@go-to-k/cdkd 0.196.0 → 0.198.0

package/dist/cli.js

@@ -1,14 +1,13 @@
 #!/usr/bin/env node
-import { _ as withSkipPrefix, a as runDockerStreaming, c as getLogger, d as getLiveRenderer, f as PATTERN_B_NAME_PROPERTIES, g as generateResourceNameWithFallback, h as generateResourceName, i as runDockerForeground, n as formatDockerLoginError, p as PATTERN_B_RESOURCE_TYPES, r as getDockerCmd, u as runStackBuffered, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { A as S3StateBackend, B as resolveCaptureObservedState, C as assertRegionMatch, D as DagBuilder, E as DiffCalculator, F as buildDockerImage, G as CFN_TEMPLATE_BODY_LIMIT, H as resolveStateBucketWithDefault, I as Synthesizer, J as findLargeInlineResources, K as CFN_TEMPLATE_URL_LIMIT, L as getDefaultStateBucketName, M as AssetPublisher, N as stringifyValue, O as TemplateParser, P as WorkGraph, Q as resolveBucketRegion, R as getLegacyStateBucketName, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveStateBucketWithDefaultAndSource, V as resolveSkipPrefix, W as warnDeprecatedNoPrefixCliFlag, X as AssemblyReader, Y as uploadCfnTemplate, _ as matchesCdkPath, a as withRetry, at as LocalStartServiceError, b as ProviderRegistry, bt as withErrorHandling, c as bold, ct as NestedStackChildDirectDestroyError, d as green, dt as ResourceTimeoutError, et as CdkdError, f as red, ft as ResourceUpdateNotSupportedError, g as CDK_PATH_TAG, h as collectInlinePolicyNamesManagedBySiblings, i as withResourceDeadline, it as LocalMigrateError, j as shouldRetainResource, k as LockManager, l as cyan, lt as PartialFailureError, m as IAMRoleProvider, mt as StackTerminationProtectionError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as StackHasActiveImportsError, q as MIGRATE_TMP_PREFIX, r as DeployEngine, rt as LocalInvokeBuildError$1, s as formatResourceLine, st as MissingCdkCliError, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, ut as ProvisioningError, v as normalizeAwsTagsToCfn, w as IntrinsicFunctionResolver, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, yt as normalizeAwsError, z as resolveApp } from "./deploy-engine-C6v_fcDw.js";
-import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-B15NAPbL.js";
+import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
+import { $ as uploadCfnTemplate, A as S3StateBackend, At as PATTERN_B_NAME_PROPERTIES, B as Synthesizer, C as assertRegionMatch, Ct as normalizeAwsError, D as DagBuilder, E as DiffCalculator, Et as getLogger, F as buildDockerImage, Ft as withStackName, G as resolveSkipPrefix, H as getLegacyStateBucketName, I as formatDockerLoginError, J as warnDeprecatedNoPrefixCliFlag, K as resolveStateBucketWithDefault, L as getDockerCmd, M as AssetPublisher, Mt as generateResourceName, N as stringifyValue, Nt as generateResourceNameWithFallback, O as TemplateParser, Ot as runStackBuffered, P as WorkGraph, Pt as withSkipPrefix, Q as findLargeInlineResources, R as runDockerForeground, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveApp, V as getDefaultStateBucketName, W as resolveCaptureObservedState, X as CFN_TEMPLATE_URL_LIMIT, Y as CFN_TEMPLATE_BODY_LIMIT, Z as MIGRATE_TMP_PREFIX, _ as matchesCdkPath, _t as StackHasActiveImportsError, a as withRetry, b as ProviderRegistry, c as bold, ct as LocalMigrateError, d as green, dt as MissingCdkCliError, et as AssemblyReader, f as red, ft as NestedStackChildDirectDestroyError, g as CDK_PATH_TAG, gt as ResourceUpdateNotSupportedError, h as collectInlinePolicyNamesManagedBySiblings, ht as ResourceTimeoutError, i as withResourceDeadline, it as CdkdError, j as shouldRetainResource, jt as PATTERN_B_RESOURCE_TYPES, k as LockManager, kt as getLiveRenderer, l as cyan, lt as LocalStartServiceError, m as IAMRoleProvider, mt as ProvisioningError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as resolveBucketRegion, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as PartialFailureError, q as resolveStateBucketWithDefaultAndSource, r as DeployEngine, s as formatResourceLine, st as LocalInvokeBuildError$1, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, v as normalizeAwsTagsToCfn, vt as StackTerminationProtectionError, w as IntrinsicFunctionResolver, wt as withErrorHandling, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, z as runDockerStreaming } from "./deploy-engine-B3Xc-bxB.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { AddRoleToInstanceProfileCommand, AddUserToGroupCommand, AttachGroupPolicyCommand, AttachRolePolicyCommand, AttachUserPolicyCommand, CreateGroupCommand, CreateInstanceProfileCommand, CreateLoginProfileCommand, CreatePolicyCommand, CreatePolicyVersionCommand, CreateUserCommand, DeleteAccessKeyCommand, DeleteGroupCommand, DeleteGroupPolicyCommand, DeleteInstanceProfileCommand, DeleteLoginProfileCommand, DeletePolicyCommand, DeletePolicyVersionCommand, DeleteRolePolicyCommand, DeleteUserCommand, DeleteUserPermissionsBoundaryCommand, DeleteUserPolicyCommand, DetachGroupPolicyCommand, DetachRolePolicyCommand, DetachUserPolicyCommand, GetGroupCommand, GetGroupPolicyCommand, GetInstanceProfileCommand, GetPolicyCommand, GetPolicyVersionCommand, GetRolePolicyCommand, GetUserCommand, GetUserPolicyCommand, IAMClient, ListAccessKeysCommand, ListAttachedGroupPoliciesCommand, ListAttachedUserPoliciesCommand, ListEntitiesForPolicyCommand, ListGroupPoliciesCommand, ListGroupsForUserCommand, ListInstanceProfilesCommand, ListPoliciesCommand, ListPolicyTagsCommand, ListPolicyVersionsCommand, ListUserPoliciesCommand, ListUserTagsCommand, ListUsersCommand, NoSuchEntityException, PutGroupPolicyCommand, PutRolePolicyCommand, PutUserPermissionsBoundaryCommand, PutUserPolicyCommand, RemoveRoleFromInstanceProfileCommand, RemoveUserFromGroupCommand, TagPolicyCommand, TagUserCommand, UntagPolicyCommand, UntagUserCommand, UpdateLoginProfileCommand } from "@aws-sdk/client-iam";
 import { CreateQueueCommand, DeleteQueueCommand, GetQueueAttributesCommand, GetQueueUrlCommand, ListQueueTagsCommand, ListQueuesCommand, QueueDoesNotExist, SQSClient, SetQueueAttributesCommand, TagQueueCommand, UntagQueueCommand } from "@aws-sdk/client-sqs";
 import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesCommand, GetTopicAttributesCommand, ListTagsForResourceCommand, ListTopicsCommand, NotFoundException, SNSClient, SetTopicAttributesCommand, SubscribeCommand, TagResourceCommand, UnsubscribeCommand, UntagResourceCommand } from "@aws-sdk/client-sns";
-import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionRecursionConfigCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand as GetPolicyCommand$1, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, PutFunctionRecursionConfigCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
+import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionConcurrencyCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionConcurrencyCommand, GetFunctionRecursionConfigCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand as GetPolicyCommand$1, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, PutFunctionConcurrencyCommand, PutFunctionRecursionConfigCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
 import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
 import { CreateTableCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateContinuousBackupsCommand, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
@@ -17,9 +16,9 @@ import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, Cre
 import { CreateEventBusCommand, DeleteEventBusCommand, DeleteRuleCommand, DescribeEventBusCommand, DescribeRuleCommand, EventBridgeClient, ListEventBusesCommand, ListRulesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$1, ListTargetsByRuleCommand, PutRuleCommand, PutTargetsCommand, RemoveTargetsCommand, ResourceNotFoundException as ResourceNotFoundException$2, TagResourceCommand as TagResourceCommand$4, UntagResourceCommand as UntagResourceCommand$4, UpdateEventBusCommand } from "@aws-sdk/client-eventbridge";
 import { CreateSecretCommand, DeleteSecretCommand, DescribeSecretCommand, GetSecretValueCommand, ListSecretsCommand, RemoveRegionsFromReplicationCommand, ReplicateSecretToRegionsCommand, ResourceNotFoundException as ResourceNotFoundException$3, SecretsManagerClient, TagResourceCommand as TagResourceCommand$5, UntagResourceCommand as UntagResourceCommand$5, UpdateSecretCommand } from "@aws-sdk/client-secrets-manager";
 import { AddTagsToResourceCommand, DeleteParameterCommand, DescribeParametersCommand, GetParameterCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$2, ParameterNotFound, PutParameterCommand, RemoveTagsFromResourceCommand, SSMClient } from "@aws-sdk/client-ssm";
-import { CloudFrontClient, CreateCloudFrontOriginAccessIdentityCommand, CreateDistributionCommand, DeleteCloudFrontOriginAccessIdentityCommand, DeleteDistributionCommand, GetCloudFrontOriginAccessIdentityCommand, GetDistributionCommand, GetDistributionConfigCommand, ListDistributionsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$3, NoSuchCloudFrontOriginAccessIdentity, NoSuchDistribution, UpdateCloudFrontOriginAccessIdentityCommand, UpdateDistributionCommand } from "@aws-sdk/client-cloudfront";
-import { CloudWatchClient, DeleteAlarmsCommand, DescribeAlarmsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$4, PutMetricAlarmCommand, TagResourceCommand as TagResourceCommand$6, UntagResourceCommand as UntagResourceCommand$6 } from "@aws-sdk/client-cloudwatch";
-import { CloudWatchLogsClient, CreateLogGroupCommand, DeleteDataProtectionPolicyCommand, DeleteIndexPolicyCommand, DeleteLogGroupCommand, DeleteRetentionPolicyCommand, DescribeIndexPoliciesCommand, DescribeLogGroupsCommand, GetDataProtectionPolicyCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$5, PutBearerTokenAuthenticationCommand, PutDataProtectionPolicyCommand, PutIndexPolicyCommand, PutLogGroupDeletionProtectionCommand, PutRetentionPolicyCommand, ResourceAlreadyExistsException, ResourceNotFoundException as ResourceNotFoundException$4, TagResourceCommand as TagResourceCommand$7, UntagResourceCommand as UntagResourceCommand$7 } from "@aws-sdk/client-cloudwatch-logs";
+import { CloudFrontClient, CreateCloudFrontOriginAccessIdentityCommand, CreateDistributionCommand, CreateDistributionWithTagsCommand, DeleteCloudFrontOriginAccessIdentityCommand, DeleteDistributionCommand, GetCloudFrontOriginAccessIdentityCommand, GetDistributionCommand, GetDistributionConfigCommand, ListDistributionsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$3, NoSuchCloudFrontOriginAccessIdentity, NoSuchDistribution, TagResourceCommand as TagResourceCommand$6, UntagResourceCommand as UntagResourceCommand$6, UpdateCloudFrontOriginAccessIdentityCommand, UpdateDistributionCommand } from "@aws-sdk/client-cloudfront";
+import { CloudWatchClient, DeleteAlarmsCommand, DescribeAlarmsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$4, PutMetricAlarmCommand, TagResourceCommand as TagResourceCommand$7, UntagResourceCommand as UntagResourceCommand$7 } from "@aws-sdk/client-cloudwatch";
+import { CloudWatchLogsClient, CreateLogGroupCommand, DeleteDataProtectionPolicyCommand, DeleteIndexPolicyCommand, DeleteLogGroupCommand, DeleteRetentionPolicyCommand, DescribeIndexPoliciesCommand, DescribeLogGroupsCommand, GetDataProtectionPolicyCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$5, PutBearerTokenAuthenticationCommand, PutDataProtectionPolicyCommand, PutIndexPolicyCommand, PutLogGroupDeletionProtectionCommand, PutRetentionPolicyCommand, ResourceAlreadyExistsException, ResourceNotFoundException as ResourceNotFoundException$4, TagResourceCommand as TagResourceCommand$8, UntagResourceCommand as UntagResourceCommand$8 } from "@aws-sdk/client-cloudwatch-logs";
 import { BedrockAgentCoreControlClient, CreateAgentRuntimeCommand, DeleteAgentRuntimeCommand, GetAgentRuntimeCommand, ResourceNotFoundException as ResourceNotFoundException$5, UpdateAgentRuntimeCommand } from "@aws-sdk/client-bedrock-agentcore-control";
 import { ACMClient, AddTagsToCertificateCommand, DeleteCertificateCommand, DescribeCertificateCommand, ListCertificatesCommand, ListTagsForCertificateCommand, RemoveTagsFromCertificateCommand, RequestCertificateCommand, ResourceNotFoundException as ResourceNotFoundException$6, UpdateCertificateOptionsCommand } from "@aws-sdk/client-acm";
 import * as fs from "node:fs";
@@ -30,8 +29,8 @@ import { execFile, spawn } from "node:child_process";
 import { tmpdir } from "node:os";
 import { AssociateVPCWithHostedZoneCommand, ChangeResourceRecordSetsCommand, ChangeTagsForResourceCommand, CreateHostedZoneCommand, CreateQueryLoggingConfigCommand, DeleteHostedZoneCommand, DeleteQueryLoggingConfigCommand, DisassociateVPCFromHostedZoneCommand, GetHostedZoneCommand, ListHostedZonesByNameCommand, ListHostedZonesCommand, ListQueryLoggingConfigsCommand, ListResourceRecordSetsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$6, Route53Client, UpdateHostedZoneCommentCommand, UpdateHostedZoneFeaturesCommand } from "@aws-sdk/client-route-53";
 import { AddTagsCommand, CreateListenerCommand, CreateLoadBalancerCommand, CreateTargetGroupCommand, DeleteListenerCommand, DeleteLoadBalancerCommand, DeleteTargetGroupCommand, DescribeListenersCommand, DescribeLoadBalancerAttributesCommand, DescribeLoadBalancersCommand, DescribeTagsCommand, DescribeTargetGroupsCommand, ElasticLoadBalancingV2Client, ModifyListenerCommand, ModifyLoadBalancerAttributesCommand, ModifyTargetGroupCommand, RemoveTagsCommand, SetIpAddressTypeCommand, SetSecurityGroupsCommand, SetSubnetsCommand } from "@aws-sdk/client-elastic-load-balancing-v2";
-import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCommand, DisableKeyCommand, DisableKeyRotationCommand, EnableKeyCommand, EnableKeyRotationCommand, GetKeyPolicyCommand, GetKeyRotationStatusCommand, KMSClient, ListAliasesCommand, ListKeysCommand, ListResourceTagsCommand, NotFoundException as NotFoundException$2, PutKeyPolicyCommand, ScheduleKeyDeletionCommand, TagResourceCommand as TagResourceCommand$8, UntagResourceCommand as UntagResourceCommand$8, UpdateAliasCommand, UpdateKeyDescriptionCommand } from "@aws-sdk/client-kms";
-import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$9 } from "@aws-sdk/client-ecr";
+import { CreateAliasCommand, CreateKeyCommand, DeleteAliasCommand, DescribeKeyCommand, DisableKeyCommand, DisableKeyRotationCommand, EnableKeyCommand, EnableKeyRotationCommand, GetKeyPolicyCommand, GetKeyRotationStatusCommand, KMSClient, ListAliasesCommand, ListKeysCommand, ListResourceTagsCommand, NotFoundException as NotFoundException$2, PutKeyPolicyCommand, ScheduleKeyDeletionCommand, TagResourceCommand as TagResourceCommand$9, UntagResourceCommand as UntagResourceCommand$9, UpdateAliasCommand, UpdateKeyDescriptionCommand } from "@aws-sdk/client-kms";
