@go-to-k/cdkd 0.25.0 → 0.27.0

package/dist/cli.js

@@ -528,29 +528,82 @@ function parseDuration(value) {
   const multiplier = unit === "s" ? 1e3 : unit === "m" ? 6e4 : 36e5;
   return Math.round(num * multiplier);
 }
+var RESOURCE_TYPE_REGEX = /^[A-Z][A-Za-z0-9]+::[A-Z][A-Za-z0-9]+::[A-Z][A-Za-z0-9]+$/;
+function parseResourceTimeoutToken(flagName) {
+  return (raw, previous) => {
+    const acc = previous ?? { perTypeMs: {} };
+    if (!acc.perTypeMs)
+      acc.perTypeMs = {};
+    const eqIndex = raw.indexOf("=");
+    if (eqIndex === -1) {
+      acc.globalMs = parseDuration(raw);
+      return acc;
+    }
+    const typePart = raw.substring(0, eqIndex).trim();
+    const durationPart = raw.substring(eqIndex + 1).trim();
+    if (!RESOURCE_TYPE_REGEX.test(typePart)) {
+      throw new Error(
+        `Invalid ${flagName} value "${raw}": left-hand side must be a CloudFormation resource type like AWS::Service::Resource (got "${typePart}")`
+      );
+    }
+    if (durationPart.length === 0) {
+      throw new Error(
+        `Invalid ${flagName} value "${raw}": missing duration after '=' (e.g. ${typePart}=1h)`
+      );
+    }
+    let ms;
+    try {
+      ms = parseDuration(durationPart);
+    } catch (err) {
+      const inner = err instanceof Error ? err.message : String(err);
+      throw new Error(`Invalid ${flagName} value "${raw}": ${inner}`);
+    }
+    acc.perTypeMs[typePart] = ms;
+    return acc;
+  };
+}
 var resourceTimeoutOptions = [
-  // Default values are stored as parsed milliseconds (NOT the source
-  // string) because commander's `argParser` only runs on user-supplied
-  // values, never on defaults — without this every command handler
-  // would see `'5m'` (string) when the user did not pass the flag and
-  // `300_000` (number) when they did. The second `defaultValueDescription`
-  // argument keeps `--help` showing the human-readable form.
+  // Default is `undefined` (NOT a pre-seeded ResourceTimeoutOption) — the
+  // command handler resolves missing globalMs to DEFAULT_RESOURCE_*_MS
+  // at the call site. Pre-seeding here would force every accumulator
+  // call to carry a snapshot, and would also surprise unit tests that
+  // expect `opts.resourceTimeout` to be `undefined` when the flag is not
+  // passed.
   new Option(
-    "--resource-warn-after <duration>",
-    "Warn when a single resource operation exceeds this wall-clock duration (e.g. 5m, 90s, 1h)"
-  ).default(parseDuration("5m"), "5m").argParser(parseDuration),
+    "--resource-warn-after <duration_or_type=duration>",
+    "Warn when a single resource operation exceeds this wall-clock duration. Repeatable: pass a bare duration (e.g. 5m) to set the global default, or TYPE=DURATION (e.g. AWS::CloudFront::Distribution=10m) for a per-type override."
+  ).default(void 0, "5m").argParser(parseResourceTimeoutToken("--resource-warn-after")),
   new Option(
-    "--resource-timeout <duration>",
-    "Abort a single resource operation that exceeds this wall-clock duration. Custom-Resource-heavy stacks may need to raise this above the default 30m (the Custom Resource provider's polling cap is 1h)."
-  ).default(parseDuration("30m"), "30m").argParser(parseDuration)
+    "--resource-timeout <duration_or_type=duration>",
+    "Abort a single resource operation that exceeds this wall-clock duration. Repeatable: pass a bare duration (e.g. 30m) to set the global default, or TYPE=DURATION (e.g. AWS::CloudFront::Distribution=1h) for a per-type override. Custom-Resource-heavy stacks may need to raise this above the default 30m (the Custom Resource provider's polling cap is 1h)."
+  ).default(void 0, "30m").argParser(parseResourceTimeoutToken("--resource-timeout"))
 ];
 function validateResourceTimeouts(opts) {
   const warn = opts.resourceWarnAfter;
   const timeout = opts.resourceTimeout;
-  if (typeof warn === "number" && typeof timeout === "number" && warn >= timeout) {
-    throw new Error(
-      `--resource-warn-after (${warn}ms) must be less than --resource-timeout (${timeout}ms)`
-    );
+  const globalWarn = warn?.globalMs;
+  const globalTimeout = timeout?.globalMs;
+  if (typeof globalWarn === "number" && typeof globalTimeout === "number") {
+    if (globalWarn >= globalTimeout) {
+      throw new Error(
+        `--resource-warn-after (${globalWarn}ms) must be less than --resource-timeout (${globalTimeout}ms)`
+      );
+    }
+  }
+  const warnPerType = warn?.perTypeMs ?? {};
+  const timeoutPerType = timeout?.perTypeMs ?? {};
+  const types = /* @__PURE__ */ new Set([...Object.keys(warnPerType), ...Object.keys(timeoutPerType)]);
+  for (const t of types) {
+    const effectiveWarn = warnPerType[t] ?? globalWarn;
+    const effectiveTimeout = timeoutPerType[t] ?? globalTimeout;
+    if (typeof effectiveWarn !== "number" || typeof effectiveTimeout !== "number") {
+      continue;
+    }
+    if (effectiveWarn >= effectiveTimeout) {
+      throw new Error(
+        `--resource-warn-after for ${t} (${effectiveWarn}ms) must be less than --resource-timeout for ${t} (${effectiveTimeout}ms)`
+      );
+    }
   }
 }
 var deployOptions = [
@@ -8585,6 +8638,33 @@ var IAMRoleProvider = class {
       this.logger.debug(`Added/updated ${tagsToAdd.length} tags on role ${roleName}`);
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing IAM role.
+   *
+   * CloudFormation's `AWS::IAM::Role` exposes `Arn` and `RoleId`; both are
+   * available from the `GetRole` response. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html#aws-resource-iam-role-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    try {
+      const resp = await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
+      switch (attributeName) {
+        case "Arn":
+          return resp.Role?.Arn;
+        case "RoleId":
+          return resp.Role?.RoleId;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof NoSuchEntityException)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -10435,17 +10515,35 @@ var S3BucketProvider = class {
     return region || "us-east-1";
   }
   /**
-   * Build attributes for an S3 bucket
+   * Build attributes for an S3 bucket.
+   *
+   * Covers every CloudFormation `Fn::GetAtt` return value for
+   * `AWS::S3::Bucket`. All fields are derivable from `bucketName` + region —
+   * no extra AWS API call is needed. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket.html#aws-properties-s3-bucket-return-values
    */
   async buildAttributes(bucketName) {
     const region = await this.getRegion();
     return {
       Arn: `arn:aws:s3:::${bucketName}`,
       DomainName: `${bucketName}.s3.amazonaws.com`,
+      DualStackDomainName: `${bucketName}.s3.dualstack.${region}.amazonaws.com`,
       RegionalDomainName: `${bucketName}.s3.${region}.amazonaws.com`,
       WebsiteURL: `http://${bucketName}.s3-website-${region}.amazonaws.com`
     };
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing bucket.
