konokenj.cdk-api-mcp-server 0.31.0__py3-none-any.whl → 0.57.0__py3-none-any.whl

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/custom-resources/README.md

@@ -121,6 +121,9 @@ def is_complete(event, context):
 > Do not use this library if your threat model requires that you cannot trust actors who are able
 > to list StepFunction executions in your account.
 
+
+> **Default behaviour change Note**: the Custom Resource Provider doesn't log anything by default. To enable logging for the Provider framework, toggle `disableWaiterStateMachineLogging` and `disableFrameworkLambdaLogging` depending on you requirement to see waiter state machine logs or provider framework lambda logs
+
 ### Handling Lifecycle Events: onEvent
 
 The user-defined `onEvent` AWS Lambda function is invoked whenever a resource
@@ -828,6 +831,62 @@ new cr.AwsCustomResource(this, 'CrossAccount', {
 });
 ```
 
+#### Using External IDs for Enhanced Security
+
+When assuming cross-account roles, you can specify an external ID to prevent the "confused deputy" problem. The external ID is a unique identifier provided by the third-party service that helps ensure the service is acting on behalf of the correct customer:
+
+```ts
+const crossAccountRoleArn = 'arn:aws:iam::OTHERACCOUNT:role/CrossAccountRoleName';
+const serviceExternalId = 'unique-secret-value-12345'; // External ID provided by the third party service. This value should be unique among the third-party service's customers.
+
+
+new cr.AwsCustomResource(this, 'SecureCrossAccount', {
+  onCreate: {
+    assumedRoleArn: crossAccountRoleArn,
+    externalId: serviceExternalId, // Prevents confused deputy attacks
+    service: 'sts',
+    action: 'GetCallerIdentity',
+    physicalResourceId: cr.PhysicalResourceId.of('id'),
+  },
+  policy: cr.AwsCustomResourcePolicy.fromStatements([iam.PolicyStatement.fromJson({
+    Effect: "Allow",
+    Action: "sts:AssumeRole",
+    Resource: crossAccountRoleArn,
+  })]),
+});
+```
+
+The external ID can also be different for each lifecycle operation:
+
+```ts
+declare const createRoleArn: string;
+declare const updateRoleArn: string;
+
+new cr.AwsCustomResource(this, 'MultiRoleSecure', {
+  onCreate: {
+    assumedRoleArn: createRoleArn,
+    externalId: 'create-secret-123',
+    service: 'ec2',
+    action: 'DescribeInstances',
+    physicalResourceId: cr.PhysicalResourceId.of('id'),
+  },
+  onUpdate: {
+    assumedRoleArn: updateRoleArn,
+    externalId: 'update-secret-456',
+    service: 'ec2',
+    action: 'DescribeInstances',
+  },
+  policy: cr.AwsCustomResourcePolicy.fromStatements([
+    new iam.PolicyStatement({
+      actions: ['sts:AssumeRole'],
+      resources: [createRoleArn, updateRoleArn],
+    }),
+  ]),
+});
+```
+
+For more information on external IDs and preventing confused deputy attacks, see the [AWS IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios_third-party.html).
+
 #### Custom Resource Config
 
 **This feature is currently experimental**

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/custom-resources/integ.aws-custom-resource.ts

@@ -121,7 +121,7 @@ const app = new cdk.App({
   },
 });
 const testStack = new AwsCdkSdkJsStack(app, 'aws-cdk-sdk-js-v3', {
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
 });
 const integTest = new integ.IntegTest(app, 'AwsCustomResourceTest', {
   testCases: [testStack],

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/custom-resources/integ.custom-resource-config-lambda-node-runtime.ts

@@ -29,7 +29,7 @@ new lambda.Function(stack, 'nonCrLambda', {
   runtime: lambda.Runtime.NODEJS_20_X,
 });
 
-CustomResourceConfig.of(app).addLambdaRuntime(lambda.Runtime.NODEJS_18_X);
+CustomResourceConfig.of(app).addLambdaRuntime(lambda.Runtime.NODEJS_20_X);
 
 new integ.IntegTest(app, 'integ-test-custom-resource-config-lambda-node-runtime', {
   testCases: [stack],

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/custom-resources/integ.external-id.ts

@@ -0,0 +1,80 @@
+#!/usr/bin/env node
+import * as iam from 'aws-cdk-lib/aws-iam';
+import * as cdk from 'aws-cdk-lib';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';
+
+/**
+ * Integration test for AwsCustomResource External ID support.
