@go-to-k/cdkd 0.47.0 → 0.49.0

package/README.md

@@ -171,6 +171,57 @@ the full per-type table.
 | CC API null value stripping | ✅ | Removes null values before API calls |
 | Retry with HTTP status codes | ✅ | 429/503 + cause chain inspection |
 
+### Drift detection
+
+`cdkd drift <stack>` (state-driven; no synth) compares each resource
+between the AWS-current snapshot returned by `provider.readCurrentState`
+and the **deploy-time AWS snapshot** stored in
+`ResourceState.observedProperties`. The observedProperties baseline is
+populated automatically on every successful `cdkd deploy` /
+`cdkd import`, so console-side changes to keys you did NOT template
+(IAM policies attached out-of-band, S3 public-access-block toggled,
+etc.) surface as drift instead of being silently ignored.
+
+State schema `version: 3` (the layout that carries observedProperties)
+is auto-migrated on the next write — no user action needed for new
+deploys. **For stacks already deployed with an older binary**, the
+upgrade story is:
+
+1. `cdkd 0.46.x` (or earlier) deployed your stack — state.json is
+   `version: 2`, no observedProperties on any resource.
+2. Upgrade cdkd to `0.47.0+`. The new binary reads v2 state cleanly,
+   and `cdkd drift` falls back to comparing against the user-templated
+   `properties` field (= the pre-v3 behavior) for any resource that
+   hasn't been refreshed yet.
+3. **Populate observedProperties** for the existing stack — pick one:
+
+   ```bash
+   # Option A (recommended): explicit refresh, no redeploy.
+   cdkd state refresh-observed MyStack
+
+   # Option B: trigger an UPDATE on each affected resource via the
+   # next `cdkd deploy`. NO_CHANGE-skipped resources are NOT refreshed
+   # by deploy alone — only the ones whose template changed get a
+   # readCurrentState call. Use this only if you're already changing
+   # the template; for an upgrade-and-refresh-only flow prefer A.
+   cdkd deploy MyStack
+   ```
+4. Re-run `cdkd drift MyStack` — now observed-baseline drift detection
+   is fully enabled.
+
+`cdkd state refresh-observed --all` does the same for every stack in
+the state bucket; `--dry-run` prints the per-stack refresh count
+without touching state. Resolve any drift the comparator finds with
+`cdkd drift <stack> --accept` (state ← AWS) or `--revert` (AWS ← state).
+
+`cdkd deploy --no-capture-observed-state` (or
+`cdk.json context.cdkd.captureObservedState: false`) opts out of the
+capture entirely if you care more about deploy speed than rich drift
+detection — drift then falls back to comparing against `properties`,
+the pre-v3 behavior. Bench measurements show roughly +0–4% deploy
+time with the capture on (lambda integ within noise; bench-cdk-sample
++3.4% median).
+
 ## Prerequisites
 
 - **Node.js** >= 20.0.0
@@ -300,6 +351,14 @@ cdkd drift MyStack --accept --yes
 # Resolve drift: AWS ← state (push state values back into AWS via provider.update)
 cdkd drift MyStack --revert --yes
 
+# Refresh the deploy-time AWS snapshot used as drift baseline.
+# Run this once after upgrading from a pre-v3 cdkd binary (= state schema
+# `version: 2`) so console-side changes to keys you didn't template can
+# be detected for resources that won't change in any near-future deploy.
+# Same idempotent behavior on the same v3 state — see "Drift detection"
+# below for the full upgrade story.
