@go-to-k/cdkd 0.115.3 → 0.116.0

package/README.md

@@ -4,15 +4,14 @@ Drop-in CDK CLI for existing CDK apps — faster deploys via AWS SDK instead of
 
 - **Drop-in CDK compatible** — your existing CDK app code runs as-is.
 - **Up to 15x faster deploys than the AWS CDK CLI (CloudFormation)**
-- **Run AWS resources locally without deploying** — invoke Lambdas, run ECS tasks, and serve API Gateway routes from Docker.
+- **Local dev for CDK apps** — invoke Lambdas, serve API Gateway routes, and run ECS tasks directly from your CDK code, no `cdk synth → sam local` round-trip.
 
 ![cdkd demo](https://github.com/user-attachments/assets/0128730d-186d-4bd3-abea-aabc80ba4dd5)
 
 **cdkd complements the AWS CDK CLI rather than replacing it.** Use cdkd in dev/test for rapid iteration and SAM-style local execution; use the AWS CDK CLI in production for full CloudFormation tooling. Bidirectional migration is supported — [import an existing CloudFormation stack](#importing-existing-resources) into cdkd for iteration, or [export back to CloudFormation](#exporting-a-stack-back-to-cloudformation) when ready for production.
 
-> **⚠️ WARNING: NOT PRODUCTION READY**
->
-> An experimental project exploring direct SDK provisioning as an alternative to the AWS CDK CLI — **NOT a replacement** and **NOT suitable for production use**. Features are incomplete, APIs may change without notice, and bugs may affect your AWS infrastructure. Use at your own risk in development / testing environments only.
+> [!IMPORTANT]
+> cdkd is for dev/test workflows only — early in development, not yet production-ready.
 
