@yawlabs/aws-mcp 1.4.1 → 1.5.0

package/dist/index.js

@@ -53507,7 +53507,7 @@ function setProfile(name) {
   const trimmed = name.trim();
   if (!isValidProfileName(trimmed)) {
     throw new Error(
-      `Invalid profile name '${trimmed}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '=', no whitespace or shell metacharacters.`
+      `Invalid profile name '${trimmed}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-]; the first char must be a letter, digit, or one of _+,.@: (not '-' or '='); no whitespace or shell metacharacters.`
     );
   }
   sessionProfile = trimmed;
@@ -53546,9 +53546,10 @@ var MAX_ERROR_MSG_BYTES = 8 * 1024;
 var SAFE_NAME_RE = /^[a-z0-9][a-z0-9-]*$/;
 function redactDisplayArgs(args) {
   const out = [...args];
-  const idx = out.indexOf("--cli-input-json");
-  if (idx >= 0 && idx < out.length - 1) {
-    out[idx + 1] = `<redacted len=${out[idx + 1].length}>`;
+  for (let i = 0; i < out.length - 1; i++) {
+    if (out[i] === "--cli-input-json") {
+      out[i + 1] = `<redacted len=${out[i + 1].length}>`;
+    }
   }
   return out;
 }
@@ -53612,7 +53613,7 @@ function runAwsCall(opts) {
     return Promise.resolve({
       ok: false,
       kind: "bad_input",
-      error: `Invalid profile name '${profile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '='. Check the 'profile' arg or AWS_PROFILE env var.`
+      error: `Invalid profile name '${profile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-]; the first char must be a letter, digit, or one of _+,.@: (not '-' or '='). Check the 'profile' arg or AWS_PROFILE env var.`
     });
   }
   if (!isValidRegionName(region)) {
@@ -53642,6 +53643,13 @@ function runAwsCall(opts) {
     region
   ];
   if (opts.query !== void 0 && opts.query.trim().length > 0) {
+    if (opts.query.length > 2048) {
+      return Promise.resolve({
+        ok: false,
+        kind: "bad_input",
+        error: `query expression too long (${opts.query.length} chars; max 2048). Simplify the JMESPath expression.`
+      });
+    }
     args.push("--query", opts.query);
   }
   if (opts.params !== void 0 && Object.keys(opts.params).length > 0) {
@@ -53973,7 +53981,7 @@ function resolveTargetProfile(input) {
   if (input.targetProfile) {
     return input.targetProfile.startsWith("mcp-") ? input.targetProfile : `mcp-${input.targetProfile}`;
   }
-  return `mcp-${input.sessionName}`;
+  return input.sessionName.startsWith("mcp-") ? input.sessionName : `mcp-${input.sessionName}`;
 }
 var assumeTools = [
   {
@@ -53987,7 +53995,10 @@ var assumeTools = [
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      roleArn: external_exports3.string().describe("Target role ARN, e.g. 'arn:aws:iam::123456789012:role/CrossAccountAdmin'."),
+      roleArn: external_exports3.string().regex(
+        /^arn:aws[a-z-]*:iam::[0-9]{12}:role\/.+$/,
+        "roleArn must match arn:aws[partition]:iam::<12-digit-account>:role/<name>"
+      ).describe("Target role ARN, e.g. 'arn:aws:iam::123456789012:role/CrossAccountAdmin'."),
       sessionName: external_exports3.string().min(2).max(64).regex(/^[\w+=,.@-]+$/, "sessionName must match [\\w+=,.@-]").describe("Role session name (shows up in CloudTrail). Alphanumeric + +=,.@- only."),
       durationSeconds: external_exports3.number().int().min(900).max(43200).optional().describe("Session duration in seconds (900-43200). Default 3600."),
       externalId: external_exports3.string().optional().describe("External ID (only required if the role's trust policy demands it)."),
@@ -54008,13 +54019,19 @@ var assumeTools = [
       if (!isValidProfileName(sourceProfile)) {
         return {
           ok: false,
-          error: `Invalid sourceProfile name '${sourceProfile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '='. Check the 'sourceProfile' arg or AWS_PROFILE env var.`
+          error: `Invalid sourceProfile name '${sourceProfile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-]; the first char must be a letter, digit, or one of _+,.@: (not '-' or '='). Check the 'sourceProfile' arg or AWS_PROFILE env var.`
         };
       }
       if (!isValidProfileName(targetProfile)) {
         return {
           ok: false,
-          error: `Invalid targetProfile name '${targetProfile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '='. Pick a different targetProfile or sessionName.`
+          error: `Invalid targetProfile name '${targetProfile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-]; the first char must be a letter, digit, or one of _+,.@: (not '-' or '='). Pick a different targetProfile or sessionName.`
+        };
+      }
+      if (!/^arn:aws[a-z-]*:iam::[0-9]{12}:role\/.+$/.test(i.roleArn)) {
+        return {
+          ok: false,
+          error: `Invalid roleArn '${i.roleArn}'. Must match arn:aws[partition]:iam::<12-digit-account>:role/<name>, e.g. 'arn:aws:iam::123456789012:role/CrossAccountAdmin'.`
         };
       }
       const params = {
@@ -54111,7 +54128,7 @@ function startSsoLogin(profile, opts = {}) {
   if (!isValidProfileName(profile)) {
     return Promise.resolve({
       ok: false,
-      error: `Invalid profile name '${profile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '='.`
+      error: `Invalid profile name '${profile}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-]; the first char must be a letter, digit, or one of _+,.@: (not '-' or '=').`
     });
   }
   const key = dedupeKey(profile, opts);
@@ -54157,6 +54174,7 @@ function doStartSsoLogin(profile, opts) {
     let codeSeen = null;
     let settled = false;
     let registeredSession = null;
+    let exitResult = null;
     let completionResolve;
     const completion = new Promise((res) => {
       completionResolve = res;
@@ -54254,14 +54272,17 @@ ${stderrBuf}` : "");
           rawOutput
         };
       }
+      exitResult = result;
       completionResolve(result);
+    });
+    proc.on("close", () => {
       if (!settled) {
         settled = true;
         clearTimeout(urlTimeout);
         resolve({
           ok: false,
-          error: result.error ?? "aws sso login exited before printing a verification URL",
-          rawOutput: result.rawOutput
+          error: exitResult?.error ?? "aws sso login exited before printing a verification URL",
+          rawOutput: exitResult?.rawOutput
         });
       }
     });
@@ -54965,7 +54986,7 @@ function buildDocsTools(fetchImpl = fetch) {
       }),
       handler: async (input) => {
         const i = input;
-        const limit = i.limit ?? DEFAULT_SEARCH_LIMIT;
+        const limit = Math.min(Math.max(1, i.limit ?? DEFAULT_SEARCH_LIMIT), MAX_SEARCH_LIMIT);
         let response;
         try {
           response = await fetchWithTimeout(
@@ -55035,7 +55056,7 @@ function buildDocsTools(fetchImpl = fetch) {
         openWorldHint: true
       },
       inputSchema: external_exports3.object({
-        url: external_exports3.string().min(1).describe(
+        url: external_exports3.string().min(1).max(2048).describe(
           "AWS docs page URL: https://docs.aws.amazon.com/<...>.html. Usually from an aws_docs_search result."
         ),
         startIndex: external_exports3.number().int().min(0).optional().describe("Character offset to start from (for paginated reads). Default 0."),
@@ -55049,8 +55070,8 @@ function buildDocsTools(fetchImpl = fetch) {
             error: `Invalid url '${i.url}'. Must be an 'https://docs.aws.amazon.com/...html' page. Use aws_docs_search to find one.`
           };
         }
-        const startIndex = i.startIndex ?? 0;
-        const maxLength = i.maxLength ?? DEFAULT_MAX_LENGTH;
+        const startIndex = Math.max(0, i.startIndex ?? 0);
+        const maxLength = Math.min(Math.max(1, i.maxLength ?? DEFAULT_MAX_LENGTH), MAX_MAX_LENGTH);
         let markdown = docCache.get(i.url);
         let cached2 = true;
         if (markdown === void 0) {
@@ -55165,7 +55186,7 @@ function parseSimulationResults(raw) {
 var iamSimulateTools = [
   {
     name: "aws_iam_simulate",
-    description: "Simulate IAM permissions for a principal: can principal X do actions Y on resources Z? Wraps `iam simulate-principal-policy`. Returns one entry per (action, resource) pair with `decision` (allowed / explicitDeny / implicitDeny), `matchedStatementIds` (which IAM statements decided), and `missingContextValues` (context keys the policy needed but you didn't provide -- common for tag-based policies). Use this BEFORE a risky operation to avoid a 403; pairs with the post-failure Suggestion you get from aws_call. Requires iam:SimulatePrincipalPolicy on the caller.",
+    description: "Simulate IAM permissions for a principal: can principal X do actions Y on resources Z? Wraps `iam simulate-principal-policy`. Returns one entry per (action, resource) pair with `decision` (allowed / explicitDeny / implicitDeny / unknown -- unknown is the malformed-response fallback when EvalDecision is missing or unrecognised), `matchedStatementIds` (which IAM statements decided), and `missingContextValues` (context keys the policy needed but you didn't provide -- common for tag-based policies). Use this BEFORE a risky operation to avoid a 403; pairs with the post-failure Suggestion you get from aws_call. Requires iam:SimulatePrincipalPolicy on the caller.",
     annotations: {
       title: "Simulate IAM permissions for a principal",
       readOnlyHint: true,
@@ -55175,13 +55196,13 @@ var iamSimulateTools = [
     },
     inputSchema: external_exports3.object({
       principalArn: external_exports3.string().min(1).describe(
-        "ARN of the principal whose policies you want to evaluate, e.g. 'arn:aws:iam::123456789012:user/jeff' or 'arn:aws:iam::123:role/my-role'."
+        "ARN of the principal whose policies you want to evaluate, e.g. 'arn:aws:iam::123456789012:user/jeff' or 'arn:aws:iam::123456789012:role/my-role'."
       ),
       actions: external_exports3.array(external_exports3.string().min(1)).min(1).max(50).describe(
         "IAM action names to test, e.g. ['lambda:CreateFunction', 's3:GetObject']. 1-50 entries. Wildcards (e.g. 's3:*') are accepted."
       ),
       resources: external_exports3.array(external_exports3.string().min(1)).optional().describe(
-        "Resource ARNs to test against, e.g. ['arn:aws:s3:::my-bucket/*']. Omit to default to ['*'] (best-case 'is this action ever allowed?')."
+        "Resource ARNs to test against, e.g. ['arn:aws:s3:::my-bucket/*']. When omitted, AWS applies its own default of ['*'] server-side (best-case 'is this action ever allowed?') -- this tool does not inject a ['*'] itself."
