npm - @go-to-k/cdkd - Versions diffs - 0.143.0 → 0.144.0 - Mend

@go-to-k/cdkd 0.143.0 → 0.144.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +5 -2
package/dist/cli.js +677 -351
package/dist/cli.js.map +1 -1
package/dist/{deploy-engine-Dff3_JMn.js → deploy-engine-DjnWyAAc.js} +32 -8
package/dist/deploy-engine-DjnWyAAc.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +1 -1
package/package.json +1 -1
package/dist/deploy-engine-Dff3_JMn.js.map +0 -1

package/dist/cli.js CHANGED Viewed

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-EtWSTAje.js";
-import { A as AssetPublisher, B as resolveStateBucketWithDefault, C as applyRoleArnIfSet, D as LockManager, E as TemplateParser, F as getDefaultStateBucketName, G as MIGRATE_TMP_PREFIX, H as warnDeprecatedNoPrefixCliFlag, I as getLegacyStateBucketName, J as AssemblyReader, K as findLargeInlineResources, L as resolveApp, M as WorkGraph, N as buildDockerImage, O as S3StateBackend, P as Synthesizer, Q as CdkdError, R as resolveCaptureObservedState, S as IntrinsicFunctionResolver, T as DagBuilder, U as CFN_TEMPLATE_BODY_LIMIT, V as resolveStateBucketWithDefaultAndSource, W as CFN_TEMPLATE_URL_LIMIT, X as resolveBucketRegion, _ as normalizeAwsTagsToCfn, _t as normalizeAwsError, a as withRetry, at as MissingCdkCliError, b as CloudControlProvider, c as cyan, ct as ResourceTimeoutError, d as red, dt as StackHasActiveImportsError, f as yellow, ft as StackTerminationProtectionError, g as matchesCdkPath, h as CDK_PATH_TAG, i as withResourceDeadline, j as stringifyValue, k as shouldRetainResource, l as gray, lt as ResourceUpdateNotSupportedError, m as collectInlinePolicyNamesManagedBySiblings, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalMigrateError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as PartialFailureError, p as IAMRoleProvider, q as uploadCfnTemplate, r as DeployEngine, rt as LocalStartServiceError, s as bold, st as ProvisioningError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as LocalInvokeBuildError, u as green, ut as RouteDiscoveryError, v as resolveExplicitPhysicalId, vt as withErrorHandling, w as DiffCalculator, x as assertRegionMatch, y as ProviderRegistry, z as resolveSkipPrefix } from "./deploy-engine-Dff3_JMn.js";
+import { A as AssetPublisher, B as resolveStateBucketWithDefault, C as applyRoleArnIfSet, D as LockManager, E as TemplateParser, F as getDefaultStateBucketName, G as MIGRATE_TMP_PREFIX, H as warnDeprecatedNoPrefixCliFlag, I as getLegacyStateBucketName, J as AssemblyReader, K as findLargeInlineResources, L as resolveApp, M as WorkGraph, N as buildDockerImage, O as S3StateBackend, P as Synthesizer, Q as CdkdError, R as resolveCaptureObservedState, S as IntrinsicFunctionResolver, T as DagBuilder, U as CFN_TEMPLATE_BODY_LIMIT, V as resolveStateBucketWithDefaultAndSource, W as CFN_TEMPLATE_URL_LIMIT, X as resolveBucketRegion, _ as normalizeAwsTagsToCfn, _t as normalizeAwsError, a as withRetry, at as MissingCdkCliError, b as CloudControlProvider, c as cyan, ct as ResourceTimeoutError, d as red, dt as StackHasActiveImportsError, f as yellow, ft as StackTerminationProtectionError, g as matchesCdkPath, h as CDK_PATH_TAG, i as withResourceDeadline, j as stringifyValue, k as shouldRetainResource, l as gray, lt as ResourceUpdateNotSupportedError, m as collectInlinePolicyNamesManagedBySiblings, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalMigrateError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as PartialFailureError, p as IAMRoleProvider, q as uploadCfnTemplate, r as DeployEngine, rt as LocalStartServiceError, s as bold, st as ProvisioningError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as LocalInvokeBuildError, u as green, ut as RouteDiscoveryError, v as resolveExplicitPhysicalId, vt as withErrorHandling, w as DiffCalculator, x as assertRegionMatch, y as ProviderRegistry, z as resolveSkipPrefix } from "./deploy-engine-DjnWyAAc.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-BF03Alpe.js";
+import { AsyncLocalStorage } from "node:async_hooks";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -20,6 +21,7 @@ import { CloudFrontClient, CreateCloudFrontOriginAccessIdentityCommand, CreateDi
 import { CloudWatchClient, DeleteAlarmsCommand, DescribeAlarmsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$4, PutMetricAlarmCommand, TagResourceCommand as TagResourceCommand$6, UntagResourceCommand as UntagResourceCommand$6 } from "@aws-sdk/client-cloudwatch";
 import { CloudWatchLogsClient, CreateLogGroupCommand, DeleteDataProtectionPolicyCommand, DeleteIndexPolicyCommand, DeleteLogGroupCommand, DeleteRetentionPolicyCommand, DescribeIndexPoliciesCommand, DescribeLogGroupsCommand, GetDataProtectionPolicyCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$5, PutBearerTokenAuthenticationCommand, PutDataProtectionPolicyCommand, PutIndexPolicyCommand, PutLogGroupDeletionProtectionCommand, PutRetentionPolicyCommand, ResourceAlreadyExistsException, ResourceNotFoundException as ResourceNotFoundException$4, TagResourceCommand as TagResourceCommand$7, UntagResourceCommand as UntagResourceCommand$7 } from "@aws-sdk/client-cloudwatch-logs";
 import { BedrockAgentCoreControlClient, CreateAgentRuntimeCommand, DeleteAgentRuntimeCommand, GetAgentRuntimeCommand, ResourceNotFoundException as ResourceNotFoundException$5, UpdateAgentRuntimeCommand } from "@aws-sdk/client-bedrock-agentcore-control";
+import * as fs from "node:fs";
 import { cpSync, createWriteStream, existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
 import * as path from "node:path";
 import { dirname, isAbsolute, join, normalize, resolve } from "node:path";
@@ -30944,6 +30946,602 @@ function mapNotificationsToCfn(configurations) {
 	return result;
 }
+//#endregion
+//#region src/cli/commands/destroy-runner.ts
+/**
+* Resource-type → state-property name pairs that gate AWS deletion
+* protection. Used by the `--remove-protection` confirmation prompt to
+* report a best-effort count of resources that will have protection
+* cleared. The actual flip-off is unconditional inside each provider's
+* `delete()` (idempotent — safe when AWS already has protection off),
+* so the count is informational only.
+*
+* Most types use a boolean flag — the value `true` is what we count.
+* Two types use a string-valued enum (Cognito UserPool's
+* `DeletionProtection` is `'ACTIVE' | 'INACTIVE'`, AutoScalingGroup's
+* `DeletionProtection` is `'none' | 'prevent-force-deletion' |
+* 'prevent-all-deletion'`). For those, the helper checks against a
+* per-type set of "active" values via `PROTECTION_ACTIVE_VALUES_BY_TYPE`.
+*
+* Exported for unit-test coverage of `countProtectedResources`.
+*/
+const PROTECTION_PROPERTY_BY_TYPE = {
+	"AWS::Logs::LogGroup": "DeletionProtectionEnabled",
+	"AWS::RDS::DBInstance": "DeletionProtection",
+	"AWS::RDS::DBCluster": "DeletionProtection",
+	"AWS::DocDB::DBCluster": "DeletionProtection",
+	"AWS::Neptune::DBCluster": "DeletionProtection",
+	"AWS::Neptune::DBInstance": "DeletionProtection",
+	"AWS::DynamoDB::Table": "DeletionProtectionEnabled",
+	"AWS::DynamoDB::GlobalTable": "DeletionProtectionEnabled",
+	"AWS::EC2::Instance": "DisableApiTermination",
+	"AWS::Cognito::UserPool": "DeletionProtection",
+	"AWS::AutoScaling::AutoScalingGroup": "DeletionProtection"
+};
+/**
+* For string-valued protection enums, the set of values that count as
+* "currently protected". Types absent from this map use the default
+* (boolean `true`).