 ## Features
 

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { $ as StackHasActiveImportsError, A as Synthesizer, C as AssetPublisher, D as formatDockerLoginError, E as buildDockerImage, F as resolveSkipPrefix, I as resolveStateBucketWithDefault, J as PartialFailureError, K as LocalInvokeBuildError, L as resolveStateBucketWithDefaultAndSource, M as getLegacyStateBucketName, N as resolveApp, O as getDockerCmd, P as resolveCaptureObservedState, Q as RouteDiscoveryError, R as warnDeprecatedNoPrefixCliFlag, S as shouldRetainResource, T as WorkGraph, U as CdkdError, V as resolveBucketRegion, X as ResourceTimeoutError, Y as ProvisioningError, Z as ResourceUpdateNotSupportedError, _ as DiffCalculator, _t as withStackName, a as withRetry, at as normalizeAwsError, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, ct as getLogger, d as normalizeAwsTagsToCfn, dt as getLiveRenderer, et as StackTerminationProtectionError, f as resolveExplicitPhysicalId, ft as PATTERN_B_NAME_PROPERTIES, g as IntrinsicFunctionResolver, gt as withSkipPrefix, h as assertRegionMatch, ht as generateResourceNameWithFallback, i as withResourceDeadline, j as getDefaultStateBucketName, k as runDockerStreaming, l as CDK_PATH_TAG, m as CloudControlProvider, mt as generateResourceName, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, ot as withErrorHandling, p as ProviderRegistry, pt as PATTERN_B_RESOURCE_TYPES, r as DeployEngine, s as IAMRoleProvider, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as matchesCdkPath, ut as runStackBuffered, v as DagBuilder, w as stringifyValue, x as S3StateBackend, y as TemplateParser, z as AssemblyReader } from "./deploy-engine-VFIYh_NY.js";
+import { $ as RouteDiscoveryError, A as runDockerStreaming, B as AssemblyReader, C as AssetPublisher, D as formatDockerLoginError, E as buildDockerImage, F as resolveCaptureObservedState, H as resolveBucketRegion, I as resolveSkipPrefix, L as resolveStateBucketWithDefault, M as getDefaultStateBucketName, N as getLegacyStateBucketName, O as getDockerCmd, P as resolveApp, Q as ResourceUpdateNotSupportedError, R as resolveStateBucketWithDefaultAndSource, S as shouldRetainResource, T as WorkGraph, W as CdkdError, X as ProvisioningError, Y as PartialFailureError, Z as ResourceTimeoutError, _ as DiffCalculator, _t as withSkipPrefix, a as withRetry, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, d as normalizeAwsTagsToCfn, dt as runStackBuffered, et as StackHasActiveImportsError, f as resolveExplicitPhysicalId, ft as getLiveRenderer, g as IntrinsicFunctionResolver, gt as generateResourceNameWithFallback, h as assertRegionMatch, ht as generateResourceName, i as withResourceDeadline, j as Synthesizer, k as runDockerForeground, l as CDK_PATH_TAG, lt as getLogger, m as CloudControlProvider, mt as PATTERN_B_RESOURCE_TYPES, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, ot as normalizeAwsError, p as ProviderRegistry, pt as PATTERN_B_NAME_PROPERTIES, q as LocalInvokeBuildError, r as DeployEngine, s as IAMRoleProvider, st as withErrorHandling, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as StackTerminationProtectionError, u as matchesCdkPath, v as DagBuilder, vt as withStackName, w as stringifyValue, x as S3StateBackend, y as TemplateParser, z as warnDeprecatedNoPrefixCliFlag } from "./deploy-engine-Chzg_hDE.js";
 import { createHash, createPublicKey, createVerify, randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -37366,43 +37366,22 @@ async function pullImage(image, skipPull) {
 	}
 	if (getLogger().getLevel() === "debug") {
 		logger.info(`Pulling ${image}...`);
-		await runForeground$1(getDockerCmd(), ["pull", image]);
+		try {
+			await runDockerForeground(["pull", image]);
+		} catch (err) {
+			throw new DockerRunnerError(`docker pull ${image} failed: ${err.message}`);
+		}
 		return;
 	}
 	logger.debug(`Pulling ${image} (silent — pass --verbose to stream progress)`);
-	await runCaptured(getDockerCmd(), ["pull", image], image);
-}
-/**
-* Run a child process with stdout / stderr captured (not inherited).
-* On success: discard the captured output (silent). On failure: fold
-* the captured stderr (or stdout as a fallback) into the rejection so
-* the error message names what actually went wrong instead of a bare
-* "exit code N".
-*/
-function runCaptured(cmd, args, image) {
-	return new Promise((resolveProc, rejectProc) => {
-		const proc = spawn(cmd, args, { stdio: [
-			"ignore",
-			"pipe",
-			"pipe"
-		] });
-		let stdout = "";
-		let stderr = "";
-		proc.stdout?.on("data", (chunk) => {
-			stdout += chunk.toString("utf-8");
-		});
-		proc.stderr?.on("data", (chunk) => {
-			stderr += chunk.toString("utf-8");
-		});
-		proc.on("error", (err) => rejectProc(new DockerRunnerError(`${cmd} pull ${image} failed: ${err.message}`)));
-		proc.on("close", (code) => {
-			if (code === 0) {
-				resolveProc();
-				return;
-			}
-			rejectProc(new DockerRunnerError(`docker pull ${image} exited with code ${code}: ${stderr.trim() || stdout.trim() || "(no output)"}`));
-		});
-	});
+	try {
+		await runDockerStreaming(["pull", image], { streamLive: false });
+	} catch (err) {
+		const e = err;
+		if (e.exitCode === void 0 || e.exitCode === null) throw new DockerRunnerError(`docker pull ${image} failed: ${e.message ?? String(err)}`);
+		const detail = e.stderr?.trim() || e.stdout?.trim() || "(no output)";
+		throw new DockerRunnerError(`docker pull ${image} exited with code ${e.exitCode}: ${detail}`);
+	}
 }
 /**
 * Run the container detached. Returns the container ID.
@@ -37576,21 +37555,6 @@ function redactAwsCredentialsInArgs(args) {
 	}
 	return out;
 }
-/**
-* Run a child process attached to the parent's stdio (so users see
-* progress lines as they happen). Resolves on exit code 0; rejects with
-* the captured stderr otherwise. Used for `docker pull`.
-*/
-function runForeground$1(cmd, args) {
-	return new Promise((resolveProc, rejectProc) => {
-		const proc = spawn(cmd, args, { stdio: "inherit" });
-		proc.on("error", (err) => rejectProc(new DockerRunnerError(`${cmd} failed: ${err.message}`)));
-		proc.on("close", (code) => {
-			if (code === 0) resolveProc();
-			else rejectProc(new DockerRunnerError(`${cmd} exited with code ${code}`));
-		});
-	});
-}
 
