@go-to-k/cdkd 0.200.0 → 0.201.1

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
-import { $ as uploadCfnTemplate, A as S3StateBackend, At as PATTERN_B_NAME_PROPERTIES, B as Synthesizer, C as assertRegionMatch, Ct as normalizeAwsError, D as DagBuilder, E as DiffCalculator, Et as getLogger, F as buildDockerImage, Ft as withStackName, G as resolveSkipPrefix, H as getLegacyStateBucketName, I as formatDockerLoginError, J as warnDeprecatedNoPrefixCliFlag, K as resolveStateBucketWithDefault, L as getDockerCmd, M as AssetPublisher, Mt as generateResourceName, N as stringifyValue, Nt as generateResourceNameWithFallback, O as TemplateParser, Ot as runStackBuffered, P as WorkGraph, Pt as withSkipPrefix, Q as findLargeInlineResources, R as runDockerForeground, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveApp, V as getDefaultStateBucketName, W as resolveCaptureObservedState, X as CFN_TEMPLATE_URL_LIMIT, Y as CFN_TEMPLATE_BODY_LIMIT, Z as MIGRATE_TMP_PREFIX, _ as matchesCdkPath, _t as StackHasActiveImportsError, a as withRetry, b as ProviderRegistry, c as bold, ct as LocalMigrateError, d as green, dt as MissingCdkCliError, et as AssemblyReader, f as red, ft as NestedStackChildDirectDestroyError, g as CDK_PATH_TAG, gt as ResourceUpdateNotSupportedError, h as collectInlinePolicyNamesManagedBySiblings, ht as ResourceTimeoutError, i as withResourceDeadline, it as CdkdError, j as shouldRetainResource, jt as PATTERN_B_RESOURCE_TYPES, k as LockManager, kt as getLiveRenderer, l as cyan, lt as LocalStartServiceError, m as IAMRoleProvider, mt as ProvisioningError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as resolveBucketRegion, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as PartialFailureError, q as resolveStateBucketWithDefaultAndSource, r as DeployEngine, s as formatResourceLine, st as LocalInvokeBuildError$1, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, v as normalizeAwsTagsToCfn, vt as StackTerminationProtectionError, w as IntrinsicFunctionResolver, wt as withErrorHandling, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, z as runDockerStreaming } from "./deploy-engine-DAPAdI1e.js";
+import { $ as uploadCfnTemplate, A as S3StateBackend, At as PATTERN_B_NAME_PROPERTIES, B as Synthesizer, C as assertRegionMatch, Ct as normalizeAwsError, D as DagBuilder, E as DiffCalculator, Et as getLogger, F as buildDockerImage, Ft as withStackName, G as resolveSkipPrefix, H as getLegacyStateBucketName, I as formatDockerLoginError, J as warnDeprecatedNoPrefixCliFlag, K as resolveStateBucketWithDefault, L as getDockerCmd, M as AssetPublisher, Mt as generateResourceName, N as stringifyValue, Nt as generateResourceNameWithFallback, O as TemplateParser, Ot as runStackBuffered, P as WorkGraph, Pt as withSkipPrefix, Q as findLargeInlineResources, R as runDockerForeground, S as CloudControlProvider, T as applyRoleArnIfSet, U as resolveApp, V as getDefaultStateBucketName, W as resolveCaptureObservedState, X as CFN_TEMPLATE_URL_LIMIT, Y as CFN_TEMPLATE_BODY_LIMIT, Z as MIGRATE_TMP_PREFIX, _ as matchesCdkPath, _t as StackHasActiveImportsError, a as withRetry, b as ProviderRegistry, c as bold, ct as LocalMigrateError, d as green, dt as MissingCdkCliError, et as AssemblyReader, f as red, ft as NestedStackChildDirectDestroyError, g as CDK_PATH_TAG, gt as ResourceUpdateNotSupportedError, h as collectInlinePolicyNamesManagedBySiblings, ht as ResourceTimeoutError, i as withResourceDeadline, it as CdkdError, j as shouldRetainResource, jt as PATTERN_B_RESOURCE_TYPES, k as LockManager, kt as getLiveRenderer, l as cyan, lt as LocalStartServiceError, m as IAMRoleProvider, mt as ProvisioningError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as resolveBucketRegion, o as IMPLICIT_DELETE_DEPENDENCIES, p as yellow, pt as PartialFailureError, q as resolveStateBucketWithDefaultAndSource, r as DeployEngine, s as formatResourceLine, st as LocalInvokeBuildError$1, t as DEFAULT_RESOURCE_TIMEOUT_MS, u as gray, v as normalizeAwsTagsToCfn, vt as StackTerminationProtectionError, w as IntrinsicFunctionResolver, wt as withErrorHandling, x as findActionableSilentDrops, y as resolveExplicitPhysicalId, z as runDockerStreaming } from "./deploy-engine-5CVA5VWR.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -58,7 +58,7 @@ import { CreateDeliveryStreamCommand, DeleteDeliveryStreamCommand, DescribeDeliv