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references. All S3 Bucket attributes are
+   * derivable from bucket name + region, so this avoids the round trip and
+   * reuses the same templating as `buildAttributes`.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    const attrs = await this.buildAttributes(physicalId);
+    return attrs[attributeName];
+  }
   /**
    * Apply versioning configuration if specified
    */
@@ -11740,6 +11838,43 @@ var SQSQueueProvider = class {
       return `arn:aws:sqs:unknown:unknown:${queueName}`;
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing SQS queue.
+   *
+   * CloudFormation's `AWS::SQS::Queue` exposes `Arn`, `QueueName` and
+   * `QueueUrl`. The cdkd physicalId is the queue URL; `QueueUrl` and
+   * `QueueName` are derivable from it without an AWS call, while `Arn`
+   * requires `GetQueueAttributes`. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sqs-queues.html#aws-properties-sqs-queues-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    switch (attributeName) {
+      case "QueueUrl":
+        return physicalId;
+      case "QueueName":
+        return physicalId.substring(physicalId.lastIndexOf("/") + 1);
+      case "Arn": {
+        try {
+          const resp = await this.sqsClient.send(
+            new GetQueueAttributesCommand({
+              QueueUrl: physicalId,
+              AttributeNames: ["QueueArn"]
+            })
+          );
+          return resp.Attributes?.["QueueArn"];
+        } catch (err) {
+          if (err instanceof QueueDoesNotExist)
+            return void 0;
+          throw err;
+        }
+      }
+      default:
+        return void 0;
+    }
+  }
   /**
    * Adopt an existing SQS queue into cdkd state.
    *
@@ -12275,6 +12410,28 @@ var SNSTopicProvider = class {
       );
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing SNS topic.
+   *
+   * CloudFormation's `AWS::SNS::Topic` exposes `TopicName` and `TopicArn`.
+   * The cdkd physicalId is the topic ARN, so both are derivable without
+   * an AWS call. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-sns-topic.html#aws-properties-sns-topic-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  // eslint-disable-next-line @typescript-eslint/require-await -- consistent async signature with other providers
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    switch (attributeName) {
+      case "TopicArn":
+        return physicalId;
+      case "TopicName":
+        return physicalId.split(":").pop();
+      default:
+        return void 0;
+    }
+  }
   /**
    * Adopt an existing SNS topic into cdkd state.
    *
@@ -13256,6 +13413,43 @@ var LambdaFunctionProvider = class {
     }
     return (crc ^ 4294967295) >>> 0;
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing Lambda function.
+   *
+   * CloudFormation's `AWS::Lambda::Function` exposes `Arn`,
+   * `SnapStartResponse.ApplyOn`, and `SnapStartResponse.OptimizationStatus`
+   * as documented at
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-function.html#aws-resource-lambda-function-return-values.
+   *
+   * All three live in the same `GetFunction` response (`Configuration.FunctionArn`
+   * and `Configuration.SnapStart.{ApplyOn,OptimizationStatus}`), so a single API
+   * call covers every supported attr. Used by `cdkd orphan` to live-fetch
+   * attribute values that need to be substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName !== "Arn" && attributeName !== "SnapStartResponse.ApplyOn" && attributeName !== "SnapStartResponse.OptimizationStatus") {
+      return void 0;
+    }
+    try {
+      const resp = await this.lambdaClient.send(
+        new GetFunctionCommand({ FunctionName: physicalId })
+      );
+      switch (attributeName) {
+        case "Arn":
+          return resp.Configuration?.FunctionArn;
+        case "SnapStartResponse.ApplyOn":
+          return resp.Configuration?.SnapStart?.ApplyOn;
+        case "SnapStartResponse.OptimizationStatus":
+          return resp.Configuration?.SnapStart?.OptimizationStatus;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing Lambda function into cdkd state.
    *
@@ -13528,6 +13722,7 @@ var LambdaPermissionProvider = class {
 import {
   CreateFunctionUrlConfigCommand,
   DeleteFunctionUrlConfigCommand,
+  GetFunctionUrlConfigCommand as GetFunctionUrlConfigCommand2,
   UpdateFunctionUrlConfigCommand,
   ResourceNotFoundException as ResourceNotFoundException3
 } from "@aws-sdk/client-lambda";
@@ -13655,6 +13850,36 @@ var LambdaUrlProvider = class {
       );
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing Lambda Function
+   * URL.
+   *
+   * CloudFormation's `AWS::Lambda::Url` exposes `FunctionArn` and
+   * `FunctionUrl`. Both come from `GetFunctionUrlConfig`. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-url.html#aws-resource-lambda-url-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    try {
+      const resp = await this.lambdaClient.send(
+        new GetFunctionUrlConfigCommand2({ FunctionName: physicalId })
+      );
+      switch (attributeName) {
+        case "FunctionArn":
+          return resp.FunctionArn;
+        case "FunctionUrl":
+          return resp.FunctionUrl;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException3)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing Lambda Function URL into cdkd state.
    *
@@ -14366,6 +14591,40 @@ var DynamoDBTableProvider = class {
     }
     throw new Error(`Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds`);
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing DynamoDB table.
+   *
+   * CloudFormation's `AWS::DynamoDB::Table` exposes `Arn`, `StreamArn`
+   * (a.k.a. `LatestStreamArn` in the SDK; CFn returns the latest enabled
+   * stream's ARN), and `LatestStreamLabel`. All three are sibling fields on
+   * the same `DescribeTable` response, so a single API call covers every
+   * supported attr. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-table.html#aws-resource-dynamodb-table-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    try {
+      const resp = await this.dynamoDBClient.send(
+        new DescribeTableCommand2({ TableName: physicalId })
+      );
+      switch (attributeName) {
+        case "Arn":
+          return resp.Table?.TableArn;
+        case "StreamArn":
+          return resp.Table?.LatestStreamArn;
+        case "LatestStreamLabel":
+          return resp.Table?.LatestStreamLabel;
+        default:
+          return void 0;
+      }
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException6)
+        return void 0;
+      throw err;
+    }
+  }
   /**
    * Adopt an existing DynamoDB table into cdkd state.
    *
@@ -14653,6 +14912,23 @@ var LogsLogGroupProvider = class {
       return `arn:aws:logs:unknown:unknown:log-group:${logGroupName}:*`;
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an existing log group.
+   *
+   * CloudFormation's `AWS::Logs::LogGroup` exposes only `Arn`. The ARN is
+   * derivable from the log group name + account + region via the existing
+   * `buildArn` helper. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-logs-loggroup.html#aws-resource-logs-loggroup-return-values
+   *
+   * Used by `cdkd orphan` to live-fetch attribute values that need to be
+   * substituted into sibling references.
+   */
+  async getAttribute(physicalId, _resourceType, attributeName) {
+    if (attributeName !== "Arn") {
+      return void 0;
+    }
+    return this.buildArn(physicalId);
+  }
   /**
    * Adopt an existing CloudWatch Logs log group into cdkd state.
    *
@@ -16690,29 +16966,63 @@ var EC2Provider = class {
       }
     }
   }
+  /**
+   * Resolve a single `Fn::GetAtt` attribute for an `AWS::EC2::VPC`.
