@go-to-k/cdkd 0.120.0 → 0.122.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { $ as RouteDiscoveryError, A as runDockerStreaming, B as AssemblyReader, C as AssetPublisher, D as formatDockerLoginError, E as buildDockerImage, F as resolveCaptureObservedState, H as resolveBucketRegion, I as resolveSkipPrefix, L as resolveStateBucketWithDefault, M as getDefaultStateBucketName, N as getLegacyStateBucketName, O as getDockerCmd, P as resolveApp, Q as ResourceUpdateNotSupportedError, R as resolveStateBucketWithDefaultAndSource, S as shouldRetainResource, T as WorkGraph, W as CdkdError, X as ProvisioningError, Y as PartialFailureError, Z as ResourceTimeoutError, _ as DiffCalculator, _t as withSkipPrefix, a as withRetry, b as LockManager, c as collectInlinePolicyNamesManagedBySiblings, d as normalizeAwsTagsToCfn, dt as runStackBuffered, et as StackHasActiveImportsError, f as resolveExplicitPhysicalId, ft as getLiveRenderer, g as IntrinsicFunctionResolver, gt as generateResourceNameWithFallback, h as assertRegionMatch, ht as generateResourceName, i as withResourceDeadline, j as Synthesizer, k as runDockerForeground, l as CDK_PATH_TAG, lt as getLogger, m as CloudControlProvider, mt as PATTERN_B_RESOURCE_TYPES, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, ot as normalizeAwsError, p as ProviderRegistry, pt as PATTERN_B_NAME_PROPERTIES, q as LocalInvokeBuildError, r as DeployEngine, s as IAMRoleProvider, st as withErrorHandling, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as StackTerminationProtectionError, u as matchesCdkPath, v as DagBuilder, vt as withStackName, w as stringifyValue, x as S3StateBackend, y as TemplateParser, z as warnDeprecatedNoPrefixCliFlag } from "./deploy-engine-Chzg_hDE.js";
+import { $ as LocalInvokeBuildError, A as stringifyValue, B as resolveApp, C as DiffCalculator, Ct as withSkipPrefix, D as S3StateBackend, E as LockManager, F as runDockerForeground, G as warnDeprecatedNoPrefixCliFlag, H as resolveSkipPrefix, I as runDockerStreaming, J as resolveBucketRegion, K as AssemblyReader, L as Synthesizer, M as buildDockerImage, N as formatDockerLoginError, O as shouldRetainResource, P as getDockerCmd, R as getDefaultStateBucketName, S as IntrinsicFunctionResolver, St as generateResourceNameWithFallback, T as TemplateParser, U as resolveStateBucketWithDefault, V as resolveCaptureObservedState, W as resolveStateBucketWithDefaultAndSource, X as CdkdError, _ as normalizeAwsTagsToCfn, _t as runStackBuffered, a as withRetry, at as RouteDiscoveryError, b as CloudControlProvider, bt as PATTERN_B_RESOURCE_TYPES, c as cyan, d as red, f as yellow, ft as normalizeAwsError, g as matchesCdkPath, h as CDK_PATH_TAG, ht as getLogger, i as withResourceDeadline, it as ResourceUpdateNotSupportedError, j as WorkGraph, k as AssetPublisher, l as gray, m as collectInlinePolicyNamesManagedBySiblings, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as ProvisioningError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as StackHasActiveImportsError, p as IAMRoleProvider, pt as withErrorHandling, r as DeployEngine, rt as ResourceTimeoutError, s as bold, st as StackTerminationProtectionError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as PartialFailureError, u as green, v as resolveExplicitPhysicalId, vt as getLiveRenderer, w as DagBuilder, wt as withStackName, x as assertRegionMatch, xt as generateResourceName, y as ProviderRegistry, yt as PATTERN_B_NAME_PROPERTIES, z as getLegacyStateBucketName } from "./deploy-engine-B2RZT3ai.js";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -696,7 +696,7 @@ async function synthCommand(options) {
 		const template = stacks[0].template;
 		process.stdout.write(toYaml(template));
 	}
-	logger.info(`\n✅ Synthesis complete! Found ${stacks.length} stack(s):`);
+	logger.info(`\n${green("✓")} ${bold("Synthesis complete!")} Found ${stacks.length} stack(s):`);
 	for (const stack of stacks) {
 		const resourceCount = countDeployableResources(stack.template);
 		const outputCount = Object.keys(stack.template.Outputs ?? {}).length;
@@ -30909,7 +30909,7 @@ async function deployCommand(stacks, options) {
 	};
 	process.on("SIGINT", topLevelSigintHandler);
 	try {
-		logger.info("Synthesizing CDK app...");
+		logger.info(cyan("Synthesizing CDK app..."));
