cdk-local 0.3.1 → 0.5.0

package/dist/{local-start-service-EZy1JNYK.js → local-start-service-DquKcP26.js}

@@ -1,4 +1,4 @@
-import { a as runDockerStreaming, i as runDockerForeground, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, s as getLogger } from "./docker-cmd-DTPLXRqh.js";
+import { a as runDockerStreaming, c as getEmbedConfig, i as runDockerForeground, l as setEmbedConfig, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, s as getLogger } from "./docker-cmd-o4ovyAhR.js";
 import { cpSync, createWriteStream, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import * as path from "node:path";
@@ -40,18 +40,23 @@ function parseContextOptions(contextArgs) {
 	return context;
 }
 /**
-* Options shared across every cdk-local command.
+* Options shared across every cdk-local command. Built per-call (not a
+* module-level const) so the `--role-arn` env-var hint reflects the active
+* embed config, which the command factory installs before calling this.
 *
 * `--region` is intentionally NOT in `commonOptions` — local commands
 * pick the region from `AWS_REGION` / profile / synthesized stack env.
 * The deprecated flag below remains for muscle-memory compatibility.
 */
-const commonOptions = [
-	new Option("--verbose", "Enable verbose logging").default(false),
-	new Option("--profile <profile>", "AWS profile"),
-	new Option("--role-arn <arn>", "IAM role ARN to assume for AWS API calls (env: CDKL_ROLE_ARN)"),
-	new Option("-y, --yes", "Automatically answer interactive prompts with the recommended response").default(false)
-];
+function commonOptions() {
+	const { envPrefix } = getEmbedConfig();
+	return [
+		new Option("--verbose", "Enable verbose logging").default(false),
+		new Option("--profile <profile>", "AWS profile"),
+		new Option("--role-arn <arn>", `IAM role ARN to assume for AWS API calls (env: ${envPrefix}_ROLE_ARN)`),
+		new Option("-y, --yes", "Automatically answer interactive prompts with the recommended response").default(false)
+	];
+}
 /**
 * Deprecated `--region` option attached to every command.
 *
@@ -68,13 +73,18 @@ function warnIfDeprecatedRegion(options) {
 	if (options.region !== void 0) process.stderr.write("Warning: --region is deprecated for this command and has no effect. Use the AWS_REGION environment variable or your AWS profile to override the SDK default region.\n");
 }
 /**
-* App options.
+* App options. Built per-call (not a module-level const) so the `--app`
+* env-var hint reflects the active embed config.
 *
-* `--app` is optional: falls back to `CDKL_APP` env var, then `cdk.json`
-* `app` field. Accepts either a shell command (e.g. `"node app.ts"`) or
-* a path to a pre-synthesized cloud assembly directory (e.g. `"cdk.out"`).
+* `--app` is optional: falls back to `${envPrefix}_APP` env var, then
+* `cdk.json` `app` field. Accepts either a shell command (e.g.
+* `"node app.ts"`) or a path to a pre-synthesized cloud assembly directory
+* (e.g. `"cdk.out"`).
 */
-const appOptions = [new Option("-a, --app <command>", "CDK app command (e.g., \"node app.ts\") or path to a pre-synthesized cloud assembly directory. Falls back to cdk.json or CDKL_APP env"), new Option("--output <path>", "Output directory for synthesis").default("cdk.out")];
+function appOptions() {
+	const { envPrefix } = getEmbedConfig();
+	return [new Option("-a, --app <command>", `CDK app command (e.g., "node app.ts") or path to a pre-synthesized cloud assembly directory. Falls back to cdk.json or ${envPrefix}_APP env`), new Option("--output <path>", "Output directory for synthesis").default("cdk.out")];
+}
 /**
 * Context options.
 */
@@ -125,7 +135,7 @@ function effectiveAssumeRoleArn(logicalId, opt) {
 * Default session duration is 1 hour.
 */
 async function applyRoleArnIfSet(opts) {
-	const roleArn = opts.roleArn || process.env["CDKL_ROLE_ARN"];
+	const roleArn = opts.roleArn || process.env[`${getEmbedConfig().envPrefix}_ROLE_ARN`];
 	if (!roleArn) return;
 	const logger = getLogger().child("role-arn");
 	logger.debug(`Assuming role ${roleArn}...`);
@@ -133,7 +143,7 @@ async function applyRoleArnIfSet(opts) {
 	try {
 		const response = await sts.send(new AssumeRoleCommand({
 			RoleArn: roleArn,
-			RoleSessionName: `cdkl-${Date.now()}`,
+			RoleSessionName: `${getEmbedConfig().binaryName}-${Date.now()}`,
 			DurationSeconds: 3600
 		}));
 		if (!response.Credentials) throw new Error(`AssumeRole returned no credentials for role ${roleArn}`);
@@ -405,7 +415,7 @@ function loadCdkJson() {
 */
 function resolveApp(cliApp) {
 	if (cliApp) return cliApp;
-	const envApp = process.env["CDKL_APP"];
+	const envApp = process.env[`${getEmbedConfig().envPrefix}_APP`];
 	if (envApp) return envApp;
 	return loadCdkJson()?.app ?? void 0;
 }
@@ -847,7 +857,7 @@ var LocalStateSourceError = class extends Error {
 function rejectExplicitCfnStackWithMultipleStacks(options, routedStackCount) {
 	if (routedStackCount <= 1) return;
 	if (typeof options.fromCfnStack !== "string") return;
-	throw new LocalStateSourceError(`--from-cfn-stack <name> cannot be used with multiple routed stacks (got ${routedStackCount}). An explicit CFn stack name applies to one stack only and would silently mismap logical IDs across siblings. Use bare --from-cfn-stack (each stack uses its own name as the CFn stack name) or run one cdkl invocation per stack.`);
+	throw new LocalStateSourceError(`--from-cfn-stack <name> cannot be used with multiple routed stacks (got ${routedStackCount}). An explicit CFn stack name applies to one stack only and would silently mismap logical IDs across siblings. Use bare --from-cfn-stack (each stack uses its own name as the CFn stack name) or run one ${getEmbedConfig().binaryName} invocation per stack.`);
 }
 /**
 * Pick and construct the right `LocalStateProvider` for the supplied
@@ -1317,7 +1327,7 @@ function resolveLambdaTarget(target, stacks) {
 	const { logicalId, resource } = match;
 	if (resource.Type !== "AWS::Lambda::Function") {
 		if (resource.Type.startsWith("Custom::")) throw new LocalInvokeResolutionError(`Resource '${logicalId}' in ${stack.stackName} is a Custom Resource (${resource.Type}), not a Lambda function. Custom Resources are invoked by the deploy framework, not by users. If you want to test the underlying handler, target the ServiceToken Lambda directly.`);
-		throw new LocalInvokeResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not a Lambda function. cdkl invoke only works on AWS::Lambda::Function resources in v1.`);
+		throw new LocalInvokeResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not a Lambda function. ${getEmbedConfig().cliName} invoke only works on AWS::Lambda::Function resources in v1.`);
 	}
 	return extractLambdaProperties(stack, logicalId, resource, resources);
 }
@@ -1366,7 +1376,7 @@ function extractLambdaProperties(stack, logicalId, resource, resources) {
 	});
 	const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
 	const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
-	if (!runtime) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has no Runtime property and no Code.ImageUri. cdk-local cannot tell if this is a ZIP or a container Lambda.`);
+	if (!runtime) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has no Runtime property and no Code.ImageUri. ${getEmbedConfig().productName} cannot tell if this is a ZIP or a container Lambda.`);
 	if (!handler) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has no Handler property.`);
 	const inlineCode = typeof code["ZipFile"] === "string" ? code["ZipFile"] : void 0;
 	let codePath = null;
@@ -1461,9 +1471,10 @@ function extractImageUri$1(value, logicalId, stackName, resources, region) {
 			const pseudoParameters = derivePseudoParametersFromRegion(region);
 			const joinResolved = tryResolveImageFnJoin(value, resources, pseudoParameters ? { pseudoParameters } : void 0);
 			if (joinResolved.kind === "resolved") return joinResolved.uri;
-			if (joinResolved.kind === "needs-state") throw new LocalInvokeResolutionError(`Lambda '${logicalId}' in ${stackName} references same-stack ECR repository '${joinResolved.repoLogicalId}' via Fn::Join. cdkl invoke cannot resolve the repository URI without state — deploy the stack first (so cdk-local records the repository physical id), rebuild via lambda.DockerImageCode.fromImageAsset, or pin a public image.`);
-			if (joinResolved.kind === "unsupported-join") throw new LocalInvokeResolutionError(`Lambda '${logicalId}' in ${stackName} has an unsupported Fn::Join Code.ImageUri shape: ${joinResolved.reason}. cdkl invoke recognizes the canonical CDK 2.x lambda.DockerImageCode.fromEcr Fn::Join shape (delimiter "" with nested Fn::Select/Fn::Split over an ECR Repository Arn GetAtt + Ref to the repo).`);
-			throw new LocalInvokeResolutionError(`Lambda '${logicalId}' in ${stackName} has an Fn::Join Code.ImageUri that cdkl invoke cannot resolve${pseudoParameters ? " (likely ${AWS::AccountId}, which cdk-local cannot derive without --from-state or STS)" : ` (cdk-local could not derive AWS pseudo parameters because stack.region was undefined)`}. Workarounds: deploy first and run with --from-state, or pin a fully-literal public image URI.`);
+			if (joinResolved.kind === "needs-state") throw new LocalInvokeResolutionError(`Lambda '${logicalId}' in ${stackName} references same-stack ECR repository '${joinResolved.repoLogicalId}' via Fn::Join. ${getEmbedConfig().cliName} invoke cannot resolve the repository URI without state — deploy the stack first (so ${getEmbedConfig().productName} records the repository physical id), rebuild via lambda.DockerImageCode.fromImageAsset, or pin a public image.`);
+			if (joinResolved.kind === "unsupported-join") throw new LocalInvokeResolutionError(`Lambda '${logicalId}' in ${stackName} has an unsupported Fn::Join Code.ImageUri shape: ${joinResolved.reason}. ${getEmbedConfig().cliName} invoke recognizes the canonical CDK 2.x lambda.DockerImageCode.fromEcr Fn::Join shape (delimiter "" with nested Fn::Select/Fn::Split over an ECR Repository Arn GetAtt + Ref to the repo).`);
+			const accountIdHint = pseudoParameters ? ` (likely \${AWS::AccountId}, which ${getEmbedConfig().productName} cannot derive without --from-state or STS)` : ` (${getEmbedConfig().productName} could not derive AWS pseudo parameters because stack.region was undefined)`;
+			throw new LocalInvokeResolutionError(`Lambda '${logicalId}' in ${stackName} has an Fn::Join Code.ImageUri that ${getEmbedConfig().cliName} invoke cannot resolve${accountIdHint}. Workarounds: deploy first and run with --from-state, or pin a fully-literal public image URI.`);
 		}
 	}
 }
@@ -1485,7 +1496,7 @@ function extractImageLambdaProperties(args) {
 		const first = arches[0];
 		if (first === "arm64") architecture = "arm64";
 		else if (first === "x86_64") architecture = "x86_64";
-		else throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. cdkl invoke supports x86_64 and arm64.`);
+		else throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. ${getEmbedConfig().cliName} invoke supports x86_64 and arm64.`);
 	}
 	return {
 		kind: "image",
@@ -1515,7 +1526,7 @@ function extractImageLambdaProperties(args) {
 */
 function resolveAssetCodePath$1(stack, logicalId, resource) {
 	const assetPath = resource.Metadata?.["aws:asset:path"];
-	if (typeof assetPath !== "string" || assetPath.length === 0) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has no Metadata['aws:asset:path']. cdkl invoke needs this hint to find the local asset directory. Re-synthesize the app (without \`--output <stale-dir>\`) and retry.`);
+	if (typeof assetPath !== "string" || assetPath.length === 0) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has no Metadata['aws:asset:path']. ${getEmbedConfig().cliName} invoke needs this hint to find the local asset directory. Re-synthesize the app (without \`--output <stale-dir>\`) and retry.`);
 	const cdkOutDir = stack.assetManifestPath ? dirname(stack.assetManifestPath) : process.cwd();
 	const abs = isAbsolute(assetPath) ? assetPath : resolve(cdkOutDir, assetPath);
 	if (!existsSync(abs) || !statSync(abs).isDirectory()) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' asset directory '${abs}' does not exist or is not a directory. Re-synthesize the app and retry.`);
@@ -1571,7 +1582,7 @@ function resolveLambdaLayers(stack, logicalId, props) {
 		const entry = layers[i];
 		if (typeof entry === "string") {
 			const parsed = parseLayerVersionArn(entry);
-			if (!parsed) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has a Layers entry [${i}] cdk-local cannot resolve locally: literal string '${entry}'. Expected a same-stack Ref / Fn::GetAtt to an AWS::Lambda::LayerVersion OR a literal layer-version ARN of the form arn:aws:lambda:<region>:<account>:layer:<name>:<version>.`);
+			if (!parsed) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has a Layers entry [${i}] ${getEmbedConfig().productName} cannot resolve locally: literal string '${entry}'. Expected a same-stack Ref / Fn::GetAtt to an AWS::Lambda::LayerVersion OR a literal layer-version ARN of the form arn:aws:lambda:<region>:<account>:layer:<name>:<version>.`);
 			out.push({
 				kind: "arn",
 				logicalId: parsed.arn,
@@ -1580,7 +1591,7 @@ function resolveLambdaLayers(stack, logicalId, props) {
 			continue;
 		}
 		const layerLogicalId = pickLayerLogicalId(entry);
-		if (!layerLogicalId) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has a Layers entry [${i}] cdk-local cannot resolve locally: ${describeLayerEntry(entry)}. Expected a same-stack Ref / Fn::GetAtt to an AWS::Lambda::LayerVersion OR a literal layer-version ARN of the form arn:aws:lambda:<region>:<account>:layer:<name>:<version>.`);
+		if (!layerLogicalId) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' has a Layers entry [${i}] ${getEmbedConfig().productName} cannot resolve locally: ${describeLayerEntry(entry)}. Expected a same-stack Ref / Fn::GetAtt to an AWS::Lambda::LayerVersion OR a literal layer-version ARN of the form arn:aws:lambda:<region>:<account>:layer:<name>:<version>.`);
 		const layerResource = resources[layerLogicalId];
 		if (!layerResource) throw new LocalInvokeResolutionError(`Lambda '${logicalId}' Layers entry [${i}] references '${layerLogicalId}', but no resource with that logical ID exists in stack '${stack.stackName}'.`);
 		if (layerResource.Type !== "AWS::Lambda::LayerVersion") throw new LocalInvokeResolutionError(`Lambda '${logicalId}' Layers entry [${i}] references '${layerLogicalId}' (${layerResource.Type}), which is not an AWS::Lambda::LayerVersion.`);
@@ -1716,7 +1727,7 @@ async function materializeLayerFromArn(layer, options = {}) {
 	} catch (err) {
 		throw new LayerMaterializationError(`Layer ${layer.arn}: failed to download layer ZIP from the presigned URL: ${errMsg(err)}.`);
 	}
-	const dir = await mkdtemp(join(tmpdir(), `cdkl-arn-layer-${layer.name}-${layer.version}-`));
+	const dir = await mkdtemp(join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-arn-layer-${layer.name}-${layer.version}-`));
 	try {
 		await unzipBufferToDirectory(zipBytes, dir);
 	} catch (err) {
@@ -1782,7 +1793,7 @@ async function buildAssumeRoleCommand(roleArn) {
 	const { AssumeRoleCommand } = await import("@aws-sdk/client-sts");
 	return new AssumeRoleCommand({
 		RoleArn: roleArn,
-		RoleSessionName: `cdkl-layer-${Date.now()}`,
+		RoleSessionName: `${getEmbedConfig().resourceNamePrefix}-layer-${Date.now()}`,
 		DurationSeconds: 3600
 	});
 }
@@ -2841,7 +2852,7 @@ function resolveEcsTaskTarget(target, stacks, context) {
 		logicalId = parsed.pathOrId;
 	}
 	if (!logicalId || !resource) throw notFoundError$1(target, stack, resources);