+   *
+   * CloudFormation returns `CidrBlock`, `CidrBlockAssociations`,
+   * `DefaultNetworkAcl`, `DefaultSecurityGroup`, and `Ipv6CidrBlocks`. See:
+   * https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpc.html#aws-resource-ec2-vpc-return-values
+   *
+   * `DefaultNetworkAcl` and `DefaultSecurityGroup` previously returned wrong
+   * values (DHCP options id and `undefined` respectively); the AWS console
+   * surfaces these the same way as CFn — by filtering the relevant
+   * `Describe*` API on `vpc-id` + the `default` flag.
+   */
   async getVpcAttribute(physicalId, attributeName) {
-    if (attributeName === "VpcId")
-      return physicalId;
     try {
-      const response = await this.ec2Client.send(new DescribeVpcsCommand2({ VpcIds: [physicalId] }));
-      const vpc = response.Vpcs?.[0];
-      if (!vpc)
-        return void 0;
       switch (attributeName) {
-        case "CidrBlock":
-          return vpc.CidrBlock;
-        case "Ipv6CidrBlocks":
-          return vpc.Ipv6CidrBlockAssociationSet?.filter(
-            (a) => a.Ipv6CidrBlockState?.State === "associated"
-          ).map((a) => a.Ipv6CidrBlock) || [];
-        case "CidrBlockAssociations":
-          return vpc.CidrBlockAssociationSet?.map((a) => a.AssociationId) || [];
-        case "DefaultNetworkAcl":
-          return vpc.DhcpOptionsId;
-        case "DefaultSecurityGroup":
-          return void 0;
-        default:
-          return void 0;
+        case "DefaultNetworkAcl": {
+          const resp = await this.ec2Client.send(
+            new DescribeNetworkAclsCommand({
+              Filters: [
+                { Name: "vpc-id", Values: [physicalId] },
+                { Name: "default", Values: ["true"] }
+              ]
+            })
+          );
+          return resp.NetworkAcls?.[0]?.NetworkAclId;
+        }
+        case "DefaultSecurityGroup": {
+          const resp = await this.ec2Client.send(
+            new DescribeSecurityGroupsCommand2({
+              Filters: [
+                { Name: "vpc-id", Values: [physicalId] },
+                { Name: "group-name", Values: ["default"] }
+              ]
+            })
+          );
+          return resp.SecurityGroups?.[0]?.GroupId;
+        }
+        default: {
+          const response = await this.ec2Client.send(
+            new DescribeVpcsCommand2({ VpcIds: [physicalId] })
+          );
+          const vpc = response.Vpcs?.[0];
+          if (!vpc)
+            return void 0;
+          switch (attributeName) {
+            case "CidrBlock":
+              return vpc.CidrBlock;
+            case "Ipv6CidrBlocks":
+              return vpc.Ipv6CidrBlockAssociationSet?.filter(
+                (a) => a.Ipv6CidrBlockState?.State === "associated"
+              ).map((a) => a.Ipv6CidrBlock) || [];
+            case "CidrBlockAssociations":
+              return vpc.CidrBlockAssociationSet?.map((a) => a.AssociationId) || [];
+            default:
+              return void 0;
+          }
+        }
       }
     } catch {
       return void 0;
@@ -31580,8 +31890,8 @@ var DeployEngine = class {
     const baseLabel = `${verb} ${logicalId} (${resourceType})`;
     renderer.addTask(logicalId, baseLabel);
     const operationKind = change.changeType === "CREATE" ? "CREATE" : change.changeType === "DELETE" ? "DELETE" : "UPDATE";
-    const warnAfterMs = this.options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
-    const timeoutMs = this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
+    const warnAfterMs = this.options.resourceWarnAfterByType?.[resourceType] ?? this.options.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
+    const timeoutMs = this.options.resourceTimeoutByType?.[resourceType] ?? this.options.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
     try {
       await withResourceDeadline(
         async () => {
@@ -32085,8 +32395,8 @@ async function deployCommand(stacks, options) {
   }
   warnIfDeprecatedRegion(options);
   validateResourceTimeouts({
-    resourceWarnAfter: options.resourceWarnAfter,
-    resourceTimeout: options.resourceTimeout
+    ...options.resourceWarnAfter && { resourceWarnAfter: options.resourceWarnAfter },
+    ...options.resourceTimeout && { resourceTimeout: options.resourceTimeout }
   });
   if (!options.wait) {
     process.env["CDKD_NO_WAIT"] = "true";
@@ -32281,8 +32591,18 @@ Deploying stack: ${stackInfo.stackName}${stackRegion !== baseRegion ? ` (region:
           concurrency: options.concurrency,
           dryRun: options.dryRun,
           noRollback: !options.rollback,
-          resourceWarnAfterMs: options.resourceWarnAfter,
-          resourceTimeoutMs: options.resourceTimeout
+          ...options.resourceWarnAfter?.globalMs !== void 0 && {
+            resourceWarnAfterMs: options.resourceWarnAfter.globalMs
+          },
+          ...options.resourceTimeout?.globalMs !== void 0 && {
+            resourceTimeoutMs: options.resourceTimeout.globalMs
+          },
+          ...options.resourceWarnAfter?.perTypeMs && {
+            resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs
+          },
+          ...options.resourceTimeout?.perTypeMs && {
+            resourceTimeoutByType: options.resourceTimeout.perTypeMs
+          }
         },
         stackRegion
       );
@@ -32692,8 +33012,6 @@ Acquiring lock for stack ${stackName}...`);
       logger.debug(
         `Deletion level ${executionLevels.length - levelIndex}/${executionLevels.length} (${level.length} resources)`
       );
-      const warnAfterMs = ctx.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
-      const timeoutMs = ctx.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
       const stackRegion2 = state.region ?? ctx.baseRegion;
       const deletePromises = level.map(async (logicalId) => {
         const resource = state.resources[logicalId];
@@ -32701,6 +33019,8 @@ Acquiring lock for stack ${stackName}...`);
           logger.warn(`Resource ${logicalId} not found in state, skipping`);
           return;
         }
+        const warnAfterMs = ctx.resourceWarnAfterByType?.[resource.resourceType] ?? ctx.resourceWarnAfterMs ?? DEFAULT_RESOURCE_WARN_AFTER_MS;
+        const timeoutMs = ctx.resourceTimeoutByType?.[resource.resourceType] ?? ctx.resourceTimeoutMs ?? DEFAULT_RESOURCE_TIMEOUT_MS;
         const baseLabel = `Deleting ${logicalId} (${resource.resourceType})`;
         renderer.addTask(logicalId, baseLabel);
         try {
@@ -32821,8 +33141,8 @@ async function destroyCommand(stackArgs, options) {
   }
   warnIfDeprecatedRegion(options);
   validateResourceTimeouts({
-    resourceWarnAfter: options.resourceWarnAfter,
-    resourceTimeout: options.resourceTimeout
+    ...options.resourceWarnAfter && { resourceWarnAfter: options.resourceWarnAfter },
+    ...options.resourceTimeout && { resourceTimeout: options.resourceTimeout }
   });
   const region = options.region || process.env["AWS_REGION"] || "us-east-1";
   const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
@@ -32956,8 +33276,18 @@ Preparing to destroy stack: ${stackName}`);
         ...options.profile && { profile: options.profile },
         stateBucket,
         skipConfirmation: options.yes || options.force,
-        resourceWarnAfterMs: options.resourceWarnAfter,
-        resourceTimeoutMs: options.resourceTimeout
+        ...options.resourceWarnAfter?.globalMs !== void 0 && {
+          resourceWarnAfterMs: options.resourceWarnAfter.globalMs
+        },
+        ...options.resourceTimeout?.globalMs !== void 0 && {
+          resourceTimeoutMs: options.resourceTimeout.globalMs
+        },
+        ...options.resourceWarnAfter?.perTypeMs && {
+          resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs
+        },
+        ...options.resourceTimeout?.perTypeMs && {
+          resourceTimeoutByType: options.resourceTimeout.perTypeMs
+        }
       });
     }
   } finally {
@@ -32986,15 +33316,432 @@ function createDestroyCommand() {
 import * as readline2 from "node:readline/promises";
 import { Command as Command7 } from "commander";
 init_aws_clients();
-async function orphanCommand(stackArgs, options) {
+
+// src/cli/cdk-path.ts
+function readCdkPath(resource) {
+  const meta = resource.Metadata;
+  if (!meta)
+    return "";
+  const v = meta["aws:cdk:path"];
+  return typeof v === "string" ? v : "";
+}
+function buildCdkPathIndex(template) {
+  const index = /* @__PURE__ */ new Map();
+  for (const [logicalId, resource] of Object.entries(template.Resources)) {
+    const path = readCdkPath(resource);
+    if (path)
+      index.set(path, logicalId);
+  }
+  return index;
+}
+
+// src/analyzer/orphan-rewriter.ts
+var AttributeFetcher = class {
+  constructor(orphans, providerRegistry, options) {
+    this.orphans = orphans;
+    this.providerRegistry = providerRegistry;
+    this.options = options;
+  }
+  cache = /* @__PURE__ */ new Map();
+  logger = getLogger().child("OrphanRewriter");
+  /**
+   * Return the orphan's resolved value for `Ref` (its physicalId) — never
+   * needs an AWS call.
