@go-to-k/cdkd 0.67.0 → 0.69.0

package/README.md

@@ -581,8 +581,9 @@ Lambda Runtime Interface Emulator (RIE). Modeled on `sam local invoke`
 but reusing cdkd's synthesis / asset / construct-path plumbing — no
 `template.yaml` to maintain, no `cdk synth | sam ...` round-trip.
 
-Requires Docker. v1 supports Node.js runtimes only (`nodejs18.x` /
-`nodejs20.x` / `nodejs22.x`); other runtimes follow in subsequent PRs.
+Requires Docker. v1 supports Node.js and Python runtimes (`nodejs18.x` /
+`nodejs20.x` / `nodejs22.x` / `python3.11` / `python3.12` / `python3.13`);
+other runtimes follow in subsequent PRs.
 
 ```bash
 # Invoke by CDK display path (single-stack apps may omit the prefix)
@@ -606,6 +607,14 @@ cdkd local invoke MyStack/Handler --assume-role arn:aws:iam::123456789012:role/M
 
 # Attach a Node debugger
 cdkd local invoke MyStack/Handler --debug-port 9229
+
+# After `cdkd deploy`, recover intrinsic-valued env vars (Ref / Fn::GetAtt
+# / Fn::Sub) from cdkd's S3 state instead of dropping them. Off by default
+# — keeps the local-only / unscoped flow safe; opt in when you want the
+# handler to see the deployed physical IDs (S3 bucket names, DDB table
+# names, IAM role ARNs, ...). Disambiguate with `--stack-region <region>`
+# when the same stack name has state in multiple regions.
+cdkd local invoke MyStack/Handler --from-state
 ```
 
 See [docs/cli-reference.md](docs/cli-reference.md#local-invoke-run-lambda-functions-locally)

package/dist/cli.js

@@ -70177,11 +70177,191 @@ function isLiteralEnvValue(value) {
   return typeof value === "string" || typeof value === "number" || typeof value === "boolean";
 }
 
