@go-to-k/cdkd 0.161.3 → 0.162.0

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as normalizeAwsError, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, ht as StackTerminationProtectionError, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackHasActiveImportsError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as RouteDiscoveryError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, xt as withErrorHandling, y as resolveExplicitPhysicalId, z as resolveApp } from "./deploy-engine-D4iGkZAC.js";
+import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as normalizeAwsError, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, ht as StackTerminationProtectionError, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackHasActiveImportsError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as RouteDiscoveryError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, xt as withErrorHandling, y as resolveExplicitPhysicalId, z as resolveApp } from "./deploy-engine-DEbogepd.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
@@ -423,6 +423,46 @@ function parseAllowUnsupportedPropertiesToken(value, previous) {
 	return [...previous ?? [], ...parsed];
 }
 const allowUnsupportedPropertiesOption = new Option("--allow-unsupported-properties <entries>", "Comma-separated <ResourceType>:<PropertyName> tokens to accept as silently dropped at deploy time. Escape hatch — the property will NOT be written to AWS, the deployed resource will be missing the field. Example: --allow-unsupported-properties AWS::Lambda::Function:LoggingConfig,AWS::RDS::DBInstance:CACertificateIdentifier").argParser(parseAllowUnsupportedPropertiesToken);
+/**
+* Issue [#615] — `--recreate-via-cc-api <LogicalId>` (repeatable). Each
+* named resource is destroyed + recreated this deploy via Cloud Control
+* API regardless of whether the existing state stamps it `sdk` or has
+* no `provisionedBy` field (legacy). The new physical id stamps
+* `provisionedBy: 'cc-api'` so all subsequent ops route via CC (sticky).
+*
+* Mirrors `--allow-unsupported-properties` per-resource explicit naming
+* (one flag-instance per logical id), but the argument is a single
+* logical id (no comma split — `MyLambda,Other` would be ambiguous
+* since logical ids do not embed commas anyway).
+*
+* Format-checks each logical id against CFn's `Logical IDs are
+* alphanumeric (A-Z, a-z, 0-9)` rule. A typo aborts at parse time so
+* an unmatched id is surfaced immediately rather than silently
+* skipped at deploy time.
+*/
+const LOGICAL_ID_FORMAT = /^[A-Za-z][A-Za-z0-9]{0,254}$/;
+function parseRecreateViaCcApiToken(value, previous) {
+	const token = value.trim();
+	if (!LOGICAL_ID_FORMAT.test(token)) throw new Error(`Invalid --recreate-via-cc-api value "${value}": expected a CloudFormation logical id (alphanumeric, starts with a letter, max 255 chars). One --recreate-via-cc-api flag per resource — repeat the flag for additional targets.`);
+	return [...previous ?? [], token];
+}
+const recreateViaCcApiOption = new Option("--recreate-via-cc-api <logicalId>", "Destroy + recreate the named resource (by CloudFormation logical id) via Cloud Control API in this deploy, so a top-level CFn property cdkd would otherwise silently drop reaches AWS via CC. Repeatable — pass the flag once per resource. Per-resource opt-in (no bulk / no per-stack shortcut) so the destroy-and-recreate cost is acknowledged for each target. Stateful resource types (RDS, DynamoDB, S3, EFS, ...) refuse unless --force-stateful-recreation is ALSO passed (two-flag protection). Cannot be combined with --allow-unsupported-properties on the same resource type and property.").argParser(parseRecreateViaCcApiToken);
+/**
+* Issue [#615] — `--force-stateful-recreation` (boolean) is the second
+* flag required to allow `--recreate-via-cc-api` to operate on a
+* stateful resource (RDS / DynamoDB / EFS / S3 with data / etc.). Two
+* flags so the user explicitly opts into the data-loss footgun.
+*
+* The guard list of "stateful" types lives in
+* `src/provisioning/stateful-types.ts` so it can be queried from both
+* the CLI pre-flight and the deploy engine.
+*
+* There is no per-resource granularity on the force flag — when set,
+* EVERY named recreate target bypasses the stateful guard. Per-resource
+* force would create a false sense of granularity (the user is opting
+* into a footgun; pretending to scope it per-resource is misleading).
