@go-to-k/cdkd 0.143.0 → 0.145.0

package/dist/cli.js

@@ -1,7 +1,8 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-EtWSTAje.js";
-import { A as AssetPublisher, B as resolveStateBucketWithDefault, C as applyRoleArnIfSet, D as LockManager, E as TemplateParser, F as getDefaultStateBucketName, G as MIGRATE_TMP_PREFIX, H as warnDeprecatedNoPrefixCliFlag, I as getLegacyStateBucketName, J as AssemblyReader, K as findLargeInlineResources, L as resolveApp, M as WorkGraph, N as buildDockerImage, O as S3StateBackend, P as Synthesizer, Q as CdkdError, R as resolveCaptureObservedState, S as IntrinsicFunctionResolver, T as DagBuilder, U as CFN_TEMPLATE_BODY_LIMIT, V as resolveStateBucketWithDefaultAndSource, W as CFN_TEMPLATE_URL_LIMIT, X as resolveBucketRegion, _ as normalizeAwsTagsToCfn, _t as normalizeAwsError, a as withRetry, at as MissingCdkCliError, b as CloudControlProvider, c as cyan, ct as ResourceTimeoutError, d as red, dt as StackHasActiveImportsError, f as yellow, ft as StackTerminationProtectionError, g as matchesCdkPath, h as CDK_PATH_TAG, i as withResourceDeadline, j as stringifyValue, k as shouldRetainResource, l as gray, lt as ResourceUpdateNotSupportedError, m as collectInlinePolicyNamesManagedBySiblings, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalMigrateError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as PartialFailureError, p as IAMRoleProvider, q as uploadCfnTemplate, r as DeployEngine, rt as LocalStartServiceError, s as bold, st as ProvisioningError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as LocalInvokeBuildError, u as green, ut as RouteDiscoveryError, v as resolveExplicitPhysicalId, vt as withErrorHandling, w as DiffCalculator, x as assertRegionMatch, y as ProviderRegistry, z as resolveSkipPrefix } from "./deploy-engine-Dff3_JMn.js";
+import { A as AssetPublisher, B as resolveStateBucketWithDefault, C as applyRoleArnIfSet, D as LockManager, E as TemplateParser, F as getDefaultStateBucketName, G as MIGRATE_TMP_PREFIX, H as warnDeprecatedNoPrefixCliFlag, I as getLegacyStateBucketName, J as AssemblyReader, K as findLargeInlineResources, L as resolveApp, M as WorkGraph, N as buildDockerImage, O as S3StateBackend, P as Synthesizer, Q as CdkdError, R as resolveCaptureObservedState, S as IntrinsicFunctionResolver, T as DagBuilder, U as CFN_TEMPLATE_BODY_LIMIT, V as resolveStateBucketWithDefaultAndSource, W as CFN_TEMPLATE_URL_LIMIT, X as resolveBucketRegion, _ as normalizeAwsTagsToCfn, _t as normalizeAwsError, a as withRetry, at as MissingCdkCliError, b as CloudControlProvider, c as cyan, ct as ResourceTimeoutError, d as red, dt as StackHasActiveImportsError, f as yellow, ft as StackTerminationProtectionError, g as matchesCdkPath, h as CDK_PATH_TAG, i as withResourceDeadline, j as stringifyValue, k as shouldRetainResource, l as gray, lt as ResourceUpdateNotSupportedError, m as collectInlinePolicyNamesManagedBySiblings, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalMigrateError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as PartialFailureError, p as IAMRoleProvider, q as uploadCfnTemplate, r as DeployEngine, rt as LocalStartServiceError, s as bold, st as ProvisioningError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as LocalInvokeBuildError, u as green, ut as RouteDiscoveryError, v as resolveExplicitPhysicalId, vt as withErrorHandling, w as DiffCalculator, x as assertRegionMatch, y as ProviderRegistry, z as resolveSkipPrefix } from "./deploy-engine-DjnWyAAc.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-BF03Alpe.js";
+import { AsyncLocalStorage } from "node:async_hooks";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagUserCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
@@ -20,6 +21,7 @@ import { CloudFrontClient, CreateCloudFrontOriginAccessIdentityCommand, CreateDi
 import { CloudWatchClient, DeleteAlarmsCommand, DescribeAlarmsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$4, PutMetricAlarmCommand, TagResourceCommand as TagResourceCommand$6, UntagResourceCommand as UntagResourceCommand$6 } from "@aws-sdk/client-cloudwatch";
 import { CloudWatchLogsClient, CreateLogGroupCommand, DeleteDataProtectionPolicyCommand, DeleteIndexPolicyCommand, DeleteLogGroupCommand, DeleteRetentionPolicyCommand, DescribeIndexPoliciesCommand, DescribeLogGroupsCommand, GetDataProtectionPolicyCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$5, PutBearerTokenAuthenticationCommand, PutDataProtectionPolicyCommand, PutIndexPolicyCommand, PutLogGroupDeletionProtectionCommand, PutRetentionPolicyCommand, ResourceAlreadyExistsException, ResourceNotFoundException as ResourceNotFoundException$4, TagResourceCommand as TagResourceCommand$7, UntagResourceCommand as UntagResourceCommand$7 } from "@aws-sdk/client-cloudwatch-logs";
 import { BedrockAgentCoreControlClient, CreateAgentRuntimeCommand, DeleteAgentRuntimeCommand, GetAgentRuntimeCommand, ResourceNotFoundException as ResourceNotFoundException$5, UpdateAgentRuntimeCommand } from "@aws-sdk/client-bedrock-agentcore-control";
+import * as fs from "node:fs";
 import { cpSync, createWriteStream, existsSync, mkdirSync, mkdtempSync, readFileSync, readdirSync, rmSync, statSync, writeFileSync } from "node:fs";
 import * as path from "node:path";
 import { dirname, isAbsolute, join, normalize, resolve } from "node:path";
@@ -27403,7 +27405,17 @@ var EFSProvider = class {
 * Membership grows as each follow-up PR lands. Keep alphabetical
 * to minimize merge conflicts when multiple follow-ups race.
 */
-const SUPPORTED_UPDATE_DESTINATIONS = new Set(["ExtendedS3DestinationConfiguration", "RedshiftDestinationConfiguration"]);
+const SUPPORTED_UPDATE_DESTINATIONS = new Set([
+	"AmazonOpenSearchServerlessDestinationConfiguration",
+	"AmazonopensearchserviceDestinationConfiguration",
+	"ElasticsearchDestinationConfiguration",
+	"ExtendedS3DestinationConfiguration",
+	"HttpEndpointDestinationConfiguration",
+	"IcebergDestinationConfiguration",
+	"RedshiftDestinationConfiguration",
+	"SnowflakeDestinationConfiguration",
+	"SplunkDestinationConfiguration"
+]);
 /**
 * SDK Provider for AWS Kinesis Firehose resources
 *
@@ -27607,18 +27619,85 @@ var FirehoseProvider = class {
 	*     `CloudWatchLoggingOptions`, `Username` / `Password` /
 	*     `RoleARN` / `ClusterJDBCURL`.
 	*
-	* Other destination types (`S3DestinationConfiguration`,
-	* `HttpEndpointDestinationConfiguration`,
-	* `ElasticsearchDestinationConfiguration`,
-	* `AmazonopensearchserviceDestinationConfiguration`,
-	* `SplunkDestinationConfiguration`,
-	* `AmazonOpenSearchServerlessDestinationConfiguration`,
-	* `IcebergDestinationConfiguration`,
-	* `SnowflakeDestinationConfiguration`) stay rejected with a tightened
-	* error message naming the AWS API. Each one is a follow-up to (#549)
-	* — AWS provides `UpdateDestination` for them too, but the per-shape
-	* reverse-mappers are deep and each warrants its own focused PR.
-	* Re-deploy with `cdkd deploy --replace` until they land.
+	*   - `SplunkDestinationConfiguration` (#549) — same flow as
+	*     Redshift: `DescribeDeliveryStream` recovers VersionId +
+	*     DestinationId, then `UpdateDestinationCommand` issues the
+	*     diff with a `SplunkDestinationUpdate` payload produced by
+	*     {@link mapSplunkConfigToUpdate}. Handles `HECEndpoint`,
+	*     `HECEndpointType`, `HECToken`,
+	*     `HECAcknowledgmentTimeoutInSeconds`, `RetryOptions`,
+	*     `S3BackupMode`, `S3Configuration` → `S3Update`,
+	*     `ProcessingConfiguration`, `CloudWatchLoggingOptions`,
+	*     `BufferingHints`, `SecretsManagerConfiguration`. Splunk has
+	*     no S3 backup destination shape (no `S3BackupConfiguration`
+	*     field) — unlike Redshift / ExtendedS3.
+	*
+	*   - `AmazonopensearchserviceDestinationConfiguration` (#549) —
+	*     `AmazonopensearchserviceDestinationUpdate` payload produced
+	*     by {@link mapAmazonopensearchserviceConfigToUpdate}. Handles
+	*     `RoleARN`, `DomainARN`, `ClusterEndpoint`, `IndexName`,
+	*     `TypeName`, `IndexRotationPeriod`, `BufferingHints`,
+	*     `RetryOptions`, `S3Configuration` → `S3Update`,
+	*     `ProcessingConfiguration`, `CloudWatchLoggingOptions`,
+	*     `DocumentIdOptions`. `VpcConfiguration` is read-only on
+	*     AWS-side Update — diffs to that field will not be forwarded
+	*     and surface on the next `cdkd drift` run.
+	*
+	*   - `AmazonOpenSearchServerlessDestinationConfiguration` (#549) —
+	*     `AmazonOpenSearchServerlessDestinationUpdate` payload
+	*     produced by {@link mapAmazonOpenSearchServerlessConfigToUpdate}.
+	*     Simpler than the service variant — `RoleARN`,
+	*     `CollectionEndpoint`, `IndexName`, `BufferingHints`,
+	*     `RetryOptions`, `S3Configuration` → `S3Update`,
+	*     `ProcessingConfiguration`, `CloudWatchLoggingOptions`.
+	*
+	*   - `HttpEndpointDestinationConfiguration` (#549) —
+	*     `HttpEndpointDestinationUpdate` payload produced by
+	*     {@link mapHttpEndpointConfigToUpdate}. Handles
+	*     `EndpointConfiguration`, `BufferingHints`,
+	*     `CloudWatchLoggingOptions`, `RequestConfiguration`,
+	*     `ProcessingConfiguration`, `RoleARN`, `RetryOptions`,
+	*     `S3BackupMode`, `S3Configuration` → `S3Update`,
+	*     `SecretsManagerConfiguration`.
+	*
+	*   - `ElasticsearchDestinationConfiguration` (#549) —
+	*     `ElasticsearchDestinationUpdate` payload produced by
+	*     {@link mapElasticsearchConfigToUpdate}. Legacy variant of
+	*     `Amazonopensearchservice*`; same field shape sans
+	*     `VpcConfiguration` (also read-only on Update).
+	*
+	*   - `IcebergDestinationConfiguration` (#549) —
+	*     `IcebergDestinationUpdate` payload produced by
+	*     {@link mapIcebergConfigToUpdate}. Handles
+	*     `DestinationTableConfigurationList`,
+	*     `SchemaEvolutionConfiguration`,
+	*     `TableCreationConfiguration`, `BufferingHints`,
+	*     `CloudWatchLoggingOptions`, `ProcessingConfiguration`,
+	*     `S3BackupMode`, `RetryOptions`, `RoleARN`, `AppendOnly`,
+	*     `CatalogConfiguration`, `S3Configuration`. **Quirk**: the
+	*     SDK Update shape's S3 field is named `S3Configuration` (full
+	*     `S3DestinationConfiguration` shape), NOT `S3Update` — unlike
+	*     every other destination type. The reverse-mapper forwards it
+	*     verbatim without renaming.
