@go-to-k/cdkd 0.51.1 → 0.51.3

package/dist/cli.js

@@ -15839,6 +15839,7 @@ import {
   DeleteEventSourceMappingCommand,
   UpdateEventSourceMappingCommand,
   GetEventSourceMappingCommand,
+  ListTagsCommand as ListTagsCommand2,
   TagResourceCommand as TagResourceCommand3,
   UntagResourceCommand as UntagResourceCommand3,
   ResourceNotFoundException as ResourceNotFoundException4
@@ -16152,21 +16153,24 @@ var LambdaEventSourceMappingProvider = class {
    * `LastProcessingResult`, `State`, `StateTransitionReason`,
    * `EventSourceMappingArn`) are filtered at the wire layer.
    *
-   * `FunctionName` is surfaced as the AWS `FunctionArn` (which is what
-   * `GetEventSourceMapping` returns) — cdkd state typically holds this
-   * resolved ARN form already after intrinsic resolution. The drift
-   * comparator can match against both forms when state holds a name vs an
-   * ARN; mismatched-shape false positives are out of scope for v1.
+   * `FunctionName`: AWS's `GetEventSourceMapping` always returns the
+   * resolved ARN. cdkd state typically holds the same ARN after intrinsic
+   * resolution, but a hand-authored state might carry the bare function
+   * name. We surface the form that matches state when possible: if the
+   * `properties?.FunctionName` is the bare name AND the AWS-current
+   * ARN's last segment matches that name, emit the bare name; otherwise
+   * emit the ARN. (The two forms address the same Lambda function — the
+   * shape-mismatch was the only reason a clean run fired drift.)
    *
-   * `Tags` is omitted: cdkd `create()` reshapes CFn tag arrays into a
-   * tags map at create time, but `GetEventSourceMapping` does not return
-   * tags (`ListTags(Resource: arn)` does). Same shape-decision rationale
-   * as Lambda function tags drift — out of scope for v1.
+   * `Tags` are surfaced via a follow-up `ListTags(Resource=<ESM ARN>)`
+   * call. Always-emit `[]` so a console-side tag ADD on a previously-
+   * untagged event source mapping is detectable on the v3
+   * observedProperties baseline.
    *
    * Returns `undefined` when the mapping is gone
    * (`ResourceNotFoundException`).
    */
-  async readCurrentState(physicalId, _logicalId, _resourceType) {
+  async readCurrentState(physicalId, _logicalId, _resourceType, properties) {
     let resp;
     try {
       resp = await this.lambdaClient.send(new GetEventSourceMappingCommand({ UUID: physicalId }));
@@ -16176,8 +16180,15 @@ var LambdaEventSourceMappingProvider = class {
       throw err;
     }
     const result = {};
-    if (resp.FunctionArn !== void 0)
-      result["FunctionName"] = resp.FunctionArn;
+    if (resp.FunctionArn !== void 0) {
+      const stateFn = properties?.["FunctionName"];
+      const arnTail = resp.FunctionArn.split(":").pop();
+      if (typeof stateFn === "string" && !stateFn.includes(":") && stateFn === arnTail) {
+        result["FunctionName"] = stateFn;
+      } else {
+        result["FunctionName"] = resp.FunctionArn;
+      }
+    }
     if (resp.EventSourceArn !== void 0)
       result["EventSourceArn"] = resp.EventSourceArn;
     if (resp.BatchSize !== void 0)
@@ -16236,6 +16247,20 @@ var LambdaEventSourceMappingProvider = class {
       const enabled = resp.State === "Enabled" || resp.State === "Enabling" || resp.State === "Updating";
       result["Enabled"] = enabled;
     }
+    let tags = [];