+   */
+  ref(orphanLogicalId) {
+    const o = this.orphans[orphanLogicalId];
+    if (!o) {
+      throw new Error(
+        `Internal: Ref to '${orphanLogicalId}' has no orphan entry \u2014 should have been filtered out`
+      );
+    }
+    return o.physicalId;
+  }
+  /**
+   * Return the orphan's resolved value for `Fn::GetAtt`. Hits the live
+   * provider on first call; subsequent calls reuse the cached result.
+   *
+   * Returns `{ ok: true, value }` on success; `{ ok: false, reason }`
+   * when the live fetch failed AND the `--force` cache fallback either
+   * was disabled or also lacked the attribute. In the cache-fallback
+   * success path returns `{ ok: true, value, fromCache: true }`.
+   */
+  async getAtt(orphanLogicalId, attribute) {
+    const cacheKey = `${orphanLogicalId}\0${attribute}`;
+    if (this.cache.has(cacheKey)) {
+      return { ok: true, value: this.cache.get(cacheKey) };
+    }
+    const orphan = this.orphans[orphanLogicalId];
+    if (!orphan) {
+      return {
+        ok: false,
+        reason: `Internal: GetAtt to '${orphanLogicalId}' has no orphan entry`
+      };
+    }
+    let provider;
+    try {
+      provider = this.providerRegistry.getProvider(orphan.resourceType);
+    } catch (err) {
+      return {
+        ok: false,
+        reason: `no provider available for ${orphan.resourceType}: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+    if (!provider.getAttribute) {
+      return this.cacheFallback(
+        orphanLogicalId,
+        attribute,
+        `provider for ${orphan.resourceType} does not implement getAttribute`
+      );
+    }
+    try {
+      const value = await provider.getAttribute(orphan.physicalId, orphan.resourceType, attribute);
+      if (value === void 0) {
+        return this.cacheFallback(
+          orphanLogicalId,
+          attribute,
+          `provider returned undefined for ${orphan.resourceType}.${attribute}`
+        );
+      }
+      this.cache.set(cacheKey, value);
+      return { ok: true, value };
+    } catch (err) {
+      return this.cacheFallback(
+        orphanLogicalId,
+        attribute,
+        err instanceof Error ? err.message : String(err)
+      );
+    }
+  }
+  /**
+   * Try the orphan's `state.attributes[attribute]` as a last-resort value
+   * source under `--force`. Without `--force`, returns the original
+   * failure reason unchanged (caller pushes to `unresolvable`).
+   */
+  cacheFallback(orphanLogicalId, attribute, reason) {
+    if (!this.options.force) {
+      return { ok: false, reason };
+    }
+    const orphan = this.orphans[orphanLogicalId];
+    const cached = orphan.attributes?.[attribute];
+    if (cached === void 0) {
+      this.logger.warn(
+        `--force: state.attributes also lacks '${orphanLogicalId}.${attribute}'; leaving the original intrinsic in place.`
+      );
+      return {
+        ok: false,
+        reason: `${reason}; state.attributes cache also has no value for '${attribute}'`
+      };
+    }
+    this.logger.warn(
+      `--force: live fetch failed for '${orphanLogicalId}.${attribute}' (${reason}); falling back to cached value from state.attributes.`
+    );
+    const cacheKey = `${orphanLogicalId}\0${attribute}`;
+    this.cache.set(cacheKey, cached);
+    return { ok: true, value: cached, fromCache: true };
+  }
+};
+async function rewriteResourceReferences(state, orphanLogicalIds, providerRegistry, options = {}) {
+  const orphanSet = new Set(orphanLogicalIds);
+  const orphans = {};
+  for (const id of orphanLogicalIds) {
+    const r = state.resources[id];
+    if (!r) {
+      throw new Error(`rewriteResourceReferences: orphan '${id}' not found in state.resources`);
+    }
+    orphans[id] = r;
+  }
+  const fetcher = new AttributeFetcher(orphans, providerRegistry, options);
+  const rewrites = [];
+  const unresolvable = [];
+  const newResources = {};
+  for (const [logicalId, resource] of Object.entries(state.resources)) {
+    if (orphanSet.has(logicalId))
+      continue;
+    const rewrittenProperties = await rewriteValue(
+      resource.properties,
+      `properties`,
+      logicalId,
+      orphanSet,
+      fetcher,
+      rewrites,
+      unresolvable
+    );
+    const rewrittenAttributes = resource.attributes ? await rewriteValue(
+      resource.attributes,
+      `attributes`,
+      logicalId,
+      orphanSet,
+      fetcher,
+      rewrites,
+      unresolvable
+    ) : void 0;
+    const newDeps = (resource.dependencies ?? []).filter((dep) => {
+      if (orphanSet.has(dep)) {
+        rewrites.push({
+          logicalId,
+          path: "dependencies",
+          kind: "dependency",
+          before: dep,
+          after: null,
+          orphanLogicalId: dep
+        });
+        return false;
+      }
+      return true;
+    });
+    newResources[logicalId] = {
+      ...resource,
+      properties: rewrittenProperties,
+      ...rewrittenAttributes !== void 0 && {
+        attributes: rewrittenAttributes
+      },
+      dependencies: newDeps
+    };
+  }
+  const newOutputs = {};
+  for (const [name, value] of Object.entries(state.outputs ?? {})) {
+    newOutputs[name] = await rewriteValue(
+      value,
+      `outputs.${name}`,
+      `<output:${name}>`,
+      orphanSet,
+      fetcher,
+      rewrites,
+      unresolvable
+    );
+  }
+  return {
+    state: {
+      ...state,
+      resources: newResources,
+      outputs: newOutputs,
+      lastModified: Date.now()
+    },
+    rewrites,
+    unresolvable
+  };
+}
+async function rewriteValue(value, pathPrefix, ownerLogicalId, orphanSet, fetcher, rewrites, unresolvable) {
+  if (typeof value !== "object" || value === null)
+    return value;
+  if (Array.isArray(value)) {
+    const out2 = [];
+    for (let i = 0; i < value.length; i++) {
+      out2.push(
+        await rewriteValue(
+          value[i],
+          `${pathPrefix}[${i}]`,
+          ownerLogicalId,
