@go-to-k/cdkd 0.34.0 → 0.36.0

package/dist/cli.js

@@ -447,7 +447,7 @@ var init_aws_clients = __esm({
 });
 
 // src/cli/index.ts
-import { Command as Command13 } from "commander";
+import { Command as Command14 } from "commander";
 
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -1206,7 +1206,10 @@ Caused by: ${error.cause.message}`;
 }
 function handleError(error) {
   const logger = getLogger();
-  logger.error(formatError(error));
+  const silent = error instanceof CdkdError && error.silent;
+  if (!silent) {
+    logger.error(formatError(error));
+  }
   if (error instanceof Error && error.stack) {
     logger.debug("Stack trace:", error.stack);
   }
@@ -7579,6 +7582,50 @@ Error: ${err.message || "Unknown error"}`,
     }
     return resourceType.startsWith("AWS::");
   }
+  /**
+   * Read the AWS-current properties of a resource managed via Cloud Control
+   * API, for `cdkd drift` comparison.
+   *
+   * Strategy: `GetResource(TypeName, Identifier)` returns `ResourceModel` as
+   * a JSON string of every property AWS reports for the resource. Parse and
+   * surface it as the AWS-current snapshot — the drift command intersects
+   * this against the keys present in cdkd state, so AWS-only keys (timestamps,
+   * generated ids, etc.) are filtered out at compare time.
+   *
+   * Returns `undefined` for the unique cases that mean "drift unknown" (the
+   * resource was deleted out from under cdkd, or the response had no
+   * Properties field). Re-throws on any other error so the drift command can
+   * surface throttling / access-denied issues to the user.
+   *
+   * This single CC API implementation gives drift detection coverage to every
+   * resource type that goes through CC API — the majority of cdkd's surface.
+   * SDK Providers add their own `readCurrentState` incrementally (PR D).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    try {
+      const response = await this.cloudControlClient.send(
+        new GetResourceCommand2({
+          TypeName: resourceType,
+          Identifier: physicalId
+        })
+      );
+      const raw = response.ResourceDescription?.Properties;
+      if (typeof raw !== "string" || raw.length === 0) {
+        return void 0;
+      }
+      const parsed = JSON.parse(raw);
+      if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        return void 0;
+      }
+      return parsed;
+    } catch (error) {
+      const err = error;
+      if (err.name === "ResourceNotFoundException") {
+        return void 0;
+      }
+      throw error;
+    }
+  }
   /**
    * Adopt an already-deployed resource into cdkd state via Cloud Control API.
    *
@@ -33456,8 +33503,321 @@ function createDiffCommand() {
   return cmd;
 }
 
