npm - @go-to-k/cdkd - Versions diffs - 0.81.0 → 0.82.0 - Mend

@go-to-k/cdkd 0.81.0 → 0.82.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +2 -0
package/dist/cli.js +1553 -78
package/dist/cli.js.map +4 -4
package/dist/go-to-k-cdkd-0.82.0.tgz +0 -0
package/dist/index.js.map +2 -2
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.81.0.tgz +0 -0

package/dist/cli.js CHANGED Viewed

@@ -12448,7 +12448,7 @@ var require_graphql = __commonJS({
     var _validate2 = require_validate2();
     var _execute = require_execute();
     function graphql(args) {
-      return new Promise((resolve8) => resolve8(graphqlImpl(args)));
+      return new Promise((resolve9) => resolve9(graphqlImpl(args)));
     }
     function graphqlSync(args) {
       const result = graphqlImpl(args);
@@ -17797,7 +17797,7 @@ var require_graphql2 = __commonJS({
 });
 // src/cli/index.ts
-import { Command as Command16 } from "commander";
+import { Command as Command17 } from "commander";
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -18869,7 +18869,7 @@ var IntrinsicFunctionResolver = class {
               this.logger.debug(
                 `VPC ${physicalId} IPv6 CIDR still associating (attempt ${attempt}/${maxAttempts}), waiting...`
               );
-              await new Promise((resolve8) => setTimeout(resolve8, 2e3));
+              await new Promise((resolve9) => setTimeout(resolve9, 2e3));
             }
             this.logger.warn(
               `VPC ${physicalId} IPv6 CIDR did not reach 'associated' state after ${maxAttempts} attempts`
@@ -19754,7 +19754,7 @@ var DagExecutor = class {
   async execute(concurrency, fn, cancelled = () => false) {
     let active = 0;
     const errors = [];
-    return new Promise((resolve8, reject) => {
+    return new Promise((resolve9, reject) => {
       const dispatch = () => {
         let changed = true;
         while (changed) {
@@ -19816,7 +19816,7 @@ var DagExecutor = class {
             );
             return;
           }
-          resolve8();
+          resolve9();
         }
       };
       dispatch();
@@ -20497,7 +20497,7 @@ Error: ${err.message || "Unknown error"}`,
    * Sleep for specified milliseconds
    */
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Check if a resource type is supported by Cloud Control API
@@ -21231,7 +21231,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
     return result;
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Adopt an existing custom resource into cdkd state.
@@ -21661,12 +21661,12 @@ function isRetryableTransientError(error, message) {
 }
 // src/deployment/retry.ts
-var defaultSleep = (ms) => new Promise((resolve8) => setTimeout(resolve8, ms));
+var defaultSleep = (ms) => new Promise((resolve9) => setTimeout(resolve9, ms));
 async function withRetry(operation, logicalId, opts = {}) {
   const maxRetries = opts.maxRetries ?? 8;
   const initialDelayMs = opts.initialDelayMs ?? 1e3;
   const maxDelayMs = opts.maxDelayMs ?? 8e3;
-  const sleep = opts.sleep ?? defaultSleep;
+  const sleep2 = opts.sleep ?? defaultSleep;
   let lastError;
   for (let attempt = 0; attempt <= maxRetries; attempt++) {
     try {
@@ -21686,7 +21686,7 @@ async function withRetry(operation, logicalId, opts = {}) {
         if (opts.isInterrupted?.()) {
           throw opts.onInterrupted ? opts.onInterrupted() : new Error("Interrupted");
         }
-        await sleep(Math.min(1e3, delay2 - waited));
+        await sleep2(Math.min(1e3, delay2 - waited));
       }
     }
   }
@@ -21716,7 +21716,7 @@ function validateOptions(opts) {
 async function withResourceDeadline(operation, opts) {
   validateOptions(opts);
   const startedAt = Date.now();
-  return new Promise((resolve8, reject) => {
+  return new Promise((resolve9, reject) => {
     let settled = false;
     let warnTimer;
     let timeoutTimer;
@@ -21756,7 +21756,7 @@ async function withResourceDeadline(operation, opts) {
           return;
         settled = true;
         cleanup();
-        resolve8(value);
+        resolve9(value);
       },
       (err) => {
         if (settled)
@@ -23791,7 +23791,7 @@ var AppExecutor = class {
    * Spawn subprocess and wait for completion
    */
   spawn(commandLine, env) {
-    return new Promise((resolve8, reject) => {
+    return new Promise((resolve9, reject) => {
       const proc = spawn(commandLine, {
         stdio: ["ignore", "pipe", "pipe"],
         shell: true,
@@ -23817,7 +23817,7 @@ var AppExecutor = class {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve8();
+          resolve9();
         } else {
           const stderr = stderrChunks.join("\n");
           reject(
@@ -25339,11 +25339,11 @@ var FileAssetPublisher = class {
    */
   async uploadZip(client, dirPath, bucket, key) {
     const archiver = await import("archiver");
-    const body = await new Promise((resolve8, reject) => {
+    const body = await new Promise((resolve9, reject) => {
       const chunks = [];
       const archive = archiver.default("zip", { zlib: { level: 9 } });
       archive.on("data", (chunk) => chunks.push(chunk));
-      archive.on("end", () => resolve8(Buffer.concat(chunks)));
+      archive.on("end", () => resolve9(Buffer.concat(chunks)));
       archive.on("error", reject);
       const stat4 = statSync2(dirPath);
       if (stat4.isDirectory()) {
@@ -25528,7 +25528,7 @@ var DockerAssetPublisher = class {
     const token = Buffer.from(authData.authorizationToken, "base64").toString();
     const [username, password] = token.split(":");
     const endpoint = authData.proxyEndpoint || `https://${accountId}.dkr.ecr.${region}.amazonaws.com`;
-    await new Promise((resolve8, reject) => {
+    await new Promise((resolve9, reject) => {
       const proc = spawn2(
         "docker",
         ["login", "--username", username, "--password-stdin", endpoint],
@@ -25542,7 +25542,7 @@ var DockerAssetPublisher = class {
       });
       proc.on("close", (code) => {
         if (code === 0) {
-          resolve8();
+          resolve9();
         } else {
           reject(new AssetError(`ECR login failed: ${stderr.trim()}`));
         }
@@ -25595,7 +25595,7 @@ var WorkGraph = class {
   async execute(concurrency, fn) {
     const active = { "asset-build": 0, "asset-publish": 0, stack: 0 };
     const errors = [];
-    return new Promise((resolve8, reject) => {
+    return new Promise((resolve9, reject) => {
       const dispatch = () => {
         const ready = [];
         for (const node of this.nodes.values()) {
@@ -25667,7 +25667,7 @@ ${msg}`
             );
             return;
           }
-          resolve8();
+          resolve9();
         }
       };
       dispatch();
@@ -26658,7 +26658,7 @@ var LockManager = class {
           this.logger.info(
             `Stack '${stackName}' (${region}) is locked by ${lockInfo2.owner}${lockInfo2.operation ? ` (operation: ${lockInfo2.operation})` : ""}. Lock expires in ${this.formatDuration(remainingMs)}. Retrying in ${this.formatDuration(retryDelay)}... (attempt ${attempt + 1}/${maxRetries})`
           );
-          await new Promise((resolve8) => setTimeout(resolve8, retryDelay));
+          await new Promise((resolve9) => setTimeout(resolve9, retryDelay));
           continue;
         }
       }
@@ -35152,7 +35152,7 @@ var LambdaFunctionProvider = class {
     return enis;
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Build Lambda Code parameter from CDK properties
@@ -37029,7 +37029,7 @@ var DynamoDBTableProvider = class {
       if (status !== "CREATING") {
         throw new Error(`Unexpected table status: ${status}`);
       }
-      await new Promise((resolve8) => setTimeout(resolve8, 1e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 1e3));
     }
     throw new Error(`Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds`);
   }
@@ -37049,7 +37049,7 @@ var DynamoDBTableProvider = class {
       if (status === "ACTIVE") {
         return;
       }
-      await new Promise((resolve8) => setTimeout(resolve8, 1e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 1e3));
     }
     throw new Error(
       `Table ${tableName} did not reach ACTIVE status within ${maxAttempts} seconds after UpdateTable`
@@ -40229,7 +40229,7 @@ var EC2Provider = class {
           this.logger.debug(
             `VPC ${physicalId} has dependencies (attempt ${attempt}/${maxAttempts}), retrying in ${attempt * 5}s...`
           );
-          await new Promise((resolve8) => setTimeout(resolve8, attempt * 5e3));
+          await new Promise((resolve9) => setTimeout(resolve9, attempt * 5e3));
           continue;
         }
         const cause = error instanceof Error ? error : void 0;
@@ -40393,7 +40393,7 @@ var EC2Provider = class {
           this.logger.debug(
             `Subnet ${physicalId} has dependencies (attempt ${attempt}/${maxAttempts}), retrying in ${attempt * 5}s...`
           );
-          await new Promise((resolve8) => setTimeout(resolve8, attempt * 5e3));
+          await new Promise((resolve9) => setTimeout(resolve9, attempt * 5e3));
           continue;
         }
         const cause = error instanceof Error ? error : void 0;
@@ -41151,7 +41151,7 @@ var EC2Provider = class {
           this.logger.debug(
             `SecurityGroup ${physicalId} has dependent objects (attempt ${attempt}/${maxAttempts}), retrying in ${attempt * 5}s...`
           );
-          await new Promise((resolve8) => setTimeout(resolve8, attempt * 5e3));
+          await new Promise((resolve9) => setTimeout(resolve9, attempt * 5e3));
           continue;
         }
         const cause = error instanceof Error ? error : void 0;
@@ -42095,7 +42095,7 @@ var EC2Provider = class {
    * `setTimeout` globally.
    */
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Check if an error indicates the resource was not found
@@ -44195,7 +44195,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
    * Sleep for specified milliseconds
    */
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Convert CloudFormation Tags (Array<{Key, Value}>) to SDK tags (Record<string, string>).