+	*
+	*   - `SnowflakeDestinationConfiguration` (#549) —
+	*     `SnowflakeDestinationUpdate` payload produced by
+	*     {@link mapSnowflakeConfigToUpdate}. Handles many connector
+	*     credentials (`AccountUrl` / `PrivateKey` / `KeyPassphrase` /
+	*     `User` / `Database` / `Schema` / `Table` /
+	*     `SnowflakeRoleConfiguration`) plus the standard suite
+	*     (`DataLoadingOption`, `MetaDataColumnName`,
+	*     `ContentColumnName`, `CloudWatchLoggingOptions`,
+	*     `ProcessingConfiguration`, `RoleARN`, `RetryOptions`,
+	*     `S3BackupMode`, `S3Configuration` → `S3Update`,
+	*     `SecretsManagerConfiguration`, `BufferingHints`).
+	*
+	* The legacy `S3DestinationConfiguration` (deprecated by AWS in
+	* favor of `ExtendedS3DestinationConfiguration`) stays rejected
+	* with a tightened error — CDK constructs always emit Extended.
+	* Templates that still pin the legacy shape should migrate to
+	* Extended; in-place update of the deprecated shape isn't a
+	* priority follow-up.
 	*
 	* Destination-type SWITCHES (e.g. ExtendedS3 → Redshift) are immutable
 	* on AWS; cdkd surfaces `ResourceUpdateNotSupportedError` so the caller
@@ -27646,6 +27725,41 @@ var FirehoseProvider = class {
 			const prevDest = previousProperties[activeDest] ?? {};
 			if (JSON.stringify(nextDest) !== JSON.stringify(prevDest)) await this.applyRedshiftDestinationUpdate(physicalId, nextDest);
 		}
+		if (activeDest === "SplunkDestinationConfiguration") {
+			const nextDest = properties[activeDest] ?? {};
+			const prevDest = previousProperties[activeDest] ?? {};
+			if (JSON.stringify(nextDest) !== JSON.stringify(prevDest)) await this.applySplunkDestinationUpdate(physicalId, nextDest);
+		}
+		if (activeDest === "AmazonopensearchserviceDestinationConfiguration") {
+			const nextDest = properties[activeDest] ?? {};
+			const prevDest = previousProperties[activeDest] ?? {};
+			if (JSON.stringify(nextDest) !== JSON.stringify(prevDest)) await this.applyAmazonopensearchserviceDestinationUpdate(physicalId, nextDest);
+		}
+		if (activeDest === "AmazonOpenSearchServerlessDestinationConfiguration") {
+			const nextDest = properties[activeDest] ?? {};
+			const prevDest = previousProperties[activeDest] ?? {};
+			if (JSON.stringify(nextDest) !== JSON.stringify(prevDest)) await this.applyAmazonOpenSearchServerlessDestinationUpdate(physicalId, nextDest);
+		}
+		if (activeDest === "HttpEndpointDestinationConfiguration") {
+			const nextDest = properties[activeDest] ?? {};
+			const prevDest = previousProperties[activeDest] ?? {};
+			if (JSON.stringify(nextDest) !== JSON.stringify(prevDest)) await this.applyHttpEndpointDestinationUpdate(physicalId, nextDest);
+		}
+		if (activeDest === "ElasticsearchDestinationConfiguration") {
+			const nextDest = properties[activeDest] ?? {};
+			const prevDest = previousProperties[activeDest] ?? {};
+			if (JSON.stringify(nextDest) !== JSON.stringify(prevDest)) await this.applyElasticsearchDestinationUpdate(physicalId, nextDest);
+		}
+		if (activeDest === "IcebergDestinationConfiguration") {
+			const nextDest = properties[activeDest] ?? {};
+			const prevDest = previousProperties[activeDest] ?? {};
+			if (JSON.stringify(nextDest) !== JSON.stringify(prevDest)) await this.applyIcebergDestinationUpdate(physicalId, nextDest);
+		}
+		if (activeDest === "SnowflakeDestinationConfiguration") {
+			const nextDest = properties[activeDest] ?? {};
+			const prevDest = previousProperties[activeDest] ?? {};
+			if (JSON.stringify(nextDest) !== JSON.stringify(prevDest)) await this.applySnowflakeDestinationUpdate(physicalId, nextDest);
+		}
 		const desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
 		return {
 			physicalId,
@@ -27887,6 +28001,304 @@ var FirehoseProvider = class {
 		return result;
 	}
 	/**
+	* Recover `CurrentDeliveryStreamVersionId` + `DestinationId` from
+	* `DescribeDeliveryStream` and issue `UpdateDestination` with the new
+	* Splunk shape. The reverse-mapper at
+	* {@link mapSplunkConfigToUpdate} produces the
+	* `SplunkDestinationUpdate` payload — only fields present in the
+	* input are forwarded so omitted CFn keys don't clobber AWS-side
+	* state. Mirrors {@link applyRedshiftDestinationUpdate} (#549).
+	*/
+	async applySplunkDestinationUpdate(physicalId, nextConfig) {
+		const desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
+		const currentVersionId = desc?.VersionId;
+		const destinationId = (desc?.Destinations?.[0])?.DestinationId;
+		if (!currentVersionId || !destinationId) throw new ProvisioningError(`DescribeDeliveryStream for ${physicalId} did not return VersionId or DestinationId; UpdateDestination cannot proceed.`, "AWS::KinesisFirehose::DeliveryStream", physicalId);
+		await this.getClient().send(new UpdateDestinationCommand({
+			DeliveryStreamName: physicalId,
+			CurrentDeliveryStreamVersionId: currentVersionId,
+			DestinationId: destinationId,
+			SplunkDestinationUpdate: this.mapSplunkConfigToUpdate(nextConfig)
+		}));
+	}
+	/**
+	* Map CFn `SplunkDestinationConfiguration` to the
+	* `SplunkDestinationUpdate` shape used by AWS
+	* `UpdateDestinationCommand` (#549). Every field is `!== undefined`
+	* gated so omitted CFn keys do not clobber AWS-side state. The CFn
+	* `S3Configuration` field is mapped through
+	* {@link mapS3ConfigToUpdate} into the SDK-side `S3Update` slot.
+	* Splunk has no `S3BackupConfiguration` field (unlike Redshift /
+	* ExtendedS3).
+	*/
+	mapSplunkConfigToUpdate(config) {
+		const result = {};
+		if (config["HECEndpoint"] !== void 0) result.HECEndpoint = config["HECEndpoint"];
+		if (config["HECEndpointType"] !== void 0) result.HECEndpointType = config["HECEndpointType"];
+		if (config["HECToken"] !== void 0) result.HECToken = config["HECToken"];
+		if (config["HECAcknowledgmentTimeoutInSeconds"] !== void 0) result.HECAcknowledgmentTimeoutInSeconds = config["HECAcknowledgmentTimeoutInSeconds"];
+		if (config["RetryOptions"] !== void 0) result.RetryOptions = config["RetryOptions"];
+		if (config["S3BackupMode"] !== void 0) result.S3BackupMode = config["S3BackupMode"];
+		if (config["S3Configuration"] !== void 0) result.S3Update = this.mapS3ConfigToUpdate(config["S3Configuration"]);
+		if (config["ProcessingConfiguration"] !== void 0) result.ProcessingConfiguration = config["ProcessingConfiguration"];
+		if (config["CloudWatchLoggingOptions"] !== void 0) result.CloudWatchLoggingOptions = config["CloudWatchLoggingOptions"];
+		if (config["BufferingHints"] !== void 0) result.BufferingHints = config["BufferingHints"];
+		if (config["SecretsManagerConfiguration"] !== void 0) result.SecretsManagerConfiguration = config["SecretsManagerConfiguration"];
+		return result;
+	}
+	/**
+	* Apply UpdateDestination for `AmazonopensearchserviceDestinationConfiguration` (#549).
+	* Mirrors {@link applyRedshiftDestinationUpdate}.
+	*/
+	async applyAmazonopensearchserviceDestinationUpdate(physicalId, nextConfig) {
+		const desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
+		const currentVersionId = desc?.VersionId;
+		const destinationId = desc?.Destinations?.[0]?.DestinationId;
+		if (!currentVersionId || !destinationId) throw new ProvisioningError(`DescribeDeliveryStream for ${physicalId} did not return VersionId or DestinationId; UpdateDestination cannot proceed.`, "AWS::KinesisFirehose::DeliveryStream", physicalId);
+		await this.getClient().send(new UpdateDestinationCommand({
+			DeliveryStreamName: physicalId,
+			CurrentDeliveryStreamVersionId: currentVersionId,
+			DestinationId: destinationId,
+			AmazonopensearchserviceDestinationUpdate: this.mapAmazonopensearchserviceConfigToUpdate(nextConfig)
+		}));
+	}
+	/**
+	* Map CFn `AmazonopensearchserviceDestinationConfiguration` to the
+	* `AmazonopensearchserviceDestinationUpdate` shape (#549). Every field
+	* `!== undefined` gated. CFn `S3Configuration` → SDK `S3Update`.
+	* `VpcConfiguration` is intentionally NOT included — the SDK Update
+	* shape has no field for it (AWS treats Vpc placement as immutable
+	* post-create). VpcConfiguration-only diffs will surface on the next
+	* `cdkd drift` run if the user re-applies a different Vpc on the
+	* console side.
+	*/
+	mapAmazonopensearchserviceConfigToUpdate(config) {
+		const result = {};
+		const roleArn = config["RoleARN"] ?? config["RoleArn"];
+		if (roleArn !== void 0) result.RoleARN = roleArn;
+		const domainArn = config["DomainARN"] ?? config["DomainArn"];
+		if (domainArn !== void 0) result.DomainARN = domainArn;
+		if (config["ClusterEndpoint"] !== void 0) result.ClusterEndpoint = config["ClusterEndpoint"];
+		if (config["IndexName"] !== void 0) result.IndexName = config["IndexName"];
+		if (config["TypeName"] !== void 0) result.TypeName = config["TypeName"];
+		if (config["IndexRotationPeriod"] !== void 0) result.IndexRotationPeriod = config["IndexRotationPeriod"];
+		if (config["BufferingHints"] !== void 0) result.BufferingHints = config["BufferingHints"];
+		if (config["RetryOptions"] !== void 0) result.RetryOptions = config["RetryOptions"];
+		if (config["S3Configuration"] !== void 0) result.S3Update = this.mapS3ConfigToUpdate(config["S3Configuration"]);
+		if (config["ProcessingConfiguration"] !== void 0) result.ProcessingConfiguration = config["ProcessingConfiguration"];
+		if (config["CloudWatchLoggingOptions"] !== void 0) result.CloudWatchLoggingOptions = config["CloudWatchLoggingOptions"];
+		if (config["DocumentIdOptions"] !== void 0) result.DocumentIdOptions = config["DocumentIdOptions"];
+		return result;
+	}
+	/**
+	* Apply UpdateDestination for `AmazonOpenSearchServerlessDestinationConfiguration` (#549).
+	* Mirrors {@link applyRedshiftDestinationUpdate}.
+	*/
+	async applyAmazonOpenSearchServerlessDestinationUpdate(physicalId, nextConfig) {
+		const desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
+		const currentVersionId = desc?.VersionId;
+		const destinationId = desc?.Destinations?.[0]?.DestinationId;
+		if (!currentVersionId || !destinationId) throw new ProvisioningError(`DescribeDeliveryStream for ${physicalId} did not return VersionId or DestinationId; UpdateDestination cannot proceed.`, "AWS::KinesisFirehose::DeliveryStream", physicalId);
+		await this.getClient().send(new UpdateDestinationCommand({
+			DeliveryStreamName: physicalId,
+			CurrentDeliveryStreamVersionId: currentVersionId,
+			DestinationId: destinationId,
+			AmazonOpenSearchServerlessDestinationUpdate: this.mapAmazonOpenSearchServerlessConfigToUpdate(nextConfig)
+		}));
+	}
+	/**
+	* Map CFn `AmazonOpenSearchServerlessDestinationConfiguration` to the
+	* `AmazonOpenSearchServerlessDestinationUpdate` shape (#549). Every
+	* field `!== undefined` gated. CFn `S3Configuration` → SDK `S3Update`.
+	* Simpler than the service variant — no VpcConfiguration / TypeName /
+	* IndexRotationPeriod / DocumentIdOptions.