+*/
+const PROTECTION_ACTIVE_VALUES_BY_TYPE = {
+	"AWS::Cognito::UserPool": new Set(["ACTIVE"]),
+	"AWS::AutoScaling::AutoScalingGroup": new Set(["prevent-force-deletion", "prevent-all-deletion"])
+};
+/**
+* Count how many resources in a stack's recorded state appear to have
+* deletion protection enabled. Walks `properties` and `observedProperties`
+* for the property name registered against each resource type in
+* `PROTECTION_PROPERTY_BY_TYPE`. ELBv2 LoadBalancer protection lives in
+* `LoadBalancerAttributes` (a CFn `Array<{Key, Value}>`), so it's
+* handled separately via the `deletion_protection.enabled` key.
+*/
+function countProtectedResources(state) {
+	let count = 0;
+	for (const resource of Object.values(state.resources ?? {})) {
+		const propName = PROTECTION_PROPERTY_BY_TYPE[resource.resourceType];
+		if (propName) {
+			const recorded = resource.properties?.[propName] ?? resource.observedProperties?.[propName];
+			const activeValues = PROTECTION_ACTIVE_VALUES_BY_TYPE[resource.resourceType];
+			if (activeValues) {
+				if (activeValues.has(recorded)) count++;
+			} else if (recorded === true) count++;
+			continue;
+		}
+		if (resource.resourceType === "AWS::ElasticLoadBalancingV2::LoadBalancer") {
+			if (((resource.properties?.["LoadBalancerAttributes"] ?? resource.observedProperties?.["LoadBalancerAttributes"])?.find((a) => a?.Key === "deletion_protection.enabled"))?.Value === "true") count++;
+		}
+	}
+	return count;
+}
+/**
+* Run the destroy lifecycle for one stack against an already-loaded
+* `StackState`, reusing the caller's state backend / lock manager.
+*
+* Hoisted from `cdkd destroy` so the new `cdkd state destroy` subcommand
+* can call into the exact same per-stack pipeline without depending on
+* synth or the CDK app. The state-source split is the only meaningful
+* difference between the two commands — everything from "prompt the user"
+* onwards is identical.
+*
+* Side effects:
+* - Acquires (and releases) the stack's S3 lock.
+* - Switches `process.env.AWS_REGION` for the duration of the destroy when
+*   the stack's recorded region differs from `baseRegion`. Restored in the
+*   `finally` block.
+* - On full success, deletes the state file. On any failure, the state
+*   file is preserved so the user can retry.
+*/
+async function runDestroyForStack(stackName, state, ctx) {
+	const logger = getLogger();
+	const result = {
+		stackName,
+		cancelled: false,
+		skippedEmpty: false,
+		deletedCount: 0,
+		retainedCount: 0,
+		errorCount: 0
+	};
+	const resourceCount = Object.keys(state.resources).length;
+	const regionForState = state.region ?? ctx.baseRegion;
+	if (resourceCount === 0) {
+		logger.info(`Stack ${stackName} has no resources, cleaning up state...`);
+		await ctx.stateBackend.deleteState(stackName, regionForState);
+		logger.info(`${green("✓")} State deleted`);
+		result.skippedEmpty = true;
+		return result;
+	}
+	const needsStrongRefCheck = !!(state.outputs && Object.keys(state.outputs).length > 0);
+	if (needsStrongRefCheck) {
+		const consumers = await scanActiveConsumers(stackName, regionForState, ctx);
+		if (consumers.length > 0) throw new StackHasActiveImportsError(stackName, regionForState, consumers);
+	}
+	logger.info(`\nResources to be deleted (${resourceCount}):`);
+	for (const [logicalId, resource] of Object.entries(state.resources)) logger.info(`  - ${logicalId} (${resource.resourceType})`);
+	const protectedCount = ctx.removeProtection ? countProtectedResources(state) : 0;
+	if (!ctx.skipConfirmation) {
+		const rl = readline.createInterface({
+			input: process.stdin,
+			output: process.stdout
+		});
+		const prompt = ctx.removeProtection ? `\nAbout to destroy ${resourceCount} resources from stack "${stackName}", REMOVING DELETION PROTECTION on ${protectedCount} of them. Continue? (y/N): ` : `\nAre you sure you want to destroy stack "${stackName}" and delete all ${resourceCount} resources? (Y/n): `;
+		const answer = await rl.question(prompt);
+		rl.close();
+		const trimmed = answer.trim().toLowerCase();
+		if (ctx.removeProtection) {
+			if (trimmed !== "y" && trimmed !== "yes") {
+				logger.info("Destroy cancelled");
+				result.cancelled = true;
+				return result;
+			}
+		} else if (trimmed === "n" || trimmed === "no") {
+			logger.info("Destroy cancelled");
+			result.cancelled = true;
+			return result;
+		}
+	}
+	const stackRegion = state.region;
+	let destroyProviderRegistry = ctx.providerRegistry;
+	let destroyAwsClients;
+	if (stackRegion && stackRegion !== ctx.baseRegion) {
+		logger.info(`Stack region: ${stackRegion}`);
+		process.env["AWS_REGION"] = stackRegion;
+		process.env["AWS_DEFAULT_REGION"] = stackRegion;
+		destroyAwsClients = new AwsClients({
+			region: stackRegion,
+			...ctx.profile && { profile: ctx.profile }
+		});
+		setAwsClients(destroyAwsClients);
+		destroyProviderRegistry = new ProviderRegistry();
+		registerAllProviders(destroyProviderRegistry);
+		destroyProviderRegistry.setCustomResourceResponseBucket(ctx.stateBucket);
+	}
+	logger.info(`\nAcquiring lock for stack ${stackName}...`);
+	await ctx.lockManager.acquireLock(stackName, regionForState, void 0, "destroy");
+	if (needsStrongRefCheck) {
+		const consumers = await scanActiveConsumers(stackName, regionForState, ctx);
+		if (consumers.length > 0) {
+			try {
+				await ctx.lockManager.releaseLock(stackName, regionForState);
+			} catch (releaseErr) {
+				logger.warn(`Failed to release lock after strong-ref refusal: ${releaseErr instanceof Error ? releaseErr.message : String(releaseErr)}`);
+			}
+			throw new StackHasActiveImportsError(stackName, regionForState, consumers);
+		}
+	}
+	const renderer = getLiveRenderer();
+	renderer.start();
+	try {
+		logger.info("Building dependency graph...");
+		const template = {
+			AWSTemplateFormatVersion: "2010-09-09",
+			Resources: {}
+		};
+		for (const [logicalId, resource] of Object.entries(state.resources)) template.Resources[logicalId] = {
+			Type: resource.resourceType,
+			Properties: resource.properties || {},
+			...resource.dependencies && resource.dependencies.length > 0 && { DependsOn: resource.dependencies }
+		};
+		const typeToLogicalIds = /* @__PURE__ */ new Map();
+		for (const [logicalId, resource] of Object.entries(state.resources)) {
+			const ids = typeToLogicalIds.get(resource.resourceType) ?? [];
+			ids.push(logicalId);
+			typeToLogicalIds.set(resource.resourceType, ids);
+		}
+		for (const [logicalId, resource] of Object.entries(state.resources)) {
+			const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
+			if (!mustDeleteAfter) continue;
+			for (const depType of mustDeleteAfter) {
+				const depIds = typeToLogicalIds.get(depType);
+				if (!depIds) continue;
+				for (const depId of depIds) {
+					const existing = template.Resources[depId]?.DependsOn ?? [];
+					const depsArray = Array.isArray(existing) ? existing : [existing];
+					if (!depsArray.includes(logicalId)) {
+						template.Resources[depId] = {
+							...template.Resources[depId],
+							DependsOn: [...depsArray, logicalId]
+						};
+						logger.debug(`Implicit delete dependency: ${depId} (${depType}) must be deleted before ${logicalId} (${resource.resourceType})`);
+					}
+				}
+			}
+		}
+		const dagBuilder = new DagBuilder();
+		const graph = dagBuilder.buildGraph(template);
+		const executionLevels = dagBuilder.getExecutionLevels(graph);
+		logger.debug(`Dependency graph: ${executionLevels.length} level(s)`);
+		for (let levelIndex = executionLevels.length - 1; levelIndex >= 0; levelIndex--) {
