@go-to-k/cdkd 0.219.2 → 0.219.3

package/dist/{deploy-engine-B6CuzOHi.js → deploy-engine-Drw_e42s.js}

@@ -1,13 +1,13 @@
-import { r as getAwsClients } from "./aws-clients-DWUnLza1.js";
-import { AsyncLocalStorage } from "node:async_hooks";
-import { createHash, randomUUID } from "node:crypto";
+import { B as generateResourceNameWithFallback, E as SynthesisError, F as getLiveRenderer, H as withStackName, M as getLogger, R as applyDefaultNameForFallback, T as StateError, a as assertRegionMatch, b as ProvisioningError, c as AssetError, d as DependencyError, g as MacroExpansionError, h as LockError, i as resolveExplicitPhysicalId, k as normalizeAwsError, n as matchesCdkPath, o as disableInstanceApiTermination, r as normalizeAwsTagsToCfn, s as isTerminationProtectionPropagationError, x as ResourceTimeoutError } from "./import-helpers-wLipXr5g.js";
+import { r as getAwsClients } from "./aws-clients-pjPwZz1r.js";
+import { randomUUID } from "node:crypto";
 import { DeleteObjectCommand, GetBucketLocationCommand, GetObjectCommand, HeadBucketCommand, HeadObjectCommand, ListObjectsV2Command, NoSuchKey, PutObjectCommand, S3Client, S3ServiceException } from "@aws-sdk/client-s3";
 import { CloudControlClient, CreateResourceCommand, DeleteResourceCommand, GetResourceCommand, GetResourceRequestStatusCommand, ListResourcesCommand, UpdateResourceCommand } from "@aws-sdk/client-cloudcontrol";
 import { AttachRolePolicyCommand, CreateRoleCommand, DeleteRoleCommand, DeleteRolePermissionsBoundaryCommand, DeleteRolePolicyCommand, DetachRolePolicyCommand, GetRoleCommand, GetRolePolicyCommand, IAMClient, ListAttachedRolePoliciesCommand, ListInstanceProfilesForRoleCommand, ListRolePoliciesCommand, ListRoleTagsCommand, ListRolesCommand, NoSuchEntityException, PutRolePermissionsBoundaryCommand, PutRolePolicyCommand, RemoveRoleFromInstanceProfileCommand, TagRoleCommand, UntagRoleCommand, UpdateAssumeRolePolicyCommand, UpdateRoleCommand } from "@aws-sdk/client-iam";
 import { PublishCommand, SNSClient } from "@aws-sdk/client-sns";
 import { GetFunctionUrlConfigCommand, InvokeCommand, LambdaClient, UpdateFunctionConfigurationCommand, waitUntilFunctionActiveV2, waitUntilFunctionUpdatedV2 } from "@aws-sdk/client-lambda";
 import { AssumeRoleCommand, GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
-import { DescribeAvailabilityZonesCommand, DescribeImagesCommand, DescribeLaunchTemplatesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVpcsCommand, DescribeVpnGatewaysCommand, EC2Client, ModifyInstanceAttributeCommand } from "@aws-sdk/client-ec2";
+import { DescribeAvailabilityZonesCommand, DescribeImagesCommand, DescribeLaunchTemplatesCommand, DescribeRouteTablesCommand, DescribeSecurityGroupsCommand, DescribeSubnetsCommand, DescribeVpcsCommand, DescribeVpnGatewaysCommand, EC2Client } from "@aws-sdk/client-ec2";
 import { DescribeTableCommand } from "@aws-sdk/client-dynamodb";
 import { CloudFormationClient, CreateChangeSetCommand, DeleteStackCommand, DescribeChangeSetCommand, GetTemplateCommand, waitUntilChangeSetCreateComplete } from "@aws-sdk/client-cloudformation";
 import { GetRestApiCommand } from "@aws-sdk/client-api-gateway";
@@ -27,1330 +27,6 @@ import graphlib from "graphlib";
 import { DescribeDBClustersCommand, RDSClient } from "@aws-sdk/client-rds";
 import { getSignedUrl } from "@aws-sdk/s3-request-presigner";
 
-//#region src/provisioning/resource-name.ts
-/**
-* Per-async-context stack name. Resource-name generation reads this so that
-* concurrent deploys (`cdkd deploy --all` runs stacks in parallel up to
-* `--stack-concurrency`) don't fight over a single shared variable.
-*
-* History: this was `let currentStackName: string | undefined` until
-* 2026-05-01. Two parallel `deploy()` calls would each call
-* `setCurrentStackName(...)` and the second would overwrite the first;
-* any IAM Role / SQS Queue / etc. created by the first stack while the
-* second was active would get the second stack's prefix in its physical
-* name, then the second stack's own create attempt for the same logical
-* id would collide ("Role with name X already exists"). Switching to
-* `AsyncLocalStorage` scopes the value to each deploy's async chain.
-*/
-const stackNameStore = new AsyncLocalStorage();
-function withStackName(stackName, fn) {
-	return stackNameStore.run(stackName, fn);
-}
-/**
-* Read the current async context's stack name, if any.
-*
-* Returns `undefined` outside any `withStackName` / `setCurrentStackName`
-* scope. Used by the live renderer to scope per-stack in-flight task
-* entries so concurrent deploys don't clobber each other's tasks (same
-* `logicalId` in two stacks would collide on the singleton renderer's
-* task Map without this).
-*/
-function getCurrentStackName() {
-	return stackNameStore.getStore();
-}
-/**
-* Per-async-context "skip the stack-name prefix on user-supplied physical
-* names" flag. Read by `generateResourceName` when its caller passes
-* `userSupplied: true`; auto-generated-name paths
-* (`generateResourceName(logicalId, ...)`) ignore this flag.
-*
-* Scoped via AsyncLocalStorage so that `--stack-concurrency > 1` runs
-* cannot cross-contaminate — each deploy's body is wrapped in its own
-* `withSkipPrefix(...)` scope (the deploy CLI plumbs the resolved
-* `--no-prefix-user-supplied-names` value through here). Default
-* `false` preserves pre-PR behavior when the flag is not set.
-*/
-const skipPrefixStore = new AsyncLocalStorage();
-function withSkipPrefix(skip, fn) {
-	return skipPrefixStore.run(skip, fn);
-}
-/**
-* Read the current async context's skip-prefix flag. Defaults to
-* `false` when no `withSkipPrefix` scope is active.
-*
-* Public for unit tests; `generateResourceName` consumes this
-* internally.
-*/
-function getCurrentSkipPrefix() {
-	return skipPrefixStore.getStore() ?? false;
-}
-/**
-* Resource types whose pre-PR #297 code path ran user-supplied
-* physical names through `generateResourceName` (= got the stack-name
-* prefix). These are the only types affected by
-* `--no-prefix-user-supplied-names`; flipping the flag against an
-* existing stack proposes REPLACEMENT on every state resource of
-* one of these types whose `physicalId` is still prefixed.
-*
-* Pattern A providers (Lambda, S3, SNS, SQS, DynamoDB, Logs LogGroup,
-* Events Rule, etc.) historically short-circuited user-supplied names
-* **out** of `generateResourceName` entirely — those types never got
-* the prefix regardless of the flag, so they are NOT included here.
-*
-* Used by the deploy-time pre-flight migration check in
-* `src/cli/commands/prefix-migration-check.ts`. Keep in sync with the
-* Pattern B provider call sites that consume
-* `generateResourceNameWithFallback(...)`.
-*/
-const PATTERN_B_RESOURCE_TYPES = [
-	"AWS::IAM::Role",
-	"AWS::IAM::User",
-	"AWS::IAM::Group",
-	"AWS::IAM::InstanceProfile",
-	"AWS::IAM::ManagedPolicy",
-	"AWS::ElasticLoadBalancingV2::LoadBalancer",
-	"AWS::ElasticLoadBalancingV2::TargetGroup"
-];
-/**
-* For each Pattern B resource type, the CFn template `Properties` field
-* the user sets to supply a physical name (`new iam.Role(this, 'X',
-* { roleName: 'my-role' })` → `Properties.RoleName: 'my-role'`).
-*
-* Used by the prefix-migration check to distinguish user-supplied
-* physical names (which the v0.94.0 default flip would actually
-* REPLACE on next deploy) from auto-generated logical-id-fallback
-* names (which keep the prefix in BOTH old and new default — no
-* REPLACE pending). Without this discriminator, the migration
-* check naively flags every prefix-style physicalId regardless of
-* its origin, surfacing a false-positive WARNING on auto-generated
-* names that won't actually be touched.
-*
-* Keep in sync with `PATTERN_B_RESOURCE_TYPES` and with each
-* provider's `Properties[<NameField>]` lookup in
-* `src/provisioning/providers/`.
