@go-to-k/cdkd 0.80.0 → 0.82.0

package/dist/cli.js

@@ -12448,7 +12448,7 @@ var require_graphql = __commonJS({
     var _validate2 = require_validate2();
     var _execute = require_execute();
     function graphql(args) {
-      return new Promise((resolve8) => resolve8(graphqlImpl(args)));
+      return new Promise((resolve9) => resolve9(graphqlImpl(args)));
     }
     function graphqlSync(args) {
       const result = graphqlImpl(args);
@@ -17797,7 +17797,7 @@ var require_graphql2 = __commonJS({
 });
 
 // src/cli/index.ts
-import { Command as Command16 } from "commander";
+import { Command as Command17 } from "commander";
 
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -18869,7 +18869,7 @@ var IntrinsicFunctionResolver = class {
               this.logger.debug(
                 `VPC ${physicalId} IPv6 CIDR still associating (attempt ${attempt}/${maxAttempts}), waiting...`
               );
-              await new Promise((resolve8) => setTimeout(resolve8, 2e3));
+              await new Promise((resolve9) => setTimeout(resolve9, 2e3));
             }
             this.logger.warn(
               `VPC ${physicalId} IPv6 CIDR did not reach 'associated' state after ${maxAttempts} attempts`
@@ -19754,7 +19754,7 @@ var DagExecutor = class {
   async execute(concurrency, fn, cancelled = () => false) {
     let active = 0;
     const errors = [];
-    return new Promise((resolve8, reject) => {
+    return new Promise((resolve9, reject) => {
       const dispatch = () => {
         let changed = true;
         while (changed) {
@@ -19816,7 +19816,7 @@ var DagExecutor = class {
             );
             return;
           }
-          resolve8();
+          resolve9();
         }
       };
       dispatch();
@@ -20497,7 +20497,7 @@ Error: ${err.message || "Unknown error"}`,
    * Sleep for specified milliseconds
    */
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Check if a resource type is supported by Cloud Control API
@@ -21231,7 +21231,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
     return result;
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Adopt an existing custom resource into cdkd state.
@@ -21661,12 +21661,12 @@ function isRetryableTransientError(error, message) {
 }
 
 // src/deployment/retry.ts
-var defaultSleep = (ms) => new Promise((resolve8) => setTimeout(resolve8, ms));
+var defaultSleep = (ms) => new Promise((resolve9) => setTimeout(resolve9, ms));
 async function withRetry(operation, logicalId, opts = {}) {
   const maxRetries = opts.maxRetries ?? 8;
   const initialDelayMs = opts.initialDelayMs ?? 1e3;
   const maxDelayMs = opts.maxDelayMs ?? 8e3;
-  const sleep = opts.sleep ?? defaultSleep;
+  const sleep2 = opts.sleep ?? defaultSleep;
   let lastError;
   for (let attempt = 0; attempt <= maxRetries; attempt++) {
     try {
@@ -21686,7 +21686,7 @@ async function withRetry(operation, logicalId, opts = {}) {
         if (opts.isInterrupted?.()) {
           throw opts.onInterrupted ? opts.onInterrupted() : new Error("Interrupted");
         }
-        await sleep(Math.min(1e3, delay2 - waited));
+        await sleep2(Math.min(1e3, delay2 - waited));
       }
     }
   }
@@ -21716,7 +21716,7 @@ function validateOptions(opts) {
 async function withResourceDeadline(operation, opts) {
   validateOptions(opts);
   const startedAt = Date.now();
-  return new Promise((resolve8, reject) => {
+  return new Promise((resolve9, reject) => {
     let settled = false;
     let warnTimer;
     let timeoutTimer;
@@ -21756,7 +21756,7 @@ async function withResourceDeadline(operation, opts) {
           return;
         settled = true;
         cleanup();
-        resolve8(value);
+        resolve9(value);
       },
       (err) => {
         if (settled)
@@ -23791,7 +23791,7 @@ var AppExecutor = class {
    * Spawn subprocess and wait for completion
    */
   spawn(commandLine, env) {
-    return new Promise((resolve8, reject) => {
+    return new Promise((resolve9, reject) => {
       const proc = spawn(commandLine, {
         stdio: ["ignore", "pipe", "pipe"],
         shell: true,
@@ -23817,7 +23817,7 @@ var AppExecutor = class {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve8();
+          resolve9();
         } else {
           const stderr = stderrChunks.join("\n");
           reject(
@@ -25339,11 +25339,11 @@ var FileAssetPublisher = class {
    */
   async uploadZip(client, dirPath, bucket, key) {
     const archiver = await import("archiver");
-    const body = await new Promise((resolve8, reject) => {
+    const body = await new Promise((resolve9, reject) => {
       const chunks = [];
       const archive = archiver.default("zip", { zlib: { level: 9 } });
       archive.on("data", (chunk) => chunks.push(chunk));
-      archive.on("end", () => resolve8(Buffer.concat(chunks)));
+      archive.on("end", () => resolve9(Buffer.concat(chunks)));
       archive.on("error", reject);
       const stat4 = statSync2(dirPath);
       if (stat4.isDirectory()) {
@@ -25528,7 +25528,7 @@ var DockerAssetPublisher = class {
     const token = Buffer.from(authData.authorizationToken, "base64").toString();
     const [username, password] = token.split(":");
     const endpoint = authData.proxyEndpoint || `https://${accountId}.dkr.ecr.${region}.amazonaws.com`;
-    await new Promise((resolve8, reject) => {
+    await new Promise((resolve9, reject) => {
       const proc = spawn2(
         "docker",
         ["login", "--username", username, "--password-stdin", endpoint],
@@ -25542,7 +25542,7 @@ var DockerAssetPublisher = class {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve8();
+          resolve9();
         } else {
           reject(new AssetError(`ECR login failed: ${stderr.trim()}`));
         }
@@ -25595,7 +25595,7 @@ var WorkGraph = class {
   async execute(concurrency, fn) {
     const active = { "asset-build": 0, "asset-publish": 0, stack: 0 };
     const errors = [];
-    return new Promise((resolve8, reject) => {
+    return new Promise((resolve9, reject) => {
       const dispatch = () => {
         const ready = [];
         for (const node of this.nodes.values()) {
@@ -25667,7 +25667,7 @@ ${msg}`
             );
             return;
           }
-          resolve8();
+          resolve9();
         }
       };
       dispatch();
@@ -26658,7 +26658,7 @@ var LockManager = class {
           this.logger.info(
             `Stack '${stackName}' (${region}) is locked by ${lockInfo2.owner}${lockInfo2.operation ? ` (operation: ${lockInfo2.operation})` : ""}. Lock expires in ${this.formatDuration(remainingMs)}. Retrying in ${this.formatDuration(retryDelay)}... (attempt ${attempt + 1}/${maxRetries})`
           );
-          await new Promise((resolve8) => setTimeout(resolve8, retryDelay));
+          await new Promise((resolve9) => setTimeout(resolve9, retryDelay));
           continue;
         }
       }
@@ -35152,7 +35152,7 @@ var LambdaFunctionProvider = class {
     return enis;
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Build Lambda Code parameter from CDK properties
@@ -37029,7 +37029,7 @@ var DynamoDBTableProvider = class {
       if (status !== "CREATING") {
         throw new Error(`Unexpected table status: ${status}`);
       }
-      await new Promise((resolve8) => setTimeout(resolve8, 1e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 1e3));
     }
     throw new Error(`Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds`);
   }
@@ -37049,7 +37049,7 @@ var DynamoDBTableProvider = class {
       if (status === "ACTIVE") {
         return;
       }
-      await new Promise((resolve8) => setTimeout(resolve8, 1e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 1e3));
     }
     throw new Error(
       `Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds after UpdateTable`
@@ -40229,7 +40229,7 @@ var EC2Provider = class {
           this.logger.debug(
             `VPC ${physicalId} has dependencies (attempt ${attempt}/${maxAttempts}), retrying in ${attempt * 5}s...`
           );
-          await new Promise((resolve8) => setTimeout(resolve8, attempt * 5e3));
+          await new Promise((resolve9) => setTimeout(resolve9, attempt * 5e3));
           continue;
         }
         const cause = error instanceof Error ? error : void 0;
@@ -40393,7 +40393,7 @@ var EC2Provider = class {
           this.logger.debug(
             `Subnet ${physicalId} has dependencies (attempt ${attempt}/${maxAttempts}), retrying in ${attempt * 5}s...`
           );
-          await new Promise((resolve8) => setTimeout(resolve8, attempt * 5e3));
+          await new Promise((resolve9) => setTimeout(resolve9, attempt * 5e3));
           continue;
         }
         const cause = error instanceof Error ? error : void 0;
@@ -41151,7 +41151,7 @@ var EC2Provider = class {
           this.logger.debug(
             `SecurityGroup ${physicalId} has dependent objects (attempt ${attempt}/${maxAttempts}), retrying in ${attempt * 5}s...`
           );
-          await new Promise((resolve8) => setTimeout(resolve8, attempt * 5e3));
+          await new Promise((resolve9) => setTimeout(resolve9, attempt * 5e3));
           continue;
         }
         const cause = error instanceof Error ? error : void 0;
@@ -42095,7 +42095,7 @@ var EC2Provider = class {
    * `setTimeout` globally.
    */
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Check if an error indicates the resource was not found
@@ -44195,7 +44195,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
    * Sleep for specified milliseconds
    */
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Convert CloudFormation Tags (Array<{Key, Value}>) to SDK tags (Record<string, string>).
@@ -44850,8 +44850,8 @@ var ApiGatewayV2Provider = class {
   async createRoute(logicalId, resourceType, properties) {
     this.logger.debug(`Creating API Gateway V2 Route ${logicalId}`);
     const apiId = properties["ApiId"];
-    const routeKey2 = properties["RouteKey"];
-    if (!apiId || !routeKey2) {
+    const routeKey = properties["RouteKey"];
+    if (!apiId || !routeKey) {
       throw new ProvisioningError(
         `ApiId and RouteKey are required for API Gateway V2 Route ${logicalId}`,
         resourceType,
@@ -44862,7 +44862,7 @@ var ApiGatewayV2Provider = class {
       const response = await this.getClient().send(
         new CreateRouteCommand2({
           ApiId: apiId,
-          RouteKey: routeKey2,
+          RouteKey: routeKey,
           Target: properties["Target"],
           AuthorizationType: properties["AuthorizationType"],
           AuthorizerId: properties["AuthorizerId"]
@@ -46087,7 +46087,7 @@ var CloudFrontDistributionProvider = class {
         );
         const sleepEnd = Date.now() + delay2;
         while (Date.now() < sleepEnd && !interrupted) {
-          await new Promise((resolve8) => setTimeout(resolve8, 1e3));
+          await new Promise((resolve9) => setTimeout(resolve9, 1e3));
         }
         delay2 = Math.min(delay2 * 1.5, maxDelay);
       }
@@ -49899,7 +49899,7 @@ var RDSProvider = class {
     throw new Error(`Timed out waiting for DBInstance ${dbInstanceIdentifier} to be deleted`);
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Adopt an existing RDS resource into cdkd state.
@@ -50884,7 +50884,7 @@ var DocDBProvider = class {
     throw new Error(`Timed out waiting for DocDB DBInstance ${dbInstanceIdentifier} to be deleted`);
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Adopt an existing DocDB resource into cdkd state.
@@ -51874,7 +51874,7 @@ var NeptuneProvider = class {
     );
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Adopt an existing Neptune resource into cdkd state.
@@ -54414,7 +54414,7 @@ var ElastiCacheProvider = class {
     throw new Error(`Timed out waiting for CacheCluster ${cacheClusterId} to be deleted`);
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Read the AWS-current ElastiCache resource configuration in CFn-property shape.
