@go-to-k/cdkd 0.122.0 → 0.124.0

package/README.md

@@ -552,11 +552,14 @@ adopt nor recreate them).
 cdkd export MyStack                           # confirmation prompt; CFn stack name = cdkd stack name
 cdkd export MyStack --cfn-stack-name MyStack-CFn
 cdkd export MyStack --dry-run                 # print the import plan, do not call CFn
-cdkd export MyStack --template path.json      # skip synth, use a pre-rendered JSON template
+cdkd export MyStack --template path.json      # skip synth, use a pre-rendered template (JSON or YAML — format auto-detected)
 cdkd export MyStack --include-non-importable  # 2-phase: IMPORT importable + CFn-CREATE Custom Resources
 ```
 
-MVP scope: JSON templates only (CDK-generated).
+Accepts JSON and YAML templates. YAML round-trips through a CFn-aware codec
+(`src/cli/yaml-cfn.ts`) that preserves every shorthand intrinsic (`!Ref` /
+`!GetAtt` / `!Sub` / `!Join` / etc.), so a YAML-authored CFn stack stays YAML
+on the phase-1 IMPORT and phase-2 UPDATE changesets.
 
 ## Drift detection
 

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-CuHRHcyW.js";
-import { $ as LocalInvokeBuildError, A as stringifyValue, B as resolveApp, C as DiffCalculator, Ct as withSkipPrefix, D as S3StateBackend, E as LockManager, F as runDockerForeground, G as warnDeprecatedNoPrefixCliFlag, H as resolveSkipPrefix, I as runDockerStreaming, J as resolveBucketRegion, K as AssemblyReader, L as Synthesizer, M as buildDockerImage, N as formatDockerLoginError, O as shouldRetainResource, P as getDockerCmd, R as getDefaultStateBucketName, S as IntrinsicFunctionResolver, St as generateResourceNameWithFallback, T as TemplateParser, U as resolveStateBucketWithDefault, V as resolveCaptureObservedState, W as resolveStateBucketWithDefaultAndSource, X as CdkdError, _ as normalizeAwsTagsToCfn, _t as runStackBuffered, a as withRetry, at as RouteDiscoveryError, b as CloudControlProvider, bt as PATTERN_B_RESOURCE_TYPES, c as cyan, d as red, f as yellow, ft as normalizeAwsError, g as matchesCdkPath, h as CDK_PATH_TAG, ht as getLogger, i as withResourceDeadline, it as ResourceUpdateNotSupportedError, j as WorkGraph, k as AssetPublisher, l as gray, m as collectInlinePolicyNamesManagedBySiblings, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as ProvisioningError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as StackHasActiveImportsError, p as IAMRoleProvider, pt as withErrorHandling, r as DeployEngine, rt as ResourceTimeoutError, s as bold, st as StackTerminationProtectionError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as PartialFailureError, u as green, v as resolveExplicitPhysicalId, vt as getLiveRenderer, w as DagBuilder, wt as withStackName, x as assertRegionMatch, xt as generateResourceName, y as ProviderRegistry, yt as PATTERN_B_NAME_PROPERTIES, z as getLegacyStateBucketName } from "./deploy-engine-B2RZT3ai.js";
+import { A as AssetPublisher, B as getLegacyStateBucketName, C as applyRoleArnIfSet, Ct as generateResourceNameWithFallback, D as LockManager, E as TemplateParser, F as getDockerCmd, G as resolveStateBucketWithDefaultAndSource, H as resolveCaptureObservedState, I as runDockerForeground, K as warnDeprecatedNoPrefixCliFlag, L as runDockerStreaming, M as WorkGraph, N as buildDockerImage, O as S3StateBackend, P as formatDockerLoginError, R as Synthesizer, S as IntrinsicFunctionResolver, St as generateResourceName, T as DagBuilder, Tt as withStackName, U as resolveSkipPrefix, V as resolveApp, W as resolveStateBucketWithDefault, Y as resolveBucketRegion, Z as CdkdError, _ as normalizeAwsTagsToCfn, a as withRetry, at as ResourceUpdateNotSupportedError, b as CloudControlProvider, bt as PATTERN_B_NAME_PROPERTIES, c as cyan, ct as StackTerminationProtectionError, d as red, et as LocalInvokeBuildError, f as yellow, g as matchesCdkPath, gt as getLogger, h as CDK_PATH_TAG, i as withResourceDeadline, it as ResourceTimeoutError, j as stringifyValue, k as shouldRetainResource, l as gray, m as collectInlinePolicyNamesManagedBySiblings, mt as withErrorHandling, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as PartialFailureError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as RouteDiscoveryError, p as IAMRoleProvider, pt as normalizeAwsError, q as AssemblyReader, r as DeployEngine, rt as ProvisioningError, s as bold, st as StackHasActiveImportsError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as green, v as resolveExplicitPhysicalId, vt as runStackBuffered, w as DiffCalculator, wt as withSkipPrefix, x as assertRegionMatch, xt as PATTERN_B_RESOURCE_TYPES, y as ProviderRegistry, yt as getLiveRenderer, z as getDefaultStateBucketName } from "./deploy-engine-DWpeb9wT.js";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -56,6 +56,7 @@ import { CreateVectorBucketCommand, DeleteIndexCommand, DeleteVectorBucketComman
