@go-to-k/cdkd 0.68.0 → 0.70.0

package/dist/cli.js

@@ -4374,16 +4374,16 @@ var require_printer = __commonJS({
       },
       // Document
       Document: {
-        leave: (node) => join7(node.definitions, "\n\n")
+        leave: (node) => join8(node.definitions, "\n\n")
       },
       OperationDefinition: {
         leave(node) {
-          const varDefs = hasMultilineItems(node.variableDefinitions) ? wrap("(\n", join7(node.variableDefinitions, "\n"), "\n)") : wrap("(", join7(node.variableDefinitions, ", "), ")");
-          const prefix = wrap("", node.description, "\n") + join7(
+          const varDefs = hasMultilineItems(node.variableDefinitions) ? wrap("(\n", join8(node.variableDefinitions, "\n"), "\n)") : wrap("(", join8(node.variableDefinitions, ", "), ")");
+          const prefix = wrap("", node.description, "\n") + join8(
             [
               node.operation,
-              join7([node.name, varDefs]),
-              join7(node.directives, " ")
+              join8([node.name, varDefs]),
+              join8(node.directives, " ")
             ],
             " "
           );
@@ -4391,7 +4391,7 @@ var require_printer = __commonJS({
         }
       },
       VariableDefinition: {
-        leave: ({ variable, type, defaultValue, directives, description }) => wrap("", description, "\n") + variable + ": " + type + wrap(" = ", defaultValue) + wrap(" ", join7(directives, " "))
+        leave: ({ variable, type, defaultValue, directives, description }) => wrap("", description, "\n") + variable + ": " + type + wrap(" = ", defaultValue) + wrap(" ", join8(directives, " "))
       },
       SelectionSet: {
         leave: ({ selections }) => block(selections)
@@ -4399,11 +4399,11 @@ var require_printer = __commonJS({
       Field: {
         leave({ alias, name, arguments: args, directives, selectionSet }) {
           const prefix = wrap("", alias, ": ") + name;
-          let argsLine = prefix + wrap("(", join7(args, ", "), ")");
+          let argsLine = prefix + wrap("(", join8(args, ", "), ")");
           if (argsLine.length > MAX_LINE_LENGTH) {
-            argsLine = prefix + wrap("(\n", indent(join7(args, "\n")), "\n)");
+            argsLine = prefix + wrap("(\n", indent(join8(args, "\n")), "\n)");
           }
-          return join7([argsLine, join7(directives, " "), selectionSet], " ");
+          return join8([argsLine, join8(directives, " "), selectionSet], " ");
         }
       },
       Argument: {
@@ -4411,14 +4411,14 @@ var require_printer = __commonJS({
       },
       // Fragments
       FragmentSpread: {
-        leave: ({ name, directives }) => "..." + name + wrap(" ", join7(directives, " "))
+        leave: ({ name, directives }) => "..." + name + wrap(" ", join8(directives, " "))
       },
       InlineFragment: {
-        leave: ({ typeCondition, directives, selectionSet }) => join7(
+        leave: ({ typeCondition, directives, selectionSet }) => join8(
           [
             "...",
             wrap("on ", typeCondition),
-            join7(directives, " "),
+            join8(directives, " "),
             selectionSet
           ],
           " "
@@ -4434,7 +4434,7 @@ var require_printer = __commonJS({
           description
         }) => wrap("", description, "\n") + // Note: fragment variable definitions are experimental and may be changed
         // or removed in the future.
-        `fragment ${name}${wrap("(", join7(variableDefinitions, ", "), ")")} on ${typeCondition} ${wrap("", join7(directives, " "), " ")}` + selectionSet
+        `fragment ${name}${wrap("(", join8(variableDefinitions, ", "), ")")} on ${typeCondition} ${wrap("", join8(directives, " "), " ")}` + selectionSet
       },
       // Value
       IntValue: {
@@ -4456,17 +4456,17 @@ var require_printer = __commonJS({
         leave: ({ value }) => value
       },
       ListValue: {
-        leave: ({ values }) => "[" + join7(values, ", ") + "]"
+        leave: ({ values }) => "[" + join8(values, ", ") + "]"
       },
       ObjectValue: {
-        leave: ({ fields }) => "{" + join7(fields, ", ") + "}"
+        leave: ({ fields }) => "{" + join8(fields, ", ") + "}"
       },
       ObjectField: {
         leave: ({ name, value }) => name + ": " + value
       },
       // Directive
       Directive: {
-        leave: ({ name, arguments: args }) => "@" + name + wrap("(", join7(args, ", "), ")")
+        leave: ({ name, arguments: args }) => "@" + name + wrap("(", join8(args, ", "), ")")
       },
       // Type
       NamedType: {
@@ -4480,61 +4480,61 @@ var require_printer = __commonJS({
       },
       // Type System Definitions
       SchemaDefinition: {
-        leave: ({ description, directives, operationTypes }) => wrap("", description, "\n") + join7(["schema", join7(directives, " "), block(operationTypes)], " ")
+        leave: ({ description, directives, operationTypes }) => wrap("", description, "\n") + join8(["schema", join8(directives, " "), block(operationTypes)], " ")
       },
       OperationTypeDefinition: {
         leave: ({ operation, type }) => operation + ": " + type
       },
       ScalarTypeDefinition: {
-        leave: ({ description, name, directives }) => wrap("", description, "\n") + join7(["scalar", name, join7(directives, " ")], " ")
+        leave: ({ description, name, directives }) => wrap("", description, "\n") + join8(["scalar", name, join8(directives, " ")], " ")
       },
       ObjectTypeDefinition: {
-        leave: ({ description, name, interfaces, directives, fields }) => wrap("", description, "\n") + join7(
+        leave: ({ description, name, interfaces, directives, fields }) => wrap("", description, "\n") + join8(
           [
             "type",
             name,
-            wrap("implements ", join7(interfaces, " & ")),
-            join7(directives, " "),
+            wrap("implements ", join8(interfaces, " & ")),
+            join8(directives, " "),
             block(fields)
           ],
           " "
         )
       },
       FieldDefinition: {
-        leave: ({ description, name, arguments: args, type, directives }) => wrap("", description, "\n") + name + (hasMultilineItems(args) ? wrap("(\n", indent(join7(args, "\n")), "\n)") : wrap("(", join7(args, ", "), ")")) + ": " + type + wrap(" ", join7(directives, " "))
+        leave: ({ description, name, arguments: args, type, directives }) => wrap("", description, "\n") + name + (hasMultilineItems(args) ? wrap("(\n", indent(join8(args, "\n")), "\n)") : wrap("(", join8(args, ", "), ")")) + ": " + type + wrap(" ", join8(directives, " "))
       },
       InputValueDefinition: {
-        leave: ({ description, name, type, defaultValue, directives }) => wrap("", description, "\n") + join7(
-          [name + ": " + type, wrap("= ", defaultValue), join7(directives, " ")],
+        leave: ({ description, name, type, defaultValue, directives }) => wrap("", description, "\n") + join8(
+          [name + ": " + type, wrap("= ", defaultValue), join8(directives, " ")],
           " "
         )
       },
       InterfaceTypeDefinition: {
-        leave: ({ description, name, interfaces, directives, fields }) => wrap("", description, "\n") + join7(
+        leave: ({ description, name, interfaces, directives, fields }) => wrap("", description, "\n") + join8(
           [
             "interface",
             name,
-            wrap("implements ", join7(interfaces, " & ")),
-            join7(directives, " "),
+            wrap("implements ", join8(interfaces, " & ")),
+            join8(directives, " "),
             block(fields)
           ],
           " "
         )
       },
       UnionTypeDefinition: {
-        leave: ({ description, name, directives, types }) => wrap("", description, "\n") + join7(
-          ["union", name, join7(directives, " "), wrap("= ", join7(types, " | "))],
+        leave: ({ description, name, directives, types }) => wrap("", description, "\n") + join8(
+          ["union", name, join8(directives, " "), wrap("= ", join8(types, " | "))],
           " "
         )
       },
       EnumTypeDefinition: {
-        leave: ({ description, name, directives, values }) => wrap("", description, "\n") + join7(["enum", name, join7(directives, " "), block(values)], " ")
+        leave: ({ description, name, directives, values }) => wrap("", description, "\n") + join8(["enum", name, join8(directives, " "), block(values)], " ")
       },
       EnumValueDefinition: {
-        leave: ({ description, name, directives }) => wrap("", description, "\n") + join7([name, join7(directives, " ")], " ")
+        leave: ({ description, name, directives }) => wrap("", description, "\n") + join8([name, join8(directives, " ")], " ")
       },
       InputObjectTypeDefinition: {
-        leave: ({ description, name, directives, fields }) => wrap("", description, "\n") + join7(["input", name, join7(directives, " "), block(fields)], " ")
+        leave: ({ description, name, directives, fields }) => wrap("", description, "\n") + join8(["input", name, join8(directives, " "), block(fields)], " ")
       },
       DirectiveDefinition: {
         leave: ({
@@ -4544,84 +4544,84 @@ var require_printer = __commonJS({
