@go-to-k/cdkd 0.83.1 → 0.84.0

package/README.md

@@ -395,6 +395,26 @@ modes (auto / selective / hybrid), `--resource-mapping` CDK CLI
 compatibility, CloudFormation migration flow, provider coverage, and the
 parity matrix vs upstream `cdk import`.
 
+## Exporting a stack back to CloudFormation
+
+`cdkd export` is the mirror of `cdkd import`: it hands a cdkd-managed
+stack over to CloudFormation via a CFn `ChangeSetType=IMPORT` changeset.
+AWS resources are unchanged across the migration; cdkd state for the
+exported stack is deleted on success. From then on the stack is managed
+by `cdk deploy` / `aws cloudformation`.
+
+```bash
+cdkd export MyStack                           # confirmation prompt; CFn stack name = cdkd stack name
+cdkd export MyStack --cfn-stack-name MyStack-CFn
+cdkd export MyStack --dry-run                 # print the import plan, do not call CFn
+cdkd export MyStack --template path.json      # skip synth, use a pre-rendered JSON template
+```
+
+MVP scope: JSON templates only (CDK-generated). The command refuses to
+proceed if any resource is not CFn-importable (Lambda-backed Custom
+Resources, nested `AWS::CloudFormation::Stack` references); destroy or
+accept abandoning those resources first.
+
 ## Drift detection
 
 `cdkd drift` (state-driven; no synth) compares each managed resource

package/dist/cli.js

@@ -17797,7 +17797,7 @@ var require_graphql2 = __commonJS({
 });
 
 // src/cli/index.ts
-import { Command as Command17 } from "commander";
+import { Command as Command18 } from "commander";
 
 // src/cli/commands/bootstrap.ts
 import { Command, Option as Option2 } from "commander";
@@ -78979,6 +78979,598 @@ function createLocalCommand() {
   return local;
 }
 
+// src/cli/commands/export.ts
+import * as readline8 from "node:readline/promises";
+import { readFileSync as readFileSync9 } from "node:fs";
+import { Command as Command17 } from "commander";
+import {
+  CreateChangeSetCommand,
+  DescribeChangeSetCommand,
+  ExecuteChangeSetCommand,
+  DescribeStacksCommand as DescribeStacksCommand2,
+  DescribeTypeCommand,
+  DeleteChangeSetCommand,
+  waitUntilChangeSetCreateComplete,
+  waitUntilStackImportComplete
+} from "@aws-sdk/client-cloudformation";
+init_aws_clients();
+var NEVER_IMPORTABLE_TYPES = /* @__PURE__ */ new Set([
+  "AWS::CDK::Metadata",
+  "AWS::CloudFormation::Stack"
+]);
+function isNeverImportableType(resourceType) {
+  if (NEVER_IMPORTABLE_TYPES.has(resourceType))
+    return true;
+  if (resourceType.startsWith("Custom::"))
+    return true;
+  return false;
+}
+var PRIMARY_IDENTIFIER_FALLBACK = {
+  "AWS::S3::Bucket": "BucketName",
+  "AWS::IAM::Role": "RoleName",
+  "AWS::IAM::ManagedPolicy": "PolicyArn",
+  "AWS::IAM::User": "UserName",
+  "AWS::IAM::Group": "GroupName",
+  "AWS::IAM::InstanceProfile": "InstanceProfileName",
+  "AWS::Lambda::Function": "FunctionName",
+  "AWS::DynamoDB::Table": "TableName",
+  "AWS::SQS::Queue": "QueueUrl",
+  "AWS::SNS::Topic": "TopicArn",
+  "AWS::Logs::LogGroup": "LogGroupName",
+  "AWS::EC2::VPC": "VpcId",
+  "AWS::EC2::Subnet": "SubnetId",
+  "AWS::EC2::SecurityGroup": "GroupId",
+  "AWS::EC2::InternetGateway": "InternetGatewayId",
+  "AWS::EC2::RouteTable": "RouteTableId",
+  "AWS::EC2::NatGateway": "NatGatewayId",
+  "AWS::CloudFront::Distribution": "Id",
+  "AWS::CloudFront::CloudFrontOriginAccessIdentity": "Id",
+  "AWS::Route53::HostedZone": "Id",
+  "AWS::SecretsManager::Secret": "Id",
+  "AWS::Events::Rule": "Arn",
+  "AWS::Events::EventBus": "Name",
+  "AWS::ApiGateway::RestApi": "RestApiId",
+  "AWS::ApiGatewayV2::Api": "ApiId",
+  "AWS::CloudWatch::Alarm": "AlarmName",
+  "AWS::Kinesis::Stream": "Name",
+  "AWS::SSM::Parameter": "Name",