+ *
+ * This test demonstrates the use of external IDs when assuming roles
+ * in cross-account scenarios to prevent "confused deputy" attacks.
+ *
+ * Note: This test may introduce destructive changes to CDK metadata
+ * and Lambda function assets due to CDK version updates. These changes
+ * are expected and safe for integration testing purposes.
+ */
+
+const app = new cdk.App({
+  postCliContext: {
+    // Disable CDK managed log groups to prevent Lambda changes
+    '@aws-cdk/aws-lambda:useCdkManagedLogGroup': false,
+    // Disable version reporting to prevent CDK metadata changes
+    '@aws-cdk/core:disableVersionReporting': true,
+    // Disable new style synthesis to maintain compatibility
+    '@aws-cdk/core:newStyleStackSynthesis': false,
+    // Use legacy asset bundling to prevent asset hash changes
+    '@aws-cdk/core:enableLegacyV2AssetKeys': true,
+    // Disable stack name validation to prevent naming conflicts
+    '@aws-cdk/core:stackRelativeExports': false,
+  },
+});
+
+const stack = new cdk.Stack(app, 'aws-custom-resource-external-id-test');
+
+// Create a role that requires an external ID
+const externalId = 'test-external-id-12345';
+const roleWithExternalId = new iam.Role(stack, 'RoleWithExternalId', {
+  // Use a principal that can be used in integration tests
+  assumedBy: new iam.AccountPrincipal(cdk.Stack.of(stack).account),
+  externalIds: [externalId],
+});
+
+// Add the necessary permissions as managed policies to reduce template variability
+roleWithExternalId.addToPolicy(
+  new iam.PolicyStatement({
+    actions: ['sts:GetCallerIdentity'],
+    resources: ['*'],
+  }),
+);
+
+// Test basic external ID usage
+new AwsCustomResource(stack, 'ExternalIdTest', {
+  installLatestAwsSdk: false,
+  onCreate: {
+    assumedRoleArn: roleWithExternalId.roleArn,
+    externalId: externalId,
+    service: 'STS',
+    action: 'GetCallerIdentity',
+    physicalResourceId: PhysicalResourceId.of('external-id-test'),
+  },
+  policy: AwsCustomResourcePolicy.fromSdkCalls({ resources: [] }),
+});
+
+new IntegTest(app, 'AwsCustomResourceTest', {
+  testCases: [stack],
+  diffAssets: true,
+  allowDestroy: ['AWS::CDK::Metadata'],
+  cdkCommandOptions: {
+    deploy: {
+      args: {
+        rollback: false,
+      },
+    },
+    destroy: {
+      args: {
+        force: true,
+      },
+    },
+  },
+});

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/custom-resources/integ.invoke-function-payload.ts

@@ -15,7 +15,7 @@ const stack = new cdk.Stack(app, 'AwsCustomResourceInvokePayloadStack');
 const fn = new lambda.Function(stack, 'Function', {
   code: lambda.Code.fromInline("exports.handler = async () => { return { statusCode: 200, body: 'Hello World' }; };"),
   handler: 'index.handler',
-  runtime: lambda.Runtime.NODEJS_18_X,
+  runtime: lambda.Runtime.NODEJS_20_X,
 });
 
 const testCr = new cr.AwsCustomResource(stack, 'ListLambdaFunctions', {

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/cx-api/FEATURE_FLAGS.md

@@ -38,7 +38,7 @@ Flags come in three types:
 | [@aws-cdk/core:enablePartitionLiterals](#aws-cdkcoreenablepartitionliterals) | Make ARNs concrete if AWS partition is known | 2.38.0 | fix |
 | [@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker](#aws-cdkaws-ecsdisableexplicitdeploymentcontrollerforcircuitbreaker) | Avoid setting the "ECS" deployment controller when adding a circuit breaker | 2.51.0 | fix |
 | [@aws-cdk/aws-events:eventsTargetQueueSameAccount](#aws-cdkaws-eventseventstargetqueuesameaccount) | Event Rules may only push to encrypted SQS queues in the same account | 2.51.0 | fix |
-| [@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName](#aws-cdkaws-iamimportedrolestacksafedefaultpolicyname) | Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in. | 2.60.0 | fix |
+| [@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName](#aws-cdkaws-iamimportedrolestacksafedefaultpolicyname) | Enable this feature to create default policy names for imported roles that depend on the stack the role is in. | 2.60.0 | fix |