+	*/
+	mapAmazonOpenSearchServerlessConfigToUpdate(config) {
+		const result = {};
+		const roleArn = config["RoleARN"] ?? config["RoleArn"];
+		if (roleArn !== void 0) result.RoleARN = roleArn;
+		if (config["CollectionEndpoint"] !== void 0) result.CollectionEndpoint = config["CollectionEndpoint"];
+		if (config["IndexName"] !== void 0) result.IndexName = config["IndexName"];
+		if (config["BufferingHints"] !== void 0) result.BufferingHints = config["BufferingHints"];
+		if (config["RetryOptions"] !== void 0) result.RetryOptions = config["RetryOptions"];
+		if (config["S3Configuration"] !== void 0) result.S3Update = this.mapS3ConfigToUpdate(config["S3Configuration"]);
+		if (config["ProcessingConfiguration"] !== void 0) result.ProcessingConfiguration = config["ProcessingConfiguration"];
+		if (config["CloudWatchLoggingOptions"] !== void 0) result.CloudWatchLoggingOptions = config["CloudWatchLoggingOptions"];
+		return result;
+	}
+	/**
+	* Apply UpdateDestination for `HttpEndpointDestinationConfiguration` (#549).
+	* Mirrors {@link applyRedshiftDestinationUpdate}.
+	*/
+	async applyHttpEndpointDestinationUpdate(physicalId, nextConfig) {
+		const desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
+		const currentVersionId = desc?.VersionId;
+		const destinationId = desc?.Destinations?.[0]?.DestinationId;
+		if (!currentVersionId || !destinationId) throw new ProvisioningError(`DescribeDeliveryStream for ${physicalId} did not return VersionId or DestinationId; UpdateDestination cannot proceed.`, "AWS::KinesisFirehose::DeliveryStream", physicalId);
+		await this.getClient().send(new UpdateDestinationCommand({
+			DeliveryStreamName: physicalId,
+			CurrentDeliveryStreamVersionId: currentVersionId,
+			DestinationId: destinationId,
+			HttpEndpointDestinationUpdate: this.mapHttpEndpointConfigToUpdate(nextConfig)
+		}));
+	}
+	/**
+	* Map CFn `HttpEndpointDestinationConfiguration` to the
+	* `HttpEndpointDestinationUpdate` shape (#549). Every field
+	* `!== undefined` gated. CFn `S3Configuration` → SDK `S3Update`.
+	* `EndpointConfiguration` (Url / Name / AccessKey) and
+	* `SecretsManagerConfiguration` are both pass-through (AWS accepts
+	* either auth mode on Update).
+	*/
+	mapHttpEndpointConfigToUpdate(config) {
+		const result = {};
+		if (config["EndpointConfiguration"] !== void 0) result.EndpointConfiguration = config["EndpointConfiguration"];
+		if (config["BufferingHints"] !== void 0) result.BufferingHints = config["BufferingHints"];
+		if (config["CloudWatchLoggingOptions"] !== void 0) result.CloudWatchLoggingOptions = config["CloudWatchLoggingOptions"];
+		if (config["RequestConfiguration"] !== void 0) result.RequestConfiguration = config["RequestConfiguration"];
+		if (config["ProcessingConfiguration"] !== void 0) result.ProcessingConfiguration = config["ProcessingConfiguration"];
+		const roleArn = config["RoleARN"] ?? config["RoleArn"];
+		if (roleArn !== void 0) result.RoleARN = roleArn;
+		if (config["RetryOptions"] !== void 0) result.RetryOptions = config["RetryOptions"];
+		if (config["S3BackupMode"] !== void 0) result.S3BackupMode = config["S3BackupMode"];
+		if (config["S3Configuration"] !== void 0) result.S3Update = this.mapS3ConfigToUpdate(config["S3Configuration"]);
+		if (config["SecretsManagerConfiguration"] !== void 0) result.SecretsManagerConfiguration = config["SecretsManagerConfiguration"];
+		return result;
+	}
+	/**
+	* Apply UpdateDestination for `ElasticsearchDestinationConfiguration` (#549).
+	* Mirrors {@link applyRedshiftDestinationUpdate}. Elasticsearch is the
+	* legacy variant — AWS still accepts it for stacks that pre-date the
+	* Amazonopensearchservice rename.
+	*/
+	async applyElasticsearchDestinationUpdate(physicalId, nextConfig) {
+		const desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
+		const currentVersionId = desc?.VersionId;
+		const destinationId = desc?.Destinations?.[0]?.DestinationId;
+		if (!currentVersionId || !destinationId) throw new ProvisioningError(`DescribeDeliveryStream for ${physicalId} did not return VersionId or DestinationId; UpdateDestination cannot proceed.`, "AWS::KinesisFirehose::DeliveryStream", physicalId);
+		await this.getClient().send(new UpdateDestinationCommand({
+			DeliveryStreamName: physicalId,
+			CurrentDeliveryStreamVersionId: currentVersionId,
+			DestinationId: destinationId,
+			ElasticsearchDestinationUpdate: this.mapElasticsearchConfigToUpdate(nextConfig)
+		}));
+	}
+	/**
+	* Map CFn `ElasticsearchDestinationConfiguration` to the
+	* `ElasticsearchDestinationUpdate` shape (#549). Every field
+	* `!== undefined` gated. CFn `S3Configuration` → SDK `S3Update`.
+	* Field set mirrors {@link mapAmazonopensearchserviceConfigToUpdate}
+	* — Elasticsearch is the legacy variant of the same destination.
+	*/
+	mapElasticsearchConfigToUpdate(config) {
+		const result = {};
+		const roleArn = config["RoleARN"] ?? config["RoleArn"];
+		if (roleArn !== void 0) result.RoleARN = roleArn;
+		const domainArn = config["DomainARN"] ?? config["DomainArn"];
+		if (domainArn !== void 0) result.DomainARN = domainArn;
+		if (config["ClusterEndpoint"] !== void 0) result.ClusterEndpoint = config["ClusterEndpoint"];
+		if (config["IndexName"] !== void 0) result.IndexName = config["IndexName"];
+		if (config["TypeName"] !== void 0) result.TypeName = config["TypeName"];
+		if (config["IndexRotationPeriod"] !== void 0) result.IndexRotationPeriod = config["IndexRotationPeriod"];
+		if (config["BufferingHints"] !== void 0) result.BufferingHints = config["BufferingHints"];
+		if (config["RetryOptions"] !== void 0) result.RetryOptions = config["RetryOptions"];
+		if (config["S3Configuration"] !== void 0) result.S3Update = this.mapS3ConfigToUpdate(config["S3Configuration"]);
+		if (config["ProcessingConfiguration"] !== void 0) result.ProcessingConfiguration = config["ProcessingConfiguration"];
+		if (config["CloudWatchLoggingOptions"] !== void 0) result.CloudWatchLoggingOptions = config["CloudWatchLoggingOptions"];
+		if (config["DocumentIdOptions"] !== void 0) result.DocumentIdOptions = config["DocumentIdOptions"];
+		return result;
+	}
+	/**
+	* Apply UpdateDestination for `IcebergDestinationConfiguration` (#549).
+	* Mirrors {@link applyRedshiftDestinationUpdate}.
+	*/
+	async applyIcebergDestinationUpdate(physicalId, nextConfig) {
+		const desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
+		const currentVersionId = desc?.VersionId;
+		const destinationId = desc?.Destinations?.[0]?.DestinationId;
+		if (!currentVersionId || !destinationId) throw new ProvisioningError(`DescribeDeliveryStream for ${physicalId} did not return VersionId or DestinationId; UpdateDestination cannot proceed.`, "AWS::KinesisFirehose::DeliveryStream", physicalId);
+		await this.getClient().send(new UpdateDestinationCommand({
+			DeliveryStreamName: physicalId,
+			CurrentDeliveryStreamVersionId: currentVersionId,
+			DestinationId: destinationId,
+			IcebergDestinationUpdate: this.mapIcebergConfigToUpdate(nextConfig)
+		}));
+	}
+	/**
+	* Map CFn `IcebergDestinationConfiguration` to the
+	* `IcebergDestinationUpdate` shape (#549). Every field
+	* `!== undefined` gated. **Quirk vs every other destination**: the
+	* SDK Update shape's S3 field is `S3Configuration` (a full
+	* `S3DestinationConfiguration`), NOT `S3Update`. Iceberg is a newer
+	* destination type and AWS chose to keep the field name aligned with
+	* the create shape; this reverse-mapper forwards it verbatim.
+	*/
+	mapIcebergConfigToUpdate(config) {
+		const result = {};
+		if (config["DestinationTableConfigurationList"] !== void 0) result.DestinationTableConfigurationList = config["DestinationTableConfigurationList"];
+		if (config["SchemaEvolutionConfiguration"] !== void 0) result.SchemaEvolutionConfiguration = config["SchemaEvolutionConfiguration"];
+		if (config["TableCreationConfiguration"] !== void 0) result.TableCreationConfiguration = config["TableCreationConfiguration"];
+		if (config["BufferingHints"] !== void 0) result.BufferingHints = config["BufferingHints"];
+		if (config["CloudWatchLoggingOptions"] !== void 0) result.CloudWatchLoggingOptions = config["CloudWatchLoggingOptions"];
+		if (config["ProcessingConfiguration"] !== void 0) result.ProcessingConfiguration = config["ProcessingConfiguration"];
+		if (config["S3BackupMode"] !== void 0) result.S3BackupMode = config["S3BackupMode"];
+		if (config["RetryOptions"] !== void 0) result.RetryOptions = config["RetryOptions"];
+		const roleArn = config["RoleARN"] ?? config["RoleArn"];
+		if (roleArn !== void 0) result.RoleARN = roleArn;
+		if (config["AppendOnly"] !== void 0) result.AppendOnly = config["AppendOnly"];
+		if (config["CatalogConfiguration"] !== void 0) result.CatalogConfiguration = config["CatalogConfiguration"];
+		if (config["S3Configuration"] !== void 0) result.S3Configuration = this.mapS3DestinationConfiguration(config["S3Configuration"]);
+		return result;
+	}
+	/**
+	* Apply UpdateDestination for `SnowflakeDestinationConfiguration` (#549).
+	* Mirrors {@link applyRedshiftDestinationUpdate}.
+	*/
+	async applySnowflakeDestinationUpdate(physicalId, nextConfig) {
+		const desc = (await this.getClient().send(new DescribeDeliveryStreamCommand({ DeliveryStreamName: physicalId }))).DeliveryStreamDescription;
+		const currentVersionId = desc?.VersionId;
+		const destinationId = desc?.Destinations?.[0]?.DestinationId;
+		if (!currentVersionId || !destinationId) throw new ProvisioningError(`DescribeDeliveryStream for ${physicalId} did not return VersionId or DestinationId; UpdateDestination cannot proceed.`, "AWS::KinesisFirehose::DeliveryStream", physicalId);
+		await this.getClient().send(new UpdateDestinationCommand({
+			DeliveryStreamName: physicalId,
+			CurrentDeliveryStreamVersionId: currentVersionId,
+			DestinationId: destinationId,
+			SnowflakeDestinationUpdate: this.mapSnowflakeConfigToUpdate(nextConfig)
+		}));
+	}
+	/**
+	* Map CFn `SnowflakeDestinationConfiguration` to the
+	* `SnowflakeDestinationUpdate` shape (#549). Every field
+	* `!== undefined` gated. CFn `S3Configuration` → SDK `S3Update`.
+	* Snowflake carries many connector-side credential / target-table
+	* fields (`AccountUrl` / `PrivateKey` / `KeyPassphrase` / `User` /
+	* `Database` / `Schema` / `Table`) all pass-through.
