cdk-local 0.35.0 → 0.35.1

package/dist/{local-list-BvDCmBir.js → local-list-8fAEdzBb.js}

@@ -1,4 +1,4 @@
-import { a as runDockerStreaming, c as getEmbedConfig, i as runDockerForeground, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd--8TRSn9z.js";
+import { a as runDockerStreaming, c as getEmbedConfig, i as runDockerForeground, n as formatDockerLoginError, o as spawnStreaming, r as getDockerCmd, s as getLogger, u as setEmbedConfig } from "./docker-cmd-voNPrcRh.js";
 import { cpSync, createWriteStream, existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { tmpdir } from "node:os";
 import * as path from "node:path";
@@ -313,9 +313,6 @@ function withErrorHandling(fn) {
 * Read the `aws:cdk:path` value that CDK encodes into every resource's
 * `Metadata`. Returns the empty string when not present so callers don't
 * have to special-case `undefined`.
-*
-* Hoisted out of `src/cli/commands/import.ts` so `cdkd orphan` can reuse the
-* same lookup without duplicating the metadata-walking code.
 */
 function readCdkPath(resource) {
 	const meta = resource.Metadata;
@@ -341,10 +338,9 @@ function readCdkPathOrUndefined(resource) {
 /**
 * Build a `Map<cdkPath, logicalId>` from a synthesized template.
 *
-* Used by `cdkd orphan <constructPath>` to translate user-supplied
-* construct paths (which mirror the upstream `cdk orphan` UX) back to the
-* logical IDs that the rest of the pipeline (state, dependency analysis,
-* provider lookup) is keyed on.
+* Translates user-supplied construct paths (which mirror the upstream
+* `cdk` construct-path UX) back to the logical IDs that the rest of the
+* pipeline (state, dependency analysis, provider lookup) is keyed on.
 *
 * `AWS::CDK::Metadata` resources are excluded — the synthesized
 * `<Stack>/CDKMetadata/Default` sentinel exists in every stack but is
@@ -356,7 +352,7 @@ function readCdkPathOrUndefined(resource) {
 *
 * In practice each path maps to a single logical ID. If the same path
 * happens to appear twice (which would itself be a bug in the synthesized
-* template), the last entry wins — `cdkd orphan` will still surface a
+* template), the last entry wins — callers still surface a
 * clean "path not found" diff against the indexed map rather than
 * silently grabbing both.
 */
@@ -2356,9 +2352,9 @@ function mapStackArtifact(stack) {
 //#endregion
 //#region src/synthesis/synthesizer.ts
 /**
-* Thin wrapper around {@link AssemblyReader} that mimics cdkd's
-* `Synthesizer` API so the ported `cdkl invoke` / `start-api` /
-* `run-task` / `start-service` source compiles without rewrites.
+* Thin wrapper around {@link AssemblyReader} exposing a `Synthesizer`
+* API used by the `cdkl invoke` / `start-api` / `run-task` /
+* `start-service` commands.
 *
 * When `app` resolves to an existing directory it is read as a
 * pre-synthesized cloud assembly (no subprocess synth); otherwise it is
@@ -2527,15 +2523,16 @@ function collectSsmParameterRefs(template) {
 * String parameters resolve too (matching how CloudFormation resolves
 * the `AWS::SSM::Parameter::Value<String>` type at deploy time).
 *
-* Security note: a decrypted SecureString value resolved here is then
-* baked into the container's `Environment` like any other resolved env
-* value, so it follows the standard plaintext-env exposure path — it can
-* appear on the `docker run -e KEY=VALUE` argv (visible in host `ps`) and
-* is not redacted by `redactAwsCredentialsInArgs` (which only covers
-* `SENSITIVE_ENV_KEYS`). This mirrors the deployed Lambda/ECS env and is
-* the same inherent exposure documented in `docker-runner`; routing
-* SecureString-resolved values through the value-from-process-env form is
-* tracked as a follow-up.
+* Security note (issue #99): a decrypted SecureString value resolved here
+* would otherwise be baked into the container's `Environment` like any
+* other resolved value and could appear on the `docker run -e KEY=VALUE`
+* argv (visible in host `ps`). To prevent that, the returned
+* {@link ResolvedSsmParameters.secureStringLogicalIds} flags every
+* SecureString parameter; downstream the consuming env keys are routed
+* through docker's value-from-process-env form (`-e KEY`, value supplied
+* via the spawned docker process's env) so the secret never lands on the
+* argv. The value still appears in `docker inspect` Config.Env, which is
+* inherent to container env and matches deployed behavior.
