@go-to-k/cdkd 0.91.2 → 0.91.4

package/dist/cli.js

@@ -47837,22 +47837,32 @@ var ECSProvider = class {
       essential: def["Essential"],
       command: def["Command"],
       entryPoint: def["EntryPoint"],
-      environment: def["Environment"],
-      environmentFiles: def["EnvironmentFiles"],
-      secrets: def["Secrets"],
+      environment: this.convertEnvironment(
+        def["Environment"]
+      ),
+      environmentFiles: this.convertEnvironmentFiles(
+        def["EnvironmentFiles"]
+      ),
+      secrets: this.convertSecrets(def["Secrets"]),
       portMappings: this.convertPortMappings(
         def["PortMappings"]
       ),
-      mountPoints: def["MountPoints"],
-      volumesFrom: def["VolumesFrom"],
-      dependsOn: def["DependsOn"],
+      mountPoints: this.convertMountPoints(
+        def["MountPoints"]
+      ),
+      volumesFrom: this.convertVolumesFrom(
+        def["VolumesFrom"]
+      ),
+      dependsOn: this.convertDependsOn(
+        def["DependsOn"]
+      ),
       links: def["Links"],
       workingDirectory: def["WorkingDirectory"],
       disableNetworking: def["DisableNetworking"],
       privileged: def["Privileged"],
       readonlyRootFilesystem: def["ReadonlyRootFilesystem"],
       user: def["User"],
-      ulimits: def["Ulimits"],
+      ulimits: this.convertUlimits(def["Ulimits"]),
       logConfiguration: this.convertLogConfiguration(
         def["LogConfiguration"]
       ),
@@ -47881,6 +47891,103 @@ var ECSProvider = class {
       name: m["Name"]
     }));
   }
+  /**
+   * Convert CFn Environment (KeyValuePair) to ECS SDK format.
+   * CFn template emits `{Name, Value}` (PascalCase); ECS SDK requires
+   * `{name, value}` (camelCase). Pre-fix the cast `as KeyValuePair[]`
+   * silently dropped both fields and AWS rejected RegisterTaskDefinition
+   * with a generic null/empty validation error.
+   */
+  convertEnvironment(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      value: e["Value"]
+    }));
+  }
+  /**
+   * Convert CFn EnvironmentFiles (S3-backed env-var files) to ECS SDK format.
+   * CFn: `{Type, Value}` → SDK: `{type, value}`.
+   */
+  convertEnvironmentFiles(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      type: e["Type"],
+      value: e["Value"]
+    }));
+  }
+  /**
+   * Convert CFn Secrets to ECS SDK format.
+   * CFn: `{Name, ValueFrom}` → SDK: `{name, valueFrom}`.
+   * Same PascalCase→camelCase trap as convertEnvironment — discovered
+   * end-to-end via the local-run-task-from-state integ on 2026-05-12
+   * (issue #291 fixture).
+   */
+  convertSecrets(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      valueFrom: e["ValueFrom"]
+    }));
+  }
+  /**
+   * Convert CFn MountPoints to ECS SDK format.
+   * CFn: `{SourceVolume, ContainerPath, ReadOnly}` → SDK: `{sourceVolume,
+   * containerPath, readOnly}`.
+   */
+  convertMountPoints(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      sourceVolume: e["SourceVolume"],
+      containerPath: e["ContainerPath"],
+      readOnly: e["ReadOnly"]
+    }));
+  }
+  /**
+   * Convert CFn VolumesFrom to ECS SDK format.
+   * CFn: `{SourceContainer, ReadOnly}` → SDK: `{sourceContainer, readOnly}`.
+   */
+  convertVolumesFrom(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      sourceContainer: e["SourceContainer"],
+      readOnly: e["ReadOnly"]
+    }));
+  }
+  /**
+   * Convert CFn DependsOn to ECS SDK format.
+   * CFn: `{ContainerName, Condition}` → SDK: `{containerName, condition}`.
+   * The pre-existing local-run-task-multi-container integ was relying
+   * on ECS SDK being lenient about the dependsOn key casing on input,
+   * but per the SDK type definition the input is camelCase so this
+   * converter brings the actual wire shape in line with the contract.