 import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient } from "@aws-sdk/client-s3tables";
 import { AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import * as readline from "node:readline/promises";
+import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
 import { createServer } from "node:net";
 import { promisify } from "node:util";
 import { setTimeout as setTimeout$1 } from "node:timers/promises";
@@ -437,63 +438,6 @@ function effectiveAssumeRoleArn(logicalId, opt) {
 */
 const destroyOptions = [new Option("-f, --force", "Do not ask for confirmation before destroying the stacks").default(false), new Option("--remove-protection", "Bypass deletion protection on protected resources by flipping the per-resource protection flag off in-place before delete. Covers stack-level terminationProtection (CDK property) and resource-level protection on AWS::Logs::LogGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::DocDB::DBCluster, AWS::Neptune::DBCluster, AWS::Neptune::DBInstance, AWS::DynamoDB::Table, AWS::EC2::Instance, AWS::Cognito::UserPool, AWS::AutoScaling::AutoScalingGroup, and AWS::ElasticLoadBalancingV2::LoadBalancer.").default(false)];
 
-//#endregion
-//#region src/utils/role-arn.ts
-/**
-* Resolve the role-arn argument (CLI flag or `CDKD_ROLE_ARN` env var) and,
-* when set, assume the role and write the resulting temporary credentials
-* into `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN`
-* for the rest of the process.
-*
-* **Why env vars, not threaded credentials.** cdkd constructs ~13
-* independent `AwsClients` instances across deploy / destroy / state /
-* import / etc. paths (each with its own region, sometimes — e.g. the
-* state-bucket client lives in a different region from the provisioning
-* clients). Threading a `credentials` object through every site is high
-* churn for an opt-in flag. AWS SDK v3 reads the standard `AWS_*` env
-* vars at the top of its default credentials chain, so writing into them
-* once at the command's entry makes every later `new XxxClient()` pick
-* up the assumed-role credentials automatically without touching the
-* client construction sites.
-*
-* **Why cdkd needs admin-equivalent on the assumed role.** Unlike `cdk
-* deploy`, cdkd does NOT route through CloudFormation. There is no
-* cfn-exec-role to delegate to. Every IAM / EC2 / Lambda / etc. API
-* call is issued from the cdkd process directly. The role you pass to
-* `--role-arn` (or set in `CDKD_ROLE_ARN`) MUST therefore have
-* admin-equivalent permissions on the resources being deployed; CDK
-* CLI's `cdk-hnb659fds-deploy-role-*` is NOT sufficient — that role
-* only carries CFn + asset-publish permissions.
-*
-* Default session duration is 1 hour. For longer-running deploys, the
-* caller should re-issue the cdkd command (the in-flight credentials
-* stay valid until expiry, but a re-run is the simplest recovery for
-* the rare case where a deploy outlives them).
-*/
-async function applyRoleArnIfSet(opts) {
-	const roleArn = opts.roleArn || process.env["CDKD_ROLE_ARN"];
-	if (!roleArn) return;
-	const logger = getLogger().child("role-arn");
-	logger.debug(`Assuming role ${roleArn}...`);
-	const sts = new STSClient({ ...opts.region && { region: opts.region } });
-	try {
-		const response = await sts.send(new AssumeRoleCommand({
-			RoleArn: roleArn,
-			RoleSessionName: `cdkd-${Date.now()}`,
-			DurationSeconds: 3600
-		}));
-		if (!response.Credentials) throw new Error(`AssumeRole returned no credentials for role ${roleArn}`);
-		const { AccessKeyId, SecretAccessKey, SessionToken, Expiration } = response.Credentials;
-		if (!AccessKeyId || !SecretAccessKey || !SessionToken) throw new Error(`AssumeRole response missing credentials fields for role ${roleArn}`);
-		process.env["AWS_ACCESS_KEY_ID"] = AccessKeyId;
-		process.env["AWS_SECRET_ACCESS_KEY"] = SecretAccessKey;
-		process.env["AWS_SESSION_TOKEN"] = SessionToken;
-		logger.info(`Assumed role ${roleArn} (session expires ${Expiration?.toISOString() ?? "unknown"})`);
-	} finally {
-		sts.destroy();
-	}
-}
-
 //#endregion
 //#region src/cli/commands/bootstrap.ts
 /**
@@ -34801,6 +34745,307 @@ function createStateCommand() {
 	return cmd;
 }
 
+//#endregion
+//#region src/cli/yaml-cfn.ts
+/**
+* CloudFormation-aware YAML codec.
