@go-to-k/cdkd 0.137.3 → 0.138.0

package/dist/cli.js

@@ -55,7 +55,7 @@ import { AddTagsCommand as AddTagsCommand$1, CloudTrailClient, CreateTrailComman
 import { BatchGetProjectsCommand, CodeBuildClient, CreateProjectCommand, DeleteProjectCommand, ListProjectsCommand, ResourceNotFoundException as ResourceNotFoundException$9, UpdateProjectCommand } from "@aws-sdk/client-codebuild";
 import { CreateVectorBucketCommand, DeleteIndexCommand, DeleteVectorBucketCommand, GetVectorBucketCommand, ListIndexesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$18, ListVectorBucketsCommand, S3VectorsClient } from "@aws-sdk/client-s3vectors";
 import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient } from "@aws-sdk/client-s3tables";
-import { AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
+import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import * as readline from "node:readline/promises";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
 import { mkdir, mkdtemp } from "node:fs/promises";
@@ -29963,27 +29963,36 @@ var ECRProvider = class {
 *      Groups` already provides.
 *
 * Update has narrower coverage than create: AWS does not support modifying
-* `AutoScalingGroupName` (immutable), `Tags` (those go through `CreateOrUpdate
-* Tags` / `DeleteTags`), or attached LB / target-group references (those go
-* through `Attach*` / `Detach*` calls). Those diffs still surface
-* `ResourceUpdateNotSupportedError` so the caller can `cdkd deploy --replace`.
-* The mutable fields handled in-place via `UpdateAutoScalingGroup` include
-* MinSize / MaxSize / DesiredCapacity / VPCZoneIdentifier / HealthCheckType /
-* HealthCheckGracePeriod / DefaultCooldown / Cooldown / NewInstancesProtected
-* FromScaleIn / MaxInstanceLifetime / TerminationPolicies / CapacityRebalance
-* / ServiceLinkedRoleARN / Context / DesiredCapacityType / DefaultInstance
-* Warmup / AvailabilityZones / AvailabilityZoneDistribution / Availability
-* ZoneImpairmentPolicy / SkipZonalShiftValidation / CapacityReservation
-* Specification / InstanceMaintenancePolicy / DeletionProtection / Mixed
-* InstancesPolicy / LaunchTemplate.
+* `AutoScalingGroupName` (immutable) — that diff still surfaces
+* `ResourceUpdateNotSupportedError` so the caller can `cdkd deploy
+* --replace`. The mutable fields handled in-place via
+* `UpdateAutoScalingGroup` include MinSize / MaxSize / DesiredCapacity /
+* VPCZoneIdentifier / HealthCheckType / HealthCheckGracePeriod /
+* DefaultCooldown / Cooldown / NewInstancesProtectedFromScaleIn /
+* MaxInstanceLifetime / TerminationPolicies / CapacityRebalance /
+* ServiceLinkedRoleARN / Context / DesiredCapacityType /
+* DefaultInstanceWarmup / AvailabilityZones / AvailabilityZoneDistribution
+* / AvailabilityZoneImpairmentPolicy / SkipZonalShiftValidation /
+* CapacityReservationSpecification / InstanceMaintenancePolicy /
+* DeletionProtection / MixedInstancesPolicy / LaunchTemplate.
 *
 * Sub-shape diffs are applied via dedicated AWS APIs before the main
-* `UpdateAutoScalingGroup` call: `MetricsCollection` →
-* `EnableMetricsCollection` / `DisableMetricsCollection`,
-* `LifecycleHookSpecificationList` → per-entry `PutLifecycleHook` /
-* `DeleteLifecycleHook`, `TrafficSources` → `AttachTrafficSources` /
-* `DetachTrafficSources`, `NotificationConfigurations` → per-topic
-* `PutNotificationConfiguration` / `DeleteNotificationConfiguration`.
