@go-to-k/cdkd 0.24.0 → 0.26.0

package/dist/cli.js

@@ -508,6 +508,104 @@ var stateOptions = [
   new Option("--state-prefix <prefix>", "S3 key prefix for state files").default("cdkd")
 ];
 var stackOptions = [new Option("--stack <name>", "Stack name to operate on")];
+function parseDuration(value) {
+  if (typeof value !== "string" || value.length === 0) {
+    throw new Error(
+      `Invalid duration "${value}": expected <number>s, <number>m, or <number>h (e.g. 30s, 5m, 1h)`
+    );
+  }
+  const match = /^(\d+(?:\.\d+)?)([smh])$/.exec(value.trim());
+  if (!match) {
+    throw new Error(
+      `Invalid duration "${value}": expected <number>s, <number>m, or <number>h (e.g. 30s, 5m, 1h)`
+    );
+  }
+  const num = Number(match[1]);
+  if (!Number.isFinite(num) || num <= 0) {
+    throw new Error(`Invalid duration "${value}": must be greater than zero`);
+  }
+  const unit = match[2];
+  const multiplier = unit === "s" ? 1e3 : unit === "m" ? 6e4 : 36e5;
+  return Math.round(num * multiplier);
+}
+var RESOURCE_TYPE_REGEX = /^[A-Z][A-Za-z0-9]+::[A-Z][A-Za-z0-9]+::[A-Z][A-Za-z0-9]+$/;
+function parseResourceTimeoutToken(flagName) {
+  return (raw, previous) => {
+    const acc = previous ?? { perTypeMs: {} };
+    if (!acc.perTypeMs)
+      acc.perTypeMs = {};
+    const eqIndex = raw.indexOf("=");
+    if (eqIndex === -1) {
+      acc.globalMs = parseDuration(raw);
+      return acc;
+    }
+    const typePart = raw.substring(0, eqIndex).trim();
+    const durationPart = raw.substring(eqIndex + 1).trim();
+    if (!RESOURCE_TYPE_REGEX.test(typePart)) {
+      throw new Error(
+        `Invalid ${flagName} value "${raw}": left-hand side must be a CloudFormation resource type like AWS::Service::Resource (got "${typePart}")`
+      );
+    }
+    if (durationPart.length === 0) {
+      throw new Error(
+        `Invalid ${flagName} value "${raw}": missing duration after '=' (e.g. ${typePart}=1h)`
+      );
+    }
+    let ms;
+    try {
+      ms = parseDuration(durationPart);
+    } catch (err) {
+      const inner = err instanceof Error ? err.message : String(err);
+      throw new Error(`Invalid ${flagName} value "${raw}": ${inner}`);
+    }
+    acc.perTypeMs[typePart] = ms;
+    return acc;
+  };
+}
+var resourceTimeoutOptions = [
+  // Default is `undefined` (NOT a pre-seeded ResourceTimeoutOption) — the
+  // command handler resolves missing globalMs to DEFAULT_RESOURCE_*_MS
+  // at the call site. Pre-seeding here would force every accumulator
+  // call to carry a snapshot, and would also surprise unit tests that
+  // expect `opts.resourceTimeout` to be `undefined` when the flag is not
+  // passed.
+  new Option(
+    "--resource-warn-after <duration_or_type=duration>",
+    "Warn when a single resource operation exceeds this wall-clock duration. Repeatable: pass a bare duration (e.g. 5m) to set the global default, or TYPE=DURATION (e.g. AWS::CloudFront::Distribution=10m) for a per-type override."
+  ).default(void 0, "5m").argParser(parseResourceTimeoutToken("--resource-warn-after")),
+  new Option(
+    "--resource-timeout <duration_or_type=duration>",
+    "Abort a single resource operation that exceeds this wall-clock duration. Repeatable: pass a bare duration (e.g. 30m) to set the global default, or TYPE=DURATION (e.g. AWS::CloudFront::Distribution=1h) for a per-type override. Custom-Resource-heavy stacks may need to raise this above the default 30m (the Custom Resource provider's polling cap is 1h)."
+  ).default(void 0, "30m").argParser(parseResourceTimeoutToken("--resource-timeout"))
+];
+function validateResourceTimeouts(opts) {
+  const warn = opts.resourceWarnAfter;
+  const timeout = opts.resourceTimeout;
+  const globalWarn = warn?.globalMs;
+  const globalTimeout = timeout?.globalMs;
+  if (typeof globalWarn === "number" && typeof globalTimeout === "number") {
+    if (globalWarn >= globalTimeout) {
+      throw new Error(
+        `--resource-warn-after (${globalWarn}ms) must be less than --resource-timeout (${globalTimeout}ms)`
+      );
+    }
+  }
+  const warnPerType = warn?.perTypeMs ?? {};
+  const timeoutPerType = timeout?.perTypeMs ?? {};
+  const types = /* @__PURE__ */ new Set([...Object.keys(warnPerType), ...Object.keys(timeoutPerType)]);
+  for (const t of types) {
+    const effectiveWarn = warnPerType[t] ?? globalWarn;
+    const effectiveTimeout = timeoutPerType[t] ?? globalTimeout;
+    if (typeof effectiveWarn !== "number" || typeof effectiveTimeout !== "number") {
+      continue;
+    }
+    if (effectiveWarn >= effectiveTimeout) {
+      throw new Error(
+        `--resource-warn-after for ${t} (${effectiveWarn}ms) must be less than --resource-timeout for ${t} (${effectiveTimeout}ms)`
+      );
+    }
+  }
+}
 var deployOptions = [
   new Option("--concurrency <number>", "Maximum concurrent resource operations").default(10).argParser((value) => parseInt(value, 10)),
   new Option("--stack-concurrency <number>", "Maximum concurrent stack deployments").default(4).argParser((value) => parseInt(value, 10)),
@@ -523,7 +621,8 @@ var deployOptions = [
   new Option(
     "-e, --exclusively",
     "Only deploy requested stacks, do not include dependencies"
-  ).default(false)
+  ).default(false),
+  ...resourceTimeoutOptions
 ];
 var contextOptions = [
   new Option(
@@ -718,6 +817,22 @@ var LiveRenderer = class {
     if (this.active)
       this.draw();
   }
+  /**
+   * Replace the label of a previously-added task in place. No-op if the
+   * task is not currently tracked (e.g. it already finished). Used by the
+   * per-resource deadline wrapper to surface a "[taking longer than
+   * expected, Nm+]" suffix without disturbing the elapsed-time counter
+   * the renderer tracks via `startedAt`.
+   */
+  updateTaskLabel(id, label) {
+    const stackName = getCurrentStackName();
+    const task = this.tasks.get(scopedKey(id, stackName));
+    if (!task)
+      return;
+    task.label = label;
+    if (this.active)
+      this.draw();
+  }
   /**
    * Print content above the live area. Clears the live area, runs the writer,
    * then redraws the live area. When the renderer is inactive, the writer
@@ -1011,6 +1126,38 @@ var ProvisioningError = class _ProvisioningError extends CdkdError {
     Object.setPrototypeOf(this, _ProvisioningError.prototype);
   }
 };
+var ResourceTimeoutError = class _ResourceTimeoutError extends CdkdError {
+  constructor(logicalId, resourceType, region, elapsedMs, operation, timeoutMs) {
+    const elapsedLabel = formatDuration(elapsedMs);
+    const timeoutLabel = formatDuration(timeoutMs);
+    super(
+      `Resource ${logicalId} (${resourceType}) in ${region} timed out after ${timeoutLabel} during ${operation} (elapsed ${elapsedLabel}).