       ),
       contextEntries: external_exports3.array(
         external_exports3.object({
@@ -55251,13 +55272,14 @@ var iamSimulateTools = [
       const raw = result.data;
       const results = parseSimulationResults(raw?.EvaluationResults);
       const allowed = results.filter((r) => r.decision === "allowed").length;
-      const denied = results.length - allowed;
+      const unknown2 = results.filter((r) => r.decision === "unknown").length;
+      const denied = results.length - allowed - unknown2;
       return {
         ok: true,
         data: {
           command: result.command,
           principalArn: i.principalArn,
-          summary: { allowed, denied, total: results.length },
+          summary: { allowed, denied, unknown: unknown2, total: results.length },
           results,
           evaluationResults: raw?.EvaluationResults ?? []
         }
@@ -55384,736 +55406,288 @@ var logsTools = [
   }
 ];
 
-// src/tools/paginate.ts
-function extractNextToken(data) {
-  if (data && typeof data === "object" && "NextToken" in data) {
-    const token = data.NextToken;
-    if (typeof token === "string" && token.length > 0) return token;
+// src/tools/resource.ts
+var TYPE_NAME_RE = /^[A-Z][A-Za-z0-9]*::[A-Z][A-Za-z0-9]*::[A-Z][A-Za-z0-9]*$/;
+function isValidIdentifier(id) {
+  if (id.length === 0 || id.length > 2048) return false;
+  if (id.startsWith("-")) return false;
+  for (let i = 0; i < id.length; i++) {
+    if (id.charCodeAt(i) < 32) return false;
+  }
+  return true;
+}
+function isValidOpaqueToken(token) {
+  if (token.length === 0 || token.length > 128) return false;
+  if (token.startsWith("-")) return false;
+  for (let i = 0; i < token.length; i++) {
+    if (token.charCodeAt(i) < 32) return false;
+  }
+  return true;
+}
+function parseResourceProperties(raw) {
+  if (!raw || typeof raw !== "object") return { Properties: raw };
+  const rec = raw;
+  const identifier = typeof rec.Identifier === "string" ? rec.Identifier : void 0;
+  const rawProps = rec.Properties;
+  if (typeof rawProps !== "string") {
+    return { Identifier: identifier, Properties: rawProps };
+  }
+  try {
+    return { Identifier: identifier, Properties: JSON.parse(rawProps) };
+  } catch {
+    return { Identifier: identifier, Properties: rawProps, propertiesRaw: rawProps };
+  }
+}
+function validateTypeName(typeName) {
+  if (!TYPE_NAME_RE.test(typeName)) {
+    return `Invalid typeName '${typeName}'. Must be '<Namespace>::<Service>::<Resource>' in PascalCase, e.g. 'AWS::Lambda::Function', 'AWS::S3::Bucket'.`;
   }
   return null;
 }
-function wrapQueryForPagination(userQuery) {
-  return `{NextToken: NextToken, items: ${userQuery}}`;
+function validateIdentifier(id) {
+  if (!isValidIdentifier(id)) {
+    const preview = id.length > 40 ? `${id.slice(0, 40)}...` : id;
+    return `Invalid identifier '${preview}'. Must be 1-2048 chars, not start with '-', and contain no control characters.`;
+  }
+  return null;
 }
-var paginateTools = [
+function validateOpaqueToken(token, fieldName) {
+  if (!isValidOpaqueToken(token)) {
+    return `Invalid ${fieldName}. Must be 1-128 chars, not start with '-', and contain no control characters.`;
+  }
+  return null;
+}
+var TERMINAL_STATUSES = /* @__PURE__ */ new Set(["SUCCESS", "FAILED", "CANCEL_COMPLETE"]);
+var DEFAULT_POLL_INTERVAL_MS = 2e3;
+var DEFAULT_MAX_WAIT_MS = 5 * 6e4;
+var MIN_POLL_INTERVAL_MS = 500;
+var MAX_POLL_INTERVAL_MS = 3e4;
+var MIN_MAX_WAIT_MS = 1e3;
+var MAX_MAX_WAIT_MS = 30 * 6e4;
+function extractProgressFields(progressEvent) {
+  const pe = progressEvent && typeof progressEvent === "object" ? progressEvent : {};
+  const str = (k) => {
+    const v = pe[k];
+    return typeof v === "string" && v.length > 0 ? v : null;
+  };
+  return {
+    requestToken: str("RequestToken"),
+    operationStatus: str("OperationStatus"),
+    identifier: str("Identifier"),
+    errorCode: str("ErrorCode"),
+    statusMessage: str("StatusMessage"),
+    retryAfter: str("RetryAfter")
+  };
+}
+async function pollUntilTerminal(opts, awsCall = runAwsCall, sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))) {
+  const start = Date.now();
+  let attempts = 0;
+  let lastEvent = null;
+  let lastCommand = "";
+  while (true) {
+    attempts++;
+    const result = await awsCall({
+      service: "cloudcontrol",
+      operation: "get-resource-request-status",
+      profile: opts.profile,
+      region: opts.region,
+      timeoutMs: opts.timeoutMs,
+      outputFormat: "json",
+      extraFlags: ["--request-token", opts.requestToken]
+    });
+    if (!result.ok) {
+      return {
+        ok: false,
+        progressEvent: lastEvent,
+        command: result.command ?? lastCommand,
+        attempts,
+        elapsedMs: Date.now() - start,
+        error: result.error,
+        kind: result.kind,
+        rawBody: result.rawStderr ?? result.rawStdout
+      };
+    }
+    lastCommand = result.command;
+    const raw = result.data;
+    lastEvent = raw?.ProgressEvent ?? null;
+    const status = lastEvent && typeof lastEvent.OperationStatus === "string" ? lastEvent.OperationStatus : null;
+    if (status && TERMINAL_STATUSES.has(status)) {
+      return { ok: true, progressEvent: lastEvent, command: lastCommand, attempts, elapsedMs: Date.now() - start };
+    }
+    const elapsed = Date.now() - start;
+    if (elapsed >= opts.maxWaitMs) {
+      return {
+        ok: false,
+        progressEvent: lastEvent,
+        command: lastCommand,
+        attempts,
+        elapsedMs: elapsed,
+        error: `Polled for ${Math.round(elapsed / 1e3)}s without reaching a terminal state (last status: ${status ?? "unknown"}). Increase maxWaitMs, or call aws_resource_status with requestToken='${opts.requestToken}' to keep checking.`
+      };
+    }
+    let waitMs = opts.pollIntervalMs;
+    const retryAfterRaw = lastEvent && typeof lastEvent.RetryAfter === "string" ? lastEvent.RetryAfter : null;
+    if (retryAfterRaw) {
+      const target = Date.parse(retryAfterRaw);
+      if (!Number.isNaN(target)) {
+        const ra = target - Date.now();
+        if (ra > 0) waitMs = ra;
+      }
+    }
+    waitMs = Math.min(waitMs, opts.maxWaitMs - elapsed);
+    if (waitMs > 0) await sleep(waitMs);
+  }
+}
+async function buildMutationResponse(initial, i) {
+  const raw = initial.data;
+  const progressEvent = raw?.ProgressEvent ?? null;
+  const fields = extractProgressFields(progressEvent);
+  const initialStatus = fields.operationStatus ?? "";
+  const alreadyTerminal = TERMINAL_STATUSES.has(initialStatus);
+  if (i.awaitCompletion && fields.requestToken && !alreadyTerminal) {
+    const polled = await pollUntilTerminal({
+      requestToken: fields.requestToken,
+      profile: i.profile,
+      region: i.region,
+      timeoutMs: i.timeoutMs,
+      pollIntervalMs: i.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS,
+      maxWaitMs: i.maxWaitMs ?? DEFAULT_MAX_WAIT_MS
+    });
+    if (!polled.ok) {
+      if (polled.kind === "sso_expired" || polled.kind === "no_creds") {
+        const useProfile = i.profile ?? getProfile();
+        const reLoginHint = polled.kind === "sso_expired" ? `SSO session expired while awaiting completion. Call aws_login_start with profile='${useProfile}' to re-authenticate, then call aws_resource_status with requestToken='${fields.requestToken}' to check whether the mutation completed server-side.` : `No credentials available while awaiting completion. After fixing credentials for profile '${useProfile}', call aws_resource_status with requestToken='${fields.requestToken}' to check whether the mutation completed server-side. Underlying error: ${polled.error}`;
+        return { ok: false, error: reLoginHint, rawBody: polled.rawBody };
+      }
+      return { ok: false, error: polled.error ?? "Poll failed", rawBody: polled.rawBody };
+    }
+    const finalFields = extractProgressFields(polled.progressEvent);
+    return {
+      ok: true,
+      data: {
+        command: polled.command,
+        ...finalFields,
+        progressEvent: polled.progressEvent,
+        awaited: { attempts: polled.attempts, elapsedMs: polled.elapsedMs }
+      }
+    };
+  }
+  return {
+    ok: true,
+    data: { command: initial.command, ...fields, progressEvent }
+  };
+}
+var baseFields = {
+  profile: external_exports3.string().optional().describe("Override session profile for this call."),
+  region: external_exports3.string().optional().describe("Override session region for this call."),
+  timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in milliseconds. Default 60000.")
+};
+var awaitFields = {
+  awaitCompletion: external_exports3.boolean().optional().describe(
+    "If true, poll get-resource-request-status until the operation reaches SUCCESS / FAILED / CANCEL_COMPLETE and return the final ProgressEvent. Default false (returns immediately with IN_PROGRESS, caller polls via aws_resource_status)."
+  ),
+  pollIntervalMs: external_exports3.number().int().min(MIN_POLL_INTERVAL_MS).max(MAX_POLL_INTERVAL_MS).optional().describe(
+    `Poll interval in ms when awaitCompletion is true (range ${MIN_POLL_INTERVAL_MS}-${MAX_POLL_INTERVAL_MS}). Default ${DEFAULT_POLL_INTERVAL_MS}. ProgressEvent.RetryAfter overrides when CCAPI returns one.`
+  ),
+  maxWaitMs: external_exports3.number().int().min(MIN_MAX_WAIT_MS).max(MAX_MAX_WAIT_MS).optional().describe(
+    `Maximum total wait in ms when awaitCompletion is true (range ${MIN_MAX_WAIT_MS}-${MAX_MAX_WAIT_MS}). Default ${DEFAULT_MAX_WAIT_MS}. On timeout, returns the last seen status with a hint to keep polling.`
+  )
+};
+var resourceTools = [
   {
-    name: "aws_paginate",
-    description: "Fetch one page of a paginated AWS list/describe operation. Identical to aws_call plus `maxItems` (page size) and `startingToken` (resume cursor). Returns the parsed response, a `nextToken` (null when the list is exhausted), and `hasMore`. Call again with the returned nextToken as startingToken until hasMore is false. Use this instead of aws_call for operations that might exceed the 5 MB stdout cap: list-objects-v2, describe-instances, describe-log-streams, list-roles, etc.",
+    name: "aws_resource_get",
+    description: "Read a single AWS resource via Cloud Control API. Covers hundreds of resource types with a CloudFormation schema. `typeName` is '<Namespace>::<Service>::<Resource>' (e.g. 'AWS::Lambda::Function'); `identifier` is the primary key for that type (function name, bucket name, IAM role name, ARN, or composite id). Returns parsed Properties. For resources not covered by CCAPI or for data-plane operations, use aws_call.",
     annotations: {
-      title: "Fetch one page of a paginated AWS operation",
+      title: "Get an AWS resource by type + identifier",
       readOnlyHint: true,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      service: external_exports3.string().describe("AWS service in kebab-case: 's3api', 'ec2', 'iam', 'logs', etc."),
-      operation: external_exports3.string().describe("Paginated operation: 'list-objects-v2', 'describe-instances', 'list-roles', etc."),
-      params: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Operation parameters (PascalCase keys) passed via --cli-input-json."),
-      query: external_exports3.string().optional().describe(
-        "JMESPath expression to extract fields from each page (--query). The query is wrapped server-side as {NextToken, items: <query>} so pagination still works even when the projection drops NextToken; the handler unwraps `items` before returning."
-      ),
-      maxItems: external_exports3.number().int().positive().optional().describe("Items per page. Default 100. Lower this if hitting the 5 MB output cap."),
-      startingToken: external_exports3.string().optional().describe("Resume cursor from the previous call's `nextToken`. Omit for the first page."),
-      profile: external_exports3.string().optional().describe("Override session profile for this call."),
-      region: external_exports3.string().optional().describe("Override session region for this call."),
-      timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in milliseconds. Default 60000.")
+      typeName: external_exports3.string().describe("CloudFormation type name, e.g. 'AWS::Lambda::Function', 'AWS::S3::Bucket', 'AWS::IAM::Role'."),
+      identifier: external_exports3.string().min(1).describe("Primary identifier for the resource (function name, bucket name, ARN, or composite id)."),
+      ...baseFields
     }),
     handler: async (input) => {
       const i = input;
-      const maxItems = i.maxItems ?? 100;
-      const extraFlags = ["--max-items", String(maxItems)];
-      if (i.startingToken) {
-        extraFlags.push("--starting-token", i.startingToken);
-      }
-      const userQuery = i.query?.trim();
-      const queryWrapped = userQuery ? wrapQueryForPagination(userQuery) : void 0;
+      const tnErr = validateTypeName(i.typeName);
+      if (tnErr) return { ok: false, error: tnErr };
+      const idErr = validateIdentifier(i.identifier);
+      if (idErr) return { ok: false, error: idErr };
       const result = await runAwsCall({
-        service: i.service,
-        operation: i.operation,
-        params: i.params,
-        query: queryWrapped,
+        service: "cloudcontrol",
+        operation: "get-resource",
         profile: i.profile,
         region: i.region,
-        outputFormat: "json",
         timeoutMs: i.timeoutMs,
-        extraFlags
+        outputFormat: "json",
+        extraFlags: ["--type-name", i.typeName, "--identifier", i.identifier]
       });
       if (!result.ok) {
         return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
       }
-      let resultBody;
-      let nextToken;
-      if (queryWrapped) {
-        const wrapped = result.data ?? {};
-        nextToken = extractNextToken(wrapped);
-        resultBody = wrapped.items ?? null;
-      } else {
-        nextToken = extractNextToken(result.data);
-        resultBody = result.data;
-      }
+      const raw = result.data;
+      const parsed = parseResourceProperties(raw?.ResourceDescription);
       return {
         ok: true,
         data: {
           command: result.command,
-          result: resultBody,
-          nextToken,
-          hasMore: nextToken !== null
-        }
-      };
-    }
-  }
-];
-
-// src/tools/metrics.ts
-var SIMPLE_STATS = ["Average", "Sum", "Maximum", "Minimum", "SampleCount"];
-var EXTENDED_STAT_RE = /^(p|tm|tc|wm|pr|ts|iqm)(\d{1,3}(\.\d{1,3})?)?$/i;
-function isValidStatistic(s) {
-  const lower = s.toLowerCase();
-  if (SIMPLE_STATS.some((stat) => stat.toLowerCase() === lower)) return true;
-  return EXTENDED_STAT_RE.test(s);
-}
-function canonicalizeStatistic(s) {
-  const lower = s.toLowerCase();
-  for (const stat of SIMPLE_STATS) {
-    if (stat.toLowerCase() === lower) return stat;
-  }
-  if (EXTENDED_STAT_RE.test(s)) return lower;
-  return s;
-}
-var QUERY_ID_RE = /^[a-z][A-Za-z0-9_]*$/;
-var MAX_QUERIES = 100;
-var CLOUDWATCH_MAX_DATAPOINTS = 100800;
-var PERIOD_3H_MS = 3 * 60 * 60 * 1e3;
-var PERIOD_24H_MS = 24 * 60 * 60 * 1e3;
-var PERIOD_15D_MS = 15 * 24 * 60 * 60 * 1e3;
-function pickAutoPeriodSeconds(startMs, endMs) {
-  const rangeMs = Math.max(0, endMs - startMs);
-  if (rangeMs <= PERIOD_3H_MS) return 60;
-  if (rangeMs <= PERIOD_24H_MS) return 300;
-  if (rangeMs <= PERIOD_15D_MS) return 900;
-  return 3600;
-}
-var RELATIVE_TIME_RE = /^\d+[smhdw]$/;
-var UNIT_MS = {
-  s: 1e3,
-  m: 60 * 1e3,
-  h: 60 * 60 * 1e3,
-  d: 24 * 60 * 60 * 1e3,
-  w: 7 * 24 * 60 * 60 * 1e3
-};
-function resolveTime(input, now) {
-  if (input === "now") return new Date(now);
-  const rel = input.match(RELATIVE_TIME_RE);
-  if (rel) {
-    const num = Number(input.slice(0, -1));
-    const unit = input.slice(-1);
