@go-to-k/cdkd 0.159.3 → 0.160.0

package/dist/{deploy-engine-BzrECC3i.js → deploy-engine-BXWv-yRb.js}

@@ -3354,7 +3354,8 @@ const STATE_SCHEMA_VERSIONS_READABLE = [
 	3,
 	4,
 	5,
-	6
+	6,
+	7
 ];
 /**
 * Returns true when a recorded `DeletionPolicy` should prevent cdkd from
@@ -3597,7 +3598,7 @@ var S3StateBackend = class {
 		const { expectedEtag, migrateLegacy } = options;
 		const body = {
 			...state,
-			version: 6,
+			version: 7,
 			stackName,
 			region
 		};
@@ -9864,20 +9865,25 @@ const PROPERTY_COVERAGE_BY_TYPE = new Map([
 //#endregion
 //#region src/provisioning/property-coverage.ts
 /**
-* Helpers for cdkd's deploy-time property-coverage pre-flight check.
+* Helpers for cdkd's deploy-time property-coverage check.
 *
 * The data ({@link PROPERTY_COVERAGE_BY_TYPE}) is generated by
 * `scripts/gen-property-coverage.ts` (run via `vp run gen:property-coverage`)
 * from the CFn schema fixtures (`tests/fixtures/cfn-schemas/*.json`) and
 * each SDK provider's `handledProperties` / `unhandledByDesign` declarations.
 * This module adds the runtime predicates + the actionable issue link used
-* by the pre-flight check (see {@link ./provider-registry.ProviderRegistry.validateResourceProperties}).
+* by the routing decision (see
+* {@link ./provider-registry.ProviderRegistry.getProviderFor} and
+* {@link ./provider-registry.ProviderRegistry.reportSilentDropDecisions}).
 *
-* The pre-flight rejects deploys whose templates use top-level CFn properties
-* for which cdkd's SDK provider does not write to AWS (= silent drop). The
-* user can opt in to the silent drop on a per-property basis via
-* `--allow-unsupported-properties <Type:Prop>,...`. v0 stance: silent drop
-* is a bug; explicit opt-in is required to proceed.
+* Behavior: when a template uses a top-level CFn property cdkd's SDK
+* Provider does not write to AWS (= silent drop), the resource is
+* **auto-routed via Cloud Control API** by default — CC forwards the
+* full property map verbatim, closing the silent-drop bug (#614). The
+* user can opt out per-property via
+* `--allow-unsupported-properties <Type:Prop>,...`, which keeps the
+* resource on the SDK Provider path and accepts the silent drop (a
+* warn line is logged for auditability).
 */
 /**
 * Look up a Tier 1 type's property-coverage record. Returns `undefined` for
@@ -9914,24 +9920,48 @@ function findSilentDropProperties(resourceType, templateProperties) {
 	return drops.sort((a, b) => a.property.localeCompare(b.property));
 }
 /**
-* A 1-click pre-filled GitHub issue link requesting cdkd support for a
-* specific top-level property on a resource type. Surfaced in the pre-flight
-* error so a user hitting a silent drop lands directly in the "request
-* support" flow.
-*/
-function unsupportedPropertyIssueUrl(resourceType, property) {
-	return `https://github.com/go-to-k/cdkd/issues/new?title=${encodeURIComponent(`Support property ${resourceType}.${property}`)}&labels=resource-support`;
+* Same as {@link findSilentDropProperties} but filters out entries whose
+* `<Type>:<Prop>` key is in the supplied allow set (the
+* `--allow-unsupported-properties` user override). Returned drops are the
+* ones that should drive CC API auto-routing (issue
+* [#614](https://github.com/go-to-k/cdkd/issues/614)) — silent drops
+* the user has explicitly opted-into via the override are removed so the
+* resource stays on the SDK Provider path.
+*
+* Mirrors `findSilentDropProperties`'s sort + early-return behavior:
+* returns `[]` for Tier 2 / Custom / unknown types, undefined / empty
+* `templateProperties`, or when every drop is in `allowedKeys`.
+*/
+function findActionableSilentDrops(resourceType, templateProperties, allowedKeys) {
+	const drops = findSilentDropProperties(resourceType, templateProperties);
+	if (drops.length === 0) return drops;
+	return drops.filter(({ property }) => !allowedKeys.has(`${resourceType}:${property}`));
 }
 
 //#endregion
 //#region src/provisioning/provider-registry.ts
 /**
-* Provider registry for managing resource providers
-*
-* Implements a fallback strategy:
-* 1. Try specific SDK provider if registered for this resource type
-* 2. Fall back to Cloud Control API if resource type is supported
-* 3. Throw error if no provider available
+* Provider registry for managing resource providers.
+*
+* Selection strategy for a fresh resource (see {@link getProviderFor}):
+* 1. Custom Resource (`Custom::*` / `AWS::CloudFormation::CustomResource`)
+*    → Custom Resource provider (recorded as `provisionedBy: 'sdk'`).
+* 2. Existing-state `provisionedBy: 'cc-api'` → Cloud Control (sticky).
+* 3. SDK Provider registered, no silent-drop properties (after the
+*    `--allow-unsupported-properties` override filter) → SDK Provider.
+* 4. SDK Provider registered, silent-drop properties present, NOT all
+*    in the allow set → Cloud Control (auto-route, info-logged).