+cdkd state refresh-observed MyStack
+
 # Dry run (plan only, no changes)
 cdkd deploy --dry-run
 

package/dist/cli.js

@@ -9181,8 +9181,7 @@ var IAMRoleProvider = class {
         marker = tagsResp.Marker;
       }
       const tags = normalizeAwsTagsToCfn(collected);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       if (!(err instanceof NoSuchEntityException))
         throw err;
@@ -12205,8 +12204,7 @@ var S3BucketProvider = class {
     try {
       const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: physicalId }));
       const tags = normalizeAwsTagsToCfn(resp.TagSet);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       const e = err;
       if (e.name !== "NoSuchTagSet") {
@@ -12892,8 +12890,7 @@ var SQSQueueProvider = class {
         new ListQueueTagsCommand({ QueueUrl: physicalId })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       if (err instanceof QueueDoesNotExist)
         return void 0;
@@ -13585,8 +13582,7 @@ var SNSTopicProvider = class {
         new ListTagsForResourceCommand({ ResourceArn: physicalId })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       if (err instanceof NotFoundException)
         return void 0;
@@ -14872,8 +14868,7 @@ var LambdaFunctionProvider = class {
           result["VpcConfig"] = vpc;
       }
       const tags = normalizeAwsTagsToCfn(resp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException)
@@ -16445,8 +16440,7 @@ var DynamoDBTableProvider = class {
             new ListTagsOfResourceCommand({ ResourceArn: table.TableArn })
           );
           const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-          if (tags.length > 0)
-            result["Tags"] = tags;
+          result["Tags"] = tags;
         } catch (err) {
           if (err instanceof ResourceNotFoundException6)
             return void 0;
@@ -16811,8 +16805,7 @@ var LogsLogGroupProvider = class {
             new ListTagsForResourceCommand2({ resourceArn: arnForTags })
           );
           const tags = normalizeAwsTagsToCfn(tagsResp.tags);
-          if (tags.length > 0)
-            result["Tags"] = tags;
+          result["Tags"] = tags;
         } catch (err) {
           if (err instanceof ResourceNotFoundException7)
             return void 0;
@@ -17194,8 +17187,7 @@ var CloudWatchAlarmProvider = class {
           new ListTagsForResourceCommand3({ ResourceARN: alarm.AlarmArn })
         );
         const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-        if (tags.length > 0)
-          result["Tags"] = tags;
+        result["Tags"] = tags;
       } catch (err) {
         this.logger.debug(
           `CloudWatch ListTagsForResource(${alarm.AlarmArn}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -17569,8 +17561,7 @@ var SecretsManagerSecretProvider = class {
         });
       }
       const tags = normalizeAwsTagsToCfn(resp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException8)
@@ -17932,8 +17923,7 @@ var SSMParameterProvider = class {
         })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch {
     }
     return result;
@@ -18345,8 +18335,7 @@ var EventBridgeRuleProvider = class {
         new ListTagsForResourceCommand5({ ResourceARN: physicalId })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       if (!(err instanceof ResourceNotFoundException9)) {
         throw err;
@@ -18762,8 +18751,7 @@ var EventBridgeBusProvider = class {
             new ListTagsForResourceCommand6({ ResourceARN: resp.Arn })
           );
           const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-          if (tags.length > 0)
-            result["Tags"] = tags;
+          result["Tags"] = tags;
         } catch (err) {
           if (err instanceof ResourceNotFoundException10)
             return void 0;
@@ -23069,8 +23057,7 @@ var ApiGatewayV2Provider = class {
       if (resp.CorsConfiguration)
         result["CorsConfiguration"] = resp.CorsConfiguration;
       const tags = normalizeAwsTagsToCfn(resp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof NotFoundException4)
@@ -24596,8 +24583,7 @@ var StepFunctionsProvider = class {
         new ListTagsForResourceCommand8({ resourceArn: physicalId })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       if (!(err instanceof StateMachineDoesNotExist))
         throw err;
@@ -25489,8 +25475,7 @@ var ECSProvider = class {
       }));
     }
     const tags = normalizeAwsTagsToCfn(c.tags);
-    if (tags.length > 0)
-      result["Tags"] = tags;
+    result["Tags"] = tags;
     return result;
   }
   async readCurrentStateService(physicalId) {
@@ -25560,8 +25545,7 @@ var ECSProvider = class {
