@go-to-k/cdkd 0.33.0 → 0.35.0

package/dist/cli.js

@@ -447,7 +447,7 @@ var init_aws_clients = __esm({
 });
 
 // src/cli/index.ts
-import { Command as Command13 } from "commander";
+import { Command as Command14 } from "commander";
 
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -477,6 +477,10 @@ function parseContextOptions(contextArgs) {
 var commonOptions = [
   new Option("--verbose", "Enable verbose logging").default(false),
   new Option("--profile <profile>", "AWS profile"),
+  new Option(
+    "--role-arn <arn>",
+    "IAM role ARN to assume for AWS API calls (env: CDKD_ROLE_ARN); the role MUST have admin-equivalent permissions because cdkd issues raw service API calls and does not route through CloudFormation, so CDK CLI deploy-roles will NOT work"
+  ),
   new Option(
     "-y, --yes",
     "Automatically answer interactive prompts with the recommended response (e.g. confirm destroy)"
@@ -1202,7 +1206,10 @@ Caused by: ${error.cause.message}`;
 }
 function handleError(error) {
   const logger = getLogger();
-  logger.error(formatError(error));
+  const silent = error instanceof CdkdError && error.silent;
+  if (!silent) {
+    logger.error(formatError(error));
+  }
   if (error instanceof Error && error.stack) {
     logger.debug("Stack trace:", error.stack);
   }
@@ -1256,6 +1263,41 @@ function normalizeAwsError(err, context = {}) {
 // src/cli/commands/bootstrap.ts
 init_aws_clients();
 
+// src/utils/role-arn.ts
+import { STSClient as STSClient2, AssumeRoleCommand } from "@aws-sdk/client-sts";
+async function applyRoleArnIfSet(opts) {
+  const roleArn = opts.roleArn || process.env["CDKD_ROLE_ARN"];
+  if (!roleArn)
+    return;
+  const logger = getLogger().child("role-arn");
+  logger.debug(`Assuming role ${roleArn}...`);
+  const sts = new STSClient2({ ...opts.region && { region: opts.region } });
+  try {
+    const response = await sts.send(
+      new AssumeRoleCommand({
+        RoleArn: roleArn,
+        RoleSessionName: `cdkd-${Date.now()}`,
+        DurationSeconds: 3600
+      })
+    );
+    if (!response.Credentials) {
+      throw new Error(`AssumeRole returned no credentials for role ${roleArn}`);
+    }
+    const { AccessKeyId, SecretAccessKey, SessionToken, Expiration } = response.Credentials;
+    if (!AccessKeyId || !SecretAccessKey || !SessionToken) {
+      throw new Error(`AssumeRole response missing credentials fields for role ${roleArn}`);
+    }
+    process.env["AWS_ACCESS_KEY_ID"] = AccessKeyId;
+    process.env["AWS_SECRET_ACCESS_KEY"] = SecretAccessKey;
+    process.env["AWS_SESSION_TOKEN"] = SessionToken;
+    logger.info(
+      `Assumed role ${roleArn} (session expires ${Expiration?.toISOString() ?? "unknown"})`
+    );
+  } finally {
+    sts.destroy();
+  }
+}
+
 // src/cli/config-loader.ts
 import { readFileSync, existsSync } from "node:fs";
 import { resolve, join } from "node:path";
@@ -1409,6 +1451,7 @@ async function bootstrapCommand(options) {
   }
   logger.info("Starting cdkd bootstrap...");
   logger.debug("Options:", options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const awsClients = new AwsClients({
     ...options.region && { region: options.region },
     ...options.profile && { profile: options.profile }
@@ -1553,7 +1596,7 @@ import { join as join4 } from "path";
 // src/synthesis/synthesizer.ts
 import { existsSync as existsSync3, mkdirSync, statSync } from "node:fs";
 import { resolve as resolve3 } from "node:path";
-import { GetCallerIdentityCommand as GetCallerIdentityCommand2, STSClient as STSClient2 } from "@aws-sdk/client-sts";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand2, STSClient as STSClient3 } from "@aws-sdk/client-sts";
 
