@go-to-k/cdkd 0.59.1 → 0.60.0

package/dist/cli.js

@@ -653,7 +653,7 @@ var destroyOptions = [
   ),
   new Option(
     "--remove-protection",
-    "Bypass deletion protection on protected resources by flipping the per-resource protection flag off in-place before delete. Covers stack-level terminationProtection (CDK property) and resource-level protection on AWS::Logs::LogGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::DynamoDB::Table, AWS::EC2::Instance, and AWS::ElasticLoadBalancingV2::LoadBalancer."
+    "Bypass deletion protection on protected resources by flipping the per-resource protection flag off in-place before delete. Covers stack-level terminationProtection (CDK property) and resource-level protection on AWS::Logs::LogGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::DocDB::DBCluster, AWS::Neptune::DBCluster, AWS::Neptune::DBInstance, AWS::DynamoDB::Table, AWS::EC2::Instance, AWS::Cognito::UserPool, AWS::AutoScaling::AutoScalingGroup, and AWS::ElasticLoadBalancingV2::LoadBalancer."
   ).default(false)
 ];
 
@@ -738,6 +738,32 @@ var FALLBACK_NAME_RULES = {
     nameProperty: "DBInstanceIdentifier",
     options: { maxLength: 63, lowercase: true }
   },
+  // DocumentDB — RDS-shaped API; same name constraints.
+  "AWS::DocDB::DBSubnetGroup": {
+    nameProperty: "DBSubnetGroupName",
+    options: { maxLength: 255, lowercase: true }
+  },
+  "AWS::DocDB::DBCluster": {
+    nameProperty: "DBClusterIdentifier",
+    options: { maxLength: 63, lowercase: true }
+  },
+  "AWS::DocDB::DBInstance": {
+    nameProperty: "DBInstanceIdentifier",
+    options: { maxLength: 63, lowercase: true }
+  },
+  // Neptune — RDS-shaped API; same name constraints.
+  "AWS::Neptune::DBSubnetGroup": {
+    nameProperty: "DBSubnetGroupName",
+    options: { maxLength: 255, lowercase: true }
+  },
+  "AWS::Neptune::DBCluster": {
+    nameProperty: "DBClusterIdentifier",
+    options: { maxLength: 63, lowercase: true }
+  },
+  "AWS::Neptune::DBInstance": {
+    nameProperty: "DBInstanceIdentifier",
+    options: { maxLength: 63, lowercase: true }
+  },
   "AWS::ElasticLoadBalancingV2::LoadBalancer": {
     nameProperty: "Name",
     options: { maxLength: 32 }
@@ -30019,70 +30045,89 @@ var RDSProvider = class {
   }
 };
 
-// src/provisioning/providers/route53-provider.ts
+// src/provisioning/providers/docdb-provider.ts
 import {
-  Route53Client as Route53Client2,
-  CreateHostedZoneCommand,
-  DeleteHostedZoneCommand,
-  GetHostedZoneCommand as GetHostedZoneCommand2,
-  ChangeResourceRecordSetsCommand,
-  UpdateHostedZoneCommentCommand,
-  ChangeTagsForResourceCommand,
-  AssociateVPCWithHostedZoneCommand,
-  DisassociateVPCFromHostedZoneCommand,
-  CreateQueryLoggingConfigCommand,
-  DeleteQueryLoggingConfigCommand,
-  ListQueryLoggingConfigsCommand,
-  ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2,
-  ListHostedZonesCommand,
-  ListResourceRecordSetsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand11
-} from "@aws-sdk/client-route-53";
-var Route53Provider = class {
-  route53Client;
+  DocDBClient,
+  CreateDBClusterCommand as CreateDBClusterCommand2,
+  DeleteDBClusterCommand as DeleteDBClusterCommand2,
+  ModifyDBClusterCommand as ModifyDBClusterCommand2,
+  DescribeDBClustersCommand as DescribeDBClustersCommand2,
+  CreateDBInstanceCommand as CreateDBInstanceCommand2,
+  DeleteDBInstanceCommand as DeleteDBInstanceCommand2,
+  ModifyDBInstanceCommand as ModifyDBInstanceCommand2,
+  DescribeDBInstancesCommand as DescribeDBInstancesCommand2,
+  CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand2,
+  DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand2,
+  DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand2,
+  ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand2,
+  ListTagsForResourceCommand as ListTagsForResourceCommand11,
+  AddTagsToResourceCommand as AddTagsToResourceCommand3,
+  RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand3
+} from "@aws-sdk/client-docdb";
+var DocDBProvider = class {
+  docdbClient;
   providerRegion = process.env["AWS_REGION"];
-  logger = getLogger().child("Route53Provider");
+  logger = getLogger().child("DocDBProvider");
   handledProperties = /* @__PURE__ */ new Map([
     [
-      "AWS::Route53::HostedZone",
-      /* @__PURE__ */ new Set(["Name", "HostedZoneConfig", "HostedZoneTags", "VPCs", "QueryLoggingConfig"])
+      "AWS::DocDB::DBSubnetGroup",
+      /* @__PURE__ */ new Set(["DBSubnetGroupName", "DBSubnetGroupDescription", "SubnetIds", "Tags"])
     ],
     [
-      "AWS::Route53::RecordSet",
+      "AWS::DocDB::DBCluster",
       /* @__PURE__ */ new Set([
-        "HostedZoneId",
-        "HostedZoneName",
-        "Name",
-        "Type",
-        "TTL",
-        "ResourceRecords",
-        "AliasTarget",
-        "SetIdentifier",
-        "Weight",
-        "Region",
-        "Failover",
-        "MultiValueAnswer",
-        "HealthCheckId",
-        "Comment",
-        "GeoLocation"
+        "DBClusterIdentifier",
+        "EngineVersion",
+        "MasterUsername",
+        "MasterUserPassword",
+        "Port",
+        "VpcSecurityGroupIds",
+        "DBSubnetGroupName",
+        "StorageEncrypted",
+        "KmsKeyId",
+        "BackupRetentionPeriod",
+        "PreferredBackupWindow",
+        "PreferredMaintenanceWindow",
+        "DBClusterParameterGroupName",
+        "DeletionProtection",
+        "Tags"
+      ])
+    ],
+    [
+      "AWS::DocDB::DBInstance",
+      // DocDB DBInstance does NOT support DeletionProtection (verified
+      // against the @aws-sdk/client-docdb CreateDBInstanceMessage type —
+      // the field is absent). Cluster-level DeletionProtection covers the
+      // common case anyway; instance deletes are gated by the cluster's
+      // protection flag in normal use.
+      /* @__PURE__ */ new Set([
+        "DBInstanceIdentifier",
+        "DBInstanceClass",
+        "DBClusterIdentifier",
+        "AvailabilityZone",
+        "PreferredMaintenanceWindow",
+        "AutoMinorVersionUpgrade",
+        "Tags"
       ])
     ]
   ]);
   getClient() {
-    if (!this.route53Client) {
-      this.route53Client = new Route53Client2(
+    if (!this.docdbClient) {
+      this.docdbClient = new DocDBClient(
         this.providerRegion ? { region: this.providerRegion } : {}
       );
     }
-    return this.route53Client;
+    return this.docdbClient;
   }
   // ─── Dispatch ─────────────────────────────────────────────────────
   async create(logicalId, resourceType, properties) {
     switch (resourceType) {
-      case "AWS::Route53::HostedZone":
-        return this.createHostedZone(logicalId, resourceType, properties);
-      case "AWS::Route53::RecordSet":
-        return this.createRecordSet(logicalId, resourceType, properties);
+      case "AWS::DocDB::DBSubnetGroup":
+        return this.createDBSubnetGroup(logicalId, resourceType, properties);
+      case "AWS::DocDB::DBCluster":
+        return this.createDBCluster(logicalId, resourceType, properties);
+      case "AWS::DocDB::DBInstance":
+        return this.createDBInstance(logicalId, resourceType, properties);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -30091,12 +30136,32 @@ var Route53Provider = class {
         );
     }
   }
-  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
     switch (resourceType) {
-      case "AWS::Route53::HostedZone":
-        return this.updateHostedZone(logicalId, physicalId, resourceType, properties);
-      case "AWS::Route53::RecordSet":
-        return this.updateRecordSet(logicalId, physicalId, resourceType, properties);
+      case "AWS::DocDB::DBSubnetGroup":
+        return this.updateDBSubnetGroup(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::DocDB::DBCluster":
+        return this.updateDBCluster(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::DocDB::DBInstance":
+        return this.updateDBInstance(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -30106,12 +30171,14 @@ var Route53Provider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties, context) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
-      case "AWS::Route53::HostedZone":
-        return this.deleteHostedZone(logicalId, physicalId, resourceType, context);
-      case "AWS::Route53::RecordSet":
-        return this.deleteRecordSet(logicalId, physicalId, resourceType, properties, context);
+      case "AWS::DocDB::DBSubnetGroup":
+        return this.deleteDBSubnetGroup(logicalId, physicalId, resourceType, context);
+      case "AWS::DocDB::DBCluster":
+        return this.deleteDBCluster(logicalId, physicalId, resourceType, context);
+      case "AWS::DocDB::DBInstance":
+        return this.deleteDBInstance(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -30121,123 +30188,74 @@ var Route53Provider = class {
         );
     }
   }
-  async getAttribute(physicalId, resourceType, attributeName) {
-    switch (resourceType) {
-      case "AWS::Route53::HostedZone":
-        return this.getHostedZoneAttribute(physicalId, attributeName);
-      default:
-        return void 0;
-    }
-  }
-  // ─── AWS::Route53::HostedZone ──────────────────────────────────────
-  async createHostedZone(logicalId, resourceType, properties) {
-    this.logger.debug(`Creating Route 53 hosted zone ${logicalId}`);
-    const name = properties["Name"];
-    if (!name) {
-      throw new ProvisioningError(
-        `Name is required for hosted zone ${logicalId}`,
-        resourceType,
-        logicalId
-      );
-    }
+  // ─── DBSubnetGroup ────────────────────────────────────────────────
+  async createDBSubnetGroup(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating DocDB DBSubnetGroup ${logicalId}`);
+    const dbSubnetGroupName = properties["DBSubnetGroupName"] || generateResourceName(logicalId, { maxLength: 255, lowercase: true });
     try {
-      const hostedZoneConfig = properties["HostedZoneConfig"];
-      const vpcs = properties["VPCs"];
-      const firstVpc = vpcs && vpcs.length > 0 ? vpcs[0] : void 0;
-      const response = await this.getClient().send(
-        new CreateHostedZoneCommand({
-          Name: name,
-          CallerReference: `${logicalId}-${Date.now()}`,
-          ...hostedZoneConfig && hostedZoneConfig["Comment"] ? {
-            HostedZoneConfig: {
-              Comment: hostedZoneConfig["Comment"],
-              // When VPCs are specified, this is a private hosted zone
-              ...firstVpc ? { PrivateZone: true } : {}
-            }
-          } : firstVpc ? { HostedZoneConfig: { PrivateZone: true } } : {},
-          ...firstVpc ? {
-            VPC: {
-              VPCId: firstVpc["VPCId"],
-              VPCRegion: firstVpc["VPCRegion"]
-            }
-          } : {}
+      const tags = this.buildTags(properties);
+      await this.getClient().send(
+        new CreateDBSubnetGroupCommand2({
+          DBSubnetGroupName: dbSubnetGroupName,
+          DBSubnetGroupDescription: properties["DBSubnetGroupDescription"] || `Subnet group for ${logicalId}`,
+          SubnetIds: properties["SubnetIds"],
+          ...tags.length > 0 && { Tags: tags }
         })
       );
-      const hostedZone = response.HostedZone;
-      if (!hostedZone?.Id) {
-        throw new Error("CreateHostedZone did not return HostedZone.Id");
-      }
-      const zoneId = hostedZone.Id.replace("/hostedzone/", "");
-      if (vpcs && vpcs.length > 1) {
-        for (let i = 1; i < vpcs.length; i++) {
-          const additionalVpc = vpcs[i];
-          this.logger.debug(
-            `Associating additional VPC ${String(additionalVpc["VPCId"])} with hosted zone ${zoneId}`
-          );
-          await this.getClient().send(
-            new AssociateVPCWithHostedZoneCommand({
-              HostedZoneId: zoneId,
-              VPC: {
-                VPCId: additionalVpc["VPCId"],
-                VPCRegion: additionalVpc["VPCRegion"]
-              }
-            })
-          );
-        }
-      }
-      await this.applyHostedZoneTags(zoneId, properties, logicalId);
-      await this.applyQueryLoggingConfig(zoneId, properties, logicalId);
-      const nameServers = response.DelegationSet?.NameServers ?? [];
-      this.logger.debug(`Successfully created hosted zone ${logicalId}: ${zoneId}`);
+      this.logger.debug(
+        `Successfully created DocDB DBSubnetGroup ${logicalId}: ${dbSubnetGroupName}`
+      );
       return {
-        physicalId: zoneId,
+        physicalId: dbSubnetGroupName,
         attributes: {
-          Id: zoneId,
-          NameServers: nameServers.join(",")
+          DBSubnetGroupName: dbSubnetGroupName
         }
       };
     } catch (error) {
-      if (error instanceof ProvisioningError)
-        throw error;
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to create hosted zone ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to create DocDB DBSubnetGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
-        void 0,
+        dbSubnetGroupName,
         cause
       );
     }
   }
-  async updateHostedZone(logicalId, physicalId, resourceType, properties) {
-    this.logger.debug(`Updating Route 53 hosted zone ${logicalId}: ${physicalId}`);
+  async updateDBSubnetGroup(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating DocDB DBSubnetGroup ${logicalId}: ${physicalId}`);
     try {
-      const hostedZoneConfig = properties["HostedZoneConfig"];
-      const comment = hostedZoneConfig?.["Comment"] ?? "";
-      await this.getClient().send(
-        new UpdateHostedZoneCommentCommand({
-          Id: physicalId,
-          Comment: comment
-        })
+      const subnetIds = properties["SubnetIds"];
+      const sendSubnetIds = subnetIds !== void 0 && subnetIds.length > 0;
+      const modifyInput = {
+        DBSubnetGroupName: physicalId,
+        DBSubnetGroupDescription: properties["DBSubnetGroupDescription"],
+        ...sendSubnetIds && { SubnetIds: subnetIds }
+      };
+      await this.getClient().send(new ModifyDBSubnetGroupCommand2(modifyInput));
+      const desc = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand2({ DBSubnetGroupName: physicalId })
       );
-      await this.applyHostedZoneTags(physicalId, properties, logicalId);
-      await this.applyQueryLoggingConfig(physicalId, properties, logicalId);
