@go-to-k/cdkd 0.158.0 → 0.158.1

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { $ as CdkdError, A as shouldRetainResource, B as resolveSkipPrefix, C as IntrinsicFunctionResolver, D as TemplateParser, E as DagBuilder, F as Synthesizer, G as CFN_TEMPLATE_URL_LIMIT, H as resolveStateBucketWithDefaultAndSource, I as getDefaultStateBucketName, J as uploadCfnTemplate, K as MIGRATE_TMP_PREFIX, L as getLegacyStateBucketName, M as stringifyValue, N as WorkGraph, O as LockManager, P as buildDockerImage, R as resolveApp, S as assertRegionMatch, T as DiffCalculator, U as warnDeprecatedNoPrefixCliFlag, V as resolveStateBucketWithDefault, W as CFN_TEMPLATE_BODY_LIMIT, Y as AssemblyReader, Z as resolveBucketRegion, _ as matchesCdkPath, a as withRetry, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as PartialFailureError, d as green, dt as ResourceUpdateNotSupportedError, f as red, ft as RouteDiscoveryError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalStartServiceError, j as AssetPublisher, k as S3StateBackend, l as cyan, lt as ProvisioningError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalInvokeBuildError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as MissingCdkCliError, p as yellow, pt as StackHasActiveImportsError, q as findLargeInlineResources, r as DeployEngine, rt as LocalMigrateError, s as formatResourceLine, st as NestedStackChildDirectDestroyError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ResourceTimeoutError, v as normalizeAwsTagsToCfn, w as applyRoleArnIfSet, x as CloudControlProvider, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveCaptureObservedState } from "./deploy-engine-UmoqjtWH.js";
+import { $ as CdkdError, A as shouldRetainResource, B as resolveSkipPrefix, C as IntrinsicFunctionResolver, D as TemplateParser, E as DagBuilder, F as Synthesizer, G as CFN_TEMPLATE_URL_LIMIT, H as resolveStateBucketWithDefaultAndSource, I as getDefaultStateBucketName, J as uploadCfnTemplate, K as MIGRATE_TMP_PREFIX, L as getLegacyStateBucketName, M as stringifyValue, N as WorkGraph, O as LockManager, P as buildDockerImage, R as resolveApp, S as assertRegionMatch, T as DiffCalculator, U as warnDeprecatedNoPrefixCliFlag, V as resolveStateBucketWithDefault, W as CFN_TEMPLATE_BODY_LIMIT, Y as AssemblyReader, Z as resolveBucketRegion, _ as matchesCdkPath, a as withRetry, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as PartialFailureError, d as green, dt as ResourceUpdateNotSupportedError, f as red, ft as RouteDiscoveryError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalStartServiceError, j as AssetPublisher, k as S3StateBackend, l as cyan, lt as ProvisioningError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as LocalInvokeBuildError, o as IMPLICIT_DELETE_DEPENDENCIES, ot as MissingCdkCliError, p as yellow, pt as StackHasActiveImportsError, q as findLargeInlineResources, r as DeployEngine, rt as LocalMigrateError, s as formatResourceLine, st as NestedStackChildDirectDestroyError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ResourceTimeoutError, v as normalizeAwsTagsToCfn, w as applyRoleArnIfSet, x as CloudControlProvider, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveCaptureObservedState } from "./deploy-engine-CGmdz5WP.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
@@ -3225,6 +3225,7 @@ var S3BucketProvider = class {
 		"ObjectLockConfiguration",
 		"ObjectLockEnabled"
 	])]]);
+	unhandledByDesign = new Map([["AWS::S3::Bucket", new Map([["AccessControl", "Legacy canned ACL; AWS disables ACLs by default since 2023-04 — use BucketOwnershipControls + BucketPolicy / PublicAccessBlockConfiguration instead"]])]]);
 	constructor() {
 		const awsClients = getAwsClients();
 		this.s3Client = awsClients.s3;
@@ -5997,6 +5998,7 @@ var SNSSubscriptionProvider = class {
 		"Endpoint",
 		"FilterPolicy"
 	])]]);
+	unhandledByDesign = new Map([["AWS::SNS::Subscription", new Map([["Region", "CFn-only cross-region subscription hint; cdkd uses the SDK client region directly and has no per-resource region override"]])]]);