+*/
+const forceStatefulRecreationOption = new Option("--force-stateful-recreation", "Bypass the stateful-resource guard for --recreate-via-cc-api targets. Required when ANY named target is a stateful type (RDS / DynamoDB / EFS / S3 with data / Logs with retention / Cognito / Secrets / SSM / Glue / ECR / CloudFront / Kinesis / OpenSearch). Destroy + recreate loses ALL data in the resource — no automatic data migration. Triple-opt-in for CI use: --recreate-via-cc-api <id> --force-stateful-recreation --yes.").default(false);
 const deployOptions = [
 	new Option("--concurrency <number>", "Maximum concurrent resource operations").default(10).argParser((value) => parseInt(value, 10)),
 	new Option("--stack-concurrency <number>", "Maximum concurrent stack deployments").default(4).argParser((value) => parseInt(value, 10)),
@@ -438,6 +478,8 @@ const deployOptions = [
 	new Option("-e, --exclusively", "Only deploy requested stacks, do not include dependencies").default(false),
 	allowUnsupportedTypesOption,
 	allowUnsupportedPropertiesOption,
+	recreateViaCcApiOption,
+	forceStatefulRecreationOption,
 	...resourceTimeoutOptions
 ];
 /**
@@ -883,6 +925,219 @@ function createListCommand() {
 	return cmd;
 }
 
+//#endregion
+//#region src/provisioning/stateful-types.ts
+/**
+* Stateful-resource guard list (issue [#615]).
+*
+* `--recreate-via-cc-api <LogicalId>` destroys + recreates the named
+* resource in one deploy so a previously-silent-dropped top-level CFn
+* property reaches AWS via Cloud Control API. For most types this is
+* safe — destroying + recreating an IAM Role or a Lambda Function
+* loses no user data — but for **data-bearing** types the destroy
+* cycle loses everything in the resource: rows in a DynamoDB table,
+* objects in an S3 bucket, log lines in a LogGroup, images in an ECR
+* repository, etc.
+*
+* To avoid an accidental data-loss footgun, cdkd refuses to recreate
+* any resource whose type is in {@link STATEFUL_TYPES} unless the user
+* ALSO passes `--force-stateful-recreation`. The two-flag protection
+* mirrors `--remove-protection`'s pattern (see
+* `src/cli/commands/destroy-runner.ts`).
+*
+* The list is hand-curated and intentionally **conservative**: every
+* type here carries user data that the AWS service does NOT
+* automatically migrate to the replacement resource. Types that the
+* AWS service treats as ephemeral (e.g. Lambda Function, IAM Role)
+* are NOT in this list — recreate is cheap.
+*
+* Two entries are **conditionally stateful** — they only count when
+* the resource actually contains data:
+*
+*   - `AWS::S3::Bucket`: empty buckets are safe to recreate. The
+*     deploy engine probes `s3:ListObjectsV2` at plan time and only
+*     refuses when the bucket has at least one object.
+*   - `AWS::Logs::LogGroup`: a log group with `RetentionInDays`
+*     undefined or zero is functionally ephemeral. The deploy engine
+*     refuses only when `RetentionInDays > 0`.
+*
+* Both conditional checks live in {@link isStatefulRecreateTarget};
+* the bare {@link STATEFUL_TYPES} set is the type-only first-cut.
+*/
+const STATEFUL_TYPES = new Set([
+	"AWS::RDS::DBInstance",
+	"AWS::RDS::DBCluster",
+	"AWS::DocDB::DBInstance",
+	"AWS::DocDB::DBCluster",
+	"AWS::Neptune::DBInstance",
+	"AWS::Neptune::DBCluster",
+	"AWS::DynamoDB::Table",
+	"AWS::DynamoDB::GlobalTable",
+	"AWS::EFS::FileSystem",
+	"AWS::S3::Bucket",
+	"AWS::ECR::Repository",
+	"AWS::Kinesis::Stream",
+	"AWS::Elasticsearch::Domain",
+	"AWS::OpenSearchService::Domain",
+	"AWS::Cognito::UserPool",
+	"AWS::SecretsManager::Secret",
+	"AWS::SSM::Parameter",
+	"AWS::Glue::Database",
+	"AWS::Glue::Table",
+	"AWS::Logs::LogGroup",
+	"AWS::CloudFront::Distribution"
+]);
+/**
+* Multi-region resource types — `--recreate-via-cc-api` refuses these
+* outright in v1 regardless of `--force-stateful-recreation`. Design
+* doc §8 calls these "out of scope": the destroy + recreate cycle
+* across replica regions is more involved than a single-region
+* destroy-and-create (replica regions, automated backups, eventual
+* consistency across the replication mesh, etc.).
