@go-to-k/cdkd 0.150.0 → 0.150.2

package/dist/cli.js

@@ -35832,6 +35832,18 @@ async function confirmPrompt$2(prompt) {
 * itself; we do not try to maintain a closed allowlist here.
 */
 const NEVER_IMPORTABLE_TYPES = new Set(["AWS::CDK::Metadata"]);
+/**
+* Per-non-root-child lock-acquisition retry budget for the nested-stack
+* export loop (`runPerStackImportLoop`). `acquireLockWithRetry` retries
+* `maxRetries` times with `retryDelay` between attempts, so the total wait
+* ceiling is `maxRetries * retryDelay` ≈ 30s. A genuinely-active concurrent
+* cdkd run on a child is awaited briefly instead of failing instantly;
+* `acquireLock`'s own expired-lock auto-cleanup (30-min TTL) covers the
+* crashed-previous-run case. 30s keeps an interactive `cdkd export` snappy
+* even across a multi-level tree (each child waits at most this ceiling).
+*/
+const CHILD_LOCK_RETRY_MAX_ATTEMPTS = 6;
+const CHILD_LOCK_RETRY_DELAY_MS = 5e3;
 function isNeverImportableType(resourceType) {
 	if (NEVER_IMPORTABLE_TYPES.has(resourceType)) return true;
 	if (isCustomResourceType(resourceType)) return true;
@@ -36430,10 +36442,22 @@ function flattenCdkdStateTreeLeafFirst(tree) {
 * Top-level cdkd stack names that already conform to CFn's character set
 * are passed through unchanged — `cdkd2cfnStackName('MyApp') === 'MyApp'`.
 *
+* The post-substitution result is validated against the same CFn
+* stack-name regex `parseCfnChildStackNameOverrides` enforces
+* (`[a-zA-Z][-a-zA-Z0-9]*`). The `~` → `-` swap only handles the v6
+* separator; a cdkd name that is otherwise CFn-illegal (leading digit /
+* underscore, embedded `.` or `/`, etc.) would still pass through and
+* surface as an opaque CFn API rejection deep inside the IMPORT loop.
+* Throwing here surfaces the problem at orchestrator pre-flight time with
+* an actionable pointer at the `--cfn-stack-name` / `--cfn-child-stack-name`
+* override escape hatch.
+*
 * Issue #464 design §9 Q8.
 */
 function cdkd2cfnStackName(cdkdStackName) {
-	return cdkdStackName.replace(/~/g, "-");
+	const cfnName = cdkdStackName.replace(/~/g, "-");
+	if (!/^[a-zA-Z][-a-zA-Z0-9]*$/.test(cfnName)) throw new Error(`cdkd stack name '${cdkdStackName}' maps to CFn stack name '${cfnName}', which violates the CloudFormation stack-name constraint [a-zA-Z][-a-zA-Z0-9]* (must start with a letter; no '_', '.', '/', or other special characters). Supply an explicit name via --cfn-stack-name (root) or --cfn-child-stack-name '<cdkdName>=<cfnName>' (nested child).`);
+	return cfnName;
 }
 /**
 * Parse the repeatable `--cfn-child-stack-name <cdkdName>=<cfnName>` CLI
@@ -37327,10 +37351,15 @@ async function collectImportFailureSummary(cfnClient, stackName) {
 * `cdkd:nested-export-flip` tag is the only delta). This is the canonical
 * AWS workaround for the IMPORT_COMPLETE → UPDATE_COMPLETE transition.
 *
-* Idempotency: each invocation uses a fresh ISO 8601 timestamp value so
-* AWS never returns "No updates are to be performed" (which would leave
-* the stack stuck in `IMPORT_COMPLETE`). The tag accumulates across
-* retries — harmless and easy to reap manually under the `cdkd:` prefix.
