@go-to-k/cdkd 0.91.2 → 0.91.3

package/README.md

@@ -24,7 +24,7 @@
 - **Rollback on failure**: When a deploy errors mid-stack, cdkd rolls back the resources it just created so the stack state stays consistent (CloudFormation parity — but cdkd does this without round-tripping through CFn). Pass `cdkd deploy --no-rollback` to skip rollback and keep the partial state for Terraform-style inspection / repair. See [Rollback behavior](#rollback-behavior).
 - **`--no-wait` for async resources**: Skip the multi-minute wait on CloudFront / RDS / ElastiCache / NAT Gateway and return as soon as the create call returns (CloudFormation always blocks)
 - **VPC route DependsOn relaxation (on by default)**: Drop CDK-injected defensive `DependsOn` edges from VPC Lambdas onto private-subnet routes so `CloudFront::Distribution` and `Lambda::Url` start their ~3-min propagation in parallel with NAT Gateway stabilization (~50% faster on VPC + Lambda + CloudFront stacks). Pass `--no-aggressive-vpc-parallel` to opt out.
-- **Local execution without deploying** (`cdkd local invoke` / `cdkd local start-api` / `cdkd local run-task`): run any Lambda — stand up every API Gateway route as a local HTTP server — or start every container in an `AWS::ECS::TaskDefinition` on a per-task docker network with the AWS-published metadata-endpoints sidecar. SAM-compatible mental model but reuses cdkd's synthesis / asset / route-discovery (no `template.yaml` round-trip). All AWS Lambda runtimes (Node.js / Python / Ruby / Java / .NET / `provided.*`) and one server per discovered API (HTTP API v2 / REST v1 / Function URL) with their own port / authorizers / CORS configs. `local run-task` is Phase 1 (single task, DependsOn ordering, IAM task-role via AssumeRole) — ECS Services / ALB routing / Service Connect are Phase 2 / Phase 3 follow-ups.
+- **Local execution without deploying** (`cdkd local invoke` / `cdkd local start-api` / `cdkd local run-task`): run any Lambda — stand up every API Gateway route as a local HTTP server — or start every container in an `AWS::ECS::TaskDefinition` on a per-task docker network with the AWS-published metadata-endpoints sidecar. SAM-compatible mental model but reuses cdkd's synthesis / asset / route-discovery (no `template.yaml` round-trip). All AWS Lambda runtimes (Node.js / Python / Ruby / Java / .NET / `provided.*`) and one server per discovered API (HTTP API v2 / REST v1 / Function URL) with their own port / authorizers / CORS configs. `local run-task` is Phase 1 (single task, DependsOn ordering, IAM task-role via AssumeRole) — ECS Services / ALB routing / Service Connect are Phase 2 / Phase 3 follow-ups. `cdkd local run-task --from-state` substitutes intrinsic-valued container `Environment[].Value` (`Ref` / `Fn::GetAtt` / `Fn::Sub` / `Fn::Join`) and `Secrets[].ValueFrom` against the deployed cdkd state — `table.tableName` / `ecs.Secret.fromSecretsManager(secret)` / `ecs.Secret.fromSsmParameter(param)` Just Work locally instead of silently dropping.
 
 > **Note**: Resource types not covered by either SDK Providers or Cloud Control API cannot be deployed with cdkd. If you encounter an unsupported resource type, deployment will fail with a clear error message.
