@go-to-k/cdkd 0.121.0 → 0.122.0

package/README.md

@@ -25,7 +25,7 @@ Drop-in CDK CLI for existing CDK apps — faster deploys via AWS SDK instead of
 - **Rollback on failure**: When a deploy errors mid-stack, cdkd rolls back the resources it just created so the stack state stays consistent (CloudFormation parity — but cdkd does this without round-tripping through CFn). Pass `cdkd deploy --no-rollback` to skip rollback and keep the partial state for Terraform-style inspection / repair. See [Rollback behavior](#rollback-behavior).
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
 - **VPC route DependsOn relaxation (on by default)**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks). Pass `--no-aggressive-vpc-parallel` to opt out.
-- **Local execution without deploying** (`cdkd local invoke` / `cdkd local start-api` / `cdkd local run-task`): run any Lambda — stand up every API Gateway route as a local HTTP server — or start every container in an `AWS::ECS::TaskDefinition` on a per-task docker network with the AWS-published metadata-endpoints sidecar. SAM-compatible mental model but reuses cdkd's synthesis / asset / route-discovery (no `template.yaml` round-trip). All AWS Lambda runtimes (Node.js / Python / Ruby / Java / .NET / `provided.*`) and one server per discovered API (HTTP API v2 / REST v1 / Function URL) with their own port / authorizers / CORS configs. `local run-task` is Phase 1 (single task, DependsOn ordering, IAM task-role via AssumeRole) — ECS Services / ALB routing / Service Connect are Phase 2 / Phase 3 follow-ups. `cdkd local run-task --from-state` substitutes intrinsic-valued container `Environment[].Value` (`Ref` / `Fn::GetAtt` / `Fn::Sub` / `Fn::Join`) and `Secrets[].ValueFrom` against the deployed cdkd state — `table.tableName` / `ecs.Secret.fromSecretsManager(secret)` / `ecs.Secret.fromSsmParameter(param)` Just Work locally instead of silently dropping.
+- **Local execution without deploying** (`cdkd local invoke` / `cdkd local start-api` / `cdkd local run-task`): run any Lambda — stand up every API Gateway route as a local HTTP server — or start every container in an `AWS::ECS::TaskDefinition` on a per-task docker network with the AWS-published metadata-endpoints sidecar. SAM-compatible mental model but reuses cdkd's synthesis / asset / route-discovery (no `template.yaml` round-trip). All AWS Lambda runtimes (Node.js / Python / Ruby / Java / .NET / `provided.*`) and one server per discovered API (HTTP API v2 / REST v1 / Function URL) with their own port / authorizers / CORS configs. `local run-task` is Phase 1 (single task, DependsOn ordering, IAM task-role via AssumeRole) — ECS Services / ALB routing / Service Connect are Phase 2 / Phase 3 follow-ups. `cdkd local run-task --from-state` substitutes intrinsic-valued container `Environment[].Value` (`Ref` / `Fn::GetAtt` / `Fn::Sub` / `Fn::Join` / `Fn::ImportValue` / `Fn::GetStackOutput`) and `Secrets[].ValueFrom` against the deployed cdkd state — `table.tableName` / `ecs.Secret.fromSecretsManager(secret)` / `ecs.Secret.fromSsmParameter(param)` / cross-stack output refs Just Work locally instead of silently dropping.
 - **Bidirectional CloudFormation migration**: `cdkd import` adopts AWS-deployed resources (including `cdk deploy`-managed CloudFormation stacks via `--migrate-from-cloudformation`) into cdkd state without re-creating them; `cdkd export` hands a cdkd-managed stack back to CloudFormation when you're ready to move to production. See [Importing existing resources](#importing-existing-resources) and [Exporting a stack back to CloudFormation](#exporting-a-stack-back-to-cloudformation).
 
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. If you encounter an unsupported resource type, deployment will fail with a clear error message.