+* 5. SDK Provider registered, silent-drop properties present, ALL in
+*    the allow set → SDK Provider (the user explicitly accepted the
+*    silent drop, warn-logged).
+* 6. No SDK Provider, Cloud Control supports the type → Cloud Control.
+* 7. `--allow-unsupported-types` escape hatch → Cloud Control optimistically.
+* 8. Otherwise → throw (no provider available).
+*
+* Tier 3 (`NON_PROVISIONABLE`) types are rejected earlier by
+* {@link validateResourceTypes}; the silent-drop auto-route only fires for
+* Tier 1 types whose SDK Provider declares `handledProperties` and where
+* Cloud Control is guaranteed to be a viable alternative.
 */
 var ProviderRegistry = class {
 	logger = getLogger().child("ProviderRegistry");
@@ -9961,10 +9991,12 @@ var ProviderRegistry = class {
 	/**
 	* Escape hatch for the `--allow-unsupported-properties` CLI flag. Each entry
 	* is a `<ResourceType>:<PropertyName>` token (e.g.
-	* `AWS::Lambda::Function:LoggingConfig`). Named entries bypass the
-	* property-level silent-drop pre-flight reject for that exact type+property
-	* pair. Per-type-property (not blanket) so the user explicitly acknowledges
-	* each silent drop they accept.
+	* `AWS::Lambda::Function:LoggingConfig`). As of issue
+	* [#614](https://github.com/go-to-k/cdkd/issues/614), the flag now means
+	* "force the SDK Provider path and accept the silent drop" — the default
+	* for an un-flagged silent-drop property is to auto-route the resource
+	* through Cloud Control instead. Per-type-property (not blanket) so the
+	* user explicitly acknowledges each silent drop they accept.
 	*/
 	allowUnsupportedProperties(entries) {
 		for (const entry of entries) {
@@ -10007,38 +10039,84 @@ var ProviderRegistry = class {
 		this.providers.delete(resourceType);
 	}
 	/**
-	* Get provider for a resource type
+	* Resolve the provider for a resource using the full routing decision
+	* matrix (see class docstring). The returned object carries the chosen
+	* provider, the `provisionedBy` layer label to persist on the resource's
+	* state record, and (for the CC auto-route case) the names of the
+	* silent-drop properties that drove the decision so callers can render
+	* `[via CC API: <reason>]` plan annotations.
 	*
-	* Selection strategy:
-	* 1. If specific SDK provider is registered, use it
-	* 2. Otherwise, use Cloud Control API if supported
-	* 3. Throw error if no provider available
-	*
-	* @param resourceType CloudFormation resource type
-	* @returns Provider instance
-	* @throws Error if no provider available
+	* @throws Error if no provider can be found for the type.
 	*/
-	getProvider(resourceType) {
+	getProviderFor(input) {
+		const { resourceType, properties, provisionedBy } = input;
+		if (isCustomResource(resourceType)) {
+			this.logger.debug(`Using Custom Resource provider for ${resourceType}`);
+			return {
+				provider: this.customResourceProvider,
+				provisionedBy: "sdk"
+			};
+		}
+		if (provisionedBy === "cc-api") {
+			this.logger.debug(`Routing ${resourceType} via Cloud Control (state-recorded provisionedBy=cc-api)`);
+			return {
+				provider: this.cloudControlProvider,
+				provisionedBy: "cc-api"
+			};
+		}
 		const specificProvider = this.providers.get(resourceType);
 		if (specificProvider) {
-			this.logger.debug(`Using specific SDK provider for ${resourceType}`);
-			return specificProvider;
+			const actionableDrops = findActionableSilentDrops(resourceType, properties, this.allowedUnsupportedProperties);
+			if (actionableDrops.length === 0) {
+				this.logger.debug(`Using specific SDK provider for ${resourceType}`);
+				return {
+					provider: specificProvider,
+					provisionedBy: "sdk"
+				};
+			}
+			this.logger.debug(`Auto-routing ${resourceType} via Cloud Control (silent-drop properties: ${actionableDrops.map((d) => d.property).join(", ")})`);
+			return {
+				provider: this.cloudControlProvider,
+				provisionedBy: "cc-api",
+				ccRouteReason: { properties: actionableDrops.map((d) => d.property) }
+			};
 		}
 		if (CloudControlProvider.isSupportedResourceType(resourceType)) {
 			this.logger.debug(`Using Cloud Control API provider for ${resourceType}`);
-			return this.cloudControlProvider;
-		}
-		if (resourceType.startsWith("Custom::") || resourceType === "AWS::CloudFormation::CustomResource") {
-			this.logger.debug(`Using Custom Resource provider for ${resourceType}`);
-			return this.customResourceProvider;
+			return {
+				provider: this.cloudControlProvider,
+				provisionedBy: "cc-api"
+			};
 		}
 		if (this.allowedUnsupportedTypes.has(resourceType)) {
 			this.logger.debug(`Routing escape-hatch-allowed type ${resourceType} through Cloud Control API`);
-			return this.cloudControlProvider;
+			return {
+				provider: this.cloudControlProvider,
+				provisionedBy: "cc-api"
+			};
 		}
 		throw new Error(`No provider available for resource type: ${resourceType}. This resource type is not supported by Cloud Control API and no SDK provider is registered.`);
 	}
 	/**
+	* Legacy entry point that returns just the provider. Delegates to
+	* {@link getProviderFor} with no properties / no state-recorded layer —
+	* which means silent-drop auto-routing CANNOT fire (no template to
+	* inspect) and `provisionedBy === undefined` is treated as SDK semantics
+	* (legacy default). Use {@link getProviderFor} when the caller has
+	* properties / state — otherwise a CC-managed existing resource will get
+	* an SDK Provider on its update / delete path, which is the
+	* silent-data-corruption hazard that v7's schema bump is meant to
+	* prevent.