+	*/
+	mapSnowflakeConfigToUpdate(config) {
+		const result = {};
+		if (config["AccountUrl"] !== void 0) result.AccountUrl = config["AccountUrl"];
+		if (config["PrivateKey"] !== void 0) result.PrivateKey = config["PrivateKey"];
+		if (config["KeyPassphrase"] !== void 0) result.KeyPassphrase = config["KeyPassphrase"];
+		if (config["User"] !== void 0) result.User = config["User"];
+		if (config["Database"] !== void 0) result.Database = config["Database"];
+		if (config["Schema"] !== void 0) result.Schema = config["Schema"];
+		if (config["Table"] !== void 0) result.Table = config["Table"];
+		if (config["SnowflakeRoleConfiguration"] !== void 0) result.SnowflakeRoleConfiguration = config["SnowflakeRoleConfiguration"];
+		if (config["DataLoadingOption"] !== void 0) result.DataLoadingOption = config["DataLoadingOption"];
+		if (config["MetaDataColumnName"] !== void 0) result.MetaDataColumnName = config["MetaDataColumnName"];
+		if (config["ContentColumnName"] !== void 0) result.ContentColumnName = config["ContentColumnName"];
+		if (config["CloudWatchLoggingOptions"] !== void 0) result.CloudWatchLoggingOptions = config["CloudWatchLoggingOptions"];
+		if (config["ProcessingConfiguration"] !== void 0) result.ProcessingConfiguration = config["ProcessingConfiguration"];
+		const roleArn = config["RoleARN"] ?? config["RoleArn"];
+		if (roleArn !== void 0) result.RoleARN = roleArn;
+		if (config["RetryOptions"] !== void 0) result.RetryOptions = config["RetryOptions"];
+		if (config["S3BackupMode"] !== void 0) result.S3BackupMode = config["S3BackupMode"];
+		if (config["S3Configuration"] !== void 0) result.S3Update = this.mapS3ConfigToUpdate(config["S3Configuration"]);
+		if (config["SecretsManagerConfiguration"] !== void 0) result.SecretsManagerConfiguration = config["SecretsManagerConfiguration"];
+		if (config["BufferingHints"] !== void 0) result.BufferingHints = config["BufferingHints"];
+		return result;
+	}
+	/**
 	* Map CFn `S3DestinationConfiguration` to the `S3DestinationUpdate`
 	* shape used by AWS `UpdateDestinationCommand` (#477; consumed by
 	* {@link mapExtendedS3ConfigToUpdate} for the `S3BackupUpdate` field).
@@ -30944,6 +31356,602 @@ function mapNotificationsToCfn(configurations) {
 	return result;
 }
 
+//#endregion
+//#region src/cli/commands/destroy-runner.ts
+/**
+* Resource-type → state-property name pairs that gate AWS deletion
+* protection. Used by the `--remove-protection` confirmation prompt to
+* report a best-effort count of resources that will have protection
+* cleared. The actual flip-off is unconditional inside each provider's
+* `delete()` (idempotent — safe when AWS already has protection off),
+* so the count is informational only.
+*
+* Most types use a boolean flag — the value `true` is what we count.
+* Two types use a string-valued enum (Cognito UserPool's
+* `DeletionProtection` is `'ACTIVE' | 'INACTIVE'`, AutoScalingGroup's
+* `DeletionProtection` is `'none' | 'prevent-force-deletion' |
+* 'prevent-all-deletion'`). For those, the helper checks against a
+* per-type set of "active" values via `PROTECTION_ACTIVE_VALUES_BY_TYPE`.
+*
+* Exported for unit-test coverage of `countProtectedResources`.
+*/
+const PROTECTION_PROPERTY_BY_TYPE = {
+	"AWS::Logs::LogGroup": "DeletionProtectionEnabled",
+	"AWS::RDS::DBInstance": "DeletionProtection",
+	"AWS::RDS::DBCluster": "DeletionProtection",
+	"AWS::DocDB::DBCluster": "DeletionProtection",
+	"AWS::Neptune::DBCluster": "DeletionProtection",
+	"AWS::Neptune::DBInstance": "DeletionProtection",
+	"AWS::DynamoDB::Table": "DeletionProtectionEnabled",
+	"AWS::DynamoDB::GlobalTable": "DeletionProtectionEnabled",
+	"AWS::EC2::Instance": "DisableApiTermination",
+	"AWS::Cognito::UserPool": "DeletionProtection",
+	"AWS::AutoScaling::AutoScalingGroup": "DeletionProtection"
+};
+/**
+* For string-valued protection enums, the set of values that count as
+* "currently protected". Types absent from this map use the default
+* (boolean `true`).
+*/
+const PROTECTION_ACTIVE_VALUES_BY_TYPE = {
+	"AWS::Cognito::UserPool": new Set(["ACTIVE"]),
+	"AWS::AutoScaling::AutoScalingGroup": new Set(["prevent-force-deletion", "prevent-all-deletion"])
+};
+/**
+* Count how many resources in a stack's recorded state appear to have
+* deletion protection enabled. Walks `properties` and `observedProperties`
+* for the property name registered against each resource type in
+* `PROTECTION_PROPERTY_BY_TYPE`. ELBv2 LoadBalancer protection lives in
+* `LoadBalancerAttributes` (a CFn `Array<{Key, Value}>`), so it's
+* handled separately via the `deletion_protection.enabled` key.
+*/
+function countProtectedResources(state) {
+	let count = 0;
+	for (const resource of Object.values(state.resources ?? {})) {
+		const propName = PROTECTION_PROPERTY_BY_TYPE[resource.resourceType];
+		if (propName) {
+			const recorded = resource.properties?.[propName] ?? resource.observedProperties?.[propName];
+			const activeValues = PROTECTION_ACTIVE_VALUES_BY_TYPE[resource.resourceType];
+			if (activeValues) {
+				if (activeValues.has(recorded)) count++;
+			} else if (recorded === true) count++;
+			continue;
+		}
+		if (resource.resourceType === "AWS::ElasticLoadBalancingV2::LoadBalancer") {
+			if (((resource.properties?.["LoadBalancerAttributes"] ?? resource.observedProperties?.["LoadBalancerAttributes"])?.find((a) => a?.Key === "deletion_protection.enabled"))?.Value === "true") count++;
+		}
+	}
+	return count;
+}
+/**
+* Run the destroy lifecycle for one stack against an already-loaded
+* `StackState`, reusing the caller's state backend / lock manager.
+*
+* Hoisted from `cdkd destroy` so the new `cdkd state destroy` subcommand
+* can call into the exact same per-stack pipeline without depending on
+* synth or the CDK app. The state-source split is the only meaningful
+* difference between the two commands — everything from "prompt the user"
+* onwards is identical.
+*
+* Side effects:
+* - Acquires (and releases) the stack's S3 lock.
+* - Switches `process.env.AWS_REGION` for the duration of the destroy when
+*   the stack's recorded region differs from `baseRegion`. Restored in the
+*   `finally` block.
+* - On full success, deletes the state file. On any failure, the state
+*   file is preserved so the user can retry.
+*/
+async function runDestroyForStack(stackName, state, ctx) {
+	const logger = getLogger();
+	const result = {
+		stackName,
+		cancelled: false,
+		skippedEmpty: false,
+		deletedCount: 0,
+		retainedCount: 0,
+		errorCount: 0
+	};
+	const resourceCount = Object.keys(state.resources).length;
+	const regionForState = state.region ?? ctx.baseRegion;
+	if (resourceCount === 0) {
+		logger.info(`Stack ${stackName} has no resources, cleaning up state...`);
+		await ctx.stateBackend.deleteState(stackName, regionForState);
+		logger.info(`${green("✓")} State deleted`);
+		result.skippedEmpty = true;
+		return result;
+	}
+	const needsStrongRefCheck = !!(state.outputs && Object.keys(state.outputs).length > 0);
+	if (needsStrongRefCheck) {
+		const consumers = await scanActiveConsumers(stackName, regionForState, ctx);
+		if (consumers.length > 0) throw new StackHasActiveImportsError(stackName, regionForState, consumers);
+	}
+	logger.info(`\nResources to be deleted (${resourceCount}):`);
+	for (const [logicalId, resource] of Object.entries(state.resources)) logger.info(`  - ${logicalId} (${resource.resourceType})`);
+	const protectedCount = ctx.removeProtection ? countProtectedResources(state) : 0;
+	if (!ctx.skipConfirmation) {
+		const rl = readline.createInterface({
+			input: process.stdin,
+			output: process.stdout
+		});
+		const prompt = ctx.removeProtection ? `\nAbout to destroy ${resourceCount} resources from stack "${stackName}", REMOVING DELETION PROTECTION on ${protectedCount} of them. Continue? (y/N): ` : `\nAre you sure you want to destroy stack "${stackName}" and delete all ${resourceCount} resources? (Y/n): `;
+		const answer = await rl.question(prompt);
+		rl.close();
+		const trimmed = answer.trim().toLowerCase();
+		if (ctx.removeProtection) {
+			if (trimmed !== "y" && trimmed !== "yes") {
+				logger.info("Destroy cancelled");
+				result.cancelled = true;
+				return result;
+			}
+		} else if (trimmed === "n" || trimmed === "no") {
+			logger.info("Destroy cancelled");
+			result.cancelled = true;
+			return result;
+		}
+	}
+	const stackRegion = state.region;
+	let destroyProviderRegistry = ctx.providerRegistry;
+	let destroyAwsClients;
+	if (stackRegion && stackRegion !== ctx.baseRegion) {
+		logger.info(`Stack region: ${stackRegion}`);
+		process.env["AWS_REGION"] = stackRegion;
+		process.env["AWS_DEFAULT_REGION"] = stackRegion;
+		destroyAwsClients = new AwsClients({
+			region: stackRegion,
+			...ctx.profile && { profile: ctx.profile }
+		});
+		setAwsClients(destroyAwsClients);
+		destroyProviderRegistry = new ProviderRegistry();
+		registerAllProviders(destroyProviderRegistry);
+		destroyProviderRegistry.setCustomResourceResponseBucket(ctx.stateBucket);
+	}
+	logger.info(`\nAcquiring lock for stack ${stackName}...`);
+	await ctx.lockManager.acquireLock(stackName, regionForState, void 0, "destroy");
+	if (needsStrongRefCheck) {
+		const consumers = await scanActiveConsumers(stackName, regionForState, ctx);
+		if (consumers.length > 0) {
+			try {
+				await ctx.lockManager.releaseLock(stackName, regionForState);
+			} catch (releaseErr) {
+				logger.warn(`Failed to release lock after strong-ref refusal: ${releaseErr instanceof Error ? releaseErr.message : String(releaseErr)}`);
+			}
+			throw new StackHasActiveImportsError(stackName, regionForState, consumers);
+		}
+	}
+	const renderer = getLiveRenderer();
+	renderer.start();
+	try {
+		logger.info("Building dependency graph...");
+		const template = {
+			AWSTemplateFormatVersion: "2010-09-09",
+			Resources: {}
+		};
+		for (const [logicalId, resource] of Object.entries(state.resources)) template.Resources[logicalId] = {
+			Type: resource.resourceType,
+			Properties: resource.properties || {},
+			...resource.dependencies && resource.dependencies.length > 0 && { DependsOn: resource.dependencies }
+		};
+		const typeToLogicalIds = /* @__PURE__ */ new Map();
+		for (const [logicalId, resource] of Object.entries(state.resources)) {
+			const ids = typeToLogicalIds.get(resource.resourceType) ?? [];
+			ids.push(logicalId);
+			typeToLogicalIds.set(resource.resourceType, ids);
+		}
+		for (const [logicalId, resource] of Object.entries(state.resources)) {
+			const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
+			if (!mustDeleteAfter) continue;
+			for (const depType of mustDeleteAfter) {
+				const depIds = typeToLogicalIds.get(depType);
+				if (!depIds) continue;
+				for (const depId of depIds) {
+					const existing = template.Resources[depId]?.DependsOn ?? [];
+					const depsArray = Array.isArray(existing) ? existing : [existing];
+					if (!depsArray.includes(logicalId)) {
+						template.Resources[depId] = {
+							...template.Resources[depId],
+							DependsOn: [...depsArray, logicalId]
+						};
+						logger.debug(`Implicit delete dependency: ${depId} (${depType}) must be deleted before ${logicalId} (${resource.resourceType})`);
+					}
+				}
+			}
+		}
+		const dagBuilder = new DagBuilder();
+		const graph = dagBuilder.buildGraph(template);
+		const executionLevels = dagBuilder.getExecutionLevels(graph);