+* `UpdateAutoScalingGroup` call:
+*   - `Tags` → `CreateOrUpdateTags` / `DeleteTags` (#475)
+*   - `LoadBalancerNames` → `AttachLoadBalancers` /
+*     `DetachLoadBalancers` (#476)
+*   - `TargetGroupARNs` → `AttachLoadBalancerTargetGroups` /
+*     `DetachLoadBalancerTargetGroups` (#476)
+*   - `MetricsCollection` → `EnableMetricsCollection` /
+*     `DisableMetricsCollection`
+*   - `LifecycleHookSpecificationList` → per-entry `PutLifecycleHook` /
+*     `DeleteLifecycleHook`
+*   - `TrafficSources` → `AttachTrafficSources` /
+*     `DetachTrafficSources`
+*   - `NotificationConfigurations` → per-topic
+*     `PutNotificationConfiguration` /
+*     `DeleteNotificationConfiguration`
+*
 * Each helper is a no-op when the before/after JSON is identical.
 */
 var ASGProvider = class {
@@ -30091,10 +30100,10 @@ var ASGProvider = class {
 		this.logger.debug(`Updating AutoScalingGroup ${logicalId}: ${physicalId}`);
 		const stringEq = (a, b) => JSON.stringify(a) === JSON.stringify(b);
 		if (!stringEq(properties["AutoScalingGroupName"], previousProperties["AutoScalingGroupName"])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "AutoScalingGroupName is immutable on AWS — UpdateAutoScalingGroup does not accept a new name; the name is fixed at creation. Use cdkd deploy --replace to replace the group.");
-		if (!stringEq(properties["Tags"] ?? [], previousProperties["Tags"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "Tags updates on AWS::AutoScaling::AutoScalingGroup are not yet implemented in cdkd (AWS exposes CreateOrUpdateTags / DeleteTags); use cdkd deploy --replace, or update the tags via AWS console / CLI.");
-		if (!stringEq(properties["LoadBalancerNames"] ?? [], previousProperties["LoadBalancerNames"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "LoadBalancerNames diffs on AWS::AutoScaling::AutoScalingGroup are not yet implemented in cdkd (AWS exposes AttachLoadBalancers / DetachLoadBalancers); use cdkd deploy --replace.");
-		if (!stringEq(properties["TargetGroupARNs"] ?? [], previousProperties["TargetGroupARNs"] ?? [])) throw new ResourceUpdateNotSupportedError(resourceType, logicalId, "TargetGroupARNs diffs on AWS::AutoScaling::AutoScalingGroup are not yet implemented in cdkd (AWS exposes AttachLoadBalancerTargetGroups / DetachLoadBalancerTargetGroups); use cdkd deploy --replace.");
 		try {
+			await this.applyTagsDiff(physicalId, properties["Tags"], previousProperties["Tags"]);
+			await this.applyLoadBalancerNamesDiff(physicalId, properties["LoadBalancerNames"], previousProperties["LoadBalancerNames"]);
+			await this.applyTargetGroupArnsDiff(physicalId, properties["TargetGroupARNs"], previousProperties["TargetGroupARNs"]);
 			await this.applyMetricsCollectionDiff(physicalId, properties["MetricsCollection"], previousProperties["MetricsCollection"]);
 			await this.applyLifecycleHooksDiff(physicalId, properties["LifecycleHookSpecificationList"], previousProperties["LifecycleHookSpecificationList"]);
 			await this.applyTrafficSourcesDiff(physicalId, properties["TrafficSources"], previousProperties["TrafficSources"]);
@@ -30354,6 +30363,99 @@ var ASGProvider = class {
 	sleep(ms) {
 		return new Promise((resolve) => setTimeout(resolve, ms));
 	}
+	/**
+	* Diff and apply changes to the ASG's `Tags` property via the
+	* `CreateOrUpdateTags` / `DeleteTags` AWS APIs (#475). CFn Tags shape is
+	* `[{Key, Value, PropagateAtLaunch}]`; AWS Tag input adds `ResourceId`
+	* (= the ASG name) and `ResourceType: 'auto-scaling-group'`.
+	*
+	* Diff semantics:
+	*   - Removed keys → `DeleteTags`.
+	*   - Added keys → `CreateOrUpdateTags`.