+// src/cli/commands/drift.ts
+import { Command as Command6, Option as Option3 } from "commander";
+init_aws_clients();
+
+// src/analyzer/drift-calculator.ts
+function calculateResourceDrift(stateProperties, awsProperties) {
+  const drifts = [];
+  for (const key of Object.keys(stateProperties)) {
+    diffAt(key, stateProperties[key], awsProperties[key], drifts);
+  }
+  return drifts;
+}
+function diffAt(path, stateValue, awsValue, out) {
+  if (deepEqual(stateValue, awsValue))
+    return;
+  if (isPlainObject(stateValue) && isPlainObject(awsValue) && !Array.isArray(stateValue) && !Array.isArray(awsValue)) {
+    for (const key of Object.keys(stateValue)) {
+      diffAt(`${path}.${key}`, stateValue[key], awsValue[key], out);
+    }
+    return;
+  }
+  out.push({ path, stateValue, awsValue });
+}
+function deepEqual(a, b) {
+  if (a === b)
+    return true;
+  if (a === null || b === null || a === void 0 || b === void 0) {
+    return a === b;
+  }
+  if (typeof a !== typeof b)
+    return false;
+  if (typeof a !== "object")
+    return false;
+  if (Array.isArray(a) || Array.isArray(b)) {
+    if (!Array.isArray(a) || !Array.isArray(b))
+      return false;
+    if (a.length !== b.length)
+      return false;
+    return a.every((v, i) => deepEqual(v, b[i]));
+  }
+  const aObj = a;
+  const bObj = b;
+  const aKeys = Object.keys(aObj);
+  const bKeys = Object.keys(bObj);
+  if (aKeys.length !== bKeys.length)
+    return false;
+  for (const key of aKeys) {
+    if (!Object.prototype.hasOwnProperty.call(bObj, key))
+      return false;
+    if (!deepEqual(aObj[key], bObj[key]))
+      return false;
+  }
+  return true;
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null;
+}
+
+// src/cli/commands/drift.ts
+var DriftDetectedError = class _DriftDetectedError extends CdkdError {
+  silent = true;
+  constructor() {
+    super("drift detected", "DRIFT_DETECTED");
+    this.name = "DriftDetectedError";
+    Object.setPrototypeOf(this, _DriftDetectedError.prototype);
+  }
+};
+async function driftCommand(stacks, options) {
+  const logger = getLogger();
+  if (options.verbose) {
+    logger.setLevel("debug");
+  }
+  warnIfDeprecatedRegion(options);
+  if (!options.all && stacks.length === 0) {
+    throw new Error("Stack name is required. Usage: cdkd drift <stack> [<stack>...] | --all");
+  }
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
+  const awsClients = new AwsClients({
+    ...options.region && { region: options.region },
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+    const bucket = await resolveStateBucketWithDefault(options.stateBucket, region);
+    const prefix = options.statePrefix;
+    const stateBackend = new S3StateBackend(
+      awsClients.s3,
+      { bucket, prefix },
+      {
+        region,
+        ...options.profile && { profile: options.profile }
+      }
+    );
+    await stateBackend.verifyBucketExists();
+    const providerRegistry = new ProviderRegistry();
+    registerAllProviders(providerRegistry);
+    providerRegistry.setCustomResourceResponseBucket(bucket);
+    const stateRefs = await stateBackend.listStacks();
+    const targetRefs = resolveTargetRefs(stacks, stateRefs, options);
+    const reports = [];
+    for (const ref of targetRefs) {
+      if (!ref.region) {
+        throw new Error(
+          `Stack '${ref.stackName}' has only a legacy state record without a region. Run 'cdkd deploy ${ref.stackName}' (or any cdkd write) to migrate it to the region-scoped layout, then re-run drift detection.`
+        );
+      }
+      const report = await runDriftForStack(
+        ref.stackName,
+        ref.region,
+        stateBackend,
+        providerRegistry
+      );
+      reports.push(report);
+    }
+    if (options.json) {
+      writeJsonReport(reports);
+    } else {
+      writeHumanReport(reports);
+    }
+    const drifted = reports.some((r) => r.outcomes.some((o) => o.kind === "drifted"));
+    if (drifted) {
+      throw new DriftDetectedError();
+    }
+  } finally {
+    awsClients.destroy();
+  }
+}
+function resolveTargetRefs(stacks, stateRefs, options) {
+  if (options.all) {
+    if (stateRefs.length === 0) {
+      throw new Error("No stacks found in state bucket.");
+    }
+    if (options.stackRegion) {
+      return stateRefs.filter((r) => r.region === options.stackRegion);
+    }
+    return stateRefs;
+  }
+  const out = [];
+  for (const stackName of stacks) {
+    const matches = stateRefs.filter((r) => r.stackName === stackName);
+    if (matches.length === 0) {
+      throw new Error(
+        `No state found for stack '${stackName}'. Run 'cdkd state list' to see available stacks.`
+      );
+    }
+    if (options.stackRegion) {
+      const ref = matches.find((r) => r.region === options.stackRegion);
+      if (!ref) {
+        const seen = matches.map((r) => r.region ?? "(legacy)").join(", ");
+        throw new Error(
+          `No state found for stack '${stackName}' in region '${options.stackRegion}'. Available regions: ${seen}.`
+        );
+      }
+      out.push(ref);
+      continue;
+    }
+    if (matches.length === 1) {
+      out.push(matches[0]);
+      continue;
+    }
+    const regions = matches.map((r) => r.region ?? "(legacy)").join(", ");
+    throw new Error(
+      `Stack '${stackName}' has state in multiple regions: ${regions}. Re-run with --stack-region <region> to disambiguate.`