+   */
+  convertDependsOn(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      containerName: e["ContainerName"],
+      condition: e["Condition"]
+    }));
+  }
+  /**
+   * Convert CFn Ulimits to ECS SDK format.
+   * CFn: `{Name, SoftLimit, HardLimit}` → SDK: `{name, softLimit, hardLimit}`.
+   */
+  convertUlimits(entries) {
+    if (!entries)
+      return void 0;
+    return entries.map((e) => ({
+      name: e["Name"],
+      softLimit: e["SoftLimit"],
+      hardLimit: e["HardLimit"]
+    }));
+  }
   /**
    * Convert CFn LogConfiguration to ECS SDK format
    */
@@ -70791,7 +70898,8 @@ function isLiteralEnvValue(value) {
 }
 
 // src/local/state-resolver.ts
-function substituteAgainstState(value, resources) {
+function substituteAgainstState(value, contextOrResources) {
+  const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
   if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
     return { kind: "literal", value };
   }
@@ -70812,24 +70920,40 @@ function substituteAgainstState(value, resources) {
   const intrinsic = keys[0];
   const arg = obj[intrinsic];
   if (intrinsic === "Ref") {
-    return resolveRef(arg, resources);
+    return resolveRef(arg, context);
   }
   if (intrinsic === "Fn::GetAtt") {
-    return resolveGetAtt(arg, resources);
+    return resolveGetAtt(arg, context);
   }
   if (intrinsic === "Fn::Sub") {
-    return resolveSub(arg, resources);
+    return resolveSub(arg, context);
+  }
+  if (intrinsic === "Fn::Join") {
+    return resolveJoin(arg, context);
   }
   return {
     kind: "unresolved",
-    reason: `unsupported intrinsic '${intrinsic}' (only Ref, Fn::GetAtt, Fn::Sub are wired in --from-state v1)`
+    reason: `unsupported intrinsic '${intrinsic}' (supported: Ref, Fn::GetAtt, Fn::Sub, Fn::Join)`
   };
 }
-function resolveRef(arg, resources) {
+function isContext(v) {
+  if (typeof v !== "object" || v === null)
+    return false;
+  const r = v["resources"];
+  if (r === void 0)
+    return false;
+  if (typeof r !== "object" || r === null)
+    return false;
+  return !("physicalId" in r);
+}
+function resolveRef(arg, context) {
   if (typeof arg !== "string" || arg.length === 0) {
     return { kind: "unresolved", reason: `Ref expects a non-empty logical ID, got ${typeof arg}` };
   }
-  const resource = resources[arg];
+  if (arg.startsWith("AWS::")) {
+    return resolvePseudoParameter(arg, context.pseudoParameters);
+  }
+  const resource = context.resources[arg];
   if (!resource) {
     return {
       kind: "unresolved",
@@ -70838,7 +70962,39 @@ function resolveRef(arg, resources) {
   }
   return { kind: "literal", value: resource.physicalId };
 }
-function resolveGetAtt(arg, resources) {
+function resolvePseudoParameter(name, pseudo) {
+  if (!pseudo) {
+    return {
+      kind: "unresolved",
+      reason: `Ref '${name}': pseudo parameter not supplied (need --from-state context)`
+    };
+  }
+  switch (name) {
+    case "AWS::AccountId":
+      if (pseudo.accountId !== void 0)
+        return { kind: "literal", value: pseudo.accountId };
+      break;
+    case "AWS::Region":
+      if (pseudo.region !== void 0)
+        return { kind: "literal", value: pseudo.region };
+      break;
+    case "AWS::Partition":
+      if (pseudo.partition !== void 0)
+        return { kind: "literal", value: pseudo.partition };
+      break;
+    case "AWS::URLSuffix":
+      if (pseudo.urlSuffix !== void 0)
+        return { kind: "literal", value: pseudo.urlSuffix };
+      break;
+    default:
+      return {
+        kind: "unresolved",
+        reason: `Ref '${name}': pseudo parameter not supported (supported: AWS::AccountId, AWS::Region, AWS::Partition, AWS::URLSuffix)`
+      };
+  }
+  return { kind: "unresolved", reason: `Ref '${name}': pseudo parameter value not resolved` };
+}
+function resolveGetAtt(arg, context) {
   let logicalId;
   let attr;
   if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string") {
@@ -70846,7 +71002,7 @@ function resolveGetAtt(arg, resources) {
     if (typeof arg[1] !== "string") {
       return {
         kind: "unresolved",
-        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported in --from-state v1)`
+        reason: `Fn::GetAtt's second arg must be a string attribute name, got ${typeof arg[1]} (nested intrinsics in attribute names are not supported)`