 *
 * Best-effort: a failed `GetParameters` chunk logs a warn and is skipped
 * (the other chunks still contribute their values); the function never
@@ -2547,7 +2544,10 @@ function collectSsmParameterRefs(template) {
 * Exported for unit testing.
 */
 async function resolveSsmParameters(client, refs, label) {
-	const out = {};
+	const out = {
+		values: {},
+		secureStringLogicalIds: []
+	};
 	if (refs.length === 0) return out;
 	const logger = getLogger();
 	const CHUNK = 10;
@@ -2577,7 +2577,11 @@ async function resolveSsmParameters(client, refs, label) {
 			if (typeof p.Name !== "string" || typeof p.Value !== "string") continue;
 			const requesters = byName.get(p.Name);
 			if (!requesters) continue;
-			for (const ref of requesters) out[ref.logicalId] = p.Value;
+			const isSecure = p.Type === "SecureString";
+			for (const ref of requesters) {
+				out.values[ref.logicalId] = p.Value;
+				if (isSecure) out.secureStringLogicalIds.push(ref.logicalId);
+			}
 		}
 	}
 	return out;
@@ -2712,7 +2716,10 @@ var CfnLocalStateProvider = class {
 	async resolveTemplateSsmParameters(template) {
 		if (this.disposed) throw new Error("CfnLocalStateProvider used after dispose()");
 		const refs = collectSsmParameterRefs(template);
-		if (refs.length === 0) return {};
+		if (refs.length === 0) return {
+			values: {},
+			secureStringLogicalIds: []
+		};
 		return resolveSsmParameters(this.getSsmClient(), refs, this.label);
 	}
 	/**
@@ -3001,8 +3008,8 @@ async function resolveProfileRegion(profile) {
 * Host-extensible state sources (via the `extraStateProviders` option):
 *
 *   - Hosts embedding cdk-local can register additional `LocalStateProvider`
-*     factories that respond to their own CLI flags (e.g. cdkd's
-*     `--from-state` for S3-backed cdkd state). Each entry is keyed by
+*     factories that respond to their own CLI flags (e.g. a host-registered
+*     `--from-state` backed by an S3 state store). Each entry is keyed by
 *     the camel-case Commander option name (e.g. `'fromState'`) so the
 *     dispatcher reads the corresponding boolean / string off the parsed
 *     options bag.
@@ -3126,7 +3133,7 @@ function rejectExplicitCfnStackWithMultipleStacks(options, routedStackCount) {
 * fallback for the CFn client when no explicit region override is set.
 *
 * `extraStateProviders` is the host-supplied registry of additional
-* state sources (e.g. cdkd's `--from-state` / `S3LocalStateProvider`).
+* state sources (e.g. a host's `--from-state` / S3-backed provider).
 * Each entry's key is the camel-case Commander option name; the
 * dispatcher activates the matching factory when the corresponding
 * options field is truthy.
@@ -3182,7 +3189,7 @@ function stackMatchesPattern(stack, pattern) {
 //#region src/local/intrinsic-image.ts
 /**
 * Derive the AWS pseudo parameters that are trivially knowable from the
-* deploy region alone, without any STS call or cdkd state load.
+* deploy region alone, without any STS call or state load.