+import { CreateRepositoryCommand, DeleteLifecyclePolicyCommand, DeleteRepositoryCommand, DeleteRepositoryPolicyCommand, DescribeRepositoriesCommand, ECRClient, GetAuthorizationTokenCommand, GetLifecyclePolicyCommand, LifecyclePolicyNotFoundException, ListTagsForResourceCommand as ListTagsForResourceCommand$7, PutImageScanningConfigurationCommand, PutImageTagMutabilityCommand, PutLifecyclePolicyCommand, RepositoryNotFoundException, SetRepositoryPolicyCommand, TagResourceCommand as TagResourceCommand$10 } from "@aws-sdk/client-ecr";
 import graphlib from "graphlib";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$1, CreateDBClusterCommand, CreateDBInstanceCommand, CreateDBProxyCommand, CreateDBProxyEndpointCommand, CreateDBSubnetGroupCommand, DBProxyEndpointNotFoundFault, DBProxyNotFoundFault, DBProxyTargetGroupNotFoundFault, DBProxyTargetNotFoundFault, DeleteDBClusterCommand, DeleteDBInstanceCommand, DeleteDBProxyCommand, DeleteDBProxyEndpointCommand, DeleteDBSubnetGroupCommand, DeregisterDBProxyTargetsCommand, DescribeDBClustersCommand, DescribeDBInstancesCommand, DescribeDBProxiesCommand, DescribeDBProxyEndpointsCommand, DescribeDBProxyTargetGroupsCommand, DescribeDBProxyTargetsCommand, DescribeDBSubnetGroupsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$8, ModifyDBClusterCommand, ModifyDBInstanceCommand, ModifyDBProxyCommand, ModifyDBProxyEndpointCommand, ModifyDBProxyTargetGroupCommand, ModifyDBSubnetGroupCommand, RDSClient, RegisterDBProxyTargetsCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$1 } from "@aws-sdk/client-rds";
 import { Command, Option } from "commander";
@@ -42,18 +41,18 @@ import readline from "node:readline/promises";
 import * as zlib from "node:zlib";
 import { ApplicationAutoScalingClient, DeleteScalingPolicyCommand, DeregisterScalableTargetCommand, DescribeScalableTargetsCommand, DescribeScalingPoliciesCommand, PutScalingPolicyCommand, RegisterScalableTargetCommand } from "@aws-sdk/client-application-auto-scaling";
 import { ApiGatewayV2Client, CreateApiCommand, CreateAuthorizerCommand as CreateAuthorizerCommand$1, CreateIntegrationCommand, CreateRouteCommand as CreateRouteCommand$1, CreateStageCommand as CreateStageCommand$1, DeleteApiCommand, DeleteAuthorizerCommand as DeleteAuthorizerCommand$1, DeleteIntegrationCommand, DeleteRouteCommand as DeleteRouteCommand$1, DeleteStageCommand as DeleteStageCommand$1, GetApiCommand, GetApisCommand, GetAuthorizerCommand as GetAuthorizerCommand$1, GetIntegrationCommand, GetRouteCommand, GetStageCommand as GetStageCommand$1, NotFoundException as NotFoundException$3, UpdateApiCommand, UpdateAuthorizerCommand as UpdateAuthorizerCommand$1, UpdateIntegrationCommand, UpdateRouteCommand, UpdateStageCommand as UpdateStageCommand$1 } from "@aws-sdk/client-apigatewayv2";
-import { CreateStateMachineCommand, DeleteStateMachineCommand, DescribeStateMachineCommand, ListStateMachinesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$9, SFNClient, StateMachineDoesNotExist, TagResourceCommand as TagResourceCommand$10, UntagResourceCommand as UntagResourceCommand$9, UpdateStateMachineCommand } from "@aws-sdk/client-sfn";
-import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, DeleteServiceCommand, DeregisterTaskDefinitionCommand, DescribeClustersCommand, DescribeServicesCommand, DescribeTaskDefinitionCommand, ECSClient, ListClustersCommand, ListServicesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$10, PutClusterCapacityProvidersCommand, RegisterTaskDefinitionCommand, TagResourceCommand as TagResourceCommand$11, UntagResourceCommand as UntagResourceCommand$10, UpdateClusterCommand, UpdateServiceCommand } from "@aws-sdk/client-ecs";
+import { CreateStateMachineCommand, DeleteStateMachineCommand, DescribeStateMachineCommand, ListStateMachinesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$9, SFNClient, StateMachineDoesNotExist, TagResourceCommand as TagResourceCommand$11, UntagResourceCommand as UntagResourceCommand$10, UpdateStateMachineCommand } from "@aws-sdk/client-sfn";
+import { CreateClusterCommand, CreateServiceCommand, DeleteClusterCommand, DeleteServiceCommand, DeregisterTaskDefinitionCommand, DescribeClustersCommand, DescribeServicesCommand, DescribeTaskDefinitionCommand, ECSClient, ListClustersCommand, ListServicesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$10, PutClusterCapacityProvidersCommand, RegisterTaskDefinitionCommand, TagResourceCommand as TagResourceCommand$12, UntagResourceCommand as UntagResourceCommand$11, UpdateClusterCommand, UpdateServiceCommand } from "@aws-sdk/client-ecs";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$2, CreateDBClusterCommand as CreateDBClusterCommand$1, CreateDBInstanceCommand as CreateDBInstanceCommand$1, CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand$1, DeleteDBClusterCommand as DeleteDBClusterCommand$1, DeleteDBInstanceCommand as DeleteDBInstanceCommand$1, DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand$1, DescribeDBClustersCommand as DescribeDBClustersCommand$1, DescribeDBInstancesCommand as DescribeDBInstancesCommand$1, DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand$1, DocDBClient, ListTagsForResourceCommand as ListTagsForResourceCommand$11, ModifyDBClusterCommand as ModifyDBClusterCommand$1, ModifyDBInstanceCommand as ModifyDBInstanceCommand$1, ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand$1, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$2 } from "@aws-sdk/client-docdb";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$3, CreateDBClusterCommand as CreateDBClusterCommand$2, CreateDBInstanceCommand as CreateDBInstanceCommand$2, CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand$2, DeleteDBClusterCommand as DeleteDBClusterCommand$2, DeleteDBInstanceCommand as DeleteDBInstanceCommand$2, DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand$2, DescribeDBClustersCommand as DescribeDBClustersCommand$2, DescribeDBInstancesCommand as DescribeDBInstancesCommand$2, DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand$2, ListTagsForResourceCommand as ListTagsForResourceCommand$12, ModifyDBClusterCommand as ModifyDBClusterCommand$2, ModifyDBInstanceCommand as ModifyDBInstanceCommand$2, ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand$2, NeptuneClient, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$3 } from "@aws-sdk/client-neptune";
-import { CreateWebACLCommand, DeleteWebACLCommand, GetWebACLCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$13, ListWebACLsCommand, TagResourceCommand as TagResourceCommand$12, UntagResourceCommand as UntagResourceCommand$11, UpdateWebACLCommand, WAFNonexistentItemException, WAFV2Client } from "@aws-sdk/client-wafv2";
+import { CreateWebACLCommand, DeleteWebACLCommand, GetWebACLCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$13, ListWebACLsCommand, TagResourceCommand as TagResourceCommand$13, UntagResourceCommand as UntagResourceCommand$12, UpdateWebACLCommand, WAFNonexistentItemException, WAFV2Client } from "@aws-sdk/client-wafv2";
 import { CognitoIdentityProviderClient, CreateUserPoolCommand, DeleteUserPoolCommand, DescribeUserPoolCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$14, ListUserPoolsCommand, ResourceNotFoundException as ResourceNotFoundException$7, UpdateUserPoolCommand } from "@aws-sdk/client-cognito-identity-provider";
 import { AddTagsToResourceCommand as AddTagsToResourceCommand$4, CreateCacheClusterCommand, CreateCacheSubnetGroupCommand, DeleteCacheClusterCommand, DeleteCacheSubnetGroupCommand, DescribeCacheClustersCommand, DescribeCacheSubnetGroupsCommand, ElastiCacheClient, ListTagsForResourceCommand as ListTagsForResourceCommand$15, ModifyCacheClusterCommand, ModifyCacheSubnetGroupCommand, RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand$4 } from "@aws-sdk/client-elasticache";
 import { CreatePrivateDnsNamespaceCommand, CreateServiceCommand as CreateServiceCommand$1, DeleteNamespaceCommand, DeleteServiceCommand as DeleteServiceCommand$1, GetNamespaceCommand, GetOperationCommand, GetServiceCommand, ListNamespacesCommand, ListServicesCommand as ListServicesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$16, NamespaceNotFound, ServiceDiscoveryClient, ServiceNotFound, UpdatePrivateDnsNamespaceCommand, UpdateServiceCommand as UpdateServiceCommand$1 } from "@aws-sdk/client-servicediscovery";
-import { AppSyncClient, CreateApiKeyCommand, CreateDataSourceCommand, CreateGraphqlApiCommand, CreateResolverCommand, DeleteApiKeyCommand, DeleteDataSourceCommand, DeleteGraphqlApiCommand, DeleteResolverCommand, GetDataSourceCommand, GetGraphqlApiCommand, GetIntrospectionSchemaCommand, GetResolverCommand, ListApiKeysCommand, ListGraphqlApisCommand, NotFoundException as NotFoundException$4, StartSchemaCreationCommand, TagResourceCommand as TagResourceCommand$13, UntagResourceCommand as UntagResourceCommand$12, UpdateApiKeyCommand, UpdateDataSourceCommand, UpdateGraphqlApiCommand, UpdateResolverCommand } from "@aws-sdk/client-appsync";
+import { AppSyncClient, CreateApiKeyCommand, CreateDataSourceCommand, CreateGraphqlApiCommand, CreateResolverCommand, DeleteApiKeyCommand, DeleteDataSourceCommand, DeleteGraphqlApiCommand, DeleteResolverCommand, GetDataSourceCommand, GetGraphqlApiCommand, GetIntrospectionSchemaCommand, GetResolverCommand, ListApiKeysCommand, ListGraphqlApisCommand, NotFoundException as NotFoundException$4, StartSchemaCreationCommand, TagResourceCommand as TagResourceCommand$14, UntagResourceCommand as UntagResourceCommand$13, UpdateApiKeyCommand, UpdateDataSourceCommand, UpdateGraphqlApiCommand, UpdateResolverCommand } from "@aws-sdk/client-appsync";
 import { parse, print } from "graphql";
 import { CreateConnectionCommand, CreateCrawlerCommand, CreateDatabaseCommand, CreateJobCommand, CreateSecurityConfigurationCommand, CreateTableCommand as CreateTableCommand$1, CreateTriggerCommand, CreateWorkflowCommand, DeleteConnectionCommand, DeleteCrawlerCommand, DeleteDatabaseCommand, DeleteJobCommand, DeleteSecurityConfigurationCommand, DeleteTableCommand as DeleteTableCommand$1, DeleteTriggerCommand, DeleteWorkflowCommand, EntityNotFoundException, GetConnectionCommand, GetCrawlerCommand, GetDatabaseCommand, GetDatabasesCommand, GetJobCommand, GetSecurityConfigurationCommand, GetSecurityConfigurationsCommand, GetTableCommand, GetTablesCommand, GetTagsCommand, GetTriggerCommand, GetWorkflowCommand, GlueClient, ListWorkflowsCommand, StartCrawlerScheduleCommand, StartTriggerCommand, StopCrawlerScheduleCommand, StopTriggerCommand, UpdateConnectionCommand, UpdateCrawlerCommand, UpdateDatabaseCommand, UpdateJobCommand, UpdateTableCommand as UpdateTableCommand$1, UpdateTriggerCommand, UpdateWorkflowCommand } from "@aws-sdk/client-glue";
-import { AddTagsToStreamCommand, CreateStreamCommand, DecreaseStreamRetentionPeriodCommand, DeleteStreamCommand, DeregisterStreamConsumerCommand, DescribeStreamCommand, DescribeStreamConsumerCommand, IncreaseStreamRetentionPeriodCommand, KinesisClient, ListStreamsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$17, ListTagsForStreamCommand, RegisterStreamConsumerCommand, RemoveTagsFromStreamCommand, ResourceNotFoundException as ResourceNotFoundException$8, StartStreamEncryptionCommand, StopStreamEncryptionCommand, TagResourceCommand as TagResourceCommand$14, UntagResourceCommand as UntagResourceCommand$13, UpdateShardCountCommand } from "@aws-sdk/client-kinesis";
+import { AddTagsToStreamCommand, CreateStreamCommand, DecreaseStreamRetentionPeriodCommand, DeleteStreamCommand, DeregisterStreamConsumerCommand, DescribeStreamCommand, DescribeStreamConsumerCommand, IncreaseStreamRetentionPeriodCommand, KinesisClient, ListStreamsCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$17, ListTagsForStreamCommand, RegisterStreamConsumerCommand, RemoveTagsFromStreamCommand, ResourceNotFoundException as ResourceNotFoundException$8, StartStreamEncryptionCommand, StopStreamEncryptionCommand, TagResourceCommand as TagResourceCommand$15, UntagResourceCommand as UntagResourceCommand$14, UpdateShardCountCommand } from "@aws-sdk/client-kinesis";
 import { AccessPointNotFound, CreateAccessPointCommand, CreateFileSystemCommand, CreateMountTargetCommand, DeleteAccessPointCommand, DeleteFileSystemCommand, DeleteMountTargetCommand, DescribeAccessPointsCommand, DescribeBackupPolicyCommand, DescribeFileSystemsCommand, DescribeLifecycleConfigurationCommand, DescribeMountTargetSecurityGroupsCommand, DescribeMountTargetsCommand, EFSClient, FileSystemNotFound, ModifyMountTargetSecurityGroupsCommand, MountTargetNotFound, UpdateFileSystemCommand } from "@aws-sdk/client-efs";
 import { CreateDeliveryStreamCommand, DeleteDeliveryStreamCommand, DescribeDeliveryStreamCommand, FirehoseClient, ListDeliveryStreamsCommand, ListTagsForDeliveryStreamCommand, ResourceNotFoundException as ResourceNotFoundException$9, TagDeliveryStreamCommand, UntagDeliveryStreamCommand, UpdateDestinationCommand } from "@aws-sdk/client-firehose";
 import { AddTagsCommand as AddTagsCommand$1, CloudTrailClient, CreateTrailCommand, DeleteTrailCommand, GetEventSelectorsCommand, GetInsightSelectorsCommand, GetTrailCommand, GetTrailStatusCommand, ListTagsCommand as ListTagsCommand$1, ListTrailsCommand, PutEventSelectorsCommand, PutInsightSelectorsCommand, RemoveTagsCommand as RemoveTagsCommand$1, StartLoggingCommand, StopLoggingCommand, TrailNotFoundException, UpdateTrailCommand } from "@aws-sdk/client-cloudtrail";
@@ -63,7 +62,7 @@ import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
 import { createLocalStateProvider, getEmbedConfig, isCfnFlagPresent, listTargets, rejectExplicitCfnStackWithMultipleStacks, resolveCfnFallbackRegion, setEmbedConfig, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync } from "cdk-local";
-import { A2A_CONTAINER_PORT, A2A_PATH, AGENTCORE_A2A_PROTOCOL, AGENTCORE_AGUI_PROTOCOL, AGENTCORE_MCP_PROTOCOL, CloudMapRegistry, ConnectionRegistry, EcsTaskResolutionError, HOST_GATEWAY_MIN_VERSION, LocalInvokeBuildError, MCP_CONTAINER_PORT, MCP_PATH, a2aInvokeOnce, addCommonEcsServiceOptions, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildAgentCoreCodeImage, buildCloudMapIndex, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildJwksUrlFromIssuer, buildMessageEvent, buildMgmtEndpointEnvUrl, buildStageMap, createAuthorizerCache, createFileWatcher, createJwksCache, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, downloadAndExtractS3Bundle, filterRoutesByApiIdentifier, getContainerNetworkIp, groupRoutesByServer, handleConnectionsRequest, invokeAgentCore, invokeAgentCoreWs, isApplicationLoadBalancer, materializeLayerFromArn, mcpInvokeOnce, parseConnectionsPath, parseSelectionExpressionPath, pickAgentCoreCandidateStack, probeHostGatewaySupport, readMtlsMaterialsFromDisk, resolveAgentCoreTarget, resolveAlbFrontDoor, resolveEnvVars, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSingleTarget, resolveWatchConfig, runEcsServiceEmulator, signAgentCoreInvocation, startApiServer, substituteImagePlaceholders, tryResolveImageFnJoin, verifyJwtViaDiscovery, waitForAgentCorePing } from "cdk-local/internal";
