@go-to-k/cdkd 0.196.0 → 0.198.0

package/dist/{deploy-engine-C6v_fcDw.js → deploy-engine-B3Xc-bxB.js}

@@ -1,6 +1,6 @@
-import { a as runDockerStreaming, c as getLogger, d as getLiveRenderer, g as generateResourceNameWithFallback, m as applyDefaultNameForFallback, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, v as withStackName } from "./docker-cmd-iDMcWcre.js";
-import { r as getAwsClients } from "./aws-clients-B15NAPbL.js";
-import { randomUUID } from "node:crypto";
+import { r as getAwsClients } from "./aws-clients-DWUnLza1.js";
+import { AsyncLocalStorage } from "node:async_hooks";
+import { createHash, randomUUID } from "node:crypto";
 import { DeleteObjectCommand, GetBucketLocationCommand, GetObjectCommand, HeadBucketCommand, HeadObjectCommand, ListObjectsV2Command, NoSuchKey, PutObjectCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { CloudControlClient, CreateResourceCommand, DeleteResourceCommand, GetResourceCommand, GetResourceRequestStatusCommand, ListResourcesCommand, UpdateResourceCommand } from "@aws-sdk/client-cloudcontrol";
 import { AttachRolePolicyCommand, CreateRoleCommand, DeleteRoleCommand, DeleteRolePermissionsBoundaryCommand, DeleteRolePolicyCommand, DetachRolePolicyCommand, GetRoleCommand, GetRolePolicyCommand, IAMClient, ListAttachedRolePoliciesCommand, ListInstanceProfilesForRoleCommand, ListRolePoliciesCommand, ListRoleTagsCommand, ListRolesCommand, NoSuchEntityException, PutRolePermissionsBoundaryCommand, PutRolePolicyCommand, RemoveRoleFromInstanceProfileCommand, TagRoleCommand, UntagRoleCommand, UpdateAssumeRolePolicyCommand, UpdateRoleCommand } from "@aws-sdk/client-iam";
@@ -27,6 +27,806 @@ import graphlib from "graphlib";
 import { DescribeDBClustersCommand, RDSClient } from "@aws-sdk/client-rds";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 
+//#region src/provisioning/resource-name.ts
+/**
+* Per-async-context stack name. Resource-name generation reads this so that
+* concurrent deploys (`cdkd deploy --all` runs stacks in parallel up to
+* `--stack-concurrency`) don't fight over a single shared variable.
+*
+* History: this was `let currentStackName: string | undefined` until
+* 2026-05-01. Two parallel `deploy()` calls would each call
+* `setCurrentStackName(...)` and the second would overwrite the first;
+* any IAM Role / SQS Queue / etc. created by the first stack while the
+* second was active would get the second stack's prefix in its physical
+* name, then the second stack's own create attempt for the same logical
+* id would collide ("Role with name X already exists"). Switching to
+* `AsyncLocalStorage` scopes the value to each deploy's async chain.
+*/
+const stackNameStore = new AsyncLocalStorage();
+function withStackName(stackName, fn) {
+	return stackNameStore.run(stackName, fn);
+}
+/**
+* Read the current async context's stack name, if any.
+*
+* Returns `undefined` outside any `withStackName` / `setCurrentStackName`
+* scope. Used by the live renderer to scope per-stack in-flight task
+* entries so concurrent deploys don't clobber each other's tasks (same
+* `logicalId` in two stacks would collide on the singleton renderer's
+* task Map without this).
+*/
+function getCurrentStackName() {
+	return stackNameStore.getStore();
+}
+/**
+* Per-async-context "skip the stack-name prefix on user-supplied physical
+* names" flag. Read by `generateResourceName` when its caller passes
+* `userSupplied: true`; auto-generated-name paths
+* (`generateResourceName(logicalId, ...)`) ignore this flag.
+*
+* Scoped via AsyncLocalStorage so that `--stack-concurrency > 1` runs
+* cannot cross-contaminate — each deploy's body is wrapped in its own
+* `withSkipPrefix(...)` scope (the deploy CLI plumbs the resolved
+* `--no-prefix-user-supplied-names` value through here). Default
+* `false` preserves pre-PR behavior when the flag is not set.
+*/
+const skipPrefixStore = new AsyncLocalStorage();
+function withSkipPrefix(skip, fn) {
+	return skipPrefixStore.run(skip, fn);
+}
+/**
+* Read the current async context's skip-prefix flag. Defaults to
+* `false` when no `withSkipPrefix` scope is active.
+*
+* Public for unit tests; `generateResourceName` consumes this
+* internally.
+*/
+function getCurrentSkipPrefix() {
+	return skipPrefixStore.getStore() ?? false;
+}
+/**
+* Resource types whose pre-PR #297 code path ran user-supplied
+* physical names through `generateResourceName` (= got the stack-name
+* prefix). These are the only types affected by
+* `--no-prefix-user-supplied-names`; flipping the flag against an
+* existing stack proposes REPLACEMENT on every state resource of
+* one of these types whose `physicalId` is still prefixed.
+*
+* Pattern A providers (Lambda, S3, SNS, SQS, DynamoDB, Logs LogGroup,
+* Events Rule, etc.) historically short-circuited user-supplied names
+* **out** of `generateResourceName` entirely — those types never got
+* the prefix regardless of the flag, so they are NOT included here.
+*
+* Used by the deploy-time pre-flight migration check in
+* `src/cli/commands/prefix-migration-check.ts`. Keep in sync with the
+* Pattern B provider call sites that consume
+* `generateResourceNameWithFallback(...)`.
+*/
+const PATTERN_B_RESOURCE_TYPES = [
+	"AWS::IAM::Role",
+	"AWS::IAM::User",
+	"AWS::IAM::Group",
+	"AWS::IAM::InstanceProfile",
+	"AWS::IAM::ManagedPolicy",
+	"AWS::ElasticLoadBalancingV2::LoadBalancer",
+	"AWS::ElasticLoadBalancingV2::TargetGroup"
+];
+/**
+* For each Pattern B resource type, the CFn template `Properties` field
+* the user sets to supply a physical name (`new iam.Role(this, 'X',
+* { roleName: 'my-role' })` → `Properties.RoleName: 'my-role'`).