@@ -427,8 +427,12 @@ maintain, no `cdk synth | sam ...` round-trip.
 | `cdkd local run-task <target>` | ECS RunTask — every container in a task definition started on a per-task docker network |
 
 Requires Docker. Pass `--from-state` to substitute deployed physical
-IDs into intrinsic-valued properties; without it, intrinsic values are
-dropped with a per-key warning (matches `sam local *` semantics).
+IDs into intrinsic-valued properties (`Ref` / `Fn::GetAtt` / `Fn::Sub` /
+`Fn::Join` against the same stack's state plus AWS pseudo parameters
+via STS, AND `Fn::ImportValue` / `Fn::GetStackOutput` against the
+persistent exports index for cross-stack references — same-account /
+same-region); without it, intrinsic values are dropped with a per-key
+warning (matches `sam local *` semantics).
 
 ### `local invoke`
 

package/dist/cli.js

@@ -35768,6 +35768,119 @@ async function loadStateForStack(stackName, synthRegion, opts) {
 		resetAwsClients();
 	}
 }
+/**
+* Build a {@link CrossStackResolver} that walks cdkd's S3 state to look
+* up `Fn::ImportValue` / `Fn::GetStackOutput` references the same way
+* `cdkd deploy`'s `IntrinsicFunctionResolver` does. Returns `undefined`
+* when the state bucket cannot be resolved (warn + fall back; matches
+* `loadStateForStack`'s policy).
+*
+* The returned `dispose` closes the AWS clients owned by the resolver
+* when the caller is done — callers MUST call it (typically in a
+* `try / finally`) so the per-request S3 client isn't leaked across the
+* CLI's lifetime.
+*
+* Why a separate AwsClients instance from `loadStateForStack`: the
+* existing helper destroys its clients in a `finally` immediately after
+* loading the consumer stack's state. The cross-stack resolver lives
+* longer — every env-var that references a cross-stack output triggers a
+* new state read. Owning a fresh `AwsClients` here gives the resolver
+* an independent lifetime managed by the caller.
+*
+* Same-account / same-region only in v1 (the resolver's `producerRegion`
+* arg is honored, but only for state lookups within the same cdkd state
+* bucket). Cross-region `Fn::ImportValue` is tracked under #451;
+* cross-account `Fn::GetStackOutput.RoleArn` is tracked under #449.
+*/
+async function buildCrossStackResolver(consumerRegion, opts) {
+	const logger = getLogger();
+	const prefix = opts.logPrefix ?? "--from-state";
+	let stateBucket;
+	try {
+		stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, consumerRegion);
+	} catch (err) {
+		logger.warn(`${prefix}: cross-stack resolver could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Fn::ImportValue / Fn::GetStackOutput env entries will warn-and-drop.`);
+		return;
+	}
+	const awsClients = new AwsClients({
+		...opts.region !== void 0 && { region: opts.region },
+		...opts.profile !== void 0 && { profile: opts.profile }
+	});
+	const stateConfig = {
+		bucket: stateBucket,
+		prefix: opts.statePrefix
+	};
+	const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+		...opts.region !== void 0 && { region: opts.region },
+		...opts.profile !== void 0 && { profile: opts.profile }
+	});
+	try {
+		await stateBackend.verifyBucketExists();
+	} catch (err) {
+		awsClients.destroy();
+		logger.warn(`${prefix}: cross-stack resolver could not access state bucket '${stateBucket}': ${err instanceof Error ? err.message : String(err)}. Fn::ImportValue / Fn::GetStackOutput env entries will warn-and-drop.`);
+		return;
+	}
+	const exportIndex = new ExportIndexStore(awsClients.s3, stateBucket, opts.statePrefix, consumerRegion, stateBackend);
+	return {
+		resolver: {
+			async resolveImport(exportName) {
+				try {
+					const entry = await exportIndex.lookup(exportName);
+					if (entry) {
+						const value = entry.value;
+						if (typeof value === "string") return value;
+						if (typeof value === "number" || typeof value === "boolean") return String(value);
+						return JSON.stringify(value);
+					}
+				} catch (err) {