 | [@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy](#aws-cdkaws-s3serveraccesslogsusebucketpolicy) | Use S3 Bucket Policy instead of ACLs for Server Access Logging | 2.60.0 | fix |
 | [@aws-cdk/customresources:installLatestAwsSdkDefault](#aws-cdkcustomresourcesinstalllatestawssdkdefault) | Whether to install the latest SDK by default in AwsCustomResource | 2.60.0 | new default |
 | [@aws-cdk/aws-route53-patters:useCertificate](#aws-cdkaws-route53-pattersusecertificate) | Use the official `Certificate` resource instead of `DnsValidatedCertificate` | 2.61.0 | new default |
@@ -104,6 +104,12 @@ Flags come in three types:
 | [@aws-cdk/aws-s3:publicAccessBlockedByDefault](#aws-cdkaws-s3publicaccessblockedbydefault) | When enabled, setting any combination of options for BlockPublicAccess will automatically set true for any options not defined. | 2.196.0 | fix |
 | [@aws-cdk/aws-lambda:useCdkManagedLogGroup](#aws-cdkaws-lambdausecdkmanagedloggroup) | When enabled, CDK creates and manages loggroup for the lambda function | 2.200.0 | new default |
 | [@aws-cdk/aws-kms:applyImportedAliasPermissionsToPrincipal](#aws-cdkaws-kmsapplyimportedaliaspermissionstoprincipal) | Enable grant methods on Aliases imported by name to use kms:ResourceAliases condition | 2.202.0 | fix |
+| [@aws-cdk/core:explicitStackTags](#aws-cdkcoreexplicitstacktags) | When enabled, stack tags need to be assigned explicitly on a Stack. | 2.205.0 | new default |
+| [@aws-cdk/aws-signer:signingProfileNamePassedToCfn](#aws-cdkaws-signersigningprofilenamepassedtocfn) | Pass signingProfileName to CfnSigningProfile | 2.212.0 | fix |
+| [@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener](#aws-cdkaws-ecs-patternssecgroupsdisablesimplicitopenlistener) | Disable implicit openListener when custom security groups are provided | 2.214.0 | new default |
+| [@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId](#aws-cdkaws-ecs-patternsuniquetargetgroupid) | When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement | 2.221.0 | fix |
+| [@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint](#aws-cdkaws-stepfunctions-taskshttpinvokedynamicjsonpathendpoint) | When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks. | 2.221.0 | fix |
+| [@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault](#aws-cdkaws-elasticloadbalancingv2networkloadbalancerwithsecuritygroupbydefault) | When enabled, Network Load Balancer will be created with a security group by default. | 2.222.0 | new default |
 
 <!-- END table -->
 
@@ -115,6 +121,8 @@ The following json shows the current recommended set of flags, as `cdk init` wou
 ```json
 {
   "context": {
+    "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": true,
+    "@aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener": true,
     "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
     "@aws-cdk/core:checkSecretUsage": true,
     "@aws-cdk/core:target-partitions": [
@@ -167,6 +175,7 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/aws-ecs:removeDefaultDeploymentAlarm": true,
     "@aws-cdk/custom-resources:logApiResponseDataPropertyTrueDefault": false,
     "@aws-cdk/aws-s3:keepNotificationInImportedBucket": false,
+    "@aws-cdk/core:explicitStackTags": true,
     "@aws-cdk/aws-ecs:enableImdsBlockingDeprecatedFeature": false,
     "@aws-cdk/aws-ecs:disableEcsImdsBlocking": true,
     "@aws-cdk/aws-ecs:reduceEc2FargateCloudWatchPermissions": true,
@@ -191,7 +200,9 @@ The following json shows the current recommended set of flags, as `cdk init` wou
     "@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions": true,
     "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true,
     "@aws-cdk/aws-s3:publicAccessBlockedByDefault": true,
-    "@aws-cdk/aws-lambda:useCdkManagedLogGroup": true
+    "@aws-cdk/aws-lambda:useCdkManagedLogGroup": true,
+    "@aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault": true,
+    "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": true
   }
 }
 ```
@@ -239,6 +250,7 @@ are migrating a v1 CDK project to v2, explicitly set any of these flags which do