       result["ServiceRegistries"] = s.serviceRegistries;
     }
     const tags = normalizeAwsTagsToCfn(s.tags);
-    if (tags.length > 0)
-      result["Tags"] = tags;
+    result["Tags"] = tags;
     return result;
   }
   async readCurrentStateTaskDefinition(physicalId) {
@@ -25612,8 +25596,7 @@ var ECSProvider = class {
       result["ContainerDefinitions"] = td.containerDefinitions;
     }
     const tags = normalizeAwsTagsToCfn(resp.tags);
-    if (tags.length > 0)
-      result["Tags"] = tags;
+    result["Tags"] = tags;
     return result;
   }
   /**
@@ -26403,8 +26386,7 @@ var ELBv2Provider = class {
       const resp = await this.getClient().send(new DescribeTagsCommand({ ResourceArns: [arn] }));
       const tagDesc = resp.TagDescriptions?.[0];
       const tags = normalizeAwsTagsToCfn(tagDesc?.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       this.logger.debug(
         `ELBv2 DescribeTags(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -27316,8 +27298,7 @@ var RDSProvider = class {
         new ListTagsForResourceCommand10({ ResourceName: arn })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       this.logger.debug(
         `RDS ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -28615,8 +28596,7 @@ var WAFv2WebACLProvider = class {
         new ListTagsForResourceCommand12({ ResourceARN: physicalId })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.TagInfoForResource?.TagList);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       this.logger.debug(
         `WAFv2 ListTagsForResource(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -29747,8 +29727,7 @@ var ElastiCacheProvider = class {
         new ListTagsForResourceCommand14({ ResourceName: arn })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       this.logger.debug(
         `ElastiCache ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -30321,8 +30300,7 @@ var ServiceDiscoveryProvider = class {
         new ListTagsForResourceCommand15({ ResourceARN: arn })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       this.logger.debug(
         `ServiceDiscovery ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -31046,8 +31024,7 @@ var AppSyncProvider = class {
         result["LogConfig"] = log;
     }
     const tags = normalizeAwsTagsToCfn(api.tags);
-    if (tags.length > 0)
-      result["Tags"] = tags;
+    result["Tags"] = tags;
     return result;
   }
   async readDataSource(physicalId) {
@@ -32346,8 +32323,7 @@ var KMSProvider = class {
           new ListResourceTagsCommand({ KeyId: md.KeyId })
         );
         const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-        if (tags.length > 0)
-          result["Tags"] = tags;
+        result["Tags"] = tags;
       } catch (err) {
         if (err instanceof NotFoundException5)
           return void 0;
@@ -32791,8 +32767,7 @@ var KinesisStreamProvider = class {
         new ListTagsForStreamCommand({ StreamName: physicalId })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       if (err instanceof ResourceNotFoundException13)
         return void 0;
@@ -33992,8 +33967,7 @@ var FirehoseProvider = class {
         new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
-      if (tags.length > 0)
-        result["Tags"] = tags;
+      result["Tags"] = tags;
     } catch (err) {
       if (err instanceof ResourceNotFoundException14)
         return void 0;
@@ -34410,8 +34384,7 @@ var CloudTrailProvider = class {
           new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
         );
         const tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagList?.[0]?.TagsList);
-        if (tags.length > 0)
-          result["Tags"] = tags;
+        result["Tags"] = tags;
       } catch (err) {
         this.logger.debug(
           `CloudTrail ListTags(${trail.TrailARN}) failed: ${err instanceof Error ? err.message : String(err)}`
@@ -34875,8 +34848,7 @@ var CodeBuildProvider = class {
         result["Environment"] = env;
     }
     const tags = normalizeAwsTagsToCfn(project.tags);
-    if (tags.length > 0)
-      result["Tags"] = tags;
+    result["Tags"] = tags;
     return result;
   }
   async import(input) {
@@ -36471,8 +36443,7 @@ var ECRProvider = class {
           new ListTagsForResourceCommand18({ resourceArn: r.repositoryArn })
         );
         const tags = normalizeAwsTagsToCfn(tagsResp.tags);
-        if (tags.length > 0)
-          result["Tags"] = tags;
+        result["Tags"] = tags;
       } catch (err) {
         if (!(err instanceof RepositoryNotFoundException))
           throw err;
@@ -39057,6 +39028,14 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