+This may indicate a stuck Cloud Control polling loop, hung Custom Resource, or
+slow ENI provisioning. Re-run with --resource-timeout 1h if the resource genuinely
+needs more time, or --verbose to see the underlying provider activity.`,
+      "RESOURCE_TIMEOUT"
+    );
+    this.logicalId = logicalId;
+    this.resourceType = resourceType;
+    this.region = region;
+    this.elapsedMs = elapsedMs;
+    this.operation = operation;
+    this.timeoutMs = timeoutMs;
+    this.name = "ResourceTimeoutError";
+    Object.setPrototypeOf(this, _ResourceTimeoutError.prototype);
+  }
+};
+function formatDuration(ms) {
+  if (ms < 6e4) {
+    return `${Math.round(ms / 1e3)}s`;
+  }
+  const totalMinutes = Math.round(ms / 6e4);
+  if (totalMinutes < 60)
+    return `${totalMinutes}m`;
+  const hours = Math.floor(totalMinutes / 60);
+  const minutes = totalMinutes % 60;
+  return minutes === 0 ? `${hours}h` : `${hours}h${minutes}m`;
+}
 var DependencyError = class _DependencyError extends CdkdError {
   constructor(message, cause) {
     super(message, "DEPENDENCY_ERROR", cause);
@@ -30781,7 +30928,85 @@ async function withRetry(operation, logicalId, opts = {}) {
   throw lastError;
 }
 
+// src/deployment/resource-deadline.ts
+var InvalidResourceDeadlineError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "InvalidResourceDeadlineError";
+  }
+};
+function validateOptions(opts) {
+  const { warnAfterMs, timeoutMs } = opts;
+  if (!Number.isFinite(warnAfterMs) || !Number.isFinite(timeoutMs) || warnAfterMs <= 0 || timeoutMs <= 0) {
+    throw new InvalidResourceDeadlineError(
+      `withResourceDeadline: warnAfterMs and timeoutMs must be positive finite numbers (got warnAfterMs=${warnAfterMs}, timeoutMs=${timeoutMs})`
+    );
+  }
+  if (warnAfterMs >= timeoutMs) {
+    throw new InvalidResourceDeadlineError(
+      `withResourceDeadline: warnAfterMs (${warnAfterMs}ms) must be less than timeoutMs (${timeoutMs}ms)`
+    );
+  }
+}
+async function withResourceDeadline(operation, opts) {
+  validateOptions(opts);
+  const startedAt = Date.now();
+  return new Promise((resolve4, reject) => {
+    let settled = false;
+    let warnTimer;
+    let timeoutTimer;
+    const cleanup = () => {
+      if (warnTimer !== void 0)
+        clearTimeout(warnTimer);
+      if (timeoutTimer !== void 0)
+        clearTimeout(timeoutTimer);
+      warnTimer = void 0;
+      timeoutTimer = void 0;
+    };
+    if (opts.onWarn) {
+      warnTimer = setTimeout(() => {
+        if (settled)
+          return;
+        try {
+          opts.onWarn(Date.now() - startedAt);
+        } catch {
+        }
+      }, opts.warnAfterMs);
+      if (typeof warnTimer.unref === "function")
+        warnTimer.unref();
+    }
+    timeoutTimer = setTimeout(() => {
+      if (settled)
+        return;
+      settled = true;
+      cleanup();
+      const elapsed = Date.now() - startedAt;
+      reject(opts.onTimeout(elapsed));
+    }, opts.timeoutMs);
+    if (typeof timeoutTimer.unref === "function")
+      timeoutTimer.unref();
+    Promise.resolve().then(() => operation()).then(
+      (value) => {
+        if (settled)
+          return;
+        settled = true;
+        cleanup();
+        resolve4(value);
+      },
+      (err) => {
+        if (settled)
+          return;
+        settled = true;
+        cleanup();
+        reject(err);
+      }
+    );
+  });
+}
+
 // src/deployment/deploy-engine.ts
+var DEFAULT_RESOURCE_WARN_AFTER_MS = 5 * 60 * 1e3;
+var DEFAULT_RESOURCE_TIMEOUT_MS = 30 * 60 * 1e3;
 var InterruptedError = class extends Error {
   constructor() {
     super("Deployment interrupted by user (Ctrl+C)");
@@ -30802,6 +31027,8 @@ var DeployEngine = class {
     this.options.dryRun = options.dryRun ?? false;
     this.options.lockTimeout = options.lockTimeout ?? 5 * 60 * 1e3;
     this.options.noRollback = options.noRollback ?? false;
+    this.options.resourceWarnAfterMs = options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
+    this.options.resourceTimeoutMs = options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
   }
   logger = getLogger().child("DeployEngine");
   resolver;
@@ -31400,259 +31627,305 @@ var DeployEngine = class {
    */
   async provisionResource(logicalId, change, stateResources, stackName, template, parameterValues, conditions, counts, progress) {
     const resourceType = change.resourceType;
-    const provider = this.providerRegistry.getProvider(resourceType);
     const renderer = getLiveRenderer();
     const needsReplacement = change.changeType === "UPDATE" && (change.propertyChanges?.some((pc) => pc.requiresReplacement) ?? false);
     const verb = change.changeType === "CREATE" ? "Creating" : change.changeType === "DELETE" ? "Deleting" : needsReplacement ? "Replacing" : "Updating";
-    renderer.addTask(logicalId, `${verb} ${logicalId} (${resourceType})`);
-    try {
-      switch (change.changeType) {
-        case "CREATE": {
-          const desiredProps = change.desiredProperties || {};
-          const context = {
+    const baseLabel = `${verb} ${logicalId} (${resourceType})`;
+    renderer.addTask(logicalId, baseLabel);
+    const operationKind = change.changeType === "CREATE" ? "CREATE" : change.changeType === "DELETE" ? "DELETE" : "UPDATE";
+    const warnAfterMs = this.options.resourceWarnAfterByType?.[resourceType] ?? this.options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
+    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    try {
+      await withResourceDeadline(
+        async () => {
+          await this.provisionResourceBody(
+            logicalId,
+            change,
+            stateResources,
+            stackName,
             template,
-            resources: stateResources,
-            ...parameterValues && Object.keys(parameterValues).length > 0 && { parameters: parameterValues },
-            ...conditions && Object.keys(conditions).length > 0 && { conditions },
-            stateBackend: this.stateBackend,
-            stackName
-          };
-          const resolvedProps = await this.resolver.resolve(desiredProps, context);
-          const { provider: createProvider, properties: createProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
-          const result = await this.withRetry(
-            () => createProvider.create(logicalId, resourceType, createProps),
+            parameterValues,
+            conditions,
+            counts,
+            progress
+          );
+        },
+        {
+          warnAfterMs,
+          timeoutMs,
+          onWarn: (elapsedMs) => {
+            const minutes = Math.max(1, Math.round(elapsedMs / 6e4));
+            const warnSuffix = ` [taking longer than expected, ${minutes}m+]`;
+            renderer.updateTaskLabel(logicalId, `${baseLabel}${warnSuffix}`);
+            renderer.printAbove(() => {
+              this.logger.warn(
+                `${logicalId} (${resourceType}) has been ${operationKind === "CREATE" ? "creating" : operationKind === "DELETE" ? "deleting" : "updating"} for ${minutes}m \u2014 still waiting`
+              );
+            });
+          },
+          onTimeout: (elapsedMs) => new ResourceTimeoutError(
+            logicalId,
+            resourceType,
+            this.stackRegion,
+            elapsedMs,
+            operationKind,
+            timeoutMs
+          )
+        }
+      );
+    } catch (error) {
+      renderer.removeTask(logicalId);
+      const message = error instanceof Error ? error.message : String(error);
+      this.logger.error(`Failed to ${change.changeType.toLowerCase()} ${logicalId}: ${message}`);
+      throw new ProvisioningError(
+        `Failed to ${change.changeType.toLowerCase()} resource ${logicalId}`,
+        resourceType,
+        logicalId,
+        stateResources[logicalId]?.physicalId,
+        error instanceof Error ? error : void 0
+      );
+    } finally {
+      renderer.removeTask(logicalId);
+    }
+  }
+  /**
+   * Inner body of provisionResource, extracted so the outer wrapper can
+   * apply the per-resource deadline (`withResourceDeadline`) without
+   * having the timeout / warn timer code dwarf the real provisioning
+   * logic. Behaviour is unchanged from the pre-deadline implementation.
+   */
+  async provisionResourceBody(logicalId, change, stateResources, stackName, template, parameterValues, conditions, counts, progress) {
+    const resourceType = change.resourceType;
+    const provider = this.providerRegistry.getProvider(resourceType);
+    const renderer = getLiveRenderer();
+    switch (change.changeType) {
+      case "CREATE": {
+        const desiredProps = change.desiredProperties || {};
+        const context = {
+          template,
+          resources: stateResources,
+          ...parameterValues && Object.keys(parameterValues).length > 0 && { parameters: parameterValues },
+          ...conditions && Object.keys(conditions).length > 0 && { conditions },
+          stateBackend: this.stateBackend,
+          stackName
+        };
+        const resolvedProps = await this.resolver.resolve(desiredProps, context);
+        const { provider: createProvider, properties: createProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
+        const result = await this.withRetry(
+          () => createProvider.create(logicalId, resourceType, createProps),
+          logicalId
+        );
+        const dependencies = this.extractAllDependencies(template, logicalId);
+        stateResources[logicalId] = {
+          physicalId: result.physicalId,
+          resourceType,
+          properties: resolvedProps,
+          ...result.attributes && { attributes: result.attributes },
+          ...dependencies && dependencies.length > 0 && { dependencies }
+        };
+        if (counts)
+          counts.created++;
+        if (progress)
+          progress.current++;
+        const createPrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
+        renderer.removeTask(logicalId);
+        this.logger.info(`${createPrefix}\u2705 ${logicalId} (${resourceType}) created`);
+        break;
+      }
+      case "UPDATE": {
+        const currentResource = stateResources[logicalId];
+        if (!currentResource) {
+          throw new Error(`Cannot update ${logicalId}: resource not found in state`);
+        }
+        const desiredProps = change.desiredProperties || {};
+        const currentProps = change.currentProperties || {};
+        const context = {
+          template,
+          resources: stateResources,
+          ...parameterValues && Object.keys(parameterValues).length > 0 && { parameters: parameterValues },
+          ...conditions && Object.keys(conditions).length > 0 && { conditions },
