@go-to-k/cdkd 0.196.0 → 0.197.0

package/dist/docker-cmd-iDMcWcre.js

@@ -1,1004 +0,0 @@
-import { t as __exportAll } from "./rolldown-runtime-CjeV3_4I.js";
-import { AsyncLocalStorage } from "node:async_hooks";
-import { createHash } from "node:crypto";
-import { spawn } from "node:child_process";
-
-//#region src/provisioning/resource-name.ts
-/**
-* Per-async-context stack name. Resource-name generation reads this so that
-* concurrent deploys (`cdkd deploy --all` runs stacks in parallel up to
-* `--stack-concurrency`) don't fight over a single shared variable.
-*
-* History: this was `let currentStackName: string | undefined` until
-* 2026-05-01. Two parallel `deploy()` calls would each call
-* `setCurrentStackName(...)` and the second would overwrite the first;
-* any IAM Role / SQS Queue / etc. created by the first stack while the
-* second was active would get the second stack's prefix in its physical
-* name, then the second stack's own create attempt for the same logical
-* id would collide ("Role with name X already exists"). Switching to
-* `AsyncLocalStorage` scopes the value to each deploy's async chain.
-*/
-const stackNameStore = new AsyncLocalStorage();
-function withStackName(stackName, fn) {
-	return stackNameStore.run(stackName, fn);
-}
-/**
-* Read the current async context's stack name, if any.
-*
-* Returns `undefined` outside any `withStackName` / `setCurrentStackName`
-* scope. Used by the live renderer to scope per-stack in-flight task
-* entries so concurrent deploys don't clobber each other's tasks (same
-* `logicalId` in two stacks would collide on the singleton renderer's
-* task Map without this).
-*/
-function getCurrentStackName() {
-	return stackNameStore.getStore();
-}
-/**
-* Per-async-context "skip the stack-name prefix on user-supplied physical
-* names" flag. Read by `generateResourceName` when its caller passes
-* `userSupplied: true`; auto-generated-name paths
-* (`generateResourceName(logicalId, ...)`) ignore this flag.
-*
-* Scoped via AsyncLocalStorage so that `--stack-concurrency > 1` runs
-* cannot cross-contaminate — each deploy's body is wrapped in its own
-* `withSkipPrefix(...)` scope (the deploy CLI plumbs the resolved
-* `--no-prefix-user-supplied-names` value through here). Default
-* `false` preserves pre-PR behavior when the flag is not set.
-*/
-const skipPrefixStore = new AsyncLocalStorage();
-function withSkipPrefix(skip, fn) {
-	return skipPrefixStore.run(skip, fn);
-}
-/**
-* Read the current async context's skip-prefix flag. Defaults to
-* `false` when no `withSkipPrefix` scope is active.
-*
-* Public for unit tests; `generateResourceName` consumes this
-* internally.
-*/
-function getCurrentSkipPrefix() {
-	return skipPrefixStore.getStore() ?? false;
-}
-/**
-* Resource types whose pre-PR #297 code path ran user-supplied
-* physical names through `generateResourceName` (= got the stack-name
-* prefix). These are the only types affected by
-* `--no-prefix-user-supplied-names`; flipping the flag against an
-* existing stack proposes REPLACEMENT on every state resource of
-* one of these types whose `physicalId` is still prefixed.
-*
-* Pattern A providers (Lambda, S3, SNS, SQS, DynamoDB, Logs LogGroup,
-* Events Rule, etc.) historically short-circuited user-supplied names
-* **out** of `generateResourceName` entirely — those types never got
-* the prefix regardless of the flag, so they are NOT included here.
-*
-* Used by the deploy-time pre-flight migration check in
-* `src/cli/commands/prefix-migration-check.ts`. Keep in sync with the
-* Pattern B provider call sites that consume
-* `generateResourceNameWithFallback(...)`.
-*/
-const PATTERN_B_RESOURCE_TYPES = [
-	"AWS::IAM::Role",
-	"AWS::IAM::User",
-	"AWS::IAM::Group",
-	"AWS::IAM::InstanceProfile",
-	"AWS::IAM::ManagedPolicy",
-	"AWS::ElasticLoadBalancingV2::LoadBalancer",
-	"AWS::ElasticLoadBalancingV2::TargetGroup"
-];
-/**
-* For each Pattern B resource type, the CFn template `Properties` field
-* the user sets to supply a physical name (`new iam.Role(this, 'X',
-* { roleName: 'my-role' })` → `Properties.RoleName: 'my-role'`).
-*
-* Used by the prefix-migration check to distinguish user-supplied
-* physical names (which the v0.94.0 default flip would actually
-* REPLACE on next deploy) from auto-generated logical-id-fallback
-* names (which keep the prefix in BOTH old and new default — no
-* REPLACE pending). Without this discriminator, the migration
-* check naively flags every prefix-style physicalId regardless of
-* its origin, surfacing a false-positive WARNING on auto-generated
-* names that won't actually be touched.
