@go-to-k/cdkd 0.165.0 → 0.166.1

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as normalizeAwsError, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, ht as StackTerminationProtectionError, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackHasActiveImportsError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as RouteDiscoveryError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, xt as withErrorHandling, y as resolveExplicitPhysicalId, z as resolveApp } from "./deploy-engine-DEbogepd.js";
+import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as normalizeAwsError, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, ht as StackTerminationProtectionError, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackHasActiveImportsError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as RouteDiscoveryError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, xt as withErrorHandling, y as resolveExplicitPhysicalId, z as resolveApp } from "./deploy-engine-BQkk03hJ.js";
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { createHash, createHmac, createPublicKey, createVerify, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
@@ -449,6 +449,27 @@ function parseRecreateViaCcApiToken(value, previous) {
 }
 const recreateViaCcApiOption = new Option("--recreate-via-cc-api <logicalId>", "Destroy + recreate the named resource (by CloudFormation logical id) via Cloud Control API in this deploy, so a top-level CFn property cdkd would otherwise silently drop reaches AWS via CC. Repeatable — pass the flag once per resource. Per-resource opt-in (no bulk / no per-stack shortcut) so the destroy-and-recreate cost is acknowledged for each target. Stateful resource types (RDS, DynamoDB, S3, EFS, ...) refuse unless --force-stateful-recreation is ALSO passed (two-flag protection). Cannot be combined with --allow-unsupported-properties on the same resource type and property.").argParser(parseRecreateViaCcApiToken);
 /**
+* Issue [#651] — `--recreate-via-sdk-provider <LogicalId>` is the reverse
+* direction of `--recreate-via-cc-api`. Once a resource is sticky on
+* `provisionedBy: 'cc-api'` (e.g. after a #615 SDK→CC migration, or
+* because cdkd auto-routed it via the #614 default-on Cloud Control
+* fallback on a fresh deploy), subsequent SDK Provider backfills
+* (issue #609) do NOT auto-migrate it back — sticky semantics avoid
+* SDK↔CC ping-pong on every backfill release. This flag is the
+* user-initiated CC → SDK migration: destroy + recreate the named
+* resource so the new copy is `provisionedBy: 'sdk'`.
+*
+* Symmetric to `--recreate-via-cc-api`: same per-resource explicit
+* opt-in, same destroy-then-create ordering, same stateful guard,
+* same multi-region refusal, same `Continue? (y/N)` interactive prompt.
+*/
+function parseRecreateViaSdkProviderToken(value, previous) {
+	const token = value.trim();
+	if (!LOGICAL_ID_FORMAT.test(token)) throw new Error(`Invalid --recreate-via-sdk-provider value "${value}": expected a CloudFormation logical id (alphanumeric, starts with a letter, max 255 chars). One --recreate-via-sdk-provider flag per resource — repeat the flag for additional targets.`);
+	return [...previous ?? [], token];
+}
+const recreateViaSdkProviderOption = new Option("--recreate-via-sdk-provider <logicalId>", "Destroy + recreate the named resource (by CloudFormation logical id) via cdkd's SDK Provider in this deploy, so a resource currently sticky on provisionedBy: cc-api flips back to provisionedBy: sdk. Used after a #609 backfill release adds SDK coverage for a type the user originally needed CC for (e.g. Lambda LoggingConfig). Repeatable — pass the flag once per resource. Per-resource opt-in. Stateful resource types refuse unless --force-stateful-recreation is ALSO passed.").argParser(parseRecreateViaSdkProviderToken);