+					logger.debug(`${prefix}: exports index lookup failed for '${exportName}': ${err instanceof Error ? err.message : String(err)}; falling back to per-stack state scan`);
+				}
+				let refs;
+				try {
+					refs = await stateBackend.listStacks();
+				} catch (err) {
+					logger.debug(`${prefix}: failed to list stacks during Fn::ImportValue fallback for '${exportName}': ${err instanceof Error ? err.message : String(err)}`);
+					return;
+				}
+				for (const ref of refs) {
+					const region = ref.region ?? consumerRegion;
+					if (region !== consumerRegion) continue;
+					try {
+						const got = await stateBackend.getState(ref.stackName, region);
+						if (!got || !got.state.outputs) continue;
+						if (exportName in got.state.outputs) {
+							const value = got.state.outputs[exportName];
+							if (typeof value === "string") return value;
+							if (typeof value === "number" || typeof value === "boolean") return String(value);
+							return JSON.stringify(value);
+						}
+					} catch (err) {
+						logger.debug(`${prefix}: state read failed for ${ref.stackName} (${region}) during Fn::ImportValue fallback: ${err instanceof Error ? err.message : String(err)}`);
+						continue;
+					}
+				}
+			},
+			async resolveGetStackOutput(producerStack, producerRegion, outputName) {
+				try {
+					const got = await stateBackend.getState(producerStack, producerRegion);
+					if (!got || !got.state.outputs) return void 0;
+					if (!(outputName in got.state.outputs)) return void 0;
+					const value = got.state.outputs[outputName];
+					if (typeof value === "string") return value;
+					if (typeof value === "number" || typeof value === "boolean") return String(value);
+					return JSON.stringify(value);
+				} catch (err) {
+					logger.debug(`${prefix}: state read failed for Fn::GetStackOutput '${producerStack}.${outputName}' (${producerRegion}): ${err instanceof Error ? err.message : String(err)}`);
+					return;
+				}
+			}
+		},
+		dispose: () => {
+			awsClients.destroy();
+		}
+	};
+}
 
 //#endregion
 //#region src/local/intrinsic-image.ts
@@ -36733,6 +36846,159 @@ function resolveJoin(arg, context) {
 	};
 }
 /**
+* Async sibling of {@link substituteAgainstState}. Same semantics for every
+* intrinsic the sync path supports; additionally consults the
+* `crossStackResolver` (when supplied on the context) for `Fn::ImportValue`
+* and `Fn::GetStackOutput`.
+*
+* Callers that don't need cross-stack support should keep using the sync
+* helper. Code paths that wire `--from-state` env / secret substitution
+* (e.g. `cdkd local invoke --from-state`, `cdkd local run-task --from-state`)
+* route through this async version so a single env-var referencing a
+* cross-stack output is no longer warn-and-dropped.
+*/
+async function substituteAgainstStateAsync(value, contextOrResources) {
+	const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
+	if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") return {
+		kind: "literal",
+		value
+	};
+	if (value === null || typeof value !== "object") return {
+		kind: "unresolved",
+		reason: `unsupported value type: ${value === null ? "null" : typeof value}`
+	};
+	const obj = value;
+	const keys = Object.keys(obj);
+	if (keys.length !== 1) return {
+		kind: "unresolved",
+		reason: `expected an intrinsic with one key, got ${keys.length} keys`
+	};
+	const intrinsic = keys[0];
+	const arg = obj[intrinsic];
+	if (intrinsic === "Ref" || intrinsic === "Fn::GetAtt" || intrinsic === "Fn::Sub" || intrinsic === "Fn::Join") return substituteAgainstState(value, context);
+	if (intrinsic === "Fn::ImportValue") return resolveImportValueAsync(arg, context);
+	if (intrinsic === "Fn::GetStackOutput") return resolveGetStackOutputAsync(arg, context);
+	return {
+		kind: "unresolved",
+		reason: `unsupported intrinsic '${intrinsic}' (supported: Ref, Fn::GetAtt, Fn::Sub, Fn::Join, Fn::ImportValue, Fn::GetStackOutput)`
+	};
+}
+/**
+* `Fn::ImportValue: <exportName>` — the argument may itself be an
+* intrinsic that resolves to a string (e.g.