+	*
+	* Kept on the public surface for the destroy / drift / state-refresh
+	* paths whose call sites only know the resource type (the caller should
+	* still thread `provisionedBy` from state when it's available; this
+	* shape is only safe for type-only callers).
+	*/
+	getProvider(resourceType) {
+		return this.getProviderFor({ resourceType }).provider;
+	}
+	/**
 	* Check if a resource type should be skipped
 	*/
 	shouldSkipResource(resourceType) {
@@ -10050,7 +10128,7 @@ var ProviderRegistry = class {
 	hasProvider(resourceType) {
 		if (this.shouldSkipResource(resourceType)) return true;
 		if (this.allowedUnsupportedTypes.has(resourceType)) return true;
-		return this.providers.has(resourceType) || CloudControlProvider.isSupportedResourceType(resourceType) || resourceType.startsWith("Custom::") || resourceType === "AWS::CloudFormation::CustomResource";
+		return this.providers.has(resourceType) || CloudControlProvider.isSupportedResourceType(resourceType) || isCustomResource(resourceType);
 	}
 	/**
 	* Get the Cloud Control provider instance (for resource state lookup)
@@ -10095,77 +10173,96 @@ var ProviderRegistry = class {
 		this.logger.debug(`Validated ${resourceTypes.size} resource types: all have available providers`);
 	}
 	/**
-	* Pre-flight reject: walk every resource in the template and identify
-	* top-level CFn properties cdkd's SDK provider would silently drop on
-	* write. Throws with a per-resource per-property breakdown + the exact
-	* `--allow-unsupported-properties` re-run command. No-op for Tier 2 (Cloud
-	* Control) types — CC forwards the full property map to AWS, so cdkd has
-	* no write-side silent drop for those.
+	* Walk every resource in the template and identify top-level CFn
+	* properties cdkd's SDK provider would silently drop on write. As of
+	* issue [#614](https://github.com/go-to-k/cdkd/issues/614), this method
+	* **no longer throws** — silent drops now auto-route the resource through
+	* Cloud Control API by default (see {@link getProviderFor}). The method
+	* is retained on the name `validateResourceProperties` so existing deploy
+	* call sites continue to work; it now emits info-level routing decisions
+	* for each silent-drop resource, plus warn-level lines for resources
+	* where the user explicitly opted into the silent drop via
+	* `--allow-unsupported-properties`.
 	*
 	* Must be called AFTER {@link validateResourceTypes} — type-level errors
-	* are reported first. For a type allowed via `--allow-unsupported-types`,
-	* the type-level check passes and this property check is a no-op
-	* (`findSilentDropProperties` returns `[]` for non-Tier-1 / unknown types).
+	* are still hard rejects. For a type allowed via `--allow-unsupported-types`,
+	* the property check is a no-op (`findSilentDropProperties` returns `[]`
+	* for non-Tier-1 / unknown types).
+	*
+	* @see findAutoRouteHits for the pure-functional pre-deploy plan-builder
+	*      that returns the same information without logging.
 	*/
 	validateResourceProperties(resources) {
-		const errors = [];
-		for (const { logicalId, resourceType, properties } of resources) {
+		this.reportSilentDropDecisions(resources);
+	}
+	/**
+	* Info-log every silent-drop routing decision (auto-route via CC API) and
+	* warn-log every silent drop the user explicitly opted into via
+	* `--allow-unsupported-properties` (forced SDK path, the property will
+	* be dropped). Pure side-effect — does not mutate state and never throws.
+	*
+	* Issue [#614](https://github.com/go-to-k/cdkd/issues/614). Replaces the
+	* pre-v0.16x throw path: silent drops are now a routing signal, not an
+	* error.
+	*
+	* When the optional `provisionedBy` (from existing state) is `'cc-api'`,
+	* the auto-route info line is demoted to `debug` — the resource has been
+	* on CC for at least one prior deploy, so the routing decision is
+	* **continuation of sticky state, not a fresh auto-route**. Surfacing the
+	* info line every deploy would be repetitive noise. The warn line for
+	* explicit `--allow-unsupported-properties` overrides is NOT demoted —
+	* that override is an active user choice for THIS deploy and should
+	* surface every time.
