feat: Add lstk cdk proxy command #302

Draft
peter-smith-phd wants to merge 1 commit into main from dpx-505-add-cdk-proxy-command

@peter-smith-phd peter-smith-phd commented Jun 11, 2026

Contributor

Summary

Adds lstk cdk, a proxy that runs the real AWS CDK CLI against a running LocalStack emulator — mirroring lstk aws / lstk terraform. This replaces the existing cdklocal command, with the one caveat that using an endpoint of http://127.0.0.1:4566 or http://localhost:4566 will NOT work correctly in some cases. A future solution is still required for this edge case.

Implementation

  • See openspec/changes/add-cdk-proxy-command/ for the proposal, design, and spec.

  • Endpoint via env vars (internal/iac/cdk/cli/): BuildEnv sets AWS_ENDPOINT_URL, the derived AWS_ENDPOINT_URL_S3, mock creds, and region on the cdk subprocess.

  • Safety — strip ambient AWS config: AWS_PROFILE/AWS_DEFAULT_PROFILE/AWS_SESSION_TOKEN are removed so a user's real credentials can't redirect a deploy at real AWS. This is the safety-critical core, mirroring cdklocal.

  • Version floor 2.177.0: older CDK ignores the endpoint env vars and would silently hit real AWS, so Run checks cdk --version up front and fails with an actionable error.

  • Offline vs AWS-contacting gating: a fixed offline set (synth/ls/init/…) runs without a running emulator; everything else is gated on the AWS emulator, reusing terraform's "wrong emulator" messaging.

  • S3 endpoint addressing (internal/endpoint): shared S3Addressing derives the s3.-prefixed virtual-host endpoint for *.localstack.cloud hosts. Path-style on the 127.0.0.1 DNS-rebind fallback is a known limitation (CDK exposes forcePathStyle only as a code-level arg, unreachable from a subprocess); lstk warns and the fix is out of scope for v1.

  • Shared IaC helpers → cmd/iac.go: the command-boundary helpers (--region/--account parsing, requireRunningAWSEmulator, resolveAWSContainer, validation) moved out of cmd/terraform.go into a neutral file so cdk and terraform share them without one looking terraform-owned.

Testing

  • cdk_cmd_test.go — stub-cdk integration tests: arg/exit-code passthrough, env construction (set + stripped), emulator gating, version floor, flag handling, LSTK_CDK_CMD.
  • cdk_e2e_test.go — real cdk + real LocalStack: synth (offline), bootstrap, single-bucket deploy/destroy, and a Lambda fromAsset round-trip that guarantees a real asset PutObject across AWS_ENDPOINT_URL_S3 (the bucket-only stack's small template may be inlined and never touch S3). Gated on Docker + real cdk + npm + auth token.

Notes

  • The Lambda e2e was validated locally via cdk synth (asset resolves to S3Bucket: cdk-hnb659fds-assets-…); the full deploy round-trip runs in CI where Docker + token are present.

Resolves DPX-505.

🤖 Generated with Claude Code

Proxy AWS CDK against LocalStack by pointing the cdk subprocess at the resolved
endpoint via AWS_ENDPOINT_URL/AWS_ENDPOINT_URL_S3 and stripping ambient AWS
config, gating AWS-contacting subcommands on a running emulator and requiring
cdk >= 2.177.0. Shared IaC command-boundary helpers move to cmd/iac.go so cdk
and terraform no longer look terraform-owned, and e2e coverage adds a Lambda
fromAsset stack that exercises S3 asset publishing through AWS_ENDPOINT_URL_S3.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@peter-smith-phd peter-smith-phd changed the title feat: add lstk cdk proxy command feat: Add lstk cdk proxy command Jun 11, 2026
@peter-smith-phd peter-smith-phd changed the title feat: Add lstk cdk proxy command feat: Add lstk cdk proxy command Jun 11, 2026
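
The environment handling described in the PR summary (strip ambient AWS config, set the endpoint variables, derive the s3.-prefixed endpoint for *.localstack.cloud hosts), as an added Go example that is not code from this PR or from lstk. The function names, the mock credential value "test", the AWS_REGION variable name and the sample endpoint and region are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// s3Endpoint adds the s3. prefix for *.localstack.cloud hosts; other hosts are returned unchanged.
func s3Endpoint(endpoint string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("invalid endpoint %q", endpoint)
	}
	if h := u.Hostname(); strings.HasSuffix(h, ".localstack.cloud") && !strings.HasPrefix(h, "s3.") {
		u.Host = "s3." + u.Host
	}
	return u.String(), nil
}

// buildEnv filters the inherited environment, then appends the emulator settings.
// The "test" credentials and the AWS_REGION name are assumptions, not taken from the PR.
func buildEnv(base []string, endpoint, region string) ([]string, error) {
	s3, err := s3Endpoint(endpoint)
	if err != nil {
		return nil, err
	}
	set := [][2]string{{"AWS_ENDPOINT_URL", endpoint}, {"AWS_ENDPOINT_URL_S3", s3},
		{"AWS_ACCESS_KEY_ID", "test"}, {"AWS_SECRET_ACCESS_KEY", "test"}, {"AWS_REGION", region}}
	// Start with the names the PR says are stripped, then add every name set above.
	drop := map[string]bool{"AWS_PROFILE": true, "AWS_DEFAULT_PROFILE": true, "AWS_SESSION_TOKEN": true}
	for _, kv := range set {
		drop[kv[0]] = true
	}
	var env []string
	for _, kv := range base {
		if name, _, _ := strings.Cut(kv, "="); !drop[name] {
			env = append(env, kv) // unrelated variables such as PATH pass through
		}
	}
	for _, kv := range set {
		env = append(env, kv[0]+"="+kv[1])
	}
	return env, nil
}

func main() {
	env, err := buildEnv([]string{"AWS_PROFILE=prod", "PATH=/usr/bin"}, "http://localhost.localstack.cloud:4566", "us-east-1") // constructed input
	fmt.Println(env, err)
}
```

Dropping inherited values for every name that is set, not only the three stripped names, keeps the child environment free of duplicate entries whose precedence would otherwise depend on the platform.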