+*
+* Parses + serializes CFn templates while preserving every CFn shorthand
+* intrinsic tag (`!Ref`, `!GetAtt`, `!Sub`, `!Join`, ...) — generic YAML
+* libraries silently strip these tags on parse + re-emit, corrupting the
+* template. cdkd uses this codec on both directions of CFn migration:
+* `cdkd export` (cdkd → CFn IMPORT) and
+* `cdkd import --migrate-from-cloudformation` (CFn → cdkd state).
+*
+* Algorithm: each `!Foo` tag is registered as a YAML custom tag whose
+* resolver returns the long-form object shape `{Fn::Foo: <args>}` (or
+* `{Ref: <name>}` for the bare `!Ref`). On stringify, the same objects
+* are detected and emitted back to shorthand tag form. The internal
+* model cdkd carries between parse and stringify is the long-form object
+* shape — same shape JSON produces — so every downstream consumer
+* (`injectRetainPolicies`, `executeImportChangeSet`, etc.) reads one
+* representation.
+*
+* Each tag is registered three times (scalar / sequence / map) per the
+* `yaml` library's API contract — a single registration only matches one
+* collection shape. Nested intrinsics resolve recursively via
+* `node.toJSON()` (the yaml lib resolves child customTags before invoking
+* the parent resolver).
+*
+* Format detection sniffs the first non-whitespace byte: `{` or `[` →
+* JSON; anything else → YAML. Empty input rejected as JSON so the
+* caller's existing JSON-empty-input error path fires.
+*
+* Tag set supported (matches the AWS docs canonical list):
+*   `!Ref`, `!GetAtt`, `!Sub`, `!Join`, `!Select`, `!Split`,
+*   `!If`, `!Equals`, `!And`, `!Or`, `!Not`,
+*   `!FindInMap`, `!Base64`, `!Cidr`, `!GetAZs`, `!ImportValue`,
+*   `!Transform`, `!Condition` (used inside `Conditions:` references).
+*
+* `!GetAtt` accepts BOTH the scalar dot-delimited shape
+* (`!GetAtt LogicalId.Attribute.Path`) and the sequence shape
+* (`!GetAtt [LogicalId, Attribute]`); both round-trip back to the scalar
+* form when the attribute is a single string segment (the AWS-published
+* canonical shape), or to the sequence form when the attribute is itself
+* a sequence.
+*/
+/**
+* Tags whose long-form key uses the `Fn::` prefix. `!Ref`, `!Condition`,
+* and `!Transform` are special-cased separately because their long-form
+* key shape differs.
+*/
+const FN_TAGS = [
+	"GetAtt",
+	"Sub",
+	"Join",
+	"Select",
+	"Split",
+	"If",
+	"Equals",
+	"And",
+	"Or",
+	"Not",
+	"FindInMap",
+	"Base64",
+	"Cidr",
+	"GetAZs",
+	"ImportValue",
+	"Length",
+	"ToJsonString",
+	"ForEach"
+];
+function nodeJs(node) {
+	if (node === null || node === void 0) return null;
+	if (typeof node === "object" && node !== null && "toJSON" in node) return node.toJSON();
+	return node;
+}
+/**
+* Build the set of custom YAML tags cdkd registers. Each tag may need
+* up to 3 entries (scalar / seq / map) so every shape an AWS-published
+* template carries is accepted; un-templated shapes for a given tag
+* fall through to the lib's default tag resolution (which the lib
+* surfaces as a warning — never an error — by design).
+*
+* `identify: () => false` on every entry: we never want the lib to
+* auto-tag a parsed result on stringify. We build the YAML output via
+* our own `jsToYamlNode` walk that emits the tag explicitly.
