@fjall/components-infrastructure 2.13.0 → 2.15.0

package/dist/lib/app.d.ts

@@ -72,10 +72,11 @@ export interface IAppOptions {
      *
      * - `name?` overrides the AWS `EventBus.Name` (defaults to the app name).
      * - `removalPolicy?` overrides the env-resolved default. Default resolves
-     *   via `env({ default: "DESTROY", production: "RETAIN" })` per D17 — NOT
-     *   `process.env.NODE_ENV` (which is not set during CDK synth in Fjall's
-     *   deployment paths). The shape is the normalised string union per
-     *   D18(d), NOT the raw CDK `RemovalPolicy` enum.
+     *   via `envAwareRemovalPolicyDefault()` per D17 (production → RETAIN,
+     *   other recognised stages → DESTROY, unrecognised values fail synth) —
+     *   NOT `process.env.NODE_ENV` (which is not set during CDK synth in
+     *   Fjall's deployment paths). The shape is the normalised string union
+     *   per D18(d), NOT the raw CDK `RemovalPolicy` enum.
      */
     eventBus?: {
         name?: string;
@@ -175,9 +176,8 @@ export declare class App extends CdkApp {
      * Buses are recreatable in non-prod; the env-resolved default keeps prod
      * history. The override (`App.getApp({ eventBus: { name?, removalPolicy? } })`)
      * is consulted first; absent override falls back to the app name and the
-     * `env({ default: "DESTROY", production: "RETAIN" })` resolution per D17.
-     * NODE_ENV is not consulted — it is not set during CDK synth in Fjall's
-     * deployment paths.
+     * `envAwareRemovalPolicyDefault()` resolution per D17. NODE_ENV is not
+     * consulted — it is not set during CDK synth in Fjall's deployment paths.
      */
     getEventBus(): EventBusMessaging;
     /**

package/dist/lib/app.js

@@ -277,9 +277,8 @@ export class App extends CdkApp {
      * Buses are recreatable in non-prod; the env-resolved default keeps prod
      * history. The override (`App.getApp({ eventBus: { name?, removalPolicy? } })`)
      * is consulted first; absent override falls back to the app name and the
-     * `env({ default: "DESTROY", production: "RETAIN" })` resolution per D17.
-     * NODE_ENV is not consulted — it is not set during CDK synth in Fjall's
-     * deployment paths.
+     * `envAwareRemovalPolicyDefault()` resolution per D17. NODE_ENV is not
+     * consulted — it is not set during CDK synth in Fjall's deployment paths.
      */
     getEventBus() {
         if (this.defaultEventBus) {

package/dist/lib/config/aws/accountMonitoringRole.js

@@ -1,3 +1,4 @@
+import { ACCOUNT_MONITORING_ROLE_NAME } from "@fjall/util/aws";
 import { CfnOutput } from "aws-cdk-lib";
 import { Role, AccountPrincipal, PolicyStatement, Effect } from "aws-cdk-lib/aws-iam";
 import { Construct } from "constructs";
@@ -16,7 +17,7 @@ export class AccountMonitoringRole extends Construct {
     constructor(scope, id, props) {
         super(scope, id);
         this.role = new Role(this, "Role", {
-            roleName: "FjallMonitoring",
+            roleName: ACCOUNT_MONITORING_ROLE_NAME,
             path: "/",
             assumedBy: new AccountPrincipal(FJALL_PLATFORM_ACCOUNT_ID),
             description: "Cross-account monitoring role for the Fjall platform. Grants read access to CloudWatch, ECS, RDS, S3, Lambda, ALB, Logs, and Cost Explorer.",

package/dist/lib/config/aws/scpPreset.js

@@ -29,7 +29,16 @@ function buildFoundationGuardrails(allowedRegions) {
             {
                 Sid: "DenyRootUserActions",
                 Effect: "Deny",
-                Action: "*",
+                // Deny + NotAction denies everything except the policy-management
+                // scopes a root-task unlock session needs; the AWS root-task policies
+                // constrain those sessions further.
+                NotAction: [
+                    "s3:GetBucketPolicy",
+                    "s3:PutBucketPolicy",
+                    "s3:DeleteBucketPolicy",
+                    "sqs:GetQueueAttributes",
+                    "sqs:SetQueueAttributes"
+                ],
                 Resource: "*",
                 Condition: {
                     StringLike: {