-	if (resource.Type === "AWS::Lambda::Function") throw new EcsTaskResolutionError(`Resource '${logicalId}' in ${stack.stackName} is a Lambda function, not an ECS task definition. Use \`cdkl invoke\` for Lambda; \`cdkl run-task\` is ECS only.`);
+	if (resource.Type === "AWS::Lambda::Function") throw new EcsTaskResolutionError(`Resource '${logicalId}' in ${stack.stackName} is a Lambda function, not an ECS task definition. Use \`${getEmbedConfig().cliName} invoke\` for Lambda; \`${getEmbedConfig().cliName} run-task\` is ECS only.`);
 	if (resource.Type !== "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`Resource '${logicalId}' in ${stack.stackName} is ${resource.Type}, not an AWS::ECS::TaskDefinition.`);
 	return extractTaskDefinitionProperties(stack, logicalId, resource, context);
 }
@@ -2864,7 +2875,7 @@ function extractTaskDefinitionProperties(stack, logicalId, resource, context) {
 	if (rawNetworkMode === "bridge" || rawNetworkMode === "awsvpc" || rawNetworkMode === "host" || rawNetworkMode === "none") networkMode = rawNetworkMode;
 	else throw new EcsTaskResolutionError(`Task definition '${logicalId}' has unsupported NetworkMode '${rawNetworkMode}'. Supported values: bridge / awsvpc / host / none.`);
 	if (networkMode === "awsvpc") warnings.push(`NetworkMode 'awsvpc' on '${logicalId}' is mapped to docker bridge locally — docker cannot emulate ENI-per-task. AWS SDK calls still reach public endpoints via the developer network.`);
-	if (props["ProxyConfiguration"]) warnings.push(`Task definition '${logicalId}' declares 'ProxyConfiguration' (custom Envoy / App Mesh bootstrap), which is NOT honored by 'cdkl start-service' / 'cdkl run-task' in v1. Local execution will run without the configured proxy. See design doc § 2 for the rationale.`);
+	if (props["ProxyConfiguration"]) warnings.push(`Task definition '${logicalId}' declares 'ProxyConfiguration' (custom Envoy / App Mesh bootstrap), which is NOT honored by '${getEmbedConfig().cliName} start-service' / '${getEmbedConfig().cliName} run-task' in v1. Local execution will run without the configured proxy. See design doc § 2 for the rationale.`);
 	const resources = stack.template.Resources ?? {};
 	const subContext = buildSubstitutionContextFromImageContext(context);
 	const taskRoleArn = resolveRoleArn(props["TaskRoleArn"], resources, subContext);
@@ -3122,10 +3133,10 @@ function parseContainerImage(raw, containerName, taskLogicalId, resources, _stac
 	if (getAttImage) return classifyResolvedImage(getAttImage);
 	const joinResolved = tryResolveImageFnJoin(raw, resources, context);
 	if (joinResolved.kind === "resolved") return classifyResolvedImage(joinResolved.uri);
-	if (joinResolved.kind === "needs-state") throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${joinResolved.repoLogicalId}' via Fn::Join. cdkl run-task cannot resolve the repository URI without state — pass --from-state (the stack must have been deployed via cdkd deploy), build via ContainerImage.fromAsset, or pin a public image.`);
-	if (joinResolved.kind === "unsupported-join") throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' has an unsupported Fn::Join Image shape: ${joinResolved.reason}. cdkl run-task recognizes the canonical CDK 2.x ContainerImage.fromEcrRepository Fn::Join shape (delimiter "" with nested Fn::Select/Fn::Split over an ECR Repository Arn GetAtt + Ref to the repo).`);
+	if (joinResolved.kind === "needs-state") throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${joinResolved.repoLogicalId}' via Fn::Join. ${getEmbedConfig().cliName} run-task cannot resolve the repository URI without state — pass --from-state (the stack must have been deployed via cdkd deploy), build via ContainerImage.fromAsset, or pin a public image.`);
+	if (joinResolved.kind === "unsupported-join") throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' has an unsupported Fn::Join Image shape: ${joinResolved.reason}. ${getEmbedConfig().cliName} run-task recognizes the canonical CDK 2.x ContainerImage.fromEcrRepository Fn::Join shape (delimiter "" with nested Fn::Select/Fn::Split over an ECR Repository Arn GetAtt + Ref to the repo).`);
 	const flat = extractImageString(raw);
-	if (!flat) throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' has an unparseable Image property. cdkl run-task v1 supports flat string images, single-key Fn::Sub bodies, and CDK-asset Image references.`);
+	if (!flat) throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' has an unparseable Image property. ${getEmbedConfig().cliName} run-task v1 supports flat string images, single-key Fn::Sub bodies, and CDK-asset Image references.`);
 	if (flat.includes("cdk-hnb659fds-container-assets-")) {
 		const hashMatch = /:([a-f0-9]{8,})$/.exec(flat);
 		const out = { kind: "cdk-asset" };
@@ -3135,9 +3146,9 @@ function parseContainerImage(raw, containerName, taskLogicalId, resources, _stac
 	const substituted = substituteImagePlaceholders(flat, resources, context);
 	if (substituted.includes("${")) {
 		const unresolvedRepoRef = findUnresolvedEcrRepositoryRef(substituted, resources);
-		if (unresolvedRepoRef) throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${unresolvedRepoRef}'. cdkl run-task v1 cannot resolve the repository URI without state — pass --from-state (the stack must have been deployed via cdkd deploy), build via ContainerImage.fromAsset, or pin a public image.`);
-		if (substituted.includes("AWS::")) throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' has an Image that references AWS pseudo parameters (${substituted}). cdk-local could not resolve them: confirm AWS credentials are configured so STS GetCallerIdentity succeeds, and that --region / AWS_REGION names the target region. Workaround: build the image locally (ContainerImage.fromAsset) or pin a public image.`);
-		throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' has an Image with unresolved \${...} placeholders (${substituted}). cdkl run-task v1 only resolves AWS pseudo parameters and same-stack AWS::ECR::Repository refs.`);
+		if (unresolvedRepoRef) throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' references same-stack ECR repository '${unresolvedRepoRef}'. ${getEmbedConfig().cliName} run-task v1 cannot resolve the repository URI without state — pass --from-state (the stack must have been deployed via cdkd deploy), build via ContainerImage.fromAsset, or pin a public image.`);
+		if (substituted.includes("AWS::")) throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' has an Image that references AWS pseudo parameters (${substituted}). ${getEmbedConfig().productName} could not resolve them: confirm AWS credentials are configured so STS GetCallerIdentity succeeds, and that --region / AWS_REGION names the target region. Workaround: build the image locally (ContainerImage.fromAsset) or pin a public image.`);
+		throw new EcsTaskResolutionError(`Container '${containerName}' in task '${taskLogicalId}' has an Image with unresolved \${...} placeholders (${substituted}). ${getEmbedConfig().cliName} run-task v1 only resolves AWS pseudo parameters and same-stack AWS::ECR::Repository refs.`);
 	}
 	const ecrMatch = /^(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com(?:\.cn)?\//.exec(substituted);
 	if (ecrMatch) return {
@@ -3242,8 +3253,8 @@ function parseVolume(raw, idx, taskLogicalId, subContext) {
 	const v = raw;
 	const name = pickString(v["Name"]);
 	if (!name) throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] has no Name.`);
-	if (v["EFSVolumeConfiguration"]) throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] '${name}' uses EFSVolumeConfiguration, which cdkl run-task cannot proxy locally. Workaround: bind-mount a local directory at the same containerPath via Host: { SourcePath: '<local-path>' }, or override at runtime via --env-vars semantics for a Phase 2 follow-up.`);
-	if (v["FSxWindowsFileServerVolumeConfiguration"]) throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] '${name}' uses FSxWindowsFileServerVolumeConfiguration, which cdkl run-task cannot proxy locally.`);
+	if (v["EFSVolumeConfiguration"]) throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] '${name}' uses EFSVolumeConfiguration, which ${getEmbedConfig().cliName} run-task cannot proxy locally. Workaround: bind-mount a local directory at the same containerPath via Host: { SourcePath: '<local-path>' }, or override at runtime via --env-vars semantics for a Phase 2 follow-up.`);
+	if (v["FSxWindowsFileServerVolumeConfiguration"]) throw new EcsTaskResolutionError(`Task '${taskLogicalId}' Volumes[${idx}] '${name}' uses FSxWindowsFileServerVolumeConfiguration, which ${getEmbedConfig().cliName} run-task cannot proxy locally.`);
 	const dockerCfg = v["DockerVolumeConfiguration"];
 	if (dockerCfg && typeof dockerCfg === "object") {
 		const d = dockerCfg;
@@ -3487,6 +3498,43 @@ async function applyCrossStackResolverToTask(task, context) {
 
 //#endregion
 //#region src/local/runtime-image.ts
+/**
+* Map a CloudFormation `Runtime` string to the AWS Lambda base image that
+* bundles the matching runtime + the Lambda Runtime Interface Emulator (RIE),
+* plus the source-file extension for inline-code materialization.
+*
+* Per D1 in the issue, cdk-local uses the **full** base image
+* (`public.ecr.aws/lambda/<lang>:<version>`, ~600MB) over SAM's lighter
+* `public.ecr.aws/sam/emulation-<lang>` (~150MB). The size cost is one-time
+* per machine; in exchange the local runtime is the same artifact AWS runs
+* for container Lambdas, so a "works locally, breaks in AWS" mismatch is
+* almost always a config issue rather than an image divergence.
+*
+* Supports every current AWS Lambda runtime — Node.js, Python, Ruby,
+* Java, .NET, and the OS-only `provided.al2` / `provided.al2023` (the
+* canonical hosts for Go via a `bootstrap` binary, Rust, C/C++, or any
+* other compiled native runtime). The deprecated `go1.x` runtime is
+* explicitly rejected with a migration pointer to `provided.al2023`.
+*
+* Truly unknown runtime strings (e.g. typos like `nodejs99.x`, or
+* back-revs AWS retired well before cdk-local existed) fall through to a
+* generic error that lists every supported runtime.
+*
+* Ruby uses the same `<file>.<func>` handler grammar as Node.js and Python,
+* so the inline-code materializer's `lastIndexOf('.')` parse works
+* unchanged; only the file extension (`.rb`) differs.
+*
+* Java, .NET, and `provided.*` are **asset-backed only** — the Handler
+* value names a compiled artifact (`package.Class::method` for Java's
+* JVM class on the classpath; `Assembly::Namespace.Class::Method` for
+* .NET's CLR assembly / DLL; an arbitrary identifier per the user's
+* `bootstrap` binary for `provided.*`), which can only be supplied as a
+* compiled artifact directory packaged via `lambda.Code.fromAsset(...)`.
+* Inline `Code.ZipFile` has no meaning for any of them, so
+* `fileExtension` is `null` for every Java / .NET / `provided.*` entry
+* and `resolveRuntimeFileExtension` throws a runtime-specific message
+* routing the user to `Code.fromAsset(...)`.
+*/
 const SUPPORTED_RUNTIMES = {
 	"nodejs18.x": {
 		image: "public.ecr.aws/lambda/nodejs:18",
@@ -3608,7 +3656,7 @@ function resolveRuntimeSpec(runtime) {
 	const spec = SUPPORTED_RUNTIMES[runtime];
 	if (spec) return spec;
 	if (runtime === "go1.x") throw new UnsupportedRuntimeError(runtime, "Runtime 'go1.x' was deprecated by AWS Lambda on 2024-01-08 and is no longer available. Migrate to the OS-only runtime: build your Go program as a `bootstrap` binary and set the CDK runtime to `lambda.Runtime.PROVIDED_AL2023` (or `lambda.Runtime.PROVIDED_AL2`). See https://docs.aws.amazon.com/lambda/latest/dg/lambda-golang.html");
-	throw new UnsupportedRuntimeError(runtime, `Unknown runtime '${runtime}'. cdkl invoke supports nodejs18.x / nodejs20.x / nodejs22.x / nodejs24.x / python3.11 / python3.12 / python3.13 / python3.14 / ruby3.2 / ruby3.3 / java8.al2 / java11 / java17 / java21 / dotnet6 / dotnet8 / provided.al2 / provided.al2023.`);
+	throw new UnsupportedRuntimeError(runtime, `Unknown runtime '${runtime}'. ${getEmbedConfig().cliName} invoke supports nodejs18.x / nodejs20.x / nodejs22.x / nodejs24.x / python3.11 / python3.12 / python3.13 / python3.14 / ruby3.2 / ruby3.3 / java8.al2 / java11 / java17 / java21 / dotnet6 / dotnet8 / provided.al2 / provided.al2023.`);
 }
 /**
 * In-container path where cdk-local should bind-mount the function's
@@ -3794,7 +3842,7 @@ async function ensureDockerAvailable() {
 		]);
 	} catch (error) {
 		const err = error;
-		if (err.code === "ENOENT") throw new DockerRunnerError(`${cmd} is not installed or not on PATH. cdkl invoke needs Docker (or a compatible CLI specified via CDK_DOCKER) — install it and retry.`);
+		if (err.code === "ENOENT") throw new DockerRunnerError(`${cmd} is not installed or not on PATH. ${getEmbedConfig().cliName} invoke needs Docker (or a compatible CLI specified via CDK_DOCKER) — install it and retry.`);
 		throw new DockerRunnerError(`${cmd} daemon is not reachable: ${err.stderr?.trim() || err.message || String(error)}. Start Docker Desktop / the docker daemon and retry.`);
 	}
 }
@@ -4041,7 +4089,7 @@ function isCredentialFresh(creds) {
 async function pullEcrImage(imageUri, options) {
 	const logger = getLogger().child("ecr-puller");
 	const parsed = parseEcrUri(imageUri);
-	if (!parsed) throw new LocalInvokeBuildError(`Image URI '${imageUri}' is not an ECR URI. cdkl invoke v1 only authenticates against ECR for the deployed-image fallback path.`);
+	if (!parsed) throw new LocalInvokeBuildError(`Image URI '${imageUri}' is not an ECR URI. ${getEmbedConfig().cliName} invoke v1 only authenticates against ECR for the deployed-image fallback path.`);
 	const callerRegion = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"];
 	if (options.skipPull) {
 		logger.info(`Skipping ECR pull (--no-pull). Verifying ${imageUri} is in local cache...`);
@@ -4107,7 +4155,7 @@ async function assumeRoleForEcr(roleArn, callerRegion, logger) {
 	try {
 		const creds = (await sts.send(new AssumeRoleCommand({
 			RoleArn: roleArn,
-			RoleSessionName: `cdkl-ecr-${Date.now()}`,
+			RoleSessionName: `${getEmbedConfig().resourceNamePrefix}-ecr-${Date.now()}`,
 			DurationSeconds: 3600
 		}))).Credentials;
 		if (!creds || !creds.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) throw new LocalInvokeBuildError(`AssumeRole(${roleArn}) returned no usable credentials. Verify the role's trust policy allows your identity to assume it.`);
@@ -4162,7 +4210,7 @@ async function verifyImageInLocalCache(imageUri) {
 			imageUri
 		]);
 	} catch {
-		throw new LocalInvokeBuildError(`Image '${imageUri}' is not in the local docker cache and --no-pull was set. Either remove --no-pull (cdk-local will pull from ECR) or pre-pull the image manually with \`docker pull\`.`);
+		throw new LocalInvokeBuildError(`Image '${imageUri}' is not in the local docker cache and --no-pull was set. Either remove --no-pull (${getEmbedConfig().productName} will pull from ECR) or pre-pull the image manually with \`docker pull\`.`);
 	}
 }
 /**
@@ -4265,7 +4313,7 @@ function computeLocalTag(source) {
 	pushField(hash, "dockerOutputs", (source.dockerOutputs ?? []).join(""));
 	pushField(hash, "cacheFrom", (source.cacheFrom ?? []).map((o) => JSON.stringify(o)).join(""));
 	pushField(hash, "cacheTo", source.cacheTo ? JSON.stringify(source.cacheTo) : "");
-	return `cdkl-invoke-${hash.digest("hex").slice(0, 16)}`;
+	return `${getEmbedConfig().resourceNamePrefix}-invoke-${hash.digest("hex").slice(0, 16)}`;
 }
 function pushField(hash, name, value) {
 	hash.update(name);
@@ -4852,16 +4900,19 @@ function singleFlight(fn, onError) {
 //#region src/cli/commands/local-profile-credentials-file.ts
 /**
 * Path inside the container where the credentials file is mounted. Fixed
-* (not user-configurable) so the env-var injection is stable.