       };
     }
     attr = arg[1];
@@ -70866,7 +71022,7 @@ function resolveGetAtt(arg, resources) {
       reason: `Fn::GetAtt expects [LogicalId, Attribute] or 'LogicalId.Attribute', got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
     };
   }
-  const resource = resources[logicalId];
+  const resource = context.resources[logicalId];
   if (!resource) {
     return {
       kind: "unresolved",
@@ -70885,7 +71041,7 @@ function resolveGetAtt(arg, resources) {
   }
   return { kind: "literal", value: JSON.stringify(cached) };
 }
-function resolveSub(arg, resources) {
+function resolveSub(arg, context) {
   let template;
   let bindings = {};
   if (typeof arg === "string") {
@@ -70910,7 +71066,18 @@ function resolveSub(arg, resources) {
     if (resolutions.has(placeholder))
       continue;
     if (placeholder in bindings) {
-      const sub = substituteAgainstState(bindings[placeholder], resources);
+      const sub = substituteAgainstState(bindings[placeholder], context);
+      if (sub.kind !== "literal") {
+        return {
+          kind: "unresolved",
+          reason: `Fn::Sub placeholder '\${${placeholder}}': ${sub.reason}`
+        };
+      }
+      resolutions.set(placeholder, String(sub.value));
+      continue;
+    }
+    if (placeholder.startsWith("AWS::")) {
+      const sub = resolvePseudoParameter(placeholder, context.pseudoParameters);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70922,7 +71089,7 @@ function resolveSub(arg, resources) {
     }
     const dot = placeholder.indexOf(".");
     if (dot === -1) {
-      const sub = resolveRef(placeholder, resources);
+      const sub = resolveRef(placeholder, context);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70931,7 +71098,7 @@ function resolveSub(arg, resources) {
       }
       resolutions.set(placeholder, String(sub.value));
     } else {
-      const sub = resolveGetAtt(placeholder, resources);
+      const sub = resolveGetAtt(placeholder, context);
       if (sub.kind !== "literal") {
         return {
           kind: "unresolved",
@@ -70946,17 +71113,45 @@ function resolveSub(arg, resources) {
   });
   return { kind: "literal", value: out };
 }
-function substituteEnvVarsFromState(templateEnv, resources) {
+function resolveJoin(arg, context) {
+  if (!Array.isArray(arg) || arg.length !== 2 || !Array.isArray(arg[1])) {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Join expects [delimiter, [elements]], got ${Array.isArray(arg) ? `array of length ${arg.length}` : typeof arg}`
+    };
+  }
+  const [delimiterRaw, elements] = arg;
+  if (typeof delimiterRaw !== "string") {
+    return {
+      kind: "unresolved",
+      reason: `Fn::Join delimiter must be a string, got ${typeof delimiterRaw}`
+    };
+  }
+  const parts = [];
+  for (let i = 0; i < elements.length; i += 1) {
+    const sub = substituteAgainstState(elements[i], context);
+    if (sub.kind !== "literal") {
+      return {
+        kind: "unresolved",
+        reason: `Fn::Join element [${i}]: ${sub.reason}`
+      };
+    }
+    parts.push(String(sub.value));
+  }
+  return { kind: "literal", value: parts.join(delimiterRaw) };
+}
+function substituteEnvVarsFromState(templateEnv, contextOrResources) {
   const env = {};
   const audit = { resolvedKeys: [], unresolved: [] };
   if (!templateEnv)
     return { env, audit };
+  const context = isContext(contextOrResources) ? contextOrResources : { resources: contextOrResources };
   for (const [key, value] of Object.entries(templateEnv)) {
     if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
       env[key] = value;
       continue;
     }
-    const result = substituteAgainstState(value, resources);
+    const result = substituteAgainstState(value, context);
     if (result.kind === "literal") {
       env[key] = result.value;
       audit.resolvedKeys.push(key);
@@ -77063,6 +77258,7 @@ function detectEcsImageResolutionNeeds(stack) {
   const resources = stack.template.Resources ?? {};
   let needsPseudoParameters = false;
   let needsStateResources = false;
+  let needsEnvOrSecretSubstitution = false;
   for (const res of Object.values(resources)) {
     if (res.Type !== "AWS::ECS::TaskDefinition")
       continue;