+/**
 * Issue [#615] — `--force-stateful-recreation` (boolean) is the second
 * flag required to allow `--recreate-via-cc-api` to operate on a
 * stateful resource (RDS / DynamoDB / EFS / S3 with data / etc.). Two
@@ -480,6 +501,7 @@ const deployOptions = [
 	allowUnsupportedTypesOption,
 	allowUnsupportedPropertiesOption,
 	recreateViaCcApiOption,
+	recreateViaSdkProviderOption,
 	forceStatefulRecreationOption,
 	...resourceTimeoutOptions
 ];
@@ -1089,16 +1111,31 @@ function renderStatefulReason(reason) {
 */
 const EMPTY_ALLOW_SET$1 = /* @__PURE__ */ new Set();
 function validateRecreateTargets(input) {
+	const seenCcApi = new Set(input.recreateViaCcApi);
+	const seenSdk = new Set(input.recreateViaSdkProvider ?? []);
+	const conflictingDirections = [...seenCcApi].filter((id) => seenSdk.has(id));
 	const seen = /* @__PURE__ */ new Set();
 	const targets = [];
 	const unknownLogicalIds = [];
 	const missingFromState = [];
 	const ambiguousIntent = [];
+	const ambiguousIntentSdk = [];
 	const blockedStatefulTargets = [];
 	const blockedMultiRegionTargets = [];
-	for (const logicalId of input.recreateViaCcApi) {
+	const blockedAlreadySdk = [];
+	const blockedNoSdkProvider = [];
+	const conflictSet = new Set(conflictingDirections);
+	const namedTargets = [...input.recreateViaCcApi.map((id) => ({
+		logicalId: id,
+		direction: "to-cc-api"
+	})), ...(input.recreateViaSdkProvider ?? []).map((id) => ({
+		logicalId: id,
+		direction: "to-sdk"
+	}))];
+	for (const { logicalId, direction } of namedTargets) {
 		if (seen.has(logicalId)) continue;
 		seen.add(logicalId);
+		if (conflictSet.has(logicalId)) continue;
 		const templateResource = input.template.Resources?.[logicalId];
 		if (!templateResource) {
 			unknownLogicalIds.push(logicalId);
@@ -1114,18 +1151,30 @@ function validateRecreateTargets(input) {
 			logicalId,
 			resourceType,
 			physicalId: recordedResource.physicalId,
-			statefulReason: isStatefulRecreateTargetSync(resourceType, recordedResource.properties)
+			statefulReason: isStatefulRecreateTargetSync(resourceType, recordedResource.properties),
+			direction
 		};
 		targets.push(target);
 		if (MULTI_REGION_RECREATE_BLOCKED_TYPES.has(resourceType)) blockedMultiRegionTargets.push(target);
-		const actionableDrops = findActionableSilentDrops(resourceType, templateResource.Properties, EMPTY_ALLOW_SET$1);
-		for (const { property } of actionableDrops) {
-			const allowKey = `${resourceType}:${property}`;
-			if (input.allowUnsupportedProperties.has(allowKey)) ambiguousIntent.push({
+		if (direction === "to-cc-api") {
+			const actionableDrops = findActionableSilentDrops(resourceType, templateResource.Properties, EMPTY_ALLOW_SET$1);
+			for (const { property } of actionableDrops) {
+				const allowKey = `${resourceType}:${property}`;
+				if (input.allowUnsupportedProperties.has(allowKey)) ambiguousIntent.push({
+					logicalId,
+					resourceType,
+					property
+				});
+			}
+		} else {
+			const actionableDrops = findActionableSilentDrops(resourceType, templateResource.Properties, input.allowUnsupportedProperties);
+			for (const { property } of actionableDrops) ambiguousIntentSdk.push({
 				logicalId,
 				resourceType,
 				property
 			});
+			if (!(recordedResource.provisionedBy === "cc-api")) blockedAlreadySdk.push(target);
+			if (input.hasSdkProvider && !input.hasSdkProvider(resourceType)) blockedNoSdkProvider.push(target);