+          orphanSet,
+          fetcher,
+          rewrites,
+          unresolvable
+        )
+      );
+    }
+    return out2;
+  }
+  const obj = value;
+  if ("Ref" in obj && Object.keys(obj).length === 1 && typeof obj["Ref"] === "string") {
+    const target = obj["Ref"];
+    if (orphanSet.has(target)) {
+      const replaced = fetcher.ref(target);
+      rewrites.push({
+        logicalId: ownerLogicalId,
+        path: pathPrefix,
+        kind: "ref",
+        before: { Ref: target },
+        after: replaced,
+        orphanLogicalId: target
+      });
+      return replaced;
+    }
+    return value;
+  }
+  if ("Fn::GetAtt" in obj && Object.keys(obj).length === 1) {
+    const arg = obj["Fn::GetAtt"];
+    let target;
+    let attribute;
+    if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && typeof arg[1] === "string") {
+      target = arg[0];
+      attribute = arg[1];
+    } else if (typeof arg === "string") {
+      const dot = arg.indexOf(".");
+      if (dot > 0) {
+        target = arg.slice(0, dot);
+        attribute = arg.slice(dot + 1);
+      }
+    }
+    if (target && attribute && orphanSet.has(target)) {
+      const result = await fetcher.getAtt(target, attribute);
+      if (result.ok) {
+        rewrites.push({
+          logicalId: ownerLogicalId,
+          path: pathPrefix,
+          kind: "getAtt",
+          before: { "Fn::GetAtt": [target, attribute] },
+          after: result.value,
+          orphanLogicalId: target
+        });
+        return result.value;
+      }
+      unresolvable.push({
+        logicalId: ownerLogicalId,
+        path: pathPrefix,
+        orphanLogicalId: target,
+        attribute,
+        reason: result.reason
+      });
+      return value;
+    }
+    return value;
+  }
+  if ("Fn::Sub" in obj && Object.keys(obj).length === 1) {
+    const arg = obj["Fn::Sub"];
+    let template;
+    let varMap;
+    if (typeof arg === "string") {
+      template = arg;
+    } else if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && typeof arg[1] === "object" && arg[1] !== null) {
+      template = arg[0];
+      varMap = arg[1];
+    }
+    if (template !== void 0) {
+      const { rewritten, didChange, hasUnresolvable } = await rewriteSubTemplate(
+        template,
+        ownerLogicalId,
+        pathPrefix,
+        orphanSet,
+        fetcher,
+        rewrites,
+        unresolvable,
+        varMap
+      );
+      if (didChange) {
+        const stillHasIntrinsics = /\$\{[^}]+\}/.test(rewritten);
+        if (varMap && stillHasIntrinsics) {
+          return { "Fn::Sub": [rewritten, varMap] };
+        }
+        if (stillHasIntrinsics) {
+          return { "Fn::Sub": rewritten };
+        }
+        return rewritten;
+      }
+      return value;
+    }
+    return value;
+  }
+  const out = {};
+  for (const [k, v] of Object.entries(obj)) {
+    out[k] = await rewriteValue(
+      v,
+      pathPrefix === "" ? k : `${pathPrefix}.${k}`,
+      ownerLogicalId,
+      orphanSet,
+      fetcher,
+      rewrites,
+      unresolvable
+    );
+  }
+  return out;
+}
+async function rewriteSubTemplate(template, ownerLogicalId, pathPrefix, orphanSet, fetcher, rewrites, unresolvable, varMap) {
+  const placeholderRe = /\$\{([^}]+)\}/g;
+  const matches = [...template.matchAll(placeholderRe)];
+  if (matches.length === 0) {
+    return { rewritten: template, didChange: false, hasUnresolvable: false };
+  }
+  let didChange = false;
+  let hasUnresolvable = false;
+  let cursor = 0;
+  let out = "";
+  for (const m of matches) {
+    const inner = m[1] ?? "";
+    const start = m.index ?? 0;
+    out += template.slice(cursor, start);
+    cursor = start + m[0].length;
+    if (varMap && inner in varMap) {
+      out += m[0];
+      continue;
+    }
+    const dot = inner.indexOf(".");
+    if (dot < 0) {
+      if (orphanSet.has(inner)) {
+        const replaced = fetcher.ref(inner);
+        rewrites.push({
+          logicalId: ownerLogicalId,
+          path: pathPrefix,
+          kind: "sub",
+          before: m[0],
+          after: replaced,
+          orphanLogicalId: inner
+        });
+        out += replaced;
+        didChange = true;
+      } else {
+        out += m[0];
+      }
+    } else {
+      const target = inner.slice(0, dot);
+      const attribute = inner.slice(dot + 1);
+      if (orphanSet.has(target)) {
+        const result = await fetcher.getAtt(target, attribute);
+        if (result.ok) {
+          const stringified = String(result.value);
+          rewrites.push({
+            logicalId: ownerLogicalId,
+            path: pathPrefix,
+            kind: "sub",
+            before: m[0],
+            after: stringified,
+            orphanLogicalId: target
+          });
+          out += stringified;
+          didChange = true;
+        } else {
+          unresolvable.push({
+            logicalId: ownerLogicalId,
+            path: pathPrefix,
+            orphanLogicalId: target,
+            attribute,
+            reason: result.reason
+          });
+          out += m[0];
+          hasUnresolvable = true;
+        }
+      } else {
+        out += m[0];
+      }
+    }
+  }
+  out += template.slice(cursor);
+  return { rewritten: out, didChange, hasUnresolvable };
+}
+
+// src/cli/commands/orphan.ts
+async function orphanCommand(pathArgs, options) {
   const logger = getLogger();
   if (options.verbose)
     logger.setLevel("debug");
   warnIfDeprecatedRegion(options);
+  if (pathArgs.length === 0) {
+    throw new Error(
+      "'cdkd orphan' requires at least one construct path, e.g. 'cdkd orphan MyStack/MyTable'.\n       To remove a stack's state record (the previous behavior), use:\n         cdkd state orphan MyStack"
+    );
+  }
+  for (const p of pathArgs) {
+    if (!p.includes("/")) {
+      throw new Error(
+        `'cdkd orphan' now expects a construct path like 'MyStack/MyTable'.
