@go-to-k/cdkd 0.121.0 → 0.123.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { $ as LocalInvokeBuildError, A as stringifyValue, B as resolveApp, C as DiffCalculator, Ct as withSkipPrefix, D as S3StateBackend, E as LockManager, F as runDockerForeground, G as warnDeprecatedNoPrefixCliFlag, H as resolveSkipPrefix, I as runDockerStreaming, J as resolveBucketRegion, K as AssemblyReader, L as Synthesizer, M as buildDockerImage, N as formatDockerLoginError, O as shouldRetainResource, P as getDockerCmd, R as getDefaultStateBucketName, S as IntrinsicFunctionResolver, St as generateResourceNameWithFallback, T as TemplateParser, U as resolveStateBucketWithDefault, V as resolveCaptureObservedState, W as resolveStateBucketWithDefaultAndSource, X as CdkdError, _ as normalizeAwsTagsToCfn, _t as runStackBuffered, a as withRetry, at as RouteDiscoveryError, b as CloudControlProvider, bt as PATTERN_B_RESOURCE_TYPES, c as cyan, d as red, f as yellow, ft as normalizeAwsError, g as matchesCdkPath, h as CDK_PATH_TAG, ht as getLogger, i as withResourceDeadline, it as ResourceUpdateNotSupportedError, j as WorkGraph, k as AssetPublisher, l as gray, m as collectInlinePolicyNamesManagedBySiblings, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as ProvisioningError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as StackHasActiveImportsError, p as IAMRoleProvider, pt as withErrorHandling, r as DeployEngine, rt as ResourceTimeoutError, s as bold, st as StackTerminationProtectionError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as PartialFailureError, u as green, v as resolveExplicitPhysicalId, vt as getLiveRenderer, w as DagBuilder, wt as withStackName, x as assertRegionMatch, xt as generateResourceName, y as ProviderRegistry, yt as PATTERN_B_NAME_PROPERTIES, z as getLegacyStateBucketName } from "./deploy-engine-B2RZT3ai.js";
+import { A as AssetPublisher, B as getLegacyStateBucketName, C as applyRoleArnIfSet, Ct as generateResourceNameWithFallback, D as LockManager, E as TemplateParser, F as getDockerCmd, G as resolveStateBucketWithDefaultAndSource, H as resolveCaptureObservedState, I as runDockerForeground, K as warnDeprecatedNoPrefixCliFlag, L as runDockerStreaming, M as WorkGraph, N as buildDockerImage, O as S3StateBackend, P as formatDockerLoginError, R as Synthesizer, S as IntrinsicFunctionResolver, St as generateResourceName, T as DagBuilder, Tt as withStackName, U as resolveSkipPrefix, V as resolveApp, W as resolveStateBucketWithDefault, Y as resolveBucketRegion, Z as CdkdError, _ as normalizeAwsTagsToCfn, a as withRetry, at as ResourceUpdateNotSupportedError, b as CloudControlProvider, bt as PATTERN_B_NAME_PROPERTIES, c as cyan, ct as StackTerminationProtectionError, d as red, et as LocalInvokeBuildError, f as yellow, g as matchesCdkPath, gt as getLogger, h as CDK_PATH_TAG, i as withResourceDeadline, it as ResourceTimeoutError, j as stringifyValue, k as shouldRetainResource, l as gray, m as collectInlinePolicyNamesManagedBySiblings, mt as withErrorHandling, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as PartialFailureError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as RouteDiscoveryError, p as IAMRoleProvider, pt as normalizeAwsError, q as AssemblyReader, r as DeployEngine, rt as ProvisioningError, s as bold, st as StackHasActiveImportsError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as green, v as resolveExplicitPhysicalId, vt as runStackBuffered, w as DiffCalculator, wt as withSkipPrefix, x as assertRegionMatch, xt as PATTERN_B_RESOURCE_TYPES, y as ProviderRegistry, yt as getLiveRenderer, z as getDefaultStateBucketName } from "./deploy-engine-DWpeb9wT.js";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -437,63 +437,6 @@ function effectiveAssumeRoleArn(logicalId, opt) {
 */
 const destroyOptions = [new Option("-f, --force", "Do not ask for confirmation before destroying the stacks").default(false), new Option("--remove-protection", "Bypass deletion protection on protected resources by flipping the per-resource protection flag off in-place before delete. Covers stack-level terminationProtection (CDK property) and resource-level protection on AWS::Logs::LogGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::DocDB::DBCluster, AWS::Neptune::DBCluster, AWS::Neptune::DBInstance, AWS::DynamoDB::Table, AWS::EC2::Instance, AWS::Cognito::UserPool, AWS::AutoScaling::AutoScalingGroup, and AWS::ElasticLoadBalancingV2::LoadBalancer.").default(false)];
 
-//#endregion
-//#region src/utils/role-arn.ts
-/**
-* Resolve the role-arn argument (CLI flag or `CDKD_ROLE_ARN` env var) and,
-* when set, assume the role and write the resulting temporary credentials
-* into `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN`
-* for the rest of the process.
