@go-to-k/cdkd 0.91.1 → 0.91.3

package/dist/cli.js

@@ -47837,22 +47837,32 @@ var ECSProvider = class {
       essential: def["Essential"],
       command: def["Command"],
       entryPoint: def["EntryPoint"],
-      environment: def["Environment"],
-      environmentFiles: def["EnvironmentFiles"],
-      secrets: def["Secrets"],
+      environment: this.convertEnvironment(
+        def["Environment"]
+      ),
+      environmentFiles: this.convertEnvironmentFiles(
+        def["EnvironmentFiles"]
+      ),
+      secrets: this.convertSecrets(def["Secrets"]),
       portMappings: this.convertPortMappings(
         def["PortMappings"]
       ),
-      mountPoints: def["MountPoints"],
-      volumesFrom: def["VolumesFrom"],
-      dependsOn: def["DependsOn"],
+      mountPoints: this.convertMountPoints(
+        def["MountPoints"]
+      ),
+      volumesFrom: this.convertVolumesFrom(
+        def["VolumesFrom"]
+      ),
+      dependsOn: this.convertDependsOn(
+        def["DependsOn"]
+      ),
       links: def["Links"],
       workingDirectory: def["WorkingDirectory"],
       disableNetworking: def["DisableNetworking"],
       privileged: def["Privileged"],
       readonlyRootFilesystem: def["ReadonlyRootFilesystem"],
       user: def["User"],
-      ulimits: def["Ulimits"],
+      ulimits: this.convertUlimits(def["Ulimits"]),
       logConfiguration: this.convertLogConfiguration(
         def["LogConfiguration"]
       ),
@@ -47881,6 +47891,103 @@ var ECSProvider = class {
       name: m["Name"]
     }));
   }
+  /**
+   * Convert CFn Environment (KeyValuePair) to ECS SDK format.
+   * CFn template emits `{Name, Value}` (PascalCase); ECS SDK requires
+   * `{name, value}` (camelCase). Pre-fix the cast `as KeyValuePair[]`
+   * silently dropped both fields and AWS rejected RegisterTaskDefinition
+   * with a generic null/empty validation error.
+   */
+  convertEnvironment(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      value: e["Value"]
+    }));
+  }
+  /**
+   * Convert CFn EnvironmentFiles (S3-backed env-var files) to ECS SDK format.
+   * CFn: `{Type, Value}` → SDK: `{type, value}`.
+   */
+  convertEnvironmentFiles(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      type: e["Type"],
+      value: e["Value"]
+    }));
+  }
+  /**
+   * Convert CFn Secrets to ECS SDK format.
+   * CFn: `{Name, ValueFrom}` → SDK: `{name, valueFrom}`.
+   * Same PascalCase→camelCase trap as convertEnvironment — discovered
+   * end-to-end via the local-run-task-from-state integ on 2026-05-12
+   * (issue #291 fixture).
+   */
+  convertSecrets(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      valueFrom: e["ValueFrom"]
+    }));
+  }
+  /**
+   * Convert CFn MountPoints to ECS SDK format.
+   * CFn: `{SourceVolume, ContainerPath, ReadOnly}` → SDK: `{sourceVolume,
+   * containerPath, readOnly}`.
+   */
+  convertMountPoints(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      sourceVolume: e["SourceVolume"],
+      containerPath: e["ContainerPath"],
+      readOnly: e["ReadOnly"]
+    }));
+  }
+  /**
+   * Convert CFn VolumesFrom to ECS SDK format.
+   * CFn: `{SourceContainer, ReadOnly}` → SDK: `{sourceContainer, readOnly}`.
+   */
+  convertVolumesFrom(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      sourceContainer: e["SourceContainer"],
+      readOnly: e["ReadOnly"]
+    }));
+  }
+  /**
+   * Convert CFn DependsOn to ECS SDK format.
+   * CFn: `{ContainerName, Condition}` → SDK: `{containerName, condition}`.
+   * The pre-existing local-run-task-multi-container integ was relying
+   * on ECS SDK being lenient about the dependsOn key casing on input,
+   * but per the SDK type definition the input is camelCase so this
+   * converter brings the actual wire shape in line with the contract.
+   */
+  convertDependsOn(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      containerName: e["ContainerName"],
+      condition: e["Condition"]
+    }));
+  }
+  /**
+   * Convert CFn Ulimits to ECS SDK format.
+   * CFn: `{Name, SoftLimit, HardLimit}` → SDK: `{name, softLimit, hardLimit}`.
+   */
+  convertUlimits(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      softLimit: e["SoftLimit"],
+      hardLimit: e["HardLimit"]
+    }));
+  }
   /**
    * Convert CFn LogConfiguration to ECS SDK format
    */
@@ -70168,167 +70275,447 @@ async function loadStateForStack(stackName, synthRegion, opts) {
 // src/local/lambda-resolver.ts
 import { existsSync as existsSync4, statSync as statSync3 } from "node:fs";
 import { dirname, isAbsolute, resolve as resolve4 } from "node:path";
-var LocalInvokeResolutionError = class _LocalInvokeResolutionError extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "LocalInvokeResolutionError";
-    Object.setPrototypeOf(this, _LocalInvokeResolutionError.prototype);
-  }
-};
-function parseTarget(target) {
-  if (typeof target !== "string" || target.length === 0) {
-    throw new LocalInvokeResolutionError(
-      "Empty target. Pass a CDK display path (e.g. 'MyStack/MyApi/Handler') or stack-qualified logical ID (e.g. 'MyStack:MyApiHandler1234ABCD')."
-    );
-  }
-  const colonIdx = target.indexOf(":");
-  const slashIdx = target.indexOf("/");
-  if (colonIdx > 0 && (slashIdx === -1 || colonIdx < slashIdx)) {
-    const stackPattern = target.substring(0, colonIdx);
-    const pathOrId = target.substring(colonIdx + 1);
-    if (pathOrId.length === 0) {
-      throw new LocalInvokeResolutionError(`Target '${target}' has no logical ID after ':'.`);
-    }
-    return { stackPattern, pathOrId, isPath: pathOrId.includes("/") };
-  }
-  if (slashIdx > 0) {
-    return { stackPattern: target.substring(0, slashIdx), pathOrId: target, isPath: true };
+
+// src/local/intrinsic-image.ts
+function tryResolveImageFnJoin(raw, resources, context) {
+  if (!raw || typeof raw !== "object")
+    return { kind: "not-applicable" };
+  const obj = raw;
+  const arg = obj["Fn::Join"];
+  if (arg === void 0)
+    return { kind: "not-applicable" };
+  if (!Array.isArray(arg) || arg.length !== 2 || !Array.isArray(arg[1])) {
+    return { kind: "unsupported-join", reason: "Fn::Join must be [delimiter, [elements]]" };
   }
-  return { stackPattern: null, pathOrId: target, isPath: false };
-}
-function resolveLambdaTarget(target, stacks) {
-  if (stacks.length === 0) {
-    throw new LocalInvokeResolutionError("No stacks found in the synthesized assembly.");
+  const [delimiter, elements] = arg;
+  if (typeof delimiter !== "string") {
+    return {
+      kind: "unsupported-join",
+      reason: `Fn::Join delimiter must be a string, got ${typeof delimiter}`
+    };
   }
-  const parsed = parseTarget(target);
-  const stack = pickStack(parsed, stacks);
-  const template = stack.template;
-  const resources = template.Resources ?? {};
-  let match;
-  if (parsed.isPath) {
-    const index = buildCdkPathIndex(template);
-    const resolvedPaths = resolveCdkPathToLogicalIds(parsed.pathOrId, index);
-    const lambdaMatches = resolvedPaths.filter(
-      ({ logicalId: logicalId2 }) => resources[logicalId2]?.Type === "AWS::Lambda::Function"
-    );
-    if (lambdaMatches.length === 0) {
-      throw notFoundError(target, stack, resources);
-    }
-    if (lambdaMatches.length > 1) {
-      throw new LocalInvokeResolutionError(
-        `Target '${target}' matches ${lambdaMatches.length} Lambda functions in ${stack.stackName}: ` + lambdaMatches.map((m2) => m2.logicalId).join(", ") + ". Refine the path or use the stack:LogicalId form."