+          stateBackend: this.stateBackend,
+          stackName
+        };
+        const resolvedProps = await this.resolver.resolve(desiredProps, context);
+        if (JSON.stringify(resolvedProps) === JSON.stringify(currentProps)) {
+          this.logger.debug(
+            `Skipping ${logicalId}: no actual changes after intrinsic function resolution`
+          );
+          if (counts)
+            counts.skipped++;
+          break;
+        }
+        const needsReplacement = change.propertyChanges?.some((pc) => pc.requiresReplacement);
+        const dependencies = this.extractAllDependencies(template, logicalId);
+        if (needsReplacement) {
+          const replacedProps = change.propertyChanges?.filter((pc) => pc.requiresReplacement).map((pc) => pc.path).join(", ");
+          this.logger.info(
+            `Replacing ${logicalId} (${resourceType}) - immutable properties changed: ${replacedProps}`
+          );
+          this.logger.info(`  Creating new ${logicalId}...`);
+          const { provider: replaceProvider, properties: replaceProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
+          const createResult = await this.withRetry(
+            () => replaceProvider.create(logicalId, resourceType, replaceProps),
             logicalId
           );
-          const dependencies = this.extractAllDependencies(template, logicalId);
+          const updateReplacePolicy = template?.Resources?.[logicalId]?.UpdateReplacePolicy;
+          if (updateReplacePolicy === "Retain") {
+            this.logger.info(
+              `  Retaining old ${logicalId} (${currentResource.physicalId}) - UpdateReplacePolicy: Retain`
+            );
+          } else {
+            this.logger.info(`  Deleting old ${logicalId} (${currentResource.physicalId})...`);
+            try {
+              await provider.delete(
+                logicalId,
+                currentResource.physicalId,
+                resourceType,
+                currentResource.properties,
+                { expectedRegion: this.stackRegion }
+              );
+              this.logger.info(`  \u2713 Old resource deleted`);
+            } catch (deleteError) {
+              this.logger.warn(
+                `  \u26A0 Failed to delete old resource ${logicalId} (${currentResource.physicalId}): ${deleteError instanceof Error ? deleteError.message : String(deleteError)}`
+              );
+            }
+          }
           stateResources[logicalId] = {
-            physicalId: result.physicalId,
+            physicalId: createResult.physicalId,
             resourceType,
             properties: resolvedProps,
-            ...result.attributes && { attributes: result.attributes },
+            ...createResult.attributes && { attributes: createResult.attributes },
             ...dependencies && dependencies.length > 0 && { dependencies }
           };
           if (counts)
-            counts.created++;
+            counts.updated++;
           if (progress)
             progress.current++;
-          const createPrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
+          const replacePrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
           renderer.removeTask(logicalId);
-          this.logger.info(`${createPrefix}\u2705 ${logicalId} (${resourceType}) created`);
-          break;
-        }
-        case "UPDATE": {
-          const currentResource = stateResources[logicalId];
-          if (!currentResource) {
-            throw new Error(`Cannot update ${logicalId}: resource not found in state`);
-          }
-          const desiredProps = change.desiredProperties || {};
-          const currentProps = change.currentProperties || {};
-          const context = {
-            template,
-            resources: stateResources,
-            ...parameterValues && Object.keys(parameterValues).length > 0 && { parameters: parameterValues },
-            ...conditions && Object.keys(conditions).length > 0 && { conditions },
-            stateBackend: this.stateBackend,
-            stackName
-          };
-          const resolvedProps = await this.resolver.resolve(desiredProps, context);
-          if (JSON.stringify(resolvedProps) === JSON.stringify(currentProps)) {
-            this.logger.debug(
-              `Skipping ${logicalId}: no actual changes after intrinsic function resolution`
-            );
-            if (counts)
-              counts.skipped++;
-            break;
-          }
-          const needsReplacement2 = change.propertyChanges?.some((pc) => pc.requiresReplacement);
-          const dependencies = this.extractAllDependencies(template, logicalId);
-          if (needsReplacement2) {
-            const replacedProps = change.propertyChanges?.filter((pc) => pc.requiresReplacement).map((pc) => pc.path).join(", ");
-            this.logger.info(
-              `Replacing ${logicalId} (${resourceType}) - immutable properties changed: ${replacedProps}`
-            );
-            this.logger.info(`  Creating new ${logicalId}...`);
-            const { provider: replaceProvider, properties: replaceProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
-            const createResult = await this.withRetry(
-              () => replaceProvider.create(logicalId, resourceType, replaceProps),
+          this.logger.info(`${replacePrefix}\u2705 ${logicalId} (${resourceType}) replaced`);
+        } else {
+          this.logger.debug(`Updating ${logicalId} (${resourceType})`);
+          const { provider: updateProvider, properties: updateProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
+          let result;
+          try {
+            result = await this.withRetry(
+              () => updateProvider.update(
+                logicalId,
+                currentResource.physicalId,
+                resourceType,
+                updateProps,
+                currentProps
+              ),
               logicalId
             );
-            const updateReplacePolicy = template?.Resources?.[logicalId]?.UpdateReplacePolicy;
-            if (updateReplacePolicy === "Retain") {
+          } catch (updateError) {
+            const msg = updateError instanceof Error ? updateError.message : String(updateError);
+            if (msg.includes("UnsupportedActionException") || msg.includes("does not support UPDATE")) {
               this.logger.info(
-                `  Retaining old ${logicalId} (${currentResource.physicalId}) - UpdateReplacePolicy: Retain`
+                `UPDATE not supported for ${logicalId} (${resourceType}), replacing (DELETE \u2192 CREATE)`
               );
-            } else {
-              this.logger.info(`  Deleting old ${logicalId} (${currentResource.physicalId})...`);
               try {
                 await provider.delete(
                   logicalId,
                   currentResource.physicalId,
                   resourceType,
-                  currentResource.properties,
+                  currentProps,
                   { expectedRegion: this.stackRegion }
                 );
-                this.logger.info(`  \u2713 Old resource deleted`);
               } catch (deleteError) {
-                this.logger.warn(
-                  `  \u26A0 Failed to delete old resource ${logicalId} (${currentResource.physicalId}): ${deleteError instanceof Error ? deleteError.message : String(deleteError)}`
-                );
-              }
-            }
-            stateResources[logicalId] = {
-              physicalId: createResult.physicalId,
-              resourceType,
-              properties: resolvedProps,
-              ...createResult.attributes && { attributes: createResult.attributes },
-              ...dependencies && dependencies.length > 0 && { dependencies }
-            };
-            if (counts)
-              counts.updated++;
-            if (progress)
-              progress.current++;
-            const replacePrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
-            renderer.removeTask(logicalId);
-            this.logger.info(`${replacePrefix}\u2705 ${logicalId} (${resourceType}) replaced`);
-          } else {
-            this.logger.debug(`Updating ${logicalId} (${resourceType})`);
-            const { provider: updateProvider, properties: updateProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
-            let result;
-            try {
-              result = await this.withRetry(
-                () => updateProvider.update(
-                  logicalId,
-                  currentResource.physicalId,
-                  resourceType,
-                  updateProps,
-                  currentProps
-                ),
-                logicalId
-              );
-            } catch (updateError) {
-              const msg = updateError instanceof Error ? updateError.message : String(updateError);
-              if (msg.includes("UnsupportedActionException") || msg.includes("does not support UPDATE")) {
-                this.logger.info(
-                  `UPDATE not supported for ${logicalId} (${resourceType}), replacing (DELETE \u2192 CREATE)`
-                );
-                try {
-                  await provider.delete(
-                    logicalId,
-                    currentResource.physicalId,
-                    resourceType,
-                    currentProps,
-                    { expectedRegion: this.stackRegion }
+                const deleteMsg = deleteError instanceof Error ? deleteError.message : String(deleteError);
+                if (deleteMsg.includes("does not exist") || deleteMsg.includes("not found") || deleteMsg.includes("NotFound")) {
+                  this.logger.debug(
+                    `Old resource ${logicalId} already gone, proceeding with CREATE`
                   );
-                } catch (deleteError) {
-                  const deleteMsg = deleteError instanceof Error ? deleteError.message : String(deleteError);
-                  if (deleteMsg.includes("does not exist") || deleteMsg.includes("not found") || deleteMsg.includes("NotFound")) {
-                    this.logger.debug(
-                      `Old resource ${logicalId} already gone, proceeding with CREATE`
-                    );
-                  } else {
-                    throw deleteError;
-                  }
+                } else {
+                  throw deleteError;
                 }
-                const { provider: replProvider, properties: replProps } = this.selectProviderWithSafetyNet(
-                  provider,
-                  resourceType,
-                  resolvedProps,
-                  logicalId
-                );
-                const createResult = await this.withRetry(