           directives,
           repeatable,
           locations
-        }) => wrap("", description, "\n") + "directive @" + name + (hasMultilineItems(args) ? wrap("(\n", indent(join7(args, "\n")), "\n)") : wrap("(", join7(args, ", "), ")")) + wrap(" ", join7(directives, " ")) + (repeatable ? " repeatable" : "") + " on " + join7(locations, " | ")
+        }) => wrap("", description, "\n") + "directive @" + name + (hasMultilineItems(args) ? wrap("(\n", indent(join8(args, "\n")), "\n)") : wrap("(", join8(args, ", "), ")")) + wrap(" ", join8(directives, " ")) + (repeatable ? " repeatable" : "") + " on " + join8(locations, " | ")
       },
       SchemaExtension: {
-        leave: ({ directives, operationTypes }) => join7(
-          ["extend schema", join7(directives, " "), block(operationTypes)],
+        leave: ({ directives, operationTypes }) => join8(
+          ["extend schema", join8(directives, " "), block(operationTypes)],
           " "
         )
       },
       ScalarTypeExtension: {
-        leave: ({ name, directives }) => join7(["extend scalar", name, join7(directives, " ")], " ")
+        leave: ({ name, directives }) => join8(["extend scalar", name, join8(directives, " ")], " ")
       },
       ObjectTypeExtension: {
-        leave: ({ name, interfaces, directives, fields }) => join7(
+        leave: ({ name, interfaces, directives, fields }) => join8(
           [
             "extend type",
             name,
-            wrap("implements ", join7(interfaces, " & ")),
-            join7(directives, " "),
+            wrap("implements ", join8(interfaces, " & ")),
+            join8(directives, " "),
             block(fields)
           ],
           " "
         )
       },
       InterfaceTypeExtension: {
-        leave: ({ name, interfaces, directives, fields }) => join7(
+        leave: ({ name, interfaces, directives, fields }) => join8(
           [
             "extend interface",
             name,
-            wrap("implements ", join7(interfaces, " & ")),
-            join7(directives, " "),
+            wrap("implements ", join8(interfaces, " & ")),
+            join8(directives, " "),
             block(fields)
           ],
           " "
         )
       },
       UnionTypeExtension: {
-        leave: ({ name, directives, types }) => join7(
+        leave: ({ name, directives, types }) => join8(
           [
             "extend union",
             name,
-            join7(directives, " "),
-            wrap("= ", join7(types, " | "))
+            join8(directives, " "),
+            wrap("= ", join8(types, " | "))
           ],
           " "
         )
       },
       EnumTypeExtension: {
-        leave: ({ name, directives, values }) => join7(["extend enum", name, join7(directives, " "), block(values)], " ")
+        leave: ({ name, directives, values }) => join8(["extend enum", name, join8(directives, " "), block(values)], " ")
       },
       InputObjectTypeExtension: {
-        leave: ({ name, directives, fields }) => join7(["extend input", name, join7(directives, " "), block(fields)], " ")
+        leave: ({ name, directives, fields }) => join8(["extend input", name, join8(directives, " "), block(fields)], " ")
       },
       DirectiveExtension: {
-        leave: ({ name, directives }) => join7(["extend directive @" + name, join7(directives, " ")], " ")
+        leave: ({ name, directives }) => join8(["extend directive @" + name, join8(directives, " ")], " ")
       },
       // Schema Coordinates
       TypeCoordinate: {
         leave: ({ name }) => name
       },
       MemberCoordinate: {
-        leave: ({ name, memberName }) => join7([name, wrap(".", memberName)])
+        leave: ({ name, memberName }) => join8([name, wrap(".", memberName)])
       },
       ArgumentCoordinate: {
-        leave: ({ name, fieldName, argumentName }) => join7([name, wrap(".", fieldName), wrap("(", argumentName, ":)")])
+        leave: ({ name, fieldName, argumentName }) => join8([name, wrap(".", fieldName), wrap("(", argumentName, ":)")])
       },
       DirectiveCoordinate: {
-        leave: ({ name }) => join7(["@", name])
+        leave: ({ name }) => join8(["@", name])
       },
       DirectiveArgumentCoordinate: {
-        leave: ({ name, argumentName }) => join7(["@", name, wrap("(", argumentName, ":)")])
+        leave: ({ name, argumentName }) => join8(["@", name, wrap("(", argumentName, ":)")])
       }
     };
-    function join7(maybeArray, separator = "") {
+    function join8(maybeArray, separator = "") {
       var _maybeArray$filter$jo;
       return (_maybeArray$filter$jo = maybeArray === null || maybeArray === void 0 ? void 0 : maybeArray.filter((x) => x).join(separator)) !== null && _maybeArray$filter$jo !== void 0 ? _maybeArray$filter$jo : "";
     }
     function block(array) {
-      return wrap("{\n", indent(join7(array, "\n")), "\n}");
+      return wrap("{\n", indent(join8(array, "\n")), "\n}");
     }
     function wrap(start, maybeString, end = "") {
       return maybeString != null && maybeString !== "" ? start + maybeString + end : "";
@@ -18319,6 +18319,13 @@ var AssetError = class _AssetError extends CdkdError {
     Object.setPrototypeOf(this, _AssetError.prototype);
   }
 };
+var LocalInvokeBuildError = class _LocalInvokeBuildError extends CdkdError {
+  constructor(message, cause) {
+    super(message, "LOCAL_INVOKE_BUILD_ERROR", cause);
+    this.name = "LocalInvokeBuildError";
+    Object.setPrototypeOf(this, _LocalInvokeBuildError.prototype);
+  }
+};
 var ProvisioningError = class _ProvisioningError extends CdkdError {
   constructor(message, resourceType, logicalId, physicalId, cause) {
     super(message, "PROVISIONING_ERROR", cause);
@@ -23436,11 +23443,11 @@ async function resolveStateBucketWithDefaultAndSource(cliBucket, region) {
     return syncResult;
   const logger = getLogger();
   logger.debug("No state bucket specified, resolving default from account...");
-  const { GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
+  const { GetCallerIdentityCommand: GetCallerIdentityCommand12 } = await import("@aws-sdk/client-sts");
   const { S3Client: S3Client12 } = await import("@aws-sdk/client-s3");
   const { getAwsClients: getAwsClients2 } = await Promise.resolve().then(() => (init_aws_clients(), aws_clients_exports));
   const awsClients = getAwsClients2();
-  const identity = await awsClients.sts.send(new GetCallerIdentityCommand11({}));
+  const identity = await awsClients.sts.send(new GetCallerIdentityCommand12({}));
   const accountId = identity.Account;
   const newName = getDefaultStateBucketName(accountId);
   const legacyName = getLegacyStateBucketName(accountId, region);
@@ -25322,14 +25329,57 @@ var FileAssetPublisher = class {
 };
 
 // src/assets/docker-asset-publisher.ts
-import { execFile, spawn as spawn2 } from "node:child_process";
-import { promisify } from "node:util";
+import { execFile as execFile2, spawn as spawn2 } from "node:child_process";
+import { promisify as promisify2 } from "node:util";
 import {
   ECRClient,
   GetAuthorizationTokenCommand,
   DescribeImagesCommand as DescribeImagesCommand2
 } from "@aws-sdk/client-ecr";
+
+// src/assets/docker-build.ts
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
 var execFileAsync = promisify(execFile);
+async function buildDockerImage(asset, cdkOutDir, tag, options) {
+  const logger = getLogger().child("docker-build");
+  const args = ["build", "-t", tag];
+  if (options.platform) {
+    args.push("--platform", options.platform);
+  }
+  if (asset.source.dockerFile) {
+    args.push("-f", asset.source.dockerFile);
+  }
+  if (asset.source.dockerBuildArgs) {
+    for (const [key, value] of Object.entries(asset.source.dockerBuildArgs)) {
+      args.push("--build-arg", `${key}=${value}`);
+    }
+  }
+  if (asset.source.dockerBuildTarget) {
+    args.push("--target", asset.source.dockerBuildTarget);
+  }
+  if (asset.source.dockerOutputs) {
+    for (const output of asset.source.dockerOutputs) {
+      args.push("--output", output);
+    }
+  }
+  const contextDir = `${cdkOutDir}/${asset.source.directory}`;
+  args.push(contextDir);
+  logger.debug(`docker ${args.join(" ")}`);
+  try {
+    await execFileAsync("docker", args, {
+      maxBuffer: 50 * 1024 * 1024
+      // 50MB for build output
+    });
+  } catch (error) {
+    const err = error;
+    const stderr = err.stderr || err.message || String(error);
+    throw options.wrapError(stderr);
+  }
+}
+
+// src/assets/docker-asset-publisher.ts
+var execFileAsync2 = promisify2(execFile2);
 var DockerAssetPublisher = class {
   logger = getLogger().child("DockerAssetPublisher");
   /**
@@ -25412,38 +25462,17 @@ var DockerAssetPublisher = class {
     }
   }
   /**
-   * Build Docker image
+   * Build Docker image — delegates to the shared `buildDockerImage`
+   * helper so this code path stays in sync with `cdkd local invoke`'s
+   * container-Lambda build path. `--platform` is currently not threaded
+   * through here (publish-assets has no Architectures hint to consult);
+   * a follow-up can lift this once the asset manifest carries a
+   * platform field.