+  "AWS::StepFunctions::StateMachine": "Arn",
+  "AWS::Cognito::UserPool": "UserPoolId",
+  "AWS::ECR::Repository": "RepositoryName"
+};
+async function exportCommand(stackArg, options) {
+  const logger = getLogger();
+  if (options.verbose) {
+    logger.setLevel("debug");
+    process.env["CDKD_NO_LIVE"] = "1";
+  }
+  warnIfDeprecatedRegion(options);
+  refuseTransientContextIfUnsafe(options);
+  await applyRoleArnIfSet({ roleArn: options.roleArn, region: options.region });
+  const region = options.region || process.env["AWS_REGION"] || "us-east-1";
+  const stateBucket = await resolveStateBucketWithDefault(options.stateBucket, region);
+  if (options.region) {
+    process.env["AWS_REGION"] = options.region;
+    process.env["AWS_DEFAULT_REGION"] = options.region;
+  }
+  const awsClients = new AwsClients({
+    ...options.region && { region: options.region },
+    ...options.profile && { profile: options.profile }
+  });
+  setAwsClients(awsClients);
+  try {
+    const stateConfig = { bucket: stateBucket, prefix: options.statePrefix };
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig, {
+      ...options.region && { region: options.region },
+      ...options.profile && { profile: options.profile }
+    });
+    await stateBackend.verifyBucketExists();
+    const lockManager = new LockManager(awsClients.s3, stateConfig);
+    let template;
+    let resolvedStackName;
+    let synthedRegion;
+    if (options.template) {
+      if (!stackArg) {
+        throw new Error(
+          "--template requires a stack name as a positional argument to identify the cdkd state record."
+        );
+      }
+      template = parseTemplateFile(options.template);
+      resolvedStackName = stackArg;
+    } else {
+      const appCmd = options.app || resolveApp();
+      if (!appCmd) {
+        throw new Error(
+          "'cdkd export' requires a CDK app (pass --app or set it in cdk.json) OR a pre-rendered CFn template (--template <path>)."
+        );
+      }
+      logger.info("Synthesizing CDK app to read template...");
+      const synthesizer = new Synthesizer();
+      const context = parseContextOptions(options.context);
+      const result = await synthesizer.synthesize({
+        app: appCmd,
+        output: options.output || "cdk.out",
+        ...Object.keys(context).length > 0 && { context }
+      });
+      let stackInfo;
+      if (stackArg) {
+        stackInfo = result.stacks.find(
+          (s) => s.stackName === stackArg || s.displayName === stackArg
+        );
+        if (!stackInfo) {
+          throw new Error(
+            `Stack '${stackArg}' not found in synthesized app. Available: ${result.stacks.map((s) => s.stackName).join(", ")}`
+          );
+        }
+      } else if (result.stacks.length === 1) {
+        stackInfo = result.stacks[0];
+      } else {
+        throw new Error(
+          `Multiple stacks found: ${result.stacks.map((s) => s.stackName).join(", ")}. Specify the stack name as a positional argument.`
+        );
+      }
+      template = stackInfo.template;
+      resolvedStackName = stackInfo.stackName;
+      synthedRegion = stackInfo.region;
+    }
+    const cfnStackName = options.cfnStackName ?? resolvedStackName;
+    const targetRegion = await pickStackRegion2(
+      stateBackend,
+      resolvedStackName,
+      synthedRegion,
+      options.stackRegion
+    );
+    logger.info(
+      `Migrating cdkd stack '${resolvedStackName}' (${targetRegion}) \u2192 CloudFormation stack '${cfnStackName}'`
+    );
+    await assertCfnStackAbsent(awsClients.cloudFormation, cfnStackName);
+    const stateData = await stateBackend.getState(resolvedStackName, targetRegion);