+    if (resp.EventSourceMappingArn) {
+      try {
+        const tagsResp = await this.lambdaClient.send(
+          new ListTagsCommand2({ Resource: resp.EventSourceMappingArn })
+        );
+        const tagMap = tagsResp.Tags ?? {};
+        tags = Object.entries(tagMap).filter(([k]) => !k.startsWith("aws:")).map(([Key, Value]) => ({ Key, Value })).sort((a, b) => a.Key.localeCompare(b.Key));
+      } catch (err) {
+        if (err instanceof ResourceNotFoundException4)
+          return void 0;
+      }
+    }
+    result["Tags"] = tags;
     return result;
   }
   /**
@@ -16267,7 +16292,7 @@ import {
   DeleteLayerVersionCommand,
   GetLayerVersionByArnCommand,
   ListLayersCommand,
-  ListTagsCommand as ListTagsCommand2,
+  ListTagsCommand as ListTagsCommand3,
   ResourceNotFoundException as ResourceNotFoundException5
 } from "@aws-sdk/client-lambda";
 init_aws_clients();
@@ -16526,7 +16551,7 @@ var LambdaLayerVersionProvider = class {
           continue;
         try {
           const tagsResp = await this.lambdaClient.send(
-            new ListTagsCommand2({ Resource: layer.LayerArn })
+            new ListTagsCommand3({ Resource: layer.LayerArn })
           );
           if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
             return {
@@ -17005,6 +17030,7 @@ var DynamoDBTableProvider = class {
 import {
   CreateLogGroupCommand,
   DeleteLogGroupCommand,
+  DescribeIndexPoliciesCommand,
   DescribeLogGroupsCommand,
   GetDataProtectionPolicyCommand,
   ListTagsForResourceCommand as ListTagsForResourceCommand2,
@@ -17258,16 +17284,26 @@ var LogsLogGroupProvider = class {
    * `RetentionInDays`).
    *
    * Coverage: `LogGroupName`, `KmsKeyId`, `RetentionInDays`,
-   * `LogGroupClass`, `Tags`, plus `DataProtectionPolicy` (via
+   * `LogGroupClass`, `Tags`, `DataProtectionPolicy` (via
    * `GetDataProtectionPolicy`, JSON-parsed back to the object form
-   * cdkd state holds). Still out of scope: `FieldIndexPolicies`
-   * (separate `DescribeFieldIndexPolicies` call, follow-up),
+   * cdkd state holds), `DeletionProtectionEnabled` and
+   * `BearerTokenAuthenticationEnabled` (both surfaced directly from
+   * `DescribeLogGroups` — the SDK's LogGroup type carries them as
+   * `deletionProtectionEnabled` / `bearerTokenAuthenticationEnabled`),
+   * and `FieldIndexPolicies` (via `DescribeIndexPolicies`, filtered to
+   * log-group-level policies and JSON-parsed). Still out of scope:
    * `ResourcePolicyDocument` (managed by the separate
    * `AWS::Logs::ResourcePolicy` resource type — account-wide, not
-   * per-log-group), `DeletionProtectionEnabled` (not surfaced by
-   * `DescribeLogGroups`; would need a yet-undocumented separate API),
-   * `BearerTokenAuthenticationEnabled` (specialized X-Ray / service-log
-   * endpoint feature, also not in `DescribeLogGroups`).
+   * per-log-group).
+   *
+   * Known limitation: cdkd's `create()` / `update()` flows do NOT yet
+   * apply `FieldIndexPolicies` / `DeletionProtectionEnabled` /
+   * `BearerTokenAuthenticationEnabled` — they're in `handledProperties`
+   * to prevent CC API fallback but no actual `PutIndexPolicy` /
+   * `PutLogGroupDeletionProtection` / `PutBearerTokenAuthentication`
+   * calls fire. Surfacing these in `readCurrentState` means a user
+   * who templates them will see drift on the first run; a follow-up
+   * needs to wire the create/update flow.