+*/
+function buildCustomTags() {
+	const tags = [];
+	tags.push({
+		tag: "!Ref",
+		resolve(value) {
+			return { Ref: value };
+		},
+		identify: () => false
+	});
+	tags.push({
+		tag: "!Condition",
+		resolve(value) {
+			return { Condition: value };
+		},
+		identify: () => false
+	});
+	tags.push({
+		tag: "!Transform",
+		collection: "map",
+		resolve(node) {
+			return { "Fn::Transform": nodeJs(node) };
+		},
+		identify: () => false
+	});
+	tags.push({
+		tag: "!GetAtt",
+		resolve(value) {
+			const dot = value.indexOf(".");
+			if (dot < 0) throw new Error(`!GetAtt requires '<LogicalId>.<Attribute>'; got '${value}'`);
+			return { "Fn::GetAtt": [value.slice(0, dot), value.slice(dot + 1)] };
+		},
+		identify: () => false
+	});
+	tags.push({
+		tag: "!GetAtt",
+		collection: "seq",
+		resolve(node) {
+			return { "Fn::GetAtt": nodeJs(node) };
+		},
+		identify: () => false
+	});
+	for (const name of FN_TAGS) {
+		if (name === "GetAtt") continue;
+		const longKey = `Fn::${name}`;
+		tags.push({
+			tag: `!${name}`,
+			resolve(value) {
+				return { [longKey]: value };
+			},
+			identify: () => false
+		});
+		tags.push({
+			tag: `!${name}`,
+			collection: "seq",
+			resolve(node) {
+				return { [longKey]: nodeJs(node) };
+			},
+			identify: () => false
+		});
+		tags.push({
+			tag: `!${name}`,
+			collection: "map",
+			resolve(node) {
+				return { [longKey]: nodeJs(node) };
+			},
+			identify: () => false
+		});
+	}
+	return tags;
+}
+const CUSTOM_TAGS = buildCustomTags();
+/**
+* Parse a CFn template string. JSON or YAML, auto-detected.
+*
+* @throws Error with a clear message when the input is empty, malformed,
+*   or does not produce an object root.
+*/
+function parseCfnTemplate(text) {
+	const format = detectTemplateFormat(text);
+	const body = text.charCodeAt(0) === 65279 ? text.slice(1) : text;
+	let parsed;
+	if (format === "json") try {
+		parsed = JSON.parse(body);
+	} catch (err) {
+		throw new Error(`Template is not valid JSON. Cause: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	else try {
+		parsed = parse$1(body, { customTags: CUSTOM_TAGS });
+	} catch (err) {
+		throw new Error(`Template is not valid YAML. Cause: ${err instanceof Error ? err.message : String(err)}`);
+	}
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`Template root is not an object.`);
+	return parsed;
+}
+/**
+* Serialize a CFn template back to JSON or YAML. The `format` parameter
+* controls the output shape; callers should pass the result of the
+* original `detectTemplateFormat` (or remembered from `parseCfnTemplate`)
+* so a YAML-authored template stays YAML on round-trip.
+*
+* YAML output emits CFn intrinsics back to shorthand tags (`!Ref`,
+* `!GetAtt`, etc.) by walking the JS object tree before passing it to
+* `yaml.stringify`. Long-form `{Fn::Foo: <args>}` objects are converted
+* to `Document` nodes carrying the appropriate `!Foo` tag.
+*
+* JSON output is two-space-indented to match cdkd's existing canonical
+* shape.
+*/
+function stringifyCfnTemplate(template, format) {
+	if (format === "json") return JSON.stringify(template, null, 2);
+	const doc = new Document();
+	doc.contents = jsToYamlNode(template, doc);
+	return stringify(doc, {
+		aliasDuplicateObjects: false,
+		lineWidth: 0
+	});
+}
+/**
+* Convert a plain JS value into a YAML node, detecting CFn intrinsics and
+* emitting them with their shorthand tag. Recursive — every sub-tree is
+* inspected.
+*/
+function jsToYamlNode(value, doc) {
+	if (value === null || value === void 0) return new Scalar(null);
+	if (typeof value !== "object") return doc.createNode(value);
+	if (Array.isArray(value)) {
+		const seq = new YAMLSeq();
+		for (const item of value) seq.items.push(jsToYamlNode(item, doc));
+		return seq;
+	}
+	const keys = Object.keys(value);
+	if (keys.length === 1) {
+		const k = keys[0];
+		const v = value[k];
+		const tag = intrinsicShorthandFor(k);
+		if (tag) return makeIntrinsicNode(tag, v, doc);
+	}
+	const map = new YAMLMap();
+	for (const [k, v] of Object.entries(value)) map.items.push(new Pair(doc.createNode(k), jsToYamlNode(v, doc)));
+	return map;
+}
+/**
+* Map a long-form intrinsic key (`Ref` / `Fn::Foo` / `Condition`) to its
+* shorthand tag (`!Ref` / `!Foo` / `!Condition`). Returns null when the
+* key is not a recognized intrinsic.
+*/
+function intrinsicShorthandFor(key) {
+	if (key === "Ref") return "!Ref";
+	if (key === "Condition") return "!Condition";
+	if (!key.startsWith("Fn::")) return null;
+	const name = key.slice(4);
+	if (name === "Transform") return "!Transform";
+	if (name === "GetAtt") return "!GetAtt";
+	if (FN_TAGS.includes(name)) return `!${name}`;
+	return null;
+}
+/**
+* Build a YAML node carrying a CFn shorthand tag. Tag-specific shapes:
+*   - `!Ref` / `!Condition` → scalar (the referenced name).