+	*/
+	reportSilentDropDecisions(resources) {
+		for (const { logicalId, resourceType, properties, provisionedBy } of resources) {
 			const drops = findSilentDropProperties(resourceType, properties);
-			for (const { property, rationale } of drops) {
+			if (drops.length === 0) continue;
+			const overridden = [];
+			const autoRouted = [];
+			for (const { property } of drops) {
 				const allowKey = `${resourceType}:${property}`;
-				if (this.allowedUnsupportedProperties.has(allowKey)) continue;
-				errors.push({
-					logicalId,
-					resourceType,
-					property,
-					rationale
-				});
+				if (this.allowedUnsupportedProperties.has(allowKey)) overridden.push(property);
+				else autoRouted.push(property);
+			}
+			if (autoRouted.length > 0) {
+				const message = `${logicalId} (${resourceType}): routing via Cloud Control API (cdkd's SDK Provider does not yet wire ${autoRouted.join(", ")} — CC API will forward the full property map. Override via --allow-unsupported-properties ${autoRouted.map((p) => `${resourceType}:${p}`).join(",")}.)`;
+				if (provisionedBy === "cc-api") this.logger.debug(message);
+				else this.logger.info(message);
+			}
+			if (overridden.length > 0) {
+				const propList = overridden.join(", ");
+				this.logger.warn(`${logicalId} (${resourceType}): ${propList} will be silently dropped (--allow-unsupported-properties override accepted). Remove the override to route this resource via Cloud Control API instead.`);
 			}
 		}
-		if (errors.length === 0) return;
-		throw new Error(renderPropertyCoverageError(errors));
 	}
-};
-/**
-* Render the actionable pre-flight error for property-level silent drops.
-* Groups by logical ID, sorts properties within each resource, and emits
-* a comma-joined `--allow-unsupported-properties` re-run command with
-* deduplicated `Type:Prop` entries (the same type appearing in two
-* resources only needs one entry — the flag is per-type-prop, not
-* per-resource).
-*/
-function renderPropertyCoverageError(errors) {
-	const byLogicalId = /* @__PURE__ */ new Map();
-	for (const e of errors) {
-		let entry = byLogicalId.get(e.logicalId);
-		if (!entry) {
-			entry = {
-				resourceType: e.resourceType,
-				props: []
-			};
-			byLogicalId.set(e.logicalId, entry);
+	/**
+	* Pure-functional discovery of every resource whose template uses one or
+	* more silent-drop properties that are NOT in the
+	* `--allow-unsupported-properties` allow set — i.e. every resource that
+	* {@link getProviderFor} would auto-route via Cloud Control. Returned
+	* entries carry the silent-drop property names so plan / diff renderers
+	* can show `[via CC API: LoggingConfig]`.
+	*
+	* Does NOT log or throw. Use {@link reportSilentDropDecisions} for the
+	* side-effecting info / warn surface.
+	*/
+	findAutoRouteHits(resources) {
+		const hits = [];
+		for (const { logicalId, resourceType, properties } of resources) {
+			const actionable = findActionableSilentDrops(resourceType, properties, this.allowedUnsupportedProperties);
+			if (actionable.length === 0) continue;
+			hits.push({
+				logicalId,
+				resourceType,
+				properties: actionable.map((d) => d.property)
+			});
 		}
-		entry.props.push({
-			property: e.property,
-			rationale: e.rationale
-		});
+		return hits;
 	}
-	const sections = [];
-	const sortedLogicalIds = [...byLogicalId.keys()].sort((a, b) => a.localeCompare(b));
-	for (const logicalId of sortedLogicalIds) {
-		const { resourceType, props } = byLogicalId.get(logicalId);
-		const propLines = [...props].sort((a, b) => a.property.localeCompare(b.property)).map(({ property, rationale }) => {
-			return `    - ${property}\n        ${rationale}\n        Request support: ${unsupportedPropertyIssueUrl(resourceType, property)}`;
-		}).join("\n");
-		sections.push(`  ${logicalId} (${resourceType}):\n${propLines}`);
-	}
-	const dedupRerun = Array.from(new Set(errors.map((e) => `${e.resourceType}:${e.property}`))).join(",");
-	return `cdkd would silently drop these properties at deploy time:\n\n` + sections.join("\n\n") + `
-
-These properties exist in your CDK code but cdkd will not write them to AWS. The deployed resource will be missing these fields.