 		}
 		if (target.statefulReason !== null && !input.forceStatefulRecreation) blockedStatefulTargets.push(target);
 	}
@@ -1134,8 +1183,12 @@ function validateRecreateTargets(input) {
 		unknownLogicalIds,
 		missingFromState,
 		ambiguousIntent,
+		ambiguousIntentSdk,
 		blockedStatefulTargets,
-		blockedMultiRegionTargets
+		blockedMultiRegionTargets,
+		blockedAlreadySdk,
+		blockedNoSdkProvider,
+		conflictingDirections
 	};
 }
 /**
@@ -1147,16 +1200,17 @@ function validateRecreateTargets(input) {
 */
 function renderRecreateTargetsErrors(validation) {
 	const lines = [];
+	const FLAG_UMBRELLA = "--recreate-via-cc-api / --recreate-via-sdk-provider";
 	if (validation.unknownLogicalIds.length > 0) {
-		lines.push(`--recreate-via-cc-api named ${validation.unknownLogicalIds.length} logical id(s) not present in the synth template:`);
+		lines.push(`${FLAG_UMBRELLA} named ${validation.unknownLogicalIds.length} logical id(s) not present in the synth template:`);
 		for (const id of validation.unknownLogicalIds) lines.push(`  - ${id}`);
 		lines.push("  Fix: confirm each id exists in the template (CDK display path is the parent; the logical id is the CFn-emitted name, e.g. cdkd synth | jq '.Resources | keys'). Recreate operates on the synth template's logical ids, not CDK display paths.");
 	}
 	if (validation.missingFromState.length > 0) {
 		if (lines.length > 0) lines.push("");
-		lines.push(`--recreate-via-cc-api named ${validation.missingFromState.length} logical id(s) the template declares but cdkd state has no record of:`);
+		lines.push(`${FLAG_UMBRELLA} named ${validation.missingFromState.length} logical id(s) the template declares but cdkd state has no record of:`);
 		for (const id of validation.missingFromState) lines.push(`  - ${id}`);
-		lines.push("  These are fresh CREATEs on the next deploy — recreate has nothing to destroy first. Remove the --recreate-via-cc-api flag for these resources; the new auto-route via Cloud Control (#614) handles fresh deploys.");
+		lines.push("  These are fresh CREATEs on the next deploy — recreate has nothing to destroy first. Remove the flag for these resources; the auto-route via Cloud Control (#614) handles fresh deploys for silent-drop properties, and SDK Provider is the default for everything else.");
 	}
 	if (validation.ambiguousIntent.length > 0) {
 		if (lines.length > 0) lines.push("");
@@ -1166,15 +1220,39 @@ function renderRecreateTargetsErrors(validation) {
 	}
 	if (validation.blockedStatefulTargets.length > 0) {
 		if (lines.length > 0) lines.push("");
-		lines.push(`--recreate-via-cc-api would destroy + recreate ${validation.blockedStatefulTargets.length} stateful resource(s). Recreate loses ALL data — no automatic data migration. Re-run with --force-stateful-recreation to acknowledge the data-loss footgun.`);
+		lines.push(`${FLAG_UMBRELLA} would destroy + recreate ${validation.blockedStatefulTargets.length} stateful resource(s). Recreate loses ALL data — no automatic data migration. Re-run with --force-stateful-recreation to acknowledge the data-loss footgun.`);
 		for (const blocked of validation.blockedStatefulTargets) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType}) — ${renderStatefulReason(blocked.statefulReason)}`);
 	}
 	if (validation.blockedMultiRegionTargets.length > 0) {
 		if (lines.length > 0) lines.push("");
-		lines.push(`--recreate-via-cc-api refuses to operate on ${validation.blockedMultiRegionTargets.length} multi-region resource(s) — out of scope for v1 of this flag (the destroy + recreate cycle across replica regions is more involved than the single-region path):`);