 * `urlSuffix` and `partition` follow the canonical AWS partition rules:
 *
 *   - region prefix `cn-*`        → partition `aws-cn`,     urlSuffix `amazonaws.com.cn`
@@ -3239,7 +3246,7 @@ function derivePseudoParametersFromRegion(region, accountId) {
 * nested `Fn::Select` / `Fn::Split` over an `Fn::GetAtt: [<Repo>, 'Arn']`
 * plus a `Ref` to the same `AWS::ECR::Repository` and a
 * `Ref: AWS::URLSuffix`. For SAME-STACK references the account-id +
-* region only exist in cdkd's S3 state (recorded at deploy time on the
+* region only exist in the host's S3 state (recorded at deploy time on the
 * Repository's `Arn` attribute), so the resolver inherently requires
 * `--from-state` (Tier 2) for that variant. For IMPORTED repositories
 * the URI components are flat strings + `Ref: AWS::URLSuffix` and
@@ -4258,10 +4265,13 @@ function resolveRef(arg, context) {
 		value: resource.physicalId
 	};
 	const parameterValue = context.parameters?.[arg];
-	if (parameterValue !== void 0) return {
-		kind: "literal",
-		value: parameterValue
-	};
+	if (parameterValue !== void 0) {
+		if (context.sensitiveParameters?.has(arg)) context.onSensitiveParameterConsumed?.(arg);
+		return {
+			kind: "literal",
+			value: parameterValue
+		};
+	}
 	return {
 		kind: "unresolved",
 		reason: `Ref '${arg}': no record in the state source (was the resource deployed, or is it a CloudFormation parameter that could not be resolved — e.g. an SSM-backed AWS::SSM::Parameter::Value parameter whose SSM value was not readable?)`
@@ -4737,7 +4747,8 @@ function substituteEnvVarsFromState(templateEnv, contextOrResources) {
 	const env = {};
 	const audit = {
 		resolvedKeys: [],
-		unresolved: []
+		unresolved: [],
+		sensitiveKeys: []
 	};
 	if (!templateEnv) return {
 		env,
@@ -4749,10 +4760,11 @@ function substituteEnvVarsFromState(templateEnv, contextOrResources) {
 			env[key] = value;
 			continue;
 		}
-		const result = substituteAgainstState(value, context);
+		const { result, consumedSensitive } = resolveWithSensitivity(value, context);
 		if (result.kind === "literal") {
 			env[key] = result.value;
 			audit.resolvedKeys.push(key);
+			if (consumedSensitive) audit.sensitiveKeys.push(key);
 		} else audit.unresolved.push({
 			key,
 			reason: result.reason
@@ -4764,6 +4776,53 @@ function substituteEnvVarsFromState(templateEnv, contextOrResources) {
 	};
 }
 /**
+* Resolve a single intrinsic value while detecting whether its resolution
+* consumed a sensitive (SecureString) parameter — including refs nested in
+* `Fn::Join` / `Fn::Sub`, since the combinators recurse through the same
+* per-key context. Installs a per-call sink on a shallow context copy so
+* the shared input context is never mutated. Used by both the sync and
+* async env-var helpers (the async path delegates these intrinsics to the
+* sync resolver, so the sink fires identically).
+*/
+function resolveWithSensitivity(value, context) {
+	if (!context.sensitiveParameters || context.sensitiveParameters.size === 0) return {
+		result: substituteAgainstState(value, context),
+		consumedSensitive: false
+	};
+	let consumedSensitive = false;
+	return {
+		result: substituteAgainstState(value, {
+			...context,
+			onSensitiveParameterConsumed: () => {
+				consumedSensitive = true;
+			}
+		}),
+		consumedSensitive
+	};
+}
+/**
+* Async sibling of {@link resolveWithSensitivity}. Routes through
+* {@link substituteAgainstStateAsync} (for `Fn::ImportValue` /
+* `Fn::GetStackOutput`), which delegates SSM-parameter-bearing intrinsics
+* to the sync resolver — so the sensitivity sink fires the same way.
+*/
+async function resolveWithSensitivityAsync(value, context) {
+	if (!context.sensitiveParameters || context.sensitiveParameters.size === 0) return {
+		result: await substituteAgainstStateAsync(value, context),
+		consumedSensitive: false
+	};
+	let consumedSensitive = false;
+	return {
+		result: await substituteAgainstStateAsync(value, {
+			...context,
+			onSensitiveParameterConsumed: () => {
+				consumedSensitive = true;
+			}
+		}),
+		consumedSensitive
+	};
+}
+/**
 * Async sibling of {@link substituteEnvVarsFromState}. Routes every
 * intrinsic-valued entry through {@link substituteAgainstStateAsync} so
 * `Fn::ImportValue` / `Fn::GetStackOutput` resolve via the context's
@@ -4781,7 +4840,8 @@ async function substituteEnvVarsFromStateAsync(templateEnv, contextOrResources)
 	const env = {};
 	const audit = {
 		resolvedKeys: [],
-		unresolved: []
+		unresolved: [],
+		sensitiveKeys: []
 	};
 	if (!templateEnv) return {
 		env,
@@ -4793,10 +4853,11 @@ async function substituteEnvVarsFromStateAsync(templateEnv, contextOrResources)
 			env[key] = value;
 			continue;
 		}
-		const result = await substituteAgainstStateAsync(value, context);
+		const { result, consumedSensitive } = await resolveWithSensitivityAsync(value, context);
 		if (result.kind === "literal") {
 			env[key] = result.value;
 			audit.resolvedKeys.push(key);
+			if (consumedSensitive) audit.sensitiveKeys.push(key);
 		} else audit.unresolved.push({
 			key,
 			reason: result.reason
@@ -5117,7 +5178,7 @@ function parseEcsTarget(target) {
 * available task definition in the matched stack) on any miss.