@@ -46087,7 +46087,7 @@ var CloudFrontDistributionProvider = class {
         );
         const sleepEnd = Date.now() + delay2;
         while (Date.now() < sleepEnd && !interrupted) {
-          await new Promise((resolve8) => setTimeout(resolve8, 1e3));
+          await new Promise((resolve9) => setTimeout(resolve9, 1e3));
         }
         delay2 = Math.min(delay2 * 1.5, maxDelay);
       }
@@ -49899,7 +49899,7 @@ var RDSProvider = class {
     throw new Error(`Timed out waiting for DBInstance ${dbInstanceIdentifier} to be deleted`);
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Adopt an existing RDS resource into cdkd state.
@@ -50884,7 +50884,7 @@ var DocDBProvider = class {
     throw new Error(`Timed out waiting for DocDB DBInstance ${dbInstanceIdentifier} to be deleted`);
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Adopt an existing DocDB resource into cdkd state.
@@ -51874,7 +51874,7 @@ var NeptuneProvider = class {
     );
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Adopt an existing Neptune resource into cdkd state.
@@ -54414,7 +54414,7 @@ var ElastiCacheProvider = class {
     throw new Error(`Timed out waiting for CacheCluster ${cacheClusterId} to be deleted`);
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   /**
    * Read the AWS-current ElastiCache resource configuration in CFn-property shape.
@@ -55129,7 +55129,7 @@ var ServiceDiscoveryProvider = class {
           logicalId
         );
       }
-      await new Promise((resolve8) => setTimeout(resolve8, delay2));
+      await new Promise((resolve9) => setTimeout(resolve9, delay2));
       delay2 = Math.min(delay2 * 2, 1e4);
     }
     throw new ProvisioningError(
@@ -59654,7 +59654,7 @@ var KinesisStreamProvider = class {
       if (status !== "CREATING" && status !== "UPDATING") {
         throw new Error(`Unexpected stream status: ${status}`);
       }
-      await new Promise((resolve8) => setTimeout(resolve8, 2e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 2e3));
     }
     throw new Error(
       `Stream ${streamName} did not reach ACTIVE status within ${maxAttempts * 2} seconds`
@@ -59987,7 +59987,7 @@ var KinesisStreamConsumerProvider = class {
       if (status !== "CREATING") {
         throw new Error(`Unexpected consumer status: ${status}`);
       }
-      await new Promise((resolve8) => setTimeout(resolve8, 1e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 1e3));
     }
     throw new Error(
       `Consumer ${consumerArn} did not reach ACTIVE status within ${maxAttempts} seconds`
@@ -60292,7 +60292,7 @@ var EFSProvider = class {
       this.logger.debug(
         `FileSystem ${fileSystemId} state: ${fs?.LifeCycleState ?? "unknown"}, waiting...`
       );
-      await new Promise((resolve8) => setTimeout(resolve8, pollIntervalMs));
+      await new Promise((resolve9) => setTimeout(resolve9, pollIntervalMs));
     }
     throw new ProvisioningError(
       `Timed out waiting for EFS FileSystem ${fileSystemId} to become available (60s)`,
@@ -60370,7 +60370,7 @@ var EFSProvider = class {
       this.logger.debug(
         `MountTarget ${mountTargetId} state: ${mountTarget?.LifeCycleState ?? "unknown"}, waiting...`
       );
-      await new Promise((resolve8) => setTimeout(resolve8, pollIntervalMs));
+      await new Promise((resolve9) => setTimeout(resolve9, pollIntervalMs));
     }
     throw new ProvisioningError(
       `Timed out waiting for EFS MountTarget ${mountTargetId} to become available (120s)`,
@@ -60436,7 +60436,7 @@ var EFSProvider = class {
         }
         throw error;
       }
-      await new Promise((resolve8) => setTimeout(resolve8, pollIntervalMs));
+      await new Promise((resolve9) => setTimeout(resolve9, pollIntervalMs));
     }
     this.logger.warn(
       `Timed out waiting for EFS MountTarget ${mountTargetId} deletion for ${logicalId} (120s)`
@@ -61394,7 +61394,7 @@ var FirehoseProvider = class {
       this.logger.debug(
         `Firehose ${logicalId} status: ${status} (attempt ${attempt}/${maxAttempts})`
       );
-      await new Promise((resolve8) => setTimeout(resolve8, 2e3));
+      await new Promise((resolve9) => setTimeout(resolve9, 2e3));
     }
     this.logger.warn(`Firehose ${logicalId} did not reach ACTIVE after ${maxAttempts} attempts`);
   }
@@ -64864,7 +64864,7 @@ var ASGProvider = class {
     );
   }
   sleep(ms) {
-    return new Promise((resolve8) => setTimeout(resolve8, ms));
+    return new Promise((resolve9) => setTimeout(resolve9, ms));
   }
   // ─── Sub-shape diff helpers ───────────────────────────────────────
   // Each helper is a no-op when before/after JSON is identical (the cheap
@@ -66804,7 +66804,7 @@ Acquiring lock for stack ${stackName}...`);
                   logger.debug(
                     `  \u23F3 Retrying delete ${logicalId} in ${delay2 / 1e3}s (attempt ${attempt + 1}/${maxAttempts})`
                   );
-                  await new Promise((resolve8) => setTimeout(resolve8, delay2));
+                  await new Promise((resolve9) => setTimeout(resolve9, delay2));
                 }
               }
               if (lastDeleteError)
@@ -70034,11 +70034,11 @@ async function captureObservedForImportedResources(stackState, providerRegistry,
 }
 // src/cli/commands/local-invoke.ts
-import { cpSync as cpSync2, mkdtempSync as mkdtempSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync7, rmSync as rmSync3, writeFileSync as writeFileSync6 } from "node:fs";
+import { cpSync as cpSync2, mkdtempSync as mkdtempSync3, mkdirSync as mkdirSync3, readFileSync as readFileSync8, rmSync as rmSync3, writeFileSync as writeFileSync6 } from "node:fs";
 import { tmpdir as tmpdir3 } from "node:os";
-import { dirname as dirname5 } from "node:path";
+import { dirname as dirname7 } from "node:path";
 import * as path2 from "node:path";
-import { Command as Command15, Option as Option8 } from "commander";
+import { Command as Command16, Option as Option9 } from "commander";
 // src/local/lambda-resolver.ts
 import { existsSync as existsSync4, statSync as statSync3 } from "node:fs";
@@ -70689,6 +70689,9 @@ async function runDetached(opts) {
   if (opts.name) {
     args.push("--name", opts.name);
   }
+  if (opts.network) {
+    args.push("--network", opts.network);
+  }
   if (opts.platform) {
     args.push("--platform", opts.platform);
   }
@@ -70909,7 +70912,7 @@ async function ecrLogin(client, accountId, region) {
   const token = Buffer.from(authData.authorizationToken, "base64").toString();
   const [username, password] = token.split(":");
   const endpoint = authData.proxyEndpoint || `https://${accountId}.dkr.ecr.${region}.amazonaws.com`;
-  await new Promise((resolve8, reject) => {
+  await new Promise((resolve9, reject) => {
     const proc = spawn4("docker", ["login", "--username", username, "--password-stdin", endpoint], {
       stdio: ["pipe", "pipe", "pipe"]
     });
@@ -70919,7 +70922,7 @@ async function ecrLogin(client, accountId, region) {
     });
     proc.on("close", (code) => {
       if (code === 0)
-        resolve8();
+        resolve9();
       else
         reject(new LocalInvokeBuildError(`ECR login failed: ${stderr.trim()}`));
     });
@@ -70948,12 +70951,12 @@ async function isImageInLocalCache(imageRef) {
   }
 }
 function runForeground2(cmd, args) {
-  return new Promise((resolve8, reject) => {
+  return new Promise((resolve9, reject) => {
     const proc = spawn4(cmd, args, { stdio: "inherit" });
     proc.on("error", (err) => reject(new LocalInvokeBuildError(`${cmd} failed: ${err.message}`)));
     proc.on("close", (code) => {
       if (code === 0)
-        resolve8();
+        resolve9();
       else
         reject(new LocalInvokeBuildError(`${cmd} exited with code ${code}`));
     });
@@ -71742,9 +71745,9 @@ function createContainerPool(specs, options) {
       if (disposed) {
         entry.warm.push(handle);
         if (entry.inUse.size === 0) {
-          for (const resolve8 of entry.drainResolvers.splice(0, entry.drainResolvers.length)) {
+          for (const resolve9 of entry.drainResolvers.splice(0, entry.drainResolvers.length)) {
             try {
-              resolve8();
+              resolve9();
             } catch {
             }
           }
@@ -71760,9 +71763,9 @@ function createContainerPool(specs, options) {
       entry.warm.push(handle);
       resetIdleTimer(entry);
       if (entry.inUse.size === 0 && entry.drainResolvers.length > 0) {
-        for (const resolve8 of entry.drainResolvers.splice(0, entry.drainResolvers.length)) {
+        for (const resolve9 of entry.drainResolvers.splice(0, entry.drainResolvers.length)) {
           try {
-            resolve8();
+            resolve9();
           } catch {
           }
         }
@@ -74728,9 +74731,9 @@ var NodeFsHandler = class {
     if (this.fsw.closed) {
       return;
     }
-    const dirname7 = sp.dirname(file);
+    const dirname9 = sp.dirname(file);
     const basename4 = sp.basename(file);
-    const parent = this.fsw._getWatchedDir(dirname7);
+    const parent = this.fsw._getWatchedDir(dirname9);
     let prevStats = stats;
     if (parent.has(basename4))
       return;
@@ -74757,7 +74760,7 @@ var NodeFsHandler = class {
             prevStats = newStats2;
           }
         } catch (error) {
-          this.fsw._remove(dirname7, basename4);
+          this.fsw._remove(dirname9, basename4);
         }
       } else if (parent.has(basename4)) {
         const at = newStats.atimeMs;
@@ -74854,7 +74857,7 @@ var NodeFsHandler = class {
         this._addToNodeFs(path3, initialAdd, wh, depth + 1);
       }
     }).on(EV.ERROR, this._boundHandleError);
-    return new Promise((resolve8, reject) => {
+    return new Promise((resolve9, reject) => {
       if (!stream)
         return reject();
       stream.once(STR_END, () => {
@@ -74863,7 +74866,7 @@ var NodeFsHandler = class {
           return;
         }
         const wasThrottled = throttler ? throttler.clear() : false;
-        resolve8(void 0);
+        resolve9(void 0);
         previous.getChildren().filter((item) => {
           return item !== directory && !current.has(item);
         }).forEach((item) => {
@@ -76604,6 +76607,1477 @@ function createLocalStartApiCommand() {
   return startApi;
 }
+// src/cli/commands/local-run-task.ts
+import { readFileSync as readFileSync7 } from "node:fs";
+import { Command as Command15, Option as Option8 } from "commander";
+// src/local/ecs-task-resolver.ts
+import { dirname as dirname5, isAbsolute as isAbsolute4, resolve as resolve8 } from "node:path";
+import { existsSync as existsSync5, statSync as statSync4 } from "node:fs";
+var EcsTaskResolutionError = class _EcsTaskResolutionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EcsTaskResolutionError";
+    Object.setPrototypeOf(this, _EcsTaskResolutionError.prototype);
+  }
+};
+function parseEcsTarget(target) {
+  if (typeof target !== "string" || target.length === 0) {
+    throw new EcsTaskResolutionError(
+      "Empty target. Pass a CDK display path (e.g. 'MyStack/MyService/TaskDef') or stack-qualified logical ID (e.g. 'MyStack:MyServiceTaskDefXYZ1234')."