+* `{Fn::ImportValue: {Fn::Sub: 'MyStack-${AWS::Region}-Bucket'}}` — the
+* inner `Fn::Sub` is resolved against `pseudoParameters` first, then the
+* resulting string is looked up via the cross-stack resolver).
+*/
+async function resolveImportValueAsync(arg, context) {
+	const inner = substituteAgainstState(arg, context);
+	if (inner.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue argument: ${inner.reason}`
+	};
+	if (typeof inner.value !== "string" || inner.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue argument must resolve to a non-empty string, got ${typeof inner.value}`
+	};
+	const exportName = inner.value;
+	if (!context.crossStackResolver) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue '${exportName}': no cross-stack resolver supplied (pass --from-state and ensure the producer stack was deployed via cdkd deploy)`
+	};
+	let resolved;
+	try {
+		resolved = await context.crossStackResolver.resolveImport(exportName);
+	} catch (err) {
+		return {
+			kind: "unresolved",
+			reason: `Fn::ImportValue '${exportName}': lookup failed: ${err instanceof Error ? err.message : String(err)}`
+		};
+	}
+	if (resolved === void 0) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue '${exportName}': export not found in any cdkd-managed stack in this region`
+	};
+	return {
+		kind: "literal",
+		value: resolved
+	};
+}
+/**
+* `Fn::GetStackOutput: { StackName, OutputName, Region? }`. Same shape as
+* the deploy-engine resolver. `RoleArn` (cross-account) is intentionally
+* NOT supported in this path — the user-visible error message points at
+* the followup issue tracking it.
+*/
+async function resolveGetStackOutputAsync(arg, context) {
+	if (!arg || typeof arg !== "object" || Array.isArray(arg)) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput argument must be an object with StackName / OutputName / Region, got ${arg === null ? "null" : Array.isArray(arg) ? "array" : typeof arg}`
+	};
+	const args = arg;
+	const stackNameSub = substituteAgainstState(args["StackName"], context);
+	if (stackNameSub.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.StackName: ${stackNameSub.reason}`
+	};
+	if (typeof stackNameSub.value !== "string" || stackNameSub.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.StackName must resolve to a non-empty string, got ${typeof stackNameSub.value}`
+	};
+	const stackName = stackNameSub.value;
+	const outputNameSub = substituteAgainstState(args["OutputName"], context);
+	if (outputNameSub.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.OutputName: ${outputNameSub.reason}`
+	};
+	if (typeof outputNameSub.value !== "string" || outputNameSub.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.OutputName must resolve to a non-empty string, got ${typeof outputNameSub.value}`
+	};
+	const outputName = outputNameSub.value;
+	let region;
+	if (args["Region"] !== void 0 && args["Region"] !== null) {
+		const regionSub = substituteAgainstState(args["Region"], context);
+		if (regionSub.kind !== "literal") return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput.Region: ${regionSub.reason}`
+		};
+		if (typeof regionSub.value !== "string" || regionSub.value.length === 0) return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput.Region must resolve to a non-empty string, got ${typeof regionSub.value}`
+		};
+		region = regionSub.value;
+	} else region = context.consumerRegion ?? context.pseudoParameters?.region;
+	if (!region) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': no Region supplied and consumer region is unknown (set --region, AWS_REGION, or env.region on the CDK stack)`
+	};
+	if (args["RoleArn"] !== void 0 && args["RoleArn"] !== null) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': RoleArn (cross-account) is not yet supported by --from-state — tracked under issue #449`
+	};
+	if (!context.crossStackResolver) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': no cross-stack resolver supplied (pass --from-state and ensure the producer stack was deployed via cdkd deploy)`
+	};
+	let resolved;
+	try {
+		resolved = await context.crossStackResolver.resolveGetStackOutput(stackName, region, outputName);
+	} catch (err) {
+		return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput '${stackName}.${outputName}' (${region}): lookup failed: ${err instanceof Error ? err.message : String(err)}`
+		};
+	}
+	if (resolved === void 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}' (${region}): output not found in producer stack state`
+	};
+	return {
+		kind: "literal",
+		value: resolved
+	};
+}
+/**
 * Build a pre-substituted env map from the template entry by feeding each
 * intrinsic value through `substituteAgainstState`. Literal entries pass
 * through untouched (the env-resolver handles them).