package/dist/lib/patterns/aws/storage.d.ts

@@ -38,7 +38,7 @@ export interface S3Props {
     readonly backupVaultTier?: BackupTier;
     readonly cors?: CorsRule[];
     readonly deployment?: S3DeploymentConfig;
-    /** When true, sets RemovalPolicy.RETAIN and disables autoDeleteObjects. Used for imported buckets. */
+    /** When true, sets RemovalPolicy.RETAIN (overriding the env-aware default). Used for imported buckets. */
     readonly retain?: boolean;
 }
 export interface StorageBuildProps extends S3Props {

package/dist/lib/patterns/aws/storage.js

@@ -21,7 +21,11 @@ function toHttpMethod(method) {
         DELETE: HttpMethods.DELETE,
         HEAD: HttpMethods.HEAD
     };
-    return methodMap[method] ?? HttpMethods.GET;
+    const mapped = methodMap[method];
+    if (mapped === undefined) {
+        throw new Error(`Unsupported CORS method "${method}" — expected one of: ${Object.keys(methodMap).join(", ")}.`);
+    }
+    return mapped;
 }
 function toCorsRules(cors) {
     if (!cors)

package/dist/lib/resources/aws/logging/cloudTrail.d.ts

@@ -6,10 +6,10 @@ import { S3Bucket } from "../storage/index.js";
 interface CloudTrailProps extends CloudTrail.TrailProps {
     bucketName: string;
     /**
-     * Bucket + CMK survive stack deletion (RemovalPolicy.RETAIN, auto-delete
-     * off). The trail resource itself stays DESTROY regardless — a retained
-     * trail keeps logging (and charging) as an unmanaged orphan. Default false
-     * preserves the historical TrailStack behaviour.
+     * Bucket + CMK survive stack deletion (RemovalPolicy.RETAIN). The trail
+     * resource itself stays DESTROY regardless — a retained trail keeps
+     * logging (and charging) as an unmanaged orphan. Default false preserves
+     * the historical TrailStack behaviour.
      */
     retainAuditHistory?: boolean;
     /**
@@ -25,6 +25,28 @@ export declare class Trail extends Construct {
     readonly bucket: S3Bucket;
     readonly encryptionKey: CustomerManagedKey;
     constructor(scope: Construct, id: string, props: CloudTrailProps);
+    private trailArn;
+    /**
+     * Canonical CloudTrail delivery policy (ACL probe + log write), scoped to
+     * this trail's ARN via aws:SourceArn so no other trail — including one in
+     * another account — can deliver into or probe the bucket. Emitted from
+     * this construct rather than left to the L2 Trail because draining mode
+     * (omitTrail) skips the L2 construct while the trail being deleted may
+     * still deliver mid-update. Fjall-prefixed sids avoid colliding with the
+     * sid-less statements the L2 Trail adds when it is constructed.
+     */
+    private addAccountTrailBucketPolicy;
+    /**
+     * Conditioned replacement for the KMS half of the retired grantReadWrite:
+     * `Bucket.grantReadWrite` silently granted the CloudTrail principal
+     * unconditioned Encrypt/Decrypt/ReEncrypt on the CMK because the bucket
+     * carries an encryptionKey. CloudTrail's actual needs are
+     * kms:GenerateDataKey* + kms:DescribeKey (trail-side log encryption,
+     * validated at CreateTrail) plus digest delivery via the bucket's default
+     * SSE-KMS — without these, trail creation fails with
+     * InsufficientEncryptionPolicyException.
+     */
+    private addAccountTrailKeyPolicy;
     /**
      * The CDK L2 Trail contributes no KMS key-policy statements at all — it
      * only sets kmsKeyId on the CfnTrail (verified in aws-cdk-lib 2.251.0).