+*
+* Used by the prefix-migration check to distinguish user-supplied
+* physical names (which the v0.94.0 default flip would actually
+* REPLACE on next deploy) from auto-generated logical-id-fallback
+* names (which keep the prefix in BOTH old and new default — no
+* REPLACE pending). Without this discriminator, the migration
+* check naively flags every prefix-style physicalId regardless of
+* its origin, surfacing a false-positive WARNING on auto-generated
+* names that won't actually be touched.
+*
+* Keep in sync with `PATTERN_B_RESOURCE_TYPES` and with each
+* provider's `Properties[<NameField>]` lookup in
+* `src/provisioning/providers/`.
+*/
+const PATTERN_B_NAME_PROPERTIES = {
+	"AWS::IAM::Role": "RoleName",
+	"AWS::IAM::User": "UserName",
+	"AWS::IAM::Group": "GroupName",
+	"AWS::IAM::InstanceProfile": "InstanceProfileName",
+	"AWS::IAM::ManagedPolicy": "ManagedPolicyName",
+	"AWS::ElasticLoadBalancingV2::LoadBalancer": "Name",
+	"AWS::ElasticLoadBalancingV2::TargetGroup": "Name"
+};
+/**
+* Generate a unique resource name from the logical ID.
+*
+* Generates names in CloudFormation-compatible format:
+* `{StackName}-{LogicalId}-{Hash}` (truncated to maxLength).
+*
+* @param name The raw name (from properties or logicalId fallback)
+* @param options Length and character constraints
+* @returns A sanitized, truncated name that fits the constraints
+*/
+function generateResourceName(name, options) {
+	const { maxLength, lowercase = false, allowedPattern = /[^a-zA-Z0-9-]/g, userSupplied = false } = options;
+	const currentStackName = stackNameStore.getStore();
+	const fullName = currentStackName && !(userSupplied && getCurrentSkipPrefix()) ? `${currentStackName}-${name}` : name;
+	let sanitized = lowercase ? fullName.toLowerCase() : fullName;
+	sanitized = sanitized.replace(allowedPattern, "-");
+	sanitized = sanitized.replace(/-{2,}/g, "-").replace(/^-+|-+$/g, "");
+	if (sanitized.length <= maxLength) return sanitized;
+	const hash = createHash("sha256").update(fullName).digest("hex").substring(0, 8);
+	const maxPrefixLength = maxLength - hash.length - 1;
+	return `${sanitized.substring(0, maxPrefixLength).replace(/-+$/, "")}-${hash}`;
+}
+/**
+* Generate a resource name from a user-declared physical name OR
+* fall back to the logical id.
+*
+* Wraps {@link generateResourceName} to express the Pattern B call-site
+* shape (`generateResourceName((properties['Name'] as string | undefined)
+* || logicalId, opts)`) as a single typed helper. The user-supplied
+* branch passes `userSupplied: true`, which makes the per-deploy
+* `withSkipPrefix(true)` flag drop the stack-name prefix on that name.
+* The fallback (logical-id) branch is `userSupplied: false` and keeps
+* the prefix regardless of the flag — auto-generated names rely on
+* the prefix for cross-stack uniqueness.
+*
+* Use at every Pattern B provider call site (currently IAM Role, IAM
+* User, IAM Group, IAM InstanceProfile, ELBv2 LoadBalancer, ELBv2
+* TargetGroup) so the `--no-prefix-user-supplied-names` flag controls
+* those types consistently. Pattern A providers (Lambda, S3, SNS,
+* SQS, DynamoDB, etc.) do NOT need this helper — they already
+* short-circuit the user-supplied name out of the
+* `generateResourceName` call entirely, so the prefix is never
+* applied to user-supplied names regardless of the flag.
+*/
+function generateResourceNameWithFallback(userSuppliedName, logicalId, options) {
+	if (userSuppliedName !== void 0 && userSuppliedName !== "") return generateResourceName(userSuppliedName, {
+		...options,
+		userSupplied: true
+	});
+	return generateResourceName(logicalId, {
+		...options,
+		userSupplied: false
+	});
+}
+/**
+* Default name generation rules for CC API fallback.
+*
+* When an SDK provider falls back to CC API, the resource may need a
+* default name that the SDK provider would have generated. This map
+* defines the name property and generation options for each resource type.