 

package/dist/cli.js

@@ -47837,22 +47837,32 @@ var ECSProvider = class {
       essential: def["Essential"],
       command: def["Command"],
       entryPoint: def["EntryPoint"],
-      environment: def["Environment"],
-      environmentFiles: def["EnvironmentFiles"],
-      secrets: def["Secrets"],
+      environment: this.convertEnvironment(
+        def["Environment"]
+      ),
+      environmentFiles: this.convertEnvironmentFiles(
+        def["EnvironmentFiles"]
+      ),
+      secrets: this.convertSecrets(def["Secrets"]),
       portMappings: this.convertPortMappings(
         def["PortMappings"]
       ),
-      mountPoints: def["MountPoints"],
-      volumesFrom: def["VolumesFrom"],
-      dependsOn: def["DependsOn"],
+      mountPoints: this.convertMountPoints(
+        def["MountPoints"]
+      ),
+      volumesFrom: this.convertVolumesFrom(
+        def["VolumesFrom"]
+      ),
+      dependsOn: this.convertDependsOn(
+        def["DependsOn"]
+      ),
       links: def["Links"],
       workingDirectory: def["WorkingDirectory"],
       disableNetworking: def["DisableNetworking"],
       privileged: def["Privileged"],
       readonlyRootFilesystem: def["ReadonlyRootFilesystem"],
       user: def["User"],
-      ulimits: def["Ulimits"],
+      ulimits: this.convertUlimits(def["Ulimits"]),
       logConfiguration: this.convertLogConfiguration(
         def["LogConfiguration"]
       ),
@@ -47881,6 +47891,103 @@ var ECSProvider = class {
       name: m["Name"]
     }));
   }
+  /**
+   * Convert CFn Environment (KeyValuePair) to ECS SDK format.
+   * CFn template emits `{Name, Value}` (PascalCase); ECS SDK requires
+   * `{name, value}` (camelCase). Pre-fix the cast `as KeyValuePair[]`
+   * silently dropped both fields and AWS rejected RegisterTaskDefinition
+   * with a generic null/empty validation error.
+   */
+  convertEnvironment(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      value: e["Value"]
+    }));
+  }
+  /**
+   * Convert CFn EnvironmentFiles (S3-backed env-var files) to ECS SDK format.
+   * CFn: `{Type, Value}` → SDK: `{type, value}`.
+   */
+  convertEnvironmentFiles(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      type: e["Type"],
+      value: e["Value"]
+    }));
+  }
+  /**
+   * Convert CFn Secrets to ECS SDK format.
+   * CFn: `{Name, ValueFrom}` → SDK: `{name, valueFrom}`.
+   * Same PascalCase→camelCase trap as convertEnvironment — discovered
+   * end-to-end via the local-run-task-from-state integ on 2026-05-12
+   * (issue #291 fixture).
+   */
+  convertSecrets(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      valueFrom: e["ValueFrom"]
+    }));
+  }
+  /**
+   * Convert CFn MountPoints to ECS SDK format.
+   * CFn: `{SourceVolume, ContainerPath, ReadOnly}` → SDK: `{sourceVolume,
+   * containerPath, readOnly}`.
+   */
+  convertMountPoints(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      sourceVolume: e["SourceVolume"],
+      containerPath: e["ContainerPath"],
+      readOnly: e["ReadOnly"]
+    }));
+  }
+  /**
+   * Convert CFn VolumesFrom to ECS SDK format.
+   * CFn: `{SourceContainer, ReadOnly}` → SDK: `{sourceContainer, readOnly}`.
+   */
+  convertVolumesFrom(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      sourceContainer: e["SourceContainer"],
+      readOnly: e["ReadOnly"]
+    }));
+  }
+  /**
+   * Convert CFn DependsOn to ECS SDK format.
+   * CFn: `{ContainerName, Condition}` → SDK: `{containerName, condition}`.
+   * The pre-existing local-run-task-multi-container integ was relying
+   * on ECS SDK being lenient about the dependsOn key casing on input,
+   * but per the SDK type definition the input is camelCase so this
+   * converter brings the actual wire shape in line with the contract.
+   */
+  convertDependsOn(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      containerName: e["ContainerName"],
+      condition: e["Condition"]
+    }));
+  }
+  /**
+   * Convert CFn Ulimits to ECS SDK format.
+   * CFn: `{Name, SoftLimit, HardLimit}` → SDK: `{name, softLimit, hardLimit}`.