-                  () => replProvider.create(logicalId, resourceType, replProps),
-                  logicalId
-                );
-                result = {
-                  physicalId: createResult.physicalId,
-                  attributes: createResult.attributes,
-                  wasReplaced: true
-                };
-              } else {
-                throw updateError;
               }
-            }
-            if (result.wasReplaced) {
-              this.logger.info(
-                `Resource ${logicalId} was replaced: ${currentResource.physicalId} -> ${result.physicalId}`
+              const { provider: replProvider, properties: replProps } = this.selectProviderWithSafetyNet(provider, resourceType, resolvedProps, logicalId);
+              const createResult = await this.withRetry(
+                () => replProvider.create(logicalId, resourceType, replProps),
+                logicalId
               );
+              result = {
+                physicalId: createResult.physicalId,
+                attributes: createResult.attributes,
+                wasReplaced: true
+              };
+            } else {
+              throw updateError;
             }
-            stateResources[logicalId] = {
-              physicalId: result.physicalId,
-              resourceType,
-              properties: resolvedProps,
-              ...result.attributes && { attributes: result.attributes },
-              ...dependencies && dependencies.length > 0 && { dependencies }
-            };
-            if (counts)
-              counts.updated++;
-            if (progress)
-              progress.current++;
-            const updatePrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
-            renderer.removeTask(logicalId);
-            this.logger.info(`${updatePrefix}\u2705 ${logicalId} (${resourceType}) updated`);
-          }
-          break;
-        }
-        case "DELETE": {
-          const currentResource = stateResources[logicalId];
-          if (!currentResource) {
-            throw new Error(`Cannot delete ${logicalId}: resource not found in state`);
-          }
-          const deletionPolicy = template?.Resources?.[logicalId]?.DeletionPolicy;
-          if (deletionPolicy === "Retain") {
-            this.logger.info(`Retaining ${logicalId} (${resourceType}) - DeletionPolicy: Retain`);
-            delete stateResources[logicalId];
-            break;
           }
-          this.logger.debug(`Deleting ${logicalId} (${resourceType})`);
-          try {
-            await this.withRetry(
-              () => provider.delete(
-                logicalId,
-                currentResource.physicalId,
-                resourceType,
-                currentResource.properties,
-                { expectedRegion: this.stackRegion }
-              ),
-              logicalId,
-              3,
-              // fewer retries for DELETE
-              5e3
+          if (result.wasReplaced) {
+            this.logger.info(
+              `Resource ${logicalId} was replaced: ${currentResource.physicalId} -> ${result.physicalId}`
             );
-          } catch (deleteError) {
-            const msg = deleteError instanceof Error ? deleteError.message : String(deleteError);
-            if (msg.includes("does not exist") || msg.includes("was not found") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException") || msg.includes("ResourceNotFoundException")) {
-              this.logger.debug(
-                `Resource ${logicalId} already deleted (${msg}), removing from state`
-              );
-            } else {
-              throw deleteError;
-            }
           }
-          delete stateResources[logicalId];
+          stateResources[logicalId] = {
+            physicalId: result.physicalId,
+            resourceType,
+            properties: resolvedProps,
+            ...result.attributes && { attributes: result.attributes },
+            ...dependencies && dependencies.length > 0 && { dependencies }
+          };
           if (counts)
-            counts.deleted++;
+            counts.updated++;
           if (progress)
             progress.current++;
-          const deletePrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
+          const updatePrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
           renderer.removeTask(logicalId);
-          this.logger.info(`${deletePrefix}\u2705 ${logicalId} (${resourceType}) deleted`);
+          this.logger.info(`${updatePrefix}\u2705 ${logicalId} (${resourceType}) updated`);
+        }
+        break;
+      }
+      case "DELETE": {
+        const currentResource = stateResources[logicalId];
+        if (!currentResource) {
+          throw new Error(`Cannot delete ${logicalId}: resource not found in state`);
+        }
+        const deletionPolicy = template?.Resources?.[logicalId]?.DeletionPolicy;
+        if (deletionPolicy === "Retain") {
+          this.logger.info(`Retaining ${logicalId} (${resourceType}) - DeletionPolicy: Retain`);
+          delete stateResources[logicalId];
           break;
         }
+        this.logger.debug(`Deleting ${logicalId} (${resourceType})`);
+        try {
+          await this.withRetry(
+            () => provider.delete(
+              logicalId,
+              currentResource.physicalId,
+              resourceType,
+              currentResource.properties,
+              { expectedRegion: this.stackRegion }
+            ),
+            logicalId,
+            3,
+            // fewer retries for DELETE
+            5e3
+          );
+        } catch (deleteError) {
+          const msg = deleteError instanceof Error ? deleteError.message : String(deleteError);
+          if (msg.includes("does not exist") || msg.includes("was not found") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException") || msg.includes("ResourceNotFoundException")) {
+            this.logger.debug(
+              `Resource ${logicalId} already deleted (${msg}), removing from state`
+            );
+          } else {
+            throw deleteError;
+          }
+        }
+        delete stateResources[logicalId];
+        if (counts)
+          counts.deleted++;
+        if (progress)
+          progress.current++;
+        const deletePrefix = progress ? `[${progress.current}/${progress.total}] ` : "  ";
+        renderer.removeTask(logicalId);
+        this.logger.info(`${deletePrefix}\u2705 ${logicalId} (${resourceType}) deleted`);
+        break;
       }
-    } catch (error) {
-      renderer.removeTask(logicalId);
-      const message = error instanceof Error ? error.message : String(error);
-      this.logger.error(`Failed to ${change.changeType.toLowerCase()} ${logicalId}: ${message}`);
-      throw new ProvisioningError(
-        `Failed to ${change.changeType.toLowerCase()} resource ${logicalId}`,
-        resourceType,
-        logicalId,
-        stateResources[logicalId]?.physicalId,
-        error instanceof Error ? error : void 0
-      );
-    } finally {
-      renderer.removeTask(logicalId);
     }
   }
   /**
@@ -31864,6 +32137,10 @@ async function deployCommand(stacks, options) {
     process.env["CDKD_NO_LIVE"] = "1";
   }
   warnIfDeprecatedRegion(options);
+  validateResourceTimeouts({
+    ...options.resourceWarnAfter && { resourceWarnAfter: options.resourceWarnAfter },
+    ...options.resourceTimeout && { resourceTimeout: options.resourceTimeout }
+  });
   if (!options.wait) {
     process.env["CDKD_NO_WAIT"] = "true";
   }
@@ -32056,7 +32333,19 @@ Deploying stack: ${stackInfo.stackName}${stackRegion !== baseRegion ? ` (region:
         {
           concurrency: options.concurrency,
           dryRun: options.dryRun,
-          noRollback: !options.rollback
+          noRollback: !options.rollback,
+          ...options.resourceWarnAfter?.globalMs !== void 0 && {
+            resourceWarnAfterMs: options.resourceWarnAfter.globalMs
+          },
+          ...options.resourceTimeout?.globalMs !== void 0 && {
+            resourceTimeoutMs: options.resourceTimeout.globalMs
+          },
+          ...options.resourceWarnAfter?.perTypeMs && {
+            resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs
+          },
+          ...options.resourceTimeout?.perTypeMs && {
+            resourceTimeoutByType: options.resourceTimeout.perTypeMs
+          }
         },
         stackRegion
       );
@@ -32466,41 +32755,73 @@ Acquiring lock for stack ${stackName}...`);
       logger.debug(
         `Deletion level ${executionLevels.length - levelIndex}/${executionLevels.length} (${level.length} resources)`
       );
+      const stackRegion2 = state.region ?? ctx.baseRegion;
       const deletePromises = level.map(async (logicalId) => {
         const resource = state.resources[logicalId];
         if (!resource) {
           logger.warn(`Resource ${logicalId} not found in state, skipping`);
           return;
         }
-        renderer.addTask(logicalId, `Deleting ${logicalId} (${resource.resourceType})`);
+        const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
+        const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? ctx.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+        const baseLabel = `Deleting ${logicalId} (${resource.resourceType})`;
+        renderer.addTask(logicalId, baseLabel);
         try {
           const provider = destroyProviderRegistry.getProvider(resource.resourceType);
-          let lastDeleteError;
-          for (let attempt = 0; attempt <= 3; attempt++) {
-            try {
-              await provider.delete(
+          await withResourceDeadline(
+            async () => {
+              let lastDeleteError;
+              for (let attempt = 0; attempt <= 3; attempt++) {
+                try {
+                  await provider.delete(
+                    logicalId,
+                    resource.physicalId,
+                    resource.resourceType,
+                    resource.properties
+                  );
+                  lastDeleteError = null;
+                  break;
+                } catch (retryError) {
+                  lastDeleteError = retryError;
+                  const msg = retryError instanceof Error ? retryError.message : String(retryError);
+                  const isRetryable = msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation");
+                  if (!isRetryable || attempt >= 3)
+                    break;
+                  const delay = 5e3 * Math.pow(2, attempt);
+                  logger.debug(
+                    `  \u23F3 Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/3)`
+                  );