+*
+* Format: resourceType → { nameProperty, options, postProcess? }
+*/
+const FALLBACK_NAME_RULES = {
+	"AWS::S3::Bucket": {
+		nameProperty: "BucketName",
+		options: {
+			maxLength: 63,
+			lowercase: true
+		}
+	},
+	"AWS::SQS::Queue": {
+		nameProperty: "QueueName",
+		options: { maxLength: 80 }
+	},
+	"AWS::SNS::Topic": {
+		nameProperty: "TopicName",
+		options: { maxLength: 256 }
+	},
+	"AWS::Lambda::Function": {
+		nameProperty: "FunctionName",
+		options: { maxLength: 64 }
+	},
+	"AWS::Lambda::LayerVersion": {
+		nameProperty: "LayerName",
+		options: { maxLength: 64 }
+	},
+	"AWS::IAM::Role": {
+		nameProperty: "RoleName",
+		options: { maxLength: 64 }
+	},
+	"AWS::IAM::Policy": {
+		nameProperty: "PolicyName",
+		options: { maxLength: 64 }
+	},
+	"AWS::IAM::ManagedPolicy": {
+		nameProperty: "ManagedPolicyName",
+		options: { maxLength: 128 }
+	},
+	"AWS::IAM::User": {
+		nameProperty: "UserName",
+		options: { maxLength: 64 }
+	},
+	"AWS::IAM::Group": {
+		nameProperty: "GroupName",
+		options: { maxLength: 128 }
+	},
+	"AWS::IAM::InstanceProfile": {
+		nameProperty: "InstanceProfileName",
+		options: { maxLength: 128 }
+	},
+	"AWS::DynamoDB::Table": {
+		nameProperty: "TableName",
+		options: { maxLength: 255 }
+	},
+	"AWS::ECR::Repository": {
+		nameProperty: "RepositoryName",
+		options: {
+			maxLength: 256,
+			lowercase: true
+		}
+	},
+	"AWS::ECS::Cluster": {
+		nameProperty: "ClusterName",
+		options: { maxLength: 255 }
+	},
+	"AWS::ECS::Service": {
+		nameProperty: "ServiceName",
+		options: { maxLength: 255 }
+	},
+	"AWS::Logs::LogGroup": {
+		nameProperty: "LogGroupName",
+		options: { maxLength: 512 }
+	},
+	"AWS::CloudWatch::Alarm": {
+		nameProperty: "AlarmName",
+		options: { maxLength: 256 }
+	},
+	"AWS::Events::Rule": {
+		nameProperty: "Name",
+		options: { maxLength: 64 }
+	},
+	"AWS::Events::EventBus": {
+		nameProperty: "Name",
+		options: { maxLength: 256 }
+	},
+	"AWS::Kinesis::Stream": {
+		nameProperty: "Name",
+		options: { maxLength: 128 }
+	},
+	"AWS::StepFunctions::StateMachine": {
+		nameProperty: "StateMachineName",
+		options: { maxLength: 80 }
+	},
+	"AWS::SecretsManager::Secret": {
+		nameProperty: "Name",
+		options: {
+			maxLength: 512,
+			allowedPattern: /[^a-zA-Z0-9-/_]/g
+		}
+	},
+	"AWS::SSM::Parameter": {
+		nameProperty: "Name",
+		options: { maxLength: 2048 }
+	},
+	"AWS::Cognito::UserPool": {
+		nameProperty: "UserPoolName",
+		options: { maxLength: 128 }
+	},
+	"AWS::ElastiCache::SubnetGroup": {
+		nameProperty: "CacheSubnetGroupName",
+		options: {
+			maxLength: 255,
+			lowercase: true
+		}
+	},
+	"AWS::ElastiCache::CacheCluster": {
+		nameProperty: "ClusterName",
+		options: {
+			maxLength: 40,
+			lowercase: true
+		}
+	},
+	"AWS::RDS::DBSubnetGroup": {
+		nameProperty: "DBSubnetGroupName",
+		options: {
+			maxLength: 255,
+			lowercase: true
+		}
+	},
+	"AWS::RDS::DBCluster": {
+		nameProperty: "DBClusterIdentifier",
+		options: {
+			maxLength: 63,
+			lowercase: true
+		}
+	},
+	"AWS::RDS::DBInstance": {
+		nameProperty: "DBInstanceIdentifier",
+		options: {
+			maxLength: 63,
+			lowercase: true
+		}
+	},
+	"AWS::DocDB::DBSubnetGroup": {
+		nameProperty: "DBSubnetGroupName",
+		options: {
+			maxLength: 255,
+			lowercase: true
+		}
+	},
+	"AWS::DocDB::DBCluster": {
+		nameProperty: "DBClusterIdentifier",
+		options: {
+			maxLength: 63,
+			lowercase: true
+		}
+	},
+	"AWS::DocDB::DBInstance": {
+		nameProperty: "DBInstanceIdentifier",
+		options: {
+			maxLength: 63,
+			lowercase: true
+		}
+	},
+	"AWS::Neptune::DBSubnetGroup": {
+		nameProperty: "DBSubnetGroupName",
+		options: {
+			maxLength: 255,
+			lowercase: true
+		}
+	},
+	"AWS::Neptune::DBCluster": {
+		nameProperty: "DBClusterIdentifier",
+		options: {
+			maxLength: 63,
+			lowercase: true
+		}
+	},
+	"AWS::Neptune::DBInstance": {
+		nameProperty: "DBInstanceIdentifier",
+		options: {
+			maxLength: 63,
+			lowercase: true
+		}
+	},
+	"AWS::ElasticLoadBalancingV2::LoadBalancer": {
+		nameProperty: "Name",
+		options: { maxLength: 32 }
+	},
+	"AWS::ElasticLoadBalancingV2::TargetGroup": {
+		nameProperty: "Name",
+		options: { maxLength: 32 }
+	},
+	"AWS::WAFv2::WebACL": {
+		nameProperty: "Name",
+		options: { maxLength: 128 }
+	},
+	"AWS::CodeBuild::Project": {
+		nameProperty: "Name",
+		options: { maxLength: 255 }
+	},
+	"AWS::S3Express::DirectoryBucket": {
+		nameProperty: "BucketName",
+		options: {
+			maxLength: 63,
+			lowercase: true
+		}
+	}
+};
+/**
+* Apply default name generation for CC API fallback.
+*
+* When a resource doesn't have an explicit name property set,
+* generates the same default name that the SDK provider would have created.
+* This ensures consistent naming regardless of whether SDK or CC API handles the resource.
+*
+* @param logicalId Logical ID from the template
+* @param resourceType CloudFormation resource type
+* @param properties Resource properties (will not be mutated)
+* @returns Properties with default name applied if needed, or original properties if no rule exists
+*/
+function applyDefaultNameForFallback(logicalId, resourceType, properties) {
+	const rule = FALLBACK_NAME_RULES[resourceType];
+	if (!rule) return properties;
+	if (properties[rule.nameProperty]) return properties;
+	const generatedName = generateResourceName(logicalId, rule.options);
+	return {
+		...properties,
+		[rule.nameProperty]: generatedName
+	};
+}
+
+//#endregion
+//#region src/utils/live-renderer.ts
+/**
+* Live multi-line progress renderer for the bottom of the terminal.
