npm - @go-to-k/cdkd - Versions diffs - 0.82.1 → 0.83.1 - Mend

@go-to-k/cdkd 0.82.1 → 0.83.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/cli.js +426 -106
package/dist/cli.js.map +4 -4
package/dist/go-to-k-cdkd-0.83.1.tgz +0 -0
package/dist/index.js +33 -0
package/dist/index.js.map +2 -2
package/package.json +1 -1
package/dist/go-to-k-cdkd-0.82.1.tgz +0 -0

package/dist/cli.js CHANGED Viewed

@@ -21471,6 +21471,39 @@ var TemplateParser = class {
       }
       return;
     }
+    if ("Fn::Sub" in obj) {
+      const subValue = obj["Fn::Sub"];
+      let body;
+      let mapKeys;
+      if (typeof subValue === "string") {
+        body = subValue;
+      } else if (Array.isArray(subValue) && subValue.length >= 1 && typeof subValue[0] === "string") {
+        body = subValue[0];
+        const variables = subValue[1];
+        if (variables && typeof variables === "object" && !Array.isArray(variables)) {
+          const varMap = variables;
+          mapKeys = new Set(Object.keys(varMap));
+          Object.values(varMap).forEach((v) => this.extractRefsFromValue(v, dependencies));
+        }
+      }
+      if (body !== void 0) {
+        for (const match of body.matchAll(/\$\{([^}]+)\}/g)) {
+          const placeholder = match[1];
+          if (!placeholder)
+            continue;
+          const dot = placeholder.indexOf(".");
+          const name = dot >= 0 ? placeholder.slice(0, dot) : placeholder;
+          if (!name)
+            continue;
+          if (name.startsWith("AWS::"))
+            continue;
+          if (mapKeys?.has(name))
+            continue;
+          dependencies.add(name);
+        }
+      }
+      return;
+    }
     Object.values(obj).forEach((v) => this.extractRefsFromValue(v, dependencies));
   }
   /**
@@ -70040,6 +70073,76 @@ import { dirname as dirname7 } from "node:path";
 import * as path2 from "node:path";
 import { Command as Command16, Option as Option9 } from "commander";
+// src/cli/commands/local-state-loader.ts
+init_aws_clients();
+async function loadStateForStack(stackName, synthRegion, opts) {
+  const logger = getLogger();
+  const prefix = opts.logPrefix ?? "--from-state";
+  const region = opts.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? synthRegion ?? "us-east-1";
+  let stateBucket;
+  try {
+    stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, region);
+  } catch (err) {
+    logger.warn(
+      `${prefix}: could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Falling back.`
+    );
+    return void 0;
+  }
+  const awsClients = new AwsClients({
+    ...opts.region !== void 0 && { region: opts.region },
+    ...opts.profile !== void 0 && { profile: opts.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: opts.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...opts.region !== void 0 && { region: opts.region },
+      ...opts.profile !== void 0 && { profile: opts.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
+    if (refs.length === 0) {
+      logger.warn(
+        `${prefix}: no cdkd state found for stack '${stackName}' in bucket '${stateBucket}'. Was it deployed via 'cdkd deploy'? Falling back.`
+      );
+      return void 0;
+    }
+    let targetRegion;
+    if (opts.stackRegion) {
+      const found = refs.find((r) => r.region === opts.stackRegion);
+      if (!found) {
+        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+        logger.warn(
+          `${prefix}: stack '${stackName}' has no state in region '${opts.stackRegion}' (available: ${seen}). Falling back.`
+        );
+        return void 0;
+      }
+      targetRegion = opts.stackRegion;
+    } else if (synthRegion && refs.some((r) => r.region === synthRegion)) {
+      targetRegion = synthRegion;
+    } else if (refs.length === 1) {
+      targetRegion = refs[0].region ?? synthRegion ?? region;
+    } else {
+      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      logger.warn(
+        `${prefix}: stack '${stackName}' has state in multiple regions (${seen}). Re-run with --stack-region <region>. Falling back.`
+      );
+      return void 0;
+    }