-      );
-    }
-    const m = lambdaMatches[0];
-    match = { logicalId: m.logicalId, resource: resources[m.logicalId] };
-  } else {
-    const resource2 = resources[parsed.pathOrId];
-    if (!resource2) {
-      throw notFoundError(target, stack, resources);
-    }
-    match = { logicalId: parsed.pathOrId, resource: resource2 };
+  const repoLogicalId = findEcrRepositoryRefInTree(elements, resources);
+  const stateResources = context?.stateResources;
+  if (repoLogicalId && !stateResources) {
+    return { kind: "needs-state", repoLogicalId };
   }
-  const { logicalId, resource } = match;
-  if (resource.Type !== "AWS::Lambda::Function") {
-    if (resource.Type.startsWith("Custom::")) {
-      throw new LocalInvokeResolutionError(
-        `Resource '${logicalId}' in ${stack.stackName} is a Custom Resource (${resource.Type}), not a Lambda function. Custom Resources are invoked by the deploy framework, not by users. If you want to test the underlying handler, target the ServiceToken Lambda directly.`
-      );
+  const parts = [];
+  for (const element of elements) {
+    const r = resolveImageIntrinsic(element, resources, context);
+    if (r === void 0) {
+      if (!repoLogicalId)
+        return { kind: "not-applicable" };
+      return {
+        kind: "unsupported-join",
+        reason: "one or more Fn::Join elements could not be resolved"
+      };
     }
-    throw new LocalInvokeResolutionError(
-      `Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not a Lambda function. cdkd local invoke only works on AWS::Lambda::Function resources in v1.`
-    );
+    parts.push(r);
   }
-  return extractLambdaProperties(stack, logicalId, resource);
+  return { kind: "resolved", uri: parts.join(delimiter) };
 }
-function pickStack(parsed, stacks) {
-  if (parsed.stackPattern === null) {
-    if (stacks.length === 1)
-      return stacks[0];
-    throw new LocalInvokeResolutionError(
-      `Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
-    );
-  }
-  const matched = matchStacks(stacks, [parsed.stackPattern]);
-  if (matched.length === 0) {
-    throw new LocalInvokeResolutionError(
-      `Stack '${parsed.stackPattern}' not found. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
-    );
-  }
-  if (matched.length > 1) {
-    throw new LocalInvokeResolutionError(
-      `Stack pattern '${parsed.stackPattern}' matched ${matched.length} stacks: ` + matched.map((s) => s.stackName).join(", ") + ". Use a more specific pattern."
-    );
+function findEcrRepositoryRefInTree(node, resources) {
+  if (node === null || node === void 0)
+    return void 0;
+  if (typeof node === "string" || typeof node === "number" || typeof node === "boolean") {
+    return void 0;
   }
-  return matched[0];
-}
-function extractLambdaProperties(stack, logicalId, resource) {
-  const props = resource.Properties ?? {};
-  const memoryMb = typeof props["MemorySize"] === "number" ? props["MemorySize"] : 128;
-  const timeoutSec = typeof props["Timeout"] === "number" ? props["Timeout"] : 3;
-  const code = props["Code"] ?? {};
-  const imageUri = extractImageUri(code["ImageUri"]);
-  if (imageUri !== void 0) {
-    return extractImageLambdaProperties({
-      stack,
-      logicalId,
-      resource,
-      memoryMb,
-      timeoutSec,
-      props,
-      imageUri
-    });
+  if (Array.isArray(node)) {
+    for (const item of node) {
+      const hit = findEcrRepositoryRefInTree(item, resources);
+      if (hit)
+        return hit;
+    }
+    return void 0;
   }
-  const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
-  const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
-  if (!runtime) {
-    throw new LocalInvokeResolutionError(
-      `Lambda '${logicalId}' has no Runtime property and no Code.ImageUri. cdkd cannot tell if this is a ZIP or a container Lambda.`
-    );
+  if (typeof node !== "object")
+    return void 0;
+  const obj = node;
+  if (typeof obj["Ref"] === "string") {
+    const target = obj["Ref"];
+    if (resources[target]?.Type === "AWS::ECR::Repository")
+      return target;
+    return void 0;
   }
-  if (!handler) {
-    throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has no Handler property.`);
+  const getAtt = obj["Fn::GetAtt"];
+  if (getAtt !== void 0) {
+    let lid;
+    if (Array.isArray(getAtt) && typeof getAtt[0] === "string")
+      lid = getAtt[0];
+    else if (typeof getAtt === "string")
+      lid = getAtt.split(".")[0];
+    if (lid && resources[lid]?.Type === "AWS::ECR::Repository")
+      return lid;
+    return void 0;
   }
-  const inlineCode = typeof code["ZipFile"] === "string" ? code["ZipFile"] : void 0;
-  let codePath = null;
-  if (!inlineCode) {
-    codePath = resolveAssetCodePath(stack, logicalId, resource);
+  for (const value of Object.values(obj)) {
+    const hit = findEcrRepositoryRefInTree(value, resources);
+    if (hit)
+      return hit;
   }
-  const layers = resolveLambdaLayers(stack, logicalId, props);
-  return {
-    kind: "zip",
-    stack,
-    logicalId,
-    resource,
-    runtime,
-    handler,
-    memoryMb,
-    timeoutSec,
-    codePath,
-    layers,
-    ...inlineCode !== void 0 && { inlineCode }
-  };
+  return void 0;
 }
-function extractImageUri(value) {
-  if (typeof value === "string" && value.length > 0)
-    return value;
-  if (value && typeof value === "object" && !Array.isArray(value)) {
-    const obj = value;
-    const sub = obj["Fn::Sub"];
-    if (typeof sub === "string" && sub.length > 0)
-      return sub;
-    if (Array.isArray(sub) && typeof sub[0] === "string")
-      return sub[0];
-  }
+function resolveImageIntrinsic(node, resources, context) {
+  const v = resolveImageIntrinsicAny(node, resources, context);
+  if (typeof v === "string")
+    return v;
+  if (typeof v === "number" || typeof v === "boolean")
+    return String(v);
   return void 0;
 }
-function extractImageLambdaProperties(args) {
-  const { stack, logicalId, resource, memoryMb, timeoutSec, props, imageUri } = args;
-  const rawImageConfig = props["ImageConfig"] ?? {};
-  const imageConfig = {};
-  if (Array.isArray(rawImageConfig["Command"])) {
-    imageConfig.command = rawImageConfig["Command"].filter(
-      (s) => typeof s === "string"