-    const ms = UNIT_MS[unit];
-    if (!ms || !Number.isFinite(num)) return null;
-    return new Date(now - num * ms);
-  }
-  const t = new Date(input);
-  if (Number.isNaN(t.getTime())) return null;
-  return t;
-}
-function buildMetricDataQueries(inputs, autoPeriod) {
-  return inputs.map((q) => {
-    const base = { Id: q.id };
-    if (q.label !== void 0) base.Label = q.label;
-    if (q.returnData !== void 0) base.ReturnData = q.returnData;
-    if (q.expression !== void 0) {
-      base.Expression = q.expression;
-      if (q.period !== void 0) base.Period = q.period;
-      return base;
+          typeName: raw?.TypeName ?? i.typeName,
+          identifier: parsed.Identifier,
+          properties: parsed.Properties,
+          ...parsed.propertiesRaw ? { propertiesRaw: parsed.propertiesRaw } : {}
+        }
+      };
     }
-    const dimensions = q.dimensions ? Object.entries(q.dimensions).map(([Name, Value]) => ({ Name, Value })) : void 0;
-    const stat = {
-      Metric: {
-        Namespace: q.namespace,
-        MetricName: q.metricName,
-        ...dimensions ? { Dimensions: dimensions } : {}
-      },
-      Period: q.period ?? autoPeriod,
-      Stat: q.statistic !== void 0 ? canonicalizeStatistic(q.statistic) : "Average"
-    };
-    if (q.unit !== void 0) stat.Unit = q.unit;
-    base.MetricStat = stat;
-    return base;
-  });
-}
-var metricsTools = [
+  },
   {
-    name: "aws_metrics_query",
-    description: "Query CloudWatch metrics via GetMetricData (the modern multi-metric / expression-capable API, not the legacy get-metric-statistics). Pass `queries` as a flat array of {id, namespace, metricName, dimensions?, statistic?, period?, expression?, label?}; the tool shapes them into MetricDataQueries for you. `startTime`/`endTime` accept ISO 8601 or relative shorthand ('15m', '1h', '1d', '1w'); endTime defaults to 'now'. Period is auto-picked from the time range when omitted (60s for <=3h, 300s for <=24h, 900s for <=15d, 3600s otherwise) to stay under CloudWatch's ~100,800-datapoint response cap. Returns {series: [{id, label?, timestamps, values, period?, statusCode?}], messages?, periodSeconds, profile, region, nextToken, hasMore}. Each series' `period` is the effective granularity for that query (its explicit period, or the auto-pick it inherited); it is omitted for an expression query that didn't set one. The top-level `periodSeconds` is always the auto-pick. When CloudWatch truncates a large response, `hasMore` is true and `nextToken` carries the resume cursor -- call again with `nextToken` set to fetch the next page (rare for typical agent queries that stay within the per-request cap). Use for 'show me the CPU on this instance for the last hour', 'sum lambda invocations across these 3 functions', or expression-based 'p99 latency divided by average latency' lookups.",
+    name: "aws_resource_list",
+    description: "List resources of a given type via Cloud Control API, paginated. Returns an array of {identifier, properties}, a `nextToken` (null when exhausted), and `hasMore`. Some types need parent identifiers (e.g. nested resources under a cluster); pass those as `resourceModel`.",
     annotations: {
-      title: "Query CloudWatch metrics (GetMetricData)",
+      title: "List AWS resources of a type (paginated)",
       readOnlyHint: true,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      queries: external_exports3.array(
-        external_exports3.object({
-          id: external_exports3.string().regex(QUERY_ID_RE, "id must match /^[a-z][A-Za-z0-9_]*$/ (CloudWatch's MetricDataQuery.Id contract)"),
-          namespace: external_exports3.string().min(1).optional().describe("AWS metric namespace, e.g. 'AWS/Lambda', 'AWS/EC2'. Required unless `expression` is set."),
-          metricName: external_exports3.string().min(1).optional().describe("Metric name, e.g. 'Invocations', 'CPUUtilization'. Required unless `expression` is set."),
-          dimensions: external_exports3.record(external_exports3.string(), external_exports3.string()).optional().describe("Dimension Name -> Value map, e.g. {FunctionName: 'my-fn'}."),
-          statistic: external_exports3.string().optional().describe(
-            "Statistic: Average | Sum | Maximum | Minimum | SampleCount, or an extended stat like 'p99', 'p99.9', 'tm95'. Default 'Average'."
-          ),
-          period: external_exports3.number().int().positive().optional().describe("Period in seconds. Defaults to an auto-pick from the time range (60s/300s/900s/3600s)."),
-          expression: external_exports3.string().min(1).optional().describe(
-            `CloudWatch metric math expression, e.g. 'SUM([m1, m2])' or 'AVG(METRICS("AWS/Lambda"))'. Mutually exclusive with namespace/metricName/dimensions.`
-          ),
-          label: external_exports3.string().optional().describe("Human-readable label for the series in the response."),
-          returnData: external_exports3.boolean().optional().describe(
-            "Set false to compute this query but not return its data (useful for intermediate values in expressions). Default true."
-          ),
-          unit: external_exports3.string().optional().describe(
-            "Restrict to a specific Unit (e.g. 'Seconds', 'Bytes'). Default: no filter. Only meaningful on metric-stat queries."
-          )
-        })
-      ).min(1).max(MAX_QUERIES).describe(`1-${MAX_QUERIES} queries. Each is either a metric-stat (namespace + metricName) or an expression.`),
-      startTime: external_exports3.string().optional().describe("ISO 8601 timestamp or relative shorthand ('15m', '1h', '1d', '1w'). Default '1h' (one hour ago)."),
-      endTime: external_exports3.string().optional().describe("ISO 8601 timestamp or relative shorthand. Default 'now'."),
-      scanBy: external_exports3.enum(["TimestampAscending", "TimestampDescending"]).optional().describe("Sort order for returned datapoints. Default 'TimestampDescending' (matches CloudWatch's default)."),
-      maxDataPoints: external_exports3.number().int().positive().optional().describe(
-        "Target datapoint count. CloudWatch does not truncate to the first N points -- it widens (coarsens) the period server-side so the series aggregates down to fit this many points. CloudWatch's own ceiling is ~100,800; lower this to make CloudWatch return a coarser, smaller series. Forwarded as CloudWatch's MaxDatapoints (single 'p') field; the camelCase schema name follows this server's convention."
-      ),
-      nextToken: external_exports3.string().optional().describe(
-        "Resume cursor from a previous call's `nextToken`. Omit for the first page. Forwarded as CloudWatch's NextToken; only meaningful when a prior call returned `hasMore: true`."
-      ),
-      profile: external_exports3.string().optional().describe("Override session profile for this call."),
-      region: external_exports3.string().optional().describe("Override session region for this call."),
-      timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in milliseconds. Default 60000 (60s).")
+      typeName: external_exports3.string().describe("CloudFormation type name, e.g. 'AWS::Lambda::Function'."),
+      resourceModel: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Parent identifier properties for nested types, e.g. {ClusterArn: '...'}."),
+      maxResults: external_exports3.number().int().positive().max(100).optional().describe("Page size (1-100). Default 100."),
+      nextToken: external_exports3.string().optional().describe("Resume cursor from the previous call's `nextToken`. Omit for the first page."),
+      ...baseFields
     }),
     handler: async (input) => {
       const i = input;
-      const seenIds = /* @__PURE__ */ new Map();
-      for (let qi = 0; qi < i.queries.length; qi++) {
-        const q = i.queries[qi];
-        const firstIdx = seenIds.get(q.id);
-        if (firstIdx !== void 0) {
-          return {
-            ok: false,
-            error: `Duplicate query id '${q.id}' at queries[${qi}]; first seen at queries[${firstIdx}]. Each MetricDataQuery.Id must be unique in a batch.`
-          };
-        }
-        seenIds.set(q.id, qi);
-        const hasMetricStat = q.namespace !== void 0 || q.metricName !== void 0 || q.dimensions !== void 0;
-        const hasExpression = q.expression !== void 0;
-        if (hasMetricStat && hasExpression) {
-          return {
-            ok: false,
-            error: `Query '${q.id}' mixes metric-stat fields (namespace/metricName/dimensions) with 'expression'. Pick one shape per query.`
-          };
-        }
-        if (!hasMetricStat && !hasExpression) {
-          return {
-            ok: false,
-            error: `Query '${q.id}' has neither metric-stat (namespace+metricName) nor 'expression'. One is required.`
-          };
-        }
-        if (hasMetricStat && (q.namespace === void 0 || q.metricName === void 0)) {
-          return {
-            ok: false,
-            error: `Query '${q.id}' must include BOTH 'namespace' and 'metricName' (or use 'expression' instead).`
-          };
-        }
-        if (q.statistic !== void 0 && !isValidStatistic(q.statistic)) {
-          return {
-            ok: false,
-            error: `Query '${q.id}' has invalid statistic '${q.statistic}'. Use Average | Sum | Maximum | Minimum | SampleCount, or an extended stat like p99 / p99.9 / tm95.`
-          };
-        }
-      }
-      const now = Date.now();
-      const startStr = i.startTime ?? "1h";
-      const endStr = i.endTime ?? "now";
-      const startDate = resolveTime(startStr, now);
-      const endDate = resolveTime(endStr, now);
-      if (!startDate) {
-        return {
-          ok: false,
-          error: `Invalid startTime '${startStr}'. Use ISO 8601 (e.g. '2026-05-16T10:00:00Z') or relative shorthand (e.g. '1h', '15m', '1d').`
-        };
-      }
-      if (!endDate) {
-        return {
-          ok: false,
-          error: `Invalid endTime '${endStr}'. Use ISO 8601 or relative shorthand, or 'now' for the current moment.`
-        };
-      }
-      if (endDate.getTime() <= startDate.getTime()) {
-        return {
-          ok: false,
-          error: `endTime (${endDate.toISOString()}) must be after startTime (${startDate.toISOString()}).`
-        };
+      const tnErr = validateTypeName(i.typeName);
+      if (tnErr) return { ok: false, error: tnErr };
+      if (i.nextToken !== void 0) {
+        const ntErr = validateOpaqueToken(i.nextToken, "nextToken");
+        if (ntErr) return { ok: false, error: ntErr };
       }
-      const rangeSeconds = (endDate.getTime() - startDate.getTime()) / 1e3;
-      for (const q of i.queries) {
-        if (q.period === void 0) continue;
-        if (q.period <= 0 || q.period % 60 !== 0) {
-          return {
-            ok: false,
-            error: `Query '${q.id}' has invalid period ${q.period}. CloudWatch requires period to be a positive multiple of 60 (seconds).`
-          };
-        }
-        const datapoints = Math.ceil(rangeSeconds / q.period);
-        if (datapoints > CLOUDWATCH_MAX_DATAPOINTS) {
-          return {
-            ok: false,
-            error: `Query '${q.id}' with period ${q.period}s over the requested range (${startDate.toISOString()} to ${endDate.toISOString()}) would request ${datapoints} datapoints, exceeding CloudWatch's per-request cap of ${CLOUDWATCH_MAX_DATAPOINTS}. Widen the period or narrow the time range.`
-          };
-        }
+      const extraFlags = ["--type-name", i.typeName, "--max-results", String(i.maxResults ?? 100)];
+      if (i.nextToken) extraFlags.push("--next-token", i.nextToken);
+      if (i.resourceModel && Object.keys(i.resourceModel).length > 0) {
+        extraFlags.push("--resource-model", JSON.stringify(i.resourceModel));
       }
-      const periodSeconds = pickAutoPeriodSeconds(startDate.getTime(), endDate.getTime());
-      const metricDataQueries = buildMetricDataQueries(i.queries, periodSeconds);
-      const params = {
-        MetricDataQueries: metricDataQueries,
-        StartTime: startDate.toISOString(),
-        EndTime: endDate.toISOString(),
-        ScanBy: i.scanBy ?? "TimestampDescending"
-      };
-      if (i.maxDataPoints !== void 0) params.MaxDatapoints = i.maxDataPoints;
-      if (i.nextToken !== void 0) params.NextToken = i.nextToken;
-      const effectiveProfile = i.profile ?? getProfile();
-      const effectiveRegion = i.region ?? getRegion();
       const result = await runAwsCall({
-        service: "cloudwatch",
-        operation: "get-metric-data",
+        service: "cloudcontrol",
+        operation: "list-resources",
         profile: i.profile,
         region: i.region,
         timeoutMs: i.timeoutMs,
         outputFormat: "json",
-        params
+        extraFlags
       });
       if (!result.ok) {
         return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
       }
-      const raw = result.data ?? {};
-      const queryById = new Map(i.queries.map((q) => [q.id, q]));
-      const series = (raw.MetricDataResults ?? []).map((r) => {
-        const q = queryById.get(r.Id ?? "");
-        const effectivePeriod = q?.period ?? (q && q.expression === void 0 ? periodSeconds : void 0);
-        return {
-          id: r.Id ?? "",
-          ...r.Label !== void 0 ? { label: r.Label } : {},
-          timestamps: r.Timestamps ?? [],
-          values: r.Values ?? [],
-          ...effectivePeriod !== void 0 ? { period: effectivePeriod } : {},
-          ...r.StatusCode !== void 0 ? { statusCode: r.StatusCode } : {}
-        };
-      });
-      const messages = raw.Messages?.filter((m) => m.Code || m.Value).map((m) => ({
-        code: m.Code,
-        value: m.Value
-      }));
-      const nextToken = extractNextToken(raw);
-      return {
-        ok: true,
-        data: {
-          command: result.command,
-          profile: effectiveProfile,
-          region: effectiveRegion,
-          startTime: startDate.toISOString(),
-          endTime: endDate.toISOString(),
-          periodSeconds,
-          series,
-          nextToken,
-          hasMore: nextToken !== null,
-          ...messages && messages.length > 0 ? { messages } : {}
-        }
-      };
-    }
-  }
-];
-
-// src/tools/multi-region.ts
-var DEFAULT_CONCURRENCY = 8;
-var MAX_CONCURRENCY = 32;
-var MAX_REGIONS = 32;
-async function runWithConcurrency(inputs, concurrency, fn) {
-  const results = new Array(inputs.length);
-  let next = 0;
-  const worker = async () => {
-    while (true) {
-      const i = next++;
-      if (i >= inputs.length) return;
-      results[i] = await fn(inputs[i], i);
-    }
-  };
-  const workerCount = Math.min(concurrency, inputs.length);
-  await Promise.all(Array.from({ length: workerCount }, () => worker()));
-  return results;
-}
-var multiRegionTools = [
-  {
-    name: "aws_multi_region",
-    description: "Run the same AWS API operation across multiple regions in parallel. Same shape as aws_call (service, operation, params?, query?, outputFormat?, timeoutMs?) but takes `regions: string[]` instead of `region`. Returns an array of `{region, ok, data?, command?, error?, errorKind?}` -- partial failure is expected (services aren't everywhere, perms may be region-scoped). Duplicate regions in the input are collapsed (first occurrence wins), so `results.length` may be less than `regions.length`; use the returned `regionCount` for the actual count run. Use for fleet-wide reads: 'describe-instances across all our regions', 'list buckets in every region', 'check IAM password policy everywhere'.",
-    annotations: {
-      title: "Run an AWS operation across multiple regions in parallel",
-      // The operation can be anything -- we conservatively annotate as not
-      // read-only / not destructive. The caller chooses what to invoke.
