@go-to-k/cdkd 0.82.0 → 0.83.0

package/dist/cli.js

@@ -70040,6 +70040,76 @@ import { dirname as dirname7 } from "node:path";
 import * as path2 from "node:path";
 import { Command as Command16, Option as Option9 } from "commander";
 
+// src/cli/commands/local-state-loader.ts
+init_aws_clients();
+async function loadStateForStack(stackName, synthRegion, opts) {
+  const logger = getLogger();
+  const prefix = opts.logPrefix ?? "--from-state";
+  const region = opts.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? synthRegion ?? "us-east-1";
+  let stateBucket;
+  try {
+    stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, region);
+  } catch (err) {
+    logger.warn(
+      `${prefix}: could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Falling back.`
+    );
+    return void 0;
+  }
+  const awsClients = new AwsClients({
+    ...opts.region !== void 0 && { region: opts.region },
+    ...opts.profile !== void 0 && { profile: opts.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: opts.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...opts.region !== void 0 && { region: opts.region },
+      ...opts.profile !== void 0 && { profile: opts.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
+    if (refs.length === 0) {
+      logger.warn(
+        `${prefix}: no cdkd state found for stack '${stackName}' in bucket '${stateBucket}'. Was it deployed via 'cdkd deploy'? Falling back.`
+      );
+      return void 0;
+    }
+    let targetRegion;
+    if (opts.stackRegion) {
+      const found = refs.find((r) => r.region === opts.stackRegion);
+      if (!found) {
+        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+        logger.warn(
+          `${prefix}: stack '${stackName}' has no state in region '${opts.stackRegion}' (available: ${seen}). Falling back.`
+        );
+        return void 0;
+      }
+      targetRegion = opts.stackRegion;
+    } else if (synthRegion && refs.some((r) => r.region === synthRegion)) {
+      targetRegion = synthRegion;
+    } else if (refs.length === 1) {
+      targetRegion = refs[0].region ?? synthRegion ?? region;
+    } else {
+      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      logger.warn(
+        `${prefix}: stack '${stackName}' has state in multiple regions (${seen}). Re-run with --stack-region <region>. Falling back.`
+      );
+      return void 0;
+    }
+    const stateData = await stateBackend.getState(stackName, targetRegion);
+    if (!stateData) {
+      logger.warn(
+        `${prefix}: state record for '${stackName}' (${targetRegion}) returned empty. Falling back.`
+      );
+      return void 0;
+    }
+    logger.debug(`${prefix}: loaded state for ${stackName} (${targetRegion})`);
+    return { state: stateData.state, region: targetRegion };
+  } finally {
+    awsClients.destroy();
+  }
+}
+
 // src/local/lambda-resolver.ts
 import { existsSync as existsSync4, statSync as statSync3 } from "node:fs";
 import { dirname, isAbsolute, resolve as resolve4 } from "node:path";
@@ -71217,8 +71287,23 @@ function extractHashFromImageUri(imageUri) {
   return match?.[1];
 }
 
-// src/cli/commands/local-invoke.ts
-init_aws_clients();
+// src/utils/single-flight.ts
+function singleFlight(fn, onError) {
+  let promise;
+  return async () => {
+    if (!promise) {
+      promise = (async () => {
+        try {
+          await fn();
+        } catch (err) {
+          if (onError)
+            onError(err);
+        }
+      })();
+    }
+    await promise;
+  };
+}
 
 // src/cli/commands/local-start-api.ts
 import { cpSync, mkdirSync as mkdirSync2, mkdtempSync as mkdtempSync2, readFileSync as readFileSync6, rmSync as rmSync2, writeFileSync as writeFileSync5 } from "node:fs";
@@ -76047,21 +76132,12 @@ async function localStartApiCommand(options) {