+    if (!stateData) {
+      throw new Error(
+        `No cdkd state found for stack '${resolvedStackName}' (${targetRegion}). Nothing to migrate.`
+      );
+    }
+    const { state, etag, migrationPending } = stateData;
+    const owner = `${process.env["USER"] || "unknown"}@${process.env["HOSTNAME"] || "host"}:${process.pid}`;
+    if (!options.dryRun) {
+      const acquired = await lockManager.acquireLock(
+        resolvedStackName,
+        targetRegion,
+        owner,
+        "export"
+      );
+      if (!acquired) {
+        throw new Error(
+          `Could not acquire lock for stack '${resolvedStackName}' (${targetRegion}) \u2014 another cdkd process holds it. Wait for it to finish, or run 'cdkd force-unlock ${resolvedStackName}' if you are certain no other process is active.`
+        );
+      }
+    }
+    try {
+      const { plan, skipped } = await buildImportPlan(state, template, awsClients.cloudFormation);
+      if (skipped.length > 0) {
+        logger.error("The following resources cannot be imported into CloudFormation:");
+        for (const s of skipped) {
+          logger.error(`  - ${s.logicalId} (${s.resourceType}): ${s.reason}`);
+        }
+        throw new Error(
+          `${skipped.length} resource(s) cannot be imported. CloudFormation IMPORT requires every template resource to map to an importable AWS resource. Either destroy these resources first (cdkd destroy / cdkd state destroy cherry-picked), or accept abandoning them by removing them from the CDK app and re-synthesizing.`
+        );
+      }
+      if (plan.length === 0) {
+        logger.warn("No resources to import \u2014 cdkd state is empty.");
+        return;
+      }
+      printPlan(plan, cfnStackName);
+      if (options.dryRun) {
+        logger.info("--dry-run: no CloudFormation changeset will be created.");
+        return;
+      }
+      if (!options.yes) {
+        const ok = await confirmPrompt6(
+          `Create CloudFormation stack '${cfnStackName}' by importing ${plan.length} resource(s) from cdkd state '${resolvedStackName}' (${targetRegion})? AWS resources are unchanged. cdkd state for '${resolvedStackName}' will be deleted on success.`
+        );
+        if (!ok) {
+          logger.info("Migration cancelled. cdkd state and CloudFormation are unchanged.");
+          return;
+        }
+      }
+      const filteredTemplate = filterTemplateForImport(template, plan);
+      await executeImportChangeSet(awsClients.cloudFormation, cfnStackName, filteredTemplate, plan);
+      logger.info(
+        `\u2713 CloudFormation stack '${cfnStackName}' created via IMPORT. ${plan.length} resource(s) are now managed by CloudFormation.`
+      );
+      await stateBackend.deleteState(resolvedStackName, targetRegion);
+      logger.info(
+        `cdkd state for '${resolvedStackName}' (${targetRegion}) removed. Manage the stack with 'cdk deploy' or 'aws cloudformation' from here on.`
+      );
+      printNextSteps({
+        cfnStackName,
+        cdkStackName: resolvedStackName,
+        contextOverrides: options.context ?? []
+      });
+    } finally {
+      if (!options.dryRun) {
+        await lockManager.releaseLock(resolvedStackName, targetRegion).catch((err) => {
+          logger.warn(
+            `Failed to release lock: ${err instanceof Error ? err.message : String(err)}`
+          );
+        });
+      }
+    }
+  } finally {
+    awsClients.destroy();
+  }
+}
+async function pickStackRegion2(stateBackend, stackName, synthRegion, flag) {
+  const refs = (await stateBackend.listStacks()).filter((r) => r.stackName === stackName);
+  if (refs.length === 0) {
+    if (flag)
+      return flag;