+*
+* Distinct from {@link STATEFUL_TYPES} — STATEFUL_TYPES gates on data
+* loss (bypassable with `--force-stateful-recreation`); this set is
+* an out-of-scope refusal (no bypass).
+*/
+const MULTI_REGION_RECREATE_BLOCKED_TYPES = new Set(["AWS::DynamoDB::GlobalTable"]);
+/**
+* Cheap, synchronous read of the resource's recorded properties only.
+* For `AWS::S3::Bucket` this returns `null` — the live `ListObjectsV2`
+* probe to distinguish empty buckets (safe to recreate) from
+* non-empty (data loss) needs an S3 client + an AWS round-trip and is
+* deferred to a follow-up issue (v1 sync-defers; an `--force-stateful-
+* recreation` is recommended for any potentially-non-empty S3 target).
+*
+* Returns the {@link StatefulReason} when the type is stateful (or
+* `null` for non-stateful types).
+*/
+function isStatefulRecreateTargetSync(resourceType, recordedProperties) {
+	if (!STATEFUL_TYPES.has(resourceType)) return null;
+	if (resourceType === "AWS::Logs::LogGroup") {
+		const retention = recordedProperties?.["RetentionInDays"];
+		if (typeof retention === "number" && retention > 0) return "has-retention";
+		return null;
+	}
+	if (resourceType === "AWS::S3::Bucket") return null;
+	return "always";
+}
+/**
+* Human-readable rendering of {@link StatefulReason} for error
+* messages. Used by the pre-flight guard's "X resources require
+* --force-stateful-recreation" listing.
+*/
+function renderStatefulReason(reason) {
+	switch (reason) {
+		case "always": return "destroy loses all data in the resource";
+		case "has-objects": return "S3 bucket is non-empty";
+		case "has-retention": return "log group retains data (RetentionInDays > 0)";
+		case null: return "(not stateful)";
+	}
+}
+
+//#endregion
+//#region src/deployment/recreate-targets.ts
+/**
+* Plan-time validation of the user's recreate-via-cc-api list.
+*
+* Pure with respect to AWS — does NOT probe S3 bucket emptiness. The
+* S3 conditional check is deferred to a follow-up issue (the live
+* `s3:ListObjectsV2` probe is out of scope for v1).
+*
+* Input order is preserved; duplicate logical ids in the user's input
+* are deduplicated.
+*/
+const EMPTY_ALLOW_SET$1 = /* @__PURE__ */ new Set();
+function validateRecreateTargets(input) {
+	const seen = /* @__PURE__ */ new Set();
+	const targets = [];
+	const unknownLogicalIds = [];
+	const missingFromState = [];
+	const ambiguousIntent = [];
+	const blockedStatefulTargets = [];
+	const blockedMultiRegionTargets = [];
+	for (const logicalId of input.recreateViaCcApi) {
+		if (seen.has(logicalId)) continue;
+		seen.add(logicalId);
+		const templateResource = input.template.Resources?.[logicalId];
+		if (!templateResource) {
+			unknownLogicalIds.push(logicalId);
+			continue;
+		}
+		const recordedResource = input.state.resources[logicalId];
+		if (!recordedResource) {
+			missingFromState.push(logicalId);
+			continue;
+		}
+		const resourceType = recordedResource.resourceType;
+		const target = {
+			logicalId,
+			resourceType,
+			physicalId: recordedResource.physicalId,
+			statefulReason: isStatefulRecreateTargetSync(resourceType, recordedResource.properties)
+		};
+		targets.push(target);
+		if (MULTI_REGION_RECREATE_BLOCKED_TYPES.has(resourceType)) blockedMultiRegionTargets.push(target);
+		const actionableDrops = findActionableSilentDrops(resourceType, templateResource.Properties, EMPTY_ALLOW_SET$1);
+		for (const { property } of actionableDrops) {
+			const allowKey = `${resourceType}:${property}`;
+			if (input.allowUnsupportedProperties.has(allowKey)) ambiguousIntent.push({
+				logicalId,
+				resourceType,
+				property
+			});
+		}
+		if (target.statefulReason !== null && !input.forceStatefulRecreation) blockedStatefulTargets.push(target);
+	}
+	return {
+		targets,
+		unknownLogicalIds,
+		missingFromState,
+		ambiguousIntent,
+		blockedStatefulTargets,
+		blockedMultiRegionTargets
+	};
+}
+/**
+* Render the validation failures into a single multi-line error
+* message. Returns `null` when the validation was clean (no errors).