     });
     logger.info(`Watching ${options.output} (and ${lastAssetPaths.value.length} asset dir(s))`);
   }
-  let shuttingDown = false;
+  let shutdownStarted = false;
+  let firstSignal;
+  let firstExitCode = 0;
   let forceExitArmed = false;
-  const shutdown = async (signal, exitCode) => {
-    if (shuttingDown) {
-      if (!forceExitArmed) {
-        forceExitArmed = true;
-        logger.warn(
-          `Received second ${signal}; force-exiting. Orphan containers may remain \u2014 run 'docker ps --filter name=cdkd-local-' and 'docker rm -f' to clean up.`
-        );
-        process.exit(130);
-      }
-      return;
-    }
-    shuttingDown = true;
-    logger.info(`Received ${signal}, shutting down...`);
+  const runCleanup = singleFlight(async () => {
+    logger.info(`Received ${firstSignal}, shutting down...`);
     if (watcher) {
       try {
         await watcher.close();
@@ -76109,7 +76185,23 @@ async function localStartApiCommand(options) {
         );
       }
     }
-    process.exit(exitCode);
+  });
+  const shutdown = async (signal, exitCode) => {
+    if (shutdownStarted) {
+      if (!forceExitArmed) {
+        forceExitArmed = true;
+        logger.warn(
+          `Received second ${signal}; force-exiting. Orphan containers may remain \u2014 run 'docker ps --filter name=cdkd-local-' and 'docker rm -f' to clean up.`
+        );
+        process.exit(130);
+      }
+      return;
+    }
+    shutdownStarted = true;
+    firstSignal = signal;
+    firstExitCode = exitCode;
+    await runCleanup();
+    process.exit(firstExitCode);
   };
   process.on("SIGINT", () => {
     void shutdown("SIGINT", 130);
@@ -76621,6 +76713,83 @@ var EcsTaskResolutionError = class _EcsTaskResolutionError extends Error {
     Object.setPrototypeOf(this, _EcsTaskResolutionError.prototype);
   }
 };
+function derivePartitionAndUrlSuffix(region) {
+  if (region.startsWith("cn-"))
+    return { partition: "aws-cn", urlSuffix: "amazonaws.com.cn" };
+  if (region.startsWith("us-gov-"))
+    return { partition: "aws-us-gov", urlSuffix: "amazonaws.com" };
+  if (region.startsWith("us-iso-"))
+    return { partition: "aws-iso", urlSuffix: "c2s.ic.gov" };
+  if (region.startsWith("us-isob-"))
+    return { partition: "aws-iso-b", urlSuffix: "sc2s.sgov.gov" };
+  return { partition: "aws", urlSuffix: "amazonaws.com" };
+}
+function detectEcsImageResolutionNeeds(stack) {
+  const resources = stack.template.Resources ?? {};
+  let needsPseudoParameters = false;
+  let needsStateResources = false;
+  for (const res of Object.values(resources)) {
+    if (res.Type !== "AWS::ECS::TaskDefinition")
+      continue;
+    const props = res.Properties ?? {};
+    const containers = Array.isArray(props["ContainerDefinitions"]) ? props["ContainerDefinitions"] : [];
+    for (const c of containers) {
+      if (!c || typeof c !== "object")
+        continue;
+      const image = c["Image"];
+      const need = inspectImageForSubstitutions(image, resources);
+      if (need.pseudo)
+        needsPseudoParameters = true;
+      if (need.state)
+        needsStateResources = true;
+      if (needsPseudoParameters && needsStateResources)
+        break;
+    }
+    if (needsPseudoParameters && needsStateResources)
+      break;
+  }
+  return { needsPseudoParameters, needsStateResources };
+}
+function inspectImageForSubstitutions(image, resources) {
+  if (!image || typeof image !== "object")
+    return { pseudo: false, state: false };
+  const obj = image;
+  const getAtt = obj["Fn::GetAtt"];
+  if (getAtt !== void 0) {
+    let lid;
+    if (Array.isArray(getAtt) && typeof getAtt[0] === "string")
+      lid = getAtt[0];
+    else if (typeof getAtt === "string")
+      lid = getAtt.split(".")[0];