+    if (synthRegion)
+      return synthRegion;
+    throw new Error(
+      `No state found for stack '${stackName}'. Run 'cdkd state list' to see available stacks.`
+    );
+  }
+  if (flag) {
+    const found = refs.find((r) => r.region === flag);
+    if (!found) {
+      const seen = refs.map((r) => r.region ?? "(legacy)").join(", ");
+      throw new Error(
+        `No state found for stack '${stackName}' in region '${flag}'. Available regions: ${seen}.`
+      );
+    }
+    return flag;
+  }
+  if (synthRegion) {
+    const found = refs.find((r) => r.region === synthRegion);
+    if (found)
+      return synthRegion;
+  }
+  if (refs.length === 1) {
+    return refs[0].region ?? synthRegion ?? "";
+  }
+  const regions = refs.map((r) => r.region ?? "(legacy)").join(", ");
+  throw new Error(
+    `Stack '${stackName}' has state in multiple regions: ${regions}. Re-run with --stack-region <region> to disambiguate.`
+  );
+}
+function parseTemplateFile(path3) {
+  let raw;
+  try {
+    raw = readFileSync9(path3, "utf-8");
+  } catch (err) {
+    throw new Error(
+      `Failed to read template file '${path3}': ` + (err instanceof Error ? err.message : String(err))
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    throw new Error(
+      `Template file '${path3}' is not valid JSON. cdkd export only supports JSON templates (CDK-generated). Cause: ` + (err instanceof Error ? err.message : String(err))
+    );
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error(`Template file '${path3}' is not a JSON object.`);
+  }
+  return parsed;
+}
+async function assertCfnStackAbsent(cfnClient, stackName) {
+  try {
+    const resp = await cfnClient.send(new DescribeStacksCommand2({ StackName: stackName }));
+    const stack = resp.Stacks?.[0];
+    if (!stack)
+      return;
+    throw new Error(
+      `CloudFormation stack '${stackName}' already exists (status: ${stack.StackStatus ?? "unknown"}). cdkd export only creates new stacks via IMPORT \u2014 delete or rename the existing stack first, or pass --cfn-stack-name to choose a different name.`
+    );
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (/does not exist/i.test(msg)) {
+      return;
+    }
+    throw err;
+  }
+}
+async function buildImportPlan(state, template, cfnClient) {
+  const templateResources = template["Resources"];
+  if (!templateResources || typeof templateResources !== "object" || Array.isArray(templateResources)) {
+    throw new Error("Template has no Resources section.");
+  }
+  const plan = [];
+  const skipped = [];
+  const identifierCache = /* @__PURE__ */ new Map();
+  for (const [logicalId, raw] of Object.entries(templateResources)) {
+    if (!raw || typeof raw !== "object" || Array.isArray(raw))
+      continue;
+    const resource = raw;
+    const resourceType = resource.Type ?? "";
+    if (!resourceType)
+      continue;
+    if (isNeverImportableType(resourceType)) {
+      if (resourceType === "AWS::CDK::Metadata")
+        continue;
+      skipped.push({
+        logicalId,
+        resourceType,
+        reason: "CloudFormation IMPORT does not support this resource type"
+      });
+      continue;
+    }
+    const stateEntry = state.resources[logicalId];
+    if (!stateEntry || !stateEntry.physicalId) {
+      skipped.push({
+        logicalId,
+        resourceType,
+        reason: "no entry in cdkd state (resource is in template but was not deployed by cdkd)"
+      });
+      continue;
+    }
+    let identifierKey;
+    try {
+      identifierKey = await resolvePrimaryIdentifier(resourceType, cfnClient, identifierCache);
+    } catch (err) {
+      skipped.push({
+        logicalId,
+        resourceType,