 import { AddTagsCommand as AddTagsCommand$1, CloudTrailClient, CreateTrailCommand, DeleteTrailCommand, GetEventSelectorsCommand, GetInsightSelectorsCommand, GetTrailCommand, GetTrailStatusCommand, ListTagsCommand as ListTagsCommand$1, ListTrailsCommand, PutEventSelectorsCommand, PutInsightSelectorsCommand, RemoveTagsCommand as RemoveTagsCommand$1, StartLoggingCommand, StopLoggingCommand, TrailNotFoundException, UpdateTrailCommand } from "@aws-sdk/client-cloudtrail";
 import { BatchGetProjectsCommand, CodeBuildClient, CreateProjectCommand, DeleteProjectCommand, ListProjectsCommand, ResourceNotFoundException as ResourceNotFoundException$10, UpdateProjectCommand } from "@aws-sdk/client-codebuild";
 import { CreateVectorBucketCommand, DeleteIndexCommand, DeleteVectorBucketCommand, GetVectorBucketCommand, ListIndexesCommand, ListTagsForResourceCommand as ListTagsForResourceCommand$18, ListVectorBucketsCommand, S3VectorsClient } from "@aws-sdk/client-s3vectors";
-import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient } from "@aws-sdk/client-s3tables";
+import { CreateNamespaceCommand, CreateTableBucketCommand, CreateTableCommand as CreateTableCommand$2, DeleteNamespaceCommand as DeleteNamespaceCommand$1, DeleteTableBucketCommand, DeleteTableCommand as DeleteTableCommand$2, GetTableBucketCommand, GetTableCommand as GetTableCommand$1, ListNamespacesCommand as ListNamespacesCommand$1, ListTableBucketsCommand, ListTablesCommand as ListTablesCommand$1, ListTagsForResourceCommand as ListTagsForResourceCommand$19, NotFoundException as NotFoundException$5, S3TablesClient, TagResourceCommand as TagResourceCommand$16, UntagResourceCommand as UntagResourceCommand$15 } from "@aws-sdk/client-s3tables";
 import { AttachLoadBalancerTargetGroupsCommand, AttachLoadBalancersCommand, AttachTrafficSourcesCommand, AutoScalingClient, CreateAutoScalingGroupCommand, CreateOrUpdateTagsCommand, DeleteAutoScalingGroupCommand, DeleteLifecycleHookCommand, DeleteNotificationConfigurationCommand, DeleteTagsCommand as DeleteTagsCommand$1, DescribeAutoScalingGroupsCommand, DescribeLifecycleHooksCommand, DescribeNotificationConfigurationsCommand, DescribeTrafficSourcesCommand, DetachLoadBalancerTargetGroupsCommand, DetachLoadBalancersCommand, DetachTrafficSourcesCommand, DisableMetricsCollectionCommand, EnableMetricsCollectionCommand, PutLifecycleHookCommand, PutNotificationConfigurationCommand, UpdateAutoScalingGroupCommand } from "@aws-sdk/client-auto-scaling";
 import { Document, Pair, Scalar, YAMLMap, YAMLSeq, parse as parse$1, stringify } from "yaml";
 import { createLocalStateProvider, getEmbedConfig, isCfnFlagPresent, listTargets, rejectExplicitCfnStackWithMultipleStacks, resolveCfnFallbackRegion, setEmbedConfig, substituteAgainstState, substituteAgainstStateAsync, substituteEnvVarsFromState, substituteEnvVarsFromStateAsync } from "cdk-local";
@@ -17236,7 +17236,7 @@ var CloudFrontDistributionProvider = class {
 			const getResponse = await this.cloudFrontClient.send(new GetDistributionCommand({ Id: physicalId }));
 			const domainName = getResponse.Distribution?.DomainName ?? "";
 			const arn = getResponse.Distribution?.ARN;
-			await this.tryApplyTagDiff(arn, previousProperties["Tags"], properties["Tags"], physicalId);
+			await this.applyTagDiff(arn, previousProperties["Tags"], properties["Tags"], physicalId, logicalId, resourceType);
 			this.logger.debug(`Updated CloudFront Distribution ${physicalId}`);
 			return {
 				physicalId,
@@ -17489,32 +17489,44 @@ var CloudFrontDistributionProvider = class {
 		};
 	}
 	/**
-	* Apply a tag diff to a distribution, best-effort.