@@ -77071,19 +77267,42 @@ function detectEcsImageResolutionNeeds(stack) {
     for (const c of containers) {
       if (!c || typeof c !== "object")
         continue;
-      const image = c["Image"];
+      const co = c;
+      const image = co["Image"];
       const need = inspectImageForSubstitutions(image, resources);
       if (need.pseudo)
         needsPseudoParameters = true;
       if (need.state)
         needsStateResources = true;
-      if (needsPseudoParameters && needsStateResources)
-        break;
+      if (containerHasIntrinsicEnvOrSecret(co))
+        needsEnvOrSecretSubstitution = true;
+    }
+  }
+  return { needsPseudoParameters, needsStateResources, needsEnvOrSecretSubstitution };
+}
+function containerHasIntrinsicEnvOrSecret(c) {
+  const env = c["Environment"];
+  if (Array.isArray(env)) {
+    for (const entry of env) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const v = entry["Value"];
+      if (v !== void 0 && typeof v !== "string" && typeof v !== "number" && typeof v !== "boolean") {
+        return true;
+      }
     }
-    if (needsPseudoParameters && needsStateResources)
-      break;
   }
-  return { needsPseudoParameters, needsStateResources };
+  const secrets = c["Secrets"];
+  if (Array.isArray(secrets)) {
+    for (const entry of secrets) {
+      if (!entry || typeof entry !== "object")
+        continue;
+      const v = entry["ValueFrom"];
+      if (v !== void 0 && typeof v !== "string")
+        return true;
+    }
+  }
+  return false;
 }
 function inspectImageForSubstitutions(image, resources) {
   if (!image || typeof image !== "object")
@@ -77284,6 +77503,11 @@ function extractTaskDefinitionProperties(stack, logicalId, resource, context) {
   const containers = rawContainers.map(
     (c, idx) => parseContainerDefinition(c, idx, logicalId, resources, stack, context)
   );
+  for (const ctr of containers) {
+    for (const w of ctr.warnings) {
+      warnings.push(`Container '${ctr.name}': ${w}`);
+    }
+  }
   const rawVolumes = props["Volumes"];
   const volumes = Array.isArray(rawVolumes) ? rawVolumes.map((v, idx) => parseVolume(v, idx, logicalId)) : [];
   const containerNames = new Set(containers.map((c) => c.name));
@@ -77345,7 +77569,9 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
   const command = pickStringArray2(c["Command"]);
   const entryPoint = pickStringArray2(c["EntryPoint"]);
   const workingDirectory = pickString(c["WorkingDirectory"]);
+  const subContext = buildSubstitutionContextFromImageContext(context);
   const environment = {};
+  const droppedEnvKeys = [];
   if (Array.isArray(c["Environment"])) {
     for (const entry of c["Environment"]) {
       if (!entry || typeof entry !== "object")
@@ -77357,19 +77583,54 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
         continue;
       if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
         environment[key] = String(value);
+        continue;
+      }
+      if (subContext) {
+        const sub = substituteAgainstState(value, subContext);
+        if (sub.kind === "literal") {
+          environment[key] = String(sub.value);
+          continue;
+        }
+        droppedEnvKeys.push({ key, reason: sub.reason });
+      } else {
+        droppedEnvKeys.push({
+          key,
+          reason: "intrinsic-valued; pass --from-state to substitute against deployed state"
+        });
       }
     }
   }
   const secrets = [];
+  const droppedSecretKeys = [];
   if (Array.isArray(c["Secrets"])) {
     for (const entry of c["Secrets"]) {
       if (!entry || typeof entry !== "object")
         continue;
       const e = entry;
       const sName = pickString(e["Name"]);
-      const valueFrom = pickString(e["ValueFrom"]);
-      if (sName && valueFrom)
-        secrets.push({ name: sName, valueFrom });
+      const valueFromRaw = e["ValueFrom"];
+      if (!sName)
+        continue;
+      if (typeof valueFromRaw === "string" && valueFromRaw.length > 0) {
+        secrets.push({ name: sName, valueFrom: valueFromRaw });
+        continue;
+      }
+      if (subContext) {
+        const sub = substituteAgainstState(valueFromRaw, subContext);
+        if (sub.kind === "literal" && typeof sub.value === "string" && sub.value.length > 0) {