+    const stateData = await stateBackend.getState(stackName, targetRegion);
+    if (!stateData) {
+      logger.warn(
+        `${prefix}: state record for '${stackName}' (${targetRegion}) returned empty. Falling back.`
+      );
+      return void 0;
+    }
+    logger.debug(`${prefix}: loaded state for ${stackName} (${targetRegion})`);
+    return { state: stateData.state, region: targetRegion };
+  } finally {
+    awsClients.destroy();
+  }
+}
 // src/local/lambda-resolver.ts
 import { existsSync as existsSync4, statSync as statSync3 } from "node:fs";
 import { dirname, isAbsolute, resolve as resolve4 } from "node:path";
@@ -71217,9 +71320,6 @@ function extractHashFromImageUri(imageUri) {
   return match?.[1];
 }
-// src/cli/commands/local-invoke.ts
-init_aws_clients();
 // src/utils/single-flight.ts
 function singleFlight(fn, onError) {
   let promise;
@@ -76646,6 +76746,83 @@ var EcsTaskResolutionError = class _EcsTaskResolutionError extends Error {
     Object.setPrototypeOf(this, _EcsTaskResolutionError.prototype);
   }
 };
+function derivePartitionAndUrlSuffix(region) {
+  if (region.startsWith("cn-"))
+    return { partition: "aws-cn", urlSuffix: "amazonaws.com.cn" };
+  if (region.startsWith("us-gov-"))
+    return { partition: "aws-us-gov", urlSuffix: "amazonaws.com" };
+  if (region.startsWith("us-iso-"))
+    return { partition: "aws-iso", urlSuffix: "c2s.ic.gov" };
+  if (region.startsWith("us-isob-"))
+    return { partition: "aws-iso-b", urlSuffix: "sc2s.sgov.gov" };
+  return { partition: "aws", urlSuffix: "amazonaws.com" };
+}
+function detectEcsImageResolutionNeeds(stack) {
+  const resources = stack.template.Resources ?? {};
+  let needsPseudoParameters = false;
+  let needsStateResources = false;
+  for (const res of Object.values(resources)) {
+    if (res.Type !== "AWS::ECS::TaskDefinition")
+      continue;
+    const props = res.Properties ?? {};
+    const containers = Array.isArray(props["ContainerDefinitions"]) ? props["ContainerDefinitions"] : [];
+    for (const c of containers) {
+      if (!c || typeof c !== "object")
+        continue;
+      const image = c["Image"];
+      const need = inspectImageForSubstitutions(image, resources);
+      if (need.pseudo)
+        needsPseudoParameters = true;
+      if (need.state)
+        needsStateResources = true;
+      if (needsPseudoParameters && needsStateResources)
+        break;
+    }
+    if (needsPseudoParameters && needsStateResources)
+      break;
+  }
+  return { needsPseudoParameters, needsStateResources };
+}
+function inspectImageForSubstitutions(image, resources) {
+  if (!image || typeof image !== "object")
+    return { pseudo: false, state: false };
+  const obj = image;
+  const getAtt = obj["Fn::GetAtt"];
+  if (getAtt !== void 0) {
+    let lid;
+    if (Array.isArray(getAtt) && typeof getAtt[0] === "string")
+      lid = getAtt[0];
+    else if (typeof getAtt === "string")
+      lid = getAtt.split(".")[0];
+    if (lid && resources[lid]?.Type === "AWS::ECR::Repository") {
+      return { pseudo: false, state: true };
+    }
+  }
+  let sub;
+  const subRaw = obj["Fn::Sub"];
+  if (typeof subRaw === "string")
+    sub = subRaw;
+  else if (Array.isArray(subRaw) && typeof subRaw[0] === "string")
+    sub = subRaw[0];
+  if (!sub)
+    return { pseudo: false, state: false };
+  let pseudo = false;
+  let state = false;
+  const placeholderRegex = /\$\{([^}]+)\}/g;
+  let m;
+  while ((m = placeholderRegex.exec(sub)) !== null) {
+    const key = m[1];
+    if (key.startsWith("AWS::")) {
+      pseudo = true;
+      continue;
+    }
+    const dot = key.indexOf(".");
+    const lid = dot === -1 ? key : key.slice(0, dot);
+    if (resources[lid]?.Type === "AWS::ECR::Repository")
+      state = true;
+  }
+  return { pseudo, state };
+}
 function parseEcsTarget(target) {
   if (typeof target !== "string" || target.length === 0) {
     throw new EcsTaskResolutionError(
@@ -76667,7 +76844,7 @@ function parseEcsTarget(target) {
   }
   return { stackPattern: null, pathOrId: target, isPath: false };
 }
-function resolveEcsTaskTarget(target, stacks) {
+function resolveEcsTaskTarget(target, stacks, context) {