-*
-* Keep in sync with `PATTERN_B_RESOURCE_TYPES` and with each
-* provider's `Properties[<NameField>]` lookup in
-* `src/provisioning/providers/`.
-*/
-const PATTERN_B_NAME_PROPERTIES = {
-	"AWS::IAM::Role": "RoleName",
-	"AWS::IAM::User": "UserName",
-	"AWS::IAM::Group": "GroupName",
-	"AWS::IAM::InstanceProfile": "InstanceProfileName",
-	"AWS::IAM::ManagedPolicy": "ManagedPolicyName",
-	"AWS::ElasticLoadBalancingV2::LoadBalancer": "Name",
-	"AWS::ElasticLoadBalancingV2::TargetGroup": "Name"
-};
-/**
-* Generate a unique resource name from the logical ID.
-*
-* Generates names in CloudFormation-compatible format:
-* `{StackName}-{LogicalId}-{Hash}` (truncated to maxLength).
-*
-* @param name The raw name (from properties or logicalId fallback)
-* @param options Length and character constraints
-* @returns A sanitized, truncated name that fits the constraints
-*/
-function generateResourceName(name, options) {
-	const { maxLength, lowercase = false, allowedPattern = /[^a-zA-Z0-9-]/g, userSupplied = false } = options;
-	const currentStackName = stackNameStore.getStore();
-	const fullName = currentStackName && !(userSupplied && getCurrentSkipPrefix()) ? `${currentStackName}-${name}` : name;
-	let sanitized = lowercase ? fullName.toLowerCase() : fullName;
-	sanitized = sanitized.replace(allowedPattern, "-");
-	sanitized = sanitized.replace(/-{2,}/g, "-").replace(/^-+|-+$/g, "");
-	if (sanitized.length <= maxLength) return sanitized;
-	const hash = createHash("sha256").update(fullName).digest("hex").substring(0, 8);
-	const maxPrefixLength = maxLength - hash.length - 1;
-	return `${sanitized.substring(0, maxPrefixLength).replace(/-+$/, "")}-${hash}`;
-}
-/**
-* Generate a resource name from a user-declared physical name OR
-* fall back to the logical id.
-*
-* Wraps {@link generateResourceName} to express the Pattern B call-site
-* shape (`generateResourceName((properties['Name'] as string | undefined)
-* || logicalId, opts)`) as a single typed helper. The user-supplied
-* branch passes `userSupplied: true`, which makes the per-deploy
-* `withSkipPrefix(true)` flag drop the stack-name prefix on that name.
-* The fallback (logical-id) branch is `userSupplied: false` and keeps
-* the prefix regardless of the flag — auto-generated names rely on
-* the prefix for cross-stack uniqueness.
-*
-* Use at every Pattern B provider call site (currently IAM Role, IAM
-* User, IAM Group, IAM InstanceProfile, ELBv2 LoadBalancer, ELBv2
-* TargetGroup) so the `--no-prefix-user-supplied-names` flag controls
-* those types consistently. Pattern A providers (Lambda, S3, SNS,
-* SQS, DynamoDB, etc.) do NOT need this helper — they already
-* short-circuit the user-supplied name out of the
-* `generateResourceName` call entirely, so the prefix is never
-* applied to user-supplied names regardless of the flag.
-*/
-function generateResourceNameWithFallback(userSuppliedName, logicalId, options) {
-	if (userSuppliedName !== void 0 && userSuppliedName !== "") return generateResourceName(userSuppliedName, {
-		...options,
-		userSupplied: true
-	});
-	return generateResourceName(logicalId, {
-		...options,
-		userSupplied: false
-	});
-}
-/**
-* Default name generation rules for CC API fallback.
-*
-* When an SDK provider falls back to CC API, the resource may need a
-* default name that the SDK provider would have generated. This map
-* defines the name property and generation options for each resource type.