-      await this.syncVPCAssociations(physicalId, properties, logicalId);
-      const getResponse = await this.getClient().send(new GetHostedZoneCommand2({ Id: physicalId }));
-      const nameServers = getResponse.DelegationSet?.NameServers ?? [];
-      this.logger.debug(`Successfully updated hosted zone ${logicalId}`);
+      const arn = desc.DBSubnetGroups?.[0]?.DBSubnetGroupArn;
+      if (arn) {
+        await this.applyTagDiff(
+          arn,
+          previousProperties["Tags"],
+          properties["Tags"]
+        );
+      }
+      this.logger.debug(`Successfully updated DocDB DBSubnetGroup ${logicalId}`);
       return {
         physicalId,
         wasReplaced: false,
         attributes: {
-          Id: physicalId,
-          NameServers: nameServers.join(",")
+          DBSubnetGroupName: physicalId
         }
       };
     } catch (error) {
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to update hosted zone ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to update DocDB DBSubnetGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
         physicalId,
@@ -30245,14 +30263,17 @@ var Route53Provider = class {
       );
     }
   }
-  async deleteHostedZone(logicalId, physicalId, resourceType, context) {
-    this.logger.debug(`Deleting Route 53 hosted zone ${logicalId}: ${physicalId}`);
+  async deleteDBSubnetGroup(logicalId, physicalId, resourceType, context) {
+    this.logger.debug(`Deleting DocDB DBSubnetGroup ${logicalId}: ${physicalId}`);
     try {
-      await this.deleteQueryLoggingConfigForZone(physicalId, logicalId);
-      await this.getClient().send(new DeleteHostedZoneCommand({ Id: physicalId }));
-      this.logger.debug(`Successfully deleted hosted zone ${logicalId}`);
+      await this.getClient().send(
+        new DeleteDBSubnetGroupCommand2({
+          DBSubnetGroupName: physicalId
+        })
+      );
+      this.logger.debug(`Successfully deleted DocDB DBSubnetGroup ${logicalId}`);
     } catch (error) {
-      if (error instanceof Error && error.name === "NoSuchHostedZone") {
+      if (this.isNotFoundError(error, "DBSubnetGroupNotFoundFault")) {
         const clientRegion = await this.getClient().config.region();
         assertRegionMatch(
           clientRegion,
@@ -30261,12 +30282,12 @@ var Route53Provider = class {
           logicalId,
           physicalId
         );
-        this.logger.debug(`Hosted zone ${physicalId} does not exist, skipping deletion`);
+        this.logger.debug(`DocDB DBSubnetGroup ${physicalId} does not exist, skipping deletion`);
         return;
       }
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to delete hosted zone ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to delete DocDB DBSubnetGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
         physicalId,
@@ -30274,98 +30295,111 @@ var Route53Provider = class {
       );
     }
   }
-  async getHostedZoneAttribute(physicalId, attributeName) {
-    switch (attributeName) {
-      case "Id":
-        return physicalId;
-      case "NameServers": {
-        const response = await this.getClient().send(new GetHostedZoneCommand2({ Id: physicalId }));
-        return (response.DelegationSet?.NameServers ?? []).join(",");
-      }
-      default:
-        return void 0;
-    }
-  }
-  // ─── AWS::Route53::RecordSet ───────────────────────────────────────
-  async createRecordSet(logicalId, resourceType, properties) {
-    this.logger.debug(`Creating Route 53 record set ${logicalId}`);
-    const hostedZoneId = await this.resolveHostedZoneId(properties, logicalId, resourceType);
-    const recordName = properties["Name"];
-    const recordType = properties["Type"];
+  // ─── DBCluster ────────────────────────────────────────────────────
+  async createDBCluster(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating DocDB DBCluster ${logicalId}`);
+    const dbClusterIdentifier = properties["DBClusterIdentifier"] || generateResourceName(logicalId, { maxLength: 63, lowercase: true });
     try {
-      const resourceRecordSet = this.buildResourceRecordSet(properties);
-      const comment = properties["Comment"];
-      await this.getClient().send(
-        new ChangeResourceRecordSetsCommand({
-          HostedZoneId: hostedZoneId,
-          ChangeBatch: {
-            ...comment ? { Comment: comment } : {},
-            Changes: [
-              {
-                Action: "CREATE",
-                ResourceRecordSet: resourceRecordSet
-              }
-            ]
-          }
+      const tags = this.buildTags(properties);
+      const response = await this.getClient().send(
+        new CreateDBClusterCommand2({
+          DBClusterIdentifier: dbClusterIdentifier,
+          // DocDB engine value is fixed: only `docdb` is accepted.
+          Engine: "docdb",
+          EngineVersion: properties["EngineVersion"],
+          MasterUsername: properties["MasterUsername"],
+          MasterUserPassword: properties["MasterUserPassword"],
+          Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
+          VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
+          DBSubnetGroupName: properties["DBSubnetGroupName"],
+          StorageEncrypted: properties["StorageEncrypted"],
+          KmsKeyId: properties["KmsKeyId"],
+          BackupRetentionPeriod: properties["BackupRetentionPeriod"] != null ? Number(properties["BackupRetentionPeriod"]) : void 0,
+          PreferredBackupWindow: properties["PreferredBackupWindow"],
+          PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
+          DBClusterParameterGroupName: properties["DBClusterParameterGroupName"],
+          DeletionProtection: properties["DeletionProtection"],
+          ...tags.length > 0 && { Tags: tags }
         })
       );
-      const compositeId = `${hostedZoneId}|${recordName}|${recordType}`;
-      this.logger.debug(`Successfully created record set ${logicalId}: ${compositeId}`);
+      const cluster = response.DBCluster;
+      if (!cluster) {
+        throw new Error("CreateDBCluster did not return DBCluster");
+      }
+      this.logger.debug(
+        `Successfully created DocDB DBCluster ${logicalId}: ${dbClusterIdentifier}`
+      );
+      if (process.env["CDKD_NO_WAIT"] !== "true") {
+        await this.waitForClusterAvailable(dbClusterIdentifier);
+      }
+      const described = await this.describeDBCluster(dbClusterIdentifier);
       return {
-        physicalId: compositeId,
-        attributes: {}
+        physicalId: dbClusterIdentifier,
+        attributes: {
+          "Endpoint.Address": described?.Endpoint ?? "",
+          "Endpoint.Port": String(described?.Port ?? ""),
+          "ReadEndpoint.Address": described?.ReaderEndpoint ?? "",
+          Arn: described?.DBClusterArn ?? "",
+          ClusterResourceId: described?.DbClusterResourceId ?? ""
+        }
       };
     } catch (error) {
       if (error instanceof ProvisioningError)
         throw error;
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to create record set ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to create DocDB DBCluster ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
-        void 0,
+        dbClusterIdentifier,
         cause
       );
     }
   }
-  async updateRecordSet(logicalId, physicalId, resourceType, properties) {
-    this.logger.debug(`Updating Route 53 record set ${logicalId}: ${physicalId}`);
-    const hostedZoneId = await this.resolveHostedZoneId(
-      properties,
-      logicalId,
-      resourceType,
-      physicalId
-    );
-    const recordName = properties["Name"];
-    const recordType = properties["Type"];
+  async updateDBCluster(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating DocDB DBCluster ${logicalId}: ${physicalId}`);
     try {
-      const resourceRecordSet = this.buildResourceRecordSet(properties);
-      const comment = properties["Comment"];
+      const vpcSgIds = properties["VpcSecurityGroupIds"];
+      const sendVpcSgIds = vpcSgIds !== void 0 && vpcSgIds.length > 0;
       await this.getClient().send(
-        new ChangeResourceRecordSetsCommand({
-          HostedZoneId: hostedZoneId,
-          ChangeBatch: {
-            ...comment ? { Comment: comment } : {},
-            Changes: [
-              {
-                Action: "UPSERT",
-                ResourceRecordSet: resourceRecordSet
-              }
-            ]
-          }
+        new ModifyDBClusterCommand2({
+          DBClusterIdentifier: physicalId,
+          EngineVersion: properties["EngineVersion"],
+          DeletionProtection: properties["DeletionProtection"],
+          BackupRetentionPeriod: properties["BackupRetentionPeriod"] != null ? Number(properties["BackupRetentionPeriod"]) : void 0,
+          PreferredBackupWindow: properties["PreferredBackupWindow"],
+          PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
+          DBClusterParameterGroupName: properties["DBClusterParameterGroupName"],
+          ...sendVpcSgIds && { VpcSecurityGroupIds: vpcSgIds },
+          MasterUserPassword: properties["MasterUserPassword"],
+          Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
+          ApplyImmediately: true
         })
       );
-      const compositeId = `${hostedZoneId}|${recordName}|${recordType}`;
-      this.logger.debug(`Successfully updated record set ${logicalId}`);
+      this.logger.debug(`Successfully updated DocDB DBCluster ${logicalId}`);
+      const described = await this.describeDBCluster(physicalId);
+      if (described?.DBClusterArn) {
+        await this.applyTagDiff(
+          described.DBClusterArn,
+          previousProperties["Tags"],
+          properties["Tags"]
+        );
+      }
       return {
-        physicalId: compositeId,
+        physicalId,
         wasReplaced: false,
-        attributes: {}
+        attributes: {
+          "Endpoint.Address": described?.Endpoint ?? "",
+          "Endpoint.Port": String(described?.Port ?? ""),
+          "ReadEndpoint.Address": described?.ReaderEndpoint ?? "",
+          Arn: described?.DBClusterArn ?? "",
+          ClusterResourceId: described?.DbClusterResourceId ?? ""
+        }
       };
     } catch (error) {
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to update record set ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to update DocDB DBCluster ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
         physicalId,
@@ -30373,44 +30407,39 @@ var Route53Provider = class {
       );
     }
   }
-  async deleteRecordSet(logicalId, physicalId, resourceType, properties, context) {
-    this.logger.debug(`Deleting Route 53 record set ${logicalId}: ${physicalId}`);
-    const parts = physicalId.split("|");
-    if (parts.length !== 3) {
-      throw new ProvisioningError(
-        `Invalid record set physical ID format: ${physicalId}`,
-        resourceType,
-        logicalId,
-        physicalId
-      );
-    }
-    const [hostedZoneId] = parts;
-    if (!properties) {
-      throw new ProvisioningError(
-        `Properties required to delete record set ${logicalId}`,
-        resourceType,
-        logicalId,
-        physicalId
-      );
-    }
+  async deleteDBCluster(logicalId, physicalId, resourceType, context) {
+    this.logger.debug(`Deleting DocDB DBCluster ${logicalId}: ${physicalId}`);
     try {
-      const resourceRecordSet = this.buildResourceRecordSet(properties);
-      await this.getClient().send(
-        new ChangeResourceRecordSetsCommand({
-          HostedZoneId: hostedZoneId,
-          ChangeBatch: {
-            Changes: [
-              {
-                Action: "DELETE",
-                ResourceRecordSet: resourceRecordSet
-              }
-            ]
+      if (context?.removeProtection === true) {
+        try {
+          await this.getClient().send(
+            new ModifyDBClusterCommand2({
+              DBClusterIdentifier: physicalId,
+              DeletionProtection: false,
+              ApplyImmediately: true
+            })
+          );
+          this.logger.debug(
+            `Disabled DeletionProtection on DocDB DBCluster ${logicalId} before delete`
+          );
+        } catch (disableError) {
+          if (!this.isNotFoundError(disableError, "DBClusterNotFoundFault")) {
+            this.logger.debug(
+              `Could not disable deletion protection for ${physicalId}: ${disableError instanceof Error ? disableError.message : String(disableError)}`
+            );
           }
+        }
+      }
+      await this.getClient().send(
+        new DeleteDBClusterCommand2({
+          DBClusterIdentifier: physicalId,
+          SkipFinalSnapshot: true
         })
       );
-      this.logger.debug(`Successfully deleted record set ${logicalId}`);
+      this.logger.debug(`Successfully initiated deletion of DocDB DBCluster ${logicalId}`);
+      await this.waitForClusterDeleted(physicalId);
     } catch (error) {
-      if (error instanceof Error && (error.name === "InvalidChangeBatch" || error.message.includes("it was not found"))) {
+      if (this.isNotFoundError(error, "DBClusterNotFoundFault")) {
         const clientRegion = await this.getClient().config.region();
         assertRegionMatch(
           clientRegion,
@@ -30419,18 +30448,12 @@ var Route53Provider = class {
           logicalId,
           physicalId
         );
-        this.logger.debug(`Record set ${physicalId} does not exist, skipping deletion`);
-        return;
-      }
-      if (error instanceof Error && error.name === "NoSuchHostedZone") {
-        this.logger.debug(
-          `Hosted zone for record set ${physicalId} does not exist, skipping deletion`
-        );
+        this.logger.debug(`DocDB DBCluster ${physicalId} does not exist, skipping deletion`);
         return;
       }
       const cause = error instanceof Error ? error : void 0;
       throw new ProvisioningError(
-        `Failed to delete record set ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to delete DocDB DBCluster ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
         resourceType,
         logicalId,
         physicalId,
@@ -30438,45 +30461,2007 @@ var Route53Provider = class {
       );
     }
   }
-  // ─── Helpers ───────────────────────────────────────────────────────
-  /**
-   * Build a ResourceRecordSet object from CDK properties.