@@ -36773,6 +37039,50 @@ function substituteEnvVarsFromState(templateEnv, contextOrResources) {
 		audit
 	};
 }
+/**
+* Async sibling of {@link substituteEnvVarsFromState}. Routes every
+* intrinsic-valued entry through {@link substituteAgainstStateAsync} so
+* `Fn::ImportValue` / `Fn::GetStackOutput` resolve via the context's
+* `crossStackResolver` (when supplied). Mirrors the sync version in every
+* other respect: literal entries pass through unchanged, unresolved
+* entries are dropped with a per-key audit reason, and the env-resolver
+* sees the same "no template value" shape so the warn-and-drop path
+* fires consistently.
+*
+* Closes issue #454 — `cdkd local invoke --from-state` and
+* `cdkd local run-task --from-state` can now resolve cross-stack output
+* references in env vars / secrets instead of warn-and-dropping them.
+*/
+async function substituteEnvVarsFromStateAsync(templateEnv, contextOrResources) {
+	const env = {};
+	const audit = {
+		resolvedKeys: [],
+		unresolved: []
+	};
+	if (!templateEnv) return {
+		env,
+		audit
+	};
+	const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
+	for (const [key, value] of Object.entries(templateEnv)) {
+		if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+			env[key] = value;
+			continue;
+		}
+		const result = await substituteAgainstStateAsync(value, context);
+		if (result.kind === "literal") {
+			env[key] = result.value;
+			audit.resolvedKeys.push(key);
+		} else audit.unresolved.push({
+			key,
+			reason: result.reason
+		});
+	}
+	return {
+		env,
+		audit
+	};
+}
 
 //#endregion
 //#region src/local/ecs-task-resolver.ts
@@ -36816,6 +37126,7 @@ function detectEcsImageResolutionNeeds(stack) {
 	let needsPseudoParameters = false;
 	let needsStateResources = false;
 	let needsEnvOrSecretSubstitution = false;
+	let needsCrossStackResolver = false;
 	for (const res of Object.values(resources)) {
 		if (res.Type !== "AWS::ECS::TaskDefinition") continue;
 		const props = res.Properties ?? {};
@@ -36828,6 +37139,10 @@ function detectEcsImageResolutionNeeds(stack) {
 			if (need.pseudo) needsPseudoParameters = true;
 			if (need.state) needsStateResources = true;
 			if (containerHasIntrinsicEnvOrSecret(co)) needsEnvOrSecretSubstitution = true;
+			if (containerHasCrossStackEnvOrSecret(co)) {
+				needsEnvOrSecretSubstitution = true;
+				needsCrossStackResolver = true;
+			}
 		}
 		const rawVolumes = props["Volumes"];
 		if (Array.isArray(rawVolumes)) {
@@ -36841,10 +37156,37 @@ function detectEcsImageResolutionNeeds(stack) {
 	return {
 		needsPseudoParameters,
 		needsStateResources,
-		needsEnvOrSecretSubstitution
+		needsEnvOrSecretSubstitution,
+		needsCrossStackResolver
 	};
 }
 /**
+* Returns true when any `Environment[].Value` or `Secrets[].ValueFrom`
+* is a top-level `Fn::ImportValue` / `Fn::GetStackOutput` intrinsic.