-*
-* Format: resourceType → { nameProperty, options, postProcess? }
-*/
-const FALLBACK_NAME_RULES = {
-	"AWS::S3::Bucket": {
-		nameProperty: "BucketName",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::SQS::Queue": {
-		nameProperty: "QueueName",
-		options: { maxLength: 80 }
-	},
-	"AWS::SNS::Topic": {
-		nameProperty: "TopicName",
-		options: { maxLength: 256 }
-	},
-	"AWS::Lambda::Function": {
-		nameProperty: "FunctionName",
-		options: { maxLength: 64 }
-	},
-	"AWS::Lambda::LayerVersion": {
-		nameProperty: "LayerName",
-		options: { maxLength: 64 }
-	},
-	"AWS::IAM::Role": {
-		nameProperty: "RoleName",
-		options: { maxLength: 64 }
-	},
-	"AWS::IAM::Policy": {
-		nameProperty: "PolicyName",
-		options: { maxLength: 64 }
-	},
-	"AWS::IAM::ManagedPolicy": {
-		nameProperty: "ManagedPolicyName",
-		options: { maxLength: 128 }
-	},
-	"AWS::IAM::User": {
-		nameProperty: "UserName",
-		options: { maxLength: 64 }
-	},
-	"AWS::IAM::Group": {
-		nameProperty: "GroupName",
-		options: { maxLength: 128 }
-	},
-	"AWS::IAM::InstanceProfile": {
-		nameProperty: "InstanceProfileName",
-		options: { maxLength: 128 }
-	},
-	"AWS::DynamoDB::Table": {
-		nameProperty: "TableName",
-		options: { maxLength: 255 }
-	},
-	"AWS::ECR::Repository": {
-		nameProperty: "RepositoryName",
-		options: {
-			maxLength: 256,
-			lowercase: true
-		}
-	},
-	"AWS::ECS::Cluster": {
-		nameProperty: "ClusterName",
-		options: { maxLength: 255 }
-	},
-	"AWS::ECS::Service": {
-		nameProperty: "ServiceName",
-		options: { maxLength: 255 }
-	},
-	"AWS::Logs::LogGroup": {
-		nameProperty: "LogGroupName",
-		options: { maxLength: 512 }
-	},
-	"AWS::CloudWatch::Alarm": {
-		nameProperty: "AlarmName",
-		options: { maxLength: 256 }
-	},
-	"AWS::Events::Rule": {
-		nameProperty: "Name",
-		options: { maxLength: 64 }
-	},
-	"AWS::Events::EventBus": {
-		nameProperty: "Name",
-		options: { maxLength: 256 }
-	},
-	"AWS::Kinesis::Stream": {
-		nameProperty: "Name",
-		options: { maxLength: 128 }
-	},
-	"AWS::StepFunctions::StateMachine": {
-		nameProperty: "StateMachineName",
-		options: { maxLength: 80 }
-	},
-	"AWS::SecretsManager::Secret": {
-		nameProperty: "Name",
-		options: {
-			maxLength: 512,
-			allowedPattern: /[^a-zA-Z0-9-/_]/g
-		}
-	},
-	"AWS::SSM::Parameter": {
-		nameProperty: "Name",
-		options: { maxLength: 2048 }
-	},
-	"AWS::Cognito::UserPool": {
-		nameProperty: "UserPoolName",
-		options: { maxLength: 128 }
-	},
-	"AWS::ElastiCache::SubnetGroup": {
-		nameProperty: "CacheSubnetGroupName",
-		options: {
-			maxLength: 255,
-			lowercase: true
-		}
-	},
-	"AWS::ElastiCache::CacheCluster": {
-		nameProperty: "ClusterName",
-		options: {
-			maxLength: 40,
-			lowercase: true
-		}
-	},
-	"AWS::RDS::DBSubnetGroup": {
-		nameProperty: "DBSubnetGroupName",
-		options: {
-			maxLength: 255,
-			lowercase: true
-		}
-	},
-	"AWS::RDS::DBCluster": {
-		nameProperty: "DBClusterIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::RDS::DBInstance": {
-		nameProperty: "DBInstanceIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::DocDB::DBSubnetGroup": {
-		nameProperty: "DBSubnetGroupName",
-		options: {
-			maxLength: 255,
-			lowercase: true
-		}
-	},
-	"AWS::DocDB::DBCluster": {
-		nameProperty: "DBClusterIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::DocDB::DBInstance": {
-		nameProperty: "DBInstanceIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::Neptune::DBSubnetGroup": {
-		nameProperty: "DBSubnetGroupName",
-		options: {
-			maxLength: 255,
-			lowercase: true
-		}
-	},
-	"AWS::Neptune::DBCluster": {
-		nameProperty: "DBClusterIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::Neptune::DBInstance": {
-		nameProperty: "DBInstanceIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::ElasticLoadBalancingV2::LoadBalancer": {
-		nameProperty: "Name",
-		options: { maxLength: 32 }
-	},
-	"AWS::ElasticLoadBalancingV2::TargetGroup": {
-		nameProperty: "Name",
-		options: { maxLength: 32 }
-	},
-	"AWS::WAFv2::WebACL": {
-		nameProperty: "Name",
-		options: { maxLength: 128 }
-	},
-	"AWS::CodeBuild::Project": {
-		nameProperty: "Name",
-		options: { maxLength: 255 }
-	},
-	"AWS::S3Express::DirectoryBucket": {
-		nameProperty: "BucketName",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	}
-};
-/**
-* Apply default name generation for CC API fallback.
-*
-* When a resource doesn't have an explicit name property set,
-* generates the same default name that the SDK provider would have created.
-* This ensures consistent naming regardless of whether SDK or CC API handles the resource.