+    );
+  }
+  const colonIdx = target.indexOf(":");
+  const slashIdx = target.indexOf("/");
+  if (colonIdx > 0 && (slashIdx === -1 || colonIdx < slashIdx)) {
+    const stackPattern = target.substring(0, colonIdx);
+    const pathOrId = target.substring(colonIdx + 1);
+    if (pathOrId.length === 0) {
+      throw new EcsTaskResolutionError(`Target '${target}' has no logical ID after ':'.`);
+    }
+    return { stackPattern, pathOrId, isPath: pathOrId.includes("/") };
+  }
+  if (slashIdx > 0) {
+    return { stackPattern: target.substring(0, slashIdx), pathOrId: target, isPath: true };
+  }
+  return { stackPattern: null, pathOrId: target, isPath: false };
+}
+function resolveEcsTaskTarget(target, stacks) {
+  if (stacks.length === 0) {
+    throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
+  }
+  const parsed = parseEcsTarget(target);
+  const stack = pickStack2(parsed, stacks);
+  const resources = stack.template.Resources ?? {};
+  let logicalId;
+  let resource;
+  if (parsed.isPath) {
+    const index = buildCdkPathIndex(stack.template);
+    const resolved = resolveCdkPathToLogicalIds(parsed.pathOrId, index);
+    const taskDefs = resolved.filter(
+      ({ logicalId: l }) => resources[l]?.Type === "AWS::ECS::TaskDefinition"
+    );
+    if (taskDefs.length === 0) {
+      throw notFoundError2(target, stack, resources);
+    }
+    if (taskDefs.length > 1) {
+      throw new EcsTaskResolutionError(
+        `Target '${target}' matches ${taskDefs.length} task definitions in ${stack.stackName}: ` + taskDefs.map((t) => t.logicalId).join(", ") + ". Refine the path or use the stack:LogicalId form."
+      );
+    }
+    logicalId = taskDefs[0].logicalId;
+    resource = resources[logicalId];
+  } else {
+    resource = resources[parsed.pathOrId];
+    if (!resource)
+      throw notFoundError2(target, stack, resources);
+    logicalId = parsed.pathOrId;
+  }
+  if (!logicalId || !resource)
+    throw notFoundError2(target, stack, resources);
+  if (resource.Type === "AWS::Lambda::Function") {
+    throw new EcsTaskResolutionError(
+      `Resource '${logicalId}' in ${stack.stackName} is a Lambda function, not an ECS task definition. Use \`cdkd local invoke\` for Lambda; \`cdkd local run-task\` is ECS only.`
+    );
+  }
+  if (resource.Type !== "AWS::ECS::TaskDefinition") {
+    throw new EcsTaskResolutionError(
+      `Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`
+    );
+  }
+  return extractTaskDefinitionProperties(stack, logicalId, resource);
+}
+function pickStack2(parsed, stacks) {
+  if (parsed.stackPattern === null) {
+    if (stacks.length === 1)
+      return stacks[0];
+    throw new EcsTaskResolutionError(
+      `Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
+    );
+  }
+  const matched = matchStacks(stacks, [parsed.stackPattern]);
+  if (matched.length === 0) {
+    throw new EcsTaskResolutionError(
+      `Stack '${parsed.stackPattern}' not found. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
+    );
+  }
+  if (matched.length > 1) {
+    throw new EcsTaskResolutionError(
+      `Stack pattern '${parsed.stackPattern}' matched ${matched.length} stacks: ` + matched.map((s) => s.stackName).join(", ") + ". Use a more specific pattern."
+    );
+  }
+  return matched[0];
+}
+function extractTaskDefinitionProperties(stack, logicalId, resource) {
+  const props = resource.Properties ?? {};
+  const warnings = [];
+  const family = pickString(props["Family"]) ?? logicalId;
+  const rawNetworkMode = pickString(props["NetworkMode"]) ?? "bridge";
+  let networkMode;
+  if (rawNetworkMode === "bridge" || rawNetworkMode === "awsvpc" || rawNetworkMode === "host" || rawNetworkMode === "none") {
+    networkMode = rawNetworkMode;
+  } else {
+    throw new EcsTaskResolutionError(
+      `Task definition '${logicalId}' has unsupported NetworkMode '${rawNetworkMode}'. Supported values: bridge / awsvpc / host / none.`
+    );
+  }
+  if (networkMode === "awsvpc") {
+    warnings.push(
+      `NetworkMode 'awsvpc' on '${logicalId}' is mapped to docker bridge locally \u2014 docker cannot emulate ENI-per-task. AWS SDK calls still reach public endpoints via the developer network.`
+    );
+  }
+  const resources = stack.template.Resources ?? {};
+  const taskRoleArn = resolveRoleArn(props["TaskRoleArn"], resources);
+  const executionRoleArn = resolveRoleArn(props["ExecutionRoleArn"], resources);
+  const runtimePlatform = parseRuntimePlatform(props["RuntimePlatform"]);
+  const rawContainers = props["ContainerDefinitions"];
+  if (!Array.isArray(rawContainers) || rawContainers.length === 0) {
+    throw new EcsTaskResolutionError(`Task definition '${logicalId}' has no ContainerDefinitions.`);
+  }
+  const containers = rawContainers.map(
+    (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack)
+  );
+  const rawVolumes = props["Volumes"];
+  const volumes = Array.isArray(rawVolumes) ? rawVolumes.map((v, idx) => parseVolume(v, idx, logicalId)) : [];
+  const containerNames = new Set(containers.map((c) => c.name));
+  for (const c of containers) {
+    for (const d of c.dependsOn) {
+      if (!containerNames.has(d.containerName)) {
+        throw new EcsTaskResolutionError(
+          `Container '${c.name}' depends on '${d.containerName}', which is not defined in task '${logicalId}'.`
+        );
+      }
+    }
+  }
+  const out = {
+    stack,
+    taskDefinitionLogicalId: logicalId,
+    resource,
+    family,
+    networkMode,
+    containers,
+    volumes,
+    warnings
+  };
+  if (taskRoleArn !== void 0)
+    out.taskRoleArn = taskRoleArn;
+  if (executionRoleArn !== void 0)
+    out.executionRoleArn = executionRoleArn;
+  if (runtimePlatform !== void 0)
+    out.runtimePlatform = runtimePlatform;
+  return out;
+}
+function parseRuntimePlatform(value) {
+  if (!value || typeof value !== "object")
+    return void 0;
+  const obj = value;
+  const cpu = obj["CpuArchitecture"];
+  const os = obj["OperatingSystemFamily"];
+  if (typeof cpu !== "string" || typeof os !== "string")
+    return void 0;
+  if (cpu !== "X86_64" && cpu !== "ARM64")
+    return void 0;
+  if (os !== "LINUX")
+    return void 0;
+  return { cpuArchitecture: cpu, operatingSystemFamily: os };
+}
+function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack) {
+  if (!raw || typeof raw !== "object") {
+    throw new EcsTaskResolutionError(
+      `Task '${taskLogicalId}' ContainerDefinitions[${idx}] is not an object.`
+    );
+  }
+  const c = raw;
+  const name = pickString(c["Name"]);
+  if (!name) {
+    throw new EcsTaskResolutionError(
+      `Task '${taskLogicalId}' ContainerDefinitions[${idx}] has no Name.`
+    );
+  }
+  const image = parseContainerImage(c["Image"], name, taskLogicalId, resources, stack);
+  const command = pickStringArray2(c["Command"]);
+  const entryPoint = pickStringArray2(c["EntryPoint"]);
+  const workingDirectory = pickString(c["WorkingDirectory"]);
+  const environment = {};
+  if (Array.isArray(c["Environment"])) {
+    for (const entry of c["Environment"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const e = entry;
+      const key = pickString(e["Name"]);
+      const value = e["Value"];
+      if (!key)
+        continue;
+      if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
+        environment[key] = String(value);
+      }
+    }
+  }
+  const secrets = [];
+  if (Array.isArray(c["Secrets"])) {
+    for (const entry of c["Secrets"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const e = entry;
+      const sName = pickString(e["Name"]);
+      const valueFrom = pickString(e["ValueFrom"]);
+      if (sName && valueFrom)
+        secrets.push({ name: sName, valueFrom });
+    }
+  }
+  const portMappings = [];
+  if (Array.isArray(c["PortMappings"])) {
+    for (const entry of c["PortMappings"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const p = entry;
+      const containerPort = typeof p["ContainerPort"] === "number" ? p["ContainerPort"] : void 0;
+      if (containerPort === void 0)
+        continue;
+      const hostPort = typeof p["HostPort"] === "number" ? p["HostPort"] : void 0;
+      const protocol = pickString(p["Protocol"]) === "udp" ? "udp" : "tcp";
+      const pm = { containerPort, protocol };
+      if (hostPort !== void 0)
+        pm.hostPort = hostPort;
+      portMappings.push(pm);
+    }
+  }
+  const mountPoints = [];
+  if (Array.isArray(c["MountPoints"])) {
+    for (const entry of c["MountPoints"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const m = entry;
+      const sourceVolume = pickString(m["SourceVolume"]);
+      const containerPath = pickString(m["ContainerPath"]);
+      if (!sourceVolume || !containerPath)
+        continue;
+      mountPoints.push({
+        sourceVolume,
+        containerPath,
+        readOnly: m["ReadOnly"] === true
+      });
+    }
+  }
+  const dependsOn = [];
+  if (Array.isArray(c["DependsOn"])) {
+    for (const entry of c["DependsOn"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const d = entry;
+      const containerName = pickString(d["ContainerName"]);