 *
 * Optional `context` (issue #264): when the caller can supply AWS
-* pseudo-parameter values (Tier 1) and / or cdkd state-recorded resources
+* pseudo-parameter values (Tier 1) and / or host state-recorded resources
 * (Tier 2), `Fn::Sub`-shaped ECR image URIs that reference
 * `${AWS::AccountId}` / `${AWS::Region}` / a same-stack
 * `AWS::ECR::Repository` are substituted before classification.
@@ -5218,6 +5279,7 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
 	const workingDirectory = pickString(c["WorkingDirectory"]);
 	const subContext = buildSubstitutionContextFromImageContext(context);
 	const environment = {};
+	const sensitiveEnvKeys = [];
 	const droppedEnvKeys = [];
 	if (Array.isArray(c["Environment"])) for (const entry of c["Environment"]) {
 		if (!entry || typeof entry !== "object") continue;
@@ -5230,9 +5292,10 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
 			continue;
 		}
 		if (subContext) {
-			const sub = substituteAgainstState(value, subContext);
+			const { result: sub, consumedSensitive } = resolveWithSensitivity(value, subContext);
 			if (sub.kind === "literal") {
 				environment[key] = String(sub.value);
+				if (consumedSensitive) sensitiveEnvKeys.push(key);
 				continue;
 			}
 			droppedEnvKeys.push({
@@ -5357,6 +5420,7 @@ function parseContainerDefinition(raw, idx, taskLogicalId, resources, stack, con
 		name,
 		image,
 		environment,
+		sensitiveEnvKeys,
 		secrets,
 		portMappings,
 		mountPoints,
@@ -5386,6 +5450,7 @@ function buildSubstitutionContextFromImageContext(context) {
 	const subContext = { resources: context.stateResources };
 	if (context.pseudoParameters) subContext.pseudoParameters = { ...context.pseudoParameters };
 	if (context.stateParameters) subContext.parameters = { ...context.stateParameters };
+	if (context.stateSensitiveParameters?.length) subContext.sensitiveParameters = new Set(context.stateSensitiveParameters);
 	return subContext;
 }
 /**
@@ -5748,10 +5813,11 @@ async function applyCrossStackResolverToTask(task, context) {
 			if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") continue;
 			if (key in container.environment) continue;
 			if (!isCrossStackIntrinsic(value)) continue;
-			const sub = await substituteAgainstStateAsync(value, context);
+			const { result: sub, consumedSensitive } = await resolveWithSensitivityAsync(value, context);
 			if (sub.kind === "literal") {
 				container.environment[key] = String(sub.value);
 				resolvedEnvKeys.add(key);
+				if (consumedSensitive && !container.sensitiveEnvKeys.includes(key)) container.sensitiveEnvKeys.push(key);
 			}
 		}
 		if (Array.isArray(c["Secrets"])) for (const entry of c["Secrets"]) {
@@ -6059,7 +6125,8 @@ async function runDetached(opts) {
 		const ro = mount.readOnly ? ":ro" : "";
 		args.push("-v", `${mount.hostPath}:${mount.containerPath}${ro}`);
 	}
-	const passthroughEnv = appendEnvFlags(args, opts.env, SENSITIVE_ENV_KEYS);
+	const sensitiveKeys = opts.sensitiveEnvKeys && opts.sensitiveEnvKeys.size > 0 ? new Set([...SENSITIVE_ENV_KEYS, ...opts.sensitiveEnvKeys]) : SENSITIVE_ENV_KEYS;
+	const passthroughEnv = appendEnvFlags(args, opts.env, sensitiveKeys);
 	if (opts.tmpfs) args.push("--tmpfs", `${opts.tmpfs.target}:rw,size=${opts.tmpfs.sizeMb}m`);
 	if (opts.workingDir) args.push("--workdir", opts.workingDir);
 	let entryPointTail = [];
@@ -6517,8 +6584,8 @@ async function assumeRoleForEcr(roleArn, callerRegion, profile, logger) {
 }
 /**
 * Authenticate the local docker daemon against the target ECR registry.
-* Mirrors `DockerAssetPublisher.ecrLogin` but stays in this module so the
-* local-invoke path doesn't depend on the publisher's larger surface area.
+* Self-contained in this module so the local-invoke path stays
+* independent of any full asset-publish path's larger surface area.