-*/
-const PATTERN_B_NAME_PROPERTIES = {
-	"AWS::IAM::Role": "RoleName",
-	"AWS::IAM::User": "UserName",
-	"AWS::IAM::Group": "GroupName",
-	"AWS::IAM::InstanceProfile": "InstanceProfileName",
-	"AWS::IAM::ManagedPolicy": "ManagedPolicyName",
-	"AWS::ElasticLoadBalancingV2::LoadBalancer": "Name",
-	"AWS::ElasticLoadBalancingV2::TargetGroup": "Name"
-};
-/**
-* Generate a unique resource name from the logical ID.
-*
-* Generates names in CloudFormation-compatible format:
-* `{StackName}-{LogicalId}-{Hash}` (truncated to maxLength).
-*
-* @param name The raw name (from properties or logicalId fallback)
-* @param options Length and character constraints
-* @returns A sanitized, truncated name that fits the constraints
-*/
-function generateResourceName(name, options) {
-	const { maxLength, lowercase = false, allowedPattern = /[^a-zA-Z0-9-]/g, userSupplied = false } = options;
-	const currentStackName = stackNameStore.getStore();
-	const fullName = currentStackName && !(userSupplied && getCurrentSkipPrefix()) ? `${currentStackName}-${name}` : name;
-	let sanitized = lowercase ? fullName.toLowerCase() : fullName;
-	sanitized = sanitized.replace(allowedPattern, "-");
-	sanitized = sanitized.replace(/-{2,}/g, "-").replace(/^-+|-+$/g, "");
-	if (sanitized.length <= maxLength) return sanitized;
-	const hash = createHash("sha256").update(fullName).digest("hex").substring(0, 8);
-	const maxPrefixLength = maxLength - hash.length - 1;
-	return `${sanitized.substring(0, maxPrefixLength).replace(/-+$/, "")}-${hash}`;
-}
-/**
-* Generate a resource name from a user-declared physical name OR
-* fall back to the logical id.
-*
-* Wraps {@link generateResourceName} to express the Pattern B call-site
-* shape (`generateResourceName((properties['Name'] as string | undefined)
-* || logicalId, opts)`) as a single typed helper. The user-supplied
-* branch passes `userSupplied: true`, which makes the per-deploy
-* `withSkipPrefix(true)` flag drop the stack-name prefix on that name.
-* The fallback (logical-id) branch is `userSupplied: false` and keeps
-* the prefix regardless of the flag — auto-generated names rely on
-* the prefix for cross-stack uniqueness.
-*
-* Use at every Pattern B provider call site (currently IAM Role, IAM
-* User, IAM Group, IAM InstanceProfile, ELBv2 LoadBalancer, ELBv2
-* TargetGroup) so the `--no-prefix-user-supplied-names` flag controls
-* those types consistently. Pattern A providers (Lambda, S3, SNS,
-* SQS, DynamoDB, etc.) do NOT need this helper — they already
-* short-circuit the user-supplied name out of the
-* `generateResourceName` call entirely, so the prefix is never
-* applied to user-supplied names regardless of the flag.
-*/
-function generateResourceNameWithFallback(userSuppliedName, logicalId, options) {
-	if (userSuppliedName !== void 0 && userSuppliedName !== "") return generateResourceName(userSuppliedName, {
-		...options,
-		userSupplied: true
-	});
-	return generateResourceName(logicalId, {
-		...options,
-		userSupplied: false
-	});
-}
-/**
-* Default name generation rules for CC API fallback.
-*
-* When an SDK provider falls back to CC API, the resource may need a
-* default name that the SDK provider would have generated. This map
-* defines the name property and generation options for each resource type.
-*
-* Format: resourceType → { nameProperty, options, postProcess? }
-*/
-const FALLBACK_NAME_RULES = {
-	"AWS::S3::Bucket": {
-		nameProperty: "BucketName",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::SQS::Queue": {
-		nameProperty: "QueueName",
-		options: { maxLength: 80 }
-	},
-	"AWS::SNS::Topic": {
-		nameProperty: "TopicName",
-		options: { maxLength: 256 }
-	},
-	"AWS::Lambda::Function": {
-		nameProperty: "FunctionName",
-		options: { maxLength: 64 }
-	},
-	"AWS::Lambda::LayerVersion": {
-		nameProperty: "LayerName",
-		options: { maxLength: 64 }
-	},
-	"AWS::IAM::Role": {
-		nameProperty: "RoleName",
-		options: { maxLength: 64 }
-	},
-	"AWS::IAM::Policy": {
-		nameProperty: "PolicyName",
-		options: { maxLength: 64 }
-	},
-	"AWS::IAM::ManagedPolicy": {
-		nameProperty: "ManagedPolicyName",
-		options: { maxLength: 128 }
-	},
-	"AWS::IAM::User": {
-		nameProperty: "UserName",
-		options: { maxLength: 64 }
-	},
-	"AWS::IAM::Group": {
-		nameProperty: "GroupName",
-		options: { maxLength: 128 }
-	},
-	"AWS::IAM::InstanceProfile": {
-		nameProperty: "InstanceProfileName",
-		options: { maxLength: 128 }
-	},
-	"AWS::DynamoDB::Table": {
-		nameProperty: "TableName",
-		options: { maxLength: 255 }
-	},
-	"AWS::ECR::Repository": {
-		nameProperty: "RepositoryName",
-		options: {
-			maxLength: 256,
-			lowercase: true
-		}
-	},
-	"AWS::ECS::Cluster": {
-		nameProperty: "ClusterName",
-		options: { maxLength: 255 }
-	},
-	"AWS::ECS::Service": {
-		nameProperty: "ServiceName",
-		options: { maxLength: 255 }
-	},
-	"AWS::Logs::LogGroup": {
-		nameProperty: "LogGroupName",
-		options: { maxLength: 512 }
-	},
-	"AWS::CloudWatch::Alarm": {
-		nameProperty: "AlarmName",
-		options: { maxLength: 256 }
-	},
-	"AWS::Events::Rule": {
-		nameProperty: "Name",
-		options: { maxLength: 64 }
-	},
-	"AWS::Events::EventBus": {
-		nameProperty: "Name",
-		options: { maxLength: 256 }
-	},
-	"AWS::Kinesis::Stream": {
-		nameProperty: "Name",
-		options: { maxLength: 128 }
-	},
-	"AWS::StepFunctions::StateMachine": {
-		nameProperty: "StateMachineName",
-		options: { maxLength: 80 }
-	},
-	"AWS::SecretsManager::Secret": {
-		nameProperty: "Name",
-		options: {
-			maxLength: 512,
-			allowedPattern: /[^a-zA-Z0-9-/_]/g
-		}
-	},
-	"AWS::SSM::Parameter": {
-		nameProperty: "Name",
-		options: { maxLength: 2048 }
-	},
-	"AWS::Cognito::UserPool": {
-		nameProperty: "UserPoolName",
-		options: { maxLength: 128 }
-	},
-	"AWS::ElastiCache::SubnetGroup": {
-		nameProperty: "CacheSubnetGroupName",
-		options: {
-			maxLength: 255,
-			lowercase: true
-		}
-	},
-	"AWS::ElastiCache::CacheCluster": {
-		nameProperty: "ClusterName",
-		options: {
-			maxLength: 40,
-			lowercase: true
-		}
-	},
-	"AWS::RDS::DBSubnetGroup": {
-		nameProperty: "DBSubnetGroupName",
-		options: {
-			maxLength: 255,
-			lowercase: true
-		}
-	},
-	"AWS::RDS::DBCluster": {
-		nameProperty: "DBClusterIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::RDS::DBInstance": {
-		nameProperty: "DBInstanceIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::DocDB::DBSubnetGroup": {
-		nameProperty: "DBSubnetGroupName",
-		options: {
-			maxLength: 255,
-			lowercase: true
-		}
-	},
-	"AWS::DocDB::DBCluster": {
-		nameProperty: "DBClusterIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::DocDB::DBInstance": {
-		nameProperty: "DBInstanceIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::Neptune::DBSubnetGroup": {
-		nameProperty: "DBSubnetGroupName",
-		options: {
-			maxLength: 255,
-			lowercase: true
-		}
-	},
-	"AWS::Neptune::DBCluster": {
-		nameProperty: "DBClusterIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::Neptune::DBInstance": {
-		nameProperty: "DBInstanceIdentifier",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	},
-	"AWS::ElasticLoadBalancingV2::LoadBalancer": {
-		nameProperty: "Name",
-		options: { maxLength: 32 }
-	},
-	"AWS::ElasticLoadBalancingV2::TargetGroup": {
-		nameProperty: "Name",
-		options: { maxLength: 32 }
-	},
-	"AWS::WAFv2::WebACL": {
-		nameProperty: "Name",
-		options: { maxLength: 128 }
-	},
-	"AWS::CodeBuild::Project": {
-		nameProperty: "Name",
-		options: { maxLength: 255 }
-	},
-	"AWS::S3Express::DirectoryBucket": {
-		nameProperty: "BucketName",
-		options: {
-			maxLength: 63,
-			lowercase: true
-		}
-	}
-};
-/**
-* Apply default name generation for CC API fallback.
