@go-to-k/cdkd 0.161.4 → 0.162.1

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as normalizeAwsError, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, ht as StackTerminationProtectionError, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackHasActiveImportsError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as RouteDiscoveryError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, xt as withErrorHandling, y as resolveExplicitPhysicalId, z as resolveApp } from "./deploy-engine-D4iGkZAC.js";
+import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as normalizeAwsError, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, ht as StackTerminationProtectionError, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackHasActiveImportsError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as RouteDiscoveryError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, xt as withErrorHandling, y as resolveExplicitPhysicalId, z as resolveApp } from "./deploy-engine-DEbogepd.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
@@ -423,6 +423,46 @@ function parseAllowUnsupportedPropertiesToken(value, previous) {
 	return [...previous ?? [], ...parsed];
 }
 const allowUnsupportedPropertiesOption = new Option("--allow-unsupported-properties <entries>", "Comma-separated <ResourceType>:<PropertyName> tokens to accept as silently dropped at deploy time. Escape hatch — the property will NOT be written to AWS, the deployed resource will be missing the field. Example: --allow-unsupported-properties AWS::Lambda::Function:LoggingConfig,AWS::RDS::DBInstance:CACertificateIdentifier").argParser(parseAllowUnsupportedPropertiesToken);
+/**
+* Issue [#615] — `--recreate-via-cc-api <LogicalId>` (repeatable). Each
+* named resource is destroyed + recreated this deploy via Cloud Control
+* API regardless of whether the existing state stamps it `sdk` or has
+* no `provisionedBy` field (legacy). The new physical id stamps
+* `provisionedBy: 'cc-api'` so all subsequent ops route via CC (sticky).
+*
+* Mirrors `--allow-unsupported-properties` per-resource explicit naming
+* (one flag-instance per logical id), but the argument is a single
+* logical id (no comma split — `MyLambda,Other` would be ambiguous
+* since logical ids do not embed commas anyway).
+*
+* Format-checks each logical id against CFn's `Logical IDs are
+* alphanumeric (A-Z, a-z, 0-9)` rule. A typo aborts at parse time so
+* an unmatched id is surfaced immediately rather than silently
+* skipped at deploy time.
+*/
+const LOGICAL_ID_FORMAT = /^[A-Za-z][A-Za-z0-9]{0,254}$/;
+function parseRecreateViaCcApiToken(value, previous) {
+	const token = value.trim();
+	if (!LOGICAL_ID_FORMAT.test(token)) throw new Error(`Invalid --recreate-via-cc-api value "${value}": expected a CloudFormation logical id (alphanumeric, starts with a letter, max 255 chars). One --recreate-via-cc-api flag per resource — repeat the flag for additional targets.`);
+	return [...previous ?? [], token];
+}
+const recreateViaCcApiOption = new Option("--recreate-via-cc-api <logicalId>", "Destroy + recreate the named resource (by CloudFormation logical id) via Cloud Control API in this deploy, so a top-level CFn property cdkd would otherwise silently drop reaches AWS via CC. Repeatable — pass the flag once per resource. Per-resource opt-in (no bulk / no per-stack shortcut) so the destroy-and-recreate cost is acknowledged for each target. Stateful resource types (RDS, DynamoDB, S3, EFS, ...) refuse unless --force-stateful-recreation is ALSO passed (two-flag protection). Cannot be combined with --allow-unsupported-properties on the same resource type and property.").argParser(parseRecreateViaCcApiToken);
+/**
+* Issue [#615] — `--force-stateful-recreation` (boolean) is the second
+* flag required to allow `--recreate-via-cc-api` to operate on a
+* stateful resource (RDS / DynamoDB / EFS / S3 with data / etc.). Two
+* flags so the user explicitly opts into the data-loss footgun.
+*
+* The guard list of "stateful" types lives in
+* `src/provisioning/stateful-types.ts` so it can be queried from both
+* the CLI pre-flight and the deploy engine.