+        reason: "could not resolve primary identifier: " + (err instanceof Error ? err.message : String(err))
+      });
+      continue;
+    }
+    plan.push({
+      logicalId,
+      resourceType,
+      physicalId: stateEntry.physicalId,
+      identifierKey
+    });
+  }
+  return { plan, skipped };
+}
+async function resolvePrimaryIdentifier(resourceType, cfnClient, cache2) {
+  const cached = cache2.get(resourceType);
+  if (cached !== void 0)
+    return cached;
+  try {
+    const resp = await cfnClient.send(
+      new DescribeTypeCommand({ Type: "RESOURCE", TypeName: resourceType })
+    );
+    if (resp.Schema) {
+      const parsed = JSON.parse(resp.Schema);
+      const primary = parsed.primaryIdentifier;
+      if (Array.isArray(primary) && primary.length === 1 && typeof primary[0] === "string") {
+        const propName = primary[0].replace(/^\/properties\//, "");
+        cache2.set(resourceType, propName);
+        return propName;
+      }
+      if (Array.isArray(primary) && primary.length > 1) {
+        throw new Error(
+          `resource type uses a composite primary identifier (${primary.length} fields); cdkd does not yet support composite identifiers for cdkd export`
+        );
+      }
+    }
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    getLogger().debug(`DescribeType failed for ${resourceType}: ${msg} \u2014 using fallback`);
+  }
+  const fallback = PRIMARY_IDENTIFIER_FALLBACK[resourceType];
+  if (fallback) {
+    cache2.set(resourceType, fallback);
+    return fallback;
+  }
+  throw new Error(
+    `primary identifier unknown (DescribeType returned no usable schema and no fallback is registered). Add ${resourceType} to PRIMARY_IDENTIFIER_FALLBACK in export.ts, or open an issue.`
+  );
+}
+function filterTemplateForImport(template, plan) {
+  const allow = new Set(plan.map((p) => p.logicalId));
+  const original = template["Resources"];
+  const filteredResources = {};
+  for (const [logicalId, resource] of Object.entries(original)) {
+    if (allow.has(logicalId)) {
+      filteredResources[logicalId] = resource;
+    }
+  }
+  const result = { ...template, Resources: filteredResources };
+  const outputs = template["Outputs"];
+  if (outputs && typeof outputs === "object" && !Array.isArray(outputs)) {
+    const filteredOutputs = {};
+    for (const [name, output] of Object.entries(outputs)) {
+      if (referencesOnly(output, allow)) {
+        filteredOutputs[name] = output;
+      }
+    }
+    if (Object.keys(filteredOutputs).length > 0) {
+      result["Outputs"] = filteredOutputs;
+    } else {
+      delete result["Outputs"];
+    }
+  }
+  return result;
+}
+function referencesOnly(node, allow) {
+  if (!node || typeof node !== "object")
+    return true;
+  if (Array.isArray(node)) {
+    return node.every((item) => referencesOnly(item, allow));
+  }
+  for (const [key, value] of Object.entries(node)) {
+    if (key === "Ref" && typeof value === "string") {
+      if (!allow.has(value))
+        return false;
+      continue;
+    }
+    if (key === "Fn::GetAtt") {
+      const target = Array.isArray(value) && typeof value[0] === "string" ? value[0] : typeof value === "string" ? value.split(".")[0] : void 0;
+      if (target && !allow.has(target))
+        return false;
+      continue;
+    }
+    if (!referencesOnly(value, allow))
+      return false;
+  }
+  return true;
+}
+function printPlan(plan, cfnStackName) {
+  const logger = getLogger();
+  logger.info("");
+  logger.info(`Import plan for CloudFormation stack '${cfnStackName}':`);
+  for (const entry of plan) {
+    logger.info(
+      `  ${entry.logicalId} (${entry.resourceType}) \u2190 ${entry.identifierKey}=${entry.physicalId}`