 	constructor() {
 		const awsClients = getAwsClients();
 		this.snsClient = awsClients.sns;
@@ -11700,9 +11702,11 @@ var EC2Provider = class {
 			"FromPort",
 			"ToPort",
 			"CidrIp",
+			"CidrIpv6",
 			"Description",
 			"SourceSecurityGroupId",
-			"SourceSecurityGroupOwnerId"
+			"SourceSecurityGroupOwnerId",
+			"SourcePrefixListId"
 		])],
 		["AWS::EC2::Instance", new Set([
 			"ImageId",
@@ -11726,10 +11730,15 @@ var EC2Provider = class {
 			"CidrBlock",
 			"Ipv6CidrBlock",
 			"PortRange",
-			"IcmpTypeCode"
+			"Icmp"
 		])],
 		["AWS::EC2::SubnetNetworkAclAssociation", new Set(["SubnetId", "NetworkAclId"])]
 	]);
+	unhandledByDesign = new Map([
+		["AWS::EC2::Instance", new Map([["ElasticGpuSpecifications", "AWS Elastic GPU end-of-life (announced 2023-11); no replacement API"], ["ElasticInferenceAccelerators", "AWS Elastic Inference end-of-life 2024-04; use AWS Inferentia / Trainium accelerator instance families instead"]])],
+		["AWS::EC2::SecurityGroupIngress", new Map([["GroupName", "EC2-Classic-only — use GroupId for VPC security groups (EC2-Classic retired 2022-08-15)"], ["SourceSecurityGroupName", "EC2-Classic-only — use SourceSecurityGroupId for VPC peer security groups (EC2-Classic retired 2022-08-15)"]])],
+		["AWS::EC2::NatGateway", new Map([["VpcId", "AWS derives the VPC from SubnetId; the ec2:CreateNatGateway API has no VpcId parameter"]])]
+	]);
 	constructor() {
 		const awsClients = getAwsClients();
 		this.ec2Client = awsClients.ec2;
@@ -12864,7 +12873,7 @@ var EC2Provider = class {
 			const cidrBlock = properties["CidrBlock"];
 			const ipv6CidrBlock = properties["Ipv6CidrBlock"];
 			const portRange = properties["PortRange"];
-			const icmpTypeCode = properties["IcmpTypeCode"];
+			const icmpTypeCode = properties["Icmp"] ?? properties["IcmpTypeCode"];
 			await this.ec2Client.send(new CreateNetworkAclEntryCommand({
 				NetworkAclId: networkAclId,
 				RuleNumber: ruleNumber,
@@ -13614,7 +13623,10 @@ var EC2Provider = class {
 			const icmp = {};
 			if (entry.IcmpTypeCode.Type !== void 0) icmp["Type"] = entry.IcmpTypeCode.Type;
 			if (entry.IcmpTypeCode.Code !== void 0) icmp["Code"] = entry.IcmpTypeCode.Code;
-			if (Object.keys(icmp).length > 0) result["IcmpTypeCode"] = icmp;
+			if (Object.keys(icmp).length > 0) {
+				result["Icmp"] = icmp;
+				result["IcmpTypeCode"] = icmp;
+			}
 		}
 		return result;
 	}
@@ -13861,6 +13873,7 @@ var ApiGatewayProvider = class ApiGatewayProvider {
 			"MethodResponses"
 		])]
 	]);
+	unhandledByDesign = new Map([["AWS::ApiGateway::Deployment", new Map([["StageName", "CFn-only convenience for inline-creating a Stage from a Deployment; declare AWS::ApiGateway::Stage explicitly to attach to this Deployment"], ["StageDescription", "CFn-only convenience for inline-creating a Stage; declare AWS::ApiGateway::Stage with the Description property instead"]])]]);
 	/** Maximum number of retries for IAM propagation delays */
 	static MAX_IAM_RETRIES = 3;
 	/** Delay between IAM propagation retries (ms) - exponential backoff */
@@ -17003,7 +17016,7 @@ var ECSProvider = class {
 			"CapacityProviderStrategy",
 			"DeploymentConfiguration",
 			"PlacementConstraints",
-			"PlacementStrategy",
+			"PlacementStrategies",
 			"PlatformVersion",
 			"HealthCheckGracePeriodSeconds",
 			"SchedulingStrategy",
@@ -17014,6 +17027,7 @@ var ECSProvider = class {
 			"Tags"
 		])]
 	]);
+	unhandledByDesign = new Map([["AWS::ECS::Service", new Map([["Role", "Legacy classic-ELB service-linked-role override; AWS uses the AWSServiceRoleForECS service-linked role automatically since 2017"]])], ["AWS::ECS::TaskDefinition", new Map([["InferenceAccelerators", "AWS Elastic Inference end-of-life 2024-04; use AWS Inferentia / Trainium accelerator instance families instead"]])]]);
 	getClient() {
 		if (!this.ecsClient) this.ecsClient = new ECSClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.ecsClient;
@@ -17215,7 +17229,7 @@ var ECSProvider = class {
 				capacityProviderStrategy: properties["CapacityProviderStrategy"],