+*
+* There is no per-resource granularity on the force flag — when set,
+* EVERY named recreate target bypasses the stateful guard. Per-resource
+* force would create a false sense of granularity (the user is opting
+* into a footgun; pretending to scope it per-resource is misleading).
+*/
+const forceStatefulRecreationOption = new Option("--force-stateful-recreation", "Bypass the stateful-resource guard for --recreate-via-cc-api targets. Required when ANY named target is a stateful type (RDS / DynamoDB / EFS / S3 with data / Logs with retention / Cognito / Secrets / SSM / Glue / ECR / CloudFront / Kinesis / OpenSearch). Destroy + recreate loses ALL data in the resource — no automatic data migration. Triple-opt-in for CI use: --recreate-via-cc-api <id> --force-stateful-recreation --yes.").default(false);
 const deployOptions = [
 	new Option("--concurrency <number>", "Maximum concurrent resource operations").default(10).argParser((value) => parseInt(value, 10)),
 	new Option("--stack-concurrency <number>", "Maximum concurrent stack deployments").default(4).argParser((value) => parseInt(value, 10)),
@@ -438,6 +478,8 @@ const deployOptions = [
 	new Option("-e, --exclusively", "Only deploy requested stacks, do not include dependencies").default(false),
 	allowUnsupportedTypesOption,
 	allowUnsupportedPropertiesOption,
+	recreateViaCcApiOption,
+	forceStatefulRecreationOption,
 	...resourceTimeoutOptions
 ];
 /**
@@ -883,6 +925,219 @@ function createListCommand() {
 	return cmd;
 }
 
+//#endregion
+//#region src/provisioning/stateful-types.ts
+/**
+* Stateful-resource guard list (issue [#615]).
+*
+* `--recreate-via-cc-api <LogicalId>` destroys + recreates the named
+* resource in one deploy so a previously-silent-dropped top-level CFn
+* property reaches AWS via Cloud Control API. For most types this is
+* safe — destroying + recreating an IAM Role or a Lambda Function
+* loses no user data — but for **data-bearing** types the destroy
+* cycle loses everything in the resource: rows in a DynamoDB table,
+* objects in an S3 bucket, log lines in a LogGroup, images in an ECR
+* repository, etc.
+*
+* To avoid an accidental data-loss footgun, cdkd refuses to recreate
+* any resource whose type is in {@link STATEFUL_TYPES} unless the user
+* ALSO passes `--force-stateful-recreation`. The two-flag protection
+* mirrors `--remove-protection`'s pattern (see
+* `src/cli/commands/destroy-runner.ts`).
+*
+* The list is hand-curated and intentionally **conservative**: every
+* type here carries user data that the AWS service does NOT
+* automatically migrate to the replacement resource. Types that the
+* AWS service treats as ephemeral (e.g. Lambda Function, IAM Role)
+* are NOT in this list — recreate is cheap.
+*
+* Two entries are **conditionally stateful** — they only count when
+* the resource actually contains data:
+*
+*   - `AWS::S3::Bucket`: empty buckets are safe to recreate. The
+*     deploy engine probes `s3:ListObjectsV2` at plan time and only
+*     refuses when the bucket has at least one object.
+*   - `AWS::Logs::LogGroup`: a log group with `RetentionInDays`
+*     undefined or zero is functionally ephemeral. The deploy engine
+*     refuses only when `RetentionInDays > 0`.
+*
+* Both conditional checks live in {@link isStatefulRecreateTarget};
+* the bare {@link STATEFUL_TYPES} set is the type-only first-cut.