 //#endregion
 //#region src/local/ecr-puller.ts
@@ -37665,7 +37629,11 @@ async function pullEcrImage(imageUri, options) {
 		ecr.destroy();
 	}
 	logger.info(`Pulling ${imageUri}...`);
-	await runForeground(getDockerCmd(), ["pull", imageUri]);
+	try {
+		await runDockerForeground(["pull", imageUri]);
+	} catch (err) {
+		throw new LocalInvokeBuildError(`docker pull ${imageUri} failed: ${err.message}`);
+	}
 	return imageUri;
 }
 /**
@@ -37729,22 +37697,6 @@ async function isImageInLocalCache(imageRef) {
 		return false;
 	}
 }
-/**
-* `docker pull` plumbed to the parent's stdio so the user sees layer
-* pull progress. Mirrors the runtime image's `pullImage` plumbing in
-* `docker-runner.ts` but local to this module to avoid a circular
-* dependency.
-*/
-function runForeground(cmd, args) {
-	return new Promise((resolve, reject) => {
-		const proc = spawn(cmd, args, { stdio: "inherit" });
-		proc.on("error", (err) => reject(new LocalInvokeBuildError(`${cmd} failed: ${err.message}`)));
-		proc.on("close", (code) => {
-			if (code === 0) resolve();
-			else reject(new LocalInvokeBuildError(`${cmd} exited with code ${code}`));
-		});
-	});
-}
 