-*
-* @param logicalId Logical ID from the template
-* @param resourceType CloudFormation resource type
-* @param properties Resource properties (will not be mutated)
-* @returns Properties with default name applied if needed, or original properties if no rule exists
-*/
-function applyDefaultNameForFallback(logicalId, resourceType, properties) {
-	const rule = FALLBACK_NAME_RULES[resourceType];
-	if (!rule) return properties;
-	if (properties[rule.nameProperty]) return properties;
-	const generatedName = generateResourceName(logicalId, rule.options);
-	return {
-		...properties,
-		[rule.nameProperty]: generatedName
-	};
-}
-
-//#endregion
-//#region src/utils/live-renderer.ts
-/**
-* Live multi-line progress renderer for the bottom of the terminal.
-*
-* Maintains a "live area" listing in-flight tasks (Creating MyBucket...),
-* redrawn on a spinner timer. Other log output is routed through
-* {@link LiveRenderer.printAbove} so it appears above the live area without
-* disturbing the currently-displayed in-flight tasks.
-*
-* Design notes:
-* - Multiple resources can be in flight concurrently (cdkd uses parallel DAG
-*   dispatch), so a single in-place line overwrite is not enough — each
-*   in-flight resource is its own line in the live area.
-* - On non-TTY (CI/log-collection), the renderer stays inactive and
-*   {@link LiveRenderer.printAbove} falls through to a direct write, so output
-*   matches the previous append-only behavior.
-* - In verbose mode (debug level) the caller should not start the renderer:
-*   debug logs would interleave too aggressively with the live area.
-*/
-const SPINNER_FRAMES = [
-	"⠋",
-	"⠙",
-	"⠹",
-	"⠸",
-	"⠼",
-	"⠴",
-	"⠦",
-	"⠧",
-	"⠇",
-	"⠏"
-];
-const FRAME_INTERVAL_MS = 80;
-const ESC = "\x1B[";
-/**
-* Scope a task `id` to its calling stack so two stacks running in
-* parallel — `cdkd deploy --all` with `--stack-concurrency > 1` — don't
-* collide on the same `logicalId` in the renderer's task Map. Without
-* this, stack B's `addTask('MyQueue', ...)` would overwrite stack A's
-* entry, and stack A's later `removeTask('MyQueue')` would erase
-* stack B's.
-*/
-function scopedKey(id, stackName) {
-	return stackName ? `${stackName}:${id}` : id;
-}
-var LiveRenderer = class {
-	tasks = /* @__PURE__ */ new Map();
-	active = false;
-	spinnerIndex = 0;
-	interval = null;
-	linesDrawn = 0;
-	cursorHidden = false;
-	exitListener = null;
-	stream;
-	constructor(stream = process.stdout) {
-		this.stream = stream;
-	}
-	isActive() {
-		return this.active;
-	}
-	/**
-	* Enable the live renderer. No-op if stdout is not a TTY or if
-	* `CDKD_NO_LIVE=1`. Returns true if successfully enabled.
-	*/
-	start() {
-		if (this.active) return true;
-		if (!this.stream.isTTY) return false;
-		if (process.env["CDKD_NO_LIVE"] === "1") return false;
-		this.active = true;
-		this.hideCursor();
-		if (!this.exitListener) {
-			this.exitListener = () => this.showCursor();
-			process.on("exit", this.exitListener);
-		}
-		this.interval = setInterval(() => this.draw(), FRAME_INTERVAL_MS);
-		if (typeof this.interval.unref === "function") this.interval.unref();
-		return true;
-	}
-	stop() {
-		if (!this.active) return;
-		if (this.interval) {
-			clearInterval(this.interval);
-			this.interval = null;
-		}
-		this.clear();
-		this.showCursor();
-		if (this.exitListener) {
-			process.removeListener("exit", this.exitListener);
-			this.exitListener = null;
-		}
-		this.tasks.clear();
-		this.active = false;
-	}
-	addTask(id, label) {
-		const stackName = getCurrentStackName();
-		this.tasks.set(scopedKey(id, stackName), {
-			label,
-			startedAt: Date.now(),
-			stackName
-		});
-		if (this.active) this.draw();
-	}
-	removeTask(id) {
-		const stackName = getCurrentStackName();
-		if (!this.tasks.delete(scopedKey(id, stackName))) return;
-		if (this.active) this.draw();
-	}
-	/**
-	* Replace the label of a previously-added task in place. No-op if the
-	* task is not currently tracked (e.g. it already finished). Used by the
-	* per-resource deadline wrapper to surface a "[taking longer than
-	* expected, Nm+]" suffix without disturbing the elapsed-time counter
-	* the renderer tracks via `startedAt`.