+function resolveImageIntrinsicAny(node, resources, context) {
+  if (node === null || node === void 0)
+    return void 0;
+  if (typeof node === "string" || typeof node === "number" || typeof node === "boolean") {
+    return node;
+  }
+  if (Array.isArray(node)) {
+    return void 0;
+  }
+  if (typeof node !== "object")
+    return void 0;
+  const obj = node;
+  const keys = Object.keys(obj);
+  if (keys.length !== 1)
+    return void 0;
+  const intrinsic = keys[0];
+  const arg = obj[intrinsic];
+  if (intrinsic === "Ref") {
+    if (typeof arg !== "string")
+      return void 0;
+    if (arg.startsWith("AWS::")) {
+      const p = context?.pseudoParameters;
+      if (!p)
+        return void 0;
+      if (arg === "AWS::URLSuffix")
+        return p.urlSuffix;
+      if (arg === "AWS::Partition")
+        return p.partition;
+      if (arg === "AWS::Region")
+        return p.region;
+      if (arg === "AWS::AccountId")
+        return p.accountId;
+      return void 0;
+    }
+    const refResource = resources[arg];
+    if (refResource?.Type !== "AWS::ECR::Repository")
+      return void 0;
+    const stateEntry = context?.stateResources?.[arg];
+    if (!stateEntry)
+      return void 0;
+    return stateEntry.physicalId;
+  }
+  if (intrinsic === "Fn::GetAtt") {
+    let logicalId;
+    let attr;
+    if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && typeof arg[1] === "string") {
+      logicalId = arg[0];
+      attr = arg[1];
+    } else if (typeof arg === "string") {
+      const dot = arg.indexOf(".");
+      if (dot > 0 && dot < arg.length - 1) {
+        logicalId = arg.slice(0, dot);
+        attr = arg.slice(dot + 1);
+      }
+    }
+    if (!logicalId || !attr)
+      return void 0;
+    if (resources[logicalId]?.Type !== "AWS::ECR::Repository")
+      return void 0;
+    const cached = context?.stateResources?.[logicalId]?.attributes?.[attr];
+    if (typeof cached === "string" && cached.length > 0)
+      return cached;
+    return void 0;
+  }
+  if (intrinsic === "Fn::Split") {
+    if (!Array.isArray(arg) || arg.length !== 2)
+      return void 0;
+    const argArr = arg;
+    const delim = argArr[0];
+    if (typeof delim !== "string")
+      return void 0;
+    const src = resolveImageIntrinsicAny(argArr[1], resources, context);
+    if (typeof src !== "string")
+      return void 0;
+    return src.split(delim);
+  }
+  if (intrinsic === "Fn::Select") {
+    if (!Array.isArray(arg) || arg.length !== 2)
+      return void 0;
+    const argArr = arg;
+    const rawIndex = argArr[0];
+    let index;
+    if (typeof rawIndex === "number") {
+      index = rawIndex;
+    } else if (typeof rawIndex === "string" && /^-?\d+$/.test(rawIndex)) {
+      index = Number.parseInt(rawIndex, 10);
+    }
+    if (index === void 0 || !Number.isFinite(index))
+      return void 0;
+    const list = resolveImageIntrinsicAny(argArr[1], resources, context);
+    if (Array.isArray(list)) {
+      if (index < 0 || index >= list.length)
+        return void 0;
+      const picked = list[index];
+      if (typeof picked === "string")
+        return picked;
+      return void 0;
+    }
+    if (Array.isArray(argArr[1])) {
+      const listLiteral = argArr[1];
+      if (index < 0 || index >= listLiteral.length)
+        return void 0;
+      return resolveImageIntrinsic(listLiteral[index], resources, context);
+    }
+    return void 0;
+  }
+  if (intrinsic === "Fn::Join") {
+    if (!Array.isArray(arg) || arg.length !== 2)
+      return void 0;
+    const [delim, parts] = arg;
+    if (typeof delim !== "string" || !Array.isArray(parts))
+      return void 0;
+    const resolved = [];
+    for (const part of parts) {
+      const r = resolveImageIntrinsic(part, resources, context);
+      if (r === void 0)
+        return void 0;
+      resolved.push(r);
+    }
+    return resolved.join(delim);
+  }
+  if (intrinsic === "Fn::Sub") {
+    let template;
+    if (typeof arg === "string")
+      template = arg;
+    else if (Array.isArray(arg) && typeof arg[0] === "string")
+      template = arg[0];
+    if (template === void 0)
+      return void 0;
+    const out = substituteImagePlaceholders(template, resources, context);
+    if (out.includes("${"))
+      return void 0;
+    return out;
+  }
+  return void 0;
+}
+function substituteImagePlaceholders(flat, resources, context) {
+  if (!flat.includes("${"))
+    return flat;
+  return flat.replace(/\$\{([^}]+)\}/g, (full, key) => {
+    if (context?.pseudoParameters) {
+      if (key === "AWS::AccountId" && context.pseudoParameters.accountId) {
+        return context.pseudoParameters.accountId;
+      }
+      if (key === "AWS::Region" && context.pseudoParameters.region) {
+        return context.pseudoParameters.region;
+      }
+      if (key === "AWS::Partition" && context.pseudoParameters.partition) {
+        return context.pseudoParameters.partition;
+      }
+      if (key === "AWS::URLSuffix" && context.pseudoParameters.urlSuffix) {
+        return context.pseudoParameters.urlSuffix;
+      }
+    }
+    if (context?.stateResources) {
+      const dot = key.indexOf(".");
+      const logicalId = dot === -1 ? key : key.slice(0, dot);
+      const refResource = resources[logicalId];
+      const stateEntry = context.stateResources[logicalId];
+      if (refResource?.Type === "AWS::ECR::Repository" && stateEntry) {
+        if (dot === -1) {
+          return stateEntry.physicalId;
+        }
+        const attr = key.slice(dot + 1);
+        const cached = stateEntry.attributes?.[attr];
+        if (typeof cached === "string")
+          return cached;
+      }
+    }
+    return full;
+  });
+}
+
+// src/local/lambda-resolver.ts
+var LocalInvokeResolutionError = class _LocalInvokeResolutionError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "LocalInvokeResolutionError";
+    Object.setPrototypeOf(this, _LocalInvokeResolutionError.prototype);
+  }
+};
+function parseTarget(target) {
+  if (typeof target !== "string" || target.length === 0) {
+    throw new LocalInvokeResolutionError(
+      "Empty target. Pass a CDK display path (e.g. 'MyStack/MyApi/Handler') or stack-qualified logical ID (e.g. 'MyStack:MyApiHandler1234ABCD')."