+    if (lid && resources[lid]?.Type === "AWS::ECR::Repository") {
+      return { pseudo: false, state: true };
+    }
+  }
+  let sub;
+  const subRaw = obj["Fn::Sub"];
+  if (typeof subRaw === "string")
+    sub = subRaw;
+  else if (Array.isArray(subRaw) && typeof subRaw[0] === "string")
+    sub = subRaw[0];
+  if (!sub)
+    return { pseudo: false, state: false };
+  let pseudo = false;
+  let state = false;
+  const placeholderRegex = /\$\{([^}]+)\}/g;
+  let m;
+  while ((m = placeholderRegex.exec(sub)) !== null) {
+    const key = m[1];
+    if (key.startsWith("AWS::")) {
+      pseudo = true;
+      continue;
+    }
+    const dot = key.indexOf(".");
+    const lid = dot === -1 ? key : key.slice(0, dot);
+    if (resources[lid]?.Type === "AWS::ECR::Repository")
+      state = true;
+  }
+  return { pseudo, state };
+}
 function parseEcsTarget(target) {
   if (typeof target !== "string" || target.length === 0) {
     throw new EcsTaskResolutionError(
@@ -76642,7 +76811,7 @@ function parseEcsTarget(target) {
   }
   return { stackPattern: null, pathOrId: target, isPath: false };
 }
-function resolveEcsTaskTarget(target, stacks) {
+function resolveEcsTaskTarget(target, stacks, context) {
   if (stacks.length === 0) {
     throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
   }
@@ -76685,7 +76854,7 @@ function resolveEcsTaskTarget(target, stacks) {
       `Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`
     );
   }
-  return extractTaskDefinitionProperties(stack, logicalId, resource);
+  return extractTaskDefinitionProperties(stack, logicalId, resource, context);
 }
 function pickStack2(parsed, stacks) {
   if (parsed.stackPattern === null) {
@@ -76708,7 +76877,7 @@ function pickStack2(parsed, stacks) {
   }
   return matched[0];
 }
-function extractTaskDefinitionProperties(stack, logicalId, resource) {
+function extractTaskDefinitionProperties(stack, logicalId, resource, context) {
   const props = resource.Properties ?? {};
   const warnings = [];
   const family = pickString(props["Family"]) ?? logicalId;
@@ -76735,7 +76904,7 @@ function extractTaskDefinitionProperties(stack, logicalId, resource) {
     throw new EcsTaskResolutionError(`Task definition '${logicalId}' has no ContainerDefinitions.`);
   }
   const containers = rawContainers.map(
-    (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack)
+    (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack, context)
   );
   const rawVolumes = props["Volumes"];
   const volumes = Array.isArray(rawVolumes) ? rawVolumes.map((v, idx) => parseVolume(v, idx, logicalId)) : [];
@@ -76781,7 +76950,7 @@ function parseRuntimePlatform(value) {
     return void 0;
   return { cpuArchitecture: cpu, operatingSystemFamily: os };
 }
-function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack) {
+function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, context) {
   if (!raw || typeof raw !== "object") {
     throw new EcsTaskResolutionError(
       `Task '${taskLogicalId}' ContainerDefinitions[${idx}] is not an object.`
@@ -76794,7 +76963,7 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack) {
       `Task '${taskLogicalId}' ContainerDefinitions[${idx}] has no Name.`
     );
   }
-  const image = parseContainerImage(c["Image"], name, taskLogicalId, resources, stack);
+  const image = parseContainerImage(c["Image"], name, taskLogicalId, resources, stack, context);
   const command = pickStringArray2(c["Command"]);
   const entryPoint = pickStringArray2(c["EntryPoint"]);
   const workingDirectory = pickString(c["WorkingDirectory"]);
@@ -76940,7 +77109,11 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack) {
     out.readonlyRootFilesystem = readonlyRootFilesystem;
   return out;
 }
-function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack) {