-
-To proceed anyway (accepts the silent drop), re-run with:
-  --allow-unsupported-properties ${dedupRerun}`;
+};
+function isCustomResource(resourceType) {
+	return resourceType.startsWith("Custom::") || resourceType === "AWS::CloudFormation::CustomResource";
 }
 
 //#endregion
@@ -11505,7 +11602,7 @@ var DeployEngine = class {
 		try {
 			const currentStateData = await this.stateBackend.getState(stackName, this.stackRegion);
 			const currentState = currentStateData?.state ?? {
-				version: 6,
+				version: 7,
 				region: this.stackRegion,
 				stackName,
 				resources: {},
@@ -11532,7 +11629,8 @@ var DeployEngine = class {
 			const resourcesForPropertyCheck = Object.entries(template.Resources || {}).filter(([, r]) => r.Type !== "AWS::CDK::Metadata").map(([logicalId, r]) => ({
 				logicalId,
 				resourceType: r.Type,
-				properties: r.Properties
+				properties: r.Properties,
+				provisionedBy: currentState.resources[logicalId]?.provisionedBy
 			}));
 			this.providerRegistry.validateResourceProperties(resourcesForPropertyCheck);
 			this.logger.debug(`All resource properties validated`);
@@ -11553,7 +11651,7 @@ var DeployEngine = class {
 					await this.drainObservedCaptures(currentState.resources);
 					try {
 						const refreshedState = {
-							version: 6,
+							version: 7,
 							region: this.stackRegion,
 							stackName: currentState.stackName,
 							resources: currentState.resources,
@@ -11653,7 +11751,7 @@ var DeployEngine = class {
 			saveChain = saveChain.then(async () => {
 				try {
 					const partialState = {
-						version: 6,
+						version: 7,
 						region: this.stackRegion,
 						stackName: currentState.stackName,
 						resources: newResources,
@@ -11711,6 +11809,7 @@ var DeployEngine = class {
 							logicalId,
 							changeType: change.changeType,
 							resourceType: change.resourceType,
+							provisionedBy: newResources[logicalId]?.provisionedBy ?? previousState?.provisionedBy,
 							previousState,
 							physicalId: newResources[logicalId]?.physicalId,
 							properties: newResources[logicalId]?.properties
@@ -11747,6 +11846,7 @@ var DeployEngine = class {
 							logicalId,
 							changeType: "DELETE",
 							resourceType: change.resourceType,
+							provisionedBy: previousState?.provisionedBy,
 							previousState
 						});
 						saveStateAfterResource(logicalId);
@@ -11759,7 +11859,7 @@ var DeployEngine = class {
 		} catch (error) {
 			try {
 				const preRollbackState = {
-					version: 6,
+					version: 7,
 					region: this.stackRegion,
 					stackName: currentState.stackName,
 					resources: newResources,
@@ -11788,7 +11888,7 @@ var DeployEngine = class {
 			} else await this.performRollback(completedOperations, newResources, stackName);
 			try {
 				const postRollbackState = {
-					version: 6,
+					version: 7,
 					region: this.stackRegion,
 					stackName: currentState.stackName,
 					resources: newResources,
@@ -11803,7 +11903,7 @@ var DeployEngine = class {
 				try {
 					const freshEtag = (await this.stateBackend.getState(stackName, this.stackRegion))?.etag;
 					const postRollbackState = {
-						version: 6,
+						version: 7,
 						region: this.stackRegion,
 						stackName: currentState.stackName,
 						resources: newResources,
@@ -11822,7 +11922,7 @@ var DeployEngine = class {
 		const outputs = await this.resolveOutputs(template, newResources, stackName, parameterValues, conditions);
 		return {
 			state: {
-				version: 6,
+				version: 7,
 				region: this.stackRegion,
 				stackName: currentState.stackName,
 				resources: newResources,
@@ -11922,23 +12022,31 @@ var DeployEngine = class {
 	async performSingleRollback(op, stateResources) {
 		try {
 			switch (op.changeType) {
-				case "CREATE":
+				case "CREATE": {
 					if (!op.physicalId) {
 						this.logger.warn(`  Rollback: Cannot delete ${op.logicalId} — no physical ID recorded`);
 						break;
 					}
 					this.logger.info(`  Rollback: Deleting created resource ${op.logicalId} (${op.resourceType})`);
-					await this.providerRegistry.getProvider(op.resourceType).delete(op.logicalId, op.physicalId, op.resourceType, op.properties, { expectedRegion: this.stackRegion });
+					const { provider } = this.providerRegistry.getProviderFor({
+						resourceType: op.resourceType,
+						provisionedBy: op.provisionedBy
+					});
+					await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties, { expectedRegion: this.stackRegion });
 					delete stateResources[op.logicalId];
 					this.logger.info(`  Rollback: ${op.logicalId} deleted successfully`);
 					break;
+				}
 				case "UPDATE": {
 					if (!op.previousState) {
 						this.logger.warn(`  Rollback: Cannot restore ${op.logicalId} — no previous state available`);
 						break;
 					}
 					this.logger.info(`  Rollback: Restoring ${op.logicalId} (${op.resourceType}) to previous state`);
-					const provider = this.providerRegistry.getProvider(op.resourceType);
+					const { provider } = this.providerRegistry.getProviderFor({
+						resourceType: op.resourceType,
+						provisionedBy: op.provisionedBy
+					});
 					const currentResource = stateResources[op.logicalId];
 					if (!currentResource) {
 						this.logger.warn(`  Rollback: Cannot restore ${op.logicalId} — resource not found in current state`);
@@ -12005,7 +12113,7 @@ var DeployEngine = class {
 	*/
 	async provisionResourceBody(logicalId, change, stateResources, stackName, template, parameterValues, conditions, counts, progress) {
 		const resourceType = change.resourceType;
-		const provider = this.providerRegistry.getProvider(resourceType);
+		const existingState = stateResources[logicalId];
 		const renderer = getLiveRenderer();
 		switch (change.changeType) {