   if (stacks.length === 0) {
     throw new EcsTaskResolutionError("No stacks found in the synthesized assembly.");
   }
@@ -76710,7 +76887,7 @@ function resolveEcsTaskTarget(target, stacks) {
       `Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`
     );
   }
-  return extractTaskDefinitionProperties(stack, logicalId, resource);
+  return extractTaskDefinitionProperties(stack, logicalId, resource, context);
 }
 function pickStack2(parsed, stacks) {
   if (parsed.stackPattern === null) {
@@ -76733,7 +76910,7 @@ function pickStack2(parsed, stacks) {
   }
   return matched[0];
 }
-function extractTaskDefinitionProperties(stack, logicalId, resource) {
+function extractTaskDefinitionProperties(stack, logicalId, resource, context) {
   const props = resource.Properties ?? {};
   const warnings = [];
   const family = pickString(props["Family"]) ?? logicalId;
@@ -76760,7 +76937,7 @@ function extractTaskDefinitionProperties(stack, logicalId, resource) {
     throw new EcsTaskResolutionError(`Task definition '${logicalId}' has no ContainerDefinitions.`);
   }
   const containers = rawContainers.map(
-    (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack)
+    (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack, context)
   );
   const rawVolumes = props["Volumes"];
   const volumes = Array.isArray(rawVolumes) ? rawVolumes.map((v, idx) => parseVolume(v, idx, logicalId)) : [];
@@ -76806,7 +76983,7 @@ function parseRuntimePlatform(value) {
     return void 0;
   return { cpuArchitecture: cpu, operatingSystemFamily: os };
 }
-function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack) {
+function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, context) {
   if (!raw || typeof raw !== "object") {
     throw new EcsTaskResolutionError(
       `Task '${taskLogicalId}' ContainerDefinitions[${idx}] is not an object.`
@@ -76819,7 +76996,7 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack) {
       `Task '${taskLogicalId}' ContainerDefinitions[${idx}] has no Name.`
     );
   }
-  const image = parseContainerImage(c["Image"], name, taskLogicalId, resources, stack);
+  const image = parseContainerImage(c["Image"], name, taskLogicalId, resources, stack, context);
   const command = pickStringArray2(c["Command"]);
   const entryPoint = pickStringArray2(c["EntryPoint"]);
   const workingDirectory = pickString(c["WorkingDirectory"]);
@@ -76965,7 +77142,11 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack) {
     out.readonlyRootFilesystem = readonlyRootFilesystem;
   return out;
 }
-function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack) {
+function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack, context) {
+  const getAttImage = tryResolveImageGetAtt(raw, resources, context);
+  if (getAttImage) {
+    return classifyResolvedImage(getAttImage);
+  }
   const flat = extractImageString(raw);
   if (!flat) {
     throw new EcsTaskResolutionError(
@@ -76979,23 +77160,123 @@ function parseContainerImage(raw, containerName, taskLogicalId, resources, _stac
       out.assetHash = hashMatch[1];
     return out;
   }
-  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(flat);
-  if (ecrMatch) {
-    return { kind: "ecr", uri: flat, account: ecrMatch[1], region: ecrMatch[2] };
-  }
-  if (flat.includes("${") && flat.includes("AWS::AccountId")) {
+  const substituted = substituteImagePlaceholders(flat, resources, context);
+  if (substituted.includes("${")) {
+    const unresolvedRepoRef = findUnresolvedEcrRepositoryRef(substituted, resources);
+    if (unresolvedRepoRef) {
+      throw new EcsTaskResolutionError(
+        `Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${unresolvedRepoRef}'. cdkd local run-task v1 cannot resolve the repository URI without state \u2014 pass --from-state (the stack must have been deployed via cdkd deploy), build via ContainerImage.fromAsset, or pin a public image.`
+      );
+    }
+    if (substituted.includes("AWS::")) {
+      throw new EcsTaskResolutionError(