+		logger.debug(`Dependency graph: ${executionLevels.length} level(s)`);
+		for (let levelIndex = executionLevels.length - 1; levelIndex >= 0; levelIndex--) {
+			const level = executionLevels[levelIndex];
+			if (!level) continue;
+			logger.debug(`Deletion level ${executionLevels.length - levelIndex}/${executionLevels.length} (${level.length} resources)`);
+			const stackRegion = state.region ?? ctx.baseRegion;
+			const deletePromises = level.map(async (logicalId) => {
+				const resource = state.resources[logicalId];
+				if (!resource) {
+					logger.warn(`Resource ${logicalId} not found in state, skipping`);
+					return;
+				}
+				if (shouldRetainResource(resource.deletionPolicy)) {
+					logger.info(`  ⊘ ${logicalId} (${resource.resourceType}) retained — DeletionPolicy: ${resource.deletionPolicy}`);
+					result.retainedCount++;
+					return;
+				}
+				const baseLabel = `Deleting ${logicalId} (${resource.resourceType})`;
+				renderer.addTask(logicalId, baseLabel);
+				try {
+					const provider = destroyProviderRegistry.getProvider(resource.resourceType);
+					const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
+					const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? 3e5;
+					const globalTimeoutMs = ctx.resourceTimeoutMs ?? 18e5;
+					const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
+					await withResourceDeadline(async () => {
+						const maxAttempts = provider.disableOuterRetry ? 0 : 3;
+						let lastDeleteError;
+						for (let attempt = 0; attempt <= maxAttempts; attempt++) try {
+							await provider.delete(logicalId, resource.physicalId, resource.resourceType, resource.properties, {
+								...state.region !== void 0 && { expectedRegion: state.region },
+								...ctx.removeProtection === true && { removeProtection: true }
+							});
+							lastDeleteError = null;
+							break;
+						} catch (retryError) {
+							lastDeleteError = retryError;
+							const msg = retryError instanceof Error ? retryError.message : String(retryError);
+							if (!(msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation")) || attempt >= maxAttempts) break;
+							const delay = 5e3 * Math.pow(2, attempt);
+							logger.debug(`  ⏳ Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/${maxAttempts})`);
+							await new Promise((resolve) => setTimeout(resolve, delay));
+						}
+						if (lastDeleteError) throw lastDeleteError;
+					}, {
+						warnAfterMs,
+						timeoutMs,
+						onWarn: (elapsedMs) => {
+							const minutes = Math.max(1, Math.round(elapsedMs / 6e4));
+							renderer.updateTaskLabel(logicalId, `${baseLabel} [taking longer than expected, ${minutes}m+]`);
+							renderer.printAbove(() => {
+								logger.warn(`${logicalId} (${resource.resourceType}) has been deleting for ${minutes}m — still waiting`);
+							});
+						},
+						onTimeout: (elapsedMs) => new ResourceTimeoutError(logicalId, resource.resourceType, stackRegion, elapsedMs, "DELETE", timeoutMs)
+					});
+					renderer.removeTask(logicalId);
+					logger.info(`  ${red("✗")} ${bold(logicalId)} ${gray(`(${resource.resourceType})`)} ${red("deleted")}`);
+					result.deletedCount++;
+				} catch (error) {
+					renderer.removeTask(logicalId);
+					const msg = error instanceof Error ? error.message : String(error);
+					if (msg.includes("does not exist") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException")) {
+						logger.debug(`  ${logicalId} already deleted, removing from state`);
+						result.deletedCount++;
+					} else if (error instanceof ResourceTimeoutError) {
+						const wrapped = new ProvisioningError(error.message, resource.resourceType, logicalId, resource.physicalId, error);
+						logger.error(`  ✗ Failed to delete ${logicalId}:`, wrapped.message);
+						result.errorCount++;
+					} else {
+						logger.error(`  ✗ Failed to delete ${logicalId}:`, String(error));
+						result.errorCount++;
+					}
+				} finally {
+					renderer.removeTask(logicalId);
+				}
+			});
+			await Promise.all(deletePromises);
+		}
+		if (result.errorCount === 0) {
+			await ctx.stateBackend.deleteState(stackName, regionForState);
+			logger.debug("State deleted");
+			if (ctx.exportIndexStore) await ctx.exportIndexStore.removeStack(stackName, regionForState);
+		} else logger.warn(`${result.errorCount} resource(s) failed to delete. State preserved.`);
+		const retainedSuffix = result.retainedCount > 0 ? `, ${result.retainedCount} retained` : "";
+		if (result.errorCount === 0) logger.info(`\n${green("✓")} ${bold(`Stack ${stackName} destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${result.errorCount} errors)`);
+		else logger.warn(`\n${yellow("⚠")} ${bold(`Stack ${stackName} partially destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${red(result.errorCount)} errors). State preserved — re-run 'cdkd destroy' / 'cdkd state destroy' to clean up.`);
+	} finally {
+		renderer.stop();
+		logger.debug("Releasing lock...");
+		await ctx.lockManager.releaseLock(stackName, regionForState);
+		if (destroyAwsClients) {
+			destroyAwsClients.destroy();
+			process.env["AWS_REGION"] = ctx.baseRegion;
+			process.env["AWS_DEFAULT_REGION"] = ctx.baseRegion;
+			setAwsClients(ctx.baseAwsClients);
+		}
+	}
+	return result;
+}
+/**
+* Strong-reference scan: read every other stack's state.json from the
+* state bucket and check whether any of its `imports[]` entries names
+* `producerStack`. Returns the list of offending consumers (possibly
+* empty).
+*
+* NEVER trusts the persistent exports index — a stale index could miss
+* a freshly-recorded consumer and let a destructive destroy through.
+* The cost is one `listStacks` + N parallel GETs at destroy time only
+* (not the deploy hot path), which the user-facing UX rationalizes as
+* the "destroy is slow OK" trade-off (Issue #343).
+*/
+async function scanActiveConsumers(producerStack, producerRegion, ctx) {
+	const refs = await ctx.stateBackend.listStacks();
+	return (await Promise.all(refs.map(async (ref) => {
+		const region = ref.region ?? ctx.baseRegion;
+		if (ref.stackName === producerStack && region === producerRegion) return null;
+		try {
+			const imports = (await ctx.stateBackend.getState(ref.stackName, region))?.state.imports;
+			if (!imports || imports.length === 0) return null;
+			const matches = imports.filter((entry) => entry.sourceStack === producerStack && entry.sourceRegion === producerRegion);
+			if (matches.length === 0) return null;
+			return matches.map((entry) => ({
+				consumerStack: ref.stackName,
+				consumerRegion: region,
+				exportName: entry.exportName
+			}));
+		} catch {
+			return null;
+		}
+	}))).filter((r) => r !== null).flat();
+}
+
+//#endregion
+//#region src/provisioning/nested-stack-context.ts
+const storage = new AsyncLocalStorage();
+/**
+* Run `fn` inside a NestedStackProvider context scope. Calls to
+* `getCurrentNestedStackContext()` from inside `fn` (and any awaited callees)
+* return `ctx`. Nested scopes shadow outer ones — the recursive provider
+* uses this to switch the "current parent" to the child before kicking off
+* the child's deploy / destroy, so grand-nested handling resolves against
+* the right parent.
+*/
+function withNestedStackContext(ctx, fn) {
+	return storage.run(ctx, fn);
+}
+/**
+* Returns the current `NestedStackProviderContext`, or `undefined` when called
+* outside any `withNestedStackContext` scope (= cdkd is operating on a
+* top-level stack with no nested-stack work in flight).
+*
+* `NestedStackProvider.create / update / delete` MUST find a context here —
+* absence means a caller forgot to wrap the deploy / destroy entry point.
+*/
+function getCurrentNestedStackContext() {
+	return storage.getStore();
+}
+
+//#endregion
+//#region src/provisioning/providers/nested-stack-provider.ts
+/**
+* Provider for `AWS::CloudFormation::Stack` — cdkd's recursive nested-stack
+* adapter. Issue [#459](https://github.com/go-to-k/cdkd/issues/459); see
+* [docs/design/459-nested-stacks.md](../../../docs/design/459-nested-stacks.md)
+* for the full design.
+*
+* On `create` / `update`, the provider builds a child {@link DeployEngine}
+* against the same shared state backend / lock manager / provider registry,
+* deploys the child template recursively, and surfaces the child's outputs
+* as `attributes['Outputs.<Key>']` so the parent's
+* `Fn::GetAtt: [<NestedStack>, 'Outputs.<Key>']` references resolve via
+* the existing flat-key fast path in {@link IntrinsicFunctionResolver}.
+*
+* On `delete`, the provider loads the child's state and routes it through
+* {@link runDestroyForStack} for a regular reverse-DAG destroy — the same
+* code `cdkd destroy` uses on a top-level stack.
+*
+* The child's state file lives at
+* `cdkd/<parentStackName>~<NestedStackLogicalId>/<region>/state.json`
+* (the `~` separator is rare in CDK logical ids; verified safe against
+* CDK Stage paths which use `/`). The synthesized `physicalId` is a fake
+* ARN with `cdkd-local` partition so any downstream consumer that
+* accidentally uses it as a real AWS ARN fails loudly.
+*/
+var NestedStackProvider = class {
+	logger = getLogger().child("NestedStackProvider");
+	/**
+	* Opt out of the deploy engine's outer transient-error retry loop. A
+	* nested-stack `create` recursively spawns a child {@link DeployEngine}
+	* that has its own retry / rollback machinery; an outer retry would
+	* re-enter the entire child deploy on a transient error and produce
+	* duplicate AWS resources before the second attempt's per-resource
+	* state save settles. The child engine handles transient errors
+	* internally — mirroring the same opt-out the Custom Resource provider
+	* uses for the same reason.
+	*/
+	disableOuterRetry = true;
+	/**
+	* The CC API fallback path for `AWS::CloudFormation::Stack` would call
+	* CloudFormation's own `CreateStack` — defeating cdkd's whole "no CFn"
+	* approach for the nested children. Refuse the fallback so any future
+	* regression that drops a real property from `handledProperties`
+	* surfaces as an explicit "unhandled property" deploy error instead of
+	* silently round-tripping through CloudFormation.
+	*/
+	disableCcApiFallback = true;
+	/**
+	* Properties this provider actually wires through to the child deploy.
+	* `TemplateURL` is the asset-published S3 URL of the child template
+	* (cdkd reads the local template file via `Metadata['aws:asset:path']`,
+	* so the URL itself is informational here); `Parameters` is the typed
+	* parameter map forwarded as `DeployEngineOptions.parameters` to the
+	* child engine.
+	*/
+	handledProperties = new Map([["AWS::CloudFormation::Stack", new Set(["TemplateURL", "Parameters"])]]);
+	/**
+	* Every other property on `AWS::CloudFormation::Stack` is intentionally
+	* not threaded through — cdkd does not go through CloudFormation, so
+	* CFn-only inputs (rollback / capability / role / notification /
+	* termination-protection / stack-update policy / per-stack timeout /
+	* tags) have no equivalent. The synthesized `Ref` ARN is a placeholder,
+	* not a real AWS resource — so `Tags` and `Description` similarly
+	* have nothing to attach to. `StackName` is replaced by cdkd's derived
+	* `<parent>~<logicalId>` key per design §3, and `TemplateBody` is
+	* superseded by the local `Metadata['aws:asset:path']` lookup.