 // src/synthesis/app-executor.ts
 import { spawn } from "node:child_process";
@@ -2744,7 +2787,7 @@ var Synthesizer = class {
     const region = options.region || process.env["AWS_REGION"] || process.env["AWS_DEFAULT_REGION"];
     let accountId;
     try {
-      const stsClient = new STSClient2({ ...region && { region } });
+      const stsClient = new STSClient3({ ...region && { region } });
       const identity = await stsClient.send(new GetCallerIdentityCommand2({}));
       accountId = identity.Account;
       stsClient.destroy();
@@ -2876,6 +2919,7 @@ async function synthCommand(options) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const app = resolveApp(options.app);
   if (!app) {
     throw new Error(
@@ -3007,6 +3051,7 @@ async function listCommand(patterns, options) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const app = resolveApp(options.app);
   if (!app) {
     throw new Error(
@@ -3597,8 +3642,8 @@ var AssetPublisher = class {
       const region = options.region || process.env["AWS_REGION"] || "us-east-1";
       let accountId = options.accountId;
       if (!accountId) {
-        const { STSClient: STSClient9, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
-        const stsClient = new STSClient9({ region });
+        const { STSClient: STSClient10, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+        const stsClient = new STSClient10({ region });
         const identity = await stsClient.send(new GetCallerIdentityCommand11({}));
         accountId = identity.Account;
         stsClient.destroy();
@@ -7537,6 +7582,50 @@ Error: ${err.message || "Unknown error"}`,
     }
     return resourceType.startsWith("AWS::");
   }
+  /**
+   * Read the AWS-current properties of a resource managed via Cloud Control
+   * API, for `cdkd drift` comparison.
+   *
+   * Strategy: `GetResource(TypeName, Identifier)` returns `ResourceModel` as
+   * a JSON string of every property AWS reports for the resource. Parse and
+   * surface it as the AWS-current snapshot — the drift command intersects
+   * this against the keys present in cdkd state, so AWS-only keys (timestamps,
+   * generated ids, etc.) are filtered out at compare time.
+   *
+   * Returns `undefined` for the unique cases that mean "drift unknown" (the
+   * resource was deleted out from under cdkd, or the response had no
+   * Properties field). Re-throws on any other error so the drift command can
+   * surface throttling / access-denied issues to the user.
+   *
+   * This single CC API implementation gives drift detection coverage to every
+   * resource type that goes through CC API — the majority of cdkd's surface.
+   * SDK Providers add their own `readCurrentState` incrementally (PR D).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    try {
+      const response = await this.cloudControlClient.send(
+        new GetResourceCommand2({
+          TypeName: resourceType,
+          Identifier: physicalId
+        })
+      );
+      const raw = response.ResourceDescription?.Properties;
+      if (typeof raw !== "string" || raw.length === 0) {
+        return void 0;
+      }
+      const parsed = JSON.parse(raw);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return void 0;
+      }
+      return parsed;
+    } catch (error) {
+      const err = error;
+      if (err.name === "ResourceNotFoundException") {
+        return void 0;
+      }
+      throw error;
+    }
+  }
   /**
    * Adopt an already-deployed resource into cdkd state via Cloud Control API.
    *
@@ -25556,7 +25645,7 @@ import {
   ModifyCacheClusterCommand,
   ListTagsForResourceCommand as ListTagsForResourceCommand14
 } from "@aws-sdk/client-elasticache";
-import { STSClient as STSClient5, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
+import { STSClient as STSClient6, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
 var ElastiCacheProvider = class {
   client;
   stsClient;
@@ -26079,7 +26168,7 @@ var ElastiCacheProvider = class {
     if (this.cachedAccountId)
       return this.cachedAccountId;
     if (!this.stsClient) {
-      this.stsClient = new STSClient5(this.providerRegion ? { region: this.providerRegion } : {});
+      this.stsClient = new STSClient6(this.providerRegion ? { region: this.providerRegion } : {});
     }
     const identity = await this.stsClient.send(new GetCallerIdentityCommand6({}));
     if (!identity.Account) {
@@ -26106,7 +26195,7 @@ import {
   NamespaceNotFound,
   ServiceNotFound
 } from "@aws-sdk/client-servicediscovery";
-import { STSClient as STSClient6, GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
+import { STSClient as STSClient7, GetCallerIdentityCommand as GetCallerIdentityCommand7 } from "@aws-sdk/client-sts";
 var ServiceDiscoveryProvider = class {
   client;
   stsClient;
@@ -26138,7 +26227,7 @@ var ServiceDiscoveryProvider = class {
   }
   getStsClient() {
     if (!this.stsClient) {
-      this.stsClient = new STSClient6(this.providerRegion ? { region: this.providerRegion } : {});
+      this.stsClient = new STSClient7(this.providerRegion ? { region: this.providerRegion } : {});
     }
     return this.stsClient;
   }
@@ -27121,7 +27210,7 @@ import {
   GetTagsCommand,
   EntityNotFoundException
 } from "@aws-sdk/client-glue";
-import { STSClient as STSClient7, GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
+import { STSClient as STSClient8, GetCallerIdentityCommand as GetCallerIdentityCommand8 } from "@aws-sdk/client-sts";
 var GlueProvider = class {
   client;
   stsClient;
@@ -27648,7 +27737,7 @@ var GlueProvider = class {
     if (this.cachedAccountId)
       return this.cachedAccountId;
     if (!this.stsClient) {
-      this.stsClient = new STSClient7(this.providerRegion ? { region: this.providerRegion } : {});
+      this.stsClient = new STSClient8(this.providerRegion ? { region: this.providerRegion } : {});
     }
     const identity = await this.stsClient.send(new GetCallerIdentityCommand8({}));
     if (!identity.Account) {
@@ -32919,6 +33008,7 @@ async function deployCommand(stacks, options) {
     ...options.resourceWarnAfter && { resourceWarnAfter: options.resourceWarnAfter },
     ...options.resourceTimeout && { resourceTimeout: options.resourceTimeout }
   });
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   if (!options.wait) {
     process.env["CDKD_NO_WAIT"] = "true";
   }
@@ -33020,8 +33110,8 @@ async function deployCommand(stacks, options) {
         addDependencies(stack.stackName);
       }
     }
-    const { STSClient: STSClient9, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
-    const stsClient = new STSClient9({
+    const { STSClient: STSClient10, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+    const stsClient = new STSClient10({
       region: options.region || process.env["AWS_REGION"] || "us-east-1"
     });
     const callerIdentity = await stsClient.send(new GetCallerIdentityCommand11({}));
@@ -33265,6 +33355,7 @@ async function diffCommand(stacks, options) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const app = resolveApp(options.app);
   if (!app) {
     throw new Error(
@@ -33412,8 +33503,321 @@ function createDiffCommand() {
   return cmd;
 }
 