+	* Apply a tag diff to a distribution.
 	*
 	* CloudFront has no atomic overlay API for tags — `TagResource` adds /
 	* overwrites and `UntagResource` removes. Run the removal first, then
 	* the upsert, so a same-key value rewrite (which lands in `upserts`)
 	* is not accidentally cleared by a stale Untag.
 	*
-	* Errors are logged but not rethrown — `update()` already succeeded
-	* the `UpdateDistribution` call before this is invoked, so propagating
-	* a tag-side error would flip a successful config update into a deploy
-	* failure that triggers an idempotent retry. A `warn` surfaces the
-	* unapplied delta to the operator without breaking the deploy.
+	* Errors are RETHROWN as `ProvisioningError` (issue #740 fix) so the
+	* deploy engine sees a failed update() and (a) does NOT write the new
+	* properties.Tags into state — the next deploy retries the tag-diff
+	* against the still-old state, (b) surfaces the failure to the user
+	* via the standard error path. The deploy engine's `withRetry` MAY
+	* pick up some transient AWS errors via the cause-message-pattern
+	* match (`retryable-errors.ts`'s `RETRYABLE_ERROR_MESSAGE_PATTERNS`),
+	* but bare HTTP 429 throttles wrapped by update()'s outer catch reach
+	* the classifier two levels deep and slip past its single-level
+	* `.cause` walk — so the **load-bearing retry guarantee is the
+	* next-deploy retry**, not in-deploy retry. This is acceptable: the
+	* user sees the failure, can react, and the next `cdkd deploy`
+	* re-fires the tag-diff against the still-old state cleanly.
+	*
+	* Trade-off: a tag-side failure flips an otherwise-successful
+	* `UpdateDistribution` into a deploy failure, and the retry will
+	* re-issue UpdateDistribution against the (now-current) config —
+	* AWS accepts the no-op idempotently. The cost of that secondary
+	* noise is much lower than the cost of silent tag drift the pre-#740
+	* swallow caused.
 	*
 	* The ARN is unexpectedly absent only on a hypothetical SDK regression
 	* (`GetDistribution` returns ARN as a required string in every SDK
 	* shape verified so far). When that happens AND a tag delta exists,
-	* log a warn so the silent-drop this PR is closing does not silently
-	* resurface; when no delta exists, return without needing ARN.
+	* THROW so the silent-drop does not silently resurface; when no delta
+	* exists, return without needing ARN.
 	*/
-	async tryApplyTagDiff(arn, previousTags, newTags, physicalId) {
+	async applyTagDiff(arn, previousTags, newTags, physicalId, logicalId, resourceType) {
 		const { removed, upserts } = this.computeTagDiff(previousTags, newTags);
 		if (removed.length === 0 && upserts.length === 0) return;
-		if (!arn) {
-			this.logger.warn(`CloudFront Distribution ${physicalId}: GetDistribution returned no ARN; skipping tag diff (removed=${removed.length}, upserts=${upserts.length}). Tags on AWS may drift from the template.`);
-			return;
-		}
+		if (!arn) throw new ProvisioningError(`CloudFront Distribution ${physicalId}: GetDistribution returned no ARN; cannot apply tag diff (removed=${removed.length}, upserts=${upserts.length}). Refusing to silently drop the tag update — retry on next deploy or check SDK version.`, resourceType, logicalId, physicalId);
 		try {
 			if (removed.length > 0) {
 				this.logger.debug(`Untagging CloudFront Distribution ${arn}: ${removed.join(", ")}`);
@@ -17531,7 +17543,8 @@ var CloudFrontDistributionProvider = class {
 				}));
 			}
 		} catch (err) {
-			this.logger.warn(`CloudFront Distribution ${physicalId}: tag diff failed (removed=${removed.length}, upserts=${upserts.length}): ${err instanceof Error ? err.message : String(err)}. UpdateDistribution itself succeeded; tags on AWS may drift from the template until the next deploy.`);
+			const cause = err instanceof Error ? err : void 0;