+    );
+  }
+  const colonIdx = target.indexOf(":");
+  const slashIdx = target.indexOf("/");
+  if (colonIdx > 0 && (slashIdx === -1 || colonIdx < slashIdx)) {
+    const stackPattern = target.substring(0, colonIdx);
+    const pathOrId = target.substring(colonIdx + 1);
+    if (pathOrId.length === 0) {
+      throw new LocalInvokeResolutionError(`Target '${target}' has no logical ID after ':'.`);
+    }
+    return { stackPattern, pathOrId, isPath: pathOrId.includes("/") };
+  }
+  if (slashIdx > 0) {
+    return { stackPattern: target.substring(0, slashIdx), pathOrId: target, isPath: true };
+  }
+  return { stackPattern: null, pathOrId: target, isPath: false };
+}
+function resolveLambdaTarget(target, stacks) {
+  if (stacks.length === 0) {
+    throw new LocalInvokeResolutionError("No stacks found in the synthesized assembly.");
+  }
+  const parsed = parseTarget(target);
+  const stack = pickStack(parsed, stacks);
+  const template = stack.template;
+  const resources = template.Resources ?? {};
+  let match;
+  if (parsed.isPath) {
+    const index = buildCdkPathIndex(template);
+    const resolvedPaths = resolveCdkPathToLogicalIds(parsed.pathOrId, index);
+    const lambdaMatches = resolvedPaths.filter(
+      ({ logicalId: logicalId2 }) => resources[logicalId2]?.Type === "AWS::Lambda::Function"
+    );
+    if (lambdaMatches.length === 0) {
+      throw notFoundError(target, stack, resources);
+    }
+    if (lambdaMatches.length > 1) {
+      throw new LocalInvokeResolutionError(
+        `Target '${target}' matches ${lambdaMatches.length} Lambda functions in ${stack.stackName}: ` + lambdaMatches.map((m2) => m2.logicalId).join(", ") + ". Refine the path or use the stack:LogicalId form."
+      );
+    }
+    const m = lambdaMatches[0];
+    match = { logicalId: m.logicalId, resource: resources[m.logicalId] };
+  } else {
+    const resource2 = resources[parsed.pathOrId];
+    if (!resource2) {
+      throw notFoundError(target, stack, resources);
+    }
+    match = { logicalId: parsed.pathOrId, resource: resource2 };
+  }
+  const { logicalId, resource } = match;
+  if (resource.Type !== "AWS::Lambda::Function") {
+    if (resource.Type.startsWith("Custom::")) {
+      throw new LocalInvokeResolutionError(
+        `Resource '${logicalId}' in ${stack.stackName} is a Custom Resource (${resource.Type}), not a Lambda function. Custom Resources are invoked by the deploy framework, not by users. If you want to test the underlying handler, target the ServiceToken Lambda directly.`
+      );
+    }
+    throw new LocalInvokeResolutionError(
+      `Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not a Lambda function. cdkd local invoke only works on AWS::Lambda::Function resources in v1.`
+    );
+  }
+  return extractLambdaProperties(stack, logicalId, resource, resources);
+}
+function pickStack(parsed, stacks) {
+  if (parsed.stackPattern === null) {
+    if (stacks.length === 1)
+      return stacks[0];
+    throw new LocalInvokeResolutionError(
+      `Multiple stacks in app, target '${parsed.pathOrId}' is missing a stack prefix. Use 'StackName:${parsed.pathOrId}' or 'StackName/...' (path form). Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
+    );
+  }
+  const matched = matchStacks(stacks, [parsed.stackPattern]);
+  if (matched.length === 0) {
+    throw new LocalInvokeResolutionError(
+      `Stack '${parsed.stackPattern}' not found. Available stacks: ${stacks.map((s) => s.stackName).join(", ")}.`
+    );
+  }
+  if (matched.length > 1) {
+    throw new LocalInvokeResolutionError(
+      `Stack pattern '${parsed.stackPattern}' matched ${matched.length} stacks: ` + matched.map((s) => s.stackName).join(", ") + ". Use a more specific pattern."
+    );
+  }
+  return matched[0];
+}
+function extractLambdaProperties(stack, logicalId, resource, resources) {
+  const props = resource.Properties ?? {};
+  const memoryMb = typeof props["MemorySize"] === "number" ? props["MemorySize"] : 128;
+  const timeoutSec = typeof props["Timeout"] === "number" ? props["Timeout"] : 3;
+  const code = props["Code"] ?? {};
+  const imageUri = extractImageUri(code["ImageUri"], logicalId, stack.stackName, resources);
+  if (imageUri !== void 0) {
+    return extractImageLambdaProperties({
+      stack,
+      logicalId,
+      resource,
+      memoryMb,
+      timeoutSec,
+      props,
+      imageUri
+    });
+  }
+  const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
+  const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
+  if (!runtime) {
+    throw new LocalInvokeResolutionError(
+      `Lambda '${logicalId}' has no Runtime property and no Code.ImageUri. cdkd cannot tell if this is a ZIP or a container Lambda.`
+    );
+  }
+  if (!handler) {
+    throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has no Handler property.`);
+  }
+  const inlineCode = typeof code["ZipFile"] === "string" ? code["ZipFile"] : void 0;
+  let codePath = null;
+  if (!inlineCode) {
+    codePath = resolveAssetCodePath(stack, logicalId, resource);
+  }
+  const layers = resolveLambdaLayers(stack, logicalId, props);
+  return {
+    kind: "zip",
+    stack,
+    logicalId,
+    resource,
+    runtime,
+    handler,
+    memoryMb,
+    timeoutSec,
+    codePath,
+    layers,
+    ...inlineCode !== void 0 && { inlineCode }
+  };
+}
+function extractImageUri(value, logicalId, stackName, resources) {
+  if (typeof value === "string" && value.length > 0)
+    return value;
+  if (value && typeof value === "object" && !Array.isArray(value)) {
+    const obj = value;
+    const sub = obj["Fn::Sub"];
+    if (typeof sub === "string" && sub.length > 0)
+      return sub;
+    if (Array.isArray(sub) && typeof sub[0] === "string")
+      return sub[0];
+    if ("Fn::Join" in obj) {
+      const joinResolved = tryResolveImageFnJoin(value, resources, void 0);
+      if (joinResolved.kind === "resolved")
+        return joinResolved.uri;
+      if (joinResolved.kind === "needs-state") {
+        throw new LocalInvokeResolutionError(
+          `Lambda '${logicalId}' in ${stackName} references same-stack ECR repository '${joinResolved.repoLogicalId}' via Fn::Join. cdkd local invoke cannot resolve the repository URI without state \u2014 deploy the stack first (so cdkd records the repository physical id), rebuild via lambda.DockerImageCode.fromImageAsset, or pin a public image.`
+        );
+      }
+      if (joinResolved.kind === "unsupported-join") {
+        throw new LocalInvokeResolutionError(
+          `Lambda '${logicalId}' in ${stackName} has an unsupported Fn::Join Code.ImageUri shape: ${joinResolved.reason}. cdkd local invoke recognizes the canonical CDK 2.x lambda.DockerImageCode.fromEcr Fn::Join shape (delimiter "" with nested Fn::Select/Fn::Split over an ECR Repository Arn GetAtt + Ref to the repo).`
+        );
+      }
+      throw new LocalInvokeResolutionError(
+        `Lambda '${logicalId}' in ${stackName} has an Fn::Join Code.ImageUri that cdkd local invoke cannot resolve. The shape likely references AWS pseudo parameters (e.g. \${AWS::URLSuffix}) for an imported ECR repository. Workarounds: rebuild via lambda.DockerImageCode.fromImageAsset, or pin a fully-literal public image URI.`