+	*/
+	unhandledByDesign = new Map([["AWS::CloudFormation::Stack", new Map([
+		["TemplateBody", "CFn-only inline template — cdkd reads the child template from the synth output via Metadata['aws:asset:path'] instead of accepting it inline"],
+		["Capabilities", "CFn-only IAM capability declaration — cdkd does not go through CloudFormation so capabilities have no equivalent"],
+		["Description", "CFn-only informational — no semantic effect on the recursive deploy"],
+		["DisableRollback", "CFn-only — cdkd controls rollback via the top-level deploy-engine --no-rollback flag, not per nested stack"],
+		["EnableTerminationProtection", "CFn-only per-nested-stack flag — cdkd records stack-level terminationProtection at CDK synth time (parent only) and `cdkd destroy` consults that for refusal"],
+		["NotificationARNs", "CFn-only SNS-on-stack-event surface — cdkd has no equivalent (issue #459 design §9)"],
+		["RoleARN", "CFn-only role-assumption — cdkd uses the caller credentials directly, no per-resource role assumption"],
+		["StackName", "cdkd derives the child stack name as `<parent>~<logicalId>` per design §3 (state-key uniqueness); a user-provided StackName has no effect"],
+		["StackPolicyBody", "CFn-only stack-update policy — cdkd has no equivalent (per-resource diff replaces stack-level policy)"],
+		["StackPolicyURL", "CFn-only stack-update policy URL — cdkd has no equivalent"],
+		["StackStatusReason", "CFn-only read-only output — never a real input property"],
+		["Tags", "CFn-only — cdkd does not tag the synthesized \"stack\" (the parent's synthesized ARN is a cdkd-local placeholder, not a real AWS resource)"],
+		["TimeoutInMinutes", "CFn-only stack-create deadline — cdkd uses per-resource --resource-timeout instead (issue #459 design §9)"]
+	])]]);
+	async create(logicalId, _resourceType, properties) {
+		const ctx = this.requireContext();
+		this.requireDeployContext(ctx, "create");
+		const childTemplatePath = ctx.nestedTemplates[logicalId];
+		if (!childTemplatePath) throw new Error(`Nested template file not found for AWS::CloudFormation::Stack '${logicalId}' under parent '${ctx.parentStackName}'. Verify the synth output emits Metadata['aws:asset:path'] on this resource (CDK 2.x cdk.NestedStack does so by default).`);
+		const childTemplate = this.readChildTemplate(childTemplatePath);
+		const childStackName = this.deriveChildStackName(ctx.parentStackName, logicalId);
+		const childRegion = ctx.parentRegion;
+		const childParameters = this.extractParameters(properties);
+		const grandchildTemplates = this.indexGrandchildTemplates(childTemplate, childTemplatePath);
+		const resourceCount = Object.keys(childTemplate.Resources ?? {}).length;
+		this.logger.info(`Deploying nested stack ${childStackName} (logicalId=${logicalId}, ${resourceCount} resource(s))`);
+		await this.runChildDeploy(ctx, logicalId, childStackName, childRegion, childTemplate, childParameters, grandchildTemplates);
+		const attributes = await this.readChildOutputsAsAttributes(ctx, childStackName, childRegion);
+		return {
+			physicalId: this.synthesizeArn(ctx.accountId, ctx.parentRegion, ctx.parentStackName, logicalId),
+			attributes
+		};
+	}
+	async update(logicalId, physicalId, _resourceType, properties, _previousProperties) {
+		const ctx = this.requireContext();
+		this.requireDeployContext(ctx, "update");
+		const childTemplatePath = ctx.nestedTemplates[logicalId];
+		if (!childTemplatePath) throw new Error(`Nested template file not found for AWS::CloudFormation::Stack '${logicalId}' on update.`);
+		const childTemplate = this.readChildTemplate(childTemplatePath);
+		const childStackName = this.deriveChildStackName(ctx.parentStackName, logicalId);
+		const childRegion = ctx.parentRegion;
+		const childParameters = this.extractParameters(properties);
+		const grandchildTemplates = this.indexGrandchildTemplates(childTemplate, childTemplatePath);
+		const resourceCount = Object.keys(childTemplate.Resources ?? {}).length;
+		this.logger.info(`Updating nested stack ${childStackName} (logicalId=${logicalId}, ${resourceCount} resource(s))`);
+		await this.runChildDeploy(ctx, logicalId, childStackName, childRegion, childTemplate, childParameters, grandchildTemplates);
+		return {
+			physicalId,
+			wasReplaced: false,
+			attributes: await this.readChildOutputsAsAttributes(ctx, childStackName, childRegion)
+		};
+	}
+	async delete(logicalId, _physicalId, _resourceType, _properties, deleteContext) {
+		const ctx = this.requireContext();
+		const childStackName = this.deriveChildStackName(ctx.parentStackName, logicalId);
+		const childRegion = ctx.parentRegion;
+		const childStateData = await ctx.stateBackend.getState(childStackName, childRegion);
+		if (!childStateData) {
+			this.logger.debug(`Nested stack ${childStackName} has no state — treating delete as idempotent success.`);
+			return;
+		}
+		const resourceCount = Object.keys(childStateData.state.resources).length;
+		this.logger.info(`Destroying nested stack ${childStackName} (logicalId=${logicalId}, ${resourceCount} resource(s))`);
+		await withNestedStackContext({
+			...ctx,
+			parentStackName: childStackName,
+			parentRegion: childRegion,
+			nestedTemplates: void 0
+		}, () => runDestroyForStack(childStackName, childStateData.state, {
+			stateBackend: ctx.stateBackend,
+			lockManager: ctx.lockManager,
+			providerRegistry: ctx.providerRegistry,
+			baseAwsClients: ctx.awsClients,
+			baseRegion: childRegion,
+			stateBucket: ctx.stateBucket,
+			skipConfirmation: true,
+			...ctx.exportIndexStore && { exportIndexStore: ctx.exportIndexStore },
+			...ctx.destroyOptions?.profile && { profile: ctx.destroyOptions.profile },
+			...deleteContext?.removeProtection === true && { removeProtection: true },
+			...ctx.destroyOptions?.resourceWarnAfterMs !== void 0 && { resourceWarnAfterMs: ctx.destroyOptions.resourceWarnAfterMs },
+			...ctx.destroyOptions?.resourceTimeoutMs !== void 0 && { resourceTimeoutMs: ctx.destroyOptions.resourceTimeoutMs },
+			...ctx.destroyOptions?.resourceWarnAfterByType && { resourceWarnAfterByType: ctx.destroyOptions.resourceWarnAfterByType },
+			...ctx.destroyOptions?.resourceTimeoutByType && { resourceTimeoutByType: ctx.destroyOptions.resourceTimeoutByType }
+		}));
+	}
+	async getAttribute(_physicalId, _resourceType, attributeName) {
+		throw new Error(`AWS::CloudFormation::Stack: attribute '${attributeName}' is not in the recorded Outputs map. Only 'Outputs.<Key>' references to declared Output names on the child template are supported.`);
+	}
+	async runChildDeploy(parentCtx, logicalId, childStackName, childRegion, childTemplate, childParameters, grandchildTemplates) {
+		const childEngine = new DeployEngine(parentCtx.stateBackend, parentCtx.lockManager, parentCtx.dagBuilder, parentCtx.diffCalculator, parentCtx.providerRegistry, {
+			...parentCtx.options ?? {},
+			parameters: childParameters,
+			parentStackInfo: {
+				parentStack: parentCtx.parentStackName,
+				parentLogicalId: logicalId,
+				parentRegion: parentCtx.parentRegion
+			}
+		}, childRegion, parentCtx.exportIndexStore);
+		await withNestedStackContext({
+			...parentCtx,
+			parentStackName: childStackName,
+			parentRegion: childRegion,
+			nestedTemplates: grandchildTemplates
+		}, () => childEngine.deploy(childStackName, childTemplate));
+	}
+	async readChildOutputsAsAttributes(ctx, childStackName, childRegion) {
+		const childStateData = await ctx.stateBackend.getState(childStackName, childRegion);
+		if (!childStateData) throw new Error(`Child stack state '${childStackName}' not found after deploy — NestedStackProvider invariant violated.`);
+		return this.buildOutputsAttributes(childStateData.state.outputs ?? {});
+	}
+	requireContext() {
+		const ctx = getCurrentNestedStackContext();
+		if (!ctx) throw new Error("NestedStackProvider invoked outside withNestedStackContext() scope. The deploy / destroy CLI entry point must wrap its DeployEngine.deploy / runDestroyForStack call in withNestedStackContext(ctx, () => ...).");
+		return ctx;
+	}
+	requireDeployContext(ctx, op) {
+		if (!ctx.nestedTemplates || !ctx.dagBuilder || !ctx.diffCalculator) throw new Error(`NestedStackProvider.${op}: deploy-mode context fields (nestedTemplates / dagBuilder / diffCalculator) are missing. This usually means a destroy-mode entry point called into create/update by mistake.`);
+	}
+	deriveChildStackName(parentStackName, nestedLogicalId) {
+		return `${parentStackName}~${nestedLogicalId}`;
+	}
+	synthesizeArn(accountId, region, parentStackName, logicalId) {
+		return `arn:cdkd-local:${region}:${accountId}:nested-stack/${parentStackName}/${logicalId}`;
+	}
+	extractParameters(properties) {
+		const params = properties["Parameters"];
+		if (!params || typeof params !== "object" || Array.isArray(params)) return {};
+		const result = {};
+		for (const [k, v] of Object.entries(params)) if (typeof v === "string") result[k] = v;
+		else if (typeof v === "number" || typeof v === "boolean") result[k] = String(v);
+		else throw new Error(`NestedStackProvider: child Parameter '${k}' resolved to a non-scalar value (type=${v === null ? "null" : typeof v}). Parameters must be scalars (string / number / boolean) by the time they reach the provider — an unresolved intrinsic here means IntrinsicFunctionResolver upstream did not handle the value, which is a bug. Surface the unresolved input rather than silently coercing to '[object Object]'.`);
+		return result;
+	}
+	readChildTemplate(templatePath) {
+		let raw;
+		try {
+			raw = fs.readFileSync(templatePath, "utf-8");
+		} catch (err) {
+			throw new Error(`Failed to read nested template at ${templatePath}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		try {
+			return JSON.parse(raw);
+		} catch (err) {
+			throw new Error(`Failed to parse nested template at ${templatePath}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+	}
+	indexGrandchildTemplates(childTemplate, childTemplatePath) {
+		const dir = path.dirname(childTemplatePath);
+		const result = {};
+		for (const [grandLogicalId, resource] of Object.entries(childTemplate.Resources ?? {})) {
+			if (resource?.Type !== "AWS::CloudFormation::Stack") continue;
+			const assetPath = resource.Metadata?.["aws:asset:path"];
+			if (typeof assetPath !== "string" || assetPath.length === 0) continue;
+			if (path.isAbsolute(assetPath)) throw new Error(`NestedStackProvider: nested-stack '${grandLogicalId}' has Metadata['aws:asset:path']='${assetPath}' which is absolute. CDK emits relative asset paths for nested templates; an absolute path indicates the synth output was hand-modified or generated by a non-CDK toolchain. Refusing to load.`);
+			result[grandLogicalId] = path.join(dir, assetPath);
+		}
+		return result;
+	}
+	buildOutputsAttributes(outputs) {
+		const attributes = {};
+		for (const [key, value] of Object.entries(outputs)) attributes[`Outputs.${key}`] = value;
+		return attributes;
+	}
+};
+
 //#endregion
 //#region src/provisioning/register-providers.ts
 /**
@@ -31079,6 +32087,7 @@ function registerAllProviders(registry) {
 	registry.register("AWS::S3Tables::TableBucket", s3TablesProvider);
 	registry.register("AWS::S3Tables::Namespace", s3TablesProvider);
 	registry.register("AWS::S3Tables::Table", s3TablesProvider);
+	registry.register("AWS::CloudFormation::Stack", new NestedStackProvider());
 }
 
 //#endregion
@@ -31356,7 +32365,7 @@ async function deployCommand(stacks, options) {
 						if (!await promptMigrationConfirm(pending, { yes: options.yes })) return;
 					}
 				}
-				const deployResult = await new DeployEngine(stackStateBackend, stackLockManager, dagBuilder, diffCalculator, stackProviderRegistry, {
+				const deployEngineOptions = {
 					concurrency: options.concurrency,
 					dryRun: options.dryRun,
 					noRollback: !options.rollback,
@@ -31365,7 +32374,23 @@ async function deployCommand(stacks, options) {
 					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
 					...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
 					...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
-				}, stackRegion, exportIndexStore).deploy(stackInfo.stackName, stackInfo.template);
+				};
+				const stackDeployEngine = new DeployEngine(stackStateBackend, stackLockManager, dagBuilder, diffCalculator, stackProviderRegistry, deployEngineOptions, stackRegion, exportIndexStore);
+				const deployResult = await withNestedStackContext({
+					stateBackend: stackStateBackend,
+					lockManager: stackLockManager,
+					providerRegistry: stackProviderRegistry,
+					parentStackName: stackInfo.stackName,
+					parentRegion: stackRegion,
+					accountId,
+					awsClients: stackAwsClients,
+					stateBucket,
+					exportIndexStore,
+					nestedTemplates: stackInfo.nestedTemplates ?? {},
+					dagBuilder,
+					diffCalculator,
+					options: deployEngineOptions
+				}, () => stackDeployEngine.deploy(stackInfo.stackName, stackInfo.template));
 				logger.info(`\n${bold("Deployment Summary:")}`);
 				logger.info(`  Stack: ${bold(cyan(deployResult.stackName))}`);
 				logger.info(`  Created: ${deployResult.created > 0 ? green(deployResult.created) : gray(deployResult.created)}`);
@@ -32475,342 +33500,6 @@ function createDriftCommand() {
 	return cmd;
 }
 
-//#endregion
-//#region src/cli/commands/destroy-runner.ts
-/**
-* Resource-type → state-property name pairs that gate AWS deletion
-* protection. Used by the `--remove-protection` confirmation prompt to
-* report a best-effort count of resources that will have protection
-* cleared. The actual flip-off is unconditional inside each provider's
-* `delete()` (idempotent — safe when AWS already has protection off),
-* so the count is informational only.