+			const level = executionLevels[levelIndex];
+			if (!level) continue;
+			logger.debug(`Deletion level ${executionLevels.length - levelIndex}/${executionLevels.length} (${level.length} resources)`);
+			const stackRegion = state.region ?? ctx.baseRegion;
+			const deletePromises = level.map(async (logicalId) => {
+				const resource = state.resources[logicalId];
+				if (!resource) {
+					logger.warn(`Resource ${logicalId} not found in state, skipping`);
+					return;
+				}
+				if (shouldRetainResource(resource.deletionPolicy)) {
+					logger.info(`  ⊘ ${logicalId} (${resource.resourceType}) retained — DeletionPolicy: ${resource.deletionPolicy}`);
+					result.retainedCount++;
+					return;
+				}
+				const baseLabel = `Deleting ${logicalId} (${resource.resourceType})`;
+				renderer.addTask(logicalId, baseLabel);
+				try {
+					const provider = destroyProviderRegistry.getProvider(resource.resourceType);
+					const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
+					const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? 3e5;
+					const globalTimeoutMs = ctx.resourceTimeoutMs ?? 18e5;
+					const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
+					await withResourceDeadline(async () => {
+						const maxAttempts = provider.disableOuterRetry ? 0 : 3;
+						let lastDeleteError;
+						for (let attempt = 0; attempt <= maxAttempts; attempt++) try {
+							await provider.delete(logicalId, resource.physicalId, resource.resourceType, resource.properties, {
+								...state.region !== void 0 && { expectedRegion: state.region },
+								...ctx.removeProtection === true && { removeProtection: true }
+							});
+							lastDeleteError = null;
+							break;
+						} catch (retryError) {
+							lastDeleteError = retryError;
+							const msg = retryError instanceof Error ? retryError.message : String(retryError);
+							if (!(msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation")) || attempt >= maxAttempts) break;
+							const delay = 5e3 * Math.pow(2, attempt);
+							logger.debug(`  ⏳ Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/${maxAttempts})`);
+							await new Promise((resolve) => setTimeout(resolve, delay));
+						}
+						if (lastDeleteError) throw lastDeleteError;
+					}, {
+						warnAfterMs,
+						timeoutMs,
+						onWarn: (elapsedMs) => {
+							const minutes = Math.max(1, Math.round(elapsedMs / 6e4));
+							renderer.updateTaskLabel(logicalId, `${baseLabel} [taking longer than expected, ${minutes}m+]`);
+							renderer.printAbove(() => {
+								logger.warn(`${logicalId} (${resource.resourceType}) has been deleting for ${minutes}m — still waiting`);
+							});
+						},
+						onTimeout: (elapsedMs) => new ResourceTimeoutError(logicalId, resource.resourceType, stackRegion, elapsedMs, "DELETE", timeoutMs)
+					});
+					renderer.removeTask(logicalId);
+					logger.info(`  ${red("✗")} ${bold(logicalId)} ${gray(`(${resource.resourceType})`)} ${red("deleted")}`);
+					result.deletedCount++;
+				} catch (error) {
+					renderer.removeTask(logicalId);
+					const msg = error instanceof Error ? error.message : String(error);
+					if (msg.includes("does not exist") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException")) {
+						logger.debug(`  ${logicalId} already deleted, removing from state`);
+						result.deletedCount++;
+					} else if (error instanceof ResourceTimeoutError) {
+						const wrapped = new ProvisioningError(error.message, resource.resourceType, logicalId, resource.physicalId, error);
+						logger.error(`  ✗ Failed to delete ${logicalId}:`, wrapped.message);
+						result.errorCount++;
+					} else {
+						logger.error(`  ✗ Failed to delete ${logicalId}:`, String(error));
+						result.errorCount++;
+					}
+				} finally {
+					renderer.removeTask(logicalId);
+				}
+			});
+			await Promise.all(deletePromises);
+		}
+		if (result.errorCount === 0) {
+			await ctx.stateBackend.deleteState(stackName, regionForState);
+			logger.debug("State deleted");
+			if (ctx.exportIndexStore) await ctx.exportIndexStore.removeStack(stackName, regionForState);
+		} else logger.warn(`${result.errorCount} resource(s) failed to delete. State preserved.`);
+		const retainedSuffix = result.retainedCount > 0 ? `, ${result.retainedCount} retained` : "";
+		if (result.errorCount === 0) logger.info(`\n${green("✓")} ${bold(`Stack ${stackName} destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${result.errorCount} errors)`);
+		else logger.warn(`\n${yellow("⚠")} ${bold(`Stack ${stackName} partially destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${red(result.errorCount)} errors). State preserved — re-run 'cdkd destroy' / 'cdkd state destroy' to clean up.`);
+	} finally {
+		renderer.stop();
+		logger.debug("Releasing lock...");
+		await ctx.lockManager.releaseLock(stackName, regionForState);
+		if (destroyAwsClients) {
+			destroyAwsClients.destroy();
+			process.env["AWS_REGION"] = ctx.baseRegion;
+			process.env["AWS_DEFAULT_REGION"] = ctx.baseRegion;
+			setAwsClients(ctx.baseAwsClients);
+		}
+	}
+	return result;
+}
+/**
+* Strong-reference scan: read every other stack's state.json from the
+* state bucket and check whether any of its `imports[]` entries names
+* `producerStack`. Returns the list of offending consumers (possibly
+* empty).
+*
+* NEVER trusts the persistent exports index — a stale index could miss
+* a freshly-recorded consumer and let a destructive destroy through.
+* The cost is one `listStacks` + N parallel GETs at destroy time only
+* (not the deploy hot path), which the user-facing UX rationalizes as
+* the "destroy is slow OK" trade-off (Issue #343).
+*/
+async function scanActiveConsumers(producerStack, producerRegion, ctx) {
+	const refs = await ctx.stateBackend.listStacks();
+	return (await Promise.all(refs.map(async (ref) => {
+		const region = ref.region ?? ctx.baseRegion;
+		if (ref.stackName === producerStack && region === producerRegion) return null;
+		try {
+			const imports = (await ctx.stateBackend.getState(ref.stackName, region))?.state.imports;
+			if (!imports || imports.length === 0) return null;
+			const matches = imports.filter((entry) => entry.sourceStack === producerStack && entry.sourceRegion === producerRegion);
+			if (matches.length === 0) return null;
+			return matches.map((entry) => ({
+				consumerStack: ref.stackName,
+				consumerRegion: region,
+				exportName: entry.exportName
+			}));
+		} catch {
+			return null;
+		}
+	}))).filter((r) => r !== null).flat();
+}
+//#endregion
+//#region src/provisioning/nested-stack-context.ts
+const storage = new AsyncLocalStorage();
+/**
+* Run `fn` inside a NestedStackProvider context scope. Calls to
+* `getCurrentNestedStackContext()` from inside `fn` (and any awaited callees)
+* return `ctx`. Nested scopes shadow outer ones — the recursive provider
+* uses this to switch the "current parent" to the child before kicking off
+* the child's deploy / destroy, so grand-nested handling resolves against
+* the right parent.
+*/
+function withNestedStackContext(ctx, fn) {
+	return storage.run(ctx, fn);
+}
+/**
+* Returns the current `NestedStackProviderContext`, or `undefined` when called
+* outside any `withNestedStackContext` scope (= cdkd is operating on a
+* top-level stack with no nested-stack work in flight).
+*
+* `NestedStackProvider.create / update / delete` MUST find a context here —
+* absence means a caller forgot to wrap the deploy / destroy entry point.