+      );
+    }
+  }
+  return void 0;
+}
+function extractImageLambdaProperties(args) {
+  const { stack, logicalId, resource, memoryMb, timeoutSec, props, imageUri } = args;
+  const rawImageConfig = props["ImageConfig"] ?? {};
+  const imageConfig = {};
+  if (Array.isArray(rawImageConfig["Command"])) {
+    imageConfig.command = rawImageConfig["Command"].filter(
+      (s) => typeof s === "string"
     );
   }
   if (Array.isArray(rawImageConfig["EntryPoint"])) {
@@ -70511,7 +70898,8 @@ function isLiteralEnvValue(value) {
 }
 
 // src/local/state-resolver.ts
-function substituteAgainstState(value, resources) {
+function substituteAgainstState(value, contextOrResources) {
+  const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
   if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
     return { kind: "literal", value };
   }
@@ -70532,24 +70920,40 @@ function substituteAgainstState(value, resources) {
   const intrinsic = keys[0];
   const arg = obj[intrinsic];
   if (intrinsic === "Ref") {
-    return resolveRef(arg, resources);
+    return resolveRef(arg, context);
   }
   if (intrinsic === "Fn::GetAtt") {
-    return resolveGetAtt(arg, resources);
+    return resolveGetAtt(arg, context);
   }
   if (intrinsic === "Fn::Sub") {
-    return resolveSub(arg, resources);
+    return resolveSub(arg, context);
+  }
+  if (intrinsic === "Fn::Join") {
+    return resolveJoin(arg, context);
   }
   return {
     kind: "unresolved",
-    reason: `unsupported intrinsic '${intrinsic}' (only Ref, Fn::GetAtt, Fn::Sub are wired in --from-state v1)`
+    reason: `unsupported intrinsic '${intrinsic}' (supported: Ref, Fn::GetAtt, Fn::Sub, Fn::Join)`
   };
 }
-function resolveRef(arg, resources) {
+function isContext(v) {
+  if (typeof v !== "object" || v === null)
+    return false;
+  const r = v["resources"];
+  if (r === void 0)
+    return false;
+  if (typeof r !== "object" || r === null)
+    return false;
+  return !("physicalId" in r);
+}
+function resolveRef(arg, context) {
   if (typeof arg !== "string" || arg.length === 0) {
     return { kind: "unresolved", reason: `Ref expects a non-empty logical ID, got ${typeof arg}` };
   }
-  const resource = resources[arg];
+  if (arg.startsWith("AWS::")) {
+    return resolvePseudoParameter(arg, context.pseudoParameters);
+  }
+  const resource = context.resources[arg];
   if (!resource) {
     return {
       kind: "unresolved",
@@ -70558,7 +70962,39 @@ function resolveRef(arg, resources) {
   }
   return { kind: "literal", value: resource.physicalId };
 }
-function resolveGetAtt(arg, resources) {
+function resolvePseudoParameter(name, pseudo) {
+  if (!pseudo) {
+    return {
+      kind: "unresolved",
+      reason: `Ref '${name}': pseudo parameter not supplied (need --from-state context)`
+    };
+  }
+  switch (name) {
+    case "AWS::AccountId":
+      if (pseudo.accountId !== void 0)
+        return { kind: "literal", value: pseudo.accountId };
+      break;
+    case "AWS::Region":
+      if (pseudo.region !== void 0)
+        return { kind: "literal", value: pseudo.region };
+      break;
+    case "AWS::Partition":
+      if (pseudo.partition !== void 0)
+        return { kind: "literal", value: pseudo.partition };
+      break;
+    case "AWS::URLSuffix":
+      if (pseudo.urlSuffix !== void 0)
+        return { kind: "literal", value: pseudo.urlSuffix };
+      break;
+    default:
+      return {
+        kind: "unresolved",
+        reason: `Ref '${name}': pseudo parameter not supported (supported: AWS::AccountId, AWS::Region, AWS::Partition, AWS::URLSuffix)`
+      };
+  }
+  return { kind: "unresolved", reason: `Ref '${name}': pseudo parameter value not resolved` };
+}
+function resolveGetAtt(arg, context) {
   let logicalId;
   let attr;
   if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string") {
@@ -70566,7 +71002,7 @@ function resolveGetAtt(arg, resources) {
     if (typeof arg[1] !== "string") {
       return {
         kind: "unresolved",
-        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported in --from-state v1)`
+        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported)`
       };
     }
     attr = arg[1];
@@ -70586,7 +71022,7 @@ function resolveGetAtt(arg, resources) {
       reason: `Fn::GetAtt expects [LogicalId, Attribute] or 'LogicalId.Attribute', got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
     };
   }
-  const resource = resources[logicalId];
+  const resource = context.resources[logicalId];
   if (!resource) {
     return {
       kind: "unresolved",
@@ -70605,7 +71041,7 @@ function resolveGetAtt(arg, resources) {
   }
   return { kind: "literal", value: JSON.stringify(cached) };
 }
-function resolveSub(arg, resources) {
+function resolveSub(arg, context) {
   let template;
   let bindings = {};
   if (typeof arg === "string") {
@@ -70630,7 +71066,18 @@ function resolveSub(arg, resources) {
     if (resolutions.has(placeholder))
       continue;
     if (placeholder in bindings) {
-      const sub = substituteAgainstState(bindings[placeholder], resources);
+      const sub = substituteAgainstState(bindings[placeholder], context);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+      continue;
+    }
+    if (placeholder.startsWith("AWS::")) {
+      const sub = resolvePseudoParameter(placeholder, context.pseudoParameters);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70642,7 +71089,7 @@ function resolveSub(arg, resources) {
     }
     const dot = placeholder.indexOf(".");
     if (dot === -1) {
-      const sub = resolveRef(placeholder, resources);
+      const sub = resolveRef(placeholder, context);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70651,7 +71098,7 @@ function resolveSub(arg, resources) {
       }
       resolutions.set(placeholder, String(sub.value));
     } else {
-      const sub = resolveGetAtt(placeholder, resources);
+      const sub = resolveGetAtt(placeholder, context);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70666,17 +71113,45 @@ function resolveSub(arg, resources) {
   });
   return { kind: "literal", value: out };
 }
-function substituteEnvVarsFromState(templateEnv, resources) {
+function resolveJoin(arg, context) {
+  if (!Array.isArray(arg) || arg.length !== 2 || !Array.isArray(arg[1])) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Join expects [delimiter, [elements]], got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
+    };
+  }
+  const [delimiterRaw, elements] = arg;
+  if (typeof delimiterRaw !== "string") {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Join delimiter must be a string, got ${typeof delimiterRaw}`
+    };
+  }
+  const parts = [];
+  for (let i = 0; i < elements.length; i += 1) {
+    const sub = substituteAgainstState(elements[i], context);
+    if (sub.kind !== "literal") {
+      return {
+        kind: "unresolved",
+        reason: `Fn::Join element [${i}]: ${sub.reason}`
+      };
+    }