-* `/cdk-local-aws/` is outside `/var/task` (the Lambda code mount) and
-* outside `/root/` (which the user's handler may bind-mount or modify),
-* so there is no collision risk with the user's payload.
+* per run (not user-configurable) so the env-var injection is stable. The
+* default `/cdk-local-aws/` is outside `/var/task` (the Lambda code mount)
+* and outside `/root/` (which the user's handler may bind-mount or
+* modify), so there is no collision risk with the user's payload. The
+* `${awsBindMountPath}` segment honors the active embed config.
 */
-const CONTAINER_AWS_CREDENTIALS_PATH = "/cdk-local-aws/credentials";
+function getContainerAwsCredentialsPath() {
+	return `${getEmbedConfig().awsBindMountPath}/credentials`;
+}
 /**
 * Write a temporary AWS shared-credentials file containing the resolved
 * `--profile <name>` credentials, ready to bind-mount into a Lambda
-* container at {@link CONTAINER_AWS_CREDENTIALS_PATH}.
+* container at {@link getContainerAwsCredentialsPath}.
 *
 * The file content is the standard `[profile-name]` INI shape:
 *
@@ -4882,7 +4933,7 @@ const CONTAINER_AWS_CREDENTIALS_PATH = "/cdk-local-aws/credentials";
 async function writeProfileCredentialsFile(profileName, creds) {
 	if (profileName === "") throw new Error("writeProfileCredentialsFile: profile name must not be empty.");
 	if (/[\r\n[\]]/.test(profileName)) throw new Error(`writeProfileCredentialsFile: profile name '${profileName}' contains a forbidden character (any of CR, LF, '[', ']' would corrupt the INI file or the docker -e env var).`);
-	const dir = await mkdtemp(path.join(tmpdir(), "cdk-local-profile-creds-"));
+	const dir = await mkdtemp(path.join(tmpdir(), `${getEmbedConfig().productName}-profile-creds-`));
 	const hostPath = path.join(dir, "credentials");
 	const lines = [
 		`[${profileName}]`,
@@ -4893,7 +4944,7 @@ async function writeProfileCredentialsFile(profileName, creds) {
 	await writeFile(hostPath, lines.join("\n") + "\n", { mode: 384 });
 	return {
 		hostPath,
-		containerPath: CONTAINER_AWS_CREDENTIALS_PATH,
+		containerPath: getContainerAwsCredentialsPath(),
 		profileName,
 		dispose: async () => {
 			await rm(dir, {
@@ -4977,7 +5028,7 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 		const profileCredentials = options.profile ? await resolveProfileCredentials$1(options.profile) : void 0;
 		if (options.profile && profileCredentials) profileCredsFile = await writeProfileCredentialsFile(options.profile, profileCredentials);
 		const appCmd = resolveApp(options.app);
-		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKL_APP, or add \"app\" to cdk.json.");
+		if (!appCmd) throw new Error(`No CDK app specified. Pass --app, set ${getEmbedConfig().envPrefix}_APP, or add "app" to cdk.json.`);
 		logger.info("Synthesizing CDK app...");
 		const synthesizer = new Synthesizer();
 		const context = parseContextOptions(options.context);
@@ -5198,7 +5249,7 @@ function materializeLambdaLayers$1(layers) {
 		containerPath: "/opt",
 		readOnly: true
 	} };
-	const tmpDir = mkdtempSync(path.join(tmpdir(), "cdkl-invoke-layers-"));
+	const tmpDir = mkdtempSync(path.join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-invoke-layers-`));
 	for (const layer of layers) cpSync(layer.assetPath, tmpDir, {
 		recursive: true,
 		force: true
@@ -5222,7 +5273,7 @@ async function resolveContainerImagePlan(lambda, options) {
 		noBuild: options.build === false
 	});
 	else {
-		if (!parseEcrUri(lambda.imageUri)) throw new Error(`Container Lambda '${lambda.logicalId}' has no matching asset in cdk.out, and Code.ImageUri '${lambda.imageUri}' is not an ECR URI cdkl can authenticate against. Re-synthesize the CDK app (so cdk.out includes the build context) or deploy the image to ECR first.`);
+		if (!parseEcrUri(lambda.imageUri)) throw new Error(`Container Lambda '${lambda.logicalId}' has no matching asset in cdk.out, and Code.ImageUri '${lambda.imageUri}' is not an ECR URI ${getEmbedConfig().binaryName} can authenticate against. Re-synthesize the CDK app (so cdk.out includes the build context) or deploy the image to ECR first.`);
 		logger.info(`No matching cdk.out asset for ${lambda.imageUri}; falling back to ECR pull (same-acct/region only)...`);
 		imageRef = await pullEcrImage(lambda.imageUri, {
 			skipPull: options.pull === false,
@@ -5276,7 +5327,7 @@ function envHasCrossStackIntrinsic(templateEnv) {
 async function resolvePseudoParametersForInvoke(stackRegion, options) {
 	const logger = getLogger();
 	const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? stackRegion;
-	if (!region) logger.warn("Resolver references ${AWS::Region} but cdkl could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.");
+	if (!region) logger.warn(`Resolver references \${AWS::Region} but ${getEmbedConfig().binaryName} could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.`);
 	let accountId;
 	try {
 		const { STSClient, GetCallerIdentityCommand } = await import("@aws-sdk/client-sts");
@@ -5348,7 +5399,7 @@ async function assumeLambdaExecutionRole$1(roleArn, region) {
 	try {
 		const creds = (await sts.send(new AssumeRoleCommand({
 			RoleArn: roleArn,
-			RoleSessionName: `cdkl-invoke-${Date.now()}`,
+			RoleSessionName: `${getEmbedConfig().resourceNamePrefix}-invoke-${Date.now()}`,
 			DurationSeconds: 3600
 		}))).Credentials;
 		if (!creds?.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) throw new Error(`AssumeRole(${roleArn}) returned no usable credentials.`);
@@ -5405,7 +5456,7 @@ function materializeInlineCode$1(handler, source, fileExtension) {
 	const lastDot = handler.lastIndexOf(".");
 	if (lastDot <= 0) throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
 	const modulePath = handler.substring(0, lastDot);
-	const dir = mkdtempSync(path.join(tmpdir(), "cdkl-invoke-"));
+	const dir = mkdtempSync(path.join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-invoke-`));
 	const filePath = path.join(dir, `${modulePath}${fileExtension}`);
 	mkdirSync(path.dirname(filePath), { recursive: true });
 	writeFileSync(filePath, source, "utf-8");
@@ -5438,12 +5489,13 @@ function pickReferencedLogicalId(intrinsic) {
 	}
 }
 function createLocalInvokeCommand(opts = {}) {
+	setEmbedConfig(opts.embedConfig);
 	const invoke = new Command("invoke").description("Run a Lambda function locally in a Docker container (RIE-backed). Target accepts a CDK display path (MyStack/MyApi/Handler) or stack-qualified logical ID (MyStack:MyApiHandler1234ABCD). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the Lambda to invoke").addOption(new Option("-e, --event <file>", "JSON event payload file (default: {})")).addOption(new Option("--event-stdin", "Read event JSON from stdin").default(false)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}})")).addOption(new Option("--no-pull", "Skip docker pull (use cached image) — no-op for IMAGE local-build path; `docker build` does not pull base layers by default")).addOption(new Option("--no-build", "Skip docker build on the IMAGE local-build path (use the previously-built tag). Requires the deterministic tag to already be in the local registry; errors with an actionable message when missing. No-op for ZIP Lambdas and the IMAGE ECR-pull path. Compatible with --no-pull.")).addOption(new Option("--debug-port <port>", "Node --inspect-brk port (default: off)")).addOption(new Option("--container-host <host>", "Host to bind the RIE port to").default("127.0.0.1")).addOption(new Option("--assume-role [arn]", "Assume the Lambda's deployed execution role and forward STS-issued temp credentials to the container so the handler runs with the deployed function's narrow permissions. Three forms: (1) `--assume-role <arn>` assumes the explicit ARN; (2) `--assume-role` (bare) auto-resolves the function's execution role ARN from state (requires an active state source); (3) `--no-assume-role` explicitly opts out. Off by default — when omitted, the developer's shell credentials are forwarded unchanged (SAM-compatible default). STS failures degrade to a warn + dev-creds fallback.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers. Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name; pass an explicit value when CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
 		await localInvokeCommand(target, options, opts.extraStateProviders);
 	}));
 	[
-		...commonOptions,
-		...appOptions,
+		...commonOptions(),
+		...appOptions(),
 		...contextOptions
 	].forEach((option) => invoke.addOption(option));
 	invoke.addOption(deprecatedRegionOption);
@@ -5815,7 +5867,7 @@ async function dispatchSfnStopExecution(params, region) {
 	return okJson(await client.send(new mod.StopExecutionCommand(input)));
 }
 async function dispatchAppConfigGetConfiguration(params, region) {
-	return errorResponse(501, "AppConfig-GetConfiguration is recognized but cdk-local does not yet bundle @aws-sdk/client-appconfig. Use the deployed API for this subtype, or open an issue if you need local emulation.");
+	return errorResponse(501, `AppConfig-GetConfiguration is recognized but ${getEmbedConfig().productName} does not yet bundle @aws-sdk/client-appconfig. Use the deployed API for this subtype, or open an issue if you need local emulation.`);
 }
 function requireParams(params, required) {
 	const missing = required.filter((k) => !params[k] || params[k].trim() === "");
@@ -6044,7 +6096,7 @@ function discoverRoutes(stacks) {
 			errors.push(err instanceof Error ? err.message : String(err));
 		}
 	}
-	if (errors.length > 0) throw new RouteDiscoveryError(`cdkl start-api: ${errors.length} malformed route(s) in the synthesized template:\n` + errors.map((e) => `  - ${e}`).join("\n"));
+	if (errors.length > 0) throw new RouteDiscoveryError(`${getEmbedConfig().cliName} start-api: ${errors.length} malformed route(s) in the synthesized template:\n` + errors.map((e) => `  - ${e}`).join("\n"));
 	return routes;
 }
 /**
@@ -6177,7 +6229,7 @@ function discoverRestV1Method(logicalId, resource, template, stackName) {
 		method: httpMethod,
 		pathPattern: path,
 		lambdaLogicalId: "",
-		unsupported: { reason: `${stackName}/${logicalId}.Integration.Uri: ${arnOutcome.detail} (got ${shortJson$1(integrationUri)}). Lambda Arn intrinsics on cross-stack / imported references are not resolvable locally; deploy the producer stack and use \`cdkl invoke --from-state\` shapes if you need it.` }
+		unsupported: { reason: `${stackName}/${logicalId}.Integration.Uri: ${arnOutcome.detail} (got ${shortJson$1(integrationUri)}). Lambda Arn intrinsics on cross-stack / imported references are not resolvable locally; deploy the producer stack and use \`${getEmbedConfig().cliName} invoke --from-state\` shapes if you need it.` }
 	}];
 	return [{
 		...baseRoute,
@@ -6271,7 +6323,7 @@ function buildHttpProxyIntegrationConfig(integration, stackName, logicalId) {
 	const uri = integration["Uri"];
 	if (typeof uri !== "string" || uri.length === 0) return {
 		kind: "unsupported",
-		reason: `${stackName}/${logicalId}: HTTP_PROXY Integration.Uri must be a literal string in v1 (cdkl start-api does not resolve Fn::Sub / Fn::Join in HTTP_PROXY Uris); got ${shortJson$1(uri)}.`
+		reason: `${stackName}/${logicalId}: HTTP_PROXY Integration.Uri must be a literal string in v1 (${getEmbedConfig().cliName} start-api does not resolve Fn::Sub / Fn::Join in HTTP_PROXY Uris); got ${shortJson$1(uri)}.`
 	};
 	const integrationHttpMethod = pickStringField(integration, "IntegrationHttpMethod");
 	const requestParameters = pickStringRecord(integration["RequestParameters"]);
@@ -6295,7 +6347,7 @@ function buildHttpIntegrationConfig(integration, stackName, logicalId) {
 	const uri = integration["Uri"];
 	if (typeof uri !== "string" || uri.length === 0) return {
 		kind: "unsupported",
-		reason: `${stackName}/${logicalId}: HTTP Integration.Uri must be a literal string in v1 (cdkl start-api does not resolve Fn::Sub / Fn::Join in HTTP Uris); got ${shortJson$1(uri)}.`
+		reason: `${stackName}/${logicalId}: HTTP Integration.Uri must be a literal string in v1 (${getEmbedConfig().cliName} start-api does not resolve Fn::Sub / Fn::Join in HTTP Uris); got ${shortJson$1(uri)}.`
 	};
 	const integrationHttpMethod = pickStringField(integration, "IntegrationHttpMethod");
 	const requestParameters = pickStringRecord(integration["RequestParameters"]);
@@ -6329,7 +6381,7 @@ function buildAwsIntegrationConfig(integration, stackName, logicalId) {
 	const uri = integration["Uri"];
 	if (!uriContainsLambdaMarker(uri)) return {
 		kind: "unsupported",
-		reason: `${stackName}/${logicalId}: REST v1 AWS integration targeting a non-Lambda service (Uri ${shortJson$1(uri)}) is not emulated locally in cdkl v1. Lambda non-proxy AWS integrations are supported; direct AWS service integrations (S3 / SQS / SNS / DynamoDB) require deploying to AWS. See https://github.com/go-to-k/cdkd/blob/main/docs/local-emulation.md.`
+		reason: `${stackName}/${logicalId}: REST v1 AWS integration targeting a non-Lambda service (Uri ${shortJson$1(uri)}) is not emulated locally in ${getEmbedConfig().binaryName} v1. Lambda non-proxy AWS integrations are supported; direct AWS service integrations (S3 / SQS / SNS / DynamoDB) require deploying to AWS. See https://github.com/go-to-k/cdkd/blob/main/docs/local-emulation.md.`
 	};
 	const arnOutcome = resolveLambdaArnOutcome(uri);
 	if (arnOutcome.kind === "unsupported") return {
@@ -6552,7 +6604,7 @@ function classifyServiceIntegrationRoute(baseRoute, integrationProps, stackName,
 	if (!isSupportedSubtype(subtypeRaw)) return {
 		...baseRoute,
 		lambdaLogicalId: "",
-		unsupported: { reason: `${declaredAt}: HTTP API v2 service integration subtype '${stringifyValue(subtypeRaw)}' is not supported by cdkl start-api (see https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-aws-services-reference.html for the supported list).` }
+		unsupported: { reason: `${declaredAt}: HTTP API v2 service integration subtype '${stringifyValue(subtypeRaw)}' is not supported by ${getEmbedConfig().cliName} start-api (see https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-develop-integrations-aws-services-reference.html for the supported list).` }
 	};
 	const requestParameters = integrationProps["RequestParameters"];
 	if (!requestParameters || typeof requestParameters !== "object" || Array.isArray(requestParameters)) return {
@@ -6823,7 +6875,7 @@ function discoverOneApi(logicalId, resource, template, stackName) {
 	const routes = collectRoutesForApi(logicalId, template, stackName);
 	if (routes.length === 0) throw new Error(`${declaredAt}: WebSocket API has no AWS::ApiGatewayV2::Route children — at least one route (typically '$connect') is required to dispatch.`);
 	const authRoutes = collectAuthRoutesForApi(logicalId, template, stackName);
-	const unsupported = authRoutes.length > 0 ? { reason: `WebSocket API requires authorizer support, which cdkl v1 does not emulate. Affected route(s): ${authRoutes.map((r) => `${r.routeKey} [AuthorizationType=${r.authorizationType}]`).join(", ")}. The API will be discovered but no upgrade requests will be accepted on this server.` } : void 0;
+	const unsupported = authRoutes.length > 0 ? { reason: `WebSocket API requires authorizer support, which ${getEmbedConfig().binaryName} v1 does not emulate. Affected route(s): ${authRoutes.map((r) => `${r.routeKey} [AuthorizationType=${r.authorizationType}]`).join(", ")}. The API will be discovered but no upgrade requests will be accepted on this server.` } : void 0;
 	return {
 		apiLogicalId: logicalId,
 		apiStackName: stackName,
@@ -6879,7 +6931,7 @@ function collectAuthRoutesForApi(apiLogicalId, template, _stackName) {
 * fuller JSONPath / VTL evaluator and are out of scope for v1.