+*/
+function getCurrentNestedStackContext() {
+	return storage.getStore();
+}
+//#endregion
+//#region src/provisioning/providers/nested-stack-provider.ts
+/**
+* Provider for `AWS::CloudFormation::Stack` — cdkd's recursive nested-stack
+* adapter. Issue [#459](https://github.com/go-to-k/cdkd/issues/459); see
+* [docs/design/459-nested-stacks.md](../../../docs/design/459-nested-stacks.md)
+* for the full design.
+*
+* On `create` / `update`, the provider builds a child {@link DeployEngine}
+* against the same shared state backend / lock manager / provider registry,
+* deploys the child template recursively, and surfaces the child's outputs
+* as `attributes['Outputs.<Key>']` so the parent's
+* `Fn::GetAtt: [<NestedStack>, 'Outputs.<Key>']` references resolve via
+* the existing flat-key fast path in {@link IntrinsicFunctionResolver}.
+*
+* On `delete`, the provider loads the child's state and routes it through
+* {@link runDestroyForStack} for a regular reverse-DAG destroy — the same
+* code `cdkd destroy` uses on a top-level stack.
+*
+* The child's state file lives at
+* `cdkd/<parentStackName>~<NestedStackLogicalId>/<region>/state.json`
+* (the `~` separator is rare in CDK logical ids; verified safe against
+* CDK Stage paths which use `/`). The synthesized `physicalId` is a fake
+* ARN with `cdkd-local` partition so any downstream consumer that
+* accidentally uses it as a real AWS ARN fails loudly.
+*/
+var NestedStackProvider = class {
+	logger = getLogger().child("NestedStackProvider");
+	/**
+	* Opt out of the deploy engine's outer transient-error retry loop. A
+	* nested-stack `create` recursively spawns a child {@link DeployEngine}
+	* that has its own retry / rollback machinery; an outer retry would
+	* re-enter the entire child deploy on a transient error and produce
+	* duplicate AWS resources before the second attempt's per-resource
+	* state save settles. The child engine handles transient errors
+	* internally — mirroring the same opt-out the Custom Resource provider
+	* uses for the same reason.
+	*/
+	disableOuterRetry = true;
+	/**
+	* The CC API fallback path for `AWS::CloudFormation::Stack` would call
+	* CloudFormation's own `CreateStack` — defeating cdkd's whole "no CFn"
+	* approach for the nested children. Refuse the fallback so any future
+	* regression that drops a real property from `handledProperties`
+	* surfaces as an explicit "unhandled property" deploy error instead of
+	* silently round-tripping through CloudFormation.
+	*/
+	disableCcApiFallback = true;
+	/**
+	* Properties this provider actually wires through to the child deploy.
+	* `TemplateURL` is the asset-published S3 URL of the child template
+	* (cdkd reads the local template file via `Metadata['aws:asset:path']`,
+	* so the URL itself is informational here); `Parameters` is the typed
+	* parameter map forwarded as `DeployEngineOptions.parameters` to the
+	* child engine.
+	*/
+	handledProperties = new Map([["AWS::CloudFormation::Stack", new Set(["TemplateURL", "Parameters"])]]);
+	/**
+	* Every other property on `AWS::CloudFormation::Stack` is intentionally
+	* not threaded through — cdkd does not go through CloudFormation, so
+	* CFn-only inputs (rollback / capability / role / notification /
+	* termination-protection / stack-update policy / per-stack timeout /
+	* tags) have no equivalent. The synthesized `Ref` ARN is a placeholder,
+	* not a real AWS resource — so `Tags` and `Description` similarly
+	* have nothing to attach to. `StackName` is replaced by cdkd's derived
+	* `<parent>~<logicalId>` key per design §3, and `TemplateBody` is
+	* superseded by the local `Metadata['aws:asset:path']` lookup.
+	*/
+	unhandledByDesign = new Map([["AWS::CloudFormation::Stack", new Map([
+		["TemplateBody", "CFn-only inline template — cdkd reads the child template from the synth output via Metadata['aws:asset:path'] instead of accepting it inline"],
+		["Capabilities", "CFn-only IAM capability declaration — cdkd does not go through CloudFormation so capabilities have no equivalent"],
+		["Description", "CFn-only informational — no semantic effect on the recursive deploy"],
+		["DisableRollback", "CFn-only — cdkd controls rollback via the top-level deploy-engine --no-rollback flag, not per nested stack"],
+		["EnableTerminationProtection", "CFn-only per-nested-stack flag — cdkd records stack-level terminationProtection at CDK synth time (parent only) and `cdkd destroy` consults that for refusal"],
+		["NotificationARNs", "CFn-only SNS-on-stack-event surface — cdkd has no equivalent (issue #459 design §9)"],
+		["RoleARN", "CFn-only role-assumption — cdkd uses the caller credentials directly, no per-resource role assumption"],
+		["StackName", "cdkd derives the child stack name as `<parent>~<logicalId>` per design §3 (state-key uniqueness); a user-provided StackName has no effect"],
+		["StackPolicyBody", "CFn-only stack-update policy — cdkd has no equivalent (per-resource diff replaces stack-level policy)"],
+		["StackPolicyURL", "CFn-only stack-update policy URL — cdkd has no equivalent"],
+		["StackStatusReason", "CFn-only read-only output — never a real input property"],
+		["Tags", "CFn-only — cdkd does not tag the synthesized \"stack\" (the parent's synthesized ARN is a cdkd-local placeholder, not a real AWS resource)"],
+		["TimeoutInMinutes", "CFn-only stack-create deadline — cdkd uses per-resource --resource-timeout instead (issue #459 design §9)"]
+	])]]);
+	async create(logicalId, _resourceType, properties) {
+		const ctx = this.requireContext();
+		this.requireDeployContext(ctx, "create");
+		const childTemplatePath = ctx.nestedTemplates[logicalId];
+		if (!childTemplatePath) throw new Error(`Nested template file not found for AWS::CloudFormation::Stack '${logicalId}' under parent '${ctx.parentStackName}'. Verify the synth output emits Metadata['aws:asset:path'] on this resource (CDK 2.x cdk.NestedStack does so by default).`);
+		const childTemplate = this.readChildTemplate(childTemplatePath);
+		const childStackName = this.deriveChildStackName(ctx.parentStackName, logicalId);
+		const childRegion = ctx.parentRegion;
+		const childParameters = this.extractParameters(properties);
+		const grandchildTemplates = this.indexGrandchildTemplates(childTemplate, childTemplatePath);
+		const resourceCount = Object.keys(childTemplate.Resources ?? {}).length;
+		this.logger.info(`Deploying nested stack ${childStackName} (logicalId=${logicalId}, ${resourceCount} resource(s))`);
+		await this.runChildDeploy(ctx, logicalId, childStackName, childRegion, childTemplate, childParameters, grandchildTemplates);
+		const attributes = await this.readChildOutputsAsAttributes(ctx, childStackName, childRegion);
+		return {
+			physicalId: this.synthesizeArn(ctx.accountId, ctx.parentRegion, ctx.parentStackName, logicalId),
+			attributes
+		};
+	}
+	async update(logicalId, physicalId, _resourceType, properties, _previousProperties) {
+		const ctx = this.requireContext();
+		this.requireDeployContext(ctx, "update");
+		const childTemplatePath = ctx.nestedTemplates[logicalId];
+		if (!childTemplatePath) throw new Error(`Nested template file not found for AWS::CloudFormation::Stack '${logicalId}' on update.`);
+		const childTemplate = this.readChildTemplate(childTemplatePath);
+		const childStackName = this.deriveChildStackName(ctx.parentStackName, logicalId);
+		const childRegion = ctx.parentRegion;
+		const childParameters = this.extractParameters(properties);
+		const grandchildTemplates = this.indexGrandchildTemplates(childTemplate, childTemplatePath);
+		const resourceCount = Object.keys(childTemplate.Resources ?? {}).length;
+		this.logger.info(`Updating nested stack ${childStackName} (logicalId=${logicalId}, ${resourceCount} resource(s))`);
+		await this.runChildDeploy(ctx, logicalId, childStackName, childRegion, childTemplate, childParameters, grandchildTemplates);
+		return {
+			physicalId,
+			wasReplaced: false,
+			attributes: await this.readChildOutputsAsAttributes(ctx, childStackName, childRegion)
+		};
+	}
+	async delete(logicalId, _physicalId, _resourceType, _properties, deleteContext) {
+		const ctx = this.requireContext();
+		const childStackName = this.deriveChildStackName(ctx.parentStackName, logicalId);
+		const childRegion = ctx.parentRegion;
+		const childStateData = await ctx.stateBackend.getState(childStackName, childRegion);
+		if (!childStateData) {
+			this.logger.debug(`Nested stack ${childStackName} has no state — treating delete as idempotent success.`);
+			return;
+		}
+		const resourceCount = Object.keys(childStateData.state.resources).length;