+		lines.push(`--recreate-via-cc-api / --recreate-via-sdk-provider refuses to operate on ${validation.blockedMultiRegionTargets.length} multi-region resource(s) — out of scope for v1 of these flags (the destroy + recreate cycle across replica regions is more involved than the single-region path):`);
 		for (const blocked of validation.blockedMultiRegionTargets) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType})`);
 		lines.push("  No --force-stateful-recreation bypass — this category is structurally unsupported in v1. File an issue if you need this path.");
 	}
+	if (validation.conflictingDirections.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`Conflicting recreate direction — ${validation.conflictingDirections.length} logical id(s) named in BOTH --recreate-via-cc-api AND --recreate-via-sdk-provider:`);
+		for (const id of validation.conflictingDirections) lines.push(`  - ${id}`);
+		lines.push("  Fix: pick ONE direction per resource. The two flags drive opposite provisionedBy targets ('cc-api' vs 'sdk').");
+	}
+	if (validation.blockedAlreadySdk.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-sdk-provider named ${validation.blockedAlreadySdk.length} resource(s) that are NOT currently sticky on Cloud Control API (the reverse migration is a no-op):`);
+		for (const blocked of validation.blockedAlreadySdk) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType})`);
+		lines.push("  Fix: remove --recreate-via-sdk-provider <id> for these resources. They are already SDK-managed (or pre-v7 legacy state, treated as SDK).");
+	}
+	if (validation.blockedNoSdkProvider.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`--recreate-via-sdk-provider named ${validation.blockedNoSdkProvider.length} resource(s) of types cdkd has no SDK provider for (Tier 2 CC-only):`);
+		for (const blocked of validation.blockedNoSdkProvider) lines.push(`  - ${blocked.logicalId} (${blocked.resourceType})`);
+		lines.push("  Fix: remove --recreate-via-sdk-provider <id> for these resources. The destroy + recreate would route via Cloud Control anyway — there's no SDK alternative available.");
+	}
+	if (validation.ambiguousIntentSdk.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push(`Inverse ambiguous intent — ${validation.ambiguousIntentSdk.length} --recreate-via-sdk-provider target(s) would IMMEDIATELY be re-routed back to Cloud Control after the recreate because their template uses silent-drop properties NOT in --allow-unsupported-properties:`);
+		for (const overlap of validation.ambiguousIntentSdk) lines.push(`  - ${overlap.logicalId} (${overlap.resourceType}) — template uses ${overlap.property}; the default-on CC auto-route would re-route the recreated resource back to CC immediately`);
+		lines.push("  Fix: pass --allow-unsupported-properties <Type>:<Prop> for each silent-drop property so the recreated resource stays on SDK with the property explicitly dropped. Or drop --recreate-via-sdk-provider — the resource already routes via CC and honors the property.");
+	}
 	return lines.length > 0 ? lines.join("\n") : null;
 }
 /**
@@ -1225,7 +1303,7 @@ async function probeStatefulRecreateTargetsAsync(targets, s3Client, logger = get
 			});
 			else promoted.push({ ...target });
 		} catch (e) {
-			logger.warn(`--recreate-via-cc-api: live S3 probe failed for ${target.logicalId} (bucket ${target.physicalId}); leaving stateful guard at the sync result. If the bucket might be non-empty, re-run with --force-stateful-recreation. Underlying error: ${e instanceof Error ? e.message : String(e)}`);