+        `Container '${containerName}' in task '${taskLogicalId}' has an Image that references AWS pseudo parameters (${substituted}). cdkd could not resolve them: confirm AWS credentials are configured so STS GetCallerIdentity succeeds, and that --region / AWS_REGION names the target region. Workaround: build the image locally (ContainerImage.fromAsset) or pin a public image.`
+      );
+    }
     throw new EcsTaskResolutionError(
-      `Container '${containerName}' in task '${taskLogicalId}' has an Image that references AWS pseudo parameters (${flat}). cdkd local run-task v1 cannot resolve account-scoped ECR repos at synth time. Build the image locally (CDK ContainerImage.fromAsset) or pin to a public image to test locally.`
+      `Container '${containerName}' in task '${taskLogicalId}' has an Image with unresolved \${...} placeholders (${substituted}). cdkd local run-task v1 only resolves AWS pseudo parameters and same-stack AWS::ECR::Repository refs.`
     );
   }
-  for (const [refLogicalId, res] of Object.entries(resources)) {
-    if (res.Type === "AWS::ECR::Repository" && flat.includes(refLogicalId)) {
-      throw new EcsTaskResolutionError(
-        `Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${refLogicalId}'. cdkd local run-task v1 cannot resolve the repository URI without state \u2014 build via ContainerImage.fromAsset or pin a public image.`
-      );
+  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(substituted);
+  if (ecrMatch) {
+    return { kind: "ecr", uri: substituted, account: ecrMatch[1], region: ecrMatch[2] };
+  }
+  return { kind: "public", uri: substituted };
+}
+function findUnresolvedEcrRepositoryRef(substituted, resources) {
+  const placeholderRegex = /\$\{([^}]+)\}/g;
+  let m;
+  while ((m = placeholderRegex.exec(substituted)) !== null) {
+    const key = m[1];
+    if (key.startsWith("AWS::"))
+      continue;
+    const dot = key.indexOf(".");
+    const lid = dot === -1 ? key : key.slice(0, dot);
+    if (resources[lid]?.Type === "AWS::ECR::Repository")
+      return lid;
+  }
+  return void 0;
+}
+function classifyResolvedImage(uri) {
+  if (uri.includes("cdk-hnb659fds-container-assets-")) {
+    const hashMatch = /:([a-f0-9]{8,})$/.exec(uri);
+    const out = { kind: "cdk-asset" };
+    if (hashMatch)
+      out.assetHash = hashMatch[1];
+    return out;
+  }
+  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(uri);
+  if (ecrMatch) {
+    return { kind: "ecr", uri, account: ecrMatch[1], region: ecrMatch[2] };
+  }
+  return { kind: "public", uri };
+}
+function substituteImagePlaceholders(flat, resources, context) {
+  if (!flat.includes("${"))
+    return flat;
+  return flat.replace(/\$\{([^}]+)\}/g, (full, key) => {
+    if (context?.pseudoParameters) {
+      if (key === "AWS::AccountId" && context.pseudoParameters.accountId) {
+        return context.pseudoParameters.accountId;
+      }
+      if (key === "AWS::Region" && context.pseudoParameters.region) {
+        return context.pseudoParameters.region;
+      }
+      if (key === "AWS::Partition" && context.pseudoParameters.partition) {
+        return context.pseudoParameters.partition;
+      }
+      if (key === "AWS::URLSuffix" && context.pseudoParameters.urlSuffix) {
+        return context.pseudoParameters.urlSuffix;
+      }
+    }
+    if (context?.stateResources) {
+      const dot = key.indexOf(".");
+      const logicalId = dot === -1 ? key : key.slice(0, dot);
+      const refResource = resources[logicalId];
+      const stateEntry = context.stateResources[logicalId];
+      if (refResource?.Type === "AWS::ECR::Repository" && stateEntry) {
+        if (dot === -1) {
+          return stateEntry.physicalId;
+        }
+        const attr = key.slice(dot + 1);
+        const cached = stateEntry.attributes?.[attr];
+        if (typeof cached === "string")
+          return cached;
+      }
+    }
+    return full;
+  });
+}
+function tryResolveImageGetAtt(raw, resources, context) {
+  if (!raw || typeof raw !== "object")
+    return void 0;
+  const obj = raw;
+  const arg = obj["Fn::GetAtt"];
+  if (arg === void 0)
+    return void 0;
+  let logicalId;
+  let attr;
+  if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && typeof arg[1] === "string") {