-   *
-   * Handles conversion of CDK-style ResourceRecords (array of strings)
-   * to SDK-style ResourceRecords (array of {Value}).
-   * Also handles routing policy properties: Weight, Region, Failover,
-   * MultiValueAnswer, GeoLocation, SetIdentifier, and HealthCheckId.
-   */
-  buildResourceRecordSet(properties) {
-    const name = properties["Name"];
-    const type = properties["Type"];
-    const ttl = properties["TTL"];
-    const resourceRecords = properties["ResourceRecords"];
-    const aliasTarget = properties["AliasTarget"];
-    const recordSet = {
-      Name: name,
-      Type: type
-    };
-    if (aliasTarget) {
-      recordSet.AliasTarget = {
-        HostedZoneId: aliasTarget["HostedZoneId"],
-        DNSName: aliasTarget["DNSName"],
-        EvaluateTargetHealth: aliasTarget["EvaluateTargetHealth"] ?? false
-      };
-    } else {
-      if (ttl !== void 0) {
-        recordSet.TTL = Number(ttl);
-      }
-      if (resourceRecords) {
-        recordSet.ResourceRecords = resourceRecords.map((record) => {
-          if (typeof record === "string") {
-            return { Value: record };
-          }
-          return record;
-        });
+  // ─── DBInstance ───────────────────────────────────────────────────
+  async createDBInstance(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating DocDB DBInstance ${logicalId}`);
+    const dbInstanceIdentifier = properties["DBInstanceIdentifier"] || generateResourceName(logicalId, { maxLength: 63, lowercase: true });
+    try {
+      const tags = this.buildTags(properties);
+      const response = await this.getClient().send(
+        new CreateDBInstanceCommand2({
+          DBInstanceIdentifier: dbInstanceIdentifier,
+          DBInstanceClass: properties["DBInstanceClass"],
+          // DocDB engine value is fixed: only `docdb` is accepted.
+          Engine: "docdb",
+          DBClusterIdentifier: properties["DBClusterIdentifier"],
+          AvailabilityZone: properties["AvailabilityZone"],
+          PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
+          AutoMinorVersionUpgrade: properties["AutoMinorVersionUpgrade"],
+          ...tags.length > 0 && { Tags: tags }
+        })
+      );
+      const instance = response.DBInstance;
+      if (!instance) {
+        throw new Error("CreateDBInstance did not return DBInstance");
       }
-    }
-    const setIdentifier = properties["SetIdentifier"];
+      this.logger.debug(
+        `Successfully created DocDB DBInstance ${logicalId}: ${dbInstanceIdentifier}`
+      );
+      if (process.env["CDKD_NO_WAIT"] !== "true") {
+        await this.waitForInstanceAvailable(dbInstanceIdentifier);
+      }
+      const described = await this.describeDBInstance(dbInstanceIdentifier);
+      return {
+        physicalId: dbInstanceIdentifier,
+        attributes: {
+          "Endpoint.Address": described?.Endpoint?.Address ?? "",
+          "Endpoint.Port": String(described?.Endpoint?.Port ?? ""),
+          Arn: described?.DBInstanceArn ?? ""
+        }
+      };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create DocDB DBInstance ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        dbInstanceIdentifier,
+        cause
+      );
+    }
+  }
+  async updateDBInstance(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating DocDB DBInstance ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new ModifyDBInstanceCommand2({
+          DBInstanceIdentifier: physicalId,
+          DBInstanceClass: properties["DBInstanceClass"],
+          PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
+          AutoMinorVersionUpgrade: properties["AutoMinorVersionUpgrade"],
+          ApplyImmediately: true
+        })
+      );
+      this.logger.debug(`Successfully updated DocDB DBInstance ${logicalId}`);
+      const described = await this.describeDBInstance(physicalId);
+      if (described?.DBInstanceArn) {
+        await this.applyTagDiff(
+          described.DBInstanceArn,
+          previousProperties["Tags"],
+          properties["Tags"]
+        );
+      }
+      return {
+        physicalId,
+        wasReplaced: false,
+        attributes: {
+          "Endpoint.Address": described?.Endpoint?.Address ?? "",
+          "Endpoint.Port": String(described?.Endpoint?.Port ?? ""),
+          Arn: described?.DBInstanceArn ?? ""
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update DocDB DBInstance ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async deleteDBInstance(logicalId, physicalId, resourceType, context) {
+    this.logger.debug(`Deleting DocDB DBInstance ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new DeleteDBInstanceCommand2({
+          DBInstanceIdentifier: physicalId
+        })
+      );
+      this.logger.debug(`Successfully initiated deletion of DocDB DBInstance ${logicalId}`);
+      await this.waitForInstanceDeleted(physicalId);
+    } catch (error) {
+      if (this.isNotFoundError(error, "DBInstanceNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`DocDB DBInstance ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete DocDB DBInstance ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // ─── Helpers ──────────────────────────────────────────────────────
+  /**
+   * Apply a diff between old and new CFn-shape Tags arrays via DocDB's
+   * `AddTagsToResource` / `RemoveTagsFromResource` APIs (keyed by
+   * `ResourceName=arn`).
+   */
+  async applyTagDiff(arn, oldTagsRaw, newTagsRaw) {
+    const toMap = (tags) => {
+      const m = /* @__PURE__ */ new Map();
+      for (const t of tags ?? []) {
+        if (t.Key !== void 0 && t.Value !== void 0)
+          m.set(t.Key, t.Value);
+      }
+      return m;
+    };
+    const oldMap = toMap(oldTagsRaw);
+    const newMap = toMap(newTagsRaw);
+    const tagsToAdd = [];
+    for (const [k, v] of newMap) {
+      if (oldMap.get(k) !== v)
+        tagsToAdd.push({ Key: k, Value: v });
+    }
+    const tagsToRemove = [];
+    for (const k of oldMap.keys()) {
+      if (!newMap.has(k))
+        tagsToRemove.push(k);
+    }
+    if (tagsToRemove.length > 0) {
+      await this.getClient().send(
+        new RemoveTagsFromResourceCommand3({ ResourceName: arn, TagKeys: tagsToRemove })
+      );
+      this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from DocDB resource ${arn}`);
+    }
+    if (tagsToAdd.length > 0) {
+      await this.getClient().send(
+        new AddTagsToResourceCommand3({ ResourceName: arn, Tags: tagsToAdd })
+      );
+      this.logger.debug(`Added/updated ${tagsToAdd.length} tag(s) on DocDB resource ${arn}`);
+    }
+  }
+  buildTags(properties) {
+    if (!properties["Tags"])
+      return [];
+    return properties["Tags"];
+  }
+  isNotFoundError(error, faultName) {
+    if (!(error instanceof Error))
+      return false;
+    const name = error.name ?? "";
+    const message = error.message.toLowerCase();
+    return name === faultName || message.includes("not found") || message.includes("does not exist");
+  }
+  async describeDBCluster(dbClusterIdentifier) {
+    const response = await this.getClient().send(
+      new DescribeDBClustersCommand2({
+        DBClusterIdentifier: dbClusterIdentifier
+      })
+    );
+    return response.DBClusters?.[0];
+  }
+  async describeDBInstance(dbInstanceIdentifier) {
+    const response = await this.getClient().send(
+      new DescribeDBInstancesCommand2({
+        DBInstanceIdentifier: dbInstanceIdentifier
+      })
+    );
+    return response.DBInstances?.[0];
+  }
+  /**
+   * Wait for a DBCluster to become available. DocDB's SDK does not ship a
+   * `waitUntilDBClusterAvailable` waiter (only DBInstance has waiters),
+   * so we poll Status manually with exponential backoff.
+   */
+  async waitForClusterAvailable(dbClusterIdentifier, maxWaitMs = 18e5) {
+    const startTime = Date.now();
+    let delay = 5e3;
+    while (Date.now() - startTime < maxWaitMs) {
+      const cluster = await this.describeDBCluster(dbClusterIdentifier);
+      const status = cluster?.Status;
+      this.logger.debug(`DocDB DBCluster ${dbClusterIdentifier} status: ${status}`);
+      if (status === "available")
+        return;
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(
+      `Timed out waiting for DocDB DBCluster ${dbClusterIdentifier} to become available`
+    );
+  }
+  /**
+   * Wait for a DBCluster to be deleted (no SDK waiter — manual poll).
+   */
+  async waitForClusterDeleted(dbClusterIdentifier, maxWaitMs = 18e5) {
+    const startTime = Date.now();
+    let delay = 5e3;
+    while (Date.now() - startTime < maxWaitMs) {
+      try {
+        const cluster = await this.describeDBCluster(dbClusterIdentifier);
+        const status = cluster?.Status;
+        this.logger.debug(`DocDB DBCluster ${dbClusterIdentifier} status: ${status}`);
+        if (!cluster)
+          return;
+      } catch (error) {
+        if (this.isNotFoundError(error, "DBClusterNotFoundFault")) {
+          return;
+        }
+        throw error;
+      }
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(`Timed out waiting for DocDB DBCluster ${dbClusterIdentifier} to be deleted`);
+  }
+  /**
+   * Wait for a DBInstance to become available (manual poll — matches RDS).
+   */
+  async waitForInstanceAvailable(dbInstanceIdentifier, maxWaitMs = 18e5) {
+    const startTime = Date.now();
+    let delay = 1e4;
+    while (Date.now() - startTime < maxWaitMs) {
+      const instance = await this.describeDBInstance(dbInstanceIdentifier);
+      const status = instance?.DBInstanceStatus;
+      this.logger.debug(`DocDB DBInstance ${dbInstanceIdentifier} status: ${status}`);
+      if (status === "available")
+        return;
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(
+      `Timed out waiting for DocDB DBInstance ${dbInstanceIdentifier} to become available`
+    );
+  }
+  async waitForInstanceDeleted(dbInstanceIdentifier, maxWaitMs = 18e5) {
+    const startTime = Date.now();
+    let delay = 1e4;
+    while (Date.now() - startTime < maxWaitMs) {
+      try {
+        const instance = await this.describeDBInstance(dbInstanceIdentifier);
+        const status = instance?.DBInstanceStatus;
+        this.logger.debug(`DocDB DBInstance ${dbInstanceIdentifier} status: ${status}`);
+        if (!instance)
+          return;
+      } catch (error) {
+        if (this.isNotFoundError(error, "DBInstanceNotFoundFault")) {
+          return;
+        }
+        throw error;
+      }
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(`Timed out waiting for DocDB DBInstance ${dbInstanceIdentifier} to be deleted`);
+  }
+  sleep(ms) {
+    return new Promise((resolve4) => setTimeout(resolve4, ms));
+  }
+  /**
+   * Adopt an existing DocDB resource into cdkd state.
+   *
+   * Supported types: `AWS::DocDB::DBInstance`, `AWS::DocDB::DBCluster`,
+   * `AWS::DocDB::DBSubnetGroup`. Identifier name properties (`DBInstance
+   * Identifier` / `DBClusterIdentifier` / `DBSubnetGroupName`) are usually
+   * present in CDK templates; fall back to `aws:cdk:path` tag lookup via
+   * the corresponding `Describe*` + `ListTagsForResource` pair otherwise.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::DocDB::DBInstance":
+        return this.importDBInstance(input);
+      case "AWS::DocDB::DBCluster":
+        return this.importDBCluster(input);
+      case "AWS::DocDB::DBSubnetGroup":
+        return this.importDBSubnetGroup(input);
+      default:
+        return null;
+    }
+  }
+  /**
+   * Read the AWS-current DocDB resource configuration in CFn-property shape.