+*/
+const STATEFUL_TYPES = new Set([
+	"AWS::RDS::DBInstance",
+	"AWS::RDS::DBCluster",
+	"AWS::DocDB::DBInstance",
+	"AWS::DocDB::DBCluster",
+	"AWS::Neptune::DBInstance",
+	"AWS::Neptune::DBCluster",
+	"AWS::DynamoDB::Table",
+	"AWS::DynamoDB::GlobalTable",
+	"AWS::EFS::FileSystem",
+	"AWS::S3::Bucket",
+	"AWS::ECR::Repository",
+	"AWS::Kinesis::Stream",
+	"AWS::Elasticsearch::Domain",
+	"AWS::OpenSearchService::Domain",
+	"AWS::Cognito::UserPool",
+	"AWS::SecretsManager::Secret",
+	"AWS::SSM::Parameter",
+	"AWS::Glue::Database",
+	"AWS::Glue::Table",
+	"AWS::Logs::LogGroup",
+	"AWS::CloudFront::Distribution"
+]);
+/**
+* Multi-region resource types — `--recreate-via-cc-api` refuses these
+* outright in v1 regardless of `--force-stateful-recreation`. Design
+* doc §8 calls these "out of scope": the destroy + recreate cycle
+* across replica regions is more involved than a single-region
+* destroy-and-create (replica regions, automated backups, eventual
+* consistency across the replication mesh, etc.).
+*
+* Distinct from {@link STATEFUL_TYPES} — STATEFUL_TYPES gates on data
+* loss (bypassable with `--force-stateful-recreation`); this set is
+* an out-of-scope refusal (no bypass).
+*/
+const MULTI_REGION_RECREATE_BLOCKED_TYPES = new Set(["AWS::DynamoDB::GlobalTable"]);
+/**
+* Cheap, synchronous read of the resource's recorded properties only.
+* For `AWS::S3::Bucket` this returns `null` — the live `ListObjectsV2`
+* probe to distinguish empty buckets (safe to recreate) from
+* non-empty (data loss) needs an S3 client + an AWS round-trip and is
+* deferred to a follow-up issue (v1 sync-defers; an `--force-stateful-
+* recreation` is recommended for any potentially-non-empty S3 target).
+*
+* Returns the {@link StatefulReason} when the type is stateful (or
+* `null` for non-stateful types).
+*/
+function isStatefulRecreateTargetSync(resourceType, recordedProperties) {
+	if (!STATEFUL_TYPES.has(resourceType)) return null;
+	if (resourceType === "AWS::Logs::LogGroup") {
+		const retention = recordedProperties?.["RetentionInDays"];
+		if (typeof retention === "number" && retention > 0) return "has-retention";
+		return null;
+	}
+	if (resourceType === "AWS::S3::Bucket") return null;
+	return "always";
+}
+/**
+* Human-readable rendering of {@link StatefulReason} for error
+* messages. Used by the pre-flight guard's "X resources require
+* --force-stateful-recreation" listing.
+*/
+function renderStatefulReason(reason) {
+	switch (reason) {
+		case "always": return "destroy loses all data in the resource";
+		case "has-objects": return "S3 bucket is non-empty";
+		case "has-retention": return "log group retains data (RetentionInDays > 0)";
+		case null: return "(not stateful)";
+	}
+}
+
+//#endregion
+//#region src/deployment/recreate-targets.ts
+/**
+* Plan-time validation of the user's recreate-via-cc-api list.
+*
+* Pure with respect to AWS — does NOT probe S3 bucket emptiness. The
+* S3 conditional check is deferred to a follow-up issue (the live
+* `s3:ListObjectsV2` probe is out of scope for v1).
+*
+* Input order is preserved; duplicate logical ids in the user's input
+* are deduplicated.