package/dist/lib/resources/aws/logging/cloudTrail.js

@@ -41,6 +41,7 @@ export class Trail extends Construct {
             removalPolicy: storagePolicy,
             lifecycleRules: [{ expiration: Duration.days(365), enabled: true }]
         });
+        const effectiveTrailName = props.trailName || `${id}Trail`;
         if (props.isOrganizationTrail === true) {
             // The L2 Trail emits the organisation-wide bucket policy itself
             // (AWSLogs/<orgId>/* delivery); granting read/write here would shadow
@@ -48,7 +49,9 @@ export class Trail extends Construct {
             this.addOrganisationTrailKeyPolicy(props, bucketName);
         }
         else {
-            this.bucket.grantReadWrite(new ServicePrincipal("cloudtrail.amazonaws.com"));
+            const accountTrailArn = this.trailArn(effectiveTrailName);
+            this.addAccountTrailBucketPolicy(accountTrailArn);
+            this.addAccountTrailKeyPolicy(accountTrailArn, bucketName);
         }
         if (omitTrail === true) {
             return;
@@ -56,22 +59,92 @@ export class Trail extends Construct {
         this.trail = new CloudTrail.Trail(this, `${id}CloudTrail`, {
             ...trailProps,
             bucket: this.bucket,
-            trailName: props.trailName || `${id}Trail`,
+            trailName: effectiveTrailName,
             encryptionKey: this.encryptionKey.key
         });
         // Always DESTROY even when storage is retained: a RETAINED trail would
         // keep logging (and charging) as an unmanaged orphan after stack
         // deletion. Audit durability lives on the bucket + CMK removal policies.
         this.trail.applyRemovalPolicy(RemovalPolicy.DESTROY);
-        // Ensure the autoDeleteObjects custom resource is fully provisioned before
-        // the trail starts writing to the bucket. Without this, a create-rollback
-        // leaves the bucket non-empty (CloudTrail writes logs immediately) and the
-        // auto-delete Lambda was never created — causing ROLLBACK_FAILED.
-        // (No-op in retain mode: auto-delete is off, so the child is absent.)
-        const autoDeleteResource = this.bucket.node.tryFindChild("AutoDeleteObjectsCustomResource");
-        if (autoDeleteResource) {
-            this.trail.node.addDependency(autoDeleteResource);
-        }
+    }
+    trailArn(trailName) {
+        const { partition, region, account } = Stack.of(this);
+        return `arn:${partition}:cloudtrail:${region}:${account}:trail/${trailName}`;
+    }
+    /**
+     * Canonical CloudTrail delivery policy (ACL probe + log write), scoped to
+     * this trail's ARN via aws:SourceArn so no other trail — including one in
+     * another account — can deliver into or probe the bucket. Emitted from
+     * this construct rather than left to the L2 Trail because draining mode
+     * (omitTrail) skips the L2 construct while the trail being deleted may
+     * still deliver mid-update. Fjall-prefixed sids avoid colliding with the
+     * sid-less statements the L2 Trail adds when it is constructed.
+     */
+    addAccountTrailBucketPolicy(trailArn) {
+        const { account } = Stack.of(this);
+        const cloudTrailPrincipal = new ServicePrincipal("cloudtrail.amazonaws.com");
+        this.bucket.addToResourcePolicy(new PolicyStatement({
+            sid: "FjallCloudTrailAclCheck",
+            principals: [cloudTrailPrincipal],
+            actions: ["s3:GetBucketAcl"],
+            resources: [this.bucket.bucketArn],
+            conditions: {
+                StringEquals: { "aws:SourceArn": trailArn }
+            }
+        }));
+        this.bucket.addToResourcePolicy(new PolicyStatement({
+            sid: "FjallCloudTrailWrite",
+            principals: [cloudTrailPrincipal],
+            actions: ["s3:PutObject"],
+            resources: [this.bucket.arnForObjects(`AWSLogs/${account}/*`)],
+            conditions: {
+                StringEquals: {
+                    "aws:SourceArn": trailArn,
+                    "s3:x-amz-acl": "bucket-owner-full-control"
+                }
+            }
+        }));
+    }
+    /**
+     * Conditioned replacement for the KMS half of the retired grantReadWrite:
+     * `Bucket.grantReadWrite` silently granted the CloudTrail principal
+     * unconditioned Encrypt/Decrypt/ReEncrypt on the CMK because the bucket
+     * carries an encryptionKey. CloudTrail's actual needs are
+     * kms:GenerateDataKey* + kms:DescribeKey (trail-side log encryption,
+     * validated at CreateTrail) plus digest delivery via the bucket's default
+     * SSE-KMS — without these, trail creation fails with
+     * InsufficientEncryptionPolicyException.
+     */
+    addAccountTrailKeyPolicy(trailArn, bucketName) {
+        const { partition } = Stack.of(this);
+        const cloudTrailPrincipal = new ServicePrincipal("cloudtrail.amazonaws.com");
+        this.encryptionKey.key.addToResourcePolicy(new PolicyStatement({
+            sid: "FjallCloudTrailKeyUse",
+            principals: [cloudTrailPrincipal],
+            actions: ["kms:GenerateDataKey*", "kms:DescribeKey"],
+            resources: ["*"],
+            conditions: {
+                StringEquals: { "aws:SourceArn": trailArn }
+            }
+        }));
+        this.encryptionKey.key.addToResourcePolicy(new PolicyStatement({
+            sid: "FjallCloudTrailDigestDelivery",
+            principals: [cloudTrailPrincipal],
+            actions: ["kms:GenerateDataKey*", "kms:Decrypt"],
+            resources: ["*"],
+            conditions: {
+                // Digest files arrive via the bucket's default SSE-KMS. Two exact
+                // entries (bucket-level context + per-object contexts) — a bare
+                // `${bucketName}*` would also match sibling bucket NAMES sharing
+                // the prefix.
+                StringLike: {
+                    "kms:EncryptionContext:aws:s3:arn": [
+                        `arn:${partition}:s3:::${bucketName}`,
+                        `arn:${partition}:s3:::${bucketName}/*`
+                    ]
+                }
+            }
+        }));
     }
     /**
      * The CDK L2 Trail contributes no KMS key-policy statements at all — it