+                  await new Promise((resolve4) => setTimeout(resolve4, delay));
+                }
+              }
+              if (lastDeleteError)
+                throw lastDeleteError;
+            },
+            {
+              warnAfterMs,
+              timeoutMs,
+              onWarn: (elapsedMs) => {
+                const minutes = Math.max(1, Math.round(elapsedMs / 6e4));
+                renderer.updateTaskLabel(
+                  logicalId,
+                  `${baseLabel} [taking longer than expected, ${minutes}m+]`
+                );
+                renderer.printAbove(() => {
+                  logger.warn(
+                    `${logicalId} (${resource.resourceType}) has been deleting for ${minutes}m \u2014 still waiting`
+                  );
+                });
+              },
+              onTimeout: (elapsedMs) => new ResourceTimeoutError(
                 logicalId,
-                resource.physicalId,
                 resource.resourceType,
-                resource.properties
-              );
-              lastDeleteError = null;
-              break;
-            } catch (retryError) {
-              lastDeleteError = retryError;
-              const msg = retryError instanceof Error ? retryError.message : String(retryError);
-              const isRetryable = msg.includes("Too Many Requests") || msg.includes("has dependencies") || msg.includes("can't be deleted since") || msg.includes("DependencyViolation");
-              if (!isRetryable || attempt >= 3)
-                break;
-              const delay = 5e3 * Math.pow(2, attempt);
-              logger.debug(
-                `  \u23F3 Retrying delete ${logicalId} in ${delay / 1e3}s (attempt ${attempt + 1}/3)`
-              );
-              await new Promise((resolve4) => setTimeout(resolve4, delay));
+                stackRegion2,
+                elapsedMs,
+                "DELETE",
+                timeoutMs
+              )
             }
-          }
-          if (lastDeleteError)
-            throw lastDeleteError;
+          );
           renderer.removeTask(logicalId);
           logger.info(`  \u2705 ${logicalId} (${resource.resourceType}) deleted`);
           result.deletedCount++;
@@ -32510,6 +32831,16 @@ Acquiring lock for stack ${stackName}...`);
           if (msg.includes("does not exist") || msg.includes("not found") || msg.includes("No policy found") || msg.includes("NoSuchEntity") || msg.includes("NotFoundException")) {
             logger.debug(`  ${logicalId} already deleted, removing from state`);
             result.deletedCount++;
+          } else if (error instanceof ResourceTimeoutError) {
+            const wrapped = new ProvisioningError(
+              error.message,
+              resource.resourceType,
+              logicalId,
+              resource.physicalId,
+              error
+            );
+            logger.error(`  \u2717 Failed to delete ${logicalId}:`, wrapped.message);
+            result.errorCount++;
           } else {
             logger.error(`  \u2717 Failed to delete ${logicalId}:`, String(error));
             result.errorCount++;
@@ -32552,6 +32883,10 @@ async function destroyCommand(stackArgs, options) {
     process.env["CDKD_NO_LIVE"] = "1";
   }
   warnIfDeprecatedRegion(options);
+  validateResourceTimeouts({
+    ...options.resourceWarnAfter && { resourceWarnAfter: options.resourceWarnAfter },
+    ...options.resourceTimeout && { resourceTimeout: options.resourceTimeout }
+  });
   const region = options.region || process.env["AWS_REGION"] || "us-east-1";
   const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
   logger.info("Starting stack destruction...");
@@ -32683,7 +33018,19 @@ Preparing to destroy stack: ${stackName}`);
         baseRegion: region,
         ...options.profile && { profile: options.profile },
         stateBucket,
-        skipConfirmation: options.yes || options.force
+        skipConfirmation: options.yes || options.force,
+        ...options.resourceWarnAfter?.globalMs !== void 0 && {
+          resourceWarnAfterMs: options.resourceWarnAfter.globalMs
+        },
+        ...options.resourceTimeout?.globalMs !== void 0 && {
+          resourceTimeoutMs: options.resourceTimeout.globalMs
+        },
+        ...options.resourceWarnAfter?.perTypeMs && {
+          resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs
+        },
+        ...options.resourceTimeout?.perTypeMs && {
+          resourceTimeoutByType: options.resourceTimeout.perTypeMs
+        }
       });
     }
   } finally {
@@ -32701,6 +33048,7 @@ function createDestroyCommand() {
     ...stateOptions,
     ...stackOptions,
     ...destroyOptions,
+    ...resourceTimeoutOptions,
     ...contextOptions
   ].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
@@ -32711,15 +33059,432 @@ function createDestroyCommand() {
 import * as readline2 from "node:readline/promises";
 import { Command as Command7 } from "commander";
 init_aws_clients();
-async function orphanCommand(stackArgs, options) {
+
+// src/cli/cdk-path.ts
+function readCdkPath(resource) {
+  const meta = resource.Metadata;
+  if (!meta)
+    return "";
+  const v = meta["aws:cdk:path"];
+  return typeof v === "string" ? v : "";
+}
+function buildCdkPathIndex(template) {
+  const index = /* @__PURE__ */ new Map();
+  for (const [logicalId, resource] of Object.entries(template.Resources)) {
+    const path = readCdkPath(resource);
+    if (path)
+      index.set(path, logicalId);
+  }
+  return index;
+}
+
+// src/analyzer/orphan-rewriter.ts
+var AttributeFetcher = class {
+  constructor(orphans, providerRegistry, options) {
+    this.orphans = orphans;
+    this.providerRegistry = providerRegistry;
+    this.options = options;
+  }
+  cache = /* @__PURE__ */ new Map();
+  logger = getLogger().child("OrphanRewriter");
+  /**
+   * Return the orphan's resolved value for `Ref` (its physicalId) — never
+   * needs an AWS call.
+   */
+  ref(orphanLogicalId) {
+    const o = this.orphans[orphanLogicalId];
+    if (!o) {
+      throw new Error(
+        `Internal: Ref to '${orphanLogicalId}' has no orphan entry \u2014 should have been filtered out`
+      );
+    }
+    return o.physicalId;
+  }
+  /**
+   * Return the orphan's resolved value for `Fn::GetAtt`. Hits the live
+   * provider on first call; subsequent calls reuse the cached result.
+   *
+   * Returns `{ ok: true, value }` on success; `{ ok: false, reason }`
+   * when the live fetch failed AND the `--force` cache fallback either
+   * was disabled or also lacked the attribute. In the cache-fallback
+   * success path returns `{ ok: true, value, fromCache: true }`.
+   */
+  async getAtt(orphanLogicalId, attribute) {
+    const cacheKey = `${orphanLogicalId}\0${attribute}`;
+    if (this.cache.has(cacheKey)) {
+      return { ok: true, value: this.cache.get(cacheKey) };
+    }
+    const orphan = this.orphans[orphanLogicalId];
+    if (!orphan) {
+      return {
+        ok: false,
+        reason: `Internal: GetAtt to '${orphanLogicalId}' has no orphan entry`
+      };
+    }
+    let provider;
+    try {
+      provider = this.providerRegistry.getProvider(orphan.resourceType);
+    } catch (err) {
+      return {
+        ok: false,
+        reason: `no provider available for ${orphan.resourceType}: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+    if (!provider.getAttribute) {
+      return this.cacheFallback(
+        orphanLogicalId,
+        attribute,
+        `provider for ${orphan.resourceType} does not implement getAttribute`
+      );
+    }
+    try {
+      const value = await provider.getAttribute(orphan.physicalId, orphan.resourceType, attribute);
+      if (value === void 0) {
+        return this.cacheFallback(
+          orphanLogicalId,
+          attribute,
+          `provider returned undefined for ${orphan.resourceType}.${attribute}`
+        );
+      }
+      this.cache.set(cacheKey, value);
+      return { ok: true, value };
+    } catch (err) {
+      return this.cacheFallback(
+        orphanLogicalId,
+        attribute,
+        err instanceof Error ? err.message : String(err)
+      );
+    }
+  }
+  /**
+   * Try the orphan's `state.attributes[attribute]` as a last-resort value
+   * source under `--force`. Without `--force`, returns the original
+   * failure reason unchanged (caller pushes to `unresolvable`).
+   */
+  cacheFallback(orphanLogicalId, attribute, reason) {
+    if (!this.options.force) {
+      return { ok: false, reason };
+    }
+    const orphan = this.orphans[orphanLogicalId];
+    const cached = orphan.attributes?.[attribute];
+    if (cached === void 0) {
+      this.logger.warn(
+        `--force: state.attributes also lacks '${orphanLogicalId}.${attribute}'; leaving the original intrinsic in place.`
+      );
+      return {
+        ok: false,
+        reason: `${reason}; state.attributes cache also has no value for '${attribute}'`
+      };
+    }
+    this.logger.warn(
+      `--force: live fetch failed for '${orphanLogicalId}.${attribute}' (${reason}); falling back to cached value from state.attributes.`
+    );
+    const cacheKey = `${orphanLogicalId}\0${attribute}`;
+    this.cache.set(cacheKey, cached);
+    return { ok: true, value: cached, fromCache: true };
+  }
+};
+async function rewriteResourceReferences(state, orphanLogicalIds, providerRegistry, options = {}) {
+  const orphanSet = new Set(orphanLogicalIds);
+  const orphans = {};
+  for (const id of orphanLogicalIds) {
+    const r = state.resources[id];
+    if (!r) {
+      throw new Error(`rewriteResourceReferences: orphan '${id}' not found in state.resources`);
+    }
+    orphans[id] = r;
+  }
+  const fetcher = new AttributeFetcher(orphans, providerRegistry, options);
+  const rewrites = [];
+  const unresolvable = [];
+  const newResources = {};
+  for (const [logicalId, resource] of Object.entries(state.resources)) {
+    if (orphanSet.has(logicalId))
+      continue;
+    const rewrittenProperties = await rewriteValue(
+      resource.properties,
+      `properties`,
+      logicalId,
+      orphanSet,
+      fetcher,
+      rewrites,
+      unresolvable
+    );
+    const rewrittenAttributes = resource.attributes ? await rewriteValue(
+      resource.attributes,
+      `attributes`,
+      logicalId,
+      orphanSet,
+      fetcher,
+      rewrites,
+      unresolvable
+    ) : void 0;
+    const newDeps = (resource.dependencies ?? []).filter((dep) => {
+      if (orphanSet.has(dep)) {
+        rewrites.push({
+          logicalId,
+          path: "dependencies",
+          kind: "dependency",
+          before: dep,
+          after: null,
+          orphanLogicalId: dep
+        });