+			throw new ProvisioningError(`CloudFront Distribution ${physicalId}: tag diff failed (removed=${removed.length}, upserts=${upserts.length}): ${err instanceof Error ? err.message : String(err)}. UpdateDistribution succeeded but TagResource/UntagResource did not — state has NOT been updated so the next deploy will retry the tag-diff.`, resourceType, logicalId, physicalId, cause);
 		}
 	}
 	/**
@@ -32005,7 +32018,9 @@ var S3TablesProvider = class {
 			"Namespace",
 			"TableName",
 			"Name",
-			"Format"
+			"OpenTableFormat",
+			"Format",
+			"Tags"
 		])]
 	]);
 	getClient() {
@@ -32020,12 +32035,13 @@ var S3TablesProvider = class {
 			default: throw new ProvisioningError(`Unsupported resource type: ${resourceType}`, resourceType, logicalId);
 		}
 	}
-	update(logicalId, physicalId, resourceType, _properties, _previousProperties) {
-		this.logger.debug(`Update is no-op for ${resourceType} ${logicalId}`);
-		return Promise.resolve({
+	async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+		if (resourceType === "AWS::S3Tables::Table") await this.applyTableTagsDiff(logicalId, physicalId, resourceType, previousProperties["Tags"], properties["Tags"]);
+		else this.logger.debug(`Update is no-op for ${resourceType} ${logicalId}`);
+		return {
 			physicalId,
 			wasReplaced: false
-		});
+		};
 	}
 	async delete(logicalId, physicalId, resourceType, _properties, context) {
 		switch (resourceType) {
@@ -32121,9 +32137,11 @@ var S3TablesProvider = class {
 		this.logger.debug(`Creating S3 Tables Namespace ${logicalId}`);
 		const tableBucketARN = properties["TableBucketARN"];
 		if (!tableBucketARN) throw new ProvisioningError(`TableBucketARN is required for S3 Tables Namespace ${logicalId}`, resourceType, logicalId);
-		const namespace = properties["Namespace"];
-		if (!namespace || namespace.length === 0) throw new ProvisioningError(`Namespace is required for S3 Tables Namespace ${logicalId}`, resourceType, logicalId);
-		const namespaceName = namespace[0];
+		const rawNs = properties["Namespace"];
+		let namespaceName;
+		if (Array.isArray(rawNs) && rawNs.length > 0 && typeof rawNs[0] === "string") namespaceName = rawNs[0];
+		else if (typeof rawNs === "string" && rawNs.length > 0) namespaceName = rawNs;
+		if (!namespaceName) throw new ProvisioningError(`Namespace is required for S3 Tables Namespace ${logicalId}`, resourceType, logicalId);
 		try {
 			await this.getClient().send(new CreateNamespaceCommand({
 				tableBucketARN,
@@ -32168,20 +32186,24 @@ var S3TablesProvider = class {
 		if (!namespace) throw new ProvisioningError(`Namespace is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
 		const name = properties["TableName"] ?? properties["Name"];
 		if (!name) throw new ProvisioningError(`TableName is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
-		const format = properties["Format"];
-		if (!format) throw new ProvisioningError(`Format is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
+		const format = properties["OpenTableFormat"] ?? properties["Format"];
+		if (!format) throw new ProvisioningError(`OpenTableFormat is required for S3 Tables Table ${logicalId}`, resourceType, logicalId);
+		const tags = this.cfnTagsToSdkMap(properties["Tags"]);
 		try {
-			await this.getClient().send(new CreateTableCommand$2({
+			const response = await this.getClient().send(new CreateTableCommand$2({
 				tableBucketARN,
 				namespace,
 				name,
-				format
+				format,
+				...tags !== void 0 && { tags }
 			}));
 			const physicalId = `${tableBucketARN}|${namespace}|${name}`;
+			if (!response.tableARN) throw new ProvisioningError(`CreateTable did not return a tableARN for ${logicalId} (${physicalId}) — refusing to record an empty TableARN attribute`, resourceType, logicalId, physicalId);
+			const tableARN = response.tableARN;
 			this.logger.debug(`Successfully created S3 Tables Table ${logicalId}: ${physicalId}`);
 			return {
 				physicalId,
-				attributes: {}
+				attributes: { TableARN: tableARN }
 			};
 		} catch (error) {
 			const cause = error instanceof Error ? error : void 0;
