@go-to-k/cdkd 0.12.0 → 0.14.0

package/dist/cli.js

@@ -447,7 +447,7 @@ var init_aws_clients = __esm({
 });
 
 // src/cli/index.ts
-import { Command as Command10 } from "commander";
+import { Command as Command11 } from "commander";
 
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -970,16 +970,18 @@ function resolveApp(cliApp) {
   const cdkJson = loadCdkJson();
   return cdkJson?.app ?? void 0;
 }
-function resolveStateBucket(cliBucket) {
+function resolveStateBucketWithSource(cliBucket) {
   if (cliBucket)
-    return cliBucket;
+    return { bucket: cliBucket, source: "cli-flag" };
   const envBucket = process.env["CDKD_STATE_BUCKET"];
   if (envBucket)
-    return envBucket;
+    return { bucket: envBucket, source: "env" };
   const cdkJson = loadCdkJson();
   const cdkdContext = cdkJson?.context?.["cdkd"];
   const bucket = cdkdContext?.["stateBucket"];
-  return typeof bucket === "string" ? bucket : void 0;
+  if (typeof bucket === "string")
+    return { bucket, source: "cdk.json" };
+  return void 0;
 }
 function getDefaultStateBucketName(accountId) {
   return `cdkd-state-${accountId}`;
@@ -988,30 +990,37 @@ function getLegacyStateBucketName(accountId, region) {
   return `cdkd-state-${accountId}-${region}`;
 }
 async function resolveStateBucketWithDefault(cliBucket, region) {
-  const syncResult = resolveStateBucket(cliBucket);
+  return (await resolveStateBucketWithDefaultAndSource(cliBucket, region)).bucket;
+}
+async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
+  const syncResult = resolveStateBucketWithSource(cliBucket);
   if (syncResult)
     return syncResult;
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
-  const { GetCallerIdentityCommand: GetCallerIdentityCommand8 } = await import("@aws-sdk/client-sts");
-  const { S3Client: S3Client10 } = await import("@aws-sdk/client-s3");
+  const { GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
+  const { S3Client: S3Client11 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
-  const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
+  const identity = await awsClients.sts.send(new GetCallerIdentityCommand9({}));
   const accountId = identity.Account;
   const newName = getDefaultStateBucketName(accountId);
   const legacyName = getLegacyStateBucketName(accountId, region);
-  const probe = new S3Client10({ region: "us-east-1" });
+  const probe = new S3Client11({ region: "us-east-1" });
   try {
     if (await bucketExists(probe, newName)) {
-      logger.info(`State bucket: ${newName}`);
-      return newName;
+      logger.debug(`State bucket: ${newName}`);
+      return { bucket: newName, source: "default" };
     }
     if (await bucketExists(probe, legacyName)) {
       logger.warn(
-        `Using legacy state bucket name '${legacyName}'. The default has changed to '${newName}'. Future cdkd versions will drop legacy support; consider migrating with cdkd state migrate-bucket (coming in a future release).`
+        `Using legacy state bucket name '${legacyName}'. The default has changed to '${newName}'. To migrate, run:
+
+    cdkd state migrate-bucket --region ${region}
+
+(add --remove-legacy to delete the legacy bucket after a successful copy; legacy support will be dropped in a future release.)`
       );
-      return legacyName;
+      return { bucket: legacyName, source: "default-legacy" };
     }
     throw new Error(
       `No cdkd state bucket found for account ${accountId}. Looked for '${newName}' (current default) and '${legacyName}' (legacy default). Run 'cdkd bootstrap' to create '${newName}'.`
@@ -1021,9 +1030,9 @@ async function resolveStateBucketWithDefault(cliBucket, region) {
   }
 }
 async function bucketExists(client, bucketName) {
-  const { HeadBucketCommand: HeadBucketCommand3 } = await import("@aws-sdk/client-s3");
+  const { HeadBucketCommand: HeadBucketCommand4 } = await import("@aws-sdk/client-s3");
   try {
-    await client.send(new HeadBucketCommand3({ Bucket: bucketName }));
+    await client.send(new HeadBucketCommand4({ Bucket: bucketName }));
     return true;
   } catch (error) {
     const err = error;
@@ -1067,10 +1076,10 @@ async function bootstrapCommand(options) {
     logger.info(`Using default state bucket: ${bucketName}`);
   }
   try {
-    let bucketExists2 = false;
+    let bucketExists3 = false;
     try {