+// src/cli/commands/drift.ts
+import { Command as Command6, Option as Option3 } from "commander";
+init_aws_clients();
+
+// src/analyzer/drift-calculator.ts
+function calculateResourceDrift(stateProperties, awsProperties) {
+  const drifts = [];
+  for (const key of Object.keys(stateProperties)) {
+    diffAt(key, stateProperties[key], awsProperties[key], drifts);
+  }
+  return drifts;
+}
+function diffAt(path, stateValue, awsValue, out) {
+  if (deepEqual(stateValue, awsValue))
+    return;
+  if (isPlainObject(stateValue) && isPlainObject(awsValue) && !Array.isArray(stateValue) && !Array.isArray(awsValue)) {
+    for (const key of Object.keys(stateValue)) {
+      diffAt(`${path}.${key}`, stateValue[key], awsValue[key], out);
+    }
+    return;
+  }
+  out.push({ path, stateValue, awsValue });
+}
+function deepEqual(a, b) {
+  if (a === b)
+    return true;
+  if (a === null || b === null || a === void 0 || b === void 0) {
+    return a === b;
+  }
+  if (typeof a !== typeof b)
+    return false;
+  if (typeof a !== "object")
+    return false;
+  if (Array.isArray(a) || Array.isArray(b)) {
+    if (!Array.isArray(a) || !Array.isArray(b))
+      return false;
+    if (a.length !== b.length)
+      return false;
+    return a.every((v, i) => deepEqual(v, b[i]));
+  }
+  const aObj = a;
+  const bObj = b;
+  const aKeys = Object.keys(aObj);
+  const bKeys = Object.keys(bObj);
+  if (aKeys.length !== bKeys.length)
+    return false;
+  for (const key of aKeys) {
+    if (!Object.prototype.hasOwnProperty.call(bObj, key))
+      return false;
+    if (!deepEqual(aObj[key], bObj[key]))
+      return false;
+  }
+  return true;
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null;
+}
+
+// src/cli/commands/drift.ts
+var DriftDetectedError = class _DriftDetectedError extends CdkdError {
+  silent = true;
+  constructor() {
+    super("drift detected", "DRIFT_DETECTED");
+    this.name = "DriftDetectedError";
+    Object.setPrototypeOf(this, _DriftDetectedError.prototype);
+  }
+};
+async function driftCommand(stacks, options) {
+  const logger = getLogger();
+  if (options.verbose) {
+    logger.setLevel("debug");
+  }
+  warnIfDeprecatedRegion(options);
+  if (!options.all && stacks.length === 0) {
+    throw new Error("Stack name is required. Usage: cdkd drift <stack> [<stack>...] | --all");
+  }
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
+  const awsClients = new AwsClients({
+    ...options.region && { region: options.region },
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+    const bucket = await resolveStateBucketWithDefault(options.stateBucket, region);
+    const prefix = options.statePrefix;
+    const stateBackend = new S3StateBackend(
+      awsClients.s3,
+      { bucket, prefix },
+      {
+        region,
+        ...options.profile && { profile: options.profile }
+      }
+    );
+    await stateBackend.verifyBucketExists();
+    const providerRegistry = new ProviderRegistry();
+    registerAllProviders(providerRegistry);
+    providerRegistry.setCustomResourceResponseBucket(bucket);
+    const stateRefs = await stateBackend.listStacks();
+    const targetRefs = resolveTargetRefs(stacks, stateRefs, options);
+    const reports = [];
+    for (const ref of targetRefs) {
+      if (!ref.region) {
+        throw new Error(
+          `Stack '${ref.stackName}' has only a legacy state record without a region. Run 'cdkd deploy ${ref.stackName}' (or any cdkd write) to migrate it to the region-scoped layout, then re-run drift detection.`
+        );
+      }
+      const report = await runDriftForStack(
+        ref.stackName,
+        ref.region,
+        stateBackend,
+        providerRegistry
+      );
+      reports.push(report);
+    }
+    if (options.json) {
+      writeJsonReport(reports);
+    } else {
+      writeHumanReport(reports);
+    }
+    const drifted = reports.some((r) => r.outcomes.some((o) => o.kind === "drifted"));
+    if (drifted) {
+      throw new DriftDetectedError();
+    }
+  } finally {
+    awsClients.destroy();
+  }
+}
+function resolveTargetRefs(stacks, stateRefs, options) {
+  if (options.all) {
+    if (stateRefs.length === 0) {
+      throw new Error("No stacks found in state bucket.");
+    }
+    if (options.stackRegion) {
+      return stateRefs.filter((r) => r.region === options.stackRegion);
+    }
+    return stateRefs;
+  }
+  const out = [];
+  for (const stackName of stacks) {
+    const matches = stateRefs.filter((r) => r.stackName === stackName);
+    if (matches.length === 0) {
+      throw new Error(
+        `No state found for stack '${stackName}'. Run 'cdkd state list' to see available stacks.`
+      );
+    }
+    if (options.stackRegion) {
+      const ref = matches.find((r) => r.region === options.stackRegion);
+      if (!ref) {
+        const seen = matches.map((r) => r.region ?? "(legacy)").join(", ");
+        throw new Error(
+          `No state found for stack '${stackName}' in region '${options.stackRegion}'. Available regions: ${seen}.`
+        );
+      }
+      out.push(ref);
+      continue;
+    }
+    if (matches.length === 1) {
+      out.push(matches[0]);
+      continue;
+    }
+    const regions = matches.map((r) => r.region ?? "(legacy)").join(", ");
+    throw new Error(
+      `Stack '${stackName}' has state in multiple regions: ${regions}. Re-run with --stack-region <region> to disambiguate.`