 				deploymentConfiguration: properties["DeploymentConfiguration"],
 				placementConstraints: properties["PlacementConstraints"],
-				placementStrategy: properties["PlacementStrategy"],
+				placementStrategy: properties["PlacementStrategies"] ?? properties["PlacementStrategy"],
 				platformVersion: properties["PlatformVersion"],
 				healthCheckGracePeriodSeconds: properties["HealthCheckGracePeriodSeconds"],
 				schedulingStrategy: properties["SchedulingStrategy"],
@@ -17255,7 +17269,7 @@ var ECSProvider = class {
 				capacityProviderStrategy: properties["CapacityProviderStrategy"],
 				deploymentConfiguration: properties["DeploymentConfiguration"],
 				placementConstraints: properties["PlacementConstraints"],
-				placementStrategy: properties["PlacementStrategy"],
+				placementStrategy: properties["PlacementStrategies"] ?? properties["PlacementStrategy"],
 				platformVersion: properties["PlatformVersion"],
 				healthCheckGracePeriodSeconds: properties["HealthCheckGracePeriodSeconds"],
 				enableExecuteCommand: properties["EnableExecuteCommand"]
@@ -17664,8 +17678,14 @@ var ECSProvider = class {
 		else if (!s.launchType) result["CapacityProviderStrategy"] = [];
 		if (s.deploymentConfiguration) result["DeploymentConfiguration"] = s.deploymentConfiguration;
 		result["PlacementConstraints"] = s.placementConstraints ?? [];
-		if (s.launchType === "EC2" || s.launchType === "EXTERNAL") result["PlacementStrategy"] = s.placementStrategy ?? [];
-		else if (s.placementStrategy && s.placementStrategy.length > 0) result["PlacementStrategy"] = s.placementStrategy;
+		if (s.launchType === "EC2" || s.launchType === "EXTERNAL") {
+			const strategy = s.placementStrategy ?? [];
+			result["PlacementStrategy"] = strategy;
+			result["PlacementStrategies"] = strategy;
+		} else if (s.placementStrategy && s.placementStrategy.length > 0) {
+			result["PlacementStrategy"] = s.placementStrategy;
+			result["PlacementStrategies"] = s.placementStrategy;
+		}
 		result["ServiceRegistries"] = s.serviceRegistries ?? [];
 		result["Tags"] = normalizeAwsTagsToCfn(s.tags);
 		return result;
@@ -18530,6 +18550,11 @@ var RDSProvider = class {
 			"Tags"
 		])]
 	]);
+	unhandledByDesign = new Map([["AWS::RDS::DBCluster", new Map([["DeleteAutomatedBackups", "cdkd hardcodes SkipFinalSnapshot=true on destroy; this CFn lifecycle flag has no equivalent on the runtime path"]])], ["AWS::RDS::DBInstance", new Map([
+		["DBSecurityGroups", "EC2-Classic-only feature retired by AWS (2022-08-15); new accounts cannot use this — use VPCSecurityGroups instead"],
+		["ApplyImmediately", "cdkd always applies modifications immediately (rds:ModifyDBInstance.ApplyImmediately=true is hardcoded); users wanting maintenance-window deferral should run aws rds modify-db-instance directly"],
+		["DeleteAutomatedBackups", "cdkd hardcodes SkipFinalSnapshot=true on destroy; this CFn lifecycle flag has no equivalent on the runtime path"]
+	])]]);
 	getClient() {
 		if (!this.rdsClient) this.rdsClient = new RDSClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.rdsClient;
@@ -20868,6 +20893,7 @@ var NeptuneProvider = class {
 		["AWS::Neptune::DBCluster", new Set([
 			"DBClusterIdentifier",
 			"EngineVersion",
+			"DBPort",
 			"Port",
 			"VpcSecurityGroupIds",
 			"DBSubnetGroupName",
@@ -20997,7 +21023,7 @@ var NeptuneProvider = class {
 				DBClusterIdentifier: dbClusterIdentifier,
 				Engine: "neptune",
 				EngineVersion: properties["EngineVersion"],
-				Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
+				Port: properties["DBPort"] != null ? Number(properties["DBPort"]) : properties["Port"] != null ? Number(properties["Port"]) : void 0,
 				VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
 				DBSubnetGroupName: properties["DBSubnetGroupName"],
 				StorageEncrypted: properties["StorageEncrypted"],
@@ -21043,7 +21069,7 @@ var NeptuneProvider = class {
 				DBClusterParameterGroupName: properties["DBClusterParameterGroupName"],