       await s3Client.send(new HeadBucketCommand({ Bucket: bucketName }));
-      bucketExists2 = true;
+      bucketExists3 = true;
       logger.info(`Bucket ${bucketName} already exists`);
     } catch (error) {
       const err = error;
@@ -1080,7 +1089,7 @@ async function bootstrapCommand(options) {
         throw normalizeAwsError(error, { bucket: bucketName, operation: "HeadBucket" });
       }
     }
-    if (bucketExists2) {
+    if (bucketExists3) {
       if (!options.force) {
         logger.warn(
           `Bucket ${bucketName} already exists. Use --force to reconfigure (this will not delete existing state)`
@@ -3234,9 +3243,9 @@ var AssetPublisher = class {
       const region = options.region || process.env["AWS_REGION"] || "us-east-1";
       let accountId = options.accountId;
       if (!accountId) {
-        const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand8 } = await import("@aws-sdk/client-sts");
+        const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
         const stsClient = new STSClient7({ region });
-        const identity = await stsClient.send(new GetCallerIdentityCommand8({}));
+        const identity = await stsClient.send(new GetCallerIdentityCommand9({}));
         accountId = identity.Account;
         stsClient.destroy();
       }
@@ -28711,11 +28720,11 @@ async function deployCommand(stacks, options) {
         addDependencies(stack.stackName);
       }
     }
-    const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand8 } = await import("@aws-sdk/client-sts");
+    const { STSClient: STSClient7, GetCallerIdentityCommand: GetCallerIdentityCommand9 } = await import("@aws-sdk/client-sts");
     const stsClient = new STSClient7({
       region: options.region || process.env["AWS_REGION"] || "us-east-1"
     });
-    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand8({}));
+    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand9({}));
     const accountId = callerIdentity.Account;
     stsClient.destroy();
     const assetPublisher = new AssetPublisher();
@@ -29546,9 +29555,321 @@ function createForceUnlockCommand() {
 }
 
 // src/cli/commands/state.ts
+import * as readline3 from "node:readline/promises";
+import { Command as Command10, Option as Option5 } from "commander";
+import {
+  GetBucketLocationCommand as GetBucketLocationCommand2,
+  GetObjectCommand as GetObjectCommand4,
+  ListObjectsV2Command as ListObjectsV2Command4
+} from "@aws-sdk/client-s3";
+init_aws_clients();
+
+// src/cli/commands/state-migrate-bucket.ts
 import * as readline2 from "node:readline/promises";
-import { Command as Command9, Option as Option5 } from "commander";
+import { Command as Command9 } from "commander";
+import {
+  CopyObjectCommand,
+  CreateBucketCommand as CreateBucketCommand4,
+  DeleteBucketCommand as DeleteBucketCommand3,
+  DeleteObjectsCommand as DeleteObjectsCommand3,
+  HeadBucketCommand as HeadBucketCommand3,
+  ListObjectVersionsCommand as ListObjectVersionsCommand2,
+  ListObjectsV2Command as ListObjectsV2Command3,
+  PutBucketEncryptionCommand as PutBucketEncryptionCommand3,
+  PutBucketPolicyCommand as PutBucketPolicyCommand3,
+  PutBucketVersioningCommand as PutBucketVersioningCommand3,
+  S3Client as S3Client10
+} from "@aws-sdk/client-s3";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
 init_aws_clients();
+async function stateMigrateBucketCommand(options) {
+  const logger = getLogger();
+  if (options.verbose)
+    logger.setLevel("debug");
+  const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+  const awsClients = new AwsClients({
+    region,
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const identity = await awsClients.sts.send(new GetCallerIdentityCommand8({}));
+    const accountId = identity.Account;
+    if (!accountId) {
+      throw new Error("STS GetCallerIdentity returned no Account id.");
+    }
+    const legacyBucket = options.legacyBucket ?? getLegacyStateBucketName(accountId, region);
+    const newBucket = options.newBucket ?? getDefaultStateBucketName(accountId);
+    if (legacyBucket === newBucket) {
+      logger.warn(
+        `Source and destination resolve to the same bucket (${legacyBucket}); nothing to do.`
+      );
+      return;
+    }
+    logger.info("Migrating state bucket:");
+    logger.info(`  source:      ${legacyBucket} (resolved for --region ${region})`);