    */
   async buildImage(asset, cdkOutputDir, tag) {
-    const args = ["build", "-t", tag];
-    if (asset.source.dockerFile) {
-      args.push("-f", asset.source.dockerFile);
-    }
-    if (asset.source.dockerBuildArgs) {
-      for (const [key, value] of Object.entries(asset.source.dockerBuildArgs)) {
-        args.push("--build-arg", `${key}=${value}`);
-      }
-    }
-    if (asset.source.dockerBuildTarget) {
-      args.push("--target", asset.source.dockerBuildTarget);
-    }
-    if (asset.source.dockerOutputs) {
-      for (const output of asset.source.dockerOutputs) {
-        args.push("--output", output);
-      }
-    }
-    const contextDir = `${cdkOutputDir}/${asset.source.directory}`;
-    args.push(contextDir);
-    this.logger.debug(`docker ${args.join(" ")}`);
-    try {
-      await execFileAsync("docker", args, {
-        maxBuffer: 50 * 1024 * 1024
-        // 50MB for build output
-      });
-    } catch (error) {
-      const err = error;
-      throw new AssetError(`Docker build failed: ${err.stderr || err.message || String(error)}`);
-    }
+    await buildDockerImage(asset, cdkOutputDir, tag, {
+      wrapError: (stderr) => new AssetError(`Docker build failed: ${stderr}`)
+    });
   }
   /**
    * Authenticate with ECR
@@ -25487,7 +25516,7 @@ var DockerAssetPublisher = class {
    * Tag Docker image
    */
   async tagImage(source, target) {
-    await execFileAsync("docker", ["tag", source, target]);
+    await execFileAsync2("docker", ["tag", source, target]);
   }
   /**
    * Push Docker image
@@ -25495,7 +25524,7 @@ var DockerAssetPublisher = class {
   async pushImage(uri) {
     this.logger.debug(`Pushing: ${uri}`);
     try {
-      await execFileAsync("docker", ["push", uri], {
+      await execFileAsync2("docker", ["push", uri], {
         maxBuffer: 50 * 1024 * 1024
       });
     } catch (error) {
@@ -25718,9 +25747,9 @@ var AssetPublisher = class {
       const region = options.region || process.env["AWS_REGION"] || "us-east-1";
       let accountId = options.accountId;
       if (!accountId) {
-        const { STSClient: STSClient10, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
-        const stsClient = new STSClient10({ region });
-        const identity = await stsClient.send(new GetCallerIdentityCommand11({}));
+        const { STSClient: STSClient11, GetCallerIdentityCommand: GetCallerIdentityCommand12 } = await import("@aws-sdk/client-sts");
+        const stsClient = new STSClient11({ region });
+        const identity = await stsClient.send(new GetCallerIdentityCommand12({}));
         accountId = identity.Account;
         stsClient.destroy();
       }
@@ -65303,11 +65332,11 @@ async function deployCommand(stacks, options) {
         addDependencies(stack.stackName);
       }
     }
-    const { STSClient: STSClient10, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
-    const stsClient = new STSClient10({
+    const { STSClient: STSClient11, GetCallerIdentityCommand: GetCallerIdentityCommand12 } = await import("@aws-sdk/client-sts");
+    const stsClient = new STSClient11({
       region: options.region || process.env["AWS_REGION"] || "us-east-1"
     });
-    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand11({}));
+    const callerIdentity = await stsClient.send(new GetCallerIdentityCommand12({}));
     const accountId = callerIdentity.Account;
     stsClient.destroy();
     const assetPublisher = new AssetPublisher();
@@ -67780,9 +67809,9 @@ async function publishAssetsCommand(stacks, options) {
     );
   }
   const baseRegion = options.region || process.env["AWS_REGION"] || "us-east-1";
-  const { STSClient: STSClient10, GetCallerIdentityCommand: GetCallerIdentityCommand11 } = await import("@aws-sdk/client-sts");
-  const stsClient = new STSClient10({ region: baseRegion });
-  const callerIdentity = await stsClient.send(new GetCallerIdentityCommand11({}));
+  const { STSClient: STSClient11, GetCallerIdentityCommand: GetCallerIdentityCommand12 } = await import("@aws-sdk/client-sts");
+  const stsClient = new STSClient11({ region: baseRegion });
+  const callerIdentity = await stsClient.send(new GetCallerIdentityCommand12({}));
   const accountId = callerIdentity.Account;
   stsClient.destroy();
   const assetPublisher = new AssetPublisher();
@@ -69963,12 +69992,13 @@ async function captureObservedForImportedResources(stackState, providerRegistry,
 }
 
 // src/cli/commands/local-invoke.ts
-import { mkdtempSync as mkdtempSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync6, writeFileSync as writeFileSync5 } from "node:fs";
+import { mkdtempSync as mkdtempSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync6, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "node:fs";
 import { tmpdir as tmpdir2 } from "node:os";
+import { dirname as dirname2 } from "node:path";
 import * as path from "node:path";
 import { Command as Command14, Option as Option7 } from "commander";
 
-// src/local-invoke/lambda-resolver.ts
+// src/local/lambda-resolver.ts
 import { existsSync as existsSync4, statSync as statSync3 } from "node:fs";
 import { dirname, isAbsolute, resolve as resolve4 } from "node:path";
 var LocalInvokeResolutionError = class _LocalInvokeResolutionError extends Error {
@@ -70067,25 +70097,38 @@ function pickStack(parsed, stacks) {
 }
 function extractLambdaProperties(stack, logicalId, resource) {
   const props = resource.Properties ?? {};
-  const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
-  const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
   const memoryMb = typeof props["MemorySize"] === "number" ? props["MemorySize"] : 128;
   const timeoutSec = typeof props["Timeout"] === "number" ? props["Timeout"] : 3;
+  const code = props["Code"] ?? {};
+  const imageUri = extractImageUri(code["ImageUri"]);
+  if (imageUri !== void 0) {
+    return extractImageLambdaProperties({
+      stack,
+      logicalId,
+      resource,
+      memoryMb,
+      timeoutSec,
+      props,
+      imageUri
+    });
+  }
+  const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
+  const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
   if (!runtime) {
     throw new LocalInvokeResolutionError(
-      `Lambda '${logicalId}' has no Runtime property. Container-image Lambdas (Code.ImageUri) are not supported in cdkd local invoke v1.`
+      `Lambda '${logicalId}' has no Runtime property and no Code.ImageUri. cdkd cannot tell if this is a ZIP or a container Lambda.`
     );
   }
   if (!handler) {
     throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has no Handler property.`);
   }
-  const code = props["Code"] ?? {};
   const inlineCode = typeof code["ZipFile"] === "string" ? code["ZipFile"] : void 0;
   let codePath = null;
   if (!inlineCode) {
     codePath = resolveAssetCodePath(stack, logicalId, resource);
   }
   return {
+    kind: "zip",
     stack,
     logicalId,
     resource,
@@ -70097,6 +70140,62 @@ function extractLambdaProperties(stack, logicalId, resource) {
     ...inlineCode !== void 0 && { inlineCode }
   };
 }
+function extractImageUri(value) {
+  if (typeof value === "string" && value.length > 0)
+    return value;
+  if (value && typeof value === "object" && !Array.isArray(value)) {
+    const obj = value;
+    const sub = obj["Fn::Sub"];
+    if (typeof sub === "string" && sub.length > 0)
+      return sub;
+    if (Array.isArray(sub) && typeof sub[0] === "string")
+      return sub[0];
+  }
+  return void 0;
+}
+function extractImageLambdaProperties(args) {
+  const { stack, logicalId, resource, memoryMb, timeoutSec, props, imageUri } = args;