-*
-* When a resource doesn't have an explicit name property set,
-* generates the same default name that the SDK provider would have created.
-* This ensures consistent naming regardless of whether SDK or CC API handles the resource.
-*
-* @param logicalId Logical ID from the template
-* @param resourceType CloudFormation resource type
-* @param properties Resource properties (will not be mutated)
-* @returns Properties with default name applied if needed, or original properties if no rule exists
-*/
-function applyDefaultNameForFallback(logicalId, resourceType, properties) {
-	const rule = FALLBACK_NAME_RULES[resourceType];
-	if (!rule) return properties;
-	if (properties[rule.nameProperty]) return properties;
-	const generatedName = generateResourceName(logicalId, rule.options);
-	return {
-		...properties,
-		[rule.nameProperty]: generatedName
-	};
-}
-
-//#endregion
-//#region src/utils/live-renderer.ts
-/**
-* Live multi-line progress renderer for the bottom of the terminal.
-*
-* Maintains a "live area" listing in-flight tasks (Creating MyBucket...),
-* redrawn on a spinner timer. Other log output is routed through
-* {@link LiveRenderer.printAbove} so it appears above the live area without
-* disturbing the currently-displayed in-flight tasks.
-*
-* Design notes:
-* - Multiple resources can be in flight concurrently (cdkd uses parallel DAG
-*   dispatch), so a single in-place line overwrite is not enough — each
-*   in-flight resource is its own line in the live area.
-* - On non-TTY (CI/log-collection), the renderer stays inactive and
-*   {@link LiveRenderer.printAbove} falls through to a direct write, so output
-*   matches the previous append-only behavior.
-* - In verbose mode (debug level) the caller should not start the renderer:
-*   debug logs would interleave too aggressively with the live area.
-*/
-const SPINNER_FRAMES = [
-	"⠋",
-	"⠙",
-	"⠹",
-	"⠸",
-	"⠼",
-	"⠴",
-	"⠦",
-	"⠧",
-	"⠇",
-	"⠏"
-];
-const FRAME_INTERVAL_MS = 80;
-const ESC = "\x1B[";
-/**
-* Scope a task `id` to its calling stack so two stacks running in
-* parallel — `cdkd deploy --all` with `--stack-concurrency > 1` — don't
-* collide on the same `logicalId` in the renderer's task Map. Without
-* this, stack B's `addTask('MyQueue', ...)` would overwrite stack A's
-* entry, and stack A's later `removeTask('MyQueue')` would erase
-* stack B's.
-*/
-function scopedKey(id, stackName) {
-	return stackName ? `${stackName}:${id}` : id;
-}
-var LiveRenderer = class {
-	tasks = /* @__PURE__ */ new Map();
-	active = false;
-	spinnerIndex = 0;
-	interval = null;
-	linesDrawn = 0;
-	cursorHidden = false;
-	exitListener = null;
-	stream;
-	constructor(stream = process.stdout) {
-		this.stream = stream;
-	}
-	isActive() {
-		return this.active;
-	}
-	/**
-	* Enable the live renderer. No-op if stdout is not a TTY or if
-	* `CDKD_NO_LIVE=1`. Returns true if successfully enabled.
-	*/
-	start() {
-		if (this.active) return true;
-		if (!this.stream.isTTY) return false;
-		if (process.env["CDKD_NO_LIVE"] === "1") return false;
-		this.active = true;
-		this.hideCursor();
-		if (!this.exitListener) {
-			this.exitListener = () => this.showCursor();
-			process.on("exit", this.exitListener);
-		}
-		this.interval = setInterval(() => this.draw(), FRAME_INTERVAL_MS);
-		if (typeof this.interval.unref === "function") this.interval.unref();
-		return true;
-	}
-	stop() {
-		if (!this.active) return;
-		if (this.interval) {
-			clearInterval(this.interval);
-			this.interval = null;
-		}
-		this.clear();
-		this.showCursor();
-		if (this.exitListener) {
-			process.removeListener("exit", this.exitListener);
-			this.exitListener = null;
-		}
-		this.tasks.clear();
-		this.active = false;
-	}
-	addTask(id, label) {
-		const stackName = getCurrentStackName();
-		this.tasks.set(scopedKey(id, stackName), {
-			label,
-			startedAt: Date.now(),
-			stackName
-		});
-		if (this.active) this.draw();
-	}
-	removeTask(id) {
-		const stackName = getCurrentStackName();
-		if (!this.tasks.delete(scopedKey(id, stackName))) return;
-		if (this.active) this.draw();
-	}
-	/**
-	* Replace the label of a previously-added task in place. No-op if the
-	* task is not currently tracked (e.g. it already finished). Used by the
-	* per-resource deadline wrapper to surface a "[taking longer than
-	* expected, Nm+]" suffix without disturbing the elapsed-time counter
-	* the renderer tracks via `startedAt`.
-	*/
-	updateTaskLabel(id, label) {
-		const stackName = getCurrentStackName();
-		const task = this.tasks.get(scopedKey(id, stackName));
-		if (!task) return;
-		task.label = label;
-		if (this.active) this.draw();
-	}
-	/**
-	* Print content above the live area. Clears the live area, runs the writer,
-	* then redraws the live area. When the renderer is inactive, the writer
-	* runs directly so callers can use this unconditionally.
-	*/
-	printAbove(write) {
-		if (!this.active) {
-			write();
-			return;
-		}
-		this.clear();
-		write();
-		this.draw();
-	}
-	clear() {
-		if (this.linesDrawn === 0) return;
-		this.stream.write("\r");
-		for (let i = 0; i < this.linesDrawn; i++) this.stream.write(`${ESC}1A${ESC}2K`);
-		this.linesDrawn = 0;
-	}
-	draw() {
-		if (!this.active) return;
-		this.clear();
-		if (this.tasks.size === 0) return;
-		const frame = SPINNER_FRAMES[this.spinnerIndex % SPINNER_FRAMES.length];
-		this.spinnerIndex++;
-		const distinctStacks = /* @__PURE__ */ new Set();
-		for (const task of this.tasks.values()) distinctStacks.add(task.stackName);
-		const showStackPrefix = distinctStacks.size > 1;
-		const cols = this.stream.columns ?? 80;
-		const lines = [];
-		for (const task of this.tasks.values()) {
-			const elapsed = ((Date.now() - task.startedAt) / 1e3).toFixed(1);
-			const raw = `  ${frame} ${showStackPrefix && task.stackName ? `[${task.stackName}] ` : ""}${task.label} (${elapsed}s)`;
-			lines.push(this.truncate(raw, cols));
-		}
-		this.stream.write(lines.join("\n") + "\n");
-		this.linesDrawn = lines.length;
-	}
-	truncate(s, maxLen) {
-		if (s.length <= maxLen) return s;
-		if (maxLen <= 1) return "…";
-		return s.substring(0, maxLen - 1) + "…";
-	}
-	hideCursor() {
-		if (this.cursorHidden) return;
-		this.stream.write(`${ESC}?25l`);
-		this.cursorHidden = true;
-	}
-	showCursor() {
-		if (!this.cursorHidden) return;
-		this.stream.write(`${ESC}?25h`);
-		this.cursorHidden = false;
-	}
-};
-let globalRenderer = null;
-function getLiveRenderer() {
-	if (!globalRenderer) globalRenderer = new LiveRenderer();
-	return globalRenderer;
-}
-
-//#endregion
-//#region src/utils/stack-context.ts
-const outputBufferStore = new AsyncLocalStorage();
-/**
-* Run `fn` with a fresh log buffer scoped to its async chain. Any
-* `logger.info / debug / warn / error` calls inside `fn` (and any
-* `await`s) push into the buffer instead of writing to stdout/stderr.
-* Returns the buffered lines (and either `result` or `error`) so the
-* caller can flush them in one block.
-*/
-async function runStackBuffered(fn) {
-	const buffer = { lines: [] };
-	return outputBufferStore.run(buffer, async () => {
-		try {
-			return {
-				ok: true,
-				result: await fn(),
-				lines: buffer.lines
-			};
-		} catch (error) {
-			return {
-				ok: false,
-				error,
-				lines: buffer.lines
-			};
-		}
-	});
-}
-/**
-* Get the current async context's stack output buffer, or `undefined`
-* if no `runStackBuffered` is active. The logger consults this on every
-* call: present → push to buffer; absent → fall through to live
-* renderer / console.
-*/
-function getCurrentStackOutputBuffer() {
-	return outputBufferStore.getStore();
-}
-
-//#endregion
-//#region src/utils/logger.ts
-/**
-* ANSI color codes
-*
-* Kept internal — `ConsoleLogger.formatMessage` references these for the
-* verbose/compact mode level prefixes. For inline color wrapping in
-* production code, import from `./colors.js` instead (which lives in a
-* separate module so unit tests that mock `logger.ts` don't strip color
-* helpers as a side effect).
