@go-to-k/cdkd 0.207.4 → 0.207.6

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { a as setAwsClients, i as resetAwsClients, r as getAwsClients, t as AwsClients } from "./aws-clients-DWUnLza1.js";
-import { $ as findLargeInlineResources, A as LockManager, At as getLiveRenderer, B as runDockerStreaming, C as CloudControlProvider, D as DiffCalculator, Dt as getLogger, E as applyRoleArnIfSet, F as WorkGraph, Ft as withSkipPrefix, G as resolveCaptureObservedState, H as getDefaultStateBucketName, I as buildDockerImage, It as withStackName, J as resolveStateBucketWithDefaultAndSource, K as resolveSkipPrefix, L as formatDockerLoginError, M as shouldRetainResource, Mt as PATTERN_B_RESOURCE_TYPES, N as AssetPublisher, Nt as generateResourceName, O as DagBuilder, P as stringifyValue, Pt as generateResourceNameWithFallback, Q as MIGRATE_TMP_PREFIX, R as getDockerCmd, S as findActionableSilentDrops, T as IntrinsicFunctionResolver, Tt as withErrorHandling, U as getLegacyStateBucketName, V as Synthesizer, W as resolveApp, X as CFN_TEMPLATE_BODY_LIMIT, Y as warnDeprecatedNoPrefixCliFlag, Z as CFN_TEMPLATE_URL_LIMIT, _ as CDK_PATH_TAG, _t as ResourceUpdateNotSupportedError, a as withRetry, at as CdkdError, b as resolveExplicitPhysicalId, c as formatResourceLine, ct as LocalInvokeBuildError$1, d as gray, et as uploadCfnTemplate, f as green, ft as MissingCdkCliError, g as collectInlinePolicyNamesManagedBySiblings, gt as ResourceTimeoutError, h as IAMRoleProvider, ht as ProvisioningError, i as withResourceDeadline, j as S3StateBackend, jt as PATTERN_B_NAME_PROPERTIES, k as TemplateParser, kt as runStackBuffered, l as bold, lt as LocalMigrateError, m as yellow, mt as PartialFailureError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, o as isRetryableTransientError, p as red, pt as NestedStackChildDirectDestroyError, q as resolveStateBucketWithDefault, r as DeployEngine, rt as resolveBucketRegion, s as IMPLICIT_DELETE_DEPENDENCIES, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as AssemblyReader, u as cyan, ut as LocalStartServiceError, v as matchesCdkPath, vt as StackHasActiveImportsError, w as assertRegionMatch, wt as normalizeAwsError, x as ProviderRegistry, y as normalizeAwsTagsToCfn, yt as StackTerminationProtectionError, z as runDockerForeground } from "./deploy-engine-ai3rix-L.js";
+import { $ as CFN_TEMPLATE_URL_LIMIT, A as DagBuilder, B as getDockerCmd, C as CloudControlProvider, D as IntrinsicFunctionResolver, Dt as withErrorHandling, E as isTerminationProtectionPropagationError, Et as normalizeAwsError, F as AssetPublisher, Ft as generateResourceName, G as getLegacyStateBucketName, H as runDockerStreaming, I as stringifyValue, It as generateResourceNameWithFallback, J as resolveSkipPrefix, K as resolveApp, L as WorkGraph, Lt as withSkipPrefix, M as LockManager, Mt as getLiveRenderer, N as S3StateBackend, Nt as PATTERN_B_NAME_PROPERTIES, O as applyRoleArnIfSet, P as shouldRetainResource, Pt as PATTERN_B_RESOURCE_TYPES, Q as CFN_TEMPLATE_BODY_LIMIT, R as buildDockerImage, Rt as withStackName, S as findActionableSilentDrops, T as disableInstanceApiTermination, U as Synthesizer, V as runDockerForeground, W as getDefaultStateBucketName, X as resolveStateBucketWithDefaultAndSource, Y as resolveStateBucketWithDefault, Z as warnDeprecatedNoPrefixCliFlag, _ as CDK_PATH_TAG, _t as ProvisioningError, a as withRetry, at as resolveBucketRegion, b as resolveExplicitPhysicalId, bt as StackHasActiveImportsError, c as formatResourceLine, d as gray, dt as LocalMigrateError, et as MIGRATE_TMP_PREFIX, f as green, ft as LocalStartServiceError, g as collectInlinePolicyNamesManagedBySiblings, gt as PartialFailureError, h as IAMRoleProvider, ht as NestedStackChildDirectDestroyError, i as withResourceDeadline, j as TemplateParser, jt as runStackBuffered, k as DiffCalculator, kt as getLogger, l as bold, m as yellow, mt as MissingCdkCliError, n as