-*
-* **Why env vars, not threaded credentials.** cdkd constructs ~13
-* independent `AwsClients` instances across deploy / destroy / state /
-* import / etc. paths (each with its own region, sometimes — e.g. the
-* state-bucket client lives in a different region from the provisioning
-* clients). Threading a `credentials` object through every site is high
-* churn for an opt-in flag. AWS SDK v3 reads the standard `AWS_*` env
-* vars at the top of its default credentials chain, so writing into them
-* once at the command's entry makes every later `new XxxClient()` pick
-* up the assumed-role credentials automatically without touching the
-* client construction sites.
-*
-* **Why cdkd needs admin-equivalent on the assumed role.** Unlike `cdk
-* deploy`, cdkd does NOT route through CloudFormation. There is no
-* cfn-exec-role to delegate to. Every IAM / EC2 / Lambda / etc. API
-* call is issued from the cdkd process directly. The role you pass to
-* `--role-arn` (or set in `CDKD_ROLE_ARN`) MUST therefore have
-* admin-equivalent permissions on the resources being deployed; CDK
-* CLI's `cdk-hnb659fds-deploy-role-*` is NOT sufficient — that role
-* only carries CFn + asset-publish permissions.
-*
-* Default session duration is 1 hour. For longer-running deploys, the
-* caller should re-issue the cdkd command (the in-flight credentials
-* stay valid until expiry, but a re-run is the simplest recovery for
-* the rare case where a deploy outlives them).
-*/
-async function applyRoleArnIfSet(opts) {
-	const roleArn = opts.roleArn || process.env["CDKD_ROLE_ARN"];
-	if (!roleArn) return;
-	const logger = getLogger().child("role-arn");
-	logger.debug(`Assuming role ${roleArn}...`);
-	const sts = new STSClient({ ...opts.region && { region: opts.region } });
-	try {
-		const response = await sts.send(new AssumeRoleCommand({
-			RoleArn: roleArn,
-			RoleSessionName: `cdkd-${Date.now()}`,
-			DurationSeconds: 3600
-		}));
-		if (!response.Credentials) throw new Error(`AssumeRole returned no credentials for role ${roleArn}`);
-		const { AccessKeyId, SecretAccessKey, SessionToken, Expiration } = response.Credentials;
-		if (!AccessKeyId || !SecretAccessKey || !SessionToken) throw new Error(`AssumeRole response missing credentials fields for role ${roleArn}`);
-		process.env["AWS_ACCESS_KEY_ID"] = AccessKeyId;
-		process.env["AWS_SECRET_ACCESS_KEY"] = SecretAccessKey;
-		process.env["AWS_SESSION_TOKEN"] = SessionToken;
-		logger.info(`Assumed role ${roleArn} (session expires ${Expiration?.toISOString() ?? "unknown"})`);
-	} finally {
-		sts.destroy();
-	}
-}
-
 //#endregion
 //#region src/cli/commands/bootstrap.ts
 /**
@@ -35768,6 +35711,119 @@ async function loadStateForStack(stackName, synthRegion, opts) {
 		resetAwsClients();
 	}
 }
+/**
+* Build a {@link CrossStackResolver} that walks cdkd's S3 state to look
+* up `Fn::ImportValue` / `Fn::GetStackOutput` references the same way
+* `cdkd deploy`'s `IntrinsicFunctionResolver` does. Returns `undefined`
+* when the state bucket cannot be resolved (warn + fall back; matches
+* `loadStateForStack`'s policy).