 | [@aws-cdk/core:aspectStabilization](#aws-cdkcoreaspectstabilization) | When enabled, a stabilization loop will be run when invoking Aspects during synthesis. | config |  | `false` | `true` |
 | [@aws-cdk/pipelines:reduceStageRoleTrustScope](#aws-cdkpipelinesreducestageroletrustscope) | Remove the root account principal from Stage addActions trust policy | new default |  | `false` | `true` |
 | [@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope](#aws-cdkpipelinesreducecrossaccountactionroletrustscope) | When enabled, scopes down the trust policy for the cross-account action role | new default |  | `false` | `true` |
+| [@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint](#aws-cdkaws-stepfunctions-taskshttpinvokedynamicjsonpathendpoint) | When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks. | fix |  | `false` | `true` |
 
 <!-- END diff -->
 
@@ -867,7 +879,7 @@ always apply, regardless of the value of this flag.
 
 ### @aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName
 
-*Enable this feature to by default create default policy names for imported roles that depend on the stack the role is in.*
+*Enable this feature to create default policy names for imported roles that depend on the stack the role is in.*
 
 Flag type: Backwards incompatible bugfix
 
@@ -890,7 +902,7 @@ This new implementation creates default policy names based on the constructs nod
 
 Flag type: Backwards incompatible bugfix
 
-Enable this feature flag to use S3 Bucket Policy for granting permission fo Server Access Logging
+Enable this feature flag to use S3 Bucket Policy for granting permission for Server Access Logging
 rather than using the canned `LogDeliveryWrite` ACL. ACLs do not work when Object Ownership is
 enabled on the bucket.
 
@@ -1270,7 +1282,7 @@ Set this flag to false for existing mount targets.
 Flag type: New default behavior
 
 If this is set, and a `runtime` prop is not passed to, Lambda NodeJs
-functions will us the latest version of the runtime provided by the Lambda
+functions will use the latest version of the runtime provided by the Lambda
 service. Do not use this if you your lambda function is reliant on dependencies
 shipped as part of the runtime environment.
 
@@ -1492,7 +1504,7 @@ When this feature flag is disabled, it will keep the root account principal in t
 
 Flag type: New default behavior
 
-When this featuer flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service.
+When this feature flag is enabled, remove the default deployment alarm settings when creating a AWS ECS service.
 
 
 | Since | Unset behaves like | Recommended value |
@@ -1743,8 +1755,8 @@ the latest Amazon Linux 2023 version will be used instead of Amazon Linux 2.
 
 Flag type: Configuration option
 
-Currently, when Aspects are invoked in one single pass of the construct tree.
-This means that the Aspects that create other Aspects are not run and Aspects that create new nodes of the tree sometimes do not inherit their parent Aspects.
+Previously, Aspects were invoked in a single pass of the construct tree.
+This meant that Aspects which created other Aspects were not run, and Aspects that created new nodes in the tree sometimes did not inherit their parent Aspects.
 
 When this feature flag is enabled, a stabilization loop is run to recurse the construct tree multiple times when invoking Aspects.
 
@@ -1983,7 +1995,7 @@ When enabled, table replica will be default to the removal policy of source tabl
 
 Flag type: New default behavior
 
-When this feature flag is enabled, the SDK API call response to desribe user pool client values will be logged in the custom
+When this feature flag is enabled, the SDK API call response to describe user pool client values will be logged in the custom
 resource lambda function logs.
 
 When this feature flag is disabled, the SDK API call response to describe user pool client values will not be logged in the custom
@@ -2162,7 +2174,7 @@ When this feature flag is disabled, a loggroup is created by Lambda service on f
 of the function (existing behavior).
 LogGroups created in this way do not support Tag propagation, Property Injectors, Aspects.