+          secrets.push({ name: sName, valueFrom: sub.value });
+          continue;
+        }
+        droppedSecretKeys.push({
+          key: sName,
+          reason: sub.kind === "literal" ? "resolved to non-string / empty value" : sub.reason
+        });
+      } else {
+        droppedSecretKeys.push({
+          key: sName,
+          reason: "intrinsic-valued ValueFrom; pass --from-state to resolve the deployed ARN"
+        });
+      }
     }
   }
   const portMappings = [];
@@ -77459,6 +77720,13 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
       ulimits.push({ name: uName, softLimit: soft, hardLimit: hard });
     }
   }
+  const warnings = [];
+  for (const d of droppedEnvKeys) {
+    warnings.push(`Environment '${d.key}' dropped: ${d.reason}`);
+  }
+  for (const d of droppedSecretKeys) {
+    warnings.push(`Secret '${d.key}' dropped: ${d.reason}`);
+  }
   const out = {
     name,
     image,
@@ -77469,7 +77737,8 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
     dependsOn,
     links,
     essential,
-    ulimits
+    ulimits,
+    warnings
   };
   if (command !== void 0)
     out.command = command;
@@ -77487,6 +77756,15 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
     out.readonlyRootFilesystem = readonlyRootFilesystem;
   return out;
 }
+function buildSubstitutionContextFromImageContext(context) {
+  if (!context?.stateResources)
+    return void 0;
+  const subContext = { resources: context.stateResources };
+  if (context.pseudoParameters) {
+    subContext.pseudoParameters = { ...context.pseudoParameters };
+  }
+  return subContext;
+}
 function parseContainerImage(raw, containerName, taskLogicalId, resources, _stack, context) {
   const getAttImage = tryResolveImageGetAtt(raw, resources, context);
   if (getAttImage) {
@@ -78681,14 +78959,16 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
   if (!candidate)
     return void 0;
   const needs = detectEcsImageResolutionNeeds(candidate);
-  if (!needs.needsPseudoParameters && !needs.needsStateResources)
+  if (!needs.needsPseudoParameters && !needs.needsStateResources && !needs.needsEnvOrSecretSubstitution) {
     return void 0;
+  }
   const ctx = {};
-  if (needs.needsPseudoParameters) {
+  const wantsPseudoForEnvOrSecret = options.fromState && needs.needsEnvOrSecretSubstitution;
+  if (needs.needsPseudoParameters || wantsPseudoForEnvOrSecret) {
     const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
     if (!region) {
       logger.warn(
-        "Container Image references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack."
+        "Resolver references ${AWS::Region} but cdkd could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack."
       );
     }
     let accountId;
@@ -78696,7 +78976,7 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
       accountId = await resolveCallerAccountId(region);
     } catch (err) {
       logger.warn(
-        `Container Image references \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; the resolver will surface its existing error.`
+        `Resolver needs \${AWS::AccountId} but STS GetCallerIdentity failed: ${err instanceof Error ? err.message : String(err)}. Substitution will be skipped; affected env / secret entries will be dropped with per-key warnings.`
       );
     }
     const partitionAndSuffix = region ? derivePartitionAndUrlSuffix(region) : void 0;
@@ -78709,7 +78989,8 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
       }
     };
   }
-  if (options.fromState && needs.needsStateResources) {
+  const wantsState = needs.needsStateResources || needs.needsEnvOrSecretSubstitution;
+  if (options.fromState && wantsState) {
     const loaded = await loadStateForStack(candidate.stackName, candidate.region, {
       ...options.stackRegion !== void 0 && { stackRegion: options.stackRegion },
       ...options.stateBucket !== void 0 && { stateBucket: options.stateBucket },
@@ -78724,6 +79005,10 @@ async function buildEcsImageResolutionContext(target, stacks, options) {
     logger.warn(
       "Container Image references a same-stack AWS::ECR::Repository. Pass --from-state to substitute the deployed repository URI (requires the stack to have been deployed via cdkd deploy). Otherwise the resolver will surface its existing error."