+   *
+   * Each branch surfaces only the keys cdkd's `create()` accepts. Sensitive
+   * fields like `MasterUserPassword` are NEVER surfaced (DocDB does not
+   * return them in the Describe responses). `Tags` are surfaced via a
+   * follow-up `ListTagsForResource(ResourceName=arn)` call.
+   *
+   * Returns `undefined` when the resource is gone (`*NotFoundFault`).
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::DocDB::DBInstance":
+        return this.readCurrentStateDBInstance(physicalId);
+      case "AWS::DocDB::DBCluster":
+        return this.readCurrentStateDBCluster(physicalId);
+      case "AWS::DocDB::DBSubnetGroup":
+        return this.readCurrentStateDBSubnetGroup(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateDBInstance(physicalId) {
+    let inst;
+    try {
+      inst = await this.describeDBInstance(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBInstanceNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!inst)
+      return void 0;
+    const result = {};
+    if (inst.DBInstanceIdentifier !== void 0) {
+      result["DBInstanceIdentifier"] = inst.DBInstanceIdentifier;
+    }
+    if (inst.DBInstanceClass !== void 0)
+      result["DBInstanceClass"] = inst.DBInstanceClass;
+    if (inst.DBClusterIdentifier !== void 0) {
+      result["DBClusterIdentifier"] = inst.DBClusterIdentifier;
+    }
+    if (inst.AvailabilityZone !== void 0)
+      result["AvailabilityZone"] = inst.AvailabilityZone;
+    if (inst.PreferredMaintenanceWindow !== void 0) {
+      result["PreferredMaintenanceWindow"] = inst.PreferredMaintenanceWindow;
+    }
+    if (inst.AutoMinorVersionUpgrade !== void 0) {
+      result["AutoMinorVersionUpgrade"] = inst.AutoMinorVersionUpgrade;
+    }
+    if (inst.DBInstanceArn)
+      await this.attachTags(result, inst.DBInstanceArn);
+    return result;
+  }
+  async readCurrentStateDBCluster(physicalId) {
+    let cluster;
+    try {
+      cluster = await this.describeDBCluster(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBClusterNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!cluster)
+      return void 0;
+    const result = {};
+    if (cluster.DBClusterIdentifier !== void 0) {
+      result["DBClusterIdentifier"] = cluster.DBClusterIdentifier;
+    }
+    if (cluster.EngineVersion !== void 0)
+      result["EngineVersion"] = cluster.EngineVersion;
+    if (cluster.MasterUsername !== void 0)
+      result["MasterUsername"] = cluster.MasterUsername;
+    if (cluster.Port !== void 0)
+      result["Port"] = cluster.Port;
+    result["VpcSecurityGroupIds"] = (cluster.VpcSecurityGroups ?? []).map((sg) => sg.VpcSecurityGroupId).filter((id) => !!id);
+    if (cluster.DBSubnetGroup !== void 0)
+      result["DBSubnetGroupName"] = cluster.DBSubnetGroup;
+    if (cluster.StorageEncrypted !== void 0) {
+      result["StorageEncrypted"] = cluster.StorageEncrypted;
+    }
+    if (cluster.KmsKeyId !== void 0)
+      result["KmsKeyId"] = cluster.KmsKeyId;
+    if (cluster.BackupRetentionPeriod !== void 0) {
+      result["BackupRetentionPeriod"] = cluster.BackupRetentionPeriod;
+    }
+    if (cluster.PreferredBackupWindow !== void 0) {
+      result["PreferredBackupWindow"] = cluster.PreferredBackupWindow;
+    }
+    if (cluster.PreferredMaintenanceWindow !== void 0) {
+      result["PreferredMaintenanceWindow"] = cluster.PreferredMaintenanceWindow;
+    }
+    if (cluster.DBClusterParameterGroup !== void 0) {
+      result["DBClusterParameterGroupName"] = cluster.DBClusterParameterGroup;
+    }
+    if (cluster.DeletionProtection !== void 0) {
+      result["DeletionProtection"] = cluster.DeletionProtection;
+    }
+    if (cluster.DBClusterArn)
+      await this.attachTags(result, cluster.DBClusterArn);
+    return result;
+  }
+  async readCurrentStateDBSubnetGroup(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand2({ DBSubnetGroupName: physicalId })
+      );
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBSubnetGroupNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    const sg = resp.DBSubnetGroups?.[0];
+    if (!sg)
+      return void 0;
+    const result = {};
+    if (sg.DBSubnetGroupName !== void 0)
+      result["DBSubnetGroupName"] = sg.DBSubnetGroupName;
+    if (sg.DBSubnetGroupDescription !== void 0) {
+      result["DBSubnetGroupDescription"] = sg.DBSubnetGroupDescription;
+    }
+    result["SubnetIds"] = (sg.Subnets ?? []).map((s) => s.SubnetIdentifier).filter((id) => !!id);
+    if (sg.DBSubnetGroupArn)
+      await this.attachTags(result, sg.DBSubnetGroupArn);
+    return result;
+  }
+  /**
+   * Fetch tags via `ListTagsForResource(ResourceName=arn)` and merge them
+   * into the result under `Tags` (CFn shape, `aws:*` filtered out, omitted
+   * when empty). Best-effort: tag-fetch failures are logged at debug and
+   * the key is simply left out — drift detection on configuration is more
+   * important than fail-closing on a missing tag permission.
+   */
+  async attachTags(result, arn) {
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand11({ ResourceName: arn })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
+      result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `DocDB ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  async importDBInstance(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBInstanceIdentifier");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBInstancesCommand2({ DBInstanceIdentifier: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBInstanceNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBInstancesCommand2({ ...marker && { Marker: marker } })
+      );
+      for (const inst of list.DBInstances ?? []) {
+        if (!inst.DBInstanceIdentifier || !inst.DBInstanceArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand11({ ResourceName: inst.DBInstanceArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: inst.DBInstanceIdentifier, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importDBCluster(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBClusterIdentifier");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBClustersCommand2({ DBClusterIdentifier: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBClusterNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBClustersCommand2({ ...marker && { Marker: marker } })
+      );
+      for (const c of list.DBClusters ?? []) {
+        if (!c.DBClusterIdentifier || !c.DBClusterArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand11({ ResourceName: c.DBClusterArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: c.DBClusterIdentifier, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importDBSubnetGroup(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBSubnetGroupName");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBSubnetGroupsCommand2({ DBSubnetGroupName: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBSubnetGroupNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand2({ ...marker && { Marker: marker } })
+      );
+      for (const sg of list.DBSubnetGroups ?? []) {
+        if (!sg.DBSubnetGroupName || !sg.DBSubnetGroupArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand11({ ResourceName: sg.DBSubnetGroupArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: sg.DBSubnetGroupName, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+};
+
+// src/provisioning/providers/neptune-provider.ts
+import {
+  NeptuneClient,
+  CreateDBClusterCommand as CreateDBClusterCommand3,
+  DeleteDBClusterCommand as DeleteDBClusterCommand3,
+  ModifyDBClusterCommand as ModifyDBClusterCommand3,
+  DescribeDBClustersCommand as DescribeDBClustersCommand3,
+  CreateDBInstanceCommand as CreateDBInstanceCommand3,
+  DeleteDBInstanceCommand as DeleteDBInstanceCommand3,
+  ModifyDBInstanceCommand as ModifyDBInstanceCommand3,
+  DescribeDBInstancesCommand as DescribeDBInstancesCommand3,
+  CreateDBSubnetGroupCommand as CreateDBSubnetGroupCommand3,
+  DeleteDBSubnetGroupCommand as DeleteDBSubnetGroupCommand3,
+  DescribeDBSubnetGroupsCommand as DescribeDBSubnetGroupsCommand3,
+  ModifyDBSubnetGroupCommand as ModifyDBSubnetGroupCommand3,
+  ListTagsForResourceCommand as ListTagsForResourceCommand12,
+  AddTagsToResourceCommand as AddTagsToResourceCommand4,
+  RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand4
+} from "@aws-sdk/client-neptune";
+var NeptuneProvider = class {
+  neptuneClient;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("NeptuneProvider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::Neptune::DBSubnetGroup",
+      /* @__PURE__ */ new Set(["DBSubnetGroupName", "DBSubnetGroupDescription", "SubnetIds", "Tags"])
+    ],
+    [
+      "AWS::Neptune::DBCluster",
+      /* @__PURE__ */ new Set([
+        "DBClusterIdentifier",
+        "EngineVersion",
+        "Port",
+        "VpcSecurityGroupIds",
+        "DBSubnetGroupName",
+        "StorageEncrypted",
+        "KmsKeyId",
+        "BackupRetentionPeriod",
+        "PreferredBackupWindow",
+        "PreferredMaintenanceWindow",
+        "DBClusterParameterGroupName",
+        "IamAuthEnabled",
+        "DeletionProtection",
+        "Tags"
+      ])
+    ],
+    [
+      "AWS::Neptune::DBInstance",
+      /* @__PURE__ */ new Set([
+        "DBInstanceIdentifier",
+        "DBInstanceClass",
+        "DBClusterIdentifier",
+        "DBSubnetGroupName",
+        "DBParameterGroupName",
+        "AvailabilityZone",
+        "PreferredMaintenanceWindow",
+        "AutoMinorVersionUpgrade",
+        "DeletionProtection",
+        "Tags"
+      ])
+    ]
+  ]);
+  getClient() {
+    if (!this.neptuneClient) {
+      this.neptuneClient = new NeptuneClient(
+        this.providerRegion ? { region: this.providerRegion } : {}
+      );
+    }
+    return this.neptuneClient;
+  }
+  // ─── Dispatch ─────────────────────────────────────────────────────
+  async create(logicalId, resourceType, properties) {
+    switch (resourceType) {
+      case "AWS::Neptune::DBSubnetGroup":
+        return this.createDBSubnetGroup(logicalId, resourceType, properties);
+      case "AWS::Neptune::DBCluster":
+        return this.createDBCluster(logicalId, resourceType, properties);
+      case "AWS::Neptune::DBInstance":
+        return this.createDBInstance(logicalId, resourceType, properties);
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId
+        );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, previousProperties) {
+    switch (resourceType) {
+      case "AWS::Neptune::DBSubnetGroup":
+        return this.updateDBSubnetGroup(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::Neptune::DBCluster":
+        return this.updateDBCluster(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      case "AWS::Neptune::DBInstance":
+        return this.updateDBInstance(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          previousProperties
+        );
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
+    switch (resourceType) {
+      case "AWS::Neptune::DBSubnetGroup":
+        return this.deleteDBSubnetGroup(logicalId, physicalId, resourceType, context);
+      case "AWS::Neptune::DBCluster":
+        return this.deleteDBCluster(logicalId, physicalId, resourceType, context);
+      case "AWS::Neptune::DBInstance":
+        return this.deleteDBInstance(logicalId, physicalId, resourceType, context);
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+    }
+  }
+  // ─── DBSubnetGroup ────────────────────────────────────────────────
+  async createDBSubnetGroup(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Neptune DBSubnetGroup ${logicalId}`);
+    const dbSubnetGroupName = properties["DBSubnetGroupName"] || generateResourceName(logicalId, { maxLength: 255, lowercase: true });
+    try {
+      const tags = this.buildTags(properties);
+      await this.getClient().send(
+        new CreateDBSubnetGroupCommand3({
+          DBSubnetGroupName: dbSubnetGroupName,
+          DBSubnetGroupDescription: properties["DBSubnetGroupDescription"] || `Subnet group for ${logicalId}`,
+          SubnetIds: properties["SubnetIds"],
+          ...tags.length > 0 && { Tags: tags }
+        })
+      );
+      this.logger.debug(
+        `Successfully created Neptune DBSubnetGroup ${logicalId}: ${dbSubnetGroupName}`
+      );
+      return {
+        physicalId: dbSubnetGroupName,
+        attributes: {
+          DBSubnetGroupName: dbSubnetGroupName
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Neptune DBSubnetGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        dbSubnetGroupName,
+        cause
+      );
+    }
+  }
+  async updateDBSubnetGroup(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating Neptune DBSubnetGroup ${logicalId}: ${physicalId}`);
+    try {
+      const subnetIds = properties["SubnetIds"];
+      const sendSubnetIds = subnetIds !== void 0 && subnetIds.length > 0;
+      const modifyInput = {
+        DBSubnetGroupName: physicalId,
+        DBSubnetGroupDescription: properties["DBSubnetGroupDescription"],
+        ...sendSubnetIds && { SubnetIds: subnetIds }
+      };
+      await this.getClient().send(new ModifyDBSubnetGroupCommand3(modifyInput));
+      const desc = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand3({ DBSubnetGroupName: physicalId })
+      );
+      const arn = desc.DBSubnetGroups?.[0]?.DBSubnetGroupArn;
+      if (arn) {
+        await this.applyTagDiff(
+          arn,
+          previousProperties["Tags"],
+          properties["Tags"]
+        );
+      }
+      this.logger.debug(`Successfully updated Neptune DBSubnetGroup ${logicalId}`);
+      return {
+        physicalId,
+        wasReplaced: false,
+        attributes: {
+          DBSubnetGroupName: physicalId
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Neptune DBSubnetGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async deleteDBSubnetGroup(logicalId, physicalId, resourceType, context) {
+    this.logger.debug(`Deleting Neptune DBSubnetGroup ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new DeleteDBSubnetGroupCommand3({
+          DBSubnetGroupName: physicalId
+        })
+      );
+      this.logger.debug(`Successfully deleted Neptune DBSubnetGroup ${logicalId}`);
+    } catch (error) {
+      if (this.isNotFoundError(error, "DBSubnetGroupNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Neptune DBSubnetGroup ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Neptune DBSubnetGroup ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // ─── DBCluster ────────────────────────────────────────────────────
+  async createDBCluster(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Neptune DBCluster ${logicalId}`);
+    const dbClusterIdentifier = properties["DBClusterIdentifier"] || generateResourceName(logicalId, { maxLength: 63, lowercase: true });
+    try {
+      const tags = this.buildTags(properties);
+      const response = await this.getClient().send(
+        new CreateDBClusterCommand3({
+          DBClusterIdentifier: dbClusterIdentifier,
+          // Neptune engine value is fixed: only `neptune` is accepted.