+    logger.info(`  destination: ${newBucket}`);
+    const probeRegion = "us-east-1";
+    const probe = new S3Client10({ region: probeRegion });
+    let sourceExists;
+    try {
+      sourceExists = await bucketExists2(probe, legacyBucket);
+    } finally {
+      probe.destroy();
+    }
+    if (!sourceExists) {
+      throw new Error(
+        `Source bucket '${legacyBucket}' does not exist. Nothing to migrate. (Tip: run \`cdkd state info\` to confirm which bucket cdkd is reading from.)`
+      );
+    }
+    const legacyRegion = await resolveBucketRegion(legacyBucket);
+    logger.info(`  source bucket actual region: ${legacyRegion}`);
+    const legacyS3 = new S3Client10({ region: legacyRegion });
+    try {
+      await assertNoActiveLocks(legacyS3, legacyBucket);
+      const sourceObjects = await listAllObjects(legacyS3, legacyBucket);
+      logger.info(`  source object count: ${sourceObjects.length}`);
+      if (sourceObjects.length === 0) {
+        logger.info("Source bucket is empty \u2014 no objects to copy.");
+      }
+      if (!options.yes) {
+        const action = options.removeLegacy ? "and DELETE the source bucket" : "(source bucket will be kept)";
+        const ok = await confirmPrompt(
+          `Copy ${sourceObjects.length} object(s) from ${legacyBucket} -> ${newBucket} ${action}?`
+        );
+        if (!ok) {
+          logger.info("Migration cancelled.");
+          return;
+        }
+      }
+      if (options.dryRun) {
+        logger.info("--dry-run: no changes will be made. Stopping here.");
+        return;
+      }
+      const newS3 = await ensureDestinationBucket(newBucket, legacyRegion, accountId, logger);
+      try {
+        let copied = 0;
+        for (const obj of sourceObjects) {
+          if (!obj.Key)
+            continue;
+          await newS3.send(
+            new CopyObjectCommand({
+              Bucket: newBucket,
+              Key: obj.Key,
+              // CopySource needs encoding for slashes inside the key path.
+              CopySource: encodeURIComponent(`${legacyBucket}/${obj.Key}`)
+            })
+          );
+          copied++;
+          logger.debug(`  copied ${obj.Key}`);
+        }
+        logger.info(`\u2713 Copied ${copied} object(s) to ${newBucket}`);
+        const destObjects = await listAllObjects(newS3, newBucket);
+        if (destObjects.length < sourceObjects.length) {
+          throw new Error(
+            `Migration verification failed: source has ${sourceObjects.length} object(s), destination has ${destObjects.length}. Aborting before any source-bucket cleanup.`
+          );
+        }
+        logger.info("\u2713 Object count verified at destination");
+        if (options.removeLegacy) {
+          logger.info(`Emptying source bucket ${legacyBucket} (all versions + delete markers)...`);
+          await emptyBucketAllVersions(legacyS3, legacyBucket);
+          logger.info(`Deleting source bucket ${legacyBucket}...`);
+          await legacyS3.send(new DeleteBucketCommand3({ Bucket: legacyBucket }));
+          logger.info(`\u2713 Deleted source bucket: ${legacyBucket}`);
+        } else {
+          logger.info(
+            `Source bucket ${legacyBucket} kept. Pass --remove-legacy on a future run to delete it.`
+          );
+        }
+        logger.info(`\u2713 Migration complete: ${legacyBucket} -> ${newBucket}`);
+      } finally {
+        newS3.destroy();
+      }
+    } finally {
+      legacyS3.destroy();
+    }
+  } finally {
+    awsClients.destroy();
+  }
+}
+async function bucketExists2(s3, bucketName) {
+  try {
+    await s3.send(new HeadBucketCommand3({ Bucket: bucketName }));
+    return true;
+  } catch (error) {
+    const err = error;
+    const status = err.$metadata?.httpStatusCode;
+    if (err.name === "NotFound" || err.name === "NoSuchBucket" || status === 404) {
+      return false;
+    }
+    if (status === 301 || status === 403)
+      return true;
+    throw error;
+  }
+}
+async function listAllObjects(s3, bucket) {
+  const all = [];
+  let continuationToken;
+  do {
+    const resp = await s3.send(
+      new ListObjectsV2Command3({
+        Bucket: bucket,
+        ...continuationToken && { ContinuationToken: continuationToken }
+      })
+    );
+    if (resp.Contents)
+      all.push(...resp.Contents);
+    continuationToken = resp.NextContinuationToken;