+    );
+  }
+  return out;
+}
+async function runDriftForStack(stackName, region, stateBackend, providerRegistry) {
+  const result = await stateBackend.getState(stackName, region);
+  if (!result) {
+    throw new Error(
+      `No state found for stack '${stackName}' (${region}). Run 'cdkd state list' to see available stacks.`
+    );
+  }
+  return await withStackName(stackName, async () => {
+    const outcomes = [];
+    const state = result.state;
+    const entries = Object.entries(state.resources ?? {}).sort(([a], [b]) => a.localeCompare(b));
+    for (const [logicalId, resource] of entries) {
+      if (providerRegistry.shouldSkipResource(resource.resourceType)) {
+        continue;
+      }
+      let provider;
+      try {
+        provider = providerRegistry.getProvider(resource.resourceType);
+      } catch {
+        outcomes.push({
+          kind: "unsupported",
+          logicalId,
+          resourceType: resource.resourceType
+        });
+        continue;
+      }
+      if (!provider.readCurrentState) {
+        outcomes.push({
+          kind: "unsupported",
+          logicalId,
+          resourceType: resource.resourceType
+        });
+        continue;
+      }
+      const aws = await provider.readCurrentState(
+        resource.physicalId,
+        logicalId,
+        resource.resourceType
+      );
+      if (aws === void 0) {
+        outcomes.push({
+          kind: "unsupported",
+          logicalId,
+          resourceType: resource.resourceType
+        });
+        continue;
+      }
+      const changes = calculateResourceDrift(resource.properties ?? {}, aws);
+      if (changes.length === 0) {
+        outcomes.push({ kind: "clean", logicalId, resourceType: resource.resourceType });
+      } else {
+        outcomes.push({
+          kind: "drifted",
+          logicalId,
+          resourceType: resource.resourceType,
+          changes
+        });
+      }
+    }
+    return { stackName, region, outcomes };
+  });
+}
+function writeJsonReport(reports) {
+  const payload = reports.map((r) => {
+    const drifted = r.outcomes.filter((o) => o.kind === "drifted").map((o) => ({ logicalId: o.logicalId, type: o.resourceType, changes: o.changes }));
+    const clean = r.outcomes.filter((o) => o.kind === "clean").map((o) => ({ logicalId: o.logicalId, type: o.resourceType }));
+    const notSupported = r.outcomes.filter((o) => o.kind === "unsupported").map((o) => ({ logicalId: o.logicalId, type: o.resourceType }));
+    return { stack: r.stackName, region: r.region, drifted, clean, notSupported };
+  });
+  process.stdout.write(`${JSON.stringify(payload, null, 2)}
+`);
+}
+function writeHumanReport(reports) {
+  for (const report of reports) {
+    const drifted = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    const unsupported = report.outcomes.filter(
+      (o) => o.kind === "unsupported"
+    );
+    const total = report.outcomes.length;
+    if (drifted.length === 0) {
+      process.stdout.write(
+        `\u2713 ${report.stackName} (${report.region}): no drift detected (${total} resource${total === 1 ? "" : "s"} checked, ${unsupported.length} unsupported)
+`
+      );
+    } else {
+      const word = drifted.length === 1 ? "resource" : "resources";
+      process.stdout.write(
+        `
+\u26A0 ${report.stackName} (${report.region}): drift detected on ${drifted.length} ${word}
+
+`
+      );
+      for (const o of drifted) {
+        process.stdout.write(`  ~ ${o.logicalId} (${o.resourceType})
+`);
+        for (const change of o.changes) {
+          process.stdout.write(`    - ${change.path}: ${formatScalar(change.stateValue)}
+`);
+          process.stdout.write(`    + ${change.path}: ${formatScalar(change.awsValue)}
+`);
+        }
+        process.stdout.write("\n");
+      }
+    }
+    if (unsupported.length > 0) {
+      process.stdout.write(
+        `
+  ${unsupported.length} resource(s) reported as drift unknown \u2014 provider does not yet support drift detection:
+`
+      );
+      for (const o of unsupported) {
+        process.stdout.write(`    ? ${o.logicalId} (${o.resourceType})
+`);
+      }
+    }
+  }
+}
+function formatScalar(value) {
+  if (value === null)
+    return "null";
+  if (value === void 0)
+    return "undefined";
+  if (typeof value === "string")
+    return value;
+  if (typeof value === "number" || typeof value === "boolean")
+    return String(value);
+  return JSON.stringify(value);
+}
+function stackRegionOption() {
+  return new Option3(
+    "--stack-region <region>",
+    "Region of the stack record to inspect. Required when the same stack name has state in multiple regions."
+  );
+}
+function createDriftCommand() {
+  const cmd = new Command6("drift").description(
+    "Detect drift between cdkd state and AWS reality. Exits 0 when no drift, 1 when drift is detected."
+  ).argument("[stacks...]", "Stack name(s) to check (physical CloudFormation names)").option("--all", "Check every stack in the state bucket", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(driftCommand));
+  [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
+  return cmd;
+}
+
 // src/cli/commands/destroy.ts
-import { Command as Command6 } from "commander";
+import { Command as Command7 } from "commander";
 init_aws_clients();
 