+// src/local-invoke/state-resolver.ts
+function substituteAgainstState(value, resources) {
+  if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+    return { kind: "literal", value };
+  }
+  if (value === null || typeof value !== "object") {
+    return {
+      kind: "unresolved",
+      reason: `unsupported value type: ${value === null ? "null" : typeof value}`
+    };
+  }
+  const obj = value;
+  const keys = Object.keys(obj);
+  if (keys.length !== 1) {
+    return {
+      kind: "unresolved",
+      reason: `expected an intrinsic with one key, got ${keys.length} keys`
+    };
+  }
+  const intrinsic = keys[0];
+  const arg = obj[intrinsic];
+  if (intrinsic === "Ref") {
+    return resolveRef(arg, resources);
+  }
+  if (intrinsic === "Fn::GetAtt") {
+    return resolveGetAtt(arg, resources);
+  }
+  if (intrinsic === "Fn::Sub") {
+    return resolveSub(arg, resources);
+  }
+  return {
+    kind: "unresolved",
+    reason: `unsupported intrinsic '${intrinsic}' (only Ref, Fn::GetAtt, Fn::Sub are wired in --from-state v1)`
+  };
+}
+function resolveRef(arg, resources) {
+  if (typeof arg !== "string" || arg.length === 0) {
+    return { kind: "unresolved", reason: `Ref expects a non-empty logical ID, got ${typeof arg}` };
+  }
+  const resource = resources[arg];
+  if (!resource) {
+    return {
+      kind: "unresolved",
+      reason: `Ref '${arg}': no record in cdkd state (was the resource deployed?)`
+    };
+  }
+  return { kind: "literal", value: resource.physicalId };
+}
+function resolveGetAtt(arg, resources) {
+  let logicalId;
+  let attr;
+  if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string") {
+    logicalId = arg[0];
+    if (typeof arg[1] !== "string") {
+      return {
+        kind: "unresolved",
+        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported in --from-state v1)`
+      };
+    }
+    attr = arg[1];
+  } else if (typeof arg === "string") {
+    const dot = arg.indexOf(".");
+    if (dot <= 0 || dot === arg.length - 1) {
+      return {
+        kind: "unresolved",
+        reason: `Fn::GetAtt string form must be '<LogicalId>.<Attribute>', got '${arg}'`
+      };
+    }
+    logicalId = arg.slice(0, dot);
+    attr = arg.slice(dot + 1);
+  } else {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt expects [LogicalId, Attribute] or 'LogicalId.Attribute', got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
+    };
+  }
+  const resource = resources[logicalId];
+  if (!resource) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt '${logicalId}.${attr}': no record in cdkd state`
+    };
+  }
+  const cached = resource.attributes?.[attr];
+  if (cached === void 0) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt '${logicalId}.${attr}': attribute not captured in cdkd state at deploy time`
+    };
+  }
+  if (typeof cached === "string" || typeof cached === "number" || typeof cached === "boolean") {
+    return { kind: "literal", value: cached };
+  }
+  return { kind: "literal", value: JSON.stringify(cached) };
+}
+function resolveSub(arg, resources) {
+  let template;
+  let bindings = {};
+  if (typeof arg === "string") {
+    template = arg;
+  } else if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] !== null && typeof arg[1] === "object" && !Array.isArray(arg[1])) {
+    template = arg[0];
+    bindings = arg[1];
+  } else {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Sub expects a string or [string, object], got ${Array.isArray(arg) ? "malformed array" : typeof arg}`
+    };
+  }
+  const placeholderRegex = /\$\{([^}]+)\}/g;
+  const placeholders = [];
+  template.replace(placeholderRegex, (_, key) => {
+    placeholders.push(key);
+    return "";
+  });
+  const resolutions = /* @__PURE__ */ new Map();
+  for (const placeholder of placeholders) {
+    if (resolutions.has(placeholder))
+      continue;
+    if (placeholder in bindings) {
+      const sub = substituteAgainstState(bindings[placeholder], resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+      continue;