 			case "CREATE": {
@@ -12017,8 +12125,13 @@ var DeployEngine = class {
 					...conditions && { conditions }
 				}, stackName);
 				const resolvedProps = await this.resolver.resolve(desiredProps, context);
-				const { provider: createProvider, properties: createProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
-				const result = await this.withRetry(() => createProvider.create(logicalId, resourceType, createProps), logicalId, void 0, void 0, provider);
+				const createDecision = this.providerRegistry.getProviderFor({
+					resourceType,
+					properties: resolvedProps
+				});
+				const createProvider = createDecision.provider;
+				const createProps = createDecision.provisionedBy === "cc-api" ? this.preparePropertiesForCcApi(resourceType, resolvedProps, logicalId) : resolvedProps;
+				const result = await this.withRetry(() => createProvider.create(logicalId, resourceType, createProps), logicalId, void 0, void 0, createProvider);
 				const dependencies = this.extractAllDependencies(template, logicalId);
 				const templateAttrs = this.extractTemplateAttributes(template, logicalId);
 				stateResources[logicalId] = {
@@ -12027,9 +12140,10 @@ var DeployEngine = class {
 					properties: resolvedProps,
 					...result.attributes && { attributes: result.attributes },
 					...dependencies && dependencies.length > 0 && { dependencies },
-					...templateAttrs
+					...templateAttrs,
+					provisionedBy: createDecision.provisionedBy
 				};
-				this.kickOffObservedCapture(provider, logicalId, result.physicalId, resourceType, resolvedProps);
+				this.kickOffObservedCapture(createProvider, logicalId, result.physicalId, resourceType, resolvedProps);
 				if (counts) counts.created++;
 				if (progress) progress.current++;
 				const createPrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
@@ -12038,7 +12152,7 @@ var DeployEngine = class {
 				break;
 			}
 			case "UPDATE": {
-				const currentResource = stateResources[logicalId];
+				const currentResource = existingState;
 				if (!currentResource) throw new Error(`Cannot update ${logicalId}: resource not found in state`);
 				const desiredProps = change.desiredProperties || {};
 				const currentProps = change.currentProperties || {};
@@ -12073,14 +12187,24 @@ var DeployEngine = class {
 				if (needsReplacement) {
 					const replacedProps = change.propertyChanges?.filter((pc) => pc.requiresReplacement).map((pc) => pc.path).join(", ");
 					this.logger.info(`Replacing ${logicalId} (${resourceType}) - immutable properties changed: ${replacedProps}`);
+					const replaceDecision = this.providerRegistry.getProviderFor({
+						resourceType,
+						properties: resolvedProps
+					});
+					const replaceProvider = replaceDecision.provider;
+					const replaceProps = replaceDecision.provisionedBy === "cc-api" ? this.preparePropertiesForCcApi(resourceType, resolvedProps, logicalId) : resolvedProps;
 					this.logger.info(`  Creating new ${logicalId}...`);
-					const { provider: replaceProvider, properties: replaceProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
-					const createResult = await this.withRetry(() => replaceProvider.create(logicalId, resourceType, replaceProps), logicalId, void 0, void 0, provider);
-					if (template?.Resources?.[logicalId]?.UpdateReplacePolicy === "Retain") this.logger.info(`  Retaining old ${logicalId} (${currentResource.physicalId}) - UpdateReplacePolicy: Retain`);
+					const createResult = await this.withRetry(() => replaceProvider.create(logicalId, resourceType, replaceProps), logicalId, void 0, void 0, replaceProvider);
+					const updateReplacePolicy = template?.Resources?.[logicalId]?.UpdateReplacePolicy;
+					const oldDeleteProvider = this.providerRegistry.getProviderFor({
+						resourceType,
+						provisionedBy: currentResource.provisionedBy
+					}).provider;
+					if (updateReplacePolicy === "Retain") this.logger.info(`  Retaining old ${logicalId} (${currentResource.physicalId}) - UpdateReplacePolicy: Retain`);
 					else {
 						this.logger.info(`  Deleting old ${logicalId} (${currentResource.physicalId})...`);
 						try {
-							await provider.delete(logicalId, currentResource.physicalId, resourceType, currentResource.properties, { expectedRegion: this.stackRegion });
+							await oldDeleteProvider.delete(logicalId, currentResource.physicalId, resourceType, currentResource.properties, { expectedRegion: this.stackRegion });
 							this.logger.info(`  ${green("✓")} Old resource deleted`);
 						} catch (deleteError) {
 							this.logger.warn(`  ⚠ Failed to delete old resource ${logicalId} (${currentResource.physicalId}): ${deleteError instanceof Error ? deleteError.message : String(deleteError)}`);
@@ -12092,9 +12216,10 @@ var DeployEngine = class {
 						properties: resolvedProps,
 						...createResult.attributes && { attributes: createResult.attributes },
 						...dependencies && dependencies.length > 0 && { dependencies },
-						...this.extractTemplateAttributes(template, logicalId)
+						...this.extractTemplateAttributes(template, logicalId),
+						provisionedBy: replaceDecision.provisionedBy
 					};
-					this.kickOffObservedCapture(provider, logicalId, createResult.physicalId, resourceType, resolvedProps);
+					this.kickOffObservedCapture(replaceProvider, logicalId, createResult.physicalId, resourceType, resolvedProps);
 					if (counts) counts.updated++;
 					if (progress) progress.current++;
 					const replacePrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
@@ -12102,28 +12227,41 @@ var DeployEngine = class {
 					this.logger.info(`${replacePrefix}${yellow("↻")} ${bold(logicalId)} ${gray(`(${resourceType})`)} ${yellow("replaced")}`);
 				} else {
 					this.logger.debug(`Updating ${logicalId} (${resourceType})`);