+   */
+  convertUlimits(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      softLimit: e["SoftLimit"],
+      hardLimit: e["HardLimit"]
+    }));
+  }
   /**
    * Convert CFn LogConfiguration to ECS SDK format
    */
@@ -70791,7 +70898,8 @@ function isLiteralEnvValue(value) {
 }
 
 // src/local/state-resolver.ts
-function substituteAgainstState(value, resources) {
+function substituteAgainstState(value, contextOrResources) {
+  const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
   if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
     return { kind: "literal", value };
   }
@@ -70812,24 +70920,40 @@ function substituteAgainstState(value, resources) {
   const intrinsic = keys[0];
   const arg = obj[intrinsic];
   if (intrinsic === "Ref") {
-    return resolveRef(arg, resources);
+    return resolveRef(arg, context);
   }
   if (intrinsic === "Fn::GetAtt") {
-    return resolveGetAtt(arg, resources);
+    return resolveGetAtt(arg, context);
   }
   if (intrinsic === "Fn::Sub") {
-    return resolveSub(arg, resources);
+    return resolveSub(arg, context);
+  }
+  if (intrinsic === "Fn::Join") {
+    return resolveJoin(arg, context);
   }
   return {
     kind: "unresolved",
-    reason: `unsupported intrinsic '${intrinsic}' (only Ref, Fn::GetAtt, Fn::Sub are wired in --from-state v1)`
+    reason: `unsupported intrinsic '${intrinsic}' (supported: Ref, Fn::GetAtt, Fn::Sub, Fn::Join)`
   };
 }
-function resolveRef(arg, resources) {
+function isContext(v) {
+  if (typeof v !== "object" || v === null)
+    return false;
+  const r = v["resources"];
+  if (r === void 0)
+    return false;
+  if (typeof r !== "object" || r === null)
+    return false;
+  return !("physicalId" in r);
+}
+function resolveRef(arg, context) {
   if (typeof arg !== "string" || arg.length === 0) {
     return { kind: "unresolved", reason: `Ref expects a non-empty logical ID, got ${typeof arg}` };
   }
-  const resource = resources[arg];
+  if (arg.startsWith("AWS::")) {
+    return resolvePseudoParameter(arg, context.pseudoParameters);
+  }
+  const resource = context.resources[arg];
   if (!resource) {
     return {
       kind: "unresolved",
@@ -70838,7 +70962,39 @@ function resolveRef(arg, resources) {
   }
   return { kind: "literal", value: resource.physicalId };
 }
-function resolveGetAtt(arg, resources) {
+function resolvePseudoParameter(name, pseudo) {
+  if (!pseudo) {
+    return {
+      kind: "unresolved",
+      reason: `Ref '${name}': pseudo parameter not supplied (need --from-state context)`
+    };
+  }
+  switch (name) {
+    case "AWS::AccountId":
+      if (pseudo.accountId !== void 0)
+        return { kind: "literal", value: pseudo.accountId };
+      break;
+    case "AWS::Region":
+      if (pseudo.region !== void 0)
+        return { kind: "literal", value: pseudo.region };
+      break;
+    case "AWS::Partition":
+      if (pseudo.partition !== void 0)
+        return { kind: "literal", value: pseudo.partition };
+      break;
+    case "AWS::URLSuffix":
+      if (pseudo.urlSuffix !== void 0)
+        return { kind: "literal", value: pseudo.urlSuffix };
+      break;
+    default:
+      return {
+        kind: "unresolved",
+        reason: `Ref '${name}': pseudo parameter not supported (supported: AWS::AccountId, AWS::Region, AWS::Partition, AWS::URLSuffix)`
+      };
+  }
+  return { kind: "unresolved", reason: `Ref '${name}': pseudo parameter value not resolved` };
+}
+function resolveGetAtt(arg, context) {
   let logicalId;
   let attr;
   if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string") {
@@ -70846,7 +71002,7 @@ function resolveGetAtt(arg, resources) {
     if (typeof arg[1] !== "string") {
       return {
         kind: "unresolved",
-        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported in --from-state v1)`
+        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported)`
       };
     }
     attr = arg[1];
@@ -70866,7 +71022,7 @@ function resolveGetAtt(arg, resources) {
       reason: `Fn::GetAtt expects [LogicalId, Attribute] or 'LogicalId.Attribute', got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
     };
   }
-  const resource = resources[logicalId];