+		this.logger.info(`Destroying nested stack ${childStackName} (logicalId=${logicalId}, ${resourceCount} resource(s))`);
+		await withNestedStackContext({
+			...ctx,
+			parentStackName: childStackName,
+			parentRegion: childRegion,
+			nestedTemplates: void 0
+		}, () => runDestroyForStack(childStackName, childStateData.state, {
+			stateBackend: ctx.stateBackend,
+			lockManager: ctx.lockManager,
+			providerRegistry: ctx.providerRegistry,
+			baseAwsClients: ctx.awsClients,
+			baseRegion: childRegion,
+			stateBucket: ctx.stateBucket,
+			skipConfirmation: true,
+			...ctx.exportIndexStore && { exportIndexStore: ctx.exportIndexStore },
+			...ctx.destroyOptions?.profile && { profile: ctx.destroyOptions.profile },
+			...deleteContext?.removeProtection === true && { removeProtection: true },
+			...ctx.destroyOptions?.resourceWarnAfterMs !== void 0 && { resourceWarnAfterMs: ctx.destroyOptions.resourceWarnAfterMs },
+			...ctx.destroyOptions?.resourceTimeoutMs !== void 0 && { resourceTimeoutMs: ctx.destroyOptions.resourceTimeoutMs },
+			...ctx.destroyOptions?.resourceWarnAfterByType && { resourceWarnAfterByType: ctx.destroyOptions.resourceWarnAfterByType },
+			...ctx.destroyOptions?.resourceTimeoutByType && { resourceTimeoutByType: ctx.destroyOptions.resourceTimeoutByType }
+		}));
+	}
+	async getAttribute(_physicalId, _resourceType, attributeName) {
+		throw new Error(`AWS::CloudFormation::Stack: attribute '${attributeName}' is not in the recorded Outputs map. Only 'Outputs.<Key>' references to declared Output names on the child template are supported.`);
+	}
+	async runChildDeploy(parentCtx, logicalId, childStackName, childRegion, childTemplate, childParameters, grandchildTemplates) {
+		const childEngine = new DeployEngine(parentCtx.stateBackend, parentCtx.lockManager, parentCtx.dagBuilder, parentCtx.diffCalculator, parentCtx.providerRegistry, {
+			...parentCtx.options ?? {},
+			parameters: childParameters,
+			parentStackInfo: {
+				parentStack: parentCtx.parentStackName,
+				parentLogicalId: logicalId,
+				parentRegion: parentCtx.parentRegion
+			}
+		}, childRegion, parentCtx.exportIndexStore);
+		await withNestedStackContext({
+			...parentCtx,
+			parentStackName: childStackName,
+			parentRegion: childRegion,
+			nestedTemplates: grandchildTemplates
+		}, () => childEngine.deploy(childStackName, childTemplate));
+	}
+	async readChildOutputsAsAttributes(ctx, childStackName, childRegion) {
+		const childStateData = await ctx.stateBackend.getState(childStackName, childRegion);
+		if (!childStateData) throw new Error(`Child stack state '${childStackName}' not found after deploy — NestedStackProvider invariant violated.`);
+		return this.buildOutputsAttributes(childStateData.state.outputs ?? {});
+	}
+	requireContext() {
+		const ctx = getCurrentNestedStackContext();
+		if (!ctx) throw new Error("NestedStackProvider invoked outside withNestedStackContext() scope. The deploy / destroy CLI entry point must wrap its DeployEngine.deploy / runDestroyForStack call in withNestedStackContext(ctx, () => ...).");
+		return ctx;
+	}
+	requireDeployContext(ctx, op) {
+		if (!ctx.nestedTemplates || !ctx.dagBuilder || !ctx.diffCalculator) throw new Error(`NestedStackProvider.${op}: deploy-mode context fields (nestedTemplates / dagBuilder / diffCalculator) are missing. This usually means a destroy-mode entry point called into create/update by mistake.`);
+	}
+	deriveChildStackName(parentStackName, nestedLogicalId) {
+		return `${parentStackName}~${nestedLogicalId}`;
+	}
+	synthesizeArn(accountId, region, parentStackName, logicalId) {
+		return `arn:cdkd-local:${region}:${accountId}:nested-stack/${parentStackName}/${logicalId}`;
+	}
+	extractParameters(properties) {
+		const params = properties["Parameters"];
+		if (!params || typeof params !== "object" || Array.isArray(params)) return {};
+		const result = {};
+		for (const [k, v] of Object.entries(params)) if (typeof v === "string") result[k] = v;
+		else if (typeof v === "number" || typeof v === "boolean") result[k] = String(v);
+		else throw new Error(`NestedStackProvider: child Parameter '${k}' resolved to a non-scalar value (type=${v === null ? "null" : typeof v}). Parameters must be scalars (string / number / boolean) by the time they reach the provider — an unresolved intrinsic here means IntrinsicFunctionResolver upstream did not handle the value, which is a bug. Surface the unresolved input rather than silently coercing to '[object Object]'.`);
+		return result;
+	}
+	readChildTemplate(templatePath) {
+		let raw;
+		try {
+			raw = fs.readFileSync(templatePath, "utf-8");
+		} catch (err) {
+			throw new Error(`Failed to read nested template at ${templatePath}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		try {
+			return JSON.parse(raw);
+		} catch (err) {
+			throw new Error(`Failed to parse nested template at ${templatePath}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+	}
+	indexGrandchildTemplates(childTemplate, childTemplatePath) {
+		const dir = path.dirname(childTemplatePath);
+		const result = {};
+		for (const [grandLogicalId, resource] of Object.entries(childTemplate.Resources ?? {})) {
+			if (resource?.Type !== "AWS::CloudFormation::Stack") continue;
+			const assetPath = resource.Metadata?.["aws:asset:path"];
+			if (typeof assetPath !== "string" || assetPath.length === 0) continue;
+			if (path.isAbsolute(assetPath)) throw new Error(`NestedStackProvider: nested-stack '${grandLogicalId}' has Metadata['aws:asset:path']='${assetPath}' which is absolute. CDK emits relative asset paths for nested templates; an absolute path indicates the synth output was hand-modified or generated by a non-CDK toolchain. Refusing to load.`);
+			result[grandLogicalId] = path.join(dir, assetPath);
+		}
+		return result;
+	}
+	buildOutputsAttributes(outputs) {
+		const attributes = {};
+		for (const [key, value] of Object.entries(outputs)) attributes[`Outputs.${key}`] = value;
+		return attributes;
+	}
+};
 //#endregion
 //#region src/provisioning/register-providers.ts
 /**
@@ -31079,6 +31677,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::S3Tables::TableBucket", s3TablesProvider);
 	registry.register("AWS::S3Tables::Namespace", s3TablesProvider);
 	registry.register("AWS::S3Tables::Table", s3TablesProvider);
+	registry.register("AWS::CloudFormation::Stack", new NestedStackProvider());
 }
 //#endregion
@@ -31356,7 +31955,7 @@ async function deployCommand(stacks, options) {
 						if (!await promptMigrationConfirm(pending, { yes: options.yes })) return;
 					}
 				}
-				const deployResult = await new DeployEngine(stackStateBackend, stackLockManager, dagBuilder, diffCalculator, stackProviderRegistry, {
+				const deployEngineOptions = {
 					concurrency: options.concurrency,
 					dryRun: options.dryRun,
 					noRollback: !options.rollback,
@@ -31365,7 +31964,23 @@ async function deployCommand(stacks, options) {
 					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
 					...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
 					...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
-				}, stackRegion, exportIndexStore).deploy(stackInfo.stackName, stackInfo.template);
+				};
+				const stackDeployEngine = new DeployEngine(stackStateBackend, stackLockManager, dagBuilder, diffCalculator, stackProviderRegistry, deployEngineOptions, stackRegion, exportIndexStore);
+				const deployResult = await withNestedStackContext({
+					stateBackend: stackStateBackend,
+					lockManager: stackLockManager,
+					providerRegistry: stackProviderRegistry,
+					parentStackName: stackInfo.stackName,
+					parentRegion: stackRegion,
+					accountId,
+					awsClients: stackAwsClients,
+					stateBucket,
+					exportIndexStore,
+					nestedTemplates: stackInfo.nestedTemplates ?? {},
+					dagBuilder,
+					diffCalculator,
+					options: deployEngineOptions
+				}, () => stackDeployEngine.deploy(stackInfo.stackName, stackInfo.template));
 				logger.info(`\n${bold("Deployment Summary:")}`);
 				logger.info(`  Stack: ${bold(cyan(deployResult.stackName))}`);
 				logger.info(`  Created: ${deployResult.created > 0 ? green(deployResult.created) : gray(deployResult.created)}`);
@@ -32475,342 +33090,6 @@ function createDriftCommand() {
 	return cmd;
 }
-//#endregion
-//#region src/cli/commands/destroy-runner.ts
-/**
-* Resource-type → state-property name pairs that gate AWS deletion
-* protection. Used by the `--remove-protection` confirmation prompt to
-* report a best-effort count of resources that will have protection
-* cleared. The actual flip-off is unconditional inside each provider's
-* `delete()` (idempotent — safe when AWS already has protection off),
-* so the count is informational only.