@@ -32233,7 +32255,7 @@ var S3TablesProvider = class {
 		if (!tableBucketARN || !namespaceName) return void 0;
 		return {
 			TableBucketARN: tableBucketARN,
-			Namespace: [namespaceName]
+			Namespace: namespaceName
 		};
 	}
 	async readTableCurrentState(physicalId) {
@@ -32259,7 +32281,11 @@ var S3TablesProvider = class {
 			Name: tableNameValue,
 			TableName: tableNameValue
 		};
-		if (resp.format !== void 0) result["Format"] = resp.format;
+		if (resp.format !== void 0) {
+			result["OpenTableFormat"] = resp.format;
+			result["Format"] = resp.format;
+		}
+		result["Tags"] = resp.tableARN ? await this.readTagsBestEffort(resp.tableARN) : [];
 		return result;
 	}
 	/**
@@ -32416,6 +32442,131 @@ var S3TablesProvider = class {
 			throw new ProvisioningError(`Failed to delete S3 Tables Table ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
 		}
 	}
+	/**
+	* Convert CFn `Tags: [{ Key, Value }]` to the S3Tables SDK's
+	* `Record<string, string>` shape. Returns `undefined` when the input
+	* is absent, empty, or invalid (so the caller can omit the field
+	* from CreateTableCommand — the SDK rejects an empty `tags: {}` map
+	* with InvalidRequestException). Entries missing a `Key` are skipped;
+	* a missing `Value` is normalized to `''` (matches the on-AWS
+	* representation — empty-string tag values are legal).
+	*/
+	cfnTagsToSdkMap(value) {
+		if (!Array.isArray(value) || value.length === 0) return void 0;
+		const map = {};
+		for (const entry of value) {
+			if (!entry || typeof entry !== "object") continue;
+			const key = entry.Key;
+			if (typeof key !== "string" || key.length === 0) continue;
+			const raw = entry.Value;
+			if (typeof raw === "string") map[key] = raw;
+			else if (raw === void 0 || raw === null) map[key] = "";
+			else if (typeof raw === "number" || typeof raw === "boolean") map[key] = String(raw);
+			else continue;
+		}
+		return Object.keys(map).length > 0 ? map : void 0;
+	}
+	/**
+	* Look up a table's real AWS ARN given its cdkd-compound physical
+	* id parts. The real ARN is opaque (NOT `<bucketArn>/table/<ns>/<name>`
+	* — that shape returns BadRequestException) and only AWS knows it,
+	* so we call `GetTable` and pull `tableARN` from the response. Used
+	* by the tag-diff path in update() and the readback's tag-fetch leg.
+	* Returns null if the table is gone (NotFoundException → caller can
+	* skip the tag op gracefully).
+	*/
+	async lookupTableArn(tableBucketARN, namespace, name) {
+		try {
+			return (await this.getClient().send(new GetTableCommand$1({
+				tableBucketARN,
+				namespace,
+				name
+			}))).tableARN ?? null;
+		} catch (err) {
+			if (err instanceof NotFoundException$5) return null;
+			throw err;
+		}
+	}
+	/**
+	* Best-effort tag readback. ListTagsForResource against a freshly-
+	* created table can briefly 404 due to eventual consistency; emit
+	* `[]` on any failure rather than propagate (matches the S3Vectors /
+	* CloudFront patterns and keeps the drift comparator happy).
+	*/
+	async readTagsBestEffort(resourceArn) {
+		try {
+			const tags = (await this.getClient().send(new ListTagsForResourceCommand$19({ resourceArn }))).tags ?? {};
+			const out = [];
+			for (const [Key, Value] of Object.entries(tags)) out.push({
+				Key,
+				Value
+			});
+			return out;
+		} catch (err) {
+			this.logger.debug(`readTagsBestEffort: ListTagsForResource failed for ${resourceArn}: ${err instanceof Error ? err.message : String(err)} — emitting Tags: []`);
+			return [];
+		}
+	}
+	/**
+	* Apply a tag-diff against a Table resource ARN: keys present in
+	* `previousTags` but absent / value-changed in `newTags` go through
+	* `UntagResource`, then the full upsert set (additions + value
+	* rewrites) goes through `TagResource`. Removal runs FIRST so a
+	* value-only rewrite on key K isn't accidentally cleared by a stale
+	* UntagResource pass (matches the CloudFront / S3Vectors pattern).