+  const rawImageConfig = props["ImageConfig"] ?? {};
+  const imageConfig = {};
+  if (Array.isArray(rawImageConfig["Command"])) {
+    imageConfig.command = rawImageConfig["Command"].filter(
+      (s) => typeof s === "string"
+    );
+  }
+  if (Array.isArray(rawImageConfig["EntryPoint"])) {
+    imageConfig.entryPoint = rawImageConfig["EntryPoint"].filter(
+      (s) => typeof s === "string"
+    );
+  }
+  if (typeof rawImageConfig["WorkingDirectory"] === "string") {
+    imageConfig.workingDirectory = rawImageConfig["WorkingDirectory"];
+  }
+  const arches = props["Architectures"];
+  let architecture = "x86_64";
+  if (Array.isArray(arches) && arches.length > 0) {
+    const first = arches[0];
+    if (first === "arm64")
+      architecture = "arm64";
+    else if (first === "x86_64")
+      architecture = "x86_64";
+    else {
+      throw new LocalInvokeResolutionError(
+        `Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. cdkd local invoke supports x86_64 and arm64.`
+      );
+    }
+  }
+  return {
+    kind: "image",
+    stack,
+    logicalId,
+    resource,
+    memoryMb,
+    timeoutSec,
+    imageUri,
+    imageConfig,
+    architecture
+  };
+}
 function resolveAssetCodePath(stack, logicalId, resource) {
   const meta = resource.Metadata;
   const assetPath = meta?.["aws:asset:path"];
@@ -70140,7 +70239,7 @@ function notFoundError(target, stack, resources) {
   return new LocalInvokeResolutionError(msg.trimEnd());
 }
 
-// src/local-invoke/env-resolver.ts
+// src/local/env-resolver.ts
 function resolveEnvVars(logicalId, templateEnv, overrides) {
   const resolved = {};
   const unresolved = [];
@@ -70177,7 +70276,184 @@ function isLiteralEnvValue(value) {
   return typeof value === "string" || typeof value === "number" || typeof value === "boolean";
 }
 
-// src/local-invoke/runtime-image.ts
+// src/local/state-resolver.ts
+function substituteAgainstState(value, resources) {
+  if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+    return { kind: "literal", value };
+  }
+  if (value === null || typeof value !== "object") {
+    return {
+      kind: "unresolved",
+      reason: `unsupported value type: ${value === null ? "null" : typeof value}`
+    };
+  }
+  const obj = value;
+  const keys = Object.keys(obj);
+  if (keys.length !== 1) {
+    return {
+      kind: "unresolved",
+      reason: `expected an intrinsic with one key, got ${keys.length} keys`
+    };
+  }
+  const intrinsic = keys[0];
+  const arg = obj[intrinsic];
+  if (intrinsic === "Ref") {
+    return resolveRef(arg, resources);
+  }
+  if (intrinsic === "Fn::GetAtt") {
+    return resolveGetAtt(arg, resources);
+  }
+  if (intrinsic === "Fn::Sub") {
+    return resolveSub(arg, resources);
+  }
+  return {
+    kind: "unresolved",
+    reason: `unsupported intrinsic '${intrinsic}' (only Ref, Fn::GetAtt, Fn::Sub are wired in --from-state v1)`
+  };
+}
+function resolveRef(arg, resources) {
+  if (typeof arg !== "string" || arg.length === 0) {
+    return { kind: "unresolved", reason: `Ref expects a non-empty logical ID, got ${typeof arg}` };
+  }
+  const resource = resources[arg];
+  if (!resource) {
+    return {
+      kind: "unresolved",
+      reason: `Ref '${arg}': no record in cdkd state (was the resource deployed?)`
+    };
+  }
+  return { kind: "literal", value: resource.physicalId };
+}
+function resolveGetAtt(arg, resources) {
+  let logicalId;
+  let attr;
+  if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string") {
+    logicalId = arg[0];
+    if (typeof arg[1] !== "string") {
+      return {
+        kind: "unresolved",
+        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported in --from-state v1)`
+      };
+    }
+    attr = arg[1];
+  } else if (typeof arg === "string") {
+    const dot = arg.indexOf(".");
+    if (dot <= 0 || dot === arg.length - 1) {
+      return {
+        kind: "unresolved",
+        reason: `Fn::GetAtt string form must be '<LogicalId>.<Attribute>', got '${arg}'`
+      };
+    }
+    logicalId = arg.slice(0, dot);
+    attr = arg.slice(dot + 1);
+  } else {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt expects [LogicalId, Attribute] or 'LogicalId.Attribute', got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
+    };
+  }
+  const resource = resources[logicalId];
+  if (!resource) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt '${logicalId}.${attr}': no record in cdkd state`
+    };
+  }
+  const cached = resource.attributes?.[attr];
+  if (cached === void 0) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::GetAtt '${logicalId}.${attr}': attribute not captured in cdkd state at deploy time`
+    };
+  }
+  if (typeof cached === "string" || typeof cached === "number" || typeof cached === "boolean") {
+    return { kind: "literal", value: cached };
+  }
+  return { kind: "literal", value: JSON.stringify(cached) };
+}
+function resolveSub(arg, resources) {
+  let template;
+  let bindings = {};
+  if (typeof arg === "string") {
+    template = arg;
+  } else if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] !== null && typeof arg[1] === "object" && !Array.isArray(arg[1])) {
+    template = arg[0];
+    bindings = arg[1];
+  } else {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Sub expects a string or [string, object], got ${Array.isArray(arg) ? "malformed array" : typeof arg}`
+    };
+  }
+  const placeholderRegex = /\$\{([^}]+)\}/g;
+  const placeholders = [];
+  template.replace(placeholderRegex, (_, key) => {
+    placeholders.push(key);
+    return "";
+  });
+  const resolutions = /* @__PURE__ */ new Map();
+  for (const placeholder of placeholders) {
+    if (resolutions.has(placeholder))
+      continue;
+    if (placeholder in bindings) {
+      const sub = substituteAgainstState(bindings[placeholder], resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+      continue;
+    }
+    const dot = placeholder.indexOf(".");
+    if (dot === -1) {
+      const sub = resolveRef(placeholder, resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+    } else {
+      const sub = resolveGetAtt(placeholder, resources);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+    }
+  }
+  const out = template.replace(placeholderRegex, (_, key) => {
+    return resolutions.get(key) ?? "";
+  });
+  return { kind: "literal", value: out };
+}
+function substituteEnvVarsFromState(templateEnv, resources) {
+  const env = {};
+  const audit = { resolvedKeys: [], unresolved: [] };
+  if (!templateEnv)
+    return { env, audit };
+  for (const [key, value] of Object.entries(templateEnv)) {
+    if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+      env[key] = value;
+      continue;
+    }
+    const result = substituteAgainstState(value, resources);
+    if (result.kind === "literal") {
+      env[key] = result.value;
+      audit.resolvedKeys.push(key);
+    } else {
+      audit.unresolved.push({ key, reason: result.reason });
+    }
+  }
+  return { env, audit };
+}
+
+// src/local/runtime-image.ts
 var SUPPORTED_RUNTIMES = {
   "nodejs18.x": { image: "public.ecr.aws/lambda/nodejs:18", fileExtension: ".js" },
   "nodejs20.x": { image: "public.ecr.aws/lambda/nodejs:20", fileExtension: ".js" },
@@ -70204,7 +70480,7 @@ function resolveRuntimeSpec(runtime) {
   if (typeof runtime !== "string" || runtime.length === 0) {
     throw new UnsupportedRuntimeError(
       String(runtime),
-      "Lambda function has no Runtime property. Container-image Lambdas (Code.ImageUri) are not supported in cdkd local invoke v1."