+* Issue #454 — gates cross-stack resolver construction so literal +
+* same-stack-intrinsic env / secret maps don't pay the extra cost.
+*/
+function containerHasCrossStackEnvOrSecret(c) {
+	const env = c["Environment"];
+	if (Array.isArray(env)) for (const entry of env) {
+		if (!entry || typeof entry !== "object") continue;
+		const v = entry["Value"];
+		if (isCrossStackIntrinsic(v)) return true;
+	}
+	const secrets = c["Secrets"];
+	if (Array.isArray(secrets)) for (const entry of secrets) {
+		if (!entry || typeof entry !== "object") continue;
+		const v = entry["ValueFrom"];
+		if (isCrossStackIntrinsic(v)) return true;
+	}
+	return false;
+}
+function isCrossStackIntrinsic(value) {
+	if (!value || typeof value !== "object") return false;
+	const obj = value;
+	return "Fn::ImportValue" in obj || "Fn::GetStackOutput" in obj;
+}
+/**
 * Detect whether a Volume entry has an intrinsic-valued `Host.SourcePath`.
 * Used by `detectEcsImageResolutionNeeds` (Gap 6 of #286) to trigger
 * state-load + pseudo-parameter resolution under `--from-state` when the
@@ -37589,6 +37931,87 @@ function checkVolumeHostPath(hostPath) {
 		return false;
 	}
 }
+/**
+* Async post-pass that walks the resolved task's container Environment +
+* Secrets entries from the raw template (preserved in `task.resource`)
+* and re-attempts substitution via {@link substituteAgainstStateAsync}
+* against the supplied context. The sync `parseContainerDefinition`
+* pass already substituted everything the legacy resolver handles; this
+* pass picks up the additional shapes the async resolver supports —
+* specifically `Fn::ImportValue` / `Fn::GetStackOutput` (issue #454).
+*
+* Resolved entries are patched onto the container's `environment` /
+* `secrets` map AND the corresponding `warnings` entries are filtered
+* out so the CLI doesn't print a stale per-container warn for an entry
+* the post-pass successfully resolved. Entries that STILL can't resolve
+* (e.g. producer stack not deployed) keep their original warning so the
+* CLI's UX matches the sync path.
+*
+* Pure-functional on the task structure outside of in-place mutation of
+* the container's `environment` / `secrets` / `warnings` arrays. The
+* task is expected to be the same `ResolvedEcsTask` instance returned
+* by `resolveEcsTaskTarget` — the runner downstream reads from these
+* fields directly.