+*
+* Maintains a "live area" listing in-flight tasks (Creating MyBucket...),
+* redrawn on a spinner timer. Other log output is routed through
+* {@link LiveRenderer.printAbove} so it appears above the live area without
+* disturbing the currently-displayed in-flight tasks.
+*
+* Design notes:
+* - Multiple resources can be in flight concurrently (cdkd uses parallel DAG
+*   dispatch), so a single in-place line overwrite is not enough — each
+*   in-flight resource is its own line in the live area.
+* - On non-TTY (CI/log-collection), the renderer stays inactive and
+*   {@link LiveRenderer.printAbove} falls through to a direct write, so output
+*   matches the previous append-only behavior.
+* - In verbose mode (debug level) the caller should not start the renderer:
+*   debug logs would interleave too aggressively with the live area.
+*/
+const SPINNER_FRAMES = [
+	"⠋",
+	"⠙",
+	"⠹",
+	"⠸",
+	"⠼",
+	"⠴",
+	"⠦",
+	"⠧",
+	"⠇",
+	"⠏"
+];
+const FRAME_INTERVAL_MS = 80;
+const ESC = "\x1B[";
+/**
+* Scope a task `id` to its calling stack so two stacks running in
+* parallel — `cdkd deploy --all` with `--stack-concurrency > 1` — don't
+* collide on the same `logicalId` in the renderer's task Map. Without
+* this, stack B's `addTask('MyQueue', ...)` would overwrite stack A's
+* entry, and stack A's later `removeTask('MyQueue')` would erase
+* stack B's.
+*/
+function scopedKey(id, stackName) {
+	return stackName ? `${stackName}:${id}` : id;
+}
+var LiveRenderer = class {
+	tasks = /* @__PURE__ */ new Map();
+	active = false;
+	spinnerIndex = 0;
+	interval = null;
+	linesDrawn = 0;
+	cursorHidden = false;
+	exitListener = null;
+	stream;
+	constructor(stream = process.stdout) {
+		this.stream = stream;
+	}
+	isActive() {
+		return this.active;
+	}
+	/**
+	* Enable the live renderer. No-op if stdout is not a TTY or if
+	* `CDKD_NO_LIVE=1`. Returns true if successfully enabled.
+	*/
+	start() {
+		if (this.active) return true;
+		if (!this.stream.isTTY) return false;
+		if (process.env["CDKD_NO_LIVE"] === "1") return false;
+		this.active = true;
+		this.hideCursor();
+		if (!this.exitListener) {
+			this.exitListener = () => this.showCursor();
+			process.on("exit", this.exitListener);
+		}
+		this.interval = setInterval(() => this.draw(), FRAME_INTERVAL_MS);
+		if (typeof this.interval.unref === "function") this.interval.unref();
+		return true;
+	}
+	stop() {
+		if (!this.active) return;
+		if (this.interval) {
+			clearInterval(this.interval);
+			this.interval = null;
+		}
+		this.clear();
+		this.showCursor();
+		if (this.exitListener) {
+			process.removeListener("exit", this.exitListener);
+			this.exitListener = null;
+		}
+		this.tasks.clear();
+		this.active = false;
+	}
+	addTask(id, label) {
+		const stackName = getCurrentStackName();
+		this.tasks.set(scopedKey(id, stackName), {
+			label,
+			startedAt: Date.now(),
+			stackName
+		});
+		if (this.active) this.draw();
+	}
+	removeTask(id) {
+		const stackName = getCurrentStackName();
+		if (!this.tasks.delete(scopedKey(id, stackName))) return;
+		if (this.active) this.draw();
+	}
+	/**
+	* Replace the label of a previously-added task in place. No-op if the
+	* task is not currently tracked (e.g. it already finished). Used by the
+	* per-resource deadline wrapper to surface a "[taking longer than
+	* expected, Nm+]" suffix without disturbing the elapsed-time counter
+	* the renderer tracks via `startedAt`.
+	*/
+	updateTaskLabel(id, label) {
+		const stackName = getCurrentStackName();
+		const task = this.tasks.get(scopedKey(id, stackName));
+		if (!task) return;
+		task.label = label;
+		if (this.active) this.draw();
+	}
+	/**
+	* Print content above the live area. Clears the live area, runs the writer,
+	* then redraws the live area. When the renderer is inactive, the writer
+	* runs directly so callers can use this unconditionally.
+	*/
+	printAbove(write) {
+		if (!this.active) {
+			write();
+			return;
+		}
+		this.clear();
+		write();
+		this.draw();
+	}
+	clear() {
+		if (this.linesDrawn === 0) return;
+		this.stream.write("\r");
+		for (let i = 0; i < this.linesDrawn; i++) this.stream.write(`${ESC}1A${ESC}2K`);
+		this.linesDrawn = 0;
+	}
+	draw() {
+		if (!this.active) return;
+		this.clear();
+		if (this.tasks.size === 0) return;
+		const frame = SPINNER_FRAMES[this.spinnerIndex % SPINNER_FRAMES.length];
+		this.spinnerIndex++;
+		const distinctStacks = /* @__PURE__ */ new Set();
+		for (const task of this.tasks.values()) distinctStacks.add(task.stackName);
+		const showStackPrefix = distinctStacks.size > 1;
+		const cols = this.stream.columns ?? 80;
+		const lines = [];
+		for (const task of this.tasks.values()) {
+			const elapsed = ((Date.now() - task.startedAt) / 1e3).toFixed(1);
+			const raw = `  ${frame} ${showStackPrefix && task.stackName ? `[${task.stackName}] ` : ""}${task.label} (${elapsed}s)`;
+			lines.push(this.truncate(raw, cols));
+		}
+		this.stream.write(lines.join("\n") + "\n");
+		this.linesDrawn = lines.length;
+	}
+	truncate(s, maxLen) {
+		if (s.length <= maxLen) return s;
+		if (maxLen <= 1) return "…";
+		return s.substring(0, maxLen - 1) + "…";
+	}
+	hideCursor() {
+		if (this.cursorHidden) return;
+		this.stream.write(`${ESC}?25l`);
+		this.cursorHidden = true;
+	}
+	showCursor() {
+		if (!this.cursorHidden) return;
+		this.stream.write(`${ESC}?25h`);
+		this.cursorHidden = false;
+	}
+};
+let globalRenderer = null;
+function getLiveRenderer() {
+	if (!globalRenderer) globalRenderer = new LiveRenderer();
+	return globalRenderer;
+}
+
+//#endregion
+//#region src/utils/stack-context.ts
+const outputBufferStore = new AsyncLocalStorage();
+/**
+* Run `fn` with a fresh log buffer scoped to its async chain. Any
+* `logger.info / debug / warn / error` calls inside `fn` (and any
+* `await`s) push into the buffer instead of writing to stdout/stderr.