 */
 function assertSupportedSelectionExpression(expr, declaredAt) {
-	if (!/^\$request\.body(?:\.[A-Za-z_][A-Za-z0-9_]*)+$/.test(expr)) throw new Error(`${declaredAt}: RouteSelectionExpression '${expr}' is not supported in cdkl start-api v1 — only '$request.body.<key>' shapes (optionally nested via dots) are recognized. File a follow-up issue if you need '$request.header.X' / '$context.X' / array-index access.`);
+	if (!/^\$request\.body(?:\.[A-Za-z_][A-Za-z0-9_]*)+$/.test(expr)) throw new Error(`${declaredAt}: RouteSelectionExpression '${expr}' is not supported in ${getEmbedConfig().cliName} start-api v1 — only '$request.body.<key>' shapes (optionally nested via dots) are recognized. File a follow-up issue if you need '$request.header.X' / '$context.X' / array-index access.`);
 }
 /**
 * Parse a `$request.body.x.y` selection expression into the JSON-path
@@ -6933,7 +6985,7 @@ function collectRoutesForApi(apiLogicalId, template, stackName) {
 		if (!integration || integration.Type !== "AWS::ApiGatewayV2::Integration") throw new Error(`${declaredAt}: Target points at '${targetLogicalId}' which is not an AWS::ApiGatewayV2::Integration.`);
 		const integrationProps = integration.Properties ?? {};
 		const integrationType = integrationProps["IntegrationType"];
-		if (integrationType !== "AWS_PROXY") throw new Error(`${declaredAt}: WebSocket route IntegrationType '${String(integrationType)}' is not supported in cdkl start-api v1 — only AWS_PROXY (Lambda) integrations are emulated.`);
+		if (integrationType !== "AWS_PROXY") throw new Error(`${declaredAt}: WebSocket route IntegrationType '${String(integrationType)}' is not supported in ${getEmbedConfig().cliName} start-api v1 — only AWS_PROXY (Lambda) integrations are emulated.`);
 		const arnOutcome = resolveLambdaArnIntrinsic(integrationProps["IntegrationUri"]);
 		if (arnOutcome.kind === "unsupported") throw new Error(`${stackName}/${targetLogicalId}.IntegrationUri: ${arnOutcome.detail} — WebSocket routes must point at a same-template Lambda.`);
 		result.push({
@@ -7920,6 +7972,85 @@ async function probeHostGatewaySupport() {
 
 //#endregion
 //#region src/local/vtl-engine.ts
+/**
+* AWS API Gateway VTL (Velocity Template Language) evaluator — hand-rolled
+* minimal subset for `cdkl start-api`'s REST v1 non-AWS_PROXY
+* integrations (#457).
+*
+* Background
+* ----------
+*
+* AWS API Gateway uses VTL to map between HTTP request / response shapes
+* and integration backend (Lambda non-proxy / HTTP / MOCK / AWS service)
+* request / response shapes. The full VTL spec is large; AWS API Gateway
+* exposes a SUBSET plus three AWS-specific built-in variables (`$input`,
+* `$context`, `$util`). cdk-local implements the SUBSET that real CDK apps
+* use in practice — anything outside it surfaces a clear error rather
+* than silently producing wrong output. See the
+* `VtlEvaluationError.message` field for the exact name when something
+* is unsupported.
+*
+* Supported VTL features
+* ----------------------
+*
+*   - Variable references: `$var` / `${var}` / `$obj.field` /
+*     `$obj.field.subField` (Velocity property notation).
+*   - Method calls on built-ins: `$input.body` / `$input.json('$.path')` /
+*     `$input.path('$.path')` / `$input.params()` / `$input.params('name')` /
+*     `$input.params('header')` / `$context.*` / `$util.escapeJavaScript(x)` /
+*     `$util.base64Encode(x)` / `$util.base64Decode(x)` / `$util.urlEncode(x)` /
+*     `$util.urlDecode(x)` / `$util.parseJson(x)`.
+*   - `#set($var = expr)` directives.
+*   - `#if(cond) ... #elseif(cond) ... #else ... #end` blocks.
+*   - `#foreach($x in $list) ... #end` loops.
+*   - String / number / boolean / null literals: `"text"`, `'text'`, `42`,
+*     `3.14`, `true`, `false`, `null`.
+*   - Logical operators: `&&`, `||`, `!`.
+*   - Comparison operators: `==`, `!=`, `<`, `<=`, `>`, `>=`.
+*   - Implicit string concatenation (literal text + interpolated `$var`).
+*
+* NOT supported (intentionally)
+* -----------------------------
+*
+*   - User-defined macros (`#macro`).
+*   - `#parse` / `#include`.
+*   - Velocity's arithmetic operators (`+ - * /`) outside literal concat.
+*   - Range operator (`[1..5]`).
+*   - `$velocityCount` and other Velocity context built-ins.
+*
+* AWS API Gateway-specific bindings
+* ---------------------------------
+*
+*   `$input.body` — the raw request body as a string.
+*   `$input.json('$.path.to.field')` — JSONPath against the body,
+*     returned as a JSON-stringified value (so primitives are JSON-quoted).
+*   `$input.path('$.path.to.field')` — JSONPath against the body, returned
+*     as the native value (primitives unquoted).
+*   `$input.params()` — `{header: {...}, querystring: {...}, path: {...}}`.
+*   `$input.params('name')` — order: path > query > header (deployed
+*     behavior; AWS docs).
+*   `$input.params('header').<name>` — header lookup.
+*   `$input.params('querystring').<name>` — querystring lookup.
+*   `$input.params('path').<name>` — path-parameter lookup.
+*
+*   `$context.requestId` — synthesized per request.
+*   `$context.identity.sourceIp` — request client IP.
+*   `$context.identity.userAgent` — request user agent.
+*   `$context.httpMethod` — request method.
+*   `$context.resourcePath` — the route's pathPattern.
+*   `$context.stage` — the route's stage name (`$default` if no stage).
+*
+*   `$util.escapeJavaScript(s)` — escape `\`, `'`, `"`, `\n`, `\r`, `\t`
+*     for embedding inside a JavaScript string literal.
+*   `$util.base64Encode(s)` — base64 (no padding stripped).
+*   `$util.base64Decode(s)` — UTF-8 decode of base64.
+*   `$util.urlEncode(s)` / `$util.urlDecode(s)` — RFC 3986 encoding.
+*   `$util.parseJson(s)` — `JSON.parse(s)`.
+*
+* Mismatches between cdk-local's evaluator and AWS-deployed VTL surface as
+* `VtlEvaluationError`. Spurious whitespace / formatting differences are
+* acceptable and not in the contract.
+*/
 /** Error thrown when a template references an unsupported VTL feature. */
 var VtlEvaluationError = class VtlEvaluationError extends Error {
 	constructor(message) {
@@ -8063,7 +8194,7 @@ var VtlEvaluator = class {
 			case "else":
 			case "elseif":
 			case "end": throw new VtlEvaluationError(`Unexpected #${name} outside of a #if / #foreach block`);
-			default: throw new VtlEvaluationError(`Unsupported VTL directive #${name} (cdkl start-api supports #set / #if / #elseif / #else / #foreach / #end / ##)`);
+			default: throw new VtlEvaluationError(`Unsupported VTL directive #${name} (${getEmbedConfig().cliName} start-api supports #set / #if / #elseif / #else / #foreach / #end / ##)`);
 		}
 	}
 	/**
@@ -8335,7 +8466,7 @@ var VtlEvaluator = class {
 	* value must be a function or a special-cased built-in.
 	*/
 	callValueAsMethod(value, argsRaw, refPath) {
-		if (typeof value !== "function") throw new VtlEvaluationError(`Reference '$${refPath}' is not callable (got ${typeof value}). cdk-local supports calling $input / $util / $context method-style references only.`);
+		if (typeof value !== "function") throw new VtlEvaluationError(`Reference '$${refPath}' is not callable (got ${typeof value}). ${getEmbedConfig().productName} supports calling $input / $util / $context method-style references only.`);
 		return value(...this.parseArgList(argsRaw));
 	}
 	/**
@@ -8654,7 +8785,7 @@ function applyJsonPath(root, expr) {
 		if (c === ".") {
 			i++;
 			const m = /^[a-zA-Z_][a-zA-Z_0-9]*/.exec(trimmed.slice(i));
-			if (!m) throw new VtlEvaluationError(`Unsupported JSONPath syntax at position ${i}: '${trimmed}' (cdk-local supports $, $.field, $.field.sub, $.array[index] only).`);
+			if (!m) throw new VtlEvaluationError(`Unsupported JSONPath syntax at position ${i}: '${trimmed}' (${getEmbedConfig().productName} supports $, $.field, $.field.sub, $.array[index] only).`);
 			cursor = lookupField(cursor, m[0]);
 			i += m[0].length;
 			continue;
@@ -8668,7 +8799,7 @@ function applyJsonPath(root, expr) {
 				if (Array.isArray(cursor)) cursor = cursor[idx];
 				else cursor = null;
 			} else if (inside.startsWith("\"") && inside.endsWith("\"") || inside.startsWith("'") && inside.endsWith("'")) cursor = lookupField(cursor, inside.slice(1, -1));
-			else throw new VtlEvaluationError(`Unsupported JSONPath bracket expression: '${inside}' (cdk-local supports integer indices and quoted string keys only).`);
+			else throw new VtlEvaluationError(`Unsupported JSONPath bracket expression: '${inside}' (${getEmbedConfig().productName} supports integer indices and quoted string keys only).`);
 			i = close + 1;
 			continue;
 		}
@@ -8802,7 +8933,7 @@ function evaluateResponseParameters(responseParameters, opts = {}) {
 	for (const [key, value] of Object.entries(responseParameters)) {
 		const headerMatch = /^method\.response\.header\.(.+)$/.exec(key);
 		if (!headerMatch) {
-			opts.onUnsupported?.(key, value, `Only method.response.header.<name> keys are supported on REST v1 ResponseParameters; cdk-local cannot map ${key}.`);
+			opts.onUnsupported?.(key, value, `Only method.response.header.<name> keys are supported on REST v1 ResponseParameters; ${getEmbedConfig().productName} cannot map ${key}.`);
 			continue;
 		}
 		const headerName = headerMatch[1].toLowerCase();
@@ -8814,7 +8945,7 @@ function evaluateResponseParameters(responseParameters, opts = {}) {
 			out[headerName] = value.slice(1, -1);
 			continue;
 		}
-		opts.onUnsupported?.(key, value, `ResponseParameter value '${value}' is a mapping expression (integration.response.* / context.*) which cdkl start-api does not emulate. Only single-quoted literals are honored.`);
+		opts.onUnsupported?.(key, value, `ResponseParameter value '${value}' is a mapping expression (integration.response.* / context.*) which ${getEmbedConfig().cliName} start-api does not emulate. Only single-quoted literals are honored.`);
 	}
 	return out;
 }
@@ -9270,7 +9401,7 @@ function warnSsrfRiskyUri(uri, routeLabel, warn) {
 		return;
 	}
 	const classification = classifyInternalHost(host);
-	if (classification !== void 0) warn(`Integration URI for ${routeLabel} points at ${host} — ${classification}. cdk-local does NOT block this; ensure the upstream is intentional.`);
+	if (classification !== void 0) warn(`Integration URI for ${routeLabel} points at ${host} — ${classification}. ${getEmbedConfig().productName} does NOT block this; ensure the upstream is intentional.`);
 }
 function safeJsonParse(s) {
 	try {
@@ -9318,8 +9449,8 @@ function applyRequestParameters(requestParameters, req, out) {
 		const queryMatch = /^integration\.request\.querystring\.(.+)$/.exec(key);
 		const pathMatch = /^integration\.request\.path\.(.+)$/.exec(key);
 		if (headerMatch) out.headers[headerMatch[1].toLowerCase()] = resolved;
-		else if (queryMatch) logger.warn(`RequestParameter '${key}' (querystring rewrite) is recognized but cdk-local applies querystring rewrites only via URI placeholder substitution; ignoring.`);
-		else if (pathMatch) logger.warn(`RequestParameter '${key}' (path rewrite) is recognized but cdk-local substitutes path placeholders via {param} in the URI; ignoring.`);
+		else if (queryMatch) logger.warn(`RequestParameter '${key}' (querystring rewrite) is recognized but ${getEmbedConfig().productName} applies querystring rewrites only via URI placeholder substitution; ignoring.`);
+		else if (pathMatch) logger.warn(`RequestParameter '${key}' (path rewrite) is recognized but ${getEmbedConfig().productName} substitutes path placeholders via {param} in the URI; ignoring.`);
 		else logger.warn(`Unsupported RequestParameter key '${key}'; skipping.`);
 	}
 }
@@ -9431,7 +9562,7 @@ function createContainerPool(specs, options) {
 	*/
 	async function startOne(spec) {
 		const hostPort = await pickFreePort();
-		const name = `cdkl-${spec.lambda.logicalId}-${process.pid}-${Math.floor(Math.random() * 1e6)}`;
+		const name = `${getEmbedConfig().resourceNamePrefix}-${spec.lambda.logicalId}-${process.pid}-${Math.floor(Math.random() * 1e6)}`;
 		logger.debug(`Starting container ${name} for ${spec.lambda.logicalId} (kind=${spec.kind}) on ${spec.containerHost}:${hostPort}`);
 		let containerId;
 		if (spec.kind === "zip") {
@@ -9660,7 +9791,7 @@ function createContainerPool(specs, options) {
 				let anyTimedOut = false;
 				for (const r of drainResults) if (r.timedOut) {
 					anyTimedOut = true;
-					logger.warn(`Container pool dispose timed out waiting for ${r.entry.inUse.size} in-flight handle(s) on ${r.entry.logicalId} after ${drainTimeoutMs}ms; tearing down anyway. The verify.sh \`docker rm -f cdkl-*\` sweep is the safety net.`);
+					logger.warn(`Container pool dispose timed out waiting for ${r.entry.inUse.size} in-flight handle(s) on ${r.entry.logicalId} after ${drainTimeoutMs}ms; tearing down anyway. The verify.sh \`docker rm -f ${getEmbedConfig().resourceNamePrefix}-*\` sweep is the safety net.`);
 				}
 				if (!anyTimedOut) logger.debug(`In-flight drain completed in ${Date.now() - drainStart}ms`);
 			}
@@ -10515,6 +10646,72 @@ function buildCorsConfigFromCloudFrontChain(template) {
 	return out;
 }
 /**
+* Determine whether a Function URL (`AWS::Lambda::Url`, identified by its
+* logical id) is fronted by a CloudFront Distribution origin that uses
+* Origin Access Control (OAC) to SIGN origin requests.