 		const synthesizer = new Synthesizer();
 		const context = parseContextOptions(options.context);
 		const { stacks: allStacks } = await synthesizer.synthesize({
@@ -30995,7 +30995,7 @@ async function deployCommand(stacks, options) {
 		};
 		const runStackInner = async (stackInfo) => {
 			const stackRegion = stackInfo.region || baseRegion;
-			logger.info(`\nDeploying stack: ${stackInfo.stackName}${stackRegion !== baseRegion ? ` (region: ${stackRegion})` : ""}`);
+			logger.info(`\n${cyan("Deploying stack:")} ${bold(cyan(stackInfo.stackName))}${stackRegion !== baseRegion ? gray(` (region: ${stackRegion})`) : ""}`);
 			switchRegion(stackRegion);
 			const stackAwsClients = new AwsClients({
 				region: stackRegion,
@@ -31032,19 +31032,19 @@ async function deployCommand(stacks, options) {
 					...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
 					...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
 				}, stackRegion, exportIndexStore).deploy(stackInfo.stackName, stackInfo.template);
-				logger.info("\nDeployment Summary:");
-				logger.info(`  Stack: ${deployResult.stackName}`);
-				logger.info(`  Created: ${deployResult.created}`);
-				logger.info(`  Updated: ${deployResult.updated}`);
-				logger.info(`  Deleted: ${deployResult.deleted}`);
-				logger.info(`  Unchanged: ${deployResult.unchanged}`);
-				logger.info(`  Duration: ${(deployResult.durationMs / 1e3).toFixed(2)}s`);
+				logger.info(`\n${bold("Deployment Summary:")}`);
+				logger.info(`  Stack: ${bold(cyan(deployResult.stackName))}`);
+				logger.info(`  Created: ${deployResult.created > 0 ? green(deployResult.created) : gray(deployResult.created)}`);
+				logger.info(`  Updated: ${deployResult.updated > 0 ? yellow(deployResult.updated) : gray(deployResult.updated)}`);
+				logger.info(`  Deleted: ${deployResult.deleted > 0 ? red(deployResult.deleted) : gray(deployResult.deleted)}`);
+				logger.info(`  Unchanged: ${gray(deployResult.unchanged)}`);
+				logger.info(`  Duration: ${cyan((deployResult.durationMs / 1e3).toFixed(2) + "s")}`);
 				if (deployResult.outputs && Object.keys(deployResult.outputs).length > 0) {
 					logger.info("\nOutputs:");
 					for (const [key, value] of Object.entries(deployResult.outputs)) logger.info(`  ${deployResult.stackName}.${key} = ${String(value)}`);
 				}
-				if (options.dryRun) logger.info("\n✓ Dry run completed - no actual changes made");
-				else logger.info("\n✓ Deployment completed successfully");
+				if (options.dryRun) logger.info(`\n${green("✓")} ${bold("Dry run completed")} - no actual changes made`);
+				else logger.info(`\n${green("✓")} ${bold("Deployment completed successfully")}`);
 			} finally {
 				stackAwsClients.destroy();
 				stateS3Client.destroy();
@@ -32239,7 +32239,7 @@ async function runDestroyForStack(stackName, state, ctx) {
 	if (resourceCount === 0) {
 		logger.info(`Stack ${stackName} has no resources, cleaning up state...`);
 		await ctx.stateBackend.deleteState(stackName, regionForState);
-		logger.info("✓ State deleted");
+		logger.info(`${green("✓")} State deleted`);
 		result.skippedEmpty = true;
 		return result;
 	}
@@ -32399,7 +32399,7 @@ async function runDestroyForStack(stackName, state, ctx) {
 						onTimeout: (elapsedMs) => new ResourceTimeoutError(logicalId, resource.resourceType, stackRegion, elapsedMs, "DELETE", timeoutMs)
 					});
 					renderer.removeTask(logicalId);
-					logger.info(`  ✅ ${logicalId} (${resource.resourceType}) deleted`);
+					logger.info(`  ${red("✗")} ${bold(logicalId)} ${gray(`(${resource.resourceType})`)} ${red("deleted")}`);
 					result.deletedCount++;
 				} catch (error) {
 					renderer.removeTask(logicalId);
@@ -32427,8 +32427,8 @@ async function runDestroyForStack(stackName, state, ctx) {
 			if (ctx.exportIndexStore) await ctx.exportIndexStore.removeStack(stackName, regionForState);
 		} else logger.warn(`${result.errorCount} resource(s) failed to delete. State preserved.`);
 		const retainedSuffix = result.retainedCount > 0 ? `, ${result.retainedCount} retained` : "";
-		if (result.errorCount === 0) logger.info(`\n✓ Stack ${stackName} destroyed (${result.deletedCount} deleted${retainedSuffix}, ${result.errorCount} errors)`);