package/dist/lib/resources/aws/messaging/eventbridge.d.ts

@@ -14,8 +14,9 @@ export interface EventBridgeBusProps {
     /** Override the default description ("EventBus <appName> — Fjall app event bus"). */
     description?: string;
     /**
-     * Removal policy. Default resolves via the `env()` helper (production →
-     * RETAIN; non-prod → DESTROY) — D17 explicitly rejects `process.env.NODE_ENV`
+     * Removal policy. Default resolves via `envAwareRemovalPolicyDefault()`
+     * (production → RETAIN; other recognised stages → DESTROY; unrecognised
+     * values fail synth) — D17 explicitly rejects `process.env.NODE_ENV`
      * because it is not set during CDK synth in Fjall's deployment paths.
      * Buses are recreatable in non-prod; production keeps history.
      */

package/dist/lib/resources/aws/messaging/eventbridge.js

@@ -1,7 +1,7 @@
 import { Construct } from "constructs";
 import { CfnOutput } from "aws-cdk-lib";
 import { EventBus } from "aws-cdk-lib/aws-events";
-import { env } from "../../../utils/env.js";
+import { envAwareRemovalPolicyDefault } from "../../../utils/removalPolicy.js";
 import { toRemovalPolicy } from "./utils.js";
 export class EventBridgeBus extends Construct {
     id;
@@ -17,7 +17,7 @@ export class EventBridgeBus extends Construct {
             (props.appName
                 ? `EventBus ${props.appName} — Fjall app event bus`
                 : undefined);
-        const removalPolicyValue = props.removalPolicy ?? env({ default: "DESTROY", production: "RETAIN" });
+        const removalPolicyValue = props.removalPolicy ?? envAwareRemovalPolicyDefault();
         const ownedBus = new EventBus(this, `${id}EventBus`, {
             eventBusName: props.eventBusName,
             description