+      const condition = pickString(d["Condition"]);
+      if (!containerName || !condition)
+        continue;
+      if (condition !== "START" && condition !== "COMPLETE" && condition !== "SUCCESS" && condition !== "HEALTHY") {
+        throw new EcsTaskResolutionError(
+          `Container '${name}' has invalid DependsOn condition '${condition}'. Accepted values: START / COMPLETE / SUCCESS / HEALTHY.`
+        );
+      }
+      dependsOn.push({ containerName, condition });
+    }
+  }
+  const links = pickStringArray2(c["Links"]) ?? [];
+  const essential = c["Essential"] === false ? false : true;
+  let healthCheck;
+  if (c["HealthCheck"] && typeof c["HealthCheck"] === "object") {
+    const h = c["HealthCheck"];
+    const command2 = pickStringArray2(h["Command"]);
+    if (command2 && command2.length > 0) {
+      healthCheck = { command: command2 };
+      if (typeof h["Interval"] === "number")
+        healthCheck.interval = h["Interval"];
+      if (typeof h["Timeout"] === "number")
+        healthCheck.timeout = h["Timeout"];
+      if (typeof h["Retries"] === "number")
+        healthCheck.retries = h["Retries"];
+      if (typeof h["StartPeriod"] === "number")
+        healthCheck.startPeriod = h["StartPeriod"];
+    }
+  }
+  const user = pickString(c["User"]);
+  const privileged = c["Privileged"] === true ? true : void 0;
+  const readonlyRootFilesystem = c["ReadonlyRootFilesystem"] === true ? true : void 0;
+  const ulimits = [];
+  if (Array.isArray(c["Ulimits"])) {
+    for (const entry of c["Ulimits"]) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const u = entry;
+      const uName = pickString(u["Name"]);
+      const soft = typeof u["SoftLimit"] === "number" ? u["SoftLimit"] : void 0;
+      const hard = typeof u["HardLimit"] === "number" ? u["HardLimit"] : void 0;
+      if (!uName || soft === void 0 || hard === void 0)
+        continue;
+      ulimits.push({ name: uName, softLimit: soft, hardLimit: hard });
+    }
+  }
+  const out = {
+    name,
+    image,
+    environment,
+    secrets,
+    portMappings,
+    mountPoints,
+    dependsOn,
+    links,
+    essential,
+    ulimits
+  };
+  if (command !== void 0)
+    out.command = command;
+  if (entryPoint !== void 0)
+    out.entryPoint = entryPoint;
+  if (workingDirectory !== void 0)
+    out.workingDirectory = workingDirectory;
+  if (healthCheck !== void 0)
+    out.healthCheck = healthCheck;
+  if (user !== void 0)
+    out.user = user;
+  if (privileged !== void 0)
+    out.privileged = privileged;
+  if (readonlyRootFilesystem !== void 0)
+    out.readonlyRootFilesystem = readonlyRootFilesystem;
+  return out;
+}
+function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack) {
+  const flat = extractImageString(raw);
+  if (!flat) {
+    throw new EcsTaskResolutionError(
+      `Container '${containerName}' in task '${taskLogicalId}' has an unparseable Image property. cdkd local run-task v1 supports flat string images, single-key Fn::Sub bodies, and CDK-asset Image references.`
+    );
+  }
+  if (flat.includes("cdk-hnb659fds-container-assets-")) {
+    const hashMatch = /:([a-f0-9]{8,})$/.exec(flat);
+    const out = { kind: "cdk-asset" };
+    if (hashMatch)
+      out.assetHash = hashMatch[1];
+    return out;
+  }
+  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(flat);
+  if (ecrMatch) {
+    return { kind: "ecr", uri: flat, account: ecrMatch[1], region: ecrMatch[2] };
+  }
+  if (flat.includes("${") && flat.includes("AWS::AccountId")) {
+    throw new EcsTaskResolutionError(
+      `Container '${containerName}' in task '${taskLogicalId}' has an Image that references AWS pseudo parameters (${flat}). cdkd local run-task v1 cannot resolve account-scoped ECR repos at synth time. Build the image locally (CDK ContainerImage.fromAsset) or pin to a public image to test locally.`
+    );
+  }
+  for (const [refLogicalId, res] of Object.entries(resources)) {
+    if (res.Type === "AWS::ECR::Repository" && flat.includes(refLogicalId)) {
+      throw new EcsTaskResolutionError(
+        `Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${refLogicalId}'. cdkd local run-task v1 cannot resolve the repository URI without state \u2014 build via ContainerImage.fromAsset or pin a public image.`
+      );
+    }
+  }
+  return { kind: "public", uri: flat };
+}
+function extractImageString(value) {
+  if (typeof value === "string" && value.length > 0)
+    return value;
+  if (value && typeof value === "object") {
+    const obj = value;
+    const sub = obj["Fn::Sub"];
+    if (typeof sub === "string" && sub.length > 0)
+      return sub;
+    if (Array.isArray(sub) && typeof sub[0] === "string")
+      return sub[0];
+    const join11 = obj["Fn::Join"];
+    if (Array.isArray(join11) && join11.length === 2 && Array.isArray(join11[1])) {
+      const sep = typeof join11[0] === "string" ? join11[0] : "";
+      const parts = join11[1].map((p) => typeof p === "string" ? p : extractImageString(p)).filter((p) => p !== void 0);
+      if (parts.length === join11[1].length)
+        return parts.join(sep);
+    }
+  }
+  return void 0;
+}
+function parseVolume(raw, idx, taskLogicalId) {
+  if (!raw || typeof raw !== "object") {
+    throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] is not an object.`);
+  }
+  const v = raw;
+  const name = pickString(v["Name"]);
+  if (!name) {
+    throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] has no Name.`);
+  }
+  if (v["EFSVolumeConfiguration"]) {
+    throw new EcsTaskResolutionError(
+      `Task '${taskLogicalId}' Volumes[${idx}] '${name}' uses EFSVolumeConfiguration, which cdkd local run-task cannot proxy locally. Workaround: bind-mount a local directory at the same containerPath via Host: { SourcePath: '<local-path>' }, or override at runtime via --env-vars semantics for a Phase 2 follow-up.`
+    );
+  }
+  if (v["FSxWindowsFileServerVolumeConfiguration"]) {
+    throw new EcsTaskResolutionError(
+      `Task '${taskLogicalId}' Volumes[${idx}] '${name}' uses FSxWindowsFileServerVolumeConfiguration, which cdkd local run-task cannot proxy locally.`
+    );
+  }
+  const dockerCfg = v["DockerVolumeConfiguration"];
+  if (dockerCfg && typeof dockerCfg === "object") {
+    const d = dockerCfg;
+    const scope = pickString(d["Scope"]) === "shared" ? "shared" : "task";
+    const cfg = { scope };
+    if (typeof d["Autoprovision"] === "boolean")
+      cfg.autoprovision = d["Autoprovision"];
+    const driver = pickString(d["Driver"]);
+    if (driver)
+      cfg.driver = driver;
+    if (d["DriverOpts"] && typeof d["DriverOpts"] === "object") {
+      const opts = {};
+      for (const [k, val] of Object.entries(d["DriverOpts"])) {
+        if (typeof val === "string")
+          opts[k] = val;
+      }
+      cfg.driverOpts = opts;
+    }
+    if (d["Labels"] && typeof d["Labels"] === "object") {
+      const labels = {};
+      for (const [k, val] of Object.entries(d["Labels"])) {
+        if (typeof val === "string")
+          labels[k] = val;
+      }
+      cfg.labels = labels;
+    }
+    return { name, kind: "docker", dockerVolumeConfig: cfg };
+  }
+  const host = v["Host"];
+  if (host && typeof host === "object") {
+    const sourcePath = pickString(host["SourcePath"]);
+    if (sourcePath) {
+      const abs = isAbsolute4(sourcePath) ? sourcePath : resolve8(process.cwd(), sourcePath);
+      return { name, kind: "host", hostPath: abs };
+    }
+  }
+  return { name, kind: "host" };
+}
+function resolveRoleArn(value, resources) {
+  if (value === void 0 || value === null)
+    return void 0;
+  if (typeof value === "string")
+    return value;
+  if (typeof value !== "object")
+    return void 0;
+  const obj = value;
+  if ("Ref" in obj && typeof obj["Ref"] === "string") {
+    const refLogicalId = obj["Ref"];
+    const role = resources[refLogicalId];
+    if (role?.Type === "AWS::IAM::Role") {
+      return void 0;
+    }
+  }
+  if ("Fn::GetAtt" in obj) {
+    const arg = obj["Fn::GetAtt"];
+    if (Array.isArray(arg) && typeof arg[0] === "string") {
+      const refLogicalId = arg[0];
+      const role = resources[refLogicalId];
+      if (role?.Type === "AWS::IAM::Role") {
+        return void 0;
+      }
+    }
+  }
+  return void 0;
+}
+function pickString(value) {
+  return typeof value === "string" && value.length > 0 ? value : void 0;
+}
+function pickStringArray2(value) {
+  if (!Array.isArray(value))
+    return void 0;
+  const out = [];
+  for (const v of value) {
+    if (typeof v === "string")
+      out.push(v);
+  }
+  return out;
+}
+function notFoundError2(target, stack, resources) {
+  const tasks = [];
+  for (const [logicalId, resource] of Object.entries(resources)) {
+    if (resource.Type !== "AWS::ECS::TaskDefinition")
+      continue;
+    const meta = resource.Metadata;
+    const cdkPath = typeof meta?.["aws:cdk:path"] === "string" ? meta["aws:cdk:path"] : "";
+    tasks.push({ displayPath: cdkPath || logicalId, logicalId });
+  }
+  let msg = `target '${target}' did not match any ECS task definition in ${stack.stackName}.