-		else logger.warn(`\n⚠ Stack ${stackName} partially destroyed (${result.deletedCount} deleted${retainedSuffix}, ${result.errorCount} errors). State preserved — re-run 'cdkd destroy' / 'cdkd state destroy' to clean up.`);
+		if (result.errorCount === 0) logger.info(`\n${green("✓")} ${bold(`Stack ${stackName} destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${result.errorCount} errors)`);
+		else logger.warn(`\n${yellow("⚠")} ${bold(`Stack ${stackName} partially destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${red(result.errorCount)} errors). State preserved — re-run 'cdkd destroy' / 'cdkd state destroy' to clean up.`);
 	} finally {
 		renderer.stop();
 		logger.debug("Releasing lock...");
@@ -33466,7 +33466,7 @@ async function publishAssetsCommand(stacks, options) {
 		logger.info(`  ${tag} ${id} — ${detail}`);
 	}
 	if (failed.length > 0) throw new PartialFailureError(`Asset publishing completed with ${failed.length} stack failure(s) (${totalAssets} asset(s) published successfully across the rest).`);
-	logger.info(`\n✅ Asset publishing complete (${totalAssets} asset(s))`);
+	logger.info(`\n${green("✓")} ${bold("Asset publishing complete")} (${totalAssets} asset(s))`);
 }
 /**
 * Create publish-assets command.
@@ -35768,6 +35768,119 @@ async function loadStateForStack(stackName, synthRegion, opts) {
 		resetAwsClients();
 	}
 }
+/**
+* Build a {@link CrossStackResolver} that walks cdkd's S3 state to look
+* up `Fn::ImportValue` / `Fn::GetStackOutput` references the same way
+* `cdkd deploy`'s `IntrinsicFunctionResolver` does. Returns `undefined`
+* when the state bucket cannot be resolved (warn + fall back; matches
+* `loadStateForStack`'s policy).
+*
+* The returned `dispose` closes the AWS clients owned by the resolver
+* when the caller is done — callers MUST call it (typically in a
+* `try / finally`) so the per-request S3 client isn't leaked across the
+* CLI's lifetime.
+*
+* Why a separate AwsClients instance from `loadStateForStack`: the
+* existing helper destroys its clients in a `finally` immediately after
+* loading the consumer stack's state. The cross-stack resolver lives
+* longer — every env-var that references a cross-stack output triggers a
+* new state read. Owning a fresh `AwsClients` here gives the resolver
+* an independent lifetime managed by the caller.
+*
+* Same-account / same-region only in v1 (the resolver's `producerRegion`
+* arg is honored, but only for state lookups within the same cdkd state
+* bucket). Cross-region `Fn::ImportValue` is tracked under #451;
+* cross-account `Fn::GetStackOutput.RoleArn` is tracked under #449.
+*/
+async function buildCrossStackResolver(consumerRegion, opts) {
+	const logger = getLogger();
+	const prefix = opts.logPrefix ?? "--from-state";
+	let stateBucket;
+	try {
+		stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, consumerRegion);
+	} catch (err) {
+		logger.warn(`${prefix}: cross-stack resolver could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Fn::ImportValue / Fn::GetStackOutput env entries will warn-and-drop.`);
+		return;
+	}
+	const awsClients = new AwsClients({
+		...opts.region !== void 0 && { region: opts.region },
+		...opts.profile !== void 0 && { profile: opts.profile }
+	});
+	const stateConfig = {
+		bucket: stateBucket,
+		prefix: opts.statePrefix
+	};
+	const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+		...opts.region !== void 0 && { region: opts.region },
+		...opts.profile !== void 0 && { profile: opts.profile }
+	});
+	try {
+		await stateBackend.verifyBucketExists();
+	} catch (err) {
+		awsClients.destroy();
+		logger.warn(`${prefix}: cross-stack resolver could not access state bucket '${stateBucket}': ${err instanceof Error ? err.message : String(err)}. Fn::ImportValue / Fn::GetStackOutput env entries will warn-and-drop.`);
+		return;
+	}
+	const exportIndex = new ExportIndexStore(awsClients.s3, stateBucket, opts.statePrefix, consumerRegion, stateBackend);
+	return {
+		resolver: {
+			async resolveImport(exportName) {
+				try {
+					const entry = await exportIndex.lookup(exportName);
+					if (entry) {
+						const value = entry.value;
+						if (typeof value === "string") return value;
+						if (typeof value === "number" || typeof value === "boolean") return String(value);
+						return JSON.stringify(value);
+					}