-*/
-const colors = {
-	reset: "\x1B[0m",
-	bright: "\x1B[1m",
-	dim: "\x1B[2m",
-	red: "\x1B[31m",
-	green: "\x1B[32m",
-	yellow: "\x1B[33m",
-	blue: "\x1B[34m",
-	cyan: "\x1B[36m",
-	gray: "\x1B[90m"
-};
-/**
-* Format timestamp
-*/
-function formatTimestamp() {
-	return (/* @__PURE__ */ new Date()).toISOString();
-}
-/**
-* Console logger implementation
-*
-* Supports two output modes:
-* - verbose (debug level): timestamps, module prefixes, all details
-* - compact (info level): clean output without timestamps or prefixes
-*/
-var ConsoleLogger = class {
-	level;
-	useColors;
-	constructor(level = "info", useColors = true) {
-		this.level = level;
-		this.useColors = useColors;
-	}
-	shouldLog(level) {
-		const levels = [
-			"debug",
-			"info",
-			"warn",
-			"error"
-		];
-		const currentLevelIndex = levels.indexOf(this.level);
-		return levels.indexOf(level) >= currentLevelIndex;
-	}
-	formatMessage(level, message, ...args) {
-		const formattedArgs = args.length > 0 ? " " + args.map((a) => JSON.stringify(a)).join(" ") : "";
-		if (this.level === "debug") {
-			const timestamp = formatTimestamp();
-			const levelStr = level.toUpperCase().padEnd(5);
-			if (this.useColors) {
-				const levelColor = {
-					debug: colors.gray,
-					info: colors.blue,
-					warn: colors.yellow,
-					error: colors.red
-				}[level];
-				return `${colors.dim}${timestamp}${colors.reset} ${levelColor}${levelStr}${colors.reset} ${message}${formattedArgs}`;
-			}
-			return `${timestamp} ${levelStr} ${message}${formattedArgs}`;
-		}
-		if (this.useColors) {
-			if (level === "error") return `${colors.red}${message}${formattedArgs}${colors.reset}`;
-			if (level === "warn") return `${colors.yellow}${message}${formattedArgs}${colors.reset}`;
-			return `${message}${formattedArgs}`;
-		}
-		return `${message}${formattedArgs}`;
-	}
-	/**
-	* Route a formatted log line. When a per-stack output buffer is active in
-	* the current async context (parallel multi-stack deploy), capture the
-	* line into the buffer so it can be flushed as one atomic block when the
-	* stack finishes. Otherwise fall through to the live renderer / console
-	* as before.
-	*/
-	emit(level, formatted) {
-		const buffer = getCurrentStackOutputBuffer();
-		if (buffer) {
-			buffer.lines.push(formatted);
-			return;
-		}
-		getLiveRenderer().printAbove(() => {
-			if (level === "error") console.error(formatted);
-			else if (level === "warn") console.warn(formatted);
-			else if (level === "info") console.info(formatted);
-			else console.debug(formatted);
-		});
-	}
-	debug(message, ...args) {
-		if (this.shouldLog("debug")) this.emit("debug", this.formatMessage("debug", message, ...args));
-	}
-	info(message, ...args) {
-		if (this.shouldLog("info")) this.emit("info", this.formatMessage("info", message, ...args));
-	}
-	warn(message, ...args) {
-		if (this.shouldLog("warn")) this.emit("warn", this.formatMessage("warn", message, ...args));
-	}
-	error(message, ...args) {
-		if (this.shouldLog("error")) this.emit("error", this.formatMessage("error", message, ...args));
-	}
-	/**
-	* Set log level
-	*/
-	setLevel(level) {
-		this.level = level;
-	}
-	getLevel() {
-		return this.level;
-	}
-	/**
-	* Create a child logger with a prefix
-	*
-	* In verbose mode, prefix is shown as [Prefix]. In compact mode, prefix is hidden.
-	*/
-	child(prefix) {
-		return new ChildLogger(prefix, this.useColors);
-	}
-};
-/**
-* Child logger that always syncs level from global logger
-*/
-var ChildLogger = class extends ConsoleLogger {
-	prefix;
-	constructor(prefix, useColors) {
-		super("info", useColors);
-		this.prefix = prefix;
-	}
-	syncLevel() {
-		if (globalLogger) this.setLevel(globalLogger.getLevel());
-	}
-	debug(message, ...args) {
-		this.syncLevel();
-		super.debug(`[${this.prefix}] ${message}`, ...args);
-	}
-	info(message, ...args) {
-		this.syncLevel();
-		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
-		super.info(msg, ...args);
-	}
-	warn(message, ...args) {
-		this.syncLevel();
-		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
-		super.warn(msg, ...args);
-	}
-	error(message, ...args) {
-		this.syncLevel();
-		const msg = this.getLevel() === "debug" ? `[${this.prefix}] ${message}` : message;
-		super.error(msg, ...args);
-	}
-};
-/**
-* Global logger instance
-*/
-let globalLogger = null;
-/**
-* Get or create global logger
-*/
-function getLogger() {
-	if (!globalLogger) globalLogger = new ConsoleLogger();
-	return globalLogger;
-}
-/**
-* Set global logger instance
-*/
-function setLogger(logger) {
-	globalLogger = logger;
-}
-
-//#endregion
-//#region src/utils/error-handler.ts
-/**
-* Base error class for cdkd
-*/
-var CdkdError = class CdkdError extends Error {
-	code;
-	cause;
-	constructor(message, code, cause) {
-		super(message);
-		this.code = code;
-		this.cause = cause;
-		this.name = "CdkdError";
-		Object.setPrototypeOf(this, CdkdError.prototype);
-	}
-};
-/**
-* State management errors
-*/
-var StateError = class StateError extends CdkdError {
-	constructor(message, cause) {
-		super(message, "STATE_ERROR", cause);
-		this.name = "StateError";
-		Object.setPrototypeOf(this, StateError.prototype);
-	}
-};
-/**
-* Lock acquisition errors
-*/
-var LockError = class LockError extends CdkdError {
-	constructor(message, cause) {
-		super(message, "LOCK_ERROR", cause);
-		this.name = "LockError";
-		Object.setPrototypeOf(this, LockError.prototype);
-	}
-};
-/**
-* Synthesis errors
-*/
-var SynthesisError = class SynthesisError extends CdkdError {
-	constructor(message, cause) {
-		super(message, "SYNTHESIS_ERROR", cause);
-		this.name = "SynthesisError";
-		Object.setPrototypeOf(this, SynthesisError.prototype);
-	}
-};
-/**
-* Asset errors
-*/
-var AssetError = class AssetError extends CdkdError {
-	constructor(message, cause) {
-		super(message, "ASSET_ERROR", cause);
-		this.name = "AssetError";
-		Object.setPrototypeOf(this, AssetError.prototype);
-	}
-};
-/**
-* Local-invoke `docker build` failures.
-*
-* Surfaces the stderr captured from `docker build` so the user can
-* re-run the same command directly to debug Dockerfile syntax errors
-* or missing build context. Used by `src/local/docker-image-builder.ts`
-* (PR 5) for container Lambdas; the parallel `AssetError` covers the
-* `cdkd publish-assets` / `cdkd deploy` build path. Kept distinct from
-* `AssetError` so `cdkd local invoke` failures don't show up under the
-* "asset" error class.
-*/
-var LocalInvokeBuildError = class LocalInvokeBuildError extends CdkdError {
-	constructor(message, cause) {
-		super(message, "LOCAL_INVOKE_BUILD_ERROR", cause);
-		this.name = "LocalInvokeBuildError";
-		Object.setPrototypeOf(this, LocalInvokeBuildError.prototype);
-	}
-};
-/**
-* Resource provisioning errors
-*/
-var ProvisioningError = class ProvisioningError extends CdkdError {
-	resourceType;
-	logicalId;
-	physicalId;
-	constructor(message, resourceType, logicalId, physicalId, cause) {
-		super(message, "PROVISIONING_ERROR", cause);
-		this.resourceType = resourceType;
-		this.logicalId = logicalId;
-		this.physicalId = physicalId;
-		this.name = "ProvisioningError";
-		Object.setPrototypeOf(this, ProvisioningError.prototype);
-	}
-};
-/**
-* Resource provisioning timeout errors (per-resource wall-clock deadline).
-*
-* Thrown by `withResourceDeadline` when a single CREATE / UPDATE / DELETE
-* operation exceeds the user-configured `--resource-timeout`. The deploy
-* engine catches this, wraps it in {@link ProvisioningError}, and lets the
-* existing failure path (interrupt siblings → pre-rollback save → rollback
-* unless `--no-rollback`) take over.
-*
-* The message intentionally names the resource, type, region, elapsed time
-* and operation, plus how to override the default. Long-running providers
-* (e.g. Custom Resource: 1h polling cap) self-report their needed budget
-* via `getMinResourceTimeoutMs()`, so the user only needs a per-type
-* override (`--resource-timeout TYPE=DURATION`) when they want to bump a
-* specific non-self-reporting type or shorten a self-reported one.