+function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack, context) {
+  const getAttImage = tryResolveImageGetAtt(raw, resources, context);
+  if (getAttImage) {
+    return classifyResolvedImage(getAttImage);
+  }
   const flat = extractImageString(raw);
   if (!flat) {
     throw new EcsTaskResolutionError(
@@ -76954,23 +77127,123 @@ function parseContainerImage(raw, containerName, taskLogicalId, resources, _stac
       out.assetHash = hashMatch[1];
     return out;
   }
-  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(flat);
-  if (ecrMatch) {
-    return { kind: "ecr", uri: flat, account: ecrMatch[1], region: ecrMatch[2] };
-  }
-  if (flat.includes("${") && flat.includes("AWS::AccountId")) {
+  const substituted = substituteImagePlaceholders(flat, resources, context);
+  if (substituted.includes("${")) {
+    const unresolvedRepoRef = findUnresolvedEcrRepositoryRef(substituted, resources);
+    if (unresolvedRepoRef) {
+      throw new EcsTaskResolutionError(
+        `Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${unresolvedRepoRef}'. cdkd local run-task v1 cannot resolve the repository URI without state \u2014 pass --from-state (the stack must have been deployed via cdkd deploy), build via ContainerImage.fromAsset, or pin a public image.`
+      );
+    }
+    if (substituted.includes("AWS::")) {
+      throw new EcsTaskResolutionError(
+        `Container '${containerName}' in task '${taskLogicalId}' has an Image that references AWS pseudo parameters (${substituted}). cdkd could not resolve them: confirm AWS credentials are configured so STS GetCallerIdentity succeeds, and that --region / AWS_REGION names the target region. Workaround: build the image locally (ContainerImage.fromAsset) or pin a public image.`
+      );
+    }
     throw new EcsTaskResolutionError(
-      `Container '${containerName}' in task '${taskLogicalId}' has an Image that references AWS pseudo parameters (${flat}). cdkd local run-task v1 cannot resolve account-scoped ECR repos at synth time. Build the image locally (CDK ContainerImage.fromAsset) or pin to a public image to test locally.`
+      `Container '${containerName}' in task '${taskLogicalId}' has an Image with unresolved \${...} placeholders (${substituted}). cdkd local run-task v1 only resolves AWS pseudo parameters and same-stack AWS::ECR::Repository refs.`
     );
   }
-  for (const [refLogicalId, res] of Object.entries(resources)) {
-    if (res.Type === "AWS::ECR::Repository" && flat.includes(refLogicalId)) {
-      throw new EcsTaskResolutionError(
-        `Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${refLogicalId}'. cdkd local run-task v1 cannot resolve the repository URI without state \u2014 build via ContainerImage.fromAsset or pin a public image.`
-      );
+  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(substituted);
+  if (ecrMatch) {
+    return { kind: "ecr", uri: substituted, account: ecrMatch[1], region: ecrMatch[2] };
+  }
+  return { kind: "public", uri: substituted };
+}
+function findUnresolvedEcrRepositoryRef(substituted, resources) {
+  const placeholderRegex = /\$\{([^}]+)\}/g;
+  let m;
+  while ((m = placeholderRegex.exec(substituted)) !== null) {
+    const key = m[1];
+    if (key.startsWith("AWS::"))
+      continue;
+    const dot = key.indexOf(".");
+    const lid = dot === -1 ? key : key.slice(0, dot);
+    if (resources[lid]?.Type === "AWS::ECR::Repository")
+      return lid;
+  }
+  return void 0;
+}
+function classifyResolvedImage(uri) {
+  if (uri.includes("cdk-hnb659fds-container-assets-")) {
+    const hashMatch = /:([a-f0-9]{8,})$/.exec(uri);
+    const out = { kind: "cdk-asset" };
+    if (hashMatch)
+      out.assetHash = hashMatch[1];
+    return out;
+  }
+  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(uri);