+*   - `!GetAtt` → scalar `LogicalId.Attribute` when the long-form arg
+*     is `[LogicalId, Attribute]` of strings; sequence form otherwise.
+*   - Everything else → whatever shape the long-form arg has
+*     (scalar / sequence / map).
+*/
+function makeIntrinsicNode(tag, value, doc) {
+	if (tag === "!Ref" || tag === "!Condition") {
+		const s = new Scalar(typeof value === "string" ? value : String(value));
+		s.tag = tag;
+		return s;
+	}
+	if (tag === "!GetAtt") {
+		if (Array.isArray(value) && value.length === 2 && typeof value[0] === "string" && typeof value[1] === "string") {
+			const s = new Scalar(`${value[0]}.${value[1]}`);
+			s.tag = tag;
+			return s;
+		}
+		const node = jsToYamlNode(value, doc);
+		node.tag = tag;
+		return node;
+	}
+	const node = jsToYamlNode(value, doc);
+	node.tag = tag;
+	return node;
+}
+/**
+* Sniff the input text and decide whether to parse it as JSON or YAML.
+*
+* Rule (matches AWS docs / CDK CLI): if the first non-whitespace byte is
+* `{` or `[`, parse as JSON; otherwise YAML. Empty input is treated as
+* JSON so the caller's existing JSON-empty-input error path fires.
+*
+* UTF-8 BOM (``) is stripped before the sniff — some editors /
+* scripts emit BOM-prefixed files, and the BOM is NOT whitespace under
+* `trimStart()`, so a BOM-prefixed JSON file would otherwise route to
+* the YAML parser and fail.
+*/
+function detectTemplateFormat(text) {
+	const trimmed = (text.charCodeAt(0) === 65279 ? text.slice(1) : text).trimStart();
+	if (trimmed.length === 0) return "json";
+	const first = trimmed.charCodeAt(0);
+	if (first === 123 || first === 91) return "json";
+	return "yaml";
+}
+/**
+* Parse a CFn template + return both the parsed object AND the source
+* format, so the caller can later re-emit in the same shape. Convenience
+* wrapper around `parseCfnTemplate` + `detectTemplateFormat`.
+*/
+function parseCfnTemplateWithFormat(text) {
+	const format = detectTemplateFormat(text);
+	return {
+		template: parseCfnTemplate(text),
+		format
+	};
+}
+
 //#endregion
 //#region src/cli/commands/retire-cfn-stack.ts
 /**
@@ -34880,7 +35125,7 @@ async function retireCloudFormationStack(options) {
 		TemplateStage: "Original"
 	}));
 	if (!tpl.TemplateBody) throw new Error(`GetTemplate returned no body for '${cfnStackName}'.`);
-	const { body: newBody, modified } = injectRetainPolicies(tpl.TemplateBody, cfnStackName);
+	const { body: newBody, modified, format } = injectRetainPolicies(tpl.TemplateBody, cfnStackName);
 	if (!yes) {
 		if (!await confirmPrompt$2(`Set DeletionPolicy=Retain and UpdateReplacePolicy=Retain on every resource in CloudFormation stack '${cfnStackName}', then delete the stack? AWS resources will NOT be deleted (cdkd state has been written).`)) {
 			logger.info("CloudFormation stack retirement cancelled. cdkd state is unaffected.");
@@ -34900,6 +35145,7 @@ async function retireCloudFormationStack(options) {
 				bucket: stateBucket,
 				body: newBody,
 				cfnStackName,
+				format,
 				...s3ClientOpts && { s3ClientOpts }
 			});
 			updateInput = { TemplateURL: uploaded.url };
@@ -34961,7 +35207,7 @@ async function retireCloudFormationStack(options) {
 * Exported for unit testing.
 */
 async function uploadTemplateForUpdateStack(args) {
-	const { bucket, body, cfnStackName, s3ClientOpts } = args;
+	const { bucket, body, cfnStackName, format, s3ClientOpts } = args;
 	const region = await resolveBucketRegion(bucket, {
 		...s3ClientOpts?.profile && { profile: s3ClientOpts.profile },
 		...s3ClientOpts?.credentials && { credentials: s3ClientOpts.credentials }
@@ -34971,13 +35217,15 @@ async function uploadTemplateForUpdateStack(args) {
 		...s3ClientOpts?.profile && { profile: s3ClientOpts.profile },
 		...s3ClientOpts?.credentials && { credentials: s3ClientOpts.credentials }
 	});
-	const key = `${MIGRATE_TMP_PREFIX}/${cfnStackName}/${Date.now()}.json`;
+	const ext = format === "yaml" ? "yaml" : "json";
+	const contentType = format === "yaml" ? "application/x-yaml" : "application/json";
+	const key = `${MIGRATE_TMP_PREFIX}/${cfnStackName}/${Date.now()}.${ext}`;
 	try {
 		await s3.send(new PutObjectCommand({
 			Bucket: bucket,
 			Key: key,
 			Body: body,
-			ContentType: "application/json"
+			ContentType: contentType
 		}));
 	} catch (err) {
 		s3.destroy();
@@ -35000,33 +35248,32 @@ async function uploadTemplateForUpdateStack(args) {
 	};
 }
 /**
-* Parse a CloudFormation template body (JSON), set `DeletionPolicy: Retain`
-* and `UpdateReplacePolicy: Retain` on every resource that doesn't already
-* have those exact values, and re-serialize.