+    );
+  }
+  return out;
+}
+async function runDriftForStack(stackName, region, stateBackend, providerRegistry) {
+  const result = await stateBackend.getState(stackName, region);
+  if (!result) {
+    throw new Error(
+      `No state found for stack '${stackName}' (${region}). Run 'cdkd state list' to see available stacks.`
+    );
+  }
+  return await withStackName(stackName, async () => {
+    const outcomes = [];
+    const state = result.state;
+    const entries = Object.entries(state.resources ?? {}).sort(([a], [b]) => a.localeCompare(b));
+    for (const [logicalId, resource] of entries) {
+      if (providerRegistry.shouldSkipResource(resource.resourceType)) {
+        continue;
+      }
+      let provider;
+      try {
+        provider = providerRegistry.getProvider(resource.resourceType);
+      } catch {
+        outcomes.push({
+          kind: "unsupported",
+          logicalId,
+          resourceType: resource.resourceType
+        });
+        continue;
+      }
+      if (!provider.readCurrentState) {
+        outcomes.push({
+          kind: "unsupported",
+          logicalId,
+          resourceType: resource.resourceType
+        });
+        continue;
+      }
+      const aws = await provider.readCurrentState(
+        resource.physicalId,
+        logicalId,
+        resource.resourceType
+      );
+      if (aws === void 0) {
+        outcomes.push({
+          kind: "unsupported",
+          logicalId,
+          resourceType: resource.resourceType
+        });
+        continue;
+      }
+      const changes = calculateResourceDrift(resource.properties ?? {}, aws);
+      if (changes.length === 0) {
+        outcomes.push({ kind: "clean", logicalId, resourceType: resource.resourceType });
+      } else {
+        outcomes.push({
+          kind: "drifted",
+          logicalId,
+          resourceType: resource.resourceType,
+          changes
+        });
+      }
+    }
+    return { stackName, region, outcomes };
+  });
+}
+function writeJsonReport(reports) {
+  const payload = reports.map((r) => {
+    const drifted = r.outcomes.filter((o) => o.kind === "drifted").map((o) => ({ logicalId: o.logicalId, type: o.resourceType, changes: o.changes }));
+    const clean = r.outcomes.filter((o) => o.kind === "clean").map((o) => ({ logicalId: o.logicalId, type: o.resourceType }));
+    const notSupported = r.outcomes.filter((o) => o.kind === "unsupported").map((o) => ({ logicalId: o.logicalId, type: o.resourceType }));
+    return { stack: r.stackName, region: r.region, drifted, clean, notSupported };
+  });
+  process.stdout.write(`${JSON.stringify(payload, null, 2)}
+`);
+}
+function writeHumanReport(reports) {
+  for (const report of reports) {
+    const drifted = report.outcomes.filter(
+      (o) => o.kind === "drifted"
+    );
+    const unsupported = report.outcomes.filter(
+      (o) => o.kind === "unsupported"
+    );
+    const total = report.outcomes.length;
+    if (drifted.length === 0) {
+      process.stdout.write(
+        `\u2713 ${report.stackName} (${report.region}): no drift detected (${total} resource${total === 1 ? "" : "s"} checked, ${unsupported.length} unsupported)
+`
+      );
+    } else {
+      const word = drifted.length === 1 ? "resource" : "resources";
+      process.stdout.write(
+        `
+\u26A0 ${report.stackName} (${report.region}): drift detected on ${drifted.length} ${word}
+
+`
+      );
+      for (const o of drifted) {
+        process.stdout.write(`  ~ ${o.logicalId} (${o.resourceType})
+`);
+        for (const change of o.changes) {
+          process.stdout.write(`    - ${change.path}: ${formatScalar(change.stateValue)}
+`);
+          process.stdout.write(`    + ${change.path}: ${formatScalar(change.awsValue)}
+`);
+        }
+        process.stdout.write("\n");
+      }
+    }
+    if (unsupported.length > 0) {
+      process.stdout.write(
+        `
+  ${unsupported.length} resource(s) reported as drift unknown \u2014 provider does not yet support drift detection:
+`
+      );
+      for (const o of unsupported) {
+        process.stdout.write(`    ? ${o.logicalId} (${o.resourceType})
+`);
+      }
+    }
+  }
+}
+function formatScalar(value) {
+  if (value === null)
+    return "null";
+  if (value === void 0)
+    return "undefined";
+  if (typeof value === "string")
+    return value;
+  if (typeof value === "number" || typeof value === "boolean")
+    return String(value);
+  return JSON.stringify(value);
+}
+function stackRegionOption() {
+  return new Option3(
+    "--stack-region <region>",
+    "Region of the stack record to inspect. Required when the same stack name has state in multiple regions."
+  );
+}
+function createDriftCommand() {
+  const cmd = new Command6("drift").description(
+    "Detect drift between cdkd state and AWS reality. Exits 0 when no drift, 1 when drift is detected."
+  ).argument("[stacks...]", "Stack name(s) to check (physical CloudFormation names)").option("--all", "Check every stack in the state bucket", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(driftCommand));
+  [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
+  return cmd;
+}
+
 // src/cli/commands/destroy.ts
-import { Command as Command6 } from "commander";
+import { Command as Command7 } from "commander";
 init_aws_clients();
 