+    logicalId = arg[0];
+    attr = arg[1];
+  } else if (typeof arg === "string") {
+    const dot = arg.indexOf(".");
+    if (dot > 0 && dot < arg.length - 1) {
+      logicalId = arg.slice(0, dot);
+      attr = arg.slice(dot + 1);
     }
   }
-  return { kind: "public", uri: flat };
+  if (!logicalId || !attr)
+    return void 0;
+  const refResource = resources[logicalId];
+  if (refResource?.Type !== "AWS::ECR::Repository")
+    return void 0;
+  if (attr !== "RepositoryUri" && attr !== "Arn")
+    return void 0;
+  const cached = context?.stateResources?.[logicalId]?.attributes?.[attr];
+  if (typeof cached === "string" && cached.length > 0)
+    return cached;
+  return void 0;
 }
 function extractImageString(value) {
   if (typeof value === "string" && value.length > 0)
@@ -77074,6 +77355,7 @@ function parseVolume(raw, idx, taskLogicalId) {
   }
   return { name, kind: "host" };
 }
+var TASK_ROLE_ACCOUNT_PLACEHOLDER = "${AWS::AccountId}";
 function resolveRoleArn(value, resources) {
   if (value === void 0 || value === null)
     return void 0;
@@ -77082,24 +77364,23 @@ function resolveRoleArn(value, resources) {
   if (typeof value !== "object")
     return void 0;
   const obj = value;
+  let refLogicalId;
   if ("Ref" in obj && typeof obj["Ref"] === "string") {
-    const refLogicalId = obj["Ref"];
-    const role = resources[refLogicalId];
-    if (role?.Type === "AWS::IAM::Role") {
-      return void 0;
-    }
-  }
-  if ("Fn::GetAtt" in obj) {
+    refLogicalId = obj["Ref"];
+  } else if ("Fn::GetAtt" in obj) {
     const arg = obj["Fn::GetAtt"];
     if (Array.isArray(arg) && typeof arg[0] === "string") {
-      const refLogicalId = arg[0];
-      const role = resources[refLogicalId];
-      if (role?.Type === "AWS::IAM::Role") {
-        return void 0;
-      }
+      const attr = typeof arg[1] === "string" ? arg[1] : "";
+      if (attr === "" || attr === "Arn")
+        refLogicalId = arg[0];
     }
   }
-  return void 0;
+  if (refLogicalId === void 0)
+    return void 0;
+  const role = resources[refLogicalId];
+  if (role?.Type !== "AWS::IAM::Role")
+    return void 0;
+  return `arn:aws:iam::${TASK_ROLE_ACCOUNT_PLACEHOLDER}:role/${refLogicalId}`;
 }
 function pickString(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
@@ -77936,7 +78217,8 @@ async function localRunTaskCommand(target, options) {
       ...Object.keys(context).length > 0 && { context }
     };
     const { stacks } = await synthesizer.synthesize(synthOpts);
-    const task = resolveEcsTaskTarget(target, stacks);
+    const imageContext = await buildEcsImageResolutionContext(target, stacks, options);
+    const task = resolveEcsTaskTarget(target, stacks, imageContext);
     logger.info(
       `Target: ${task.stack.stackName}/${task.taskDefinitionLogicalId} (family=${task.family}, containers=${task.containers.length})`
     );
@@ -77955,10 +78237,10 @@ async function localRunTaskCommand(target, options) {
     if (options.assumeTaskRole === true) {
       if (!task.taskRoleArn) {
         throw new Error(
-          `--assume-task-role passed without an ARN but the task definition's TaskRoleArn could not be resolved statically. Pass the ARN explicitly: --assume-task-role <arn>`
+          `--assume-task-role passed without an ARN but the task definition has no resolvable TaskRoleArn. Either the task definition does not set TaskRoleArn, or it points at a resource cdkd cannot resolve to an IAM Role at synth time. Pass the ARN explicitly: --assume-task-role <arn>`
         );
       }
-      resolvedRoleArn = task.taskRoleArn;
+      resolvedRoleArn = await resolvePlaceholderAccount(task.taskRoleArn, options.region);
       assumedCredentials = await assumeTaskRole(resolvedRoleArn, options.region);
     } else if (typeof options.assumeTaskRole === "string") {
       resolvedRoleArn = options.assumeTaskRole;
@@ -78006,6 +78288,24 @@ async function localRunTaskCommand(target, options) {
       await cleanup();
   }
 }
+async function resolvePlaceholderAccount(arn, region) {
+  if (!arn.includes(TASK_ROLE_ACCOUNT_PLACEHOLDER))