    *
    * Tags are read via `ListTagsForResource` (using the log-group ARN from
    * the same `DescribeLogGroups` response). CDK's `aws:*` auto-tags are
@@ -17291,6 +17327,8 @@ var LogsLogGroupProvider = class {
       result["RetentionInDays"] = found.retentionInDays ?? 0;
       if (found.logGroupClass !== void 0)
         result["LogGroupClass"] = found.logGroupClass;
+      result["DeletionProtectionEnabled"] = found.deletionProtectionEnabled ?? false;
+      result["BearerTokenAuthenticationEnabled"] = found.bearerTokenAuthenticationEnabled ?? false;
       let tags = [];
       if (found.arn) {
         const arnForTags = found.arn.replace(/:\*$/, "");
@@ -17321,6 +17359,24 @@ var LogsLogGroupProvider = class {
       } catch {
       }
       result["DataProtectionPolicy"] = dpp;
+      let fieldIndexPolicies = [];
+      try {
+        const idxResp = await this.logsClient.send(
+          new DescribeIndexPoliciesCommand({ logGroupIdentifiers: [physicalId] })
+        );
+        const logGroupLevel = (idxResp.indexPolicies ?? []).filter((p) => p.source !== "ACCOUNT");
+        fieldIndexPolicies = logGroupLevel.map((p) => {
+          if (!p.policyDocument)
+            return void 0;
+          try {
+            return JSON.parse(p.policyDocument);
+          } catch {
+            return p.policyDocument;
+          }
+        }).filter((p) => p !== void 0);
+      } catch {
+      }
+      result["FieldIndexPolicies"] = fieldIndexPolicies;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException7)
@@ -18394,10 +18450,21 @@ var SSMParameterProvider = class {
    *
    * `Name` is set to the physical id. `Tags` is surfaced via a follow-up
    * `ListTagsForResource(ResourceType=Parameter)` call, with CDK's `aws:*`
-   * auto-tags filtered out. `Policies` is intentionally out of scope:
-   * `DescribeParameters.Policies` returns a structured array but cdkd state
-   * holds the raw JSON string the user typed — comparing the two accurately
-   * needs more work.
+   * auto-tags filtered out.
+   *
+   * `Policies` is surfaced from the same `DescribeParameters` response.
+   * AWS returns `Parameters[0].Policies` as
+   * `[{PolicyText, PolicyType, PolicyStatus}]`; cdkd state holds a JSON
+   * string of the user-templated policy array (CFn's documented shape).
+   * To compare cleanly we parse each `PolicyText` (itself JSON) into
+   * objects, drop the AWS-managed `PolicyStatus` (Pending / InSync /
+   * Expired), and emit the parsed object array. On the v3
+   * `observedProperties` baseline this matches `observedProperties` (which
+   * stored our parsed output at deploy time) exactly. On the v2 fallback
+   * baseline (state.properties = JSON string) the comparator reports a
+   * one-time drift on first run; users resolve via
+   * `cdkd state refresh-observed`. Always-emit `[]` placeholder for
+   * console-side ADD detection.
    *
    * **Note**: For `SecureString` parameters, AWS returns the encrypted
    * blob in `Value` (we pass `WithDecryption: false`). cdkd state usually
@@ -18429,6 +18496,7 @@ var SSMParameterProvider = class {
       result["Value"] = param.Value;
     if (param.DataType !== void 0)
       result["DataType"] = param.DataType;
+    let policiesEmitted = false;
     try {
       const desc = await this.ssmClient.send(
         new DescribeParametersCommand({
@@ -18441,8 +18509,22 @@ var SSMParameterProvider = class {
       if (meta?.Tier !== void 0) {
         result["Tier"] = meta.Tier;
       }
+      const parsedPolicies = [];
+      for (const p of meta?.Policies ?? []) {
+        if (!p.PolicyText)
+          continue;
+        try {
+          parsedPolicies.push(JSON.parse(p.PolicyText));
+        } catch {
+          parsedPolicies.push(p.PolicyText);
+        }
+      }
+      result["Policies"] = parsedPolicies;
+      policiesEmitted = true;
     } catch {
     }
+    if (!policiesEmitted)
+      result["Policies"] = [];
     try {
       const tagsResp = await this.ssmClient.send(
         new ListTagsForResourceCommand4({
@@ -24930,10 +25012,13 @@ var AgentCoreRuntimeProvider = class {
    *
    * `ProtocolConfiguration` parity: `create()` accepts a CFn-style string
    * (`"HTTP"`) and converts it to `{serverProtocol: "HTTP"}` for the SDK.