-*
-* Most types use a boolean flag — the value `true` is what we count.
-* Two types use a string-valued enum (Cognito UserPool's
-* `DeletionProtection` is `'ACTIVE' | 'INACTIVE'`, AutoScalingGroup's
-* `DeletionProtection` is `'none' | 'prevent-force-deletion' |
-* 'prevent-all-deletion'`). For those, the helper checks against a
-* per-type set of "active" values via `PROTECTION_ACTIVE_VALUES_BY_TYPE`.
-*
-* Exported for unit-test coverage of `countProtectedResources`.
-*/
-const PROTECTION_PROPERTY_BY_TYPE = {
-	"AWS::Logs::LogGroup": "DeletionProtectionEnabled",
-	"AWS::RDS::DBInstance": "DeletionProtection",
-	"AWS::RDS::DBCluster": "DeletionProtection",
-	"AWS::DocDB::DBCluster": "DeletionProtection",
-	"AWS::Neptune::DBCluster": "DeletionProtection",
-	"AWS::Neptune::DBInstance": "DeletionProtection",
-	"AWS::DynamoDB::Table": "DeletionProtectionEnabled",
-	"AWS::DynamoDB::GlobalTable": "DeletionProtectionEnabled",
-	"AWS::EC2::Instance": "DisableApiTermination",
-	"AWS::Cognito::UserPool": "DeletionProtection",
-	"AWS::AutoScaling::AutoScalingGroup": "DeletionProtection"
-};
-/**
-* For string-valued protection enums, the set of values that count as
-* "currently protected". Types absent from this map use the default
-* (boolean `true`).
-*/
-const PROTECTION_ACTIVE_VALUES_BY_TYPE = {
-	"AWS::Cognito::UserPool": new Set(["ACTIVE"]),
-	"AWS::AutoScaling::AutoScalingGroup": new Set(["prevent-force-deletion", "prevent-all-deletion"])
-};
-/**
-* Count how many resources in a stack's recorded state appear to have
-* deletion protection enabled. Walks `properties` and `observedProperties`
-* for the property name registered against each resource type in
-* `PROTECTION_PROPERTY_BY_TYPE`. ELBv2 LoadBalancer protection lives in
-* `LoadBalancerAttributes` (a CFn `Array<{Key, Value}>`), so it's
-* handled separately via the `deletion_protection.enabled` key.
-*/
-function countProtectedResources(state) {
-	let count = 0;
-	for (const resource of Object.values(state.resources ?? {})) {
-		const propName = PROTECTION_PROPERTY_BY_TYPE[resource.resourceType];
-		if (propName) {
-			const recorded = resource.properties?.[propName] ?? resource.observedProperties?.[propName];
-			const activeValues = PROTECTION_ACTIVE_VALUES_BY_TYPE[resource.resourceType];
-			if (activeValues) {
-				if (activeValues.has(recorded)) count++;
-			} else if (recorded === true) count++;
-			continue;
-		}
-		if (resource.resourceType === "AWS::ElasticLoadBalancingV2::LoadBalancer") {
-			if (((resource.properties?.["LoadBalancerAttributes"] ?? resource.observedProperties?.["LoadBalancerAttributes"])?.find((a) => a?.Key === "deletion_protection.enabled"))?.Value === "true") count++;
-		}
-	}
-	return count;
-}
-/**
-* Run the destroy lifecycle for one stack against an already-loaded
-* `StackState`, reusing the caller's state backend / lock manager.
-*
-* Hoisted from `cdkd destroy` so the new `cdkd state destroy` subcommand
-* can call into the exact same per-stack pipeline without depending on
-* synth or the CDK app. The state-source split is the only meaningful
-* difference between the two commands — everything from "prompt the user"
-* onwards is identical.
-*
-* Side effects:
-* - Acquires (and releases) the stack's S3 lock.
-* - Switches `process.env.AWS_REGION` for the duration of the destroy when
-*   the stack's recorded region differs from `baseRegion`. Restored in the
-*   `finally` block.
-* - On full success, deletes the state file. On any failure, the state
-*   file is preserved so the user can retry.