+    return arn;
+  const { STSClient: STSClient11, GetCallerIdentityCommand: GetCallerIdentityCommand12 } = await import("@aws-sdk/client-sts");
+  const sts = new STSClient11({ ...region && { region } });
+  try {
+    const identity = await sts.send(new GetCallerIdentityCommand12({}));
+    const account = identity.Account;
+    if (!account) {
+      throw new Error(
+        `--assume-task-role: GetCallerIdentity returned no Account; cannot resolve placeholder ARN '${arn}'. Pass the ARN explicitly: --assume-task-role <arn>`
+      );
+    }
+    return arn.split(TASK_ROLE_ACCOUNT_PLACEHOLDER).join(account);
+  } finally {
+    sts.destroy();
+  }
+}
 async function assumeTaskRole(roleArn, region) {
   const { STSClient: STSClient11, AssumeRoleCommand: AssumeRoleCommand2 } = await import("@aws-sdk/client-sts");
   const sts = new STSClient11({ ...region && { region } });
@@ -78030,6 +78330,80 @@ async function assumeTaskRole(roleArn, region) {
     sts.destroy();
   }
 }
+async function buildEcsImageResolutionContext(target, stacks, options) {
+  const logger = getLogger();
+  const parsed = parseEcsTarget(target);
+  const candidate = pickCandidateStack(parsed.stackPattern, stacks);
+  if (!candidate)
+    return void 0;
+  const needs = detectEcsImageResolutionNeeds(candidate);
+  if (!needs.needsPseudoParameters && !needs.needsStateResources)
+    return void 0;
+  const ctx = {};
+  if (needs.needsPseudoParameters) {
+    const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
+    if (!region) {
+      logger.warn(
+        "Container Image references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack."
+      );
+    }
+    let accountId;
+    try {
+      accountId = await resolveCallerAccountId(region);
+    } catch (err) {
+      logger.warn(
+        `Container Image references \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; the resolver will surface its existing error.`
+      );
+    }
+    const partitionAndSuffix = region ? derivePartitionAndUrlSuffix(region) : void 0;
+    ctx.pseudoParameters = {
+      ...accountId !== void 0 && { accountId },
+      ...region !== void 0 && { region },
+      ...partitionAndSuffix && {
+        partition: partitionAndSuffix.partition,
+        urlSuffix: partitionAndSuffix.urlSuffix
+      }
+    };
+  }
+  if (options.fromState && needs.needsStateResources) {
+    const loaded = await loadStateForStack(candidate.stackName, candidate.region, {
+      ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
+      ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
+      statePrefix: options.statePrefix,
+      ...options.region !== void 0 && { region: options.region },
+      ...options.profile !== void 0 && { profile: options.profile }
+    });
+    if (loaded) {
+      ctx.stateResources = loaded.state.resources;
+    }
+  } else if (!options.fromState && needs.needsStateResources) {
+    logger.warn(
+      "Container Image references a same-stack AWS::ECR::Repository. Pass --from-state to substitute the deployed repository URI (requires the stack to have been deployed via cdkd deploy). Otherwise the resolver will surface its existing error."
+    );
+  }
+  return ctx;
+}
+function pickCandidateStack(stackPattern, stacks) {
+  if (stackPattern === null) {
+    if (stacks.length === 1)
+      return stacks[0];
+    return void 0;
+  }
+  const matched = matchStacks(stacks, [stackPattern]);
+  if (matched.length === 1)
+    return matched[0];
+  return void 0;
+}
+async function resolveCallerAccountId(region) {
+  const { STSClient: STSClient11, GetCallerIdentityCommand: GetCallerIdentityCommand12 } = await import("@aws-sdk/client-sts");
+  const sts = new STSClient11({ ...region && { region } });
+  try {
+    const identity = await sts.send(new GetCallerIdentityCommand12({}));
+    return identity.Account;
+  } finally {
+    sts.destroy();
+  }
+}
 function readEnvOverridesFile2(filePath) {
   if (!filePath)
     return void 0;
@@ -78097,8 +78471,20 @@ function createLocalRunTaskCommand() {
       "--detach",
       "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle."