-   * The SDK returns the object form. We surface the object form here; if
-   * cdkd state holds the original string the comparator will report drift
-   * — users can inspect and dismiss this case manually. (A more elaborate
-   * shape negotiation belongs in a follow-up that knows about both forms.)
+   * The SDK returns the object form. We surface the **string form** here
+   * (extract `serverProtocol` from the SDK object) since CFn's
+   * `AWS::BedrockAgentCore::Runtime.ProtocolConfiguration` is documented
+   * as a string and that's what cdkd state typically holds after CDK
+   * synth. If state happens to carry the object form (legacy / hand-
+   * authored), the comparator will report a one-time drift the user can
+   * resolve via `cdkd state refresh-observed`.
    *
    * `ClientToken` is omitted: AWS does not surface it back via
    * `GetAgentRuntime` (it's an idempotency token only meaningful at create
@@ -24968,7 +25053,13 @@ var AgentCoreRuntimeProvider = class {
       result["AuthorizerConfiguration"] = camelToPascalCaseKeys(resp.authorizerConfiguration);
     }
     if (resp.protocolConfiguration !== void 0) {
-      result["ProtocolConfiguration"] = camelToPascalCaseKeys(resp.protocolConfiguration);
+      const proto = resp.protocolConfiguration;
+      const keys = Object.keys(proto);
+      if (keys.length === 1 && keys[0] === "serverProtocol" && typeof proto["serverProtocol"] === "string") {
+        result["ProtocolConfiguration"] = proto["serverProtocol"];
+      } else {
+        result["ProtocolConfiguration"] = camelToPascalCaseKeys(resp.protocolConfiguration);
+      }
     }
     if (resp.lifecycleConfiguration !== void 0) {
       result["LifecycleConfiguration"] = camelToPascalCaseKeys(resp.lifecycleConfiguration);
@@ -35127,20 +35218,26 @@ var FirehoseProvider = class {
    * `KinesisStreamSourceConfiguration` parent fields when present (the
    * `DescribeDeliveryStream` response splits source under `Source.KinesisStreamSourceDescription`).
    *
-   * Destination configurations (`*DestinationConfiguration` in CFn vs.
-   * `*DestinationDescription` in `DescribeDeliveryStream`) are intentionally
-   * not re-shaped here. Their nested fields are large and the description
-   * vs. configuration shape divergence (extra metadata, write-only fields
-   * like `Password` redacted) makes a clean comparator surface impossible
-   * for v1. We do surface the destination *kind* under a stable key so
-   * users at least see destination drift across types, but not the inner
-   * fields. Drift on destination contents is best chased manually via
-   * `aws firehose describe-delivery-stream` for now.
+   * **Destination configurations**: partial coverage. AWS returns destination
+   * config under `Destinations[0].*DestinationDescription` (note:
+   * `Description`, not `Configuration`). For S3 / ExtendedS3 destinations
+   * the top-level fields with a clean reverse-mapping are surfaced —
+   * `BucketARN`, `RoleARN`, `Prefix`, `ErrorOutputPrefix`, `BufferingHints`,
+   * `CompressionFormat`, plus `S3BackupMode` for Extended. Inner nested
+   * fields (`EncryptionConfiguration`, `CloudWatchLoggingOptions`,
+   * `ProcessingConfiguration`, `DataFormatConversionConfiguration`,
+   * `DynamicPartitioningConfiguration`, `S3BackupConfiguration`) are not
+   * re-shaped — AWS auto-defaults / extra-metadata / write-only redaction
+   * (`Password`) make the round-trip unsafe; they're declared via
+   * `getDriftUnknownPaths()` so the comparator skips them instead of firing
+   * false drift. Non-S3 destination types
+   * (`Redshift`/`Elasticsearch`/`Amazonopensearchservice`/`Splunk`/`HttpEndpoint`/`AmazonOpenSearchServerless`)
+   * stay drift-unknown for v1 — same shape-divergence problem at scale.