-					const { provider: updateProvider, properties: updateProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
+					const updateDecision = this.providerRegistry.getProviderFor({
+						resourceType,
+						properties: resolvedProps,
+						provisionedBy: currentResource.provisionedBy
+					});
+					const updateProvider = updateDecision.provider;
+					const updateProps = updateDecision.provisionedBy === "cc-api" ? this.preparePropertiesForCcApi(resourceType, resolvedProps, logicalId) : resolvedProps;
 					let result;
+					let resultProvisionedBy = updateDecision.provisionedBy;
 					try {
-						result = await this.withRetry(() => updateProvider.update(logicalId, currentResource.physicalId, resourceType, updateProps, currentProps), logicalId, void 0, void 0, provider);
+						result = await this.withRetry(() => updateProvider.update(logicalId, currentResource.physicalId, resourceType, updateProps, currentProps), logicalId, void 0, void 0, updateProvider);
 					} catch (updateError) {
 						const msg = updateError instanceof Error ? updateError.message : String(updateError);
 						if (msg.includes("UnsupportedActionException") || msg.includes("does not support UPDATE")) {
 							this.logger.info(`UPDATE not supported for ${logicalId} (${resourceType}), replacing (DELETE → CREATE)`);
 							try {
-								await provider.delete(logicalId, currentResource.physicalId, resourceType, currentProps, { expectedRegion: this.stackRegion });
+								await updateProvider.delete(logicalId, currentResource.physicalId, resourceType, currentProps, { expectedRegion: this.stackRegion });
 							} catch (deleteError) {
 								const deleteMsg = deleteError instanceof Error ? deleteError.message : String(deleteError);
 								if (deleteMsg.includes("does not exist") || deleteMsg.includes("not found") || deleteMsg.includes("NotFound")) this.logger.debug(`Old resource ${logicalId} already gone, proceeding with CREATE`);
 								else throw deleteError;
 							}
-							const { provider: replProvider, properties: replProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
-							const createResult = await this.withRetry(() => replProvider.create(logicalId, resourceType, replProps), logicalId, void 0, void 0, provider);
+							const replDecision = this.providerRegistry.getProviderFor({
+								resourceType,
+								properties: resolvedProps
+							});
+							const replProvider = replDecision.provider;
+							const replProps = replDecision.provisionedBy === "cc-api" ? this.preparePropertiesForCcApi(resourceType, resolvedProps, logicalId) : resolvedProps;
+							const createResult = await this.withRetry(() => replProvider.create(logicalId, resourceType, replProps), logicalId, void 0, void 0, replProvider);
 							result = {
 								physicalId: createResult.physicalId,
 								attributes: createResult.attributes,
 								wasReplaced: true
 							};
+							resultProvisionedBy = replDecision.provisionedBy;
 						} else throw updateError;
 					}
 					if (result.wasReplaced) this.logger.info(`Resource ${logicalId} was replaced: ${currentResource.physicalId} -> ${result.physicalId}`);
@@ -12133,9 +12271,10 @@ var DeployEngine = class {
 						properties: resolvedProps,
 						...result.attributes && { attributes: result.attributes },
 						...dependencies && dependencies.length > 0 && { dependencies },
-						...this.extractTemplateAttributes(template, logicalId)
+						...this.extractTemplateAttributes(template, logicalId),
+						provisionedBy: resultProvisionedBy
 					};
-					this.kickOffObservedCapture(provider, logicalId, result.physicalId, resourceType, resolvedProps);
+					this.kickOffObservedCapture(updateProvider, logicalId, result.physicalId, resourceType, resolvedProps);
 					if (counts) counts.updated++;
 					if (progress) progress.current++;
 					const updatePrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
@@ -12145,7 +12284,7 @@ var DeployEngine = class {
 				break;
 			}
 			case "DELETE": {
-				const currentResource = stateResources[logicalId];
+				const currentResource = existingState;
 				if (!currentResource) throw new Error(`Cannot delete ${logicalId}: resource not found in state`);
 				const deletionPolicy = currentResource.deletionPolicy ?? template?.Resources?.[logicalId]?.DeletionPolicy;
 				if (shouldRetainResource(deletionPolicy)) {
@@ -12153,9 +12292,13 @@ var DeployEngine = class {
 					delete stateResources[logicalId];
 					break;
 				}
+				const deleteProvider = this.providerRegistry.getProviderFor({
+					resourceType,
+					provisionedBy: currentResource.provisionedBy
+				}).provider;
 				this.logger.debug(`Deleting ${logicalId} (${resourceType})`);
 				try {
-					await this.withRetry(() => provider.delete(logicalId, currentResource.physicalId, resourceType, currentResource.properties, { expectedRegion: this.stackRegion }), logicalId, 3, 5e3, provider);
+					await this.withRetry(() => deleteProvider.delete(logicalId, currentResource.physicalId, resourceType, currentResource.properties, { expectedRegion: this.stackRegion }), logicalId, 3, 5e3, deleteProvider);
 				} catch (deleteError) {
 					const msg = deleteError instanceof Error ? deleteError.message : String(deleteError);
 					if (msg.includes("does not exist") || msg.includes("was not found") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException") || msg.includes("ResourceNotFoundException")) this.logger.debug(`Resource ${logicalId} already deleted (${msg}), removing from state`);
@@ -12279,35 +12422,23 @@ var DeployEngine = class {
 		}
 	}
 	/**
-	* Select the appropriate provider for create/update, falling back to CC API
-	* if the SDK provider doesn't handle all template properties.