+import { A2A_CONTAINER_PORT, A2A_PATH, AGENTCORE_A2A_PROTOCOL, AGENTCORE_AGUI_PROTOCOL, AGENTCORE_MCP_PROTOCOL, ConnectionRegistry, EcsTaskResolutionError, HOST_GATEWAY_MIN_VERSION, LocalInvokeBuildError, MCP_CONTAINER_PORT, MCP_PATH, a2aInvokeOnce, addCommonEcsServiceOptions, architectureToPlatform, attachAuthorizers, attachStageContext, availableApiIdentifiers, bufferToBody, buildAgentCoreCodeImage, buildCognitoJwksUrl, buildConnectEvent, buildContainerImage, buildCorsConfigByApiId, buildCorsConfigFromCloudFrontChain, buildDisconnectEvent, buildJwksUrlFromIssuer, buildMessageEvent, buildMgmtEndpointEnvUrl, buildStageMap, createAuthorizerCache, createFileWatcher, createJwksCache, createWatchPredicates, defaultCredentialsLoader, derivePseudoParametersFromRegion, discoverRoutes, discoverWebSocketApis, downloadAndExtractS3Bundle, filterRoutesByApiIdentifier, groupRoutesByServer, handleConnectionsRequest, invokeAgentCore, invokeAgentCoreWs, isApplicationLoadBalancer, materializeLayerFromArn, mcpInvokeOnce, parseConnectionsPath, parseSelectionExpressionPath, pickAgentCoreCandidateStack, probeHostGatewaySupport, readMtlsMaterialsFromDisk, resolveAgentCoreTarget, resolveAlbFrontDoor, resolveEnvVars, resolveRuntimeCodeMountPath, resolveRuntimeFileExtension, resolveRuntimeImage, resolveSingleTarget, resolveWatchConfig, runEcsServiceEmulator, signAgentCoreInvocation, startApiServer, substituteImagePlaceholders, tryResolveImageFnJoin, verifyJwtViaDiscovery, waitForAgentCorePing } from "cdk-local/internal";
 import { createServer } from "node:net";
 import { promisify } from "node:util";
 import { setTimeout as setTimeout$1 } from "node:timers/promises";
@@ -7054,7 +7053,8 @@ var LambdaFunctionProvider = class {
 		"ImageConfig",
 		"SnapStart",
 		"LoggingConfig",
-		"RecursiveLoop"
+		"RecursiveLoop",
+		"ReservedConcurrentExecutions"
 	])]]);
 	eniWaitTimeoutMs = 600 * 1e3;
 	eniWaitInitialDelayMs = 1e4;
@@ -7125,6 +7125,21 @@ var LambdaFunctionProvider = class {
 				}
 				throw new ProvisioningError(`Failed to set RecursiveLoop on Lambda function ${logicalId} (function was deleted to maintain atomicity): ${rlError instanceof Error ? rlError.message : String(rlError)}`, resourceType, logicalId, functionName, rlError instanceof Error ? rlError : void 0);
 			}
+			const reservedConcurrentExecutions = properties["ReservedConcurrentExecutions"];
+			if (reservedConcurrentExecutions !== void 0) try {
+				await this.lambdaClient.send(new PutFunctionConcurrencyCommand({
+					FunctionName: functionName,
+					ReservedConcurrentExecutions: reservedConcurrentExecutions
+				}));
+			} catch (pcError) {
+				this.logger.warn(`PutFunctionConcurrency failed for ${logicalId}: ${pcError instanceof Error ? pcError.message : String(pcError)} — deleting partially-created function to maintain atomicity`);
+				try {
+					await this.lambdaClient.send(new DeleteFunctionCommand({ FunctionName: functionName }));
+				} catch (deleteError) {
+					this.logger.error(`Cleanup DeleteFunction failed for ${logicalId} after PutFunctionConcurrency failure — function may be orphaned: ${deleteError instanceof Error ? deleteError.message : String(deleteError)}`);
+				}
+				throw new ProvisioningError(`Failed to set ReservedConcurrentExecutions on Lambda function ${logicalId} (function was deleted to maintain atomicity): ${pcError instanceof Error ? pcError.message : String(pcError)}`, resourceType, logicalId, functionName, pcError instanceof Error ? pcError : void 0);
+			}
 			this.logger.debug(`Successfully created Lambda function ${logicalId}: ${functionName}`);
 			return {
 				physicalId: response.FunctionName || functionName,
@@ -7218,6 +7233,17 @@ var LambdaFunctionProvider = class {
 				}));
 				this.logger.debug(`Updated RecursiveLoop for Lambda function ${physicalId} to '${newRecursiveLoop}'`);
 			}
+			const newReservedConcurrentExecutions = properties["ReservedConcurrentExecutions"];
+			if (newReservedConcurrentExecutions !== previousProperties["ReservedConcurrentExecutions"]) if (newReservedConcurrentExecutions === void 0) {
+				await this.lambdaClient.send(new DeleteFunctionConcurrencyCommand({ FunctionName: physicalId }));
+				this.logger.debug(`Cleared ReservedConcurrentExecutions for Lambda function ${physicalId} (template removed the property)`);
+			} else {
+				await this.lambdaClient.send(new PutFunctionConcurrencyCommand({
+					FunctionName: physicalId,
+					ReservedConcurrentExecutions: newReservedConcurrentExecutions
+				}));
+				this.logger.debug(`Updated ReservedConcurrentExecutions for Lambda function ${physicalId} to ${newReservedConcurrentExecutions}`);
+			}
 			const getResponse = await this.lambdaClient.send(new GetFunctionCommand({ FunctionName: physicalId }));
 			const functionArn = getResponse.Configuration?.FunctionArn;
 			await this.applyTagDiff(functionArn, previousProperties["Tags"], properties["Tags"]);
@@ -7743,6 +7769,12 @@ var LambdaFunctionProvider = class {
 			} catch (rlErr) {
 				if (!(rlErr instanceof ResourceNotFoundException)) this.logger.debug(`GetFunctionRecursionConfig failed for ${physicalId}: ${rlErr instanceof Error ? rlErr.message : String(rlErr)}`);
 			}
+			try {
+				const pcResp = await this.lambdaClient.send(new GetFunctionConcurrencyCommand({ FunctionName: physicalId }));
+				if (pcResp.ReservedConcurrentExecutions !== void 0) result["ReservedConcurrentExecutions"] = pcResp.ReservedConcurrentExecutions;
+			} catch (pcErr) {
+				if (!(pcErr instanceof ResourceNotFoundException)) this.logger.debug(`GetFunctionConcurrency failed for ${physicalId}: ${pcErr instanceof Error ? pcErr.message : String(pcErr)}`);
+			}
 			return result;
 		} catch (err) {
 			if (err instanceof ResourceNotFoundException) return void 0;
@@ -10862,14 +10894,14 @@ var LogsLogGroupProvider = class {
 			const arn = await this.buildArn(physicalId);
 			if (oldTags && oldTags.length > 0) {
 				const oldTagKeys = oldTags.map((t) => t.Key);
-				await this.logsClient.send(new UntagResourceCommand$7({
+				await this.logsClient.send(new UntagResourceCommand$8({
 					resourceArn: arn,
 					tagKeys: oldTagKeys
 				}));
 			}
 			if (newTags && newTags.length > 0) {
 				const tagsMap = Object.fromEntries(newTags.map((t) => [t.Key, t.Value]));
-				await this.logsClient.send(new TagResourceCommand$7({
+				await this.logsClient.send(new TagResourceCommand$8({
 					resourceArn: arn,
 					tags: tagsMap
 				}));
@@ -11225,14 +11257,14 @@ var CloudWatchAlarmProvider = class {
 		const tagsToRemove = [];
 		for (const k of oldMap.keys()) if (!newMap.has(k)) tagsToRemove.push(k);
 		if (tagsToRemove.length > 0) {
-			await this.cloudWatchClient.send(new UntagResourceCommand$6({
+			await this.cloudWatchClient.send(new UntagResourceCommand$7({
 				ResourceARN: resourceArn,
 				TagKeys: tagsToRemove
 			}));
 			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from alarm ${resourceArn}`);
 		}
 		if (tagsToAdd.length > 0) {
-			await this.cloudWatchClient.send(new TagResourceCommand$6({
+			await this.cloudWatchClient.send(new TagResourceCommand$7({
 				ResourceARN: resourceArn,
 				Tags: tagsToAdd
 			}));
@@ -17106,7 +17138,7 @@ const CACHE_BEHAVIOR_QUANTITY_FIELDS = [
 var CloudFrontDistributionProvider = class {
 	cloudFrontClient;
 	logger = getLogger().child("CloudFrontDistributionProvider");
-	handledProperties = new Map([["AWS::CloudFront::Distribution", new Set(["DistributionConfig"])]]);
+	handledProperties = new Map([["AWS::CloudFront::Distribution", new Set(["DistributionConfig", "Tags"])]]);
 	constructor() {
 		const awsClients = getAwsClients();
 		this.cloudFrontClient = awsClients.cloudFront;
@@ -17122,7 +17154,11 @@ var CloudFrontDistributionProvider = class {
 				...distributionConfig,
 				CallerReference: `${Date.now()}-${logicalId}-${Math.random().toString(36).slice(2, 8)}`
 			});
-			const distribution = (await this.cloudFrontClient.send(new CreateDistributionCommand({ DistributionConfig: sdkConfig }))).Distribution;
+			const sdkTags = this.toSdkTags(properties["Tags"]);
+			const distribution = (sdkTags ? await this.cloudFrontClient.send(new CreateDistributionWithTagsCommand({ DistributionConfigWithTags: {
+				DistributionConfig: sdkConfig,
+				Tags: { Items: sdkTags }
+			} })) : await this.cloudFrontClient.send(new CreateDistributionCommand({ DistributionConfig: sdkConfig }))).Distribution;
 			const distributionId = distribution.Id;
 			const domainName = distribution.DomainName;
 			this.logger.debug(`Created CloudFront Distribution: ${distributionId} (${domainName})`);
@@ -17149,7 +17185,7 @@ var CloudFrontDistributionProvider = class {
 	* Gets the current config via GetDistributionConfigCommand, merges new properties,
 	* then calls UpdateDistributionCommand with the required IfMatch ETag.
 	*/
-	async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
 		this.logger.debug(`Updating CloudFront Distribution ${logicalId}: ${physicalId}`);
 		try {
 			const getConfigResponse = await this.cloudFrontClient.send(new GetDistributionConfigCommand({ Id: physicalId }));
@@ -17165,7 +17201,10 @@ var CloudFrontDistributionProvider = class {
 				IfMatch: etag,
 				DistributionConfig: sdkConfig
 			}));
-			const domainName = (await this.cloudFrontClient.send(new GetDistributionCommand({ Id: physicalId }))).Distribution?.DomainName ?? "";
+			const getResponse = await this.cloudFrontClient.send(new GetDistributionCommand({ Id: physicalId }));
+			const domainName = getResponse.Distribution?.DomainName ?? "";
+			const arn = getResponse.Distribution?.ARN;
+			await this.tryApplyTagDiff(arn, previousProperties["Tags"], properties["Tags"], physicalId);
 			this.logger.debug(`Updated CloudFront Distribution ${physicalId}`);
 			return {
 				physicalId,
@@ -17379,6 +17418,107 @@ var CloudFrontDistributionProvider = class {
 		}
 	}
 	/**
+	* Convert CFn `Tags: [{ Key, Value }]` to the CloudFront SDK's `Tag[]`
+	* shape (which happens to be the same `{ Key, Value }` per-entry shape),
+	* dropping entries missing a Key and normalizing missing-Value to `''`
+	* (matching `tagsArrayToMap`'s shape so the create-path and update-diff-
+	* path agree on what counts as "the same tag"). Returns `undefined`
+	* when the input is absent or empty so the caller can route to
+	* `CreateDistributionCommand` instead of `CreateDistributionWithTagsCommand`
+	* — passing an empty `Tags.Items: []` to the latter is a silent no-op
+	* but uses the tags-enabled control-plane path for nothing.
+	*/
+	toSdkTags(value) {
+		const map = this.tagsArrayToMap(value);
+		if (map.size === 0) return void 0;
+		return [...map.entries()].map(([Key, Value]) => ({
+			Key,
+			Value
+		}));
+	}
+	/**
+	* Compute the (removed-keys, upserted-tags) diff between two CFn `Tags`
+	* snapshots. Pure function — does NOT touch AWS, so the caller can
+	* decide on the basis of the result whether the ARN is actually needed
+	* (no diff = no ARN required).
+	*/
+	computeTagDiff(previousTags, newTags) {
+		const prev = this.tagsArrayToMap(previousTags);
+		const next = this.tagsArrayToMap(newTags);
+		const removed = [...prev.keys()].filter((k) => !next.has(k));
+		const upserts = [];
+		for (const [k, v] of next.entries()) if (prev.get(k) !== v) upserts.push({
+			Key: k,
+			Value: v
+		});
+		return {
+			removed,
+			upserts
+		};
+	}
+	/**
+	* Apply a tag diff to a distribution, best-effort.
+	*
+	* CloudFront has no atomic overlay API for tags — `TagResource` adds /
+	* overwrites and `UntagResource` removes. Run the removal first, then
+	* the upsert, so a same-key value rewrite (which lands in `upserts`)
+	* is not accidentally cleared by a stale Untag.
+	*
+	* Errors are logged but not rethrown — `update()` already succeeded
+	* the `UpdateDistribution` call before this is invoked, so propagating
+	* a tag-side error would flip a successful config update into a deploy
+	* failure that triggers an idempotent retry. A `warn` surfaces the
+	* unapplied delta to the operator without breaking the deploy.
+	*
+	* The ARN is unexpectedly absent only on a hypothetical SDK regression
+	* (`GetDistribution` returns ARN as a required string in every SDK
+	* shape verified so far). When that happens AND a tag delta exists,
+	* log a warn so the silent-drop this PR is closing does not silently
+	* resurface; when no delta exists, return without needing ARN.
+	*/
+	async tryApplyTagDiff(arn, previousTags, newTags, physicalId) {
+		const { removed, upserts } = this.computeTagDiff(previousTags, newTags);
+		if (removed.length === 0 && upserts.length === 0) return;
+		if (!arn) {
+			this.logger.warn(`CloudFront Distribution ${physicalId}: GetDistribution returned no ARN; skipping tag diff (removed=${removed.length}, upserts=${upserts.length}). Tags on AWS may drift from the template.`);
+			return;
+		}
+		try {
+			if (removed.length > 0) {
+				this.logger.debug(`Untagging CloudFront Distribution ${arn}: ${removed.join(", ")}`);
+				await this.cloudFrontClient.send(new UntagResourceCommand$6({
+					Resource: arn,
+					TagKeys: { Items: removed }
+				}));
+			}
+			if (upserts.length > 0) {
+				this.logger.debug(`Tagging CloudFront Distribution ${arn}: ${upserts.map((t) => t.Key).join(", ")}`);
+				await this.cloudFrontClient.send(new TagResourceCommand$6({
+					Resource: arn,
+					Tags: { Items: upserts }
+				}));
+			}
+		} catch (err) {
+			this.logger.warn(`CloudFront Distribution ${physicalId}: tag diff failed (removed=${removed.length}, upserts=${upserts.length}): ${err instanceof Error ? err.message : String(err)}. UpdateDistribution itself succeeded; tags on AWS may drift from the template until the next deploy.`);
+		}
+	}
+	/**
+	* Convert a CFn `Tags: [{ Key, Value }]` array to a plain map. Entries
+	* missing a `Key` are dropped; a missing `Value` becomes `''` so the
+	* diff treats `{ Key: 'k' }` and `{ Key: 'k', Value: '' }` the same.
+	*/
+	tagsArrayToMap(value) {
+		const map = /* @__PURE__ */ new Map();
+		if (!Array.isArray(value)) return map;
+		for (const entry of value) {
+			const key = entry["Key"];
+			if (typeof key !== "string") continue;
+			const val = entry["Value"];
+			map.set(key, typeof val === "string" ? val : "");
+		}
+		return map;
+	}
+	/**
 	* Adopt an existing CloudFront distribution into cdkd state.