-*/
-async function runDestroyForStack(stackName, state, ctx) {
-	const logger = getLogger();
-	const result = {
-		stackName,
-		cancelled: false,
-		skippedEmpty: false,
-		deletedCount: 0,
-		retainedCount: 0,
-		errorCount: 0
-	};
-	const resourceCount = Object.keys(state.resources).length;
-	const regionForState = state.region ?? ctx.baseRegion;
-	if (resourceCount === 0) {
-		logger.info(`Stack ${stackName} has no resources, cleaning up state...`);
-		await ctx.stateBackend.deleteState(stackName, regionForState);
-		logger.info(`${green("✓")} State deleted`);
-		result.skippedEmpty = true;
-		return result;
-	}
-	const needsStrongRefCheck = !!(state.outputs && Object.keys(state.outputs).length > 0);
-	if (needsStrongRefCheck) {
-		const consumers = await scanActiveConsumers(stackName, regionForState, ctx);
-		if (consumers.length > 0) throw new StackHasActiveImportsError(stackName, regionForState, consumers);
-	}
-	logger.info(`\nResources to be deleted (${resourceCount}):`);
-	for (const [logicalId, resource] of Object.entries(state.resources)) logger.info(`  - ${logicalId} (${resource.resourceType})`);
-	const protectedCount = ctx.removeProtection ? countProtectedResources(state) : 0;
-	if (!ctx.skipConfirmation) {
-		const rl = readline.createInterface({
-			input: process.stdin,
-			output: process.stdout
-		});
-		const prompt = ctx.removeProtection ? `\nAbout to destroy ${resourceCount} resources from stack "${stackName}", REMOVING DELETION PROTECTION on ${protectedCount} of them. Continue? (y/N): ` : `\nAre you sure you want to destroy stack "${stackName}" and delete all ${resourceCount} resources? (Y/n): `;
-		const answer = await rl.question(prompt);
-		rl.close();
-		const trimmed = answer.trim().toLowerCase();
-		if (ctx.removeProtection) {
-			if (trimmed !== "y" && trimmed !== "yes") {
-				logger.info("Destroy cancelled");
-				result.cancelled = true;
-				return result;
-			}
-		} else if (trimmed === "n" || trimmed === "no") {
-			logger.info("Destroy cancelled");
-			result.cancelled = true;
-			return result;
-		}
-	}
-	const stackRegion = state.region;
-	let destroyProviderRegistry = ctx.providerRegistry;
-	let destroyAwsClients;
-	if (stackRegion && stackRegion !== ctx.baseRegion) {
-		logger.info(`Stack region: ${stackRegion}`);
-		process.env["AWS_REGION"] = stackRegion;
-		process.env["AWS_DEFAULT_REGION"] = stackRegion;
-		destroyAwsClients = new AwsClients({
-			region: stackRegion,
-			...ctx.profile && { profile: ctx.profile }
-		});
-		setAwsClients(destroyAwsClients);
-		destroyProviderRegistry = new ProviderRegistry();
-		registerAllProviders(destroyProviderRegistry);
-		destroyProviderRegistry.setCustomResourceResponseBucket(ctx.stateBucket);
-	}
-	logger.info(`\nAcquiring lock for stack ${stackName}...`);
-	await ctx.lockManager.acquireLock(stackName, regionForState, void 0, "destroy");
-	if (needsStrongRefCheck) {
-		const consumers = await scanActiveConsumers(stackName, regionForState, ctx);
-		if (consumers.length > 0) {
-			try {
-				await ctx.lockManager.releaseLock(stackName, regionForState);
-			} catch (releaseErr) {
-				logger.warn(`Failed to release lock after strong-ref refusal: ${releaseErr instanceof Error ? releaseErr.message : String(releaseErr)}`);
-			}
-			throw new StackHasActiveImportsError(stackName, regionForState, consumers);
-		}
-	}
-	const renderer = getLiveRenderer();
-	renderer.start();
-	try {
-		logger.info("Building dependency graph...");
-		const template = {
-			AWSTemplateFormatVersion: "2010-09-09",
-			Resources: {}
-		};
-		for (const [logicalId, resource] of Object.entries(state.resources)) template.Resources[logicalId] = {
-			Type: resource.resourceType,
-			Properties: resource.properties || {},
-			...resource.dependencies && resource.dependencies.length > 0 && { DependsOn: resource.dependencies }
-		};
-		const typeToLogicalIds = /* @__PURE__ */ new Map();
-		for (const [logicalId, resource] of Object.entries(state.resources)) {
-			const ids = typeToLogicalIds.get(resource.resourceType) ?? [];
-			ids.push(logicalId);
-			typeToLogicalIds.set(resource.resourceType, ids);
-		}
-		for (const [logicalId, resource] of Object.entries(state.resources)) {
-			const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
-			if (!mustDeleteAfter) continue;
-			for (const depType of mustDeleteAfter) {
-				const depIds = typeToLogicalIds.get(depType);
-				if (!depIds) continue;
-				for (const depId of depIds) {
-					const existing = template.Resources[depId]?.DependsOn ?? [];
-					const depsArray = Array.isArray(existing) ? existing : [existing];
-					if (!depsArray.includes(logicalId)) {
-						template.Resources[depId] = {
-							...template.Resources[depId],
-							DependsOn: [...depsArray, logicalId]
-						};
-						logger.debug(`Implicit delete dependency: ${depId} (${depType}) must be deleted before ${logicalId} (${resource.resourceType})`);
-					}
-				}
-			}
-		}
-		const dagBuilder = new DagBuilder();
-		const graph = dagBuilder.buildGraph(template);
-		const executionLevels = dagBuilder.getExecutionLevels(graph);
-		logger.debug(`Dependency graph: ${executionLevels.length} level(s)`);
-		for (let levelIndex = executionLevels.length - 1; levelIndex >= 0; levelIndex--) {
-			const level = executionLevels[levelIndex];
-			if (!level) continue;
-			logger.debug(`Deletion level ${executionLevels.length - levelIndex}/${executionLevels.length} (${level.length} resources)`);
-			const stackRegion = state.region ?? ctx.baseRegion;
-			const deletePromises = level.map(async (logicalId) => {
-				const resource = state.resources[logicalId];
-				if (!resource) {
-					logger.warn(`Resource ${logicalId} not found in state, skipping`);
-					return;
-				}
-				if (shouldRetainResource(resource.deletionPolicy)) {
-					logger.info(`  ⊘ ${logicalId} (${resource.resourceType}) retained — DeletionPolicy: ${resource.deletionPolicy}`);
-					result.retainedCount++;
-					return;
-				}
-				const baseLabel = `Deleting ${logicalId} (${resource.resourceType})`;
-				renderer.addTask(logicalId, baseLabel);
-				try {
-					const provider = destroyProviderRegistry.getProvider(resource.resourceType);
-					const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
-					const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? 3e5;
-					const globalTimeoutMs = ctx.resourceTimeoutMs ?? 18e5;
-					const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
-					await withResourceDeadline(async () => {
-						const maxAttempts = provider.disableOuterRetry ? 0 : 3;
-						let lastDeleteError;
-						for (let attempt = 0; attempt <= maxAttempts; attempt++) try {
-							await provider.delete(logicalId, resource.physicalId, resource.resourceType, resource.properties, {
-								...state.region !== void 0 && { expectedRegion: state.region },
-								...ctx.removeProtection === true && { removeProtection: true }
-							});
-							lastDeleteError = null;
-							break;
-						} catch (retryError) {
-							lastDeleteError = retryError;
-							const msg = retryError instanceof Error ? retryError.message : String(retryError);
-							if (!(msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation")) || attempt >= maxAttempts) break;
-							const delay = 5e3 * Math.pow(2, attempt);
-							logger.debug(`  ⏳ Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/${maxAttempts})`);
-							await new Promise((resolve) => setTimeout(resolve, delay));
-						}
-						if (lastDeleteError) throw lastDeleteError;
-					}, {
-						warnAfterMs,
-						timeoutMs,
-						onWarn: (elapsedMs) => {
-							const minutes = Math.max(1, Math.round(elapsedMs / 6e4));
-							renderer.updateTaskLabel(logicalId, `${baseLabel} [taking longer than expected, ${minutes}m+]`);
-							renderer.printAbove(() => {
-								logger.warn(`${logicalId} (${resource.resourceType}) has been deleting for ${minutes}m — still waiting`);
-							});
-						},
-						onTimeout: (elapsedMs) => new ResourceTimeoutError(logicalId, resource.resourceType, stackRegion, elapsedMs, "DELETE", timeoutMs)
-					});
-					renderer.removeTask(logicalId);
-					logger.info(`  ${red("✗")} ${bold(logicalId)} ${gray(`(${resource.resourceType})`)} ${red("deleted")}`);
-					result.deletedCount++;
-				} catch (error) {
-					renderer.removeTask(logicalId);
-					const msg = error instanceof Error ? error.message : String(error);
-					if (msg.includes("does not exist") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException")) {
-						logger.debug(`  ${logicalId} already deleted, removing from state`);
-						result.deletedCount++;
-					} else if (error instanceof ResourceTimeoutError) {
-						const wrapped = new ProvisioningError(error.message, resource.resourceType, logicalId, resource.physicalId, error);
-						logger.error(`  ✗ Failed to delete ${logicalId}:`, wrapped.message);
-						result.errorCount++;
-					} else {
-						logger.error(`  ✗ Failed to delete ${logicalId}:`, String(error));
-						result.errorCount++;
-					}
-				} finally {
-					renderer.removeTask(logicalId);
-				}
-			});
-			await Promise.all(deletePromises);
-		}
-		if (result.errorCount === 0) {
-			await ctx.stateBackend.deleteState(stackName, regionForState);
-			logger.debug("State deleted");
-			if (ctx.exportIndexStore) await ctx.exportIndexStore.removeStack(stackName, regionForState);
-		} else logger.warn(`${result.errorCount} resource(s) failed to delete. State preserved.`);
-		const retainedSuffix = result.retainedCount > 0 ? `, ${result.retainedCount} retained` : "";
-		if (result.errorCount === 0) logger.info(`\n${green("✓")} ${bold(`Stack ${stackName} destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${result.errorCount} errors)`);
-		else logger.warn(`\n${yellow("⚠")} ${bold(`Stack ${stackName} partially destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${red(result.errorCount)} errors). State preserved — re-run 'cdkd destroy' / 'cdkd state destroy' to clean up.`);
-	} finally {
-		renderer.stop();
-		logger.debug("Releasing lock...");
-		await ctx.lockManager.releaseLock(stackName, regionForState);
-		if (destroyAwsClients) {
-			destroyAwsClients.destroy();
-			process.env["AWS_REGION"] = ctx.baseRegion;
-			process.env["AWS_DEFAULT_REGION"] = ctx.baseRegion;
-			setAwsClients(ctx.baseAwsClients);
-		}
-	}
-	return result;
-}
-/**
-* Strong-reference scan: read every other stack's state.json from the
-* state bucket and check whether any of its `imports[]` entries names
-* `producerStack`. Returns the list of offending consumers (possibly
-* empty).