+			logger.warn(`--recreate-via-cc-api / --recreate-via-sdk-provider: live S3 probe failed for ${target.logicalId} (bucket ${target.physicalId}); leaving stateful guard at the sync result. If the bucket might be non-empty, re-run with --force-stateful-recreation. Underlying error: ${e instanceof Error ? e.message : String(e)}`);
 			promoted.push({ ...target });
 		}
 	}
@@ -1347,13 +1425,18 @@ function renderDownstreamConsumers(producerStack, consumers) {
 async function promptRecreateConfirm(input) {
 	if (input.targets.length === 0) return true;
 	const logger = getLogger();
+	const toCcCount = input.targets.filter((t) => t.direction === "to-cc-api").length;
+	const toSdkCount = input.targets.filter((t) => t.direction === "to-sdk").length;
 	logger.warn("");
-	logger.warn(`--recreate-via-cc-api will destroy + recreate ${input.targets.length} resource(s) via Cloud Control API on stack ${input.stackName}:`);
+	if (toCcCount > 0 && toSdkCount > 0) logger.warn(`recreate-via-cc-api / recreate-via-sdk-provider will destroy + recreate ${input.targets.length} resource(s) on stack ${input.stackName} (${toCcCount} → Cloud Control, ${toSdkCount} → SDK Provider):`);
+	else if (toCcCount > 0) logger.warn(`--recreate-via-cc-api will destroy + recreate ${toCcCount} resource(s) via Cloud Control API on stack ${input.stackName}:`);
+	else logger.warn(`--recreate-via-sdk-provider will destroy + recreate ${toSdkCount} resource(s) via SDK Provider on stack ${input.stackName}:`);
 	for (const t of input.targets) {
 		const stateful = t.statefulReason !== null;
 		const dataLossPrefix = stateful ? "**DATA LOSS** " : "";
+		const directionTag = t.direction === "to-cc-api" ? " [SDK → CC]" : " [CC → SDK]";
 		const stateNote = stateful ? ` — stateful (${t.statefulReason}); --force-stateful-recreation acknowledged` : "";
-		logger.warn(`  - ${dataLossPrefix}${t.logicalId} (${t.resourceType})${stateNote}`);
+		logger.warn(`  - ${dataLossPrefix}${t.logicalId} (${t.resourceType})${directionTag}${stateNote}`);
 		if (stateful) logger.warn(`    DATA: all data in ${t.logicalId} will be lost (no automatic data migration)`);
 	}
 	if (input.downstreamConsumers && input.downstreamConsumers.length > 0) {
@@ -33834,7 +33917,8 @@ async function deployCommand(stacks, options) {
 					}
 				}
 				let recreateViaCcApiTargets;
-				if (options.recreateViaCcApi?.length) {
+				let recreateViaSdkProviderTargets;
+				if (options.recreateViaCcApi?.length || options.recreateViaSdkProvider?.length) {
 					const stateForRecreateCheck = await stackStateBackend.getState(stackInfo.stackName, stackRegion);
 					const validation = await probeAndRevalidateStateful({
 						validation: validateRecreateTargets({
@@ -33847,17 +33931,20 @@ async function deployCommand(stacks, options) {
 								outputs: {},
 								lastModified: Date.now()
 							},
-							recreateViaCcApi: options.recreateViaCcApi,
+							recreateViaCcApi: options.recreateViaCcApi ?? [],
+							recreateViaSdkProvider: options.recreateViaSdkProvider ?? [],
 							allowUnsupportedProperties: new Set(options.allowUnsupportedProperties ?? []),
-							forceStatefulRecreation: options.forceStatefulRecreation ?? false
+							forceStatefulRecreation: options.forceStatefulRecreation ?? false,
+							hasSdkProvider: (rt) => stackProviderRegistry.getProviderType(rt) === "sdk"
 						}),
 						s3Client: stackAwsClients.s3,
 						forceStatefulRecreation: options.forceStatefulRecreation ?? false
 					});
 					const errorBlock = renderRecreateTargetsErrors(validation);
-					if (errorBlock) throw new CdkdError(errorBlock, "RECREATE_VIA_CC_API_INVALID");