+       Got: '${p}'
+       To remove a stack's state record (the previous behavior), use:
+         cdkd state orphan ${p}`
+      );
+    }
+  }
   const region = options.region || process.env["AWS_REGION"] || "us-east-1";
   const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
-  logger.info("Starting stack orphan...");
-  logger.debug("Options:", options);
   if (options.region) {
     process.env["AWS_REGION"] = options.region;
     process.env["AWS_DEFAULT_REGION"] = options.region;
@@ -33005,10 +33752,7 @@ async function orphanCommand(stackArgs, options) {
   });
   setAwsClients(awsClients);
   try {
-    const stateConfig = {
-      bucket: stateBucket,
-      prefix: options.statePrefix
-    };
+    const stateConfig = { bucket: stateBucket, prefix: options.statePrefix };
     const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
       ...options.region && { region: options.region },
       ...options.profile && { profile: options.profile }
@@ -33016,150 +33760,245 @@ async function orphanCommand(stackArgs, options) {
     await stateBackend.verifyBucketExists();
     const lockManager = new LockManager(awsClients.s3, stateConfig);
     const appCmd = options.app || resolveApp();
-    let appStacks = [];
-    if (appCmd) {
-      try {
-        const synthesizer = new Synthesizer();
-        const context = parseContextOptions(options.context);
-        const result = await synthesizer.synthesize({
-          app: appCmd,
-          output: options.output || "cdk.out",
-          ...Object.keys(context).length > 0 && { context }
-        });
-        appStacks = result.stacks.map((s) => ({
-          stackName: s.stackName,
-          displayName: s.displayName,
-          ...s.region && { region: s.region }
-        }));
-      } catch {
-        logger.debug("Could not synthesize app, falling back to state-based stack list");
-      }
-    }
-    const allStateRefs = await stateBackend.listStacks();
-    let candidateStacks;
-    if (appStacks.length > 0) {
-      const stateNames = new Set(allStateRefs.map((r) => r.stackName));
-      candidateStacks = appStacks.filter((s) => stateNames.has(s.stackName));
-    } else if (stackArgs.length > 0 || options.stack || options.all) {
-      const seen = /* @__PURE__ */ new Set();
-      candidateStacks = [];
-      for (const ref of allStateRefs) {
-        if (seen.has(ref.stackName))
-          continue;
-        seen.add(ref.stackName);
-        candidateStacks.push({ stackName: ref.stackName });
-      }
-    } else {
-      throw new Error(
-        "Could not determine which stacks belong to this app. Specify stack names explicitly, use --all, or ensure --app / cdk.json is configured."
-      );
-    }
-    const stackPatterns = stackArgs.length > 0 ? stackArgs : options.stack ? [options.stack] : [];
-    let stackNames;
-    if (options.all) {
-      stackNames = candidateStacks.map((s) => s.stackName);
-    } else if (stackPatterns.length > 0) {
-      stackNames = matchStacks(candidateStacks, stackPatterns).map((s) => s.stackName);
-    } else if (candidateStacks.length === 1) {
-      stackNames = candidateStacks.map((s) => s.stackName);
-    } else if (candidateStacks.length === 0) {
-      logger.info("No stacks found in state");
-      return;
-    } else {
+    if (!appCmd) {
       throw new Error(
-        `Multiple stacks found: ${candidateStacks.map(describeStack).join(", ")}. Specify stack name(s) or use --all`
+        "'cdkd orphan' requires a CDK app: pass --app or set it in cdk.json. The template is read to resolve construct paths to logical IDs."
       );
     }
-    if (stackNames.length === 0) {
-      logger.info("No matching stacks found in state");
-      return;
-    }
-    logger.info(`Found ${stackNames.length} stack(s) to orphan: ${stackNames.join(", ")}`);
-    const stateRefsByName = /* @__PURE__ */ new Map();
-    for (const ref of allStateRefs) {
-      const arr = stateRefsByName.get(ref.stackName) ?? [];
-      arr.push(ref);
-      stateRefsByName.set(ref.stackName, arr);
+    logger.info("Synthesizing CDK app to read template...");
+    const synthesizer = new Synthesizer();
+    const context = parseContextOptions(options.context);
+    const result = await synthesizer.synthesize({
+      app: appCmd,
+      output: options.output || "cdk.out",
+      ...Object.keys(context).length > 0 && { context }
+    });
+    const resolved = resolveConstructPaths(pathArgs, result.stacks);
+    const stackInfo = resolved.stack;
+    const orphanLogicalIds = resolved.logicalIds;
+    const targetRegion = await pickStackRegion(
+      stateBackend,
+      stackInfo.stackName,
+      stackInfo.region,
+      options.stackRegion
+    );
+    logger.info(
+      `Target: ${stackInfo.stackName} (${targetRegion}); orphaning ${orphanLogicalIds.length} resource(s): ${orphanLogicalIds.join(", ")}`
+    );
+    const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+    if (!options.dryRun) {
+      await lockManager.acquireLock(stackInfo.stackName, targetRegion, owner, "orphan");
     }
-    const skipConfirmation = options.yes || options.force;
-    for (const stackName of stackNames) {
-      const refs = stateRefsByName.get(stackName) ?? [];
-      if (refs.length === 0) {
-        logger.info(`No state found for stack: ${stackName}, skipping`);
-        continue;
+    try {
+      const stateData = await stateBackend.getState(stackInfo.stackName, targetRegion);
+      if (!stateData) {
+        throw new Error(
+          `No state found for stack '${stackInfo.stackName}' (${targetRegion}). Nothing to orphan. (Did the stack get deployed?)`
+        );
       }
-      const targets = options.stackRegion ? refs.filter((r) => r.region === options.stackRegion) : refs;
-      if (targets.length === 0) {
-        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      const { state, etag, migrationPending } = stateData;
+      const missing = orphanLogicalIds.filter((id) => !(id in state.resources));
+      if (missing.length > 0) {
+        const have = Object.keys(state.resources).join(", ");
         throw new Error(
-          `No state found for stack '${stackName}' in region '${options.stackRegion}'. Available regions: ${seen}.`
+          `Resource(s) not in state for stack '${stackInfo.stackName}' (${targetRegion}): ${missing.join(", ")}.
+Available logical IDs: ${have}`
         );
       }
-      if (!options.force) {
-        for (const target of targets) {
-          const locked = await lockManager.isLocked(stackName, target.region);
-          if (locked) {
-            const where = target.region ?? "(legacy)";
-            throw new Error(
-              `Stack '${stackName}' (${where}) is locked. Run 'cdkd force-unlock ${stackName}${target.region ? ` --stack-region ${target.region}` : ""}' first, or pass --force to orphan anyway.`
-            );
-          }
-        }
+      const providerRegistry = new ProviderRegistry();
+      registerAllProviders(providerRegistry);
+      const rewriteResult = await rewriteResourceReferences(
+        state,
+        orphanLogicalIds,
+        providerRegistry,
+        { force: options.force }
+      );
+      printRewriteSummary(rewriteResult.rewrites, orphanLogicalIds);
+      if (rewriteResult.unresolvable.length > 0 && !options.force) {
+        printUnresolvable(rewriteResult.unresolvable);
+        throw new Error(
+          `Orphan aborted: ${rewriteResult.unresolvable.length} reference(s) could not be resolved.