DEFAULT_RESOURCE_WARN_AFTER_MS, nt as uploadCfnTemplate, o as isRetryableTransientError, p as red, q as resolveCaptureObservedState, r as DeployEngine, rt as AssemblyReader, s as IMPLICIT_DELETE_DEPENDENCIES, st as CdkdError, t as DEFAULT_RESOURCE_TIMEOUT_MS, tt as findLargeInlineResources, u as cyan, ut as LocalInvokeBuildError$1, v as matchesCdkPath, vt as ResourceTimeoutError, w as assertRegionMatch, x as ProviderRegistry, xt as StackTerminationProtectionError, y as normalizeAwsTagsToCfn, yt as ResourceUpdateNotSupportedError, z as formatDockerLoginError } from "./deploy-engine-DMggQBl4.js";
 import { AsyncLocalStorage } from "node:async_hooks";
 import { randomBytes, randomUUID } from "node:crypto";
 import { CopyObjectCommand, CreateBucketCommand, DeleteBucketAnalyticsConfigurationCommand, DeleteBucketCommand, DeleteBucketCorsCommand, DeleteBucketIntelligentTieringConfigurationCommand, DeleteBucketInventoryConfigurationCommand, DeleteBucketLifecycleCommand, DeleteBucketMetricsConfigurationCommand, DeleteBucketPolicyCommand, DeleteBucketReplicationCommand, DeleteBucketTaggingCommand, DeleteBucketWebsiteCommand, DeleteObjectsCommand, GetBucketAccelerateConfigurationCommand, GetBucketCorsCommand, GetBucketEncryptionCommand, GetBucketLifecycleConfigurationCommand, GetBucketLocationCommand, GetBucketLoggingCommand, GetBucketNotificationConfigurationCommand, GetBucketPolicyCommand, GetBucketReplicationCommand, GetBucketTaggingCommand, GetBucketVersioningCommand, GetBucketWebsiteCommand, GetObjectCommand, GetObjectLockConfigurationCommand, GetPublicAccessBlockCommand, HeadBucketCommand, ListBucketAnalyticsConfigurationsCommand, ListBucketIntelligentTieringConfigurationsCommand, ListBucketInventoryConfigurationsCommand, ListBucketMetricsConfigurationsCommand, ListBucketsCommand, ListDirectoryBucketsCommand, ListObjectVersionsCommand, ListObjectsV2Command, NoSuchBucket, PutBucketAccelerateConfigurationCommand, PutBucketAnalyticsConfigurationCommand, PutBucketCorsCommand, PutBucketEncryptionCommand, PutBucketIntelligentTieringConfigurationCommand, PutBucketInventoryConfigurationCommand, PutBucketLifecycleConfigurationCommand, PutBucketLoggingCommand, PutBucketMetricsConfigurationCommand, PutBucketNotificationConfigurationCommand, PutBucketOwnershipControlsCommand, PutBucketPolicyCommand, PutBucketReplicationCommand, PutBucketTaggingCommand, PutBucketVersioningCommand, PutBucketWebsiteCommand, PutObjectCommand, PutObjectLockConfigurationCommand, PutPublicAccessBlockCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
@@ -9,7 +9,7 @@ import { CreateQueueCommand, DeleteQueueCommand, GetQueueAttributesCommand, GetQ
 import { CreateTopicCommand, DeleteTopicCommand, GetSubscriptionAttributesCommand, GetTopicAttributesCommand, ListTagsForResourceCommand, ListTopicsCommand, NotFoundException, SNSClient, SetTopicAttributesCommand, SubscribeCommand, TagResourceCommand, UnsubscribeCommand, UntagResourceCommand } from "@aws-sdk/client-sns";
 import { AddPermissionCommand, CreateEventSourceMappingCommand, CreateFunctionCommand, CreateFunctionUrlConfigCommand, DeleteEventSourceMappingCommand, DeleteFunctionCommand, DeleteFunctionConcurrencyCommand, DeleteFunctionUrlConfigCommand, DeleteLayerVersionCommand, GetEventSourceMappingCommand, GetFunctionCommand, GetFunctionConcurrencyCommand, GetFunctionRecursionConfigCommand, GetFunctionUrlConfigCommand, GetLayerVersionByArnCommand, GetPolicyCommand as GetPolicyCommand$1, LambdaClient, ListFunctionsCommand, ListLayersCommand, ListTagsCommand, PublishLayerVersionCommand, PutFunctionConcurrencyCommand, PutFunctionRecursionConfigCommand, RemovePermissionCommand, ResourceNotFoundException, TagResourceCommand as TagResourceCommand$1, UntagResourceCommand as UntagResourceCommand$1, UpdateEventSourceMappingCommand, UpdateFunctionCodeCommand, UpdateFunctionConfigurationCommand, UpdateFunctionUrlConfigCommand, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