-					recreateViaCcApiTargets = new Set(validation.targets.map((t) => t.logicalId));
-					if (recreateViaCcApiTargets.size > 0) {
+					if (errorBlock) throw new CdkdError(errorBlock, "RECREATE_TARGETS_INVALID");
+					recreateViaCcApiTargets = new Set(validation.targets.filter((t) => t.direction === "to-cc-api").map((t) => t.logicalId));
+					recreateViaSdkProviderTargets = new Set(validation.targets.filter((t) => t.direction === "to-sdk").map((t) => t.logicalId));
+					if (recreateViaCcApiTargets.size > 0 || recreateViaSdkProviderTargets.size > 0) {
 						const downstreamConsumers = await findDownstreamConsumers({
 							producerStack: stackInfo.stackName,
 							producerRegion: stackRegion,
@@ -33877,6 +33964,7 @@ async function deployCommand(stacks, options) {
 					dryRun: options.dryRun,
 					noRollback: !options.rollback,
 					...recreateViaCcApiTargets && recreateViaCcApiTargets.size > 0 && { recreateViaCcApiTargets },
+					...recreateViaSdkProviderTargets && recreateViaSdkProviderTargets.size > 0 && { recreateViaSdkProviderTargets },
 					captureObservedState: resolveCaptureObservedState(options.captureObservedState),
 					...options.resourceWarnAfter?.globalMs !== void 0 && { resourceWarnAfterMs: options.resourceWarnAfter.globalMs },
 					...options.resourceTimeout?.globalMs !== void 0 && { resourceTimeoutMs: options.resourceTimeout.globalMs },
@@ -57201,6 +57289,7 @@ async function localRunTaskCommand(target, options) {
 			resolvedRoleArn = options.assumeTaskRole;
 			assumedCredentials = await assumeTaskRole$1(resolvedRoleArn, options.region);
 		}
+		const sidecarCredentials = await resolveSidecarCredentials(options, assumedCredentials);
 		const envOverrides = readEnvOverridesFile$2(options.envVars);
 		const runOpts = {
 			cluster: options.cluster,
@@ -57210,7 +57299,7 @@ async function localRunTaskCommand(target, options) {
 			detach: options.detach
 		};
 		if (envOverrides) runOpts.envOverrides = envOverrides;
-		if (assumedCredentials) runOpts.taskCredentials = assumedCredentials;
+		if (sidecarCredentials) runOpts.taskCredentials = sidecarCredentials;
 		if (resolvedRoleArn) runOpts.taskRoleArn = resolvedRoleArn;
 		if (options.platform) runOpts.platformOverride = options.platform;
 		if (options.region) runOpts.region = options.region;
@@ -57357,6 +57446,29 @@ function readEnvOverridesFile$2(filePath) {
 	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error(`--env-vars file '${filePath}' must contain a JSON object at the top level.`);
 	return parsed;
 }
+/**
+* Issue #658: pick the credentials forwarded to the AWS-published
+* `amazon-ecs-local-container-endpoints` sidecar. Precedence:
+*   1. `--assume-task-role <arn>` (or bare `--assume-task-role` against
+*      a resolvable `TaskRoleArn`) → STS-assumed temp creds. Highest
+*      priority — when the user opted in to IAM emulation, those creds
+*      drive the sidecar regardless of `--profile`.
+*   2. `--profile <p>` → resolved via {@link resolveProfileCredentials}
+*      (the SDK's default credential provider chain — SSO / IAM
+*      Identity Center / fromIni / role-assumption). NEW in this PR.
+*   3. Neither set → `undefined`; the sidecar runs with its own
+*      default credential chain (typically empty inside a fresh
+*      container — user containers will get 4xx from the credentials
+*      endpoint, mimicking IAM-misconfigured prod).
+*
+* Extracted as an exported helper so a unit test can exercise every
+* branch without having to mock the full Synth + Docker + AWS pipeline
+* (the strategy PR #655 used for the Lambda container path).