+      "Lambda function has no Runtime property. This branch is only reached for ZIP Lambdas; container-image Lambdas (Code.ImageUri) take a different code path that does not consult the Runtime property."
     );
   }
   const spec = SUPPORTED_RUNTIMES[runtime];
@@ -70222,11 +70498,11 @@ function resolveRuntimeSpec(runtime) {
   );
 }
 
-// src/local-invoke/docker-runner.ts
-import { execFile as execFile2, spawn as spawn3 } from "node:child_process";
+// src/local/docker-runner.ts
+import { execFile as execFile3, spawn as spawn3 } from "node:child_process";
 import { createServer } from "node:net";
-import { promisify as promisify2 } from "node:util";
-var execFileAsync2 = promisify2(execFile2);
+import { promisify as promisify3 } from "node:util";
+var execFileAsync3 = promisify3(execFile3);
 var DockerRunnerError = class _DockerRunnerError extends Error {
   constructor(message) {
     super(message);
@@ -70245,6 +70521,12 @@ async function pullImage(image, skipPull) {
 }
 async function runDetached(opts) {
   const args = ["run", "-d", "--rm"];
+  if (opts.name) {
+    args.push("--name", opts.name);
+  }
+  if (opts.platform) {
+    args.push("--platform", opts.platform);
+  }
   const host = opts.host ?? "127.0.0.1";
   args.push("-p", `${host}:${opts.hostPort}:8080`);
   if (opts.debugPort !== void 0) {
@@ -70257,11 +70539,19 @@ async function runDetached(opts) {
   for (const [k, v] of Object.entries(opts.env)) {
     args.push("-e", `${k}=${v}`);
   }
-  args.push(opts.image, ...opts.cmd);
+  if (opts.workingDir) {
+    args.push("--workdir", opts.workingDir);
+  }
+  let entryPointTail = [];
+  if (opts.entryPoint && opts.entryPoint.length > 0) {
+    args.push("--entrypoint", opts.entryPoint[0]);
+    entryPointTail = opts.entryPoint.slice(1);
+  }
+  args.push(opts.image, ...entryPointTail, ...opts.cmd);
   const logger = getLogger().child("docker");
-  logger.debug(`docker ${args.join(" ")}`);
+  logger.debug(`docker ${redactAwsCredentialsInArgs(args).join(" ")}`);
   try {
-    const { stdout } = await execFileAsync2("docker", args, {
+    const { stdout } = await execFileAsync3("docker", args, {
       maxBuffer: 10 * 1024 * 1024
     });
     return stdout.trim();
@@ -70290,7 +70580,7 @@ async function removeContainer(containerId) {
     return;
   const logger = getLogger().child("docker");
   try {
-    await execFileAsync2("docker", ["rm", "-f", containerId]);
+    await execFileAsync3("docker", ["rm", "-f", containerId]);
     logger.debug(`Removed container ${containerId}`);
   } catch (error) {
     const err = error;
@@ -70301,7 +70591,7 @@ async function removeContainer(containerId) {
 }
 async function ensureDockerAvailable() {
   try {
-    await execFileAsync2("docker", ["version", "--format", "{{.Server.Version}}"]);
+    await execFileAsync3("docker", ["version", "--format", "{{.Server.Version}}"]);
   } catch (error) {
     const err = error;
     if (err.code === "ENOENT") {
@@ -70331,6 +70621,31 @@ function pickFreePort() {
     });
   });
 }
+var REDACTED_ENV_KEYS = /* @__PURE__ */ new Set([
+  "AWS_ACCESS_KEY_ID",
+  "AWS_SECRET_ACCESS_KEY",
+  "AWS_SESSION_TOKEN"
+]);
+function redactAwsCredentialsInArgs(args) {
+  const out = [];
+  for (let i = 0; i < args.length; i++) {
+    const cur = args[i];
+    const next = args[i + 1];
+    if (cur === "-e" && typeof next === "string") {
+      const eqIdx = next.indexOf("=");
+      if (eqIdx > 0) {
+        const key = next.substring(0, eqIdx);
+        if (REDACTED_ENV_KEYS.has(key)) {
+          out.push("-e", `${key}=***`);
+          i++;
+          continue;
+        }
+      }
+    }
+    out.push(cur);
+  }
+  return out;
+}
 function runForeground(cmd, args) {
   return new Promise((resolveProc, rejectProc) => {
     const proc = spawn3(cmd, args, { stdio: "inherit" });
@@ -70344,7 +70659,164 @@ function runForeground(cmd, args) {
   });
 }
 
-// src/local-invoke/rie-client.ts
+// src/local/docker-image-builder.ts
+import { createHash as createHash2 } from "node:crypto";
+async function buildContainerImage(asset, cdkOutDir, options) {
+  const tag = computeLocalTag(asset.source);
+  const platform = architectureToPlatform(options.architecture);
+  const logger = getLogger().child("local-invoke-build");
+  logger.info(`Building container image (platform=${platform})...`);
+  logger.debug(`Local tag: ${tag}`);
+  await buildDockerImage(asset, cdkOutDir, tag, {
+    platform,
+    wrapError: (stderr) => new LocalInvokeBuildError(
+      `docker build failed for container Lambda asset (${asset.source.directory}): ${stderr}`
+    )
+  });
+  return tag;
+}
+function architectureToPlatform(architecture) {
+  return architecture === "arm64" ? "linux/arm64" : "linux/amd64";
+}
+function computeLocalTag(source) {
+  const hash = createHash2("sha256");
+  hash.update(source.directory);
+  hash.update("\0");
+  hash.update(source.dockerFile ?? "");
+  hash.update("\0");
+  hash.update(source.dockerBuildTarget ?? "");
+  hash.update("\0");
+  if (source.dockerBuildArgs) {
+    for (const [k, v] of Object.entries(source.dockerBuildArgs)) {
+      hash.update(k);
+      hash.update("=");
+      hash.update(v);
+      hash.update("\0");
+    }
+  }
+  return `cdkd-local-invoke-${hash.digest("hex").slice(0, 16)}`;
+}
+
+// src/local/ecr-puller.ts
+import { execFile as execFile4, spawn as spawn4 } from "node:child_process";
+import { promisify as promisify4 } from "node:util";
+import { ECRClient as ECRClient3, GetAuthorizationTokenCommand as GetAuthorizationTokenCommand2 } from "@aws-sdk/client-ecr";
+import { GetCallerIdentityCommand as GetCallerIdentityCommand11, STSClient as STSClient10 } from "@aws-sdk/client-sts";
+var execFileAsync4 = promisify4(execFile4);
+var ECR_URI_REGEX = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\/([^:]+):(.+)$/;
+function parseEcrUri(imageUri) {
+  const m = ECR_URI_REGEX.exec(imageUri);
+  if (!m)
+    return void 0;
+  return {
+    accountId: m[1],
+    region: m[2],
+    repository: m[3],
+    tag: m[4]
+  };
+}
+async function pullEcrImage(imageUri, options) {
+  const logger = getLogger().child("ecr-puller");
+  const parsed = parseEcrUri(imageUri);
+  if (!parsed) {
+    throw new LocalInvokeBuildError(
+      `Image URI '${imageUri}' is not an ECR URI. cdkd local invoke v1 only authenticates against ECR for the deployed-image fallback path.`
+    );
+  }
+  const sts = new STSClient10({ region: parsed.region });
+  let callerAccount;
+  try {
+    const identity = await sts.send(new GetCallerIdentityCommand11({}));
+    if (!identity.Account) {
+      throw new LocalInvokeBuildError(
+        "STS GetCallerIdentity returned no Account. Verify your AWS credentials."