package/dist/lib/resources/aws/networking/ipamPool.js

@@ -8,8 +8,11 @@ import { CustomResource } from "../utilities/customResource.js";
 import getAccountId from "../../../utils/getAccountId.js";
 import { accountConstructKey, findAccountNameCollision } from "../../../utils/capitaliseString.js";
 import { FjallLogger } from "../../../utils/validationLogger.js";
+import { formatIpamPairTagValue, IPAM_OPERATIONS_POOL_TAG_KEY } from "@fjall/util/aws";
 const IPAM_TAGS = {
-    OPERATIONS_POOL: "fjall:operations:pool",
+    // Shared with the deploy-core readiness probe, which matches pools by this
+    // key + the pair value format — see @fjall/util/aws ipamTags.
+    OPERATIONS_POOL: IPAM_OPERATIONS_POOL_TAG_KEY,
     COST_ALLOCATION_ENVIRONMENT: "fjall:costAllocation:environment",
     COST_ALLOCATION_ACCOUNT_NAME: "fjall:costAllocation:accountName"
 };
@@ -134,14 +137,14 @@ export class IpamPool extends Construct {
                     allocationResourceTags: [
                         {
                             key: IPAM_TAGS.OPERATIONS_POOL,
-                            value: `${accountId}-${region}`
+                            value: formatIpamPairTagValue(accountId, region)
                         }
                     ],
                     autoImport: true,
                     tags: [
                         {
                             key: IPAM_TAGS.OPERATIONS_POOL,
-                            value: `${accountId}-${region}`
+                            value: formatIpamPairTagValue(accountId, region)
                         },
                         {
                             key: IPAM_TAGS.COST_ALLOCATION_ACCOUNT_NAME,

package/dist/lib/resources/aws/networking/serviceDiscovery.d.ts

@@ -18,9 +18,10 @@ export interface ServiceDiscoveryNamespaceProps {
     /** Override the default description (`"ServiceDiscovery <name> — Fjall private DNS namespace"`). */
     description?: string;
     /**
-     * Removal policy. Default resolves via the `env()` helper (production →
-     * RETAIN; non-prod → DESTROY) — matches the convention codified in D17 of
-     * the EventBridge promotion design. NODE_ENV is intentionally NOT consulted
+     * Removal policy. Default resolves via `envAwareRemovalPolicyDefault()`
+     * (production → RETAIN; other recognised stages → DESTROY; unrecognised
+     * values fail synth) — matches the convention codified in D17 of the
+     * EventBridge promotion design. NODE_ENV is intentionally NOT consulted
      * because it is unset during CDK synth in Fjall's deployment paths.
      */
     removalPolicy?: "DESTROY" | "RETAIN";

package/dist/lib/resources/aws/networking/serviceDiscovery.js

@@ -1,8 +1,7 @@
 import { Construct } from "constructs";
 import { CfnOutput, Duration } from "aws-cdk-lib";
 import { PrivateDnsNamespace, DnsRecordType } from "aws-cdk-lib/aws-servicediscovery";
-import { env } from "../../../utils/env.js";
-import { toRemovalPolicy } from "../../../utils/removalPolicy.js";
+import { envAwareRemovalPolicyDefault, toRemovalPolicy } from "../../../utils/removalPolicy.js";
 export class ServiceDiscoveryNamespace extends Construct {
     id;
     #namespace;
@@ -12,7 +11,7 @@ export class ServiceDiscoveryNamespace extends Construct {
         this.id = id;
         const description = props.description ??
             `ServiceDiscovery ${props.name} — Fjall private DNS namespace`;
-        const removalPolicyValue = props.removalPolicy ?? env({ default: "DESTROY", production: "RETAIN" });
+        const removalPolicyValue = props.removalPolicy ?? envAwareRemovalPolicyDefault();
         const namespace = new PrivateDnsNamespace(this, `${id}Namespace`, {
             vpc: props.vpc,
             name: props.name,

package/dist/lib/resources/aws/storage/s3.d.ts

@@ -1,10 +1,18 @@
 import { Bucket, type BucketProps } from "aws-cdk-lib/aws-s3";
 import { type Construct } from "constructs";
 import { type BackupTier } from "../../../utils/backupTierMapping.js";
+export { SDK_PRE_EMPTY_TAG_KEY } from "@fjall/util/aws";
 export interface WebsiteHostingConfig {
     readonly indexDocument: string;
     readonly errorDocument?: string;
 }
+/**
+ * Props for {@link S3Bucket}.
+ *
+ * `autoDeleteObjects` is accepted for source compatibility but always
+ * overridden to `false` (ADR D4.3) — passing `true` raises a synth-time
+ * warning rather than a compile error so older scaffolds keep building.
+ */
 export interface S3BucketProps extends BucketProps {
     backupVaultTier?: BackupTier;
     publicReadAccess?: boolean;