-      readOnlyHint: false,
-      destructiveHint: false,
-      idempotentHint: false,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      service: external_exports3.string().describe("AWS service in kebab-case: 's3api', 'ec2', 'iam', etc."),
-      operation: external_exports3.string().describe("Operation in kebab-case: 'describe-instances', 'list-buckets', etc."),
-      regions: external_exports3.array(external_exports3.string().min(1)).min(1).max(MAX_REGIONS).describe(
-        `Region IDs (e.g. ['us-east-1','us-west-2','eu-west-1']). 1-${MAX_REGIONS}. Validated for argv-safety; a bad region name yields a clear per-region error and skips its CLI spawn (per-region isolation comes from each region being a separate call, not from this pre-check).`
-      ),
-      params: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Operation parameters (PascalCase keys) -- same shape as aws_call."),
-      query: external_exports3.string().optional().describe("JMESPath expression for --query (server-side trimming per region)."),
-      outputFormat: external_exports3.enum(["json", "text", "table", "yaml"]).optional().describe("Output format. Default 'json'."),
-      profile: external_exports3.string().optional().describe("Override session profile for the batch."),
-      timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in ms applied PER region. Default 60000."),
-      concurrency: external_exports3.number().int().positive().max(MAX_CONCURRENCY).optional().describe(`Max regions in flight at once (1-${MAX_CONCURRENCY}). Default ${DEFAULT_CONCURRENCY}.`)
-    }),
-    handler: async (input) => {
-      const i = input;
-      const seen = /* @__PURE__ */ new Set();
-      const regions = [];
-      for (const r of i.regions) {
-        if (!seen.has(r)) {
-          seen.add(r);
-          regions.push(r);
-        }
-      }
-      const concurrency = i.concurrency ?? DEFAULT_CONCURRENCY;
-      const results = await runWithConcurrency(regions, concurrency, async (region) => {
-        if (!isValidRegionName(region)) {
-          return {
-            region,
-            ok: false,
-            error: `Invalid region '${region}'. Must match ${REGION_NAME_RE} (e.g. 'us-east-1').`,
-            errorKind: "bad_input"
-          };
-        }
-        const r = await runAwsCall({
-          service: i.service,
-          operation: i.operation,
-          params: i.params,
-          query: i.query,
-          profile: i.profile,
-          region,
-          outputFormat: i.outputFormat,
-          timeoutMs: i.timeoutMs
-        });
-        if (!r.ok) {
-          return {
-            region,
-            ok: false,
-            command: r.command,
-            error: r.error,
-            errorKind: r.kind
-          };
-        }
-        return { region, ok: true, command: r.command, data: r.data };
-      });
-      const okCount = results.filter((r) => r.ok).length;
-      const errCount = results.length - okCount;
-      return {
-        ok: true,
-        data: {
-          service: i.service,
-          operation: i.operation,
-          regionCount: regions.length,
-          okCount,
-          errorCount: errCount,
-          results
-        }
-      };
-    }
-  }
-];
-
-// src/tools/resource.ts
-var TYPE_NAME_RE = /^[A-Z][A-Za-z0-9]*::[A-Z][A-Za-z0-9]*::[A-Z][A-Za-z0-9]*$/;
-function isValidIdentifier(id) {
-  if (id.length === 0 || id.length > 2048) return false;
-  if (id.startsWith("-")) return false;
-  for (let i = 0; i < id.length; i++) {
-    if (id.charCodeAt(i) < 32) return false;
-  }
-  return true;
-}
-function isValidOpaqueToken(token) {
-  if (token.length === 0 || token.length > 128) return false;
-  if (token.startsWith("-")) return false;
-  for (let i = 0; i < token.length; i++) {
-    if (token.charCodeAt(i) < 32) return false;
-  }
-  return true;
-}
-function parseResourceProperties(raw) {
-  if (!raw || typeof raw !== "object") return { Properties: raw };
-  const rec = raw;
-  const identifier = typeof rec.Identifier === "string" ? rec.Identifier : void 0;
-  const rawProps = rec.Properties;
-  if (typeof rawProps !== "string") {
-    return { Identifier: identifier, Properties: rawProps };
-  }
-  try {
-    return { Identifier: identifier, Properties: JSON.parse(rawProps) };
-  } catch {
-    return { Identifier: identifier, Properties: rawProps, propertiesRaw: rawProps };
-  }
-}
-function validateTypeName(typeName) {
-  if (!TYPE_NAME_RE.test(typeName)) {
-    return `Invalid typeName '${typeName}'. Must be '<Namespace>::<Service>::<Resource>' in PascalCase, e.g. 'AWS::Lambda::Function', 'AWS::S3::Bucket'.`;
-  }
-  return null;
-}
-function validateIdentifier(id) {
-  if (!isValidIdentifier(id)) {
-    const preview = id.length > 40 ? `${id.slice(0, 40)}...` : id;
-    return `Invalid identifier '${preview}'. Must be 1-2048 chars, not start with '-', and contain no control characters.`;
-  }
-  return null;
-}
-function validateOpaqueToken(token, fieldName) {
-  if (!isValidOpaqueToken(token)) {
-    return `Invalid ${fieldName}. Must be 1-128 chars, not start with '-', and contain no control characters.`;
-  }
-  return null;
-}
-var TERMINAL_STATUSES = /* @__PURE__ */ new Set(["SUCCESS", "FAILED", "CANCEL_COMPLETE"]);
-var DEFAULT_POLL_INTERVAL_MS = 2e3;
-var DEFAULT_MAX_WAIT_MS = 5 * 6e4;
-var MIN_POLL_INTERVAL_MS = 500;
-var MAX_POLL_INTERVAL_MS = 3e4;
-var MIN_MAX_WAIT_MS = 1e3;
-var MAX_MAX_WAIT_MS = 30 * 6e4;
-function extractProgressFields(progressEvent) {
-  const pe = progressEvent && typeof progressEvent === "object" ? progressEvent : {};
-  const str = (k) => {
-    const v = pe[k];
-    return typeof v === "string" && v.length > 0 ? v : null;
-  };
-  return {
-    requestToken: str("RequestToken"),
-    operationStatus: str("OperationStatus"),
-    identifier: str("Identifier"),
-    errorCode: str("ErrorCode"),
-    statusMessage: str("StatusMessage"),
-    retryAfter: str("RetryAfter")
-  };
-}
-async function pollUntilTerminal(opts, awsCall = runAwsCall, sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))) {
-  const start = Date.now();
-  let attempts = 0;
-  let lastEvent = null;
-  let lastCommand = "";
-  while (true) {
-    attempts++;
-    const result = await awsCall({
-      service: "cloudcontrol",
-      operation: "get-resource-request-status",
-      profile: opts.profile,
-      region: opts.region,
-      timeoutMs: opts.timeoutMs,
-      outputFormat: "json",
-      extraFlags: ["--request-token", opts.requestToken]
-    });
-    if (!result.ok) {
-      return {
-        ok: false,
-        progressEvent: lastEvent,
-        command: result.command ?? lastCommand,
-        attempts,
-        elapsedMs: Date.now() - start,
-        error: result.error,
-        kind: result.kind,
-        rawBody: result.rawStderr ?? result.rawStdout
-      };
-    }
-    lastCommand = result.command;
-    const raw = result.data;
-    lastEvent = raw?.ProgressEvent ?? null;
-    const status = lastEvent && typeof lastEvent.OperationStatus === "string" ? lastEvent.OperationStatus : null;
-    if (status && TERMINAL_STATUSES.has(status)) {
-      return { ok: true, progressEvent: lastEvent, command: lastCommand, attempts, elapsedMs: Date.now() - start };
-    }
-    const elapsed = Date.now() - start;
-    if (elapsed >= opts.maxWaitMs) {
-      return {
-        ok: false,
-        progressEvent: lastEvent,
-        command: lastCommand,
-        attempts,
-        elapsedMs: elapsed,
-        error: `Polled for ${Math.round(elapsed / 1e3)}s without reaching a terminal state (last status: ${status ?? "unknown"}). Increase maxWaitMs, or call aws_resource_status with requestToken='${opts.requestToken}' to keep checking.`
-      };
-    }
-    let waitMs = opts.pollIntervalMs;
-    const retryAfterRaw = lastEvent && typeof lastEvent.RetryAfter === "string" ? lastEvent.RetryAfter : null;
-    if (retryAfterRaw) {
-      const target = Date.parse(retryAfterRaw);
-      if (!Number.isNaN(target)) {
-        const ra = target - Date.now();
-        if (ra > 0) waitMs = ra;
-      }
-    }
-    waitMs = Math.min(waitMs, opts.maxWaitMs - elapsed);
-    if (waitMs > 0) await sleep(waitMs);
-  }
-}
-async function buildMutationResponse(initial, i) {
-  const raw = initial.data;
-  const progressEvent = raw?.ProgressEvent ?? null;
-  const fields = extractProgressFields(progressEvent);
-  const initialStatus = fields.operationStatus ?? "";
-  const alreadyTerminal = TERMINAL_STATUSES.has(initialStatus);
-  if (i.awaitCompletion && fields.requestToken && !alreadyTerminal) {
-    const polled = await pollUntilTerminal({
-      requestToken: fields.requestToken,
-      profile: i.profile,
-      region: i.region,
-      timeoutMs: i.timeoutMs,
-      pollIntervalMs: i.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS,
-      maxWaitMs: i.maxWaitMs ?? DEFAULT_MAX_WAIT_MS
-    });
-    if (!polled.ok) {
-      if (polled.kind === "sso_expired" || polled.kind === "no_creds") {
-        const useProfile = i.profile ?? getProfile();
-        const reLoginHint = polled.kind === "sso_expired" ? `SSO session expired while awaiting completion. Call aws_login_start with profile='${useProfile}' to re-authenticate, then call aws_resource_status with requestToken='${fields.requestToken}' to check whether the mutation completed server-side.` : `No credentials available while awaiting completion. After fixing credentials for profile '${useProfile}', call aws_resource_status with requestToken='${fields.requestToken}' to check whether the mutation completed server-side. Underlying error: ${polled.error}`;
-        return { ok: false, error: reLoginHint, rawBody: polled.rawBody };
-      }
-      return { ok: false, error: polled.error ?? "Poll failed", rawBody: polled.rawBody };
-    }
-    const finalFields = extractProgressFields(polled.progressEvent);
-    return {
-      ok: true,
-      data: {
-        command: polled.command,
-        ...finalFields,
-        progressEvent: polled.progressEvent,
-        awaited: { attempts: polled.attempts, elapsedMs: polled.elapsedMs }
-      }
-    };
-  }
-  return {
-    ok: true,
-    data: { command: initial.command, ...fields, progressEvent }
-  };
-}
-var baseFields = {
-  profile: external_exports3.string().optional().describe("Override session profile for this call."),
-  region: external_exports3.string().optional().describe("Override session region for this call."),
-  timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in milliseconds. Default 60000.")
-};
-var awaitFields = {
-  awaitCompletion: external_exports3.boolean().optional().describe(
-    "If true, poll get-resource-request-status until the operation reaches SUCCESS / FAILED / CANCEL_COMPLETE and return the final ProgressEvent. Default false (returns immediately with IN_PROGRESS, caller polls via aws_resource_status)."