 	*
 	* CloudFront distributions don't carry a template-supplied name
@@ -17942,14 +18082,14 @@ var StepFunctionsProvider = class {
 		const tagsToRemove = [];
 		for (const k of oldMap.keys()) if (!newMap.has(k)) tagsToRemove.push(k);
 		if (tagsToRemove.length > 0) {
-			await this.getClient().send(new UntagResourceCommand$9({
+			await this.getClient().send(new UntagResourceCommand$10({
 				resourceArn: stateMachineArn,
 				tagKeys: tagsToRemove
 			}));
 			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from SFN state machine ${stateMachineArn}`);
 		}
 		if (tagsToAdd.length > 0) {
-			await this.getClient().send(new TagResourceCommand$10({
+			await this.getClient().send(new TagResourceCommand$11({
 				resourceArn: stateMachineArn,
 				tags: tagsToAdd
 			}));
@@ -18457,14 +18597,14 @@ var ECSProvider = class {
 		const tagsToRemove = [];
 		for (const k of oldMap.keys()) if (!newMap.has(k)) tagsToRemove.push(k);
 		if (tagsToRemove.length > 0) {
-			await this.getClient().send(new UntagResourceCommand$10({
+			await this.getClient().send(new UntagResourceCommand$11({
 				resourceArn,
 				tagKeys: tagsToRemove
 			}));
 			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from ECS resource ${resourceArn}`);
 		}
 		if (tagsToAdd.length > 0) {
-			await this.getClient().send(new TagResourceCommand$11({
+			await this.getClient().send(new TagResourceCommand$12({
 				resourceArn,
 				tags: tagsToAdd
 			}));
@@ -23600,14 +23740,14 @@ var WAFv2WebACLProvider = class {
 		const tagsToRemove = [];
 		for (const k of oldMap.keys()) if (!newMap.has(k)) tagsToRemove.push(k);
 		if (tagsToRemove.length > 0) {
-			await this.getClient().send(new UntagResourceCommand$11({
+			await this.getClient().send(new UntagResourceCommand$12({
 				ResourceARN: arn,
 				TagKeys: tagsToRemove
 			}));
 			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from WAFv2 WebACL ${arn}`);
 		}
 		if (tagsToAdd.length > 0) {
-			await this.getClient().send(new TagResourceCommand$12({
+			await this.getClient().send(new TagResourceCommand$13({
 				ResourceARN: arn,
 				Tags: tagsToAdd
 			}));
@@ -25427,7 +25567,7 @@ var AppSyncProvider = class {
 		const tagsToAdd = {};
 		for (const [k, v] of Object.entries(newMap)) if (oldMap[k] !== v) tagsToAdd[k] = v;
 		if (tagKeysToRemove.length > 0) try {
-			await this.getClient().send(new UntagResourceCommand$12({
+			await this.getClient().send(new UntagResourceCommand$13({
 				resourceArn: arn,
 				tagKeys: tagKeysToRemove
 			}));
@@ -25435,7 +25575,7 @@ var AppSyncProvider = class {
 			throw this.wrapUpdateError(error, resourceType, logicalId, apiId, "GraphqlApi (untag)");
 		}
 		if (Object.keys(tagsToAdd).length > 0) try {
-			await this.getClient().send(new TagResourceCommand$13({
+			await this.getClient().send(new TagResourceCommand$14({
 				resourceArn: arn,
 				tags: tagsToAdd
 			}));
@@ -27889,14 +28029,14 @@ var KMSProvider = class {
 		const tagsToRemove = [];
 		for (const k of oldMap.keys()) if (!newMap.has(k)) tagsToRemove.push(k);
 		if (tagsToRemove.length > 0) {
-			await this.getClient().send(new UntagResourceCommand$8({
+			await this.getClient().send(new UntagResourceCommand$9({
 				KeyId: keyId,
 				TagKeys: tagsToRemove
 			}));
 			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from KMS Key ${keyId}`);
 		}
 		if (tagsToAdd.length > 0) {
-			await this.getClient().send(new TagResourceCommand$8({
+			await this.getClient().send(new TagResourceCommand$9({
 				KeyId: keyId,
 				Tags: tagsToAdd
 			}));
@@ -28678,14 +28818,14 @@ var KinesisStreamConsumerProvider = class {
 		const tagsToRemove = [];
 		for (const k of Object.keys(oldMap)) if (!(k in newMap)) tagsToRemove.push(k);
 		if (tagsToRemove.length > 0) {
-			await this.getClient().send(new UntagResourceCommand$13({
+			await this.getClient().send(new UntagResourceCommand$14({
 				ResourceARN: consumerArn,
 				TagKeys: tagsToRemove
 			}));
 			this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from Kinesis stream consumer ${consumerArn}`);
 		}
 		if (Object.keys(tagsToAdd).length > 0) {
-			await this.getClient().send(new TagResourceCommand$14({
+			await this.getClient().send(new TagResourceCommand$15({
 				ResourceARN: consumerArn,
 				Tags: tagsToAdd
 			}));
@@ -32352,7 +32492,7 @@ var ECRProvider = class {
 			if (JSON.stringify(newTags) !== JSON.stringify(oldTags)) {
 				const repoArn = (await this.getClient().send(new DescribeRepositoriesCommand({ repositoryNames: [physicalId] }))).repositories?.[0]?.repositoryArn;
 				if (repoArn && newTags) {
-					await this.getClient().send(new TagResourceCommand$9({
+					await this.getClient().send(new TagResourceCommand$10({
 						resourceArn: repoArn,
 						tags: newTags
 					}));
@@ -43136,14 +43276,14 @@ function parseTarget(target) {
 function resolveLambdaTarget(target, stacks) {
 	if (stacks.length === 0) throw new LocalInvokeResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseTarget(target);
-	const stack = pickStack$3(parsed, stacks);
+	const stack = pickStack$2(parsed, stacks);
 	const template = stack.template;
 	const resources = template.Resources ?? {};
 	let match;
 	if (parsed.isPath) {
 		const index = buildCdkPathIndex(template);
 		const lambdaMatches = resolveCdkPathToLogicalIds(parsed.pathOrId, index).filter(({ logicalId }) => resources[logicalId]?.Type === "AWS::Lambda::Function");
-		if (lambdaMatches.length === 0) throw notFoundError$2(target, stack, resources);
+		if (lambdaMatches.length === 0) throw notFoundError$1(target, stack, resources);
 		if (lambdaMatches.length > 1) throw new LocalInvokeResolutionError(`Target '${target}' matches ${lambdaMatches.length} Lambda functions in ${stack.stackName}: ` + lambdaMatches.map((m) => m.logicalId).join(", ") + ". Refine the path or use the stack:LogicalId form.");
 		const m = lambdaMatches[0];
 		match = {
@@ -43152,7 +43292,7 @@ function resolveLambdaTarget(target, stacks) {
 		};
 	} else {
 		const resource = resources[parsed.pathOrId];
-		if (!resource) throw notFoundError$2(target, stack, resources);
+		if (!resource) throw notFoundError$1(target, stack, resources);
 		match = {
 			logicalId: parsed.pathOrId,
 			resource
@@ -43170,7 +43310,7 @@ function resolveLambdaTarget(target, stacks) {
 * user may omit the stack prefix. Otherwise an explicit stack pattern is
 * required.
 */
-function pickStack$3(parsed, stacks) {
+function pickStack$2(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new LocalInvokeResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -43508,7 +43648,7 @@ function describeLayerEntry(entry) {
 * the resolved stack so the user can copy/paste a valid target. Mirrors
 * the format the issue spec calls out.
 */
-function notFoundError$2(target, stack, resources) {
+function notFoundError$1(target, stack, resources) {
 	const lambdas = [];
 	for (const [logicalId, resource] of Object.entries(resources)) {
 		if (resource.Type !== "AWS::Lambda::Function") continue;
@@ -43793,28 +43933,28 @@ function parseEcsTarget(target) {
 function resolveEcsTaskTarget(target, stacks, context) {
 	if (stacks.length === 0) throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
 	const parsed = parseEcsTarget(target);
-	const stack = pickStack$2(parsed, stacks);
+	const stack = pickStack$1(parsed, stacks);
 	const resources = stack.template.Resources ?? {};
 	let logicalId;
 	let resource;
 	if (parsed.isPath) {
 		const index = buildCdkPathIndex(stack.template);
 		const taskDefs = resolveCdkPathToLogicalIds(parsed.pathOrId, index).filter(({ logicalId: l }) => resources[l]?.Type === "AWS::ECS::TaskDefinition");
-		if (taskDefs.length === 0) throw notFoundError$1(target, stack, resources);
+		if (taskDefs.length === 0) throw notFoundError(target, stack, resources);
 		if (taskDefs.length > 1) throw new EcsTaskResolutionError(`Target '${target}' matches ${taskDefs.length} task definitions in ${stack.stackName}: ` + taskDefs.map((t) => t.logicalId).join(", ") + ". Refine the path or use the stack:LogicalId form.");
 		logicalId = taskDefs[0].logicalId;
 		resource = resources[logicalId];
 	} else {
 		resource = resources[parsed.pathOrId];
-		if (!resource) throw notFoundError$1(target, stack, resources);
+		if (!resource) throw notFoundError(target, stack, resources);
 		logicalId = parsed.pathOrId;
 	}
-	if (!logicalId || !resource) throw notFoundError$1(target, stack, resources);
+	if (!logicalId || !resource) throw notFoundError(target, stack, resources);
 	if (resource.Type === "AWS::Lambda::Function") throw new EcsTaskResolutionError(`Resource '${logicalId}' in ${stack.stackName} is a Lambda function, not an ECS task definition. Use \`cdkd local invoke\` for Lambda; \`cdkd local run-task\` is ECS only.`);
 	if (resource.Type !== "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`);
 	return extractTaskDefinitionProperties(stack, logicalId, resource, context);
 }
-function pickStack$2(parsed, stacks) {
+function pickStack$1(parsed, stacks) {
 	if (parsed.stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		throw new EcsTaskResolutionError(`Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
@@ -44340,7 +44480,7 @@ function pickStringArray(value) {
 	for (const v of value) if (typeof v === "string") out.push(v);
 	return out;
 }
-function notFoundError$1(target, stack, resources) {
+function notFoundError(target, stack, resources) {
 	const tasks = [];
 	for (const [logicalId, resource] of Object.entries(resources)) {
 		if (resource.Type !== "AWS::ECS::TaskDefinition") continue;
@@ -46233,7 +46373,7 @@ async function localStartApiCommand(target, options) {
 	await ensureDockerAvailable();
 	const appCmd = resolveApp(options.app);
 	if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKD_APP, or add \"app\" to cdk.json.");
-	const overrides = readEnvOverridesFile$4(options.envVars);
+	const overrides = readEnvOverridesFile$3(options.envVars);
 	const debugPortBase = options.debugPortBase ? parseDebugPort(options.debugPortBase) : void 0;
 	const perLambdaConcurrency = parsePerLambdaConcurrency(options.perLambdaConcurrency);
 	const inlineTmpDirs = /* @__PURE__ */ new Set();
@@ -47199,7 +47339,7 @@ function getTemplateEnv$1(resource) {
 	return vars;
 }
 /** Read the SAM-shape `--env-vars` JSON file. */
-function readEnvOverridesFile$4(filePath) {
+function readEnvOverridesFile$3(filePath) {
 	if (!filePath) return void 0;
 	let raw;
 	try {
@@ -47637,7 +47777,9 @@ const execFileAsync$2 = promisify(execFile);
 * metadata AND `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=/role/<role-arn>`
 * for IAM task-role credentials. cdkd does NOT re-implement the sidecar
 * — pulling the AWS-published image keeps cdkd in lock-step with whatever
-* ECS-Agent fidelity AWS chooses to provide.
+* ECS-Agent fidelity AWS chooses to provide. The `cdkd local start-service`
+* / `start-alb` shared-network shape lives in cdk-local's bundled ECS
+* service emulator engine (see `src/cli/commands/ecs-service-emulator.ts`).
 */
 /** AWS-published sidecar image (latest tag). amd64 is the only image AWS ships. */
 const METADATA_ENDPOINT_IMAGE = "amazon/amazon-ecs-local-container-endpoints:latest-amd64";
@@ -47645,29 +47787,18 @@ const METADATA_ENDPOINT_IMAGE = "amazon/amazon-ecs-local-container-endpoints:lat
 * Default well-known IP for the ECS local-container-endpoints sidecar —
 * matches the documented AWS task-metadata endpoint address. Containers
 * inject `ECS_CONTAINER_METADATA_URI_V4=http://169.254.170.2/v4/<id>`
-* to reach it. `cdkd local run-task` keeps this verbatim; `cdkd local
-* start-service` creates ONE shared network at CLI startup (design
-* § 5 Option A) — the shared sidecar lives at `169.254.171.2` (see
-* `SHARED_SVC_SUBNET_OCTET` below), one octet up so the two CLI
-* variants can run on the same host without bridge-pool collision.
+* to reach it.
 */
 const METADATA_ENDPOINT_IP = "169.254.170.2";
 /** Default subnet — used when no `subnetOctet` override is supplied. */
 const DEFAULT_METADATA_ENDPOINT_SUBNET = "169.254.170.0/24";
 /**
 * Pure-functional subnet allocator. `cdkd local run-task` uses the
-* default subnet; `cdkd local start-service` walks `subnetOctet=170,
-* 171, 172, ...` (one per replica) to keep parallel docker networks
-* from clashing. The link-local 169.254.0.0/16 space is reserved AWS-
-* wide for cloud metadata so collisions with user workloads are
-* unlikely, but each replica still gets its own /24 to ensure
-* docker's `--subnet` allocator does not reject "Pool overlaps".
-*
-* `subnetOctet` is the second-from-last byte of the network: 170 →
-* 169.254.170.0/24 (default), 171 → 169.254.171.0/24, etc. Valid
-* range is 1..254; the runner clamps to `(170 + replicaIndex) % 84`
-* + 170 in practice (rolling window) — exported here so the runner
-* keeps the allocation logic in one place.
+* default subnet (`subnetOctet=170`). The link-local 169.254.0.0/16
+* space is reserved AWS-wide for cloud metadata so collisions with
+* user workloads are unlikely. `subnetOctet` is the second-from-last
+* byte of the network: 170 → 169.254.170.0/24 (default). Valid range
+* is 1..254.
 */
 function buildEndpointSubnet(subnetOctet) {
 	if (subnetOctet < 1 || subnetOctet > 254 || !Number.isInteger(subnetOctet)) throw new Error(`buildEndpointSubnet: subnetOctet must be an integer in 1..254 (got ${subnetOctet}).`);
@@ -47677,50 +47808,12 @@ function buildEndpointSubnet(subnetOctet) {
 	};
 }
 /**
-* Subnet octet for the shared-service docker network used by
-* `cdkd local start-service`. One octet up from `cdkd local run-task`'s
-* default (170 → 171) so the two CLI variants can run on the same host
-* without docker rejecting the second `--subnet`. The shared-service
-* network reuses the same `createTaskNetwork` machinery; the sidecar at
-* `169.254.171.2` serves the same metadata-endpoint API to every
-* container that joins this one network.
-*/
-const SHARED_SVC_SUBNET_OCTET = 171;
-/**
-* Create the one shared docker network + metadata-endpoints sidecar
-* used by every service-replica boot in a single
-* `cdkd local start-service` invocation. This is design doc § 5
-* Option A — one network per CLI invocation instead of one network
-* per task — so peer services can reach each other by IP / network
-* alias without docker `--network connect` choreography (Option B,
-* rejected in design § 5 as "unwieldy and racy"). The returned
-* `TaskNetwork` carries `ownedByCaller: true` so `cleanupEcsRun()`
-* (called per replica by the service runner) does NOT teardown — the
-* CLI tears down ONCE at the end of the run.
-*/
-async function createSharedSvcNetwork(options = {}) {
-	const networkName = `${options.prefix ?? "cdkd-local"}-svc-${randomBytes(4).toString("hex")}`;
-	const { cidr, sidecarIp } = buildEndpointSubnet(171);
-	return {
-		networkName,
-		sidecarContainerId: await createNetworkAndSidecar({
-			networkName,
-			cidr,
-			sidecarIp,
-			skipPull: options.skipPull ?? false,
-			...options.credentials !== void 0 ? { credentials: options.credentials } : {},
-			...options.cluster !== void 0 ? { cluster: options.cluster } : {}
-		}),
-		sidecarIp,
-		ownedByCaller: true
-	};
-}
-/**
-* Internal helper shared by `createTaskNetwork` (per-task) and
-* `createSharedSvcNetwork` (per-CLI-run). Creates the docker network,
-* pulls the sidecar image, and starts the sidecar at the documented
-* IP. Throws `DockerRunnerError` with a hint when the network already
-* exists (the typical "leftover from previous run" path).
+* Internal helper that creates the docker network, pulls the sidecar image,
+* and starts the sidecar at the documented IP. Throws `DockerRunnerError`
+* with a hint when the network already exists (the typical "leftover from
+* previous run" path). Used by `createTaskNetwork` (per-task) only;
+* `cdkd local start-service` / `start-alb` share-network creation is owned
+* by cdk-local's bundled ECS service emulator engine.