 */
 async function ecrLogin(client, accountId, region) {
 	getLogger().child("ecr-puller").debug(`ECR login (account=${accountId}, region=${region})`);
@@ -7416,7 +7483,8 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 				}
 				if (envHasIntrinsicValue$1(templateEnv) && stateProvider.resolveTemplateSsmParameters) {
 					const ssmParams = await stateProvider.resolveTemplateSsmParameters(lambda.stack.template);
-					if (Object.keys(ssmParams).length > 0) subContext.parameters = ssmParams;
+					if (Object.keys(ssmParams.values).length > 0) subContext.parameters = ssmParams.values;
+					if (ssmParams.secureStringLogicalIds.length > 0) subContext.sensitiveParameters = new Set(ssmParams.secureStringLogicalIds);
 				}
 				if (envHasCrossStackIntrinsic(templateEnv)) {
 					const resolver = await stateProvider.buildCrossStackResolver(loaded.region);
@@ -7443,7 +7511,8 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 				}
 				stateAudit = {
 					resolvedKeys,
-					unresolved
+					unresolved,
+					sensitiveKeys: audit.sensitiveKeys
 				};
 				for (const { key, reason } of unresolved) logger.warn(`${label}: could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
 			}
@@ -7523,6 +7592,7 @@ async function localInvokeCommand(target, options, extraStateProviders) {
 			mounts: imagePlan.mounts,
 			extraMounts: extraMountsWithProfile,
 			env: dockerEnv,
+			...stateAudit && stateAudit.sensitiveKeys.length > 0 && { sensitiveEnvKeys: new Set(stateAudit.sensitiveKeys) },
 			cmd: imagePlan.cmd,
 			hostPort,
 			host: containerHost,
@@ -10489,6 +10559,7 @@ function createContainerPool(specs, options) {
 				}],
 				extraMounts,
 				env: spec.env,
+				...spec.sensitiveEnvKeys !== void 0 && { sensitiveEnvKeys: spec.sensitiveEnvKeys },
 				cmd: [spec.lambda.handler],
 				hostPort,
 				host: spec.containerHost,
@@ -10506,6 +10577,7 @@ function createContainerPool(specs, options) {
 				readOnly: true
 			}] },
 			env: spec.env,
+			...spec.sensitiveEnvKeys !== void 0 && { sensitiveEnvKeys: spec.sensitiveEnvKeys },
 			cmd: spec.command,
 			hostPort,
 			host: spec.containerHost,
@@ -14723,9 +14795,9 @@ function groupRoutesByServer(routes) {
 *      exact match on the resource's `aws:cdk:path` metadata.
 *   4. **CDK Construct path prefix** — when the input is a strict
 *      ancestor of the resource's `aws:cdk:path` (i.e.
-*      `cdkPath.startsWith(input + '/')`). Mirrors the prefix rule
-*      `cdkd orphan` uses so an L2 wrapper path resolves to its L1
-*      child (`MyStack/MyHttpApi` matches `MyStack/MyHttpApi/Resource`).
+*      `cdkPath.startsWith(input + '/')`). Mirrors the upstream CDK
+*      construct-path prefix rule so an L2 wrapper path resolves to its
+*      L1 child (`MyStack/MyHttpApi` matches `MyStack/MyHttpApi/Resource`).
 *
 * Routes discovered before this field set was added (or routes where
 * the synthesized template doesn't carry `aws:cdk:path` metadata —
@@ -15864,6 +15936,7 @@ async function buildContainerSpec(args) {
 		const context = { resources: stateBundle.state.resources };
 		if (stateBundle.pseudoParameters) context.pseudoParameters = stateBundle.pseudoParameters;
 		if (stateBundle.ssmParameters) context.parameters = stateBundle.ssmParameters;
+		if (stateBundle.ssmSecureStringLogicalIds?.length) context.sensitiveParameters = new Set(stateBundle.ssmSecureStringLogicalIds);
 		const { env, audit } = substituteEnvVarsFromState(templateEnv, context);
 		templateEnv = env;
 		for (const key of audit.resolvedKeys) getLogger().debug(`Lambda ${logicalId}: state source substituted env var ${key}`);
@@ -15881,7 +15954,8 @@ async function buildContainerSpec(args) {
 		}
 		stateAudit = {
 			resolvedKeys,
-			unresolved
+			unresolved,
+			sensitiveKeys: audit.sensitiveKeys
 		};
 		for (const { key, reason } of unresolved) getLogger().warn(`Lambda ${logicalId}: state source could not substitute env var ${key} (${reason}). Override it via --env-vars or it will be dropped.`);
 	}
@@ -15934,11 +16008,13 @@ async function buildContainerSpec(args) {
 		target: "/tmp",
 		sizeMb: lambda.ephemeralStorageMb
 	} : void 0;
+	const sensitiveEnvKeys = stateAudit && stateAudit.sensitiveKeys.length > 0 ? new Set(stateAudit.sensitiveKeys) : void 0;
 	if (lambda.kind === "zip") return {
 		kind: "zip",
 		lambda,
 		codeDir,
 		env: dockerEnv,
+		...sensitiveEnvKeys && { sensitiveEnvKeys },
 		containerHost,
 		...optDir !== void 0 && { optDir },
 		...debugPort !== void 0 && { debugPort },
@@ -15957,6 +16033,7 @@ async function buildContainerSpec(args) {
 		...lambda.imageConfig.entryPoint !== void 0 && lambda.imageConfig.entryPoint.length > 0 && { entryPoint: lambda.imageConfig.entryPoint },
 		...lambda.imageConfig.workingDirectory !== void 0 && { workingDir: lambda.imageConfig.workingDirectory },
 		env: dockerEnv,
+		...sensitiveEnvKeys && { sensitiveEnvKeys },
 		containerHost,
 		...debugPort !== void 0 && { debugPort },
 		...tmpfs !== void 0 && { tmpfs },
@@ -16318,10 +16395,10 @@ function forwardAwsEnv(env) {
 * AWS SDK call fails with `Could not load credentials from any providers`.