           resource.properties ?? {}
         );
       } else {
+        if (resource.resourceType.startsWith("Custom::")) {
+          outcomes.push({
+            kind: "unsupported",
+            logicalId,
+            resourceType: resource.resourceType
+          });
+          continue;
+        }
         if (CC_API_FALLBACK_DENY_LIST[resource.resourceType]) {
           outcomes.push({
             kind: "unsupported",
@@ -41875,6 +41854,215 @@ function createStateInfoCommand() {
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
+async function stateRefreshObservedCommand(stackArgs, options) {
+  const logger = getLogger();
+  if (options.verbose)
+    logger.setLevel("debug");
+  if (!options.all && stackArgs.length === 0) {
+    throw new Error(
+      "Stack name is required. Usage: cdkd state refresh-observed <stack> [<stack>...] | --all"
+    );
+  }
+  const setup = await setupStateBackend(options);
+  const providerRegistry = new ProviderRegistry();
+  registerAllProviders(providerRegistry);
+  providerRegistry.setCustomResourceResponseBucket(setup.bucket);
+  try {
+    const stateRefs = await setup.stateBackend.listStacks();
+    let targets;
+    if (options.all) {
+      targets = options.stackRegion ? stateRefs.filter((r) => r.region === options.stackRegion) : stateRefs;
+      if (targets.length === 0) {
+        logger.info("No stacks found in state");
+        return;
+      }
+    } else {
+      targets = [];
+      for (const stackName of stackArgs) {
+        const matches = stateRefs.filter((r) => r.stackName === stackName);
+        if (matches.length === 0) {
+          throw new Error(
+            `No state found for stack '${stackName}'. Run 'cdkd state list' to see available stacks.`
+          );
+        }
+        if (options.stackRegion) {
+          const ref = matches.find((r) => r.region === options.stackRegion);
+          if (!ref) {
+            const seen = matches.map((r) => r.region ?? "(legacy)").join(", ");
+            throw new Error(
+              `No state found for stack '${stackName}' in region '${options.stackRegion}'. Available regions: ${seen}.`
+            );
+          }
+          targets.push(ref);
+        } else if (matches.length === 1) {
+          targets.push(matches[0]);
+        } else {
+          const regions = matches.map((r) => r.region ?? "(legacy)").join(", ");
+          throw new Error(
+            `Stack '${stackName}' has state in multiple regions: ${regions}. Re-run with --stack-region <region> to disambiguate.`
+          );
+        }
+      }
+    }
+    if (!options.yes && !options.dryRun) {
+      const targetList = targets.map(formatStackRef).join(", ");
+      const ok = await confirmRefresh(
+        `Refresh observedProperties for ${targets.length} stack(s) (${targetList})?`
+      );
+      if (!ok) {
+        logger.info("Aborted.");
+        return;
+      }
+    }
+    let totalRefreshed = 0;
+    let totalUnsupported = 0;
+    let totalFailed = 0;
+    for (const target of targets) {
+      if (!target.region) {
+        throw new Error(
+          `Stack '${target.stackName}' has only a legacy state record without a region. Run 'cdkd deploy ${target.stackName}' (or any cdkd write) first to migrate it to the region-scoped layout, then re-run refresh-observed.`
+        );
+      }
+      const counts = await refreshObservedForStack(
+        target.stackName,
+        target.region,
+        setup.stateBackend,
+        setup.lockManager,
+        providerRegistry,
+        { dryRun: options.dryRun ?? false, logger }
+      );
+      totalRefreshed += counts.refreshed;
+      totalUnsupported += counts.unsupported;
+      totalFailed += counts.failed;
+    }
+    const summary = options.dryRun ? `Plan: ${totalRefreshed} resource(s) would be refreshed, ${totalUnsupported} unsupported, ${totalFailed} would fail (--dry-run, no state was written)` : `Done: ${totalRefreshed} resource(s) refreshed, ${totalUnsupported} unsupported, ${totalFailed} failed`;
+    logger.info(`
+${summary}`);
+    if (totalFailed > 0) {
+      throw new PartialFailureError(
+        `Refresh completed with ${totalFailed} per-resource readCurrentState failure(s). Affected resources keep their previous observedProperties (or no observedProperties at all). Re-run 'cdkd state refresh-observed' to retry.`
+      );
+    }
+  } finally {
+    setup.dispose();
+  }
+}
+async function refreshObservedForStack(stackName, region, stateBackend, lockManager, providerRegistry, opts) {
+  const { logger } = opts;
+  const result = await stateBackend.getState(stackName, region);
+  if (!result) {
+    throw new Error(