+				} catch (err) {
+					logger.debug(`${prefix}: exports index lookup failed for '${exportName}': ${err instanceof Error ? err.message : String(err)}; falling back to per-stack state scan`);
+				}
+				let refs;
+				try {
+					refs = await stateBackend.listStacks();
+				} catch (err) {
+					logger.debug(`${prefix}: failed to list stacks during Fn::ImportValue fallback for '${exportName}': ${err instanceof Error ? err.message : String(err)}`);
+					return;
+				}
+				for (const ref of refs) {
+					const region = ref.region ?? consumerRegion;
+					if (region !== consumerRegion) continue;
+					try {
+						const got = await stateBackend.getState(ref.stackName, region);
+						if (!got || !got.state.outputs) continue;
+						if (exportName in got.state.outputs) {
+							const value = got.state.outputs[exportName];
+							if (typeof value === "string") return value;
+							if (typeof value === "number" || typeof value === "boolean") return String(value);
+							return JSON.stringify(value);
+						}
+					} catch (err) {
+						logger.debug(`${prefix}: state read failed for ${ref.stackName} (${region}) during Fn::ImportValue fallback: ${err instanceof Error ? err.message : String(err)}`);
+						continue;
+					}
+				}
+			},
+			async resolveGetStackOutput(producerStack, producerRegion, outputName) {
+				try {
+					const got = await stateBackend.getState(producerStack, producerRegion);
+					if (!got || !got.state.outputs) return void 0;
+					if (!(outputName in got.state.outputs)) return void 0;
+					const value = got.state.outputs[outputName];
+					if (typeof value === "string") return value;
+					if (typeof value === "number" || typeof value === "boolean") return String(value);
+					return JSON.stringify(value);
+				} catch (err) {
+					logger.debug(`${prefix}: state read failed for Fn::GetStackOutput '${producerStack}.${outputName}' (${producerRegion}): ${err instanceof Error ? err.message : String(err)}`);
+					return;
+				}
+			}
+		},
+		dispose: () => {
+			awsClients.destroy();
+		}
+	};
+}
 
 //#endregion
 //#region src/local/intrinsic-image.ts
@@ -36733,6 +36846,159 @@ function resolveJoin(arg, context) {
 	};
 }
 /**
+* Async sibling of {@link substituteAgainstState}. Same semantics for every
+* intrinsic the sync path supports; additionally consults the
+* `crossStackResolver` (when supplied on the context) for `Fn::ImportValue`
+* and `Fn::GetStackOutput`.
+*
+* Callers that don't need cross-stack support should keep using the sync
+* helper. Code paths that wire `--from-state` env / secret substitution
+* (e.g. `cdkd local invoke --from-state`, `cdkd local run-task --from-state`)
+* route through this async version so a single env-var referencing a
+* cross-stack output is no longer warn-and-dropped.
+*/
+async function substituteAgainstStateAsync(value, contextOrResources) {
+	const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
+	if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") return {
+		kind: "literal",
+		value
+	};
+	if (value === null || typeof value !== "object") return {
+		kind: "unresolved",
+		reason: `unsupported value type: ${value === null ? "null" : typeof value}`
+	};
+	const obj = value;
+	const keys = Object.keys(obj);
+	if (keys.length !== 1) return {
+		kind: "unresolved",
+		reason: `expected an intrinsic with one key, got ${keys.length} keys`
+	};
+	const intrinsic = keys[0];
+	const arg = obj[intrinsic];
+	if (intrinsic === "Ref" || intrinsic === "Fn::GetAtt" || intrinsic === "Fn::Sub" || intrinsic === "Fn::Join") return substituteAgainstState(value, context);
+	if (intrinsic === "Fn::ImportValue") return resolveImportValueAsync(arg, context);
+	if (intrinsic === "Fn::GetStackOutput") return resolveGetStackOutputAsync(arg, context);
+	return {
+		kind: "unresolved",
+		reason: `unsupported intrinsic '${intrinsic}' (supported: Ref, Fn::GetAtt, Fn::Sub, Fn::Join, Fn::ImportValue, Fn::GetStackOutput)`
+	};
+}
+/**
+* `Fn::ImportValue: <exportName>` — the argument may itself be an
+* intrinsic that resolves to a string (e.g.
+* `{Fn::ImportValue: {Fn::Sub: 'MyStack-${AWS::Region}-Bucket'}}` — the
+* inner `Fn::Sub` is resolved against `pseudoParameters` first, then the
+* resulting string is looked up via the cross-stack resolver).