 *
 * This helper constructs a transient `STSClient({ profile })` to drive
-* the SDK's default credential provider chain — same code path cdkd's
-* own CFn / CC API clients use when `--profile` is set, so SSO / IAM
+* the SDK's default credential provider chain — same code path the
+* host's own AWS SDK clients use when `--profile` is set, so SSO / IAM
 * Identity Center / role-assumption profiles all resolve the same way
-* they already do for cdkd's outbound calls. We then extract the
+* they already do for the host's outbound calls. We then extract the
 * resolved `AwsCredentialIdentity` via `sts.config.credentials()` and
 * return the underlying `{ accessKeyId, secretAccessKey, sessionToken? }`
 * for env-var injection.
@@ -16675,7 +16752,8 @@ async function loadStateForRoutedStacks(stacks, routes, routesWithAuth, options,
 			}
 			if (stackHasIntrinsicEnv(stackName) && provider.resolveTemplateSsmParameters) {
 				const ssmParameters = await provider.resolveTemplateSsmParameters(stack.template);
-				if (Object.keys(ssmParameters).length > 0) bundle.ssmParameters = ssmParameters;
+				if (Object.keys(ssmParameters.values).length > 0) bundle.ssmParameters = ssmParameters.values;
+				if (ssmParameters.secureStringLogicalIds.length > 0) bundle.ssmSecureStringLogicalIds = ssmParameters.secureStringLogicalIds;
 			}
 			out.set(stackName, bundle);
 			logger.debug(`${provider.label}: loaded state for ${stackName} (${loaded.region})`);
@@ -17724,6 +17802,7 @@ function buildDockerRunArgs(opts) {
 	}
 	const sensitiveEnvKeys = new Set(SENSITIVE_ENV_KEYS);
 	for (const s of secrets) sensitiveEnvKeys.add(s.name);
+	for (const k of container.sensitiveEnvKeys) sensitiveEnvKeys.add(k);
 	const sensitiveEnv = appendEnvFlags(args, finalEnv, sensitiveEnvKeys);
 	if (container.user) args.push("--user", container.user);
 	if (container.privileged) args.push("--privileged");
@@ -17840,6 +17919,7 @@ async function localRunTaskCommand(target, options, extraStateProviders) {
 				resources: imageContext?.stateResources ?? {},
 				...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
 				...imageContext?.stateParameters && { parameters: imageContext.stateParameters },
+				...imageContext?.stateSensitiveParameters?.length && { sensitiveParameters: new Set(imageContext.stateSensitiveParameters) },
 				consumerRegion,
 				crossStackResolver: resolver
 			});
@@ -17979,7 +18059,8 @@ async function buildEcsImageResolutionContext$1(candidate, stateProvider, option
 		if (loaded) ctx.stateResources = loaded.resources;
 		if (needs.needsEnvOrSecretSubstitution && stateProvider.resolveTemplateSsmParameters) {
 			const ssmParameters = await stateProvider.resolveTemplateSsmParameters(candidate.template);
-			if (Object.keys(ssmParameters).length > 0) ctx.stateParameters = ssmParameters;
+			if (Object.keys(ssmParameters.values).length > 0) ctx.stateParameters = ssmParameters.values;
+			if (ssmParameters.secureStringLogicalIds.length > 0) ctx.stateSensitiveParameters = ssmParameters.secureStringLogicalIds;
 		}
 	} else if (!stateProvider && needs.needsStateResources) logger.warn("Container Image references a same-stack AWS::ECR::Repository. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute the deployed repository URI. Otherwise the resolver will surface its existing error.");
 	else if (!stateProvider && needs.needsEnvOrSecretSubstitution) logger.warn("Container Environment / Secrets entries contain CloudFormation intrinsics (Ref / Fn::GetAtt / Fn::Sub / Fn::Join). Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute them against deployed state. Without a state source these entries are dropped (per-key warnings will follow).");
@@ -18028,7 +18109,7 @@ function readEnvOverridesFile$1(filePath) {
 	return parsed;
 }
 /**
-* cdkd#658: pick the credentials forwarded to the AWS-published
+* Pick the credentials forwarded to the AWS-published
 * `amazon-ecs-local-container-endpoints` sidecar. Precedence:
 *   1. `--assume-task-role <arn>` (or bare `--assume-task-role` against
 *      a resolvable `TaskRoleArn`) → STS-assumed temp creds. Highest
@@ -18044,7 +18125,7 @@ function readEnvOverridesFile$1(filePath) {
 *
 * Extracted as an exported helper so a unit test can exercise every
 * branch without having to mock the full Synth + Docker + AWS pipeline
-* (the strategy cdkd#655 used for the Lambda container path).