+    parts.push(String(sub.value));
+  }
+  return { kind: "literal", value: parts.join(delimiterRaw) };
+}
+function substituteEnvVarsFromState(templateEnv, contextOrResources) {
   const env = {};
   const audit = { resolvedKeys: [], unresolved: [] };
   if (!templateEnv)
     return { env, audit };
+  const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
   for (const [key, value] of Object.entries(templateEnv)) {
     if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
       env[key] = value;
       continue;
     }
-    const result = substituteAgainstState(value, resources);
+    const result = substituteAgainstState(value, context);
     if (result.kind === "literal") {
       env[key] = result.value;
       audit.resolvedKeys.push(key);
@@ -76783,6 +77258,7 @@ function detectEcsImageResolutionNeeds(stack) {
   const resources = stack.template.Resources ?? {};
   let needsPseudoParameters = false;
   let needsStateResources = false;
+  let needsEnvOrSecretSubstitution = false;
   for (const res of Object.values(resources)) {
     if (res.Type !== "AWS::ECS::TaskDefinition")
       continue;
@@ -76791,19 +77267,42 @@ function detectEcsImageResolutionNeeds(stack) {
     for (const c of containers) {
       if (!c || typeof c !== "object")
         continue;
-      const image = c["Image"];
+      const co = c;
+      const image = co["Image"];
       const need = inspectImageForSubstitutions(image, resources);
       if (need.pseudo)
         needsPseudoParameters = true;
       if (need.state)
         needsStateResources = true;
-      if (needsPseudoParameters && needsStateResources)
-        break;
+      if (containerHasIntrinsicEnvOrSecret(co))
+        needsEnvOrSecretSubstitution = true;
     }
-    if (needsPseudoParameters && needsStateResources)
-      break;
   }
-  return { needsPseudoParameters, needsStateResources };
+  return { needsPseudoParameters, needsStateResources, needsEnvOrSecretSubstitution };
+}
+function containerHasIntrinsicEnvOrSecret(c) {
+  const env = c["Environment"];
+  if (Array.isArray(env)) {
+    for (const entry of env) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const v = entry["Value"];
+      if (v !== void 0 && typeof v !== "string" && typeof v !== "number" && typeof v !== "boolean") {
+        return true;
+      }
+    }
+  }
+  const secrets = c["Secrets"];
+  if (Array.isArray(secrets)) {
+    for (const entry of secrets) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const v = entry["ValueFrom"];
+      if (v !== void 0 && typeof v !== "string")
+        return true;
+    }
+  }
+  return false;
 }
 function inspectImageForSubstitutions(image, resources) {
   if (!image || typeof image !== "object")
@@ -77004,6 +77503,11 @@ function extractTaskDefinitionProperties(stack, logicalId, resource, context) {
   const containers = rawContainers.map(
     (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack, context)
   );
+  for (const ctr of containers) {
+    for (const w of ctr.warnings) {
+      warnings.push(`Container '${ctr.name}': ${w}`);
+    }
+  }
   const rawVolumes = props["Volumes"];
   const volumes = Array.isArray(rawVolumes) ? rawVolumes.map((v, idx) => parseVolume(v, idx, logicalId)) : [];
   const containerNames = new Set(containers.map((c) => c.name));
@@ -77065,7 +77569,9 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
   const command = pickStringArray2(c["Command"]);
   const entryPoint = pickStringArray2(c["EntryPoint"]);
   const workingDirectory = pickString(c["WorkingDirectory"]);
+  const subContext = buildSubstitutionContextFromImageContext(context);
   const environment = {};
+  const droppedEnvKeys = [];
   if (Array.isArray(c["Environment"])) {
     for (const entry of c["Environment"]) {
       if (!entry || typeof entry !== "object")
@@ -77077,19 +77583,54 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
         continue;
       if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
         environment[key] = String(value);
+        continue;
+      }
+      if (subContext) {
+        const sub = substituteAgainstState(value, subContext);
+        if (sub.kind === "literal") {
+          environment[key] = String(sub.value);
+          continue;
+        }
+        droppedEnvKeys.push({ key, reason: sub.reason });
+      } else {
+        droppedEnvKeys.push({
+          key,
+          reason: "intrinsic-valued; pass --from-state to substitute against deployed state"
+        });
       }
     }
   }
   const secrets = [];
+  const droppedSecretKeys = [];
   if (Array.isArray(c["Secrets"])) {
     for (const entry of c["Secrets"]) {
       if (!entry || typeof entry !== "object")
         continue;
       const e = entry;
       const sName = pickString(e["Name"]);
-      const valueFrom = pickString(e["ValueFrom"]);
-      if (sName && valueFrom)
-        secrets.push({ name: sName, valueFrom });
+      const valueFromRaw = e["ValueFrom"];
+      if (!sName)
+        continue;
+      if (typeof valueFromRaw === "string" && valueFromRaw.length > 0) {
+        secrets.push({ name: sName, valueFrom: valueFromRaw });
+        continue;
+      }
+      if (subContext) {
+        const sub = substituteAgainstState(valueFromRaw, subContext);
+        if (sub.kind === "literal" && typeof sub.value === "string" && sub.value.length > 0) {
+          secrets.push({ name: sName, valueFrom: sub.value });
+          continue;
+        }
+        droppedSecretKeys.push({
+          key: sName,
+          reason: sub.kind === "literal" ? "resolved to non-string / empty value" : sub.reason
+        });
+      } else {
+        droppedSecretKeys.push({
+          key: sName,
+          reason: "intrinsic-valued ValueFrom; pass --from-state to resolve the deployed ARN"
+        });
+      }
     }
   }
   const portMappings = [];
@@ -77179,6 +77720,13 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
       ulimits.push({ name: uName, softLimit: soft, hardLimit: hard });
     }
   }
+  const warnings = [];
+  for (const d of droppedEnvKeys) {
+    warnings.push(`Environment '${d.key}' dropped: ${d.reason}`);
+  }
+  for (const d of droppedSecretKeys) {
+    warnings.push(`Secret '${d.key}' dropped: ${d.reason}`);
+  }
   const out = {
     name,
     image,
@@ -77189,7 +77737,8 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
     dependsOn,
     links,
     essential,
-    ulimits
+    ulimits,
+    warnings
   };
   if (command !== void 0)
     out.command = command;
@@ -77207,6 +77756,15 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
     out.readonlyRootFilesystem = readonlyRootFilesystem;
   return out;
 }
+function buildSubstitutionContextFromImageContext(context) {
+  if (!context?.stateResources)
+    return void 0;
+  const subContext = { resources: context.stateResources };
+  if (context.pseudoParameters) {
+    subContext.pseudoParameters = { ...context.pseudoParameters };
+  }
+  return subContext;
+}
 function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack, context) {
   const getAttImage = tryResolveImageGetAtt(raw, resources, context);