@@ -55129,7 +55129,7 @@ var ServiceDiscoveryProvider = class {
           logicalId
         );
       }
-      await new Promise((resolve8) => setTimeout(resolve8, delay2));
+      await new Promise((resolve9) => setTimeout(resolve9, delay2));
       delay2 = Math.min(delay2 * 2, 1e4);
     }
     throw new ProvisioningError(
@@ -59654,7 +59654,7 @@ var KinesisStreamProvider = class {
       if (status !== "CREATING" && status !== "UPDATING") {
         throw new Error(`Unexpected stream status: ${status}`);
       }
-      await new Promise((resolve8) => setTimeout(resolve8, 2e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 2e3));
     }
     throw new Error(
       `Stream ${streamName} did not reach ACTIVE status within ${maxAttempts * 2} seconds`
@@ -59987,7 +59987,7 @@ var KinesisStreamConsumerProvider = class {
       if (status !== "CREATING") {
         throw new Error(`Unexpected consumer status: ${status}`);
       }
-      await new Promise((resolve8) => setTimeout(resolve8, 1e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 1e3));
     }
     throw new Error(
       `Consumer ${consumerArn} did not reach ACTIVE status within ${maxAttempts} seconds`
@@ -60292,7 +60292,7 @@ var EFSProvider = class {
       this.logger.debug(
         `FileSystem ${fileSystemId} state: ${fs?.LifeCycleState ?? "unknown"}, waiting...`
       );
-      await new Promise((resolve8) => setTimeout(resolve8, pollIntervalMs));
+      await new Promise((resolve9) => setTimeout(resolve9, pollIntervalMs));
     }
     throw new ProvisioningError(
       `Timed out waiting for EFS FileSystem ${fileSystemId} to become available (60s)`,
@@ -60370,7 +60370,7 @@ var EFSProvider = class {
       this.logger.debug(
         `MountTarget ${mountTargetId} state: ${mountTarget?.LifeCycleState ?? "unknown"}, waiting...`
       );
-      await new Promise((resolve8) => setTimeout(resolve8, pollIntervalMs));
+      await new Promise((resolve9) => setTimeout(resolve9, pollIntervalMs));
     }
     throw new ProvisioningError(
       `Timed out waiting for EFS MountTarget ${mountTargetId} to become available (120s)`,
@@ -60436,7 +60436,7 @@ var EFSProvider = class {
         }
         throw error;
       }
-      await new Promise((resolve8) => setTimeout(resolve8, pollIntervalMs));
+      await new Promise((resolve9) => setTimeout(resolve9, pollIntervalMs));
     }
     this.logger.warn(
       `Timed out waiting for EFS MountTarget ${mountTargetId} deletion for ${logicalId} (120s)`
@@ -61394,7 +61394,7 @@ var FirehoseProvider = class {
       this.logger.debug(
         `Firehose ${logicalId} status: ${status} (attempt ${attempt}/${maxAttempts})`
       );
-      await new Promise((resolve8) => setTimeout(resolve8, 2e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 2e3));
     }
     this.logger.warn(`Firehose ${logicalId} did not reach ACTIVE after ${maxAttempts} attempts`);
   }
@@ -64864,7 +64864,7 @@ var ASGProvider = class {
     );
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   // ─── Sub-shape diff helpers ───────────────────────────────────────
   // Each helper is a no-op when before/after JSON is identical (the cheap
@@ -66804,7 +66804,7 @@ Acquiring lock for stack ${stackName}...`);
                   logger.debug(
                     `  \u23F3 Retrying delete ${logicalId} in ${delay2 / 1e3}s (attempt ${attempt + 1}/${maxAttempts})`
                   );
-                  await new Promise((resolve8) => setTimeout(resolve8, delay2));
+                  await new Promise((resolve9) => setTimeout(resolve9, delay2));
                 }
               }
               if (lastDeleteError)
@@ -70034,11 +70034,11 @@ async function captureObservedForImportedResources(stackState, providerRegistry,
 }
 
 // src/cli/commands/local-invoke.ts
-import { cpSync as cpSync2, mkdtempSync as mkdtempSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync7, rmSync as rmSync3, writeFileSync as writeFileSync6 } from "node:fs";
+import { cpSync as cpSync2, mkdtempSync as mkdtempSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync8, rmSync as rmSync3, writeFileSync as writeFileSync6 } from "node:fs";
 import { tmpdir as tmpdir3 } from "node:os";
-import { dirname as dirname5 } from "node:path";
+import { dirname as dirname7 } from "node:path";
 import * as path2 from "node:path";
-import { Command as Command15, Option as Option8 } from "commander";
+import { Command as Command16, Option as Option9 } from "commander";
 
 // src/local/lambda-resolver.ts
 import { existsSync as existsSync4, statSync as statSync3 } from "node:fs";
@@ -70651,14 +70651,47 @@ async function pullImage(image, skipPull) {
     logger.debug(`Skipping docker pull for ${image} (--no-pull)`);
     return;
   }
-  logger.info(`Pulling ${image}...`);
-  await runForeground("docker", ["pull", image]);
+  if (getLogger().getLevel() === "debug") {
+    logger.info(`Pulling ${image}...`);
+    await runForeground("docker", ["pull", image]);
+    return;
+  }
+  logger.debug(`Pulling ${image} (silent \u2014 pass --verbose to stream progress)`);
+  await runCaptured("docker", ["pull", image], image);
+}
+function runCaptured(cmd, args, image) {
+  return new Promise((resolveProc, rejectProc) => {
+    const proc = spawn3(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    proc.stdout?.on("data", (chunk) => {
+      stdout += chunk.toString("utf-8");
+    });
+    proc.stderr?.on("data", (chunk) => {
+      stderr += chunk.toString("utf-8");
+    });
+    proc.on(
+      "error",
+      (err) => rejectProc(new DockerRunnerError(`${cmd} pull ${image} failed: ${err.message}`))
+    );
+    proc.on("close", (code) => {
+      if (code === 0) {
+        resolveProc();
+        return;
+      }
+      const detail = stderr.trim() || stdout.trim() || "(no output)";
+      rejectProc(new DockerRunnerError(`docker pull ${image} exited with code ${code}: ${detail}`));
+    });
+  });
 }
 async function runDetached(opts) {
   const args = ["run", "-d", "--rm"];
   if (opts.name) {
     args.push("--name", opts.name);
   }
+  if (opts.network) {
+    args.push("--network", opts.network);
+  }
   if (opts.platform) {
     args.push("--platform", opts.platform);
   }
@@ -70879,7 +70912,7 @@ async function ecrLogin(client, accountId, region) {
   const token = Buffer.from(authData.authorizationToken, "base64").toString();
   const [username, password] = token.split(":");
   const endpoint = authData.proxyEndpoint || `https://${accountId}.dkr.ecr.${region}.amazonaws.com`;
-  await new Promise((resolve8, reject) => {
+  await new Promise((resolve9, reject) => {
     const proc = spawn4("docker", ["login", "--username", username, "--password-stdin", endpoint], {
       stdio: ["pipe", "pipe", "pipe"]
     });
@@ -70889,7 +70922,7 @@ async function ecrLogin(client, accountId, region) {
     });
     proc.on("close", (code) => {
       if (code === 0)
-        resolve8();
+        resolve9();
       else
         reject(new LocalInvokeBuildError(`ECR login failed: ${stderr.trim()}`));
     });
@@ -70918,12 +70951,12 @@ async function isImageInLocalCache(imageRef) {
   }
 }
 function runForeground2(cmd, args) {
-  return new Promise((resolve8, reject) => {
+  return new Promise((resolve9, reject) => {
     const proc = spawn4(cmd, args, { stdio: "inherit" });
     proc.on("error", (err) => reject(new LocalInvokeBuildError(`${cmd} failed: ${err.message}`)));
     proc.on("close", (code) => {
       if (code === 0)
-        resolve8();
+        resolve9();
       else
         reject(new LocalInvokeBuildError(`${cmd} exited with code ${code}`));
     });
@@ -71367,8 +71400,8 @@ function discoverHttpApiRoute(logicalId, resource, template, stackName) {
       );
     }
   }
-  const routeKey2 = props["RouteKey"];
-  if (typeof routeKey2 !== "string" || routeKey2.length === 0) {
+  const routeKey = props["RouteKey"];
+  if (typeof routeKey !== "string" || routeKey.length === 0) {
     throw new Error(
       `${stackName}/${logicalId} (AWS::ApiGatewayV2::Route): RouteKey must be a string`
     );
@@ -71404,7 +71437,7 @@ function discoverHttpApiRoute(logicalId, resource, template, stackName) {
     integrationProps["IntegrationUri"],
     `${stackName}/${integrationLogicalId}.IntegrationUri`
   );
-  const { method, pathPattern } = parseRouteKey(routeKey2);
+  const { method, pathPattern } = parseRouteKey(routeKey);
   return [
     {
       method,
@@ -71519,14 +71552,14 @@ function parseHttpApiTargetIntegration(target, location) {
     )}).`
   );
 }
-function parseRouteKey(routeKey2) {
-  if (routeKey2 === "$default") {
+function parseRouteKey(routeKey) {
+  if (routeKey === "$default") {
     return { method: "ANY", pathPattern: "$default" };
   }
-  const m = /^([A-Za-z]+)\s+(\S+)$/.exec(routeKey2);
+  const m = /^([A-Za-z]+)\s+(\S+)$/.exec(routeKey);
   if (!m) {
     throw new Error(
-      `RouteKey '${routeKey2}' is malformed: expected '<METHOD> <path>' (e.g. 'GET /items/{id}') or '$default'.`
+      `RouteKey '${routeKey}' is malformed: expected '<METHOD> <path>' (e.g. 'GET /items/{id}') or '$default'.`
     );
   }
   return { method: m[1].toUpperCase(), pathPattern: m[2] };
@@ -71712,9 +71745,9 @@ function createContainerPool(specs, options) {
       if (disposed) {
         entry.warm.push(handle);
         if (entry.inUse.size === 0) {
-          for (const resolve8 of entry.drainResolvers.splice(0, entry.drainResolvers.length)) {
+          for (const resolve9 of entry.drainResolvers.splice(0, entry.drainResolvers.length)) {
             try {
-              resolve8();
+              resolve9();
             } catch {
             }
           }
@@ -71730,9 +71763,9 @@ function createContainerPool(specs, options) {
       entry.warm.push(handle);
       resetIdleTimer(entry);
       if (entry.inUse.size === 0 && entry.drainResolvers.length > 0) {
-        for (const resolve8 of entry.drainResolvers.splice(0, entry.drainResolvers.length)) {
+        for (const resolve9 of entry.drainResolvers.splice(0, entry.drainResolvers.length)) {
           try {
-            resolve8();
+            resolve9();
           } catch {
           }
         }
@@ -71867,10 +71900,10 @@ function buildHttpApiV2Event(req, ctx, opts = {}) {
   const contentType = headers["content-type"] ?? "";
   const { body, isBase64Encoded } = encodeBody(req.body, contentType);
   const now = opts.now ? opts.now() : /* @__PURE__ */ new Date();
-  const routeKey2 = ctx.route.pathPattern === "$default" ? "$default" : `${ctx.route.method} ${ctx.route.pathPattern}`;
+  const routeKey = ctx.route.pathPattern === "$default" ? "$default" : `${ctx.route.method} ${ctx.route.pathPattern}`;
   const event = {
     version: "2.0",
-    routeKey: routeKey2,
+    routeKey,
     rawPath,
     rawQueryString,
     cookies,
@@ -71894,7 +71927,7 @@ function buildHttpApiV2Event(req, ctx, opts = {}) {
         userAgent
       },
       requestId: randomUUID(),
-      routeKey: routeKey2,
+      routeKey,
       stage: ctx.route.stage,
       time: formatRequestTime(now),
       timeEpoch: now.getTime(),
@@ -73798,6 +73831,74 @@ function writeError(res, statusCode, body = '{"message":"Internal server error"}
   res.end(body);
 }
 
+// src/local/api-server-grouping.ts
+function groupRoutesByServer(routes) {
+  const order = [];
+  const byKey = /* @__PURE__ */ new Map();
+  for (const rwa of routes) {
+    const r = rwa.route;
+    let serverKey;
+    let kind;
+    let identifier;
+    let displayName;
+    if (r.source === "function-url") {
+      identifier = r.lambdaLogicalId;
+      serverKey = `function-url:${identifier}`;
+      kind = "function-url";
+      displayName = `${identifier} (Function URL)`;
+    } else if (r.source === "http-api") {
+      identifier = r.apiLogicalId ?? "<unknown>";
+      serverKey = `http-api:${identifier}`;
+      kind = "http-api";
+      displayName = `${identifier} (HTTP API v2)`;
+    } else {
+      identifier = r.apiLogicalId ?? "<unknown>";
+      serverKey = `rest-v1:${identifier}`;
+      kind = "rest-v1";
+      displayName = `${identifier} (REST API v1)`;
+    }
+    const existing = byKey.get(serverKey);
+    if (existing) {
+      existing.routes.push(rwa);
+    } else {
+      byKey.set(serverKey, { displayName, kind, identifier, routes: [rwa] });
+      order.push(serverKey);
+    }
+  }
+  return order.map((key) => {
+    const entry = byKey.get(key);
+    return {
+      serverKey: key,
+      displayName: entry.displayName,
+      kind: entry.kind,
+      identifier: entry.identifier,
+      routes: entry.routes
+    };
+  });
+}
+function filterRoutesByApiIdentifier(routes, identifier) {
+  return routes.filter((rwa) => {
+    const r = rwa.route;
+    if (r.source === "function-url") {
+      return r.lambdaLogicalId === identifier;
+    }
+    return r.apiLogicalId === identifier;
+  });
+}
+function availableApiIdentifiers(routes) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const rwa of routes) {
+    const r = rwa.route;
+    const id = r.source === "function-url" ? r.lambdaLogicalId : r.apiLogicalId ?? "<unknown>";
+    if (!seen.has(id)) {
+      seen.add(id);
+      out.push(id);
+    }
+  }
+  return out;
+}
+
 // src/local/stage-resolver.ts
 function buildStageMap(template, stageOverride) {
   const out = /* @__PURE__ */ new Map();
@@ -74630,9 +74731,9 @@ var NodeFsHandler = class {
     if (this.fsw.closed) {
       return;
     }
-    const dirname7 = sp.dirname(file);
+    const dirname9 = sp.dirname(file);
     const basename4 = sp.basename(file);
-    const parent = this.fsw._getWatchedDir(dirname7);
+    const parent = this.fsw._getWatchedDir(dirname9);
     let prevStats = stats;
     if (parent.has(basename4))
       return;
@@ -74659,7 +74760,7 @@ var NodeFsHandler = class {
             prevStats = newStats2;
           }
         } catch (error) {
-          this.fsw._remove(dirname7, basename4);
+          this.fsw._remove(dirname9, basename4);
         }
       } else if (parent.has(basename4)) {
         const at = newStats.atimeMs;
@@ -74756,7 +74857,7 @@ var NodeFsHandler = class {
         this._addToNodeFs(path3, initialAdd, wh, depth + 1);
       }
     }).on(EV.ERROR, this._boundHandleError);
-    return new Promise((resolve8, reject) => {
+    return new Promise((resolve9, reject) => {
       if (!stream)
         return reject();
       stream.once(STR_END, () => {
@@ -74765,7 +74866,7 @@ var NodeFsHandler = class {
           return;
         }
         const wasThrottled = throttler ? throttler.clear() : false;