+        return false;
+      }
+      return true;
+    });
+    newResources[logicalId] = {
+      ...resource,
+      properties: rewrittenProperties,
+      ...rewrittenAttributes !== void 0 && {
+        attributes: rewrittenAttributes
+      },
+      dependencies: newDeps
+    };
+  }
+  const newOutputs = {};
+  for (const [name, value] of Object.entries(state.outputs ?? {})) {
+    newOutputs[name] = await rewriteValue(
+      value,
+      `outputs.${name}`,
+      `<output:${name}>`,
+      orphanSet,
+      fetcher,
+      rewrites,
+      unresolvable
+    );
+  }
+  return {
+    state: {
+      ...state,
+      resources: newResources,
+      outputs: newOutputs,
+      lastModified: Date.now()
+    },
+    rewrites,
+    unresolvable
+  };
+}
+async function rewriteValue(value, pathPrefix, ownerLogicalId, orphanSet, fetcher, rewrites, unresolvable) {
+  if (typeof value !== "object" || value === null)
+    return value;
+  if (Array.isArray(value)) {
+    const out2 = [];
+    for (let i = 0; i < value.length; i++) {
+      out2.push(
+        await rewriteValue(
+          value[i],
+          `${pathPrefix}[${i}]`,
+          ownerLogicalId,
+          orphanSet,
+          fetcher,
+          rewrites,
+          unresolvable
+        )
+      );
+    }
+    return out2;
+  }
+  const obj = value;
+  if ("Ref" in obj && Object.keys(obj).length === 1 && typeof obj["Ref"] === "string") {
+    const target = obj["Ref"];
+    if (orphanSet.has(target)) {
+      const replaced = fetcher.ref(target);
+      rewrites.push({
+        logicalId: ownerLogicalId,
+        path: pathPrefix,
+        kind: "ref",
+        before: { Ref: target },
+        after: replaced,
+        orphanLogicalId: target
+      });
+      return replaced;
+    }
+    return value;
+  }
+  if ("Fn::GetAtt" in obj && Object.keys(obj).length === 1) {
+    const arg = obj["Fn::GetAtt"];
+    let target;
+    let attribute;
+    if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && typeof arg[1] === "string") {
+      target = arg[0];
+      attribute = arg[1];
+    } else if (typeof arg === "string") {
+      const dot = arg.indexOf(".");
+      if (dot > 0) {
+        target = arg.slice(0, dot);
+        attribute = arg.slice(dot + 1);
+      }
+    }
+    if (target && attribute && orphanSet.has(target)) {
+      const result = await fetcher.getAtt(target, attribute);
+      if (result.ok) {
+        rewrites.push({
+          logicalId: ownerLogicalId,
+          path: pathPrefix,
+          kind: "getAtt",
+          before: { "Fn::GetAtt": [target, attribute] },
+          after: result.value,
+          orphanLogicalId: target
+        });
+        return result.value;
+      }
+      unresolvable.push({
+        logicalId: ownerLogicalId,
+        path: pathPrefix,
+        orphanLogicalId: target,
+        attribute,
+        reason: result.reason
+      });
+      return value;
+    }
+    return value;
+  }
+  if ("Fn::Sub" in obj && Object.keys(obj).length === 1) {
+    const arg = obj["Fn::Sub"];
+    let template;
+    let varMap;
+    if (typeof arg === "string") {
+      template = arg;
+    } else if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && typeof arg[1] === "object" && arg[1] !== null) {
+      template = arg[0];
+      varMap = arg[1];
+    }
+    if (template !== void 0) {
+      const { rewritten, didChange, hasUnresolvable } = await rewriteSubTemplate(
+        template,
+        ownerLogicalId,
+        pathPrefix,
+        orphanSet,
+        fetcher,
+        rewrites,
+        unresolvable,
+        varMap
+      );
+      if (didChange) {
+        const stillHasIntrinsics = /\$\{[^}]+\}/.test(rewritten);
+        if (varMap && stillHasIntrinsics) {
+          return { "Fn::Sub": [rewritten, varMap] };
+        }
+        if (stillHasIntrinsics) {
+          return { "Fn::Sub": rewritten };
+        }
+        return rewritten;
+      }
+      return value;
+    }
+    return value;
+  }
+  const out = {};
+  for (const [k, v] of Object.entries(obj)) {
+    out[k] = await rewriteValue(
+      v,
+      pathPrefix === "" ? k : `${pathPrefix}.${k}`,
+      ownerLogicalId,
+      orphanSet,
+      fetcher,
+      rewrites,
+      unresolvable
+    );
+  }
+  return out;
+}
+async function rewriteSubTemplate(template, ownerLogicalId, pathPrefix, orphanSet, fetcher, rewrites, unresolvable, varMap) {
+  const placeholderRe = /\$\{([^}]+)\}/g;
+  const matches = [...template.matchAll(placeholderRe)];
+  if (matches.length === 0) {
+    return { rewritten: template, didChange: false, hasUnresolvable: false };
+  }
+  let didChange = false;
+  let hasUnresolvable = false;
+  let cursor = 0;
+  let out = "";
+  for (const m of matches) {
+    const inner = m[1] ?? "";
+    const start = m.index ?? 0;
+    out += template.slice(cursor, start);
+    cursor = start + m[0].length;
+    if (varMap && inner in varMap) {
+      out += m[0];
+      continue;
+    }
+    const dot = inner.indexOf(".");
+    if (dot < 0) {
+      if (orphanSet.has(inner)) {
+        const replaced = fetcher.ref(inner);
+        rewrites.push({
+          logicalId: ownerLogicalId,
+          path: pathPrefix,
+          kind: "sub",
+          before: m[0],
+          after: replaced,
+          orphanLogicalId: inner
+        });
+        out += replaced;
+        didChange = true;
+      } else {
+        out += m[0];
+      }
+    } else {
+      const target = inner.slice(0, dot);
+      const attribute = inner.slice(dot + 1);
+      if (orphanSet.has(target)) {
+        const result = await fetcher.getAtt(target, attribute);
+        if (result.ok) {
+          const stringified = String(result.value);
+          rewrites.push({
+            logicalId: ownerLogicalId,
+            path: pathPrefix,
+            kind: "sub",
+            before: m[0],
+            after: stringified,
+            orphanLogicalId: target
+          });
+          out += stringified;
+          didChange = true;
+        } else {
+          unresolvable.push({
+            logicalId: ownerLogicalId,
+            path: pathPrefix,
+            orphanLogicalId: target,
+            attribute,
+            reason: result.reason
+          });
+          out += m[0];
+          hasUnresolvable = true;
+        }
+      } else {
+        out += m[0];
+      }
+    }
+  }
+  out += template.slice(cursor);
+  return { rewritten: out, didChange, hasUnresolvable };
+}
+
+// src/cli/commands/orphan.ts
+async function orphanCommand(pathArgs, options) {
   const logger = getLogger();
   if (options.verbose)
     logger.setLevel("debug");
   warnIfDeprecatedRegion(options);
+  if (pathArgs.length === 0) {
+    throw new Error(
+      "'cdkd orphan' requires at least one construct path, e.g. 'cdkd orphan MyStack/MyTable'.\n       To remove a stack's state record (the previous behavior), use:\n         cdkd state orphan MyStack"
+    );
+  }
+  for (const p of pathArgs) {
+    if (!p.includes("/")) {
+      throw new Error(
+        `'cdkd orphan' now expects a construct path like 'MyStack/MyTable'.
+       Got: '${p}'
+       To remove a stack's state record (the previous behavior), use:
+         cdkd state orphan ${p}`
+      );
+    }
+  }
   const region = options.region || process.env["AWS_REGION"] || "us-east-1";
   const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
-  logger.info("Starting stack orphan...");
-  logger.debug("Options:", options);
   if (options.region) {
     process.env["AWS_REGION"] = options.region;
     process.env["AWS_DEFAULT_REGION"] = options.region;
@@ -32730,10 +33495,7 @@ async function orphanCommand(stackArgs, options) {
   });
   setAwsClients(awsClients);
   try {
-    const stateConfig = {
-      bucket: stateBucket,
-      prefix: options.statePrefix
-    };
+    const stateConfig = { bucket: stateBucket, prefix: options.statePrefix };
     const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
       ...options.region && { region: options.region },
       ...options.profile && { profile: options.profile }
@@ -32741,150 +33503,245 @@ async function orphanCommand(stackArgs, options) {
     await stateBackend.verifyBucketExists();
     const lockManager = new LockManager(awsClients.s3, stateConfig);
     const appCmd = options.app || resolveApp();
-    let appStacks = [];
-    if (appCmd) {
-      try {
-        const synthesizer = new Synthesizer();
-        const context = parseContextOptions(options.context);
-        const result = await synthesizer.synthesize({
-          app: appCmd,
-          output: options.output || "cdk.out",
-          ...Object.keys(context).length > 0 && { context }
-        });
-        appStacks = result.stacks.map((s) => ({
-          stackName: s.stackName,
-          displayName: s.displayName,
-          ...s.region && { region: s.region }
-        }));
-      } catch {
-        logger.debug("Could not synthesize app, falling back to state-based stack list");
-      }
-    }
-    const allStateRefs = await stateBackend.listStacks();
-    let candidateStacks;
-    if (appStacks.length > 0) {
-      const stateNames = new Set(allStateRefs.map((r) => r.stackName));
-      candidateStacks = appStacks.filter((s) => stateNames.has(s.stackName));
-    } else if (stackArgs.length > 0 || options.stack || options.all) {
-      const seen = /* @__PURE__ */ new Set();
-      candidateStacks = [];
-      for (const ref of allStateRefs) {
-        if (seen.has(ref.stackName))
-          continue;
-        seen.add(ref.stackName);
-        candidateStacks.push({ stackName: ref.stackName });
-      }
-    } else {
-      throw new Error(
-        "Could not determine which stacks belong to this app. Specify stack names explicitly, use --all, or ensure --app / cdk.json is configured."
-      );
-    }
-    const stackPatterns = stackArgs.length > 0 ? stackArgs : options.stack ? [options.stack] : [];
-    let stackNames;
-    if (options.all) {
-      stackNames = candidateStacks.map((s) => s.stackName);
-    } else if (stackPatterns.length > 0) {
-      stackNames = matchStacks(candidateStacks, stackPatterns).map((s) => s.stackName);
-    } else if (candidateStacks.length === 1) {
-      stackNames = candidateStacks.map((s) => s.stackName);
-    } else if (candidateStacks.length === 0) {
-      logger.info("No stacks found in state");
-      return;
-    } else {
+    if (!appCmd) {
       throw new Error(
-        `Multiple stacks found: ${candidateStacks.map(describeStack).join(", ")}. Specify stack name(s) or use --all`
+        "'cdkd orphan' requires a CDK app: pass --app or set it in cdk.json. The template is read to resolve construct paths to logical IDs."