-*/
-var ResourceTimeoutError = class ResourceTimeoutError extends CdkdError {
-	logicalId;
-	resourceType;
-	region;
-	elapsedMs;
-	operation;
-	timeoutMs;
-	constructor(logicalId, resourceType, region, elapsedMs, operation, timeoutMs) {
-		const elapsedLabel = formatDuration(elapsedMs);
-		const timeoutLabel = formatDuration(timeoutMs);
-		super(`Resource ${logicalId} (${resourceType}) in ${region} timed out after ${timeoutLabel} during ${operation} (elapsed ${elapsedLabel}).\nThis may indicate a stuck Cloud Control polling loop, hung Custom Resource, or
-slow ENI provisioning. Re-run with --resource-timeout ${resourceType}=<DURATION>\nto bump the budget for this resource type only, or --verbose to see the
-underlying provider activity.`, "RESOURCE_TIMEOUT");
-		this.logicalId = logicalId;
-		this.resourceType = resourceType;
-		this.region = region;
-		this.elapsedMs = elapsedMs;
-		this.operation = operation;
-		this.timeoutMs = timeoutMs;
-		this.name = "ResourceTimeoutError";
-		Object.setPrototypeOf(this, ResourceTimeoutError.prototype);
-	}
-};
-/**
-* Format a duration in milliseconds as a short human-readable label
-* (`30m`, `1h30m`, `45s`). Used by {@link ResourceTimeoutError} so the
-* error message stays compact.
-*/
-function formatDuration(ms) {
-	if (ms < 6e4) return `${Math.round(ms / 1e3)}s`;
-	const totalMinutes = Math.round(ms / 6e4);
-	if (totalMinutes < 60) return `${totalMinutes}m`;
-	const hours = Math.floor(totalMinutes / 60);
-	const minutes = totalMinutes % 60;
-	return minutes === 0 ? `${hours}h` : `${hours}h${minutes}m`;
-}
-/**
-* Dependency resolution errors
-*/
-var DependencyError = class DependencyError extends CdkdError {
-	constructor(message, cause) {
-		super(message, "DEPENDENCY_ERROR", cause);
-		this.name = "DependencyError";
-		Object.setPrototypeOf(this, DependencyError.prototype);
-	}
-};
-/**
-* Configuration errors
-*/
-var ConfigError = class ConfigError extends CdkdError {
-	constructor(message, cause) {
-		super(message, "CONFIG_ERROR", cause);
-		this.name = "ConfigError";
-		Object.setPrototypeOf(this, ConfigError.prototype);
-	}
-};
-/**
-* Signals a partial-failure outcome that should map to exit code 2 (not 1).
-*
-* Used by `cdkd destroy` and `cdkd state destroy` when one or more
-* per-resource deletes failed but the overall command finished its work
-* (state.json is preserved, the rest of the stack was deleted, and the
-* user can re-run to clean up the remaining resources).
-*
-* Exit code conventions:
-*   - 0: command completed successfully, no resources left in error state.
-*   - 1: command-level failure (auth error, bad arguments, synth crash,
-*        unhandled exception). Default for any thrown error.
-*   - 2: partial failure — work completed but some resources are still in
-*        an error state. Re-running typically resolves it. Documented in
-*        README's "Exit codes" section.
-*
-* `handleError` recognizes this class via `instanceof` and uses its
-* `exitCode` instead of the default 1.
-*/
-var PartialFailureError = class PartialFailureError extends CdkdError {
-	exitCode = 2;
-	constructor(message, cause) {
-		super(message, "PARTIAL_FAILURE", cause);
-		this.name = "PartialFailureError";
-		Object.setPrototypeOf(this, PartialFailureError.prototype);
-	}
-};
-/**
-* Signals that a provider cannot perform an in-place `update` for a
-* resource type — most commonly because the AWS resource is structurally
-* immutable (`AWS::Lambda::LayerVersion`, `AWS::S3Tables::TableBucket` once
-* created, certain `AWS::EC2::*` sub-resources) or because the provider
-* surfaces a sub-resource attachment whose only mutation pattern is
-* delete + add (Lambda permission statements, IAM policy attachments).
-*
-* Surfaced through `cdkd drift --revert`, which calls
-* `provider.update(logicalId, physicalId, type, stateProps, awsProps)` to
-* push cdkd state values back into AWS for every drifted resource. When a
-* provider throws this error, the drift command collects it as a
-* per-resource outcome distinct from a generic AWS update failure: the
-* fix is to re-deploy with `--replace` (or recreate the resource), not to
-* retry the update.
-*
-* Carries the same `exitCode = 2` as {@link PartialFailureError} so a
-* drift run that hits one immutable resource is reported as partial-
-* success rather than fatal — the rest of the drifted resources still
-* had their `update` invoked, and the user has a clear next step printed
-* for the unsupported one.
-*/
-var ResourceUpdateNotSupportedError = class ResourceUpdateNotSupportedError extends CdkdError {
-	exitCode = 2;
-	resourceType;
-	logicalId;
-	/**
-	* Human-readable hint printed alongside the error. The default is
-	* "use cdkd deploy with --replace, or change the resource definition
-	* to create a new version" — providers are encouraged to override
-	* with a more specific suggestion when one is available (e.g.
-	* Lambda::Permission's "delete + add a new statement").
-	*/
-	suggestion;
-	constructor(resourceType, logicalId, suggestion, cause) {
-		super(`${resourceType} (${logicalId}) cannot be updated in place: ${suggestion ? suggestion : "use cdkd deploy with --replace, or change the resource definition to create a new version"}.`, "RESOURCE_UPDATE_NOT_SUPPORTED", cause);
-		this.resourceType = resourceType;
-		this.logicalId = logicalId;
-		this.suggestion = suggestion;
-		this.name = "ResourceUpdateNotSupportedError";
-		Object.setPrototypeOf(this, ResourceUpdateNotSupportedError.prototype);
-	}
-};
-/**
-* Signals a refusal to destroy a stack whose CDK manifest has
-* `terminationProtection: true`.
-*
-* Surfaced from `cdkd destroy <stack>` / `cdkd destroy --all` BEFORE
-* any lock acquisition or per-resource delete. In multi-stack runs
-* (e.g. `--all`) this counts as a per-stack failure and the rest of
-* the targets continue — the aggregated count is wrapped in
-* {@link PartialFailureError} so the command exits with code 2.
-*
-* The bypass workflow is documented in the message: edit the CDK code
-* (`new Stack(app, '...', { terminationProtection: false })`),
-* redeploy, then retry the destroy. A future `--remove-protection`
-* flag (separate scope) will provide an explicit one-shot bypass.
-*
-* Note: `cdkd state destroy` (state-only, no synth) does NOT honor
-* `terminationProtection` — the flag is a CDK property not persisted
-* in cdkd's state.json. Use `cdkd destroy` when synth is available.
-*/
-var StackTerminationProtectionError = class StackTerminationProtectionError extends CdkdError {
-	stackName;
-	constructor(stackName, cause) {
-		super(`Stack '${stackName}' has terminationProtection: true and cannot be destroyed. Set terminationProtection: false in the CDK code, redeploy, then retry 'cdkd destroy ${stackName}'.`, "STACK_TERMINATION_PROTECTION", cause);
-		this.stackName = stackName;
-		this.name = "StackTerminationProtectionError";
-		Object.setPrototypeOf(this, StackTerminationProtectionError.prototype);
-	}
-};
-/**
-* `cdkd destroy <child>` refused because the named stack is a nested
-* child of another stack. Mirrors CloudFormation's `you can't directly
-* destroy a nested stack` semantic — destroying the child without
-* touching the parent would leave the parent's `AWS::CloudFormation::Stack`
-* record pointing at non-existent resources, and the parent's next
-* deploy would silently try to re-create them.
-*
-* Detected by reading the loaded state's v6 `parentStack` field — only
-* state files written by `NestedStackProvider.create` (or by the
-* recursive `cdkd import --migrate-from-cloudformation` walk) carry
-* this field; top-level stacks have `parentStack: undefined` and pass
-* the guard unchanged.
-*
-* Fires from `cdkd destroy` AFTER state load but BEFORE lock
-* acquisition or any per-resource delete, so the refusal is cheap.
-* Surfaced as a per-stack failure (wrapped in {@link PartialFailureError},
-* exit code 2) in multi-stack runs — siblings continue.
-*
-* Bypass paths (both intentional escape hatches):
-*
-*  1. `cdkd destroy <parent>` — the normal cascading-destroy path; the
-*     parent's reverse-DAG walks into the child via
-*     `NestedStackProvider.delete` and removes both layers atomically.
-*  2. `cdkd state destroy <child>` — state-only destroy with no parent
-*     coupling check. The state-driven entry point intentionally
-*     bypasses this guard for the same reason `cdkd state destroy`
-*     bypasses `terminationProtection`: it's the "I know what I'm
-*     doing" path for cleaning up state when synth is unavailable or
-*     the user accepts leaving the parent's reference dangling.