-        resolve8(void 0);
+        resolve9(void 0);
         previous.getChildren().filter((item) => {
           return item !== directory && !current.has(item);
         }).forEach((item) => {
@@ -75689,92 +75790,6 @@ function createFileWatcher(options) {
   };
 }
 
-// src/local/reload-orchestrator.ts
-function createReloadOrchestrator(deps) {
-  const logger = getLogger().child("start-api-reload");
-  let chain = Promise.resolve();
-  return {
-    reload() {
-      const next = chain.then(() => runOneReload(deps, logger));
-      chain = next.catch(() => void 0);
-      return next;
-    }
-  };
-}
-async function runOneReload(deps, logger) {
-  const previousState = deps.getServerState();
-  const start = Date.now();
-  let material;
-  try {
-    material = await deps.synthesizeAndBuild();
-  } catch (err) {
-    const reason = err instanceof Error ? err.message : String(err);
-    logger.warn(`cdk synth failed during reload; keeping previous version. (${reason})`);
-    return { ok: false, reason, added: [], removed: [], rebuiltLambdas: [] };
-  }
-  const oldRoutes = previousState.routes;
-  const newRoutes = material.routes;
-  const oldKeys = new Set(oldRoutes.map((r) => routeKey(r.route)));
-  const newKeys = new Set(newRoutes.map((r) => routeKey(r.route)));
-  const added = newRoutes.filter((r) => !oldKeys.has(routeKey(r.route)));
-  const removed = oldRoutes.filter((r) => !newKeys.has(routeKey(r.route)));
-  const previousSpecs = pickSpecsFromState(previousState);
-  const rebuiltLambdas = [];
-  for (const [logicalId, newSpec] of material.specs) {
-    const oldSpec = previousSpecs.get(logicalId);
-    if (!oldSpec)
-      continue;
-    if (specSignature(oldSpec) !== specSignature(newSpec)) {
-      rebuiltLambdas.push(logicalId);
-    }
-  }
-  const newPool = deps.buildPool(material.specs);
-  Object.defineProperty(newPool, "__cdkdSpecs", {
-    value: material.specs,
-    enumerable: false,
-    configurable: true
-  });
-  const newState = {
-    routes: material.routes,
-    pool: newPool,
-    corsConfigByApiId: material.corsConfigByApiId
-  };
-  deps.setServerState(newState);
-  void previousState.pool.dispose().catch(
-    (err) => logger.debug(
-      `Previous pool dispose() failed: ${err instanceof Error ? err.message : String(err)}`
-    )
-  );
-  const elapsed = Date.now() - start;
-  logger.info(
-    `Reloaded in ${elapsed}ms: +${added.length} route(s), -${removed.length} route(s), ${rebuiltLambdas.length} Lambda(s) rebuilt.`
-  );
-  return {
-    ok: true,
-    added,
-    removed,
-    rebuiltLambdas,
-    newState
-  };
-}
-function routeKey(route) {
-  return [route.method, route.pathPattern, route.lambdaLogicalId, route.source, route.apiVersion].map((s) => String(s)).join("|");
-}
-function specSignature(spec) {
-  return JSON.stringify({
-    codeDir: spec.codeDir,
-    env: spec.env,
-    handler: spec.lambda.handler,
-    runtime: spec.lambda.runtime,
-    containerHost: spec.containerHost,
-    debugPort: spec.debugPort ?? null
-  });
-}
-function pickSpecsFromState(state) {
-  const tagged = state.pool.__cdkdSpecs;
-  return tagged ?? /* @__PURE__ */ new Map();
-}
-
 // src/local/authorizer-cache.ts
 function createAuthorizerCache(opts = {}) {
   const now = opts.now ?? (() => Date.now());
@@ -75880,7 +75895,17 @@ async function localStartApiCommand(options) {
       }
     }
     attachStageContext(routes, stageMap);
-    const routesWithAuth = attachAuthorizers(targetStacks, routes);
+    let routesWithAuth = attachAuthorizers(targetStacks, routes);
+    if (options.api) {
+      const filtered = filterRoutesByApiIdentifier(routesWithAuth, options.api);
+      if (filtered.length === 0) {
+        const available = availableApiIdentifiers(routesWithAuth).join(", ") || "(none)";
+        throw new Error(
+          `--api '${options.api}' did not match any discovered API. Available identifiers: ${available}.`
+        );
+      }
+      routesWithAuth = filtered;
+    }
     const corsConfigByApiId = /* @__PURE__ */ new Map();
     for (const stack of targetStacks) {
       const m = buildCorsConfigByApiId(stack.template);
@@ -75933,88 +75958,91 @@ async function localStartApiCommand(options) {
     return [...assetPaths];
   };
   const initialMaterial = await synthesizeAndBuild();
-  const initialPool = buildPool(initialMaterial.specs);
   lastAssetPaths.value = computeAssetPaths(initialMaterial.specs);
   await prewarmJwks(initialMaterial.routes, jwksCache);
   warnVpcConfigLambdas(initialMaterial.routes, initialMaterial.stacks ?? []);
-  if (options.warm) {
-    logger.info(`Pre-warming ${initialMaterial.specs.size} container(s)...`);
-    const handles = await Promise.allSettled(
-      [...initialMaterial.specs.keys()].map((id) => initialPool.acquire(id))
-    );
-    for (const result of handles) {
-      if (result.status === "fulfilled") {
-        initialPool.release(result.value);
-      } else {
-        logger.warn(
-          `Pre-warm failed for one Lambda (cold start cost will apply on first request): ${result.reason instanceof Error ? result.reason.message : String(result.reason)}`
-        );
-      }
-    }
-  }
   let maxTimeoutSec = 0;
   for (const spec of initialMaterial.specs.values()) {
     if (spec.lambda.timeoutSec > maxTimeoutSec)
       maxTimeoutSec = spec.lambda.timeoutSec;
   }
   const rieTimeoutMs = Math.max(3e4, maxTimeoutSec * 2 * 1e3);
-  const port = parseInt(options.port, 10);
-  if (!Number.isFinite(port) || port < 0 || port > 65535) {
+  const basePort = parseInt(options.port, 10);
+  if (!Number.isFinite(basePort) || basePort < 0 || basePort > 65535) {
     throw new Error(`--port must be 0..65535 (got ${options.port}).`);
   }
-  const initialState = {
-    routes: initialMaterial.routes,
-    pool: initialPool,
-    corsConfigByApiId: initialMaterial.corsConfigByApiId
-  };
-  const server = await startApiServer({
-    state: initialState,
-    rieTimeoutMs,
-    host: options.host,
-    port,
-    authorizerCache,
-    jwksCache,
-    jwksWarnedUrls
-  });
-  printRouteTable(initialMaterial.routes);
+  const initialGroups = groupRoutesByServer(initialMaterial.routes);
+  const servers = [];
+  let nextPort = basePort;
+  for (const group of initialGroups) {
+    const groupSpecs = filterSpecsForGroup(group, initialMaterial.specs);
+    const groupPool = buildPool(groupSpecs);
+    const groupState = {
+      routes: group.routes,
+      pool: groupPool,
+      corsConfigByApiId: initialMaterial.corsConfigByApiId
+    };
+    if (options.warm) {
+      logger.info(`Pre-warming ${groupSpecs.size} container(s) for ${group.displayName}...`);
+      const handles = await Promise.allSettled(
+        [...groupSpecs.keys()].map((id) => groupPool.acquire(id))
+      );
+      for (const result of handles) {
+        if (result.status === "fulfilled") {
+          groupPool.release(result.value);
+        } else {
+          logger.warn(
+            `Pre-warm failed for one Lambda in ${group.displayName} (cold start cost will apply on first request): ${result.reason instanceof Error ? result.reason.message : String(result.reason)}`
+          );
+        }
+      }
+    }
+    const started = await startApiServer({
+      state: groupState,
+      rieTimeoutMs,
+      host: options.host,
+      // Increment per server; basePort=0 leaves every server on auto-alloc.
+      port: basePort === 0 ? 0 : nextPort,
+      authorizerCache,
+      jwksCache,
+      jwksWarnedUrls
+    });
+    servers.push({ group, server: started });
+    if (basePort !== 0)
+      nextPort += 1;
+  }
+  printPerServerRouteTables(servers);
   logger.info(
     `Per-Lambda concurrency: ${perLambdaConcurrency} (override with --per-lambda-concurrency)`
   );
-  process.stdout.write(`Server listening on http://${server.host}:${server.port}
-`);
+  for (const { group, server } of servers) {
+    process.stdout.write(
+      `Server listening on http://${server.host}:${server.port}  (${group.displayName})
+`
+    );
+  }
   process.stdout.write("^C to stop and clean up containers.\n");
   let watcher;
-  let orchestrator;
+  let reloadChain = Promise.resolve();
   if (options.watch) {
-    orchestrator = createReloadOrchestrator({
-      synthesizeAndBuild,
-      buildPool,
-      setServerState: server.setServerState,
-      getServerState: server.getServerState
-    });
     const initialWatchPaths = [options.output, ...lastAssetPaths.value];
     watcher = createFileWatcher({
       paths: initialWatchPaths,
       onChange: () => {
-        if (!orchestrator)
-          return;
         logger.info("Detected file change; reloading...");
-        void orchestrator.reload().then((result) => {
-          if (result.ok && watcher && result.newState) {
-            const taggedSpecs = result.newState.pool.__cdkdSpecs;
-            if (taggedSpecs) {
-              lastAssetPaths.value = computeAssetPaths(taggedSpecs);
-            }
-            watcher.update([options.output, ...lastAssetPaths.value]);
-            if (result.added.length > 0 || result.removed.length > 0) {
-              printRouteTable(result.newState.routes);
-            }
-          }
-        }).catch((err) => {
-          logger.warn(
-            `Reload failed: ${err instanceof Error ? err.message : String(err)}. Keeping previous version.`
-          );
-        });
+        const next = reloadChain.then(
+          () => reloadAllServers({
+            synthesizeAndBuild,
+            servers,
+            buildPool,
+            computeAssetPaths,
+            lastAssetPaths,
+            watcher,
+            output: options.output,
+            logger
+          })
+        );
+        reloadChain = next.catch(() => void 0);
       }
     });
     logger.info(`Watching ${options.output} (and ${lastAssetPaths.value.length} asset dir(s))`);
@@ -76041,16 +76069,28 @@ async function localStartApiCommand(options) {
         logger.warn(`watcher.close() failed: ${err instanceof Error ? err.message : String(err)}`);
       }
     }
-    try {
-      await server.close();
-    } catch (err) {
-      logger.warn(`server.close() failed: ${err instanceof Error ? err.message : String(err)}`);
-    }
-    try {
-      await server.getServerState().pool.dispose();
-    } catch (err) {
-      logger.warn(`pool.dispose() failed: ${err instanceof Error ? err.message : String(err)}`);
-    }
+    await Promise.allSettled(
+      servers.map(async ({ server, group }) => {
+        try {
+          await server.close();
+        } catch (err) {
+          logger.warn(
+            `server.close() failed for ${group.displayName}: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+      })
+    );
+    await Promise.allSettled(
+      servers.map(async ({ server, group }) => {
+        try {
+          await server.getServerState().pool.dispose();
+        } catch (err) {
+          logger.warn(
+            `pool.dispose() failed for ${group.displayName}: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
+      })
+    );
     for (const dir of inlineTmpDirs) {
       try {
         rmSync2(dir, { recursive: true, force: true });
@@ -76422,6 +76462,91 @@ function parsePerLambdaConcurrency(raw) {
   }
   return parsed;
 }
+function filterSpecsForGroup(group, allSpecs) {
+  const ids = /* @__PURE__ */ new Set();
+  for (const rwa of group.routes) {
+    ids.add(rwa.route.lambdaLogicalId);
+    const auth = rwa.authorizer;
+    if (auth && (auth.kind === "lambda-token" || auth.kind === "lambda-request")) {
+      ids.add(auth.lambdaLogicalId);
+    }
+  }
+  const out = /* @__PURE__ */ new Map();
+  for (const id of ids) {
+    const spec = allSpecs.get(id);
+    if (spec)
+      out.set(id, spec);
+  }
+  return out;
+}
+function printPerServerRouteTables(servers) {
+  for (const { group, server } of servers) {
+    process.stdout.write(`
+${group.displayName}  (http://${server.host}:${server.port})
+`);
+    printRouteTable(group.routes);
+  }
+}
+async function reloadAllServers(args) {
+  const {
+    synthesizeAndBuild,
+    servers,
+    buildPool,
+    computeAssetPaths,
+    lastAssetPaths,
+    watcher,
+    output,
+    logger
+  } = args;
+  let material;
+  try {
+    material = await synthesizeAndBuild();
+  } catch (err) {
+    logger.warn(
+      `cdk synth failed during reload; keeping previous version. (${err instanceof Error ? err.message : String(err)})`
+    );
+    return;
+  }
+  const newGroups = groupRoutesByServer(material.routes);
+  const newByKey = new Map(newGroups.map((g) => [g.serverKey, g]));
+  const oldKeys = new Set(servers.map((s) => s.group.serverKey));
+  const newKeys = new Set(newByKey.keys());
+  const added = [...newKeys].filter((k) => !oldKeys.has(k));
+  const removed = [...oldKeys].filter((k) => !newKeys.has(k));
+  if (added.length > 0) {
+    logger.warn(
+      `Reload detected new API surface(s): ${added.join(", ")}. Restart 'cdkd local start-api' to serve them.`
+    );
+  }
+  if (removed.length > 0) {
+    logger.warn(
+      `Reload detected removed API surface(s): ${removed.join(", ")}. Their servers will keep serving stale routes until restart.`
+    );
+  }
+  for (const booted of servers) {
+    const group = newByKey.get(booted.group.serverKey);
+    if (!group)
+      continue;
+    const groupSpecs = filterSpecsForGroup(group, material.specs);
+    const newPool = buildPool(groupSpecs);
+    const newState = {
+      routes: group.routes,
+      pool: newPool,
+      corsConfigByApiId: material.corsConfigByApiId
+    };
+    const previousState = booted.server.setServerState(newState);
+    void previousState.pool.dispose().catch((err) => {
+      logger.debug(
+        `Previous pool dispose() failed for ${group.displayName}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    });
+  }
+  lastAssetPaths.value = computeAssetPaths(material.specs);
+  if (watcher) {
+    watcher.update([output, ...lastAssetPaths.value]);
+  }
+  printPerServerRouteTables(servers);
+}
 function parseDebugPort(raw) {
   const parsed = parseInt(raw, 10);
   if (!Number.isFinite(parsed) || parsed < 1 || parsed > 65535) {
@@ -76444,8 +76569,8 @@ function createLocalStartApiCommand() {
   ).addOption(new Option7("--no-pull", "Skip docker pull (cached image)")).addOption(
     new Option7(
       "--container-host <host>",
-      "Hostname/IP the container reaches the host on"
-    ).default("host.docker.internal")
+      "IP the host uses to bind/probe the RIE port (must be a numeric IP \u2014 `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1."