 // src/cli/commands/destroy-runner.ts
@@ -33880,7 +34240,7 @@ Preparing to destroy stack: ${stackName}`);
   }
 }
 function createDestroyCommand() {
-  const cmd = new Command6("destroy").description("Destroy all resources in the stack").argument(
+  const cmd = new Command7("destroy").description("Destroy all resources in the stack").argument(
     "[stacks...]",
     "Stack name(s) to destroy. Accepts physical CloudFormation names (e.g. 'MyStage-Api') or CDK display paths (e.g. 'MyStage/Api'). Supports wildcards (e.g. 'MyStage/*')."
   ).option("--all", "Destroy all stacks", false).action(withErrorHandling(destroyCommand));
@@ -33899,7 +34259,7 @@ function createDestroyCommand() {
 
 // src/cli/commands/orphan.ts
 import * as readline2 from "node:readline/promises";
-import { Command as Command7 } from "commander";
+import { Command as Command8 } from "commander";
 init_aws_clients();
 
 // src/cli/cdk-path.ts
@@ -34580,7 +34940,7 @@ async function confirmPrompt(prompt) {
   }
 }
 function createOrphanCommand() {
-  const cmd = new Command7("orphan").description(
+  const cmd = new Command8("orphan").description(
     "Remove one or more resources from cdkd state by construct path (does NOT delete AWS resources). Mirrors aws-cdk-cli's 'cdk orphan --unstable=orphan'. Synth-driven; for the previous whole-stack-orphan behavior, use 'cdkd state orphan <stack>'."
   ).argument(
     "<paths...>",
@@ -34606,41 +34966,174 @@ function createOrphanCommand() {
 }
 