-	*/
-	updateTaskLabel(id, label) {
-		const stackName = getCurrentStackName();
-		const task = this.tasks.get(scopedKey(id, stackName));
-		if (!task) return;
-		task.label = label;
-		if (this.active) this.draw();
-	}
-	/**
-	* Print content above the live area. Clears the live area, runs the writer,
-	* then redraws the live area. When the renderer is inactive, the writer
-	* runs directly so callers can use this unconditionally.
-	*/
-	printAbove(write) {
-		if (!this.active) {
-			write();
-			return;
-		}
-		this.clear();
-		write();
-		this.draw();
-	}
-	clear() {
-		if (this.linesDrawn === 0) return;
-		this.stream.write("\r");
-		for (let i = 0; i < this.linesDrawn; i++) this.stream.write(`${ESC}1A${ESC}2K`);
-		this.linesDrawn = 0;
-	}
-	draw() {
-		if (!this.active) return;
-		this.clear();
-		if (this.tasks.size === 0) return;
-		const frame = SPINNER_FRAMES[this.spinnerIndex % SPINNER_FRAMES.length];
-		this.spinnerIndex++;
-		const distinctStacks = /* @__PURE__ */ new Set();
-		for (const task of this.tasks.values()) distinctStacks.add(task.stackName);
-		const showStackPrefix = distinctStacks.size > 1;
-		const cols = this.stream.columns ?? 80;
-		const lines = [];
-		for (const task of this.tasks.values()) {
-			const elapsed = ((Date.now() - task.startedAt) / 1e3).toFixed(1);
-			const raw = `  ${frame} ${showStackPrefix && task.stackName ? `[${task.stackName}] ` : ""}${task.label} (${elapsed}s)`;
-			lines.push(this.truncate(raw, cols));
-		}
-		this.stream.write(lines.join("\n") + "\n");
-		this.linesDrawn = lines.length;
-	}
-	truncate(s, maxLen) {
-		if (s.length <= maxLen) return s;
-		if (maxLen <= 1) return "…";
-		return s.substring(0, maxLen - 1) + "…";
-	}
-	hideCursor() {
-		if (this.cursorHidden) return;
-		this.stream.write(`${ESC}?25l`);
-		this.cursorHidden = true;
-	}
-	showCursor() {
-		if (!this.cursorHidden) return;
-		this.stream.write(`${ESC}?25h`);
-		this.cursorHidden = false;
-	}
-};
-let globalRenderer = null;
-function getLiveRenderer() {
-	if (!globalRenderer) globalRenderer = new LiveRenderer();
-	return globalRenderer;
-}
-
-//#endregion
-//#region src/utils/stack-context.ts
-const outputBufferStore = new AsyncLocalStorage();
-/**
-* Run `fn` with a fresh log buffer scoped to its async chain. Any
-* `logger.info / debug / warn / error` calls inside `fn` (and any
-* `await`s) push into the buffer instead of writing to stdout/stderr.
-* Returns the buffered lines (and either `result` or `error`) so the
-* caller can flush them in one block.
-*/
-async function runStackBuffered(fn) {
-	const buffer = { lines: [] };
-	return outputBufferStore.run(buffer, async () => {
-		try {
-			return {
-				ok: true,
-				result: await fn(),
-				lines: buffer.lines
-			};
-		} catch (error) {
-			return {
-				ok: false,
-				error,
-				lines: buffer.lines
-			};
-		}
-	});
-}
-/**
-* Get the current async context's stack output buffer, or `undefined`
-* if no `runStackBuffered` is active. The logger consults this on every
-* call: present → push to buffer; absent → fall through to live
-* renderer / console.
-*/
-function getCurrentStackOutputBuffer() {
-	return outputBufferStore.getStore();
-}
-
-//#endregion
-//#region src/utils/logger.ts
-/**
-* ANSI color codes
-*
-* Kept internal — `ConsoleLogger.formatMessage` references these for the
-* verbose/compact mode level prefixes. For inline color wrapping in
-* production code, import from `./colors.js` instead (which lives in a
-* separate module so unit tests that mock `logger.ts` don't strip color
-* helpers as a side effect).