-*/
-var NestedStackChildDirectDestroyError = class NestedStackChildDirectDestroyError extends CdkdError {
-	stackName;
-	parentStack;
-	parentLogicalId;
-	constructor(stackName, parentStack, parentLogicalId, cause) {
-		const logicalIdSuffix = parentLogicalId ? ` (parent's logical id: ${parentLogicalId})` : "";
-		super(`Stack '${stackName}' is a nested child of '${parentStack}'${logicalIdSuffix}; directly destroying a nested stack is not supported. Either run 'cdkd destroy ${parentStack}' to cascade-delete this child along with its parent, or run 'cdkd state destroy ${stackName}' if you intentionally want to leave the parent's reference dangling (the state-only escape hatch).`, "NESTED_STACK_CHILD_DIRECT_DESTROY", cause);
-		this.stackName = stackName;
-		this.parentStack = parentStack;
-		if (parentLogicalId !== void 0) this.parentLogicalId = parentLogicalId;
-		this.name = "NestedStackChildDirectDestroyError";
-		Object.setPrototypeOf(this, NestedStackChildDirectDestroyError.prototype);
-	}
-};
-/**
-* `cdkd destroy <producer>` refused because at least one consumer stack
-* still records an `Fn::ImportValue` reference to one of the producer's
-* outputs. This matches CloudFormation's strong-reference semantics —
-* CFn rejects `DeleteStack` for an exporter while an importer exists.
-*
-* cdkd has no `--force` escape hatch for this (intentionally, mirroring
-* CFn). The error message lists every offending consumer and points the
-* user at the two valid resolution paths:
-*
-*  1. Destroy the consumer first: `cdkd destroy <consumer>`
-*  2. Remove the `Fn::ImportValue` from the consumer's template and
-*     redeploy, then retry the producer destroy.
-*
-* Weak-reference consumers (`Fn::GetStackOutput`, cdkd-specific) never
-* trigger this error by design — the producer stays deletable
-* independently of consumers when the user intentionally chose a weak
-* reference at template-authoring time.
-*
-* Exit code 2 (same as `PartialFailureError`) so multi-stack `cdkd
-* destroy --all` runs that partially succeed still surface as
-* non-zero without being indistinguishable from a fatal cdkd error.
-*/
-var StackHasActiveImportsError = class StackHasActiveImportsError extends CdkdError {
-	exitCode = 2;
-	producerStack;
-	producerRegion;
-	consumers;
-	constructor(producerStack, producerRegion, consumers, cause) {
-		const lines = consumers.map((c) => `  - ${c.consumerStack} (${c.consumerRegion}): imports export '${c.exportName}'`);
-		super(`Cannot destroy stack '${producerStack}' (${producerRegion}): the following stacks still import its outputs via Fn::ImportValue:\n${lines.join("\n")}\n\nThis matches CloudFormation's strong-reference semantics — exports are\nprotected as long as a consumer references them.\n\nTo proceed:\n  1. Destroy the consumer first: cdkd destroy <consumer-stack>\n  2. Or remove the Fn::ImportValue from the consumer's template\n     (e.g. inline the value, or refactor) and re-deploy the consumer,\n     then retry this destroy.\n\nNote: cdkd's Fn::GetStackOutput intrinsic is a weak alternative that\ndoes NOT protect the producer — use it when you intentionally want\nthe producer to be deletable independently of consumers.`, "STACK_HAS_ACTIVE_IMPORTS", cause);
-		this.producerStack = producerStack;
-		this.producerRegion = producerRegion;
-		this.consumers = consumers;
-		this.name = "StackHasActiveImportsError";
-		Object.setPrototypeOf(this, StackHasActiveImportsError.prototype);
-	}
-};
-/**
-* Signals a `cdkd local start-service` orchestration failure (Phase 2
-* of #262 — `AWS::ECS::Service` emulator). Distinct from
-* `LocalRunTaskError` because the service runner has its own lifecycle
-* (long-running replica pool, restart-on-exit), so a failure inside it
-* carries different operator semantics than a one-shot task failure.
-*/
-var LocalStartServiceError = class LocalStartServiceError extends CdkdError {
-	constructor(message, cause) {
-		super(message, "LOCAL_START_SERVICE_ERROR", cause);
-		this.name = "LocalStartServiceError";
-		Object.setPrototypeOf(this, LocalStartServiceError.prototype);
-	}
-};
-/**
-* Signals that the upstream `cdk` CLI is not available on PATH (or at
-* the override path passed via `--cdk-bin`). Surfaced from `cdkd migrate`
-* (#465 PR A) before any other work runs.
-*
-* The message includes the install hint `npm install -g aws-cdk@latest`
-* so users on a fresh machine see exactly how to recover.
-*/
-var MissingCdkCliError = class MissingCdkCliError extends CdkdError {
-	constructor(detail, cause) {
-		super(`${detail ?? "upstream 'cdk' CLI not found on PATH"}. 'cdkd migrate' shells out to the upstream aws-cdk CLI for L1 codegen — install it with 'npm install -g aws-cdk@latest' (or pass --cdk-bin <path>).`, "MISSING_CDK_CLI", cause);
-		this.name = "MissingCdkCliError";
-		Object.setPrototypeOf(this, MissingCdkCliError.prototype);
-	}
-};
-/**
-* Generic local-migrate orchestration failure (#465 PR A). Used by
-* `cdkd migrate` for pre-flight rejections (Custom Resource / nested
-* stack / non-terminal CFn stack state), output-dir collisions, and
-* `cdk migrate` subprocess failures whose underlying stderr is folded
-* into the error message. Exit code 2 (partial-failure family) because
-* some pre-flight failures leave the user with a partially-populated
-* output directory that's still useful for debugging.
-*/
-var LocalMigrateError = class LocalMigrateError extends CdkdError {
-	exitCode = 2;
-	constructor(message, cause) {
-		super(message, "LOCAL_MIGRATE_ERROR", cause);
-		this.name = "LocalMigrateError";
-		Object.setPrototypeOf(this, LocalMigrateError.prototype);
-	}
-};
-/**
-* CloudFormation macro / `Fn::Transform` expansion failure (#463).
-*
-* cdkd hands templates that declare `Transform: [...]` (or carry
-* `Fn::Transform: {...}` snippets) to CloudFormation server-side via a
-* transient `CreateChangeSet --change-set-type CREATE` against a
-* `cdkd-macro-expand-<id>` stack name. This error wraps every failure
-* mode of that round-trip:
-*
-*   - `CreateChangeSet` rejection (bad template, missing macro IAM
-*     permission, custom macro not found in the account).
-*   - Changeset settles in `FAILED` (`StatusReason` from CFn is
-*     surfaced verbatim — typically a custom macro Lambda error).
-*   - Waiter timeout (the macro Lambda is stuck or oversized).
-*   - `GetTemplate --template-stage Processed` returns no body (would
-*     indicate a CFn-side regression — fail loud rather than silently
-*     proceed with the un-expanded template).
-*   - Multi-stage detection: the expanded template still contains
-*     macros, which cdkd v1 does not support (the design intentionally
-*     rejects this so a second round-trip is not silently triggered).
-*
-* The error surfaces at exit code 2 (partial-failure family) — the
-* cleanup `finally` in the expander always runs `DeleteChangeSet` +
-* `DeleteStack` regardless of this error firing, so a failed
-* expansion never leaves a transient CFn stack behind in a routine
-* case. The user can re-run `cdkd deploy` once the upstream cause is
-* fixed.
-*/
-var MacroExpansionError = class MacroExpansionError extends CdkdError {
-	exitCode = 2;
-	constructor(message, cause) {
-		super(message, "MACRO_EXPANSION_ERROR", cause);
-		this.name = "MacroExpansionError";
-		Object.setPrototypeOf(this, MacroExpansionError.prototype);
-	}
-};
-/**
-* Check if error is a cdkd error
-*/
-function isCdkdError(error) {
-	return error instanceof CdkdError;
-}
-/**
-* Format error for display
-*/
-function formatError(error) {
-	if (isCdkdError(error)) {
-		let message = `${error.name}: ${error.message}`;
-		if (error.cause) message += `\nCaused by: ${error.cause.message}`;
-		return message;
-	}
-	if (error instanceof Error) return `${error.name}: ${error.message}`;
-	return String(error);
-}
-/**
-* Global error handler
-*
-* Default exit code is 1 (general error). `PartialFailureError`
-* overrides it to 2 so callers can distinguish "command crashed /
-* unauthorized / bad arguments" from "command completed but some
-* resources are still in an error state, re-run to clean up".
-*
-* A {@link CdkdError} subclass may set `silent = true` to suppress the
-* default `logger.error` line — used by `cdkd drift` where the command
-* has already printed a richer report and only needs the exit code.