 // src/cli/commands/publish-assets.ts
-import { Option as Option3, Command as Command8 } from "commander";
-async function publishAssetsCommand(options) {
+import { Option as Option4, Command as Command9 } from "commander";
+async function publishAssetsCommand(stacks, options) {
   const logger = getLogger();
   if (options.verbose) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
   await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
-  logger.info("Publishing assets...");
-  logger.debug("Asset manifest path:", options.path);
-  const publisher = new AssetPublisher();
-  await publisher.publishFromManifest(options.path, {
-    ...options.profile && { profile: options.profile },
+  const app = resolveApp(options.app);
+  if (!app) {
+    throw new Error(
+      'No app command specified. Use --app, set CDKD_APP env var, or add "app" to cdk.json'
+    );
+  }
+  logger.info("Synthesizing CDK app...");
+  const synthesizer = new Synthesizer();
+  const context = parseContextOptions(options.context);
+  const synthOptions = {
+    app,
+    output: options.output,
     ...options.region && { region: options.region },
-    assetPublishConcurrency: options.assetPublishConcurrency,
-    imageBuildConcurrency: options.imageBuildConcurrency
-  });
-  logger.info("\u2705 Asset publishing complete");
+    ...options.profile && { profile: options.profile },
+    ...Object.keys(context).length > 0 && { context }
+  };
+  const result = await synthesizer.synthesize(synthOptions);
+  const { stacks: allStacks } = result;
+  logger.debug(`Found ${allStacks.length} stack(s) in assembly`);
+  const stackPatterns = stacks.length > 0 ? stacks : options.stack ? [options.stack] : [];
+  let targetStacks;
+  if (options.all) {
+    targetStacks = allStacks;
+  } else if (stackPatterns.length > 0) {
+    targetStacks = matchStacks(allStacks, stackPatterns);
+  } else if (allStacks.length === 1) {
+    targetStacks = allStacks;
+  } else {
+    throw new Error(
+      `Multiple stacks found: ${allStacks.map(describeStack).join(", ")}. Specify stack name(s) or use --all`
+    );
+  }
+  if (targetStacks.length === 0) {
+    throw new Error(
+      stackPatterns.length > 0 ? `No stacks matching ${stackPatterns.join(", ")} found in assembly. Available: ${allStacks.map(describeStack).join(", ")}` : "No stacks found in assembly"
+    );
+  }
+  const baseRegion = options.region || process.env["AWS_REGION"] || "us-east-1";
+  const { STSClient: STSClient10, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+  const stsClient = new STSClient10({ region: baseRegion });
+  const callerIdentity = await stsClient.send(new GetCallerIdentityCommand11({}));
+  const accountId = callerIdentity.Account;
+  stsClient.destroy();
+  const assetPublisher = new AssetPublisher();
+  const results = [];
+  for (const stack of targetStacks) {
+    const startedAt = Date.now();
+    let assetCount = 0;
+    let error;
+    try {
+      if (!stack.assetManifestPath) {
+        logger.debug(`Stack ${stack.stackName} has no asset manifest; nothing to publish`);
+        results.push({
+          stackName: stack.stackName,
+          displayName: stack.displayName,
+          assetCount: 0,
+          durationMs: Date.now() - startedAt
+        });
+        continue;
+      }
+      logger.info(`
+Publishing assets for stack: ${describeStack(stack)}`);
+      const workGraph = new WorkGraph();
+      let nodeIds = [];
+      try {
+        nodeIds = assetPublisher.addAssetsToGraph(workGraph, stack.assetManifestPath, {
+          accountId,
+          region: stack.region || baseRegion,
+          ...options.profile && { profile: options.profile },
+          nodePrefix: `${stack.stackName}:`
+        });
+      } catch (err) {
+        const e = err;
+        if (e.code === "ENOENT") {
+          logger.debug(
+            `Asset manifest not found for ${stack.stackName} (${stack.assetManifestPath}); skipping`
+          );
+          results.push({
+            stackName: stack.stackName,
+            displayName: stack.displayName,
+            assetCount: 0,
+            durationMs: Date.now() - startedAt
+          });
+          continue;
+        }
+        throw err;
+      }
+      assetCount = nodeIds.filter((id) => id.startsWith("asset-publish:")).length;
+      if (assetCount === 0) {
+        logger.info("  (no assets to publish)");
+        results.push({
+          stackName: stack.stackName,
+          displayName: stack.displayName,
+          assetCount: 0,
+          durationMs: Date.now() - startedAt
+        });
+        continue;
+      }
+      await workGraph.execute(
+        {
+          "asset-build": options.imageBuildConcurrency,
+          "asset-publish": options.assetPublishConcurrency,
+          stack: 0
+        },
+        (node) => assetPublisher.executeNode(node)
+      );
+      logger.info(
+        `  \u2713 Published ${assetCount} asset(s) in ${((Date.now() - startedAt) / 1e3).toFixed(2)}s`
+      );
+    } catch (err) {
+      error = err instanceof Error ? err : new Error(String(err));
+      logger.error(`  \u2717 ${stack.stackName}: ${error.message}`);
+    }
+    results.push({
+      stackName: stack.stackName,
+      displayName: stack.displayName,
+      assetCount,
+      durationMs: Date.now() - startedAt,
+      ...error && { error }
+    });
+  }
+  const failed = results.filter((r) => r.error);
+  const totalAssets = results.reduce((sum, r) => sum + r.assetCount, 0);
+  logger.info("\nPublish Summary:");
+  for (const r of results) {
+    const tag = r.error ? "\u2717" : "\u2713";
+    const id = r.displayName === r.stackName ? r.stackName : `${r.displayName} (${r.stackName})`;
+    const detail = r.error ? `failed: ${r.error.message}` : `${r.assetCount} asset(s), ${(r.durationMs / 1e3).toFixed(2)}s`;
+    logger.info(`  ${tag} ${id} \u2014 ${detail}`);
+  }
+  if (failed.length > 0) {
+    throw new PartialFailureError(
+      `Asset publishing completed with ${failed.length} stack failure(s) (${totalAssets} asset(s) published successfully across the rest).`
+    );
+  }
+  logger.info(`
+\u2705 Asset publishing complete (${totalAssets} asset(s))`);
 }
 function createPublishAssetsCommand() {
-  const cmd = new Command8("publish-assets").description("Publish assets to S3/ECR from asset manifest").requiredOption("--path <path>", "Path to asset manifest file or directory").addOption(
-    new Option3(
+  const cmd = new Command9("publish-assets").description(
+    "Synthesize the CDK app and publish assets to S3/ECR for the selected stack(s) without deploying"
+  ).argument(
+    "[stacks...]",
+    "Stack name(s) to publish assets for. Accepts physical CloudFormation names (e.g. 'MyStage-Api') or CDK display paths (e.g. 'MyStage/Api'). Supports wildcards."
+  ).option("--all", "Publish assets for all stacks", false).addOption(
+    new Option4(
       "--asset-publish-concurrency <number>",
       "Maximum concurrent asset publish operations"
     ).default(8).argParser((value) => parseInt(value, 10))
   ).addOption(
-    new Option3("--image-build-concurrency <number>", "Maximum concurrent Docker image builds").default(4).argParser((value) => parseInt(value, 10))
+    new Option4("--image-build-concurrency <number>", "Maximum concurrent Docker image builds").default(4).argParser((value) => parseInt(value, 10))
   ).action(withErrorHandling(publishAssetsCommand));
-  commonOptions.forEach((opt) => cmd.addOption(opt));
+  [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(new Option4("--stack <name>", "Stack name to publish (alternative to positional)"));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
 