-*/
-const colors = {
-	reset: "\x1B[0m",
-	bright: "\x1B[1m",
-	dim: "\x1B[2m",
-	red: "\x1B[31m",
-	green: "\x1B[32m",
-	yellow: "\x1B[33m",
-	blue: "\x1B[34m",
-	cyan: "\x1B[36m",
-	gray: "\x1B[90m"
-};
-/**
-* Format timestamp
-*/
-function formatTimestamp() {
-	return (/* @__PURE__ */ new Date()).toISOString();
-}
-/**
-* Console logger implementation
-*
-* Supports two output modes:
-* - verbose (debug level): timestamps, module prefixes, all details
-* - compact (info level): clean output without timestamps or prefixes
-*/
-var ConsoleLogger = class {
-	level;
-	useColors;
-	constructor(level = "info", useColors = true) {
-		this.level = level;
-		this.useColors = useColors;
-	}
-	shouldLog(level) {
-		const levels = [
-			"debug",
-			"info",
-			"warn",
-			"error"
-		];
-		const currentLevelIndex = levels.indexOf(this.level);
-		return levels.indexOf(level) >= currentLevelIndex;
-	}
-	formatMessage(level, message, ...args) {
-		const formattedArgs = args.length > 0 ? " " + args.map((a) => JSON.stringify(a)).join(" ") : "";
-		if (this.level === "debug") {
-			const timestamp = formatTimestamp();
-			const levelStr = level.toUpperCase().padEnd(5);
-			if (this.useColors) {
-				const levelColor = {
-					debug: colors.gray,
-					info: colors.blue,
-					warn: colors.yellow,
-					error: colors.red
-				}[level];
-				return `${colors.dim}${timestamp}${colors.reset} ${levelColor}${levelStr}${colors.reset} ${message}${formattedArgs}`;
-			}
-			return `${timestamp} ${levelStr} ${message}${formattedArgs}`;
-		}
-		if (this.useColors) {
-			if (level === "error") return `${colors.red}${message}${formattedArgs}${colors.reset}`;
-			if (level === "warn") return `${colors.yellow}${message}${formattedArgs}${colors.reset}`;
-			return `${message}${formattedArgs}`;
-		}
-		return `${message}${formattedArgs}`;
-	}
-	/**
-	* Route a formatted log line. When a per-stack output buffer is active in
-	* the current async context (parallel multi-stack deploy), capture the
-	* line into the buffer so it can be flushed as one atomic block when the
-	* stack finishes. Otherwise fall through to the live renderer / console
-	* as before.
-	*/
-	emit(level, formatted) {
-		const buffer = getCurrentStackOutputBuffer();
-		if (buffer) {
-			buffer.lines.push(formatted);
-			return;
-		}
-		getLiveRenderer().printAbove(() => {
-			if (level === "error") console.error(formatted);
-			else if (level === "warn") console.warn(formatted);
-			else if (level === "info") console.info(formatted);
-			else console.debug(formatted);
-		});
-	}
-	debug(message, ...args) {
-		if (this.shouldLog("debug")) this.emit("debug", this.formatMessage("debug", message, ...args));
-	}
-	info(message, ...args) {
-		if (this.shouldLog("info")) this.emit("info", this.formatMessage("info", message, ...args));
-	}
-	warn(message, ...args) {
-		if (this.shouldLog("warn")) this.emit("warn", this.formatMessage("warn", message, ...args));
-	}
-	error(message, ...args) {
-		if (this.shouldLog("error")) this.emit("error", this.formatMessage("error", message, ...args));
-	}
-	/**
-	* Set log level
-	*/
-	setLevel(level) {
-		this.level = level;
-	}
-	getLevel() {
-		return this.level;
-	}
-	/**
-	* Create a child logger with a prefix
-	*
-	* In verbose mode, prefix is shown as [Prefix]. In compact mode, prefix is hidden.
-	*/
-	child(prefix) {
-		return new ChildLogger(prefix, this.useColors);
-	}
-};
-/**
-* Child logger that always syncs level from global logger
-*/
-var ChildLogger = class extends ConsoleLogger {
-	prefix;
-	constructor(prefix, useColors) {
-		super("info", useColors);
-		this.prefix = prefix;
-	}
-	syncLevel() {
-		if (globalLogger) this.setLevel(globalLogger.getLevel());
-	}
-	debug(message, ...args) {
-		this.syncLevel();
-		super.debug(`[${this.prefix}] ${message}`, ...args);
-	}
-	info(message, ...args) {
-		this.syncLevel();
-		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
-		super.info(msg, ...args);
-	}
-	warn(message, ...args) {
-		this.syncLevel();
-		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
-		super.warn(msg, ...args);
-	}
-	error(message, ...args) {
-		this.syncLevel();
-		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
-		super.error(msg, ...args);
-	}
-};
-/**
-* Global logger instance
-*/
-let globalLogger = null;
-/**
-* Get or create global logger
-*/
-function getLogger() {
-	if (!globalLogger) globalLogger = new ConsoleLogger();
-	return globalLogger;
-}
-/**
-* Set global logger instance
-*/
-function setLogger(logger) {
-	globalLogger = logger;
-}
-
-//#endregion
-//#region src/utils/docker-cmd.ts
-var docker_cmd_exports = /* @__PURE__ */ __exportAll({
-	formatDockerLoginError: () => formatDockerLoginError,
-	getDockerCmd: () => getDockerCmd,
-	runDockerForeground: () => runDockerForeground,
-	runDockerStreaming: () => runDockerStreaming,
-	spawnForeground: () => spawnForeground,
-	spawnStreaming: () => spawnStreaming
-});
-/**
-* Shared helpers for invoking the docker-compatible CLI binary across cdkd.