-import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifyInstanceAttributeCommand, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
+import { AssociateRouteTableCommand, AttachInternetGatewayCommand, AuthorizeSecurityGroupEgressCommand, AuthorizeSecurityGroupIngressCommand, CreateInternetGatewayCommand, CreateNatGatewayCommand, CreateNetworkAclCommand, CreateNetworkAclEntryCommand, CreateRouteCommand, CreateRouteTableCommand, CreateSecurityGroupCommand, CreateSubnetCommand, CreateTagsCommand, CreateVpcCommand, DeleteInternetGatewayCommand, DeleteNatGatewayCommand, DeleteNetworkAclCommand, DeleteNetworkAclEntryCommand, DeleteNetworkInterfaceCommand, DeleteRouteCommand, DeleteRouteTableCommand, DeleteSecurityGroupCommand, DeleteSubnetCommand, DeleteTagsCommand, DeleteVpcCommand, DescribeAvailabilityZonesCommand, DescribeInstanceAttributeCommand, DescribeInstancesCommand, DescribeInternetGatewaysCommand, DescribeNatGatewaysCommand, DescribeNetworkAclsCommand, DescribeNetworkInterfacesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVolumesCommand, DescribeVpcAttributeCommand, DescribeVpcsCommand, DetachInternetGatewayCommand, DisassociateRouteTableCommand, EC2Client, ModifySubnetAttributeCommand, ModifyVpcAttributeCommand, ReplaceNetworkAclAssociationCommand, RevokeSecurityGroupEgressCommand, RevokeSecurityGroupIngressCommand, RunInstancesCommand, TerminateInstancesCommand, waitUntilInstanceRunning, waitUntilInstanceTerminated, waitUntilNatGatewayAvailable, waitUntilNatGatewayDeleted } from "@aws-sdk/client-ec2";
 import { CreateTableCommand, DeleteTableCommand, DescribeContinuousBackupsCommand, DescribeContributorInsightsCommand, DescribeKinesisStreamingDestinationCommand, DescribeTableCommand, DescribeTimeToLiveCommand, DynamoDBClient, ListTablesCommand, ListTagsOfResourceCommand, ResourceNotFoundException as ResourceNotFoundException$1, TagResourceCommand as TagResourceCommand$2, UntagResourceCommand as UntagResourceCommand$2, UpdateContinuousBackupsCommand, UpdateTableCommand, UpdateTimeToLiveCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, DescribeStackEventsCommand, DescribeStackResourcesCommand, DescribeStacksCommand, DescribeTypeCommand, ExecuteChangeSetCommand, GetTemplateCommand, UpdateStackCommand, waitUntilChangeSetCreateComplete, waitUntilStackDeleteComplete, waitUntilStackImportComplete, waitUntilStackUpdateComplete } from "@aws-sdk/client-cloudformation";
 import { APIGatewayClient, CreateAuthorizerCommand, CreateDeploymentCommand, CreateResourceCommand, CreateStageCommand, DeleteAuthorizerCommand, DeleteDeploymentCommand, DeleteMethodCommand, DeleteResourceCommand, DeleteStageCommand, GetAccountCommand, GetAuthorizerCommand, GetDeploymentCommand, GetMethodCommand, GetResourceCommand, GetStageCommand, NotFoundException as NotFoundException$1, PutIntegrationCommand, PutIntegrationResponseCommand, PutMethodCommand, PutMethodResponseCommand, TagResourceCommand as TagResourceCommand$3, UntagResourceCommand as UntagResourceCommand$3, UpdateAccountCommand, UpdateAuthorizerCommand, UpdateMethodCommand, UpdateStageCommand } from "@aws-sdk/client-api-gateway";
@@ -11888,6 +11888,33 @@ var SSMParameterProvider = class {
 		this.ssmClient = awsClients.ssm;
 	}
 	/**
+	* Normalize a CFn `AWS::SSM::Parameter.Tags` value into the SDK `Tag[]`
+	* shape. Unlike most CFn resources (whose `Tags` is a `{Key,Value}[]` list),
+	* `AWS::SSM::Parameter.Tags` is a key->value **map** (`{ "Env": "prod" }`) —
+	* CDK synthesizes the map form, so `properties['Tags'].map(...)` throws
+	* `Tags.map is not a function`. Accept the map (canonical) AND the list
+	* (defensive, in case a hand-authored / escape-hatched template supplies it),
+	* coerce each value to a string (SSM tag values must be strings), and drop
+	* `aws:`-prefixed reserved keys (AWS rejects user attempts to set them).