 */
 async function createNetworkAndSidecar(args) {
 	const logger = getLogger().child("ecs-network");
@@ -48226,7 +48319,7 @@ async function waitForContainerHealthy(containerId, displayName) {
 			if (err instanceof EcsTaskRunnerError) throw err;
 			logger.debug(`docker inspect on '${displayName}' failed: ${err instanceof Error ? err.message : String(err)}`);
 		}
-		await sleep$1(1e3);
+		await sleep(1e3);
 	}
 	throw new EcsTaskRunnerError(`Container '${displayName}' did not become healthy within 5 minutes.`);
 }
@@ -48250,7 +48343,7 @@ async function stopContainer(containerId, graceSeconds) {
 		]);
 	} catch {}
 }
-function sleep$1(ms) {
+function sleep(ms) {
 	return new Promise((res) => setTimeout(res, ms));
 }
 /**
@@ -48554,9 +48647,9 @@ async function localRunTaskCommand(target, options) {
 			...options.profile && { macroExpandS3ClientOpts: { profile: options.profile } }
 		};
 		const { stacks } = await synthesizer.synthesize(synthOpts);
-		const candidate = pickCandidateStack$1(parseEcsTarget(target).stackPattern, stacks);
+		const candidate = pickCandidateStack(parseEcsTarget(target).stackPattern, stacks);
 		stateProvider = createLocalStateProvider$1(options, candidate?.stackName ?? "", candidate?.region);
-		const imageContext = await buildEcsImageResolutionContext$2(candidate, stateProvider, options);
+		const imageContext = await buildEcsImageResolutionContext$1(candidate, stateProvider, options);
 		const task = resolveEcsTaskTarget(target, stacks, imageContext);
 		logger.info(`Target: ${task.stack.stackName}/${task.taskDefinitionLogicalId} (family=${task.family}, containers=${task.containers.length})`);
 		const taskNeeds = detectEcsImageResolutionNeeds(stacks.find((s) => s.stackName === task.stack.stackName) ?? task.stack);
@@ -48584,15 +48677,15 @@ async function localRunTaskCommand(target, options) {
 		let resolvedRoleArn;
 		if (options.assumeTaskRole === true) {
 			if (!task.taskRoleArn) throw new Error("--assume-task-role passed without an ARN but the task definition has no resolvable TaskRoleArn. Either the task definition does not set TaskRoleArn, or it points at a resource cdkd cannot resolve to an IAM Role at synth time. Pass the ARN explicitly: --assume-task-role <arn>");
-			resolvedRoleArn = await resolvePlaceholderAccount$1(task.taskRoleArn, options.region);
-			assumedCredentials = await assumeTaskRole$1(resolvedRoleArn, options.region);
+			resolvedRoleArn = await resolvePlaceholderAccount(task.taskRoleArn, options.region);
+			assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
 		} else if (typeof options.assumeTaskRole === "string") {
 			resolvedRoleArn = options.assumeTaskRole;
-			assumedCredentials = await assumeTaskRole$1(resolvedRoleArn, options.region);
+			assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
 		}
 		const sidecarCredentials = await resolveSidecarCredentials(options, assumedCredentials);
 		if (options.profile && sidecarCredentials && !assumedCredentials) profileCredsFile = await writeProfileCredentialsFile(options.profile, sidecarCredentials);
-		const envOverrides = readEnvOverridesFile$3(options.envVars);
+		const envOverrides = readEnvOverridesFile$2(options.envVars);
 		const runOpts = {
 			cluster: options.cluster,
 			containerHost: options.containerHost,
@@ -48633,7 +48726,7 @@ async function localRunTaskCommand(target, options) {
 * Lazy: callers should only invoke this when the resolved ARN is actually
 * going to be used (i.e. on the bare `--assume-task-role` path).
 */
-async function resolvePlaceholderAccount$1(arn, region) {
+async function resolvePlaceholderAccount(arn, region) {
 	if (!arn.includes("${AWS::AccountId}")) return arn;
 	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
 	const sts = new STSClient({ ...region && { region } });
@@ -48649,7 +48742,7 @@ async function resolvePlaceholderAccount$1(arn, region) {
 * Assume `roleArn` and return temp credentials. Mirrors the same flow
 * `cdkd local invoke --assume-role` uses.
 */
-async function assumeTaskRole$1(roleArn, region) {
+async function assumeTaskRole(roleArn, region) {
 	const { STSClient, AssumeRoleCommand } = await import("@aws-sdk/client-sts");
 	const sts = new STSClient({ ...region && { region } });
 	try {
@@ -48680,7 +48773,7 @@ async function assumeTaskRole$1(roleArn, region) {
 * `--from-state` and `--from-cfn-stack` produce the same downstream
 * context shape (issue #606).
 */
-async function buildEcsImageResolutionContext$2(candidate, stateProvider, options) {
+async function buildEcsImageResolutionContext$1(candidate, stateProvider, options) {
 	const logger = getLogger();
 	if (!candidate) return void 0;
 	const needs = detectEcsImageResolutionNeeds(candidate);
@@ -48692,7 +48785,7 @@ async function buildEcsImageResolutionContext$2(candidate, stateProvider, option
 		if (!region) logger.warn("Resolver references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.");
 		let accountId;
 		try {
-			accountId = await resolveCallerAccountId$2(region);
+			accountId = await resolveCallerAccountId$1(region);
 		} catch (err) {
 			logger.warn(`Resolver needs \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; affected env / secret entries will be dropped with per-key warnings.`);
 		}
@@ -48714,7 +48807,7 @@ async function buildEcsImageResolutionContext$2(candidate, stateProvider, option
 	else if (!stateProvider && needs.needsEnvOrSecretSubstitution) logger.warn("Container Environment / Secrets entries contain CloudFormation intrinsics (Ref / Fn::GetAtt / Fn::Sub / Fn::Join). Pass --from-state (cdkd-deployed) or --from-cfn-stack (cdk-deployed) to substitute them against deployed state. Without a state source these entries are dropped (per-key warnings will follow).");
 	return ctx;
 }
-function pickCandidateStack$1(stackPattern, stacks) {
+function pickCandidateStack(stackPattern, stacks) {
 	if (stackPattern === null) {
 		if (stacks.length === 1) return stacks[0];
 		return;
@@ -48722,7 +48815,7 @@ function pickCandidateStack$1(stackPattern, stacks) {
 	const matched = matchStacks(stacks, [stackPattern]);
 	if (matched.length === 1) return matched[0];
 }
-async function resolveCallerAccountId$2(region) {
+async function resolveCallerAccountId$1(region) {
 	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
 	const sts = new STSClient({ ...region && { region } });
 	try {
@@ -48736,7 +48829,7 @@ async function resolveCallerAccountId$2(region) {
 * `cdkd local invoke --env-vars`: top-level keys are container names, with
 * `Parameters` reserved for global entries.
 */
-function readEnvOverridesFile$3(filePath) {
+function readEnvOverridesFile$2(filePath) {
 	if (!filePath) return void 0;
 	let raw;
 	try {
@@ -48788,1072 +48881,42 @@ function createLocalRunTaskCommand() {
 	return cmd;
 }
 
-//#endregion
-//#region src/local/ecs-service-resolver.ts
-/**
-* Walk the synth template to locate an `AWS::ECS::Service` by display
-* path or stack-qualified logical id, resolve its `TaskDefinition`
-* reference, and chain into the existing `resolveEcsTaskTarget` machinery
-* to produce a `ResolvedEcsService` carrying both the service knobs and
-* the underlying task descriptor.
-*
-* Target shape mirrors `cdkd local run-task`: `<Stack>/<DisplayPath>` or
-* `<Stack>:<LogicalId>`; single-stack apps may omit the stack prefix.
-*
-* Optional `context` (same as the task resolver) carries the ECR image
-* substitution data — pseudo parameters (Tier 1) + state-recorded
-* resources (Tier 2). The CLI builds it lazily when the candidate
-* service's task definition actually needs substitution.
-*/
-function resolveEcsServiceTarget(target, stacks, context) {
-	if (stacks.length === 0) throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
-	const parsed = parseEcsTarget(target);
-	const stack = pickStack$1(parsed, stacks);
-	const resources = stack.template.Resources ?? {};
-	let serviceLogicalId;
-	let serviceResource;
-	if (parsed.isPath) {
-		const index = buildCdkPathIndex(stack.template);
-		const services = resolveCdkPathToLogicalIds(parsed.pathOrId, index).filter(({ logicalId: l }) => resources[l]?.Type === "AWS::ECS::Service");
-		if (services.length === 0) throw notFoundError(target, stack, resources);
-		if (services.length > 1) throw new EcsTaskResolutionError(`Target '${target}' matches ${services.length} ECS services in ${stack.stackName}: ` + services.map((s) => s.logicalId).join(", ") + ". Refine the path or use the stack:LogicalId form.");
-		serviceLogicalId = services[0].logicalId;
-		serviceResource = resources[serviceLogicalId];
-	} else {
-		serviceResource = resources[parsed.pathOrId];
-		if (!serviceResource) throw notFoundError(target, stack, resources);
-		serviceLogicalId = parsed.pathOrId;
-	}
-	if (!serviceLogicalId || !serviceResource) throw notFoundError(target, stack, resources);
-	if (serviceResource.Type === "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`Resource '${serviceLogicalId}' in ${stack.stackName} is an ECS TaskDefinition, not a Service. Use \`cdkd local run-task\` for one-shot tasks; \`cdkd local start-service\` is Service-only.`);
-	if (serviceResource.Type !== "AWS::ECS::Service") throw new EcsTaskResolutionError(`Resource '${serviceLogicalId}' in ${stack.stackName} is ${serviceResource.Type}, not an AWS::ECS::Service.`);
-	return extractServiceProperties(stack, serviceLogicalId, serviceResource, stacks, context);
-}
-/**
-* Pure-functional extraction from the synth resource. Exposed for unit
-* testing the per-field resolution rules (DesiredCount default, missing
-* TaskDefinition, intrinsic shapes).
-*/
-function extractServiceProperties(stack, serviceLogicalId, resource, stacks, context) {
-	const props = resource.Properties ?? {};
-	const warnings = [];
-	const taskDefRef = props["TaskDefinition"];
-	if (taskDefRef === void 0 || taskDefRef === null) throw new EcsTaskResolutionError(`ECS Service '${serviceLogicalId}' in ${stack.stackName} has no TaskDefinition property.`);
-	const taskDefLogicalId = resolveTaskDefinitionReference(taskDefRef, stack, serviceLogicalId);
-	const task = resolveEcsTaskTarget(`${stack.stackName}:${taskDefLogicalId}`, stacks, context);
-	const desiredCount = parseDesiredCount(props["DesiredCount"], serviceLogicalId);
-	const healthCheckGracePeriodSeconds = parseHealthCheckGrace(props["HealthCheckGracePeriodSeconds"], serviceLogicalId);
-	const serviceName = parseServiceName(props["ServiceName"], serviceLogicalId);
-	if (Array.isArray(props["LoadBalancers"]) && props["LoadBalancers"].length > 0) warnings.push(`ECS Service '${serviceLogicalId}' declares LoadBalancers, but local load-balancer emulation is deferred to a follow-up PR. Containers are NOT registered to a local listener; reach them via their published ports.`);
-	const serviceConnect = extractServiceConnect(props["ServiceConnectConfiguration"], task);
-	const out = {
-		stack,
-		serviceLogicalId,
-		resource,
-		serviceName,
-		desiredCount,
-		healthCheckGracePeriodSeconds,
-		task,
-		serviceRegistries: extractServiceRegistries(props["ServiceRegistries"], serviceLogicalId, warnings),
-		warnings
-	};
-	if (serviceConnect) out.serviceConnect = serviceConnect;
-	return out;
-}
-/**
-* Parse `ServiceConnectConfiguration` against the producer TaskDef.
-* Returns `undefined` when the block is missing OR `Enabled: false`.
-*
-* Reject conditions (surface as resolver-time errors so the user sees
-* them BEFORE the docker network is created):
-*   - `Namespace` is not a literal string. CDK 2.x always emits a
-*     literal string here (verified 2026-05-22); cross-stack /
-*     intrinsic shapes are out of scope.
-*   - `Services[].PortName` doesn't match any of the TaskDef's
-*     `ContainerDefinitions[].PortMappings[].Name` entries.
-*
-* Note on `clientAliases[]` shape: each ClientAlias can declare a
-* `DnsName` (the bare short-name peers connect to, e.g. `orders`) AND
-* a `Port` (the listening port the alias maps to inside the consumer).
-* cdkd surfaces both verbatim; the registry / `--add-host` overlay
-* publishes each `DnsName` as a bare alias pointing at the same IP as
-* the canonical fqdn.
-*/
-function extractServiceConnect(raw, task) {
-	if (!raw || typeof raw !== "object") return void 0;
-	const cfg = raw;
-	if (cfg["Enabled"] === false) return void 0;
-	const namespaceName = pickServiceConnectNamespace(cfg["Namespace"]);
-	if (!namespaceName) throw new EcsTaskResolutionError(`ServiceConnectConfiguration.Namespace must be a literal string (the Cloud Map namespace name like 'cdkd-local.local'); got ${JSON.stringify(cfg["Namespace"])}. Intrinsic / cross-stack namespace references are not supported in v1.`);
-	const rawServices = cfg["Services"];
-	if (!Array.isArray(rawServices) || rawServices.length === 0) return {
-		namespaceName,
-		services: []
-	};
-	const portByName = /* @__PURE__ */ new Map();
-	for (const c of task.containers) for (const pm of c.portMappings) if (pm.name) portByName.set(pm.name, pm.containerPort);
-	const services = [];
-	for (const entry of rawServices) {
-		if (!entry || typeof entry !== "object") continue;
-		const e = entry;
-		const portName = typeof e["PortName"] === "string" ? e["PortName"] : void 0;
-		if (!portName) throw new EcsTaskResolutionError(`ServiceConnectConfiguration.Services[] entry has no PortName: ${JSON.stringify(entry)}. Every Service entry must reference a producer-side PortMappings[].Name.`);
-		const containerPort = portByName.get(portName);
-		if (containerPort === void 0) throw new EcsTaskResolutionError(`ServiceConnectConfiguration.Services[].PortName='${portName}' does not match any PortMappings[].Name on the producer TaskDef (available: ${[...portByName.keys()].join(", ") || "(none)"}).`);
-		const clientAliases = [];
-		if (Array.isArray(e["ClientAliases"])) for (const ca of e["ClientAliases"]) {
-			if (!ca || typeof ca !== "object") continue;
-			const caObj = ca;
-			const dnsName = typeof caObj["DnsName"] === "string" ? caObj["DnsName"] : void 0;
-			const aliasEntry = { port: typeof caObj["Port"] === "number" ? caObj["Port"] : containerPort };
-			if (dnsName !== void 0) aliasEntry.dnsName = dnsName;
-			clientAliases.push(aliasEntry);
-		}
-		const discoveryName = clientAliases.find((c) => c.dnsName !== void 0)?.dnsName ?? portName;
-		services.push({
-			portName,
-			containerPort,
-			discoveryName,
-			clientAliases
-		});
-	}
-	return {
-		namespaceName,
-		services
-	};
-}
-/**
-* Parse `ServiceRegistries[]`. Each entry's `RegistryArn` is the
-* canonical `Fn::GetAtt: [<CloudMapServiceLogicalId>, 'Arn']` shape;
-* cdkd surfaces the logical id (the AWS-side ARN is irrelevant
-* locally — the registry is in-process).
-*
-* Issue #544 — entries with a literal-string `RegistryArn` (rare
-* locally — would imply the user bound to an existing Cloud Map
-* service deployed out-of-band) are skipped with a warning, since the
-* in-process registry cannot resolve an external Cloud Map service
-* back to its `(namespace, name)` pair. Pre-fix this was a silent
-* `continue` and the user got no feedback about why the registration
-* didn't show up.
-*/
-function extractServiceRegistries(raw, serviceLogicalId, warnings) {
-	if (!Array.isArray(raw)) return [];
-	const out = [];
-	for (const entry of raw) {
-		if (!entry || typeof entry !== "object") continue;
-		const e = entry;
-		const registryArn = e["RegistryArn"];
-		let cloudMapServiceLogicalId;
-		if (typeof registryArn === "string") {
-			warnings.push(`ECS Service '${serviceLogicalId}' ServiceRegistries[] entry has a literal-string RegistryArn ('${registryArn}'); cdkd cannot resolve external Cloud Map services locally. Skipping this registration; peer services will not discover this endpoint through the in-process registry. Use Fn::GetAtt: [<CloudMapServiceLogicalId>, "Arn"] instead so cdkd can resolve the namespace + service name from the synthesized template.`);
-			continue;
-		}
-		if (registryArn && typeof registryArn === "object" && !Array.isArray(registryArn)) {
-			const getAtt = registryArn["Fn::GetAtt"];
-			if (Array.isArray(getAtt) && typeof getAtt[0] === "string") cloudMapServiceLogicalId = getAtt[0];
-		}
-		if (!cloudMapServiceLogicalId) continue;
-		const reg = { cloudMapServiceLogicalId };
-		if (typeof e["ContainerName"] === "string") reg.containerName = e["ContainerName"];
-		if (typeof e["ContainerPort"] === "number") reg.containerPort = e["ContainerPort"];
-		out.push(reg);
-	}
-	return out;
-}
-function pickServiceConnectNamespace(raw) {
-	if (typeof raw === "string" && raw.length > 0) return raw;
-}
-/**
-* Resolve `Properties.TaskDefinition` to a logical id in the same stack.