     ).default(false)
+  ).addOption(
+    new Option8(
+      "--from-state",
+      "Read cdkd S3 state for the target stack and substitute Fn::Sub / Fn::GetAtt references to same-stack AWS::ECR::Repository resources with the deployed URI. Off by default \u2014 only the AWS pseudo-parameter tier (${AWS::AccountId} / ${AWS::Region}) is resolved without this flag."
+    ).default(false)
+  ).addOption(
+    new Option8(
+      "--stack-region <region>",
+      "Region of the cdkd state record to read (used with --from-state when the same stack name has state in multiple regions)."
+    )
   ).action(withErrorHandling(localRunTaskCommand));
-  [...commonOptions, ...appOptions, ...contextOptions].forEach((opt) => cmd.addOption(opt));
+  [...commonOptions, ...appOptions, ...contextOptions, ...stateOptions].forEach(
+    (opt) => cmd.addOption(opt)
+  );
   cmd.addOption(deprecatedRegionOption);
   return cmd;
 }
@@ -78507,72 +78893,6 @@ function materializeInlineCode2(handler, source, fileExtension) {
   writeFileSync6(filePath, source, "utf-8");
   return dir;
 }
-async function loadStateForStack(stackName, synthRegion, opts) {
-  const logger = getLogger();
-  const region = opts.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? synthRegion ?? "us-east-1";
-  let stateBucket;
-  try {
-    stateBucket = await resolveStateBucketWithDefault(opts.stateBucket, region);
-  } catch (err) {
-    logger.warn(
-      `--from-state: could not resolve state bucket: ${err instanceof Error ? err.message : String(err)}. Falling back to PR 1 warn-and-drop semantics.`
-    );
-    return void 0;
-  }
-  const awsClients = new AwsClients({
-    ...opts.region !== void 0 && { region: opts.region },
-    ...opts.profile !== void 0 && { profile: opts.profile }
-  });
-  setAwsClients(awsClients);
-  try {
-    const stateConfig = { bucket: stateBucket, prefix: opts.statePrefix };
-    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
-      ...opts.region !== void 0 && { region: opts.region },
-      ...opts.profile !== void 0 && { profile: opts.profile }
-    });
-    await stateBackend.verifyBucketExists();
-    const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
-    if (refs.length === 0) {
-      logger.warn(
-        `--from-state: no cdkd state found for stack '${stackName}' in bucket '${stateBucket}'. Was it deployed via 'cdkd deploy'? Falling back to PR 1 warn-and-drop semantics.`
-      );
-      return void 0;
-    }
-    let targetRegion;
-    if (opts.stackRegion) {
-      const found = refs.find((r) => r.region === opts.stackRegion);
-      if (!found) {
-        const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
-        logger.warn(
-          `--from-state: stack '${stackName}' has no state in region '${opts.stackRegion}' (available: ${seen}). Falling back.`
-        );
-        return void 0;
-      }
-      targetRegion = opts.stackRegion;
-    } else if (synthRegion && refs.some((r) => r.region === synthRegion)) {
-      targetRegion = synthRegion;
-    } else if (refs.length === 1) {
-      targetRegion = refs[0].region ?? synthRegion ?? region;
-    } else {
-      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
-      logger.warn(
-        `--from-state: stack '${stackName}' has state in multiple regions (${seen}). Re-run with --stack-region <region>. Falling back.`
-      );
-      return void 0;
-    }
-    const stateData = await stateBackend.getState(stackName, targetRegion);
-    if (!stateData) {
-      logger.warn(
-        `--from-state: state record for '${stackName}' (${targetRegion}) returned empty. Falling back.`
-      );
-      return void 0;
-    }
-    logger.debug(`--from-state: loaded state for ${stackName} (${targetRegion})`);
-    return { state: stateData.state, region: targetRegion };
-  } finally {
-    awsClients.destroy();
-  }
-}
 function suggestAssumeRoleFromState(state, logicalId) {
   const logger = getLogger();
   const lambda = state.resources[logicalId];
@@ -78688,7 +79008,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command17();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.82.1");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.83.1");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());