+*
+* Production-correct CDK pattern (`FunctionUrlOrigin.withOriginAccessControl`):
+* the Function URL declares `AuthType: AWS_IAM`, but the END client never
+* signs as the IAM principal — CloudFront re-signs the origin request with
+* its own SigV4 credentials (service `lambda`) via the OAC, and the Function
+* URL's auto-generated resource policy trusts `cloudfront.amazonaws.com`.
+* Locally there is no CloudFront in the path, so no client signature can
+* reproduce CloudFront's. Callers use this to relax SigV4 verification
+* (warn-and-pass) for these Function URLs without forcing
+* `--allow-unverified-sigv4`.
+*
+* Detection: a CloudFront origin whose `DomainName` matches the canonical
+* `Fn::GetAtt[<fnUrlLogicalId>, 'FunctionUrl']` chain (see
+* {@link pickFnUrlLogicalIdFromOriginDomainName}) AND carries an
+* `OriginAccessControlId`. When that id resolves to an
+* `AWS::CloudFront::OriginAccessControl` whose `SigningBehavior` is
+* explicitly `never`, CloudFront does NOT sign — so we do NOT relax (the
+* AWS_IAM + never-sign combination is non-functional in production too).
+* Any other signing behavior (`always` — the CDK default — or `no-override`)
+* counts as OAC-fronted. An `OriginAccessControlId` that can't be resolved
+* to a local resource (imported literal id) also counts — its presence on a
+* Function URL origin is the signal.
+*/
+function isFunctionUrlOacFronted(template, fnUrlLogicalId) {
+	const resources = template.Resources ?? {};
+	for (const [, resource] of Object.entries(resources)) {
+		if (resource.Type !== "AWS::CloudFront::Distribution") continue;
+		const distConfig = (resource.Properties ?? {})["DistributionConfig"];
+		if (!distConfig || typeof distConfig !== "object") continue;
+		const origins = Array.isArray(distConfig["Origins"]) ? distConfig["Origins"] : [];
+		for (const origin of origins) {
+			if (!origin || typeof origin !== "object") continue;
+			const o = origin;
+			if (pickFnUrlLogicalIdFromOriginDomainName(o["DomainName"]) !== fnUrlLogicalId) continue;
+			const oacRef = o["OriginAccessControlId"];
+			if (oacRef === void 0 || oacRef === "") continue;
+			const oacLogicalId = pickOacRefLogicalId(oacRef);
+			if (!oacLogicalId) return true;
+			const oac = resources[oacLogicalId];
+			if (!oac || oac.Type !== "AWS::CloudFront::OriginAccessControl") return true;
+			const oacConfig = (oac.Properties ?? {})["OriginAccessControlConfig"];
+			if ((oacConfig && typeof oacConfig === "object" ? oacConfig["SigningBehavior"] : void 0) === "never") continue;
+			return true;
+		}
+	}
+	return false;
+}
+/**
+* Unwrap an origin's `OriginAccessControlId` to the referenced
+* `AWS::CloudFront::OriginAccessControl` logical id. CDK synthesizes this
+* as `{ "Fn::GetAtt": [<id>, "Id"] }`; `{ Ref: <id> }` is also accepted.
+* Returns undefined for a literal id string (imported OAC) or any other
+* shape.
+*/
+function pickOacRefLogicalId(value) {
+	if (!value || typeof value !== "object") return void 0;
+	const obj = value;
+	const ref = obj["Ref"];
+	if (typeof ref === "string" && ref.length > 0) return ref;
+	const getAtt = obj["Fn::GetAtt"];
+	if (Array.isArray(getAtt) && getAtt.length === 2 && typeof getAtt[0] === "string") return getAtt[0];
+}
+/**
 * Detect the canonical CDK 2.x `DomainName` shape that points a
 * CloudFront Origin at a Function URL:
 *   {Fn::Select: [2, {Fn::Split: ['/', {Fn::GetAtt: [<id>, 'FunctionUrl']}]}]}
@@ -10812,7 +11009,7 @@ function resolveRestV1Authorizer(authorizerLogicalId, template, stackName, decla
 			declaredAt
 		};
 	}
-	throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: AWS::ApiGateway::Authorizer.Type '${String(type)}' is not supported by cdkl start-api (only TOKEN / REQUEST / COGNITO_USER_POOLS are accepted at the Authorizer resource).`);
+	throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: AWS::ApiGateway::Authorizer.Type '${String(type)}' is not supported by ${getEmbedConfig().cliName} start-api (only TOKEN / REQUEST / COGNITO_USER_POOLS are accepted at the Authorizer resource).`);
 }
 /**
 * Resolve an `AWS::ApiGatewayV2::Authorizer`. HTTP v2 has only `REQUEST`
@@ -10853,7 +11050,7 @@ function resolveHttpApiAuthorizer(authorizerLogicalId, routeAuthorizationScopes,
 			declaredAt
 		};
 	}
-	throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: AWS::ApiGatewayV2::Authorizer.AuthorizerType '${String(authType)}' is not supported by cdkl start-api (only REQUEST / JWT).`);
+	throw new RouteDiscoveryError(`${stackName}/${authorizerLogicalId}: AWS::ApiGatewayV2::Authorizer.AuthorizerType '${String(authType)}' is not supported by ${getEmbedConfig().cliName} start-api (only REQUEST / JWT).`);
 }
 /**
 * Thrown by {@link resolveLambdaArn} when the authorizer's
@@ -11053,8 +11250,8 @@ function pickStringFromArn(value, location) {
 			const arg = obj["Fn::GetAtt"];
 			if (Array.isArray(arg) && arg.length === 2 && typeof arg[0] === "string" && arg[1] === "Arn") {
 				const logicalId = arg[0];
-				getLogger().warn(`${location}: uses Fn::GetAtt against logical ID '${logicalId}'. cdkl start-api cannot resolve the deployed user pool ARN — synthesizing an unreachable placeholder so JWKS pass-through admits every token. For real signature verification, set 'providerArns: [pool.userPoolArn]' explicitly on the CDK construct.`);
-				return `arn:aws:cognito-idp:us-east-1:000000000000:userpool/us-east-1_cdklplaceholder${logicalId}`;
+				getLogger().warn(`${location}: uses Fn::GetAtt against logical ID '${logicalId}'. ${getEmbedConfig().cliName} start-api cannot resolve the deployed user pool ARN — synthesizing an unreachable placeholder so JWKS pass-through admits every token. For real signature verification, set 'providerArns: [pool.userPoolArn]' explicitly on the CDK construct.`);
+				return `arn:aws:cognito-idp:us-east-1:000000000000:userpool/us-east-1_${getEmbedConfig().binaryName}placeholder${logicalId}`;
 			}
 		}
 	}
@@ -11116,7 +11313,7 @@ function attachAuthorizers(stacks, routes) {
 			errors.push(err instanceof Error ? err.message : String(err));
 		}
 	}
-	if (errors.length > 0) throw new RouteDiscoveryError(`cdkl start-api: ${errors.length} authorizer error(s):\n` + errors.map((e) => `  - ${e}`).join("\n"));
+	if (errors.length > 0) throw new RouteDiscoveryError(`${getEmbedConfig().cliName} start-api: ${errors.length} authorizer error(s):\n` + errors.map((e) => `  - ${e}`).join("\n"));
 	return out;
 }
 /**
@@ -11151,7 +11348,8 @@ function detectFunctionUrlAuthorizer(urlResource, urlLogicalId, stack) {
 	return {
 		kind: "iam",
 		logicalId: "AWS_IAM",
-		declaredAt: `${stack.stackName}/${urlLogicalId}`
+		declaredAt: `${stack.stackName}/${urlLogicalId}`,
+		...isFunctionUrlOacFronted(stack.template, urlLogicalId) && { oacFronted: true }
 	};
 }
 function detectRestV1Authorizer(methodResource, methodLogicalId, stack) {
@@ -11919,11 +12117,16 @@ function defaultCredentialsLoader() {
 *   - **Signature mismatch** under the dev's own credentials → `{allow: false}`.
 *     The http-server maps this to 403 (REST v1 `policy-deny`).
 *   - **Different `Credential` access-key-id than the dev has** →
-*     `{allow: true}` plus a one-line warn (warn-and-pass; we can't
-*     reproduce a signing key we don't have).
+*     `{allow: false}` by default (we can't reproduce a signing key we
+*     don't have). With `allowUnverified` (the `--allow-unverified-sigv4`
+*     flag, or `oacFronted` routes) → `{allow: true}` plus a one-line warn
+*     (warn-and-pass).
 *   - **Valid signature with the dev's credentials** → `{allow: true}`.
 *     The principal id surfaced to the handler is the parsed
 *     `Credential` access-key-id.
+*   - **`oacFronted` route** → the caller forces `allowUnverified` on, so
+*     foreign / no-creds requests pass through (CloudFront re-signs origin
+*     requests in production) and the warn lines reference CloudFront OAC.
 */
 async function verifySigV4(req, loadCredentials, opts = {}) {
 	const logger = getLogger();
@@ -11990,7 +12193,7 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
 				identityHash: void 0
 			};
 		}
-		logger.warn(`AWS_IAM authorizer: failed to resolve local AWS credentials (${reason}). --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-no-creds'. Do NOT trust event.requestContext.identity.accessKey in handler code.`);
+		logger.warn(opts.oacFronted ? `AWS_IAM authorizer: Function URL is fronted by CloudFront OAC (CloudFront re-signs origin requests in production), and local AWS credentials could not be resolved (${reason}). Passing through with unverified principalId 'unverified-no-creds'. Do NOT trust event.requestContext.identity.accessKey in handler code.` : `AWS_IAM authorizer: failed to resolve local AWS credentials (${reason}). --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-no-creds'. Do NOT trust event.requestContext.identity.accessKey in handler code.`);
 		return {
 			allow: true,
 			principalId: "unverified-no-creds",
@@ -12011,7 +12214,7 @@ async function verifySigV4(req, loadCredentials, opts = {}) {
 			};
 		}
 		if (!warned || !warned.has(dedupKey)) {
-			logger.warn(`AWS_IAM authorizer: request signed with foreign access-key-id '${parsed.credentialAccessKeyId}'. --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-foreign-identity'. Do NOT trust event.requestContext.authorizer.principalId in handler code.`);
+			logger.warn(opts.oacFronted ? `AWS_IAM authorizer: Function URL is fronted by CloudFront OAC — in production CloudFront re-signs the origin request, so the local client's signature (access-key-id '${parsed.credentialAccessKeyId}') cannot be verified. Passing through with unverified principalId 'unverified-foreign-identity'. Do NOT trust event.requestContext.authorizer.principalId in handler code.` : `AWS_IAM authorizer: request signed with foreign access-key-id '${parsed.credentialAccessKeyId}'. --allow-unverified-sigv4 is set; passing through with unverified principalId 'unverified-foreign-identity'. Do NOT trust event.requestContext.authorizer.principalId in handler code.`);
 			warned?.add(dedupKey);
 		}
 		return {
@@ -12974,6 +13177,7 @@ async function runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, re
 				denyKind: "policy-deny"
 			};
 		}
+		const oacFronted = authorizer.oacFronted === true;
 		const sigResult = await verifySigV4({
 			method: snapshot.method,
 			rawUrl: snapshot.rawUrl,
@@ -12981,7 +13185,8 @@ async function runAuthorizerPass(authorizer, snapshot, matchCtx, state, opts, re
 			body: snapshot.body
 		}, opts.sigV4CredentialsLoader, {
 			...opts.sigV4WarnedForeignIds && { warnedForeignIds: opts.sigV4WarnedForeignIds },
-			...opts.sigV4AllowUnverified !== void 0 && { allowUnverified: opts.sigV4AllowUnverified }
+			allowUnverified: oacFronted || opts.sigV4AllowUnverified === true,
+			...oacFronted && { oacFronted: true }
 		});
 		if (!sigResult.allow) return {
 			result: { allow: false },
@@ -13312,7 +13517,7 @@ function flattenHeadersForMapping(req) {
 * absent values.