+    ).default("127.0.0.1")
   ).addOption(
     new Option7(
       "--debug-port-base <port>",
@@ -76471,12 +76596,1488 @@ function createLocalStartApiCommand() {
       "--stage <name>",
       "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation \u2014 HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage."
     )
+  ).addOption(
+    new Option7(
+      "--api <id>",
+      "Restrict to a single API surface by its logical id (HTTP API / REST API logical id, or the backing Lambda's logical id for Function URLs). When unset, every discovered API gets its own server on its own port (basePort, basePort+1, ... when --port is set; auto-allocated otherwise)."
+    )
   ).action(withErrorHandling(localStartApiCommand));
   [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => startApi.addOption(opt));
   startApi.addOption(deprecatedRegionOption);
   return startApi;
 }
 
+// src/cli/commands/local-run-task.ts
+import { readFileSync as readFileSync7 } from "node:fs";
+import { Command as Command15, Option as Option8 } from "commander";
+
+// src/local/ecs-task-resolver.ts
+import { dirname as dirname5, isAbsolute as isAbsolute4, resolve as resolve8 } from "node:path";
+import { existsSync as existsSync5, statSync as statSync4 } from "node:fs";
+var EcsTaskResolutionError = class _EcsTaskResolutionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EcsTaskResolutionError";
+    Object.setPrototypeOf(this, _EcsTaskResolutionError.prototype);
+  }
+};
+function parseEcsTarget(target) {
+  if (typeof target !== "string" || target.length === 0) {
+    throw new EcsTaskResolutionError(
+      "Empty target. Pass a CDK display path (e.g. 'MyStack/MyService/TaskDef') or stack-qualified logical ID (e.g. 'MyStack:MyServiceTaskDefXYZ1234')."
+    );
+  }
+  const colonIdx = target.indexOf(":");
+  const slashIdx = target.indexOf("/");
+  if (colonIdx > 0 && (slashIdx === -1 || colonIdx < slashIdx)) {
+    const stackPattern = target.substring(0, colonIdx);
+    const pathOrId = target.substring(colonIdx + 1);
+    if (pathOrId.length === 0) {
+      throw new EcsTaskResolutionError(`Target '${target}' has no logical ID after ':'.`);
+    }
+    return { stackPattern, pathOrId, isPath: pathOrId.includes("/") };
+  }
+  if (slashIdx > 0) {
+    return { stackPattern: target.substring(0, slashIdx), pathOrId: target, isPath: true };
+  }
+  return { stackPattern: null, pathOrId: target, isPath: false };
+}
+function resolveEcsTaskTarget(target, stacks) {
+  if (stacks.length === 0) {
+    throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
+  }
+  const parsed = parseEcsTarget(target);
+  const stack = pickStack2(parsed, stacks);
+  const resources = stack.template.Resources ?? {};
+  let logicalId;
+  let resource;
+  if (parsed.isPath) {
+    const index = buildCdkPathIndex(stack.template);
+    const resolved = resolveCdkPathToLogicalIds(parsed.pathOrId, index);
+    const taskDefs = resolved.filter(
+      ({ logicalId: l }) => resources[l]?.Type === "AWS::ECS::TaskDefinition"
+    );
+    if (taskDefs.length === 0) {
+      throw notFoundError2(target, stack, resources);
+    }
+    if (taskDefs.length > 1) {
+      throw new EcsTaskResolutionError(
+        `Target '${target}' matches ${taskDefs.length} task definitions in ${stack.stackName}: ` + taskDefs.map((t) => t.logicalId).join(", ") + ". Refine the path or use the stack:LogicalId form."
+      );
+    }
+    logicalId = taskDefs[0].logicalId;
+    resource = resources[logicalId];
+  } else {
+    resource = resources[parsed.pathOrId];
+    if (!resource)
+      throw notFoundError2(target, stack, resources);
+    logicalId = parsed.pathOrId;
+  }
+  if (!logicalId || !resource)
+    throw notFoundError2(target, stack, resources);
+  if (resource.Type === "AWS::Lambda::Function") {
+    throw new EcsTaskResolutionError(
+      `Resource '${logicalId}' in ${stack.stackName} is a Lambda function, not an ECS task definition. Use \`cdkd local invoke\` for Lambda; \`cdkd local run-task\` is ECS only.`
+    );
+  }
+  if (resource.Type !== "AWS::ECS::TaskDefinition") {
+    throw new EcsTaskResolutionError(
+      `Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`
+    );
+  }
+  return extractTaskDefinitionProperties(stack, logicalId, resource);
+}
+function pickStack2(parsed, stacks) {
+  if (parsed.stackPattern === null) {
+    if (stacks.length === 1)
+      return stacks[0];
+    throw new EcsTaskResolutionError(
+      `Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
+    );
+  }
+  const matched = matchStacks(stacks, [parsed.stackPattern]);
+  if (matched.length === 0) {
+    throw new EcsTaskResolutionError(
+      `Stack '${parsed.stackPattern}' not found. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
+    );
+  }
+  if (matched.length > 1) {
+    throw new EcsTaskResolutionError(
+      `Stack pattern '${parsed.stackPattern}' matched ${matched.length} stacks: ` + matched.map((s) => s.stackName).join(", ") + ". Use a more specific pattern."
+    );
+  }
+  return matched[0];
+}
+function extractTaskDefinitionProperties(stack, logicalId, resource) {
+  const props = resource.Properties ?? {};
+  const warnings = [];
+  const family = pickString(props["Family"]) ?? logicalId;
+  const rawNetworkMode = pickString(props["NetworkMode"]) ?? "bridge";
+  let networkMode;
+  if (rawNetworkMode === "bridge" || rawNetworkMode === "awsvpc" || rawNetworkMode === "host" || rawNetworkMode === "none") {
+    networkMode = rawNetworkMode;
+  } else {
+    throw new EcsTaskResolutionError(
+      `Task definition '${logicalId}' has unsupported NetworkMode '${rawNetworkMode}'. Supported values: bridge / awsvpc / host / none.`
+    );
+  }
+  if (networkMode === "awsvpc") {
+    warnings.push(
+      `NetworkMode 'awsvpc' on '${logicalId}' is mapped to docker bridge locally \u2014 docker cannot emulate ENI-per-task. AWS SDK calls still reach public endpoints via the developer network.`
+    );
+  }
+  const resources = stack.template.Resources ?? {};
+  const taskRoleArn = resolveRoleArn(props["TaskRoleArn"], resources);
+  const executionRoleArn = resolveRoleArn(props["ExecutionRoleArn"], resources);
+  const runtimePlatform = parseRuntimePlatform(props["RuntimePlatform"]);
+  const rawContainers = props["ContainerDefinitions"];
+  if (!Array.isArray(rawContainers) || rawContainers.length === 0) {
+    throw new EcsTaskResolutionError(`Task definition '${logicalId}' has no ContainerDefinitions.`);
+  }
+  const containers = rawContainers.map(
+    (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack)
+  );
+  const rawVolumes = props["Volumes"];
+  const volumes = Array.isArray(rawVolumes) ? rawVolumes.map((v, idx) => parseVolume(v, idx, logicalId)) : [];
+  const containerNames = new Set(containers.map((c) => c.name));
+  for (const c of containers) {
+    for (const d of c.dependsOn) {
+      if (!containerNames.has(d.containerName)) {
+        throw new EcsTaskResolutionError(
+          `Container '${c.name}' depends on '${d.containerName}', which is not defined in task '${logicalId}'.`
+        );
+      }
+    }
+  }
+  const out = {
+    stack,
+    taskDefinitionLogicalId: logicalId,
+    resource,
+    family,
+    networkMode,
+    containers,
+    volumes,
+    warnings
+  };
+  if (taskRoleArn !== void 0)
+    out.taskRoleArn = taskRoleArn;
+  if (executionRoleArn !== void 0)
+    out.executionRoleArn = executionRoleArn;
+  if (runtimePlatform !== void 0)
+    out.runtimePlatform = runtimePlatform;
+  return out;
+}
+function parseRuntimePlatform(value) {
+  if (!value || typeof value !== "object")
+    return void 0;
+  const obj = value;
+  const cpu = obj["CpuArchitecture"];
+  const os = obj["OperatingSystemFamily"];
+  if (typeof cpu !== "string" || typeof os !== "string")
+    return void 0;
+  if (cpu !== "X86_64" && cpu !== "ARM64")
+    return void 0;
+  if (os !== "LINUX")
+    return void 0;
+  return { cpuArchitecture: cpu, operatingSystemFamily: os };
+}
+function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack) {
+  if (!raw || typeof raw !== "object") {
+    throw new EcsTaskResolutionError(
+      `Task '${taskLogicalId}' ContainerDefinitions[${idx}] is not an object.`
+    );
+  }
+  const c = raw;
+  const name = pickString(c["Name"]);
+  if (!name) {
+    throw new EcsTaskResolutionError(
+      `Task '${taskLogicalId}' ContainerDefinitions[${idx}] has no Name.`
+    );
+  }
+  const image = parseContainerImage(c["Image"], name, taskLogicalId, resources, stack);
+  const command = pickStringArray2(c["Command"]);
+  const entryPoint = pickStringArray2(c["EntryPoint"]);
+  const workingDirectory = pickString(c["WorkingDirectory"]);
+  const environment = {};
+  if (Array.isArray(c["Environment"])) {
+    for (const entry of c["Environment"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const e = entry;
+      const key = pickString(e["Name"]);
+      const value = e["Value"];
+      if (!key)
+        continue;
+      if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+        environment[key] = String(value);
+      }
+    }
+  }
+  const secrets = [];
+  if (Array.isArray(c["Secrets"])) {
+    for (const entry of c["Secrets"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const e = entry;
+      const sName = pickString(e["Name"]);
+      const valueFrom = pickString(e["ValueFrom"]);
+      if (sName && valueFrom)
+        secrets.push({ name: sName, valueFrom });
+    }
+  }
+  const portMappings = [];
+  if (Array.isArray(c["PortMappings"])) {
+    for (const entry of c["PortMappings"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const p = entry;
+      const containerPort = typeof p["ContainerPort"] === "number" ? p["ContainerPort"] : void 0;
+      if (containerPort === void 0)
+        continue;
+      const hostPort = typeof p["HostPort"] === "number" ? p["HostPort"] : void 0;
+      const protocol = pickString(p["Protocol"]) === "udp" ? "udp" : "tcp";