       );
     }
-    if (stackNames.length === 0) {
-      logger.info("No matching stacks found in state");
-      return;
-    }
-    logger.info(`Found ${stackNames.length} stack(s) to orphan: ${stackNames.join(", ")}`);
-    const stateRefsByName = /* @__PURE__ */ new Map();
-    for (const ref of allStateRefs) {
-      const arr = stateRefsByName.get(ref.stackName) ?? [];
-      arr.push(ref);
-      stateRefsByName.set(ref.stackName, arr);
+    logger.info("Synthesizing CDK app to read template...");
+    const synthesizer = new Synthesizer();
+    const context = parseContextOptions(options.context);
+    const result = await synthesizer.synthesize({
+      app: appCmd,
+      output: options.output || "cdk.out",
+      ...Object.keys(context).length > 0 && { context }
+    });
+    const resolved = resolveConstructPaths(pathArgs, result.stacks);
+    const stackInfo = resolved.stack;
+    const orphanLogicalIds = resolved.logicalIds;
+    const targetRegion = await pickStackRegion(
+      stateBackend,
+      stackInfo.stackName,
+      stackInfo.region,
+      options.stackRegion
+    );
+    logger.info(
+      `Target: ${stackInfo.stackName} (${targetRegion}); orphaning ${orphanLogicalIds.length} resource(s): ${orphanLogicalIds.join(", ")}`
+    );
+    const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+    if (!options.dryRun) {
+      await lockManager.acquireLock(stackInfo.stackName, targetRegion, owner, "orphan");
     }
-    const skipConfirmation = options.yes || options.force;
-    for (const stackName of stackNames) {
-      const refs = stateRefsByName.get(stackName) ?? [];
-      if (refs.length === 0) {
-        logger.info(`No state found for stack: ${stackName}, skipping`);
-        continue;
+    try {
+      const stateData = await stateBackend.getState(stackInfo.stackName, targetRegion);
+      if (!stateData) {
+        throw new Error(
+          `No state found for stack '${stackInfo.stackName}' (${targetRegion}). Nothing to orphan. (Did the stack get deployed?)`
+        );
       }
-      const targets = options.stackRegion ? refs.filter((r) => r.region === options.stackRegion) : refs;
-      if (targets.length === 0) {
-        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      const { state, etag, migrationPending } = stateData;
+      const missing = orphanLogicalIds.filter((id) => !(id in state.resources));
+      if (missing.length > 0) {
+        const have = Object.keys(state.resources).join(", ");
         throw new Error(
-          `No state found for stack '${stackName}' in region '${options.stackRegion}'. Available regions: ${seen}.`
+          `Resource(s) not in state for stack '${stackInfo.stackName}' (${targetRegion}): ${missing.join(", ")}.
+Available logical IDs: ${have}`
         );
       }
-      if (!options.force) {
-        for (const target of targets) {
-          const locked = await lockManager.isLocked(stackName, target.region);
-          if (locked) {
-            const where = target.region ?? "(legacy)";
-            throw new Error(
-              `Stack '${stackName}' (${where}) is locked. Run 'cdkd force-unlock ${stackName}${target.region ? ` --stack-region ${target.region}` : ""}' first, or pass --force to orphan anyway.`
-            );
-          }
-        }
+      const providerRegistry = new ProviderRegistry();
+      registerAllProviders(providerRegistry);
+      const rewriteResult = await rewriteResourceReferences(
+        state,
+        orphanLogicalIds,
+        providerRegistry,
+        { force: options.force }
+      );
+      printRewriteSummary(rewriteResult.rewrites, orphanLogicalIds);
+      if (rewriteResult.unresolvable.length > 0 && !options.force) {
+        printUnresolvable(rewriteResult.unresolvable);
+        throw new Error(
+          `Orphan aborted: ${rewriteResult.unresolvable.length} reference(s) could not be resolved.
+Re-run with --force to fall back to cached attribute values from state, or fix the underlying provider/AWS issue and retry.`
+        );
       }
-      if (!skipConfirmation) {
-        const targetList = targets.map((t) => t.region ? `${stackName} (${t.region})` : stackName).join(", ");
-        process.stdout.write(
-          `
-WARNING: This removes cdkd's state record for [${targetList}] only. AWS resources will NOT be deleted.
-Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
-
-`
+      if (rewriteResult.unresolvable.length > 0) {
+        printUnresolvable(rewriteResult.unresolvable);
+        logger.warn(
+          `--force: continuing despite ${rewriteResult.unresolvable.length} unresolved reference(s); the original intrinsic was left in place where the cache also lacked the value.`
         );
-        const rl = readline2.createInterface({
-          input: process.stdin,
-          output: process.stdout
-        });
-        const answer = await rl.question(
-          `Orphan state for ${targetList} from s3://${stateBucket}/${options.statePrefix}/? (y/N): `
+      }
+      if (options.dryRun) {
+        logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
+        return;
+      }
+      if (!options.yes && !options.force) {
+        const ok = await confirmPrompt(
+          `Orphan ${orphanLogicalIds.length} resource(s) from cdkd state for ${stackInfo.stackName} (${targetRegion})? AWS resources will NOT be deleted.`
         );
-        rl.close();
-        const trimmed = answer.trim().toLowerCase();
-        if (trimmed !== "y" && trimmed !== "yes") {
-          logger.info(`Cancelled orphan of stack: ${stackName}`);
-          continue;
+        if (!ok) {
+          logger.info("Orphan cancelled.");
+          return;
         }
       }
-      for (const target of targets) {
-        if (target.region) {
-          await stateBackend.deleteState(stackName, target.region);
-          await lockManager.forceReleaseLock(stackName, target.region);
-        } else {
-          await lockManager.forceReleaseLock(stackName, void 0);
-        }
-        const label = target.region ? `${stackName} (${target.region})` : stackName;
-        logger.info(`\u2713 Orphaned state for stack: ${label}`);
+      await stateBackend.saveState(stackInfo.stackName, targetRegion, rewriteResult.state, {
+        expectedEtag: etag,
+        ...migrationPending && { migrateLegacy: true }
+      });
+      logger.info(
+        `Orphaned ${orphanLogicalIds.length} resource(s) from state: ${stackInfo.stackName} (${targetRegion}). AWS resources are still in AWS; cdkd will no longer manage them.`
+      );
+    } finally {
+      if (!options.dryRun) {
+        await lockManager.releaseLock(stackInfo.stackName, targetRegion).catch((err) => {
+          logger.warn(
+            `Failed to release lock: ${err instanceof Error ? err.message : String(err)}`
+          );
+        });
       }
     }
   } finally {
     awsClients.destroy();
   }
 }
+function resolveConstructPaths(paths, stacks) {
+  const byStackName = /* @__PURE__ */ new Map();
+  const byDisplayName = /* @__PURE__ */ new Map();
+  for (const s of stacks) {
+    byStackName.set(s.stackName, s);
+    byDisplayName.set(s.displayName, s);
+  }
+  let stack;
+  const logicalIds = [];
+  for (const p of paths) {
+    const slash = p.indexOf("/");
+    if (slash <= 0 || slash === p.length - 1) {
+      throw new Error(`Invalid construct path '${p}'. Expected '<StackName>/<Path/To/Resource>'.`);
+    }
+    const head = p.slice(0, slash);
+    const candidate = byDisplayName.get(head) ?? byStackName.get(head);
+    if (!candidate) {
+      const available = stacks.map((s) => s.displayName ?? s.stackName).join(", ");
+      throw new Error(
+        `Construct path '${p}': stack '${head}' not found in synthesized app. Available: ${available}`
+      );
+    }
+    if (stack === void 0) {
+      stack = candidate;
+    } else if (stack.stackName !== candidate.stackName) {
+      throw new Error(
+        `All construct paths must reference the same stack. Got '${stack.stackName}' and '${candidate.stackName}'. Run 'cdkd orphan' once per stack.`
+      );
+    }
+    const cdkPath = p;
+    const index = buildCdkPathIndex(candidate.template);
+    const logicalId = index.get(cdkPath);
+    if (!logicalId) {
+      const available = [...index.keys()].sort().join("\n  ");
+      throw new Error(
+        `Construct path '${cdkPath}' not found in template for stack '${candidate.stackName}'.
+Available paths:
+  ${available}`
+      );
+    }
+    if (!logicalIds.includes(logicalId)) {
+      logicalIds.push(logicalId);
+    }
+  }
+  if (!stack) {
+    throw new Error("No construct paths supplied.");
+  }
+  return { stack, logicalIds };
+}
+async function pickStackRegion(stateBackend, stackName, synthRegion, flag) {
+  const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
+  if (refs.length === 0) {
+    if (flag)
+      return flag;
+    if (synthRegion)
+      return synthRegion;
+    throw new Error(
+      `No state found for stack '${stackName}'. Run 'cdkd state list' to see available stacks.`
+    );
+  }
+  if (flag) {
+    const found = refs.find((r) => r.region === flag);
+    if (!found) {
+      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      throw new Error(
+        `No state found for stack '${stackName}' in region '${flag}'. Available regions: ${seen}.`
+      );
+    }
+    return flag;
+  }
+  if (synthRegion) {
+    const found = refs.find((r) => r.region === synthRegion);
+    if (found)
+      return synthRegion;
+  }
+  if (refs.length === 1) {
+    return refs[0].region ?? synthRegion ?? "";
+  }
+  const regions = refs.map((r) => r.region ?? "(legacy)").join(", ");
+  throw new Error(
+    `Stack '${stackName}' has state in multiple regions: ${regions}. Re-run with --stack-region <region> to disambiguate.`
+  );
+}
+function printRewriteSummary(rewrites, orphanLogicalIds) {
+  const logger = getLogger();
+  logger.info("");
+  logger.info(`Orphaning ${orphanLogicalIds.length} resource(s): ${orphanLogicalIds.join(", ")}`);
+  if (rewrites.length === 0) {
+    logger.info("  No sibling references \u2014 every reference was already to a non-orphan resource.");
+    return;
+  }
+  logger.info(`Applied ${rewrites.length} rewrite(s):`);
+  for (const r of rewrites) {
+    const before = stringifyForAudit(r.before);
+    const after = r.kind === "dependency" ? "(dropped)" : stringifyForAudit(r.after);
+    logger.info(`  [${r.kind}] ${r.logicalId}.${r.path}: ${before} \u2192 ${after}`);
+  }
+}
+function printUnresolvable(unresolvable) {
+  const logger = getLogger();
+  logger.error(`${unresolvable.length} reference(s) could not be resolved:`);
+  for (const u of unresolvable) {
+    logger.error(`  ${u.logicalId}.${u.path}: ${u.orphanLogicalId}.${u.attribute} \u2014 ${u.reason}`);
+  }
+}
+function stringifyForAudit(value) {
+  if (typeof value === "string")
+    return JSON.stringify(value);
+  return JSON.stringify(value);
+}
+async function confirmPrompt(prompt) {
+  const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
 function createOrphanCommand() {
   const cmd = new Command7("orphan").description(
-    "Remove cdkd's state record for one or more stacks (does NOT delete AWS resources). Synth-driven; for the CDK-app-free version use 'cdkd state orphan'."