+  } while (continuationToken);
+  return all;
+}
+async function assertNoActiveLocks(s3, bucket) {
+  const all = await listAllObjects(s3, bucket);
+  const locks = all.map((o) => o.Key).filter((k) => typeof k === "string" && k.endsWith("/lock.json"));
+  if (locks.length > 0) {
+    const sample = locks.slice(0, 3).join(", ");
+    const more = locks.length > 3 ? ` (+${locks.length - 3} more)` : "";
+    throw new Error(
+      `Refusing to migrate: ${locks.length} active lock file(s) found in '${bucket}': ${sample}${more}. Wait for in-flight cdkd operations to complete, or run 'cdkd force-unlock <stack>' if a lock is stale.`
+    );
+  }
+}
+async function ensureDestinationBucket(bucketName, region, accountId, logger) {
+  const probe = new S3Client10({ region });
+  let exists;
+  try {
+    exists = await bucketExists2(probe, bucketName);
+  } finally {
+    probe.destroy();
+  }
+  if (exists) {
+    logger.info(`Destination bucket ${bucketName} already exists; reusing it.`);
+    const actual = await resolveBucketRegion(bucketName);
+    if (actual !== region) {
+      logger.warn(
+        `Destination bucket lives in ${actual}, but source is in ${region}. Cross-region copy is supported but slower; objects will be replicated to ${actual}.`
+      );
+    }
+    return new S3Client10({ region: actual });
+  }
+  logger.info(`Creating destination bucket ${bucketName} in ${region}...`);
+  const s3 = new S3Client10({ region });
+  const createParams = { Bucket: bucketName };
+  if (region !== "us-east-1") {
+    createParams.CreateBucketConfiguration = {
+      LocationConstraint: region
+    };
+  }
+  await s3.send(new CreateBucketCommand4(createParams));
+  logger.info(`\u2713 Created destination bucket: ${bucketName}`);
+  await s3.send(
+    new PutBucketVersioningCommand3({
+      Bucket: bucketName,
+      VersioningConfiguration: { Status: "Enabled" }
+    })
+  );
+  await s3.send(
+    new PutBucketEncryptionCommand3({
+      Bucket: bucketName,
+      ServerSideEncryptionConfiguration: {
+        Rules: [
+          {
+            ApplyServerSideEncryptionByDefault: { SSEAlgorithm: "AES256" },
+            BucketKeyEnabled: true
+          }
+        ]
+      }
+    })
+  );
+  await s3.send(
+    new PutBucketPolicyCommand3({
+      Bucket: bucketName,
+      Policy: JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [
+          {
+            Sid: "DenyExternalAccess",
+            Effect: "Deny",
+            Principal: "*",
+            Action: "s3:*",
+            Resource: [`arn:aws:s3:::${bucketName}`, `arn:aws:s3:::${bucketName}/*`],
+            Condition: { StringNotEquals: { "aws:PrincipalAccount": accountId } }
+          }
+        ]
+      })
+    })
+  );
+  logger.info("\u2713 Applied versioning, encryption, and account-only access policy");
+  return s3;
+}
+async function emptyBucketAllVersions(s3, bucket) {
+  let keyMarker;
+  let versionIdMarker;
+  do {
+    const resp = await s3.send(
+      new ListObjectVersionsCommand2({
+        Bucket: bucket,
+        ...keyMarker && { KeyMarker: keyMarker },
+        ...versionIdMarker && { VersionIdMarker: versionIdMarker }
+      })
+    );
+    const ids = [];
+    for (const v of resp.Versions ?? []) {
+      if (v.Key && v.VersionId)
+        ids.push({ Key: v.Key, VersionId: v.VersionId });
+    }
+    for (const dm of resp.DeleteMarkers ?? []) {
+      if (dm.Key && dm.VersionId)
+        ids.push({ Key: dm.Key, VersionId: dm.VersionId });
+    }
+    for (let i = 0; i < ids.length; i += 1e3) {
+      const batch = ids.slice(i, i + 1e3);
+      await s3.send(
+        new DeleteObjectsCommand3({
+          Bucket: bucket,
+          Delete: {
+            Objects: batch,
+            Quiet: true
+          }
+        })
+      );
+    }
+    keyMarker = resp.NextKeyMarker;
+    versionIdMarker = resp.NextVersionIdMarker;
+  } while (keyMarker || versionIdMarker);
+}
+async function confirmPrompt(prompt) {
+  const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+function createStateMigrateBucketCommand() {
+  const cmd = new Command9("migrate-bucket").description(
+    "Migrate state from the legacy region-suffixed bucket (cdkd-state-{account}-{region}) to the new region-free default (cdkd-state-{account}). Source bucket is kept by default; pass --remove-legacy to delete it after a successful migration."