   if (getAttImage) {
@@ -77258,73 +77816,37 @@ function parseContainerImage(raw, containerName, taskLogicalId, resources, _stac
   }
   const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(substituted);
   if (ecrMatch) {
-    return { kind: "ecr", uri: substituted, account: ecrMatch[1], region: ecrMatch[2] };
-  }
-  return { kind: "public", uri: substituted };
-}
-function findUnresolvedEcrRepositoryRef(substituted, resources) {
-  const placeholderRegex = /\$\{([^}]+)\}/g;
-  let m;
-  while ((m = placeholderRegex.exec(substituted)) !== null) {
-    const key = m[1];
-    if (key.startsWith("AWS::"))
-      continue;
-    const dot = key.indexOf(".");
-    const lid = dot === -1 ? key : key.slice(0, dot);
-    if (resources[lid]?.Type === "AWS::ECR::Repository")
-      return lid;
-  }
-  return void 0;
-}
-function classifyResolvedImage(uri) {
-  if (uri.includes("cdk-hnb659fds-container-assets-")) {
-    const hashMatch = /:([a-f0-9]{8,})$/.exec(uri);
-    const out = { kind: "cdk-asset" };
-    if (hashMatch)
-      out.assetHash = hashMatch[1];
-    return out;
-  }
-  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(uri);
-  if (ecrMatch) {
-    return { kind: "ecr", uri, account: ecrMatch[1], region: ecrMatch[2] };
-  }
-  return { kind: "public", uri };
-}
-function substituteImagePlaceholders(flat, resources, context) {
-  if (!flat.includes("${"))
-    return flat;
-  return flat.replace(/\$\{([^}]+)\}/g, (full, key) => {
-    if (context?.pseudoParameters) {
-      if (key === "AWS::AccountId" && context.pseudoParameters.accountId) {
-        return context.pseudoParameters.accountId;
-      }
-      if (key === "AWS::Region" && context.pseudoParameters.region) {
-        return context.pseudoParameters.region;
-      }
-      if (key === "AWS::Partition" && context.pseudoParameters.partition) {
-        return context.pseudoParameters.partition;
-      }
-      if (key === "AWS::URLSuffix" && context.pseudoParameters.urlSuffix) {
-        return context.pseudoParameters.urlSuffix;
-      }
-    }
-    if (context?.stateResources) {
-      const dot = key.indexOf(".");
-      const logicalId = dot === -1 ? key : key.slice(0, dot);
-      const refResource = resources[logicalId];
-      const stateEntry = context.stateResources[logicalId];
-      if (refResource?.Type === "AWS::ECR::Repository" && stateEntry) {
-        if (dot === -1) {
-          return stateEntry.physicalId;
-        }
-        const attr = key.slice(dot + 1);
-        const cached = stateEntry.attributes?.[attr];
-        if (typeof cached === "string")
-          return cached;
-      }
-    }
-    return full;
-  });
+    return { kind: "ecr", uri: substituted, account: ecrMatch[1], region: ecrMatch[2] };
+  }
+  return { kind: "public", uri: substituted };
+}
+function findUnresolvedEcrRepositoryRef(substituted, resources) {
+  const placeholderRegex = /\$\{([^}]+)\}/g;
+  let m;
+  while ((m = placeholderRegex.exec(substituted)) !== null) {
+    const key = m[1];
+    if (key.startsWith("AWS::"))
+      continue;
+    const dot = key.indexOf(".");
+    const lid = dot === -1 ? key : key.slice(0, dot);
+    if (resources[lid]?.Type === "AWS::ECR::Repository")
+      return lid;
+  }
+  return void 0;
+}
+function classifyResolvedImage(uri) {
+  if (uri.includes("cdk-hnb659fds-container-assets-")) {
+    const hashMatch = /:([a-f0-9]{8,})$/.exec(uri);
+    const out = { kind: "cdk-asset" };
+    if (hashMatch)
+      out.assetHash = hashMatch[1];
+    return out;
+  }
+  const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(uri);
+  if (ecrMatch) {
+    return { kind: "ecr", uri, account: ecrMatch[1], region: ecrMatch[2] };
+  }
+  return { kind: "public", uri };
 }
 function tryResolveImageGetAtt(raw, resources, context) {
   if (!raw || typeof raw !== "object")
@@ -77377,228 +77899,6 @@ function extractImageString(value) {
   }
   return void 0;
 }
-function tryResolveImageFnJoin(raw, resources, context) {
-  if (!raw || typeof raw !== "object")
-    return { kind: "not-applicable" };
-  const obj = raw;
-  const arg = obj["Fn::Join"];
-  if (arg === void 0)
-    return { kind: "not-applicable" };
-  if (!Array.isArray(arg) || arg.length !== 2 || !Array.isArray(arg[1])) {
-    return { kind: "unsupported-join", reason: "Fn::Join must be [delimiter, [elements]]" };
-  }
-  const [delimiter, elements] = arg;
-  if (typeof delimiter !== "string") {
-    return {
-      kind: "unsupported-join",
-      reason: `Fn::Join delimiter must be a string, got ${typeof delimiter}`
-    };
-  }
-  const repoLogicalId = findEcrRepositoryRefInTree(elements, resources);
-  const stateResources = context?.stateResources;
-  if (repoLogicalId && !stateResources) {
-    return { kind: "needs-state", repoLogicalId };
-  }
-  const parts = [];
-  for (const element of elements) {
-    const r = resolveImageIntrinsic(element, resources, context);
-    if (r === void 0) {
-      if (!repoLogicalId)
-        return { kind: "not-applicable" };
-      return {
-        kind: "unsupported-join",
-        reason: "one or more Fn::Join elements could not be resolved"
-      };
-    }
-    parts.push(r);
-  }
-  return { kind: "resolved", uri: parts.join(delimiter) };
-}
-function findEcrRepositoryRefInTree(node, resources) {
-  if (node === null || node === void 0)
-    return void 0;
-  if (typeof node === "string" || typeof node === "number" || typeof node === "boolean") {
-    return void 0;
-  }
-  if (Array.isArray(node)) {
-    for (const item of node) {
-      const hit = findEcrRepositoryRefInTree(item, resources);
-      if (hit)
-        return hit;
-    }
-    return void 0;
-  }
-  if (typeof node !== "object")
-    return void 0;
-  const obj = node;
-  if (typeof obj["Ref"] === "string") {
-    const target = obj["Ref"];
-    if (resources[target]?.Type === "AWS::ECR::Repository")
-      return target;
-    return void 0;
-  }
-  const getAtt = obj["Fn::GetAtt"];
-  if (getAtt !== void 0) {
-    let lid;
-    if (Array.isArray(getAtt) && typeof getAtt[0] === "string")
-      lid = getAtt[0];
-    else if (typeof getAtt === "string")
-      lid = getAtt.split(".")[0];
-    if (lid && resources[lid]?.Type === "AWS::ECR::Repository")
-      return lid;
-    return void 0;
-  }
-  for (const value of Object.values(obj)) {
-    const hit = findEcrRepositoryRefInTree(value, resources);
-    if (hit)
-      return hit;
-  }
-  return void 0;
-}
-function resolveImageIntrinsic(node, resources, context) {
-  const v = resolveImageIntrinsicAny(node, resources, context);
-  if (typeof v === "string")
-    return v;
-  if (typeof v === "number" || typeof v === "boolean")
-    return String(v);
-  return void 0;
-}
-function resolveImageIntrinsicAny(node, resources, context) {
-  if (node === null || node === void 0)
-    return void 0;
-  if (typeof node === "string" || typeof node === "number" || typeof node === "boolean") {
-    return node;
-  }
-  if (Array.isArray(node)) {
-    return void 0;
-  }
-  if (typeof node !== "object")
-    return void 0;
-  const obj = node;
