V, DependencyError as W, ResourceUpdateNotSupportedError as X, ResourceTimeoutError as Y, RouteDiscoveryError as Z, DiffCalculator as _, withRetry as a, withErrorHandling as at, LockManager as b, collectInlinePolicyNamesManagedBySiblings as c, setLogger as ct, normalizeAwsTagsToCfn as d, PATTERN_B_NAME_PROPERTIES as dt, StateError as et, resolveExplicitPhysicalId as f, PATTERN_B_RESOURCE_TYPES as ft, IntrinsicFunctionResolver as g, withStackName as gt, assertRegionMatch as h, withSkipPrefix as ht, withResourceDeadline as i, normalizeAwsError as it, getLegacyStateBucketName as j, Synthesizer as k, CDK_PATH_TAG as l, runStackBuffered as lt, CloudControlProvider as m, generateResourceNameWithFallback as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, formatError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, ConsoleLogger as ot, ProviderRegistry as p, generateResourceName as pt, PartialFailureError as q, DeployEngine as r, isCdkdError as rt, IAMRoleProvider as s, getLogger as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, SynthesisError as tt, matchesCdkPath as u, getLiveRenderer as ut, DagBuilder as v, stringifyValue as w, S3StateBackend as x, TemplateParser as y, clearBucketRegionCache as z };
-//# sourceMappingURL=deploy-engine-AoZgViZN.js.map
+export { RouteDiscoveryError as $, runDockerStreaming as A, AssemblyReader as B, AssetPublisher as C, formatDockerLoginError as D, buildDockerImage as E, resolveCaptureObservedState as F, ConfigError as G, resolveBucketRegion as H, resolveSkipPrefix as I, LockError as J, DependencyError as K, resolveStateBucketWithDefault as L, getDefaultStateBucketName as M, getLegacyStateBucketName as N, getDockerCmd as O, resolveApp as P, ResourceUpdateNotSupportedError as Q, resolveStateBucketWithDefaultAndSource as R, shouldRetainResource as S, WorkGraph as T, AssetError as U, clearBucketRegionCache as V, CdkdError as W, ProvisioningError as X, PartialFailureError as Y, ResourceTimeoutError as Z, DiffCalculator as _, withSkipPrefix as _t, withRetry as a, isCdkdError as at, LockManager as b, collectInlinePolicyNamesManagedBySiblings as c, ConsoleLogger as ct, normalizeAwsTagsToCfn as d, runStackBuffered as dt, StackHasActiveImportsError as et, resolveExplicitPhysicalId as f, getLiveRenderer as ft, IntrinsicFunctionResolver as g, generateResourceNameWithFallback as gt, assertRegionMatch as h, generateResourceName as ht, withResourceDeadline as i, formatError as it, Synthesizer as j, runDockerForeground as k, CDK_PATH_TAG as l, getLogger as lt, CloudControlProvider as m, PATTERN_B_RESOURCE_TYPES as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, StateError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, normalizeAwsError as ot, ProviderRegistry as p, PATTERN_B_NAME_PROPERTIES as pt, LocalInvokeBuildError as q, DeployEngine as r, SynthesisError as rt, IAMRoleProvider as s, withErrorHandling as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, StackTerminationProtectionError as tt, matchesCdkPath as u, setLogger as ut, DagBuilder as v, withStackName as vt, stringifyValue as w, S3StateBackend as x, TemplateParser as y, warnDeprecatedNoPrefixCliFlag as z };
+//# sourceMappingURL=deploy-engine-Chzg_hDE.js.map