+  const resource = context.resources[logicalId];
   if (!resource) {
     return {
       kind: "unresolved",
@@ -70885,7 +71041,7 @@ function resolveGetAtt(arg, resources) {
   }
   return { kind: "literal", value: JSON.stringify(cached) };
 }
-function resolveSub(arg, resources) {
+function resolveSub(arg, context) {
   let template;
   let bindings = {};
   if (typeof arg === "string") {
@@ -70910,7 +71066,18 @@ function resolveSub(arg, resources) {
     if (resolutions.has(placeholder))
       continue;
     if (placeholder in bindings) {
-      const sub = substituteAgainstState(bindings[placeholder], resources);
+      const sub = substituteAgainstState(bindings[placeholder], context);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+      continue;
+    }
+    if (placeholder.startsWith("AWS::")) {
+      const sub = resolvePseudoParameter(placeholder, context.pseudoParameters);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70922,7 +71089,7 @@ function resolveSub(arg, resources) {
     }
     const dot = placeholder.indexOf(".");
     if (dot === -1) {
-      const sub = resolveRef(placeholder, resources);
+      const sub = resolveRef(placeholder, context);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70931,7 +71098,7 @@ function resolveSub(arg, resources) {
       }
       resolutions.set(placeholder, String(sub.value));
     } else {
-      const sub = resolveGetAtt(placeholder, resources);
+      const sub = resolveGetAtt(placeholder, context);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70946,17 +71113,45 @@ function resolveSub(arg, resources) {
   });
   return { kind: "literal", value: out };
 }
-function substituteEnvVarsFromState(templateEnv, resources) {
+function resolveJoin(arg, context) {
+  if (!Array.isArray(arg) || arg.length !== 2 || !Array.isArray(arg[1])) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Join expects [delimiter, [elements]], got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
+    };
+  }
+  const [delimiterRaw, elements] = arg;
+  if (typeof delimiterRaw !== "string") {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Join delimiter must be a string, got ${typeof delimiterRaw}`
+    };
+  }
+  const parts = [];
+  for (let i = 0; i < elements.length; i += 1) {
+    const sub = substituteAgainstState(elements[i], context);
+    if (sub.kind !== "literal") {
+      return {
+        kind: "unresolved",
+        reason: `Fn::Join element [${i}]: ${sub.reason}`
+      };
+    }
+    parts.push(String(sub.value));
+  }
+  return { kind: "literal", value: parts.join(delimiterRaw) };
+}
+function substituteEnvVarsFromState(templateEnv, contextOrResources) {
   const env = {};
   const audit = { resolvedKeys: [], unresolved: [] };
   if (!templateEnv)
     return { env, audit };
+  const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
   for (const [key, value] of Object.entries(templateEnv)) {
     if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
       env[key] = value;
       continue;
     }
-    const result = substituteAgainstState(value, resources);
+    const result = substituteAgainstState(value, context);
     if (result.kind === "literal") {
       env[key] = result.value;
       audit.resolvedKeys.push(key);
@@ -77063,6 +77258,7 @@ function detectEcsImageResolutionNeeds(stack) {
   const resources = stack.template.Resources ?? {};
   let needsPseudoParameters = false;
   let needsStateResources = false;
+  let needsEnvOrSecretSubstitution = false;
   for (const res of Object.values(resources)) {
     if (res.Type !== "AWS::ECS::TaskDefinition")
       continue;
@@ -77071,19 +77267,42 @@ function detectEcsImageResolutionNeeds(stack) {
     for (const c of containers) {
       if (!c || typeof c !== "object")
         continue;
-      const image = c["Image"];
+      const co = c;
+      const image = co["Image"];
       const need = inspectImageForSubstitutions(image, resources);
       if (need.pseudo)
         needsPseudoParameters = true;
       if (need.state)
         needsStateResources = true;
-      if (needsPseudoParameters && needsStateResources)
-        break;
+      if (containerHasIntrinsicEnvOrSecret(co))