+    }
+    const dot = placeholder.indexOf(".");
+    if (dot === -1) {
+      const sub = resolveRef(placeholder, resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+    } else {
+      const sub = resolveGetAtt(placeholder, resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+    }
+  }
+  const out = template.replace(placeholderRegex, (_, key) => {
+    return resolutions.get(key) ?? "";
+  });
+  return { kind: "literal", value: out };
+}
+function substituteEnvVarsFromState(templateEnv, resources) {
+  const env = {};
+  const audit = { resolvedKeys: [], unresolved: [] };
+  if (!templateEnv)
+    return { env, audit };
+  for (const [key, value] of Object.entries(templateEnv)) {
+    if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+      env[key] = value;
+      continue;
+    }
+    const result = substituteAgainstState(value, resources);
+    if (result.kind === "literal") {
+      env[key] = result.value;
+      audit.resolvedKeys.push(key);
+    } else {
+      audit.unresolved.push({ key, reason: result.reason });
+    }
+  }
+  return { env, audit };
+}
+
 // src/local-invoke/runtime-image.ts
-var NODEJS_RUNTIMES = {
-  "nodejs18.x": "public.ecr.aws/lambda/nodejs:18",
-  "nodejs20.x": "public.ecr.aws/lambda/nodejs:20",
-  "nodejs22.x": "public.ecr.aws/lambda/nodejs:22"
+var SUPPORTED_RUNTIMES = {
+  "nodejs18.x": { image: "public.ecr.aws/lambda/nodejs:18", fileExtension: ".js" },
+  "nodejs20.x": { image: "public.ecr.aws/lambda/nodejs:20", fileExtension: ".js" },
+  "nodejs22.x": { image: "public.ecr.aws/lambda/nodejs:22", fileExtension: ".js" },
+  "python3.11": { image: "public.ecr.aws/lambda/python:3.11", fileExtension: ".py" },
+  "python3.12": { image: "public.ecr.aws/lambda/python:3.12", fileExtension: ".py" },
+  "python3.13": { image: "public.ecr.aws/lambda/python:3.13", fileExtension: ".py" }
 };
 var UnsupportedRuntimeError = class _UnsupportedRuntimeError extends Error {
   constructor(runtime, message) {
@@ -70192,24 +70372,30 @@ var UnsupportedRuntimeError = class _UnsupportedRuntimeError extends Error {
   }
 };
 function resolveRuntimeImage(runtime) {
+  return resolveRuntimeSpec(runtime).image;
+}
+function resolveRuntimeFileExtension(runtime) {
+  return resolveRuntimeSpec(runtime).fileExtension;
+}
+function resolveRuntimeSpec(runtime) {
   if (typeof runtime !== "string" || runtime.length === 0) {
     throw new UnsupportedRuntimeError(
       String(runtime),
       "Lambda function has no Runtime property. Container-image Lambdas (Code.ImageUri) are not supported in cdkd local invoke v1."
     );
   }
-  const image = NODEJS_RUNTIMES[runtime];
-  if (image)
-    return image;
-  if (runtime.startsWith("python") || runtime.startsWith("java") || runtime.startsWith("dotnet") || runtime.startsWith("ruby") || runtime.startsWith("go") || runtime.startsWith("provided")) {
+  const spec = SUPPORTED_RUNTIMES[runtime];
+  if (spec)
+    return spec;
+  if (runtime.startsWith("java") || runtime.startsWith("dotnet") || runtime.startsWith("ruby") || runtime.startsWith("go") || runtime.startsWith("provided")) {
     throw new UnsupportedRuntimeError(
       runtime,
-      `Runtime '${runtime}' is not supported in cdkd local invoke v1. Only Node.js runtimes (nodejs18.x / nodejs20.x / nodejs22.x) are supported. Python is planned for the next iteration; other runtimes follow.`
+      `Runtime '${runtime}' is not supported in cdkd local invoke v1. Only Node.js (nodejs18.x / nodejs20.x / nodejs22.x) and Python (python3.11 / python3.12 / python3.13) runtimes are supported. Other runtimes follow in subsequent PRs.`
     );
   }
   throw new UnsupportedRuntimeError(
     runtime,
-    `Unknown runtime '${runtime}'. cdkd local invoke v1 supports nodejs18.x / nodejs20.x / nodejs22.x.`
+    `Unknown runtime '${runtime}'. cdkd local invoke v1 supports nodejs18.x / nodejs20.x / nodejs22.x / python3.11 / python3.12 / python3.13.`
   );
 }
 