package/dist/lib/resources/aws/storage/s3.js

@@ -1,7 +1,10 @@
-import { CfnOutput, Duration, RemovalPolicy } from "aws-cdk-lib";
+import { SDK_PRE_EMPTY_TAG_KEY } from "@fjall/util/aws";
+import { Annotations, CfnOutput, Duration, RemovalPolicy, Tags } from "aws-cdk-lib";
 import { BlockPublicAccess, Bucket } from "aws-cdk-lib/aws-s3";
 import { RegionInfo } from "aws-cdk-lib/region-info";
 import { toPascalCase } from "../../../utils/capitaliseString.js";
+import { envAwareRemovalPolicyDefault, toRemovalPolicy } from "../../../utils/removalPolicy.js";
+export { SDK_PRE_EMPTY_TAG_KEY } from "@fjall/util/aws";
 function shouldAutoVersion(tier) {
     return tier === "resilient" || tier === "enterprise";
 }
@@ -10,13 +13,16 @@ export class S3Bucket extends Bucket {
     constructor(scope, id, props = {}) {
         const { websiteHosting, backupVaultTier, ...cdkProps } = props;
         const isPublic = props.publicReadAccess === true || websiteHosting !== undefined;
-        const isRetained = props.removalPolicy === RemovalPolicy.RETAIN;
         const versioned = props.versioned ?? shouldAutoVersion(backupVaultTier);
+        const removalPolicy = props.removalPolicy ?? toRemovalPolicy(envAwareRemovalPolicyDefault());
         super(scope, id, {
             ...cdkProps,
             enforceSSL: true,
-            autoDeleteObjects: !isRetained,
-            removalPolicy: props.removalPolicy ?? RemovalPolicy.DESTROY,
+            // autoDeleteObjects retired (ADR D4.3): the CDK custom resource's deny
+            // policy is the quarantine mechanism — destroy-time emptying is done
+            // SDK-side by deploy-core's pre-empty pass, keyed off the marker tag.
+            autoDeleteObjects: false,
+            removalPolicy,
             publicReadAccess: isPublic,
             ...(isPublic && {
                 blockPublicAccess: new BlockPublicAccess({
@@ -36,6 +42,15 @@ export class S3Bucket extends Bucket {
                 : props.lifecycleRules
         });
         this.backupVaultTier = backupVaultTier;
+        if (props.autoDeleteObjects === true) {
+            Annotations.of(this).addWarningV2("@fjall/components-infrastructure:s3:autoDeleteObjectsIgnored", "autoDeleteObjects: true is ignored — the CDK auto-delete custom " +
+                "resource is retired (ADR D4.3). DESTROY buckets are emptied " +
+                "SDK-side by deploy-core's pre-empty pass via the " +
+                `${SDK_PRE_EMPTY_TAG_KEY} marker tag. Remove the prop.`);
+        }
+        if (removalPolicy === RemovalPolicy.DESTROY) {
+            Tags.of(this).add(SDK_PRE_EMPTY_TAG_KEY, "true");
+        }
         if (websiteHosting) {
             const safeBucket = toPascalCase((props.bucketName ?? id).replace(/[^A-Za-z0-9-]/g, ""));
             new CfnOutput(this, `${safeBucket}WebsiteEndpoint`, {