+`;
+  if (tasks.length === 0) {
+    msg += `Stack ${stack.stackName} has no AWS::ECS::TaskDefinition resources.`;
+  } else {
+    const width = Math.max(...tasks.map((t) => t.displayPath.length));
+    msg += `Available task definitions in ${stack.stackName}:
+`;
+    for (const t of tasks) {
+      msg += `  ${t.displayPath.padEnd(width)}  (${t.logicalId})
+`;
+    }
+  }
+  return new EcsTaskResolutionError(msg.trimEnd());
+}
+function checkVolumeHostPath(hostPath) {
+  try {
+    return existsSync5(hostPath) && statSync4(hostPath).isDirectory();
+  } catch {
+    return false;
+  }
+}
+// src/local/ecs-task-runner.ts
+import { execFile as execFile6, spawn as spawn5 } from "node:child_process";
+import { randomBytes as randomBytes2 } from "node:crypto";
+import { dirname as dirname6 } from "node:path";
+import { promisify as promisify6 } from "node:util";
+import graphlib2 from "graphlib";
+// src/local/ecs-network.ts
+import { execFile as execFile5 } from "node:child_process";
+import { randomBytes } from "node:crypto";
+import { promisify as promisify5 } from "node:util";
+var execFileAsync5 = promisify5(execFile5);
+var METADATA_ENDPOINT_IMAGE = "amazon/amazon-ecs-local-container-endpoints:latest-amd64";
+var METADATA_ENDPOINT_IP = "169.254.170.2";
+var METADATA_ENDPOINT_SUBNET = "169.254.170.0/24";
+async function createTaskNetwork(options = {}) {
+  const logger = getLogger().child("ecs-network");
+  const prefix = options.prefix ?? "cdkd-local";
+  const suffix = randomBytes(4).toString("hex");
+  const networkName = `${prefix}-task-${suffix}`;
+  await pullImage(METADATA_ENDPOINT_IMAGE, options.skipPull ?? false);
+  logger.info(`Creating docker network ${networkName} (subnet ${METADATA_ENDPOINT_SUBNET})...`);
+  try {
+    await execFileAsync5("docker", [
+      "network",
+      "create",
+      "--driver",
+      "bridge",
+      "--subnet",
+      METADATA_ENDPOINT_SUBNET,
+      networkName
+    ]);
+  } catch (err) {
+    const e = err;
+    throw new DockerRunnerError(
+      `docker network create failed: ${e.stderr?.trim() || e.message || String(err)}. Hint: another cdkd run-task on the same host may already own subnet ${METADATA_ENDPOINT_SUBNET}; wait for it to finish, or remove the leftover network with \`docker network ls\` + \`docker network rm\`.`
+    );
+  }
+  const sidecarArgs = [
+    "run",
+    "-d",
+    "--rm",
+    "--name",
+    `${networkName}-metadata`,
+    "--network",
+    networkName,
+    "--ip",
+    METADATA_ENDPOINT_IP
+  ];
+  const sidecarEnv = {};
+  if (options.credentials) {
+    sidecarEnv["AWS_ACCESS_KEY_ID"] = options.credentials.accessKeyId;
+    sidecarEnv["AWS_SECRET_ACCESS_KEY"] = options.credentials.secretAccessKey;
+    if (options.credentials.sessionToken) {
+      sidecarEnv["AWS_SESSION_TOKEN"] = options.credentials.sessionToken;
+    }
+  }
+  if (options.cluster)
+    sidecarEnv["CLUSTER"] = options.cluster;
+  for (const [k, v] of Object.entries(sidecarEnv)) {
+    sidecarArgs.push("-e", `${k}=${v}`);
+  }
+  sidecarArgs.push(METADATA_ENDPOINT_IMAGE);
+  logger.info("Starting ECS local-container-endpoints sidecar at 169.254.170.2...");
+  let sidecarContainerId;
+  try {
+    const { stdout } = await execFileAsync5("docker", sidecarArgs, {
+      maxBuffer: 10 * 1024 * 1024
+    });
+    sidecarContainerId = stdout.trim();
+  } catch (err) {
+    await destroyNetworkOnly(networkName);
+    const e = err;
+    throw new DockerRunnerError(
+      `Failed to start metadata-endpoints sidecar: ${e.stderr?.trim() || e.message || String(err)}`
+    );
+  }
+  return { networkName, sidecarContainerId };
+}
+function buildMetadataEnv(opts) {
+  const env = {
+    ECS_CONTAINER_METADATA_URI_V4: `http://${METADATA_ENDPOINT_IP}/v4/${opts.containerName}`,
+    ECS_CONTAINER_METADATA_URI: `http://${METADATA_ENDPOINT_IP}/v3/${opts.containerName}`
+  };
+  if (opts.roleArn) {
+    env["AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"] = `/role/${encodeURIComponent(opts.roleArn)}`;
+  }
+  if (opts.region)
+    env["AWS_REGION"] = opts.region;
+  return env;
+}
+async function destroyTaskNetwork(net) {
+  if (!net)
+    return;
+  await removeContainer(net.sidecarContainerId);
+  await destroyNetworkOnly(net.networkName);
+}
+async function destroyNetworkOnly(networkName) {
+  if (!networkName)
+    return;
+  const logger = getLogger().child("ecs-network");
+  try {
+    await execFileAsync5("docker", ["network", "rm", networkName]);
+    logger.debug(`Removed docker network ${networkName}`);
+  } catch (err) {
+    const e = err;
+    logger.debug(
+      `docker network rm ${networkName} failed: ${e.stderr || e.message || String(err)}`
+    );
+  }
+}
+// src/local/ecs-secrets-resolver.ts
+import { SecretsManagerClient as SecretsManagerClient3, GetSecretValueCommand as GetSecretValueCommand2 } from "@aws-sdk/client-secrets-manager";
+import { SSMClient as SSMClient4, GetParameterCommand as GetParameterCommand4 } from "@aws-sdk/client-ssm";
+var EcsSecretsResolutionError = class _EcsSecretsResolutionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EcsSecretsResolutionError";
+    Object.setPrototypeOf(this, _EcsSecretsResolutionError.prototype);
+  }
+};
+async function resolveEcsSecrets(entries, options = {}) {
+  if (entries.length === 0)
+    return [];
+  const logger = getLogger().child("ecs-secrets");
+  const secretsClient = options.secretsManagerClient ?? new SecretsManagerClient3({ ...options.region && { region: options.region } });
+  const ssmClient = options.ssmClient ?? new SSMClient4({ ...options.region && { region: options.region } });
+  const ownsSecretsClient = options.secretsManagerClient === void 0;
+  const ownsSsmClient = options.ssmClient === void 0;
+  try {
+    const results = await Promise.all(
+      entries.map(async (entry) => {
+        const value = await resolveOne(entry, secretsClient, ssmClient);
+        logger.debug(`Resolved secret ${entry.containerName}.${entry.name} (${entry.valueFrom})`);
+        return { ...entry, value };
+      })
+    );
+    return results;
+  } finally {
+    if (ownsSecretsClient)
+      secretsClient.destroy();
+    if (ownsSsmClient)
+      ssmClient.destroy();
+  }
+}
+async function resolveOne(entry, secretsClient, ssmClient) {
+  const arn = entry.valueFrom;
+  const shape = classifySecretArn(arn);
+  switch (shape.kind) {
+    case "secrets-manager":
+      return resolveSecretsManager(entry, shape, secretsClient);
+    case "ssm":
+      return resolveSsm(entry, shape, ssmClient);
+    case "unknown":
+      throw new EcsSecretsResolutionError(
+        `Container '${entry.containerName}' secret '${entry.name}' references an unsupported ValueFrom shape '${arn}'. Expected Secrets Manager ARN (optionally with :<json-key>::) or SSM Parameter ARN.`
+      );
+  }
+}
+function classifySecretArn(arn) {
+  if (!arn.startsWith("arn:"))
+    return { kind: "unknown" };
+  const smMatch = /^(arn:[^:]+:secretsmanager:[^:]+:\d+:secret:[^:]+)(?::([^:]+)::?)?$/.exec(arn);
+  if (smMatch) {
+    const out = { kind: "secrets-manager", baseArn: smMatch[1] };
+    if (smMatch[2])
+      out.jsonKey = smMatch[2];
+    return out;
+  }
+  const ssmMatch = /^arn:[^:]+:ssm:[^:]+:\d+:parameter(\/.+)$/.exec(arn);
+  if (ssmMatch) {
+    return { kind: "ssm", name: ssmMatch[1] };
+  }
+  return { kind: "unknown" };
+}
+async function resolveSecretsManager(entry, shape, client) {
+  let secretString;
+  try {
+    const resp = await client.send(new GetSecretValueCommand2({ SecretId: shape.baseArn }));
+    secretString = resp.SecretString;
+  } catch (err) {
+    throw new EcsSecretsResolutionError(
+      `Failed to resolve Secrets Manager secret for container '${entry.containerName}' / env '${entry.name}' (${shape.baseArn}): ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (secretString === void 0) {
+    throw new EcsSecretsResolutionError(
+      `Secrets Manager returned no SecretString for container '${entry.containerName}' / env '${entry.name}' (${shape.baseArn}). Binary secrets are not supported.`
+    );
+  }
+  if (shape.jsonKey === void 0)
+    return secretString;
+  let parsed;
+  try {
+    parsed = JSON.parse(secretString);
+  } catch (err) {
+    throw new EcsSecretsResolutionError(
+      `Container '${entry.containerName}' secret '${entry.name}' specified json-key '${shape.jsonKey}' but the secret value is not valid JSON: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new EcsSecretsResolutionError(
+      `Container '${entry.containerName}' secret '${entry.name}' specified json-key '${shape.jsonKey}' but the secret root is not a JSON object.`
+    );
+  }
+  const value = parsed[shape.jsonKey];
+  if (value === void 0) {
+    throw new EcsSecretsResolutionError(
+      `Container '${entry.containerName}' secret '${entry.name}' specified json-key '${shape.jsonKey}' but no such key exists in the secret JSON.`
+    );
+  }
+  return typeof value === "string" ? value : JSON.stringify(value);
+}
+async function resolveSsm(entry, shape, client) {
+  try {
+    const resp = await client.send(
+      new GetParameterCommand4({ Name: shape.name, WithDecryption: true })
+    );
+    const value = resp.Parameter?.Value;
+    if (value === void 0) {
+      throw new EcsSecretsResolutionError(
+        `SSM parameter '${shape.name}' returned no Value for container '${entry.containerName}' / env '${entry.name}'.`
+      );
+    }
+    return value;
+  } catch (err) {
+    if (err instanceof EcsSecretsResolutionError)
+      throw err;
+    throw new EcsSecretsResolutionError(
+      `Failed to resolve SSM parameter for container '${entry.containerName}' / env '${entry.name}' (${shape.name}): ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+// src/local/ecs-task-runner.ts
+var execFileAsync6 = promisify6(execFile6);
+var EcsTaskRunnerError = class _EcsTaskRunnerError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "EcsTaskRunnerError";
+    Object.setPrototypeOf(this, _EcsTaskRunnerError.prototype);