+        needsEnvOrSecretSubstitution = true;
+    }
+  }
+  return { needsPseudoParameters, needsStateResources, needsEnvOrSecretSubstitution };
+}
+function containerHasIntrinsicEnvOrSecret(c) {
+  const env = c["Environment"];
+  if (Array.isArray(env)) {
+    for (const entry of env) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const v = entry["Value"];
+      if (v !== void 0 && typeof v !== "string" && typeof v !== "number" && typeof v !== "boolean") {
+        return true;
+      }
+    }
+  }
+  const secrets = c["Secrets"];
+  if (Array.isArray(secrets)) {
+    for (const entry of secrets) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const v = entry["ValueFrom"];
+      if (v !== void 0 && typeof v !== "string")
+        return true;
     }
-    if (needsPseudoParameters && needsStateResources)
-      break;
   }
-  return { needsPseudoParameters, needsStateResources };
+  return false;
 }
 function inspectImageForSubstitutions(image, resources) {
   if (!image || typeof image !== "object")
@@ -77284,6 +77503,11 @@ function extractTaskDefinitionProperties(stack, logicalId, resource, context) {
   const containers = rawContainers.map(
     (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack, context)
   );
+  for (const ctr of containers) {
+    for (const w of ctr.warnings) {
+      warnings.push(`Container '${ctr.name}': ${w}`);
+    }
+  }
   const rawVolumes = props["Volumes"];
   const volumes = Array.isArray(rawVolumes) ? rawVolumes.map((v, idx) => parseVolume(v, idx, logicalId)) : [];
   const containerNames = new Set(containers.map((c) => c.name));
@@ -77345,7 +77569,9 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
   const command = pickStringArray2(c["Command"]);
   const entryPoint = pickStringArray2(c["EntryPoint"]);
   const workingDirectory = pickString(c["WorkingDirectory"]);
+  const subContext = buildSubstitutionContextFromImageContext(context);
   const environment = {};
+  const droppedEnvKeys = [];
   if (Array.isArray(c["Environment"])) {
     for (const entry of c["Environment"]) {
       if (!entry || typeof entry !== "object")
@@ -77357,19 +77583,54 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
         continue;
       if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
         environment[key] = String(value);
+        continue;
+      }
+      if (subContext) {
+        const sub = substituteAgainstState(value, subContext);
+        if (sub.kind === "literal") {
+          environment[key] = String(sub.value);
+          continue;
+        }
+        droppedEnvKeys.push({ key, reason: sub.reason });
+      } else {
+        droppedEnvKeys.push({
+          key,
+          reason: "intrinsic-valued; pass --from-state to substitute against deployed state"
+        });
       }
     }
   }
   const secrets = [];
+  const droppedSecretKeys = [];
   if (Array.isArray(c["Secrets"])) {
     for (const entry of c["Secrets"]) {
       if (!entry || typeof entry !== "object")
         continue;
       const e = entry;
       const sName = pickString(e["Name"]);
-      const valueFrom = pickString(e["ValueFrom"]);
-      if (sName && valueFrom)
-        secrets.push({ name: sName, valueFrom });
+      const valueFromRaw = e["ValueFrom"];
+      if (!sName)
+        continue;
+      if (typeof valueFromRaw === "string" && valueFromRaw.length > 0) {
+        secrets.push({ name: sName, valueFrom: valueFromRaw });
+        continue;
+      }
+      if (subContext) {
+        const sub = substituteAgainstState(valueFromRaw, subContext);
+        if (sub.kind === "literal" && typeof sub.value === "string" && sub.value.length > 0) {
+          secrets.push({ name: sName, valueFrom: sub.value });
+          continue;
+        }
+        droppedSecretKeys.push({
+          key: sName,
+          reason: sub.kind === "literal" ? "resolved to non-string / empty value" : sub.reason
+        });
+      } else {
+        droppedSecretKeys.push({
+          key: sName,
+          reason: "intrinsic-valued ValueFrom; pass --from-state to resolve the deployed ARN"
+        });
+      }
     }
   }
   const portMappings = [];
@@ -77459,6 +77720,13 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