+* Returns the buffered lines (and either `result` or `error`) so the
+* caller can flush them in one block.
+*/
+async function runStackBuffered(fn) {
+	const buffer = { lines: [] };
+	return outputBufferStore.run(buffer, async () => {
+		try {
+			return {
+				ok: true,
+				result: await fn(),
+				lines: buffer.lines
+			};
+		} catch (error) {
+			return {
+				ok: false,
+				error,
+				lines: buffer.lines
+			};
+		}
+	});
+}
+/**
+* Get the current async context's stack output buffer, or `undefined`
+* if no `runStackBuffered` is active. The logger consults this on every
+* call: present → push to buffer; absent → fall through to live
+* renderer / console.
+*/
+function getCurrentStackOutputBuffer() {
+	return outputBufferStore.getStore();
+}
+
+//#endregion
+//#region src/utils/logger.ts
+/**
+* ANSI color codes
+*
+* Kept internal — `ConsoleLogger.formatMessage` references these for the
+* verbose/compact mode level prefixes. For inline color wrapping in
+* production code, import from `./colors.js` instead (which lives in a
+* separate module so unit tests that mock `logger.ts` don't strip color
+* helpers as a side effect).
+*/
+const colors = {
+	reset: "\x1B[0m",
+	bright: "\x1B[1m",
+	dim: "\x1B[2m",
+	red: "\x1B[31m",
+	green: "\x1B[32m",
+	yellow: "\x1B[33m",
+	blue: "\x1B[34m",
+	cyan: "\x1B[36m",
+	gray: "\x1B[90m"
+};
+/**
+* Format timestamp
+*/
+function formatTimestamp() {
+	return (/* @__PURE__ */ new Date()).toISOString();
+}
+/**
+* Console logger implementation
+*
+* Supports two output modes:
+* - verbose (debug level): timestamps, module prefixes, all details
+* - compact (info level): clean output without timestamps or prefixes
+*/
+var ConsoleLogger = class {
+	level;
+	useColors;
+	constructor(level = "info", useColors = true) {
+		this.level = level;
+		this.useColors = useColors;
+	}
+	shouldLog(level) {
+		const levels = [
+			"debug",
+			"info",
+			"warn",
+			"error"
+		];
+		const currentLevelIndex = levels.indexOf(this.level);
+		return levels.indexOf(level) >= currentLevelIndex;
+	}
+	formatMessage(level, message, ...args) {
+		const formattedArgs = args.length > 0 ? " " + args.map((a) => JSON.stringify(a)).join(" ") : "";
+		if (this.level === "debug") {
+			const timestamp = formatTimestamp();
+			const levelStr = level.toUpperCase().padEnd(5);
+			if (this.useColors) {
+				const levelColor = {
+					debug: colors.gray,
+					info: colors.blue,
+					warn: colors.yellow,
+					error: colors.red
+				}[level];
+				return `${colors.dim}${timestamp}${colors.reset} ${levelColor}${levelStr}${colors.reset} ${message}${formattedArgs}`;
+			}
+			return `${timestamp} ${levelStr} ${message}${formattedArgs}`;
+		}
+		if (this.useColors) {
+			if (level === "error") return `${colors.red}${message}${formattedArgs}${colors.reset}`;
+			if (level === "warn") return `${colors.yellow}${message}${formattedArgs}${colors.reset}`;
+			return `${message}${formattedArgs}`;
+		}
+		return `${message}${formattedArgs}`;
+	}
+	/**
+	* Route a formatted log line. When a per-stack output buffer is active in
+	* the current async context (parallel multi-stack deploy), capture the
+	* line into the buffer so it can be flushed as one atomic block when the
+	* stack finishes. Otherwise fall through to the live renderer / console
+	* as before.
+	*/
+	emit(level, formatted) {
+		const buffer = getCurrentStackOutputBuffer();
+		if (buffer) {
+			buffer.lines.push(formatted);
+			return;
+		}
+		getLiveRenderer().printAbove(() => {
+			if (level === "error") console.error(formatted);
+			else if (level === "warn") console.warn(formatted);
+			else if (level === "info") console.info(formatted);
+			else console.debug(formatted);
+		});
+	}
+	debug(message, ...args) {
+		if (this.shouldLog("debug")) this.emit("debug", this.formatMessage("debug", message, ...args));
+	}
+	info(message, ...args) {
+		if (this.shouldLog("info")) this.emit("info", this.formatMessage("info", message, ...args));
+	}
+	warn(message, ...args) {
+		if (this.shouldLog("warn")) this.emit("warn", this.formatMessage("warn", message, ...args));
+	}
+	error(message, ...args) {
+		if (this.shouldLog("error")) this.emit("error", this.formatMessage("error", message, ...args));
+	}
+	/**
+	* Set log level
+	*/
+	setLevel(level) {
+		this.level = level;
+	}
+	getLevel() {
+		return this.level;
+	}
+	/**
+	* Create a child logger with a prefix
+	*
+	* In verbose mode, prefix is shown as [Prefix]. In compact mode, prefix is hidden.