+* Parse a CloudFormation template body (JSON or YAML), set
+* `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain` on every
+* resource that doesn't already have those exact values, and re-serialize
+* in the SAME format as the input. Returns the resulting body, a
+* `modified` flag, and the detected source format so callers can stamp
+* the right content type / S3 key extension on follow-up uploads.
 *
-* JSON-only by design. The `--migrate-from-cloudformation` flow's primary
-* upstream is `cdk migrate` (which produces a CDK app whose synthesized
-* template is always JSON) followed by `cdk deploy` / `cdkd deploy` (also
-* JSON). Adding YAML support would require parsing CloudFormation
-* shorthand intrinsics (`!Ref`, `!Sub`, `!GetAtt`, …) which round-trip
-* incorrectly through generic YAML libraries — a generic YAML
-* unmarshal/remarshal silently strips the custom tags and corrupts the
-* template. Until a CFn-aware YAML codec is in scope, hand-written YAML
-* stacks are best retired with the manual 3-step procedure.
+* YAML templates are routed through cdkd's CFn-aware YAML codec
+* (`src/cli/yaml-cfn.ts`), which preserves every CFn shorthand intrinsic
+* (`!Ref`, `!GetAtt`, `!Sub`, etc.) on round-trip. JSON templates take
+* the canonical two-space-indented JSON path.
 *
 * Exported for unit testing (the AWS round-trips are mocked, but the
 * mutation logic itself is pure and worth exercising directly).
 */
 function injectRetainPolicies(templateBody, cfnStackName) {
+	const format = detectTemplateFormat(templateBody);
 	let parsed;
 	try {
-		parsed = JSON.parse(templateBody);
+		parsed = parseCfnTemplate(templateBody);
 	} catch (err) {
-		throw new Error(`Template for '${cfnStackName}' is not valid JSON. cdkd's --migrate-from-cloudformation flow only supports CDK-generated (JSON) templates. Cause: ${err instanceof Error ? err.message : String(err)}`);
+		throw new Error(`Template for '${cfnStackName}' is not a valid CloudFormation template. cdkd's --migrate-from-cloudformation flow supports both JSON and YAML templates (YAML via a CFn-aware codec that preserves !Ref / !GetAtt / !Sub shorthand). Cause: ${err instanceof Error ? err.message : String(err)}`);
 	}
-	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed) || !("Resources" in parsed) || typeof parsed.Resources !== "object" || parsed.Resources === null) throw new Error(`Template for '${cfnStackName}' has no Resources section — refusing to retire.`);
+	if (!("Resources" in parsed) || typeof parsed["Resources"] !== "object" || parsed["Resources"] === null || Array.isArray(parsed["Resources"])) throw new Error(`Template for '${cfnStackName}' has no Resources section — refusing to retire.`);
 	let modified = false;
-	const resources = parsed.Resources;
+	const resources = parsed["Resources"];
 	for (const [, resource] of Object.entries(resources)) {
 		if (!resource || typeof resource !== "object" || Array.isArray(resource)) continue;
 		const r = resource;
@@ -35040,8 +35287,9 @@ function injectRetainPolicies(templateBody, cfnStackName) {
 		}
 	}
 	return {
-		body: JSON.stringify(parsed, null, 2),
-		modified
+		body: stringifyCfnTemplate(parsed, format),
+		modified,
+		format
 	};
 }
 /**
@@ -46185,10 +46433,13 @@ async function exportCommand(stackArg, options) {
 		let template;
 		let resolvedStackName;
 		let synthedRegion;
+		let templateFormat = "json";
 		let allSynthStacks = [];
 		if (options.template) {
 			if (!stackArg) throw new Error("--template requires a stack name as a positional argument to identify the cdkd state record.");
-			template = parseTemplateFile(options.template);
+			const parsed = parseTemplateFile(options.template);
+			template = parsed.template;