 //#endregion
 //#region src/local/docker-image-builder.ts
@@ -38731,6 +38683,13 @@ function resolveLambdaArnOutcome(value) {
 	return resolveLambdaArnIntrinsic(value);
 }
 /**
+* Marker prefix the HTTP API v2 Route `Target` field always starts with —
+* AWS documents this as `integrations/<IntegrationId>`. Load-bearing
+* signal that an `Fn::Sub` shape on this field is actually pointing at
+* a same-template Integration rather than something unrelated.
+*/
+const TARGET_INTEGRATIONS_PREFIX = "integrations/";
+/**
 * Parse an HTTP API Route's `Target` into the integration's logical ID.
 *
 * CDK emits one of:
@@ -38739,9 +38698,14 @@ function resolveLambdaArnOutcome(value) {
 *     (the shape `aws-cdk-lib/aws-apigatewayv2`'s `HttpApi.addRoutes`
 *     actually emits — empty separator + `'integrations/'` literal
 *     prefix in front of the Ref).
+*   - `Fn::Sub: 'integrations/${MyIntegration}'` (1-arg form — AWS-docs
+*     canonical; emitted by hand-rolled `CfnRoute` constructs).
+*   - `Fn::Sub: ['integrations/${IntId}', { IntId: <Ref|GetAtt> }]`
+*     (2-arg form — what `cdk.Fn.sub(template, vars)` synthesizes
+*     when users build `target` programmatically).
 *   - `'integrations/abc123'` (literal — rare).
 *
-* All three forms are accepted; anything else throws.
+* All five forms are accepted; anything else throws.
 */
 function parseHttpApiTargetIntegration(target, location) {
 	if (typeof target === "string") {
@@ -38750,7 +38714,8 @@ function parseHttpApiTargetIntegration(target, location) {
 		throw new Error(`${location}: literal Target '${target}' must start with 'integrations/'`);
 	}
 	if (target && typeof target === "object" && !Array.isArray(target)) {
-		const join = target["Fn::Join"];
+		const obj = target;
+		const join = obj["Fn::Join"];
 		if (Array.isArray(join) && join.length === 2 && Array.isArray(join[1])) {
 			const sep = join[0];
 			const parts = join[1];
@@ -38763,8 +38728,30 @@ function parseHttpApiTargetIntegration(target, location) {
 				if (ref) return ref;
 			}
 		}
+		if ("Fn::Sub" in obj) {
+			const sub = obj["Fn::Sub"];
+			if (typeof sub === "string") {
+				const m = new RegExp(`^${TARGET_INTEGRATIONS_PREFIX}\\$\\{([^}]+)\\}$`).exec(sub);
+				if (m) {
+					const placeholder = m[1];
+					if (!placeholder.includes(".")) return placeholder;
+				}
+			}
+			if (Array.isArray(sub) && sub.length === 2 && typeof sub[0] === "string" && sub[1] !== null && typeof sub[1] === "object" && !Array.isArray(sub[1])) {
+				const template = sub[0];
+				const bindings = sub[1];
+				const m = new RegExp(`^${TARGET_INTEGRATIONS_PREFIX}\\$\\{([^}]+)\\}$`).exec(template);
+				if (m) {
+					const bound = bindings[m[1]];
+					if (bound !== void 0) {
+						const ref = pickRefLogicalId$2(bound);
+						if (ref) return ref;
+					}
+				}
+			}
+		}
 	}
-	throw new Error(`${location}: Target must be 'integrations/<id>' or Fn::Join with one of the documented shapes (got ${shortJson$1(target)}).`);
+	throw new Error(`${location}: Target must be 'integrations/<id>', Fn::Join with one of the documented shapes, or Fn::Sub with an 'integrations/\${...}' template (got ${shortJson$1(target)}).`);
 }
 /**
 * Parse an HTTP API RouteKey (`'<METHOD> <path>'` or `'$default'`) into
@@ -43875,7 +43862,17 @@ async function localInvokeCommand(target, options) {
 			if (stateAudit && stateAudit.unresolved.some((u) => u.key === key)) continue;
 			logger.warn(`Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or pass --from-state to recover deployed values.`);
 		}
-		if (options.fromState && !options.assumeRole && stateForRoleHint) suggestAssumeRoleFromState(stateForRoleHint, lambda.logicalId);
+		let resolvedAssumeRoleArn;
+		if (typeof options.assumeRole === "string") resolvedAssumeRoleArn = options.assumeRole;
+		else if (options.assumeRole === true) if (!stateForRoleHint) logger.warn("--assume-role passed without an ARN, but no cdkd state was loaded. Pair it with --from-state, or pass the ARN explicitly: --assume-role <arn>. Falling back to the developer's shell credentials.");
+		else {
+			const arn = resolveExecutionRoleArnFromState(stateForRoleHint, lambda.logicalId);
+			if (arn) {
+				resolvedAssumeRoleArn = arn;
+				logger.info(`--assume-role: auto-resolved execution role from cdkd state: ${arn}`);
+			} else logger.warn(`--assume-role: could not resolve the execution role ARN from cdkd state for '${lambda.logicalId}'. Pass the ARN explicitly: --assume-role <arn>. Falling back to the developer's shell credentials.`);
+		}
+		else if (options.assumeRole === void 0 && options.fromState && stateForRoleHint) suggestAssumeRoleFromState(stateForRoleHint, lambda.logicalId);
 		const event = await readEvent(options);
 		const dockerEnv = {
 			AWS_LAMBDA_FUNCTION_NAME: lambda.logicalId,
@@ -43886,14 +43883,22 @@ async function localInvokeCommand(target, options) {
 			AWS_LAMBDA_LOG_STREAM_NAME: "local",
 			...envResult.resolved
 		};
-		if (options.assumeRole) {
+		let assumeSucceeded = false;
+		if (resolvedAssumeRoleArn) {
 			const stsRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"];
-			const creds = await assumeLambdaExecutionRole(options.assumeRole, stsRegion);
-			dockerEnv["AWS_ACCESS_KEY_ID"] = creds.accessKeyId;
-			dockerEnv["AWS_SECRET_ACCESS_KEY"] = creds.secretAccessKey;
-			dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
-			if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
-		} else forwardAwsEnv(dockerEnv);
+			try {
+				const creds = await assumeLambdaExecutionRole(resolvedAssumeRoleArn, stsRegion);
+				dockerEnv["AWS_ACCESS_KEY_ID"] = creds.accessKeyId;
+				dockerEnv["AWS_SECRET_ACCESS_KEY"] = creds.secretAccessKey;
+				dockerEnv["AWS_SESSION_TOKEN"] = creds.sessionToken;
+				if (stsRegion) dockerEnv["AWS_REGION"] = stsRegion;
+				assumeSucceeded = true;
+			} catch (err) {
+				const reason = err instanceof Error ? err.message : String(err);
+				logger.warn(`--assume-role: STS AssumeRole(${resolvedAssumeRoleArn}) failed: ${reason}. Falling back to the developer's shell credentials.`);
+			}
+		}