+	*   - Modified value or `PropagateAtLaunch` flag → `CreateOrUpdateTags`
+	*     (the AWS API upserts by `(ResourceId, ResourceType, Key)` tuple, so
+	*     a single upsert call replaces the old value).
+	*
+	* No-op when before/after JSON is identical.
+	*/
+	async applyTagsDiff(physicalId, next, prev) {
+		if (JSON.stringify(next ?? []) === JSON.stringify(prev ?? [])) return;
+		const nextEntries = Array.isArray(next) ? next : [];
+		const prevEntries = Array.isArray(prev) ? prev : [];
+		const nextByKey = /* @__PURE__ */ new Map();
+		for (const t of nextEntries) if (t.Key) nextByKey.set(t.Key, t);
+		const prevByKey = /* @__PURE__ */ new Map();
+		for (const t of prevEntries) if (t.Key) prevByKey.set(t.Key, t);
+		const toDelete = [];
+		for (const [key, tag] of prevByKey) if (!nextByKey.has(key)) toDelete.push(tag);
+		if (toDelete.length > 0) await this.getClient().send(new DeleteTagsCommand$1({ Tags: toDelete.map((t) => ({
+			ResourceId: physicalId,
+			ResourceType: "auto-scaling-group",
+			Key: t.Key
+		})) }));
+		const toUpsert = [];
+		for (const [key, tag] of nextByKey) {
+			const before = prevByKey.get(key);
+			if (JSON.stringify(before) === JSON.stringify(tag)) continue;
+			toUpsert.push(tag);
+		}
+		if (toUpsert.length > 0) await this.getClient().send(new CreateOrUpdateTagsCommand({ Tags: toUpsert.map((t) => ({
+			ResourceId: physicalId,
+			ResourceType: "auto-scaling-group",
+			Key: t.Key,
+			...t.Value !== void 0 && { Value: t.Value },
+			...t.PropagateAtLaunch !== void 0 && { PropagateAtLaunch: t.PropagateAtLaunch }
+		})) }));
+	}
+	/**
+	* Diff `LoadBalancerNames` (Classic Load Balancers) and issue
+	* `AttachLoadBalancers` / `DetachLoadBalancers` for the delta (#476).
+	* Names are opaque strings; AWS allows N attached LBs per ASG so this
+	* helper batches every add into one Attach call and every remove into
+	* one Detach call. No-op when before/after JSON is identical.
+	*/
+	async applyLoadBalancerNamesDiff(physicalId, next, prev) {
+		if (JSON.stringify(next ?? []) === JSON.stringify(prev ?? [])) return;
+		const nextNames = (Array.isArray(next) ? next : []).filter((n) => typeof n === "string");
+		const prevNames = (Array.isArray(prev) ? prev : []).filter((n) => typeof n === "string");
+		const nextSet = new Set(nextNames);
+		const prevSet = new Set(prevNames);
+		const toAttach = nextNames.filter((n) => !prevSet.has(n));
+		const toDetach = prevNames.filter((n) => !nextSet.has(n));
+		if (toDetach.length > 0) await this.getClient().send(new DetachLoadBalancersCommand({
+			AutoScalingGroupName: physicalId,
+			LoadBalancerNames: toDetach
+		}));
+		if (toAttach.length > 0) await this.getClient().send(new AttachLoadBalancersCommand({
+			AutoScalingGroupName: physicalId,
+			LoadBalancerNames: toAttach
+		}));
+	}
+	/**
+	* Diff `TargetGroupARNs` (ALB / NLB target groups) and issue
+	* `AttachLoadBalancerTargetGroups` /
+	* `DetachLoadBalancerTargetGroups` for the delta (#476). Target-group
+	* ARNs are opaque strings; same per-call batching pattern as
+	* `applyLoadBalancerNamesDiff`. No-op when before/after JSON is
+	* identical.