+  if (ecrMatch) {
+    return { kind: "ecr", uri, account: ecrMatch[1], region: ecrMatch[2] };
+  }
+  return { kind: "public", uri };
+}
+function substituteImagePlaceholders(flat, resources, context) {
+  if (!flat.includes("${"))
+    return flat;
+  return flat.replace(/\$\{([^}]+)\}/g, (full, key) => {
+    if (context?.pseudoParameters) {
+      if (key === "AWS::AccountId" && context.pseudoParameters.accountId) {
+        return context.pseudoParameters.accountId;
+      }
+      if (key === "AWS::Region" && context.pseudoParameters.region) {
+        return context.pseudoParameters.region;
+      }
+      if (key === "AWS::Partition" && context.pseudoParameters.partition) {
+        return context.pseudoParameters.partition;
+      }
+      if (key === "AWS::URLSuffix" && context.pseudoParameters.urlSuffix) {
+        return context.pseudoParameters.urlSuffix;
+      }
+    }
+    if (context?.stateResources) {
+      const dot = key.indexOf(".");
+      const logicalId = dot === -1 ? key : key.slice(0, dot);
+      const refResource = resources[logicalId];
+      const stateEntry = context.stateResources[logicalId];
+      if (refResource?.Type === "AWS::ECR::Repository" && stateEntry) {
+        if (dot === -1) {
+          return stateEntry.physicalId;
+        }
+        const attr = key.slice(dot + 1);
+        const cached = stateEntry.attributes?.[attr];
+        if (typeof cached === "string")
+          return cached;
+      }
+    }
+    return full;
+  });
+}
+function tryResolveImageGetAtt(raw, resources, context) {
+  if (!raw || typeof raw !== "object")
+    return void 0;
+  const obj = raw;
+  const arg = obj["Fn::GetAtt"];
+  if (arg === void 0)
+    return void 0;
+  let logicalId;
+  let attr;
+  if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && typeof arg[1] === "string") {
+    logicalId = arg[0];
+    attr = arg[1];
+  } else if (typeof arg === "string") {
+    const dot = arg.indexOf(".");
+    if (dot > 0 && dot < arg.length - 1) {
+      logicalId = arg.slice(0, dot);
+      attr = arg.slice(dot + 1);
     }
   }
-  return { kind: "public", uri: flat };
+  if (!logicalId || !attr)
+    return void 0;
+  const refResource = resources[logicalId];
+  if (refResource?.Type !== "AWS::ECR::Repository")
+    return void 0;
+  if (attr !== "RepositoryUri" && attr !== "Arn")
+    return void 0;
+  const cached = context?.stateResources?.[logicalId]?.attributes?.[attr];
+  if (typeof cached === "string" && cached.length > 0)
+    return cached;
+  return void 0;
 }
 function extractImageString(value) {
   if (typeof value === "string" && value.length > 0)
@@ -77049,6 +77322,7 @@ function parseVolume(raw, idx, taskLogicalId) {
   }
   return { name, kind: "host" };
 }
+var TASK_ROLE_ACCOUNT_PLACEHOLDER = "${AWS::AccountId}";
 function resolveRoleArn(value, resources) {
   if (value === void 0 || value === null)
     return void 0;
@@ -77057,24 +77331,23 @@ function resolveRoleArn(value, resources) {
   if (typeof value !== "object")
     return void 0;
   const obj = value;
+  let refLogicalId;
   if ("Ref" in obj && typeof obj["Ref"] === "string") {
-    const refLogicalId = obj["Ref"];
-    const role = resources[refLogicalId];
-    if (role?.Type === "AWS::IAM::Role") {
-      return void 0;
-    }
-  }
-  if ("Fn::GetAtt" in obj) {
+    refLogicalId = obj["Ref"];
+  } else if ("Fn::GetAtt" in obj) {
     const arg = obj["Fn::GetAtt"];
     if (Array.isArray(arg) && typeof arg[0] === "string") {
-      const refLogicalId = arg[0];
-      const role = resources[refLogicalId];
-      if (role?.Type === "AWS::IAM::Role") {
-        return void 0;
-      }
+      const attr = typeof arg[1] === "string" ? arg[1] : "";
+      if (attr === "" || attr === "Arn")