package/dist/lib/utils/env.d.ts

@@ -16,6 +16,12 @@
 type EnvConfig<T> = {
     default: T;
 } & Partial<Record<string, T>>;
+/**
+ * Sentinel returned by `getEnvironment()` when no environment signal exists.
+ * Consumers that need to distinguish "no signal" from "unrecognised value"
+ * (e.g. `envAwareRemovalPolicyDefault()`) compare against this.
+ */
+export declare const UNKNOWN_ENVIRONMENT = "unknown";
 /**
  * Resolve the current deployment environment without App dependency.
  *
@@ -33,6 +39,14 @@ type EnvConfig<T> = {
  * ENVIRONMENT as the dominant ambient signal.
  */
 export declare function getEnvironment(): string;
+/**
+ * True when the environment came from an explicit operator signal
+ * (`ENVIRONMENT` env var or `-c environment=`) rather than account-lookup
+ * inference or the no-signal fallback. Lets consumers distinguish an
+ * explicitly-supplied literal "unknown" from the `UNKNOWN_ENVIRONMENT`
+ * sentinel meaning "no signal at all".
+ */
+export declare function hasExplicitEnvironmentSignal(): boolean;
 /**
  * Resolve an environment-specific value at CDK synth time.
  *

package/dist/lib/utils/env.js

@@ -1,6 +1,12 @@
 import { CDK_CONTEXT_KEYS } from "./cdkContext.js";
 import { parseOrgConfig, resolveSynthEnvironment } from "./orgConfigParser.js";
 import { FjallLogger } from "./validationLogger.js";
+/**
+ * Sentinel returned by `getEnvironment()` when no environment signal exists.
+ * Consumers that need to distinguish "no signal" from "unrecognised value"
+ * (e.g. `envAwareRemovalPolicyDefault()`) compare against this.
+ */
+export const UNKNOWN_ENVIRONMENT = "unknown";
 let cachedEnvironment;
 /**
  * Resolve the current deployment environment without App dependency.
@@ -54,9 +60,23 @@ export function getEnvironment() {
     // 5. Fallback
     FjallLogger.warn("[fjall] Could not determine environment. " +
         "Set ENVIRONMENT env var or pass -c environment=<value>.");
-    cachedEnvironment = "unknown";
+    cachedEnvironment = UNKNOWN_ENVIRONMENT;
     return cachedEnvironment;
 }
+/**
+ * True when the environment came from an explicit operator signal
+ * (`ENVIRONMENT` env var or `-c environment=`) rather than account-lookup
+ * inference or the no-signal fallback. Lets consumers distinguish an
+ * explicitly-supplied literal "unknown" from the `UNKNOWN_ENVIRONMENT`
+ * sentinel meaning "no signal at all".
+ */
+export function hasExplicitEnvironmentSignal() {
+    const envVar = process.env.ENVIRONMENT;
+    if (envVar !== undefined && envVar !== "")
+        return true;
+    const ctxValue = parseContextArg("environment");
+    return ctxValue !== undefined && ctxValue !== "";
+}
 /**
  * Resolve an environment-specific value at CDK synth time.
  *

package/dist/lib/utils/removalPolicy.d.ts

@@ -1,2 +1,17 @@
 import { RemovalPolicy } from "aws-cdk-lib";
 export declare function toRemovalPolicy(value?: "DESTROY" | "RETAIN" | "SNAPSHOT"): RemovalPolicy;
+/**
+ * Resolve the env-aware removal-policy default (D17): production → RETAIN,
+ * every other recognised environment → DESTROY.
+ *
+ * Unlike the generic `env()` resolver (where unrecognised → default is
+ * benign), an unrecognised value here throws at synth: silently landing a
+ * typo like `ENVIRONMENT=prod` on DESTROY deletes data when the stack is
+ * deleted. The accept-set derives from `ACCOUNT_STAGES_WITH_ROOT` so a new
+ * stage added in `@fjall/util` widens it automatically. The no-signal
+ * sentinel keeps the historical warn-and-DESTROY behaviour — raw `cdk synth`
+ * without context and null-stage cascade synths rely on it. An explicitly
+ * supplied `ENVIRONMENT=unknown` collides with the sentinel string and would
+ * otherwise ride the silent-DESTROY path, so it is treated as unrecognised.
+ */
+export declare function envAwareRemovalPolicyDefault(): "DESTROY" | "RETAIN";