@@ -70343,9 +70529,11 @@ async function waitForRieReady(host, port, timeoutMs = 5e3) {
   let lastError;
   while (Date.now() < deadline) {
     try {
-      const ok = await tcpProbe(host, port, 500);
-      if (ok)
+      const ok = await httpProbe(host, port, 500);
+      if (ok) {
+        await delay(250);
         return;
+      }
     } catch (err) {
       lastError = err;
     }
@@ -70356,19 +70544,50 @@ async function waitForRieReady(host, port, timeoutMs = 5e3) {
     `RIE did not become ready on ${host}:${port} within ${timeoutMs}ms${tail}. The container may have exited early \u2014 check 'docker logs' output.`
   );
 }
-async function invokeRie(host, port, event, timeoutMs) {
-  const url = `http://${host}:${port}${INVOKE_PATH}`;
-  const body = JSON.stringify(event ?? {});
+async function httpProbe(host, port, timeoutMs) {
   const controller = new AbortController();
   const timer = setTimeout(() => controller.abort(), timeoutMs);
-  let response;
   try {
-    response = await fetch(url, {
+    const response = await fetch(`http://${host}:${port}/`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
-      body,
+      body: "{}",
       signal: controller.signal
     });
+    await response.text().catch(() => void 0);
+    return true;
+  } catch (err) {
+    if (isTransientNetworkError(err))
+      return false;
+    throw err;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function isTransientNetworkError(err) {
+  if (!(err instanceof Error))
+    return false;
+  if (err.name === "AbortError")
+    return true;
+  if (err.name === "TypeError" && err.message === "fetch failed")
+    return true;
+  const cause = err.cause;
+  if (cause?.code === "ECONNRESET")
+    return true;
+  if (cause?.code === "ECONNREFUSED")
+    return true;
+  if (cause?.code === "UND_ERR_SOCKET")
+    return true;
+  return false;
+}
+async function invokeRie(host, port, event, timeoutMs) {
+  const url = `http://${host}:${port}${INVOKE_PATH}`;
+  const body = JSON.stringify(event ?? {});
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  let response;
+  try {
+    response = await fetchWithStartupRetry(url, body, controller.signal);
   } catch (err) {
     if (err.name === "AbortError") {
       throw new Error(
@@ -70387,36 +70606,32 @@ async function invokeRie(host, port, event, timeoutMs) {
   }
   return { payload, raw };
 }
-async function tcpProbe(host, port, timeoutMs) {
-  const { Socket } = await import("node:net");
-  return new Promise((resolveProbe, rejectProbe) => {
-    const socket = new Socket();
-    const cleanup = () => {
-      socket.removeAllListeners();
-      socket.destroy();
-    };
-    socket.setTimeout(timeoutMs);
-    socket.once("connect", () => {
-      cleanup();
-      resolveProbe(true);
-    });
-    socket.once("timeout", () => {
-      cleanup();
-      resolveProbe(false);
-    });
-    socket.once("error", (err) => {
-      cleanup();
-      if (err.code === "ECONNREFUSED" || err.code === "ECONNRESET") {
-        resolveProbe(false);
-        return;
-      }
-      rejectProbe(err);
-    });
-    socket.connect(port, host);
-  });
+async function fetchWithStartupRetry(url, body, signal) {
+  const maxAttempts = 3;
+  let lastError;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      return await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body,
+        signal
+      });
+    } catch (err) {
+      const name = err.name;
+      if (name === "AbortError")
+        throw err;
+      lastError = err;
+      if (attempt === maxAttempts)
+        break;
+      await delay(200);
+    }
+  }
+  throw lastError;
 }
 