+		if (!assumeSucceeded) forwardAwsEnv(dockerEnv);
 		let debugPort;
 		if (options.debugPort) {
 			debugPort = Number(options.debugPort);
@@ -44184,11 +44189,10 @@ async function readStdin() {
 /**
 * Assume the Lambda execution role and return temporary credentials.
 *
-* Q1 recommendation B (PR 1): closes the "developer has admin creds, the
-* deployed function has narrow ones" skew that SAM users routinely hit.
-* Off by default; opt-in via `--assume-role <arn>`. PR 2's `--from-state`
-* will add auto-resolution from the template's `Role` property; for now
-* the user supplies the ARN explicitly.
+* Closes the "developer has admin creds, the deployed function has narrow
+* ones" skew that SAM users routinely hit. Off by default; opt-in via
+* `--assume-role <arn>` (explicit) or `--assume-role` (bare, auto-resolved
+* from cdkd state via `resolveExecutionRoleArnFromState`).
 *
 * Mirrors the env-var-write pattern from `applyRoleArnIfSet` in
 * `src/utils/role-arn.ts` but writes the temp creds onto the container's
@@ -44263,26 +44267,51 @@ function materializeInlineCode(handler, source, fileExtension) {
 	return dir;
 }
 /**
-* When `--from-state` is set but `--assume-role` is not, log the function's
-* deployed execution role ARN once as a hint. Helps users discover the
-* scoped-credentials path without us silently auto-assuming (auto-assume
-* is a future PR's scope).
+* When `--from-state` is set but `--assume-role` was NOT passed (not even
+* bare), log the function's deployed execution role ARN once as a hint.
+* This is the pre-(#442) behavior — kept for backward compatibility with
+* users who don't want auto-assume. The bare-`--assume-role` path opts
+* in to actually assuming the resolved ARN; this hint path stays
+* informational only.
 */
 function suggestAssumeRoleFromState(state, logicalId) {
 	const logger = getLogger();
+	const roleArn = resolveExecutionRoleArnFromState(state, logicalId);
+	if (roleArn) logger.info(`Hint: the deployed function uses execution role ${roleArn}. Re-run with --assume-role to invoke under the deployed function's narrow permissions.`);
+}
+/**
+* Resolve the execution-role ARN for a Lambda from cdkd state. Used by
+* both the `--assume-role` auto-resolve path and the legacy hint path.
+*
+* Resolution rules (mirrors the v1 scope spelled out in (#442)):
+*
+*   - Literal-string `Role` starting with `arn:` → returned verbatim.
+*   - `{ Fn::GetAtt: [<RoleId>, 'Arn'] }` or `{ Ref: <RoleId> }` → looked up
+*     against the sibling IAM Role resource's `attributes.Arn` (recorded
+*     at deploy time by `IAMRoleProvider.create` / drift refresh).
+*   - Any other shape (`Fn::Sub` / `Fn::Join` / cross-stack imports) → not
+*     resolved in v1; the caller surfaces a warn and falls back to dev
+*     creds. Once real CDK apps emit those shapes for `Role` we can
+*     extend the resolver per `feedback_verify_cdk_synth_shape_before_resolver.md`.
+*
+* Returns `undefined` when state has no entry for the Lambda, the `Role`
+* is missing entirely, the referenced sibling has no `Arn` attribute
+* captured, or the shape is one we don't try to resolve.
+*
+* Exported for unit testing.
+*/
+function resolveExecutionRoleArnFromState(state, logicalId) {
 	const lambda = state.resources[logicalId];
-	if (!lambda) return;
+	if (!lambda) return void 0;
 	const roleRef = lambda.properties?.["Role"] ?? lambda.observedProperties?.["Role"];
-	let roleArn;
-	if (typeof roleRef === "string" && roleRef.startsWith("arn:")) roleArn = roleRef;
-	else if (typeof roleRef === "object" && roleRef !== null) {
+	if (typeof roleRef === "string" && roleRef.startsWith("arn:")) return roleRef;
+	if (typeof roleRef === "object" && roleRef !== null) {
 		const refLogicalId = pickReferencedLogicalId(roleRef);
 		if (refLogicalId) {
 			const cached = state.resources[refLogicalId]?.attributes?.["Arn"];
-			if (typeof cached === "string" && cached.startsWith("arn:")) roleArn = cached;
+			if (typeof cached === "string" && cached.startsWith("arn:")) return cached;
 		}
 	}
-	if (roleArn) logger.info(`Hint: the deployed function uses execution role ${roleArn}. Re-run with --assume-role <that-arn> to invoke under the deployed function's narrow permissions.`);
 }
 /**
 * Walk a single-key intrinsic and return the referenced logical ID, or
@@ -44306,7 +44335,7 @@ function pickReferencedLogicalId(intrinsic) {
 */
 function createLocalCommand() {
 	const local = new Command("local").description("Local execution of Lambda functions (RIE) and ECS task definitions (Docker required)");
-	const invoke = new Command("invoke").description("Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for IMAGE local-build path; `docker build` does not pull base layers by default")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role <arn>", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the \"developer admin / function narrow\" skew). Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default).")).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default — keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localInvokeCommand));
+	const invoke = new Command("invoke").description("Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for IMAGE local-build path; `docker build` does not pull base layers by default")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the \"developer admin / function narrow\" skew). Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from cdkd state (requires --from-state); (3) `--no-assume-role` explicitly opts out (forces dev creds even with --from-state). Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default — keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy.").default(false)).addOption(new Option("--stack-region <region>", "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions).")).action(withErrorHandling(localInvokeCommand));
 	[
 		...commonOptions,
 		...appOptions,
@@ -45594,7 +45623,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.115.3");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.116.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());