+* (the strategy used for the Lambda container path).
 */
 async function resolveSidecarCredentials(options, assumedCredentials) {
 	if (assumedCredentials) return assumedCredentials;
@@ -18797,7 +18878,7 @@ function pickEssentialContainerId(instance, service) {
 const defaultWaitForExitImpl = async (containerId) => {
 	const { execFile } = await import("node:child_process");
 	const { promisify } = await import("node:util");
-	const { getDockerCmd } = await import("./docker-cmd--8TRSn9z.js").then((n) => n.t);
+	const { getDockerCmd } = await import("./docker-cmd-voNPrcRh.js").then((n) => n.t);
 	const { stdout } = await promisify(execFile)(getDockerCmd(), ["wait", containerId], { maxBuffer: 1024 * 1024 });
 	const code = parseInt(stdout.trim(), 10);
 	return Number.isFinite(code) ? code : -1;
@@ -18817,7 +18898,7 @@ const EXIT_LOG_TAIL_LINES = 50;
 const defaultReadContainerLogsImpl = async (containerId) => {
 	const { execFile } = await import("node:child_process");
 	const { promisify } = await import("node:util");
-	const { getDockerCmd } = await import("./docker-cmd--8TRSn9z.js").then((n) => n.t);
+	const { getDockerCmd } = await import("./docker-cmd-voNPrcRh.js").then((n) => n.t);
 	const { stdout, stderr } = await promisify(execFile)(getDockerCmd(), [
 		"logs",
 		"--tail",
@@ -19320,6 +19401,7 @@ async function runOneTarget(target, runState, stacks, options, discovery, skipPu
 				resources: imageContext?.stateResources ?? {},
 				...imageContext?.pseudoParameters && { pseudoParameters: imageContext.pseudoParameters },
 				...imageContext?.stateParameters && { parameters: imageContext.stateParameters },
+				...imageContext?.stateSensitiveParameters?.length && { sensitiveParameters: new Set(imageContext.stateSensitiveParameters) },
 				consumerRegion,
 				crossStackResolver: resolver
 			};
@@ -19436,7 +19518,8 @@ async function buildEcsImageResolutionContext(target, stacks, options, stateProv
 		if (loaded) ctx.stateResources = loaded.resources;
 		if (needs.needsEnvOrSecretSubstitution && stateProvider.resolveTemplateSsmParameters) {
 			const ssmParameters = await stateProvider.resolveTemplateSsmParameters(candidate.template);
-			if (Object.keys(ssmParameters).length > 0) ctx.stateParameters = ssmParameters;
+			if (Object.keys(ssmParameters.values).length > 0) ctx.stateParameters = ssmParameters.values;
+			if (ssmParameters.secureStringLogicalIds.length > 0) ctx.stateSensitiveParameters = ssmParameters.secureStringLogicalIds;
 		}
 	} else if (!stateProvider && needs.needsStateResources) logger.warn("Container Image references a same-stack AWS::ECR::Repository. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute the deployed repository URI.");
 	else if (!stateProvider && needs.needsEnvOrSecretSubstitution) logger.warn("Container Environment / Secrets entries contain CloudFormation intrinsics. Pass a state-source flag (e.g. --from-cfn-stack or a host-provided extension) to substitute them against the deployed state.");
@@ -19500,7 +19583,7 @@ function parseRestartPolicy(raw) {
 	throw new LocalStartServiceError(`--restart-policy must be one of 'on-failure', 'always', or 'none' (got '${raw}').`);
 }
 /**
-* cdkd#658: pick the credentials forwarded to the AWS-published
+* Pick the credentials forwarded to the AWS-published
 * `amazon-ecs-local-container-endpoints` sidecar. `cdkl start-service`'s
 * sidecar is SHARED across every replica boot in one CLI invocation, so
 * this resolves ONCE at startup. Precedence:
@@ -19521,7 +19604,7 @@ function parseRestartPolicy(raw) {
 *
 * Extracted as an exported helper so a unit test can exercise both
 * branches without having to mock the full Synth + Docker + AWS
-* pipeline (the strategy cdkd#655 used for the Lambda container path).