+	*/
+	async applyTargetGroupArnsDiff(physicalId, next, prev) {
+		if (JSON.stringify(next ?? []) === JSON.stringify(prev ?? [])) return;
+		const nextArns = (Array.isArray(next) ? next : []).filter((a) => typeof a === "string");
+		const prevArns = (Array.isArray(prev) ? prev : []).filter((a) => typeof a === "string");
+		const nextSet = new Set(nextArns);
+		const prevSet = new Set(prevArns);
+		const toAttach = nextArns.filter((a) => !prevSet.has(a));
+		const toDetach = prevArns.filter((a) => !nextSet.has(a));
+		if (toDetach.length > 0) await this.getClient().send(new DetachLoadBalancerTargetGroupsCommand({
+			AutoScalingGroupName: physicalId,
+			TargetGroupARNs: toDetach
+		}));
+		if (toAttach.length > 0) await this.getClient().send(new AttachLoadBalancerTargetGroupsCommand({
+			AutoScalingGroupName: physicalId,
+			TargetGroupARNs: toAttach
+		}));
+	}
 	async applyMetricsCollectionDiff(physicalId, next, prev) {
 		if (JSON.stringify(next ?? []) === JSON.stringify(prev ?? [])) return;
 		const nextEntries = Array.isArray(next) ? next : [];
@@ -39898,6 +40000,25 @@ function resolveFnSubInvokeArn(arg) {
 	};
 }
 
+//#endregion
+//#region src/local/intrinsic-utils.ts
+/**
+* If `value` is a `{ Ref: <string> }` intrinsic, return the referenced
+* logical ID. Otherwise return `null`.
+*
+* Shared across the `src/local/*` resolvers (route discovery, authorizer
+* resolution, stage attachment) so future intrinsic-shape extensions
+* (e.g. accepting `Fn::Sub`-bound Refs in REST v1 ResourceId / ParentId)
+* land in one place instead of three.
+*/
+function pickRefLogicalId(value) {
+	if (value && typeof value === "object" && !Array.isArray(value)) {
+		const ref = value["Ref"];
+		if (typeof ref === "string") return ref;
+	}
+	return null;
+}
+
 //#endregion
 //#region src/local/httpv2-service-integration.ts
 const logger = getLogger();
@@ -40363,7 +40484,7 @@ function discoverRestV1Method(logicalId, resource, template, stackName) {
 	const integration = props["Integration"];
 	if (!integration) throw new Error(`${stackName}/${logicalId} (AWS::ApiGateway::Method): missing Integration property`);
 	const restApiId = props["RestApiId"];
-	const restApiLogicalId = pickRefLogicalId$3(restApiId);
+	const restApiLogicalId = pickRefLogicalId(restApiId);
 	if (!restApiLogicalId) throw new Error(`${stackName}/${logicalId} (AWS::ApiGateway::Method): RestApiId must be a { Ref: '...' } reference (got ${shortJson$1(restApiId)}).`);
 	const resourceId = props["ResourceId"];
 	const path = buildRestV1Path(resourceId, restApiLogicalId, template, stackName, logicalId);
@@ -40723,7 +40844,7 @@ function buildRestV1Path(resourceIdIntrinsic, restApiLogicalId, template, stackN
 			if (Array.isArray(arg) && arg.length === 2 && arg[1] === "RootResourceId") return "/";
 		}
 	}
-	const resourceLogicalId = pickRefLogicalId$3(resourceIdIntrinsic);
+	const resourceLogicalId = pickRefLogicalId(resourceIdIntrinsic);
 	if (!resourceLogicalId) throw new Error(`${stackName}/${methodLogicalId}: ResourceId must be { Ref: '...' } or { 'Fn::GetAtt': [..., 'RootResourceId'] } (got ${shortJson$1(resourceIdIntrinsic)}).`);