+    "Remove one or more resources from cdkd state by construct path (does NOT delete AWS resources). Mirrors aws-cdk-cli's 'cdk orphan --unstable=orphan'. Synth-driven; for the previous whole-stack-orphan behavior, use 'cdkd state orphan <stack>'."
   ).argument(
-    "[stacks...]",
-    "Stack name(s) to orphan. Accepts physical CloudFormation names (e.g. 'MyStage-Api') or CDK display paths (e.g. 'MyStage/Api'). Supports wildcards (e.g. 'MyStage/*')."
-  ).option("--all", "Orphan all stacks in the current app", false).option(
+    "<paths...>",
+    "Construct paths to orphan, e.g. 'MyStack/MyTable'. Multiple paths must reference the same stack."
+  ).option(
     "--stack-region <region>",
     "Region of the stack record to operate on. Required when the same stack name has state in multiple regions."
+  ).option(
+    "--dry-run",
+    "Compute and print the rewrite audit table without acquiring a lock or saving state.",
+    false
   ).action(withErrorHandling(orphanCommand));
   [
     ...commonOptions,
     ...appOptions,
     ...stateOptions,
-    ...stackOptions,
     ...destroyOptions,
+    // adds -f / --force (escape hatch for unresolvable references + skip confirm)
     ...contextOptions
   ].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
@@ -33076,7 +33933,7 @@ async function stateMigrateCommand(options) {
       }
       if (!options.yes) {
         const action = options.removeLegacy ? "and DELETE the source bucket" : "(source bucket will be kept)";
-        const ok = await confirmPrompt(
+        const ok = await confirmPrompt2(
           `Copy ${sourceObjects.length} object(s) from ${legacyBucket} -> ${newBucket} ${action}?`
         );
         if (!ok) {
@@ -33281,7 +34138,7 @@ async function emptyBucketAllVersions(s3, bucket) {
     versionIdMarker = resp.NextVersionIdMarker;
   } while (keyMarker || versionIdMarker);
 }
-async function confirmPrompt(prompt) {
+async function confirmPrompt2(prompt) {
   const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
@@ -33536,7 +34393,7 @@ function formatAttributeValue(value) {
   }
   return JSON.stringify(value);
 }
-function formatDuration(ms) {
+function formatDuration2(ms) {
   const seconds = Math.floor(ms / 1e3);
   if (seconds < 60)
     return `${seconds}s`;
@@ -33549,7 +34406,7 @@ function formatLockSummary(lockInfo) {
     return "unlocked";
   const opStr = lockInfo.operation ? ` (operation: ${lockInfo.operation})` : "";
   const expiresInMs = lockInfo.expiresAt - Date.now();
-  const expiresStr = expiresInMs > 0 ? `expires in ${formatDuration(expiresInMs)}` : `expired ${formatDuration(-expiresInMs)} ago`;
+  const expiresStr = expiresInMs > 0 ? `expires in ${formatDuration2(expiresInMs)}` : `expired ${formatDuration2(-expiresInMs)} ago`;
   return `locked by ${lockInfo.owner}${opStr}, ${expiresStr}`;
 }
 function createStateResourcesCommand() {
@@ -33737,6 +34594,10 @@ async function stateDestroyCommand(stackArgs, options) {
     logger.setLevel("debug");
     process.env["CDKD_NO_LIVE"] = "1";
   }
+  validateResourceTimeouts({
+    ...options.resourceWarnAfter && { resourceWarnAfter: options.resourceWarnAfter },
+    ...options.resourceTimeout && { resourceTimeout: options.resourceTimeout }
+  });
   if (!options.all && stackArgs.length === 0) {
     throw new Error(
       "Stack name is required. Usage: cdkd state destroy <stack> [<stack>...] | --all"
@@ -33836,7 +34697,19 @@ Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
           // and the per-stack prompt inside the runner. Per-stack prompts are
           // skipped when `options.yes` is set OR `--all` was set (the user
           // already accepted the batch prompt).
-          skipConfirmation: options.yes || options.all === true
+          skipConfirmation: options.yes || options.all === true,
+          ...options.resourceWarnAfter?.globalMs !== void 0 && {
+            resourceWarnAfterMs: options.resourceWarnAfter.globalMs
+          },
+          ...options.resourceTimeout?.globalMs !== void 0 && {
+            resourceTimeoutMs: options.resourceTimeout.globalMs
+          },
+          ...options.resourceWarnAfter?.perTypeMs && {
+            resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs
+          },
+          ...options.resourceTimeout?.perTypeMs && {
+            resourceTimeoutByType: options.resourceTimeout.perTypeMs
+          }
         });
         totalErrors += result.errorCount;
       }
@@ -33867,7 +34740,9 @@ function createStateDestroyCommand() {
       "For removing only the state record (keeping AWS resources intact), use 'cdkd state orphan'."
     ].join("\n")
   ).action(withErrorHandling(stateDestroyCommand));
-  [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  [...commonOptions, ...stateOptions, ...resourceTimeoutOptions].forEach(
+    (opt) => cmd.addOption(opt)
+  );
   cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
@@ -34002,7 +34877,7 @@ function createStateCommand() {
 }
 
 // src/cli/commands/import.ts
-import { readFileSync as readFileSync5 } from "node:fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "node:fs";
 import * as readline5 from "node:readline/promises";
 import { Command as Command12 } from "commander";
 init_aws_clients();
@@ -34121,6 +34996,9 @@ async function importCommand(stackArg, options) {
         rows.push(outcome);
       }
       printSummary(rows);
+      if (options.recordResourceMapping) {
+        writeRecordedMapping(options.recordResourceMapping, rows);
+      }
       if (options.dryRun) {
         logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
         return;
@@ -34131,7 +35009,7 @@ async function importCommand(stackArg, options) {
         return;
       }
       if (!options.yes) {
-        const ok = await confirmPrompt2(
+        const ok = await confirmPrompt3(
           `Write state for ${stackInfo.stackName} (${targetRegion}) with ${importedRows.length} resource(s)?`
         );
         if (!ok) {
@@ -34274,12 +35152,24 @@ function parseMappingJson(raw, source) {
   }
   return out;
 }
-function readCdkPath(resource) {
-  const meta = resource.Metadata;
-  if (!meta)
-    return "";
-  const v = meta["aws:cdk:path"];
-  return typeof v === "string" ? v : "";
+function writeRecordedMapping(filePath, rows) {
+  const logger = getLogger();
+  const map = {};
+  for (const row of rows) {
+    if (row.outcome === "imported" && row.physicalId) {
+      map[row.logicalId] = row.physicalId;
+    }
+  }
+  const body = JSON.stringify(map, null, 2) + "\n";
+  try {
+    writeFileSync4(filePath, body, "utf-8");
+    logger.info(`Wrote resolved mapping to ${filePath} (${Object.keys(map).length} entry(ies))`);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logger.error(
+      `Failed to write --record-resource-mapping file '${filePath}': ${msg}. Continuing \u2014 the import already resolved every physical id in memory.`
+    );
+  }
 }
 function collectImportableResources(template) {
   const out = [];
@@ -34352,7 +35242,7 @@ function formatOutcome(outcome) {
       return "\u2717";
   }
 }
-async function confirmPrompt2(prompt) {
+async function confirmPrompt3(prompt) {
   const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
@@ -34378,6 +35268,9 @@ function createImportCommand() {
   ).option(
     "--resource-mapping-inline <json>",
     "Inline JSON object of {logicalId: physicalId} overrides (CDK CLI `cdk import --resource-mapping-inline` compatible). Same shape as --resource-mapping but supplied as a string \u2014 useful for non-TTY CI scripts that do not want a separate file. Implies selective mode unless --auto is set. Mutually exclusive with --resource-mapping."
+  ).option(
+    "--record-resource-mapping <file>",
+    'After cdkd resolves every logical ID (via --resource / --resource-mapping / tag-based auto-lookup), write the resulting {logicalId: physicalId} map to <file> as JSON. Useful in auto / hybrid mode for capturing the tag-resolved mapping and feeding it back as --resource-mapping in non-interactive CI re-runs. Written before the confirmation prompt (so the user can review the file before saying "yes") and even when the user says "no". Mirrors `cdk import --record-resource-mapping`.'
   ).option(
     "--auto",
     "Hybrid mode: when explicit overrides are supplied, ALSO tag-import every other resource in the template. Without this flag, --resource / --resource-mapping behave as a whitelist (CDK CLI parity).",
@@ -34423,7 +35316,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.24.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.26.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());