+      );
+    }
+    callerAccount = identity.Account;
+  } finally {
+    sts.destroy();
+  }
+  if (callerAccount !== parsed.accountId) {
+    throw new LocalInvokeBuildError(
+      `Image URI '${imageUri}' is in account ${parsed.accountId}, but the caller is ${callerAccount}. Cross-account ECR pull is not supported in cdkd local invoke v1 \u2014 deferred to a follow-up PR. Workaround: assume a role in the target account before invoking, or build the image locally with \`cdkd local invoke -a cdk.out\` (no ECR pull).`
+    );
+  }
+  const callerRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"];
+  if (callerRegion && callerRegion !== parsed.region) {
+    throw new LocalInvokeBuildError(
+      `Image URI '${imageUri}' is in region ${parsed.region}, but the caller's region is ${callerRegion}. Cross-region ECR pull is not supported in cdkd local invoke v1 \u2014 deferred to a follow-up PR. Workaround: re-run with AWS_REGION=${parsed.region} set, or build the image locally with -a cdk.out.`
+    );
+  }
+  if (options.skipPull) {
+    logger.info(`Skipping ECR pull (--no-pull). Verifying ${imageUri} is in local cache...`);
+    await verifyImageInLocalCache(imageUri);
+    return imageUri;
+  }
+  const ecr = new ECRClient3({ region: parsed.region });
+  try {
+    await ecrLogin(ecr, parsed.accountId, parsed.region);
+  } finally {
+    ecr.destroy();
+  }
+  logger.info(`Pulling ${imageUri}...`);
+  await runForeground2("docker", ["pull", imageUri]);
+  return imageUri;
+}
+async function ecrLogin(client, accountId, region) {
+  const logger = getLogger().child("ecr-puller");
+  logger.debug(`ECR login (account=${accountId}, region=${region})`);
+  const response = await client.send(new GetAuthorizationTokenCommand2({}));
+  const authData = response.authorizationData?.[0];
+  if (!authData?.authorizationToken) {
+    throw new LocalInvokeBuildError("Failed to get ECR authorization token");
+  }
+  const token = Buffer.from(authData.authorizationToken, "base64").toString();
+  const [username, password] = token.split(":");
+  const endpoint = authData.proxyEndpoint || `https://${accountId}.dkr.ecr.${region}.amazonaws.com`;
+  await new Promise((resolve5, reject) => {
+    const proc = spawn4("docker", ["login", "--username", username, "--password-stdin", endpoint], {
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    let stderr = "";
+    proc.stderr?.on("data", (data) => {
+      stderr += data.toString();
+    });
+    proc.on("close", (code) => {
+      if (code === 0)
+        resolve5();
+      else
+        reject(new LocalInvokeBuildError(`ECR login failed: ${stderr.trim()}`));
+    });
+    proc.on("error", (err) => {
+      reject(new LocalInvokeBuildError(`ECR login failed: ${err.message}`));
+    });
+    proc.stdin?.write(password);
+    proc.stdin?.end();
+  });
+}
+async function verifyImageInLocalCache(imageUri) {
+  try {
+    await execFileAsync4("docker", ["image", "inspect", imageUri]);
+  } catch {
+    throw new LocalInvokeBuildError(
+      `Image '${imageUri}' is not in the local docker cache and --no-pull was set. Either remove --no-pull (cdkd will pull from ECR) or pre-pull the image manually with \`docker pull\`.`
+    );
+  }
+}
+function runForeground2(cmd, args) {
+  return new Promise((resolve5, reject) => {
+    const proc = spawn4(cmd, args, { stdio: "inherit" });
+    proc.on("error", (err) => reject(new LocalInvokeBuildError(`${cmd} failed: ${err.message}`)));
+    proc.on("close", (code) => {
+      if (code === 0)
+        resolve5();
+      else
+        reject(new LocalInvokeBuildError(`${cmd} exited with code ${code}`));
+    });
+  });
+}
+
+// src/local/rie-client.ts
 import { setTimeout as delay } from "node:timers/promises";
 var INVOKE_PATH = "/2015-03-31/functions/function/invocations";
 async function waitForRieReady(host, port, timeoutMs = 5e3) {
@@ -70353,8 +70825,10 @@ async function waitForRieReady(host, port, timeoutMs = 5e3) {
   while (Date.now() < deadline) {
     try {
       const ok = await httpProbe(host, port, 500);
-      if (ok)
+      if (ok) {
+        await delay(250);
         return;
+      }
     } catch (err) {
       lastError = err;
     }
@@ -70408,12 +70882,7 @@ async function invokeRie(host, port, event, timeoutMs) {
   const timer = setTimeout(() => controller.abort(), timeoutMs);
   let response;
   try {
-    response = await fetch(url, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body,
-      signal: controller.signal
-    });
+    response = await fetchWithStartupRetry(url, body, controller.signal);
   } catch (err) {
     if (err.name === "AbortError") {
       throw new Error(
@@ -70432,8 +70901,130 @@ async function invokeRie(host, port, event, timeoutMs) {
   }
   return { payload, raw };
 }
+async function fetchWithStartupRetry(url, body, signal) {
+  const maxAttempts = 3;
+  let lastError;
+  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
+    try {
+      return await fetch(url, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body,
+        signal
+      });
+    } catch (err) {
+      const name = err.name;
+      if (name === "AbortError")
+        throw err;
+      lastError = err;
+      if (attempt === maxAttempts)
+        break;
+      await delay(200);
+    }
+  }
+  throw lastError;
+}
+
+// src/assets/asset-manifest-loader.ts
+import { readFile } from "fs/promises";
+import { join as join6 } from "path";
+var AssetManifestLoader = class {
+  logger = getLogger().child("AssetManifestLoader");
+  /**
+   * Load asset manifest from CDK output directory
+   *
+   * @param cdkOutputDir CDK output directory (e.g., "cdk.out")
+   * @param stackName Stack name
+   * @returns Asset manifest or null if not found
+   */
+  async loadManifest(cdkOutputDir, stackName) {
+    const manifestPath = join6(cdkOutputDir, `${stackName}.assets.json`);
+    try {
+      this.logger.debug(`Loading asset manifest from: ${manifestPath}`);
+      const content = await readFile(manifestPath, "utf-8");
+      const manifest = JSON.parse(content);
+      this.logger.debug(
+        `Loaded asset manifest: ${Object.keys(manifest.files).length} file assets, ${Object.keys(manifest.dockerImages).length} docker image assets`
+      );
+      return manifest;
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        this.logger.debug(`Asset manifest not found: ${manifestPath}`);
+        return null;
+      }
+      throw new Error(
+        `Failed to load asset manifest from ${manifestPath}: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+  /**
+   * Get file assets from manifest (excludes CloudFormation templates)
+   *
+   * @param manifest Asset manifest
+   * @returns Map of asset hash to file asset
+   */
+  getFileAssets(manifest) {
+    const fileAssets = /* @__PURE__ */ new Map();
+    for (const [assetHash, asset] of Object.entries(manifest.files)) {
+      if (asset.source.path.endsWith(".json") || asset.source.path.endsWith(".template.json")) {
+        this.logger.debug(`Skipping CloudFormation template asset: ${asset.displayName}`);
+        continue;
+      }
+      fileAssets.set(assetHash, asset);
+    }
+    this.logger.debug(`Found ${fileAssets.size} file assets (excluding templates)`);
+    return fileAssets;
+  }
+  /**
+   * Get asset source path (absolute path)
+   *
+   * @param cdkOutputDir CDK output directory
+   * @param asset File asset
+   * @returns Absolute path to asset source
+   */
+  getAssetSourcePath(cdkOutputDir, asset) {
+    return join6(cdkOutputDir, asset.source.path);
+  }
+  /**
+   * Resolve asset destination values (replace ${AWS::AccountId}, ${AWS::Region}, etc.)