+          Engine: "neptune",
+          EngineVersion: properties["EngineVersion"],
+          Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
+          VpcSecurityGroupIds: properties["VpcSecurityGroupIds"],
+          DBSubnetGroupName: properties["DBSubnetGroupName"],
+          StorageEncrypted: properties["StorageEncrypted"],
+          KmsKeyId: properties["KmsKeyId"],
+          BackupRetentionPeriod: properties["BackupRetentionPeriod"] != null ? Number(properties["BackupRetentionPeriod"]) : void 0,
+          PreferredBackupWindow: properties["PreferredBackupWindow"],
+          PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
+          DBClusterParameterGroupName: properties["DBClusterParameterGroupName"],
+          EnableIAMDatabaseAuthentication: properties["IamAuthEnabled"],
+          DeletionProtection: properties["DeletionProtection"],
+          ...tags.length > 0 && { Tags: tags }
+        })
+      );
+      const cluster = response.DBCluster;
+      if (!cluster) {
+        throw new Error("CreateDBCluster did not return DBCluster");
+      }
+      this.logger.debug(
+        `Successfully created Neptune DBCluster ${logicalId}: ${dbClusterIdentifier}`
+      );
+      if (process.env["CDKD_NO_WAIT"] !== "true") {
+        await this.waitForClusterAvailable(dbClusterIdentifier);
+      }
+      const described = await this.describeDBCluster(dbClusterIdentifier);
+      return {
+        physicalId: dbClusterIdentifier,
+        attributes: {
+          "Endpoint.Address": described?.Endpoint ?? "",
+          "Endpoint.Port": String(described?.Port ?? ""),
+          "ReadEndpoint.Address": described?.ReaderEndpoint ?? "",
+          ClusterResourceId: described?.DbClusterResourceId ?? ""
+        }
+      };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Neptune DBCluster ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        dbClusterIdentifier,
+        cause
+      );
+    }
+  }
+  async updateDBCluster(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating Neptune DBCluster ${logicalId}: ${physicalId}`);
+    try {
+      const vpcSgIds = properties["VpcSecurityGroupIds"];
+      const sendVpcSgIds = vpcSgIds !== void 0 && vpcSgIds.length > 0;
+      await this.getClient().send(
+        new ModifyDBClusterCommand3({
+          DBClusterIdentifier: physicalId,
+          EngineVersion: properties["EngineVersion"],
+          DeletionProtection: properties["DeletionProtection"],
+          BackupRetentionPeriod: properties["BackupRetentionPeriod"] != null ? Number(properties["BackupRetentionPeriod"]) : void 0,
+          PreferredBackupWindow: properties["PreferredBackupWindow"],
+          PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
+          DBClusterParameterGroupName: properties["DBClusterParameterGroupName"],
+          EnableIAMDatabaseAuthentication: properties["IamAuthEnabled"],
+          ...sendVpcSgIds && { VpcSecurityGroupIds: vpcSgIds },
+          Port: properties["Port"] != null ? Number(properties["Port"]) : void 0,
+          ApplyImmediately: true
+        })
+      );
+      this.logger.debug(`Successfully updated Neptune DBCluster ${logicalId}`);
+      const described = await this.describeDBCluster(physicalId);
+      if (described?.DBClusterArn) {
+        await this.applyTagDiff(
+          described.DBClusterArn,
+          previousProperties["Tags"],
+          properties["Tags"]
+        );
+      }
+      return {
+        physicalId,
+        wasReplaced: false,
+        attributes: {
+          "Endpoint.Address": described?.Endpoint ?? "",
+          "Endpoint.Port": String(described?.Port ?? ""),
+          "ReadEndpoint.Address": described?.ReaderEndpoint ?? "",
+          ClusterResourceId: described?.DbClusterResourceId ?? ""
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Neptune DBCluster ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async deleteDBCluster(logicalId, physicalId, resourceType, context) {
+    this.logger.debug(`Deleting Neptune DBCluster ${logicalId}: ${physicalId}`);
+    try {
+      if (context?.removeProtection === true) {
+        try {
+          await this.getClient().send(
+            new ModifyDBClusterCommand3({
+              DBClusterIdentifier: physicalId,
+              DeletionProtection: false,
+              ApplyImmediately: true
+            })
+          );
+          this.logger.debug(
+            `Disabled DeletionProtection on Neptune DBCluster ${logicalId} before delete`
+          );
+        } catch (disableError) {
+          if (!this.isNotFoundError(disableError, "DBClusterNotFoundFault")) {
+            this.logger.debug(
+              `Could not disable deletion protection for ${physicalId}: ${disableError instanceof Error ? disableError.message : String(disableError)}`
+            );
+          }
+        }
+      }
+      await this.getClient().send(
+        new DeleteDBClusterCommand3({
+          DBClusterIdentifier: physicalId,
+          SkipFinalSnapshot: true
+        })
+      );
+      this.logger.debug(`Successfully initiated deletion of Neptune DBCluster ${logicalId}`);
+      await this.waitForClusterDeleted(physicalId);
+    } catch (error) {
+      if (this.isNotFoundError(error, "DBClusterNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Neptune DBCluster ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Neptune DBCluster ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // ─── DBInstance ───────────────────────────────────────────────────
+  async createDBInstance(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Neptune DBInstance ${logicalId}`);
+    const dbInstanceIdentifier = properties["DBInstanceIdentifier"] || generateResourceName(logicalId, { maxLength: 63, lowercase: true });
+    try {
+      const tags = this.buildTags(properties);
+      const response = await this.getClient().send(
+        new CreateDBInstanceCommand3({
+          DBInstanceIdentifier: dbInstanceIdentifier,
+          DBInstanceClass: properties["DBInstanceClass"],
+          // Neptune engine value is fixed: only `neptune` is accepted.
+          Engine: "neptune",
+          DBClusterIdentifier: properties["DBClusterIdentifier"],
+          DBSubnetGroupName: properties["DBSubnetGroupName"],
+          DBParameterGroupName: properties["DBParameterGroupName"],
+          AvailabilityZone: properties["AvailabilityZone"],
+          PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
+          AutoMinorVersionUpgrade: properties["AutoMinorVersionUpgrade"],
+          DeletionProtection: properties["DeletionProtection"],
+          ...tags.length > 0 && { Tags: tags }
+        })
+      );
+      const instance = response.DBInstance;
+      if (!instance) {
+        throw new Error("CreateDBInstance did not return DBInstance");
+      }
+      this.logger.debug(
+        `Successfully created Neptune DBInstance ${logicalId}: ${dbInstanceIdentifier}`
+      );
+      if (process.env["CDKD_NO_WAIT"] !== "true") {
+        await this.waitForInstanceAvailable(dbInstanceIdentifier);
+      }
+      const described = await this.describeDBInstance(dbInstanceIdentifier);
+      return {
+        physicalId: dbInstanceIdentifier,
+        attributes: {
+          "Endpoint.Address": described?.Endpoint?.Address ?? "",
+          "Endpoint.Port": String(described?.Endpoint?.Port ?? "")
+        }
+      };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create Neptune DBInstance ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        dbInstanceIdentifier,
+        cause
+      );
+    }
+  }
+  async updateDBInstance(logicalId, physicalId, resourceType, properties, previousProperties) {
+    this.logger.debug(`Updating Neptune DBInstance ${logicalId}: ${physicalId}`);
+    try {
+      await this.getClient().send(
+        new ModifyDBInstanceCommand3({
+          DBInstanceIdentifier: physicalId,
+          DBInstanceClass: properties["DBInstanceClass"],
+          DBParameterGroupName: properties["DBParameterGroupName"],
+          PreferredMaintenanceWindow: properties["PreferredMaintenanceWindow"],
+          AutoMinorVersionUpgrade: properties["AutoMinorVersionUpgrade"],
+          DeletionProtection: properties["DeletionProtection"],
+          ApplyImmediately: true
+        })
+      );
+      this.logger.debug(`Successfully updated Neptune DBInstance ${logicalId}`);
+      const described = await this.describeDBInstance(physicalId);
+      if (described?.DBInstanceArn) {
+        await this.applyTagDiff(
+          described.DBInstanceArn,
+          previousProperties["Tags"],
+          properties["Tags"]
+        );
+      }
+      return {
+        physicalId,
+        wasReplaced: false,
+        attributes: {
+          "Endpoint.Address": described?.Endpoint?.Address ?? "",
+          "Endpoint.Port": String(described?.Endpoint?.Port ?? "")
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update Neptune DBInstance ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async deleteDBInstance(logicalId, physicalId, resourceType, context) {
+    this.logger.debug(`Deleting Neptune DBInstance ${logicalId}: ${physicalId}`);
+    try {
+      if (context?.removeProtection === true) {
+        try {
+          await this.getClient().send(
+            new ModifyDBInstanceCommand3({
+              DBInstanceIdentifier: physicalId,
+              DeletionProtection: false,
+              ApplyImmediately: true
+            })
+          );
+          this.logger.debug(
+            `Disabled DeletionProtection on Neptune DBInstance ${logicalId} before delete`
+          );
+        } catch (disableError) {
+          if (!this.isNotFoundError(disableError, "DBInstanceNotFoundFault")) {
+            this.logger.debug(
+              `Could not disable deletion protection for ${physicalId}: ${disableError instanceof Error ? disableError.message : String(disableError)}`
+            );
+          }
+        }
+      }
+      await this.getClient().send(
+        new DeleteDBInstanceCommand3({
+          DBInstanceIdentifier: physicalId,
+          SkipFinalSnapshot: true
+        })
+      );
+      this.logger.debug(`Successfully initiated deletion of Neptune DBInstance ${logicalId}`);
+      await this.waitForInstanceDeleted(physicalId);
+    } catch (error) {
+      if (this.isNotFoundError(error, "DBInstanceNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Neptune DBInstance ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete Neptune DBInstance ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // ─── Helpers ──────────────────────────────────────────────────────
+  /**
+   * Apply a diff between old and new CFn-shape Tags arrays via Neptune's
+   * `AddTagsToResource` / `RemoveTagsFromResource` APIs (keyed by
+   * `ResourceName=arn`).
+   */
+  async applyTagDiff(arn, oldTagsRaw, newTagsRaw) {
+    const toMap = (tags) => {
+      const m = /* @__PURE__ */ new Map();
+      for (const t of tags ?? []) {
+        if (t.Key !== void 0 && t.Value !== void 0)
+          m.set(t.Key, t.Value);
+      }
+      return m;
+    };
+    const oldMap = toMap(oldTagsRaw);
+    const newMap = toMap(newTagsRaw);
+    const tagsToAdd = [];
+    for (const [k, v] of newMap) {
+      if (oldMap.get(k) !== v)
+        tagsToAdd.push({ Key: k, Value: v });
+    }
+    const tagsToRemove = [];
+    for (const k of oldMap.keys()) {
+      if (!newMap.has(k))
+        tagsToRemove.push(k);
+    }
+    if (tagsToRemove.length > 0) {
+      await this.getClient().send(
+        new RemoveTagsFromResourceCommand4({ ResourceName: arn, TagKeys: tagsToRemove })
+      );
+      this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from Neptune resource ${arn}`);
+    }
+    if (tagsToAdd.length > 0) {
+      await this.getClient().send(
+        new AddTagsToResourceCommand4({ ResourceName: arn, Tags: tagsToAdd })
+      );
+      this.logger.debug(`Added/updated ${tagsToAdd.length} tag(s) on Neptune resource ${arn}`);
+    }
+  }
+  buildTags(properties) {
+    if (!properties["Tags"])
+      return [];
+    return properties["Tags"];
+  }
+  isNotFoundError(error, faultName) {
+    if (!(error instanceof Error))
+      return false;
+    const name = error.name ?? "";
+    const message = error.message.toLowerCase();
+    return name === faultName || message.includes("not found") || message.includes("does not exist");
+  }
+  async describeDBCluster(dbClusterIdentifier) {
+    const response = await this.getClient().send(
+      new DescribeDBClustersCommand3({
+        DBClusterIdentifier: dbClusterIdentifier
+      })
+    );
+    return response.DBClusters?.[0];
+  }
+  async describeDBInstance(dbInstanceIdentifier) {
+    const response = await this.getClient().send(
+      new DescribeDBInstancesCommand3({
+        DBInstanceIdentifier: dbInstanceIdentifier
+      })
+    );
+    return response.DBInstances?.[0];
+  }
+  /**
+   * Wait for a DBCluster to become available (no SDK waiter — manual poll).