 				EnableIAMDatabaseAuthentication: properties["IamAuthEnabled"],
 				...sendVpcSgIds && { VpcSecurityGroupIds: vpcSgIds },
-				Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
+				Port: properties["DBPort"] != null ? Number(properties["DBPort"]) : properties["Port"] != null ? Number(properties["Port"]) : void 0,
 				ApplyImmediately: true
 			}));
 			this.logger.debug(`Successfully updated Neptune DBCluster ${logicalId}`);
@@ -21370,7 +21396,10 @@ var NeptuneProvider = class {
 		const result = {};
 		if (cluster.DBClusterIdentifier !== void 0) result["DBClusterIdentifier"] = cluster.DBClusterIdentifier;
 		if (cluster.EngineVersion !== void 0) result["EngineVersion"] = cluster.EngineVersion;
-		if (cluster.Port !== void 0) result["Port"] = cluster.Port;
+		if (cluster.Port !== void 0) {
+			result["Port"] = cluster.Port;
+			result["DBPort"] = cluster.Port;
+		}
 		result["VpcSecurityGroupIds"] = (cluster.VpcSecurityGroups ?? []).map((sg) => sg.VpcSecurityGroupId).filter((id) => !!id);
 		if (cluster.DBSubnetGroup !== void 0) result["DBSubnetGroupName"] = cluster.DBSubnetGroup;
 		if (cluster.StorageEncrypted !== void 0) result["StorageEncrypted"] = cluster.StorageEncrypted;
@@ -22810,6 +22839,7 @@ var ElastiCacheProvider = class {
 	handledProperties = new Map([["AWS::ElastiCache::SubnetGroup", new Set([
 		"CacheSubnetGroupName",
 		"CacheSubnetGroupDescription",
+		"Description",
 		"SubnetIds",
 		"Tags"
 	])], ["AWS::ElastiCache::CacheCluster", new Set([
@@ -22837,6 +22867,7 @@ var ElastiCacheProvider = class {
 		"IpDiscovery",
 		"TransitEncryptionEnabled"
 	])]]);
+	unhandledByDesign = new Map([["AWS::ElastiCache::CacheCluster", new Map([["CacheSecurityGroupNames", "EC2-Classic-only — use VpcSecurityGroupIds for VPC-deployed clusters (EC2-Classic retired 2022-08-15)"]])]]);
 	getClient() {
 		if (!this.client) this.client = new ElastiCacheClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.client;
@@ -22871,7 +22902,7 @@ var ElastiCacheProvider = class {
 		try {
 			await this.getClient().send(new CreateCacheSubnetGroupCommand({
 				CacheSubnetGroupName: cacheSubnetGroupName,
-				CacheSubnetGroupDescription: properties["CacheSubnetGroupDescription"] || `Subnet group for ${logicalId}`,
+				CacheSubnetGroupDescription: properties["Description"] ?? properties["CacheSubnetGroupDescription"] ?? `Subnet group for ${logicalId}`,
 				SubnetIds: properties["SubnetIds"]
 			}));
 			this.logger.debug(`Successfully created CacheSubnetGroup ${logicalId}: ${cacheSubnetGroupName}`);
@@ -22889,7 +22920,7 @@ var ElastiCacheProvider = class {
 		try {
 			await this.getClient().send(new ModifyCacheSubnetGroupCommand({
 				CacheSubnetGroupName: physicalId,
-				CacheSubnetGroupDescription: properties["CacheSubnetGroupDescription"],
+				CacheSubnetGroupDescription: properties["Description"] ?? properties["CacheSubnetGroupDescription"],
 				SubnetIds: properties["SubnetIds"]
 			}));
 			this.logger.debug(`Successfully updated CacheSubnetGroup ${logicalId}`);
@@ -23199,7 +23230,10 @@ var ElastiCacheProvider = class {
 		if (!group) return void 0;
 		const result = {};
 		if (group.CacheSubnetGroupName !== void 0) result["CacheSubnetGroupName"] = group.CacheSubnetGroupName;
-		if (group.CacheSubnetGroupDescription !== void 0) result["CacheSubnetGroupDescription"] = group.CacheSubnetGroupDescription;
+		if (group.CacheSubnetGroupDescription !== void 0) {
+			result["CacheSubnetGroupDescription"] = group.CacheSubnetGroupDescription;
+			result["Description"] = group.CacheSubnetGroupDescription;
+		}
 		result["SubnetIds"] = (group.Subnets ?? []).map((s) => s.SubnetIdentifier).filter((id) => !!id);
 		if (group.ARN) await this.attachTags(result, group.ARN);
 		return result;
@@ -23853,6 +23887,7 @@ var AppSyncProvider = class {
 			"Expires"
 		])]
 	]);
+	unhandledByDesign = new Map([["AWS::AppSync::DataSource", new Map([["ElasticsearchConfig", "Legacy Elasticsearch alias; use OpenSearchServiceConfig (AppSync deprecated the Elasticsearch DataSource type in favor of OpenSearch)"]])]]);