+	*/
+	child(prefix) {
+		return new ChildLogger(prefix, this.useColors);
+	}
+};
+/**
+* Child logger that always syncs level from global logger
+*/
+var ChildLogger = class extends ConsoleLogger {
+	prefix;
+	constructor(prefix, useColors) {
+		super("info", useColors);
+		this.prefix = prefix;
+	}
+	syncLevel() {
+		if (globalLogger) this.setLevel(globalLogger.getLevel());
+	}
+	debug(message, ...args) {
+		this.syncLevel();
+		super.debug(`[${this.prefix}] ${message}`, ...args);
+	}
+	info(message, ...args) {
+		this.syncLevel();
+		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
+		super.info(msg, ...args);
+	}
+	warn(message, ...args) {
+		this.syncLevel();
+		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
+		super.warn(msg, ...args);
+	}
+	error(message, ...args) {
+		this.syncLevel();
+		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
+		super.error(msg, ...args);
+	}
+};
+/**
+* Global logger instance
+*/
+let globalLogger = null;
+/**
+* Get or create global logger
+*/
+function getLogger() {
+	if (!globalLogger) globalLogger = new ConsoleLogger();
+	return globalLogger;
+}
+/**
+* Set global logger instance
+*/
+function setLogger(logger) {
+	globalLogger = logger;
+}
+
+//#endregion
 //#region src/utils/error-handler.ts
 /**
 * Base error class for cdkd
@@ -2412,7 +3212,7 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
 	logger.debug("No state bucket specified, resolving default from account...");
 	const { GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
 	const { S3Client } = await import("@aws-sdk/client-s3");
-	const { getAwsClients } = await import("./aws-clients-B15NAPbL.js").then((n) => n.n);
+	const { getAwsClients } = await import("./aws-clients-DWUnLza1.js").then((n) => n.n);
 	const accountId = (await getAwsClients().sts.send(new GetCallerIdentityCommand({}))).Account;
 	const newName = getDefaultStateBucketName(accountId);
 	const legacyName = getLegacyStateBucketName(accountId, region);
@@ -2787,6 +3587,195 @@ var FileAssetPublisher = class {
 	}
 };
 
+//#endregion
+//#region src/utils/docker-cmd.ts
+/**
+* Shared helpers for invoking the docker-compatible CLI binary across cdkd.
+*
+* Two parity decisions with `aws-cdk-cli`'s `cdk-assets-lib`:
+*   1. `CDK_DOCKER` env var swaps the binary so podman / finch users can
+*      run cdkd without code changes (`CDK_DOCKER=podman cdkd deploy`).
+*   2. `runDockerStreaming` uses streaming spawn rather than `execFile`'s
+*      buffered `maxBuffer` ceiling. BuildKit's progress output can run to
+*      tens of MB on multi-stage builds with `# syntax=docker/dockerfile:1`
+*      frontend downloads + heredoc / `RUN --mount=...` features; the 50 MB
+*      `execFile` ceiling cdkd used to set silently killed those builds
+*      with `ERR_CHILD_PROCESS_STDIO_MAXBUFFER`.
+*
+* Output handling: stdout/stderr are collected in memory unconditionally so
+* `runDockerStreaming` can return them to the caller for error wrapping.
+* When the logger is at debug level (i.e. the user passed `--verbose`),
+* the chunks are ALSO mirrored to `process.stdout` / `process.stderr` so
+* the user sees live build progress.
+*/
+/**
+* Return the docker-compatible CLI binary to invoke. Matches CDK CLI:
+* `CDK_DOCKER` env var overrides the default `docker` so users on
+* podman / finch / nerdctl can swap without changing cdkd code.
+*/
+function getDockerCmd() {
+	const override = process.env["CDK_DOCKER"];
+	return override && override.length > 0 ? override : "docker";
+}
+/**
+* Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) with
+* streaming I/O. Collects stdout/stderr in memory and resolves with both
+* on exit code 0; rejects with a `SpawnError` carrying both streams on any
+* non-zero exit so the caller can wrap with its own error class without
+* losing the upstream output.
+*
+* No `maxBuffer` ceiling: BuildKit progress output frequently exceeds the
+* `child_process.execFile` default of 1 MB (cdkd previously bumped to 50 MB
+* but BuildKit + frontend pulls can still exceed that on first-time builds).
+*/
+async function runDockerStreaming(args, options = {}) {
+	return spawnStreaming(getDockerCmd(), args, options);
+}
+/**
+* Generic streaming spawn — used by `runDockerStreaming` AND by the
+* `executable` source mode in `docker-build.ts` (which runs an arbitrary
+* user-supplied build command, not docker).
+*/
+async function spawnStreaming(cmd, args, options = {}) {
+	const streamLive = options.streamLive ?? getLogger().getLevel() === "debug";
+	const env = options.env ? mergeEnv(options.env) : void 0;
+	return new Promise((resolve, reject) => {
+		const child = spawn(cmd, args, {
+			cwd: options.cwd,
+			env,
+			stdio: [
+				options.input ? "pipe" : "ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+		const stdoutChunks = [];
+		const stderrChunks = [];
+		child.stdout.on("data", (chunk) => {
+			stdoutChunks.push(chunk);
+			if (streamLive) process.stdout.write(chunk);
+		});
+		child.stderr.on("data", (chunk) => {
+			stderrChunks.push(chunk);
+			if (streamLive) process.stderr.write(chunk);
+		});
+		child.once("error", (err) => {
+			if (err.code === "ENOENT") {
+				const usingOverride = process.env["CDK_DOCKER"] === cmd && cmd !== "docker";
+				reject(/* @__PURE__ */ new Error(usingOverride ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.` : `Failed to find and execute '${cmd}'. Install Docker (or set the 'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`));
+			} else reject(err);
+		});
+		child.once("close", (code) => {
+			const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
+			const stderr = Buffer.concat(stderrChunks).toString("utf-8");
+			if (code === 0) resolve({
+				stdout,
+				stderr
+			});
+			else {
+				const message = stderr.trim() || stdout.trim() || `${cmd} ${args[0] ?? ""} exited with code ${code}`;
+				const err = new Error(message);
+				err.stderr = stderr;
+				err.stdout = stdout;
+				err.exitCode = code;
+				reject(err);
+			}
+		});
+		if (options.input !== void 0) {
+			child.stdin.on("error", () => {});
+			child.stdin.write(options.input);
+			child.stdin.end();
+		}
+	});
+}
+/**
+* Spawn a docker-compatible CLI binary (resolved via `getDockerCmd`) attached
+* to the parent process's stdio so the user sees live output (`docker pull`
+* layer progress, `docker login` interactive prompts that should never fire
+* with `--password-stdin` but still safe to inherit, etc.). Resolves on exit
+* code 0; rejects with a plain `Error` carrying the exit code on any non-zero
+* exit, so the caller can wrap with its own error class.