+*/
+async function resolveImportValueAsync(arg, context) {
+	const inner = substituteAgainstState(arg, context);
+	if (inner.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue argument: ${inner.reason}`
+	};
+	if (typeof inner.value !== "string" || inner.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue argument must resolve to a non-empty string, got ${typeof inner.value}`
+	};
+	const exportName = inner.value;
+	if (!context.crossStackResolver) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue '${exportName}': no cross-stack resolver supplied (pass --from-state and ensure the producer stack was deployed via cdkd deploy)`
+	};
+	let resolved;
+	try {
+		resolved = await context.crossStackResolver.resolveImport(exportName);
+	} catch (err) {
+		return {
+			kind: "unresolved",
+			reason: `Fn::ImportValue '${exportName}': lookup failed: ${err instanceof Error ? err.message : String(err)}`
+		};
+	}
+	if (resolved === void 0) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue '${exportName}': export not found in any cdkd-managed stack in this region`
+	};
+	return {
+		kind: "literal",
+		value: resolved
+	};
+}
+/**
+* `Fn::GetStackOutput: { StackName, OutputName, Region? }`. Same shape as
+* the deploy-engine resolver. `RoleArn` (cross-account) is intentionally
+* NOT supported in this path — the user-visible error message points at
+* the followup issue tracking it.
+*/
+async function resolveGetStackOutputAsync(arg, context) {
+	if (!arg || typeof arg !== "object" || Array.isArray(arg)) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput argument must be an object with StackName / OutputName / Region, got ${arg === null ? "null" : Array.isArray(arg) ? "array" : typeof arg}`
+	};
+	const args = arg;
+	const stackNameSub = substituteAgainstState(args["StackName"], context);
+	if (stackNameSub.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.StackName: ${stackNameSub.reason}`
+	};
+	if (typeof stackNameSub.value !== "string" || stackNameSub.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.StackName must resolve to a non-empty string, got ${typeof stackNameSub.value}`
+	};
+	const stackName = stackNameSub.value;
+	const outputNameSub = substituteAgainstState(args["OutputName"], context);
+	if (outputNameSub.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.OutputName: ${outputNameSub.reason}`
+	};
+	if (typeof outputNameSub.value !== "string" || outputNameSub.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.OutputName must resolve to a non-empty string, got ${typeof outputNameSub.value}`
+	};
+	const outputName = outputNameSub.value;
+	let region;
+	if (args["Region"] !== void 0 && args["Region"] !== null) {
+		const regionSub = substituteAgainstState(args["Region"], context);
+		if (regionSub.kind !== "literal") return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput.Region: ${regionSub.reason}`
+		};
+		if (typeof regionSub.value !== "string" || regionSub.value.length === 0) return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput.Region must resolve to a non-empty string, got ${typeof regionSub.value}`
+		};
+		region = regionSub.value;
+	} else region = context.consumerRegion ?? context.pseudoParameters?.region;
+	if (!region) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': no Region supplied and consumer region is unknown (set --region, AWS_REGION, or env.region on the CDK stack)`
+	};
+	if (args["RoleArn"] !== void 0 && args["RoleArn"] !== null) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': RoleArn (cross-account) is not yet supported by --from-state — tracked under issue #449`
+	};
+	if (!context.crossStackResolver) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': no cross-stack resolver supplied (pass --from-state and ensure the producer stack was deployed via cdkd deploy)`
+	};
+	let resolved;
+	try {
+		resolved = await context.crossStackResolver.resolveGetStackOutput(stackName, region, outputName);
+	} catch (err) {
+		return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput '${stackName}.${outputName}' (${region}): lookup failed: ${err instanceof Error ? err.message : String(err)}`
+		};
+	}
+	if (resolved === void 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}' (${region}): output not found in producer stack state`
+	};
+	return {
+		kind: "literal",
+		value: resolved
+	};
+}
+/**
 * Build a pre-substituted env map from the template entry by feeding each
 * intrinsic value through `substituteAgainstState`. Literal entries pass
 * through untouched (the env-resolver handles them).
@@ -36773,6 +37039,50 @@ function substituteEnvVarsFromState(templateEnv, contextOrResources) {
 		audit
 	};
 }
+/**
+* Async sibling of {@link substituteEnvVarsFromState}. Routes every
+* intrinsic-valued entry through {@link substituteAgainstStateAsync} so
+* `Fn::ImportValue` / `Fn::GetStackOutput` resolve via the context's
+* `crossStackResolver` (when supplied). Mirrors the sync version in every
+* other respect: literal entries pass through unchanged, unresolved
+* entries are dropped with a per-key audit reason, and the env-resolver
+* sees the same "no template value" shape so the warn-and-drop path
+* fires consistently.