+      const pm = { containerPort, protocol };
+      if (hostPort !== void 0)
+        pm.hostPort = hostPort;
+      portMappings.push(pm);
+    }
+  }
+  const mountPoints = [];
+  if (Array.isArray(c["MountPoints"])) {
+    for (const entry of c["MountPoints"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const m = entry;
+      const sourceVolume = pickString(m["SourceVolume"]);
+      const containerPath = pickString(m["ContainerPath"]);
+      if (!sourceVolume || !containerPath)
+        continue;
+      mountPoints.push({
+        sourceVolume,
+        containerPath,
+        readOnly: m["ReadOnly"] === true
+      });
+    }
+  }
+  const dependsOn = [];
+  if (Array.isArray(c["DependsOn"])) {
+    for (const entry of c["DependsOn"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const d = entry;
+      const containerName = pickString(d["ContainerName"]);
+      const condition = pickString(d["Condition"]);
+      if (!containerName || !condition)
+        continue;
+      if (condition !== "START" && condition !== "COMPLETE" && condition !== "SUCCESS" && condition !== "HEALTHY") {
+        throw new EcsTaskResolutionError(
+          `Container '${name}' has invalid DependsOn condition '${condition}'. Accepted values: START / COMPLETE / SUCCESS / HEALTHY.`
+        );
+      }
+      dependsOn.push({ containerName, condition });
+    }
+  }
+  const links = pickStringArray2(c["Links"]) ?? [];
+  const essential = c["Essential"] === false ? false : true;
+  let healthCheck;
+  if (c["HealthCheck"] && typeof c["HealthCheck"] === "object") {
+    const h = c["HealthCheck"];
+    const command2 = pickStringArray2(h["Command"]);
+    if (command2 && command2.length > 0) {
+      healthCheck = { command: command2 };
+      if (typeof h["Interval"] === "number")
+        healthCheck.interval = h["Interval"];
+      if (typeof h["Timeout"] === "number")
+        healthCheck.timeout = h["Timeout"];
+      if (typeof h["Retries"] === "number")
+        healthCheck.retries = h["Retries"];
+      if (typeof h["StartPeriod"] === "number")
+        healthCheck.startPeriod = h["StartPeriod"];
+    }
+  }
+  const user = pickString(c["User"]);
+  const privileged = c["Privileged"] === true ? true : void 0;
+  const readonlyRootFilesystem = c["ReadonlyRootFilesystem"] === true ? true : void 0;
+  const ulimits = [];
+  if (Array.isArray(c["Ulimits"])) {
+    for (const entry of c["Ulimits"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const u = entry;
+      const uName = pickString(u["Name"]);
+      const soft = typeof u["SoftLimit"] === "number" ? u["SoftLimit"] : void 0;
+      const hard = typeof u["HardLimit"] === "number" ? u["HardLimit"] : void 0;
+      if (!uName || soft === void 0 || hard === void 0)
+        continue;
+      ulimits.push({ name: uName, softLimit: soft, hardLimit: hard });
+    }
+  }
+  const out = {
+    name,
+    image,
+    environment,
+    secrets,
+    portMappings,
+    mountPoints,
+    dependsOn,
+    links,
+    essential,
+    ulimits
+  };
+  if (command !== void 0)
+    out.command = command;
+  if (entryPoint !== void 0)
+    out.entryPoint = entryPoint;
+  if (workingDirectory !== void 0)
+    out.workingDirectory = workingDirectory;
+  if (healthCheck !== void 0)
+    out.healthCheck = healthCheck;
+  if (user !== void 0)
+    out.user = user;
+  if (privileged !== void 0)
+    out.privileged = privileged;
+  if (readonlyRootFilesystem !== void 0)
+    out.readonlyRootFilesystem = readonlyRootFilesystem;
+  return out;
+}
+function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack) {
+  const flat = extractImageString(raw);
+  if (!flat) {
+    throw new EcsTaskResolutionError(
+      `Container '${containerName}' in task '${taskLogicalId}' has an unparseable Image property. cdkd local run-task v1 supports flat string images, single-key Fn::Sub bodies, and CDK-asset Image references.`
+    );
+  }
+  if (flat.includes("cdk-hnb659fds-container-assets-")) {
+    const hashMatch = /:([a-f0-9]{8,})$/.exec(flat);
+    const out = { kind: "cdk-asset" };
+    if (hashMatch)
+      out.assetHash = hashMatch[1];
+    return out;
+  }
+  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(flat);
+  if (ecrMatch) {
+    return { kind: "ecr", uri: flat, account: ecrMatch[1], region: ecrMatch[2] };
+  }
+  if (flat.includes("${") && flat.includes("AWS::AccountId")) {
+    throw new EcsTaskResolutionError(
+      `Container '${containerName}' in task '${taskLogicalId}' has an Image that references AWS pseudo parameters (${flat}). cdkd local run-task v1 cannot resolve account-scoped ECR repos at synth time. Build the image locally (CDK ContainerImage.fromAsset) or pin to a public image to test locally.`
+    );
+  }
+  for (const [refLogicalId, res] of Object.entries(resources)) {
+    if (res.Type === "AWS::ECR::Repository" && flat.includes(refLogicalId)) {
+      throw new EcsTaskResolutionError(
+        `Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${refLogicalId}'. cdkd local run-task v1 cannot resolve the repository URI without state \u2014 build via ContainerImage.fromAsset or pin a public image.`
+      );
+    }
+  }
+  return { kind: "public", uri: flat };
+}
+function extractImageString(value) {
+  if (typeof value === "string" && value.length > 0)
+    return value;
+  if (value && typeof value === "object") {
+    const obj = value;
+    const sub = obj["Fn::Sub"];
+    if (typeof sub === "string" && sub.length > 0)
+      return sub;
+    if (Array.isArray(sub) && typeof sub[0] === "string")
+      return sub[0];
+    const join11 = obj["Fn::Join"];
+    if (Array.isArray(join11) && join11.length === 2 && Array.isArray(join11[1])) {
+      const sep = typeof join11[0] === "string" ? join11[0] : "";
+      const parts = join11[1].map((p) => typeof p === "string" ? p : extractImageString(p)).filter((p) => p !== void 0);
+      if (parts.length === join11[1].length)
+        return parts.join(sep);
+    }
+  }
+  return void 0;
+}
+function parseVolume(raw, idx, taskLogicalId) {
+  if (!raw || typeof raw !== "object") {
+    throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] is not an object.`);
+  }
+  const v = raw;
+  const name = pickString(v["Name"]);
+  if (!name) {
+    throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] has no Name.`);
+  }
+  if (v["EFSVolumeConfiguration"]) {
+    throw new EcsTaskResolutionError(
+      `Task '${taskLogicalId}' Volumes[${idx}] '${name}' uses EFSVolumeConfiguration, which cdkd local run-task cannot proxy locally. Workaround: bind-mount a local directory at the same containerPath via Host: { SourcePath: '<local-path>' }, or override at runtime via --env-vars semantics for a Phase 2 follow-up.`
+    );
+  }
+  if (v["FSxWindowsFileServerVolumeConfiguration"]) {
+    throw new EcsTaskResolutionError(
+      `Task '${taskLogicalId}' Volumes[${idx}] '${name}' uses FSxWindowsFileServerVolumeConfiguration, which cdkd local run-task cannot proxy locally.`
+    );
+  }
+  const dockerCfg = v["DockerVolumeConfiguration"];
+  if (dockerCfg && typeof dockerCfg === "object") {
+    const d = dockerCfg;
+    const scope = pickString(d["Scope"]) === "shared" ? "shared" : "task";
+    const cfg = { scope };
+    if (typeof d["Autoprovision"] === "boolean")
+      cfg.autoprovision = d["Autoprovision"];
+    const driver = pickString(d["Driver"]);
+    if (driver)
+      cfg.driver = driver;
+    if (d["DriverOpts"] && typeof d["DriverOpts"] === "object") {
+      const opts = {};
+      for (const [k, val] of Object.entries(d["DriverOpts"])) {
+        if (typeof val === "string")
+          opts[k] = val;
+      }
+      cfg.driverOpts = opts;
+    }
+    if (d["Labels"] && typeof d["Labels"] === "object") {
+      const labels = {};
+      for (const [k, val] of Object.entries(d["Labels"])) {
+        if (typeof val === "string")
+          labels[k] = val;
+      }
+      cfg.labels = labels;
+    }
+    return { name, kind: "docker", dockerVolumeConfig: cfg };
+  }
+  const host = v["Host"];
+  if (host && typeof host === "object") {
+    const sourcePath = pickString(host["SourcePath"]);
+    if (sourcePath) {
+      const abs = isAbsolute4(sourcePath) ? sourcePath : resolve8(process.cwd(), sourcePath);
+      return { name, kind: "host", hostPath: abs };
+    }
+  }
+  return { name, kind: "host" };
+}
+function resolveRoleArn(value, resources) {
+  if (value === void 0 || value === null)
+    return void 0;
+  if (typeof value === "string")
+    return value;
+  if (typeof value !== "object")
+    return void 0;
+  const obj = value;
+  if ("Ref" in obj && typeof obj["Ref"] === "string") {
+    const refLogicalId = obj["Ref"];
+    const role = resources[refLogicalId];
+    if (role?.Type === "AWS::IAM::Role") {
+      return void 0;
+    }
+  }
+  if ("Fn::GetAtt" in obj) {
+    const arg = obj["Fn::GetAtt"];
+    if (Array.isArray(arg) && typeof arg[0] === "string") {
+      const refLogicalId = arg[0];
+      const role = resources[refLogicalId];
+      if (role?.Type === "AWS::IAM::Role") {
+        return void 0;
+      }
+    }
+  }
+  return void 0;
+}
+function pickString(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function pickStringArray2(value) {
+  if (!Array.isArray(value))
+    return void 0;
+  const out = [];
+  for (const v of value) {
+    if (typeof v === "string")
+      out.push(v);
+  }
+  return out;
+}
+function notFoundError2(target, stack, resources) {
+  const tasks = [];
+  for (const [logicalId, resource] of Object.entries(resources)) {
+    if (resource.Type !== "AWS::ECS::TaskDefinition")
+      continue;
+    const meta = resource.Metadata;
+    const cdkPath = typeof meta?.["aws:cdk:path"] === "string" ? meta["aws:cdk:path"] : "";
+    tasks.push({ displayPath: cdkPath || logicalId, logicalId });
+  }
+  let msg = `target '${target}' did not match any ECS task definition in ${stack.stackName}.