+			templateFormat = parsed.format;
 			resolvedStackName = stackArg;
 		} else {
 			const appCmd = options.app || resolveApp();
@@ -46285,7 +46536,7 @@ async function exportCommand(stackArg, options) {
 			const phase1Template = filterTemplateForImport(template, phase1Imports);
 			const injectedCount = injectDeletionPolicyForImport(phase1Template);
 			if (injectedCount > 0) logger.info(`Injected DeletionPolicy: Delete on ${injectedCount} resource(s) without an explicit DeletionPolicy (required by CFn IMPORT — matches the CDK/CFn default for resources without RemovalPolicy).`);
-			await executeImportChangeSet(awsClients.cloudFormation, cfnStackName, phase1Template, phase1Imports, cfnParameters);
+			await executeImportChangeSet(awsClients.cloudFormation, cfnStackName, phase1Template, phase1Imports, cfnParameters, templateFormat);
 			logger.info(`✓ Phase 1: CloudFormation stack '${cfnStackName}' created via IMPORT. ${phase1Imports.length} resource(s) imported.`);
 			if (recreateBeforePhase2.length > 0) for (const entry of recreateBeforePhase2) {
 				const handler = PRE_DELETE_HANDLERS[entry.resourceType];
@@ -46302,7 +46553,7 @@ async function exportCommand(stackArg, options) {
 			const phase2Count = phase2Creates.length + recreateBeforePhase2.length;
 			if (phase2Count > 0) try {
 				const phase2Template = applyImportOverlayForPhase2(template, phase1Imports);
-				await executeUpdateChangeSet(awsClients.cloudFormation, cfnStackName, phase2Template, cfnParameters);
+				await executeUpdateChangeSet(awsClients.cloudFormation, cfnStackName, phase2Template, cfnParameters, templateFormat);
 				const parts = [];
 				if (phase2Creates.length > 0) parts.push(`${phase2Creates.length} non-importable resource(s) CREATEd`);
 				if (recreateBeforePhase2.length > 0) parts.push(`${recreateBeforePhase2.length} IMPORT-unsupported resource(s) re-CREATEd`);
@@ -46362,14 +46613,15 @@ function parseTemplateFile(path) {
 	} catch (err) {
 		throw new Error(`Failed to read template file '${path}': ` + (err instanceof Error ? err.message : String(err)));
 	}
-	let parsed;
 	try {
-		parsed = JSON.parse(raw);
+		const { template, format } = parseCfnTemplateWithFormat(raw);
+		return {
+			template,
+			format
+		};
 	} catch (err) {
-		throw new Error(`Template file '${path}' is not valid JSON. cdkd export only supports JSON templates (CDK-generated). Cause: ` + (err instanceof Error ? err.message : String(err)));
+		throw new Error(`Template file '${path}' is not a valid CloudFormation template. cdkd export accepts JSON and YAML (YAML via a CFn-aware codec that preserves !Ref / !GetAtt / !Sub shorthand). Cause: ` + (err instanceof Error ? err.message : String(err)));
 	}
-	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`Template file '${path}' is not a JSON object.`);
-	return parsed;
 }
 async function assertCfnStackAbsent(cfnClient, stackName) {
 	try {
@@ -46917,10 +47169,10 @@ function printPlan(plan, cfnStackName) {
 	}
 	logger.info("");
 }
-async function executeImportChangeSet(cfnClient, stackName, template, plan, parameters) {
+async function executeImportChangeSet(cfnClient, stackName, template, plan, parameters, templateFormat = "json") {
 	const logger = getLogger();
 	const changeSetName = `cdkd-migrate-${Date.now()}`;
-	const templateBody = JSON.stringify(template, null, 2);
+	const templateBody = stringifyCfnTemplate(template, templateFormat);
 	const resourcesToImport = plan.map((entry) => ({
 		ResourceType: entry.resourceType,
 		LogicalResourceId: entry.logicalId,
@@ -47031,10 +47283,10 @@ async function collectImportFailureSummary(cfnClient, stackName) {
 * (cdkd state is intentionally NOT deleted between phases, so a phase-2
 * failure leaves a recoverable state).