 */
 function buildServiceIntegrationContextVars(req, route) {
-	const requestId = `cdkl-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
+	const requestId = `${getEmbedConfig().binaryName}-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
 	const sourceIp = req.socket.remoteAddress ?? "127.0.0.1";
 	return {
 		requestId,
@@ -13913,7 +14118,7 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	let apiFilter = target;
 	if (options.api !== void 0) {
 		if (target !== void 0) throw new Error(`Cannot specify both positional target ('${target}') and --api flag ('${options.api}'). Use one or the other. The positional form is preferred — '--api' is a deprecated alias.`);
-		logger.warn("[deprecated] --api <id> will be removed in a future major release. Use the positional argument instead: 'cdkl start-api <id>'.");
+		logger.warn(`[deprecated] --api <id> will be removed in a future major release. Use the positional argument instead: '${getEmbedConfig().cliName} start-api <id>'.`);
 		apiFilter = options.api;
 	}
 	warnIfDeprecatedRegion(options);
@@ -13923,7 +14128,7 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	});
 	await ensureDockerAvailable();
 	const appCmd = resolveApp(options.app);
-	if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKL_APP, or add \"app\" to cdk.json.");
+	if (!appCmd) throw new Error(`No CDK app specified. Pass --app, set ${getEmbedConfig().envPrefix}_APP, or add "app" to cdk.json.`);
 	const overrides = readEnvOverridesFile$2(options.envVars);
 	const debugPortBase = options.debugPortBase ? parseDebugPort(options.debugPortBase) : void 0;
 	const perLambdaConcurrency = parsePerLambdaConcurrency(options.perLambdaConcurrency);
@@ -13966,13 +14171,13 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 		if (targetStacks.length === 0) throw new Error("No stacks matched. Pass --stack <name> (or --from-cfn-stack <name>) or run from a single-stack app.");
 		const routedStackNames = targetStacks.map((s) => s.stackName);
 		tryEmitFromCfnRedundancyTipOnce(options.fromCfnStack, routedStackNames, fromCfnTipEmitted, (routedStackName) => {
-			logger.info(`tip: --from-cfn-stack value matches the routed stack name (${routedStackName}); you can omit the value: \`cdkl start-api ... --from-cfn-stack\` (bare flag) resolves to the same value.`);
+			logger.info(`tip: --from-cfn-stack value matches the routed stack name (${routedStackName}); you can omit the value: \`${getEmbedConfig().cliName} start-api ... --from-cfn-stack\` (bare flag) resolves to the same value.`);
 		});
 		const routes = discoverRoutes(targetStacks);
 		const wsDiscovery = discoverWebSocketApis(targetStacks);
 		if (wsDiscovery.errors.length > 0) for (const e of wsDiscovery.errors) logger.warn(`WebSocket discovery: ${e}`);
 		const webSocketApis = wsDiscovery.apis;
-		if (routes.length === 0 && webSocketApis.length === 0) throw new Error("No supported API routes were discovered. cdkl start-api supports AWS::ApiGateway::* (REST v1), AWS::ApiGatewayV2::* (HTTP + WebSocket), and AWS::Lambda::Url (Function URL) with AWS_PROXY integrations only.");
+		if (routes.length === 0 && webSocketApis.length === 0) throw new Error(`No supported API routes were discovered. ${getEmbedConfig().cliName} start-api supports AWS::ApiGateway::* (REST v1), AWS::ApiGatewayV2::* (HTTP + WebSocket), and AWS::Lambda::Url (Function URL) with AWS_PROXY integrations only.`);
 		const stageMap = /* @__PURE__ */ new Map();
 		for (const stack of targetStacks) {
 			const m = buildStageMap(stack.template, options.stage);
@@ -14135,7 +14340,7 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 	warnUnsupportedWebSocketApis(initialWsApis, logger);
 	if (initialWsApis.filter((api) => !api.unsupported).length > 0) {
 		const probe = await probeHostGatewaySupport();
-		if (!probe.supported) throw new Error(`cdkl start-api requires Docker ${HOST_GATEWAY_MIN_VERSION.major}.${HOST_GATEWAY_MIN_VERSION.minor}+ for WebSocket API support (--add-host=host.docker.internal:host-gateway needs the 20.10 host-gateway alias). Detected server version: ${probe.rawVersion || "<empty — daemon unreachable or output stripped>"}. Upgrade Docker, or remove the WebSocket API from this app to fall back to HTTP-only start-api.`);
+		if (!probe.supported) throw new Error(`${getEmbedConfig().cliName} start-api requires Docker ${HOST_GATEWAY_MIN_VERSION.major}.${HOST_GATEWAY_MIN_VERSION.minor}+ for WebSocket API support (--add-host=host.docker.internal:host-gateway needs the 20.10 host-gateway alias). Detected server version: ${probe.rawVersion || "<empty — daemon unreachable or output stripped>"}. Upgrade Docker, or remove the WebSocket API from this app to fall back to HTTP-only start-api.`);
 		if (probe.parsed === null) logger.warn(`Docker server version "${probe.rawVersion}" did not match the canonical "<major>.<minor>" shape; assuming host-gateway support. If WebSocket containers fail to reach the local server, verify your Docker-compatible CLI honors --add-host=host.docker.internal:host-gateway.`);
 	}
 	for (const api of initialWsApis) {
@@ -14311,7 +14516,7 @@ async function localStartApiCommand(target, options, extraStateProviders) {
 		if (shutdownStarted) {
 			if (!forceExitArmed) {
 				forceExitArmed = true;
-				logger.warn(`Received second ${signal}; force-exiting. Orphan containers may remain — run 'docker ps --filter name=cdkl-' and 'docker rm -f' to clean up.`);
+				logger.warn(`Received second ${signal}; force-exiting. Orphan containers may remain — run 'docker ps --filter name=${getEmbedConfig().resourceNamePrefix}-' and 'docker rm -f' to clean up.`);
 				process.exit(130);
 			}
 			return;
@@ -14497,10 +14702,21 @@ function warnVpcConfigLambdas(routesWithAuth, stacks) {
 function warnIamRoutes(routesWithAuth) {
 	const logger = getLogger();
 	const iamRoutes = [];
-	for (const entry of routesWithAuth) if (entry.authorizer?.kind === "iam") iamRoutes.push(entry.route.declaredAt);
-	if (iamRoutes.length === 0) return false;
-	logger.warn(`${iamRoutes.length} route(s) declare AuthorizationType: AWS_IAM — cdkl start-api verifies SigV4 signatures against your local AWS credentials, but does NOT emulate IAM policy evaluation (resource / action / condition rules). Signature-verified callers reach the handler under their own identity; downstream authorization is the dev's responsibility.`);
-	for (const declaredAt of iamRoutes) logger.warn(`  - ${declaredAt}`);
+	const oacRoutes = [];
+	for (const entry of routesWithAuth) {
+		if (entry.authorizer?.kind !== "iam") continue;
+		if (entry.authorizer.oacFronted === true) oacRoutes.push(entry.route.declaredAt);
+		else iamRoutes.push(entry.route.declaredAt);
+	}
+	if (iamRoutes.length === 0 && oacRoutes.length === 0) return false;
+	if (iamRoutes.length > 0) {
+		logger.warn(`${iamRoutes.length} route(s) declare AuthorizationType: AWS_IAM — ${getEmbedConfig().cliName} start-api verifies SigV4 signatures against your local AWS credentials, but does NOT emulate IAM policy evaluation (resource / action / condition rules). Signature-verified callers reach the handler under their own identity; downstream authorization is the dev's responsibility.`);
+		for (const declaredAt of iamRoutes) logger.warn(`  - ${declaredAt}`);
+	}
+	if (oacRoutes.length > 0) {
+		logger.warn(`${oacRoutes.length} Function URL route(s) with AuthType: AWS_IAM are fronted by a CloudFront Origin Access Control. In production CloudFront re-signs the origin request, so no local client signature can be verified — ${getEmbedConfig().cliName} start-api passes these through (warn-and-pass) WITHOUT requiring --allow-unverified-sigv4. Do NOT trust the request identity in handler code.`);
+		for (const declaredAt of oacRoutes) logger.warn(`  - ${declaredAt}`);
+	}
 	return true;
 }
 /**
@@ -14625,7 +14841,7 @@ async function resolveContainerImageForStartApi(lambda, skipPull) {
 	const logger = getLogger();
 	const localBuild = await resolveLocalBuildPlan(lambda);
 	if (localBuild) return { imageRef: await buildContainerImage(localBuild.asset, localBuild.cdkOutDir, { architecture: lambda.architecture }) };
-	if (!parseEcrUri(lambda.imageUri)) throw new Error(`Container Lambda '${lambda.logicalId}' has no matching asset in cdk.out, and Code.ImageUri '${lambda.imageUri}' is not an ECR URI cdkl can authenticate against. Re-synthesize the CDK app (so cdk.out includes the build context) or deploy the image to ECR first.`);
+	if (!parseEcrUri(lambda.imageUri)) throw new Error(`Container Lambda '${lambda.logicalId}' has no matching asset in cdk.out, and Code.ImageUri '${lambda.imageUri}' is not an ECR URI ${getEmbedConfig().binaryName} can authenticate against. Re-synthesize the CDK app (so cdk.out includes the build context) or deploy the image to ECR first.`);
 	logger.info(`No matching cdk.out asset for ${lambda.imageUri}; falling back to ECR pull (same-acct/region only)...`);
 	return { imageRef: await pullEcrImage(lambda.imageUri, { skipPull }) };
 }
@@ -14697,7 +14913,7 @@ async function materializeLambdaLayers(layers, layerTmpDirs, layerRoleArn) {
 		});
 	}
 	if (flat.length === 1) return flat[0].assetPath;
-	const dir = mkdtempSync(path.join(tmpdir(), "cdkl-start-api-layers-"));
+	const dir = mkdtempSync(path.join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-start-api-layers-`));
 	for (const layer of flat) cpSync(layer.assetPath, dir, {
 		recursive: true,
 		force: true
@@ -14725,7 +14941,7 @@ function resolveLambdaByLogicalId(logicalId, stacks) {
 		});
 		const runtime = typeof props["Runtime"] === "string" ? props["Runtime"] : "";
 		const handler = typeof props["Handler"] === "string" ? props["Handler"] : "";
-		if (!runtime) throw new Error(`Lambda '${logicalId}' has no Runtime property and no Code.ImageUri. cdkl start-api cannot tell if this is a ZIP or a container Lambda.`);
+		if (!runtime) throw new Error(`Lambda '${logicalId}' has no Runtime property and no Code.ImageUri. ${getEmbedConfig().cliName} start-api cannot tell if this is a ZIP or a container Lambda.`);
 		if (!handler) throw new Error(`Lambda '${logicalId}' has no Handler property.`);
 		const inlineCode = typeof code["ZipFile"] === "string" ? code["ZipFile"] : void 0;
 		let codePath = null;
@@ -14785,9 +15001,10 @@ function extractImageUri(value, logicalId, stackName, resources, region) {
 			const pseudoParameters = derivePseudoParametersFromRegion(region);
 			const joinResolved = tryResolveImageFnJoin(value, resources, pseudoParameters ? { pseudoParameters } : void 0);
 			if (joinResolved.kind === "resolved") return joinResolved.uri;
-			if (joinResolved.kind === "needs-state") throw new Error(`Lambda '${logicalId}' in ${stackName} references same-stack ECR repository '${joinResolved.repoLogicalId}' via Fn::Join. cdkl start-api cannot resolve the repository URI without state — deploy the stack first, rebuild via lambda.DockerImageCode.fromImageAsset, or pin a public image.`);
-			if (joinResolved.kind === "unsupported-join") throw new Error(`Lambda '${logicalId}' in ${stackName} has an unsupported Fn::Join Code.ImageUri shape: ${joinResolved.reason}. cdkl start-api recognizes the canonical CDK 2.x lambda.DockerImageCode.fromEcr Fn::Join shape (delimiter "" with nested Fn::Select/Fn::Split over an ECR Repository Arn GetAtt + Ref to the repo).`);
-			throw new Error(`Lambda '${logicalId}' in ${stackName} has an Fn::Join Code.ImageUri that cdkl start-api cannot resolve${pseudoParameters ? " (likely ${AWS::AccountId}, which cdkl cannot derive without a state source or STS)" : ` (cdkl could not derive AWS pseudo parameters because stack.region was undefined)`}. Workarounds: deploy first and run with a state-source flag (e.g. --from-cfn-stack or a host-provided extension), or pin a fully-literal public image URI.`);
+			if (joinResolved.kind === "needs-state") throw new Error(`Lambda '${logicalId}' in ${stackName} references same-stack ECR repository '${joinResolved.repoLogicalId}' via Fn::Join. ${getEmbedConfig().cliName} start-api cannot resolve the repository URI without state — deploy the stack first, rebuild via lambda.DockerImageCode.fromImageAsset, or pin a public image.`);
+			if (joinResolved.kind === "unsupported-join") throw new Error(`Lambda '${logicalId}' in ${stackName} has an unsupported Fn::Join Code.ImageUri shape: ${joinResolved.reason}. ${getEmbedConfig().cliName} start-api recognizes the canonical CDK 2.x lambda.DockerImageCode.fromEcr Fn::Join shape (delimiter "" with nested Fn::Select/Fn::Split over an ECR Repository Arn GetAtt + Ref to the repo).`);
+			const accountIdHint = pseudoParameters ? ` (likely \${AWS::AccountId}, which ${getEmbedConfig().binaryName} cannot derive without a state source or STS)` : ` (${getEmbedConfig().binaryName} could not derive AWS pseudo parameters because stack.region was undefined)`;
+			throw new Error(`Lambda '${logicalId}' in ${stackName} has an Fn::Join Code.ImageUri that ${getEmbedConfig().cliName} start-api cannot resolve${accountIdHint}. Workarounds: deploy first and run with a state-source flag (e.g. --from-cfn-stack or a host-provided extension), or pin a fully-literal public image URI.`);
 		}
 	}
 }
@@ -14810,7 +15027,7 @@ function resolveImageLambda(args) {
 		const first = arches[0];
 		if (first === "arm64") architecture = "arm64";
 		else if (first === "x86_64") architecture = "x86_64";
-		else throw new Error(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. cdkl start-api supports x86_64 and arm64.`);
+		else throw new Error(`Lambda '${logicalId}' has unsupported Architectures value '${String(first)}'. ${getEmbedConfig().cliName} start-api supports x86_64 and arm64.`);
 	}
 	const ephemeralStorageMb = extractEphemeralStorageMb(props, logicalId);
 	return {
@@ -14834,7 +15051,7 @@ function resolveImageLambda(args) {
 */
 function resolveAssetCodePath(stack, logicalId, resource) {
 	const assetPath = resource.Metadata?.["aws:asset:path"];
-	if (typeof assetPath !== "string" || assetPath.length === 0) throw new Error(`Lambda '${logicalId}' has no Metadata['aws:asset:path']. cdkl start-api needs this hint to find the local asset directory. Re-synthesize the app and retry.`);
+	if (typeof assetPath !== "string" || assetPath.length === 0) throw new Error(`Lambda '${logicalId}' has no Metadata['aws:asset:path']. ${getEmbedConfig().cliName} start-api needs this hint to find the local asset directory. Re-synthesize the app and retry.`);
 	const cdkOutDir = stack.assetManifestPath ? path.dirname(stack.assetManifestPath) : process.cwd();
 	return path.isAbsolute(assetPath) ? assetPath : path.resolve(cdkOutDir, assetPath);
 }
@@ -14891,7 +15108,7 @@ function materializeInlineCode(handler, source, fileExtension, tmpDirsOut) {
 	const lastDot = handler.lastIndexOf(".");
 	if (lastDot <= 0) throw new Error(`Handler '${handler}' is malformed: expected '<modulePath>.<exportName>'.`);
 	const modulePath = handler.substring(0, lastDot);
-	const dir = mkdtempSync(path.join(tmpdir(), "cdkl-start-api-"));
+	const dir = mkdtempSync(path.join(tmpdir(), `${getEmbedConfig().resourceNamePrefix}-start-api-`));
 	tmpDirsOut.add(dir);
 	const filePath = path.join(dir, `${modulePath}${fileExtension}`);
 	mkdirSync(path.dirname(filePath), { recursive: true });
@@ -15000,7 +15217,7 @@ async function assumeLambdaExecutionRole(roleArn, region) {
 	try {
 		const creds = (await sts.send(new AssumeRoleCommand({
 			RoleArn: roleArn,
-			RoleSessionName: `cdkl-start-api-${Date.now()}`,
+			RoleSessionName: `${getEmbedConfig().resourceNamePrefix}-start-api-${Date.now()}`,
 			DurationSeconds: 3600
 		}))).Credentials;
 		if (!creds?.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) throw new Error(`AssumeRole(${roleArn}) returned no usable credentials.`);
@@ -15146,7 +15363,7 @@ async function reloadAllServers(args) {
 	const newKeys = new Set(newByKey.keys());
 	const added = [...newKeys].filter((k) => !oldKeys.has(k));
 	const removed = [...oldKeys].filter((k) => !newKeys.has(k));
-	if (added.length > 0) logger.warn(`Reload detected new API surface(s): ${added.join(", ")}. Restart 'cdkl start-api' to serve them.`);
+	if (added.length > 0) logger.warn(`Reload detected new API surface(s): ${added.join(", ")}. Restart '${getEmbedConfig().cliName} start-api' to serve them.`);
 	if (removed.length > 0) logger.warn(`Reload detected removed API surface(s): ${removed.join(", ")}. Their servers will keep serving stale routes until restart.`);
 	for (const booted of servers) {
 		const group = newByKey.get(booted.group.serverKey);
@@ -15334,12 +15551,13 @@ function resolveMtlsConfig(options) {
 * Builder for the `start-api` subcommand.