+    );
+  }
+  logger.info("");
+}
+async function executeImportChangeSet(cfnClient, stackName, template, plan) {
+  const logger = getLogger();
+  const changeSetName = `cdkd-migrate-${Date.now()}`;
+  const templateBody = JSON.stringify(template, null, 2);
+  const resourcesToImport = plan.map((entry) => ({
+    ResourceType: entry.resourceType,
+    LogicalResourceId: entry.logicalId,
+    ResourceIdentifier: { [entry.identifierKey]: entry.physicalId }
+  }));
+  logger.info(
+    `Creating IMPORT changeset '${changeSetName}' for stack '${stackName}' (${plan.length} resource(s), ${templateBody.length} bytes)...`
+  );
+  if (templateBody.length > 51200) {
+    throw new Error(
+      `Filtered template is ${templateBody.length} bytes, over the 51,200-byte inline TemplateBody limit. Templates that large require TemplateURL upload (not yet implemented for cdkd export; please file an issue if you hit this).`
+    );
+  }
+  try {
+    await cfnClient.send(
+      new CreateChangeSetCommand({
+        StackName: stackName,
+        ChangeSetName: changeSetName,
+        ChangeSetType: "IMPORT",
+        TemplateBody: templateBody,
+        ResourcesToImport: resourcesToImport,
+        // CDK templates routinely require CAPABILITY_IAM /
+        // CAPABILITY_NAMED_IAM. Forward both so the user does not have to
+        // re-discover and re-pass them.
+        Capabilities: ["CAPABILITY_IAM", "CAPABILITY_NAMED_IAM", "CAPABILITY_AUTO_EXPAND"]
+      })
+    );
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`Failed to create IMPORT changeset: ${msg}`);
+  }
+  try {
+    await waitUntilChangeSetCreateComplete(
+      { client: cfnClient, maxWaitTime: 600 },
+      { StackName: stackName, ChangeSetName: changeSetName }
+    );
+  } catch (err) {
+    try {
+      const desc = await cfnClient.send(
+        new DescribeChangeSetCommand({ StackName: stackName, ChangeSetName: changeSetName })
+      );
+      const reason = desc.StatusReason ?? "unknown";
+      await cfnClient.send(new DeleteChangeSetCommand({ StackName: stackName, ChangeSetName: changeSetName })).catch(() => {
+      });
+      throw new Error(`IMPORT changeset FAILED: ${reason}`);
+    } catch (innerErr) {
+      if (innerErr instanceof Error && innerErr.message.startsWith("IMPORT changeset FAILED")) {
+        throw innerErr;
+      }
+      throw err;
+    }
+  }
+  logger.info(`Executing IMPORT changeset...`);
+  try {
+    await cfnClient.send(
+      new ExecuteChangeSetCommand({ StackName: stackName, ChangeSetName: changeSetName })
+    );
+    await waitUntilStackImportComplete(
+      { client: cfnClient, maxWaitTime: 3600 },
+      { StackName: stackName }
+    );
+  } catch (err) {
+    await cfnClient.send(new DeleteChangeSetCommand({ StackName: stackName, ChangeSetName: changeSetName })).catch(() => {
+    });
+    throw err;
+  }
+}
+function refuseTransientContextIfUnsafe(options) {
+  const overrides = options.context ?? [];
+  if (overrides.length === 0)
+    return;
+  if (!options.acceptTransientContext) {
+    const indented = overrides.map((v) => `    -c ${v}`).join("\n");
+    throw new Error(
+      `Refusing to export: ${overrides.length} CLI context override(s) supplied via -c are not persisted to cdk.json / cdk.context.json, so subsequent \`cdk deploy\` invocations will synthesize a different template and CFn will see drift or replace resources.
+
+Supplied:
+${indented}
+
+Choose one:
+  (recommended) Move these values into cdk.json's "context": { ... } field, then re-run
+                cdkd export without -c. CDK CLI reads cdk.json on every synth, so they
+                will be picked up automatically.