     );
+  } else if (!options.fromState && needs.needsEnvOrSecretSubstitution) {
+    logger.warn(
+      "Container Environment / Secrets entries contain CloudFormation intrinsics (Ref / Fn::GetAtt / Fn::Sub / Fn::Join). Pass --from-state to substitute them against the deployed cdkd state. Without --from-state these entries are dropped (per-key warnings will follow)."
+    );
   }
   return ctx;
 }
@@ -79330,6 +79615,7 @@ import { Command as Command17 } from "commander";
 import {
   CreateChangeSetCommand,
   DescribeChangeSetCommand,
+  DescribeStackEventsCommand,
   ExecuteChangeSetCommand,
   DescribeStacksCommand as DescribeStacksCommand2,
   DescribeTypeCommand,
@@ -79346,10 +79632,13 @@ var NEVER_IMPORTABLE_TYPES = /* @__PURE__ */ new Set([
 function isNeverImportableType(resourceType) {
   if (NEVER_IMPORTABLE_TYPES.has(resourceType))
     return true;
-  if (resourceType.startsWith("Custom::"))
+  if (isCustomResourceType(resourceType))
     return true;
   return false;
 }
+function isCustomResourceType(resourceType) {
+  return resourceType === "AWS::CloudFormation::CustomResource" || resourceType.startsWith("Custom::");
+}
 var PRIMARY_IDENTIFIER_FALLBACK = {
   "AWS::S3::Bucket": "BucketName",
   "AWS::IAM::Role": "RoleName",
@@ -79613,6 +79902,12 @@ async function exportCommand(stackArg, options) {
         );
       }
       const phase1Template = filterTemplateForImport(template, phase1Imports);
+      const injectedCount = injectDeletionPolicyForImport(phase1Template);
+      if (injectedCount > 0) {
+        logger.info(
+          `Injected DeletionPolicy: Retain on ${injectedCount} resource(s) without an explicit DeletionPolicy (required by CFn IMPORT). The first \`cdk deploy\` after export will reset each to your CDK-declared value.`
+        );
+      }
       await executeImportChangeSet(
         awsClients.cloudFormation,
         cfnStackName,
@@ -79744,7 +80039,7 @@ async function assertCfnStackAbsent(cfnClient, stackName) {
   }
 }
 function isPhase2CreatableType(resourceType) {
-  return resourceType.startsWith("Custom::");
+  return isCustomResourceType(resourceType);
 }
 async function buildImportPlan(state, template, cfnClient) {
   const templateResources = template["Resources"];
@@ -79926,32 +80221,49 @@ function resolveTemplateParameters(template, userOverrides) {
   }
   return { parameters, missing };
 }
+function injectDeletionPolicyForImport(template) {
+  const resources = template["Resources"];
+  if (!resources || typeof resources !== "object" || Array.isArray(resources)) {
+    return 0;
+  }
+  let injected = 0;
+  for (const [, resource] of Object.entries(resources)) {
+    if (!resource || typeof resource !== "object" || Array.isArray(resource))
+      continue;
+    const r = resource;
+    if (r["DeletionPolicy"] === void 0) {
+      r["DeletionPolicy"] = "Retain";
+      injected++;
+    }
+  }
+  return injected;
+}
 function filterTemplateForImport(template, plan) {
-  const allow = new Set(plan.map((p) => p.logicalId));
+  const allow = new Map(plan.map((p) => [p.logicalId, p]));
   const original = template["Resources"];
   const filteredResources = {};
   for (const [logicalId, resource] of Object.entries(original)) {
-    if (allow.has(logicalId)) {
-      filteredResources[logicalId] = resource;
-    }
+    const entry = allow.get(logicalId);
+    if (!entry)
+      continue;
+    filteredResources[logicalId] = overlayResourceIdentifierOnProperties(resource, entry);
   }
   const result = { ...template, Resources: filteredResources };
-  const outputs = template["Outputs"];
-  if (outputs && typeof outputs === "object" && !Array.isArray(outputs)) {
-    const filteredOutputs = {};
-    for (const [name, output] of Object.entries(outputs)) {
-      if (referencesOnly(output, allow)) {