-* Accepted shapes — verified against real CDK 2.x `cdk synth` output on
-* 2026-05-22 (per `feedback_verify_cdk_synth_shape_before_resolver.md`):
-*   - `{Ref: '<TaskDefLogicalId>'}` — the CDK-canonical shape emitted by
-*     `new ecs.FargateService({ taskDefinition })`.
-*   - flat string `'<TaskDefLogicalId>'` — accepted defensively but CDK
-*     rarely emits this for cross-resource refs.
-* Other intrinsic shapes (`Fn::ImportValue` / `Fn::GetAtt` / etc.) are
-* rejected — cross-stack task definitions and `Fn::GetAtt` shapes have
-* no clean local resolution and would land here only as user errors.
-*/
-function resolveTaskDefinitionReference(taskDefRef, stack, serviceLogicalId) {
-	if (typeof taskDefRef === "string") return taskDefRef;
-	if (taskDefRef && typeof taskDefRef === "object" && !Array.isArray(taskDefRef)) {
-		const refValue = taskDefRef["Ref"];
-		if (typeof refValue === "string") {
-			const target = (stack.template.Resources ?? {})[refValue];
-			if (!target) throw new EcsTaskResolutionError(`ECS Service '${serviceLogicalId}' references TaskDefinition '${refValue}' but no such resource exists in ${stack.stackName}.`);
-			if (target.Type !== "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`ECS Service '${serviceLogicalId}' references '${refValue}' as TaskDefinition but it is of type ${target.Type}, not AWS::ECS::TaskDefinition.`);
-			return refValue;
-		}
-	}
-	throw new EcsTaskResolutionError(`ECS Service '${serviceLogicalId}' has an unsupported TaskDefinition reference shape: ${JSON.stringify(taskDefRef)}. cdkd local start-service v1 supports only Ref to a same-stack AWS::ECS::TaskDefinition; cross-stack TaskDefinitions are deferred.`);
-}
-function parseDesiredCount(raw, serviceLogicalId) {
-	if (raw === void 0 || raw === null) return 1;
-	if (typeof raw === "number" && Number.isFinite(raw) && raw >= 0) return Math.floor(raw);
-	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
-	throw new EcsTaskResolutionError(`ECS Service '${serviceLogicalId}' has an unsupported DesiredCount value: ${JSON.stringify(raw)}. Must be a non-negative integer.`);
-}
-function parseHealthCheckGrace(raw, _serviceLogicalId) {
-	if (raw === void 0 || raw === null) return 30;
-	if (typeof raw === "number" && Number.isFinite(raw) && raw >= 0) return Math.floor(raw);
-	if (typeof raw === "string" && /^\d+$/.test(raw)) return parseInt(raw, 10);
-	return 30;
-}
-function parseServiceName(raw, serviceLogicalId) {
-	if (typeof raw === "string" && raw.length > 0) return raw;
-	return serviceLogicalId;
-}
-/**
-* Local copy of the same `pickStack` helper used by the task resolver.
-* Kept in-file rather than exported from `ecs-task-resolver.ts` so future
-* service-specific extensions (e.g. cross-stack service-to-task refs)
-* can diverge without breaking the run-task code path.
-*/
-function pickStack$1(parsed, stacks) {
-	if (parsed.stackPattern === null) {
-		if (stacks.length === 1) return stacks[0];
-		throw new EcsTaskResolutionError(`Target has no stack prefix, and the assembly contains ${stacks.length} stacks: ${stacks.map((s) => s.stackName).join(", ")}. Pass the target as 'Stack/Path' or 'Stack:LogicalId'.`);
-	}
-	const matched = matchStacks(stacks, [parsed.stackPattern]);
-	if (matched.length === 0) throw new EcsTaskResolutionError(`No stack matches '${parsed.stackPattern}'. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`);
-	if (matched.length > 1) throw new EcsTaskResolutionError(`Multiple stacks match '${parsed.stackPattern}': ${matched.map((s) => s.stackName).join(", ")}. Refine the pattern.`);
-	return matched[0];
-}
-function notFoundError(target, stack, resources) {
-	const services = Object.entries(resources).filter(([, r]) => r.Type === "AWS::ECS::Service").map(([id]) => id);
-	if (services.length === 0) return new EcsTaskResolutionError(`Target '${target}' did not match any resource in ${stack.stackName}, and the stack declares no AWS::ECS::Service resources at all.`);
-	return new EcsTaskResolutionError(`Target '${target}' did not match any ECS Service in ${stack.stackName}. Available services: ${services.join(", ")}.`);
-}
-
-//#endregion
-//#region src/local/ecs-service-runner.ts
-/**
-* Phase 2 of #262 — long-running ECS Service emulator. Wraps the existing
-* `ecs-task-runner` machinery in a replica pool: N concurrent task
-* instances per `DesiredCount`, each with its own docker network +
-* metadata sidecar + container set. Tasks that exit non-zero AFTER the
-* health-check grace period are restarted with exponential backoff so a
-* crash-looping container does not hammer docker.
-*
-* v1 scope (per the issue's PR-split recommendation):
-*   - Replica pool sizing via `DesiredCount` clamped by `--max-tasks`.
-*   - Restart-on-exit with exponential backoff (1s → 30s, capped) +
-*     a per-instance retry counter so a permanently-broken container
-*     stops compounding cleanup work.
-*   - Long-running lifecycle (returns only on shutdown).
-*
-* Phase 3 of #262 (Issue #460) — Cloud Map / Service Connect peer
-* discovery is wired through `ServiceRunnerOptions.discovery`. When
-* supplied, every booted replica discovers its docker IP, registers
-* itself into the shared in-process `CloudMapRegistry`, and emits
-* `--add-host` flags so consumer containers reach peer services via
-* the canonical `<discoveryName>.<namespace>` fqdn. Envoy L7 sidecar
-* emulation (design Layer B) is deferred to a follow-up PR per the
-* design's §O5 "--no-envoy by default" recommendation.
-*
-* Deferred to follow-up PRs:
-*   - Local load-balancer emulation (LB listener + target-group health
-*     check + round-robin) — separate PR per the issue's PR-split.
-*   - Envoy sidecar for Service Connect L7 routing / retries / circuit
-*     breaking (Cloud Map DNS-only mode ships now).
-*   - Rolling deployment (`--reload` / `--watch`).
-*/
-var EcsServiceRunnerError = class EcsServiceRunnerError extends Error {
-	constructor(message) {
-		super(message);
-		this.name = "EcsServiceRunnerError";
-		Object.setPrototypeOf(this, EcsServiceRunnerError.prototype);
-	}
-};
-function createServiceRunState() {
-	return {
-		replicas: [],
-		shuttingDown: false
-	};
-}
-/**
-* Compute the effective replica count for a service: the smaller of
-* `service.desiredCount` and `--max-tasks`, floored at 1. Pure-
-* functional so the CLI can show the user what cdkd is about to do
-* before any docker calls fire.
-*/
-function computeReplicaCount(desiredCount, maxTasks) {
-	if (maxTasks < 1) throw new EcsServiceRunnerError(`--max-tasks must be >= 1 (got ${maxTasks}); local dev needs at least one running replica.`);
-	if (desiredCount <= 0) return 1;
-	return Math.min(desiredCount, maxTasks);
-}
-/**
-* Exponential backoff schedule: 1s, 2s, 4s, 8s, 16s, 30s, 30s, ... Used
-* between restarts of a crash-looping replica so docker is not hammered
-* by the watcher loop. Exposed for unit testing.
-*/
-function backoffDelayMs(restartCount) {
-	return Math.min(1e3 * Math.pow(2, Math.min(restartCount, 10)), 3e4);
-}
-/**
-* Maximum number of replica indices the per-replica subnet allocator
-* can serve without modulo-wrap collision. The allocator below walks
-* the link-local /24 range `169.254.170.0..169.254.253.0` (84 octets)
-* and **skips 171** because that octet is owned by the shared-service
-* network in design § 5 Option A (see `SHARED_SVC_SUBNET_OCTET`), so
-* the usable count is 83. The CLI's `--max-tasks` parser enforces this
-* cap before any boot work fires.
-*/
-const SUBNET_ALLOCATOR_RANGE = 83;
-/**
-* Defensive per-replica subnet octet allocator (Issue #544). Only used
-* when callers bypass the CLI's `sharedNetwork` construction — i.e.
-* test paths that hand-build `ServiceRunnerOptions.discovery` without
-* `sharedNetwork`, or the bare `cdkd local run-task`-shaped path that
-* runs one network per task. Production `cdkd local start-service`
-* runs always go through the shared network (design § 5 Option A) so
-* this allocator is unreachable in the standard path.
-*
-* Returns the second-from-last octet of the per-replica /24 (170 →
-* `169.254.170.0/24`). Walks the 83-slot output range
-* `[170, 172, 173, ..., 253]` — 171 is intentionally **skipped**
-* because it's reserved for the shared-service network sidecar
-* (`SHARED_SVC_SUBNET_OCTET`), and assigning a per-replica network
-* the same /24 would have docker reject the duplicate-subnet
-* `network create` with the cryptic "Pool overlaps with other one on
-* this address space" error.
-*/
-function pickSubnetOctet(index) {
-	const candidate = 170 + (index % 83 + 83) % 83;
-	return candidate < 171 ? candidate : candidate + 1;
-}
-/**
-* Decide whether a replica that just exited should restart. Pure-
-* functional so the watcher loop's policy is easy to unit-test.
-*/
-function shouldRestart(exitCode, policy) {
-	if (policy === "none") return false;
-	if (policy === "always") return true;
-	return exitCode !== 0;
-}
-/**
-* Long-running entry point. Boots `replicaCount` instances of the
-* service's task descriptor, returns a controller object the CLI uses
-* to (1) wait for the first failure that gives up restarting and (2)
-* shut every replica down on SIGINT / SIGTERM.
-*
-* The returned `shutdown()` is idempotent and safe to call from
-* multiple SIGINT handlers (CLI's single-flight pattern wraps it
-* anyway).
-*/
-async function startEcsService(service, options, runState) {
-	const logger = getLogger().child("ecs-service");
-	for (const w of service.warnings) logger.warn(w);
-	const replicaCount = computeReplicaCount(service.desiredCount, options.maxTasks);
-	if (replicaCount < service.desiredCount) logger.warn(`Service '${service.serviceName}' template DesiredCount=${service.desiredCount} exceeds --max-tasks=${options.maxTasks}; running ${replicaCount} replica(s) locally. Raise --max-tasks to lift the cap, or accept the reduced concurrency for local dev.`);
-	logger.info(`Starting ECS service '${service.serviceName}' with ${replicaCount} replica(s) (restartPolicy=${options.restartPolicy})`);
-	for (let i = 0; i < replicaCount; i++) {
-		const instance = {
-			index: i,
-			state: createEcsRunState(),
-			restartCount: 0,
-			shuttingDown: false,
-			inFlightBoot: void 0,
-			cloudMapHandles: []
-		};
-		runState.replicas.push(instance);
-		const bootPromise = bootReplica(service, options, instance);
-		instance.inFlightBoot = bootPromise;
-		try {
-			await bootPromise;
-		} catch (err) {
-			instance.lastError = err instanceof Error ? err : new Error(String(err));
-			throw new EcsServiceRunnerError(`Failed to boot replica ${i} of service '${service.serviceName}': ${instance.lastError.message}`);
-		} finally {
-			instance.inFlightBoot = void 0;
-		}
-	}
-	for (const instance of runState.replicas) watchReplica(service, options, instance, runState);
-	return new ServiceController(service, runState, options);
-}
-/**
-* Public controller surface. The CLI awaits `controller.waitForShutdown()`
-* to block until the user ^Cs. `controller.shutdown()` is wired into the
-* SIGINT / SIGTERM handlers.
-*/
-var ServiceController = class {
-	service;
-	runState;
-	options;
-	shutdownResolve;
-	shutdownPromise;
-	/**
-	* Single-flight wrapper for `shutdown()` so the fan-out cleanup runs
-	* exactly once even when SIGINT and the CLI's outer `finally` both
-	* fire (the canonical pattern documented in
-	* `feedback_sigint_finally_cleanup_singleflight.md`). Built in the
-	* constructor so every call to `shutdown()` resolves against the same
-	* underlying promise.
-	*/
-	runShutdown;
-	constructor(service, runState, options) {
-		this.service = service;
-		this.runState = runState;
-		this.options = options;
-		this.shutdownPromise = new Promise((resolve) => {
-			this.shutdownResolve = resolve;
-		});
-		this.runShutdown = singleFlight(() => this.doShutdown());
-	}
-	/**
-	* Returns the count of currently-active (non-shutting-down) replicas.
-	* Exposed so the CLI can surface a one-line "service is degraded"
-	* banner when restarts stop firing.
-	*/
-	activeReplicaCount() {
-		return this.runState.replicas.filter((r) => !r.shuttingDown).length;
-	}
-	/**
-	* Block until `shutdown()` is called. Used by the CLI as the
-	* long-running blocking point — the SIGINT handler resolves it.
-	*/
-	waitForShutdown() {
-		return this.shutdownPromise;
-	}
-	/**
-	* Idempotent fan-out shutdown across every active replica. Wired into
-	* both SIGINT and the outer `finally` of the CLI command; the
-	* `singleFlight`-wrapped `runShutdown` collapses concurrent / repeated
-	* callers to one underlying invocation.
-	*/
-	async shutdown() {
-		await this.runShutdown();
-		return this.shutdownPromise;
-	}
-	async doShutdown() {
-		this.runState.shuttingDown = true;
-		const logger = getLogger().child("ecs-service");
-		logger.info(`Shutting down service '${this.service.serviceName}'...`);
-		for (const r of this.runState.replicas) r.shuttingDown = true;
-		const inFlightBoots = this.runState.replicas.map((r) => r.inFlightBoot).filter((p) => p !== void 0);
-		if (inFlightBoots.length > 0) {
-			logger.debug(`Awaiting ${inFlightBoots.length} in-flight bootReplica() call(s) before cleanup...`);
-			await Promise.allSettled(inFlightBoots);
-		}
-		await Promise.allSettled(this.runState.replicas.map(async (instance) => {
-			if (this.options.discovery) {
-				for (const handle of instance.cloudMapHandles) try {
-					this.options.discovery.registry.unregister(handle);
-				} catch {}
-				instance.cloudMapHandles = [];
-			}
-			try {
-				await cleanupEcsRun(instance.state, { keepRunning: this.options.taskOptions.keepRunning });
-			} catch (err) {
-				logger.debug(`Replica ${instance.index} cleanup failed: ${err instanceof Error ? err.message : String(err)}`);
-			}
-		}));
-		this.shutdownResolve?.();
-	}
-};
-/**
-* Build the `--network-alias` map for one service's containers (design
-* doc § 5 Option A). For every Service Connect entry, attach the
-* fqdn (`<discoveryName>.<namespaceName>`), the bare discoveryName,
-* AND every ClientAlias DnsName to the container that owns the
-* matching PortName. Other containers in the task get NO extra
-* aliases (only their default `--name`-derived alias from
-* `buildDockerRunArgs`).
-*
-* Aliases per container are de-duplicated so docker doesn't reject
-* a `--network-alias X` repeated against the same container.
-*
-* Returns an empty map when the service has no Service Connect — the
-* runner's `... .size > 0 ? { networkAliasesByContainer } : {}` guard
-* short-circuits in that case so backward-compat callers pay no cost.
-*/
-function buildNetworkAliasesByContainer(service) {
-	const out = /* @__PURE__ */ new Map();
-	const sc = service.serviceConnect;
-	if (!sc) return out;
-	for (const entry of sc.services) {
-		const owner = service.task.containers.find((c) => c.portMappings.some((pm) => pm.name === entry.portName));
-		if (!owner) continue;
-		const aliases = [];
-		aliases.push(entry.discoveryName);
-		aliases.push(`${entry.discoveryName}.${sc.namespaceName}`);
-		for (const ca of entry.clientAliases) if (ca.dnsName) aliases.push(ca.dnsName);
-		const existing = out.get(owner.name) ?? [];
-		for (const a of aliases) if (!existing.includes(a)) existing.push(a);
-		out.set(owner.name, existing);
-	}
-	return out;
-}
-/**
-* Boot a single replica. Mutates the supplied `instance.state` so the
-* shutdown path's `cleanupEcsRun(instance.state)` covers every partial
-* side effect. Network names are suffixed with the replica index so
-* docker doesn't collide on shared per-task network names when N > 1.