 // src/cli/commands/destroy-runner.ts
@@ -33677,6 +34081,7 @@ async function destroyCommand(stackArgs, options) {
     ...options.resourceWarnAfter && { resourceWarnAfter: options.resourceWarnAfter },
     ...options.resourceTimeout && { resourceTimeout: options.resourceTimeout }
   });
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const region = options.region || process.env["AWS_REGION"] || "us-east-1";
   const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
   logger.info("Starting stack destruction...");
@@ -33835,7 +34240,7 @@ Preparing to destroy stack: ${stackName}`);
   }
 }
 function createDestroyCommand() {
-  const cmd = new Command6("destroy").description("Destroy all resources in the stack").argument(
+  const cmd = new Command7("destroy").description("Destroy all resources in the stack").argument(
     "[stacks...]",
     "Stack name(s) to destroy. Accepts physical CloudFormation names (e.g. 'MyStage-Api') or CDK display paths (e.g. 'MyStage/Api'). Supports wildcards (e.g. 'MyStage/*')."
   ).option("--all", "Destroy all stacks", false).action(withErrorHandling(destroyCommand));
@@ -33854,7 +34259,7 @@ function createDestroyCommand() {
 
 // src/cli/commands/orphan.ts
 import * as readline2 from "node:readline/promises";
-import { Command as Command7 } from "commander";
+import { Command as Command8 } from "commander";
 init_aws_clients();
 