+  }
+};
+function createEcsRunState() {
+  return { network: void 0, dockerVolumeNames: [], startedContainers: [], logStoppers: [] };
+}
+async function cleanupEcsRun(state, options) {
+  const logger = getLogger().child("ecs-runner");
+  for (const stop of state.logStoppers) {
+    try {
+      stop();
+    } catch (err) {
+      logger.debug(`log stream stop failed: ${err instanceof Error ? err.message : String(err)}`);
+    }
+  }
+  state.logStoppers = [];
+  if (!options.keepRunning) {
+    for (const c of state.startedContainers) {
+      try {
+        await stopContainer(c.id, 10);
+      } catch (err) {
+        logger.debug(
+          `docker stop ${c.id} failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+      try {
+        await removeContainer(c.id);
+      } catch (err) {
+        logger.debug(
+          `docker rm -f ${c.id} failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
+    state.startedContainers = [];
+  }
+  await destroyTaskNetwork(state.network);
+  state.network = void 0;
+  for (const v of state.dockerVolumeNames) {
+    try {
+      await execFileAsync6("docker", ["volume", "rm", v]);
+      logger.debug(`Removed docker volume ${v}`);
+    } catch (err) {
+      logger.debug(
+        `docker volume rm ${v} failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  state.dockerVolumeNames = [];
+}
+async function runEcsTask(task, options, state) {
+  const logger = getLogger();
+  if (task.containers.length === 0) {
+    throw new EcsTaskRunnerError(
+      `Task '${task.taskDefinitionLogicalId}' has no containers \u2014 nothing to run.`
+    );
+  }
+  for (const w of task.warnings)
+    logger.warn(w);
+  const dag = buildDependencyGraph(task.containers);
+  const startOrder = topoSort(dag, task.containers);
+  const imagePlan = options.imagePlanByContainer ?? /* @__PURE__ */ new Map();
+  if (!options.imagePlanByContainer) {
+    await prepareImages(task, imagePlan, options);
+  }
+  const allSecrets = [];
+  for (const c of task.containers) {
+    for (const s of c.secrets) {
+      allSecrets.push({ containerName: c.name, name: s.name, valueFrom: s.valueFrom });
+    }
+  }
+  const resolvedSecrets = await resolveEcsSecrets(allSecrets, {
+    ...options.region !== void 0 && { region: options.region }
+  });
+  const secretsByContainer = groupSecretsByContainer(resolvedSecrets);
+  const netCreateOpts = {
+    prefix: options.cluster,
+    skipPull: options.skipPull
+  };
+  if (options.taskCredentials)
+    netCreateOpts.credentials = options.taskCredentials;
+  if (options.cluster)
+    netCreateOpts.cluster = options.cluster;
+  state.network = await createTaskNetwork(netCreateOpts);
+  const volumeByName = await realizeDockerVolumes(task.volumes, state);
+  const dockerCmds = /* @__PURE__ */ new Map();
+  for (const container of task.containers) {
+    const image = imagePlan.get(container.name);
+    if (!image) {
+      throw new EcsTaskRunnerError(
+        `Internal: no resolved image for container '${container.name}'.`
+      );
+    }
+    dockerCmds.set(
+      container.name,
+      buildDockerRunArgs({
+        task,
+        container,
+        image,
+        network: state.network.networkName,
+        volumeByName,
+        secrets: secretsByContainer.get(container.name) ?? [],
+        envOverrides: options.envOverrides,
+        containerHost: options.containerHost,
+        roleArn: options.taskRoleArn,
+        platformOverride: options.platformOverride,
+        region: options.region
+      })
+    );
+  }
+  const startedByName = /* @__PURE__ */ new Map();
+  for (const containerName of startOrder) {
+    const container = task.containers.find((c) => c.name === containerName);
+    await awaitDependencies(container, startedByName);
+    const args = dockerCmds.get(container.name);
+    logger.info(`Starting container '${container.name}' (image=${imagePlan.get(container.name)})`);
+    let id;
+    try {
+      const { stdout } = await execFileAsync6("docker", args, { maxBuffer: 10 * 1024 * 1024 });
+      id = stdout.trim();
+    } catch (err) {
+      const e = err;
+      throw new DockerRunnerError(
+        `docker run failed for container '${container.name}': ${e.stderr?.trim() || e.message || String(err)}`
+      );
+    }
+    state.startedContainers.push({ name: container.name, id });
+    startedByName.set(container.name, { id, container });
+    if (!options.detach) {
+      state.logStoppers.push(streamContainerLogs(container.name, id));
+    }
+  }
+  if (options.detach) {
+    return { exitCode: 0, state };
+  }
+  const essential = task.containers.find((c) => c.essential) ?? task.containers[0];
+  const essentialId = startedByName.get(essential.name)?.id;
+  if (!essentialId) {
+    throw new EcsTaskRunnerError(`Essential container '${essential.name}' did not start.`);
+  }
+  const exitCode = await waitForContainerExit(essentialId);
+  return { exitCode, essentialContainerName: essential.name, state };
+}
+function buildDependencyGraph(containers) {
+  const g = new graphlib2.Graph({ directed: true });
+  for (const c of containers)
+    g.setNode(c.name);
+  for (const c of containers) {
+    for (const d of c.dependsOn) {
+      g.setEdge(c.name, d.containerName);
+    }
+  }
+  const cycles = graphlib2.alg.findCycles(g);
+  if (cycles.length > 0) {
+    throw new EcsTaskRunnerError(
+      `Cyclic DependsOn detected: ${cycles.map((c) => c.join(" -> ")).join("; ")}`
+    );
+  }
+  return g;
+}
+function topoSort(g, containers) {
+  const sorted = graphlib2.alg.topsort(g);
+  const byPosition = /* @__PURE__ */ new Map();
+  containers.forEach((c, idx) => byPosition.set(c.name, idx));
+  return [...sorted].reverse().sort((a, b) => {
+    return (byPosition.get(a) ?? 0) - (byPosition.get(b) ?? 0);
+  });
+}
+async function awaitDependencies(container, started) {
+  for (const dep of container.dependsOn) {
+    const entry = started.get(dep.containerName);
+    if (!entry) {
+      throw new EcsTaskRunnerError(
+        `Container '${container.name}' depends on '${dep.containerName}' but the latter never started.`
+      );
+    }
+    switch (dep.condition) {
+      case "START":
+        break;
+      case "COMPLETE":
+        await waitForContainerExit(entry.id);
+        break;
+      case "SUCCESS": {
+        const code = await waitForContainerExit(entry.id);
+        if (code !== 0) {
+          throw new EcsTaskRunnerError(
+            `Container '${container.name}' requires dependency '${dep.containerName}' to exit 0, but it exited ${code}.`
+          );
+        }
+        break;
+      }
+      case "HEALTHY":
+        await waitForContainerHealthy(entry.id, dep.containerName);
+        break;
+    }
+  }
+}
+async function waitForContainerHealthy(containerId, displayName) {
+  const logger = getLogger().child("ecs-runner");
+  const deadline = Date.now() + 5 * 60 * 1e3;
+  let lastStatus = "";
+  while (Date.now() < deadline) {
+    try {
+      const { stdout } = await execFileAsync6("docker", [
+        "inspect",
+        "--format",
+        "{{.State.Health.Status}}",
+        containerId
+      ]);
+      const status = stdout.trim();
+      if (status !== lastStatus) {
+        logger.debug(`Container '${displayName}' health status: ${status}`);
+        lastStatus = status;
+      }
+      if (status === "healthy")
+        return;
+      if (status === "unhealthy") {
+        throw new EcsTaskRunnerError(
+          `Container '${displayName}' health status is 'unhealthy'; aborting before dependents start.`
+        );
+      }
+    } catch (err) {
+      if (err instanceof EcsTaskRunnerError)
+        throw err;
+      logger.debug(
+        `docker inspect on '${displayName}' failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+    await sleep(1e3);
+  }
+  throw new EcsTaskRunnerError(
+    `Container '${displayName}' did not become healthy within 5 minutes.`
+  );
+}
+async function waitForContainerExit(containerId) {
+  try {
+    const { stdout } = await execFileAsync6("docker", ["wait", containerId], {
+      maxBuffer: 1024 * 1024
+    });
+    const code = Number.parseInt(stdout.trim(), 10);
+    return Number.isFinite(code) ? code : 1;
+  } catch (err) {
+    const e = err;
+    throw new DockerRunnerError(
+      `docker wait failed: ${e.stderr?.trim() || e.message || String(err)}`
+    );
+  }
+}
+async function stopContainer(containerId, graceSeconds) {
+  try {
+    await execFileAsync6("docker", ["stop", "-t", String(graceSeconds), containerId]);
+  } catch {
+  }
+}
+function sleep(ms) {
+  return new Promise((res) => setTimeout(res, ms));
+}
+function streamContainerLogs(containerName, containerId) {
+  const proc = spawn5("docker", ["logs", "-f", containerId], {
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  const prefix = `[${containerName}] `;
+  let stdoutBuf = "";
+  let stderrBuf = "";
+  proc.stdout?.on("data", (chunk) => {
+    stdoutBuf = writePrefixed(prefix, stdoutBuf + chunk.toString("utf-8"), process.stdout);
+  });
+  proc.stderr?.on("data", (chunk) => {
+    stderrBuf = writePrefixed(prefix, stderrBuf + chunk.toString("utf-8"), process.stderr);
+  });
+  proc.on("error", () => {
+  });
+  return () => {
+    if (stdoutBuf)
+      process.stdout.write(prefix + stdoutBuf + "\n");
+    if (stderrBuf)
+      process.stderr.write(prefix + stderrBuf + "\n");
+    if (!proc.killed)
+      proc.kill("SIGTERM");
+  };
+}
+function writePrefixed(prefix, buffer, out) {
+  const lines = buffer.split("\n");
+  const remainder = lines.pop() ?? "";
+  for (const line of lines) {
+    out.write(prefix + line + "\n");
+  }
+  return remainder;
+}
+async function prepareImages(task, out, options) {
+  const logger = getLogger().child("ecs-runner");
+  for (const container of task.containers) {
+    const image = await prepareOneImage(task, container, options);
+    out.set(container.name, image);
+    logger.debug(`Container '${container.name}' image=${image}`);