+*
+* Closes issue #454 — `cdkd local invoke --from-state` and
+* `cdkd local run-task --from-state` can now resolve cross-stack output
+* references in env vars / secrets instead of warn-and-dropping them.
+*/
+async function substituteEnvVarsFromStateAsync(templateEnv, contextOrResources) {
+	const env = {};
+	const audit = {
+		resolvedKeys: [],
+		unresolved: []
+	};
+	if (!templateEnv) return {
+		env,
+		audit
+	};
+	const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
+	for (const [key, value] of Object.entries(templateEnv)) {
+		if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+			env[key] = value;
+			continue;
+		}
+		const result = await substituteAgainstStateAsync(value, context);
+		if (result.kind === "literal") {
+			env[key] = result.value;
+			audit.resolvedKeys.push(key);
+		} else audit.unresolved.push({
+			key,
+			reason: result.reason
+		});
+	}
+	return {
+		env,
+		audit
+	};
+}
 
 //#endregion
 //#region src/local/ecs-task-resolver.ts
@@ -36816,6 +37126,7 @@ function detectEcsImageResolutionNeeds(stack) {
 	let needsPseudoParameters = false;
 	let needsStateResources = false;
 	let needsEnvOrSecretSubstitution = false;
+	let needsCrossStackResolver = false;
 	for (const res of Object.values(resources)) {
 		if (res.Type !== "AWS::ECS::TaskDefinition") continue;
 		const props = res.Properties ?? {};
@@ -36828,6 +37139,10 @@ function detectEcsImageResolutionNeeds(stack) {
 			if (need.pseudo) needsPseudoParameters = true;
 			if (need.state) needsStateResources = true;
 			if (containerHasIntrinsicEnvOrSecret(co)) needsEnvOrSecretSubstitution = true;
+			if (containerHasCrossStackEnvOrSecret(co)) {
+				needsEnvOrSecretSubstitution = true;
+				needsCrossStackResolver = true;
+			}
 		}
 		const rawVolumes = props["Volumes"];
 		if (Array.isArray(rawVolumes)) {
@@ -36841,10 +37156,37 @@ function detectEcsImageResolutionNeeds(stack) {
 	return {
 		needsPseudoParameters,
 		needsStateResources,
-		needsEnvOrSecretSubstitution
+		needsEnvOrSecretSubstitution,
+		needsCrossStackResolver
 	};
 }
 /**
+* Returns true when any `Environment[].Value` or `Secrets[].ValueFrom`
+* is a top-level `Fn::ImportValue` / `Fn::GetStackOutput` intrinsic.
+* Issue #454 — gates cross-stack resolver construction so literal +
+* same-stack-intrinsic env / secret maps don't pay the extra cost.
+*/
+function containerHasCrossStackEnvOrSecret(c) {
+	const env = c["Environment"];
+	if (Array.isArray(env)) for (const entry of env) {
+		if (!entry || typeof entry !== "object") continue;
+		const v = entry["Value"];
+		if (isCrossStackIntrinsic(v)) return true;
+	}
+	const secrets = c["Secrets"];
+	if (Array.isArray(secrets)) for (const entry of secrets) {
+		if (!entry || typeof entry !== "object") continue;
+		const v = entry["ValueFrom"];
+		if (isCrossStackIntrinsic(v)) return true;
+	}
+	return false;
+}
+function isCrossStackIntrinsic(value) {
+	if (!value || typeof value !== "object") return false;
+	const obj = value;
+	return "Fn::ImportValue" in obj || "Fn::GetStackOutput" in obj;
+}
+/**
 * Detect whether a Volume entry has an intrinsic-valued `Host.SourcePath`.
 * Used by `detectEcsImageResolutionNeeds` (Gap 6 of #286) to trigger
 * state-load + pseudo-parameter resolution under `--from-state` when the
@@ -37589,6 +37931,87 @@ function checkVolumeHostPath(hostPath) {
 		return false;
 	}
 }
+/**
+* Async post-pass that walks the resolved task's container Environment +
+* Secrets entries from the raw template (preserved in `task.resource`)
+* and re-attempts substitution via {@link substituteAgainstStateAsync}
+* against the supplied context. The sync `parseContainerDefinition`
+* pass already substituted everything the legacy resolver handles; this
+* pass picks up the additional shapes the async resolver supports —
+* specifically `Fn::ImportValue` / `Fn::GetStackOutput` (issue #454).