 	const segments = [];
 	const visited = /* @__PURE__ */ new Set();
@@ -40743,7 +40864,7 @@ function buildRestV1Path(resourceIdIntrinsic, restApiLogicalId, template, stackN
 			const arg = parentId["Fn::GetAtt"];
 			if (Array.isArray(arg) && arg[1] === "RootResourceId") break;
 		}
-		cursor = pickRefLogicalId$3(parentId) ?? void 0;
+		cursor = pickRefLogicalId(parentId) ?? void 0;
 	}
 	return "/" + segments.join("/");
 }
@@ -40758,7 +40879,7 @@ function pickRestV1Stage(restApiLogicalId, template) {
 	for (const [, resource] of Object.entries(resources)) {
 		if (resource.Type !== "AWS::ApiGateway::Stage") continue;
 		const props = resource.Properties ?? {};
-		if (pickRefLogicalId$3(props["RestApiId"]) === restApiLogicalId) {
+		if (pickRefLogicalId(props["RestApiId"]) === restApiLogicalId) {
 			const stageName = props["StageName"];
 			if (typeof stageName === "string") return stageName;
 		}
@@ -40777,7 +40898,7 @@ function pickRestV1Stage(restApiLogicalId, template) {
 function discoverHttpApiRoute(logicalId, resource, template, stackName) {
 	const props = resource.Properties ?? {};
 	const apiId = props["ApiId"];
-	const apiLogicalId = pickRefLogicalId$3(apiId);
+	const apiLogicalId = pickRefLogicalId(apiId);
 	if (!apiLogicalId) throw new Error(`${stackName}/${logicalId} (AWS::ApiGatewayV2::Route): ApiId must be { Ref: '...' } (got ${shortJson$1(apiId)}).`);
 	const routeKey = props["RouteKey"];
 	if (typeof routeKey !== "string" || routeKey.length === 0) throw new Error(`${stackName}/${logicalId} (AWS::ApiGatewayV2::Route): RouteKey must be a string`);
@@ -40990,11 +41111,11 @@ function parseHttpApiTargetIntegration(target, location) {
 			const sep = join[0];
 			const parts = join[1];
 			if (sep === "/" && parts.length === 2 && parts[0] === "integrations") {
-				const ref = pickRefLogicalId$3(parts[1]);
+				const ref = pickRefLogicalId(parts[1]);
 				if (ref) return ref;
 			}
 			if (sep === "" && parts.length === 2 && parts[0] === "integrations/") {
-				const ref = pickRefLogicalId$3(parts[1]);
+				const ref = pickRefLogicalId(parts[1]);
 				if (ref) return ref;
 			}
 		}
@@ -41014,7 +41135,7 @@ function parseHttpApiTargetIntegration(target, location) {
 				if (m) {
 					const bound = bindings[m[1]];
 					if (bound !== void 0) {
-						const ref = pickRefLogicalId$3(bound);
+						const ref = pickRefLogicalId(bound);
 						if (ref) return ref;
 					}
 				}
@@ -41040,17 +41161,6 @@ function parseRouteKey(routeKey) {
 	};
 }
 /**
-* If `value` is a `{ Ref: <string> }` intrinsic, return the referenced
-* logical ID. Otherwise return `null`.
-*/
-function pickRefLogicalId$3(value) {
-	if (value && typeof value === "object" && !Array.isArray(value)) {
-		const ref = value["Ref"];
-		if (typeof ref === "string") return ref;
-	}
-	return null;
-}
-/**
 * Compact JSON for error messages — caps long objects so a malformed
 * intrinsic doesn't dump the whole template into a stderr line.