+*
+* Differs from {@link runDockerStreaming} in two ways:
+*   1. `stdio: 'inherit'` — output is NOT captured, so terminal control codes
+*      (color, progress bar overwrites) flow through unchanged. This is the
+*      load-bearing reason for the split: `docker pull`'s progress bars only
+*      animate properly when stdout is a real TTY connected to the parent.
+*   2. No `input` / `streamLive` options — inherit-mode has nothing to
+*      capture and nothing to mirror.
+*
+* Used by the `--verbose`-mode `docker pull` plumbing in `docker-runner.ts`
+* and `ecr-puller.ts` (visible layer progress). Non-verbose pulls go through
+* {@link runDockerStreaming} so stderr can be folded into the error message.
+*/
+async function runDockerForeground(args, options = {}) {
+	return spawnForeground(getDockerCmd(), args, options);
+}
+/**
+* Foreground (stdio-inherit) spawn — the inherit-mode counterpart to
+* {@link spawnStreaming}. Used by {@link runDockerForeground} for docker-CLI
+* subprocesses.
+*
+* The ENOENT branch crafts a docker-specific install hint ("Install Docker
+* (or set CDK_DOCKER ...)"), so non-docker callers reusing this helper
+* would see a misleading error on missing-binary failures. Keep the binary
+* docker-shaped, or update the ENOENT message before adding a non-docker
+* call site.
+*/
+async function spawnForeground(cmd, args, options = {}) {
+	const env = options.env ? mergeEnv(options.env) : void 0;
+	return new Promise((resolve, reject) => {
+		const child = spawn(cmd, args, {
+			cwd: options.cwd,
+			env,
+			stdio: "inherit"
+		});
+		child.once("error", (err) => {
+			if (err.code === "ENOENT") {
+				const usingOverride = process.env["CDK_DOCKER"] === cmd && cmd !== "docker";
+				reject(/* @__PURE__ */ new Error(usingOverride ? `Failed to find and execute '${cmd}' (resolved via CDK_DOCKER). Install '${cmd}' or unset CDK_DOCKER to fall back to 'docker'.` : `Failed to find and execute '${cmd}'. Install Docker (or set the 'CDK_DOCKER' environment variable to a compatible binary such as podman / finch).`));
+			} else reject(/* @__PURE__ */ new Error(`${cmd} failed: ${err.message}`));
+		});
+		child.once("close", (code) => {
+			if (code === 0) resolve();
+			else reject(/* @__PURE__ */ new Error(`${cmd} exited with code ${code}`));
+		});
+	});
+}
+/**
+* Format the stderr from a failed `docker login` so the surfaced cdkd
+* error gives the user an actionable workaround when the underlying
+* failure is a credential-helper persistence bug (which has nothing to
+* do with cdkd, AWS, or IAM perms — the docker CLI itself fails to
+* save the auth token to the platform's credential store). The most
+* common shape is `osxkeychain` on macOS rejecting an overwrite for
+* an existing entry, but `wincred` (Windows), `pass` (Linux), and
+* `secretservice` (Linux) hit the same class of `Error saving
+* credentials` failure, so the rewritten message stays platform-
+* agnostic — `docker logout <endpoint>` is the correct recovery on
+* every backend.
+*
+* Detected docker / docker-credential-* output patterns:
+*   - `error storing credentials - err: exit status 1, out: \`The
+*     specified item already exists in the keychain.\`` (osxkeychain)
+*   - `Error saving credentials: ...` (any backend)
+*
+* Non-matching failures (genuine IAM / network / endpoint problems)
+* pass through with just the stderr trimmed — the original message
+* stays load-bearing for diagnosis.