+   */
+  async waitForClusterAvailable(dbClusterIdentifier, maxWaitMs = 18e5) {
+    const startTime = Date.now();
+    let delay = 5e3;
+    while (Date.now() - startTime < maxWaitMs) {
+      const cluster = await this.describeDBCluster(dbClusterIdentifier);
+      const status = cluster?.Status;
+      this.logger.debug(`Neptune DBCluster ${dbClusterIdentifier} status: ${status}`);
+      if (status === "available")
+        return;
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(
+      `Timed out waiting for Neptune DBCluster ${dbClusterIdentifier} to become available`
+    );
+  }
+  /**
+   * Wait for a DBCluster to be deleted (no SDK waiter — manual poll).
+   */
+  async waitForClusterDeleted(dbClusterIdentifier, maxWaitMs = 18e5) {
+    const startTime = Date.now();
+    let delay = 5e3;
+    while (Date.now() - startTime < maxWaitMs) {
+      try {
+        const cluster = await this.describeDBCluster(dbClusterIdentifier);
+        const status = cluster?.Status;
+        this.logger.debug(`Neptune DBCluster ${dbClusterIdentifier} status: ${status}`);
+        if (!cluster)
+          return;
+      } catch (error) {
+        if (this.isNotFoundError(error, "DBClusterNotFoundFault")) {
+          return;
+        }
+        throw error;
+      }
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(`Timed out waiting for Neptune DBCluster ${dbClusterIdentifier} to be deleted`);
+  }
+  /**
+   * Wait for a DBInstance to become available (manual poll).
+   */
+  async waitForInstanceAvailable(dbInstanceIdentifier, maxWaitMs = 18e5) {
+    const startTime = Date.now();
+    let delay = 1e4;
+    while (Date.now() - startTime < maxWaitMs) {
+      const instance = await this.describeDBInstance(dbInstanceIdentifier);
+      const status = instance?.DBInstanceStatus;
+      this.logger.debug(`Neptune DBInstance ${dbInstanceIdentifier} status: ${status}`);
+      if (status === "available")
+        return;
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(
+      `Timed out waiting for Neptune DBInstance ${dbInstanceIdentifier} to become available`
+    );
+  }
+  async waitForInstanceDeleted(dbInstanceIdentifier, maxWaitMs = 18e5) {
+    const startTime = Date.now();
+    let delay = 1e4;
+    while (Date.now() - startTime < maxWaitMs) {
+      try {
+        const instance = await this.describeDBInstance(dbInstanceIdentifier);
+        const status = instance?.DBInstanceStatus;
+        this.logger.debug(`Neptune DBInstance ${dbInstanceIdentifier} status: ${status}`);
+        if (!instance)
+          return;
+      } catch (error) {
+        if (this.isNotFoundError(error, "DBInstanceNotFoundFault")) {
+          return;
+        }
+        throw error;
+      }
+      await this.sleep(delay);
+      delay = Math.min(delay * 2, 3e4);
+    }
+    throw new Error(
+      `Timed out waiting for Neptune DBInstance ${dbInstanceIdentifier} to be deleted`
+    );
+  }
+  sleep(ms) {
+    return new Promise((resolve4) => setTimeout(resolve4, ms));
+  }
+  /**
+   * Adopt an existing Neptune resource into cdkd state.
+   */
+  async import(input) {
+    switch (input.resourceType) {
+      case "AWS::Neptune::DBInstance":
+        return this.importDBInstance(input);
+      case "AWS::Neptune::DBCluster":
+        return this.importDBCluster(input);
+      case "AWS::Neptune::DBSubnetGroup":
+        return this.importDBSubnetGroup(input);
+      default:
+        return null;
+    }
+  }
+  /**
+   * Read the AWS-current Neptune resource configuration in CFn-property
+   * shape. Each branch surfaces only the keys cdkd's `create()` accepts.
+   * Sensitive fields are NEVER surfaced. `Tags` are surfaced via a
+   * follow-up `ListTagsForResource(ResourceName=arn)` call.
+   */
+  async readCurrentState(physicalId, _logicalId, resourceType) {
+    switch (resourceType) {
+      case "AWS::Neptune::DBInstance":
+        return this.readCurrentStateDBInstance(physicalId);
+      case "AWS::Neptune::DBCluster":
+        return this.readCurrentStateDBCluster(physicalId);
+      case "AWS::Neptune::DBSubnetGroup":
+        return this.readCurrentStateDBSubnetGroup(physicalId);
+      default:
+        return void 0;
+    }
+  }
+  async readCurrentStateDBInstance(physicalId) {
+    let inst;
+    try {
+      inst = await this.describeDBInstance(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBInstanceNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!inst)
+      return void 0;
+    const result = {};
+    if (inst.DBInstanceIdentifier !== void 0) {
+      result["DBInstanceIdentifier"] = inst.DBInstanceIdentifier;
+    }
+    if (inst.DBInstanceClass !== void 0)
+      result["DBInstanceClass"] = inst.DBInstanceClass;
+    if (inst.DBClusterIdentifier !== void 0) {
+      result["DBClusterIdentifier"] = inst.DBClusterIdentifier;
+    }
+    if (inst.DBSubnetGroup?.DBSubnetGroupName !== void 0) {
+      result["DBSubnetGroupName"] = inst.DBSubnetGroup.DBSubnetGroupName;
+    }
+    if (inst.AvailabilityZone !== void 0)
+      result["AvailabilityZone"] = inst.AvailabilityZone;
+    if (inst.PreferredMaintenanceWindow !== void 0) {
+      result["PreferredMaintenanceWindow"] = inst.PreferredMaintenanceWindow;
+    }
+    if (inst.AutoMinorVersionUpgrade !== void 0) {
+      result["AutoMinorVersionUpgrade"] = inst.AutoMinorVersionUpgrade;
+    }
+    if (inst.DeletionProtection !== void 0) {
+      result["DeletionProtection"] = inst.DeletionProtection;
+    }
+    const pg = inst.DBParameterGroups?.[0]?.DBParameterGroupName;
+    if (pg !== void 0)
+      result["DBParameterGroupName"] = pg;
+    if (inst.DBInstanceArn)
+      await this.attachTags(result, inst.DBInstanceArn);
+    return result;
+  }
+  async readCurrentStateDBCluster(physicalId) {
+    let cluster;
+    try {
+      cluster = await this.describeDBCluster(physicalId);
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBClusterNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    if (!cluster)
+      return void 0;
+    const result = {};
+    if (cluster.DBClusterIdentifier !== void 0) {
+      result["DBClusterIdentifier"] = cluster.DBClusterIdentifier;
+    }
+    if (cluster.EngineVersion !== void 0)
+      result["EngineVersion"] = cluster.EngineVersion;
+    if (cluster.Port !== void 0)
+      result["Port"] = cluster.Port;
+    result["VpcSecurityGroupIds"] = (cluster.VpcSecurityGroups ?? []).map((sg) => sg.VpcSecurityGroupId).filter((id) => !!id);
+    if (cluster.DBSubnetGroup !== void 0)
+      result["DBSubnetGroupName"] = cluster.DBSubnetGroup;
+    if (cluster.StorageEncrypted !== void 0) {
+      result["StorageEncrypted"] = cluster.StorageEncrypted;
+    }
+    if (cluster.KmsKeyId !== void 0)
+      result["KmsKeyId"] = cluster.KmsKeyId;
+    if (cluster.BackupRetentionPeriod !== void 0) {
+      result["BackupRetentionPeriod"] = cluster.BackupRetentionPeriod;
+    }
+    if (cluster.PreferredBackupWindow !== void 0) {
+      result["PreferredBackupWindow"] = cluster.PreferredBackupWindow;
+    }
+    if (cluster.PreferredMaintenanceWindow !== void 0) {
+      result["PreferredMaintenanceWindow"] = cluster.PreferredMaintenanceWindow;
+    }
+    if (cluster.DBClusterParameterGroup !== void 0) {
+      result["DBClusterParameterGroupName"] = cluster.DBClusterParameterGroup;
+    }
+    if (cluster.IAMDatabaseAuthenticationEnabled !== void 0) {
+      result["IamAuthEnabled"] = cluster.IAMDatabaseAuthenticationEnabled;
+    }
+    if (cluster.DeletionProtection !== void 0) {
+      result["DeletionProtection"] = cluster.DeletionProtection;
+    }
+    if (cluster.DBClusterArn)
+      await this.attachTags(result, cluster.DBClusterArn);
+    return result;
+  }
+  async readCurrentStateDBSubnetGroup(physicalId) {
+    let resp;
+    try {
+      resp = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand3({ DBSubnetGroupName: physicalId })
+      );
+    } catch (err) {
+      if (this.isNotFoundError(err, "DBSubnetGroupNotFoundFault"))
+        return void 0;
+      throw err;
+    }
+    const sg = resp.DBSubnetGroups?.[0];
+    if (!sg)
+      return void 0;
+    const result = {};
+    if (sg.DBSubnetGroupName !== void 0)
+      result["DBSubnetGroupName"] = sg.DBSubnetGroupName;
+    if (sg.DBSubnetGroupDescription !== void 0) {
+      result["DBSubnetGroupDescription"] = sg.DBSubnetGroupDescription;
+    }
+    result["SubnetIds"] = (sg.Subnets ?? []).map((s) => s.SubnetIdentifier).filter((id) => !!id);
+    if (sg.DBSubnetGroupArn)
+      await this.attachTags(result, sg.DBSubnetGroupArn);
+    return result;
+  }
+  /**
+   * Fetch tags via `ListTagsForResource` and merge them into the result
+   * under `Tags` (CFn shape). Best-effort.