 
-DO NOT ENABLE: If you have and existing app defining a lambda function and
+DO NOT ENABLE: If you have an existing app defining a lambda function and
 have not supplied a logGroup or logRetention prop and your lambda function has
 executed at least once, the logGroup has been already created with the same name
 so your deployment will start failing.
@@ -2196,4 +2208,134 @@ When disabled, grant calls on imported aliases will be dropped (no-op) to mainta
 **Compatibility with old behavior:** Remove calls to the grant* methods on the aliases referenced by name
 
 
+### @aws-cdk/core:explicitStackTags
+
+*When enabled, stack tags need to be assigned explicitly on a Stack.*
+
+Flag type: New default behavior
+
+Without this feature flag enabled, if tags are added to a Stack using
+`Tags.of(scope).add(...)`, they will be added to both the stack and all resources
+in the stack template.
+
+That leads to the tags being applied twice: once in the template, and once
+again automatically by CloudFormation, which will apply all stack tags to
+all resources in the stack. This leads to loss of control, as the
+`excludeResourceTypes` option of the Tags API will not have any effect.
+
+With this flag enabled, tags added to a stack using `Tags.of(...)` are ignored,
+and Stack tags must be configured explicitly on the Stack object.
+
+
+| Since | Unset behaves like | Recommended value |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.205.0 | `false` | `true` |
+
+**Compatibility with old behavior:** Configure stack-level tags using `new Stack(..., { tags: { ... } })`.
+
+
+### @aws-cdk/aws-signer:signingProfileNamePassedToCfn
+
+*Pass signingProfileName to CfnSigningProfile*
+
+Flag type: Backwards incompatible bugfix
+
+When enabled, the `signingProfileName` property is passed to the L1 `CfnSigningProfile` construct,
+which ensures that the AWS Signer profile is created with the specified name.
+
+When disabled, the `signingProfileName` is not passed to CloudFormation, maintaining backward
+compatibility with existing deployments where CloudFormation auto-generated profile names.
+
+This feature flag is needed because enabling it can cause existing signing profiles to be
+replaced during deployment if a `signingProfileName` was specified but not previously used
+in the CloudFormation template.
+
+
+| Since | Unset behaves like | Recommended value |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.212.0 | `false` | `true` |
+
+
+### @aws-cdk/aws-ecs-patterns:secGroupsDisablesImplicitOpenListener
+
+*Disable implicit openListener when custom security groups are provided*
+
+Flag type: New default behavior
+
+ApplicationLoadBalancedServiceBase currently defaults openListener to true, which creates
+security group rules allowing ingress from 0.0.0.0/0. This can be a security risk when
+users provide custom security groups on their load balancer, expecting those to be the
+only ingress rules.
+
+If this flag is not set, openListener will always default to true for backward compatibility.
+If true, openListener will default to false when custom security groups are detected on the
+load balancer, and true otherwise. Users can still explicitly set openListener: true to
+override this behavior.
+
+
+| Since | Unset behaves like | Recommended value |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.214.0 | `false` | `true` |
+
+**Compatibility with old behavior:** You can pass `openListener: true` explicitly to maintain the old behavior.
+
+
+### @aws-cdk/aws-ecs-patterns:uniqueTargetGroupId
+
+*When enabled, ECS patterns will generate unique target group IDs to prevent conflicts during load balancer replacement*
+
+Flag type: Backwards incompatible bugfix
+
+When this feature flag is enabled, ECS patterns will generate unique target group IDs that include
+both the load balancer type (public/private) and load balancer name. This prevents CloudFormation
+conflicts when switching between public and private load balancers or when changing load balancer names.
+
+Without this flag, target groups use generic IDs like 'ECS' which can cause conflicts when the
+underlying load balancer is replaced due to changes in internetFacing or loadBalancerName properties.
+
+This is a breaking change as it will cause target group replacement when the flag is enabled.
+
+
+| Since | Unset behaves like | Recommended value |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.221.0 | `false` | `true` |
+
+
+### @aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint
+
+*When enabled, allows using a dynamic apiEndpoint with JSONPath format in HttpInvoke tasks.*
+
+Flag type: Backwards incompatible bugfix
+
+When this feature flag is enabled, the JSONPath apiEndpoint value will be resolved dynamically at runtime, while slightly increasing the size of the state machine definition.