+  ).option(
+    "--region <region>",
+    "Region of the legacy bucket to migrate. Defaults to AWS_REGION or us-east-1. Run once per region for multi-region setups."
+  ).option(
+    "--legacy-bucket <name>",
+    "Override the legacy (source) bucket name (default: derived from STS account + --region)."
+  ).option(
+    "--new-bucket <name>",
+    "Override the new (destination) bucket name (default: cdkd-state-{accountId})."
+  ).option("--dry-run", "Show planned actions without making changes", false).option(
+    "--remove-legacy",
+    "Delete the source bucket after successful migration. Default: keep it.",
+    false
+  ).action(withErrorHandling(stateMigrateBucketCommand));
+  commonOptions.forEach((o) => cmd.addOption(o));
+  return cmd;
+}
+
+// src/cli/commands/state.ts
 function formatStackRef(ref) {
   return ref.region ? `${ref.stackName} (${ref.region})` : ref.stackName;
 }
@@ -29686,7 +30007,7 @@ async function stateListCommand(options) {
   }
 }
 function createStateListCommand() {
-  const cmd = new Command9("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
+  const cmd = new Command10("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -29790,7 +30111,7 @@ function formatLockSummary(lockInfo) {
   return `locked by ${lockInfo.owner}${opStr}, ${expiresStr}`;
 }
 function createStateResourcesCommand() {
-  const cmd = new Command9("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateResourcesCommand));
+  const cmd = new Command10("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateResourcesCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -29878,7 +30199,7 @@ async function stateShowCommand(stackName, options) {
   }
 }
 function createStateShowCommand() {
-  const cmd = new Command9("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateShowCommand));
+  const cmd = new Command10("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateShowCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -29926,7 +30247,7 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
 
 `
         );
-        const rl = readline2.createInterface({
+        const rl = readline3.createInterface({
           input: process.stdin,
           output: process.stdout
         });
@@ -29961,7 +30282,7 @@ function stackRegionOption() {
   );
 }
 function createStateRmCommand() {
-  const cmd = new Command9("rm").description("Remove cdkd state for one or more stacks (does NOT delete AWS resources)").argument("<stacks...>", "Stack name(s) to remove from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption()).action(withErrorHandling(stateRmCommand));
+  const cmd = new Command10("rm").description("Remove cdkd state for one or more stacks (does NOT delete AWS resources)").argument("<stacks...>", "Stack name(s) to remove from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption()).action(withErrorHandling(stateRmCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -30011,7 +30332,7 @@ WARNING: This destroys ${stackNames.length} stack(s) and removes their state rec
 `);
       }
       process.stdout.write("\n");
-      const rl = readline2.createInterface({
+      const rl = readline3.createInterface({
         input: process.stdin,
         output: process.stdout
       });
@@ -30086,7 +30407,7 @@ Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
   }
 }
 function createStateDestroyCommand() {
-  const cmd = new Command9("destroy").description(
+  const cmd = new Command10("destroy").description(
     "Destroy a stack's AWS resources and remove its state record without requiring the CDK app. For removing only the state record (keeping AWS resources intact), use 'cdkd state rm'."
   ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).addOption(stackRegionOption()).addHelpText(
     "after",
@@ -30106,13 +30427,133 @@ function createStateDestroyCommand() {
   cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
+function formatBucketSource(source) {
+  switch (source) {
+    case "cli-flag":
+      return "--state-bucket flag";
+    case "env":
+      return "CDKD_STATE_BUCKET env";
+    case "cdk.json":
+      return "cdk.json (context.cdkd.stateBucket)";
+    case "default":
+      return "default (account ID from STS)";
+    case "default-legacy":
+      return "default (legacy region-suffixed name; cdkd state migrate-bucket recommended)";
+  }
+}
+async function detectBucketRegion(awsClients, bucket) {
+  try {
+    const resp = await awsClients.s3.send(new GetBucketLocationCommand2({ Bucket: bucket }));
+    const constraint = resp.LocationConstraint;
+    if (!constraint)
+      return "us-east-1";
+    if (constraint === "EU")
+      return "eu-west-1";
+    return constraint;
+  } catch {
+    return void 0;
+  }
+}
+async function listStateFileKeys(awsClients, bucket, prefix) {
+  const keys = [];
+  let continuationToken;
+  const searchPrefix = `${prefix}/`;
+  do {
+    const resp = await awsClients.s3.send(
+      new ListObjectsV2Command4({
+        Bucket: bucket,
+        Prefix: searchPrefix,
+        ...continuationToken && { ContinuationToken: continuationToken }
+      })
+    );
+    for (const obj of resp.Contents ?? []) {
+      const key = obj.Key;
+      if (typeof key === "string" && key.endsWith("/state.json")) {
+        keys.push(key);
+      }
+    }
+    continuationToken = resp.NextContinuationToken;
+  } while (continuationToken);
+  return keys;
+}
+async function readSchemaVersion(awsClients, bucket, keys) {
+  if (keys.length === 0)
+    return "unknown";
+  try {
+    const resp = await awsClients.s3.send(new GetObjectCommand4({ Bucket: bucket, Key: keys[0] }));
+    if (!resp.Body)
+      return "unknown";
+    const body = await resp.Body.transformToString();
+    const parsed = JSON.parse(body);
+    return typeof parsed.version === "number" ? parsed.version : "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+async function stateInfoCommand(options) {
+  const logger = getLogger();
+  if (options.verbose)
+    logger.setLevel("debug");
+  const awsClients = new AwsClients({
+    ...options.region && { region: options.region },
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+    const resolved = await resolveStateBucketWithDefaultAndSource(options.stateBucket, region);
+    const bucket = resolved.bucket;
+    const prefix = options.statePrefix;
+    const stateBackend = new S3StateBackend(awsClients.s3, { bucket, prefix });
+    await stateBackend.verifyBucketExists();
+    const detectedRegion = await detectBucketRegion(awsClients, bucket);
+    const stateFileKeys = await listStateFileKeys(awsClients, bucket, prefix);
+    const schemaVersion = await readSchemaVersion(awsClients, bucket, stateFileKeys);
+    if (options.json) {
+      const json = {
+        bucket,
+        region: detectedRegion ?? null,
+        regionSource: detectedRegion ? "auto-detected" : "unknown",
+        bucketSource: resolved.source,
+        schemaVersion,
+        stackCount: stateFileKeys.length
+      };
+      process.stdout.write(`${JSON.stringify(json, null, 2)}
+`);
+      return;
+    }
+    const lines = [];
+    lines.push(`State bucket:    ${bucket}`);
+    if (detectedRegion) {
+      lines.push(`Region:          ${detectedRegion} (auto-detected via GetBucketLocation)`);
+    } else {
+      lines.push("Region:          unknown (GetBucketLocation failed or denied)");
+    }
+    lines.push(`Source:          ${formatBucketSource(resolved.source)}`);
+    lines.push(`Schema version:  ${schemaVersion}`);
+    lines.push(`Stacks:          ${stateFileKeys.length}`);
+    process.stdout.write(`${lines.join("\n")}
+`);
+  } finally {
+    awsClients.destroy();
+  }
+}
+function createStateInfoCommand() {
+  const cmd = new Command10("info").description(
+    "Show cdkd state bucket info (bucket name, region, source, schema version, stack count)"
+  ).option("--json", "Output as JSON", false).action(withErrorHandling(stateInfoCommand));
+  [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  return cmd;
+}
 function createStateCommand() {
-  const cmd = new Command9("state").description("Manage cdkd state stored in S3");
+  const cmd = new Command10("state").description("Manage cdkd state stored in S3");
+  cmd.addCommand(createStateInfoCommand());
   cmd.addCommand(createStateListCommand());
   cmd.addCommand(createStateResourcesCommand());
   cmd.addCommand(createStateShowCommand());
   cmd.addCommand(createStateRmCommand());
   cmd.addCommand(createStateDestroyCommand());
+  cmd.addCommand(createStateMigrateBucketCommand());
   return cmd;
 }
 
@@ -30140,8 +30581,8 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command10();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.12.0");
+  const program = new Command11();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.14.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());