+*/
+async function applyCrossStackResolverToTask(task, context) {
+	if (!context.crossStackResolver) return;
+	const rawContainers = (task.resource.Properties ?? {})["ContainerDefinitions"];
+	if (!Array.isArray(rawContainers)) return;
+	for (let idx = 0; idx < task.containers.length; idx += 1) {
+		const container = task.containers[idx];
+		const raw = rawContainers[idx];
+		if (!raw || typeof raw !== "object") continue;
+		const c = raw;
+		const containerName = pickString(c["Name"]) ?? container.name;
+		const resolvedEnvKeys = /* @__PURE__ */ new Set();
+		const resolvedSecretNames = /* @__PURE__ */ new Set();
+		if (Array.isArray(c["Environment"])) for (const entry of c["Environment"]) {
+			if (!entry || typeof entry !== "object") continue;
+			const e = entry;
+			const key = pickString(e["Name"]);
+			const value = e["Value"];
+			if (!key) continue;
+			if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") continue;
+			if (key in container.environment) continue;
+			if (!isCrossStackIntrinsic(value)) continue;
+			const sub = await substituteAgainstStateAsync(value, context);
+			if (sub.kind === "literal") {
+				container.environment[key] = String(sub.value);
+				resolvedEnvKeys.add(key);
+			}
+		}
+		if (Array.isArray(c["Secrets"])) for (const entry of c["Secrets"]) {
+			if (!entry || typeof entry !== "object") continue;
+			const e = entry;
+			const sName = pickString(e["Name"]);
+			const valueFromRaw = e["ValueFrom"];
+			if (!sName) continue;
+			if (typeof valueFromRaw === "string" && valueFromRaw.length > 0) continue;
+			if (container.secrets.some((s) => s.name === sName)) continue;
+			if (!isCrossStackIntrinsic(valueFromRaw)) continue;
+			const sub = await substituteAgainstStateAsync(valueFromRaw, context);
+			if (sub.kind === "literal" && typeof sub.value === "string" && sub.value.length > 0) {
+				container.secrets.push({
+					name: sName,
+					valueFrom: sub.value
+				});
+				resolvedSecretNames.add(sName);
+			}
+		}
+		if (resolvedEnvKeys.size > 0 || resolvedSecretNames.size > 0) {
+			container.warnings = container.warnings.filter((w) => {
+				for (const k of resolvedEnvKeys) if (w.startsWith(`Environment '${k}' dropped:`)) return false;
+				for (const k of resolvedSecretNames) if (w.startsWith(`Secret '${k}' dropped:`)) return false;
+				return true;
+			});
+			task.warnings = task.warnings.filter((w) => {
+				for (const k of resolvedEnvKeys) if (w.startsWith(`Container '${containerName}': Environment '${k}' dropped:`)) return false;
+				for (const k of resolvedSecretNames) if (w.startsWith(`Container '${containerName}': Secret '${k}' dropped:`)) return false;
+				return true;
+			});
+		}
+	}
+}
 
 //#endregion
 //#region src/local/runtime-image.ts
@@ -44605,8 +45028,34 @@ async function localRunTaskCommand(target, options) {
 			...Object.keys(context).length > 0 && { context }
 		};
 		const { stacks } = await synthesizer.synthesize(synthOpts);
-		const task = resolveEcsTaskTarget(target, stacks, await buildEcsImageResolutionContext(target, stacks, options));
+		const imageContext = await buildEcsImageResolutionContext(target, stacks, options);
+		const task = resolveEcsTaskTarget(target, stacks, imageContext);
 		logger.info(`Target: ${task.stack.stackName}/${task.taskDefinitionLogicalId} (family=${task.family}, containers=${task.containers.length})`);
+		const taskNeeds = detectEcsImageResolutionNeeds(stacks.find((s) => s.stackName === task.stack.stackName) ?? task.stack);
+		let taskCrossStackDispose;
+		if (options.fromState && taskNeeds.needsCrossStackResolver) {
+			const consumerRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? task.stack.region ?? "us-east-1";
+			const built = await buildCrossStackResolver(consumerRegion, {
+				...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+				statePrefix: options.statePrefix,
+				...options.region !== void 0 && { region: options.region },
+				...options.profile !== void 0 && { profile: options.profile }
+			});
+			if (built) {
+				taskCrossStackDispose = built.dispose;
+				try {
+					await applyCrossStackResolverToTask(task, {
+						resources: imageContext?.stateResources ?? {},
+						...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
+						consumerRegion,
+						crossStackResolver: built.resolver