+When disabled, the JSONPath apiEndpoint property will only support a static string value.
+
+
+| Since | Unset behaves like | Recommended value |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.221.0 | `true` | `true` |
+
+
+### @aws-cdk/aws-elasticloadbalancingv2:networkLoadBalancerWithSecurityGroupByDefault
+
+*When enabled, Network Load Balancer will be created with a security group by default.*
+
+Flag type: New default behavior
+
+When this feature flag is enabled, Network Load Balancer will be created with a security group by default.
+
+
+| Since | Unset behaves like | Recommended value |
+| ----- | ----- | ----- |
+| (not in v1) |  |  |
+| 2.222.0 | `false` | `true` |
+
+**Compatibility with old behavior:** Disable the feature flag to create Network Load Balancer without a security group by default.
+
+
 <!-- END details -->

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/cx-api/README.md

@@ -760,4 +760,58 @@ _cdk.json_
   "context": {
     "@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway": true
   }
-}
+}
+```
+
+* `@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint`
+
+When this feature flag is enabled, the JSONPath apiEndpoint value will be resolved dynamically at runtime, while slightly increasing the size of the state machine definition.
+When disabled, the JSONPath apiEndpoint property will only support a static string value.
+
+_cdk.json
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-stepfunctions-tasks:httpInvokeDynamicJsonPathEndpoint": true
+  }
+}
+```
+
+* `@aws-cdk/aws-signer:signingProfileNamePassedToCfn`
+
+When this feature flag is enabled, the `signingProfileName` property is passed to the L1 `CfnSigningProfile` construct,
+which ensures that the AWS Signer profile is created with the specified name.
+
+When this feature flag is disabled, the `signingProfileName` is not passed to CloudFormation, maintaining backward
+compatibility with existing deployments where CloudFormation auto-generated profile names.
+
+This feature flag is needed because enabling it can cause existing signing profiles to be
+replaced during deployment if a `signingProfileName` was specified but not previously used
+in the CloudFormation template.
+
+_cdk.json_
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-signer:signingProfileNamePassedToCfn": true
+  }
+}
+```
+
+* `@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId`
+
+When enabled, ECS patterns will generate unique target group IDs that include the load balancer name and type (public/private). This prevents CloudFormation conflicts when switching between public and private load balancers.
+
+Without this flag, switching an ApplicationLoadBalancedFargateService from public to private (or vice versa) fails with "target group cannot be associated with more than one load balancer" error.
+
+_cdk.json_
+
+```json
+{
+  "context": {
+    "@aws-cdk/aws-ecs-patterns:uniqueTargetGroupId": true
+  }
+}
+```

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/interfaces/README.md

@@ -0,0 +1,33 @@
+CDK Resource Interfaces
+=======================
+
+This module contains resource interfaces for all AWS service resources.
+
+These are interfaces that look like this:
+
+```
+/**
+ * Indicates that this resource can be referenced as a Bucket.
+ */
+interface IBucketRef {
+  /**
+   * A reference to a Bucket resource.
+   */
+  readonly bucketRef: BucketReference;
+}
+
+interface BucketReference {
+  /**
+   * The BucketName of the Bucket resource.
+   */
+  readonly bucketName: string;
+
+  /**
+   * The ARN of the Bucket resource.
+   */
+  readonly bucketArn: string;
+}
+```
+
+These are in a separate submodule so that they can be referenced from all other
+service submodules without introducing cyclic dependencies between them.