+   * `DeliveryStreamEncryptionConfigurationInput` also drift-unknown.
    *
    * Tags are surfaced via a follow-up `ListTagsForDeliveryStream` call
-   * with `aws:*` filtered out and the result key omitted when empty.
-   * `DeliveryStreamEncryptionConfigurationInput` is still skipped (shape
-   * decision deferred).
+   * with `aws:*` filtered out and always emitted as `[]` placeholder when
+   * no user tags remain.
    *
    * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
    */
@@ -35176,6 +35273,60 @@ var FirehoseProvider = class {
         result["KinesisStreamSourceConfiguration"] = srcOut;
       }
     }
+    const dest = desc.Destinations?.[0];
+    if (dest?.ExtendedS3DestinationDescription) {
+      const ext = dest.ExtendedS3DestinationDescription;
+      const out = {};
+      if (ext.BucketARN !== void 0)
+        out["BucketARN"] = ext.BucketARN;
+      if (ext.RoleARN !== void 0)
+        out["RoleARN"] = ext.RoleARN;
+      if (ext.Prefix !== void 0)
+        out["Prefix"] = ext.Prefix;
+      if (ext.ErrorOutputPrefix !== void 0)
+        out["ErrorOutputPrefix"] = ext.ErrorOutputPrefix;
+      if (ext.CompressionFormat !== void 0)
+        out["CompressionFormat"] = ext.CompressionFormat;
+      if (ext.BufferingHints) {
+        const hints = {};
+        if (ext.BufferingHints.SizeInMBs !== void 0)
+          hints["SizeInMBs"] = ext.BufferingHints.SizeInMBs;
+        if (ext.BufferingHints.IntervalInSeconds !== void 0)
+          hints["IntervalInSeconds"] = ext.BufferingHints.IntervalInSeconds;
+        if (Object.keys(hints).length > 0)
+          out["BufferingHints"] = hints;
+      }
+      if (ext.S3BackupMode !== void 0)
+        out["S3BackupMode"] = ext.S3BackupMode;
+      if (Object.keys(out).length > 0) {
+        result["ExtendedS3DestinationConfiguration"] = out;
+      }
+    } else if (dest?.S3DestinationDescription) {
+      const s3 = dest.S3DestinationDescription;
+      const out = {};
+      if (s3.BucketARN !== void 0)
+        out["BucketARN"] = s3.BucketARN;
+      if (s3.RoleARN !== void 0)
+        out["RoleARN"] = s3.RoleARN;
+      if (s3.Prefix !== void 0)
+        out["Prefix"] = s3.Prefix;
+      if (s3.ErrorOutputPrefix !== void 0)
+        out["ErrorOutputPrefix"] = s3.ErrorOutputPrefix;
+      if (s3.CompressionFormat !== void 0)
+        out["CompressionFormat"] = s3.CompressionFormat;
+      if (s3.BufferingHints) {
+        const hints = {};
+        if (s3.BufferingHints.SizeInMBs !== void 0)
+          hints["SizeInMBs"] = s3.BufferingHints.SizeInMBs;
+        if (s3.BufferingHints.IntervalInSeconds !== void 0)
+          hints["IntervalInSeconds"] = s3.BufferingHints.IntervalInSeconds;
+        if (Object.keys(hints).length > 0)
+          out["BufferingHints"] = hints;
+      }
+      if (Object.keys(out).length > 0) {
+        result["S3DestinationConfiguration"] = out;
+      }
+    }
     try {
       const tagsResp = await this.getClient().send(
         new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId })
@@ -35191,6 +35342,45 @@ var FirehoseProvider = class {
     }
     return result;
   }
+  /**
+   * Drift-unknown paths for `AWS::KinesisFirehose::DeliveryStream`.