+Re-run with --force to fall back to cached attribute values from state, or fix the underlying provider/AWS issue and retry.`
+        );
       }
-      if (!skipConfirmation) {
-        const targetList = targets.map((t) => t.region ? `${stackName} (${t.region})` : stackName).join(", ");
-        process.stdout.write(
-          `
-WARNING: This removes cdkd's state record for [${targetList}] only. AWS resources will NOT be deleted.
-Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
-
-`
+      if (rewriteResult.unresolvable.length > 0) {
+        printUnresolvable(rewriteResult.unresolvable);
+        logger.warn(
+          `--force: continuing despite ${rewriteResult.unresolvable.length} unresolved reference(s); the original intrinsic was left in place where the cache also lacked the value.`
         );
-        const rl = readline2.createInterface({
-          input: process.stdin,
-          output: process.stdout
-        });
-        const answer = await rl.question(
-          `Orphan state for ${targetList} from s3://${stateBucket}/${options.statePrefix}/? (y/N): `
+      }
+      if (options.dryRun) {
+        logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
+        return;
+      }
+      if (!options.yes && !options.force) {
+        const ok = await confirmPrompt(
+          `Orphan ${orphanLogicalIds.length} resource(s) from cdkd state for ${stackInfo.stackName} (${targetRegion})? AWS resources will NOT be deleted.`
         );
-        rl.close();
-        const trimmed = answer.trim().toLowerCase();
-        if (trimmed !== "y" && trimmed !== "yes") {
-          logger.info(`Cancelled orphan of stack: ${stackName}`);
-          continue;
+        if (!ok) {
+          logger.info("Orphan cancelled.");
+          return;
         }
       }
-      for (const target of targets) {
-        if (target.region) {
-          await stateBackend.deleteState(stackName, target.region);
-          await lockManager.forceReleaseLock(stackName, target.region);
-        } else {
-          await lockManager.forceReleaseLock(stackName, void 0);
-        }
-        const label = target.region ? `${stackName} (${target.region})` : stackName;
-        logger.info(`\u2713 Orphaned state for stack: ${label}`);
+      await stateBackend.saveState(stackInfo.stackName, targetRegion, rewriteResult.state, {
+        expectedEtag: etag,
+        ...migrationPending && { migrateLegacy: true }
+      });
+      logger.info(
+        `Orphaned ${orphanLogicalIds.length} resource(s) from state: ${stackInfo.stackName} (${targetRegion}). AWS resources are still in AWS; cdkd will no longer manage them.`
+      );
+    } finally {
+      if (!options.dryRun) {
+        await lockManager.releaseLock(stackInfo.stackName, targetRegion).catch((err) => {
+          logger.warn(
+            `Failed to release lock: ${err instanceof Error ? err.message : String(err)}`
+          );
+        });
       }
     }
   } finally {
     awsClients.destroy();
   }
 }
+function resolveConstructPaths(paths, stacks) {
+  const byStackName = /* @__PURE__ */ new Map();
+  const byDisplayName = /* @__PURE__ */ new Map();
+  for (const s of stacks) {
+    byStackName.set(s.stackName, s);
+    byDisplayName.set(s.displayName, s);
+  }
+  let stack;
+  const logicalIds = [];
+  for (const p of paths) {
+    const slash = p.indexOf("/");
+    if (slash <= 0 || slash === p.length - 1) {
+      throw new Error(`Invalid construct path '${p}'. Expected '<StackName>/<Path/To/Resource>'.`);
+    }
+    const head = p.slice(0, slash);
+    const candidate = byDisplayName.get(head) ?? byStackName.get(head);
+    if (!candidate) {
+      const available = stacks.map((s) => s.displayName ?? s.stackName).join(", ");
+      throw new Error(
+        `Construct path '${p}': stack '${head}' not found in synthesized app. Available: ${available}`
+      );
+    }
+    if (stack === void 0) {
+      stack = candidate;
+    } else if (stack.stackName !== candidate.stackName) {
+      throw new Error(
+        `All construct paths must reference the same stack. Got '${stack.stackName}' and '${candidate.stackName}'. Run 'cdkd orphan' once per stack.`
+      );
+    }
+    const cdkPath = p;
+    const index = buildCdkPathIndex(candidate.template);
+    const logicalId = index.get(cdkPath);
+    if (!logicalId) {
+      const available = [...index.keys()].sort().join("\n  ");
+      throw new Error(
+        `Construct path '${cdkPath}' not found in template for stack '${candidate.stackName}'.
+Available paths:
+  ${available}`
+      );
+    }
+    if (!logicalIds.includes(logicalId)) {
+      logicalIds.push(logicalId);
+    }
+  }
+  if (!stack) {
+    throw new Error("No construct paths supplied.");
+  }
+  return { stack, logicalIds };
+}
+async function pickStackRegion(stateBackend, stackName, synthRegion, flag) {
+  const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
+  if (refs.length === 0) {
+    if (flag)
+      return flag;
+    if (synthRegion)
+      return synthRegion;
+    throw new Error(
+      `No state found for stack '${stackName}'. Run 'cdkd state list' to see available stacks.`
+    );
+  }
+  if (flag) {
+    const found = refs.find((r) => r.region === flag);
+    if (!found) {
+      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      throw new Error(
+        `No state found for stack '${stackName}' in region '${flag}'. Available regions: ${seen}.`
+      );
+    }
+    return flag;
+  }
+  if (synthRegion) {
+    const found = refs.find((r) => r.region === synthRegion);
+    if (found)
+      return synthRegion;
+  }
+  if (refs.length === 1) {
+    return refs[0].region ?? synthRegion ?? "";
+  }
+  const regions = refs.map((r) => r.region ?? "(legacy)").join(", ");
+  throw new Error(
+    `Stack '${stackName}' has state in multiple regions: ${regions}. Re-run with --stack-region <region> to disambiguate.`
+  );
+}
+function printRewriteSummary(rewrites, orphanLogicalIds) {
+  const logger = getLogger();
+  logger.info("");
+  logger.info(`Orphaning ${orphanLogicalIds.length} resource(s): ${orphanLogicalIds.join(", ")}`);
+  if (rewrites.length === 0) {
+    logger.info("  No sibling references \u2014 every reference was already to a non-orphan resource.");
+    return;
+  }
+  logger.info(`Applied ${rewrites.length} rewrite(s):`);
+  for (const r of rewrites) {
+    const before = stringifyForAudit(r.before);
+    const after = r.kind === "dependency" ? "(dropped)" : stringifyForAudit(r.after);
+    logger.info(`  [${r.kind}] ${r.logicalId}.${r.path}: ${before} \u2192 ${after}`);
+  }
+}
+function printUnresolvable(unresolvable) {
+  const logger = getLogger();
+  logger.error(`${unresolvable.length} reference(s) could not be resolved:`);
+  for (const u of unresolvable) {
+    logger.error(`  ${u.logicalId}.${u.path}: ${u.orphanLogicalId}.${u.attribute} \u2014 ${u.reason}`);
+  }
+}
+function stringifyForAudit(value) {
+  if (typeof value === "string")
+    return JSON.stringify(value);
+  return JSON.stringify(value);
+}
+async function confirmPrompt(prompt) {
+  const rl = readline2.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
 function createOrphanCommand() {
   const cmd = new Command7("orphan").description(
-    "Remove cdkd's state record for one or more stacks (does NOT delete AWS resources). Synth-driven; for the CDK-app-free version use 'cdkd state orphan'."