+  (escape)      Pass --accept-transient-context to proceed. You will then need to
+                pass the SAME -c flags to every future \`cdk deploy\` for this stack.`
+    );
+  }
+  const logger = getLogger();
+  logger.warn(
+    `--accept-transient-context: ${overrides.length} CLI context override(s) will not be persisted to cdk.json / cdk.context.json. Remember to pass the same -c flags to every future \`cdk deploy\` for this stack, or move them to cdk.json before then.`
+  );
+  for (const v of overrides) {
+    logger.warn(`  -c ${v}`);
+  }
+}
+function printNextSteps(args) {
+  const logger = getLogger();
+  const ctxArgs = args.contextOverrides.map((v) => ` -c ${v}`).join("");
+  const stackId = args.cdkStackName;
+  logger.info("");
+  logger.info("Next steps \u2014 manage the stack with CDK CLI from now on:");
+  logger.info(`  cdk diff ${stackId}${ctxArgs}    # verify synth matches what CFn now holds`);
+  logger.info(`  cdk deploy ${stackId}${ctxArgs}  # subsequent updates`);
+  if (args.contextOverrides.length > 0) {
+    logger.info("");
+    logger.info(
+      `  NOTE: the -c flags above were captured from this export run. They MUST be passed on every future cdk invocation, or moved into cdk.json's "context" field.`
+    );
+  }
+  logger.info("");
+}
+async function confirmPrompt6(prompt) {
+  const rl = readline8.createInterface({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = await rl.question(`${prompt} [y/N] `);
+    return /^y(es)?$/i.test(ans.trim());
+  } finally {
+    rl.close();
+  }
+}
+function createExportCommand() {
+  const cmd = new Command17("export").description(
+    "Hand a cdkd-managed stack over to CloudFormation via CFn IMPORT (changeset). AWS resources are unchanged; cdkd state for the stack is deleted on success. Mirror of `cdkd import` (AWS \u2192 cdkd) in the reverse direction (cdkd \u2192 CFn). JSON templates only. Aborts if any resource is not CFn-importable."
+  ).argument("[stack]", "Stack name to export (auto-detected for single-stack apps)").option(
+    "--cfn-stack-name <name>",
+    "Name of the destination CloudFormation stack. Defaults to the cdkd stack name."
+  ).option(
+    "--template <path>",
+    "Path to a pre-rendered CloudFormation template (JSON). Skips synth."
+  ).option(
+    "--stack-region <region>",
+    "Region of the cdkd state record to operate on. Required when the same stack name has state in multiple regions."
+  ).option("--dry-run", "Print the import plan without creating a changeset.", false).option(
+    "--accept-transient-context",
+    "Allow CLI -c key=value overrides at export time even though they are not persisted to cdk.json / cdk.context.json (default: refuse). When set, the user is responsible for passing the same -c flags to every future cdk deploy.",
+    false
+  ).action(withErrorHandling(exportCommand));
+  [...commonOptions, ...appOptions, ...stateOptions, ...contextOptions].forEach(
+    (opt) => cmd.addOption(opt)
+  );
+  cmd.addOption(deprecatedRegionOption);
+  return cmd;
+}
+
 // src/cli/index.ts
 var SUBCOMMANDS = /* @__PURE__ */ new Set([
   "bootstrap",
@@ -78991,6 +79583,7 @@ var SUBCOMMANDS = /* @__PURE__ */ new Set([
   "destroy",
   "orphan",
   "import",
+  "export",
   "publish-assets",
   "force-unlock",
   "state",
@@ -79007,8 +79600,8 @@ function reorderArgs(argv) {
   return [...prefix, ...cmdAndAfter, ...beforeCmd];
 }
 async function main() {
-  const program = new Command17();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.83.1");
+  const program = new Command18();
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.84.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());
@@ -79022,6 +79615,7 @@ async function main() {
   program.addCommand(createForceUnlockCommand());
   program.addCommand(createStateCommand());
   program.addCommand(createLocalCommand());
+  program.addCommand(createExportCommand());
   const args = reorderArgs(process.argv);
   await program.parseAsync(args);
 }