-*
-* Two parity decisions with `aws-cdk-cli`'s `cdk-assets-lib`:
-*   1. `CDK_DOCKER` env var swaps the binary so podman / finch users can
-*      run cdkd without code changes (`CDK_DOCKER=podman cdkd deploy`).
-*   2. `runDockerStreaming` uses streaming spawn rather than `execFile`'s
-*      buffered `maxBuffer` ceiling. BuildKit's progress output can run to
-*      tens of MB on multi-stage builds with `# syntax=docker/dockerfile:1`
-*      frontend downloads + heredoc / `RUN --mount=...` features; the 50 MB
-*      `execFile` ceiling cdkd used to set silently killed those builds
-*      with `ERR_CHILD_PROCESS_STDIO_MAXBUFFER`.
-*
-* Output handling: stdout/stderr are collected in memory unconditionally so
-* `runDockerStreaming` can return them to the caller for error wrapping.
-* When the logger is at debug level (i.e. the user passed `--verbose`),
-* the chunks are ALSO mirrored to `process.stdout` / `process.stderr` so
-* the user sees live build progress.
-*/
-/**
-* Return the docker-compatible CLI binary to invoke. Matches CDK CLI:
-* `CDK_DOCKER` env var overrides the default `docker` so users on
-* podman / finch / nerdctl can swap without changing cdkd code.
-*/
-function getDockerCmd() {
-	const override = process.env["CDK_DOCKER"];
-	return override && override.length > 0 ? override : "docker";
-}
-/**
-* Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) with
-* streaming I/O. Collects stdout/stderr in memory and resolves with both
-* on exit code 0; rejects with a `SpawnError` carrying both streams on any
-* non-zero exit so the caller can wrap with its own error class without
-* losing the upstream output.
-*
-* No `maxBuffer` ceiling: BuildKit progress output frequently exceeds the
-* `child_process.execFile` default of 1 MB (cdkd previously bumped to 50 MB
-* but BuildKit + frontend pulls can still exceed that on first-time builds).
-*/
-async function runDockerStreaming(args, options = {}) {
-	return spawnStreaming(getDockerCmd(), args, options);
-}
-/**
-* Generic streaming spawn — used by `runDockerStreaming` AND by the
-* `executable` source mode in `docker-build.ts` (which runs an arbitrary
-* user-supplied build command, not docker).
-*/
-async function spawnStreaming(cmd, args, options = {}) {
-	const streamLive = options.streamLive ?? getLogger().getLevel() === "debug";
-	const env = options.env ? mergeEnv(options.env) : void 0;
-	return new Promise((resolve, reject) => {
-		const child = spawn(cmd, args, {
-			cwd: options.cwd,
-			env,
-			stdio: [
-				options.input ? "pipe" : "ignore",
-				"pipe",
-				"pipe"
-			]
-		});
-		const stdoutChunks = [];
-		const stderrChunks = [];
-		child.stdout.on("data", (chunk) => {
-			stdoutChunks.push(chunk);
-			if (streamLive) process.stdout.write(chunk);
-		});
-		child.stderr.on("data", (chunk) => {
-			stderrChunks.push(chunk);
-			if (streamLive) process.stderr.write(chunk);
-		});
-		child.once("error", (err) => {
-			if (err.code === "ENOENT") {
-				const usingOverride = process.env["CDK_DOCKER"] === cmd && cmd !== "docker";
-				reject(/* @__PURE__ */ new Error(usingOverride ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.` : `Failed to find and execute '${cmd}'. Install Docker (or set the 'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`));
-			} else reject(err);
-		});
-		child.once("close", (code) => {
-			const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
-			const stderr = Buffer.concat(stderrChunks).toString("utf-8");
-			if (code === 0) resolve({
-				stdout,
-				stderr
-			});
-			else {
-				const message = stderr.trim() || stdout.trim() || `${cmd} ${args[0] ?? ""} exited with code ${code}`;
-				const err = new Error(message);
-				err.stderr = stderr;
-				err.stdout = stdout;
-				err.exitCode = code;
-				reject(err);
-			}
-		});
-		if (options.input !== void 0) {
-			child.stdin.on("error", () => {});
-			child.stdin.write(options.input);
-			child.stdin.end();
-		}
-	});
-}
-/**
-* Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) attached
-* to the parent process's stdio so the user sees live output (`docker pull`
-* layer progress, `docker login` interactive prompts that should never fire
-* with `--password-stdin` but still safe to inherit, etc.). Resolves on exit
-* code 0; rejects with a plain `Error` carrying the exit code on any non-zero
-* exit, so the caller can wrap with its own error class.
-*
-* Differs from {@link runDockerStreaming} in two ways:
-*   1. `stdio: 'inherit'` — output is NOT captured, so terminal control codes
-*      (color, progress bar overwrites) flow through unchanged. This is the
-*      load-bearing reason for the split: `docker pull`'s progress bars only
-*      animate properly when stdout is a real TTY connected to the parent.