-*
-* Most types use a boolean flag — the value `true` is what we count.
-* Two types use a string-valued enum (Cognito UserPool's
-* `DeletionProtection` is `'ACTIVE' | 'INACTIVE'`, AutoScalingGroup's
-* `DeletionProtection` is `'none' | 'prevent-force-deletion' |
-* 'prevent-all-deletion'`). For those, the helper checks against a
-* per-type set of "active" values via `PROTECTION_ACTIVE_VALUES_BY_TYPE`.
-*
-* Exported for unit-test coverage of `countProtectedResources`.
-*/
-const PROTECTION_PROPERTY_BY_TYPE = {
-	"AWS::Logs::LogGroup": "DeletionProtectionEnabled",
-	"AWS::RDS::DBInstance": "DeletionProtection",
-	"AWS::RDS::DBCluster": "DeletionProtection",
-	"AWS::DocDB::DBCluster": "DeletionProtection",
-	"AWS::Neptune::DBCluster": "DeletionProtection",
-	"AWS::Neptune::DBInstance": "DeletionProtection",
-	"AWS::DynamoDB::Table": "DeletionProtectionEnabled",
-	"AWS::DynamoDB::GlobalTable": "DeletionProtectionEnabled",
-	"AWS::EC2::Instance": "DisableApiTermination",
-	"AWS::Cognito::UserPool": "DeletionProtection",
-	"AWS::AutoScaling::AutoScalingGroup": "DeletionProtection"
-};
-/**
-* For string-valued protection enums, the set of values that count as
-* "currently protected". Types absent from this map use the default
-* (boolean `true`).
-*/
-const PROTECTION_ACTIVE_VALUES_BY_TYPE = {
-	"AWS::Cognito::UserPool": new Set(["ACTIVE"]),
-	"AWS::AutoScaling::AutoScalingGroup": new Set(["prevent-force-deletion", "prevent-all-deletion"])
-};
-/**
-* Count how many resources in a stack's recorded state appear to have
-* deletion protection enabled. Walks `properties` and `observedProperties`
-* for the property name registered against each resource type in
-* `PROTECTION_PROPERTY_BY_TYPE`. ELBv2 LoadBalancer protection lives in
-* `LoadBalancerAttributes` (a CFn `Array<{Key, Value}>`), so it's
-* handled separately via the `deletion_protection.enabled` key.
-*/
-function countProtectedResources(state) {
-	let count = 0;
-	for (const resource of Object.values(state.resources ?? {})) {
-		const propName = PROTECTION_PROPERTY_BY_TYPE[resource.resourceType];
-		if (propName) {
-			const recorded = resource.properties?.[propName] ?? resource.observedProperties?.[propName];
-			const activeValues = PROTECTION_ACTIVE_VALUES_BY_TYPE[resource.resourceType];
-			if (activeValues) {
-				if (activeValues.has(recorded)) count++;
-			} else if (recorded === true) count++;
-			continue;
-		}
-		if (resource.resourceType === "AWS::ElasticLoadBalancingV2::LoadBalancer") {
-			if (((resource.properties?.["LoadBalancerAttributes"] ?? resource.observedProperties?.["LoadBalancerAttributes"])?.find((a) => a?.Key === "deletion_protection.enabled"))?.Value === "true") count++;
-		}
-	}
-	return count;
-}
-/**
-* Run the destroy lifecycle for one stack against an already-loaded
-* `StackState`, reusing the caller's state backend / lock manager.
-*
-* Hoisted from `cdkd destroy` so the new `cdkd state destroy` subcommand
-* can call into the exact same per-stack pipeline without depending on
-* synth or the CDK app. The state-source split is the only meaningful
-* difference between the two commands — everything from "prompt the user"
-* onwards is identical.
-*
-* Side effects:
-* - Acquires (and releases) the stack's S3 lock.
-* - Switches `process.env.AWS_REGION` for the duration of the destroy when
-*   the stack's recorded region differs from `baseRegion`. Restored in the
-*   `finally` block.
-* - On full success, deletes the state file. On any failure, the state
-*   file is preserved so the user can retry.
-*/
-async function runDestroyForStack(stackName, state, ctx) {
-	const logger = getLogger();
-	const result = {
-		stackName,
-		cancelled: false,
-		skippedEmpty: false,
-		deletedCount: 0,
-		retainedCount: 0,
-		errorCount: 0
-	};
-	const resourceCount = Object.keys(state.resources).length;
-	const regionForState = state.region ?? ctx.baseRegion;
-	if (resourceCount === 0) {
-		logger.info(`Stack ${stackName} has no resources, cleaning up state...`);
-		await ctx.stateBackend.deleteState(stackName, regionForState);
-		logger.info(`${green("✓")} State deleted`);
-		result.skippedEmpty = true;
-		return result;
-	}
-	const needsStrongRefCheck = !!(state.outputs && Object.keys(state.outputs).length > 0);
-	if (needsStrongRefCheck) {
-		const consumers = await scanActiveConsumers(stackName, regionForState, ctx);
-		if (consumers.length > 0) throw new StackHasActiveImportsError(stackName, regionForState, consumers);
-	}
-	logger.info(`\nResources to be deleted (${resourceCount}):`);
-	for (const [logicalId, resource] of Object.entries(state.resources)) logger.info(`  - ${logicalId} (${resource.resourceType})`);
-	const protectedCount = ctx.removeProtection ? countProtectedResources(state) : 0;
-	if (!ctx.skipConfirmation) {
-		const rl = readline.createInterface({
-			input: process.stdin,
-			output: process.stdout
-		});
-		const prompt = ctx.removeProtection ? `\nAbout to destroy ${resourceCount} resources from stack "${stackName}", REMOVING DELETION PROTECTION on ${protectedCount} of them. Continue? (y/N): ` : `\nAre you sure you want to destroy stack "${stackName}" and delete all ${resourceCount} resources? (Y/n): `;
-		const answer = await rl.question(prompt);
-		rl.close();
-		const trimmed = answer.trim().toLowerCase();
-		if (ctx.removeProtection) {
-			if (trimmed !== "y" && trimmed !== "yes") {
-				logger.info("Destroy cancelled");
-				result.cancelled = true;
-				return result;
-			}
-		} else if (trimmed === "n" || trimmed === "no") {
-			logger.info("Destroy cancelled");
-			result.cancelled = true;
-			return result;
-		}
-	}
-	const stackRegion = state.region;
-	let destroyProviderRegistry = ctx.providerRegistry;
-	let destroyAwsClients;
-	if (stackRegion && stackRegion !== ctx.baseRegion) {
-		logger.info(`Stack region: ${stackRegion}`);
-		process.env["AWS_REGION"] = stackRegion;
-		process.env["AWS_DEFAULT_REGION"] = stackRegion;
-		destroyAwsClients = new AwsClients({
-			region: stackRegion,
-			...ctx.profile && { profile: ctx.profile }
-		});
-		setAwsClients(destroyAwsClients);
-		destroyProviderRegistry = new ProviderRegistry();
-		registerAllProviders(destroyProviderRegistry);
-		destroyProviderRegistry.setCustomResourceResponseBucket(ctx.stateBucket);
-	}
-	logger.info(`\nAcquiring lock for stack ${stackName}...`);
-	await ctx.lockManager.acquireLock(stackName, regionForState, void 0, "destroy");
-	if (needsStrongRefCheck) {
-		const consumers = await scanActiveConsumers(stackName, regionForState, ctx);
-		if (consumers.length > 0) {
-			try {
-				await ctx.lockManager.releaseLock(stackName, regionForState);
-			} catch (releaseErr) {
-				logger.warn(`Failed to release lock after strong-ref refusal: ${releaseErr instanceof Error ? releaseErr.message : String(releaseErr)}`);
-			}
-			throw new StackHasActiveImportsError(stackName, regionForState, consumers);
-		}
-	}
-	const renderer = getLiveRenderer();
-	renderer.start();
-	try {
-		logger.info("Building dependency graph...");
-		const template = {
-			AWSTemplateFormatVersion: "2010-09-09",
-			Resources: {}
-		};
-		for (const [logicalId, resource] of Object.entries(state.resources)) template.Resources[logicalId] = {
-			Type: resource.resourceType,
-			Properties: resource.properties || {},
-			...resource.dependencies && resource.dependencies.length > 0 && { DependsOn: resource.dependencies }
-		};
-		const typeToLogicalIds = /* @__PURE__ */ new Map();
-		for (const [logicalId, resource] of Object.entries(state.resources)) {
-			const ids = typeToLogicalIds.get(resource.resourceType) ?? [];
-			ids.push(logicalId);
-			typeToLogicalIds.set(resource.resourceType, ids);
-		}
-		for (const [logicalId, resource] of Object.entries(state.resources)) {
-			const mustDeleteAfter = IMPLICIT_DELETE_DEPENDENCIES[resource.resourceType];
-			if (!mustDeleteAfter) continue;
-			for (const depType of mustDeleteAfter) {
-				const depIds = typeToLogicalIds.get(depType);
-				if (!depIds) continue;
-				for (const depId of depIds) {
-					const existing = template.Resources[depId]?.DependsOn ?? [];
-					const depsArray = Array.isArray(existing) ? existing : [existing];
-					if (!depsArray.includes(logicalId)) {
-						template.Resources[depId] = {
-							...template.Resources[depId],
-							DependsOn: [...depsArray, logicalId]
-						};
-						logger.debug(`Implicit delete dependency: ${depId} (${depType}) must be deleted before ${logicalId} (${resource.resourceType})`);
-					}
-				}
-			}
-		}
-		const dagBuilder = new DagBuilder();
-		const graph = dagBuilder.buildGraph(template);
-		const executionLevels = dagBuilder.getExecutionLevels(graph);
-		logger.debug(`Dependency graph: ${executionLevels.length} level(s)`);
-		for (let levelIndex = executionLevels.length - 1; levelIndex >= 0; levelIndex--) {
-			const level = executionLevels[levelIndex];
-			if (!level) continue;
-			logger.debug(`Deletion level ${executionLevels.length - levelIndex}/${executionLevels.length} (${level.length} resources)`);
-			const stackRegion = state.region ?? ctx.baseRegion;
-			const deletePromises = level.map(async (logicalId) => {
-				const resource = state.resources[logicalId];
-				if (!resource) {
-					logger.warn(`Resource ${logicalId} not found in state, skipping`);
-					return;
-				}
-				if (shouldRetainResource(resource.deletionPolicy)) {
-					logger.info(`  ⊘ ${logicalId} (${resource.resourceType}) retained — DeletionPolicy: ${resource.deletionPolicy}`);
-					result.retainedCount++;
-					return;
-				}
-				const baseLabel = `Deleting ${logicalId} (${resource.resourceType})`;
-				renderer.addTask(logicalId, baseLabel);
-				try {
-					const provider = destroyProviderRegistry.getProvider(resource.resourceType);
-					const providerMinTimeoutMs = provider.getMinResourceTimeoutMs?.() ?? 0;
-					const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? 3e5;
-					const globalTimeoutMs = ctx.resourceTimeoutMs ?? 18e5;
-					const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? Math.max(providerMinTimeoutMs, globalTimeoutMs);
-					await withResourceDeadline(async () => {
-						const maxAttempts = provider.disableOuterRetry ? 0 : 3;
-						let lastDeleteError;
-						for (let attempt = 0; attempt <= maxAttempts; attempt++) try {
-							await provider.delete(logicalId, resource.physicalId, resource.resourceType, resource.properties, {
-								...state.region !== void 0 && { expectedRegion: state.region },
-								...ctx.removeProtection === true && { removeProtection: true }
-							});
-							lastDeleteError = null;
-							break;
-						} catch (retryError) {
-							lastDeleteError = retryError;
-							const msg = retryError instanceof Error ? retryError.message : String(retryError);
-							if (!(msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation")) || attempt >= maxAttempts) break;
-							const delay = 5e3 * Math.pow(2, attempt);
-							logger.debug(`  ⏳ Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/${maxAttempts})`);