+*/
+async function resolveSidecarCredentials(options, assumedCredentials) {
+	if (assumedCredentials) return assumedCredentials;
+	if (options.profile) return resolveProfileCredentials(options.profile);
+}
 function createLocalRunTaskCommand() {
 	const cmd = new Command("run-task").description("Run an AWS::ECS::TaskDefinition locally — pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries (#455). Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt references to same-stack AWS::ECR::Repository resources with the deployed URI. Off by default — only the AWS pseudo-parameter tier (${AWS::AccountId} / ${AWS::Region}) is resolved without this flag.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkd stack name; pass an explicit value when the CFn stack name differs. Mutually exclusive with --from-state. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-state when the same stack name has state in multiple regions, and with --from-cfn-stack as the CFn client region (cdkd does not have a separate --cfn-stack-region flag).")).action(withErrorHandling(localRunTaskCommand));
 	[
@@ -58487,11 +58599,13 @@ async function localStartServiceCommand(targets, options) {
 			for (const w of index.warnings) logger.warn(w);
 		}
 		const registry = new CloudMapRegistry();
+		const sidecarCredentials = await resolveSharedSidecarCredentials(options);
 		try {
 			sharedNetwork = await createSharedSvcNetwork({
 				prefix: options.cluster,
 				skipPull,
-				cluster: options.cluster
+				cluster: options.cluster,
+				...sidecarCredentials !== void 0 && { credentials: sidecarCredentials }
 			});
 		} catch (err) {
 			throw new LocalStartServiceError(`Failed to create shared service network: ${err instanceof Error ? err.message : String(err)}`);
@@ -58731,6 +58845,34 @@ function parseRestartPolicy(raw) {
 	if (raw === "on-failure" || raw === "always" || raw === "none") return raw;
 	throw new LocalStartServiceError(`--restart-policy must be one of 'on-failure', 'always', or 'none' (got '${raw}').`);
 }
+/**
+* Issue #658: pick the credentials forwarded to the AWS-published
+* `amazon-ecs-local-container-endpoints` sidecar. `cdkd local
+* start-service`'s sidecar is SHARED across every replica boot in one
+* CLI invocation (design § 5 Option A), so this resolves ONCE at
+* startup. Precedence:
+*   1. `--profile <p>` → resolved via {@link resolveProfileCredentials}
+*      (the SDK's default credential provider chain — SSO / IAM
+*      Identity Center / fromIni / role-assumption). NEW in this PR.
+*   2. Not set → `undefined`; the sidecar runs with its own default
+*      credential chain (typically empty inside a fresh container —
+*      user containers will get 4xx from the credentials endpoint).
+*
+* Note: per-service `--assume-task-role <Service>=<arn>` overrides are
+* INTENTIONALLY NOT consulted here. The shared sidecar has no concept
+* of per-service IAM — per-service `TaskRoleArn` flows into each
+* container's env via `buildMetadataEnv` at boot time, where the
+* sidecar's `/role/<role-arn>` path resolves per-request. The shared
+* sidecar's OWN startup credentials govern only the fallback path
+* (containers that did not bind a `TaskRoleArn`).
+*
+* Extracted as an exported helper so a unit test can exercise both
+* branches without having to mock the full Synth + Docker + AWS
+* pipeline (the strategy PR #655 used for the Lambda container path).
+*/
+async function resolveSharedSidecarCredentials(options) {
+	if (options.profile) return resolveProfileCredentials(options.profile);
+}
 function createLocalStartServiceCommand() {
 	const cmd = new Command("start-service").description("Run one or more AWS::ECS::Service resources locally as a long-running emulator. Spins up DesiredCount task replicas per service (clamped by --max-tasks) using the same per-task docker network + metadata sidecar pattern as `cdkd local run-task`, then keeps each replica running and restarts it on exit per --restart-policy. ^C tears every replica + sidecar + network down. Each <target> accepts a CDK display path (MyStack/MyService) or stack-qualified logical ID (MyStack:MyServiceXYZ); single-stack apps may omit the stack prefix. When two or more <target>s are supplied, every service is booted into a shared Cloud Map / Service Connect registry so peer services discover each other via docker --add-host overlay (Issue #460).").argument("<targets...>", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ECS::Service resources to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt / Fn::ImportValue / Fn::GetStackOutput intrinsics in container images, environment variables, secrets, role ARNs, and volumes.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkd stack name; pass an explicit value when the CFn stack name differs. Mutually exclusive with --from-state. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-state when the same stack name has state in multiple regions, and with --from-cfn-stack as the CFn client region (cdkd does not have a separate --cfn-stack-region flag).")).action(withErrorHandling(localStartServiceCommand));
 	[
@@ -60619,7 +60761,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.165.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.166.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());