 	getClient() {
 		if (!this.client) this.client = new AppSyncClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.client;
@@ -24718,9 +24753,14 @@ var GlueProvider = class {
 	cachedAccountId;
 	providerRegion = process.env["AWS_REGION"];
 	logger = getLogger().child("GlueProvider");
-	handledProperties = new Map([["AWS::Glue::Database", new Set(["DatabaseInput", "CatalogId"])], ["AWS::Glue::Table", new Set([
+	handledProperties = new Map([["AWS::Glue::Database", new Set([
+		"DatabaseInput",
+		"DatabaseName",
+		"CatalogId"
+	])], ["AWS::Glue::Table", new Set([
 		"DatabaseName",
 		"TableInput",
+		"Name",
 		"CatalogId"
 	])]]);
 	getClient() {
@@ -24752,8 +24792,8 @@ var GlueProvider = class {
 		this.logger.debug(`Creating Glue Database ${logicalId}`);
 		const databaseInput = properties["DatabaseInput"];
 		if (!databaseInput) throw new ProvisioningError(`DatabaseInput is required for Glue Database ${logicalId}`, resourceType, logicalId);
-		const databaseName = databaseInput["Name"];
-		if (!databaseName) throw new ProvisioningError(`DatabaseInput.Name is required for Glue Database ${logicalId}`, resourceType, logicalId);
+		const databaseName = databaseInput["Name"] ?? properties["DatabaseName"];
+		if (!databaseName) throw new ProvisioningError(`DatabaseInput.Name or top-level DatabaseName is required for Glue Database ${logicalId}`, resourceType, logicalId);
 		const catalogId = properties["CatalogId"];
 		try {
 			await this.getClient().send(new CreateDatabaseCommand({
@@ -24816,14 +24856,14 @@ var GlueProvider = class {
 		if (!databaseName) throw new ProvisioningError(`DatabaseName is required for Glue Table ${logicalId}`, resourceType, logicalId);
 		const tableInput = properties["TableInput"];
 		if (!tableInput) throw new ProvisioningError(`TableInput is required for Glue Table ${logicalId}`, resourceType, logicalId);
-		const tableName = tableInput["Name"];
-		if (!tableName) throw new ProvisioningError(`TableInput.Name is required for Glue Table ${logicalId}`, resourceType, logicalId);
+		const tableName = tableInput["Name"] ?? properties["Name"];
+		if (!tableName) throw new ProvisioningError(`TableInput.Name or top-level Name is required for Glue Table ${logicalId}`, resourceType, logicalId);
 		const catalogId = properties["CatalogId"];
 		try {
 			await this.getClient().send(new CreateTableCommand$1({
 				CatalogId: catalogId,
 				DatabaseName: databaseName,
-				TableInput: this.buildTableInput(tableInput)
+				TableInput: this.buildTableInput(tableInput, tableName)
 			}));
 			const physicalId = `${databaseName}|${tableName}`;
 			this.logger.debug(`Successfully created Glue Table ${logicalId}: ${physicalId}`);
@@ -24838,8 +24878,8 @@ var GlueProvider = class {
 	}
 	async updateTable(logicalId, physicalId, resourceType, properties) {
 		this.logger.debug(`Updating Glue Table ${logicalId}: ${physicalId}`);
-		const [databaseName] = physicalId.split("|");
-		if (!databaseName) throw new ProvisioningError(`Invalid Glue Table physical ID format: ${physicalId}`, resourceType, logicalId, physicalId);
+		const [databaseName, tableName] = physicalId.split("|");
+		if (!databaseName || !tableName) throw new ProvisioningError(`Invalid Glue Table physical ID format: ${physicalId}`, resourceType, logicalId, physicalId);
 		const tableInput = properties["TableInput"];
 		if (!tableInput) throw new ProvisioningError(`TableInput is required for Glue Table update ${logicalId}`, resourceType, logicalId, physicalId);
 		const catalogId = properties["CatalogId"];
@@ -24847,7 +24887,7 @@ var GlueProvider = class {
 			await this.getClient().send(new UpdateTableCommand$1({
 				CatalogId: catalogId,
 				DatabaseName: databaseName,
-				TableInput: this.buildTableInput(tableInput)
+				TableInput: this.buildTableInput(tableInput, tableName)
 			}));
 			this.logger.debug(`Successfully updated Glue Table ${logicalId}`);
 			return {
@@ -24902,8 +24942,8 @@ var GlueProvider = class {
 	/**
 	* Build TableInput for Glue API from CFn template properties