+* The deploy command throws this string as the message of a
+* `ProvisioningError` so the surface is `cdkd deploy` exit code 1
+* with the same shape as other pre-flight failures.
+*/
+function renderRecreateTargetsErrors(validation) {
+	const lines = [];
+	if (validation.unknownLogicalIds.length > 0) {
+		lines.push(`--recreate-via-cc-api named ${validation.unknownLogicalIds.length} logical id(s) not present in the synth template:`);
+		for (const id of validation.unknownLogicalIds) lines.push(`  - ${id}`);
+		lines.push("  Fix: confirm each id exists in the template (CDK display path is the parent; the logical id is the CFn-emitted name, e.g. cdkd synth | jq '.Resources | keys'). Recreate operates on the synth template's logical ids, not CDK display paths.");
+	}
+	if (validation.missingFromState.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-cc-api named ${validation.missingFromState.length} logical id(s) the template declares but cdkd state has no record of:`);
+		for (const id of validation.missingFromState) lines.push(`  - ${id}`);
+		lines.push("  These are fresh CREATEs on the next deploy — recreate has nothing to destroy first. Remove the --recreate-via-cc-api flag for these resources; the new auto-route via Cloud Control (#614) handles fresh deploys.");
+	}
+	if (validation.ambiguousIntent.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`Ambiguous intent — ${validation.ambiguousIntent.length} resource(s) are named in BOTH --recreate-via-cc-api and --allow-unsupported-properties with the same Type:Prop on a silent-drop property the template uses:`);
+		for (const overlap of validation.ambiguousIntent) lines.push(`  - ${overlap.logicalId} (${overlap.resourceType}) — both --recreate-via-cc-api ${overlap.logicalId} (would migrate to CC, honoring ${overlap.property}) AND --allow-unsupported-properties ${overlap.resourceType}:${overlap.property} (would keep on SDK, accepting silent drop)`);
+		lines.push(`  Fix: pick ONE strategy per resource.`);
+	}
+	if (validation.blockedStatefulTargets.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-cc-api would destroy + recreate ${validation.blockedStatefulTargets.length} stateful resource(s). Recreate loses ALL data — no automatic data migration. Re-run with --force-stateful-recreation to acknowledge the data-loss footgun.`);
+		for (const blocked of validation.blockedStatefulTargets) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType}) — ${renderStatefulReason(blocked.statefulReason)}`);
+	}
+	if (validation.blockedMultiRegionTargets.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-cc-api refuses to operate on ${validation.blockedMultiRegionTargets.length} multi-region resource(s) — out of scope for v1 of this flag (the destroy + recreate cycle across replica regions is more involved than the single-region path):`);
+		for (const blocked of validation.blockedMultiRegionTargets) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType})`);
+		lines.push("  No --force-stateful-recreation bypass — this category is structurally unsupported in v1. File an issue if you need this path.");
+	}
+	return lines.length > 0 ? lines.join("\n") : null;
+}
+
 //#endregion
 //#region src/state/export-index-store.ts
 /**
@@ -33339,10 +33594,40 @@ async function deployCommand(stacks, options) {
 						if (!await promptMigrationConfirm(pending, { yes: options.yes })) return;
 					}
 				}
+				let recreateViaCcApiTargets;
+				if (options.recreateViaCcApi?.length) {
+					const stateForRecreateCheck = await stackStateBackend.getState(stackInfo.stackName, stackRegion);
+					const validation = validateRecreateTargets({
+						template: stackInfo.template,
+						state: stateForRecreateCheck?.state ?? {
+							version: 7,
+							stackName: stackInfo.stackName,
+							region: stackRegion,
+							resources: {},
+							outputs: {},
+							lastModified: Date.now()
+						},
+						recreateViaCcApi: options.recreateViaCcApi,
+						allowUnsupportedProperties: new Set(options.allowUnsupportedProperties ?? []),