+      `No state found for stack '${stackName}' (${region}). Run 'cdkd state list' to see available stacks.`
+    );
+  }
+  const { state, etag, migrationPending } = result;
+  const entries = Object.entries(state.resources ?? {});
+  if (entries.length === 0) {
+    logger.info(`\u2713 ${stackName} (${region}): no resources in state, skipping`);
+    return { refreshed: 0, unsupported: 0, failed: 0 };
+  }
+  if (opts.dryRun) {
+    let wouldRefresh = 0;
+    let wouldUnsupported = 0;
+    for (const [, resource] of entries) {
+      let provider;
+      try {
+        provider = providerRegistry.getProvider(resource.resourceType);
+      } catch {
+        wouldUnsupported++;
+        continue;
+      }
+      if (provider.readCurrentState)
+        wouldRefresh++;
+      else
+        wouldUnsupported++;
+    }
+    logger.info(
+      `Plan ${stackName} (${region}): ${wouldRefresh} resource(s) would be refreshed, ${wouldUnsupported} unsupported`
+    );
+    return { refreshed: wouldRefresh, unsupported: wouldUnsupported, failed: 0 };
+  }
+  const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+  await lockManager.acquireLock(stackName, region, owner, "state-refresh-observed");
+  try {
+    let refreshed = 0;
+    let unsupported = 0;
+    let failed = 0;
+    await withStackName(stackName, async () => {
+      const tasks = entries.map(async ([logicalId, resource]) => {
+        if (providerRegistry.shouldSkipResource(resource.resourceType)) {
+          unsupported++;
+          return;
+        }
+        let provider;
+        try {
+          provider = providerRegistry.getProvider(resource.resourceType);
+        } catch {
+          unsupported++;
+          return;
+        }
+        if (!provider.readCurrentState) {
+          unsupported++;
+          return;
+        }
+        try {
+          const observed = await provider.readCurrentState(
+            resource.physicalId,
+            logicalId,
+            resource.resourceType,
+            resource.properties ?? {}
+          );
+          if (observed === void 0) {
+            unsupported++;
+            return;
+          }
+          resource.observedProperties = observed;
+          refreshed++;
+        } catch (err) {
+          failed++;
+          logger.warn(
+            `  \u2717 ${stackName}/${logicalId} (${resource.resourceType}): readCurrentState failed \u2014 ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+      });
+      await Promise.all(tasks);
+    });
+    state.lastModified = Date.now();
+    const saveOptions = {
+      expectedEtag: etag
+    };
+    if (migrationPending)
+      saveOptions.migrateLegacy = true;
+    await stateBackend.saveState(stackName, region, state, saveOptions);
+    logger.info(
+      `\u2713 ${stackName} (${region}): ${refreshed} refreshed, ${unsupported} unsupported, ${failed} failed`
+    );
+    return { refreshed, unsupported, failed };
+  } finally {
+    await lockManager.releaseLock(stackName, region).catch((err) => {
+      logger.warn(
+        `Failed to release lock for ${stackName} (${region}): ` + (err instanceof Error ? err.message : String(err))
+      );
+    });
+  }
+}
+async function confirmRefresh(prompt) {
+  const rl = readline5.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+function createStateRefreshObservedCommand() {
+  const cmd = new Command12("refresh-observed").description(
+    "Refresh observedProperties for every resource in a stack by calling provider.readCurrentState \u2014 populates the drift baseline for stacks deployed before state schema v3, without redeploying."
+  ).argument("[stacks...]", "Stack name(s) to refresh (physical CloudFormation names)").option("--all", "Refresh every stack in the state bucket", false).option("--dry-run", "Print the per-stack refresh count without writing state", false).addOption(stackRegionOption2()).action(withErrorHandling(stateRefreshObservedCommand));
+  [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
+  return cmd;
+}
 function createStateCommand() {
   const cmd = new Command12("state").description("Manage cdkd state stored in S3");
   cmd.addCommand(createStateInfoCommand());
@@ -41884,6 +42072,7 @@ function createStateCommand() {
   cmd.addCommand(createStateOrphanCommand());
   cmd.addCommand(createStateDestroyCommand());
   cmd.addCommand(createStateMigrateCommand());
+  cmd.addCommand(createStateRefreshObservedCommand());
   return cmd;
 }
 
@@ -42666,7 +42855,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.47.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.49.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());