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/pipelines/README.md

@@ -739,6 +739,10 @@ new pipelines.CodeBuildStep('Synth', {
   buildEnvironment: {
     computeType: codebuild.ComputeType.LARGE,
     privileged: true,
+    dockerServer: {
+      computeType: codebuild.DockerServerComputeType.SMALL,
+      securityGroups: [mySecurityGroup],
+    },
   },
   timeout: Duration.minutes(90),
   fileSystemLocations: [

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/pipelines/integ.newpipeline-reduce-stagerole-scope.ts

@@ -53,8 +53,11 @@ class PipelineStack extends Stack {
       dockerEnabledForSynth: true,
       codeBuildDefaults: {
         buildEnvironment: {
-          buildImage: codebuild.LinuxArmBuildImage.AMAZON_LINUX_2_STANDARD_3_0,
+          buildImage: codebuild.LinuxBuildImage.AMAZON_LINUX_2023_5,
           computeType: codebuild.ComputeType.SMALL,
+          dockerServer: {
+            computeType: codebuild.DockerServerComputeType.SMALL,
+          },
         },
         cache: codebuild.Cache.local(codebuild.LocalCacheMode.DOCKER_LAYER),
       },

cdk_api_mcp_server/resources/aws-cdk/constructs/aws-cdk-lib/pipelines/integ.pipeline-with-customsynthesizer.ts

@@ -0,0 +1,105 @@
+import { App, Stack, StackProps, DefaultStackSynthesizer, Stage, StageProps, RemovalPolicy } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as path from 'path';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+import * as pipelines from 'aws-cdk-lib/pipelines';
+import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { IntegTest } from '@aws-cdk/integ-tests-alpha';
+
+/**
+ * Notes on how to run this integ test
+ * Replace 123456789012 with your own account number
+ * Your account should be bootstrapped for us-east-1 with a custom qualifier 'dev'
+ * cdk bootstrap aws://123456789012/us-east-1 --qualifier dev --toolkit-stack-name CDKToolkitDev
+ **/
+
+export class PipelineStack extends Stack {
+  constructor(scope: Construct, id: string, props: StackProps) {
+    super(scope, id, props);
+
+    const bucket = new s3.Bucket(this, 'assetsBucket', {
+      removalPolicy: RemovalPolicy.DESTROY,
+      autoDeleteObjects: true,
+    });
+
+    const pipeline = new pipelines.CodePipeline(
+      this,
+      'Pipeline', {
+        synth: new pipelines.ShellStep('Synth', {
+          input: pipelines.CodePipelineSource.s3(
+            bucket,
+            'cdk-sample.zip',
+          ),
+          commands: ['npm ci', 'npm run build', 'npx cdk synth'],
+        }),
+        crossAccountKeys: true,
+      });
+
+    const stagingStage = new DeploymentStage(
+      this, 'Staging', {
+        environmentAbbreviation: 'dev',
+        region: 'us-east-1',
+      });
+    pipeline.addStage(stagingStage);
+
+    const productionStage = new DeploymentStage(
+      this, 'Production', {
+        environmentAbbreviation: 'prd',
+        region: 'us-east-1',
+      });
+    pipeline.addStage(productionStage);
+  }
+}
+
+export class LambdaStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+    new lambda.Function(this, 'LambdaFN', {
+      runtime: lambda.Runtime.PYTHON_3_10,
+      handler: 'index.handler',
+      code: lambda.Code.fromAsset(path.join(__dirname, 'testhelpers', 'assets')),
+    });
+  }
+}
+
+export interface DeploymentStageProps extends StageProps {
+  environmentAbbreviation: string;
+  region: string;
+}
+
+export class DeploymentStage extends Stage {
+  constructor(scope: Construct, id: string, props: DeploymentStageProps) {
+    super(scope, id, props);
+
+    var synth = new DefaultStackSynthesizer();
+    if (props.environmentAbbreviation == 'dev') {
+      synth = new DefaultStackSynthesizer({
+        qualifier: 'dev',
+      });
+    }
+    new LambdaStack(
+      this, `${props.environmentAbbreviation}-lambda-stack`, {
+        env: {
+          region: props.region,
+        },
+        synthesizer: synth,
+      },
+    );
+  }
+}
+
+const app = new App({
+  postCliContext: {
+    '@aws-cdk/core:newStyleStackSynthesis': '1',
+    '@aws-cdk/aws-codepipeline:defaultPipelineTypeToV2': true,
+    '@aws-cdk/pipelines:reduceStageRoleTrustScope': true,
+  },
+});
+const env = { region: 'us-east-1' };
+const stack = new PipelineStack(app, 'pipeline-asset-stack', { env });
+new IntegTest(app, 'PipelineAssetsTest', {
+  testCases: [stack],
+  diffAssets: true,
+});
+
+app.synth();