+*/
+const EMPTY_ALLOW_SET$1 = /* @__PURE__ */ new Set();
+function validateRecreateTargets(input) {
+	const seen = /* @__PURE__ */ new Set();
+	const targets = [];
+	const unknownLogicalIds = [];
+	const missingFromState = [];
+	const ambiguousIntent = [];
+	const blockedStatefulTargets = [];
+	const blockedMultiRegionTargets = [];
+	for (const logicalId of input.recreateViaCcApi) {
+		if (seen.has(logicalId)) continue;
+		seen.add(logicalId);
+		const templateResource = input.template.Resources?.[logicalId];
+		if (!templateResource) {
+			unknownLogicalIds.push(logicalId);
+			continue;
+		}
+		const recordedResource = input.state.resources[logicalId];
+		if (!recordedResource) {
+			missingFromState.push(logicalId);
+			continue;
+		}
+		const resourceType = recordedResource.resourceType;
+		const target = {
+			logicalId,
+			resourceType,
+			physicalId: recordedResource.physicalId,
+			statefulReason: isStatefulRecreateTargetSync(resourceType, recordedResource.properties)
+		};
+		targets.push(target);
+		if (MULTI_REGION_RECREATE_BLOCKED_TYPES.has(resourceType)) blockedMultiRegionTargets.push(target);
+		const actionableDrops = findActionableSilentDrops(resourceType, templateResource.Properties, EMPTY_ALLOW_SET$1);
+		for (const { property } of actionableDrops) {
+			const allowKey = `${resourceType}:${property}`;
+			if (input.allowUnsupportedProperties.has(allowKey)) ambiguousIntent.push({
+				logicalId,
+				resourceType,
+				property
+			});
+		}
+		if (target.statefulReason !== null && !input.forceStatefulRecreation) blockedStatefulTargets.push(target);
+	}
+	return {
+		targets,
+		unknownLogicalIds,
+		missingFromState,
+		ambiguousIntent,
+		blockedStatefulTargets,
+		blockedMultiRegionTargets
+	};
+}
+/**
+* Render the validation failures into a single multi-line error
+* message. Returns `null` when the validation was clean (no errors).
+* The deploy command throws this string as the message of a
+* `ProvisioningError` so the surface is `cdkd deploy` exit code 1
+* with the same shape as other pre-flight failures.
+*/
+function renderRecreateTargetsErrors(validation) {
+	const lines = [];
+	if (validation.unknownLogicalIds.length > 0) {
+		lines.push(`--recreate-via-cc-api named ${validation.unknownLogicalIds.length} logical id(s) not present in the synth template:`);
+		for (const id of validation.unknownLogicalIds) lines.push(`  - ${id}`);
+		lines.push("  Fix: confirm each id exists in the template (CDK display path is the parent; the logical id is the CFn-emitted name, e.g. cdkd synth | jq '.Resources | keys'). Recreate operates on the synth template's logical ids, not CDK display paths.");
+	}
+	if (validation.missingFromState.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-cc-api named ${validation.missingFromState.length} logical id(s) the template declares but cdkd state has no record of:`);
+		for (const id of validation.missingFromState) lines.push(`  - ${id}`);
+		lines.push("  These are fresh CREATEs on the next deploy — recreate has nothing to destroy first. Remove the --recreate-via-cc-api flag for these resources; the new auto-route via Cloud Control (#614) handles fresh deploys.");
+	}
+	if (validation.ambiguousIntent.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`Ambiguous intent — ${validation.ambiguousIntent.length} resource(s) are named in BOTH --recreate-via-cc-api and --allow-unsupported-properties with the same Type:Prop on a silent-drop property the template uses:`);
+		for (const overlap of validation.ambiguousIntent) lines.push(`  - ${overlap.logicalId} (${overlap.resourceType}) — both --recreate-via-cc-api ${overlap.logicalId} (would migrate to CC, honoring ${overlap.property}) AND --allow-unsupported-properties ${overlap.resourceType}:${overlap.property} (would keep on SDK, accepting silent drop)`);
+		lines.push(`  Fix: pick ONE strategy per resource.`);
+	}
+	if (validation.blockedStatefulTargets.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-cc-api would destroy + recreate ${validation.blockedStatefulTargets.length} stateful resource(s). Recreate loses ALL data — no automatic data migration. Re-run with --force-stateful-recreation to acknowledge the data-loss footgun.`);
+		for (const blocked of validation.blockedStatefulTargets) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType}) — ${renderStatefulReason(blocked.statefulReason)}`);