 	*/
-	buildTableInput(tableInput) {
-		const result = { Name: tableInput["Name"] };
+	buildTableInput(tableInput, fallbackName) {
+		const result = { Name: tableInput["Name"] ?? fallbackName };
 		if (tableInput["Description"] !== void 0) result.Description = tableInput["Description"];
 		if (tableInput["TableType"] !== void 0) result.TableType = tableInput["TableType"];
 		if (tableInput["Parameters"] !== void 0) {
@@ -25009,7 +25049,9 @@ var GlueProvider = class {
 		dbInput["Description"] = db.Description ?? "";
 		if (db.LocationUri !== void 0) dbInput["LocationUri"] = db.LocationUri;
 		dbInput["Parameters"] = db.Parameters ?? {};
-		return { DatabaseInput: dbInput };
+		const result = { DatabaseInput: dbInput };
+		if (db.Name !== void 0) result["DatabaseName"] = db.Name;
+		return result;
 	}
 	async readTable(physicalId) {
 		const [databaseName, tableName] = physicalId.split("|");
@@ -25037,10 +25079,12 @@ var GlueProvider = class {
 		if (table.ViewOriginalText !== void 0) tableInput["ViewOriginalText"] = table.ViewOriginalText;
 		if (table.ViewExpandedText !== void 0) tableInput["ViewExpandedText"] = table.ViewExpandedText;
 		if (table.TargetTable) tableInput["TargetTable"] = table.TargetTable;
-		return {
+		const result = {
 			DatabaseName: databaseName,
 			TableInput: tableInput
 		};
+		if (table.Name !== void 0) result["Name"] = table.Name;
+		return result;
 	}
 	async import(input) {
 		switch (input.resourceType) {
@@ -27455,6 +27499,7 @@ var EFSProvider = class {
 			"AccessPointTags"
 		])]
 	]);
+	unhandledByDesign = new Map([["AWS::EFS::AccessPoint", new Map([["ClientToken", "AWS SDK manages this idempotency token internally on CreateAccessPoint; no user-supplied value is honored"]])]]);
 	getClient() {
 		if (!this.client) this.client = new EFSClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.client;
@@ -30466,6 +30511,7 @@ var S3TablesProvider = class {
 		["AWS::S3Tables::Table", new Set([
 			"TableBucketARN",
 			"Namespace",
+			"TableName",
 			"Name",
 			"Format"
 		])]
@@ -30628,8 +30674,8 @@ var S3TablesProvider = class {
 		if (!tableBucketARN) throw new ProvisioningError(`TableBucketARN is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
 		const namespace = properties["Namespace"];
 		if (!namespace) throw new ProvisioningError(`Namespace is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
-		const name = properties["Name"];
-		if (!name) throw new ProvisioningError(`Name is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
+		const name = properties["TableName"] ?? properties["Name"];
+		if (!name) throw new ProvisioningError(`TableName is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
 		const format = properties["Format"];
 		if (!format) throw new ProvisioningError(`Format is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
 		try {
@@ -30714,10 +30760,12 @@ var S3TablesProvider = class {
 			if (err instanceof NotFoundException$5) return void 0;
 			throw err;
 		}
+		const tableNameValue = resp.name ?? name;
 		const result = {
 			TableBucketARN: tableBucketARN,
 			Namespace: namespace,
-			Name: resp.name ?? name
+			Name: tableNameValue,
+			TableName: tableNameValue
 		};
 		if (resp.format !== void 0) result["Format"] = resp.format;
 		return result;
@@ -31258,6 +31306,7 @@ var ASGProvider = class ASGProvider {
 		"InstanceMaintenancePolicy",
 		"DeletionProtection"
 	])]]);
+	unhandledByDesign = new Map([["AWS::AutoScaling::AutoScalingGroup", new Map([["LaunchConfigurationName", "AWS Launch Configurations end-of-life 2024-10; use LaunchTemplate instead"], ["NotificationConfiguration", "Legacy singular form; use NotificationConfigurations (plural) which cdkd already wires"]])]]);
 	getClient() {
 		if (!this.asgClient) this.asgClient = new AutoScalingClient(this.providerRegion ? { region: this.providerRegion } : {});
 		return this.asgClient;
@@ -41608,6 +41657,7 @@ var CfnLocalStateProvider = class {
 	region;
 	client;
 	clientOptions;
+	disposed = false;