+   */
+  async attachTags(result, arn) {
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand12({ ResourceName: arn })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
+      result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `Neptune ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  async importDBInstance(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBInstanceIdentifier");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBInstancesCommand3({ DBInstanceIdentifier: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBInstanceNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBInstancesCommand3({ ...marker && { Marker: marker } })
+      );
+      for (const inst of list.DBInstances ?? []) {
+        if (!inst.DBInstanceIdentifier || !inst.DBInstanceArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand12({ ResourceName: inst.DBInstanceArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: inst.DBInstanceIdentifier, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importDBCluster(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBClusterIdentifier");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBClustersCommand3({ DBClusterIdentifier: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBClusterNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBClustersCommand3({ ...marker && { Marker: marker } })
+      );
+      for (const c of list.DBClusters ?? []) {
+        if (!c.DBClusterIdentifier || !c.DBClusterArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand12({ ResourceName: c.DBClusterArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: c.DBClusterIdentifier, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+  async importDBSubnetGroup(input) {
+    const explicit = resolveExplicitPhysicalId(input, "DBSubnetGroupName");
+    if (explicit) {
+      try {
+        await this.getClient().send(
+          new DescribeDBSubnetGroupsCommand3({ DBSubnetGroupName: explicit })
+        );
+        return { physicalId: explicit, attributes: {} };
+      } catch (err) {
+        if (err.name === "DBSubnetGroupNotFoundFault")
+          return null;
+        throw err;
+      }
+    }
+    if (!input.cdkPath)
+      return null;
+    let marker;
+    do {
+      const list = await this.getClient().send(
+        new DescribeDBSubnetGroupsCommand3({ ...marker && { Marker: marker } })
+      );
+      for (const sg of list.DBSubnetGroups ?? []) {
+        if (!sg.DBSubnetGroupName || !sg.DBSubnetGroupArn)
+          continue;
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand12({ ResourceName: sg.DBSubnetGroupArn })
+        );
+        if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
+          return { physicalId: sg.DBSubnetGroupName, attributes: {} };
+        }
+      }
+      marker = list.Marker;
+    } while (marker);
+    return null;
+  }
+};
+
+// src/provisioning/providers/route53-provider.ts
+import {
+  Route53Client as Route53Client2,
+  CreateHostedZoneCommand,
+  DeleteHostedZoneCommand,
+  GetHostedZoneCommand as GetHostedZoneCommand2,
+  ChangeResourceRecordSetsCommand,
+  UpdateHostedZoneCommentCommand,
+  ChangeTagsForResourceCommand,
+  AssociateVPCWithHostedZoneCommand,
+  DisassociateVPCFromHostedZoneCommand,
+  CreateQueryLoggingConfigCommand,
+  DeleteQueryLoggingConfigCommand,
+  ListQueryLoggingConfigsCommand,
+  ListHostedZonesByNameCommand as ListHostedZonesByNameCommand2,
+  ListHostedZonesCommand,
+  ListResourceRecordSetsCommand,
+  ListTagsForResourceCommand as ListTagsForResourceCommand13
+} from "@aws-sdk/client-route-53";
+var Route53Provider = class {
+  route53Client;
+  providerRegion = process.env["AWS_REGION"];
+  logger = getLogger().child("Route53Provider");
+  handledProperties = /* @__PURE__ */ new Map([
+    [
+      "AWS::Route53::HostedZone",
+      /* @__PURE__ */ new Set(["Name", "HostedZoneConfig", "HostedZoneTags", "VPCs", "QueryLoggingConfig"])
+    ],
+    [
+      "AWS::Route53::RecordSet",
+      /* @__PURE__ */ new Set([
+        "HostedZoneId",
+        "HostedZoneName",
+        "Name",
+        "Type",
+        "TTL",
+        "ResourceRecords",
+        "AliasTarget",
+        "SetIdentifier",
+        "Weight",
+        "Region",
+        "Failover",
+        "MultiValueAnswer",
+        "HealthCheckId",
+        "Comment",
+        "GeoLocation"
+      ])
+    ]
+  ]);
+  getClient() {
+    if (!this.route53Client) {
+      this.route53Client = new Route53Client2(
+        this.providerRegion ? { region: this.providerRegion } : {}
+      );
+    }
+    return this.route53Client;
+  }
+  // ─── Dispatch ─────────────────────────────────────────────────────
+  async create(logicalId, resourceType, properties) {
+    switch (resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.createHostedZone(logicalId, resourceType, properties);
+      case "AWS::Route53::RecordSet":
+        return this.createRecordSet(logicalId, resourceType, properties);
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId
+        );
+    }
+  }
+  async update(logicalId, physicalId, resourceType, properties, _previousProperties) {
+    switch (resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.updateHostedZone(logicalId, physicalId, resourceType, properties);
+      case "AWS::Route53::RecordSet":
+        return this.updateRecordSet(logicalId, physicalId, resourceType, properties);
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+    }
+  }
+  async delete(logicalId, physicalId, resourceType, properties, context) {
+    switch (resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.deleteHostedZone(logicalId, physicalId, resourceType, context);
+      case "AWS::Route53::RecordSet":
+        return this.deleteRecordSet(logicalId, physicalId, resourceType, properties, context);
+      default:
+        throw new ProvisioningError(
+          `Unsupported resource type: ${resourceType}`,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+    }
+  }
+  async getAttribute(physicalId, resourceType, attributeName) {
+    switch (resourceType) {
+      case "AWS::Route53::HostedZone":
+        return this.getHostedZoneAttribute(physicalId, attributeName);
+      default:
+        return void 0;
+    }
+  }
+  // ─── AWS::Route53::HostedZone ──────────────────────────────────────
+  async createHostedZone(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Route 53 hosted zone ${logicalId}`);
+    const name = properties["Name"];
+    if (!name) {
+      throw new ProvisioningError(
+        `Name is required for hosted zone ${logicalId}`,
+        resourceType,
+        logicalId
+      );
+    }
+    try {
+      const hostedZoneConfig = properties["HostedZoneConfig"];
+      const vpcs = properties["VPCs"];
+      const firstVpc = vpcs && vpcs.length > 0 ? vpcs[0] : void 0;
+      const response = await this.getClient().send(
+        new CreateHostedZoneCommand({
+          Name: name,
+          CallerReference: `${logicalId}-${Date.now()}`,
+          ...hostedZoneConfig && hostedZoneConfig["Comment"] ? {
+            HostedZoneConfig: {
+              Comment: hostedZoneConfig["Comment"],
+              // When VPCs are specified, this is a private hosted zone
+              ...firstVpc ? { PrivateZone: true } : {}
+            }
+          } : firstVpc ? { HostedZoneConfig: { PrivateZone: true } } : {},
+          ...firstVpc ? {
+            VPC: {
+              VPCId: firstVpc["VPCId"],
+              VPCRegion: firstVpc["VPCRegion"]
+            }
+          } : {}
+        })
+      );
+      const hostedZone = response.HostedZone;
+      if (!hostedZone?.Id) {
+        throw new Error("CreateHostedZone did not return HostedZone.Id");
+      }
+      const zoneId = hostedZone.Id.replace("/hostedzone/", "");
+      if (vpcs && vpcs.length > 1) {
+        for (let i = 1; i < vpcs.length; i++) {
+          const additionalVpc = vpcs[i];
+          this.logger.debug(
+            `Associating additional VPC ${String(additionalVpc["VPCId"])} with hosted zone ${zoneId}`
+          );
+          await this.getClient().send(
+            new AssociateVPCWithHostedZoneCommand({
+              HostedZoneId: zoneId,
+              VPC: {
+                VPCId: additionalVpc["VPCId"],
+                VPCRegion: additionalVpc["VPCRegion"]
+              }
+            })
+          );
+        }
+      }
+      await this.applyHostedZoneTags(zoneId, properties, logicalId);
+      await this.applyQueryLoggingConfig(zoneId, properties, logicalId);
+      const nameServers = response.DelegationSet?.NameServers ?? [];
+      this.logger.debug(`Successfully created hosted zone ${logicalId}: ${zoneId}`);
+      return {
+        physicalId: zoneId,
+        attributes: {
+          Id: zoneId,
+          NameServers: nameServers.join(",")
+        }
+      };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create hosted zone ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async updateHostedZone(logicalId, physicalId, resourceType, properties) {
+    this.logger.debug(`Updating Route 53 hosted zone ${logicalId}: ${physicalId}`);
+    try {
+      const hostedZoneConfig = properties["HostedZoneConfig"];
+      const comment = hostedZoneConfig?.["Comment"] ?? "";
+      await this.getClient().send(
+        new UpdateHostedZoneCommentCommand({
+          Id: physicalId,
+          Comment: comment
+        })
+      );
+      await this.applyHostedZoneTags(physicalId, properties, logicalId);
+      await this.applyQueryLoggingConfig(physicalId, properties, logicalId);
+      await this.syncVPCAssociations(physicalId, properties, logicalId);
+      const getResponse = await this.getClient().send(new GetHostedZoneCommand2({ Id: physicalId }));
+      const nameServers = getResponse.DelegationSet?.NameServers ?? [];
+      this.logger.debug(`Successfully updated hosted zone ${logicalId}`);
+      return {
+        physicalId,
+        wasReplaced: false,
+        attributes: {
+          Id: physicalId,
+          NameServers: nameServers.join(",")
+        }
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update hosted zone ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async deleteHostedZone(logicalId, physicalId, resourceType, context) {
+    this.logger.debug(`Deleting Route 53 hosted zone ${logicalId}: ${physicalId}`);
+    try {
+      await this.deleteQueryLoggingConfigForZone(physicalId, logicalId);
+      await this.getClient().send(new DeleteHostedZoneCommand({ Id: physicalId }));
+      this.logger.debug(`Successfully deleted hosted zone ${logicalId}`);
+    } catch (error) {
+      if (error instanceof Error && error.name === "NoSuchHostedZone") {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Hosted zone ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete hosted zone ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async getHostedZoneAttribute(physicalId, attributeName) {
+    switch (attributeName) {
+      case "Id":
+        return physicalId;
+      case "NameServers": {
+        const response = await this.getClient().send(new GetHostedZoneCommand2({ Id: physicalId }));
+        return (response.DelegationSet?.NameServers ?? []).join(",");
+      }
+      default:
+        return void 0;
+    }
+  }
+  // ─── AWS::Route53::RecordSet ───────────────────────────────────────
+  async createRecordSet(logicalId, resourceType, properties) {
+    this.logger.debug(`Creating Route 53 record set ${logicalId}`);
+    const hostedZoneId = await this.resolveHostedZoneId(properties, logicalId, resourceType);
+    const recordName = properties["Name"];
+    const recordType = properties["Type"];
+    try {
+      const resourceRecordSet = this.buildResourceRecordSet(properties);
+      const comment = properties["Comment"];
+      await this.getClient().send(
+        new ChangeResourceRecordSetsCommand({
+          HostedZoneId: hostedZoneId,
+          ChangeBatch: {
+            ...comment ? { Comment: comment } : {},
+            Changes: [
+              {
+                Action: "CREATE",
+                ResourceRecordSet: resourceRecordSet
+              }
+            ]
+          }
+        })
+      );
+      const compositeId = `${hostedZoneId}|${recordName}|${recordType}`;
+      this.logger.debug(`Successfully created record set ${logicalId}: ${compositeId}`);
+      return {
+        physicalId: compositeId,
+        attributes: {}
+      };
+    } catch (error) {
+      if (error instanceof ProvisioningError)
+        throw error;
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to create record set ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        void 0,
+        cause
+      );
+    }
+  }
+  async updateRecordSet(logicalId, physicalId, resourceType, properties) {
+    this.logger.debug(`Updating Route 53 record set ${logicalId}: ${physicalId}`);
+    const hostedZoneId = await this.resolveHostedZoneId(
+      properties,
+      logicalId,
+      resourceType,
+      physicalId
+    );
+    const recordName = properties["Name"];
+    const recordType = properties["Type"];
+    try {
+      const resourceRecordSet = this.buildResourceRecordSet(properties);
+      const comment = properties["Comment"];
+      await this.getClient().send(
+        new ChangeResourceRecordSetsCommand({
+          HostedZoneId: hostedZoneId,
+          ChangeBatch: {
+            ...comment ? { Comment: comment } : {},
+            Changes: [
+              {
+                Action: "UPSERT",
+                ResourceRecordSet: resourceRecordSet
+              }
+            ]
+          }
+        })
+      );
+      const compositeId = `${hostedZoneId}|${recordName}|${recordType}`;
+      this.logger.debug(`Successfully updated record set ${logicalId}`);
+      return {
+        physicalId: compositeId,
+        wasReplaced: false,
+        attributes: {}
+      };
+    } catch (error) {
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to update record set ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  async deleteRecordSet(logicalId, physicalId, resourceType, properties, context) {
+    this.logger.debug(`Deleting Route 53 record set ${logicalId}: ${physicalId}`);
+    const parts = physicalId.split("|");
+    if (parts.length !== 3) {
+      throw new ProvisioningError(
+        `Invalid record set physical ID format: ${physicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    const [hostedZoneId] = parts;
+    if (!properties) {
+      throw new ProvisioningError(
+        `Properties required to delete record set ${logicalId}`,
+        resourceType,
+        logicalId,
+        physicalId
+      );
+    }
+    try {
+      const resourceRecordSet = this.buildResourceRecordSet(properties);
+      await this.getClient().send(
+        new ChangeResourceRecordSetsCommand({
+          HostedZoneId: hostedZoneId,
+          ChangeBatch: {
+            Changes: [
+              {
+                Action: "DELETE",
+                ResourceRecordSet: resourceRecordSet
+              }
+            ]
+          }
+        })
+      );
+      this.logger.debug(`Successfully deleted record set ${logicalId}`);
+    } catch (error) {
+      if (error instanceof Error && (error.name === "InvalidChangeBatch" || error.message.includes("it was not found"))) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
+        this.logger.debug(`Record set ${physicalId} does not exist, skipping deletion`);
+        return;
+      }
+      if (error instanceof Error && error.name === "NoSuchHostedZone") {
+        this.logger.debug(
+          `Hosted zone for record set ${physicalId} does not exist, skipping deletion`
+        );
+        return;
+      }
+      const cause = error instanceof Error ? error : void 0;
+      throw new ProvisioningError(
+        `Failed to delete record set ${logicalId}: ${error instanceof Error ? error.message : String(error)}`,
+        resourceType,
+        logicalId,
+        physicalId,
+        cause
+      );
+    }
+  }
+  // ─── Helpers ───────────────────────────────────────────────────────
+  /**
+   * Build a ResourceRecordSet object from CDK properties.
+   *
+   * Handles conversion of CDK-style ResourceRecords (array of strings)
+   * to SDK-style ResourceRecords (array of {Value}).
+   * Also handles routing policy properties: Weight, Region, Failover,
+   * MultiValueAnswer, GeoLocation, SetIdentifier, and HealthCheckId.