+						forceStatefulRecreation: options.forceStatefulRecreation ?? false
+					});
+					const errorBlock = renderRecreateTargetsErrors(validation);
+					if (errorBlock) throw new CdkdError(errorBlock, "RECREATE_VIA_CC_API_INVALID");
+					recreateViaCcApiTargets = new Set(validation.targets.map((t) => t.logicalId));
+					if (recreateViaCcApiTargets.size > 0) {
+						logger.warn(`--recreate-via-cc-api will destroy + recreate ${recreateViaCcApiTargets.size} resource(s) via Cloud Control API on stack ${stackInfo.stackName}:`);
+						for (const t of validation.targets) {
+							const stateNote = t.statefulReason !== null ? ` ⚠ stateful (${t.statefulReason}) — --force-stateful-recreation acknowledged` : "";
+							logger.warn(`  - ${t.logicalId} (${t.resourceType})${stateNote}`);
+						}
+						logger.warn("  The destroy + recreate cycle is per-resource; sibling resources are unaffected. Downstream consumers of any recreated resource's outputs (Fn::GetStackOutput / Fn::ImportValue) will need a re-deploy to see the new physical id.");
+					}
+				}
 				const deployEngineOptions = {
 					concurrency: options.concurrency,
 					dryRun: options.dryRun,
 					noRollback: !options.rollback,
+					...recreateViaCcApiTargets && recreateViaCcApiTargets.size > 0 && { recreateViaCcApiTargets },
 					captureObservedState: resolveCaptureObservedState(options.captureObservedState),
 					...options.resourceWarnAfter?.globalMs !== void 0 && { resourceWarnAfterMs: options.resourceWarnAfter.globalMs },
 					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
@@ -47040,6 +47325,7 @@ function discoverFunctionUrl(logicalId, resource, template, stackName) {
 		apiVersion: "v2",
 		stage: "$default",
 		apiStackName: stackName,
+		apiLogicalId: logicalId,
 		...lambdaCdkPath !== void 0 && { apiCdkPath: lambdaCdkPath },
 		declaredAt: `${stackName}/${logicalId}`
 	};
@@ -50800,17 +51086,32 @@ function isPlaceholder(segment) {
 //#endregion
 //#region src/local/cors-handler.ts
 /**
-* Build a `apiLogicalId → CorsConfig | undefined` map. Walks the
-* template once, picks every `AWS::ApiGatewayV2::Api`, and extracts its
-* `Properties.CorsConfiguration` if any. APIs without CorsConfiguration
-* (or whose CorsConfiguration is malformed) are NOT entered into the map.
+* Build a `logicalId → CorsConfig | undefined` map. Walks the template
+* once and picks two CORS-bearing resource types:
+*
+*   - `AWS::ApiGatewayV2::Api` → `Properties.CorsConfiguration`
+*     (HTTP API v2; the original PR 8c surface)
+*   - `AWS::Lambda::Url` → `Properties.Cors` (Function URL; issue #644)
+*
+* Both blocks are field-for-field identical in CFn schema (same
+* `AllowOrigins` / `AllowMethods` / `AllowHeaders` / `ExposeHeaders` /
+* `MaxAge` / `AllowCredentials`), so a single parser handles both. The
+* map key is the resource's own logical ID — that ID is later looked up
+* against `DiscoveredRoute.apiLogicalId` (set to the surface-bearing
+* resource at route-discovery time) so the preflight interceptor finds
+* the right config.
+*
+* Resources without a CORS block (or whose block is malformed) are NOT
+* entered into the map.
 */
 function buildCorsConfigByApiId(template) {
 	const out = /* @__PURE__ */ new Map();
 	const resources = template.Resources ?? {};
 	for (const [logicalId, resource] of Object.entries(resources)) {
-		if (resource.Type !== "AWS::ApiGatewayV2::Api") continue;
-		const raw = (resource.Properties ?? {})["CorsConfiguration"];
+		let raw;
+		if (resource.Type === "AWS::ApiGatewayV2::Api") raw = (resource.Properties ?? {})["CorsConfiguration"];
+		else if (resource.Type === "AWS::Lambda::Url") raw = (resource.Properties ?? {})["Cors"];
+		else continue;
 		if (!raw || typeof raw !== "object" || Array.isArray(raw)) continue;
 		const parsed = parseCorsConfiguration(raw);
 		if (parsed) out.set(logicalId, parsed);
@@ -59764,7 +60065,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.161.3");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());