-  ),
-  pollIntervalMs: external_exports3.number().int().min(MIN_POLL_INTERVAL_MS).max(MAX_POLL_INTERVAL_MS).optional().describe(
-    `Poll interval in ms when awaitCompletion is true (range ${MIN_POLL_INTERVAL_MS}-${MAX_POLL_INTERVAL_MS}). Default ${DEFAULT_POLL_INTERVAL_MS}. ProgressEvent.RetryAfter overrides when CCAPI returns one.`
-  ),
-  maxWaitMs: external_exports3.number().int().min(MIN_MAX_WAIT_MS).max(MAX_MAX_WAIT_MS).optional().describe(
-    `Maximum total wait in ms when awaitCompletion is true (range ${MIN_MAX_WAIT_MS}-${MAX_MAX_WAIT_MS}). Default ${DEFAULT_MAX_WAIT_MS}. On timeout, returns the last seen status with a hint to keep polling.`
-  )
-};
-var resourceTools = [
-  {
-    name: "aws_resource_get",
-    description: "Read a single AWS resource via Cloud Control API. Covers hundreds of resource types with a CloudFormation schema. `typeName` is '<Namespace>::<Service>::<Resource>' (e.g. 'AWS::Lambda::Function'); `identifier` is the primary key for that type (function name, bucket name, IAM role name, ARN, or composite id). Returns parsed Properties. For resources not covered by CCAPI or for data-plane operations, use aws_call.",
-    annotations: {
-      title: "Get an AWS resource by type + identifier",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      typeName: external_exports3.string().describe("CloudFormation type name, e.g. 'AWS::Lambda::Function', 'AWS::S3::Bucket', 'AWS::IAM::Role'."),
-      identifier: external_exports3.string().min(1).describe("Primary identifier for the resource (function name, bucket name, ARN, or composite id)."),
-      ...baseFields
-    }),
-    handler: async (input) => {
-      const i = input;
-      const tnErr = validateTypeName(i.typeName);
-      if (tnErr) return { ok: false, error: tnErr };
-      const idErr = validateIdentifier(i.identifier);
-      if (idErr) return { ok: false, error: idErr };
-      const result = await runAwsCall({
-        service: "cloudcontrol",
-        operation: "get-resource",
-        profile: i.profile,
-        region: i.region,
-        timeoutMs: i.timeoutMs,
-        outputFormat: "json",
-        extraFlags: ["--type-name", i.typeName, "--identifier", i.identifier]
-      });
-      if (!result.ok) {
-        return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
-      }
-      const raw = result.data;
-      const parsed = parseResourceProperties(raw?.ResourceDescription);
-      return {
-        ok: true,
-        data: {
-          command: result.command,
-          typeName: raw?.TypeName ?? i.typeName,
-          identifier: parsed.Identifier,
-          properties: parsed.Properties,
-          ...parsed.propertiesRaw ? { propertiesRaw: parsed.propertiesRaw } : {}
-        }
-      };
-    }
-  },
-  {
-    name: "aws_resource_list",
-    description: "List resources of a given type via Cloud Control API, paginated. Returns an array of {identifier, properties}, a `nextToken` (null when exhausted), and `hasMore`. Some types need parent identifiers (e.g. nested resources under a cluster); pass those as `resourceModel`.",
-    annotations: {
-      title: "List AWS resources of a type (paginated)",
-      readOnlyHint: true,
-      destructiveHint: false,
-      idempotentHint: true,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      typeName: external_exports3.string().describe("CloudFormation type name, e.g. 'AWS::Lambda::Function'."),
-      resourceModel: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Parent identifier properties for nested types, e.g. {ClusterArn: '...'}."),
-      maxResults: external_exports3.number().int().positive().max(100).optional().describe("Page size (1-100). Default 100."),
-      nextToken: external_exports3.string().optional().describe("Resume cursor from the previous call's `nextToken`. Omit for the first page."),
-      ...baseFields
-    }),
-    handler: async (input) => {
-      const i = input;
-      const tnErr = validateTypeName(i.typeName);
-      if (tnErr) return { ok: false, error: tnErr };
-      if (i.nextToken !== void 0) {
-        const ntErr = validateOpaqueToken(i.nextToken, "nextToken");
-        if (ntErr) return { ok: false, error: ntErr };
-      }
-      const extraFlags = ["--type-name", i.typeName, "--max-results", String(i.maxResults ?? 100)];
-      if (i.nextToken) extraFlags.push("--next-token", i.nextToken);
-      if (i.resourceModel && Object.keys(i.resourceModel).length > 0) {
-        extraFlags.push("--resource-model", JSON.stringify(i.resourceModel));
-      }
-      const result = await runAwsCall({
-        service: "cloudcontrol",
-        operation: "list-resources",
-        profile: i.profile,
-        region: i.region,
-        timeoutMs: i.timeoutMs,
-        outputFormat: "json",
-        extraFlags
-      });
-      if (!result.ok) {
-        return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
-      }
-      const raw = result.data;
-      const descriptions = Array.isArray(raw?.ResourceDescriptions) ? raw.ResourceDescriptions : [];
-      const resources = descriptions.map((d) => {
-        const p = parseResourceProperties(d);
-        return { identifier: p.Identifier, properties: p.Properties };
+      const raw = result.data;
+      const descriptions = Array.isArray(raw?.ResourceDescriptions) ? raw.ResourceDescriptions : [];
+      const resources = descriptions.map((d) => {
+        const p = parseResourceProperties(d);
+        return { identifier: p.Identifier, properties: p.Properties };
       });
       const nextToken = extractNextToken(raw);
       return {
@@ -56228,343 +55802,791 @@ var resourceTools = [
       if (!result.ok) {
         return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
       }
-      return buildMutationResponse({ command: result.command, data: result.data }, i);
+      return buildMutationResponse({ command: result.command, data: result.data }, i);
+    }
+  },
+  {
+    name: "aws_resource_delete",
+    description: "Delete an AWS resource via Cloud Control API. Async by default: returns a ProgressEvent with OperationStatus=IN_PROGRESS and a top-level `requestToken`. Pass `awaitCompletion: true` to have the server poll until terminal. Destructive -- double-check `identifier` before calling.",
+    annotations: {
+      title: "Delete an AWS resource (async via CCAPI)",
+      readOnlyHint: false,
+      destructiveHint: true,
+      idempotentHint: false,
+      openWorldHint: true
+    },
+    inputSchema: external_exports3.object({
+      typeName: external_exports3.string().describe("CloudFormation type name."),
+      identifier: external_exports3.string().min(1).describe("Primary identifier for the resource."),
+      clientToken: external_exports3.string().optional().describe("Idempotency token (max 128 chars)."),
+      ...baseFields,
+      ...awaitFields
+    }),
+    handler: async (input) => {
+      const i = input;
+      const tnErr = validateTypeName(i.typeName);
+      if (tnErr) return { ok: false, error: tnErr };
+      const idErr = validateIdentifier(i.identifier);
+      if (idErr) return { ok: false, error: idErr };
+      if (i.clientToken !== void 0) {
+        const ctErr = validateOpaqueToken(i.clientToken, "clientToken");
+        if (ctErr) return { ok: false, error: ctErr };
+      }
+      const extraFlags = ["--type-name", i.typeName, "--identifier", i.identifier];
+      if (i.clientToken) extraFlags.push("--client-token", i.clientToken);
+      const result = await runAwsCall({
+        service: "cloudcontrol",
+        operation: "delete-resource",
+        profile: i.profile,
+        region: i.region,
+        timeoutMs: i.timeoutMs,
+        outputFormat: "json",
+        extraFlags
+      });
+      if (!result.ok) {
+        return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
+      }
+      return buildMutationResponse({ command: result.command, data: result.data }, i);
+    }
+  },
+  {
+    name: "aws_resource_status",
+    description: "Poll the status of an async Cloud Control API request (create/update/delete). Pass the `requestToken` returned by those tools. Returns the current ProgressEvent with OperationStatus: PENDING | IN_PROGRESS | SUCCESS | FAILED | CANCEL_IN_PROGRESS | CANCEL_COMPLETE.",
+    annotations: {
+      title: "Get the status of an async CCAPI request",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports3.object({
+      requestToken: external_exports3.string().min(1).describe("RequestToken from a previous create/update/delete call."),
+      ...baseFields
+    }),
+    handler: async (input) => {
+      const i = input;
+      const rtErr = validateOpaqueToken(i.requestToken, "requestToken");
+      if (rtErr) return { ok: false, error: rtErr };
+      const result = await runAwsCall({
+        service: "cloudcontrol",
+        operation: "get-resource-request-status",
+        profile: i.profile,
+        region: i.region,
+        timeoutMs: i.timeoutMs,
+        outputFormat: "json",
+        extraFlags: ["--request-token", i.requestToken]
+      });
+      if (!result.ok) {
+        return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
+      }
+      const raw = result.data;
+      const progressEvent = raw?.ProgressEvent ?? null;
+      const fields = extractProgressFields(progressEvent);
+      return {
+        ok: true,
+        data: { command: result.command, ...fields, progressEvent }
+      };
+    }
+  },
+  {
+    name: "aws_resource_diff",
+    description: "Dry-run a CCAPI update: fetch the current resource state, simulate applying a JSON Patch in memory, and return before/after plus a flat list of changed paths. No mutation is sent to AWS. Use this before aws_resource_update to verify the patch does what you expect. Supports the add/remove/replace subset of RFC 6902 (covers the vast majority of CCAPI updates); 'move'/'copy'/'test' are rejected at schema validation -- use aws_resource_update directly if you need those (CCAPI accepts them, this preview tool just doesn't simulate them locally).",
+    annotations: {
+      title: "Preview a CCAPI update without applying it",
+      readOnlyHint: true,
+      destructiveHint: false,
+      idempotentHint: true,
+      openWorldHint: true
+    },
+    inputSchema: external_exports3.object({
+      typeName: external_exports3.string().describe("CloudFormation type name, e.g. 'AWS::Lambda::Function'."),
+      identifier: external_exports3.string().min(1).describe("Primary identifier for the resource."),
+      patchDocument: external_exports3.array(
+        external_exports3.object({
+          // Diff simulates patches locally via applyJsonPatch; only the
+          // add/remove/replace subset is implemented. Reject the other
+          // three RFC 6902 ops here so the model gets schema-validation
+          // feedback instead of a runtime "not implemented" error
+          // surfaced as a generic "Patch application failed". The
+          // sibling aws_resource_update tool accepts the full op set
+          // because CCAPI does -- only this preview tool is restricted.
+          op: external_exports3.enum(["add", "remove", "replace"]),
+          path: external_exports3.string(),
+          value: external_exports3.unknown().optional(),
+          from: external_exports3.string().optional()
+        })
+      ).min(1).describe(
+        "RFC 6902 JSON Patch (add/remove/replace subset). For move/copy/test, use aws_resource_update directly."