-*
-* NEVER trusts the persistent exports index — a stale index could miss
-* a freshly-recorded consumer and let a destructive destroy through.
-* The cost is one `listStacks` + N parallel GETs at destroy time only
-* (not the deploy hot path), which the user-facing UX rationalizes as
-* the "destroy is slow OK" trade-off (Issue #343).
-*/
-async function scanActiveConsumers(producerStack, producerRegion, ctx) {
-	const refs = await ctx.stateBackend.listStacks();
-	return (await Promise.all(refs.map(async (ref) => {
-		const region = ref.region ?? ctx.baseRegion;
-		if (ref.stackName === producerStack && region === producerRegion) return null;
-		try {
-			const imports = (await ctx.stateBackend.getState(ref.stackName, region))?.state.imports;
-			if (!imports || imports.length === 0) return null;
-			const matches = imports.filter((entry) => entry.sourceStack === producerStack && entry.sourceRegion === producerRegion);
-			if (matches.length === 0) return null;
-			return matches.map((entry) => ({
-				consumerStack: ref.stackName,
-				consumerRegion: region,
-				exportName: entry.exportName
-			}));
-		} catch {
-			return null;
-		}
-	}))).filter((r) => r !== null).flat();
-}
 //#endregion
 //#region src/cli/commands/destroy.ts
 /**
@@ -32904,6 +33183,7 @@ async function destroyCommand(stackArgs, options) {
 			return;
 		}
 		logger.info(`Found ${stackNames.length} stack(s) to destroy: ${stackNames.join(", ")}`);
+		const accountId = "unknown";
 		const stateRefsByName = /* @__PURE__ */ new Map();
 		for (const ref of allStateRefs) {
 			const arr = stateRefsByName.get(ref.stackName) ?? [];
@@ -32941,7 +33221,25 @@ async function destroyCommand(stackArgs, options) {
 				logger.warn(`No state found for stack ${stackName}, skipping`);
 				continue;
 			}
-			const result = await runDestroyForStack(stackName, stateResult.state, {
+			const result = await withNestedStackContext({
+				stateBackend,
+				lockManager,
+				providerRegistry,
+				parentStackName: stackName,
+				parentRegion: stackTargetRegion,
+				accountId,
+				awsClients,
+				stateBucket,
+				exportIndexStore,
+				destroyOptions: {
+					...options.profile && { profile: options.profile },
+					...options.removeProtection === true && { removeProtection: true },
+					...options.resourceWarnAfter?.globalMs !== void 0 && { resourceWarnAfterMs: options.resourceWarnAfter.globalMs },
+					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
+					...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
+					...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
+				}
+			}, () => runDestroyForStack(stackName, stateResult.state, {
 				stateBackend,
 				lockManager,
 				providerRegistry,
@@ -32956,7 +33254,7 @@ async function destroyCommand(stackArgs, options) {
 				...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
 				...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
 				...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
-			});
+			}));
 			totalErrors += result.errorCount;
 		}
 		if (totalErrors > 0) throw new PartialFailureError(`Destroy completed with ${totalErrors} resource error(s). State preserved — inspect 'cdkd state show <stack>' and re-run 'cdkd destroy' to retry.`);
@@ -34690,7 +34988,25 @@ async function stateDestroyCommand(stackArgs, options) {
 					logger.warn(`No state found for stack ${stackName}${ref.region ? ` in ${ref.region}` : ""}, skipping`);
 					continue;
 				}
-				const result = await runDestroyForStack(stackName, stateResult.state, {
+				const result = await withNestedStackContext({
+					stateBackend: setup.stateBackend,
+					lockManager: setup.lockManager,
+					providerRegistry,
+					parentStackName: stackName,
+					parentRegion: ref.region ?? setup.region,
+					accountId: "unknown",
+					awsClients: setup.awsClients,
+					stateBucket: setup.bucket,
+					exportIndexStore: setup.exportIndexStore,
+					destroyOptions: {
+						...options.profile && { profile: options.profile },
+						...options.removeProtection === true && { removeProtection: true },
+						...options.resourceWarnAfter?.globalMs !== void 0 && { resourceWarnAfterMs: options.resourceWarnAfter.globalMs },
+						...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
+						...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
+						...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
+					}
+				}, () => runDestroyForStack(stackName, stateResult.state, {
 					stateBackend: setup.stateBackend,
 					lockManager: setup.lockManager,
 					providerRegistry,
@@ -34705,7 +35021,7 @@ async function stateDestroyCommand(stackArgs, options) {
 					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
 					...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
 					...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
-				});
+				}));
 				totalErrors += result.errorCount;
 			}
 		}
@@ -52812,8 +53128,11 @@ function createLocalCommand() {
 *
 *   - `AWS::CDK::Metadata` is a CDK sentinel; not a real AWS resource and
 *     CFn refuses to import it.
-*   - `AWS::CloudFormation::Stack` is a nested stack reference; importing
-*     means re-creating the child stack, not adopting AWS resources.
+*   - `AWS::CloudFormation::Stack` is a nested stack reference. Fresh
+*     `cdkd deploy` of nested stacks IS supported (issue #459), but
+*     moving an existing nested-stack hierarchy from cdkd back into
+*     CloudFormation via `cdkd export` is deferred to the
+*     [#464](https://github.com/go-to-k/cdkd/issues/464) follow-up.
 *   - `AWS::CloudFormation::CustomResource` is the CFn resource type CDK
 *     emits for `new cdk.CustomResource(...)` when no `resourceType` is
 *     passed. Functionally identical to `Custom::*` — Lambda-backed,
@@ -53270,7 +53589,10 @@ async function assertCfnStackAbsent(cfnClient, stackName) {
 * `AWS::CloudFormation::Stack` (nested stacks) is intentionally NOT in
 * this set: CFn would CREATE a duplicate nested stack rather than adopt
 * the existing one, which would conflict with whatever the cdkd state
-* thought it owned. cdkd doesn't deploy nested stacks anyway.
+* thought it owned. Fresh `cdkd deploy` of nested stacks is supported
+* via the recursive `NestedStackProvider` (#459), but `cdkd export`
+* adoption back into CloudFormation is deferred to the
+* [#464](https://github.com/go-to-k/cdkd/issues/464) follow-up.
 *
 * Exported for unit testing.
 */
@@ -54222,10 +54544,14 @@ function compareSemver(a, b) {
 *    different from the metadata-transfer migration this command
 *    provides.
 *
-*  - `AWS::CloudFormation::Stack` — nested stacks. cdkd has no
-*    provider for this type, and the matching `cdk migrate` output
-*    flattens nested stacks into separate generated apps in a way
-*    that doesn't round-trip cleanly. Out of scope for #465.
+*  - `AWS::CloudFormation::Stack` — nested stacks. cdkd's recursive
+*    `NestedStackProvider` handles fresh `cdkd deploy` (#459), but
+*    `cdk migrate` flattens nested stacks into separate generated apps
+*    in a way that doesn't round-trip cleanly into cdkd's parent~child
+*    state-key layout, so the migrate command keeps rejecting them.
+*    Adopting an existing CFn-managed nested-stack hierarchy is
+*    deferred to issue
+*    [#464](https://github.com/go-to-k/cdkd/issues/464).
 *
 *  - `Custom::*` — any user-defined Custom Resource type prefix.
 *    Same rationale as `AWS::CloudFormation::CustomResource`.
@@ -55239,7 +55565,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.143.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.144.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());