+*
+* The returned `dispose` closes the AWS clients owned by the resolver
+* when the caller is done — callers MUST call it (typically in a
+* `try / finally`) so the per-request S3 client isn't leaked across the
+* CLI's lifetime.
+*
+* Why a separate AwsClients instance from `loadStateForStack`: the
+* existing helper destroys its clients in a `finally` immediately after
+* loading the consumer stack's state. The cross-stack resolver lives
+* longer — every env-var that references a cross-stack output triggers a
+* new state read. Owning a fresh `AwsClients` here gives the resolver
+* an independent lifetime managed by the caller.
+*
+* Same-account / same-region only in v1 (the resolver's `producerRegion`
+* arg is honored, but only for state lookups within the same cdkd state
+* bucket). Cross-region `Fn::ImportValue` is tracked under #451;
+* cross-account `Fn::GetStackOutput.RoleArn` is tracked under #449.
+*/
+async function buildCrossStackResolver(consumerRegion, opts) {
+	const logger = getLogger();
+	const prefix = opts.logPrefix ?? "--from-state";
+	let stateBucket;
+	try {
+		stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, consumerRegion);
+	} catch (err) {
+		logger.warn(`${prefix}: cross-stack resolver could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Fn::ImportValue / Fn::GetStackOutput env entries will warn-and-drop.`);
+		return;
+	}
+	const awsClients = new AwsClients({
+		...opts.region !== void 0 && { region: opts.region },
+		...opts.profile !== void 0 && { profile: opts.profile }
+	});
+	const stateConfig = {
+		bucket: stateBucket,
+		prefix: opts.statePrefix
+	};
+	const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+		...opts.region !== void 0 && { region: opts.region },
+		...opts.profile !== void 0 && { profile: opts.profile }
+	});
+	try {
+		await stateBackend.verifyBucketExists();
+	} catch (err) {
+		awsClients.destroy();
+		logger.warn(`${prefix}: cross-stack resolver could not access state bucket '${stateBucket}': ${err instanceof Error ? err.message : String(err)}. Fn::ImportValue / Fn::GetStackOutput env entries will warn-and-drop.`);
+		return;
+	}
+	const exportIndex = new ExportIndexStore(awsClients.s3, stateBucket, opts.statePrefix, consumerRegion, stateBackend);
+	return {
+		resolver: {
+			async resolveImport(exportName) {
+				try {
+					const entry = await exportIndex.lookup(exportName);
+					if (entry) {
+						const value = entry.value;
+						if (typeof value === "string") return value;
+						if (typeof value === "number" || typeof value === "boolean") return String(value);
+						return JSON.stringify(value);
+					}
+				} catch (err) {
+					logger.debug(`${prefix}: exports index lookup failed for '${exportName}': ${err instanceof Error ? err.message : String(err)}; falling back to per-stack state scan`);
+				}
+				let refs;
+				try {
+					refs = await stateBackend.listStacks();
+				} catch (err) {
+					logger.debug(`${prefix}: failed to list stacks during Fn::ImportValue fallback for '${exportName}': ${err instanceof Error ? err.message : String(err)}`);
+					return;
+				}
+				for (const ref of refs) {
+					const region = ref.region ?? consumerRegion;
+					if (region !== consumerRegion) continue;
+					try {
+						const got = await stateBackend.getState(ref.stackName, region);
+						if (!got || !got.state.outputs) continue;
+						if (exportName in got.state.outputs) {
+							const value = got.state.outputs[exportName];
+							if (typeof value === "string") return value;
+							if (typeof value === "number" || typeof value === "boolean") return String(value);
+							return JSON.stringify(value);
+						}
+					} catch (err) {
+						logger.debug(`${prefix}: state read failed for ${ref.stackName} (${region}) during Fn::ImportValue fallback: ${err instanceof Error ? err.message : String(err)}`);
+						continue;
+					}
+				}
+			},
+			async resolveGetStackOutput(producerStack, producerRegion, outputName) {
+				try {
+					const got = await stateBackend.getState(producerStack, producerRegion);
+					if (!got || !got.state.outputs) return void 0;
+					if (!(outputName in got.state.outputs)) return void 0;
+					const value = got.state.outputs[outputName];
+					if (typeof value === "string") return value;
+					if (typeof value === "number" || typeof value === "boolean") return String(value);
+					return JSON.stringify(value);
+				} catch (err) {
+					logger.debug(`${prefix}: state read failed for Fn::GetStackOutput '${producerStack}.${outputName}' (${producerRegion}): ${err instanceof Error ? err.message : String(err)}`);
+					return;
+				}
+			}
+		},
+		dispose: () => {
+			awsClients.destroy();
+		}
+	};
+}
 
 //#endregion
 //#region src/local/intrinsic-image.ts
@@ -36733,6 +36789,159 @@ function resolveJoin(arg, context) {
 	};
 }
 /**
+* Async sibling of {@link substituteAgainstState}. Same semantics for every
+* intrinsic the sync path supports; additionally consults the
+* `crossStackResolver` (when supplied on the context) for `Fn::ImportValue`
+* and `Fn::GetStackOutput`.