+        refLogicalId = arg[0];
     }
   }
-  return void 0;
+  if (refLogicalId === void 0)
+    return void 0;
+  const role = resources[refLogicalId];
+  if (role?.Type !== "AWS::IAM::Role")
+    return void 0;
+  return `arn:aws:iam::${TASK_ROLE_ACCOUNT_PLACEHOLDER}:role/${refLogicalId}`;
 }
 function pickString(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
@@ -77911,7 +78184,8 @@ async function localRunTaskCommand(target, options) {
       ...Object.keys(context).length > 0 && { context }
     };
     const { stacks } = await synthesizer.synthesize(synthOpts);
-    const task = resolveEcsTaskTarget(target, stacks);
+    const imageContext = await buildEcsImageResolutionContext(target, stacks, options);
+    const task = resolveEcsTaskTarget(target, stacks, imageContext);
     logger.info(
       `Target: ${task.stack.stackName}/${task.taskDefinitionLogicalId} (family=${task.family}, containers=${task.containers.length})`
     );
@@ -77930,10 +78204,10 @@ async function localRunTaskCommand(target, options) {
     if (options.assumeTaskRole === true) {
       if (!task.taskRoleArn) {
         throw new Error(
-          `--assume-task-role passed without an ARN but the task definition's TaskRoleArn could not be resolved statically. Pass the ARN explicitly: --assume-task-role <arn>`
+          `--assume-task-role passed without an ARN but the task definition has no resolvable TaskRoleArn. Either the task definition does not set TaskRoleArn, or it points at a resource cdkd cannot resolve to an IAM Role at synth time. Pass the ARN explicitly: --assume-task-role <arn>`
         );
       }
-      resolvedRoleArn = task.taskRoleArn;
+      resolvedRoleArn = await resolvePlaceholderAccount(task.taskRoleArn, options.region);
       assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
     } else if (typeof options.assumeTaskRole === "string") {
       resolvedRoleArn = options.assumeTaskRole;
@@ -77981,6 +78255,24 @@ async function localRunTaskCommand(target, options) {
       await cleanup();
   }
 }
+async function resolvePlaceholderAccount(arn, region) {
+  if (!arn.includes(TASK_ROLE_ACCOUNT_PLACEHOLDER))
+    return arn;
+  const { STSClient: STSClient11, GetCallerIdentityCommand: GetCallerIdentityCommand12 } = await import("@aws-sdk/client-sts");
+  const sts = new STSClient11({ ...region && { region } });
+  try {
+    const identity = await sts.send(new GetCallerIdentityCommand12({}));
+    const account = identity.Account;
+    if (!account) {
+      throw new Error(
+        `--assume-task-role: GetCallerIdentity returned no Account; cannot resolve placeholder ARN '${arn}'. Pass the ARN explicitly: --assume-task-role <arn>`
+      );
+    }
+    return arn.split(TASK_ROLE_ACCOUNT_PLACEHOLDER).join(account);
+  } finally {
+    sts.destroy();
+  }
+}
 async function assumeTaskRole(roleArn, region) {
   const { STSClient: STSClient11, AssumeRoleCommand: AssumeRoleCommand2 } = await import("@aws-sdk/client-sts");
   const sts = new STSClient11({ ...region && { region } });
@@ -78005,6 +78297,80 @@ async function assumeTaskRole(roleArn, region) {
     sts.destroy();
   }
 }
+async function buildEcsImageResolutionContext(target, stacks, options) {
+  const logger = getLogger();
+  const parsed = parseEcsTarget(target);
+  const candidate = pickCandidateStack(parsed.stackPattern, stacks);
+  if (!candidate)
+    return void 0;
+  const needs = detectEcsImageResolutionNeeds(candidate);
+  if (!needs.needsPseudoParameters && !needs.needsStateResources)
+    return void 0;
+  const ctx = {};
+  if (needs.needsPseudoParameters) {
+    const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
+    if (!region) {
+      logger.warn(
+        "Container Image references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack."