+* Idempotency: each invocation uses a fresh ISO 8601 timestamp PLUS an
+* 8-char random UUID slice as the tag value so AWS never returns "No
+* updates are to be performed" (which would leave the stack stuck in
+* `IMPORT_COMPLETE`). The timestamp alone is insufficient — two rapid
+* back-to-back flips on the same stack within the same millisecond (e.g.
+* a retry after a transient SDK error) would otherwise emit identical
+* values; the UUID suffix guarantees uniqueness regardless of clock
+* resolution. The tag accumulates across retries — harmless and easy to
+* reap manually under the `cdkd:` prefix.
 *
 * Exported for unit testing.
 */
@@ -37340,7 +37369,7 @@ async function flipStackToUpdateComplete(cfnClient, cfnStackName) {
 		UsePreviousTemplate: true,
 		Tags: [{
 			Key: "cdkd:nested-export-flip",
-			Value: (/* @__PURE__ */ new Date()).toISOString()
+			Value: `${(/* @__PURE__ */ new Date()).toISOString()}-${randomUUID().slice(0, 8)}`
 		}],
 		Capabilities: [
 			"CAPABILITY_IAM",
@@ -37566,7 +37595,11 @@ async function runPerStackImportLoop(args) {
 	try {
 		for (const node of leafFirst) {
 			if (node.stackName === rootStackName) continue;
-			if (!await deps.lockManager.acquireLock(node.stackName, node.region, deps.lockOwner, "export")) throw new Error(`Could not acquire lock for nested-stack child '${node.stackName}' (${node.region}) — another cdkd process holds it. Wait for it to finish, or run 'cdkd force-unlock ${node.stackName}' if you are certain no other process is active. No CloudFormation changeset has been submitted; cdkd state is unchanged.`);
+			try {
+				await deps.lockManager.acquireLockWithRetry(node.stackName, node.region, deps.lockOwner, "export", CHILD_LOCK_RETRY_MAX_ATTEMPTS, CHILD_LOCK_RETRY_DELAY_MS);
+			} catch (err) {
+				throw new Error(`Could not acquire lock for nested-stack child '${node.stackName}' (${node.region}) — another cdkd process held it through the retry window. Wait for it to finish, or run 'cdkd force-unlock ${node.stackName}' if you are certain no other process is active. No CloudFormation changeset has been submitted; cdkd state is unchanged.`, { cause: err instanceof Error ? err : void 0 });
+			}
 			acquiredChildLocks.push({
 				stackName: node.stackName,
 				region: node.region
@@ -37575,6 +37608,7 @@ async function runPerStackImportLoop(args) {
 		const cfnArnByCdkdName = /* @__PURE__ */ new Map();
 		const uploadCleanups = [];
 		const importedStacks = [];
+		const sessionIntrinsicSkipped = /* @__PURE__ */ new Map();
 		try {
 			for (let i = 0; i < perStackPlans.length; i++) {
 				const plan = perStackPlans[i];
@@ -37588,7 +37622,10 @@ async function runPerStackImportLoop(args) {
 					const parentPlan = perStackPlans.find((p) => p.cdkdName === parentStackName);
 					if (!parentPlan) throw new Error(`runPerStackImportLoop: child '${plan.cdkdName}' references parent '${parentStackName}' which is not in the per-stack plan list — tree shape is inconsistent.`);
 					const extracted = extractChildImportParameters(parentPlan.template, parentLogicalId);
-					if (extracted.intrinsicSkipped.length > 0) logger.warn(`  Child '${plan.cdkdName}': skipping intrinsic-valued Parameter(s) ${extracted.intrinsicSkipped.join(", ")} (intrinsic-resolution at leaf-IMPORT time is a deferred follow-up). The child template's Parameter Default values must cover these — otherwise CFn will reject the IMPORT.`);
+					if (extracted.intrinsicSkipped.length > 0) {
+						sessionIntrinsicSkipped.set(plan.cdkdName, extracted.intrinsicSkipped);