+	}
+	if (validation.blockedMultiRegionTargets.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-cc-api refuses to operate on ${validation.blockedMultiRegionTargets.length} multi-region resource(s) — out of scope for v1 of this flag (the destroy + recreate cycle across replica regions is more involved than the single-region path):`);
+		for (const blocked of validation.blockedMultiRegionTargets) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType})`);
+		lines.push("  No --force-stateful-recreation bypass — this category is structurally unsupported in v1. File an issue if you need this path.");
+	}
+	return lines.length > 0 ? lines.join("\n") : null;
+}
+
 //#endregion
 //#region src/state/export-index-store.ts
 /**
@@ -33339,10 +33594,40 @@ async function deployCommand(stacks, options) {
 						if (!await promptMigrationConfirm(pending, { yes: options.yes })) return;
 					}
 				}
+				let recreateViaCcApiTargets;
+				if (options.recreateViaCcApi?.length) {
+					const stateForRecreateCheck = await stackStateBackend.getState(stackInfo.stackName, stackRegion);
+					const validation = validateRecreateTargets({
+						template: stackInfo.template,
+						state: stateForRecreateCheck?.state ?? {
+							version: 7,
+							stackName: stackInfo.stackName,
+							region: stackRegion,
+							resources: {},
+							outputs: {},
+							lastModified: Date.now()
+						},
+						recreateViaCcApi: options.recreateViaCcApi,
+						allowUnsupportedProperties: new Set(options.allowUnsupportedProperties ?? []),
+						forceStatefulRecreation: options.forceStatefulRecreation ?? false
+					});
+					const errorBlock = renderRecreateTargetsErrors(validation);
+					if (errorBlock) throw new CdkdError(errorBlock, "RECREATE_VIA_CC_API_INVALID");
+					recreateViaCcApiTargets = new Set(validation.targets.map((t) => t.logicalId));
+					if (recreateViaCcApiTargets.size > 0) {
+						logger.warn(`--recreate-via-cc-api will destroy + recreate ${recreateViaCcApiTargets.size} resource(s) via Cloud Control API on stack ${stackInfo.stackName}:`);
+						for (const t of validation.targets) {
+							const stateNote = t.statefulReason !== null ? ` ⚠ stateful (${t.statefulReason}) — --force-stateful-recreation acknowledged` : "";
+							logger.warn(`  - ${t.logicalId} (${t.resourceType})${stateNote}`);
+						}
+						logger.warn("  The destroy + recreate cycle is per-resource; sibling resources are unaffected. Downstream consumers of any recreated resource's outputs (Fn::GetStackOutput / Fn::ImportValue) will need a re-deploy to see the new physical id.");
+					}
+				}
 				const deployEngineOptions = {
 					concurrency: options.concurrency,
 					dryRun: options.dryRun,
 					noRollback: !options.rollback,
+					...recreateViaCcApiTargets && recreateViaCcApiTargets.size > 0 && { recreateViaCcApiTargets },
 					captureObservedState: resolveCaptureObservedState(options.captureObservedState),
 					...options.resourceWarnAfter?.globalMs !== void 0 && { resourceWarnAfterMs: options.resourceWarnAfter.globalMs },
 					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
@@ -50868,6 +51153,140 @@ function pickStringArray(value) {
 	return out;
 }
 /**
+* Build a `fnUrlLogicalId → CorsConfig` map by tracing CloudFront →
+* Function URL chains in the template (issue #646).
+*
+* Production-correct CDK pattern: Function URL fronted by a CloudFront
+* Distribution where CORS is declared on the CloudFront
+* `ResponseHeadersPolicy` (NOT on the Function URL itself). Without this
+* helper, `cdkd local start-api` sees `Cors: null` on the Function URL
+* and emits no preflight headers — even though the CDK code correctly
+* declares the allowed origins on the CloudFront side.
+*
+* Detection: an `AWS::CloudFront::Distribution` whose `Origins[].DomainName`
+* matches the canonical CDK 2.x shape
+* `Fn::Select[2, Fn::Split['/', Fn::GetAtt[<FnUrlLogicalId>, 'FunctionUrl']]]`
+* is the chain marker. For each such origin, we walk every cache behavior
+* (`DefaultCacheBehavior` + `CacheBehaviors[]`), resolve their
+* `ResponseHeadersPolicyId: { Ref: <RhpLogicalId> }` to the
+* `AWS::CloudFront::ResponseHeadersPolicy` resource, and extract its
+* `Properties.ResponseHeadersPolicyConfig.CorsConfig`.