+   */
+  buildResourceRecordSet(properties) {
+    const name = properties["Name"];
+    const type = properties["Type"];
+    const ttl = properties["TTL"];
+    const resourceRecords = properties["ResourceRecords"];
+    const aliasTarget = properties["AliasTarget"];
+    const recordSet = {
+      Name: name,
+      Type: type
+    };
+    if (aliasTarget) {
+      recordSet.AliasTarget = {
+        HostedZoneId: aliasTarget["HostedZoneId"],
+        DNSName: aliasTarget["DNSName"],
+        EvaluateTargetHealth: aliasTarget["EvaluateTargetHealth"] ?? false
+      };
+    } else {
+      if (ttl !== void 0) {
+        recordSet.TTL = Number(ttl);
+      }
+      if (resourceRecords) {
+        recordSet.ResourceRecords = resourceRecords.map((record) => {
+          if (typeof record === "string") {
+            return { Value: record };
+          }
+          return record;
+        });
+      }
+    }
+    const setIdentifier = properties["SetIdentifier"];
     if (setIdentifier !== void 0) {
       recordSet.SetIdentifier = setIdentifier;
     }
@@ -30750,7 +32735,7 @@ var Route53Provider = class {
     const idTail = physicalId.replace(/^\/hostedzone\//, "");
     try {
       const tagsResp = await this.getClient().send(
-        new ListTagsForResourceCommand11({ ResourceType: "hostedzone", ResourceId: idTail })
+        new ListTagsForResourceCommand13({ ResourceType: "hostedzone", ResourceId: idTail })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagSet?.Tags);
       result["HostedZoneTags"] = tags;
@@ -30900,7 +32885,7 @@ var Route53Provider = class {
         const zoneId = zone.Id.replace("/hostedzone/", "");
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand11({
+            new ListTagsForResourceCommand13({
               ResourceType: "hostedzone",
               ResourceId: zoneId
             })
@@ -30928,7 +32913,7 @@ import {
   DeleteWebACLCommand,
   GetWebACLCommand,
   ListWebACLsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand12,
+  ListTagsForResourceCommand as ListTagsForResourceCommand14,
   TagResourceCommand as TagResourceCommand13,
   UntagResourceCommand as UntagResourceCommand13,
   WAFNonexistentItemException
@@ -31256,7 +33241,7 @@ var WAFv2WebACLProvider = class {
     }
     try {
       const tagsResp = await this.getClient().send(
-        new ListTagsForResourceCommand12({ ResourceARN: physicalId })
+        new ListTagsForResourceCommand14({ ResourceARN: physicalId })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.TagInfoForResource?.TagList);
       result["Tags"] = tags;
@@ -31304,7 +33289,7 @@ var WAFv2WebACLProvider = class {
         if (!item.ARN)
           continue;
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand12({ ResourceARN: item.ARN })
+          new ListTagsForResourceCommand14({ ResourceARN: item.ARN })
         );
         const tagList = tagsResp.TagInfoForResource?.TagList;
         if (matchesCdkPath(tagList, input.cdkPath)) {
@@ -31325,7 +33310,7 @@ import {
   UpdateUserPoolCommand,
   DescribeUserPoolCommand,
   ListUserPoolsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand13,
+  ListTagsForResourceCommand as ListTagsForResourceCommand15,
   ResourceNotFoundException as ResourceNotFoundException12
 } from "@aws-sdk/client-cognito-identity-provider";
 function isEmptyObjectPlaceholder(value) {
@@ -31794,7 +33779,7 @@ var CognitoUserPoolProvider = class {
             if (!arn)
               continue;
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand13({ ResourceArn: arn })
+              new ListTagsForResourceCommand15({ ResourceArn: arn })
             );
             if (tagsResp.Tags?.[CDK_PATH_TAG] === input.cdkPath) {
               return { physicalId: pool.Id, attributes: {} };
@@ -31823,9 +33808,9 @@ import {
   DeleteCacheSubnetGroupCommand,
   ModifyCacheSubnetGroupCommand,
   ModifyCacheClusterCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand14,
-  AddTagsToResourceCommand as AddTagsToResourceCommand3,
-  RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand3
+  ListTagsForResourceCommand as ListTagsForResourceCommand16,
+  AddTagsToResourceCommand as AddTagsToResourceCommand5,
+  RemoveTagsFromResourceCommand as RemoveTagsFromResourceCommand5
 } from "@aws-sdk/client-elasticache";
 import { STSClient as STSClient6, GetCallerIdentityCommand as GetCallerIdentityCommand6 } from "@aws-sdk/client-sts";
 var ElastiCacheProvider = class {
@@ -32211,13 +34196,13 @@ var ElastiCacheProvider = class {
     }
     if (tagsToRemove.length > 0) {
       await this.getClient().send(
-        new RemoveTagsFromResourceCommand3({ ResourceName: arn, TagKeys: tagsToRemove })
+        new RemoveTagsFromResourceCommand5({ ResourceName: arn, TagKeys: tagsToRemove })
       );
       this.logger.debug(`Removed ${tagsToRemove.length} tag(s) from ElastiCache resource ${arn}`);
     }
     if (tagsToAdd.length > 0) {
       await this.getClient().send(
-        new AddTagsToResourceCommand3({ ResourceName: arn, Tags: tagsToAdd })
+        new AddTagsToResourceCommand5({ ResourceName: arn, Tags: tagsToAdd })
       );
       this.logger.debug(`Added/updated ${tagsToAdd.length} tag(s) on ElastiCache resource ${arn}`);
     }
@@ -32417,7 +34402,7 @@ var ElastiCacheProvider = class {
   async attachTags(result, arn) {
     try {
       const tagsResp = await this.getClient().send(
-        new ListTagsForResourceCommand14({ ResourceName: arn })
+        new ListTagsForResourceCommand16({ ResourceName: arn })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
       result["Tags"] = tags;
@@ -32479,7 +34464,7 @@ var ElastiCacheProvider = class {
           continue;
         const arn = c.ARN ?? await this.buildClusterArn(c.CacheClusterId);
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand14({ ResourceName: arn })
+          new ListTagsForResourceCommand16({ ResourceName: arn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: c.CacheClusterId, attributes: {} };
@@ -32516,7 +34501,7 @@ var ElastiCacheProvider = class {
           continue;
         const arn = g.ARN ?? await this.buildSubnetGroupArn(g.CacheSubnetGroupName);
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand14({ ResourceName: arn })
+          new ListTagsForResourceCommand16({ ResourceName: arn })
         );
         if (matchesCdkPath(tagsResp.TagList, input.cdkPath)) {
           return { physicalId: g.CacheSubnetGroupName, attributes: {} };
@@ -32569,7 +34554,7 @@ import {
   GetServiceCommand,
   ListNamespacesCommand,
   ListServicesCommand as ListServicesCommand2,
-  ListTagsForResourceCommand as ListTagsForResourceCommand15,
+  ListTagsForResourceCommand as ListTagsForResourceCommand17,
   NamespaceNotFound,
   ServiceNotFound
 } from "@aws-sdk/client-servicediscovery";
@@ -33133,7 +35118,7 @@ var ServiceDiscoveryProvider = class {
   async attachTags(result, arn) {
     try {
       const tagsResp = await this.getClient().send(
-        new ListTagsForResourceCommand15({ ResourceARN: arn })
+        new ListTagsForResourceCommand17({ ResourceARN: arn })
       );
       const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
       result["Tags"] = tags;
@@ -33179,7 +35164,7 @@ var ServiceDiscoveryProvider = class {
         if (input.cdkPath) {
           try {
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand15({ ResourceARN: ns.Arn })
+              new ListTagsForResourceCommand17({ ResourceARN: ns.Arn })
             );
             if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
               return { physicalId: ns.Id, attributes: {} };
@@ -33218,7 +35203,7 @@ var ServiceDiscoveryProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand15({ ResourceARN: svc.Arn })
+            new ListTagsForResourceCommand17({ ResourceARN: svc.Arn })
           );
           if (matchesCdkPath(tagsResp.Tags, input.cdkPath)) {
             return { physicalId: svc.Id, attributes: {} };
@@ -38416,7 +40401,7 @@ import {
   GetVectorBucketCommand,
   ListIndexesCommand,
   ListVectorBucketsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand16,
+  ListTagsForResourceCommand as ListTagsForResourceCommand18,
   DeleteIndexCommand
 } from "@aws-sdk/client-s3vectors";
 var S3VectorsProvider = class {
@@ -38650,7 +40635,7 @@ var S3VectorsProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand16({ resourceArn: bucket.vectorBucketArn })
+            new ListTagsForResourceCommand18({ resourceArn: bucket.vectorBucketArn })
           );
           if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
             return { physicalId: bucket.vectorBucketName, attributes: {} };
@@ -38994,7 +40979,7 @@ import {
   ListNamespacesCommand as ListNamespacesCommand2,
   ListTablesCommand as ListTablesCommand2,
   ListTableBucketsCommand,
-  ListTagsForResourceCommand as ListTagsForResourceCommand17,
+  ListTagsForResourceCommand as ListTagsForResourceCommand19,
   NotFoundException as NotFoundException6
 } from "@aws-sdk/client-s3tables";
 var S3TablesProvider = class {
@@ -39478,7 +41463,7 @@ var S3TablesProvider = class {
         if (input.cdkPath) {
           try {
             const tagsResp = await this.getClient().send(
-              new ListTagsForResourceCommand17({ resourceArn: bucket.arn })
+              new ListTagsForResourceCommand19({ resourceArn: bucket.arn })
             );
             if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
               return { physicalId: bucket.arn, attributes: {} };
@@ -39558,7 +41543,7 @@ var S3TablesProvider = class {
                   continue;
                 try {
                   const tagsResp = await this.getClient().send(
-                    new ListTagsForResourceCommand17({ resourceArn: table.tableARN })
+                    new ListTagsForResourceCommand19({ resourceArn: table.tableARN })
                   );
                   if (tagsResp.tags?.[CDK_PATH_TAG] === input.cdkPath) {
                     return {
@@ -39644,7 +41629,7 @@ import {
   PutImageScanningConfigurationCommand,
   PutImageTagMutabilityCommand,
   TagResourceCommand as TagResourceCommand15,
-  ListTagsForResourceCommand as ListTagsForResourceCommand18,
+  ListTagsForResourceCommand as ListTagsForResourceCommand20,
   LifecyclePolicyNotFoundException,
   RepositoryNotFoundException
 } from "@aws-sdk/client-ecr";
@@ -39974,7 +41959,7 @@ var ECRProvider = class {
     if (r.repositoryArn) {
       try {
         const tagsResp = await this.getClient().send(
-          new ListTagsForResourceCommand18({ resourceArn: r.repositoryArn })
+          new ListTagsForResourceCommand20({ resourceArn: r.repositoryArn })
         );
         const tags = normalizeAwsTagsToCfn(tagsResp.tags);
         result["Tags"] = tags;
@@ -40020,7 +42005,7 @@ var ECRProvider = class {
           continue;
         try {
           const tagsResp = await this.getClient().send(
-            new ListTagsForResourceCommand18({ resourceArn: repo.repositoryArn })
+            new ListTagsForResourceCommand20({ resourceArn: repo.repositoryArn })
           );
           if (matchesCdkPath(tagsResp.tags, input.cdkPath)) {
             return { physicalId: repo.repositoryName, attributes: {} };
@@ -40749,6 +42734,14 @@ function registerAllProviders(registry) {
   registry.register("AWS::RDS::DBSubnetGroup", rdsProvider);
   registry.register("AWS::RDS::DBCluster", rdsProvider);
   registry.register("AWS::RDS::DBInstance", rdsProvider);
+  const docdbProvider = new DocDBProvider();
+  registry.register("AWS::DocDB::DBSubnetGroup", docdbProvider);
+  registry.register("AWS::DocDB::DBCluster", docdbProvider);
+  registry.register("AWS::DocDB::DBInstance", docdbProvider);
+  const neptuneProvider = new NeptuneProvider();
+  registry.register("AWS::Neptune::DBSubnetGroup", neptuneProvider);
+  registry.register("AWS::Neptune::DBCluster", neptuneProvider);
+  registry.register("AWS::Neptune::DBInstance", neptuneProvider);
   const route53Provider = new Route53Provider();
   registry.register("AWS::Route53::HostedZone", route53Provider);
   registry.register("AWS::Route53::RecordSet", route53Provider);
@@ -43750,6 +45743,14 @@ var PROTECTION_PROPERTY_BY_TYPE = {
   "AWS::Logs::LogGroup": "DeletionProtectionEnabled",
   "AWS::RDS::DBInstance": "DeletionProtection",
   "AWS::RDS::DBCluster": "DeletionProtection",
+  // DocDB: cluster-level only. The DocDB DBInstance shape does NOT
+  // expose a DeletionProtection field (verified against the
+  // @aws-sdk/client-docdb CreateDBInstanceMessage type — the field is
+  // absent), so there is nothing to flip on destroy of an instance.
+  "AWS::DocDB::DBCluster": "DeletionProtection",
+  // Neptune: both cluster and instance expose DeletionProtection.
+  "AWS::Neptune::DBCluster": "DeletionProtection",
+  "AWS::Neptune::DBInstance": "DeletionProtection",
   "AWS::DynamoDB::Table": "DeletionProtectionEnabled",
   "AWS::EC2::Instance": "DisableApiTermination",
   "AWS::Cognito::UserPool": "DeletionProtection",
@@ -46070,7 +48071,7 @@ function createStateDestroyCommand() {
     "Destroy a stack's AWS resources and remove its state record without requiring the CDK app. For removing only the state record (keeping AWS resources intact), use 'cdkd state orphan'."
   ).argument("[stacks...]", "Stack name(s) to destroy (physical CloudFormation names)").option("--all", "Destroy every stack in the state bucket", false).option(
     "--remove-protection",
-    "Bypass deletion protection on protected resources by flipping the per-resource protection flag off in-place before delete. Covers AWS::Logs::LogGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::DynamoDB::Table, AWS::EC2::Instance, and AWS::ElasticLoadBalancingV2::LoadBalancer.",
+    "Bypass deletion protection on protected resources by flipping the per-resource protection flag off in-place before delete. Covers AWS::Logs::LogGroup, AWS::RDS::DBInstance, AWS::RDS::DBCluster, AWS::DocDB::DBCluster, AWS::Neptune::DBCluster, AWS::Neptune::DBInstance, AWS::DynamoDB::Table, AWS::EC2::Instance, AWS::Cognito::UserPool, AWS::AutoScaling::AutoScalingGroup, and AWS::ElasticLoadBalancingV2::LoadBalancer.",
     false
   ).addOption(stackRegionOption2()).addHelpText(
     "after",
@@ -47212,7 +49213,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.59.1");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.60.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());