       ulimits.push({ name: uName, softLimit: soft, hardLimit: hard });
     }
   }
+  const warnings = [];
+  for (const d of droppedEnvKeys) {
+    warnings.push(`Environment '${d.key}' dropped: ${d.reason}`);
+  }
+  for (const d of droppedSecretKeys) {
+    warnings.push(`Secret '${d.key}' dropped: ${d.reason}`);
+  }
   const out = {
     name,
     image,
@@ -77469,7 +77737,8 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
     dependsOn,
     links,
     essential,
-    ulimits
+    ulimits,
+    warnings
   };
   if (command !== void 0)
     out.command = command;
@@ -77487,6 +77756,15 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
     out.readonlyRootFilesystem = readonlyRootFilesystem;
   return out;
 }
+function buildSubstitutionContextFromImageContext(context) {
+  if (!context?.stateResources)
+    return void 0;
+  const subContext = { resources: context.stateResources };
+  if (context.pseudoParameters) {
+    subContext.pseudoParameters = { ...context.pseudoParameters };
+  }
+  return subContext;
+}
 function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack, context) {
   const getAttImage = tryResolveImageGetAtt(raw, resources, context);
   if (getAttImage) {
@@ -78681,14 +78959,16 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
   if (!candidate)
     return void 0;
   const needs = detectEcsImageResolutionNeeds(candidate);
-  if (!needs.needsPseudoParameters && !needs.needsStateResources)
+  if (!needs.needsPseudoParameters && !needs.needsStateResources && !needs.needsEnvOrSecretSubstitution) {
     return void 0;
+  }
   const ctx = {};
-  if (needs.needsPseudoParameters) {
+  const wantsPseudoForEnvOrSecret = options.fromState && needs.needsEnvOrSecretSubstitution;
+  if (needs.needsPseudoParameters || wantsPseudoForEnvOrSecret) {
     const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
     if (!region) {
       logger.warn(
-        "Container Image references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack."
+        "Resolver references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack."
       );
     }
     let accountId;
@@ -78696,7 +78976,7 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
       accountId = await resolveCallerAccountId(region);
     } catch (err) {
       logger.warn(
-        `Container Image references \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; the resolver will surface its existing error.`
+        `Resolver needs \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; affected env / secret entries will be dropped with per-key warnings.`
       );
     }
     const partitionAndSuffix = region ? derivePartitionAndUrlSuffix(region) : void 0;
@@ -78709,7 +78989,8 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
       }
     };
   }
-  if (options.fromState && needs.needsStateResources) {
+  const wantsState = needs.needsStateResources || needs.needsEnvOrSecretSubstitution;
+  if (options.fromState && wantsState) {
     const loaded = await loadStateForStack(candidate.stackName, candidate.region, {
       ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
       ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
@@ -78724,6 +79005,10 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
     logger.warn(
       "Container Image references a same-stack AWS::ECR::Repository. Pass --from-state to substitute the deployed repository URI (requires the stack to have been deployed via cdkd deploy). Otherwise the resolver will surface its existing error."
     );
+  } else if (!options.fromState && needs.needsEnvOrSecretSubstitution) {
+    logger.warn(
+      "Container Environment / Secrets entries contain CloudFormation intrinsics (Ref / Fn::GetAtt / Fn::Sub / Fn::Join). Pass --from-state to substitute them against the deployed cdkd state. Without --from-state these entries are dropped (per-key warnings will follow)."
+    );
   }
   return ctx;
 }
@@ -80308,7 +80593,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command18();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.91.2");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.91.3");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());