+*
+* Callers that don't need cross-stack support should keep using the sync
+* helper. Code paths that wire `--from-state` env / secret substitution
+* (e.g. `cdkd local invoke --from-state`, `cdkd local run-task --from-state`)
+* route through this async version so a single env-var referencing a
+* cross-stack output is no longer warn-and-dropped.
+*/
+async function substituteAgainstStateAsync(value, contextOrResources) {
+	const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
+	if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") return {
+		kind: "literal",
+		value
+	};
+	if (value === null || typeof value !== "object") return {
+		kind: "unresolved",
+		reason: `unsupported value type: ${value === null ? "null" : typeof value}`
+	};
+	const obj = value;
+	const keys = Object.keys(obj);
+	if (keys.length !== 1) return {
+		kind: "unresolved",
+		reason: `expected an intrinsic with one key, got ${keys.length} keys`
+	};
+	const intrinsic = keys[0];
+	const arg = obj[intrinsic];
+	if (intrinsic === "Ref" || intrinsic === "Fn::GetAtt" || intrinsic === "Fn::Sub" || intrinsic === "Fn::Join") return substituteAgainstState(value, context);
+	if (intrinsic === "Fn::ImportValue") return resolveImportValueAsync(arg, context);
+	if (intrinsic === "Fn::GetStackOutput") return resolveGetStackOutputAsync(arg, context);
+	return {
+		kind: "unresolved",
+		reason: `unsupported intrinsic '${intrinsic}' (supported: Ref, Fn::GetAtt, Fn::Sub, Fn::Join, Fn::ImportValue, Fn::GetStackOutput)`
+	};
+}
+/**
+* `Fn::ImportValue: <exportName>` — the argument may itself be an
+* intrinsic that resolves to a string (e.g.
+* `{Fn::ImportValue: {Fn::Sub: 'MyStack-${AWS::Region}-Bucket'}}` — the
+* inner `Fn::Sub` is resolved against `pseudoParameters` first, then the
+* resulting string is looked up via the cross-stack resolver).
+*/
+async function resolveImportValueAsync(arg, context) {
+	const inner = substituteAgainstState(arg, context);
+	if (inner.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue argument: ${inner.reason}`
+	};
+	if (typeof inner.value !== "string" || inner.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue argument must resolve to a non-empty string, got ${typeof inner.value}`
+	};
+	const exportName = inner.value;
+	if (!context.crossStackResolver) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue '${exportName}': no cross-stack resolver supplied (pass --from-state and ensure the producer stack was deployed via cdkd deploy)`
+	};
+	let resolved;
+	try {
+		resolved = await context.crossStackResolver.resolveImport(exportName);
+	} catch (err) {
+		return {
+			kind: "unresolved",
+			reason: `Fn::ImportValue '${exportName}': lookup failed: ${err instanceof Error ? err.message : String(err)}`
+		};
+	}
+	if (resolved === void 0) return {
+		kind: "unresolved",
+		reason: `Fn::ImportValue '${exportName}': export not found in any cdkd-managed stack in this region`
+	};
+	return {
+		kind: "literal",
+		value: resolved
+	};
+}
+/**
+* `Fn::GetStackOutput: { StackName, OutputName, Region? }`. Same shape as
+* the deploy-engine resolver. `RoleArn` (cross-account) is intentionally
+* NOT supported in this path — the user-visible error message points at
+* the followup issue tracking it.