+   *
+   * @param value Value with placeholders
+   * @param accountId AWS account ID
+   * @param region AWS region
+   * @param partition AWS partition (default: "aws")
+   * @returns Resolved value
+   */
+  resolveAssetDestinationValue(value, accountId, region, partition = "aws") {
+    return value.replace(/\$\{AWS::AccountId\}/g, accountId).replace(/\$\{AWS::Region\}/g, region).replace(/\$\{AWS::Partition\}/g, partition);
+  }
+};
+function getDockerImageBySourceHash(manifest, imageUri) {
+  const dockerImages = manifest.dockerImages ?? {};
+  const entries = Object.entries(dockerImages);
+  if (entries.length === 0)
+    return void 0;
+  const hash = extractHashFromImageUri(imageUri);
+  if (hash !== void 0) {
+    const asset = dockerImages[hash];
+    if (asset) {
+      return { hash, asset };
+    }
+  }
+  if (entries.length === 1) {
+    const [singleHash, singleAsset] = entries[0];
+    return { hash: singleHash, asset: singleAsset };
+  }
+  return void 0;
+}
+function extractHashFromImageUri(imageUri) {
+  if (imageUri.includes("@sha256:"))
+    return void 0;
+  const match = /:([a-f0-9]{8,})$/.exec(imageUri);
+  return match?.[1];
+}
 
 // src/cli/commands/local-invoke.ts
+init_aws_clients();
 async function localInvokeCommand(target, options) {
   const logger = getLogger();
   if (options.verbose) {
@@ -70458,21 +71049,48 @@ async function localInvokeCommand(target, options) {
   };
   const { stacks } = await synthesizer.synthesize(synthOpts);
   const lambda = resolveLambdaTarget(target, stacks);
-  logger.info(`Target: ${lambda.stack.stackName}/${lambda.logicalId} (${lambda.runtime})`);
-  const codeDir = lambda.codePath ?? materializeInlineCode(
-    lambda.handler,
-    lambda.inlineCode ?? "",
-    resolveRuntimeFileExtension(lambda.runtime)
-  );
+  const targetLabel = lambda.kind === "zip" ? lambda.runtime : "container image";
+  logger.info(`Target: ${lambda.stack.stackName}/${lambda.logicalId} (${targetLabel})`);
+  const imagePlan = await resolveImagePlan(lambda, options);
+  let stateAudit;
+  let templateEnv = getTemplateEnv(lambda.resource);
+  let stateForRoleHint;
+  if (options.fromState) {
+    const loaded = await loadStateForStack(lambda.stack.stackName, lambda.stack.region, {
+      ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
+      ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+      statePrefix: options.statePrefix,
+      ...options.region !== void 0 && { region: options.region },
+      ...options.profile !== void 0 && { profile: options.profile }
+    });
+    if (loaded) {
+      stateForRoleHint = loaded.state;
+      const { env, audit } = substituteEnvVarsFromState(templateEnv, loaded.state.resources);
+      templateEnv = env;
+      stateAudit = audit;
+      for (const key of audit.resolvedKeys) {
+        logger.debug(`--from-state: substituted env var ${key} from cdkd state`);
+      }
+      for (const { key, reason } of audit.unresolved) {
+        logger.warn(
+          `--from-state: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`
+        );
+      }
+    }
+  }
   const overrides = readEnvOverridesFile(options.envVars);
-  const envResult = resolveEnvVars(lambda.logicalId, getTemplateEnv(lambda.resource), overrides);
+  const envResult = resolveEnvVars(lambda.logicalId, templateEnv, overrides);
   for (const key of envResult.unresolved) {
+    if (stateAudit && stateAudit.unresolved.some((u) => u.key === key))
+      continue;
     logger.warn(
-      `Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or wait for --from-state in PR 2.`
+      `Environment variable ${key} contains a CloudFormation intrinsic and was dropped. Override it with --env-vars (e.g. {"${lambda.logicalId}":{"${key}":"<literal>"}}) or pass --from-state to recover deployed values.`
     );
   }
+  if (options.fromState && !options.assumeRole && stateForRoleHint) {
+    suggestAssumeRoleFromState(stateForRoleHint, lambda.logicalId);
+  }
   const event = await readEvent(options);
-  const image = resolveRuntimeImage(lambda.runtime);
   const dockerEnv = {
     AWS_LAMBDA_FUNCTION_NAME: lambda.logicalId,
     AWS_LAMBDA_FUNCTION_MEMORY_SIZE: String(lambda.memoryMb),
@@ -70500,19 +71118,26 @@ async function localInvokeCommand(target, options) {
       throw new Error(`--debug-port must be an integer in 1..65535, got '${options.debugPort}'`);
     }
     dockerEnv["NODE_OPTIONS"] = `--inspect-brk=0.0.0.0:${debugPort}`;
+    if (lambda.kind === "image") {
+      logger.warn(
+        "--debug-port sets NODE_OPTIONS unconditionally on container Lambdas. If the image's runtime is not Node.js, this flag is a no-op."
+      );
+    }
   }
-  await pullImage(image, options.pull === false);
   const hostPort = await pickFreePort();
-  const containerHost = options.containerHost || "127.0.0.1";
-  logger.info(`Starting container (image=${image}, port=${hostPort})...`);
+  const containerHost = options.containerHost;
+  logger.info(`Starting container (image=${imagePlan.image}, port=${hostPort})...`);
   const containerId = await runDetached({
-    image,
-    mounts: [{ hostPath: codeDir, containerPath: "/var/task", readOnly: true }],
+    image: imagePlan.image,
+    mounts: imagePlan.mounts,
     env: dockerEnv,
-    cmd: [lambda.handler],
+    cmd: imagePlan.cmd,
     hostPort,
     host: containerHost,
-    ...debugPort !== void 0 && { debugPort }
+    ...debugPort !== void 0 && { debugPort },
+    ...imagePlan.platform !== void 0 && { platform: imagePlan.platform },
+    ...imagePlan.entryPoint !== void 0 && { entryPoint: imagePlan.entryPoint },
+    ...imagePlan.workingDir !== void 0 && { workingDir: imagePlan.workingDir }
   });
   const stopLogs = streamLogs(containerId);
   const sigintHandler = () => {
@@ -70533,7 +71158,92 @@ async function localInvokeCommand(target, options) {
     process.off("SIGINT", sigintHandler);
     stopLogs();
     await removeContainer(containerId);
+    if (imagePlan.inlineTmpDir) {
+      try {
+        rmSync2(imagePlan.inlineTmpDir, { recursive: true, force: true });
+      } catch (err) {
+        getLogger().debug(
+          `Failed to remove inline-code tmpdir ${imagePlan.inlineTmpDir}: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+  }
+}
+async function resolveImagePlan(lambda, options) {
+  if (lambda.kind === "zip") {
+    return resolveZipImagePlan(lambda, options);
+  }
+  return resolveContainerImagePlan(lambda, options);
+}
+async function resolveZipImagePlan(lambda, options) {
+  let inlineTmpDir;
+  let codeDir = lambda.codePath;
+  if (codeDir === null) {
+    inlineTmpDir = materializeInlineCode(
+      lambda.handler,
+      lambda.inlineCode ?? "",
+      resolveRuntimeFileExtension(lambda.runtime)
+    );
+    codeDir = inlineTmpDir;
   }
+  const image = resolveRuntimeImage(lambda.runtime);
+  await pullImage(image, options.pull === false);
+  return {
+    image,
+    mounts: [{ hostPath: codeDir, containerPath: "/var/task", readOnly: true }],
+    cmd: [lambda.handler],
+    ...inlineTmpDir !== void 0 && { inlineTmpDir }
+  };
+}
+async function resolveContainerImagePlan(lambda, options) {
+  const logger = getLogger();
+  const platform = architectureToPlatform(lambda.architecture);
+  const localBuild = await resolveLocalBuildPlan(lambda);
+  let imageRef;
+  if (localBuild) {
+    imageRef = await buildContainerImage(localBuild.asset, localBuild.cdkOutDir, {
+      architecture: lambda.architecture
+    });
+  } else {
+    if (!parseEcrUri(lambda.imageUri)) {
+      throw new Error(
+        `Container Lambda '${lambda.logicalId}' has no matching asset in cdk.out, and Code.ImageUri '${lambda.imageUri}' is not an ECR URI cdkd can authenticate against. Re-synthesize the CDK app (so cdk.out includes the build context) or deploy the image to ECR first.`
+      );
+    }
+    logger.info(
+      `No matching cdk.out asset for ${lambda.imageUri}; falling back to ECR pull (same-acct/region only)...`