+  }
+}
+async function prepareOneImage(task, container, options) {
+  const image = container.image;
+  switch (image.kind) {
+    case "public": {
+      await pullImage(image.uri, options.skipPull);
+      return image.uri;
+    }
+    case "ecr": {
+      return pullEcrImage(image.uri, {
+        skipPull: options.skipPull,
+        ...options.region !== void 0 && { region: options.region }
+      });
+    }
+    case "cdk-asset": {
+      const cdkOutDir = task.stack.assetManifestPath ? dirname6(task.stack.assetManifestPath) : void 0;
+      if (!cdkOutDir) {
+        throw new EcsTaskRunnerError(
+          `Container '${container.name}' uses a CDK asset image but the stack has no asset manifest. Re-synthesize the app (without \`--output <stale-dir>\`) and retry.`
+        );
+      }
+      const loader = new AssetManifestLoader();
+      const manifest = await loader.loadManifest(cdkOutDir, task.stack.stackName);
+      if (!manifest) {
+        throw new EcsTaskRunnerError(
+          `No asset manifest at ${cdkOutDir} for stack ${task.stack.stackName}.`
+        );
+      }
+      const dockerImages = manifest.dockerImages ?? {};
+      const entries = Object.entries(dockerImages);
+      let asset;
+      if (image.assetHash && dockerImages[image.assetHash]) {
+        asset = dockerImages[image.assetHash];
+      } else if (entries.length === 1) {
+        asset = entries[0][1];
+      }
+      if (!asset) {
+        throw new EcsTaskRunnerError(
+          `Container '${container.name}' references a CDK asset image but no matching entry was found in cdk.out. Re-synthesize the CDK app and retry.`
+        );
+      }
+      const tag = `cdkd-local-run-task-${(image.assetHash ?? "single").slice(0, 16)}`;
+      await buildDockerImage(asset, cdkOutDir, tag, {
+        ...options.platformOverride !== void 0 && { platform: options.platformOverride },
+        wrapError: (stderr) => new LocalInvokeBuildError(
+          `docker build failed for ECS container '${container.name}' (${asset.source.directory}): ${stderr}`
+        )
+      });
+      return tag;
+    }
+  }
+}
+async function realizeDockerVolumes(volumes, state) {
+  const logger = getLogger().child("ecs-runner");
+  const out = /* @__PURE__ */ new Map();
+  for (const v of volumes) {
+    if (v.kind === "host") {
+      if (v.hostPath && !checkVolumeHostPath(v.hostPath)) {
+        logger.warn(
+          `Volume '${v.name}': host path '${v.hostPath}' does not exist or is not a directory. Docker will create an anonymous bind mount; create the host path before run-task if you expected to bind-mount it.`
+        );
+      }
+      out.set(v.name, v);
+      continue;
+    }
+    const cfg = v.dockerVolumeConfig;
+    const args = ["volume", "create"];
+    if (cfg?.driver)
+      args.push("--driver", cfg.driver);
+    if (cfg?.driverOpts) {
+      for (const [k, val] of Object.entries(cfg.driverOpts))
+        args.push("--opt", `${k}=${val}`);
+    }
+    if (cfg?.labels) {
+      for (const [k, val] of Object.entries(cfg.labels))
+        args.push("--label", `${k}=${val}`);
+    }
+    const dockerVolumeName = `cdkd-local-${v.name}-${randHex(4)}`;
+    args.push(dockerVolumeName);
+    try {
+      await execFileAsync6("docker", args);
+      state.dockerVolumeNames.push(dockerVolumeName);
+      logger.debug(`Created docker volume ${dockerVolumeName} for task volume '${v.name}'`);
+    } catch (err) {
+      const e = err;
+      throw new DockerRunnerError(
+        `docker volume create failed for '${v.name}': ${e.stderr?.trim() || e.message || String(err)}`
+      );
+    }
+    out.set(v.name, { ...v, dockerVolumeName });
+  }
+  return out;
+}
+function randHex(bytes) {
+  return randomBytes2(bytes).toString("hex");
+}
+function groupSecretsByContainer(resolved) {
+  const out = /* @__PURE__ */ new Map();
+  for (const r of resolved) {
+    const arr = out.get(r.containerName) ?? [];
+    arr.push({ name: r.name, value: r.value });
+    out.set(r.containerName, arr);
+  }
+  return out;
+}
+function buildDockerRunArgs(opts) {
+  const { task, container, image, network, volumeByName, secrets, containerHost, roleArn } = opts;
+  const args = ["run", "-d"];
+  args.push("--name", `cdkd-local-${task.family}-${container.name}-${randHex(3)}`);
+  args.push("--network", network);
+  args.push("--network-alias", container.name);
+  if (opts.platformOverride) {
+    args.push("--platform", opts.platformOverride);
+  } else if (task.runtimePlatform) {
+    args.push(
+      "--platform",
+      task.runtimePlatform.cpuArchitecture === "ARM64" ? "linux/arm64" : "linux/amd64"
+    );
+  }
+  for (const pm of container.portMappings) {
+    const hostPort = pm.hostPort ?? pm.containerPort;
+    args.push("-p", `${containerHost}:${hostPort}:${pm.containerPort}/${pm.protocol}`);
+  }
+  for (const mp of container.mountPoints) {
+    const v = volumeByName.get(mp.sourceVolume);
+    if (!v)
+      continue;
+    if (v.kind === "host") {
+      if (v.hostPath) {
+        const ro = mp.readOnly ? ":ro" : "";
+        args.push("-v", `${v.hostPath}:${mp.containerPath}${ro}`);
+      } else {
+        args.push("-v", mp.containerPath);
+      }
+    } else {
+      const name = v.dockerVolumeName ?? v.name;
+      const ro = mp.readOnly ? ":ro" : "";
+      args.push("-v", `${name}:${mp.containerPath}${ro}`);
+    }
+  }
+  const finalEnv = {};
+  const metaEnv = buildMetadataEnv({
+    containerName: container.name,
+    ...roleArn !== void 0 && { roleArn },
+    ...opts.region !== void 0 && { region: opts.region }
+  });
+  Object.assign(finalEnv, metaEnv);
+  Object.assign(finalEnv, container.environment);
+  for (const s of secrets)
+    finalEnv[s.name] = s.value;
+  const overrides = opts.envOverrides;
+  if (overrides) {
+    applyOverrideMap2(finalEnv, overrides["Parameters"]);
+    applyOverrideMap2(finalEnv, overrides[container.name]);
+  }
+  for (const [k, v] of Object.entries(finalEnv)) {
+    args.push("-e", `${k}=${v}`);
+  }
+  if (container.user)
+    args.push("--user", container.user);
+  if (container.privileged)
+    args.push("--privileged");
+  if (container.readonlyRootFilesystem)
+    args.push("--read-only");
+  if (container.workingDirectory)
+    args.push("--workdir", container.workingDirectory);
+  for (const u of container.ulimits) {
+    args.push("--ulimit", `${u.name}=${u.softLimit}:${u.hardLimit}`);
+  }
+  for (const link of container.links)
+    args.push("--link", link);
+  if (container.healthCheck) {
+    args.push("--health-cmd", shellJoin(container.healthCheck.command));
+    if (container.healthCheck.interval !== void 0) {
+      args.push("--health-interval", `${container.healthCheck.interval}s`);
+    }
+    if (container.healthCheck.timeout !== void 0) {
+      args.push("--health-timeout", `${container.healthCheck.timeout}s`);
+    }
+    if (container.healthCheck.retries !== void 0) {
+      args.push("--health-retries", String(container.healthCheck.retries));
+    }
+    if (container.healthCheck.startPeriod !== void 0) {
+      args.push("--health-start-period", `${container.healthCheck.startPeriod}s`);
+    }
+  }
+  let entryPointTail = [];
+  if (container.entryPoint && container.entryPoint.length > 0) {
+    args.push("--entrypoint", container.entryPoint[0]);
+    entryPointTail = container.entryPoint.slice(1);
+  }
+  args.push(image, ...entryPointTail, ...container.command ?? []);
+  return args;
+}
+function applyOverrideMap2(acc, map) {
+  if (!map)
+    return;
+  for (const [k, v] of Object.entries(map)) {
+    if (v === null)
+      delete acc[k];
+    else if (typeof v === "string" || typeof v === "number" || typeof v === "boolean") {
+      acc[k] = String(v);
+    }
+  }
+}
+function shellJoin(parts) {
+  return parts.map((p) => {
+    if (/^[A-Za-z0-9_\-./=:]+$/.test(p))
+      return p;
+    return `'${p.replace(/'/g, "'\\''")}'`;
+  }).join(" ");
+}
+// src/cli/commands/local-run-task.ts
+async function localRunTaskCommand(target, options) {
+  const logger = getLogger();
+  if (options.verbose)
+    logger.setLevel("debug");
+  warnIfDeprecatedRegion(options);
+  const state = createEcsRunState();
+  let sigintHandler;
+  let sigintCount = 0;
+  let cleanupPromise;
+  const cleanup = async () => {
+    if (!cleanupPromise) {
+      cleanupPromise = (async () => {
+        try {
+          await cleanupEcsRun(state, { keepRunning: options.keepRunning });
+        } catch (err) {
+          getLogger().debug(`cleanup failed: ${err instanceof Error ? err.message : String(err)}`);
+        }
+      })();
+    }
+    await cleanupPromise;
+  };
+  try {
+    await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
+    await ensureDockerAvailable();
+    const appCmd = resolveApp(options.app);
+    if (!appCmd) {
+      throw new Error('No CDK app specified. Pass --app, set CDKD_APP, or add "app" to cdk.json.');
+    }
+    logger.info("Synthesizing CDK app...");
+    const synthesizer = new Synthesizer();
+    const context = parseContextOptions(options.context);
+    const synthOpts = {
+      app: appCmd,
+      output: options.output,
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile },
+      ...Object.keys(context).length > 0 && { context }
+    };
+    const { stacks } = await synthesizer.synthesize(synthOpts);
+    const task = resolveEcsTaskTarget(target, stacks);
+    logger.info(
+      `Target: ${task.stack.stackName}/${task.taskDefinitionLogicalId} (family=${task.family}, containers=${task.containers.length})`
+    );
+    sigintHandler = () => {
+      sigintCount += 1;
+      if (sigintCount >= 2) {
+        process.stderr.write("Force-exit on second ^C; container cleanup skipped.\n");
+        process.exit(130);
+      }
+      logger.info("Stopping task...");
+      void cleanup().then(() => process.exit(130));
+    };
+    process.on("SIGINT", sigintHandler);
+    let assumedCredentials;
+    let resolvedRoleArn;
+    if (options.assumeTaskRole === true) {