-        filteredOutputs[name] = output;
-      }
-    }
-    if (Object.keys(filteredOutputs).length > 0) {
-      result["Outputs"] = filteredOutputs;
-    } else {
-      delete result["Outputs"];
-    }
-  }
+  delete result["Outputs"];
   return result;
 }
+function overlayResourceIdentifierOnProperties(resource, entry) {
+  if (!resource || typeof resource !== "object" || Array.isArray(resource)) {
+    return resource;
+  }
+  const r = resource;
+  const existingProperties = r["Properties"];
+  const properties = existingProperties && typeof existingProperties === "object" && !Array.isArray(existingProperties) ? { ...existingProperties } : {};
+  for (const [field, value] of Object.entries(entry.resourceIdentifier)) {
+    properties[field] = value;
+  }
+  return { ...r, Properties: properties };
+}
 function reportDriftBaselineGaps(state, logger) {
   const entries = Object.entries(state.resources ?? {});
   if (entries.length === 0)
@@ -80022,29 +80334,6 @@ function walkForGetStackOutput(node, path3, emit) {
     walkForGetStackOutput(value, path3 ? `${path3}.${key}` : key, emit);
   }
 }
-function referencesOnly(node, allow) {
-  if (!node || typeof node !== "object")
-    return true;
-  if (Array.isArray(node)) {
-    return node.every((item) => referencesOnly(item, allow));
-  }
-  for (const [key, value] of Object.entries(node)) {
-    if (key === "Ref" && typeof value === "string") {
-      if (!allow.has(value))
-        return false;
-      continue;
-    }
-    if (key === "Fn::GetAtt") {
-      const target = Array.isArray(value) && typeof value[0] === "string" ? value[0] : typeof value === "string" ? value.split(".")[0] : void 0;
-      if (target && !allow.has(target))
-        return false;
-      continue;
-    }
-    if (!referencesOnly(value, allow))
-      return false;
-  }
-  return true;
-}
 function printPlan(plan, cfnStackName) {
   const logger = getLogger();
   logger.info("");
@@ -80122,11 +80411,41 @@ async function executeImportChangeSet(cfnClient, stackName, template, plan, para
       { StackName: stackName }
     );
   } catch (err) {
+    const failureSummary = await collectImportFailureSummary(cfnClient, stackName).catch(() => "");
     await cfnClient.send(new DeleteChangeSetCommand({ StackName: stackName, ChangeSetName: changeSetName })).catch(() => {
     });
+    if (failureSummary) {
+      throw new Error(`IMPORT changeset failed:
+${failureSummary}`, { cause: err });
+    }
     throw err;
   }
 }
+async function collectImportFailureSummary(cfnClient, stackName) {
+  const resp = await cfnClient.send(new DescribeStackEventsCommand({ StackName: stackName }));
+  const events = resp.StackEvents ?? [];
+  const failures = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const e of events) {
+    if (!e.ResourceStatus || !e.ResourceStatus.endsWith("FAILED"))
+      continue;
+    if (!e.LogicalResourceId)
+      continue;
+    if (seen.has(e.LogicalResourceId))
+      continue;
+    seen.add(e.LogicalResourceId);
+    failures.push({
+      logicalId: e.LogicalResourceId,
+      type: e.ResourceType ?? "<unknown>",
+      reason: e.ResourceStatusReason ?? "<no reason reported>"
+    });
+    if (failures.length >= 5)
+      break;
+  }
+  if (failures.length === 0)
+    return "";
+  return failures.map((f) => `  - ${f.logicalId} (${f.type}): ${f.reason}`).join("\n");
+}
 async function executeUpdateChangeSet(cfnClient, stackName, template, parameters) {
   const logger = getLogger();
   const changeSetName = `cdkd-phase2-${Date.now()}`;
@@ -80308,7 +80627,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command18();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.91.2");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.91.4");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());