package/dist/lib/utils/removalPolicy.js

@@ -1,4 +1,6 @@
+import { ACCOUNT_STAGES_WITH_ROOT } from "@fjall/util";
 import { RemovalPolicy } from "aws-cdk-lib";
+import { getEnvironment, hasExplicitEnvironmentSignal, UNKNOWN_ENVIRONMENT } from "./env.js";
 export function toRemovalPolicy(value) {
     switch (value) {
         case "DESTROY":
@@ -10,3 +12,33 @@ export function toRemovalPolicy(value) {
             return RemovalPolicy.RETAIN;
     }
 }
+const REMOVAL_DEFAULT_ENVIRONMENTS = new Set(ACCOUNT_STAGES_WITH_ROOT);
+/**
+ * Resolve the env-aware removal-policy default (D17): production → RETAIN,
+ * every other recognised environment → DESTROY.
+ *
+ * Unlike the generic `env()` resolver (where unrecognised → default is
+ * benign), an unrecognised value here throws at synth: silently landing a
+ * typo like `ENVIRONMENT=prod` on DESTROY deletes data when the stack is
+ * deleted. The accept-set derives from `ACCOUNT_STAGES_WITH_ROOT` so a new
+ * stage added in `@fjall/util` widens it automatically. The no-signal
+ * sentinel keeps the historical warn-and-DESTROY behaviour — raw `cdk synth`
+ * without context and null-stage cascade synths rely on it. An explicitly
+ * supplied `ENVIRONMENT=unknown` collides with the sentinel string and would
+ * otherwise ride the silent-DESTROY path, so it is treated as unrecognised.
+ */
+export function envAwareRemovalPolicyDefault() {
+    const environment = getEnvironment();
+    if (environment === UNKNOWN_ENVIRONMENT && !hasExplicitEnvironmentSignal()) {
+        return "DESTROY";
+    }
+    if (!REMOVAL_DEFAULT_ENVIRONMENTS.has(environment)) {
+        throw new Error(`Unrecognised environment "${environment}" — refusing to resolve the ` +
+            `env-aware removal-policy default (non-production environments ` +
+            `default to DESTROY, which deletes data when the stack is deleted). ` +
+            `Valid values: ${ACCOUNT_STAGES_WITH_ROOT.join(", ")}. ` +
+            `Set ENVIRONMENT or pass -c environment=<value>, or set an explicit ` +
+            `removalPolicy on the construct.`);
+    }
+    return environment === "production" ? "RETAIN" : "DESTROY";
+}

package/dist/lib/utils/standardTagsAspect.js

@@ -1,5 +1,6 @@
 import { CfnResource, Stack, Tags } from "aws-cdk-lib";
 import { BACKUP_TIER_TAG_KEY, BACKUP_TIER_TAG_MAP } from "./backupTierMapping.js";
+import { formatIpamPairTagValue, IPAM_OPERATIONS_POOL_TAG_KEY } from "@fjall/util/aws";
 /**
  * Aspect to apply special Fjall tags to specific resource types.
  *
@@ -49,7 +50,7 @@ export class StandardTagsAspect {
             process.env.CDK_DEFAULT_ACCOUNT;
         const region = stack.region || process.env.CDK_DEFAULT_REGION;
         if (accountId && region) {
-            Tags.of(vpc).add("fjall:operations:pool", `${accountId}-${region}`);
+            Tags.of(vpc).add(IPAM_OPERATIONS_POOL_TAG_KEY, formatIpamPairTagValue(accountId, region));
         }
     }
     /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fjall/components-infrastructure",
-  "version": "2.13.0",
+  "version": "2.15.0",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
   "bin": {
@@ -63,8 +63,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-organizations": "^3.1038.0",
-    "@fjall/generator": "^2.13.0",
-    "@fjall/util": "^2.13.0",
+    "@fjall/generator": "^2.15.0",
+    "@fjall/util": "^2.15.0",
     "constructs": "^10.0.0",
     "uuid": "^14.0.0"
   },
@@ -79,5 +79,5 @@
   "engines": {
     "node": ">=18.0.0"
   },
-  "gitHead": "5b16c5731256628f829d4168c65cf165b3516f9a"
+  "gitHead": "b2223855907cb6d467e47df073b2a5b28c684ede"
 }