 // src/cli/commands/force-unlock.ts
-import { Command as Command9, Option as Option4 } from "commander";
+import { Command as Command10, Option as Option5 } from "commander";
 init_aws_clients();
 async function forceUnlockCommand(stackArgs, options) {
   const logger = getLogger();
@@ -34701,8 +35194,8 @@ async function forceUnlockCommand(stackArgs, options) {
   }
 }
 function createForceUnlockCommand() {
-  const cmd = new Command9("force-unlock").description("Force-release a stale lock on a stack").argument("[stacks...]", "Stack name(s) to unlock").addOption(
-    new Option4(
+  const cmd = new Command10("force-unlock").description("Force-release a stale lock on a stack").argument("[stacks...]", "Stack name(s) to unlock").addOption(
+    new Option5(
       "--stack-region <region>",
       "Stack region whose lock to release (use when the same stack name has locks in multiple regions). Defaults to all regions where the stack has state."
     )
@@ -34714,7 +35207,7 @@ function createForceUnlockCommand() {
 
 // src/cli/commands/state.ts
 import * as readline4 from "node:readline/promises";
-import { Command as Command11, Option as Option5 } from "commander";
+import { Command as Command12, Option as Option6 } from "commander";
 import {
   GetBucketLocationCommand as GetBucketLocationCommand2,
   GetObjectCommand as GetObjectCommand4,
@@ -34724,7 +35217,7 @@ init_aws_clients();
 