+   *
+   * The drift comparator skips these state property paths so they never
+   * fire false-positive drift on every run. See the `readCurrentState`
+   * docstring for the full rationale per category.
+   *
+   * Categories:
+   *  - Inner nested fields under S3 / ExtendedS3 destinations: shape
+   *    divergence between `Configuration` (CFn input) and `Description`
+   *    (AWS read), AWS auto-defaults, write-only fields.
+   *  - Non-S3 destination types: same shape-divergence problem at scale,
+   *    deferred to a follow-up.
+   *  - `DeliveryStreamEncryptionConfigurationInput`: input-only shape
+   *    (`KeyARN` + `KeyType`) vs. read-side `DeliveryStreamEncryptionConfiguration`
+   *    (extra status / failure fields); not yet round-tripped.
+   */
+  getDriftUnknownPaths() {
+    return [
+      // S3 / ExtendedS3 nested fields with shape divergence
+      "S3DestinationConfiguration.EncryptionConfiguration",
+      "S3DestinationConfiguration.CloudWatchLoggingOptions",
+      "ExtendedS3DestinationConfiguration.EncryptionConfiguration",
+      "ExtendedS3DestinationConfiguration.CloudWatchLoggingOptions",
+      "ExtendedS3DestinationConfiguration.ProcessingConfiguration",
+      "ExtendedS3DestinationConfiguration.DataFormatConversionConfiguration",
+      "ExtendedS3DestinationConfiguration.DynamicPartitioningConfiguration",
+      "ExtendedS3DestinationConfiguration.S3BackupConfiguration",
+      // Non-S3 destinations (drift-unknown for v1)
+      "RedshiftDestinationConfiguration",
+      "ElasticsearchDestinationConfiguration",
+      "AmazonopensearchserviceDestinationConfiguration",
+      "SplunkDestinationConfiguration",
+      "HttpEndpointDestinationConfiguration",
+      "AmazonOpenSearchServerlessDestinationConfiguration",
+      // Encryption input shape (deferred)
+      "DeliveryStreamEncryptionConfigurationInput"
+    ];
+  }
   async import(input) {
     const explicit = resolveExplicitPhysicalId(input, "DeliveryStreamName");
     if (explicit) {
@@ -35270,7 +35460,7 @@ import {
   GetEventSelectorsCommand,
   GetInsightSelectorsCommand,
   ListTrailsCommand,
-  ListTagsCommand as ListTagsCommand3,
+  ListTagsCommand as ListTagsCommand4,
   AddTagsCommand as AddTagsCommand2,
   RemoveTagsCommand as RemoveTagsCommand2,
   TrailNotFoundException
@@ -35647,7 +35837,7 @@ var CloudTrailProvider = class {
     if (trail.TrailARN) {
       try {
         const tagsResp = await this.getClient().send(
-          new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
+          new ListTagsCommand4({ ResourceIdList: [trail.TrailARN] })
         );
         tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagList?.[0]?.TagsList);
       } catch (err) {
@@ -35683,7 +35873,7 @@ var CloudTrailProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
+            new ListTagsCommand4({ ResourceIdList: [trail.TrailARN] })
           );
           const list2 = tagsResp.ResourceTagList?.[0];
           if (matchesCdkPath(list2?.TagsList, input.cdkPath)) {
@@ -36160,6 +36350,98 @@ var CodeBuildProvider = class {
         cache2["Modes"] = project.cache.modes;
       result["Cache"] = cache2;
     }
+    result["SecondarySources"] = (project.secondarySources ?? []).map((s) => {
+      const out = {};
+      if (s.type !== void 0)
+        out["Type"] = s.type;
+      if (s.location !== void 0)
+        out["Location"] = s.location;
+      if (s.buildspec !== void 0)
+        out["BuildSpec"] = s.buildspec;
+      if (s.gitCloneDepth !== void 0)
+        out["GitCloneDepth"] = s.gitCloneDepth;
+      if (s.insecureSsl !== void 0)