 	constructor(opts) {
 		this.cfnStackName = opts.cfnStackName;
 		this.region = opts.region;
@@ -41615,6 +41665,7 @@ var CfnLocalStateProvider = class {
 		if (opts.profile !== void 0) this.clientOptions.profile = opts.profile;
 	}
 	getClient() {
+		if (this.disposed) throw new Error("CfnLocalStateProvider used after dispose()");
 		if (!this.client) this.client = new CloudFormationClient({ region: this.region });
 		return this.client;
 	}
@@ -41631,13 +41682,14 @@ var CfnLocalStateProvider = class {
 	* behavior on every intrinsic-valued env var.
 	*/
 	async load(_stackName, _synthRegion) {
+		if (this.disposed) throw new Error("CfnLocalStateProvider used after dispose()");
 		const logger = getLogger();
 		const client = this.getClient();
 		let resourceMap;
 		try {
 			resourceMap = buildResourceStateMap((await client.send(new DescribeStackResourcesCommand({ StackName: this.cfnStackName }))).StackResources ?? []);
 		} catch (err) {
-			logger.warn(`${this.label}: DescribeStackResources(${this.cfnStackName}) failed: ${err instanceof Error ? err.message : String(err)}. Was the stack deployed in region '${this.region}'? Falling back.`);
+			logger.warn(`${this.label}: DescribeStackResources(${this.cfnStackName}) failed: ${formatAwsErrorForWarn(err)}. Was the stack deployed in region '${this.region}'? Falling back.`);
 			return;
 		}
 		let outputs;
@@ -41648,7 +41700,7 @@ var CfnLocalStateProvider = class {
 				outputs = {};
 			} else outputs = buildOutputsMap(stack.Outputs ?? []);
 		} catch (err) {
-			logger.warn(`${this.label}: DescribeStacks(${this.cfnStackName}) failed: ${err instanceof Error ? err.message : String(err)}. Outputs will be empty (Fn::GetStackOutput cannot resolve).`);
+			logger.warn(`${this.label}: DescribeStacks(${this.cfnStackName}) failed: ${formatAwsErrorForWarn(err)}. Outputs will be empty (Fn::GetStackOutput cannot resolve).`);
 			outputs = {};
 		}
 		return {
@@ -41672,18 +41724,18 @@ var CfnLocalStateProvider = class {
 	* partition-aware region list.
 	*/
 	async buildCrossStackResolver(_consumerRegion) {
+		if (this.disposed) throw new Error("CfnLocalStateProvider used after dispose()");
 		const logger = getLogger();
 		const client = this.getClient();
 		const label = this.label;
 		const region = this.region;
-		let cachedExports;
-		const ensureExports = async () => {
-			if (cachedExports) return cachedExports;
-			const result = await fetchAllExports(client).catch((err) => {
-				logger.warn(`${label}: ListExports (${region}) failed: ${err instanceof Error ? err.message : String(err)}. Fn::ImportValue intrinsics will warn-and-drop.`);
+		let exportsPromise;
+		const ensureExports = () => {
+			if (exportsPromise) return exportsPromise;
+			exportsPromise = fetchAllExports(client).catch((err) => {
+				logger.warn(`${label}: ListExports (${region}) failed: ${formatAwsErrorForWarn(err)}. Fn::ImportValue intrinsics will warn-and-drop.`);
 			});
-			if (result) cachedExports = result;
-			return result;
+			return exportsPromise;
 		};
 		return {
 			async resolveImport(exportName) {
@@ -41697,6 +41749,7 @@ var CfnLocalStateProvider = class {
 		};
 	}
 	dispose() {
+		this.disposed = true;
 		if (this.client) {
 			this.client.destroy();
 			this.client = void 0;
@@ -41764,9 +41817,32 @@ async function fetchAllExports(client) {
 		nextToken = resp.NextToken;
 		pages += 1;
 		if (pages > 50) throw new Error("ListExports pagination exceeded 50 pages — likely a malformed NextToken loop.");
-	} while (nextToken !== void 0);
+	} while (nextToken !== void 0 && nextToken !== "");
 	return out;
 }
+/**
+* Format an AWS SDK error as `<name> (HTTP <status>): <message>` so the
+* surfaced warn name the error class (e.g. `ThrottlingException`,
+* `AccessDeniedException`, `ValidationError`) and HTTP status alongside
+* the human-readable message. Falls back to the bare message for
+* non-SDK errors (the existing pre-issue-#611 behavior) so non-AWS
+* thrown values still surface meaningfully. Exported for unit testing.