 */
 function createLocalStartApiCommand(opts = {}) {
-	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and AWS_IAM auth (REST v1 `AuthorizationType: AWS_IAM` and Function URL `AuthType: AWS_IAM` — SigV4 signature verification only; IAM policy evaluation is NOT emulated). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", "Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors `cdkl invoke` / `cdkl run-task` target syntax.").addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: re-synth + re-discover routes when cdk.out/ or asset directories change. Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers (issue #448). Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in Lambda env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name per routed stack; pass an explicit value when a single CFn stack should serve every routed stack. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--mtls-truststore <path>", "PEM-encoded CA bundle for client-certificate verification (mutual TLS). When set, the local server switches from HTTP to HTTPS and the TLS handshake rejects clients whose certificate doesn't chain to one of these CAs. Verified certs are surfaced on the Lambda event under requestContext.identity.clientCert (REST v1) / requestContext.authentication.clientCert (HTTP API v2). Must be set together with --mtls-cert + --mtls-key; partial flag sets are rejected. Generate a CA + server + client cert for local dev: openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem -subj \"/CN=cdkl-ca\" -days 365; openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem -subj \"/CN=localhost\"; openssl x509 -req -in server-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365; openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem -subj \"/CN=client\"; openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 365; curl --cacert ca.pem --cert client-cert.pem --key client-key.pem https://localhost:<port>/...")).addOption(new Option("--mtls-cert <path>", "PEM-encoded server certificate for mutual TLS. Self-signed is fine for local dev. Must be set together with --mtls-truststore + --mtls-key.")).addOption(new Option("--mtls-key <path>", "PEM-encoded server private key matching --mtls-cert. Must be set together with --mtls-truststore + --mtls-cert.")).addOption(new Option("--allow-unverified-sigv4", "Opt-in: allow AWS_IAM SigV4 requests that cannot be cryptographically verified (foreign access-key-id, OR no local AWS credentials configured) to pass through with a placeholder principalId. DEFAULT off — fail-closed so unauthenticated bypass is impossible against `event.requestContext.identity.accessKey`-trusting handler code. Use only in dev loops where you understand the risk.").default(false)).action(withErrorHandling(async (target, options) => {
+	setEmbedConfig(opts.embedConfig);
+	const startApi = new Command("start-api").description("Run a long-running local HTTP server that maps API Gateway routes (REST v1, HTTP API, Function URL) to Lambda invocations against the AWS Lambda Runtime Interface Emulator (Docker required). Supports Lambda TOKEN/REQUEST authorizers, Cognito User Pool / HTTP v2 JWT authorizers, and AWS_IAM auth (REST v1 `AuthorizationType: AWS_IAM` and Function URL `AuthType: AWS_IAM` — SigV4 signature verification only; IAM policy evaluation is NOT emulated). When JWKS is unreachable, JWT authorizers fall back to pass-through (every token accepted) with a warn line — local dev fallback. VPC-config Lambdas run locally and surface a warn line at startup; their containers do NOT get attached to the deployed VPC subnets, so calls to private RDS / ElastiCache will fail.").argument("[target]", `Optional API filter. Accepts the bare CDK logical id ('MyHttpApi'; single-stack apps only), stack-qualified logical id ('MyStack:MyHttpApi'), full CDK Construct path ('MyStack/MyHttpApi/Resource'), or an ancestor Construct path that prefix-matches ('MyStack/MyHttpApi'). When omitted, every discovered API gets its own server. Mirrors \`${getEmbedConfig().cliName} invoke\` / \`${getEmbedConfig().cliName} run-task\` target syntax.`).addOption(new Option("--port <port>", "HTTP server port (default: auto-allocate)").default("0")).addOption(new Option("--host <host>", "Bind address").default("127.0.0.1")).addOption(new Option("--stack <name>", "Stack to start (single-stack apps auto-detect)")).addOption(new Option("--warm", "Pre-start one container per Lambda at server boot").default(false)).addOption(new Option("--per-lambda-concurrency <n>", "Pool size cap per Lambda (default 2, max 4)").default("2")).addOption(new Option("--no-pull", "Skip docker pull (cached image)")).addOption(new Option("--container-host <host>", "IP the host uses to bind/probe the RIE port (must be a numeric IP — `docker run -p <ip>:<port>:8080` rejects hostnames). Defaults to 127.0.0.1.").default("127.0.0.1")).addOption(new Option("--debug-port-base <port>", "Reserve a contiguous --debug-port range (one per Lambda)")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"LogicalId\":{\"KEY\":\"VALUE\"}, \"Parameters\": {...}})")).addOption(new Option("--assume-role <arn-or-pair>", "Assume the Lambda's execution role and forward STS-issued temp creds. Bare <arn> = global default; <LogicalId>=<arn> = per-Lambda override (repeatable). Per-Lambda > global > unset (developer creds passed through).").argParser((raw, prev) => parseAssumeRoleToken(raw, prev))).addOption(new Option("--watch", "Hot-reload: re-synth + re-discover routes when cdk.out/ or asset directories change. Off by default; the server keeps the previous version serving when synth fails mid-reload.").default(false)).addOption(new Option("--stage <name>", "Select an API Gateway Stage by its 'StageName'. Default: the first Stage attached to each API. Drives event.stageVariables for both REST v1 and HTTP API v2. NOTE: For HTTP API v2 routes, requestContext.stage is always '$default' regardless of this flag (AWS-side limitation — HTTP API only exposes one stage to the integration event); only event.stageVariables is affected for v2 routes. For REST v1 routes the selected StageName is also threaded into requestContext.stage.")).addOption(new Option("--api <id>", "DEPRECATED — use the positional <target> argument instead. Same accepted forms (bare logical id, stack-qualified, Construct path, ancestor prefix). Will be removed in a future major release.")).addOption(new Option("--layer-role-arn <arn>", "Role to sts:AssumeRole before calling lambda:GetLayerVersion on every literal-ARN entry in Properties.Layers (issue #448). Use only when the dev credentials cannot read the layer — typically cross-account layers. AWS-published public layers (e.g. Lambda Powertools) are readable from every account and need no role.")).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in Lambda env vars with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the resolved stack name per routed stack; pass an explicit value when a single CFn stack should serve every routed stack. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).addOption(new Option("--mtls-truststore <path>", `PEM-encoded CA bundle for client-certificate verification (mutual TLS). When set, the local server switches from HTTP to HTTPS and the TLS handshake rejects clients whose certificate doesn't chain to one of these CAs. Verified certs are surfaced on the Lambda event under requestContext.identity.clientCert (REST v1) / requestContext.authentication.clientCert (HTTP API v2). Must be set together with --mtls-cert + --mtls-key; partial flag sets are rejected. Generate a CA + server + client cert for local dev: openssl req -x509 -newkey rsa:2048 -nodes -keyout ca-key.pem -out ca.pem -subj "/CN=${getEmbedConfig().resourceNamePrefix}-ca" -days 365; openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -out server-csr.pem -subj "/CN=localhost"; openssl x509 -req -in server-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365; openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -out client-csr.pem -subj "/CN=client"; openssl x509 -req -in client-csr.pem -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 365; curl --cacert ca.pem --cert client-cert.pem --key client-key.pem https://localhost:<port>/...`)).addOption(new Option("--mtls-cert <path>", "PEM-encoded server certificate for mutual TLS. Self-signed is fine for local dev. Must be set together with --mtls-truststore + --mtls-key.")).addOption(new Option("--mtls-key <path>", "PEM-encoded server private key matching --mtls-cert. Must be set together with --mtls-truststore + --mtls-cert.")).addOption(new Option("--allow-unverified-sigv4", "Opt-in: allow AWS_IAM SigV4 requests that cannot be cryptographically verified (foreign access-key-id, OR no local AWS credentials configured) to pass through with a placeholder principalId. DEFAULT off — fail-closed so unauthenticated bypass is impossible against `event.requestContext.identity.accessKey`-trusting handler code. Use only in dev loops where you understand the risk.").default(false)).action(withErrorHandling(async (target, options) => {
 		await localStartApiCommand(target, options, opts.extraStateProviders);
 	}));
 	[
-		...commonOptions,
-		...appOptions,
+		...commonOptions(),
+		...appOptions(),
 		...contextOptions
 	].forEach((opt) => startApi.addOption(opt));
 	startApi.addOption(deprecatedRegionOption);
@@ -15419,7 +15637,7 @@ const SHARED_SVC_SUBNET_OCTET = 171;
 * CLI tears down ONCE at the end of the run.
 */
 async function createSharedSvcNetwork(options = {}) {
-	const networkName = `${options.prefix ?? "cdkl"}-svc-${randomBytes(4).toString("hex")}`;
+	const networkName = `${options.prefix ?? getEmbedConfig().resourceNamePrefix}-svc-${randomBytes(4).toString("hex")}`;
 	const { cidr, sidecarIp } = buildEndpointSubnet(171);
 	return {
 		networkName,
@@ -15459,7 +15677,7 @@ async function createNetworkAndSidecar(args) {
 		]);
 	} catch (err) {
 		const e = err;
-		throw new DockerRunnerError(`docker network create failed: ${e.stderr?.trim() || e.message || String(err)}. Hint: another cdk-local run may already own subnet ${cidr}; wait for it to finish, or remove the leftover network with \`docker network ls\` + \`docker network rm\`. \`cdkl start-service\` shares one network across every service in the run; bare \`cdkl run-task\` uses a per-task network so only one run can be active at a time.`);
+		throw new DockerRunnerError(`docker network create failed: ${e.stderr?.trim() || e.message || String(err)}. Hint: another ${getEmbedConfig().productName} run may already own subnet ${cidr}; wait for it to finish, or remove the leftover network with \`docker network ls\` + \`docker network rm\`. \`${getEmbedConfig().cliName} start-service\` shares one network across every service in the run; bare \`${getEmbedConfig().cliName} run-task\` uses a per-task network so only one run can be active at a time.`);
 	}
 	const sidecarArgs = [
 		"run",
@@ -15498,7 +15716,7 @@ async function createNetworkAndSidecar(args) {
 * lookup at container start doesn't race.
 */
 async function createTaskNetwork(options = {}) {
-	const networkName = `${options.prefix ?? "cdkl"}-task-${randomBytes(4).toString("hex")}`;
+	const networkName = `${options.prefix ?? getEmbedConfig().resourceNamePrefix}-task-${randomBytes(4).toString("hex")}`;
 	const { cidr, sidecarIp } = options.subnetOctet === void 0 ? {
 		cidr: DEFAULT_METADATA_ENDPOINT_SUBNET,
 		sidecarIp: METADATA_ENDPOINT_IP
@@ -16045,7 +16263,7 @@ async function prepareOneImage(task, container, options) {
 			if (image.assetHash && dockerImages[image.assetHash]) asset = dockerImages[image.assetHash];
 			else if (entries.length === 1) asset = entries[0][1];
 			if (!asset) throw new EcsTaskRunnerError(`Container '${container.name}' references a CDK asset image but no matching entry was found in cdk.out. Re-synthesize the CDK app and retry.`);
-			const tag = `cdkl-run-task-${(image.assetHash ?? "single").slice(0, 16)}`;
+			const tag = `${getEmbedConfig().resourceNamePrefix}-run-task-${(image.assetHash ?? "single").slice(0, 16)}`;
 			const actualTag = await buildDockerImage(asset, cdkOutDir, {
 				tag,
 				...options.platformOverride !== void 0 && { platform: options.platformOverride },
@@ -16084,7 +16302,7 @@ async function realizeDockerVolumes(volumes, state) {
 		if (cfg?.driver) args.push("--driver", cfg.driver);
 		if (cfg?.driverOpts) for (const [k, val] of Object.entries(cfg.driverOpts)) args.push("--opt", `${k}=${val}`);
 		if (cfg?.labels) for (const [k, val] of Object.entries(cfg.labels)) args.push("--label", `${k}=${val}`);
-		const dockerVolumeName = `cdkl-${v.name}-${randHex(4)}`;
+		const dockerVolumeName = `${getEmbedConfig().resourceNamePrefix}-${v.name}-${randHex(4)}`;
 		args.push(dockerVolumeName);
 		try {
 			await execFileAsync$1(getDockerCmd(), args);
@@ -16124,7 +16342,7 @@ function groupSecretsByContainer(resolved) {
 function buildDockerRunArgs(opts) {
 	const { task, container, image, network, volumeByName, secrets, containerHost, roleArn } = opts;
 	const args = ["run", "-d"];
-	args.push("--name", `cdkl-${task.family}-${container.name}-${randHex(3)}`);
+	args.push("--name", `${getEmbedConfig().resourceNamePrefix}-${task.family}-${container.name}-${randHex(3)}`);
 	args.push("--network", network);
 	args.push("--network-alias", container.name);
 	if (opts.networkAliases && opts.networkAliases.length > 0) {
@@ -16256,7 +16474,7 @@ async function localRunTaskCommand(target, options, extraStateProviders) {
 		});
 		await ensureDockerAvailable();
 		const appCmd = resolveApp(options.app);
-		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKL_APP, or add \"app\" to cdk.json.");
+		if (!appCmd) throw new Error(`No CDK app specified. Pass --app, set ${getEmbedConfig().envPrefix}_APP, or add "app" to cdk.json.`);
 		logger.info("Synthesizing CDK app...");
 		const synthesizer = new Synthesizer();
 		const context = parseContextOptions(options.context);
@@ -16297,7 +16515,7 @@ async function localRunTaskCommand(target, options, extraStateProviders) {
 		let assumedCredentials;
 		let resolvedRoleArn;
 		if (options.assumeTaskRole === true) {
-			if (!task.taskRoleArn) throw new Error("--assume-task-role passed without an ARN but the task definition has no resolvable TaskRoleArn. Either the task definition does not set TaskRoleArn, or it points at a resource cdkl cannot resolve to an IAM Role at synth time. Pass the ARN explicitly: --assume-task-role <arn>");
+			if (!task.taskRoleArn) throw new Error(`--assume-task-role passed without an ARN but the task definition has no resolvable TaskRoleArn. Either the task definition does not set TaskRoleArn, or it points at a resource ${getEmbedConfig().binaryName} cannot resolve to an IAM Role at synth time. Pass the ARN explicitly: --assume-task-role <arn>`);
 			resolvedRoleArn = await resolvePlaceholderAccount$1(task.taskRoleArn, options.region);
 			assumedCredentials = await assumeTaskRole$1(resolvedRoleArn, options.region);
 		} else if (typeof options.assumeTaskRole === "string") {
@@ -16327,7 +16545,7 @@ async function localRunTaskCommand(target, options, extraStateProviders) {
 		};
 		const result = await runEcsTask(task, runOpts, state);
 		if (options.detach) {
-			logger.info("Task containers started in detached mode; cdkl is exiting.");
+			logger.info(`Task containers started in detached mode; ${getEmbedConfig().binaryName} is exiting.`);
 			logger.info(`Use 'docker ps --filter network=${result.state.network?.networkName ?? "<network>"}' to inspect; tear down with 'docker rm -f' and 'docker network rm'.`);
 			sigintCount = 99;
 			return;
@@ -16366,7 +16584,7 @@ async function assumeTaskRole$1(roleArn, region) {
 	try {
 		const creds = (await sts.send(new AssumeRoleCommand({
 			RoleArn: roleArn,
-			RoleSessionName: `cdkl-run-task-${Date.now()}`,
+			RoleSessionName: `${getEmbedConfig().resourceNamePrefix}-run-task-${Date.now()}`,
 			DurationSeconds: 3600
 		}))).Credentials;
 		if (!creds?.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) throw new Error(`AssumeRole(${roleArn}) returned no usable credentials.`);
@@ -16393,7 +16611,7 @@ async function buildEcsImageResolutionContext$1(candidate, stateProvider, option
 	const wantsPseudoForEnvOrSecret = !!stateProvider && needs.needsEnvOrSecretSubstitution;
 	if (needs.needsPseudoParameters || wantsPseudoForEnvOrSecret) {
 		const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
-		if (!region) logger.warn("Resolver references ${AWS::Region} but cdkl could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.");
+		if (!region) logger.warn(`Resolver references \${AWS::Region} but ${getEmbedConfig().binaryName} could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.`);
 		let accountId;
 		try {
 			accountId = await resolveCallerAccountId$1(region);
@@ -16481,12 +16699,13 @@ async function resolveSidecarCredentials(options, assumedCredentials) {
 	if (options.profile) return resolveProfileCredentials(options.profile);
 }
 function createLocalRunTaskCommand(opts = {}) {