+      );
+    }
+    let accountId;
+    try {
+      accountId = await resolveCallerAccountId(region);
+    } catch (err) {
+      logger.warn(
+        `Container Image references \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; the resolver will surface its existing error.`
+      );
+    }
+    const partitionAndSuffix = region ? derivePartitionAndUrlSuffix(region) : void 0;
+    ctx.pseudoParameters = {
+      ...accountId !== void 0 && { accountId },
+      ...region !== void 0 && { region },
+      ...partitionAndSuffix && {
+        partition: partitionAndSuffix.partition,
+        urlSuffix: partitionAndSuffix.urlSuffix
+      }
+    };
+  }
+  if (options.fromState && needs.needsStateResources) {
+    const loaded = await loadStateForStack(candidate.stackName, candidate.region, {
+      ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
+      ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+      statePrefix: options.statePrefix,
+      ...options.region !== void 0 && { region: options.region },
+      ...options.profile !== void 0 && { profile: options.profile }
+    });
+    if (loaded) {
+      ctx.stateResources = loaded.state.resources;
+    }
+  } else if (!options.fromState && needs.needsStateResources) {
+    logger.warn(
+      "Container Image references a same-stack AWS::ECR::Repository. Pass --from-state to substitute the deployed repository URI (requires the stack to have been deployed via cdkd deploy). Otherwise the resolver will surface its existing error."
+    );
+  }
+  return ctx;
+}
+function pickCandidateStack(stackPattern, stacks) {
+  if (stackPattern === null) {
+    if (stacks.length === 1)
+      return stacks[0];
+    return void 0;
+  }
+  const matched = matchStacks(stacks, [stackPattern]);
+  if (matched.length === 1)
+    return matched[0];
+  return void 0;
+}
+async function resolveCallerAccountId(region) {
+  const { STSClient: STSClient11, GetCallerIdentityCommand: GetCallerIdentityCommand12 } = await import("@aws-sdk/client-sts");
+  const sts = new STSClient11({ ...region && { region } });
+  try {
+    const identity = await sts.send(new GetCallerIdentityCommand12({}));
+    return identity.Account;
+  } finally {
+    sts.destroy();
+  }
+}
 function readEnvOverridesFile2(filePath) {
   if (!filePath)
     return void 0;
@@ -78072,8 +78438,20 @@ function createLocalRunTaskCommand() {
       "--detach",
       "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle."
     ).default(false)
+  ).addOption(
+    new Option8(
+      "--from-state",
+      "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt references to same-stack AWS::ECR::Repository resources with the deployed URI. Off by default \u2014 only the AWS pseudo-parameter tier (${AWS::AccountId} / ${AWS::Region}) is resolved without this flag."
+    ).default(false)
+  ).addOption(
+    new Option8(
+      "--stack-region <region>",
+      "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions)."
+    )
   ).action(withErrorHandling(localRunTaskCommand));
-  [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => cmd.addOption(opt));
+  [...commonOptions, ...appOptions, ...contextOptions, ...stateOptions].forEach(
+    (opt) => cmd.addOption(opt)
+  );
   cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
@@ -78089,44 +78467,49 @@ async function localInvokeCommand(target, options) {
   let containerId;
   let stopLogs;
   let sigintHandler;
-  const cleanup = async () => {
-    if (stopLogs) {
-      try {
-        stopLogs();
-      } catch (err) {
-        getLogger().debug(
-          `streamLogs stop failed: ${err instanceof Error ? err.message : String(err)}`
-        );
+  const cleanup = singleFlight(
+    async () => {
+      if (stopLogs) {
+        try {
+          stopLogs();
+        } catch (err) {
+          getLogger().debug(
+            `streamLogs stop failed: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
       }
-    }
-    if (containerId) {
-      try {
-        await removeContainer(containerId);
-      } catch (err) {
-        getLogger().debug(
-          `removeContainer(${containerId}) failed: ${err instanceof Error ? err.message : String(err)}`
-        );
+      if (containerId) {
+        try {
+          await removeContainer(containerId);
+        } catch (err) {
+          getLogger().debug(
+            `removeContainer(${containerId}) failed: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
       }
-    }
-    if (imagePlan?.inlineTmpDir) {
-      try {
-        rmSync3(imagePlan.inlineTmpDir, { recursive: true, force: true });
-      } catch (err) {
-        getLogger().debug(