 */
-async function executeUpdateChangeSet(cfnClient, stackName, template, parameters) {
+async function executeUpdateChangeSet(cfnClient, stackName, template, parameters, templateFormat = "json") {
 	const logger = getLogger();
 	const changeSetName = `cdkd-phase2-${Date.now()}`;
-	const templateBody = JSON.stringify(template, null, 2);
+	const templateBody = stringifyCfnTemplate(template, templateFormat);
 	if (templateBody.length > 51200) throw new Error(`Full template is ${templateBody.length} bytes, over the 51,200-byte inline TemplateBody limit for phase-2 UPDATE. TemplateURL upload is not yet implemented.`);
 	logger.info(`Creating UPDATE changeset '${changeSetName}' for phase 2 (${templateBody.length} bytes)...`);
 	try {
@@ -47160,7 +47412,7 @@ async function confirmPrompt(prompt) {
 	}
 }
 function createExportCommand() {
-	const cmd = new Command("export").description("Hand a cdkd-managed stack over to CloudFormation via CFn IMPORT (changeset). AWS resources are unchanged; cdkd state for the stack is deleted on success. Mirror of `cdkd import` (AWS → cdkd) in the reverse direction (cdkd → CFn). JSON templates only. Aborts if any resource is not CFn-importable.").argument("[stack]", "Stack name to export (auto-detected for single-stack apps)").option("--cfn-stack-name <name>", "Name of the destination CloudFormation stack. Defaults to the cdkd stack name.").option("--template <path>", "Path to a pre-rendered CloudFormation template (JSON). Skips synth.").option("--stack-region <region>", "Region of the cdkd state record to operate on. Required when the same stack name has state in multiple regions.").option("--dry-run", "Print the import plan without creating a changeset.", false).option("--accept-transient-context", "Allow CLI -c key=value overrides at export time even though they are not persisted to cdk.json / cdk.context.json (default: refuse). When set, the user is responsible for passing the same -c flags to every future cdk deploy.", false).option("--include-non-importable", "Run a 2-phase migration when the stack contains non-importable resources (Custom::*). Phase 1 imports the importable resources; phase 2 CFn-CREATEs the non-importable ones, which re-invokes each Custom Resource's onCreate handler. Make sure onCreate is idempotent before enabling.", false).option("--parameter <key=value...>", "CFn template Parameter override, repeatable. Required when the synthesized template has Parameters without Default values; otherwise overrides the template's default value. Format: --parameter Key=Value.").option("--strict-cross-stack", "Refuse to export when sibling cdkd stacks in the same CDK app reference the exporting stack via Fn::GetStackOutput. Without the flag, cdkd warns but proceeds — the user is expected to migrate the consumer stacks in a follow-up.", false).option("--no-recreate-import-unsupported", "Block instead of auto-handling resource types AWS does NOT support in IMPORT changesets (currently only AWS::ApiGatewayV2::Stage, emitted by CDK HttpApi). Default behavior: cdkd skips these from phase 1, deletes the AWS-side resource between phases, and lets CFn re-CREATE in phase 2 (brief unavailability window). With this flag, the export aborts with a clear error instead.").action(withErrorHandling(exportCommand));
+	const cmd = new Command("export").description("Hand a cdkd-managed stack over to CloudFormation via CFn IMPORT (changeset). AWS resources are unchanged; cdkd state for the stack is deleted on success. Mirror of `cdkd import` (AWS → cdkd) in the reverse direction (cdkd → CFn). Accepts JSON and YAML templates (YAML via a CFn-aware codec that preserves !Ref / !GetAtt / !Sub shorthand). Aborts if any resource is not CFn-importable.").argument("[stack]", "Stack name to export (auto-detected for single-stack apps)").option("--cfn-stack-name <name>", "Name of the destination CloudFormation stack. Defaults to the cdkd stack name.").option("--template <path>", "Path to a pre-rendered CloudFormation template (JSON or YAML — format auto-detected). Skips synth.").option("--stack-region <region>", "Region of the cdkd state record to operate on. Required when the same stack name has state in multiple regions.").option("--dry-run", "Print the import plan without creating a changeset.", false).option("--accept-transient-context", "Allow CLI -c key=value overrides at export time even though they are not persisted to cdk.json / cdk.context.json (default: refuse). When set, the user is responsible for passing the same -c flags to every future cdk deploy.", false).option("--include-non-importable", "Run a 2-phase migration when the stack contains non-importable resources (Custom::*). Phase 1 imports the importable resources; phase 2 CFn-CREATEs the non-importable ones, which re-invokes each Custom Resource's onCreate handler. Make sure onCreate is idempotent before enabling.", false).option("--parameter <key=value...>", "CFn template Parameter override, repeatable. Required when the synthesized template has Parameters without Default values; otherwise overrides the template's default value. Format: --parameter Key=Value.").option("--strict-cross-stack", "Refuse to export when sibling cdkd stacks in the same CDK app reference the exporting stack via Fn::GetStackOutput. Without the flag, cdkd warns but proceeds — the user is expected to migrate the consumer stacks in a follow-up.", false).option("--no-recreate-import-unsupported", "Block instead of auto-handling resource types AWS does NOT support in IMPORT changesets (currently only AWS::ApiGatewayV2::Stage, emitted by CDK HttpApi). Default behavior: cdkd skips these from phase 1, deletes the AWS-side resource between phases, and lets CFn re-CREATE in phase 2 (brief unavailability window). With this flag, the export aborts with a clear error instead.").action(withErrorHandling(exportCommand));
 	[
 		...commonOptions,
 		...appOptions,
@@ -47212,7 +47464,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.122.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.124.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());