+*
+* Schema mapping (CloudFront → internal `CorsConfig`):
+*
+*   AccessControlAllowOrigins.Items  → AllowOrigins
+*   AccessControlAllowMethods.Items  → AllowMethods
+*   AccessControlAllowHeaders.Items  → AllowHeaders
+*   AccessControlExposeHeaders.Items → ExposeHeaders
+*   AccessControlMaxAgeSec           → MaxAge
+*   AccessControlAllowCredentials    → AllowCredentials
+*   (OriginOverride is ignored — cdkd has only one config slot)
+*
+* Multiple distributions fronting the same Function URL: last write
+* wins (rare in practice). Per-path CORS via `CacheBehaviors[]` is
+* NOT supported in v1 — the `DefaultCacheBehavior`'s policy applies
+* to all paths.
+*/
+function buildCorsConfigFromCloudFrontChain(template) {
+	const out = /* @__PURE__ */ new Map();
+	const resources = template.Resources ?? {};
+	for (const [, resource] of Object.entries(resources)) {
+		if (resource.Type !== "AWS::CloudFront::Distribution") continue;
+		const distConfig = (resource.Properties ?? {})["DistributionConfig"];
+		if (!distConfig || typeof distConfig !== "object") continue;
+		const dc = distConfig;
+		const origins = Array.isArray(dc["Origins"]) ? dc["Origins"] : [];
+		for (const origin of origins) {
+			if (!origin || typeof origin !== "object") continue;
+			const fnUrlLogicalId = pickFnUrlLogicalIdFromOriginDomainName(origin["DomainName"]);
+			if (!fnUrlLogicalId) continue;
+			const cacheBehaviors = [dc["DefaultCacheBehavior"], ...Array.isArray(dc["CacheBehaviors"]) ? dc["CacheBehaviors"] : []];
+			for (const behavior of cacheBehaviors) {
+				if (!behavior || typeof behavior !== "object") continue;
+				const rhpId = pickRhpRefLogicalId(behavior["ResponseHeadersPolicyId"]);
+				if (!rhpId) continue;
+				const rhpResource = resources[rhpId];
+				if (!rhpResource || rhpResource.Type !== "AWS::CloudFront::ResponseHeadersPolicy") continue;
+				const rhpConfig = (rhpResource.Properties ?? {})["ResponseHeadersPolicyConfig"];
+				if (!rhpConfig || typeof rhpConfig !== "object") continue;
+				const corsConfig = rhpConfig["CorsConfig"];
+				if (!corsConfig || typeof corsConfig !== "object" || Array.isArray(corsConfig)) continue;
+				const parsed = parseCloudFrontCorsConfig(corsConfig);
+				if (parsed) out.set(fnUrlLogicalId, parsed);
+			}
+		}
+	}
+	return out;
+}
+/**
+* Detect the canonical CDK 2.x `DomainName` shape that points a
+* CloudFront Origin at a Function URL:
+*   {Fn::Select: [2, {Fn::Split: ['/', {Fn::GetAtt: [<id>, 'FunctionUrl']}]}]}
+* Returns the Function URL's logical ID, or undefined if the shape
+* doesn't match.
+*/
+function pickFnUrlLogicalIdFromOriginDomainName(value) {
+	if (!value || typeof value !== "object") return void 0;
+	const sel = value["Fn::Select"];
+	if (!Array.isArray(sel) || sel.length !== 2 || sel[0] !== 2) return void 0;
+	const split = sel[1];
+	if (!split || typeof split !== "object") return void 0;
+	const splitArgs = split["Fn::Split"];
+	if (!Array.isArray(splitArgs) || splitArgs.length !== 2 || splitArgs[0] !== "/") return void 0;
+	const getAtt = splitArgs[1];
+	if (!getAtt || typeof getAtt !== "object") return void 0;
+	const ga = getAtt["Fn::GetAtt"];
+	if (!Array.isArray(ga) || ga.length !== 2 || typeof ga[0] !== "string" || ga[1] !== "FunctionUrl") return;
+	return ga[0];
+}
+/**
+* Unwrap a `ResponseHeadersPolicyId` value to its referenced logical
+* ID. CDK 2.x synthesizes this as `{ Ref: <id> }`. Returns undefined
+* for the AWS-managed-policy ID form (literal UUID string) since
+* cdkd can't fetch those — and for any non-Ref shape.