 // src/cli/cdk-path.ts
@@ -34278,6 +34683,7 @@ async function orphanCommand(pathArgs, options) {
   if (options.verbose)
     logger.setLevel("debug");
   warnIfDeprecatedRegion(options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   if (pathArgs.length === 0) {
     throw new Error(
       "'cdkd orphan' requires at least one construct path, e.g. 'cdkd orphan MyStack/MyTable'.\n       To remove a stack's state record (the previous behavior), use:\n         cdkd state orphan MyStack"
@@ -34534,7 +34940,7 @@ async function confirmPrompt(prompt) {
   }
 }
 function createOrphanCommand() {
-  const cmd = new Command7("orphan").description(
+  const cmd = new Command8("orphan").description(
     "Remove one or more resources from cdkd state by construct path (does NOT delete AWS resources). Mirrors aws-cdk-cli's 'cdk orphan --unstable=orphan'. Synth-driven; for the previous whole-stack-orphan behavior, use 'cdkd state orphan <stack>'."
   ).argument(
     "<paths...>",
@@ -34560,13 +34966,14 @@ function createOrphanCommand() {
 }
 
 // src/cli/commands/publish-assets.ts
-import { Option as Option3, Command as Command8 } from "commander";
+import { Option as Option4, Command as Command9 } from "commander";
 async function publishAssetsCommand(options) {
   const logger = getLogger();
   if (options.verbose) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   logger.info("Publishing assets...");
   logger.debug("Asset manifest path:", options.path);
   const publisher = new AssetPublisher();
@@ -34579,13 +34986,13 @@ async function publishAssetsCommand(options) {
   logger.info("\u2705 Asset publishing complete");
 }
 function createPublishAssetsCommand() {
-  const cmd = new Command8("publish-assets").description("Publish assets to S3/ECR from asset manifest").requiredOption("--path <path>", "Path to asset manifest file or directory").addOption(
-    new Option3(
+  const cmd = new Command9("publish-assets").description("Publish assets to S3/ECR from asset manifest").requiredOption("--path <path>", "Path to asset manifest file or directory").addOption(
+    new Option4(
       "--asset-publish-concurrency <number>",
       "Maximum concurrent asset publish operations"
     ).default(8).argParser((value) => parseInt(value, 10))
   ).addOption(
-    new Option3("--image-build-concurrency <number>", "Maximum concurrent Docker image builds").default(4).argParser((value) => parseInt(value, 10))
+    new Option4("--image-build-concurrency <number>", "Maximum concurrent Docker image builds").default(4).argParser((value) => parseInt(value, 10))
   ).action(withErrorHandling(publishAssetsCommand));
   commonOptions.forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
@@ -34593,7 +35000,7 @@ function createPublishAssetsCommand() {
 }
 