+	*
+	* Tag-side failures THROW `ProvisioningError` (issue #740 fix): a
+	* silent swallow would let the deploy engine write the new properties.Tags
+	* to state as if applied, and the next deploy's diff (template Tags
+	* vs new state Tags) sees no change → tag-diff never re-fires → AWS
+	* tags stay stale forever. Throwing means: (a) state is NOT written,
+	* (b) the next deploy retries the tag-diff against the still-old
+	* state. The deploy engine's `withRetry` MAY pick up transient AWS
+	* errors via the cause-message-pattern match in `retryable-errors.ts`,
+	* but bare HTTP 429 throttles can slip past the classifier's
+	* single-level `.cause` walk depending on wrapping — so the
+	* **load-bearing retry guarantee is the next-deploy retry**, not
+	* in-deploy retry. For the S3Tables Table case `update()` is
+	* otherwise a no-op (the Table itself is immutable), so a tag-side
+	* throw cleanly turns the whole update into a retry without
+	* side-effects.
+	*
+	* The malformed-physicalId / GetTable-NotFound branches throw too
+	* — both indicate a state-vs-AWS divergence the user needs to see,
+	* not silently skip past.
+	*/
+	async applyTableTagsDiff(logicalId, physicalId, resourceType, previousTags, newTags) {
+		const prev = this.cfnTagsToSdkMap(previousTags) ?? {};
+		const next = this.cfnTagsToSdkMap(newTags) ?? {};
+		const removedKeys = Object.keys(prev).filter((k) => !(k in next));
+		const upserts = {};
+		for (const [k, v] of Object.entries(next)) if (prev[k] !== v) upserts[k] = v;
+		if (removedKeys.length === 0 && Object.keys(upserts).length === 0) return;
+		const parts = physicalId.split("|");
+		if (parts.length < 3) throw new ProvisioningError(`applyTableTagsDiff: cannot derive table ARN from physicalId '${physicalId}' (expected '<bucketArn>|<namespace>|<name>') — refusing to silently drop the tag update`, resourceType, logicalId, physicalId);
+		const [tableBucketARN, namespace, name] = parts;
+		if (!tableBucketARN || !namespace || !name) throw new ProvisioningError(`applyTableTagsDiff: cannot derive table ARN from malformed physicalId '${physicalId}' (empty part after split) — refusing to silently drop the tag update`, resourceType, logicalId, physicalId);
+		const resourceArn = await this.lookupTableArn(tableBucketARN, namespace, name);
+		if (!resourceArn) throw new ProvisioningError(`applyTableTagsDiff: GetTable returned no tableARN for ${physicalId} — table is gone or state is out-of-sync. Refusing to silently drop the tag update (run 'cdkd state orphan ${logicalId}' to clean up if the table was deleted out-of-band).`, resourceType, logicalId, physicalId);
+		if (removedKeys.length > 0) try {
+			await this.getClient().send(new UntagResourceCommand$15({
+				resourceArn,
+				tagKeys: removedKeys
+			}));
+		} catch (err) {
+			const cause = err instanceof Error ? err : void 0;
+			throw new ProvisioningError(`applyTableTagsDiff: UntagResource failed for ${resourceArn} (keys: ${removedKeys.join(", ")}): ${err instanceof Error ? err.message : String(err)}. State has NOT been updated so the next deploy will retry the tag-diff.`, resourceType, logicalId, physicalId, cause);
+		}
+		if (Object.keys(upserts).length > 0) try {
+			await this.getClient().send(new TagResourceCommand$16({
+				resourceArn,
+				tags: upserts
+			}));
+		} catch (err) {
+			const cause = err instanceof Error ? err : void 0;
+			throw new ProvisioningError(`applyTableTagsDiff: TagResource failed for ${resourceArn} (keys: ${Object.keys(upserts).join(", ")}): ${err instanceof Error ? err.message : String(err)}. State has NOT been updated so the next deploy will retry the tag-diff.`, resourceType, logicalId, physicalId, cause);
+		}
+	}
 };
 
 //#endregion
@@ -51726,7 +51877,7 @@ function reorderArgs(argv) {
 */
 async function main() {
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.200.0");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.201.1");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());