 */
@@ -41142,7 +41252,7 @@ function collectAuthRoutesForApi(apiLogicalId, template, _stackName) {
 	for (const [, resource] of Object.entries(resources)) {
 		if (resource.Type !== "AWS::ApiGatewayV2::Route") continue;
 		const props = resource.Properties ?? {};
-		if (pickRefLogicalId$2(props["ApiId"]) !== apiLogicalId) continue;
+		if (pickRefLogicalId(props["ApiId"]) !== apiLogicalId) continue;
 		const authType = props["AuthorizationType"];
 		if (authType === void 0) continue;
 		const routeKey = props["RouteKey"];
@@ -41194,7 +41304,7 @@ function pickStage$1(apiLogicalId, template) {
 	for (const [, resource] of Object.entries(resources)) {
 		if (resource.Type !== "AWS::ApiGatewayV2::Stage") continue;
 		const props = resource.Properties ?? {};
-		if (pickRefLogicalId$2(props["ApiId"]) === apiLogicalId) {
+		if (pickRefLogicalId(props["ApiId"]) === apiLogicalId) {
 			const stageName = props["StageName"];
 			if (typeof stageName === "string" && stageName.length > 0) return stageName;
 		}
@@ -41215,7 +41325,7 @@ function collectRoutesForApi(apiLogicalId, template, stackName) {
 	for (const [routeLogicalId, resource] of Object.entries(resources)) {
 		if (resource.Type !== "AWS::ApiGatewayV2::Route") continue;
 		const props = resource.Properties ?? {};
-		if (pickRefLogicalId$2(props["ApiId"]) !== apiLogicalId) continue;
+		if (pickRefLogicalId(props["ApiId"]) !== apiLogicalId) continue;
 		const declaredAt = `${stackName}/${routeLogicalId}`;
 		const routeKey = props["RouteKey"];
 		if (typeof routeKey !== "string" || routeKey.length === 0) throw new Error(`${declaredAt}: RouteKey must be a non-empty string.`);
@@ -41263,11 +41373,11 @@ function parseRouteTarget(target, location) {
 			const sep = join[0];
 			const parts = join[1];
 			if (sep === "/" && parts.length === 2 && parts[0] === "integrations") {
-				const ref = pickRefLogicalId$2(parts[1]);
+				const ref = pickRefLogicalId(parts[1]);
 				if (ref) return ref;
 			}
 			if (sep === "" && parts.length === 2 && parts[0] === "integrations/") {
-				const ref = pickRefLogicalId$2(parts[1]);
+				const ref = pickRefLogicalId(parts[1]);
 				if (ref) return ref;
 			}
 		}
@@ -41288,7 +41398,7 @@ function parseRouteTarget(target, location) {
 				if (m) {
 					const bound = bindings[m[1]];
 					if (bound !== void 0) {
-						const ref = pickRefLogicalId$2(bound);
+						const ref = pickRefLogicalId(bound);
 						if (ref) return ref;
 					}
 				}
@@ -41297,13 +41407,6 @@ function parseRouteTarget(target, location) {
 	}
 	throw new Error(`${location}: Target must be 'integrations/<id>' literal, Fn::Join with the documented shapes, or Fn::Sub with an 'integrations/\${...}' template.`);
 }
-function pickRefLogicalId$2(value) {
-	if (value && typeof value === "object" && !Array.isArray(value)) {
-		const ref = value["Ref"];
-		if (typeof ref === "string") return ref;
-	}
-	return null;
-}
 function readApiCdkPath(logicalId, template) {
 	const resource = template.Resources?.[logicalId];
 	if (!resource) return void 0;
@@ -45119,11 +45222,22 @@ function parseCognitoIssuer(issuer) {
 	};
 }
 /**
-* Pull a string out of a {Ref} / literal entry under `ProviderARNs`.
-* CDK's CognitoUserPoolsAuthorizer emits a literal array of `Fn::GetAtt:
-* [<UserPool>, 'Arn']` entries — we accept both. The `location` argument
-* carries the full `<stack>/<authorizer>.ProviderARNs[<idx>]` path so the
-* error names the offending entry exactly.
+* Pull a string out of a literal / `Fn::GetAtt` entry under `ProviderARNs`.
+*
+* CDK's `apigateway.CognitoUserPoolsAuthorizer` emits a `Fn::GetAtt:
+* [<UserPool>, 'Arn']` reference, which is the canonical shape any user
+* who writes `new CognitoUserPoolsAuthorizer(this, 'auth', { cognitoUserPools: [pool] })`
+* ends up with (#470). Without `--from-state` we cannot resolve the
+* deployed pool ARN, so we synthesize an obviously-unreachable placeholder
+* pointing at a non-existent pool id — the JWKS fetch will fail and
+* cognito-jwt.ts's pass-through fallback (PR #234) admits every JWT
+* without signature verification. The warn log names the affected
+* authorizer + the recommended explicit `providerArns` workaround so
+* developers who DO want real verification know how to switch over.
+*
+* The `location` argument carries the full
+* `<stack>/<authorizer>.ProviderARNs[<idx>]` path so the warn / error
+* names the offending entry exactly.