+*/
+async function resolveGetStackOutputAsync(arg, context) {
+	if (!arg || typeof arg !== "object" || Array.isArray(arg)) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput argument must be an object with StackName / OutputName / Region, got ${arg === null ? "null" : Array.isArray(arg) ? "array" : typeof arg}`
+	};
+	const args = arg;
+	const stackNameSub = substituteAgainstState(args["StackName"], context);
+	if (stackNameSub.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.StackName: ${stackNameSub.reason}`
+	};
+	if (typeof stackNameSub.value !== "string" || stackNameSub.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.StackName must resolve to a non-empty string, got ${typeof stackNameSub.value}`
+	};
+	const stackName = stackNameSub.value;
+	const outputNameSub = substituteAgainstState(args["OutputName"], context);
+	if (outputNameSub.kind !== "literal") return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.OutputName: ${outputNameSub.reason}`
+	};
+	if (typeof outputNameSub.value !== "string" || outputNameSub.value.length === 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput.OutputName must resolve to a non-empty string, got ${typeof outputNameSub.value}`
+	};
+	const outputName = outputNameSub.value;
+	let region;
+	if (args["Region"] !== void 0 && args["Region"] !== null) {
+		const regionSub = substituteAgainstState(args["Region"], context);
+		if (regionSub.kind !== "literal") return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput.Region: ${regionSub.reason}`
+		};
+		if (typeof regionSub.value !== "string" || regionSub.value.length === 0) return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput.Region must resolve to a non-empty string, got ${typeof regionSub.value}`
+		};
+		region = regionSub.value;
+	} else region = context.consumerRegion ?? context.pseudoParameters?.region;
+	if (!region) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': no Region supplied and consumer region is unknown (set --region, AWS_REGION, or env.region on the CDK stack)`
+	};
+	if (args["RoleArn"] !== void 0 && args["RoleArn"] !== null) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': RoleArn (cross-account) is not yet supported by --from-state — tracked under issue #449`
+	};
+	if (!context.crossStackResolver) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}': no cross-stack resolver supplied (pass --from-state and ensure the producer stack was deployed via cdkd deploy)`
+	};
+	let resolved;
+	try {
+		resolved = await context.crossStackResolver.resolveGetStackOutput(stackName, region, outputName);
+	} catch (err) {
+		return {
+			kind: "unresolved",
+			reason: `Fn::GetStackOutput '${stackName}.${outputName}' (${region}): lookup failed: ${err instanceof Error ? err.message : String(err)}`
+		};
+	}
+	if (resolved === void 0) return {
+		kind: "unresolved",
+		reason: `Fn::GetStackOutput '${stackName}.${outputName}' (${region}): output not found in producer stack state`
+	};
+	return {
+		kind: "literal",
+		value: resolved
+	};
+}
+/**
 * Build a pre-substituted env map from the template entry by feeding each
 * intrinsic value through `substituteAgainstState`. Literal entries pass
 * through untouched (the env-resolver handles them).
@@ -36773,6 +36982,50 @@ function substituteEnvVarsFromState(templateEnv, contextOrResources) {
 		audit
 	};
 }
+/**
+* Async sibling of {@link substituteEnvVarsFromState}. Routes every
+* intrinsic-valued entry through {@link substituteAgainstStateAsync} so
+* `Fn::ImportValue` / `Fn::GetStackOutput` resolve via the context's
+* `crossStackResolver` (when supplied). Mirrors the sync version in every
+* other respect: literal entries pass through unchanged, unresolved
+* entries are dropped with a per-key audit reason, and the env-resolver
+* sees the same "no template value" shape so the warn-and-drop path
+* fires consistently.
+*
+* Closes issue #454 — `cdkd local invoke --from-state` and
+* `cdkd local run-task --from-state` can now resolve cross-stack output
+* references in env vars / secrets instead of warn-and-dropping them.