+
+`;
+  if (tasks.length === 0) {
+    msg += `Stack ${stack.stackName} has no AWS::ECS::TaskDefinition resources.`;
+  } else {
+    const width = Math.max(...tasks.map((t) => t.displayPath.length));
+    msg += `Available task definitions in ${stack.stackName}:
+`;
+    for (const t of tasks) {
+      msg += `  ${t.displayPath.padEnd(width)}  (${t.logicalId})
+`;
+    }
+  }
+  return new EcsTaskResolutionError(msg.trimEnd());
+}
+function checkVolumeHostPath(hostPath) {
+  try {
+    return existsSync5(hostPath) && statSync4(hostPath).isDirectory();
+  } catch {
+    return false;
+  }
+}
+
+// src/local/ecs-task-runner.ts
+import { execFile as execFile6, spawn as spawn5 } from "node:child_process";
+import { randomBytes as randomBytes2 } from "node:crypto";
+import { dirname as dirname6 } from "node:path";
+import { promisify as promisify6 } from "node:util";
+import graphlib2 from "graphlib";
+
+// src/local/ecs-network.ts
+import { execFile as execFile5 } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import { promisify as promisify5 } from "node:util";
+var execFileAsync5 = promisify5(execFile5);
+var METADATA_ENDPOINT_IMAGE = "amazon/amazon-ecs-local-container-endpoints:latest-amd64";
+var METADATA_ENDPOINT_IP = "169.254.170.2";
+var METADATA_ENDPOINT_SUBNET = "169.254.170.0/24";
+async function createTaskNetwork(options = {}) {
+  const logger = getLogger().child("ecs-network");
+  const prefix = options.prefix ?? "cdkd-local";
+  const suffix = randomBytes(4).toString("hex");
+  const networkName = `${prefix}-task-${suffix}`;
+  await pullImage(METADATA_ENDPOINT_IMAGE, options.skipPull ?? false);
+  logger.info(`Creating docker network ${networkName} (subnet ${METADATA_ENDPOINT_SUBNET})...`);
+  try {
+    await execFileAsync5("docker", [
+      "network",
+      "create",
+      "--driver",
+      "bridge",
+      "--subnet",
+      METADATA_ENDPOINT_SUBNET,
+      networkName
+    ]);
+  } catch (err) {
+    const e = err;
+    throw new DockerRunnerError(
+      `docker network create failed: ${e.stderr?.trim() || e.message || String(err)}. Hint: another cdkd run-task on the same host may already own subnet ${METADATA_ENDPOINT_SUBNET}; wait for it to finish, or remove the leftover network with \`docker network ls\` + \`docker network rm\`.`
+    );
+  }
+  const sidecarArgs = [
+    "run",
+    "-d",
+    "--rm",
+    "--name",
+    `${networkName}-metadata`,
+    "--network",
+    networkName,
+    "--ip",
+    METADATA_ENDPOINT_IP
+  ];
+  const sidecarEnv = {};
+  if (options.credentials) {
+    sidecarEnv["AWS_ACCESS_KEY_ID"] = options.credentials.accessKeyId;
+    sidecarEnv["AWS_SECRET_ACCESS_KEY"] = options.credentials.secretAccessKey;
+    if (options.credentials.sessionToken) {
+      sidecarEnv["AWS_SESSION_TOKEN"] = options.credentials.sessionToken;
+    }
+  }
+  if (options.cluster)
+    sidecarEnv["CLUSTER"] = options.cluster;
+  for (const [k, v] of Object.entries(sidecarEnv)) {
+    sidecarArgs.push("-e", `${k}=${v}`);
+  }
+  sidecarArgs.push(METADATA_ENDPOINT_IMAGE);
+  logger.info("Starting ECS local-container-endpoints sidecar at 169.254.170.2...");
+  let sidecarContainerId;
+  try {
+    const { stdout } = await execFileAsync5("docker", sidecarArgs, {
+      maxBuffer: 10 * 1024 * 1024
+    });
+    sidecarContainerId = stdout.trim();
+  } catch (err) {
+    await destroyNetworkOnly(networkName);
+    const e = err;
+    throw new DockerRunnerError(
+      `Failed to start metadata-endpoints sidecar: ${e.stderr?.trim() || e.message || String(err)}`
+    );
+  }
+  return { networkName, sidecarContainerId };
+}
+function buildMetadataEnv(opts) {
+  const env = {
+    ECS_CONTAINER_METADATA_URI_V4: `http://${METADATA_ENDPOINT_IP}/v4/${opts.containerName}`,
+    ECS_CONTAINER_METADATA_URI: `http://${METADATA_ENDPOINT_IP}/v3/${opts.containerName}`
+  };
+  if (opts.roleArn) {
+    env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"] = `/role/${encodeURIComponent(opts.roleArn)}`;
+  }
+  if (opts.region)
+    env["AWS_REGION"] = opts.region;
+  return env;
+}
+async function destroyTaskNetwork(net) {
+  if (!net)
+    return;
+  await removeContainer(net.sidecarContainerId);
+  await destroyNetworkOnly(net.networkName);
+}
+async function destroyNetworkOnly(networkName) {
+  if (!networkName)
+    return;
+  const logger = getLogger().child("ecs-network");
+  try {
+    await execFileAsync5("docker", ["network", "rm", networkName]);
+    logger.debug(`Removed docker network ${networkName}`);
+  } catch (err) {
+    const e = err;
+    logger.debug(
+      `docker network rm ${networkName} failed: ${e.stderr || e.message || String(err)}`
+    );
+  }
+}
+
+// src/local/ecs-secrets-resolver.ts
+import { SecretsManagerClient as SecretsManagerClient3, GetSecretValueCommand as GetSecretValueCommand2 } from "@aws-sdk/client-secrets-manager";
+import { SSMClient as SSMClient4, GetParameterCommand as GetParameterCommand4 } from "@aws-sdk/client-ssm";
+var EcsSecretsResolutionError = class _EcsSecretsResolutionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EcsSecretsResolutionError";
+    Object.setPrototypeOf(this, _EcsSecretsResolutionError.prototype);
+  }
+};
+async function resolveEcsSecrets(entries, options = {}) {
+  if (entries.length === 0)
+    return [];
+  const logger = getLogger().child("ecs-secrets");
+  const secretsClient = options.secretsManagerClient ?? new SecretsManagerClient3({ ...options.region && { region: options.region } });
+  const ssmClient = options.ssmClient ?? new SSMClient4({ ...options.region && { region: options.region } });
+  const ownsSecretsClient = options.secretsManagerClient === void 0;
+  const ownsSsmClient = options.ssmClient === void 0;
+  try {
+    const results = await Promise.all(
+      entries.map(async (entry) => {
+        const value = await resolveOne(entry, secretsClient, ssmClient);
+        logger.debug(`Resolved secret ${entry.containerName}.${entry.name} (${entry.valueFrom})`);
+        return { ...entry, value };
+      })
+    );
+    return results;
+  } finally {
+    if (ownsSecretsClient)
+      secretsClient.destroy();
+    if (ownsSsmClient)
+      ssmClient.destroy();
+  }
+}
+async function resolveOne(entry, secretsClient, ssmClient) {
+  const arn = entry.valueFrom;
+  const shape = classifySecretArn(arn);
+  switch (shape.kind) {
+    case "secrets-manager":
+      return resolveSecretsManager(entry, shape, secretsClient);
+    case "ssm":
+      return resolveSsm(entry, shape, ssmClient);
+    case "unknown":
+      throw new EcsSecretsResolutionError(
+        `Container '${entry.containerName}' secret '${entry.name}' references an unsupported ValueFrom shape '${arn}'. Expected Secrets Manager ARN (optionally with :<json-key>::) or SSM Parameter ARN.`
+      );
+  }
+}
+function classifySecretArn(arn) {
+  if (!arn.startsWith("arn:"))
+    return { kind: "unknown" };
+  const smMatch = /^(arn:[^:]+:secretsmanager:[^:]+:\d+:secret:[^:]+)(?::([^:]+)::?)?$/.exec(arn);
+  if (smMatch) {
+    const out = { kind: "secrets-manager", baseArn: smMatch[1] };
+    if (smMatch[2])
+      out.jsonKey = smMatch[2];
+    return out;
+  }
+  const ssmMatch = /^arn:[^:]+:ssm:[^:]+:\d+:parameter(\/.+)$/.exec(arn);
+  if (ssmMatch) {
+    return { kind: "ssm", name: ssmMatch[1] };
+  }
+  return { kind: "unknown" };
+}
+async function resolveSecretsManager(entry, shape, client) {
+  let secretString;
+  try {
+    const resp = await client.send(new GetSecretValueCommand2({ SecretId: shape.baseArn }));
+    secretString = resp.SecretString;
+  } catch (err) {
+    throw new EcsSecretsResolutionError(
+      `Failed to resolve Secrets Manager secret for container '${entry.containerName}' / env '${entry.name}' (${shape.baseArn}): ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (secretString === void 0) {
+    throw new EcsSecretsResolutionError(
+      `Secrets Manager returned no SecretString for container '${entry.containerName}' / env '${entry.name}' (${shape.baseArn}). Binary secrets are not supported.`
+    );
+  }
+  if (shape.jsonKey === void 0)
+    return secretString;
+  let parsed;
+  try {
+    parsed = JSON.parse(secretString);
+  } catch (err) {
+    throw new EcsSecretsResolutionError(
+      `Container '${entry.containerName}' secret '${entry.name}' specified json-key '${shape.jsonKey}' but the secret value is not valid JSON: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new EcsSecretsResolutionError(
+      `Container '${entry.containerName}' secret '${entry.name}' specified json-key '${shape.jsonKey}' but the secret root is not a JSON object.`
+    );
+  }
+  const value = parsed[shape.jsonKey];
+  if (value === void 0) {
+    throw new EcsSecretsResolutionError(
+      `Container '${entry.containerName}' secret '${entry.name}' specified json-key '${shape.jsonKey}' but no such key exists in the secret JSON.`
+    );
+  }
+  return typeof value === "string" ? value : JSON.stringify(value);
+}
+async function resolveSsm(entry, shape, client) {
+  try {
+    const resp = await client.send(
+      new GetParameterCommand4({ Name: shape.name, WithDecryption: true })
+    );
+    const value = resp.Parameter?.Value;
+    if (value === void 0) {
+      throw new EcsSecretsResolutionError(
+        `SSM parameter '${shape.name}' returned no Value for container '${entry.containerName}' / env '${entry.name}'.`
+      );
+    }
+    return value;
+  } catch (err) {
+    if (err instanceof EcsSecretsResolutionError)
+      throw err;
+    throw new EcsSecretsResolutionError(
+      `Failed to resolve SSM parameter for container '${entry.containerName}' / env '${entry.name}' (${shape.name}): ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+
+// src/local/ecs-task-runner.ts
+var execFileAsync6 = promisify6(execFile6);
+var EcsTaskRunnerError = class _EcsTaskRunnerError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EcsTaskRunnerError";
+    Object.setPrototypeOf(this, _EcsTaskRunnerError.prototype);
+  }
+};
+function createEcsRunState() {
+  return { network: void 0, dockerVolumeNames: [], startedContainers: [], logStoppers: [] };
+}
+async function cleanupEcsRun(state, options) {
+  const logger = getLogger().child("ecs-runner");
+  for (const stop of state.logStoppers) {
+    try {
+      stop();
+    } catch (err) {
+      logger.debug(`log stream stop failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  state.logStoppers = [];
+  if (!options.keepRunning) {
+    for (const c of state.startedContainers) {
+      try {
+        await stopContainer(c.id, 10);
+      } catch (err) {
+        logger.debug(
+          `docker stop ${c.id} failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+      try {
+        await removeContainer(c.id);
+      } catch (err) {
+        logger.debug(
+          `docker rm -f ${c.id} failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+    state.startedContainers = [];
+  }
+  await destroyTaskNetwork(state.network);
+  state.network = void 0;
+  for (const v of state.dockerVolumeNames) {
+    try {
+      await execFileAsync6("docker", ["volume", "rm", v]);
+      logger.debug(`Removed docker volume ${v}`);
+    } catch (err) {
+      logger.debug(
+        `docker volume rm ${v} failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  state.dockerVolumeNames = [];
+}
+async function runEcsTask(task, options, state) {
+  const logger = getLogger();
+  if (task.containers.length === 0) {
+    throw new EcsTaskRunnerError(
+      `Task '${task.taskDefinitionLogicalId}' has no containers \u2014 nothing to run.`
+    );
+  }
+  for (const w of task.warnings)
+    logger.warn(w);
+  const dag = buildDependencyGraph(task.containers);
+  const startOrder = topoSort(dag, task.containers);
+  const imagePlan = options.imagePlanByContainer ?? /* @__PURE__ */ new Map();
+  if (!options.imagePlanByContainer) {
+    await prepareImages(task, imagePlan, options);
+  }
+  const allSecrets = [];
+  for (const c of task.containers) {
+    for (const s of c.secrets) {
+      allSecrets.push({ containerName: c.name, name: s.name, valueFrom: s.valueFrom });
+    }
+  }
+  const resolvedSecrets = await resolveEcsSecrets(allSecrets, {
+    ...options.region !== void 0 && { region: options.region }
+  });
+  const secretsByContainer = groupSecretsByContainer(resolvedSecrets);
+  const netCreateOpts = {
+    prefix: options.cluster,
+    skipPull: options.skipPull
+  };
+  if (options.taskCredentials)
+    netCreateOpts.credentials = options.taskCredentials;
+  if (options.cluster)
+    netCreateOpts.cluster = options.cluster;
+  state.network = await createTaskNetwork(netCreateOpts);
+  const volumeByName = await realizeDockerVolumes(task.volumes, state);
+  const dockerCmds = /* @__PURE__ */ new Map();
+  for (const container of task.containers) {
+    const image = imagePlan.get(container.name);
+    if (!image) {
+      throw new EcsTaskRunnerError(
+        `Internal: no resolved image for container '${container.name}'.`
+      );
+    }
+    dockerCmds.set(
+      container.name,
+      buildDockerRunArgs({
+        task,
+        container,
+        image,
+        network: state.network.networkName,
+        volumeByName,