 // src/cli/commands/state-migrate.ts
 import * as readline3 from "node:readline/promises";
-import { Command as Command10 } from "commander";
+import { Command as Command11 } from "commander";
 import {
   CopyObjectCommand,
   CreateBucketCommand as CreateBucketCommand4,
@@ -35008,7 +35501,7 @@ async function confirmPrompt2(prompt) {
   }
 }
 function createStateMigrateCommand() {
-  const cmd = new Command10("migrate").description(
+  const cmd = new Command11("migrate").description(
     "Migrate state from the legacy region-suffixed bucket (cdkd-state-{account}-{region}) to the new region-free default (cdkd-state-{account}). Source bucket is kept by default; pass --remove-legacy to delete it after a successful migration."
   ).option(
     "--region <region>",
@@ -35167,7 +35660,7 @@ async function stateListCommand(options) {
   }
 }
 function createStateListCommand() {
-  const cmd = new Command11("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
+  const cmd = new Command12("list").alias("ls").description("List stacks registered in the cdkd state bucket").option("-l, --long", "Show resource count, last-modified time, and lock status", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateListCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -35271,7 +35764,7 @@ function formatLockSummary(lockInfo) {
   return `locked by ${lockInfo.owner}${opStr}, ${expiresStr}`;
 }
 function createStateResourcesCommand() {
-  const cmd = new Command11("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateResourcesCommand));
+  const cmd = new Command12("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption2()).action(withErrorHandling(stateResourcesCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -35359,7 +35852,7 @@ async function stateShowCommand(stackName, options) {
   }
 }
 function createStateShowCommand() {
-  const cmd = new Command11("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateShowCommand));
+  const cmd = new Command12("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption2()).action(withErrorHandling(stateShowCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -35435,16 +35928,16 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
     setup.dispose();
   }
 }
-function stackRegionOption() {
-  return new Option5(
+function stackRegionOption2() {
+  return new Option6(
     "--stack-region <region>",
     "Region of the stack record to operate on. Required when the same stack name has state in multiple regions."
   );
 }
 function createStateOrphanCommand() {
-  const cmd = new Command11("orphan").description(
+  const cmd = new Command12("orphan").description(
     "Orphan one or more stacks from cdkd state (removes the state record; does NOT delete AWS resources)"
-  ).argument("<stacks...>", "Stack name(s) to orphan from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption()).action(withErrorHandling(stateOrphanCommand));
+  ).argument("<stacks...>", "Stack name(s) to orphan from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption2()).action(withErrorHandling(stateOrphanCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   cmd.addOption(deprecatedRegionOption);
   return cmd;
@@ -35585,9 +36078,9 @@ Preparing to destroy stack: ${stackName}${ref.region ? ` (${ref.region})` : ""}`
   }
 }
 function createStateDestroyCommand() {
-  const cmd = new Command11("destroy").description(
+  const cmd = new Command12("destroy").description(
     "Destroy a stack's AWS resources and remove its state record without requiring the CDK app. For removing only the state record (keeping AWS resources intact), use 'cdkd state orphan'."
-  ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).addOption(stackRegionOption()).addHelpText(
+  ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).addOption(stackRegionOption2()).addHelpText(
     "after",
     [
       "",
@@ -35720,14 +36213,14 @@ async function stateInfoCommand(options) {
   }
 }
 function createStateInfoCommand() {
-  const cmd = new Command11("info").description(
+  const cmd = new Command12("info").description(
     "Show cdkd state bucket info (bucket name, region, source, schema version, stack count)"
   ).option("--json", "Output as JSON", false).action(withErrorHandling(stateInfoCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
 function createStateCommand() {
-  const cmd = new Command11("state").description("Manage cdkd state stored in S3");
+  const cmd = new Command12("state").description("Manage cdkd state stored in S3");
   cmd.addCommand(createStateInfoCommand());
   cmd.addCommand(createStateListCommand());
   cmd.addCommand(createStateResourcesCommand());
@@ -35741,7 +36234,7 @@ function createStateCommand() {
 // src/cli/commands/import.ts
 import { readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "node:fs";
 import * as readline6 from "node:readline/promises";
-import { Command as Command12 } from "commander";
+import { Command as Command13 } from "commander";
 init_aws_clients();
 
 // src/cli/commands/retire-cfn-stack.ts
@@ -36421,7 +36914,7 @@ async function confirmPrompt4(prompt) {
   }
 }
 function createImportCommand() {
-  const cmd = new Command12("import").description(
+  const cmd = new Command13("import").description(
     "Adopt already-deployed AWS resources into cdkd state. Reads the CDK app to find logical IDs, resource types, and dependencies. With no flags, imports every resource via the aws:cdk:path tag. With --resource / --resource-mapping, only the listed resources are imported (CDK CLI parity); pass --auto to also tag-import the rest."
   ).argument(
     "[stack]",
@@ -36469,6 +36962,7 @@ var SUBCOMMANDS = /* @__PURE__ */ new Set([
   "ls",
   "deploy",
   "diff",
+  "drift",
   "destroy",
   "orphan",
   "import",
@@ -36487,13 +36981,14 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command13();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.34.0");
+  const program = new Command14();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.36.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());
   program.addCommand(createDeployCommand());
   program.addCommand(createDiffCommand());
+  program.addCommand(createDriftCommand());
   program.addCommand(createDestroyCommand());
   program.addCommand(createOrphanCommand());
   program.addCommand(createImportCommand());