-  const keys = Object.keys(obj);
-  if (keys.length !== 1)
-    return void 0;
-  const intrinsic = keys[0];
-  const arg = obj[intrinsic];
-  if (intrinsic === "Ref") {
-    if (typeof arg !== "string")
-      return void 0;
-    if (arg.startsWith("AWS::")) {
-      const p = context?.pseudoParameters;
-      if (!p)
-        return void 0;
-      if (arg === "AWS::URLSuffix")
-        return p.urlSuffix;
-      if (arg === "AWS::Partition")
-        return p.partition;
-      if (arg === "AWS::Region")
-        return p.region;
-      if (arg === "AWS::AccountId")
-        return p.accountId;
-      return void 0;
-    }
-    const refResource = resources[arg];
-    if (refResource?.Type !== "AWS::ECR::Repository")
-      return void 0;
-    const stateEntry = context?.stateResources?.[arg];
-    if (!stateEntry)
-      return void 0;
-    return stateEntry.physicalId;
-  }
-  if (intrinsic === "Fn::GetAtt") {
-    let logicalId;
-    let attr;
-    if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && typeof arg[1] === "string") {
-      logicalId = arg[0];
-      attr = arg[1];
-    } else if (typeof arg === "string") {
-      const dot = arg.indexOf(".");
-      if (dot > 0 && dot < arg.length - 1) {
-        logicalId = arg.slice(0, dot);
-        attr = arg.slice(dot + 1);
-      }
-    }
-    if (!logicalId || !attr)
-      return void 0;
-    if (resources[logicalId]?.Type !== "AWS::ECR::Repository")
-      return void 0;
-    const cached = context?.stateResources?.[logicalId]?.attributes?.[attr];
-    if (typeof cached === "string" && cached.length > 0)
-      return cached;
-    return void 0;
-  }
-  if (intrinsic === "Fn::Split") {
-    if (!Array.isArray(arg) || arg.length !== 2)
-      return void 0;
-    const argArr = arg;
-    const delim = argArr[0];
-    if (typeof delim !== "string")
-      return void 0;
-    const src = resolveImageIntrinsicAny(argArr[1], resources, context);
-    if (typeof src !== "string")
-      return void 0;
-    return src.split(delim);
-  }
-  if (intrinsic === "Fn::Select") {
-    if (!Array.isArray(arg) || arg.length !== 2)
-      return void 0;
-    const argArr = arg;
-    const rawIndex = argArr[0];
-    let index;
-    if (typeof rawIndex === "number") {
-      index = rawIndex;
-    } else if (typeof rawIndex === "string" && /^-?\d+$/.test(rawIndex)) {
-      index = Number.parseInt(rawIndex, 10);
-    }
-    if (index === void 0 || !Number.isFinite(index))
-      return void 0;
-    const list = resolveImageIntrinsicAny(argArr[1], resources, context);
-    if (Array.isArray(list)) {
-      if (index < 0 || index >= list.length)
-        return void 0;
-      const picked = list[index];
-      if (typeof picked === "string")
-        return picked;
-      return void 0;
-    }
-    if (Array.isArray(argArr[1])) {
-      const listLiteral = argArr[1];
-      if (index < 0 || index >= listLiteral.length)
-        return void 0;
-      return resolveImageIntrinsic(listLiteral[index], resources, context);
-    }
-    return void 0;
-  }
-  if (intrinsic === "Fn::Join") {
-    if (!Array.isArray(arg) || arg.length !== 2)
-      return void 0;
-    const [delim, parts] = arg;
-    if (typeof delim !== "string" || !Array.isArray(parts))
-      return void 0;
-    const resolved = [];
-    for (const part of parts) {
-      const r = resolveImageIntrinsic(part, resources, context);
-      if (r === void 0)
-        return void 0;
-      resolved.push(r);
-    }
-    return resolved.join(delim);
-  }
-  if (intrinsic === "Fn::Sub") {
-    let template;
-    if (typeof arg === "string")
-      template = arg;
-    else if (Array.isArray(arg) && typeof arg[0] === "string")
-      template = arg[0];
-    if (template === void 0)
-      return void 0;
-    const out = substituteImagePlaceholders(template, resources, context);
-    if (out.includes("${"))
-      return void 0;
-    return out;
-  }
-  return void 0;
-}
 function parseVolume(raw, idx, taskLogicalId) {
   if (!raw || typeof raw !== "object") {
     throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] is not an object.`);
@@ -78659,14 +78959,16 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
   if (!candidate)
     return void 0;
   const needs = detectEcsImageResolutionNeeds(candidate);
-  if (!needs.needsPseudoParameters && !needs.needsStateResources)
+  if (!needs.needsPseudoParameters && !needs.needsStateResources && !needs.needsEnvOrSecretSubstitution) {
     return void 0;
+  }
   const ctx = {};
-  if (needs.needsPseudoParameters) {
+  const wantsPseudoForEnvOrSecret = options.fromState && needs.needsEnvOrSecretSubstitution;
+  if (needs.needsPseudoParameters || wantsPseudoForEnvOrSecret) {
     const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
     if (!region) {
       logger.warn(
-        "Container Image references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack."
+        "Resolver references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack."
       );
     }
     let accountId;
@@ -78674,7 +78976,7 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
       accountId = await resolveCallerAccountId(region);
     } catch (err) {
       logger.warn(
-        `Container Image references \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; the resolver will surface its existing error.`
+        `Resolver needs \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; affected env / secret entries will be dropped with per-key warnings.`
       );
     }
     const partitionAndSuffix = region ? derivePartitionAndUrlSuffix(region) : void 0;
@@ -78687,7 +78989,8 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
       }
     };
   }
-  if (options.fromState && needs.needsStateResources) {
+  const wantsState = needs.needsStateResources || needs.needsEnvOrSecretSubstitution;
+  if (options.fromState && wantsState) {
     const loaded = await loadStateForStack(candidate.stackName, candidate.region, {
       ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
       ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
@@ -78702,6 +79005,10 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
     logger.warn(
       "Container Image references a same-stack AWS::ECR::Repository. Pass --from-state to substitute the deployed repository URI (requires the stack to have been deployed via cdkd deploy). Otherwise the resolver will surface its existing error."
     );
+  } else if (!options.fromState && needs.needsEnvOrSecretSubstitution) {
+    logger.warn(
+      "Container Environment / Secrets entries contain CloudFormation intrinsics (Ref / Fn::GetAtt / Fn::Sub / Fn::Join). Pass --from-state to substitute them against the deployed cdkd state. Without --from-state these entries are dropped (per-key warnings will follow)."
+    );
   }
   return ctx;
 }
@@ -80286,7 +80593,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command18();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.91.1");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.91.3");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());