-*   2. No `input` / `streamLive` options — inherit-mode has nothing to
-*      capture and nothing to mirror.
-*
-* Used by the `--verbose`-mode `docker pull` plumbing in `docker-runner.ts`
-* and `ecr-puller.ts` (visible layer progress). Non-verbose pulls go through
-* {@link runDockerStreaming} so stderr can be folded into the error message.
-*/
-async function runDockerForeground(args, options = {}) {
-	return spawnForeground(getDockerCmd(), args, options);
-}
-/**
-* Foreground (stdio-inherit) spawn — the inherit-mode counterpart to
-* {@link spawnStreaming}. Used by {@link runDockerForeground} for docker-CLI
-* subprocesses.
-*
-* The ENOENT branch crafts a docker-specific install hint ("Install Docker
-* (or set CDK_DOCKER ...)"), so non-docker callers reusing this helper
-* would see a misleading error on missing-binary failures. Keep the binary
-* docker-shaped, or update the ENOENT message before adding a non-docker
-* call site.
-*/
-async function spawnForeground(cmd, args, options = {}) {
-	const env = options.env ? mergeEnv(options.env) : void 0;
-	return new Promise((resolve, reject) => {
-		const child = spawn(cmd, args, {
-			cwd: options.cwd,
-			env,
-			stdio: "inherit"
-		});
-		child.once("error", (err) => {
-			if (err.code === "ENOENT") {
-				const usingOverride = process.env["CDK_DOCKER"] === cmd && cmd !== "docker";
-				reject(/* @__PURE__ */ new Error(usingOverride ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.` : `Failed to find and execute '${cmd}'. Install Docker (or set the 'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`));
-			} else reject(/* @__PURE__ */ new Error(`${cmd} failed: ${err.message}`));
-		});
-		child.once("close", (code) => {
-			if (code === 0) resolve();
-			else reject(/* @__PURE__ */ new Error(`${cmd} exited with code ${code}`));
-		});
-	});
-}
-/**
-* Format the stderr from a failed `docker login` so the surfaced cdkd
-* error gives the user an actionable workaround when the underlying
-* failure is a credential-helper persistence bug (which has nothing to
-* do with cdkd, AWS, or IAM perms — the docker CLI itself fails to
-* save the auth token to the platform's credential store). The most
-* common shape is `osxkeychain` on macOS rejecting an overwrite for
-* an existing entry, but `wincred` (Windows), `pass` (Linux), and
-* `secretservice` (Linux) hit the same class of `Error saving
-* credentials` failure, so the rewritten message stays platform-
-* agnostic — `docker logout <endpoint>` is the correct recovery on
-* every backend.
-*
-* Detected docker / docker-credential-* output patterns:
-*   - `error storing credentials - err: exit status 1, out: \`The
-*     specified item already exists in the keychain.\`` (osxkeychain)
-*   - `Error saving credentials: ...` (any backend)
-*
-* Non-matching failures (genuine IAM / network / endpoint problems)
-* pass through with just the stderr trimmed — the original message
-* stays load-bearing for diagnosis.
-*/
-function formatDockerLoginError(stderr, endpoint) {
-	const trimmed = stderr.trim();
-	if (trimmed.includes("already exists in the keychain") || trimmed.includes("Error saving credentials")) return `docker's credential helper (osxkeychain on macOS / wincred on Windows / pass / secretservice on Linux) failed to persist the ECR auth token. The "already exists in the keychain" / "Error saving credentials" output is a known docker-credential-helpers issue — unrelated to cdkd, AWS credentials, or IAM perms. Quick fix: run \`docker logout ${endpoint}\` to clear the stale entry, then retry the cdkd command. Permanent fix: edit ~/.docker/config.json and remove (or empty) the platform-specific "credsStore" entry (e.g. "osxkeychain" → "" or "desktop" on macOS Docker Desktop). Original docker stderr: ${trimmed}`;
-	return trimmed;
-}
-function mergeEnv(overrides) {
-	const merged = { ...process.env };
-	for (const [k, v] of Object.entries(overrides)) if (v === void 0) delete merged[k];
-	else merged[k] = v;
-	return merged;
-}
-
-//#endregion
-export { withSkipPrefix as _, runDockerStreaming as a, getLogger as c, getLiveRenderer as d, PATTERN_B_NAME_PROPERTIES as f, generateResourceNameWithFallback as g, generateResourceName as h, runDockerForeground as i, setLogger as l, applyDefaultNameForFallback as m, formatDockerLoginError as n, spawnStreaming as o, PATTERN_B_RESOURCE_TYPES as p, getDockerCmd as r, ConsoleLogger as s, docker_cmd_exports as t, runStackBuffered as u, withStackName as v };
-//# sourceMappingURL=docker-cmd-iDMcWcre.js.map