+    );
+    imageRef = await pullEcrImage(lambda.imageUri, {
+      skipPull: options.pull === false,
+      ...options.region !== void 0 && { region: options.region }
+    });
+  }
+  return {
+    image: imageRef,
+    mounts: [],
+    cmd: lambda.imageConfig.command ?? [],
+    platform,
+    ...lambda.imageConfig.entryPoint && lambda.imageConfig.entryPoint.length > 0 && {
+      entryPoint: lambda.imageConfig.entryPoint
+    },
+    ...lambda.imageConfig.workingDirectory !== void 0 && {
+      workingDir: lambda.imageConfig.workingDirectory
+    }
+  };
+}
+async function resolveLocalBuildPlan(lambda) {
+  const manifestPath = lambda.stack.assetManifestPath;
+  if (!manifestPath)
+    return void 0;
+  const cdkOutDir = dirname2(manifestPath);
+  const loader = new AssetManifestLoader();
+  const manifest = await loader.loadManifest(cdkOutDir, lambda.stack.stackName);
+  if (!manifest)
+    return void 0;
+  const entry = getDockerImageBySourceHash(manifest, lambda.imageUri);
+  if (!entry)
+    return void 0;
+  return { asset: entry.asset, cdkOutDir };
 }
 function getTemplateEnv(resource) {
   const props = resource.Properties ?? {};
@@ -70600,8 +71310,8 @@ async function readStdin() {
   return Buffer.concat(chunks).toString("utf-8");
 }
 async function assumeLambdaExecutionRole(roleArn, region) {
-  const { STSClient: STSClient10, AssumeRoleCommand: AssumeRoleCommand2 } = await import("@aws-sdk/client-sts");
-  const sts = new STSClient10({ ...region && { region } });
+  const { STSClient: STSClient11, AssumeRoleCommand: AssumeRoleCommand2 } = await import("@aws-sdk/client-sts");
+  const sts = new STSClient11({ ...region && { region } });
   try {
     const response = await sts.send(
       new AssumeRoleCommand2({
@@ -70649,6 +71359,109 @@ function materializeInlineCode(handler, source, fileExtension) {
   writeFileSync5(filePath, source, "utf-8");
   return dir;
 }
+async function loadStateForStack(stackName, synthRegion, opts) {
+  const logger = getLogger();
+  const region = opts.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? synthRegion ?? "us-east-1";
+  let stateBucket;
+  try {
+    stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, region);
+  } catch (err) {
+    logger.warn(
+      `--from-state: could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Falling back to PR 1 warn-and-drop semantics.`
+    );
+    return void 0;
+  }
+  const awsClients = new AwsClients({
+    ...opts.region !== void 0 && { region: opts.region },
+    ...opts.profile !== void 0 && { profile: opts.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: opts.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...opts.region !== void 0 && { region: opts.region },
+      ...opts.profile !== void 0 && { profile: opts.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
+    if (refs.length === 0) {
+      logger.warn(
+        `--from-state: no cdkd state found for stack '${stackName}' in bucket '${stateBucket}'. Was it deployed via 'cdkd deploy'? Falling back to PR 1 warn-and-drop semantics.`
+      );
+      return void 0;
+    }
+    let targetRegion;
+    if (opts.stackRegion) {
+      const found = refs.find((r) => r.region === opts.stackRegion);
+      if (!found) {
+        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+        logger.warn(
+          `--from-state: stack '${stackName}' has no state in region '${opts.stackRegion}' (available: ${seen}). Falling back.`
+        );
+        return void 0;
+      }
+      targetRegion = opts.stackRegion;
+    } else if (synthRegion && refs.some((r) => r.region === synthRegion)) {
+      targetRegion = synthRegion;
+    } else if (refs.length === 1) {
+      targetRegion = refs[0].region ?? synthRegion ?? region;
+    } else {
+      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      logger.warn(
+        `--from-state: stack '${stackName}' has state in multiple regions (${seen}). Re-run with --stack-region <region>. Falling back.`
+      );
+      return void 0;
+    }
+    const stateData = await stateBackend.getState(stackName, targetRegion);
+    if (!stateData) {
+      logger.warn(
+        `--from-state: state record for '${stackName}' (${targetRegion}) returned empty. Falling back.`
+      );
+      return void 0;
+    }
+    logger.debug(`--from-state: loaded state for ${stackName} (${targetRegion})`);
+    return { state: stateData.state, region: targetRegion };
+  } finally {
+    awsClients.destroy();
+  }
+}
+function suggestAssumeRoleFromState(state, logicalId) {
+  const logger = getLogger();
+  const lambda = state.resources[logicalId];
+  if (!lambda)
+    return;
+  const roleRef = lambda.properties?.["Role"] ?? lambda.observedProperties?.["Role"];
+  let roleArn;
+  if (typeof roleRef === "string" && roleRef.startsWith("arn:")) {
+    roleArn = roleRef;
+  } else if (typeof roleRef === "object" && roleRef !== null) {
+    const refLogicalId = pickReferencedLogicalId(roleRef);
+    if (refLogicalId) {
+      const roleResource = state.resources[refLogicalId];
+      const cached = roleResource?.attributes?.["Arn"];
+      if (typeof cached === "string" && cached.startsWith("arn:")) {
+        roleArn = cached;
+      }
+    }
+  }
+  if (roleArn) {
+    logger.info(
+      `Hint: the deployed function uses execution role ${roleArn}. Re-run with --assume-role <that-arn> to invoke under the deployed function's narrow permissions.`
+    );
+  }
+}
+function pickReferencedLogicalId(intrinsic) {
+  if ("Ref" in intrinsic && typeof intrinsic["Ref"] === "string")
+    return intrinsic["Ref"];
+  if ("Fn::GetAtt" in intrinsic) {
+    const arg = intrinsic["Fn::GetAtt"];
+    if (Array.isArray(arg) && typeof arg[0] === "string")
+      return arg[0];
+    if (typeof arg === "string")
+      return arg.split(".")[0];
+  }
+  return void 0;
+}
 function createLocalCommand() {
   const local = new Command14("local").description(
     "Local Lambda execution against the AWS Lambda Runtime Interface Emulator (Docker required)"
@@ -70660,15 +71473,32 @@ function createLocalCommand() {
       "--env-vars <file>",
       'JSON env-var overrides (SAM-compatible: {"LogicalId":{"KEY":"VALUE"}})'
     )
-  ).addOption(new Option7("--no-pull", "Skip docker pull (use cached image)")).addOption(new Option7("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(
+  ).addOption(
+    new Option7(
+      "--no-pull",
+      "Skip docker pull (use cached image) \u2014 no-op for IMAGE local-build path; `docker build` does not pull base layers by default"
+    )
+  ).addOption(new Option7("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(
     new Option7("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")
   ).addOption(
     new Option7(
       "--assume-role <arn>",
       `Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the "developer admin / function narrow" skew). Off by default \u2014 when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default).`
     )
+  ).addOption(
+    new Option7(
+      "--from-state",
+      "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default \u2014 keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy."
+    ).default(false)
+  ).addOption(
+    new Option7(
+      "--stack-region <region>",
+      "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions)."
+    )
   ).action(withErrorHandling(localInvokeCommand));
-  [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => invoke.addOption(opt));
+  [...commonOptions, ...appOptions, ...contextOptions, ...stateOptions].forEach(
+    (opt) => invoke.addOption(opt)
+  );
   invoke.addOption(deprecatedRegionOption);
   local.addCommand(invoke);
   return local;
@@ -70703,7 +71533,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command15();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.68.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.70.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());