-							await new Promise((resolve) => setTimeout(resolve, delay));
-						}
-						if (lastDeleteError) throw lastDeleteError;
-					}, {
-						warnAfterMs,
-						timeoutMs,
-						onWarn: (elapsedMs) => {
-							const minutes = Math.max(1, Math.round(elapsedMs / 6e4));
-							renderer.updateTaskLabel(logicalId, `${baseLabel} [taking longer than expected, ${minutes}m+]`);
-							renderer.printAbove(() => {
-								logger.warn(`${logicalId} (${resource.resourceType}) has been deleting for ${minutes}m — still waiting`);
-							});
-						},
-						onTimeout: (elapsedMs) => new ResourceTimeoutError(logicalId, resource.resourceType, stackRegion, elapsedMs, "DELETE", timeoutMs)
-					});
-					renderer.removeTask(logicalId);
-					logger.info(`  ${red("✗")} ${bold(logicalId)} ${gray(`(${resource.resourceType})`)} ${red("deleted")}`);
-					result.deletedCount++;
-				} catch (error) {
-					renderer.removeTask(logicalId);
-					const msg = error instanceof Error ? error.message : String(error);
-					if (msg.includes("does not exist") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException")) {
-						logger.debug(`  ${logicalId} already deleted, removing from state`);
-						result.deletedCount++;
-					} else if (error instanceof ResourceTimeoutError) {
-						const wrapped = new ProvisioningError(error.message, resource.resourceType, logicalId, resource.physicalId, error);
-						logger.error(`  ✗ Failed to delete ${logicalId}:`, wrapped.message);
-						result.errorCount++;
-					} else {
-						logger.error(`  ✗ Failed to delete ${logicalId}:`, String(error));
-						result.errorCount++;
-					}
-				} finally {
-					renderer.removeTask(logicalId);
-				}
-			});
-			await Promise.all(deletePromises);
-		}
-		if (result.errorCount === 0) {
-			await ctx.stateBackend.deleteState(stackName, regionForState);
-			logger.debug("State deleted");
-			if (ctx.exportIndexStore) await ctx.exportIndexStore.removeStack(stackName, regionForState);
-		} else logger.warn(`${result.errorCount} resource(s) failed to delete. State preserved.`);
-		const retainedSuffix = result.retainedCount > 0 ? `, ${result.retainedCount} retained` : "";
-		if (result.errorCount === 0) logger.info(`\n${green("✓")} ${bold(`Stack ${stackName} destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${result.errorCount} errors)`);
-		else logger.warn(`\n${yellow("⚠")} ${bold(`Stack ${stackName} partially destroyed`)} (${green(result.deletedCount)} deleted${retainedSuffix}, ${red(result.errorCount)} errors). State preserved — re-run 'cdkd destroy' / 'cdkd state destroy' to clean up.`);
-	} finally {
-		renderer.stop();
-		logger.debug("Releasing lock...");
-		await ctx.lockManager.releaseLock(stackName, regionForState);
-		if (destroyAwsClients) {
-			destroyAwsClients.destroy();
-			process.env["AWS_REGION"] = ctx.baseRegion;
-			process.env["AWS_DEFAULT_REGION"] = ctx.baseRegion;
-			setAwsClients(ctx.baseAwsClients);
-		}
-	}
-	return result;
-}
-/**
-* Strong-reference scan: read every other stack's state.json from the
-* state bucket and check whether any of its `imports[]` entries names
-* `producerStack`. Returns the list of offending consumers (possibly
-* empty).
-*
-* NEVER trusts the persistent exports index — a stale index could miss
-* a freshly-recorded consumer and let a destructive destroy through.
-* The cost is one `listStacks` + N parallel GETs at destroy time only
-* (not the deploy hot path), which the user-facing UX rationalizes as
-* the "destroy is slow OK" trade-off (Issue #343).
-*/
-async function scanActiveConsumers(producerStack, producerRegion, ctx) {
-	const refs = await ctx.stateBackend.listStacks();
-	return (await Promise.all(refs.map(async (ref) => {
-		const region = ref.region ?? ctx.baseRegion;
-		if (ref.stackName === producerStack && region === producerRegion) return null;
-		try {
-			const imports = (await ctx.stateBackend.getState(ref.stackName, region))?.state.imports;
-			if (!imports || imports.length === 0) return null;
-			const matches = imports.filter((entry) => entry.sourceStack === producerStack && entry.sourceRegion === producerRegion);
-			if (matches.length === 0) return null;
-			return matches.map((entry) => ({
-				consumerStack: ref.stackName,
-				consumerRegion: region,
-				exportName: entry.exportName
-			}));
-		} catch {
-			return null;
-		}
-	}))).filter((r) => r !== null).flat();
-}
-
 //#endregion
 //#region src/cli/commands/destroy.ts
 /**
@@ -32904,6 +33593,7 @@ async function destroyCommand(stackArgs, options) {
 			return;
 		}
 		logger.info(`Found ${stackNames.length} stack(s) to destroy: ${stackNames.join(", ")}`);
+		const accountId = "unknown";
 		const stateRefsByName = /* @__PURE__ */ new Map();
 		for (const ref of allStateRefs) {
 			const arr = stateRefsByName.get(ref.stackName) ?? [];
@@ -32941,7 +33631,25 @@ async function destroyCommand(stackArgs, options) {
 				logger.warn(`No state found for stack ${stackName}, skipping`);
 				continue;
 			}
-			const result = await runDestroyForStack(stackName, stateResult.state, {
+			const result = await withNestedStackContext({
+				stateBackend,
+				lockManager,
+				providerRegistry,
+				parentStackName: stackName,
+				parentRegion: stackTargetRegion,
+				accountId,
+				awsClients,
+				stateBucket,
+				exportIndexStore,
+				destroyOptions: {
+					...options.profile && { profile: options.profile },
+					...options.removeProtection === true && { removeProtection: true },
+					...options.resourceWarnAfter?.globalMs !== void 0 && { resourceWarnAfterMs: options.resourceWarnAfter.globalMs },
+					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
+					...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
+					...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
+				}
+			}, () => runDestroyForStack(stackName, stateResult.state, {
 				stateBackend,
 				lockManager,
 				providerRegistry,
@@ -32956,7 +33664,7 @@ async function destroyCommand(stackArgs, options) {
 				...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
 				...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
 				...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
-			});
+			}));
 			totalErrors += result.errorCount;
 		}
 		if (totalErrors > 0) throw new PartialFailureError(`Destroy completed with ${totalErrors} resource error(s). State preserved — inspect 'cdkd state show <stack>' and re-run 'cdkd destroy' to retry.`);
@@ -34690,7 +35398,25 @@ async function stateDestroyCommand(stackArgs, options) {
 					logger.warn(`No state found for stack ${stackName}${ref.region ? ` in ${ref.region}` : ""}, skipping`);
 					continue;
 				}
-				const result = await runDestroyForStack(stackName, stateResult.state, {
+				const result = await withNestedStackContext({
+					stateBackend: setup.stateBackend,
+					lockManager: setup.lockManager,
+					providerRegistry,
+					parentStackName: stackName,
+					parentRegion: ref.region ?? setup.region,
+					accountId: "unknown",
+					awsClients: setup.awsClients,
+					stateBucket: setup.bucket,
+					exportIndexStore: setup.exportIndexStore,
+					destroyOptions: {
+						...options.profile && { profile: options.profile },
+						...options.removeProtection === true && { removeProtection: true },
+						...options.resourceWarnAfter?.globalMs !== void 0 && { resourceWarnAfterMs: options.resourceWarnAfter.globalMs },
+						...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
+						...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
+						...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
+					}
+				}, () => runDestroyForStack(stackName, stateResult.state, {
 					stateBackend: setup.stateBackend,
 					lockManager: setup.lockManager,
 					providerRegistry,
@@ -34705,7 +35431,7 @@ async function stateDestroyCommand(stackArgs, options) {
 					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
 					...options.resourceWarnAfter?.perTypeMs && { resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs },
 					...options.resourceTimeout?.perTypeMs && { resourceTimeoutByType: options.resourceTimeout.perTypeMs }
-				});
+				}));
 				totalErrors += result.errorCount;
 			}
 		}
@@ -52812,8 +53538,11 @@ function createLocalCommand() {
 *
 *   - `AWS::CDK::Metadata` is a CDK sentinel; not a real AWS resource and
 *     CFn refuses to import it.
-*   - `AWS::CloudFormation::Stack` is a nested stack reference; importing
-*     means re-creating the child stack, not adopting AWS resources.
+*   - `AWS::CloudFormation::Stack` is a nested stack reference. Fresh
+*     `cdkd deploy` of nested stacks IS supported (issue #459), but
+*     moving an existing nested-stack hierarchy from cdkd back into
+*     CloudFormation via `cdkd export` is deferred to the
+*     [#464](https://github.com/go-to-k/cdkd/issues/464) follow-up.
 *   - `AWS::CloudFormation::CustomResource` is the CFn resource type CDK
 *     emits for `new cdk.CustomResource(...)` when no `resourceType` is
 *     passed. Functionally identical to `Custom::*` — Lambda-backed,
@@ -53270,7 +53999,10 @@ async function assertCfnStackAbsent(cfnClient, stackName) {
 * `AWS::CloudFormation::Stack` (nested stacks) is intentionally NOT in
 * this set: CFn would CREATE a duplicate nested stack rather than adopt
 * the existing one, which would conflict with whatever the cdkd state
-* thought it owned. cdkd doesn't deploy nested stacks anyway.
+* thought it owned. Fresh `cdkd deploy` of nested stacks is supported
+* via the recursive `NestedStackProvider` (#459), but `cdkd export`
+* adoption back into CloudFormation is deferred to the
+* [#464](https://github.com/go-to-k/cdkd/issues/464) follow-up.
 *
 * Exported for unit testing.
 */
@@ -54222,10 +54954,14 @@ function compareSemver(a, b) {
 *    different from the metadata-transfer migration this command
 *    provides.
 *
-*  - `AWS::CloudFormation::Stack` — nested stacks. cdkd has no
-*    provider for this type, and the matching `cdk migrate` output
-*    flattens nested stacks into separate generated apps in a way
-*    that doesn't round-trip cleanly. Out of scope for #465.
+*  - `AWS::CloudFormation::Stack` — nested stacks. cdkd's recursive
+*    `NestedStackProvider` handles fresh `cdkd deploy` (#459), but
+*    `cdk migrate` flattens nested stacks into separate generated apps
+*    in a way that doesn't round-trip cleanly into cdkd's parent~child
+*    state-key layout, so the migrate command keeps rejecting them.
+*    Adopting an existing CFn-managed nested-stack hierarchy is
+*    deferred to issue
+*    [#464](https://github.com/go-to-k/cdkd/issues/464).
 *
 *  - `Custom::*` — any user-defined Custom Resource type prefix.
 *    Same rationale as `AWS::CloudFormation::CustomResource`.
@@ -55239,7 +55975,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.143.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.145.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());