+*
+* Issue #611 NIT 4 — `normalizeAwsError` in `utils/error-handler.ts` is
+* S3-bucket-specific (it rewrites the synthetic `Unknown`/`UnknownError`
+* with bucket / region context), so the CFn provider extracts the
+* pieces directly here.
+*/
+function formatAwsErrorForWarn(err) {
+	if (!(err instanceof Error)) return String(err);
+	const name = err.name && err.name !== "Error" ? err.name : void 0;
+	const status = err.$metadata?.httpStatusCode;
+	const prefixParts = [];
+	if (name !== void 0) prefixParts.push(name);
+	if (status !== void 0) prefixParts.push(`HTTP ${status}`);
+	if (prefixParts.length === 0) return err.message;
+	return `${prefixParts.join(" ")}: ${err.message}`;
+}
 
 //#endregion
 //#region src/cli/commands/local-state-source.ts
@@ -41811,6 +41887,22 @@ function resolveCfnStackName(fromCfnStack, cdkdStackName) {
 	return cdkdStackName;
 }
 /**
+* Single source of truth for "is the user asking for `--from-cfn-stack`?".
+* Commander maps the flag to one of `undefined` (absent) / `true` (bare) /
+* `'<name>'` (explicit). Everything except `undefined` / `false` means the
+* flag is present. Extracted so the `local-start-api` "state source
+* active" check (the parent call site that decides whether to load any
+* state at all) and `createLocalStateProvider`'s own branch logic stay
+* in lock-step — a previous duplication of this predicate motivated the
+* extraction (issue #611 NIT 5).
+*
+* Exported for use by `local-start-api` and unit testing.
+*/
+function isCfnFlagPresent(opts) {
+	const v = opts.fromCfnStack;
+	return v !== void 0 && v !== false;
+}
+/**
 * Resolve the region used for the CFn client. The CFn provider is
 * region-bound at construction time; we apply the precedence chain
 * `--stack-region` > `--region` > `AWS_REGION` > `AWS_DEFAULT_REGION`
@@ -41881,8 +41973,9 @@ function rejectExplicitCfnStackWithMultipleStacks(options, routedStackCount) {
 */
 function createLocalStateProvider(options, cdkdStackName, synthRegion) {
 	const cfnStackOpt = options.fromCfnStack;
-	const cfnFlagPresent = cfnStackOpt !== void 0 && cfnStackOpt !== false;
+	const cfnFlagPresent = isCfnFlagPresent(options);
 	if (options.fromState && cfnFlagPresent) throw new LocalStateSourceError("--from-state and --from-cfn-stack are mutually exclusive. Use --from-state for stacks deployed via `cdkd deploy`; use --from-cfn-stack for stacks deployed via `cdk deploy` (CloudFormation).");
+	if (cfnStackOpt === "") throw new LocalStateSourceError("--from-cfn-stack requires a non-empty stack name when an explicit value is provided. Drop the value to use the cdkd stack name, or pass --from-cfn-stack <name>.");
 	if (options.fromState) return new S3LocalStateProvider({
 		statePrefix: options.statePrefix,
 		...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
@@ -53827,7 +53920,7 @@ async function localStartApiCommand(target, options) {
 			const m = buildCorsConfigByApiId(stack.template);
 			for (const [k, v] of m) corsConfigByApiId.set(k, v);
 		}
-		const stateByStack = options.fromState || options.fromCfnStack !== void 0 && options.fromCfnStack !== false ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
+		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
 		const specs = /* @__PURE__ */ new Map();
 		for (let i = 0; i < lambdaIds.length; i++) {
@@ -59343,7 +59436,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.158.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.158.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());