-*/
-function handleError(error) {
-	const logger = getLogger();
-	if (!(error instanceof CdkdError && error.silent)) logger.error(formatError(error));
-	if (error instanceof Error && error.stack) logger.debug("Stack trace:", error.stack);
-	const customExitCode = error instanceof CdkdError ? error.exitCode : void 0;
-	const exitCode = typeof customExitCode === "number" ? customExitCode : 1;
-	process.exit(exitCode);
-}
-/**
-* Wrap async function with error handling
-*
-* Note: Uses `any[]` for args to support Commander.js action handlers
-* which can have various parameter types
-*/
-function withErrorHandling(fn) {
-	return async (...args) => {
-		try {
-			await fn(...args);
-		} catch (error) {
-			handleError(error);
-		}
-	};
-}
-/**
-* Convert AWS SDK v3's synthetic `Unknown` / `UnknownError` exception into
-* an actionable `Error` keyed off `$metadata.httpStatusCode`.
-*
-* Background — why this helper exists:
-*   AWS SDK v3 produces a synthetic `name: 'Unknown'`, `message:
-*   'UnknownError'` exception when the protocol parser hits a HEAD response
-*   with an empty body. The most common trigger is `HeadBucket` against a
-*   bucket in a different region than the client (S3 returns 301
-*   PermanentRedirect with `x-amz-bucket-region` set, but the redirect
-*   middleware doesn't recover from the empty body). Surfacing the literal
-*   string `UnknownError` to users is uninformative.
-*
-* Behavior:
-*   - Non-AWS-SDK errors (anything where `name` is not `Unknown` and
-*     `message` is not `UnknownError`) pass through unchanged.
-*   - AWS SDK Unknown errors are mapped by HTTP status:
-*     - 301 → `Bucket '<name>' is in a different region…` (auto-resolved
-*       elsewhere; if this surfaces, it's a bug worth reporting).
-*     - 403 → `Access denied to bucket '<name>'.`
-*     - 404 → `Bucket '<name>' does not exist.`
-*     - other / unknown → `S3 error during <operation> on '<bucket>' (HTTP
-*       <status>).`
-*/
-function normalizeAwsError(err, context = {}) {
-	if (!(err instanceof Error)) return new Error(String(err));
-	if (!(err.name === "Unknown" || err.message === "UnknownError")) return err;
-	const status = err.$metadata?.httpStatusCode;
-	const bucket = context.bucket ?? "<unknown bucket>";
-	const operation = context.operation ?? "operation";
-	switch (status) {
-		case 301: {
-			const responseHeaders = err.$response?.headers;
-			const region = responseHeaders?.["x-amz-bucket-region"] ?? responseHeaders?.["X-Amz-Bucket-Region"];
-			const where = region ? ` (in ${region})` : "";
-			return /* @__PURE__ */ new Error(`Bucket '${bucket}'${where} is in a different region than the client. cdkd resolves this automatically; if you see this message, please report it.`);
-		}
-		case 403: return /* @__PURE__ */ new Error(`Access denied to bucket '${bucket}'. Verify credentials and bucket policy.`);
-		case 404: return /* @__PURE__ */ new Error(`Bucket '${bucket}' does not exist.`);
-		default: {
-			const statusStr = status !== void 0 ? `HTTP ${status}` : "unknown HTTP status";
-			return /* @__PURE__ */ new Error(`S3 error during ${operation} on '${bucket}' (${statusStr}). See CloudTrail for details.`);
-		}
-	}
-}
-
-//#endregion
 //#region src/utils/aws-region-resolver.ts
 /**
 * Per-bucket region cache.
@@ -3212,7 +1888,7 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
 	logger.debug("No state bucket specified, resolving default from account...");
 	const { GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
 	const { S3Client } = await import("@aws-sdk/client-s3");
-	const { getAwsClients } = await import("./aws-clients-DWUnLza1.js").then((n) => n.n);
+	const { getAwsClients } = await import("./aws-clients-pjPwZz1r.js").then((n) => n.n);
 	const accountId = (await getAwsClients().sts.send(new GetCallerIdentityCommand({}))).Account;
 	const newName = getDefaultStateBucketName(accountId);
 	const legacyName = getLegacyStateBucketName(accountId, region);
@@ -7616,36 +6292,6 @@ var IntrinsicFunctionResolver = class {
 	}
 };
 
-//#endregion
-//#region src/provisioning/ec2-termination-protection.ts
-/**
-* Flip `DisableApiTermination` off on an instance. Idempotent — EC2 accepts the
-* call when the attribute is already false. Non-fatal: a NotFound (already
-* gone) or any other error is swallowed at debug so the actual delete still
-* proceeds (it will surface the real failure if the instance truly cannot be
-* deleted).
-*/
-async function disableInstanceApiTermination(client, instanceId, logger) {
-	try {
-		await client.send(new ModifyInstanceAttributeCommand({
-			InstanceId: instanceId,
-			DisableApiTermination: { Value: false }
-		}));
-		logger.debug(`Disabled DisableApiTermination on EC2 Instance ${instanceId} before deletion`);
-	} catch (flipError) {
-		logger.debug(`Could not disable DisableApiTermination on ${instanceId}: ${flipError instanceof Error ? flipError.message : String(flipError)}`);
-	}
-}
-/**
-* Does this error message indicate the terminate / delete raced the
-* `DisableApiTermination` flip-off propagation (so re-flipping + retrying is
-* the right move)? Matches both the SDK `TerminateInstances` 400 and the Cloud
-* Control `DeleteResource` wrapper of the same underlying EC2 error.
-*/
-function isTerminationProtectionPropagationError(message) {
-	return /may not be terminated|disableApiTermination/i.test(message);
-}
-
 //#endregion
 //#region src/provisioning/json-patch-generator.ts
 /**
@@ -7742,45 +6388,6 @@ var JsonPatchGenerator = class {
 	}
 };
 
-//#endregion
-//#region src/provisioning/region-check.ts
-/**
-* Verify that the AWS client's region matches the region the resource is
-* expected to live in before treating a `NotFound` error as idempotent
-* delete success.
-*
-* Why: a destroy run with the wrong region would otherwise receive
-* `*NotFound` for every resource and silently strip them all from state,
-* leaving the actual AWS resources orphaned in the real region. The
-* silent-failure incident that motivated this check was a Lambda in
-* `us-west-2` removed from state by a destroy that ran with a `us-east-1`
-* client.
-*
-* Behavior:
-* - If `expectedRegion` is unset, this is a no-op (back-compat: existing
-*   idempotent semantics preserved for callers that have not been
-*   threaded with state region).
-* - If `clientRegion` matches `expectedRegion`, returns silently.
-* - Otherwise throws `ProvisioningError` so the caller surfaces the
-*   mismatch instead of swallowing the NotFound.
-*
-* @param clientRegion Region resolved from the AWS SDK client config
-*   (typically `await client.config.region()`).
-* @param expectedRegion Region recorded in stack state, or undefined if
-*   the caller has no expected region.
-* @param resourceType CloudFormation resource type, used in the error
-*   message and on the thrown ProvisioningError.
-* @param logicalId Logical ID of the resource, used in the error message
-*   and on the thrown ProvisioningError.
-* @param physicalId Optional physical ID, used in the error message and
-*   on the thrown ProvisioningError.
-*/
-function assertRegionMatch(clientRegion, expectedRegion, resourceType, logicalId, physicalId) {
-	if (!expectedRegion) return;
-	if (!clientRegion) throw new ProvisioningError(`Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region is unknown but stack state expects ${expectedRegion}. The resource may exist in ${expectedRegion} and would be silently removed from state if this NotFound were trusted.`, resourceType, logicalId, physicalId);
-	if (clientRegion !== expectedRegion) throw new ProvisioningError(`Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region ${clientRegion} does not match stack state region ${expectedRegion}. The resource likely still exists in ${expectedRegion}; rerun the destroy with the correct region (e.g. --region ${expectedRegion}).`, resourceType, logicalId, physicalId);
-}
-
 //#endregion
 //#region src/provisioning/unsupported-types.generated.ts
 /**
@@ -8127,6 +6734,12 @@ var CloudControlProvider = class {
 	*/
 	async delete(logicalId, physicalId, resourceType, _properties, context) {
 		this.logger.debug(`Deleting resource ${logicalId} (${resourceType}), physical ID: ${physicalId}`);
+		if (context?.removeProtection === true && resourceType === "AWS::AutoScaling::AutoScalingGroup") {
+			this.logger.debug(`Delegating protected AutoScalingGroup ${logicalId} delete to the SDK ASGProvider (Cloud Control cannot force-delete a protected ASG)`);
+			const { ASGProvider } = await import("./asg-provider-B_hrCxRx.js").then((n) => n.n);
+			await new ASGProvider().delete(logicalId, physicalId, resourceType, _properties, context);
+			return;
+		}
 		const isProtectedEc2Instance = context?.removeProtection === true && resourceType === "AWS::EC2::Instance";
 		if (isProtectedEc2Instance) await disableInstanceApiTermination(getAwsClients().ec2, physicalId, this.logger);
 		const maxAttempts = isProtectedEc2Instance ? 5 : 1;
@@ -11426,91 +10039,6 @@ function isCustomResource(resourceType) {
 	return resourceType.startsWith("Custom::") || resourceType === "AWS::CloudFormation::CustomResource";
 }
 
-//#endregion
-//#region src/provisioning/import-helpers.ts
-/**
-* Read an explicit name field from template properties. Returns `undefined`
-* when the property is missing or not a string — callers fall back to
-* tag-based lookup in that case.