+*/
+function formatDockerLoginError(stderr, endpoint) {
+	const trimmed = stderr.trim();
+	if (trimmed.includes("already exists in the keychain") || trimmed.includes("Error saving credentials")) return `docker's credential helper (osxkeychain on macOS / wincred on Windows / pass / secretservice on Linux) failed to persist the ECR auth token. The "already exists in the keychain" / "Error saving credentials" output is a known docker-credential-helpers issue — unrelated to cdkd, AWS credentials, or IAM perms. Quick fix: run \`docker logout ${endpoint}\` to clear the stale entry, then retry the cdkd command. Permanent fix: edit ~/.docker/config.json and remove (or empty) the platform-specific "credsStore" entry (e.g. "osxkeychain" → "" or "desktop" on macOS Docker Desktop). Original docker stderr: ${trimmed}`;
+	return trimmed;
+}
+function mergeEnv(overrides) {
+	const merged = { ...process.env };
+	for (const [k, v] of Object.entries(overrides)) if (v === void 0) delete merged[k];
+	else merged[k] = v;
+	return merged;
+}
+
 //#endregion
 //#region src/assets/docker-build.ts
 /**
@@ -8325,8 +9314,8 @@ const PROPERTY_COVERAGE_BY_TYPE = new Map([
 		silentDrop: /* @__PURE__ */ new Map()
 	}],
 	["AWS::CloudFront::Distribution", {
-		handled: new Set(["DistributionConfig"]),
-		silentDrop: new Map([["Tags", "not yet implemented by cdkd"]])
+		handled: new Set(["DistributionConfig", "Tags"]),
+		silentDrop: /* @__PURE__ */ new Map()
 	}],
 	["AWS::CloudTrail::Trail", {
 		handled: new Set([
@@ -9273,6 +10262,7 @@ const PROPERTY_COVERAGE_BY_TYPE = new Map([
 			"MemorySize",
 			"PackageType",
 			"RecursiveLoop",
+			"ReservedConcurrentExecutions",
 			"Role",
 			"Runtime",
 			"SnapStart",
@@ -9287,7 +10277,6 @@ const PROPERTY_COVERAGE_BY_TYPE = new Map([
 			["DurableConfig", "not yet implemented by cdkd"],
 			["FunctionScalingConfig", "not yet implemented by cdkd"],
 			["PublishToLatestPublished", "not yet implemented by cdkd"],
-			["ReservedConcurrentExecutions", "not yet implemented by cdkd"],
 			["RuntimeManagementConfig", "not yet implemented by cdkd"],
 			["TenancyConfig", "not yet implemented by cdkd"]
 		])
@@ -12597,5 +13586,5 @@ var DeployEngine = class {
 };
 
 //#endregion
-export { AssetError as $, S3StateBackend as A, resolveCaptureObservedState as B, assertRegionMatch as C, DagBuilder as D, DiffCalculator as E, buildDockerImage as F, CFN_TEMPLATE_BODY_LIMIT as G, resolveStateBucketWithDefault as H, Synthesizer as I, findLargeInlineResources as J, CFN_TEMPLATE_URL_LIMIT as K, getDefaultStateBucketName as L, AssetPublisher as M, stringifyValue as N, TemplateParser as O, WorkGraph as P, resolveBucketRegion as Q, getLegacyStateBucketName as R, CloudControlProvider as S, applyRoleArnIfSet as T, resolveStateBucketWithDefaultAndSource as U, resolveSkipPrefix as V, warnDeprecatedNoPrefixCliFlag as W, AssemblyReader as X, uploadCfnTemplate as Y, clearBucketRegionCache as Z, matchesCdkPath as _, formatError as _t, withRetry as a, LocalStartServiceError as at, ProviderRegistry as b, withErrorHandling as bt, bold as c, NestedStackChildDirectDestroyError as ct, green as d, ResourceTimeoutError as dt, CdkdError as et, red as f, ResourceUpdateNotSupportedError as ft, CDK_PATH_TAG as g, SynthesisError as gt, collectInlinePolicyNamesManagedBySiblings as h, StateError as ht, withResourceDeadline as i, LocalMigrateError as it, shouldRetainResource as j, LockManager as k, cyan as l, PartialFailureError as lt, IAMRoleProvider as m, StackTerminationProtectionError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, DependencyError as nt, IMPLICIT_DELETE_DEPENDENCIES as o, LockError as ot, yellow as p, StackHasActiveImportsError as pt, MIGRATE_TMP_PREFIX as q, DeployEngine as r, LocalInvokeBuildError as rt, formatResourceLine as s, MissingCdkCliError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, ConfigError as tt, gray as u, ProvisioningError as ut, normalizeAwsTagsToCfn as v, isCdkdError as vt, IntrinsicFunctionResolver as w, findActionableSilentDrops as x, resolveExplicitPhysicalId as y, normalizeAwsError as yt, resolveApp as z };
-//# sourceMappingURL=deploy-engine-C6v_fcDw.js.map
+export { uploadCfnTemplate as $, S3StateBackend as A, PATTERN_B_NAME_PROPERTIES as At, Synthesizer as B, assertRegionMatch as C, normalizeAwsError as Ct, DagBuilder as D, setLogger as Dt, DiffCalculator as E, getLogger as Et, buildDockerImage as F, withStackName as Ft, resolveSkipPrefix as G, getLegacyStateBucketName as H, formatDockerLoginError as I, warnDeprecatedNoPrefixCliFlag as J, resolveStateBucketWithDefault as K, getDockerCmd as L, AssetPublisher as M, generateResourceName as Mt, stringifyValue as N, generateResourceNameWithFallback as Nt, TemplateParser as O, runStackBuffered as Ot, WorkGraph as P, withSkipPrefix as Pt, findLargeInlineResources as Q, runDockerForeground as R, CloudControlProvider as S, isCdkdError as St, applyRoleArnIfSet as T, ConsoleLogger as Tt, resolveApp as U, getDefaultStateBucketName as V, resolveCaptureObservedState as W, CFN_TEMPLATE_URL_LIMIT as X, CFN_TEMPLATE_BODY_LIMIT as Y, MIGRATE_TMP_PREFIX as Z, matchesCdkPath as _, StackHasActiveImportsError as _t, withRetry as a, ConfigError as at, ProviderRegistry as b, SynthesisError as bt, bold as c, LocalMigrateError as ct, green as d, MissingCdkCliError as dt, AssemblyReader as et, red as f, NestedStackChildDirectDestroyError as ft, CDK_PATH_TAG as g, ResourceUpdateNotSupportedError as gt, collectInlinePolicyNamesManagedBySiblings as h, ResourceTimeoutError as ht, withResourceDeadline as i, CdkdError as it, shouldRetainResource as j, PATTERN_B_RESOURCE_TYPES as jt, LockManager as k, getLiveRenderer as kt, cyan as l, LocalStartServiceError as lt, IAMRoleProvider as m, ProvisioningError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, resolveBucketRegion as nt, IMPLICIT_DELETE_DEPENDENCIES as o, DependencyError as ot, yellow as p, PartialFailureError as pt, resolveStateBucketWithDefaultAndSource as q, DeployEngine as r, AssetError as rt, formatResourceLine as s, LocalInvokeBuildError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, clearBucketRegionCache as tt, gray as u, LockError as ut, normalizeAwsTagsToCfn as v, StackTerminationProtectionError as vt, IntrinsicFunctionResolver as w, withErrorHandling as wt, findActionableSilentDrops as x, formatError as xt, resolveExplicitPhysicalId as y, StateError as yt, runDockerStreaming as z };
+//# sourceMappingURL=deploy-engine-B3Xc-bxB.js.map