+	* Prepare a property map for a Cloud Control API call. When a Tier 1
+	* resource is routed via Cloud Control (either because the user's
+	* template hit silent-drop properties under #614 or because the resource
+	* is sticky-routed via `provisionedBy: 'cc-api'`), CC requires the full
+	* property map — including identifier-like fields (`BucketName`,
+	* `RoleName`, etc.) that the SDK provider would have auto-generated.
+	* This helper threads the property prep through the registered SDK
+	* provider's `preparePropertiesForFallback` hook when defined, falling
+	* back to `applyDefaultNameForFallback` (which mints stack-prefixed
+	* names matching what the SDK provider would have done) otherwise.
 	*
-	* This safety net prevents properties from being silently dropped when an SDK
-	* provider only maps a subset of CloudFormation properties.
-	*
-	* DELETE always uses the SDK provider (force-delete, cleanup, etc.).
+	* No-ops for types with no registered SDK provider (Tier 2 / CC-native).
 	*/
-	selectProviderWithSafetyNet(sdkProvider, resourceType, resolvedProps, logicalId) {
-		const handledSet = sdkProvider.handledProperties?.get(resourceType);
-		if (!handledSet) return {
-			provider: sdkProvider,
-			properties: resolvedProps
-		};
-		const unhandledProps = Object.keys(resolvedProps).filter((p) => !handledSet.has(p));
-		if (unhandledProps.length === 0) return {
-			provider: sdkProvider,
-			properties: resolvedProps
-		};
-		if (CloudControlProvider.isSupportedResourceType(resourceType) && !sdkProvider.disableCcApiFallback) {
-			this.logger.info(`${logicalId}: SDK provider does not handle [${unhandledProps.join(", ")}] — falling back to CC API for create/update`);
-			const fallbackProps = sdkProvider.preparePropertiesForFallback ? sdkProvider.preparePropertiesForFallback(logicalId, resourceType, resolvedProps) : applyDefaultNameForFallback(logicalId, resourceType, resolvedProps);
-			return {
-				provider: this.providerRegistry.getCloudControlProvider(),
-				properties: fallbackProps
-			};
-		}
-		const reason = sdkProvider.disableCcApiFallback ? "CC API fallback is disabled for this provider (known CC API issues)" : `CC API does not support ${resourceType}`;
-		throw new ProvisioningError(`SDK provider for ${resourceType} does not handle properties [${unhandledProps.join(", ")}] and ${reason}. These properties would be silently dropped. Please update the SDK provider to handle all required properties.`, resourceType, logicalId, "");
+	preparePropertiesForCcApi(resourceType, resolvedProps, logicalId) {
+		const sdkProvider = this.providerRegistry.getRegisteredTypes().includes(resourceType) ? this.providerRegistry.getProvider(resourceType) : void 0;
+		if (sdkProvider?.preparePropertiesForFallback) return sdkProvider.preparePropertiesForFallback(logicalId, resourceType, resolvedProps);
+		return applyDefaultNameForFallback(logicalId, resourceType, resolvedProps);
 	}
 	/**
 	* Execute an operation with retry for transient IAM propagation errors.
@@ -12373,4 +12504,4 @@ var DeployEngine = class {
 
 //#endregion
 export { CdkdError as $, shouldRetainResource as A, resolveSkipPrefix as B, IntrinsicFunctionResolver as C, TemplateParser as D, DagBuilder as E, Synthesizer as F, CFN_TEMPLATE_URL_LIMIT as G, resolveStateBucketWithDefaultAndSource as H, getDefaultStateBucketName as I, uploadCfnTemplate as J, MIGRATE_TMP_PREFIX as K, getLegacyStateBucketName as L, stringifyValue as M, WorkGraph as N, LockManager as O, buildDockerImage as P, AssetError as Q, resolveApp as R, assertRegionMatch as S, DiffCalculator as T, warnDeprecatedNoPrefixCliFlag as U, resolveStateBucketWithDefault as V, CFN_TEMPLATE_BODY_LIMIT as W, clearBucketRegionCache as X, AssemblyReader as Y, resolveBucketRegion as Z, matchesCdkPath as _, formatError as _t, withRetry as a, LockError as at, ProviderRegistry as b, withErrorHandling as bt, bold as c, PartialFailureError as ct, green as d, ResourceUpdateNotSupportedError as dt, ConfigError as et, red as f, RouteDiscoveryError as ft, CDK_PATH_TAG as g, SynthesisError as gt, collectInlinePolicyNamesManagedBySiblings as h, StateError as ht, withResourceDeadline as i, LocalStartServiceError as it, AssetPublisher as j, S3StateBackend as k, cyan as l, ProvisioningError as lt, IAMRoleProvider as m, StackTerminationProtectionError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, LocalInvokeBuildError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, MissingCdkCliError as ot, yellow as p, StackHasActiveImportsError as pt, findLargeInlineResources as q, DeployEngine as r, LocalMigrateError as rt, formatResourceLine as s, NestedStackChildDirectDestroyError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, DependencyError as tt, gray as u, ResourceTimeoutError as ut, normalizeAwsTagsToCfn as v, isCdkdError as vt, applyRoleArnIfSet as w, CloudControlProvider as x, resolveExplicitPhysicalId as y, normalizeAwsError as yt, resolveCaptureObservedState as z };
-//# sourceMappingURL=deploy-engine-BzrECC3i.js.map
+//# sourceMappingURL=deploy-engine-BXWv-yRb.js.map