+*/
+async function substituteEnvVarsFromStateAsync(templateEnv, contextOrResources) {
+	const env = {};
+	const audit = {
+		resolvedKeys: [],
+		unresolved: []
+	};
+	if (!templateEnv) return {
+		env,
+		audit
+	};
+	const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
+	for (const [key, value] of Object.entries(templateEnv)) {
+		if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+			env[key] = value;
+			continue;
+		}
+		const result = await substituteAgainstStateAsync(value, context);
+		if (result.kind === "literal") {
+			env[key] = result.value;
+			audit.resolvedKeys.push(key);
+		} else audit.unresolved.push({
+			key,
+			reason: result.reason
+		});
+	}
+	return {
+		env,
+		audit
+	};
+}
 
 //#endregion
 //#region src/local/ecs-task-resolver.ts
@@ -36816,6 +37069,7 @@ function detectEcsImageResolutionNeeds(stack) {
 	let needsPseudoParameters = false;
 	let needsStateResources = false;
 	let needsEnvOrSecretSubstitution = false;
+	let needsCrossStackResolver = false;
 	for (const res of Object.values(resources)) {
 		if (res.Type !== "AWS::ECS::TaskDefinition") continue;
 		const props = res.Properties ?? {};
@@ -36828,6 +37082,10 @@ function detectEcsImageResolutionNeeds(stack) {
 			if (need.pseudo) needsPseudoParameters = true;
 			if (need.state) needsStateResources = true;
 			if (containerHasIntrinsicEnvOrSecret(co)) needsEnvOrSecretSubstitution = true;
+			if (containerHasCrossStackEnvOrSecret(co)) {
+				needsEnvOrSecretSubstitution = true;
+				needsCrossStackResolver = true;
+			}
 		}
 		const rawVolumes = props["Volumes"];
 		if (Array.isArray(rawVolumes)) {
@@ -36841,10 +37099,37 @@ function detectEcsImageResolutionNeeds(stack) {
 	return {
 		needsPseudoParameters,
 		needsStateResources,
-		needsEnvOrSecretSubstitution
+		needsEnvOrSecretSubstitution,
+		needsCrossStackResolver
 	};
 }
 /**
+* Returns true when any `Environment[].Value` or `Secrets[].ValueFrom`
+* is a top-level `Fn::ImportValue` / `Fn::GetStackOutput` intrinsic.
+* Issue #454 — gates cross-stack resolver construction so literal +
+* same-stack-intrinsic env / secret maps don't pay the extra cost.
+*/
+function containerHasCrossStackEnvOrSecret(c) {
+	const env = c["Environment"];
+	if (Array.isArray(env)) for (const entry of env) {
+		if (!entry || typeof entry !== "object") continue;
+		const v = entry["Value"];
+		if (isCrossStackIntrinsic(v)) return true;
+	}
+	const secrets = c["Secrets"];
+	if (Array.isArray(secrets)) for (const entry of secrets) {
+		if (!entry || typeof entry !== "object") continue;
+		const v = entry["ValueFrom"];
+		if (isCrossStackIntrinsic(v)) return true;
+	}
+	return false;
+}
+function isCrossStackIntrinsic(value) {
+	if (!value || typeof value !== "object") return false;
+	const obj = value;
+	return "Fn::ImportValue" in obj || "Fn::GetStackOutput" in obj;
+}
+/**
 * Detect whether a Volume entry has an intrinsic-valued `Host.SourcePath`.
 * Used by `detectEcsImageResolutionNeeds` (Gap 6 of #286) to trigger
 * state-load + pseudo-parameter resolution under `--from-state` when the
@@ -37589,6 +37874,87 @@ function checkVolumeHostPath(hostPath) {
 		return false;
 	}
 }
+/**
+* Async post-pass that walks the resolved task's container Environment +
+* Secrets entries from the raw template (preserved in `task.resource`)
+* and re-attempts substitution via {@link substituteAgainstStateAsync}
+* against the supplied context. The sync `parseContainerDefinition`
+* pass already substituted everything the legacy resolver handles; this
+* pass picks up the additional shapes the async resolver supports —
+* specifically `Fn::ImportValue` / `Fn::GetStackOutput` (issue #454).
+*
+* Resolved entries are patched onto the container's `environment` /
+* `secrets` map AND the corresponding `warnings` entries are filtered
+* out so the CLI doesn't print a stale per-container warn for an entry
+* the post-pass successfully resolved. Entries that STILL can't resolve
+* (e.g. producer stack not deployed) keep their original warning so the
+* CLI's UX matches the sync path.
+*
+* Pure-functional on the task structure outside of in-place mutation of
+* the container's `environment` / `secrets` / `warnings` arrays. The
+* task is expected to be the same `ResolvedEcsTask` instance returned
+* by `resolveEcsTaskTarget` — the runner downstream reads from these
+* fields directly.