+*
+* Resolved entries are patched onto the container's `environment` /
+* `secrets` map AND the corresponding `warnings` entries are filtered
+* out so the CLI doesn't print a stale per-container warn for an entry
+* the post-pass successfully resolved. Entries that STILL can't resolve
+* (e.g. producer stack not deployed) keep their original warning so the
+* CLI's UX matches the sync path.
+*
+* Pure-functional on the task structure outside of in-place mutation of
+* the container's `environment` / `secrets` / `warnings` arrays. The
+* task is expected to be the same `ResolvedEcsTask` instance returned
+* by `resolveEcsTaskTarget` — the runner downstream reads from these
+* fields directly.
+*/
+async function applyCrossStackResolverToTask(task, context) {
+	if (!context.crossStackResolver) return;
+	const rawContainers = (task.resource.Properties ?? {})["ContainerDefinitions"];
+	if (!Array.isArray(rawContainers)) return;
+	for (let idx = 0; idx < task.containers.length; idx += 1) {
+		const container = task.containers[idx];
+		const raw = rawContainers[idx];
+		if (!raw || typeof raw !== "object") continue;
+		const c = raw;
+		const containerName = pickString(c["Name"]) ?? container.name;
+		const resolvedEnvKeys = /* @__PURE__ */ new Set();
+		const resolvedSecretNames = /* @__PURE__ */ new Set();
+		if (Array.isArray(c["Environment"])) for (const entry of c["Environment"]) {
+			if (!entry || typeof entry !== "object") continue;
+			const e = entry;
+			const key = pickString(e["Name"]);
+			const value = e["Value"];
+			if (!key) continue;
+			if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") continue;
+			if (key in container.environment) continue;
+			if (!isCrossStackIntrinsic(value)) continue;
+			const sub = await substituteAgainstStateAsync(value, context);
+			if (sub.kind === "literal") {
+				container.environment[key] = String(sub.value);
+				resolvedEnvKeys.add(key);
+			}
+		}
+		if (Array.isArray(c["Secrets"])) for (const entry of c["Secrets"]) {
+			if (!entry || typeof entry !== "object") continue;
+			const e = entry;
+			const sName = pickString(e["Name"]);
+			const valueFromRaw = e["ValueFrom"];
+			if (!sName) continue;
+			if (typeof valueFromRaw === "string" && valueFromRaw.length > 0) continue;
+			if (container.secrets.some((s) => s.name === sName)) continue;
+			if (!isCrossStackIntrinsic(valueFromRaw)) continue;
+			const sub = await substituteAgainstStateAsync(valueFromRaw, context);
+			if (sub.kind === "literal" && typeof sub.value === "string" && sub.value.length > 0) {
+				container.secrets.push({
+					name: sName,
+					valueFrom: sub.value
+				});
+				resolvedSecretNames.add(sName);
+			}
+		}
+		if (resolvedEnvKeys.size > 0 || resolvedSecretNames.size > 0) {
+			container.warnings = container.warnings.filter((w) => {
+				for (const k of resolvedEnvKeys) if (w.startsWith(`Environment '${k}' dropped:`)) return false;
+				for (const k of resolvedSecretNames) if (w.startsWith(`Secret '${k}' dropped:`)) return false;
+				return true;
+			});
+			task.warnings = task.warnings.filter((w) => {
+				for (const k of resolvedEnvKeys) if (w.startsWith(`Container '${containerName}': Environment '${k}' dropped:`)) return false;
+				for (const k of resolvedSecretNames) if (w.startsWith(`Container '${containerName}': Secret '${k}' dropped:`)) return false;
+				return true;
+			});
+		}
+	}
+}
 
 //#endregion
 //#region src/local/runtime-image.ts
@@ -44605,8 +45028,34 @@ async function localRunTaskCommand(target, options) {
 			...Object.keys(context).length > 0 && { context }
 		};
 		const { stacks } = await synthesizer.synthesize(synthOpts);
-		const task = resolveEcsTaskTarget(target, stacks, await buildEcsImageResolutionContext(target, stacks, options));
+		const imageContext = await buildEcsImageResolutionContext(target, stacks, options);
+		const task = resolveEcsTaskTarget(target, stacks, imageContext);
 		logger.info(`Target: ${task.stack.stackName}/${task.taskDefinitionLogicalId} (family=${task.family}, containers=${task.containers.length})`);
+		const taskNeeds = detectEcsImageResolutionNeeds(stacks.find((s) => s.stackName === task.stack.stackName) ?? task.stack);
+		let taskCrossStackDispose;
+		if (options.fromState && taskNeeds.needsCrossStackResolver) {
+			const consumerRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? task.stack.region ?? "us-east-1";
+			const built = await buildCrossStackResolver(consumerRegion, {
+				...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+				statePrefix: options.statePrefix,
+				...options.region !== void 0 && { region: options.region },