+* pipeline (the strategy used for the Lambda container path).
 */
 async function resolveSharedSidecarCredentials(options) {
 	if (options.profile) return resolveProfileCredentials(options.profile);
@@ -19610,4 +19693,4 @@ function createLocalListCommand(opts = {}) {
 
 //#endregion
 export { ConnectionRegistry as $, computeRequestIdentityHash as A, collectSsmParameterRefs as At, matchRoute as B, resolveLambdaArnIntrinsic as Bt, defaultCredentialsLoader as C, createLocalStateProvider as Ct, verifyCognitoJwt as D, resolveCfnRegion as Dt, createJwksCache as E, resolveCfnFallbackRegion as Et, applyCorsResponseHeaders as F, discoverWebSocketApis as Ft, evaluateResponseParameters as G, applyAuthorizerOverlay as H, buildCorsConfigByApiId as I, discoverWebSocketApisOrThrow as It, tryParseStatus as J, pickResponseTemplate as K, buildCorsConfigFromCloudFrontChain as L, parseSelectionExpressionPath as Lt, invokeRequestAuthorizer as M, resolveWatchConfig as Mt, invokeTokenAuthorizer as N, countTargets as Nt, verifyJwtAuthorizer as O, resolveCfnStackName as Ot, attachAuthorizers as P, listTargets as Pt, bufferToBody as Q, isFunctionUrlOacFronted as R, discoverRoutes as Rt, resolveServiceIntegrationParameters as S, LocalStateSourceError as St, buildJwksUrlFromIssuer as T, rejectExplicitCfnStackWithMultipleStacks as Tt, buildHttpApiV2Event as U, translateLambdaResponse as V, LocalInvokeBuildError as Vt, buildRestV1Event as W, HOST_GATEWAY_MIN_VERSION as X, VtlEvaluationError as Y, probeHostGatewaySupport as Z, filterRoutesByApiIdentifiers as _, resolveEnvVars as _t, CloudMapRegistry as a, buildMessageEvent as at, startApiServer as b, substituteImagePlaceholders as bt, createLocalStartApiCommand as c, buildContainerImage as ct, createAuthorizerCache as d, resolveRuntimeImage as dt, buildMgmtEndpointEnvUrl as et, createFileWatcher as f, EcsTaskResolutionError as ft, filterRoutesByApiIdentifier as g, substituteEnvVarsFromStateAsync as gt, availableApiIdentifiers as h, substituteEnvVarsFromState as ht, buildCloudMapIndex as i, buildDisconnectEvent as it, evaluateCachedLambdaPolicy as j, resolveSsmParameters as jt, buildMethodArn as k, CfnLocalStateProvider as kt, createWatchPredicates as l, resolveRuntimeCodeMountPath as lt, buildStageMap as m, substituteAgainstStateAsync as mt, formatTargetListing as n, parseConnectionsPath as nt, getContainerNetworkIp as o, createLocalInvokeCommand as ot, attachStageContext as p, substituteAgainstState as pt, selectIntegrationResponse as q, createLocalStartServiceCommand as r, buildConnectEvent as rt, createLocalRunTaskCommand as s, architectureToPlatform as st, createLocalListCommand as t, handleConnectionsRequest as tt, resolveApiTargetSubset as u, resolveRuntimeFileExtension as ut, groupRoutesByServer as v, materializeLayerFromArn as vt, buildCognitoJwksUrl as w, isCfnFlagPresent as wt, resolveSelectionExpression as x, tryResolveImageFnJoin as xt, readMtlsMaterialsFromDisk as y, derivePseudoParametersFromRegion as yt, matchPreflight as z, pickRefLogicalId as zt };
-//# sourceMappingURL=local-list-BvDCmBir.js.map
+//# sourceMappingURL=local-list-8fAEdzBb.js.map