+        secrets: secretsByContainer.get(container.name) ?? [],
+        envOverrides: options.envOverrides,
+        containerHost: options.containerHost,
+        roleArn: options.taskRoleArn,
+        platformOverride: options.platformOverride,
+        region: options.region
+      })
+    );
+  }
+  const startedByName = /* @__PURE__ */ new Map();
+  for (const containerName of startOrder) {
+    const container = task.containers.find((c) => c.name === containerName);
+    await awaitDependencies(container, startedByName);
+    const args = dockerCmds.get(container.name);
+    logger.info(`Starting container '${container.name}' (image=${imagePlan.get(container.name)})`);
+    let id;
+    try {
+      const { stdout } = await execFileAsync6("docker", args, { maxBuffer: 10 * 1024 * 1024 });
+      id = stdout.trim();
+    } catch (err) {
+      const e = err;
+      throw new DockerRunnerError(
+        `docker run failed for container '${container.name}': ${e.stderr?.trim() || e.message || String(err)}`
+      );
+    }
+    state.startedContainers.push({ name: container.name, id });
+    startedByName.set(container.name, { id, container });
+    if (!options.detach) {
+      state.logStoppers.push(streamContainerLogs(container.name, id));
+    }
+  }
+  if (options.detach) {
+    return { exitCode: 0, state };
+  }
+  const essential = task.containers.find((c) => c.essential) ?? task.containers[0];
+  const essentialId = startedByName.get(essential.name)?.id;
+  if (!essentialId) {
+    throw new EcsTaskRunnerError(`Essential container '${essential.name}' did not start.`);
+  }
+  const exitCode = await waitForContainerExit(essentialId);
+  return { exitCode, essentialContainerName: essential.name, state };
+}
+function buildDependencyGraph(containers) {
+  const g = new graphlib2.Graph({ directed: true });
+  for (const c of containers)
+    g.setNode(c.name);
+  for (const c of containers) {
+    for (const d of c.dependsOn) {
+      g.setEdge(c.name, d.containerName);
+    }
+  }
+  const cycles = graphlib2.alg.findCycles(g);
+  if (cycles.length > 0) {
+    throw new EcsTaskRunnerError(
+      `Cyclic DependsOn detected: ${cycles.map((c) => c.join(" -> ")).join("; ")}`
+    );
+  }
+  return g;
+}
+function topoSort(g, containers) {
+  const sorted = graphlib2.alg.topsort(g);
+  const byPosition = /* @__PURE__ */ new Map();
+  containers.forEach((c, idx) => byPosition.set(c.name, idx));
+  return [...sorted].reverse().sort((a, b) => {
+    return (byPosition.get(a) ?? 0) - (byPosition.get(b) ?? 0);
+  });
+}
+async function awaitDependencies(container, started) {
+  for (const dep of container.dependsOn) {
+    const entry = started.get(dep.containerName);
+    if (!entry) {
+      throw new EcsTaskRunnerError(
+        `Container '${container.name}' depends on '${dep.containerName}' but the latter never started.`
+      );
+    }
+    switch (dep.condition) {
+      case "START":
+        break;
+      case "COMPLETE":
+        await waitForContainerExit(entry.id);
+        break;
+      case "SUCCESS": {
+        const code = await waitForContainerExit(entry.id);
+        if (code !== 0) {
+          throw new EcsTaskRunnerError(
+            `Container '${container.name}' requires dependency '${dep.containerName}' to exit 0, but it exited ${code}.`
+          );
+        }
+        break;
+      }
+      case "HEALTHY":
+        await waitForContainerHealthy(entry.id, dep.containerName);
+        break;
+    }
+  }
+}
+async function waitForContainerHealthy(containerId, displayName) {
+  const logger = getLogger().child("ecs-runner");
+  const deadline = Date.now() + 5 * 60 * 1e3;
+  let lastStatus = "";
+  while (Date.now() < deadline) {
+    try {
+      const { stdout } = await execFileAsync6("docker", [
+        "inspect",
+        "--format",
+        "{{.State.Health.Status}}",
+        containerId
+      ]);
+      const status = stdout.trim();
+      if (status !== lastStatus) {
+        logger.debug(`Container '${displayName}' health status: ${status}`);
+        lastStatus = status;
+      }
+      if (status === "healthy")
+        return;
+      if (status === "unhealthy") {
+        throw new EcsTaskRunnerError(
+          `Container '${displayName}' health status is 'unhealthy'; aborting before dependents start.`
+        );
+      }
+    } catch (err) {
+      if (err instanceof EcsTaskRunnerError)
+        throw err;
+      logger.debug(
+        `docker inspect on '${displayName}' failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    await sleep(1e3);
+  }
+  throw new EcsTaskRunnerError(
+    `Container '${displayName}' did not become healthy within 5 minutes.`
+  );
+}
+async function waitForContainerExit(containerId) {
+  try {
+    const { stdout } = await execFileAsync6("docker", ["wait", containerId], {
+      maxBuffer: 1024 * 1024
+    });
+    const code = Number.parseInt(stdout.trim(), 10);
+    return Number.isFinite(code) ? code : 1;
+  } catch (err) {
+    const e = err;
+    throw new DockerRunnerError(
+      `docker wait failed: ${e.stderr?.trim() || e.message || String(err)}`
+    );
+  }
+}
+async function stopContainer(containerId, graceSeconds) {
+  try {
+    await execFileAsync6("docker", ["stop", "-t", String(graceSeconds), containerId]);
+  } catch {
+  }
+}
+function sleep(ms) {
+  return new Promise((res) => setTimeout(res, ms));
+}
+function streamContainerLogs(containerName, containerId) {
+  const proc = spawn5("docker", ["logs", "-f", containerId], {
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  const prefix = `[${containerName}] `;
+  let stdoutBuf = "";
+  let stderrBuf = "";
+  proc.stdout?.on("data", (chunk) => {
+    stdoutBuf = writePrefixed(prefix, stdoutBuf + chunk.toString("utf-8"), process.stdout);
+  });
+  proc.stderr?.on("data", (chunk) => {
+    stderrBuf = writePrefixed(prefix, stderrBuf + chunk.toString("utf-8"), process.stderr);
+  });
+  proc.on("error", () => {
+  });
+  return () => {
+    if (stdoutBuf)
+      process.stdout.write(prefix + stdoutBuf + "\n");
+    if (stderrBuf)
+      process.stderr.write(prefix + stderrBuf + "\n");
+    if (!proc.killed)
+      proc.kill("SIGTERM");
+  };
+}
+function writePrefixed(prefix, buffer, out) {
+  const lines = buffer.split("\n");
+  const remainder = lines.pop() ?? "";
+  for (const line of lines) {
+    out.write(prefix + line + "\n");
+  }
+  return remainder;
+}
+async function prepareImages(task, out, options) {
+  const logger = getLogger().child("ecs-runner");
+  for (const container of task.containers) {
+    const image = await prepareOneImage(task, container, options);
+    out.set(container.name, image);
+    logger.debug(`Container '${container.name}' image=${image}`);
+  }
+}
+async function prepareOneImage(task, container, options) {
+  const image = container.image;
+  switch (image.kind) {
+    case "public": {
+      await pullImage(image.uri, options.skipPull);
+      return image.uri;
+    }
+    case "ecr": {
+      return pullEcrImage(image.uri, {
+        skipPull: options.skipPull,
+        ...options.region !== void 0 && { region: options.region }
+      });
+    }
+    case "cdk-asset": {
+      const cdkOutDir = task.stack.assetManifestPath ? dirname6(task.stack.assetManifestPath) : void 0;
+      if (!cdkOutDir) {
+        throw new EcsTaskRunnerError(
+          `Container '${container.name}' uses a CDK asset image but the stack has no asset manifest. Re-synthesize the app (without \`--output <stale-dir>\`) and retry.`
+        );
+      }
+      const loader = new AssetManifestLoader();
+      const manifest = await loader.loadManifest(cdkOutDir, task.stack.stackName);
+      if (!manifest) {
+        throw new EcsTaskRunnerError(
+          `No asset manifest at ${cdkOutDir} for stack ${task.stack.stackName}.`
+        );
+      }
+      const dockerImages = manifest.dockerImages ?? {};
+      const entries = Object.entries(dockerImages);
+      let asset;
+      if (image.assetHash && dockerImages[image.assetHash]) {
+        asset = dockerImages[image.assetHash];
+      } else if (entries.length === 1) {
+        asset = entries[0][1];
+      }
+      if (!asset) {
+        throw new EcsTaskRunnerError(
+          `Container '${container.name}' references a CDK asset image but no matching entry was found in cdk.out. Re-synthesize the CDK app and retry.`
+        );
+      }
+      const tag = `cdkd-local-run-task-${(image.assetHash ?? "single").slice(0, 16)}`;
+      await buildDockerImage(asset, cdkOutDir, tag, {
+        ...options.platformOverride !== void 0 && { platform: options.platformOverride },
+        wrapError: (stderr) => new LocalInvokeBuildError(
+          `docker build failed for ECS container '${container.name}' (${asset.source.directory}): ${stderr}`
+        )
+      });
+      return tag;
+    }
+  }
+}
+async function realizeDockerVolumes(volumes, state) {
+  const logger = getLogger().child("ecs-runner");
+  const out = /* @__PURE__ */ new Map();
+  for (const v of volumes) {
+    if (v.kind === "host") {
+      if (v.hostPath && !checkVolumeHostPath(v.hostPath)) {
+        logger.warn(
+          `Volume '${v.name}': host path '${v.hostPath}' does not exist or is not a directory. Docker will create an anonymous bind mount; create the host path before run-task if you expected to bind-mount it.`
+        );
+      }
+      out.set(v.name, v);
+      continue;
+    }
+    const cfg = v.dockerVolumeConfig;
+    const args = ["volume", "create"];
+    if (cfg?.driver)
+      args.push("--driver", cfg.driver);
+    if (cfg?.driverOpts) {
+      for (const [k, val] of Object.entries(cfg.driverOpts))
+        args.push("--opt", `${k}=${val}`);
+    }
+    if (cfg?.labels) {
+      for (const [k, val] of Object.entries(cfg.labels))
+        args.push("--label", `${k}=${val}`);
+    }
+    const dockerVolumeName = `cdkd-local-${v.name}-${randHex(4)}`;
+    args.push(dockerVolumeName);
+    try {
+      await execFileAsync6("docker", args);
+      state.dockerVolumeNames.push(dockerVolumeName);
+      logger.debug(`Created docker volume ${dockerVolumeName} for task volume '${v.name}'`);
+    } catch (err) {
+      const e = err;
+      throw new DockerRunnerError(
+        `docker volume create failed for '${v.name}': ${e.stderr?.trim() || e.message || String(err)}`
+      );
+    }
+    out.set(v.name, { ...v, dockerVolumeName });
+  }
+  return out;
+}
+function randHex(bytes) {
+  return randomBytes2(bytes).toString("hex");
+}
+function groupSecretsByContainer(resolved) {
+  const out = /* @__PURE__ */ new Map();
+  for (const r of resolved) {
+    const arr = out.get(r.containerName) ?? [];
+    arr.push({ name: r.name, value: r.value });
+    out.set(r.containerName, arr);
+  }
+  return out;
+}
+function buildDockerRunArgs(opts) {
+  const { task, container, image, network, volumeByName, secrets, containerHost, roleArn } = opts;
+  const args = ["run", "-d"];
+  args.push("--name", `cdkd-local-${task.family}-${container.name}-${randHex(3)}`);
+  args.push("--network", network);
+  args.push("--network-alias", container.name);
+  if (opts.platformOverride) {
+    args.push("--platform", opts.platformOverride);
+  } else if (task.runtimePlatform) {
+    args.push(
+      "--platform",
+      task.runtimePlatform.cpuArchitecture === "ARM64" ? "linux/arm64" : "linux/amd64"
+    );
+  }
+  for (const pm of container.portMappings) {
+    const hostPort = pm.hostPort ?? pm.containerPort;
+    args.push("-p", `${containerHost}:${hostPort}:${pm.containerPort}/${pm.protocol}`);
+  }
+  for (const mp of container.mountPoints) {
+    const v = volumeByName.get(mp.sourceVolume);
+    if (!v)
+      continue;
+    if (v.kind === "host") {
+      if (v.hostPath) {
+        const ro = mp.readOnly ? ":ro" : "";
+        args.push("-v", `${v.hostPath}:${mp.containerPath}${ro}`);
+      } else {
+        args.push("-v", mp.containerPath);
+      }
+    } else {
+      const name = v.dockerVolumeName ?? v.name;
+      const ro = mp.readOnly ? ":ro" : "";
+      args.push("-v", `${name}:${mp.containerPath}${ro}`);
+    }
+  }
+  const finalEnv = {};
+  const metaEnv = buildMetadataEnv({
+    containerName: container.name,
+    ...roleArn !== void 0 && { roleArn },
+    ...opts.region !== void 0 && { region: opts.region }
+  });
+  Object.assign(finalEnv, metaEnv);
+  Object.assign(finalEnv, container.environment);
+  for (const s of secrets)
+    finalEnv[s.name] = s.value;
+  const overrides = opts.envOverrides;
+  if (overrides) {
+    applyOverrideMap2(finalEnv, overrides["Parameters"]);
+    applyOverrideMap2(finalEnv, overrides[container.name]);
+  }
+  for (const [k, v] of Object.entries(finalEnv)) {
+    args.push("-e", `${k}=${v}`);
+  }
+  if (container.user)
+    args.push("--user", container.user);
+  if (container.privileged)
+    args.push("--privileged");
+  if (container.readonlyRootFilesystem)
+    args.push("--read-only");
+  if (container.workingDirectory)
+    args.push("--workdir", container.workingDirectory);
+  for (const u of container.ulimits) {
+    args.push("--ulimit", `${u.name}=${u.softLimit}:${u.hardLimit}`);
+  }
+  for (const link of container.links)
+    args.push("--link", link);
+  if (container.healthCheck) {