+				...options.profile !== void 0 && { profile: options.profile }
+			});
+			if (built) {
+				taskCrossStackDispose = built.dispose;
+				try {
+					await applyCrossStackResolverToTask(task, {
+						resources: imageContext?.stateResources ?? {},
+						...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
+						consumerRegion,
+						crossStackResolver: built.resolver
+					});
+				} finally {
+					taskCrossStackDispose();
+					taskCrossStackDispose = void 0;
+				}
+			}
+		} else if (!options.fromState && taskNeeds.needsCrossStackResolver) logger.warn("Container Environment / Secrets entries contain Fn::ImportValue / Fn::GetStackOutput intrinsics. Pass --from-state to substitute them against deployed cdkd state.");
 		sigintHandler = () => {
 			sigintCount += 1;
 			if (sigintCount >= 2) {
@@ -44894,6 +45343,7 @@ async function localInvokeCommand(target, options) {
 		let stateAudit;
 		let templateEnv = getTemplateEnv(lambda.resource);
 		let stateForRoleHint;
+		let crossStackDispose;
 		if (options.fromState) {
 			const loaded = await loadStateForStack(lambda.stack.stackName, lambda.stack.region, {
 				...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
@@ -44904,16 +45354,38 @@ async function localInvokeCommand(target, options) {
 			});
 			if (loaded) {
 				stateForRoleHint = loaded.state;
-				const subContext = { resources: loaded.state.resources };
+				const subContext = {
+					resources: loaded.state.resources,
+					consumerRegion: loaded.region
+				};
 				if (envHasIntrinsicValue(templateEnv)) {
 					const pseudo = await resolvePseudoParametersForInvoke(lambda.stack.region, options);
 					if (pseudo) subContext.pseudoParameters = pseudo;
 				}
-				const { env, audit } = substituteEnvVarsFromState(templateEnv, subContext);
-				templateEnv = env;
-				stateAudit = audit;
-				for (const key of audit.resolvedKeys) logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
-				for (const { key, reason } of audit.unresolved) logger.warn(`--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
+				if (envHasCrossStackIntrinsic(templateEnv)) {
+					const built = await buildCrossStackResolver(loaded.region, {
+						...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+						statePrefix: options.statePrefix,
+						...options.region !== void 0 && { region: options.region },
+						...options.profile !== void 0 && { profile: options.profile }
+					});
+					if (built) {
+						subContext.crossStackResolver = built.resolver;
+						crossStackDispose = built.dispose;
+					}
+				}
+				try {
+					const { env, audit } = await substituteEnvVarsFromStateAsync(templateEnv, subContext);
+					templateEnv = env;
+					stateAudit = audit;
+					for (const key of audit.resolvedKeys) logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
+					for (const { key, reason } of audit.unresolved) logger.warn(`--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
+				} finally {
+					if (crossStackDispose) {
+						crossStackDispose();
+						crossStackDispose = void 0;
+					}
+				}
 			}
 		}
 		const overrides = readEnvOverridesFile(options.envVars);
@@ -45186,6 +45658,29 @@ function envHasIntrinsicValue(templateEnv) {
 	return false;
 }
 /**
+* Returns true when any value in the function's template env map carries
+* a top-level `Fn::ImportValue` / `Fn::GetStackOutput` intrinsic. Used to
+* gate the cross-stack resolver construction inside the `--from-state`
+* flow: literal + same-stack-intrinsic env maps shouldn't pay for the
+* extra S3 client / index-load cost (issue #454).
+*
+* Detection is one level deep — same heuristic CDK 2.x uses for these
+* intrinsics in practice. Nested cross-stack intrinsics (e.g. an
+* `Fn::ImportValue` buried inside a `Fn::Join`) are not detected here;
+* those won't resolve in v1 anyway because the async resolver path
+* defers to the sync helper for `Fn::Join` / `Fn::Sub` bodies (see
+* `substituteAgainstStateAsync` docstring).
+*/
+function envHasCrossStackIntrinsic(templateEnv) {
+	if (!templateEnv) return false;
+	for (const v of Object.values(templateEnv)) {
+		if (!v || typeof v !== "object") continue;
+		const obj = v;
+		if ("Fn::ImportValue" in obj || "Fn::GetStackOutput" in obj) return true;
+	}
+	return false;
+}
+/**
 * Build the AWS pseudo-parameter bag for `--from-state` env-var
 * substitution. Issues a single `sts:GetCallerIdentity` for the account
 * id and derives `partition` / `urlSuffix` from the resolved region. Any
@@ -46717,7 +47212,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.120.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.122.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());