+	*/
+	cfnTagsToSdkTags(raw) {
+		if (raw === void 0 || raw === null) return [];
+		const coerce = (v) => typeof v === "string" ? v : typeof v === "number" || typeof v === "boolean" ? String(v) : "";
+		let entries;
+		if (Array.isArray(raw)) entries = raw.map((t) => [t?.["Key"], t?.["Value"]]);
+		else if (typeof raw === "object") entries = Object.entries(raw);
+		else entries = [];
+		const out = [];
+		for (const [key, value] of entries) {
+			if (typeof key !== "string" || key.length === 0 || key.startsWith("aws:")) continue;
+			out.push({
+				Key: key,
+				Value: coerce(value)
+			});
+		}
+		return out;
+	}
+	/**
 	* Create an SSM parameter
 	*/
 	async create(logicalId, resourceType, properties) {
@@ -11913,17 +11940,12 @@ var SSMParameterProvider = class {
 			if (properties["DataType"]) putParams.DataType = properties["DataType"];
 			await this.ssmClient.send(new PutParameterCommand(putParams));
 			try {
-				if (properties["Tags"]) {
-					const ssmTags = properties["Tags"].map((t) => ({
-						Key: t.Key,
-						Value: t.Value
-					}));
-					await this.ssmClient.send(new AddTagsToResourceCommand({
-						ResourceType: "Parameter",
-						ResourceId: name,
-						Tags: ssmTags
-					}));
-				}
+				const ssmTags = this.cfnTagsToSdkTags(properties["Tags"]);
+				if (ssmTags.length > 0) await this.ssmClient.send(new AddTagsToResourceCommand({
+					ResourceType: "Parameter",
+					ResourceId: name,
+					Tags: ssmTags
+				}));
 			} catch (innerError) {
 				try {
 					await this.ssmClient.send(new DeleteParameterCommand({ Name: name }));
@@ -11967,25 +11989,21 @@ var SSMParameterProvider = class {
 			if (properties["Policies"] !== void 0) putParams.Policies = properties["Policies"];
 			if (properties["DataType"] !== void 0) putParams.DataType = properties["DataType"];
 			await this.ssmClient.send(new PutParameterCommand(putParams));
-			const newTags = properties["Tags"];
-			const oldTags = previousProperties["Tags"];
-			if (JSON.stringify(newTags) !== JSON.stringify(oldTags)) {
-				if (oldTags && oldTags.length > 0) await this.ssmClient.send(new RemoveTagsFromResourceCommand({
+			const newTags = this.cfnTagsToSdkTags(properties["Tags"]);
+			const oldTags = this.cfnTagsToSdkTags(previousProperties["Tags"]);
+			const tagKey = (t) => t.Key;
+			const sortedJson = (tags) => JSON.stringify([...tags].sort((a, b) => tagKey(a).localeCompare(tagKey(b))));
+			if (sortedJson(newTags) !== sortedJson(oldTags)) {
+				if (oldTags.length > 0) await this.ssmClient.send(new RemoveTagsFromResourceCommand({
 					ResourceType: "Parameter",
 					ResourceId: physicalId,
 					TagKeys: oldTags.map((t) => t.Key)
 				}));
-				if (newTags && newTags.length > 0) {
-					const ssmTags = newTags.map((t) => ({
-						Key: t.Key,
-						Value: t.Value
-					}));
-					await this.ssmClient.send(new AddTagsToResourceCommand({
-						ResourceType: "Parameter",
-						ResourceId: physicalId,
-						Tags: ssmTags
-					}));
-				}
+				if (newTags.length > 0) await this.ssmClient.send(new AddTagsToResourceCommand({
+					ResourceType: "Parameter",
+					ResourceId: physicalId,
+					Tags: newTags
+				}));
 				this.logger.debug(`Updated tags for SSM parameter ${physicalId}`);
 			}
 			this.logger.debug(`Successfully updated SSM parameter ${logicalId}`);
@@ -12096,10 +12114,11 @@ var SSMParameterProvider = class {
 		} catch {}
 		if (!policiesEmitted) result["Policies"] = [];
 		try {
-			result["Tags"] = normalizeAwsTagsToCfn((await this.ssmClient.send(new ListTagsForResourceCommand$2({
+			const tagArr = normalizeAwsTagsToCfn((await this.ssmClient.send(new ListTagsForResourceCommand$2({