-*/
-async function bootReplica(service, options, instance) {
-	const logger = getLogger().child("ecs-service");
-	const perReplicaCluster = `${options.taskOptions.cluster}-svc-${service.serviceLogicalId.toLowerCase()}-r${instance.index}`;
-	const ownerKeyPrefix = `${service.serviceLogicalId}:r${instance.index}`;
-	const addHostFlags = options.discovery?.registry ? options.discovery.registry.buildAddHostFlags(ownerKeyPrefix) : [];
-	const sharedNetwork = options.discovery?.sharedNetwork;
-	const networkAliasesByContainer = buildNetworkAliasesByContainer(service);
-	const skipHostPortPublish = computeReplicaCount(service.desiredCount, options.maxTasks) > 1;
-	const perReplicaTaskOptions = {
-		...options.taskOptions,
-		cluster: perReplicaCluster,
-		detach: true,
-		...skipHostPortPublish ? { skipHostPortPublish: true } : {},
-		...sharedNetwork ? { existingNetwork: sharedNetwork } : { subnetOctet: pickSubnetOctet(instance.index) },
-		...addHostFlags.length > 0 ? { addHostFlags } : {},
-		...networkAliasesByContainer.size > 0 ? { networkAliasesByContainer } : {}
-	};
-	logger.info(`Booting replica ${instance.index} (${perReplicaCluster})`);
-	await runEcsTask(service.task, perReplicaTaskOptions, instance.state);
-	if (options.discovery) await publishReplicaToCloudMap(service, instance, options.discovery, ownerKeyPrefix);
-}
-/**
-* After the replica's main container is up, discover its docker
-* network IP and publish the configured Service Connect + Cloud Map
-* endpoints into the shared registry. The handles are tracked on the
-* instance so the shutdown / restart path can unregister symmetrically.
-*
-* Errors here are best-effort: docker inspect can fail right after run
-* (container vanished, network not fully wired), and the registry is
-* advisory — losing one replica's registration means peer services
-* can't reach it via the overlay, but it doesn't break that replica's
-* own work or AWS SDK calls.
-*/
-async function publishReplicaToCloudMap(service, instance, discovery, ownerKeyPrefix) {
-	const logger = getLogger().child("ecs-service");
-	const networkName = instance.state.network?.networkName;
-	if (!networkName) return;
-	const essential = service.task.containers.find((c) => c.essential) ?? service.task.containers[0];
-	if (!essential) return;
-	const started = instance.state.startedContainers.find((c) => c.name === essential.name);
-	if (!started) return;
-	let ip;
-	try {
-		ip = await getContainerNetworkIp(started.id, networkName);
-	} catch (err) {
-		logger.warn(`Replica ${instance.index}: docker inspect failed before Cloud Map publish: ${err instanceof Error ? err.message : String(err)}`);
-		return;
-	}
-	if (!ip) {
-		logger.warn(`Replica ${instance.index}: no docker IP discovered on network ${networkName}; skipping Cloud Map publish for this replica.`);
-		return;
-	}
-	if (service.serviceConnect) {
-		const ns = service.serviceConnect.namespaceName;
-		const index = discovery.cloudMapIndexByStack.get(service.stack.stackName);
-		if (index && !index.namespacesByName.has(ns)) logger.warn(`ECS Service '${service.serviceLogicalId}' ServiceConnectConfiguration.Namespace='${ns}' does not match any AWS::ServiceDiscovery::PrivateDnsNamespace declared in stack ${service.stack.stackName}. Publishing under the literal name anyway; peer services using the same literal will still discover this endpoint.`);
-		let i = 0;
-		for (const entry of service.serviceConnect.services) {
-			const ownerKey = `${ownerKeyPrefix}:sc:${i}`;
-			const handle = discovery.registry.register(ns, entry.discoveryName, {
-				ip,
-				port: entry.containerPort,
-				ownerKey
-			});
-			instance.cloudMapHandles.push(handle);
-			for (const alias of entry.clientAliases) if (alias.dnsName) discovery.registry.registerAlias(alias.dnsName, handle.fqdn);
-			i++;
-		}
-	}
-	if (service.serviceRegistries.length > 0) {
-		const index = discovery.cloudMapIndexByStack.get(service.stack.stackName);
-		if (!index) {
-			logger.warn(`ECS Service '${service.serviceLogicalId}' declares ServiceRegistries[] but cdkd has no Cloud Map index for stack ${service.stack.stackName}. Skipping registration.`);
-			return;
-		}
-		let j = 0;
-		for (const reg of service.serviceRegistries) {
-			const cm = index.servicesByLogicalId.get(reg.cloudMapServiceLogicalId);
-			if (!cm) {
-				logger.warn(`ECS Service '${service.serviceLogicalId}' ServiceRegistries[].cloudMapServiceLogicalId='${reg.cloudMapServiceLogicalId}' did not resolve to an AWS::ServiceDiscovery::Service in stack ${service.stack.stackName}. Skipping this registration.`);
-				continue;
-			}
-			let port = reg.containerPort;
-			if (port === void 0 && essential.portMappings.length > 0) port = essential.portMappings[0].containerPort;
-			if (port === void 0) {
-				logger.warn(`ECS Service '${service.serviceLogicalId}' ServiceRegistries[] entry for Cloud Map service '${cm.logicalId}' has no resolvable container port; skipping.`);
-				continue;
-			}
-			const ownerKey = `${ownerKeyPrefix}:sr:${j}`;
-			const handle = discovery.registry.register(cm.namespaceName, cm.name, {
-				ip,
-				port,
-				ownerKey
-			});
-			instance.cloudMapHandles.push(handle);
-			j++;
-		}
-	}
-}
-/**
-* Long-running watcher loop for one replica. Polls the essential
-* container's exit code via `docker wait`; on exit, decides whether to
-* restart per `restartPolicy` + applies exponential backoff. The loop
-* exits only when the replica's `shuttingDown` flag is set.
-*/
-async function watchReplica(service, options, instance, runState) {
-	const logger = getLogger().child("ecs-service");
-	while (!instance.shuttingDown && !runState.shuttingDown) {
-		const essentialId = pickEssentialContainerId(instance, service);
-		if (!essentialId) {
-			await sleep(500);
-			continue;
-		}
-		let exitCode;
-		try {
-			exitCode = await waitForExitImpl(essentialId);
-		} catch (err) {
-			logger.debug(`docker wait failed for replica ${instance.index}: ${err instanceof Error ? err.message : String(err)}`);
-			exitCode = -1;
-		}
-		if (instance.shuttingDown || runState.shuttingDown) return;
-		logger.warn(`Replica ${instance.index} essential container exited with code ${exitCode} (restartCount=${instance.restartCount}).`);
-		if (!shouldRestart(exitCode, options.restartPolicy)) {
-			logger.warn(`Replica ${instance.index} not restarting (policy=${options.restartPolicy}, exit=${exitCode}). Service running in degraded mode.`);
-			instance.shuttingDown = true;
-			return;
-		}
-		const delay = backoffDelayMs(instance.restartCount);
-		logger.info(`Restarting replica ${instance.index} in ${delay}ms...`);
-		await sleep(delay);
-		if (instance.shuttingDown || runState.shuttingDown) return;
-		if (options.discovery) {
-			for (const handle of instance.cloudMapHandles) try {
-				options.discovery.registry.unregister(handle);
-			} catch {}
-			instance.cloudMapHandles = [];
-		}
-		try {
-			await cleanupEcsRun(instance.state, { keepRunning: false });
-		} catch (err) {
-			logger.debug(`Replica ${instance.index} pre-restart cleanup failed: ${err instanceof Error ? err.message : String(err)}`);
-		}
-		instance.state = createEcsRunState();
-		instance.restartCount += 1;
-		const bootPromise = bootReplica(service, options, instance);
-		instance.inFlightBoot = bootPromise;
-		try {
-			await bootPromise;
-		} catch (err) {
-			instance.lastError = err instanceof Error ? err : new Error(String(err));
-			logger.error(`Replica ${instance.index} restart failed: ${instance.lastError.message}. Service running in degraded mode.`);
-			instance.shuttingDown = true;
-			return;
-		} finally {
-			instance.inFlightBoot = void 0;
-		}
-	}
-}
-function pickEssentialContainerId(instance, service) {
-	if (service) {
-		const essential = service.task.containers.find((c) => c.essential) ?? service.task.containers[0];
-		if (essential) {
-			const started = instance.state.startedContainers.find((c) => c.name === essential.name);
-			if (started) return started.id;
-		}
-	}
-	return instance.state.startedContainers[0]?.id;
-}
-/**
-* Production `docker wait <id>` implementation. Captured once so the
-* test override can restore it without duplicating the body.
-*/
-const defaultWaitForExitImpl = async (containerId) => {
-	const { execFile } = await import("node:child_process");
-	const { promisify } = await import("node:util");
-	const { getDockerCmd } = await import("./docker-cmd-iDMcWcre.js").then((n) => n.t);
-	const { stdout } = await promisify(execFile)(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
-	const code = parseInt(stdout.trim(), 10);
-	return Number.isFinite(code) ? code : -1;
-};
-/**
-* `docker wait <id>` returns the exit code on stdout. Extracted as a
-* test-overridable function so unit tests do not need a real container.
-*/
-let waitForExitImpl = defaultWaitForExitImpl;
-const defaultSleepImpl = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
-let sleepImpl = defaultSleepImpl;
-function sleep(ms) {
-	return sleepImpl(ms);
-}
-
 //#endregion
 //#region src/cli/commands/local-start-service.ts
 /**
-* `cdkd local start-service <Stack/Service>` — Phase 2 of #262. Spins up
-* `DesiredCount` task replicas locally (clamped by `--max-tasks`) using
-* the existing `ecs-task-runner` per replica. Long-running; ^C cleans
-* every replica + sidecar + per-task network.
-*
-* Deferred to follow-up PRs (matches the issue's PR-split):
-*   - Local LB emulator (listener + round-robin + target-group health
-*     check) — PR C of #466.
-*   - Rolling deployment (`--watch` / `--reload`) — PR D of #466.
-*   - Service Connect / Cloud Map — tracked separately in #460.
+* `cdkl start-service` strategy — name one or more ECS services and the engine
+* boots their replicas. There is no front-door listener (services are reached
+* directly via their published container ports). Mirrors `albStrategy` in
+* shape, with `frontDoor` omitted and `lbPortOverrides` empty.
 */
-async function localStartServiceCommand(targets, options) {
-	const logger = getLogger();
-	if (options.verbose) logger.setLevel("debug");
-	warnIfDeprecatedRegion(options);
-	const skipPull = options.pull === false;
-	if (!targets || targets.length === 0) throw new LocalStartServiceError("cdkd local start-service requires at least one <target>. Pass one or more service paths like 'Stack/Orders' 'Stack/Frontend'.");
-	rejectExplicitCfnStackWithMultipleStacks(options, targets.length);
-	const perTarget = targets.map((t) => ({
-		target: t,
-		runState: createServiceRunState()
-	}));
-	let sigintHandler;
-	let sigintCount = 0;
-	let sharedNetwork;
-	let profileCredsFile;
-	const cleanup = singleFlight(async () => {
-		await Promise.allSettled(perTarget.map(async (pt) => {
-			if (pt.controller) await pt.controller.shutdown();
-			else {
-				await Promise.allSettled(pt.runState.replicas.map((r) => r.inFlightBoot).filter((p) => p !== void 0));
-				await Promise.allSettled(pt.runState.replicas.map((r) => cleanupEcsRun(r.state, { keepRunning: false }).catch(() => void 0)));
-			}
-		}));
-		if (profileCredsFile) {
-			try {
-				await profileCredsFile.dispose();
-			} catch (err) {
-				getLogger().warn(`Failed to remove profile credentials tmpdir ${profileCredsFile.hostPath}: ${err instanceof Error ? err.message : String(err)}`);
-			}
-			profileCredsFile = void 0;
-		}
-		if (sharedNetwork) {
-			try {
-				await destroyTaskNetwork(sharedNetwork);
-			} catch (err) {
-				getLogger().warn(`shared service network teardown failed: ${err instanceof Error ? err.message : String(err)}`);
-			}
-			sharedNetwork = void 0;
-		}
-	}, (err) => getLogger().warn(`service cleanup failed: ${err instanceof Error ? err.message : String(err)}`));
-	try {
-		await applyRoleArnIfSet({
-			roleArn: options.roleArn,
-			region: options.region
-		});
-		await ensureDockerAvailable();
-		const appCmd = resolveApp(options.app);
-		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKD_APP, or add \"app\" to cdk.json.");
-		logger.info("Synthesizing CDK app...");
-		const synthesizer = new Synthesizer();
-		const context = parseContextOptions(options.context);
-		const synthOpts = {
-			app: appCmd,
-			output: options.output,
-			...options.region && { region: options.region },
-			...options.profile && { profile: options.profile },
-			...Object.keys(context).length > 0 && { context },
-			...options.stateBucket && { stateBucket: options.stateBucket },
-			...options.profile && { macroExpandS3ClientOpts: { profile: options.profile } }
-		};
-		const { stacks } = await synthesizer.synthesize(synthOpts);
-		const cloudMapIndexByStack = /* @__PURE__ */ new Map();
-		for (const stack of stacks) {
-			const index = buildCloudMapIndex(stack);
-			cloudMapIndexByStack.set(stack.stackName, index);
-			for (const w of index.warnings) logger.warn(w);
-		}
-		const registry = new CloudMapRegistry();
-		const sidecarCredentials = await resolveSharedSidecarCredentials$1(options);
-		try {
-			sharedNetwork = await createSharedSvcNetwork({
-				prefix: options.cluster,
-				skipPull,
-				cluster: options.cluster,
-				...sidecarCredentials !== void 0 && { credentials: sidecarCredentials }
-			});
-		} catch (err) {
-			throw new LocalStartServiceError(`Failed to create shared service network: ${err instanceof Error ? err.message : String(err)}`);
-		}
-		if (options.profile && sidecarCredentials) profileCredsFile = await writeProfileCredentialsFile(options.profile, sidecarCredentials);
-		const discovery = {
-			registry,
-			cloudMapIndexByStack,
-			sharedNetwork
-		};
-		sigintHandler = () => {
-			sigintCount += 1;
-			if (sigintCount >= 2) {
-				process.stderr.write("Force-exit on second ^C; container cleanup skipped.\n");
-				process.exit(130);
-			}
-			logger.info("Stopping service(s)...");
-			cleanup().then(() => process.exit(130));
-		};
-		process.on("SIGINT", sigintHandler);
-		process.on("SIGTERM", sigintHandler);
-		for (const pt of perTarget) pt.controller = await bootOneTarget(pt.target, pt.runState, stacks, options, discovery, skipPull, profileCredsFile);
-		const summary = perTarget.map((pt) => `${pt.controller.service.serviceName} (${pt.controller.activeReplicaCount()} replica(s))`).join(", ");
-		logger.info(`Service(s) running: ${summary}. Press ^C to shut down.`);
-		await Promise.all(perTarget.map((pt) => pt.controller.waitForShutdown()));
-	} finally {
-		if (sigintHandler) {
-			process.off("SIGINT", sigintHandler);
-			process.off("SIGTERM", sigintHandler);
-		}
-		await cleanup();
-	}
-}
-/**
-* Boot one target. Extracted from the loop so each per-service block
-* (image context, cross-stack resolver, task-role credentials, runner
-* options) is scoped locally. Returns the started controller for the
-* outer code to wait + tear down.