+      ),
+      ...baseFields
+    }),
+    handler: async (input) => {
+      const i = input;
+      const tnErr = validateTypeName(i.typeName);
+      if (tnErr) return { ok: false, error: tnErr };
+      const idErr = validateIdentifier(i.identifier);
+      if (idErr) return { ok: false, error: idErr };
+      const getResult = await runAwsCall({
+        service: "cloudcontrol",
+        operation: "get-resource",
+        profile: i.profile,
+        region: i.region,
+        timeoutMs: i.timeoutMs,
+        outputFormat: "json",
+        extraFlags: ["--type-name", i.typeName, "--identifier", i.identifier]
+      });
+      if (!getResult.ok) {
+        return { ok: false, error: getResult.error, rawBody: getResult.rawStderr ?? getResult.rawStdout };
+      }
+      const raw = getResult.data;
+      const parsed = parseResourceProperties(raw?.ResourceDescription);
+      const before = parsed.Properties;
+      let after;
+      try {
+        after = applyJsonPatch(before, i.patchDocument);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return { ok: false, error: `Patch application failed: ${msg}` };
+      }
+      const changes = summarizePatch(i.patchDocument, before, after);
+      return {
+        ok: true,
+        data: {
+          command: getResult.command,
+          typeName: i.typeName,
+          identifier: parsed.Identifier ?? i.identifier,
+          before,
+          after,
+          changes,
+          changeCount: changes.length
+        }
+      };
+    }
+  }
+];
+function parseJsonPointer(pointer) {
+  if (pointer === "") return [];
+  if (!pointer.startsWith("/")) {
+    throw new Error(`Invalid JSON Pointer '${pointer}': must start with '/' or be empty.`);
+  }
+  return pointer.slice(1).split("/").map((t) => t.replace(/~1/g, "/").replace(/~0/g, "~"));
+}
+function clone2(v) {
+  return v === void 0 ? v : JSON.parse(JSON.stringify(v));
+}
+function isObj(v) {
+  return v !== null && typeof v === "object" && !Array.isArray(v);
+}
+function applyJsonPatch(original, ops) {
+  const doc = clone2(original);
+  return _applyJsonPatchInPlace(doc, ops);
+}
+function _applyJsonPatchInPlace(doc, ops) {
+  let root = doc;
+  for (let i = 0; i < ops.length; i++) {
+    const op = ops[i];
+    if (op.op === "move" || op.op === "copy" || op.op === "test") {
+      throw new Error(`op '${op.op}' at index ${i} is not implemented in aws_resource_diff (use add/remove/replace).`);
+    }
+    const tokens = parseJsonPointer(op.path);
+    if (tokens.length === 0) {
+      if (op.op === "remove") {
+        throw new Error(`Cannot remove the document root at index ${i}.`);
+      }
+      root = clone2(op.value);
+      continue;
+    }
+    const parentTokens = tokens.slice(0, -1);
+    const lastToken = tokens[tokens.length - 1];
+    let parent = root;
+    for (let t = 0; t < parentTokens.length; t++) {
+      const segment = parentTokens[t];
+      if (Array.isArray(parent)) {
+        const idx = Number.parseInt(segment, 10);
+        if (!Number.isInteger(idx) || idx < 0) {
+          throw new Error(`Path '${op.path}' segment '${segment}' is not a valid array index at op index ${i}.`);
+        }
+        if (idx >= parent.length) {
+          throw new Error(
+            `Path '${op.path}' cannot traverse into intermediate array element at segment '${segment}': array has length ${parent.length}, so index ${idx} does not exist yet (at op index ${i}).`
+          );
+        }
+        parent = parent[idx];
+      } else if (isObj(parent)) {
+        if (!(segment in parent)) {
+          if (op.op === "add") {
+            parent[segment] = {};
+            parent = parent[segment];
+            continue;
+          }
+          throw new Error(`Path '${op.path}' segment '${segment}' does not exist at index ${i}.`);
+        }
+        parent = parent[segment];
+      } else {
+        throw new Error(`Path '${op.path}' traverses a non-container value at index ${i}.`);
+      }
     }
-  },
-  {
-    name: "aws_resource_delete",
-    description: "Delete an AWS resource via Cloud Control API. Async by default: returns a ProgressEvent with OperationStatus=IN_PROGRESS and a top-level `requestToken`. Pass `awaitCompletion: true` to have the server poll until terminal. Destructive -- double-check `identifier` before calling.",
-    annotations: {
-      title: "Delete an AWS resource (async via CCAPI)",
-      readOnlyHint: false,
-      destructiveHint: true,
-      idempotentHint: false,
-      openWorldHint: true
-    },
-    inputSchema: external_exports3.object({
-      typeName: external_exports3.string().describe("CloudFormation type name."),
-      identifier: external_exports3.string().min(1).describe("Primary identifier for the resource."),
-      clientToken: external_exports3.string().optional().describe("Idempotency token (max 128 chars)."),
-      ...baseFields,
-      ...awaitFields
-    }),
-    handler: async (input) => {
-      const i = input;
-      const tnErr = validateTypeName(i.typeName);
-      if (tnErr) return { ok: false, error: tnErr };
-      const idErr = validateIdentifier(i.identifier);
-      if (idErr) return { ok: false, error: idErr };
-      if (i.clientToken !== void 0) {
-        const ctErr = validateOpaqueToken(i.clientToken, "clientToken");
-        if (ctErr) return { ok: false, error: ctErr };
+    if (Array.isArray(parent)) {
+      if (lastToken === "-") {
+        if (op.op === "remove") {
+          throw new Error(`Cannot remove '-' (end-of-array) at index ${i}.`);
+        }
+        parent.push(clone2(op.value));
+        continue;
       }
-      const extraFlags = ["--type-name", i.typeName, "--identifier", i.identifier];
-      if (i.clientToken) extraFlags.push("--client-token", i.clientToken);
-      const result = await runAwsCall({
-        service: "cloudcontrol",
-        operation: "delete-resource",
-        profile: i.profile,
-        region: i.region,
-        timeoutMs: i.timeoutMs,
-        outputFormat: "json",
-        extraFlags
-      });
-      if (!result.ok) {
-        return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
+      const idx = Number.parseInt(lastToken, 10);
+      if (!Number.isInteger(idx) || idx < 0) {
+        throw new Error(`Path '${op.path}' has non-integer array index '${lastToken}' at index ${i}.`);
       }
-      return buildMutationResponse({ command: result.command, data: result.data }, i);
+      if (op.op === "add") {
+        if (idx > parent.length) {
+          throw new Error(`Add index ${idx} out of bounds for array of length ${parent.length} at index ${i}.`);
+        }
+        parent.splice(idx, 0, clone2(op.value));
+      } else if (op.op === "remove") {
+        if (idx >= parent.length) {
+          throw new Error(`Remove index ${idx} out of bounds for array of length ${parent.length} at index ${i}.`);
+        }
+        parent.splice(idx, 1);
+      } else {
+        if (idx >= parent.length) {
+          throw new Error(`Replace index ${idx} out of bounds for array of length ${parent.length} at index ${i}.`);
+        }
+        parent[idx] = clone2(op.value);
+      }
+    } else if (isObj(parent)) {
+      if (op.op === "remove") {
+        if (!(lastToken in parent)) {
+          throw new Error(`Cannot remove missing key '${lastToken}' at index ${i}.`);
+        }
+        delete parent[lastToken];
+      } else if (op.op === "replace") {
+        if (!(lastToken in parent)) {
+          throw new Error(`Cannot replace missing key '${lastToken}' at index ${i} (use 'add' to create it).`);
+        }
+        parent[lastToken] = clone2(op.value);
+      } else {
+        parent[lastToken] = clone2(op.value);
+      }
+    } else {
+      throw new Error(`Path '${op.path}' parent is not a container at index ${i}.`);
     }
-  },
+  }
+  return root;
+}
+function summarizePatch(ops, before, after) {
+  let working;
+  let replayOk = true;
+  try {
+    working = clone2(before);
+  } catch {
+    replayOk = false;
+    working = void 0;
+  }
+  const out = [];
+  for (const op of ops) {
+    const beforeAt = resolvePointer(before, op.path);
+    let afterAt;
+    if (replayOk) {
+      try {
+        working = _applyJsonPatchInPlace(working, [op]);
+        afterAt = resolvePointer(working, op.path);
+      } catch {
+        replayOk = false;
+        afterAt = resolvePointer(after, op.path);
+      }
+    } else {
+      afterAt = resolvePointer(after, op.path);
+    }
+    if (op.op === "add" && afterAt === void 0 && op.path.endsWith("/-")) {
+      afterAt = op.value;
+    }
+    out.push({ op: op.op, path: op.path, before: beforeAt, after: afterAt });
+  }
+  return out;
+}
+function resolvePointer(doc, pointer) {
+  let tokens;
+  try {
+    tokens = parseJsonPointer(pointer);
+  } catch {
+    return void 0;
+  }
+  let cur = doc;
+  for (const t of tokens) {
+    if (Array.isArray(cur)) {
+      if (t === "-") return void 0;
+      const idx = Number.parseInt(t, 10);
+      if (!Number.isInteger(idx) || idx < 0 || idx >= cur.length) return void 0;
+      cur = cur[idx];
+    } else if (isObj(cur)) {
+      if (!(t in cur)) return void 0;
+      cur = cur[t];
+    } else {
+      return void 0;
+    }
+  }
+  return cur;
+}
+
+// src/tools/paginate.ts
+function extractNextToken(data) {
+  if (data && typeof data === "object" && "NextToken" in data) {
+    const token = data.NextToken;
+    if (typeof token === "string" && token.length > 0) return token;
+  }
+  return null;
+}
+function wrapQueryForPagination(userQuery) {
+  return `{NextToken: NextToken, items: ${userQuery}}`;
+}
+var paginateTools = [
   {
-    name: "aws_resource_status",
-    description: "Poll the status of an async Cloud Control API request (create/update/delete). Pass the `requestToken` returned by those tools. Returns the current ProgressEvent with OperationStatus: PENDING | IN_PROGRESS | SUCCESS | FAILED | CANCEL_IN_PROGRESS | CANCEL_COMPLETE.",
+    name: "aws_paginate",
+    description: "Fetch one page of a paginated AWS list/describe operation. Identical to aws_call plus `maxItems` (page size) and `startingToken` (resume cursor). When `query` is supplied it is wrapped server-side as {NextToken, items: <query>} so pagination survives a projection that would otherwise drop NextToken; the handler unwraps `items` before returning. Returns the parsed response, a `nextToken` (null when the list is exhausted), and `hasMore`. Call again with the returned nextToken as startingToken until hasMore is false. Use this instead of aws_call for operations that might exceed the 5 MB stdout cap: list-objects-v2, describe-instances, describe-log-streams, list-roles, etc.",
     annotations: {
-      title: "Get the status of an async CCAPI request",
+      title: "Fetch one page of a paginated AWS operation",
       readOnlyHint: true,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      requestToken: external_exports3.string().min(1).describe("RequestToken from a previous create/update/delete call."),
-      ...baseFields
+      service: external_exports3.string().describe("AWS service in kebab-case: 's3api', 'ec2', 'iam', 'logs', etc."),
+      operation: external_exports3.string().describe("Paginated operation: 'list-objects-v2', 'describe-instances', 'list-roles', etc."),
+      params: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Operation parameters (PascalCase keys) passed via --cli-input-json."),
+      query: external_exports3.string().optional().describe(
+        "JMESPath expression to extract fields from each page (--query). The query is wrapped server-side as {NextToken, items: <query>} so pagination still works even when the projection drops NextToken; the handler unwraps `items` before returning."
+      ),
+      maxItems: external_exports3.number().int().positive().max(1e4).optional().describe("Items per page (1-10000). Default 100. Lower this if hitting the 5 MB output cap."),
+      startingToken: external_exports3.string().optional().describe("Resume cursor from the previous call's `nextToken`. Omit for the first page."),
+      profile: external_exports3.string().optional().describe("Override session profile for this call."),
+      region: external_exports3.string().optional().describe("Override session region for this call."),
+      timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in milliseconds. Default 60000.")
     }),
     handler: async (input) => {
       const i = input;
-      const rtErr = validateOpaqueToken(i.requestToken, "requestToken");
-      if (rtErr) return { ok: false, error: rtErr };
+      if (i.startingToken !== void 0) {
+        const stErr = validateOpaqueToken(i.startingToken, "startingToken");
+        if (stErr) return { ok: false, error: stErr };
+      }
+      const maxItems = Math.min(Math.max(1, i.maxItems ?? 100), 1e4);
+      const extraFlags = ["--max-items", String(maxItems)];
+      if (i.startingToken) {
+        extraFlags.push("--starting-token", i.startingToken);
+      }
+      const userQuery = i.query?.trim();
+      const queryWrapped = userQuery ? wrapQueryForPagination(userQuery) : void 0;
       const result = await runAwsCall({
-        service: "cloudcontrol",
-        operation: "get-resource-request-status",
+        service: i.service,
+        operation: i.operation,
+        params: i.params,
+        query: queryWrapped,
         profile: i.profile,
         region: i.region,
-        timeoutMs: i.timeoutMs,
         outputFormat: "json",
-        extraFlags: ["--request-token", i.requestToken]
+        timeoutMs: i.timeoutMs,
+        extraFlags
       });
       if (!result.ok) {
         return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
       }
-      const raw = result.data;
-      const progressEvent = raw?.ProgressEvent ?? null;
-      const fields = extractProgressFields(progressEvent);
+      let resultBody;
+      let nextToken;
+      if (queryWrapped) {
+        const wrapped = result.data ?? {};
+        nextToken = extractNextToken(wrapped);
+        resultBody = wrapped.items ?? null;
+      } else {
+        nextToken = extractNextToken(result.data);
+        resultBody = result.data;
+      }
       return {
         ok: true,
-        data: { command: result.command, ...fields, progressEvent }
+        data: {
+          command: result.command,
+          result: resultBody,
+          nextToken,
+          hasMore: nextToken !== null
+        }
       };
     }
-  },
+  }
+];
+
+// src/tools/metrics.ts
+var SIMPLE_STATS = ["Average", "Sum", "Maximum", "Minimum", "SampleCount"];
+var EXTENDED_STAT_RE = /^((p|tm|tc|wm|pr|ts)(\d{1,3}(\.\d{1,3})?)?|iqm)$/i;
+function isValidStatistic(s) {
+  const lower = s.toLowerCase();
+  if (SIMPLE_STATS.some((stat) => stat.toLowerCase() === lower)) return true;
+  return EXTENDED_STAT_RE.test(s);
+}
+function canonicalizeStatistic(s) {
+  const lower = s.toLowerCase();
+  for (const stat of SIMPLE_STATS) {
+    if (stat.toLowerCase() === lower) return stat;
+  }
+  if (EXTENDED_STAT_RE.test(s)) return lower;
+  return s;
+}
+var QUERY_ID_RE = /^[a-z][A-Za-z0-9_]*$/;
+var MAX_QUERIES = 100;
+var CLOUDWATCH_MAX_DATAPOINTS = 100800;
+var PERIOD_3H_MS = 3 * 60 * 60 * 1e3;
+var PERIOD_24H_MS = 24 * 60 * 60 * 1e3;
+var PERIOD_15D_MS = 15 * 24 * 60 * 60 * 1e3;
+function pickAutoPeriodSeconds(startMs, endMs) {
+  const rangeMs = Math.max(0, endMs - startMs);
+  if (rangeMs <= PERIOD_3H_MS) return 60;
+  if (rangeMs <= PERIOD_24H_MS) return 300;
+  if (rangeMs <= PERIOD_15D_MS) return 900;
+  return 3600;
+}
+var RELATIVE_TIME_RE = /^\d+[smhdw]$/;
+var UNIT_MS = {
+  s: 1e3,
+  m: 60 * 1e3,
+  h: 60 * 60 * 1e3,
+  d: 24 * 60 * 60 * 1e3,
+  w: 7 * 24 * 60 * 60 * 1e3
+};
+function resolveTime(input, now) {
+  if (input === "now") return new Date(now);
+  const rel = input.match(RELATIVE_TIME_RE);
+  if (rel) {
+    const num = Number(input.slice(0, -1));
+    const unit = input.slice(-1);
+    const ms = UNIT_MS[unit];
+    if (!ms || !Number.isFinite(num)) return null;
+    return new Date(now - num * ms);
+  }
+  const t = new Date(input);
+  if (Number.isNaN(t.getTime())) return null;
+  return t;
+}
+function buildMetricDataQueries(inputs, autoPeriod) {
+  return inputs.map((q) => {
+    const base = { Id: q.id };
+    if (q.label !== void 0) base.Label = q.label;
+    if (q.returnData !== void 0) base.ReturnData = q.returnData;
+    if (q.expression !== void 0) {
+      base.Expression = q.expression;
+      if (q.period !== void 0) base.Period = q.period;
+      return base;
+    }
+    const dimensions = q.dimensions ? Object.entries(q.dimensions).map(([Name, Value]) => ({ Name, Value })) : void 0;
+    const stat = {
+      Metric: {
+        Namespace: q.namespace,
+        MetricName: q.metricName,
+        ...dimensions ? { Dimensions: dimensions } : {}
+      },
+      Period: q.period ?? autoPeriod,
+      Stat: q.statistic !== void 0 ? canonicalizeStatistic(q.statistic) : "Average"
+    };
+    if (q.unit !== void 0) stat.Unit = q.unit;
+    base.MetricStat = stat;
+    return base;
+  });
+}
+var metricsTools = [
   {
-    name: "aws_resource_diff",
-    description: "Dry-run a CCAPI update: fetch the current resource state, simulate applying a JSON Patch in memory, and return before/after plus a flat list of changed paths. No mutation is sent to AWS. Use this before aws_resource_update to verify the patch does what you expect. Supports the add/remove/replace subset of RFC 6902 (covers the vast majority of CCAPI updates); 'move'/'copy'/'test' are rejected at schema validation -- use aws_resource_update directly if you need those (CCAPI accepts them, this preview tool just doesn't simulate them locally).",
+    name: "aws_metrics_query",
+    description: "Query CloudWatch metrics via GetMetricData (the modern multi-metric / expression-capable API, not the legacy get-metric-statistics). Pass `queries` as a flat array of {id, namespace, metricName, dimensions?, statistic?, period?, expression?, label?}; the tool shapes them into MetricDataQueries for you. `startTime`/`endTime` accept ISO 8601 or relative shorthand ('15m', '1h', '1d', '1w'); endTime defaults to 'now'. Period is auto-picked from the time range when omitted (60s for <=3h, 300s for <=24h, 900s for <=15d, 3600s otherwise) to stay under CloudWatch's ~100,800-datapoint response cap. Returns {series: [{id, label?, timestamps, values, period?, statusCode?}], messages?, periodSeconds, profile, region, nextToken, hasMore}. Each series' `period` is the effective granularity for that query (its explicit period, or the auto-pick it inherited); it is omitted for an expression query that didn't set one. The top-level `periodSeconds` is always the auto-pick. When CloudWatch truncates a large response, `hasMore` is true and `nextToken` carries the resume cursor -- call again with `nextToken` set to fetch the next page (rare for typical agent queries that stay within the per-request cap). Use for 'show me the CPU on this instance for the last hour', 'sum lambda invocations across these 3 functions', or expression-based 'p99 latency divided by average latency' lookups.",
     annotations: {
-      title: "Preview a CCAPI update without applying it",
+      title: "Query CloudWatch metrics (GetMetricData)",
       readOnlyHint: true,
       destructiveHint: false,
       idempotentHint: true,
       openWorldHint: true
     },
     inputSchema: external_exports3.object({
-      typeName: external_exports3.string().describe("CloudFormation type name, e.g. 'AWS::Lambda::Function'."),
-      identifier: external_exports3.string().min(1).describe("Primary identifier for the resource."),
-      patchDocument: external_exports3.array(
+      queries: external_exports3.array(
         external_exports3.object({
-          // Diff simulates patches locally via applyJsonPatch; only the
-          // add/remove/replace subset is implemented. Reject the other
-          // three RFC 6902 ops here so the model gets schema-validation
-          // feedback instead of a runtime "not implemented" error
-          // surfaced as a generic "Patch application failed". The
-          // sibling aws_resource_update tool accepts the full op set
-          // because CCAPI does -- only this preview tool is restricted.