+*/
+function pickRhpRefLogicalId(value) {
+	if (!value || typeof value !== "object") return void 0;
+	const ref = value["Ref"];
+	if (typeof ref !== "string" || ref.length === 0) return void 0;
+	return ref;
+}
+/**
+* Parse a CloudFront `ResponseHeadersPolicyConfig.CorsConfig` block
+* into the internal `CorsConfig` shape. Schema differs from Function
+* URL / HTTP API v2 (`AccessControl*` prefix + nested `Items` wrapper);
+* see `buildCorsConfigFromCloudFrontChain` JSDoc for the field mapping.
+*
+* Returns undefined when every value-bearing field is missing.
+*/
+function parseCloudFrontCorsConfig(raw) {
+	const allowOrigins = pickItemsStringArray(raw["AccessControlAllowOrigins"]);
+	const allowMethods = pickItemsStringArray(raw["AccessControlAllowMethods"]);
+	const allowHeaders = pickItemsStringArray(raw["AccessControlAllowHeaders"]);
+	const exposeHeaders = pickItemsStringArray(raw["AccessControlExposeHeaders"]);
+	const maxAgeRaw = raw["AccessControlMaxAgeSec"];
+	const allowCreds = raw["AccessControlAllowCredentials"];
+	if (allowOrigins.length === 0 && allowMethods.length === 0 && allowHeaders.length === 0 && exposeHeaders.length === 0 && maxAgeRaw === void 0 && allowCreds === void 0) return;
+	const config = {
+		AllowOrigins: allowOrigins,
+		AllowMethods: allowMethods,
+		AllowHeaders: allowHeaders,
+		ExposeHeaders: exposeHeaders
+	};
+	if (typeof maxAgeRaw === "number" && Number.isFinite(maxAgeRaw)) config.MaxAge = Math.trunc(maxAgeRaw);
+	if (typeof allowCreds === "boolean") config.AllowCredentials = allowCreds;
+	return config;
+}
+/**
+* CloudFront `AccessControl*Origins/Methods/Headers` use a nested
+* `Items: string[]` wrapper. Unwrap to a plain `string[]`.
+*/
+function pickItemsStringArray(value) {
+	if (!value || typeof value !== "object") return [];
+	const items = value["Items"];
+	return pickStringArray(items);
+}
+/**
 * Try to match an OPTIONS preflight request against the given CORS
 * config. Returns the canonical response when every check passes;
 * `null` when the request didn't satisfy AllowOrigins / AllowMethods /
@@ -54243,8 +54662,10 @@ async function localStartApiCommand(target, options) {
 		}
 		const corsConfigByApiId = /* @__PURE__ */ new Map();
 		for (const stack of targetStacks) {
-			const m = buildCorsConfigByApiId(stack.template);
-			for (const [k, v] of m) corsConfigByApiId.set(k, v);
+			const fromCloudFront = buildCorsConfigFromCloudFrontChain(stack.template);
+			for (const [k, v] of fromCloudFront) corsConfigByApiId.set(k, v);
+			const direct = buildCorsConfigByApiId(stack.template);
+			for (const [k, v] of direct) corsConfigByApiId.set(k, v);
 		}
 		const stateByStack = options.fromState || isCfnFlagPresent(options) ? await loadStateForRoutedStacks(targetStacks, routes, routesWithAuth, options) : /* @__PURE__ */ new Map();
 		const lambdaIds = uniqueLambdaIds(routes, routesWithAuth, webSocketApis);
@@ -59780,7 +60201,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.161.4");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.162.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());