 */
 function pickStringFromArn(value, location) {
 	if (typeof value === "string") return value;
@@ -45131,7 +45245,11 @@ function pickStringFromArn(value, location) {
 		const obj = value;
 		if ("Fn::GetAtt" in obj) {
 			const arg = obj["Fn::GetAtt"];
-			if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") throw new RouteDiscoveryError(`${location}: uses Fn::GetAtt against logical ID '${arg[0]}'. cdkd local start-api needs the literal ARN string to derive the JWKS URL — set the user pool ARN explicitly via 'authorizer.providerArns' on the CDK construct, or upgrade to JWT (HTTP v2) which encodes the pool in the Issuer URL.`);
+			if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") {
+				const logicalId = arg[0];
+				getLogger().warn(`${location}: uses Fn::GetAtt against logical ID '${logicalId}'. cdkd local start-api cannot resolve the deployed user pool ARN — synthesizing an unreachable placeholder so JWKS pass-through admits every token. For real signature verification, set 'providerArns: [pool.userPoolArn]' explicitly on the CDK construct.`);
+				return `arn:aws:cognito-idp:us-east-1:000000000000:userpool/us-east-1_cdkdplaceholder${logicalId}`;
+			}
 		}
 	}
 	throw new RouteDiscoveryError(`${location}: must be a literal string (got ${shortJson(value)}).`);
@@ -45218,7 +45336,7 @@ function detectRestV1Authorizer(methodResource, methodLogicalId, stack) {
 		declaredAt: `${stack.stackName}/${methodLogicalId}`
 	};
 	const authorizerId = props["AuthorizerId"];
-	const refLogicalId = pickRefLogicalId$1(authorizerId);
+	const refLogicalId = pickRefLogicalId(authorizerId);
 	if (!refLogicalId) throw new RouteDiscoveryError(`${stack.stackName}/${methodLogicalId}: AuthorizationType='${stringifyValue(authType)}' but AuthorizerId is missing or not a {Ref:...}.`);
 	return resolveRestV1Authorizer(refLogicalId, stack.template, stack.stackName, `${stack.stackName}/${methodLogicalId}`);
 }
@@ -45227,18 +45345,11 @@ function detectHttpApiAuthorizer(routeResource, routeLogicalId, stack) {
 	const authType = props["AuthorizationType"];
 	if (authType === void 0 || authType === "NONE") return void 0;
 	const authorizerId = props["AuthorizerId"];
-	const refLogicalId = pickRefLogicalId$1(authorizerId);
+	const refLogicalId = pickRefLogicalId(authorizerId);
 	if (!refLogicalId) throw new RouteDiscoveryError(`${stack.stackName}/${routeLogicalId}: AuthorizationType='${stringifyValue(authType)}' but AuthorizerId is missing or not a {Ref:...}.`);
 	const scopesRaw = props["AuthorizationScopes"];
 	return resolveHttpApiAuthorizer(refLogicalId, Array.isArray(scopesRaw) ? scopesRaw.filter((s) => typeof s === "string") : void 0, stack.template, stack.stackName, `${stack.stackName}/${routeLogicalId}`);
 }
-function pickRefLogicalId$1(value) {
-	if (value && typeof value === "object" && !Array.isArray(value)) {
-		const ref = value["Ref"];
-		if (typeof ref === "string") return ref;
-	}
-	return null;
-}
 function shortJson(value) {
 	try {
 		const s = JSON.stringify(value);
@@ -47809,19 +47920,6 @@ function attachStageContext(routes, stageMap) {
 		route.stage = stage.stageName;
 	}
 }
-/**
-* If `value` is a `{ Ref: <string> }` intrinsic, return the referenced
-* logical ID. Otherwise return `null`. (Duplicated structurally from
-* `route-discovery.ts` — both modules walk the template independently
-* and shouldn't grow a coupling for a 5-line helper.)
-*/
-function pickRefLogicalId(value) {
-	if (value && typeof value === "object" && !Array.isArray(value)) {
-		const ref = value["Ref"];
-		if (typeof ref === "string") return ref;
-	}
-	return null;
-}
 
 //#endregion
 //#region src/local/file-watcher.ts
@@ -54164,7 +54262,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.137.3");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.138.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());