 // src/cli/commands/force-unlock.ts
-import { Command as Command9, Option as Option4 } from "commander";
+import { Command as Command10, Option as Option5 } from "commander";
 init_aws_clients();
 async function forceUnlockCommand(stackArgs, options) {
   const logger = getLogger();
@@ -34601,6 +35008,7 @@ async function forceUnlockCommand(stackArgs, options) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const stackPatterns = stackArgs.length > 0 ? stackArgs : options.stack ? [options.stack] : [];
   if (stackPatterns.length === 0) {
     throw new Error("Stack name is required. Usage: cdkd force-unlock <stack-name>");
@@ -34653,8 +35061,8 @@ async function forceUnlockCommand(stackArgs, options) {
   }
 }
 function createForceUnlockCommand() {
-  const cmd = new Command9("force-unlock").description("Force-release a stale lock on a stack").argument("[stacks...]", "Stack name(s) to unlock").addOption(
-    new Option4(
+  const cmd = new Command10("force-unlock").description("Force-release a stale lock on a stack").argument("[stacks...]", "Stack name(s) to unlock").addOption(
+    new Option5(
       "--stack-region <region>",
       "Stack region whose lock to release (use when the same stack name has locks in multiple regions). Defaults to all regions where the stack has state."
     )
@@ -34666,7 +35074,7 @@ function createForceUnlockCommand() {
 
 // src/cli/commands/state.ts
 import * as readline4 from "node:readline/promises";
-import { Command as Command11, Option as Option5 } from "commander";
+import { Command as Command12, Option as Option6 } from "commander";
 import {
   GetBucketLocationCommand as GetBucketLocationCommand2,
   GetObjectCommand as GetObjectCommand4,
@@ -34676,7 +35084,7 @@ init_aws_clients();
 