-          op: external_exports3.enum(["add", "remove", "replace"]),
-          path: external_exports3.string(),
-          value: external_exports3.unknown().optional(),
-          from: external_exports3.string().optional()
+          id: external_exports3.string().regex(QUERY_ID_RE, "id must match /^[a-z][A-Za-z0-9_]*$/ (CloudWatch's MetricDataQuery.Id contract)"),
+          namespace: external_exports3.string().min(1).optional().describe("AWS metric namespace, e.g. 'AWS/Lambda', 'AWS/EC2'. Required unless `expression` is set."),
+          metricName: external_exports3.string().min(1).optional().describe("Metric name, e.g. 'Invocations', 'CPUUtilization'. Required unless `expression` is set."),
+          dimensions: external_exports3.record(external_exports3.string(), external_exports3.string()).optional().describe("Dimension Name -> Value map, e.g. {FunctionName: 'my-fn'}."),
+          statistic: external_exports3.string().optional().describe(
+            "Statistic: Average | Sum | Maximum | Minimum | SampleCount, or an extended stat like 'p99', 'p99.9', 'tm95'. Default 'Average'."
+          ),
+          period: external_exports3.number().int().positive().optional().describe("Period in seconds. Defaults to an auto-pick from the time range (60s/300s/900s/3600s)."),
+          expression: external_exports3.string().min(1).optional().describe(
+            `CloudWatch metric math expression, e.g. 'SUM([m1, m2])' or 'AVG(METRICS("AWS/Lambda"))'. Mutually exclusive with namespace/metricName/dimensions.`
+          ),
+          label: external_exports3.string().optional().describe("Human-readable label for the series in the response."),
+          returnData: external_exports3.boolean().optional().describe(
+            "Set false to compute this query but not return its data (useful for intermediate values in expressions). Default true."
+          ),
+          unit: external_exports3.string().optional().describe(
+            "Restrict to a specific Unit (e.g. 'Seconds', 'Bytes'). Default: no filter. Only meaningful on metric-stat queries."
+          )
         })
-      ).min(1).describe(
-        "RFC 6902 JSON Patch (add/remove/replace subset). For move/copy/test, use aws_resource_update directly."
+      ).min(1).max(MAX_QUERIES).describe(`1-${MAX_QUERIES} queries. Each is either a metric-stat (namespace + metricName) or an expression.`),
+      startTime: external_exports3.string().optional().describe("ISO 8601 timestamp or relative shorthand ('15m', '1h', '1d', '1w'). Default '1h' (one hour ago)."),
+      endTime: external_exports3.string().optional().describe("ISO 8601 timestamp or relative shorthand. Default 'now'."),
+      scanBy: external_exports3.enum(["TimestampAscending", "TimestampDescending"]).optional().describe("Sort order for returned datapoints. Default 'TimestampDescending' (matches CloudWatch's default)."),
+      maxDataPoints: external_exports3.number().int().positive().optional().describe(
+        "Target datapoint count. CloudWatch does not truncate to the first N points -- it widens (coarsens) the period server-side so the series aggregates down to fit this many points. CloudWatch's own ceiling is ~100,800; lower this to make CloudWatch return a coarser, smaller series. Forwarded as CloudWatch's MaxDatapoints (single 'p') field; the camelCase schema name follows this server's convention."
       ),
-      ...baseFields
+      nextToken: external_exports3.string().optional().describe(
+        "Resume cursor from a previous call's `nextToken`. Omit for the first page. Forwarded as CloudWatch's NextToken; only meaningful when a prior call returned `hasMore: true`."
+      ),
+      profile: external_exports3.string().optional().describe("Override session profile for this call."),
+      region: external_exports3.string().optional().describe("Override session region for this call."),
+      timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in milliseconds. Default 60000 (60s).")
     }),
     handler: async (input) => {
       const i = input;
-      const tnErr = validateTypeName(i.typeName);
-      if (tnErr) return { ok: false, error: tnErr };
-      const idErr = validateIdentifier(i.identifier);
-      if (idErr) return { ok: false, error: idErr };
-      const getResult = await runAwsCall({
-        service: "cloudcontrol",
-        operation: "get-resource",
+      const seenIds = /* @__PURE__ */ new Map();
+      for (let qi = 0; qi < i.queries.length; qi++) {
+        const q = i.queries[qi];
+        const firstIdx = seenIds.get(q.id);
+        if (firstIdx !== void 0) {
+          return {
+            ok: false,
+            error: `Duplicate query id '${q.id}' at queries[${qi}]; first seen at queries[${firstIdx}]. Each MetricDataQuery.Id must be unique in a batch.`
+          };
+        }
+        seenIds.set(q.id, qi);
+        const hasMetricStat = q.namespace !== void 0 || q.metricName !== void 0 || q.dimensions !== void 0;
+        const hasExpression = q.expression !== void 0;
+        if (hasMetricStat && hasExpression) {
+          return {
+            ok: false,
+            error: `Query '${q.id}' mixes metric-stat fields (namespace/metricName/dimensions) with 'expression'. Pick one shape per query.`
+          };
+        }
+        if (!hasMetricStat && !hasExpression) {
+          return {
+            ok: false,
+            error: `Query '${q.id}' has neither metric-stat (namespace+metricName) nor 'expression'. One is required.`
+          };
+        }
+        if (hasMetricStat && (q.namespace === void 0 || q.metricName === void 0)) {
+          return {
+            ok: false,
+            error: `Query '${q.id}' must include BOTH 'namespace' and 'metricName' (or use 'expression' instead).`
+          };
+        }
+        if (q.statistic !== void 0 && !isValidStatistic(q.statistic)) {
+          return {
+            ok: false,
+            error: `Query '${q.id}' has invalid statistic '${q.statistic}'. Use Average | Sum | Maximum | Minimum | SampleCount, or an extended stat like p99 / p99.9 / tm95.`
+          };
+        }
+      }
+      const now = Date.now();
+      const startStr = i.startTime ?? "1h";
+      const endStr = i.endTime ?? "now";
+      const startDate = resolveTime(startStr, now);
+      const endDate = resolveTime(endStr, now);
+      if (!startDate) {
+        return {
+          ok: false,
+          error: `Invalid startTime '${startStr}'. Use ISO 8601 (e.g. '2026-05-16T10:00:00Z') or relative shorthand (e.g. '1h', '15m', '1d').`
+        };
+      }
+      if (!endDate) {
+        return {
+          ok: false,
+          error: `Invalid endTime '${endStr}'. Use ISO 8601 or relative shorthand, or 'now' for the current moment.`
+        };
+      }
+      if (endDate.getTime() <= startDate.getTime()) {
+        return {
+          ok: false,
+          error: `endTime (${endDate.toISOString()}) must be after startTime (${startDate.toISOString()}).`
+        };
+      }
+      const rangeSeconds = (endDate.getTime() - startDate.getTime()) / 1e3;
+      for (const q of i.queries) {
+        if (q.period === void 0) continue;
+        if (q.period <= 0 || q.period % 60 !== 0) {
+          return {
+            ok: false,
+            error: `Query '${q.id}' has invalid period ${q.period}. CloudWatch requires period to be a positive multiple of 60 (seconds).`
+          };
+        }
+        const datapoints = Math.ceil(rangeSeconds / q.period);
+        if (datapoints > CLOUDWATCH_MAX_DATAPOINTS) {
+          return {
+            ok: false,
+            error: `Query '${q.id}' with period ${q.period}s over the requested range (${startDate.toISOString()} to ${endDate.toISOString()}) would request ${datapoints} datapoints, exceeding CloudWatch's per-request cap of ${CLOUDWATCH_MAX_DATAPOINTS}. Widen the period or narrow the time range.`
+          };
+        }
+      }
+      const periodSeconds = pickAutoPeriodSeconds(startDate.getTime(), endDate.getTime());
+      const metricDataQueries = buildMetricDataQueries(i.queries, periodSeconds);
+      const params = {
+        MetricDataQueries: metricDataQueries,
+        StartTime: startDate.toISOString(),
+        EndTime: endDate.toISOString(),
+        ScanBy: i.scanBy ?? "TimestampDescending"
+      };
+      if (i.maxDataPoints !== void 0) params.MaxDatapoints = i.maxDataPoints;
+      if (i.nextToken !== void 0) params.NextToken = i.nextToken;
+      const effectiveProfile = i.profile ?? getProfile();
+      const effectiveRegion = i.region ?? getRegion();
+      const result = await runAwsCall({
+        service: "cloudwatch",
+        operation: "get-metric-data",
         profile: i.profile,
         region: i.region,
         timeoutMs: i.timeoutMs,
         outputFormat: "json",
-        extraFlags: ["--type-name", i.typeName, "--identifier", i.identifier]
+        params
       });
-      if (!getResult.ok) {
-        return { ok: false, error: getResult.error, rawBody: getResult.rawStderr ?? getResult.rawStdout };
-      }
-      const raw = getResult.data;
-      const parsed = parseResourceProperties(raw?.ResourceDescription);
-      const before = parsed.Properties;
-      let after;
-      try {
-        after = applyJsonPatch(before, i.patchDocument);
-      } catch (err) {
-        const msg = err instanceof Error ? err.message : String(err);
-        return { ok: false, error: `Patch application failed: ${msg}` };
+      if (!result.ok) {
+        return { ok: false, error: result.error, rawBody: result.rawStderr ?? result.rawStdout };
       }
-      const changes = summarizePatch(i.patchDocument, before, after);
+      const raw = result.data ?? {};
+      const queryById = new Map(i.queries.map((q) => [q.id, q]));
+      const series = (raw.MetricDataResults ?? []).map((r) => {
+        const q = queryById.get(r.Id ?? "");
+        const effectivePeriod = q?.period ?? (q && q.expression === void 0 ? periodSeconds : void 0);
+        return {
+          id: r.Id ?? "",
+          ...r.Label !== void 0 ? { label: r.Label } : {},
+          timestamps: r.Timestamps ?? [],
+          values: r.Values ?? [],
+          ...effectivePeriod !== void 0 ? { period: effectivePeriod } : {},
+          ...r.StatusCode !== void 0 ? { statusCode: r.StatusCode } : {}
+        };
+      });
+      const messages = raw.Messages?.filter((m) => m.Code || m.Value).map((m) => ({
+        code: m.Code,
+        value: m.Value
+      }));
+      const nextToken = extractNextToken(raw);
       return {
         ok: true,
         data: {
-          command: getResult.command,
-          typeName: i.typeName,
-          identifier: parsed.Identifier ?? i.identifier,
-          before,
-          after,
-          changes,
-          changeCount: changes.length
+          command: result.command,
+          profile: effectiveProfile,
+          region: effectiveRegion,
+          startTime: startDate.toISOString(),
+          endTime: endDate.toISOString(),
+          periodSeconds,
+          series,
+          nextToken,
+          hasMore: nextToken !== null,
+          ...messages && messages.length > 0 ? { messages } : {}
         }
       };
     }
   }
 ];
-function parseJsonPointer(pointer) {
-  if (pointer === "") return [];
-  if (!pointer.startsWith("/")) {
-    throw new Error(`Invalid JSON Pointer '${pointer}': must start with '/' or be empty.`);
-  }
-  return pointer.slice(1).split("/").map((t) => t.replace(/~1/g, "/").replace(/~0/g, "~"));
-}
-function clone2(v) {
-  return v === void 0 ? v : JSON.parse(JSON.stringify(v));
-}
-function isObj(v) {
-  return v !== null && typeof v === "object" && !Array.isArray(v);
-}
-function applyJsonPatch(original, ops) {
-  const doc = clone2(original);
-  return _applyJsonPatchInPlace(doc, ops);
-}
-function _applyJsonPatchInPlace(doc, ops) {
-  let root = doc;
-  for (let i = 0; i < ops.length; i++) {
-    const op = ops[i];
-    if (op.op === "move" || op.op === "copy" || op.op === "test") {
-      throw new Error(`op '${op.op}' at index ${i} is not implemented in aws_resource_diff (use add/remove/replace).`);
-    }
-    const tokens = parseJsonPointer(op.path);