+        out["InsecureSsl"] = s.insecureSsl;
+      if (s.reportBuildStatus !== void 0)
+        out["ReportBuildStatus"] = s.reportBuildStatus;
+      if (s.sourceIdentifier !== void 0)
+        out["SourceIdentifier"] = s.sourceIdentifier;
+      return out;
+    });
+    result["SecondaryArtifacts"] = (project.secondaryArtifacts ?? []).map((a) => {
+      const out = {};
+      if (a.type !== void 0)
+        out["Type"] = a.type;
+      if (a.location !== void 0)
+        out["Location"] = a.location;
+      if (a.path !== void 0)
+        out["Path"] = a.path;
+      if (a.name !== void 0)
+        out["Name"] = a.name;
+      if (a.namespaceType !== void 0)
+        out["NamespaceType"] = a.namespaceType;
+      if (a.packaging !== void 0)
+        out["Packaging"] = a.packaging;
+      if (a.encryptionDisabled !== void 0)
+        out["EncryptionDisabled"] = a.encryptionDisabled;
+      if (a.overrideArtifactName !== void 0) {
+        out["OverrideArtifactName"] = a.overrideArtifactName;
+      }
+      if (a.artifactIdentifier !== void 0)
+        out["ArtifactIdentifier"] = a.artifactIdentifier;
+      return out;
+    });
+    result["SecondarySourceVersions"] = (project.secondarySourceVersions ?? []).map((v) => {
+      const out = {};
+      if (v.sourceIdentifier !== void 0)
+        out["SourceIdentifier"] = v.sourceIdentifier;
+      if (v.sourceVersion !== void 0)
+        out["SourceVersion"] = v.sourceVersion;
+      return out;
+    });
+    result["FileSystemLocations"] = (project.fileSystemLocations ?? []).map((f) => {
+      const out = {};
+      if (f.type !== void 0)
+        out["Type"] = f.type;
+      if (f.location !== void 0)
+        out["Location"] = f.location;
+      if (f.mountPoint !== void 0)
+        out["MountPoint"] = f.mountPoint;
+      if (f.identifier !== void 0)
+        out["Identifier"] = f.identifier;
+      if (f.mountOptions !== void 0)
+        out["MountOptions"] = f.mountOptions;
+      return out;
+    });
+    if (project.buildBatchConfig) {
+      const bbc = {};
+      if (project.buildBatchConfig.serviceRole !== void 0) {
+        bbc["ServiceRole"] = project.buildBatchConfig.serviceRole;
+      }
+      if (project.buildBatchConfig.restrictions !== void 0) {
+        const r = {};
+        if (project.buildBatchConfig.restrictions.maximumBuildsAllowed !== void 0) {
+          r["MaximumBuildsAllowed"] = project.buildBatchConfig.restrictions.maximumBuildsAllowed;
+        }
+        if (project.buildBatchConfig.restrictions.computeTypesAllowed !== void 0) {
+          r["ComputeTypesAllowed"] = project.buildBatchConfig.restrictions.computeTypesAllowed;
+        }
+        bbc["Restrictions"] = r;
+      }
+      if (project.buildBatchConfig.timeoutInMins !== void 0) {
+        bbc["TimeoutInMins"] = project.buildBatchConfig.timeoutInMins;
+      }
+      if (project.buildBatchConfig.batchReportMode !== void 0) {
+        bbc["BatchReportMode"] = project.buildBatchConfig.batchReportMode;
+      }
+      if (project.buildBatchConfig.combineArtifacts !== void 0) {
+        bbc["CombineArtifacts"] = project.buildBatchConfig.combineArtifacts;
+      }
+      result["BuildBatchConfig"] = bbc;
+    } else {
+      result["BuildBatchConfig"] = {};
+    }
+    result["ResourceAccessRole"] = project.resourceAccessRole ?? "";
     const tags = normalizeAwsTagsToCfn(project.tags);
     result["Tags"] = tags;
     return result;
@@ -44299,7 +44581,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.1");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.51.3");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());