 // src/cli/commands/state-migrate.ts
 import * as readline3 from "node:readline/promises";
-import { Command as Command10 } from "commander";
+import { Command as Command11 } from "commander";
 import {
   CopyObjectCommand,
   CreateBucketCommand as CreateBucketCommand4,
@@ -34696,6 +35104,7 @@ async function stateMigrateCommand(options) {
   const logger = getLogger();
   if (options.verbose)
     logger.setLevel("debug");
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const region = options.region || process.env["AWS_REGION"] || "us-east-1";
   const awsClients = new AwsClients({
     region,
@@ -34959,7 +35368,7 @@ async function confirmPrompt2(prompt) {
   }
 }
 function createStateMigrateCommand() {
-  const cmd = new Command10("migrate").description(
+  const cmd = new Command11("migrate").description(
     "Migrate state from the legacy region-suffixed bucket (cdkd-state-{account}-{region}) to the new region-free default (cdkd-state-{account}). Source bucket is kept by default; pass --remove-legacy to delete it after a successful migration."
   ).option(
     "--region <region>",
@@ -35009,6 +35418,7 @@ function resolveSingleRegion(stackName, refs, requestedRegion) {
 }
 async function setupStateBackend(options) {
   warnIfDeprecatedRegion(options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const awsClients = new AwsClients({
     ...options.region && { region: options.region },
     ...options.profile && { profile: options.profile }
@@ -35117,7 +35527,7 @@ async function stateListCommand(options) {
   }
 }
 function createStateListCommand() {
-  const cmd = new Command11("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
+  const cmd = new Command12("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -35221,7 +35631,7 @@ function formatLockSummary(lockInfo) {
   return `locked by ${lockInfo.owner}${opStr}, ${expiresStr}`;
 }
 function createStateResourcesCommand() {
-  const cmd = new Command11("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateResourcesCommand));
+  const cmd = new Command12("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption2()).action(withErrorHandling(stateResourcesCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -35309,7 +35719,7 @@ async function stateShowCommand(stackName, options) {
   }
 }
 function createStateShowCommand() {
-  const cmd = new Command11("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateShowCommand));
+  const cmd = new Command12("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption2()).action(withErrorHandling(stateShowCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -35385,16 +35795,16 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
     setup.dispose();
   }
 }
-function stackRegionOption() {
-  return new Option5(
+function stackRegionOption2() {
+  return new Option6(
     "--stack-region <region>",
     "Region of the stack record to operate on. Required when the same stack name has state in multiple regions."
   );
 }
 function createStateOrphanCommand() {
-  const cmd = new Command11("orphan").description(
+  const cmd = new Command12("orphan").description(
     "Orphan one or more stacks from cdkd state (removes the state record; does NOT delete AWS resources)"
-  ).argument("<stacks...>", "Stack name(s) to orphan from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption()).action(withErrorHandling(stateOrphanCommand));
+  ).argument("<stacks...>", "Stack name(s) to orphan from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption2()).action(withErrorHandling(stateOrphanCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -35535,9 +35945,9 @@ Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
   }
 }
 function createStateDestroyCommand() {
-  const cmd = new Command11("destroy").description(
+  const cmd = new Command12("destroy").description(
     "Destroy a stack's AWS resources and remove its state record without requiring the CDK app. For removing only the state record (keeping AWS resources intact), use 'cdkd state orphan'."
-  ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).addOption(stackRegionOption()).addHelpText(
+  ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).addOption(stackRegionOption2()).addHelpText(
     "after",
     [
       "",
@@ -35624,6 +36034,7 @@ async function stateInfoCommand(options) {
   const logger = getLogger();
   if (options.verbose)
     logger.setLevel("debug");
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const awsClients = new AwsClients({
     ...options.region && { region: options.region },
     ...options.profile && { profile: options.profile }
@@ -35669,14 +36080,14 @@ async function stateInfoCommand(options) {
   }
 }
 function createStateInfoCommand() {
-  const cmd = new Command11("info").description(
+  const cmd = new Command12("info").description(
     "Show cdkd state bucket info (bucket name, region, source, schema version, stack count)"
   ).option("--json", "Output as JSON", false).action(withErrorHandling(stateInfoCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
 function createStateCommand() {
-  const cmd = new Command11("state").description("Manage cdkd state stored in S3");
+  const cmd = new Command12("state").description("Manage cdkd state stored in S3");
   cmd.addCommand(createStateInfoCommand());
   cmd.addCommand(createStateListCommand());
   cmd.addCommand(createStateResourcesCommand());
@@ -35690,7 +36101,7 @@ function createStateCommand() {
 // src/cli/commands/import.ts
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "node:fs";
 import * as readline6 from "node:readline/promises";
-import { Command as Command12 } from "commander";
+import { Command as Command13 } from "commander";
 init_aws_clients();
 
 // src/cli/commands/retire-cfn-stack.ts
@@ -35916,6 +36327,7 @@ async function importCommand(stackArg, options) {
     logger.setLevel("debug");
     process.env["CDKD_NO_LIVE"] = "1";
   }
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
   const region = options.region || process.env["AWS_REGION"] || "us-east-1";
   const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
   if (options.region) {
@@ -36369,7 +36781,7 @@ async function confirmPrompt4(prompt) {
   }
 }
 function createImportCommand() {
-  const cmd = new Command12("import").description(
+  const cmd = new Command13("import").description(
     "Adopt already-deployed AWS resources into cdkd state. Reads the CDK app to find logical IDs, resource types, and dependencies. With no flags, imports every resource via the aws:cdk:path tag. With --resource / --resource-mapping, only the listed resources are imported (CDK CLI parity); pass --auto to also tag-import the rest."
   ).argument(
     "[stack]",
@@ -36417,6 +36829,7 @@ var SUBCOMMANDS = /* @__PURE__ */ new Set([
   "ls",
   "deploy",
   "diff",
+  "drift",
   "destroy",
   "orphan",
   "import",
@@ -36435,13 +36848,14 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.33.0");
+  const program = new Command14();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.35.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());
   program.addCommand(createDeployCommand());
   program.addCommand(createDiffCommand());
+  program.addCommand(createDriftCommand());
   program.addCommand(createDestroyCommand());
   program.addCommand(createOrphanCommand());
   program.addCommand(createImportCommand());