-	const cmd = new Command("run-task").description("Run an AWS::ECS::TaskDefinition locally — pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkl")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkl stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
+	setEmbedConfig(opts.embedConfig);
+	const cmd = new Command("run-task").description("Run an AWS::ECS::TaskDefinition locally — pulls/builds images, sets up a per-task docker network with the AWS-published metadata-endpoints sidecar, and starts every container in dependsOn order. Target accepts a CDK display path (MyStack/MyService/TaskDef) or stack-qualified logical ID (MyStack:MyServiceTaskDefXYZ1234). Single-stack apps may omit the stack prefix.").argument("<target>", "CDK display path or stack-qualified logical ID of the AWS::ECS::TaskDefinition to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed function role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries. Issues sts:AssumeRole via the default credential chain and uses the temporary credentials for ecr:GetAuthorizationToken + docker pull. Required when the caller does not have direct cross-account access to the target repository. Same-account / same-region pulls do not need this flag.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--keep-running", "Don't docker rm -f the user containers on task exit (network + sidecar are still torn down). Use when you want to docker exec into a stopped container for post-mortems.").default(false)).addOption(new Option("--detach", "Start the containers in the background and exit (skip log streaming + auto teardown). Useful in CI smoke tests; caller manages container lifecycle.").default(false)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (target, options) => {
 		await localRunTaskCommand(target, options, opts.extraStateProviders);
 	}));
 	[
-		...commonOptions,
-		...appOptions,
+		...commonOptions(),
+		...appOptions(),
 		...contextOptions
 	].forEach((opt) => cmd.addOption(opt));
 	cmd.addOption(deprecatedRegionOption);
@@ -16530,7 +16749,7 @@ function resolveEcsServiceTarget(target, stacks, context) {
 		serviceLogicalId = parsed.pathOrId;
 	}
 	if (!serviceLogicalId || !serviceResource) throw notFoundError(target, stack, resources);
-	if (serviceResource.Type === "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`Resource '${serviceLogicalId}' in ${stack.stackName} is an ECS TaskDefinition, not a Service. Use \`cdkl run-task\` for one-shot tasks; \`cdkl start-service\` is Service-only.`);
+	if (serviceResource.Type === "AWS::ECS::TaskDefinition") throw new EcsTaskResolutionError(`Resource '${serviceLogicalId}' in ${stack.stackName} is an ECS TaskDefinition, not a Service. Use \`${getEmbedConfig().cliName} run-task\` for one-shot tasks; \`${getEmbedConfig().cliName} start-service\` is Service-only.`);
 	if (serviceResource.Type !== "AWS::ECS::Service") throw new EcsTaskResolutionError(`Resource '${serviceLogicalId}' in ${stack.stackName} is ${serviceResource.Type}, not an AWS::ECS::Service.`);
 	return extractServiceProperties(stack, serviceLogicalId, serviceResource, stacks, context);
 }
@@ -16589,7 +16808,7 @@ function extractServiceConnect(raw, task) {
 	const cfg = raw;
 	if (cfg["Enabled"] === false) return void 0;
 	const namespaceName = pickServiceConnectNamespace(cfg["Namespace"]);
-	if (!namespaceName) throw new EcsTaskResolutionError(`ServiceConnectConfiguration.Namespace must be a literal string (the Cloud Map namespace name like 'cdkl.local'); got ${JSON.stringify(cfg["Namespace"])}. Intrinsic / cross-stack namespace references are not supported in v1.`);
+	if (!namespaceName) throw new EcsTaskResolutionError(`ServiceConnectConfiguration.Namespace must be a literal string (the Cloud Map namespace name like '${getEmbedConfig().resourceNamePrefix}.local'); got ${JSON.stringify(cfg["Namespace"])}. Intrinsic / cross-stack namespace references are not supported in v1.`);
 	const rawServices = cfg["Services"];
 	if (!Array.isArray(rawServices) || rawServices.length === 0) return {
 		namespaceName,
@@ -16650,7 +16869,7 @@ function extractServiceRegistries(raw, serviceLogicalId, warnings) {
 		const registryArn = e["RegistryArn"];
 		let cloudMapServiceLogicalId;
 		if (typeof registryArn === "string") {
-			warnings.push(`ECS Service '${serviceLogicalId}' ServiceRegistries[] entry has a literal-string RegistryArn ('${registryArn}'); cdk-local cannot resolve external Cloud Map services locally. Skipping this registration; peer services will not discover this endpoint through the in-process registry. Use Fn::GetAtt: [<CloudMapServiceLogicalId>, "Arn"] instead so cdk-local can resolve the namespace + service name from the synthesized template.`);
+			warnings.push(`ECS Service '${serviceLogicalId}' ServiceRegistries[] entry has a literal-string RegistryArn ('${registryArn}'); ${getEmbedConfig().productName} cannot resolve external Cloud Map services locally. Skipping this registration; peer services will not discover this endpoint through the in-process registry. Use Fn::GetAtt: [<CloudMapServiceLogicalId>, "Arn"] instead so ${getEmbedConfig().productName} can resolve the namespace + service name from the synthesized template.`);
 			continue;
 		}
 		if (registryArn && typeof registryArn === "object" && !Array.isArray(registryArn)) {
@@ -16691,7 +16910,7 @@ function resolveTaskDefinitionReference(taskDefRef, stack, serviceLogicalId) {
 			return refValue;
 		}
 	}
-	throw new EcsTaskResolutionError(`ECS Service '${serviceLogicalId}' has an unsupported TaskDefinition reference shape: ${JSON.stringify(taskDefRef)}. cdkl start-service v1 supports only Ref to a same-stack AWS::ECS::TaskDefinition; cross-stack TaskDefinitions are deferred.`);
+	throw new EcsTaskResolutionError(`ECS Service '${serviceLogicalId}' has an unsupported TaskDefinition reference shape: ${JSON.stringify(taskDefRef)}. ${getEmbedConfig().cliName} start-service v1 supports only Ref to a same-stack AWS::ECS::TaskDefinition; cross-stack TaskDefinitions are deferred.`);
 }
 function parseDesiredCount(raw, serviceLogicalId) {
 	if (raw === void 0 || raw === null) return 1;
@@ -17104,7 +17323,7 @@ async function publishReplicaToCloudMap(service, instance, discovery, ownerKeyPr
 	if (service.serviceRegistries.length > 0) {
 		const index = discovery.cloudMapIndexByStack.get(service.stack.stackName);
 		if (!index) {
-			logger.warn(`ECS Service '${service.serviceLogicalId}' declares ServiceRegistries[] but cdk-local has no Cloud Map index for stack ${service.stack.stackName}. Skipping registration.`);
+			logger.warn(`ECS Service '${service.serviceLogicalId}' declares ServiceRegistries[] but ${getEmbedConfig().productName} has no Cloud Map index for stack ${service.stack.stackName}. Skipping registration.`);
 			return;
 		}
 		let j = 0;
@@ -17207,7 +17426,7 @@ function pickEssentialContainerId(instance, service) {
 const defaultWaitForExitImpl = async (containerId) => {
 	const { execFile } = await import("node:child_process");
 	const { promisify } = await import("node:util");
-	const { getDockerCmd } = await import("./docker-cmd-DTPLXRqh.js").then((n) => n.t);
+	const { getDockerCmd } = await import("./docker-cmd-o4ovyAhR.js").then((n) => n.t);
 	const { stdout } = await promisify(execFile)(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
 	const code = parseInt(stdout.trim(), 10);
 	return Number.isFinite(code) ? code : -1;
@@ -17457,7 +17676,7 @@ function buildCloudMapIndex(stack) {
 	const warnings = [];
 	const resources = stack.template.Resources ?? {};
 	for (const [logicalId, resource] of Object.entries(resources)) {
-		if (resource.Type === "AWS::ServiceDiscovery::PublicDnsNamespace") throw new EcsTaskResolutionError(`Stack ${stack.stackName}: AWS::ServiceDiscovery::PublicDnsNamespace '${logicalId}' is not supported by local emulation — public DNS defeats the "local" point. Use a PrivateDnsNamespace for cdkl start-service.`);
+		if (resource.Type === "AWS::ServiceDiscovery::PublicDnsNamespace") throw new EcsTaskResolutionError(`Stack ${stack.stackName}: AWS::ServiceDiscovery::PublicDnsNamespace '${logicalId}' is not supported by local emulation — public DNS defeats the "local" point. Use a PrivateDnsNamespace for ${getEmbedConfig().cliName} start-service.`);
 		if (resource.Type === "AWS::ServiceDiscovery::HttpNamespace") throw new EcsTaskResolutionError(`Stack ${stack.stackName}: AWS::ServiceDiscovery::HttpNamespace '${logicalId}' is not supported by local emulation — HttpNamespace uses the AWS Cloud Map DiscoverInstances API directly (no DNS), which would require shimming the AWS SDK inside every container. Use a PrivateDnsNamespace + DnsConfig instead.`);
 		if (resource.Type !== "AWS::ServiceDiscovery::PrivateDnsNamespace") continue;
 		const props = resource.Properties ?? {};
@@ -17551,7 +17770,7 @@ async function localStartServiceCommand(targets, options, extraStateProviders) {
 	if (options.verbose) logger.setLevel("debug");
 	warnIfDeprecatedRegion(options);
 	const skipPull = options.pull === false;
-	if (!targets || targets.length === 0) throw new LocalStartServiceError("cdkl start-service requires at least one <target>. Pass one or more service paths like 'Stack/Orders' 'Stack/Frontend'.");
+	if (!targets || targets.length === 0) throw new LocalStartServiceError(`${getEmbedConfig().cliName} start-service requires at least one <target>. Pass one or more service paths like 'Stack/Orders' 'Stack/Frontend'.`);
 	rejectExplicitCfnStackWithMultipleStacks(options, targets.length);
 	const perTarget = targets.map((t) => ({
 		target: t,
@@ -17593,7 +17812,7 @@ async function localStartServiceCommand(targets, options, extraStateProviders) {
 		});
 		await ensureDockerAvailable();
 		const appCmd = resolveApp(options.app);
-		if (!appCmd) throw new Error("No CDK app specified. Pass --app, set CDKL_APP, or add \"app\" to cdk.json.");
+		if (!appCmd) throw new Error(`No CDK app specified. Pass --app, set ${getEmbedConfig().envPrefix}_APP, or add "app" to cdk.json.`);
 		logger.info("Synthesizing CDK app...");
 		const synthesizer = new Synthesizer();
 		const context = parseContextOptions(options.context);
@@ -17741,7 +17960,7 @@ async function assumeTaskRole(roleArn, region) {
 	try {
 		const creds = (await sts.send(new AssumeRoleCommand({
 			RoleArn: roleArn,
-			RoleSessionName: `cdkl-start-service-${Date.now()}`,
+			RoleSessionName: `${getEmbedConfig().resourceNamePrefix}-start-service-${Date.now()}`,
 			DurationSeconds: 3600
 		}))).Credentials;
 		if (!creds?.AccessKeyId || !creds.SecretAccessKey || !creds.SessionToken) throw new LocalStartServiceError(`AssumeRole(${roleArn}) returned no usable credentials.`);
@@ -17767,7 +17986,7 @@ async function buildEcsImageResolutionContext(target, stacks, options, stateProv
 	const wantsPseudoForEnvOrSecret = !!stateProvider && needs.needsEnvOrSecretSubstitution;
 	if (needs.needsPseudoParameters || wantsPseudoForEnvOrSecret) {
 		const region = options.region ?? process.env["AWS_REGION"] ?? process.env["AWS_DEFAULT_REGION"] ?? candidate.region;
-		if (!region) logger.warn("Resolver references ${AWS::Region} but cdkl could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.");
+		if (!region) logger.warn(`Resolver references \${AWS::Region} but ${getEmbedConfig().binaryName} could not determine the target region. Pass --region, set AWS_REGION, or declare env.region on the CDK stack.`);
 		let accountId;
 		try {
 			accountId = await resolveCallerAccountId(region);
@@ -17874,12 +18093,13 @@ async function resolveSharedSidecarCredentials(options) {
 	if (options.profile) return resolveProfileCredentials(options.profile);
 }
 function createLocalStartServiceCommand(opts = {}) {
-	const cmd = new Command("start-service").description("Run one or more AWS::ECS::Service resources locally as a long-running emulator. Spins up DesiredCount task replicas per service (clamped by --max-tasks) using the same per-task docker network + metadata sidecar pattern as `cdkl run-task`, then keeps each replica running and restarts it on exit per --restart-policy. ^C tears every replica + sidecar + network down. Each <target> accepts a CDK display path (MyStack/MyService) or stack-qualified logical ID (MyStack:MyServiceXYZ); single-stack apps may omit the stack prefix. When two or more <target>s are supplied, every service is booted into a shared Cloud Map / Service Connect registry so peer services discover each other via docker --add-host overlay.").argument("<targets...>", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ECS::Service resources to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default("cdkl")).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", "Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (`cdk deploy`). Bare form uses the cdkl stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).")).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (targets, options) => {
+	setEmbedConfig(opts.embedConfig);
+	const cmd = new Command("start-service").description(`Run one or more AWS::ECS::Service resources locally as a long-running emulator. Spins up DesiredCount task replicas per service (clamped by --max-tasks) using the same per-task docker network + metadata sidecar pattern as \`${getEmbedConfig().cliName} run-task\`, then keeps each replica running and restarts it on exit per --restart-policy. ^C tears every replica + sidecar + network down. Each <target> accepts a CDK display path (MyStack/MyService) or stack-qualified logical ID (MyStack:MyServiceXYZ); single-stack apps may omit the stack prefix. When two or more <target>s are supplied, every service is booted into a shared Cloud Map / Service Connect registry so peer services discover each other via docker --add-host overlay.`).argument("<targets...>", "One or more CDK display paths or stack-qualified logical IDs of the AWS::ECS::Service resources to run").addOption(new Option("--cluster <name>", "Cluster name surfaced to ECS_CONTAINER_METADATA_URI_V4 and used as the docker network prefix").default(getEmbedConfig().resourceNamePrefix)).addOption(new Option("--env-vars <file>", "JSON env-var overrides (SAM-compatible: {\"ContainerName\":{\"KEY\":\"VALUE\"}, \"Parameters\":{}})")).addOption(new Option("--container-host <ip>", "Host IP to bind published container ports to. Must be a numeric IP (Docker rejects hostnames here)").default("127.0.0.1")).addOption(new Option("--assume-task-role [arn]", "Assume the task definition's TaskRoleArn (or the supplied ARN) and forward STS-issued temp credentials via the metadata sidecar so containers run with the deployed task role. Bare flag uses the template's TaskRoleArn; pass an explicit ARN to override.")).addOption(new Option("--no-pull", "Skip docker pull for every container image and the metadata sidecar")).addOption(new Option("--ecr-role-arn <arn>", "Role ARN to assume before authenticating against ECR for cross-account / centralized registries.")).addOption(new Option("--platform <platform>", "Force docker --platform (linux/amd64 or linux/arm64). Default: inferred from task RuntimePlatform.CpuArchitecture")).addOption(new Option("--max-tasks <n>", `Hard cap on local replica count. Caps the template DesiredCount so local dev machines don't run an unbounded number of containers. Cannot exceed ${83} due to the per-replica link-local /24 subnet allocator's range.`).default(3).argParser(parseMaxTasks)).addOption(new Option("--restart-policy <policy>", "How to react when an essential container exits. 'on-failure' (default) restarts only on non-zero exit; 'always' restarts on every exit; 'none' shuts the replica down and runs the service degraded.").default("on-failure").argParser(parseRestartPolicy)).addOption(new Option("--from-cfn-stack [cfn-stack-name]", `Read a deployed CloudFormation stack via DescribeStackResources and substitute Ref / Fn::ImportValue in container env vars / secrets / image URIs with the deployed physical IDs / exports. Use for CDK apps deployed via the upstream CDK CLI (\`cdk deploy\`). Bare form uses the ${getEmbedConfig().binaryName} stack name; pass an explicit value when the CFn stack name differs. Fn::GetAtt is warn-and-dropped in v1 (CFn DescribeStackResources does not return per-attribute values).`)).addOption(new Option("--stack-region <region>", "Region of the state record to read. Used with --from-cfn-stack as the CFn client region.")).action(withErrorHandling(async (targets, options) => {
 		await localStartServiceCommand(targets, options, opts.extraStateProviders);
 	}));
 	[
-		...commonOptions,
-		...appOptions,
+		...commonOptions(),
+		...appOptions(),
 		...contextOptions
 	].forEach((opt) => cmd.addOption(opt));
 	cmd.addOption(deprecatedRegionOption);
@@ -17888,4 +18108,4 @@ function createLocalStartServiceCommand(opts = {}) {
 
 //#endregion
 export { LocalStateSourceError as a, rejectExplicitCfnStackWithMultipleStacks as c, CfnLocalStateProvider as d, createLocalInvokeCommand as i, resolveCfnRegion as l, createLocalRunTaskCommand as n, createLocalStateProvider as o, createLocalStartApiCommand as r, isCfnFlagPresent as s, createLocalStartServiceCommand as t, resolveCfnStackName as u };
-//# sourceMappingURL=local-start-service-EZy1JNYK.js.map
+//# sourceMappingURL=local-start-service-DquKcP26.js.map