+					});
+				} finally {
+					taskCrossStackDispose();
+					taskCrossStackDispose = void 0;
+				}
+			}
+		} else if (!options.fromState && taskNeeds.needsCrossStackResolver) logger.warn("Container Environment / Secrets entries contain Fn::ImportValue / Fn::GetStackOutput intrinsics. Pass --from-state to substitute them against deployed cdkd state.");
 		sigintHandler = () => {
 			sigintCount += 1;
 			if (sigintCount >= 2) {
@@ -44894,6 +45343,7 @@ async function localInvokeCommand(target, options) {
 		let stateAudit;
 		let templateEnv = getTemplateEnv(lambda.resource);
 		let stateForRoleHint;
+		let crossStackDispose;
 		if (options.fromState) {
 			const loaded = await loadStateForStack(lambda.stack.stackName, lambda.stack.region, {
 				...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
@@ -44904,16 +45354,38 @@ async function localInvokeCommand(target, options) {
 			});
 			if (loaded) {
 				stateForRoleHint = loaded.state;
-				const subContext = { resources: loaded.state.resources };
+				const subContext = {
+					resources: loaded.state.resources,
+					consumerRegion: loaded.region
+				};
 				if (envHasIntrinsicValue(templateEnv)) {
 					const pseudo = await resolvePseudoParametersForInvoke(lambda.stack.region, options);
 					if (pseudo) subContext.pseudoParameters = pseudo;
 				}
-				const { env, audit } = substituteEnvVarsFromState(templateEnv, subContext);
-				templateEnv = env;
-				stateAudit = audit;
-				for (const key of audit.resolvedKeys) logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
-				for (const { key, reason } of audit.unresolved) logger.warn(`--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
+				if (envHasCrossStackIntrinsic(templateEnv)) {
+					const built = await buildCrossStackResolver(loaded.region, {
+						...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+						statePrefix: options.statePrefix,
+						...options.region !== void 0 && { region: options.region },
+						...options.profile !== void 0 && { profile: options.profile }
+					});
+					if (built) {
+						subContext.crossStackResolver = built.resolver;
+						crossStackDispose = built.dispose;
+					}
+				}
+				try {
+					const { env, audit } = await substituteEnvVarsFromStateAsync(templateEnv, subContext);
+					templateEnv = env;
+					stateAudit = audit;
+					for (const key of audit.resolvedKeys) logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
+					for (const { key, reason } of audit.unresolved) logger.warn(`--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
+				} finally {
+					if (crossStackDispose) {
+						crossStackDispose();
+						crossStackDispose = void 0;
+					}
+				}
 			}
 		}
 		const overrides = readEnvOverridesFile(options.envVars);
@@ -45186,6 +45658,29 @@ function envHasIntrinsicValue(templateEnv) {
 	return false;
 }
 /**
+* Returns true when any value in the function's template env map carries
+* a top-level `Fn::ImportValue` / `Fn::GetStackOutput` intrinsic. Used to
+* gate the cross-stack resolver construction inside the `--from-state`
+* flow: literal + same-stack-intrinsic env maps shouldn't pay for the
+* extra S3 client / index-load cost (issue #454).
+*
+* Detection is one level deep — same heuristic CDK 2.x uses for these
+* intrinsics in practice. Nested cross-stack intrinsics (e.g. an
+* `Fn::ImportValue` buried inside a `Fn::Join`) are not detected here;
+* those won't resolve in v1 anyway because the async resolver path
+* defers to the sync helper for `Fn::Join` / `Fn::Sub` bodies (see
+* `substituteAgainstStateAsync` docstring).
+*/
+function envHasCrossStackIntrinsic(templateEnv) {
+	if (!templateEnv) return false;
+	for (const v of Object.values(templateEnv)) {
+		if (!v || typeof v !== "object") continue;
+		const obj = v;
+		if ("Fn::ImportValue" in obj || "Fn::GetStackOutput" in obj) return true;
+	}
+	return false;
+}
+/**
 * Build the AWS pseudo-parameter bag for `--from-state` env-var
 * substitution. Issues a single `sts:GetCallerIdentity` for the account
 * id and derives `partition` / `urlSuffix` from the resolved region. Any
@@ -46717,7 +47212,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.121.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.122.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());