 // src/cli/commands/local-invoke.ts
+init_aws_clients();
 async function localInvokeCommand(target, options) {
   const logger = getLogger();
   if (options.verbose) {
@@ -70442,14 +70657,49 @@ async function localInvokeCommand(target, options) {
   const { stacks } = await synthesizer.synthesize(synthOpts);
   const lambda = resolveLambdaTarget(target, stacks);
   logger.info(`Target: ${lambda.stack.stackName}/${lambda.logicalId} (${lambda.runtime})`);
-  const codeDir = lambda.codePath ?? materializeInlineCode(lambda.handler, lambda.inlineCode ?? "");
+  const codeDir = lambda.codePath ?? materializeInlineCode(
+    lambda.handler,
+    lambda.inlineCode ?? "",
+    resolveRuntimeFileExtension(lambda.runtime)
+  );
+  let stateAudit;
+  let templateEnv = getTemplateEnv(lambda.resource);
+  let stateForRoleHint;
+  if (options.fromState) {
+    const loaded = await loadStateForStack(lambda.stack.stackName, lambda.stack.region, {
+      ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
+      ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+      statePrefix: options.statePrefix,
+      ...options.region !== void 0 && { region: options.region },
+      ...options.profile !== void 0 && { profile: options.profile }
+    });
+    if (loaded) {
+      stateForRoleHint = loaded.state;
+      const { env, audit } = substituteEnvVarsFromState(templateEnv, loaded.state.resources);
+      templateEnv = env;
+      stateAudit = audit;
+      for (const key of audit.resolvedKeys) {
+        logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
+      }
+      for (const { key, reason } of audit.unresolved) {
+        logger.warn(
+          `--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`
+        );
+      }
+    }
+  }
   const overrides = readEnvOverridesFile(options.envVars);
-  const envResult = resolveEnvVars(lambda.logicalId, getTemplateEnv(lambda.resource), overrides);
+  const envResult = resolveEnvVars(lambda.logicalId, templateEnv, overrides);
   for (const key of envResult.unresolved) {
+    if (stateAudit && stateAudit.unresolved.some((u) => u.key === key))
+      continue;
     logger.warn(
-      `Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or wait for --from-state in PR 2.`
+      `Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or pass --from-state to recover deployed values.`
     );
   }
+  if (options.fromState && !options.assumeRole && stateForRoleHint) {
+    suggestAssumeRoleFromState(stateForRoleHint, lambda.logicalId);
+  }
   const event = await readEvent(options);
   const image = resolveRuntimeImage(lambda.runtime);
   const dockerEnv = {
@@ -70616,18 +70866,121 @@ function forwardAwsEnv(env) {
       env[key] = value;
   }
 }
-function materializeInlineCode(handler, source) {
+function materializeInlineCode(handler, source, fileExtension) {
   const lastDot = handler.lastIndexOf(".");
   if (lastDot <= 0) {
     throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
   }
   const modulePath = handler.substring(0, lastDot);
   const dir = mkdtempSync2(path.join(tmpdir2(), "cdkd-local-invoke-"));
-  const filePath = path.join(dir, `${modulePath}.js`);
+  const filePath = path.join(dir, `${modulePath}${fileExtension}`);
   mkdirSync2(path.dirname(filePath), { recursive: true });
   writeFileSync5(filePath, source, "utf-8");
   return dir;
 }
+async function loadStateForStack(stackName, synthRegion, opts) {
+  const logger = getLogger();
+  const region = opts.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? synthRegion ?? "us-east-1";
+  let stateBucket;
+  try {
+    stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, region);
+  } catch (err) {
+    logger.warn(
+      `--from-state: could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Falling back to PR 1 warn-and-drop semantics.`
+    );
+    return void 0;
+  }
+  const awsClients = new AwsClients({
+    ...opts.region !== void 0 && { region: opts.region },
+    ...opts.profile !== void 0 && { profile: opts.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: opts.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...opts.region !== void 0 && { region: opts.region },
+      ...opts.profile !== void 0 && { profile: opts.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
+    if (refs.length === 0) {
+      logger.warn(
+        `--from-state: no cdkd state found for stack '${stackName}' in bucket '${stateBucket}'. Was it deployed via 'cdkd deploy'? Falling back to PR 1 warn-and-drop semantics.`
+      );
+      return void 0;
+    }
+    let targetRegion;
+    if (opts.stackRegion) {
+      const found = refs.find((r) => r.region === opts.stackRegion);
+      if (!found) {
+        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+        logger.warn(
+          `--from-state: stack '${stackName}' has no state in region '${opts.stackRegion}' (available: ${seen}). Falling back.`
+        );
+        return void 0;
+      }
+      targetRegion = opts.stackRegion;
+    } else if (synthRegion && refs.some((r) => r.region === synthRegion)) {
+      targetRegion = synthRegion;
+    } else if (refs.length === 1) {
+      targetRegion = refs[0].region ?? synthRegion ?? region;
+    } else {
+      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      logger.warn(
+        `--from-state: stack '${stackName}' has state in multiple regions (${seen}). Re-run with --stack-region <region>. Falling back.`
+      );
+      return void 0;
+    }
+    const stateData = await stateBackend.getState(stackName, targetRegion);
+    if (!stateData) {
+      logger.warn(
+        `--from-state: state record for '${stackName}' (${targetRegion}) returned empty. Falling back.`
+      );
+      return void 0;
+    }
+    logger.debug(`--from-state: loaded state for ${stackName} (${targetRegion})`);
+    return { state: stateData.state, region: targetRegion };
+  } finally {
+    awsClients.destroy();
+  }
+}
+function suggestAssumeRoleFromState(state, logicalId) {
+  const logger = getLogger();
+  const lambda = state.resources[logicalId];
+  if (!lambda)
+    return;
+  const roleRef = lambda.properties?.["Role"] ?? lambda.observedProperties?.["Role"];
+  let roleArn;
+  if (typeof roleRef === "string" && roleRef.startsWith("arn:")) {
+    roleArn = roleRef;
+  } else if (typeof roleRef === "object" && roleRef !== null) {
+    const refLogicalId = pickReferencedLogicalId(roleRef);
+    if (refLogicalId) {
+      const roleResource = state.resources[refLogicalId];
+      const cached = roleResource?.attributes?.["Arn"];
+      if (typeof cached === "string" && cached.startsWith("arn:")) {
+        roleArn = cached;
+      }
+    }
+  }
+  if (roleArn) {
+    logger.info(
+      `Hint: the deployed function uses execution role ${roleArn}. Re-run with --assume-role <that-arn> to invoke under the deployed function's narrow permissions.`
+    );
+  }
+}
+function pickReferencedLogicalId(intrinsic) {
+  if ("Ref" in intrinsic && typeof intrinsic["Ref"] === "string")
+    return intrinsic["Ref"];
+  if ("Fn::GetAtt" in intrinsic) {
+    const arg = intrinsic["Fn::GetAtt"];
+    if (Array.isArray(arg) && typeof arg[0] === "string")
+      return arg[0];
+    if (typeof arg === "string")
+      return arg.split(".")[0];
+  }
+  return void 0;
+}
 function createLocalCommand() {
   const local = new Command14("local").description(
     "Local Lambda execution against the AWS Lambda Runtime Interface Emulator (Docker required)"
@@ -70646,8 +70999,20 @@ function createLocalCommand() {
       "--assume-role <arn>",
       `Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the "developer admin / function narrow" skew). Off by default \u2014 when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default).`
     )
+  ).addOption(
+    new Option7(
+      "--from-state",
+      "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default \u2014 keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy."
+    ).default(false)
+  ).addOption(
+    new Option7(
+      "--stack-region <region>",
+      "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions)."
+    )
   ).action(withErrorHandling(localInvokeCommand));
-  [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => invoke.addOption(opt));
+  [...commonOptions, ...appOptions, ...contextOptions, ...stateOptions].forEach(
+    (opt) => invoke.addOption(opt)
+  );
   invoke.addOption(deprecatedRegionOption);
   local.addCommand(invoke);
   return local;
@@ -70682,7 +71047,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command15();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.67.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.69.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());