+*/
+async function applyCrossStackResolverToTask(task, context) {
+	if (!context.crossStackResolver) return;
+	const rawContainers = (task.resource.Properties ?? {})["ContainerDefinitions"];
+	if (!Array.isArray(rawContainers)) return;
+	for (let idx = 0; idx < task.containers.length; idx += 1) {
+		const container = task.containers[idx];
+		const raw = rawContainers[idx];
+		if (!raw || typeof raw !== "object") continue;
+		const c = raw;
+		const containerName = pickString(c["Name"]) ?? container.name;
+		const resolvedEnvKeys = /* @__PURE__ */ new Set();
+		const resolvedSecretNames = /* @__PURE__ */ new Set();
+		if (Array.isArray(c["Environment"])) for (const entry of c["Environment"]) {
+			if (!entry || typeof entry !== "object") continue;
+			const e = entry;
+			const key = pickString(e["Name"]);
+			const value = e["Value"];
+			if (!key) continue;
+			if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") continue;
+			if (key in container.environment) continue;
+			if (!isCrossStackIntrinsic(value)) continue;
+			const sub = await substituteAgainstStateAsync(value, context);
+			if (sub.kind === "literal") {
+				container.environment[key] = String(sub.value);
+				resolvedEnvKeys.add(key);
+			}
+		}
+		if (Array.isArray(c["Secrets"])) for (const entry of c["Secrets"]) {
+			if (!entry || typeof entry !== "object") continue;
+			const e = entry;
+			const sName = pickString(e["Name"]);
+			const valueFromRaw = e["ValueFrom"];
+			if (!sName) continue;
+			if (typeof valueFromRaw === "string" && valueFromRaw.length > 0) continue;
+			if (container.secrets.some((s) => s.name === sName)) continue;
+			if (!isCrossStackIntrinsic(valueFromRaw)) continue;
+			const sub = await substituteAgainstStateAsync(valueFromRaw, context);
+			if (sub.kind === "literal" && typeof sub.value === "string" && sub.value.length > 0) {
+				container.secrets.push({
+					name: sName,
+					valueFrom: sub.value
+				});
+				resolvedSecretNames.add(sName);
+			}
+		}
+		if (resolvedEnvKeys.size > 0 || resolvedSecretNames.size > 0) {
+			container.warnings = container.warnings.filter((w) => {
+				for (const k of resolvedEnvKeys) if (w.startsWith(`Environment '${k}' dropped:`)) return false;
+				for (const k of resolvedSecretNames) if (w.startsWith(`Secret '${k}' dropped:`)) return false;
+				return true;
+			});
+			task.warnings = task.warnings.filter((w) => {
+				for (const k of resolvedEnvKeys) if (w.startsWith(`Container '${containerName}': Environment '${k}' dropped:`)) return false;
+				for (const k of resolvedSecretNames) if (w.startsWith(`Container '${containerName}': Secret '${k}' dropped:`)) return false;
+				return true;
+			});
+		}
+	}
+}
 
 //#endregion
 //#region src/local/runtime-image.ts
@@ -44605,8 +44971,34 @@ async function localRunTaskCommand(target, options) {
 			...Object.keys(context).length > 0 && { context }
 		};
 		const { stacks } = await synthesizer.synthesize(synthOpts);
-		const task = resolveEcsTaskTarget(target, stacks, await buildEcsImageResolutionContext(target, stacks, options));
+		const imageContext = await buildEcsImageResolutionContext(target, stacks, options);
+		const task = resolveEcsTaskTarget(target, stacks, imageContext);
 		logger.info(`Target: ${task.stack.stackName}/${task.taskDefinitionLogicalId} (family=${task.family}, containers=${task.containers.length})`);
+		const taskNeeds = detectEcsImageResolutionNeeds(stacks.find((s) => s.stackName === task.stack.stackName) ?? task.stack);
+		let taskCrossStackDispose;
+		if (options.fromState && taskNeeds.needsCrossStackResolver) {
+			const consumerRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? task.stack.region ?? "us-east-1";
+			const built = await buildCrossStackResolver(consumerRegion, {
+				...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+				statePrefix: options.statePrefix,
+				...options.region !== void 0 && { region: options.region },
+				...options.profile !== void 0 && { profile: options.profile }
+			});
+			if (built) {
+				taskCrossStackDispose = built.dispose;
+				try {
+					await applyCrossStackResolverToTask(task, {
+						resources: imageContext?.stateResources ?? {},
+						...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
+						consumerRegion,
+						crossStackResolver: built.resolver