-    if (tokens.length === 0) {
-      if (op.op === "remove") {
-        throw new Error(`Cannot remove the document root at index ${i}.`);
-      }
-      root = clone2(op.value);
-      continue;
-    }
-    const parentTokens = tokens.slice(0, -1);
-    const lastToken = tokens[tokens.length - 1];
-    let parent = root;
-    for (let t = 0; t < parentTokens.length; t++) {
-      const segment = parentTokens[t];
-      if (Array.isArray(parent)) {
-        const idx = Number.parseInt(segment, 10);
-        if (!Number.isInteger(idx) || idx < 0) {
-          throw new Error(`Path '${op.path}' segment '${segment}' is not a valid array index at op index ${i}.`);
-        }
-        if (idx >= parent.length) {
-          throw new Error(
-            `Path '${op.path}' cannot traverse into intermediate array element at segment '${segment}': array has length ${parent.length}, so index ${idx} does not exist yet (at op index ${i}).`
-          );
-        }
-        parent = parent[idx];
-      } else if (isObj(parent)) {
-        if (!(segment in parent)) {
-          if (op.op === "add") {
-            parent[segment] = {};
-            parent = parent[segment];
-            continue;
-          }
-          throw new Error(`Path '${op.path}' segment '${segment}' does not exist at index ${i}.`);
-        }
-        parent = parent[segment];
-      } else {
-        throw new Error(`Path '${op.path}' traverses a non-container value at index ${i}.`);
-      }
+
+// src/tools/multi-region.ts
+var DEFAULT_CONCURRENCY = 8;
+var MAX_CONCURRENCY = 32;
+var MAX_REGIONS = 32;
+async function runWithConcurrency(inputs, concurrency, fn) {
+  const results = new Array(inputs.length);
+  let next = 0;
+  const worker = async () => {
+    while (true) {
+      const i = next++;
+      if (i >= inputs.length) return;
+      results[i] = await fn(inputs[i], i);
     }
-    if (Array.isArray(parent)) {
-      if (lastToken === "-") {
-        if (op.op === "remove") {
-          throw new Error(`Cannot remove '-' (end-of-array) at index ${i}.`);
+  };
+  const workerCount = Math.min(concurrency, inputs.length);
+  await Promise.all(Array.from({ length: workerCount }, () => worker()));
+  return results;
+}
+var multiRegionTools = [
+  {
+    name: "aws_multi_region",
+    description: "Run the same AWS API operation across multiple regions in parallel. Same shape as aws_call (service, operation, params?, query?, outputFormat?, timeoutMs?) but takes `regions: string[]` instead of `region`. Returns an array of `{region, ok, data?, command?, error?, errorKind?}` -- partial failure is expected (services aren't everywhere, perms may be region-scoped). Duplicate regions in the input are collapsed (first occurrence wins), so `results.length` may be less than `regions.length`; use the returned `regionCount` for the actual count run. Use for fleet-wide reads: 'describe-instances across all our regions', 'list buckets in every region', 'check IAM password policy everywhere'.",
+    annotations: {
+      title: "Run an AWS operation across multiple regions in parallel",
+      // The operation can be anything -- we conservatively annotate as not
+      // read-only / not destructive. The caller chooses what to invoke.
+      readOnlyHint: false,
+      destructiveHint: false,
+      idempotentHint: false,
+      openWorldHint: true
+    },
+    inputSchema: external_exports3.object({
+      service: external_exports3.string().describe("AWS service in kebab-case: 's3api', 'ec2', 'iam', etc."),
+      operation: external_exports3.string().describe("Operation in kebab-case: 'describe-instances', 'list-buckets', etc."),
+      regions: external_exports3.array(external_exports3.string().min(1)).min(1).max(MAX_REGIONS).describe(
+        `Region IDs (e.g. ['us-east-1','us-west-2','eu-west-1']). 1-${MAX_REGIONS}. Validated for argv-safety; a bad region name yields a clear per-region error and skips its CLI spawn (per-region isolation comes from each region being a separate call, not from this pre-check).`
+      ),
+      params: external_exports3.record(external_exports3.string(), external_exports3.unknown()).optional().describe("Operation parameters (PascalCase keys) -- same shape as aws_call."),
+      query: external_exports3.string().optional().describe("JMESPath expression for --query (server-side trimming per region)."),
+      outputFormat: external_exports3.enum(["json", "text", "table", "yaml"]).optional().describe("Output format. Default 'json'."),
+      profile: external_exports3.string().optional().describe("Override session profile for the batch."),
+      timeoutMs: external_exports3.number().int().positive().optional().describe("Timeout in ms applied PER region. Default 60000."),
+      concurrency: external_exports3.number().int().positive().max(MAX_CONCURRENCY).optional().describe(`Max regions in flight at once (1-${MAX_CONCURRENCY}). Default ${DEFAULT_CONCURRENCY}.`)
+    }),
+    handler: async (input) => {
+      const i = input;
+      const seen = /* @__PURE__ */ new Set();
+      const regions = [];
+      for (const r of i.regions) {
+        if (!seen.has(r)) {
+          seen.add(r);
+          regions.push(r);
         }
-        parent.push(clone2(op.value));
-        continue;
       }
-      const idx = Number.parseInt(lastToken, 10);
-      if (!Number.isInteger(idx) || idx < 0) {
-        throw new Error(`Path '${op.path}' has non-integer array index '${lastToken}' at index ${i}.`);
-      }
-      if (op.op === "add") {
-        if (idx > parent.length) {
-          throw new Error(`Add index ${idx} out of bounds for array of length ${parent.length} at index ${i}.`);
-        }
-        parent.splice(idx, 0, clone2(op.value));
-      } else if (op.op === "remove") {
-        if (idx >= parent.length) {
-          throw new Error(`Remove index ${idx} out of bounds for array of length ${parent.length} at index ${i}.`);
-        }
-        parent.splice(idx, 1);
-      } else {
-        if (idx >= parent.length) {
-          throw new Error(`Replace index ${idx} out of bounds for array of length ${parent.length} at index ${i}.`);
+      const concurrency = i.concurrency ?? DEFAULT_CONCURRENCY;
+      const results = await runWithConcurrency(regions, concurrency, async (region) => {
+        if (!isValidRegionName(region)) {
+          return {
+            region,
+            ok: false,
+            error: `Invalid region '${region}'. Must match ${REGION_NAME_RE} (e.g. 'us-east-1').`,
+            errorKind: "bad_input"
+          };
         }
-        parent[idx] = clone2(op.value);
-      }
-    } else if (isObj(parent)) {
-      if (op.op === "remove") {
-        if (!(lastToken in parent)) {
-          throw new Error(`Cannot remove missing key '${lastToken}' at index ${i}.`);
+        const r = await runAwsCall({
+          service: i.service,
+          operation: i.operation,
+          params: i.params,
+          query: i.query,
+          profile: i.profile,
+          region,
+          outputFormat: i.outputFormat,
+          timeoutMs: i.timeoutMs
+        });
+        if (!r.ok) {
+          return {
+            region,
+            ok: false,
+            command: r.command,
+            error: r.error,
+            errorKind: r.kind
+          };
         }
-        delete parent[lastToken];
-      } else if (op.op === "replace") {
-        if (!(lastToken in parent)) {
-          throw new Error(`Cannot replace missing key '${lastToken}' at index ${i} (use 'add' to create it).`);
+        return { region, ok: true, command: r.command, data: r.data };
+      });
+      const okCount = results.filter((r) => r.ok).length;
+      const errCount = results.length - okCount;
+      return {
+        ok: true,
+        data: {
+          service: i.service,
+          operation: i.operation,
+          regionCount: regions.length,
+          okCount,
+          errorCount: errCount,
+          results
         }
-        parent[lastToken] = clone2(op.value);
-      } else {
-        parent[lastToken] = clone2(op.value);
-      }
-    } else {
-      throw new Error(`Path '${op.path}' parent is not a container at index ${i}.`);
-    }
-  }
-  return root;
-}
-function summarizePatch(ops, before, after) {
-  let working;
-  let replayOk = true;
-  try {
-    working = clone2(before);
-  } catch {
-    replayOk = false;
-    working = void 0;
-  }
-  const out = [];
-  for (const op of ops) {
-    if (op.op === "move" || op.op === "copy" || op.op === "test") {
-      out.push({ op: "replace", path: op.path });
-      continue;
-    }
-    const beforeAt = resolvePointer(before, op.path);
-    let afterAt;
-    if (replayOk) {
-      try {
-        working = _applyJsonPatchInPlace(working, [op]);
-        afterAt = resolvePointer(working, op.path);
-      } catch {
-        replayOk = false;
-        afterAt = resolvePointer(after, op.path);
-      }
-    } else {
-      afterAt = resolvePointer(after, op.path);
-    }
-    if (op.op === "add" && afterAt === void 0 && op.path.endsWith("/-")) {
-      afterAt = op.value;
-    }
-    out.push({ op: op.op, path: op.path, before: beforeAt, after: afterAt });
-  }
-  return out;
-}
-function resolvePointer(doc, pointer) {
-  let tokens;
-  try {
-    tokens = parseJsonPointer(pointer);
-  } catch {
-    return void 0;
-  }
-  let cur = doc;
-  for (const t of tokens) {
-    if (Array.isArray(cur)) {
-      if (t === "-") return void 0;
-      const idx = Number.parseInt(t, 10);
-      if (!Number.isInteger(idx) || idx < 0 || idx >= cur.length) return void 0;
-      cur = cur[idx];
-    } else if (isObj(cur)) {
-      if (!(t in cur)) return void 0;
-      cur = cur[t];
-    } else {
-      return void 0;
+      };
     }
   }
-  return cur;
-}
+];
 
 // src/tools/script.ts
 import { createContext, runInContext } from "node:vm";
 var DEFAULT_TIMEOUT_MS2 = 6e4;
 var MAX_TIMEOUT_MS = 5 * 6e4;
 var MAX_LOG_LINES = 500;
-var MAX_LOG_LINE_BYTES = 4 * 1024;
+var MAX_LOG_LINE_CHARS = 4 * 1024;
 var DEFAULT_MAX_PAGES = 50;
 var MAX_PAGES_HARD_CAP = 1e3;
 function findTool(name, source) {
@@ -56664,7 +56686,7 @@ async function runScript(opts, handlers = defaultScriptHandlers()) {
         }
       }
     }).join(" ");
-    const capped = text.length > MAX_LOG_LINE_BYTES ? `${text.slice(0, MAX_LOG_LINE_BYTES)}... [line truncated]` : text;
+    const capped = text.length > MAX_LOG_LINE_CHARS ? `${text.slice(0, MAX_LOG_LINE_CHARS)}... [line truncated]` : text;
     logs.push(`[${level}] ${capped}`);
   };
   const ctx = createContext(
@@ -56797,9 +56819,11 @@ var scriptTools = [
     annotations: {
       title: "Run a JS snippet that orchestrates AWS tool calls",
       // The script may invoke destructive tools (resource.create/update/delete)
-      // so we conservatively annotate as non-read-only.
+      // so annotate the worst case honestly: non-read-only AND destructive.
+      // Cautious clients may confirm read-only scripts too -- acceptable cost;
+      // an unflagged delete is not.
       readOnlyHint: false,
-      destructiveHint: false,
+      destructiveHint: true,
       idempotentHint: false,
       openWorldHint: true
     },
@@ -56865,7 +56889,7 @@ var sessionTools = [
         if (!isValidProfileName(trimmed)) {
           return {
             ok: false,
-            error: `Invalid profile name '${trimmed}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-], must not start with '-' or '=', no whitespace or shell metacharacters.`
+            error: `Invalid profile name '${trimmed}'. Must be 1-128 chars from [A-Za-z0-9_+=,.@:-]; the first char must be a letter, digit, or one of _+,.@: (not '-' or '='); no whitespace or shell metacharacters.`
           };
         }
       }
@@ -56952,7 +56976,7 @@ function errorToMcpResult(err, toolName) {
     isError: true
   };
 }
-var version2 = true ? "1.4.1" : (await null).createRequire(import.meta.url)("../package.json").version;
+var version2 = true ? "1.5.0" : (await null).createRequire(import.meta.url)("../package.json").version;
 var isEntryPoint = (() => {
   const entry = process.argv[1];
   if (!entry) return false;