+    "Remove one or more resources from cdkd state by construct path (does NOT delete AWS resources). Mirrors aws-cdk-cli's 'cdk orphan --unstable=orphan'. Synth-driven; for the previous whole-stack-orphan behavior, use 'cdkd state orphan <stack>'."
   ).argument(
-    "[stacks...]",
-    "Stack name(s) to orphan. Accepts physical CloudFormation names (e.g. 'MyStage-Api') or CDK display paths (e.g. 'MyStage/Api'). Supports wildcards (e.g. 'MyStage/*')."
-  ).option("--all", "Orphan all stacks in the current app", false).option(
+    "<paths...>",
+    "Construct paths to orphan, e.g. 'MyStack/MyTable'. Multiple paths must reference the same stack."
+  ).option(
     "--stack-region <region>",
     "Region of the stack record to operate on. Required when the same stack name has state in multiple regions."
+  ).option(
+    "--dry-run",
+    "Compute and print the rewrite audit table without acquiring a lock or saving state.",
+    false
   ).action(withErrorHandling(orphanCommand));
   [
     ...commonOptions,
     ...appOptions,
     ...stateOptions,
-    ...stackOptions,
     ...destroyOptions,
+    // adds -f / --force (escape hatch for unresolvable references + skip confirm)
     ...contextOptions
   ].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
@@ -33351,7 +34190,7 @@ async function stateMigrateCommand(options) {
       }
       if (!options.yes) {
         const action = options.removeLegacy ? "and DELETE the source bucket" : "(source bucket will be kept)";
-        const ok = await confirmPrompt(
+        const ok = await confirmPrompt2(
           `Copy ${sourceObjects.length} object(s) from ${legacyBucket} -> ${newBucket} ${action}?`
         );
         if (!ok) {
@@ -33556,7 +34395,7 @@ async function emptyBucketAllVersions(s3, bucket) {
     versionIdMarker = resp.NextVersionIdMarker;
   } while (keyMarker || versionIdMarker);
 }
-async function confirmPrompt(prompt) {
+async function confirmPrompt2(prompt) {
   const rl = readline3.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
@@ -34013,8 +34852,8 @@ async function stateDestroyCommand(stackArgs, options) {
     process.env["CDKD_NO_LIVE"] = "1";
   }
   validateResourceTimeouts({
-    resourceWarnAfter: options.resourceWarnAfter,
-    resourceTimeout: options.resourceTimeout
+    ...options.resourceWarnAfter && { resourceWarnAfter: options.resourceWarnAfter },
+    ...options.resourceTimeout && { resourceTimeout: options.resourceTimeout }
   });
   if (!options.all && stackArgs.length === 0) {
     throw new Error(
@@ -34116,8 +34955,18 @@ Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
           // skipped when `options.yes` is set OR `--all` was set (the user
           // already accepted the batch prompt).
           skipConfirmation: options.yes || options.all === true,
-          resourceWarnAfterMs: options.resourceWarnAfter,
-          resourceTimeoutMs: options.resourceTimeout
+          ...options.resourceWarnAfter?.globalMs !== void 0 && {
+            resourceWarnAfterMs: options.resourceWarnAfter.globalMs
+          },
+          ...options.resourceTimeout?.globalMs !== void 0 && {
+            resourceTimeoutMs: options.resourceTimeout.globalMs
+          },
+          ...options.resourceWarnAfter?.perTypeMs && {
+            resourceWarnAfterByType: options.resourceWarnAfter.perTypeMs
+          },
+          ...options.resourceTimeout?.perTypeMs && {
+            resourceTimeoutByType: options.resourceTimeout.perTypeMs
+          }
         });
         totalErrors += result.errorCount;
       }
@@ -34285,7 +35134,7 @@ function createStateCommand() {
 }
 
 // src/cli/commands/import.ts
-import { readFileSync as readFileSync5 } from "node:fs";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "node:fs";
 import * as readline5 from "node:readline/promises";
 import { Command as Command12 } from "commander";
 init_aws_clients();
@@ -34404,6 +35253,9 @@ async function importCommand(stackArg, options) {
         rows.push(outcome);
       }
       printSummary(rows);
+      if (options.recordResourceMapping) {
+        writeRecordedMapping(options.recordResourceMapping, rows);
+      }
       if (options.dryRun) {
         logger.info("--dry-run: state will NOT be written. Re-run without --dry-run to apply.");
         return;
@@ -34414,7 +35266,7 @@ async function importCommand(stackArg, options) {
         return;
       }
       if (!options.yes) {
-        const ok = await confirmPrompt2(
+        const ok = await confirmPrompt3(
           `Write state for ${stackInfo.stackName} (${targetRegion}) with ${importedRows.length} resource(s)?`
         );
         if (!ok) {
@@ -34557,12 +35409,24 @@ function parseMappingJson(raw, source) {
   }
   return out;
 }
-function readCdkPath(resource) {
-  const meta = resource.Metadata;
-  if (!meta)
-    return "";
-  const v = meta["aws:cdk:path"];
-  return typeof v === "string" ? v : "";
+function writeRecordedMapping(filePath, rows) {
+  const logger = getLogger();
+  const map = {};
+  for (const row of rows) {
+    if (row.outcome === "imported" && row.physicalId) {
+      map[row.logicalId] = row.physicalId;
+    }
+  }
+  const body = JSON.stringify(map, null, 2) + "\n";
+  try {
+    writeFileSync4(filePath, body, "utf-8");
+    logger.info(`Wrote resolved mapping to ${filePath} (${Object.keys(map).length} entry(ies))`);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    logger.error(
+      `Failed to write --record-resource-mapping file '${filePath}': ${msg}. Continuing \u2014 the import already resolved every physical id in memory.`
+    );
+  }
 }
 function collectImportableResources(template) {
   const out = [];
@@ -34635,7 +35499,7 @@ function formatOutcome(outcome) {
       return "\u2717";
   }
 }
-async function confirmPrompt2(prompt) {
+async function confirmPrompt3(prompt) {
   const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
   try {
     const ans = await rl.question(`${prompt} [y/N] `);
@@ -34661,6 +35525,9 @@ function createImportCommand() {
   ).option(
     "--resource-mapping-inline <json>",
     "Inline JSON object of {logicalId: physicalId} overrides (CDK CLI `cdk import --resource-mapping-inline` compatible). Same shape as --resource-mapping but supplied as a string \u2014 useful for non-TTY CI scripts that do not want a separate file. Implies selective mode unless --auto is set. Mutually exclusive with --resource-mapping."
+  ).option(
+    "--record-resource-mapping <file>",
+    'After cdkd resolves every logical ID (via --resource / --resource-mapping / tag-based auto-lookup), write the resulting {logicalId: physicalId} map to <file> as JSON. Useful in auto / hybrid mode for capturing the tag-resolved mapping and feeding it back as --resource-mapping in non-interactive CI re-runs. Written before the confirmation prompt (so the user can review the file before saying "yes") and even when the user says "no". Mirrors `cdk import --record-resource-mapping`.'
   ).option(
     "--auto",
     "Hybrid mode: when explicit overrides are supplied, ALSO tag-import every other resource in the template. Without this flag, --resource / --resource-mapping behave as a whitelist (CDK CLI parity).",
@@ -34706,7 +35573,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.25.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.27.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());