 				ResourceType: "Parameter",
 				ResourceId: physicalId
 			}))).TagList);
+			result["Tags"] = Object.fromEntries(tagArr.map((t) => [t.Key, t.Value]));
 		} catch {}
 		return result;
 	}
@@ -13815,16 +13834,10 @@ var EC2Provider = class {
 	}
 	async deleteInstance(logicalId, physicalId, resourceType, context) {
 		this.logger.debug(`Terminating EC2 Instance ${logicalId}: ${physicalId}`);
-		if (context?.removeProtection === true) try {
-			await this.ec2Client.send(new ModifyInstanceAttributeCommand({
-				InstanceId: physicalId,
-				DisableApiTermination: { Value: false }
-			}));
-			this.logger.debug(`Disabled DisableApiTermination on EC2 Instance ${logicalId} before termination`);
-		} catch (flipError) {
-			if (!this.isNotFoundError(flipError)) this.logger.debug(`Could not disable DisableApiTermination on ${physicalId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`);
-		}
-		try {
+		const removeProtection = context?.removeProtection === true;
+		if (removeProtection) await disableInstanceApiTermination(this.ec2Client, physicalId, this.logger);
+		const maxTerminateAttempts = removeProtection ? 5 : 1;
+		for (let attempt = 1;; attempt++) try {
 			await this.ec2Client.send(new TerminateInstancesCommand({ InstanceIds: [physicalId] }));
 			this.logger.debug(`Terminate requested for EC2 Instance ${logicalId}, waiting...`);
 			await waitUntilInstanceTerminated({
@@ -13832,14 +13845,22 @@ var EC2Provider = class {
 				maxWaitTime: 300
 			}, { InstanceIds: [physicalId] });
 			this.logger.debug(`EC2 Instance ${logicalId} terminated: ${physicalId}`);
+			return;
 		} catch (error) {
 			if (this.isNotFoundError(error)) {
 				assertRegionMatch(await this.ec2Client.config.region(), context?.expectedRegion, resourceType, logicalId, physicalId);
 				this.logger.debug(`EC2 Instance ${physicalId} already terminated (not found), treating as success`);
 				return;
 			}
+			const msg = error instanceof Error ? error.message : String(error);
+			if (removeProtection && isTerminationProtectionPropagationError(msg) && attempt < maxTerminateAttempts) {
+				this.logger.debug(`Terminate of EC2 Instance ${logicalId} raced the DisableApiTermination flip-off (attempt ${attempt}/${maxTerminateAttempts}); re-flipping and retrying`);
+				await disableInstanceApiTermination(this.ec2Client, physicalId, this.logger);
+				await this.sleep(3e3 * attempt);
+				continue;
+			}
 			const cause = error instanceof Error ? error : void 0;
-			throw new ProvisioningError(`Failed to terminate EC2 Instance ${logicalId}: ${error instanceof Error ? error.message : String(error)}`, resourceType, logicalId, physicalId, cause);
+			throw new ProvisioningError(`Failed to terminate EC2 Instance ${logicalId}: ${msg}`, resourceType, logicalId, physicalId, cause);
 		}
 	}
 	async getInstanceAttribute(physicalId, attributeName) {
@@ -52657,6 +52678,31 @@ function createMigrateCommand() {
 	return new Command("migrate").description("Adopt a plain (non-CDK) CloudFormation stack into a cdkd-managed CDK app. Generates new CDK code via upstream `cdk migrate`, builds a logical-ID mapping between the source CFn template and the synth template, writes cdkd state, and (optionally) retires the source CFn stack. AWS resources are never modified.").argument("[stack]", "Source CFn stack name. Alias for --from-cfn-stack.").addOption(new Option("--from-cfn-stack <name>", "Source CloudFormation stack name to adopt. Required (or pass positionally).")).addOption(new Option("--output-dir <dir>", "Directory to write the generated CDK app to. Defaults to <cwd>/<CfnStackName>.")).addOption(new Option("--language <choice>", "Generated code language. v1: typescript only.").choices(["typescript"]).default("typescript")).addOption(new Option("--region <region>", "AWS region. Defaults to AWS_REGION env / profile.")).addOption(new Option("--account <id>", "AWS account ID. Auto-detected via STS when omitted.")).addOption(new Option("--retire-cfn-stack", "After cdkd state is written, inject DeletionPolicy=Retain on every resource in the source CFn stack and DeleteStack. AWS resources stay; the CFn stack record is gone. Off by default.").default(false)).addOption(new Option("--filter <key=value>", "Pass-through to `cdk migrate --filter` for resource subsetting. Repeatable.").argParser((value, previous) => [...previous ?? [], value]).default([])).addOption(new Option("--skip-install", "Skip `npm install` after codegen.").default(false)).addOption(new Option("--skip-synth", "Skip `cdk synth` (does NOT write cdkd state). Mutually exclusive with --retire-cfn-stack.").default(false)).addOption(new Option("--dry-run", "Print the import plan without writing state or retiring the CFn stack. Mutually exclusive with --retire-cfn-stack.").default(false)).addOption(new Option("-y, --yes", "Auto-confirm the import + retirement prompts.").default(false)).addOption(new Option("--cdk-bin <path>", "Override the `cdk` binary path.")).addOption(new Option("--resource-mapping <file>", `Path to a JSON file of {sourceLogicalId: synthLogicalId} overrides. Same shape as the auto-written ${RESOURCE_MAPPING_FILENAME}.`)).addOption(new Option("--state-bucket <name>", "cdkd state bucket. Defaults to cdkd-state-<accountId>.")).addOption(new Option("--state-prefix <prefix>", "cdkd state prefix inside the bucket.").default("cdkd")).addOption(new Option("--profile <name>", "AWS profile name.")).addOption(new Option("--role-arn <arn>", "IAM role to assume before any AWS call.")).addOption(new Option("--verbose", "Enable debug-level logging.").default(false)).action(withErrorHandling(migrateCommandAction));
 }
 
+//#endregion
+//#region src/cli/pipe-close-handler.ts
+/**
+* Exit cleanly when a downstream consumer closes our stdout/stderr early.
+*
+* Piping a cdkd command into a reader that stops reading — `cdkd state list |
+* grep -q foo`, `... | head`, `... | less` then `q` — closes the pipe while
+* cdkd is still writing. Node then emits an unhandled `'error'` (EPIPE) on the
+* stream and the process dies with a stack trace + non-zero exit. That is
+* normal Unix behavior for the *consumer* to stop reading, so the CLI must
+* treat it as success, not a crash. (Surfaced by the `remove-protection` integ,
+* whose `cdkd state list | grep -q` assertion crashed cdkd on EPIPE and the
+* test misread the non-zero exit as a stripped-state failure.)
+*
+* Installed once before any command runs so it covers every subcommand's
+* output, including long / streamed listings. Non-EPIPE stream errors are
+* re-thrown unchanged (they are real faults, not a closed pipe).
+*/
+function installPipeCloseHandler(streams = [process.stdout, process.stderr], exit = process.exit) {
+	for (const stream of streams) stream.on("error", (err) => {
+		if (err.code !== "EPIPE") throw err;
+		exit(0);
+	});
+}
+
 //#endregion
 //#region src/cli/index.ts
 const SUBCOMMANDS = new Set([
@@ -52698,8 +52744,9 @@ function reorderArgs(argv) {
 * Main CLI program
 */
 async function main() {
+	installPipeCloseHandler();
 	const program = new Command();
-	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.207.4");
+	program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.207.6");
 	program.addCommand(createBootstrapCommand());
 	program.addCommand(createSynthCommand());
 	program.addCommand(createListCommand());