-          `Failed to remove inline-code tmpdir ${imagePlan.inlineTmpDir}: ${err instanceof Error ? err.message : String(err)}`
-        );
+      if (imagePlan?.inlineTmpDir) {
+        try {
+          rmSync3(imagePlan.inlineTmpDir, { recursive: true, force: true });
+        } catch (err) {
+          getLogger().debug(
+            `Failed to remove inline-code tmpdir ${imagePlan.inlineTmpDir}: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
       }
-    }
-    if (imagePlan?.layersTmpDir) {
-      try {
-        rmSync3(imagePlan.layersTmpDir, { recursive: true, force: true });
-      } catch (err) {
-        getLogger().debug(
-          `Failed to remove merged-layers tmpdir ${imagePlan.layersTmpDir}: ${err instanceof Error ? err.message : String(err)}`
-        );
+      if (imagePlan?.layersTmpDir) {
+        try {
+          rmSync3(imagePlan.layersTmpDir, { recursive: true, force: true });
+        } catch (err) {
+          getLogger().debug(
+            `Failed to remove merged-layers tmpdir ${imagePlan.layersTmpDir}: ${err instanceof Error ? err.message : String(err)}`
+          );
+        }
       }
+    },
+    (err) => {
+      getLogger().debug(`cleanup failed: ${err instanceof Error ? err.message : String(err)}`);
     }
-  };
+  );
   try {
     await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
     await ensureDockerAvailable();
@@ -78477,72 +78860,6 @@ function materializeInlineCode2(handler, source, fileExtension) {
   writeFileSync6(filePath, source, "utf-8");
   return dir;
 }
-async function loadStateForStack(stackName, synthRegion, opts) {
-  const logger = getLogger();
-  const region = opts.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? synthRegion ?? "us-east-1";
-  let stateBucket;
-  try {
-    stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, region);
-  } catch (err) {
-    logger.warn(
-      `--from-state: could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Falling back to PR 1 warn-and-drop semantics.`
-    );
-    return void 0;
-  }
-  const awsClients = new AwsClients({
-    ...opts.region !== void 0 && { region: opts.region },
-    ...opts.profile !== void 0 && { profile: opts.profile }
-  });
-  setAwsClients(awsClients);
-  try {
-    const stateConfig = { bucket: stateBucket, prefix: opts.statePrefix };
-    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
-      ...opts.region !== void 0 && { region: opts.region },
-      ...opts.profile !== void 0 && { profile: opts.profile }
-    });
-    await stateBackend.verifyBucketExists();
-    const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
-    if (refs.length === 0) {
-      logger.warn(
-        `--from-state: no cdkd state found for stack '${stackName}' in bucket '${stateBucket}'. Was it deployed via 'cdkd deploy'? Falling back to PR 1 warn-and-drop semantics.`
-      );
-      return void 0;
-    }
-    let targetRegion;
-    if (opts.stackRegion) {
-      const found = refs.find((r) => r.region === opts.stackRegion);
-      if (!found) {
-        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
-        logger.warn(
-          `--from-state: stack '${stackName}' has no state in region '${opts.stackRegion}' (available: ${seen}). Falling back.`
-        );
-        return void 0;
-      }
-      targetRegion = opts.stackRegion;
-    } else if (synthRegion && refs.some((r) => r.region === synthRegion)) {
-      targetRegion = synthRegion;
-    } else if (refs.length === 1) {
-      targetRegion = refs[0].region ?? synthRegion ?? region;
-    } else {
-      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
-      logger.warn(
-        `--from-state: stack '${stackName}' has state in multiple regions (${seen}). Re-run with --stack-region <region>. Falling back.`
-      );
-      return void 0;
-    }
-    const stateData = await stateBackend.getState(stackName, targetRegion);
-    if (!stateData) {
-      logger.warn(
-        `--from-state: state record for '${stackName}' (${targetRegion}) returned empty. Falling back.`
-      );
-      return void 0;
-    }
-    logger.debug(`--from-state: loaded state for ${stackName} (${targetRegion})`);
-    return { state: stateData.state, region: targetRegion };
-  } finally {
-    awsClients.destroy();
-  }
-}
 function suggestAssumeRoleFromState(state, logicalId) {
   const logger = getLogger();
   const lambda = state.resources[logicalId];
@@ -78658,7 +78975,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command17();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.82.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.83.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());