+					});
+				} finally {
+					taskCrossStackDispose();
+					taskCrossStackDispose = void 0;
+				}
+			}
+		} else if (!options.fromState && taskNeeds.needsCrossStackResolver) logger.warn("Container Environment / Secrets entries contain Fn::ImportValue / Fn::GetStackOutput intrinsics. Pass --from-state to substitute them against deployed cdkd state.");
 		sigintHandler = () => {
 			sigintCount += 1;
 			if (sigintCount >= 2) {
@@ -44894,6 +45286,7 @@ async function localInvokeCommand(target, options) {
 		let stateAudit;
 		let templateEnv = getTemplateEnv(lambda.resource);
 		let stateForRoleHint;
+		let crossStackDispose;
 		if (options.fromState) {
 			const loaded = await loadStateForStack(lambda.stack.stackName, lambda.stack.region, {
 				...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
@@ -44904,16 +45297,38 @@ async function localInvokeCommand(target, options) {
 			});
 			if (loaded) {
 				stateForRoleHint = loaded.state;
-				const subContext = { resources: loaded.state.resources };
+				const subContext = {
+					resources: loaded.state.resources,
+					consumerRegion: loaded.region
+				};
 				if (envHasIntrinsicValue(templateEnv)) {
 					const pseudo = await resolvePseudoParametersForInvoke(lambda.stack.region, options);
 					if (pseudo) subContext.pseudoParameters = pseudo;
 				}
-				const { env, audit } = substituteEnvVarsFromState(templateEnv, subContext);
-				templateEnv = env;
-				stateAudit = audit;
-				for (const key of audit.resolvedKeys) logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
-				for (const { key, reason } of audit.unresolved) logger.warn(`--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
+				if (envHasCrossStackIntrinsic(templateEnv)) {
+					const built = await buildCrossStackResolver(loaded.region, {
+						...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+						statePrefix: options.statePrefix,
+						...options.region !== void 0 && { region: options.region },
+						...options.profile !== void 0 && { profile: options.profile }
+					});
+					if (built) {
+						subContext.crossStackResolver = built.resolver;
+						crossStackDispose = built.dispose;
+					}
+				}
+				try {
+					const { env, audit } = await substituteEnvVarsFromStateAsync(templateEnv, subContext);
+					templateEnv = env;
+					stateAudit = audit;
+					for (const key of audit.resolvedKeys) logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
+					for (const { key, reason } of audit.unresolved) logger.warn(`--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
+				} finally {
+					if (crossStackDispose) {
+						crossStackDispose();
+						crossStackDispose = void 0;
+					}
+				}
 			}
 		}
 		const overrides = readEnvOverridesFile(options.envVars);
@@ -45186,6 +45601,29 @@ function envHasIntrinsicValue(templateEnv) {
 	return false;
 }
 /**
+* Returns true when any value in the function's template env map carries
+* a top-level `Fn::ImportValue` / `Fn::GetStackOutput` intrinsic. Used to
+* gate the cross-stack resolver construction inside the `--from-state`
+* flow: literal + same-stack-intrinsic env maps shouldn't pay for the
+* extra S3 client / index-load cost (issue #454).
+*
+* Detection is one level deep — same heuristic CDK 2.x uses for these
+* intrinsics in practice. Nested cross-stack intrinsics (e.g. an
+* `Fn::ImportValue` buried inside a `Fn::Join`) are not detected here;
+* those won't resolve in v1 anyway because the async resolver path
+* defers to the sync helper for `Fn::Join` / `Fn::Sub` bodies (see
+* `substituteAgainstStateAsync` docstring).
+*/
+function envHasCrossStackIntrinsic(templateEnv) {
+	if (!templateEnv) return false;
+	for (const v of Object.values(templateEnv)) {
+		if (!v || typeof v !== "object") continue;
+		const obj = v;
+		if ("Fn::ImportValue" in obj || "Fn::GetStackOutput" in obj) return true;
+	}
+	return false;
+}
+/**
 * Build the AWS pseudo-parameter bag for `--from-state` env-var
 * substitution. Issues a single `sts:GetCallerIdentity` for the account
 * id and derives `partition` / `urlSuffix` from the resolved region. Any
@@ -46717,7 +47155,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.121.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.123.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());