+      if (!task.taskRoleArn) {
+        throw new Error(
+          `--assume-task-role passed without an ARN but the task definition's TaskRoleArn could not be resolved statically. Pass the ARN explicitly: --assume-task-role <arn>`
+        );
+      }
+      resolvedRoleArn = task.taskRoleArn;
+      assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
+    } else if (typeof options.assumeTaskRole === "string") {
+      resolvedRoleArn = options.assumeTaskRole;
+      assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
+    }
+    const envOverrides = readEnvOverridesFile2(options.envVars);
+    const runOpts = {
+      cluster: options.cluster,
+      containerHost: options.containerHost,
+      skipPull: options.pull === false,
+      keepRunning: options.keepRunning,
+      detach: options.detach
+    };
+    if (envOverrides)
+      runOpts.envOverrides = envOverrides;
+    if (assumedCredentials)
+      runOpts.taskCredentials = assumedCredentials;
+    if (resolvedRoleArn)
+      runOpts.taskRoleArn = resolvedRoleArn;
+    if (options.platform)
+      runOpts.platformOverride = options.platform;
+    if (options.region)
+      runOpts.region = options.region;
+    const result = await runEcsTask(task, runOpts, state);
+    if (options.detach) {
+      logger.info("Task containers started in detached mode; cdkd is exiting.");
+      logger.info(
+        `Use 'docker ps --filter network=${result.state.network?.networkName ?? "<network>"}' to inspect; tear down with 'docker rm -f' and 'docker network rm'.`
+      );
+      sigintCount = 99;
+      return;
+    }
+    if (result.essentialContainerName) {
+      logger.info(
+        `Essential container '${result.essentialContainerName}' exited with code ${result.exitCode}.`
+      );
+    }
+    if (result.exitCode !== 0) {
+      process.exitCode = result.exitCode;
+    }
+  } finally {
+    if (sigintHandler)
+      process.off("SIGINT", sigintHandler);
+    if (!options.detach)
+      await cleanup();
+  }
+}
+async function assumeTaskRole(roleArn, region) {
+  const { STSClient: STSClient11, AssumeRoleCommand: AssumeRoleCommand2 } = await import("@aws-sdk/client-sts");
+  const sts = new STSClient11({ ...region && { region } });
+  try {
+    const response = await sts.send(
+      new AssumeRoleCommand2({
+        RoleArn: roleArn,
+        RoleSessionName: `cdkd-local-run-task-${Date.now()}`,
+        DurationSeconds: 3600
+      })
+    );
+    const creds = response.Credentials;
+    if (!creds?.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) {
+      throw new Error(`AssumeRole(${roleArn}) returned no usable credentials.`);
+    }
+    return {
+      accessKeyId: creds.AccessKeyId,
+      secretAccessKey: creds.SecretAccessKey,
+      sessionToken: creds.SessionToken
+    };
+  } finally {
+    sts.destroy();
+  }
+}
+function readEnvOverridesFile2(filePath) {
+  if (!filePath)
+    return void 0;
+  let raw;
+  try {
+    raw = readFileSync7(filePath, "utf-8");
+  } catch (err) {
+    throw new Error(
+      `Failed to read --env-vars file '${filePath}': ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Failed to parse --env-vars file '${filePath}' as JSON: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error(`--env-vars file '${filePath}' must contain a JSON object at the top level.`);
+  }
+  return parsed;
+}
+function createLocalRunTaskCommand() {
+  const cmd = new Command15("run-task").description(
+    "Run an AWS::ECS::TaskDefinition locally \u2014 pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix."
+  ).argument(
+    "<target>",
+    "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run"
+  ).addOption(
+    new Option8(
+      "--cluster <name>",
+      "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix"
+    ).default("cdkd-local")
+  ).addOption(
+    new Option8(
+      "--env-vars <file>",
+      'JSON env-var overrides (SAM-compatible: {"ContainerName":{"KEY":"VALUE"}, "Parameters":{}})'
+    )
+  ).addOption(
+    new Option8(
+      "--container-host <ip>",
+      "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)"
+    ).default("127.0.0.1")
+  ).addOption(
+    new Option8(
+      "--assume-task-role [arn]",
+      "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override."
+    )
+  ).addOption(
+    new Option8("--no-pull", "Skip docker pull for every container image and the metadata sidecar")
+  ).addOption(
+    new Option8(
+      "--platform <platform>",
+      "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture"
+    )
+  ).addOption(
+    new Option8(
+      "--keep-running",
+      "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems."
+    ).default(false)
+  ).addOption(
+    new Option8(
+      "--detach",
+      "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle."
+    ).default(false)
+  ).action(withErrorHandling(localRunTaskCommand));
+  [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => cmd.addOption(opt));
+  cmd.addOption(deprecatedRegionOption);
+  return cmd;
+}
 // src/cli/commands/local-invoke.ts
 async function localInvokeCommand(target, options) {
   const logger = getLogger();
@@ -76701,7 +78175,7 @@ async function localInvokeCommand(target, options) {
         }
       }
     }
-    const overrides = readEnvOverridesFile2(options.envVars);
+    const overrides = readEnvOverridesFile3(options.envVars);
     const envResult = resolveEnvVars(lambda.logicalId, templateEnv, overrides);
     for (const key of envResult.unresolved) {
       if (stateAudit && stateAudit.unresolved.some((u) => u.key === key))
@@ -76879,7 +78353,7 @@ async function resolveLocalBuildPlan(lambda) {
   const manifestPath = lambda.stack.assetManifestPath;
   if (!manifestPath)
     return void 0;
-  const cdkOutDir = dirname5(manifestPath);
+  const cdkOutDir = dirname7(manifestPath);
   const loader = new AssetManifestLoader();
   const manifest = await loader.loadManifest(cdkOutDir, lambda.stack.stackName);
   if (!manifest)
@@ -76899,12 +78373,12 @@ function getTemplateEnv2(resource) {
     return void 0;
   return vars;
 }
-function readEnvOverridesFile2(filePath) {
+function readEnvOverridesFile3(filePath) {
   if (!filePath)
     return void 0;
   let raw;
   try {
-    raw = readFileSync7(filePath, "utf-8");
+    raw = readFileSync8(filePath, "utf-8");
   } catch (err) {
     throw new Error(
       `Failed to read --env-vars file '${filePath}': ${err instanceof Error ? err.message : String(err)}`
@@ -76932,7 +78406,7 @@ async function readEvent(options) {
     return parseEvent(raw, "<stdin>");
   }
   if (options.event) {
-    const raw = readFileSync7(options.event, "utf-8");
+    const raw = readFileSync8(options.event, "utf-8");
     return parseEvent(raw, options.event);
   }
   return {};
@@ -77107,40 +78581,40 @@ function pickReferencedLogicalId(intrinsic) {
   return void 0;
 }
 function createLocalCommand() {
-  const local = new Command15("local").description(
-    "Local Lambda execution against the AWS Lambda Runtime Interface Emulator (Docker required)"
+  const local = new Command16("local").description(
+    "Local execution of Lambda functions (RIE) and ECS task definitions (Docker required)"
   );
-  const invoke = new Command15("invoke").description(
+  const invoke = new Command16("invoke").description(
     "Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix."
-  ).argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option8("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option8("--event-stdin", "Read event JSON from stdin").default(false)).addOption(
-    new Option8(
+  ).argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option9("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option9("--event-stdin", "Read event JSON from stdin").default(false)).addOption(
+    new Option9(
       "--env-vars <file>",
       'JSON env-var overrides (SAM-compatible: {"LogicalId":{"KEY":"VALUE"}})'
     )
   ).addOption(
-    new Option8(
+    new Option9(
       "--no-pull",
       "Skip docker pull (use cached image) \u2014 no-op for IMAGE local-build path; `docker build` does not pull base layers by default"
     )
   ).addOption(
-    new Option8(
+    new Option9(
       "--no-build",
       "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull."
     )
-  ).addOption(new Option8("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(
-    new Option8("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")
+  ).addOption(new Option9("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(
+    new Option9("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")
   ).addOption(
-    new Option8(
+    new Option9(
       "--assume-role <arn>",
       `Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions (closes the "developer admin / function narrow" skew). Off by default \u2014 when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default).`
     )
   ).addOption(
-    new Option8(
+    new Option9(
       "--from-state",
       "Read cdkd S3 state for the target stack and substitute Ref / Fn::GetAtt / Fn::Sub in env vars with the deployed physical IDs / attributes. Off by default \u2014 keep PR 1 warn-and-drop semantics; turn on for stacks already deployed via cdkd deploy."
     ).default(false)
   ).addOption(
-    new Option8(
+    new Option9(
       "--stack-region <region>",
       "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions)."
     )
@@ -77151,6 +78625,7 @@ function createLocalCommand() {
   invoke.addOption(deprecatedRegionOption);
   local.addCommand(invoke);
   local.addCommand(createLocalStartApiCommand());
+  local.addCommand(createLocalRunTaskCommand());
   return local;
 }
@@ -77182,8 +78657,8 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command16();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.81.0");
+  const program = new Command17();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.82.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());