+						logger.warn(`  Child '${plan.cdkdName}': skipping intrinsic-valued Parameter(s) ${extracted.intrinsicSkipped.join(", ")} (intrinsic-resolution at leaf-IMPORT time is a deferred follow-up). The child template's Parameter Default values must cover these — otherwise CFn will reject the IMPORT.`);
+					}
 					stackParameters = extracted.params;
 				}
 				const phase1ATemplate = filterTemplateForImport(plan.template, plan.phase1Imports);
@@ -37695,6 +37732,10 @@ async function runPerStackImportLoop(args) {
 				const lines = stateDeletionFailures.map((f) => `  - cdkd/${f.stackName}/${f.region}/state.json: ${f.reason}`).join("\n");
 				throw new Error(`${stateDeletionFailures.length} cdkd state record(s) could not be deleted after a successful per-stack IMPORT loop. Every stack in the tree IS CFn-managed (the migration succeeded AWS-side); orphan state remains under:\n${lines}\nRecover with 'cdkd state orphan <stack>' per record.`);
 			}
+			if (sessionIntrinsicSkipped.size > 0) {
+				const detail = [...sessionIntrinsicSkipped.entries()].map(([cdkdName, params]) => `${cdkdName} (${params.join(", ")})`).join("; ");
+				logger.warn(`${sessionIntrinsicSkipped.size} stack(s) had intrinsic-valued Parameter(s) skipped at IMPORT time: ${detail}. Verify each child template's Parameter Default values cover these before the first 'cdk deploy' — intrinsic resolution at leaf-IMPORT time is a deferred follow-up.`);
+			}
 			return {
 				outcome: "success",
 				importedStacks
@@ -53688,6 +53729,7 @@ async function runEcsTask(task, options, state) {
 			platformOverride: options.platformOverride,
 			region: options.region,
 			sidecarIp: state.network.sidecarIp,
+			...options.skipHostPortPublish ? { skipHostPortPublish: true } : {},
 			...options.addHostFlags && options.addHostFlags.length > 0 ? { addHostFlags: options.addHostFlags } : {},
 			...(options.networkAliasesByContainer?.get(container.name)?.length ?? 0) > 0 ? { networkAliases: options.networkAliasesByContainer.get(container.name) } : {}
 		}));
@@ -54017,7 +54059,7 @@ function buildDockerRunArgs(opts) {
 	if (opts.addHostFlags && opts.addHostFlags.length > 0) for (const f of opts.addHostFlags) args.push(f);
 	if (opts.platformOverride) args.push("--platform", opts.platformOverride);
 	else if (task.runtimePlatform) args.push("--platform", task.runtimePlatform.cpuArchitecture === "ARM64" ? "linux/arm64" : "linux/amd64");
-	for (const pm of container.portMappings) {
+	if (!opts.skipHostPortPublish) for (const pm of container.portMappings) {
 		const hostPort = pm.hostPort ?? pm.containerPort;
 		args.push("-p", `${containerHost}:${hostPort}:${pm.containerPort}/${pm.protocol}`);
 	}
@@ -54910,10 +54952,12 @@ async function bootReplica(service, options, instance) {
 	const addHostFlags = options.discovery?.registry ? options.discovery.registry.buildAddHostFlags(ownerKeyPrefix) : [];
 	const sharedNetwork = options.discovery?.sharedNetwork;
 	const networkAliasesByContainer = buildNetworkAliasesByContainer(service);
+	const skipHostPortPublish = computeReplicaCount(service.desiredCount, options.maxTasks) > 1;
 	const perReplicaTaskOptions = {
 		...options.taskOptions,
 		cluster: perReplicaCluster,
 		detach: true,
+		...skipHostPortPublish ? { skipHostPortPublish: true } : {},
 		...sharedNetwork ? { existingNetwork: sharedNetwork } : { subnetOctet: pickSubnetOctet(instance.index) },
 		...addHostFlags.length > 0 ? { addHostFlags } : {},
 		...networkAliasesByContainer.size > 0 ? { networkAliasesByContainer } : {}
@@ -57585,7 +57629,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.150.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.150.2");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());