+    args.push("--health-cmd", shellJoin(container.healthCheck.command));
+    if (container.healthCheck.interval !== void 0) {
+      args.push("--health-interval", `${container.healthCheck.interval}s`);
+    }
+    if (container.healthCheck.timeout !== void 0) {
+      args.push("--health-timeout", `${container.healthCheck.timeout}s`);
+    }
+    if (container.healthCheck.retries !== void 0) {
+      args.push("--health-retries", String(container.healthCheck.retries));
+    }
+    if (container.healthCheck.startPeriod !== void 0) {
+      args.push("--health-start-period", `${container.healthCheck.startPeriod}s`);
+    }
+  }
+  let entryPointTail = [];
+  if (container.entryPoint && container.entryPoint.length > 0) {
+    args.push("--entrypoint", container.entryPoint[0]);
+    entryPointTail = container.entryPoint.slice(1);
+  }
+  args.push(image, ...entryPointTail, ...container.command ?? []);
+  return args;
+}
+function applyOverrideMap2(acc, map) {
+  if (!map)
+    return;
+  for (const [k, v] of Object.entries(map)) {
+    if (v === null)
+      delete acc[k];
+    else if (typeof v === "string" || typeof v === "number" || typeof v === "boolean") {
+      acc[k] = String(v);
+    }
+  }
+}
+function shellJoin(parts) {
+  return parts.map((p) => {
+    if (/^[A-Za-z0-9_\-./=:]+$/.test(p))
+      return p;
+    return `'${p.replace(/'/g, "'\\''")}'`;
+  }).join(" ");
+}
+
+// src/cli/commands/local-run-task.ts
+async function localRunTaskCommand(target, options) {
+  const logger = getLogger();
+  if (options.verbose)
+    logger.setLevel("debug");
+  warnIfDeprecatedRegion(options);
+  const state = createEcsRunState();
+  let sigintHandler;
+  let sigintCount = 0;
+  let cleanupPromise;
+  const cleanup = async () => {
+    if (!cleanupPromise) {
+      cleanupPromise = (async () => {
+        try {
+          await cleanupEcsRun(state, { keepRunning: options.keepRunning });
+        } catch (err) {
+          getLogger().debug(`cleanup failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+      })();
+    }
+    await cleanupPromise;
+  };
+  try {
+    await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
+    await ensureDockerAvailable();
+    const appCmd = resolveApp(options.app);
+    if (!appCmd) {
+      throw new Error('No CDK app specified. Pass --app, set CDKD_APP, or add "app" to cdk.json.');
+    }
+    logger.info("Synthesizing CDK app...");
+    const synthesizer = new Synthesizer();
+    const context = parseContextOptions(options.context);
+    const synthOpts = {
+      app: appCmd,
+      output: options.output,
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile },
+      ...Object.keys(context).length > 0 && { context }
+    };
+    const { stacks } = await synthesizer.synthesize(synthOpts);
+    const task = resolveEcsTaskTarget(target, stacks);
+    logger.info(
+      `Target: ${task.stack.stackName}/${task.taskDefinitionLogicalId} (family=${task.family}, containers=${task.containers.length})`
+    );
+    sigintHandler = () => {
+      sigintCount += 1;
+      if (sigintCount >= 2) {
+        process.stderr.write("Force-exit on second ^C; container cleanup skipped.\n");
+        process.exit(130);
+      }
+      logger.info("Stopping task...");
+      void cleanup().then(() => process.exit(130));
+    };
+    process.on("SIGINT", sigintHandler);
+    let assumedCredentials;
+    let resolvedRoleArn;
+    if (options.assumeTaskRole === true) {
+      if (!task.taskRoleArn) {
+        throw new Error(
+          `--assume-task-role passed without an ARN but the task definition's TaskRoleArn could not be resolved statically. Pass the ARN explicitly: --assume-task-role <arn>`
+        );
+      }
+      resolvedRoleArn = task.taskRoleArn;
+      assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
+    } else if (typeof options.assumeTaskRole === "string") {
+      resolvedRoleArn = options.assumeTaskRole;
+      assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
+    }
+    const envOverrides = readEnvOverridesFile2(options.envVars);
+    const runOpts = {
+      cluster: options.cluster,
+      containerHost: options.containerHost,
+      skipPull: options.pull === false,
+      keepRunning: options.keepRunning,
+      detach: options.detach
+    };
+    if (envOverrides)
+      runOpts.envOverrides = envOverrides;
+    if (assumedCredentials)
+      runOpts.taskCredentials = assumedCredentials;
+    if (resolvedRoleArn)
+      runOpts.taskRoleArn = resolvedRoleArn;
+    if (options.platform)
+      runOpts.platformOverride = options.platform;
+    if (options.region)
+      runOpts.region = options.region;
+    const result = await runEcsTask(task, runOpts, state);
+    if (options.detach) {
+      logger.info("Task containers started in detached mode; cdkd is exiting.");
+      logger.info(
+        `Use 'docker ps --filter network=${result.state.network?.networkName ?? "<network>"}' to inspect; tear down with 'docker rm -f' and 'docker network rm'.`
+      );
+      sigintCount = 99;
+      return;
+    }
+    if (result.essentialContainerName) {
+      logger.info(
+        `Essential container '${result.essentialContainerName}' exited with code ${result.exitCode}.`
+      );
+    }
+    if (result.exitCode !== 0) {
+      process.exitCode = result.exitCode;
+    }
+  } finally {
+    if (sigintHandler)
+      process.off("SIGINT", sigintHandler);
+    if (!options.detach)
+      await cleanup();
+  }
+}
+async function assumeTaskRole(roleArn, region) {
+  const { STSClient: STSClient11, AssumeRoleCommand: AssumeRoleCommand2 } = await import("@aws-sdk/client-sts");
+  const sts = new STSClient11({ ...region && { region } });
+  try {
+    const response = await sts.send(
+      new AssumeRoleCommand2({
+        RoleArn: roleArn,
+        RoleSessionName: `cdkd-local-run-task-${Date.now()}`,
+        DurationSeconds: 3600
+      })
+    );
+    const creds = response.Credentials;
+    if (!creds?.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) {
+      throw new Error(`AssumeRole(${roleArn}) returned no usable credentials.`);
+    }
+    return {
+      accessKeyId: creds.AccessKeyId,
+      secretAccessKey: creds.SecretAccessKey,
+      sessionToken: creds.SessionToken
+    };
+  } finally {
+    sts.destroy();
+  }
+}
+function readEnvOverridesFile2(filePath) {
+  if (!filePath)
+    return void 0;
+  let raw;
+  try {
+    raw = readFileSync7(filePath, "utf-8");
+  } catch (err) {
+    throw new Error(
+      `Failed to read --env-vars file '${filePath}': ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse --env-vars file '${filePath}' as JSON: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error(`--env-vars file '${filePath}' must contain a JSON object at the top level.`);
+  }
+  return parsed;
+}
+function createLocalRunTaskCommand() {
+  const cmd = new Command15("run-task").description(
+    "Run an AWS::ECS::TaskDefinition locally \u2014 pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix."
+  ).argument(
+    "<target>",
+    "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run"
+  ).addOption(
+    new Option8(
+      "--cluster <name>",
+      "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix"
+    ).default("cdkd-local")
+  ).addOption(
+    new Option8(
+      "--env-vars <file>",
+      'JSON env-var overrides (SAM-compatible: {"ContainerName":{"KEY":"VALUE"}, "Parameters":{}})'
+    )
+  ).addOption(
+    new Option8(
+      "--container-host <ip>",
+      "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)"
+    ).default("127.0.0.1")
+  ).addOption(
+    new Option8(
+      "--assume-task-role [arn]",
+      "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override."
+    )
+  ).addOption(
+    new Option8("--no-pull", "Skip docker pull for every container image and the metadata sidecar")
+  ).addOption(
+    new Option8(
+      "--platform <platform>",
+      "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture"
+    )
+  ).addOption(
+    new Option8(
+      "--keep-running",
+      "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems."
+    ).default(false)
+  ).addOption(
+    new Option8(
+      "--detach",
+      "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle."
+    ).default(false)
+  ).action(withErrorHandling(localRunTaskCommand));
+  [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
+  return cmd;
+}
+
 // src/cli/commands/local-invoke.ts
 async function localInvokeCommand(target, options) {
   const logger = getLogger();
@@ -76574,7 +78175,7 @@ async function localInvokeCommand(target, options) {
         }
       }
     }
-    const overrides = readEnvOverridesFile2(options.envVars);
+    const overrides = readEnvOverridesFile3(options.envVars);
     const envResult = resolveEnvVars(lambda.logicalId, templateEnv, overrides);
     for (const key of envResult.unresolved) {
       if (stateAudit && stateAudit.unresolved.some((u) => u.key === key))
@@ -76752,7 +78353,7 @@ async function resolveLocalBuildPlan(lambda) {
   const manifestPath = lambda.stack.assetManifestPath;
   if (!manifestPath)
     return void 0;
-  const cdkOutDir = dirname5(manifestPath);
+  const cdkOutDir = dirname7(manifestPath);
   const loader = new AssetManifestLoader();
   const manifest = await loader.loadManifest(cdkOutDir, lambda.stack.stackName);
   if (!manifest)
@@ -76772,12 +78373,12 @@ function getTemplateEnv2(resource) {
     return void 0;
   return vars;
 }
-function readEnvOverridesFile2(filePath) {
+function readEnvOverridesFile3(filePath) {
   if (!filePath)
     return void 0;
   let raw;
   try {
-    raw = readFileSync7(filePath, "utf-8");
+    raw = readFileSync8(filePath, "utf-8");
   } catch (err) {
     throw new Error(
       `Failed to read --env-vars file '${filePath}': ${err instanceof Error ? err.message : String(err)}`
@@ -76805,7 +78406,7 @@ async function readEvent(options) {
     return parseEvent(raw, "<stdin>");
   }
   if (options.event) {
-    const raw = readFileSync7(options.event, "utf-8");
+    const raw = readFileSync8(options.event, "utf-8");
     return parseEvent(raw, options.event);
   }
   return {};
@@ -76980,40 +78581,40 @@ function pickReferencedLogicalId(intrinsic) {
   return void 0;
 }
 function createLocalCommand() {
-  const local = new Command15("local").description(
-    "Local Lambda execution against the AWS Lambda Runtime Interface Emulator (Docker required)"
+  const local = new Command16("local").description(
+    "Local execution of Lambda functions (RIE) and ECS task definitions (Docker required)"
   );
-  const invoke = new Command15("invoke").description(
+  const invoke = new Command16("invoke").description(
     "Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix."
-  ).argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option8("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option8("--event-stdin", "Read event JSON from stdin").default(false)).addOption(
-    new Option8(
+  ).argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option9("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option9("--event-stdin", "Read event JSON from stdin").default(false)).addOption(
+    new Option9(
       "--env-vars <file>",
       'JSON env-var overrides (SAM-compatible: {"LogicalId":{"KEY":"VALUE"}})'
     )
   ).addOption(
-    new Option8(
+    new Option9(
       "--no-pull",
       "Skip docker pull (use cached image) \u2014 no-op for IMAGE local-build path; `docker build` does not pull base layers by default"
     )
   ).addOption(
-    new Option8(
+    new Option9(
       "--no-build",
       "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull."
     )
-  ).addOption(new Option8("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(
-    new Option8("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")
+  ).addOption(new Option9("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(
+    new Option9("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")
   ).addOption(
-    new Option8(
+    new Option9(
       "--assume-role <arn>",
       `Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the "developer admin / function narrow" skew). Off by default \u2014 when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default).`
     )
   ).addOption(
-    new Option8(
+    new Option9(
       "--from-state",
       "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default \u2014 keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy."
     ).default(false)
   ).addOption(
-    new Option8(
+    new Option9(
       "--stack-region <region>",
       "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions)."
     )
@@ -77024,6 +78625,7 @@ function createLocalCommand() {
   invoke.addOption(deprecatedRegionOption);
   local.addCommand(invoke);
   local.addCommand(createLocalStartApiCommand());
+  local.addCommand(createLocalRunTaskCommand());
   return local;
 }
 
@@ -77055,8 +78657,8 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command16();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.80.0");
+  const program = new Command17();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.82.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());