-*/
-async function bootOneTarget(target, runState, stacks, options, discovery, skipPull, profileCredsFile) {
-	const candidate = pickCandidateStack(parseEcsTarget(target).stackPattern, stacks);
-	const stateProvider = createLocalStateProvider$1(options, candidate?.stackName ?? "", candidate?.region);
-	try {
-		return await runOneTarget(target, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile);
-	} finally {
-		if (stateProvider) stateProvider.dispose();
-	}
-}
-async function runOneTarget(target, runState, stacks, options, discovery, skipPull, stateProvider, profileCredsFile) {
-	const logger = getLogger();
-	const imageContext = await buildEcsImageResolutionContext$1(target, stacks, options, stateProvider);
-	const service = resolveEcsServiceTarget(target, stacks, imageContext);
-	logger.info(`Target: ${service.stack.stackName}/${service.serviceLogicalId} (service=${service.serviceName}, desiredCount=${service.desiredCount}, task=${service.task.taskDefinitionLogicalId})`);
-	for (const w of service.warnings) logger.warn(w);
-	if (service.serviceConnect) logger.info(`Service Connect: namespace='${service.serviceConnect.namespaceName}', ${service.serviceConnect.services.length} service(s) registered for peer discovery.`);
-	if (service.serviceRegistries.length > 0) logger.info(`Cloud Map: ${service.serviceRegistries.length} ServiceRegistry binding(s).`);
-	const taskNeeds = detectEcsImageResolutionNeeds(stacks.find((s) => s.stackName === service.stack.stackName) ?? service.stack);
-	if (stateProvider && taskNeeds.needsCrossStackResolver) {
-		const consumerRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? service.stack.region ?? "us-east-1";
-		const resolver = await stateProvider.buildCrossStackResolver(consumerRegion);
-		if (resolver) {
-			const subContext = {
-				resources: imageContext?.stateResources ?? {},
-				...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
-				consumerRegion,
-				crossStackResolver: resolver
-			};
-			await applyCrossStackResolverToTask(service.task, subContext);
-		}
-	} else if (!stateProvider && taskNeeds.needsCrossStackResolver) logger.warn("Container Environment / Secrets entries contain Fn::ImportValue / Fn::GetStackOutput intrinsics. Pass --from-state (cdkd-deployed) or --from-cfn-stack (cdk-deployed) to substitute them against deployed state.");
-	let assumedCredentials;
-	let resolvedRoleArn;
-	if (options.assumeTaskRole === true) {
-		if (!service.task.taskRoleArn) throw new LocalStartServiceError(`--assume-task-role passed without an ARN but service '${service.serviceLogicalId}' has no resolvable TaskRoleArn. Pass the ARN explicitly: --assume-task-role <arn>`);
-		resolvedRoleArn = await resolvePlaceholderAccount(service.task.taskRoleArn, options.region);
-		assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
-	} else if (typeof options.assumeTaskRole === "string") {
-		resolvedRoleArn = options.assumeTaskRole;
-		assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
-	}
-	const envOverrides = readEnvOverridesFile$2(options.envVars);
-	const taskOpts = {
-		cluster: options.cluster,
-		containerHost: options.containerHost,
-		skipPull,
-		keepRunning: false,
-		detach: true
-	};
-	if (envOverrides) taskOpts.envOverrides = envOverrides;
-	if (assumedCredentials) taskOpts.taskCredentials = assumedCredentials;
-	if (resolvedRoleArn) taskOpts.taskRoleArn = resolvedRoleArn;
-	if (options.platform) taskOpts.platformOverride = options.platform;
-	if (options.region) taskOpts.region = options.region;
-	if (options.ecrRoleArn) taskOpts.ecrRoleArn = options.ecrRoleArn;
-	if (profileCredsFile && !assumedCredentials) taskOpts.profileCredentialsFile = {
-		hostPath: profileCredsFile.hostPath,
-		containerPath: profileCredsFile.containerPath,
-		profileName: profileCredsFile.profileName
+function serviceStrategy(_options) {
+	return {
+		pickEntries: (stacks) => listTargets(stacks).ecsServices,
+		pickerMessage: "Select one or more ECS services to run",
+		pickerNoun: "ECS services",
+		onMissing: () => new LocalStartServiceError(`${getEmbedConfig().cliName} start-service requires at least one <target>. Pass one or more service paths like 'Stack/Orders' 'Stack/Frontend', or run it in a TTY to pick interactively.`),
+		resolveBoots: (_stacks, chosenTargets) => ({
+			boots: chosenTargets.map((target) => ({ target })),
+			warnings: []
+		}),
+		lbPortOverrides: {}
 	};
-	return startEcsService(service, {
-		maxTasks: options.maxTasks,
-		restartPolicy: options.restartPolicy,
-		taskOptions: taskOpts,
-		discovery
-	}, runState);
-}
-async function resolvePlaceholderAccount(arn, region) {
-	if (!arn.includes("${AWS::AccountId}")) return arn;
-	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
-	const sts = new STSClient({ ...region && { region } });
-	try {
-		const account = (await sts.send(new GetCallerIdentityCommand({}))).Account;
-		if (!account) throw new LocalStartServiceError(`--assume-task-role: GetCallerIdentity returned no Account; cannot resolve placeholder ARN '${arn}'.`);
-		return arn.split(TASK_ROLE_ACCOUNT_PLACEHOLDER).join(account);
-	} finally {
-		sts.destroy();
-	}
-}
-async function assumeTaskRole(roleArn, region) {
-	const { STSClient, AssumeRoleCommand } = await import("@aws-sdk/client-sts");
-	const sts = new STSClient({ ...region && { region } });
-	try {
-		const creds = (await sts.send(new AssumeRoleCommand({
-			RoleArn: roleArn,
-			RoleSessionName: `cdkd-local-start-service-${Date.now()}`,
-			DurationSeconds: 3600
-		}))).Credentials;
-		if (!creds?.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) throw new LocalStartServiceError(`AssumeRole(${roleArn}) returned no usable credentials.`);
-		return {
-			accessKeyId: creds.AccessKeyId,
-			secretAccessKey: creds.SecretAccessKey,
-			sessionToken: creds.SessionToken
-		};
-	} finally {
-		sts.destroy();
-	}
 }
 /**
-* Build the substitution context the ECS resolver consumes. Identical
-* shape to `local-run-task.ts:buildEcsImageResolutionContext` — only
-* the candidate stack picker differs because services and tasks share
-* the same stack-pattern grammar.
+* `cdkl start-service <Stack/Service>...` — run one or more `AWS::ECS::Service`
+* resources locally as a long-running emulator. Spins up DesiredCount task
+* replicas per service (clamped by --max-tasks) using the same per-task
+* docker network + metadata sidecar pattern as `cdkd local run-task`, then
+* keeps each replica running and restarts it on exit per --restart-policy.
+* ^C tears every replica + sidecar + network down. When two or more
+* <target>s are supplied, every service is booted into a shared Cloud Map /
+* Service Connect registry so peer services discover each other via docker
+* --add-host overlay (Issue #460).
 */
-async function buildEcsImageResolutionContext$1(target, stacks, options, stateProvider) {
-	const logger = getLogger();
-	const candidate = pickCandidateStack(parseEcsTarget(target).stackPattern, stacks);
-	if (!candidate) return void 0;
-	const needs = detectEcsImageResolutionNeeds(candidate);
-	if (!needs.needsPseudoParameters && !needs.needsStateResources && !needs.needsEnvOrSecretSubstitution) return;
-	const ctx = {};
-	const wantsPseudoForEnvOrSecret = !!stateProvider && needs.needsEnvOrSecretSubstitution;
-	if (needs.needsPseudoParameters || wantsPseudoForEnvOrSecret) {
-		const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
-		if (!region) logger.warn("Resolver references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.");
-		let accountId;
-		try {
-			accountId = await resolveCallerAccountId$1(region);
-		} catch (err) {
-			logger.warn(`Resolver needs \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; affected env / secret entries will be dropped with per-key warnings.`);
-		}
-		const partitionAndSuffix = region ? derivePartitionAndUrlSuffix(region) : void 0;
-		ctx.pseudoParameters = {
-			...accountId !== void 0 && { accountId },
-			...region !== void 0 && { region },
-			...partitionAndSuffix && {
-				partition: partitionAndSuffix.partition,
-				urlSuffix: partitionAndSuffix.urlSuffix
-			}
-		};
-	}
-	const wantsState = needs.needsStateResources || needs.needsEnvOrSecretSubstitution;
-	if (stateProvider && wantsState) {
-		const loaded = await stateProvider.load(candidate.stackName, candidate.region);
-		if (loaded) ctx.stateResources = loaded.resources;
-	} else if (!stateProvider && needs.needsStateResources) logger.warn("Container Image references a same-stack AWS::ECR::Repository. Pass --from-state (cdkd-deployed) or --from-cfn-stack (cdk-deployed) to substitute the deployed repository URI.");
-	else if (!stateProvider && needs.needsEnvOrSecretSubstitution) logger.warn("Container Environment / Secrets entries contain CloudFormation intrinsics. Pass --from-state (cdkd-deployed) or --from-cfn-stack (cdk-deployed) to substitute them against the deployed cdkd state.");
-	return ctx;
-}
-function pickCandidateStack(stackPattern, stacks) {
-	if (stackPattern === null) {
-		if (stacks.length === 1) return stacks[0];
-		return;
-	}
-	const matched = matchStacks(stacks, [stackPattern]);
-	if (matched.length === 1) return matched[0];
-}
-async function resolveCallerAccountId$1(region) {
-	const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
-	const sts = new STSClient({ ...region && { region } });
-	try {
-		return (await sts.send(new GetCallerIdentityCommand({}))).Account;
-	} finally {
-		sts.destroy();
-	}
-}
-function readEnvOverridesFile$2(filePath) {
-	if (!filePath) return void 0;
-	let raw;
-	try {
-		raw = readFileSync(filePath, "utf-8");
-	} catch (err) {
-		throw new LocalStartServiceError(`Failed to read --env-vars file '${filePath}': ${err instanceof Error ? err.message : String(err)}`);
-	}
-	let parsed;
-	try {
-		parsed = JSON.parse(raw);
-	} catch (err) {
-		throw new LocalStartServiceError(`Failed to parse --env-vars file '${filePath}' as JSON: ${err instanceof Error ? err.message : String(err)}`);
-	}
-	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new LocalStartServiceError(`--env-vars file '${filePath}' must contain a JSON object at the top level.`);
-	return parsed;
-}
-function parsePositiveInt(raw, flagName) {
-	const parsed = parseInt(raw, 10);
-	if (!Number.isFinite(parsed) || parsed < 1) throw new LocalStartServiceError(`${flagName} must be a positive integer (got '${raw}').`);
-	return parsed;
-}
-/**
-* Hard cap on `--max-tasks` driven by the per-replica subnet allocator
-* in `ecs-service-runner.ts:pickSubnetOctet`. The allocator walks the
-* link-local /24 range `169.254.170.0..169.254.253.0` and **skips 171**
-* because that octet is owned by the shared-service network
-* (`SHARED_SVC_SUBNET_OCTET`) — assigning a per-replica network the
-* same /24 would have docker reject the duplicate-subnet `network
-* create`. The usable count is therefore 83 (Issue #544); beyond
-* that, the modulo-wrap collapses replica N's `/24` onto replica 0's
-* allocation and docker rejects the duplicate-subnet network creation
-* with a cryptic "Pool overlaps with other one on this address space"
-* error 30s into the boot — by which time some early replicas may
-* have spent docker-run budget. Reject at parse time so the user
-* gets an actionable error before any boot work fires.
-*
-* Raising this requires extending the allocator to walk a different
-* IP range.
-*/
-const MAX_TASKS_SUBNET_RANGE_CAP$1 = 83;
-function parseMaxTasks$1(raw) {
-	const parsed = parsePositiveInt(raw, "--max-tasks");
-	if (parsed > 83) throw new LocalStartServiceError(`--max-tasks ${parsed} exceeds the per-replica link-local /24 subnet allocator's range (${83}). The allocator in ecs-service-runner.ts assigns each replica its own 169.254.x.0/24 from the range 169.254.170.0..169.254.253.0; replica indices >= ${83} would collide with earlier replicas via modulo wrap. Lower --max-tasks to <= ${83}, or accept reduced local concurrency for high-DesiredCount services.`);
-	return parsed;
-}
-function parseRestartPolicy$1(raw) {
-	if (raw === "on-failure" || raw === "always" || raw === "none") return raw;
-	throw new LocalStartServiceError(`--restart-policy must be one of 'on-failure', 'always', or 'none' (got '${raw}').`);
-}
-/**
-* Issue #658: pick the credentials forwarded to the AWS-published
-* `amazon-ecs-local-container-endpoints` sidecar. `cdkd local
-* start-service`'s sidecar is SHARED across every replica boot in one
-* CLI invocation (design § 5 Option A), so this resolves ONCE at
-* startup. Precedence:
-*   1. `--profile <p>` → resolved via {@link resolveProfileCredentials}
-*      (the SDK's default credential provider chain — SSO / IAM
-*      Identity Center / fromIni / role-assumption). NEW in this PR.
-*   2. Not set → `undefined`; the sidecar runs with its own default
-*      credential chain (typically empty inside a fresh container —
-*      user containers will get 4xx from the credentials endpoint).
-*
-* Note: per-service `--assume-task-role <Service>=<arn>` overrides are
-* INTENTIONALLY NOT consulted here. The shared sidecar has no concept
-* of per-service IAM — per-service `TaskRoleArn` flows into each
-* container's env via `buildMetadataEnv` at boot time, where the
-* sidecar's `/role/<role-arn>` path resolves per-request. The shared
-* sidecar's OWN startup credentials govern only the fallback path
-* (containers that did not bind a `TaskRoleArn`).
-*
-* Extracted as an exported helper so a unit test can exercise both
-* branches without having to mock the full Synth + Docker + AWS
-* pipeline (the strategy PR #655 used for the Lambda container path).
-*/
-async function resolveSharedSidecarCredentials$1(options) {
-	if (options.profile) return resolveProfileCredentials(options.profile);
-}
 function createLocalStartServiceCommand() {
-	const cmd = new Command("start-service").description("Run one or more AWS::ECS::Service resources locally as a long-running emulator. Spins up DesiredCount task replicas per service (clamped by --max-tasks) using the same per-task docker network + metadata sidecar pattern as `cdkd local run-task`, then keeps each replica running and restarts it on exit per --restart-policy. ^C tears every replica + sidecar + network down. Each <target> accepts a CDK display path (MyStack/MyService) or stack-qualified logical ID (MyStack:MyServiceXYZ); single-stack apps may omit the stack prefix. When two or more <target>s are supplied, every service is booted into a shared Cloud Map / Service Connect registry so peer services discover each other via docker --add-host overlay (Issue #460).").argument("<targets...>", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ECS::Service resources to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkd-local")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks$1)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy$1)).addOption(new Option("--from-state", "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt / Fn::ImportValue / Fn::GetStackOutput intrinsics in container images, environment variables, secrets, role ARNs, and volumes.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkd stack name; pass an explicit value when the CFn stack name differs. Mutually exclusive with --from-state. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-state when the same stack name has state in multiple regions, and with --from-cfn-stack as the CFn client region (cdkd does not have a separate --cfn-stack-region flag).")).action(withErrorHandling(localStartServiceCommand));
-	[
-		...commonOptions,
-		...appOptions,
-		...contextOptions,
-		...stateOptions
-	].forEach((opt) => cmd.addOption(opt));
-	cmd.addOption(deprecatedRegionOption);
-	return cmd;
+	return addCommonEcsServiceOptions(new Command("start-service").description("Run one or more AWS::ECS::Service resources locally as a long-running emulator. Spins up DesiredCount task replicas per service (clamped by --max-tasks) using the same per-task docker network + metadata sidecar pattern as `cdkd local run-task`, then keeps each replica running and restarts it on exit per --restart-policy. ^C tears every replica + sidecar + network down. Each <target> accepts a CDK display path (MyStack/MyService) or stack-qualified logical ID (MyStack:MyServiceXYZ); single-stack apps may omit the stack prefix. When two or more <target>s are supplied, every service is booted into a shared Cloud Map / Service Connect registry so peer services discover each other via docker --add-host overlay (Issue #460). Omit <targets> in an interactive terminal to multi-select the ECS services from a list.").argument("[targets...]", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ECS::Service resources to run (omit to multi-select interactively in a TTY)").addOption(new Option("--from-state", "Read cdkd's S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub / Fn::ImportValue / Fn::GetStackOutput intrinsics in container images, environment variables, secrets, role ARNs, and volumes. Mutually exclusive with --from-cfn-stack.").default(false)).addOption(new Option("--state-bucket <bucket>", "S3 bucket for --from-state. Falls back to CDKD_STATE_BUCKET env or cdk.json context.cdkd.stateBucket.")).addOption(new Option("--state-prefix <prefix>", "S3 key prefix for --from-state state files.").default("cdkd")).action(withErrorHandling(async (targets, options) => {
+		await runEcsServiceEmulator(targets, options, serviceStrategy(options), cdkdExtraStateProviders);
+	})));
 }
 
 //#endregion
@@ -52761,7 +51824,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.196.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.198.0");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());