-*/
-function readNameProperty(input, propertyName) {
-	const value = input.properties?.[propertyName];
-	return typeof value === "string" && value.length > 0 ? value : void 0;
-}
-/**
-* Resolve the physical id when the template provides an explicit name OR the
-* caller passed `--resource`/`--resource-mapping`. Returns `undefined` when
-* neither shortcut applies — caller must then fall back to tag-based lookup.
-*
-* Does NOT verify the resource exists: callers should follow up with a
-* service-specific `Head*`/`Get*`/`Describe*` to fail fast if the named
-* resource is missing.
-*/
-function resolveExplicitPhysicalId(input, nameProperty) {
-	if (input.knownPhysicalId) return input.knownPhysicalId;
-	if (nameProperty) {
-		const name = readNameProperty(input, nameProperty);
-		if (name) return name;
-	}
-}
-/**
-* The standard tag CDK puts on every deployed resource — its construct path
-* within the app, e.g. `MyStack/MyConstruct/MyBucket`. Used as the lookup key
-* when no explicit name is in the template.
-*/
-const CDK_PATH_TAG = "aws:cdk:path";
-/**
-* Match an AWS resource's tag set against the CDK path the template carries.
-* Returns true if the resource was deployed by the same CDK construct.
-*/
-function matchesCdkPath(tags, cdkPath) {
-	if (!tags || !cdkPath) return false;
-	for (const t of tags) if (t.Key === "aws:cdk:path" && t.Value === cdkPath) return true;
-	return false;
-}
-/**
-* Re-shape an AWS tag list (any of the common shapes — array of `{Key, Value}`,
-* map keyed by tag name, or v2-style array of `{TagKey, TagValue}`) into the
-* canonical CFn shape (`Array<{Key, Value}>`) that cdkd state holds, with
-* `aws:`-prefixed entries filtered out.
-*
-* AWS reserves the `aws:` tag prefix; CDK injects `aws:cdk:path` (and
-* sometimes `aws:cdk:metadata`) on every resource it deploys. Those tags are
-* NOT in cdkd state's `Tags` (they come from CDK template `Metadata`, not
-* `Properties.Tags`), so leaving them in the AWS-current snapshot would fire
-* false-positive drift on every CDK-deployed resource.
-*
-* Returns an empty array `[]` when AWS reports no user tags. Callers decide
-* whether to surface `Tags: []` (most providers — matches the typical
-* CFn behavior of always emitting Tags in templates) or omit the key
-* entirely (when the corresponding `create()` only sets Tags when the user
-* explicitly passes them — see each provider's docstring).
-*/
-function normalizeAwsTagsToCfn(tags) {
-	if (!tags) return [];
-	const out = [];
-	if (Array.isArray(tags)) for (const t of tags) {
-		const obj = t;
-		const k = (typeof obj["Key"] === "string" ? obj["Key"] : void 0) ?? (typeof obj["TagKey"] === "string" ? obj["TagKey"] : void 0) ?? (typeof obj["key"] === "string" ? obj["key"] : void 0);
-		const v = (typeof obj["Value"] === "string" ? obj["Value"] : void 0) ?? (typeof obj["TagValue"] === "string" ? obj["TagValue"] : void 0) ?? (typeof obj["value"] === "string" ? obj["value"] : void 0);
-		if (typeof k !== "string" || k.length === 0) continue;
-		if (k.startsWith("aws:")) continue;
-		out.push({
-			Key: k,
-			Value: typeof v === "string" ? v : ""
-		});
-	}
-	else for (const [k, v] of Object.entries(tags)) {
-		if (!k || k.startsWith("aws:")) continue;
-		out.push({
-			Key: k,
-			Value: typeof v === "string" ? v : ""
-		});
-	}
-	out.sort((a, b) => a.Key < b.Key ? -1 : a.Key > b.Key ? 1 : 0);
-	return out;
-}
-
 //#endregion
 //#region src/provisioning/providers/iam-role-provider.ts
 /**
@@ -13742,5 +12270,5 @@ var DeployEngine = class {
 };
 
 //#endregion
-export { CFN_TEMPLATE_URL_LIMIT as $, DagBuilder as A, setLogger as At, getDockerCmd as B, CloudControlProvider as C, SynthesisError as Ct, IntrinsicFunctionResolver as D, withErrorHandling as Dt, isTerminationProtectionPropagationError as E, normalizeAwsError as Et, AssetPublisher as F, generateResourceName as Ft, getLegacyStateBucketName as G, runDockerStreaming as H, stringifyValue as I, generateResourceNameWithFallback as It, resolveSkipPrefix as J, resolveApp as K, WorkGraph as L, withSkipPrefix as Lt, LockManager as M, getLiveRenderer as Mt, S3StateBackend as N, PATTERN_B_NAME_PROPERTIES as Nt, applyRoleArnIfSet as O, ConsoleLogger as Ot, shouldRetainResource as P, PATTERN_B_RESOURCE_TYPES as Pt, CFN_TEMPLATE_BODY_LIMIT as Q, buildDockerImage as R, withStackName as Rt, findActionableSilentDrops as S, StateError as St, disableInstanceApiTermination as T, isCdkdError as Tt, Synthesizer as U, runDockerForeground as V, getDefaultStateBucketName as W, resolveStateBucketWithDefaultAndSource as X, resolveStateBucketWithDefault as Y, warnDeprecatedNoPrefixCliFlag as Z, CDK_PATH_TAG as _, ProvisioningError as _t, withRetry as a, resolveBucketRegion as at, resolveExplicitPhysicalId as b, StackHasActiveImportsError as bt, formatResourceLine as c, ConfigError as ct, gray as d, LocalMigrateError as dt, MIGRATE_TMP_PREFIX as et, green as f, LocalStartServiceError as ft, collectInlinePolicyNamesManagedBySiblings as g, PartialFailureError as gt, IAMRoleProvider as h, NestedStackChildDirectDestroyError as ht, withResourceDeadline as i, clearBucketRegionCache as it, TemplateParser as j, runStackBuffered as jt, DiffCalculator as k, getLogger as kt, bold as l, DependencyError as lt, yellow as m, MissingCdkCliError as mt, DEFAULT_RESOURCE_WARN_AFTER_MS as n, uploadCfnTemplate as nt, isRetryableTransientError as o, AssetError as ot, red as p, LockError as pt, resolveCaptureObservedState as q, DeployEngine as r, AssemblyReader as rt, IMPLICIT_DELETE_DEPENDENCIES as s, CdkdError as st, DEFAULT_RESOURCE_TIMEOUT_MS as t, findLargeInlineResources as tt, cyan as u, LocalInvokeBuildError as ut, matchesCdkPath as v, ResourceTimeoutError as vt, assertRegionMatch as w, formatError as wt, ProviderRegistry as x, StackTerminationProtectionError as xt, normalizeAwsTagsToCfn as y, ResourceUpdateNotSupportedError as yt, formatDockerLoginError as z };
-//# sourceMappingURL=deploy-engine-B6CuzOHi.js.map
+export { WorkGraph as A, resolveCaptureObservedState as B, DagBuilder as C, shouldRetainResource as D, S3StateBackend as E, runDockerStreaming as F, CFN_TEMPLATE_BODY_LIMIT as G, resolveStateBucketWithDefault as H, Synthesizer as I, findLargeInlineResources as J, CFN_TEMPLATE_URL_LIMIT as K, getDefaultStateBucketName as L, formatDockerLoginError as M, getDockerCmd as N, AssetPublisher as O, runDockerForeground as P, resolveBucketRegion as Q, getLegacyStateBucketName as R, DiffCalculator as S, LockManager as T, resolveStateBucketWithDefaultAndSource as U, resolveSkipPrefix as V, warnDeprecatedNoPrefixCliFlag as W, AssemblyReader as X, uploadCfnTemplate as Y, clearBucketRegionCache as Z, ProviderRegistry as _, withRetry as a, IntrinsicFunctionResolver as b, formatResourceLine as c, gray as d, green as f, collectInlinePolicyNamesManagedBySiblings as g, IAMRoleProvider as h, withResourceDeadline as i, buildDockerImage as j, stringifyValue as k, bold as l, yellow as m, DEFAULT_RESOURCE_WARN_AFTER_MS as n, isRetryableTransientError as o, red as p, MIGRATE_TMP_PREFIX as q, DeployEngine as r, IMPLICIT_DELETE_DEPENDENCIES as s, DEFAULT_RESOURCE_TIMEOUT_MS as t, cyan as u, findActionableSilentDrops as v, TemplateParser as w, applyRoleArnIfSet as x, CloudControlProvider as y, resolveApp as z };
+//# sourceMappingURL=deploy-engine-Drw_e42s.js.map