@go-to-k/cdkd 0.7.0 → 0.9.0

package/dist/cli.js

@@ -3205,6 +3205,14 @@ import {
   ListObjectsV2Command,
   NoSuchKey
 } from "@aws-sdk/client-s3";
+
+// src/types/state.ts
+var STATE_SCHEMA_VERSION_LEGACY = 1;
+var STATE_SCHEMA_VERSION_CURRENT = 2;
+
+// src/state/s3-state-backend.ts
+var LEGACY_KEY_DEPTH = 2;
+var NEW_KEY_DEPTH = 3;
 var S3StateBackend = class {
   constructor(s3Client, config) {
     this.s3Client = s3Client;
@@ -3212,9 +3220,16 @@ var S3StateBackend = class {
   }
   logger = getLogger().child("S3StateBackend");
   /**
-   * Get the S3 key for a stack's state file
+   * Get the new (region-scoped) S3 key for a stack's state file.
    */
-  getStateKey(stackName) {
+  getStateKey(stackName, region) {
+    return `${this.config.prefix}/${stackName}/${region}/state.json`;
+  }
+  /**
+   * Get the legacy (pre-region-prefix) S3 key for a stack's state file.
+   * Used for backwards-compatible reads and for the migration delete.
+   */
+  getLegacyStateKey(stackName) {
     return `${this.config.prefix}/${stackName}/state.json`;
   }
   /**
@@ -3240,101 +3255,143 @@ var S3StateBackend = class {
     }
   }
   /**
-   * Check if state exists for a stack
-   */
-  async stateExists(stackName) {
-    const key = this.getStateKey(stackName);
-    try {
-      await this.s3Client.send(
-        new HeadObjectCommand2({
-          Bucket: this.config.bucket,
-          Key: key
-        })
-      );
+   * Check if state exists for a stack in the given region.
+   *
+   * Returns true for either layout: the new region-scoped key, or the legacy
+   * key when its embedded `region` matches the requested region. This lets
+   * `cdkd state rm <stack> --region X` and `cdkd destroy <stack>` see legacy
+   * state without forcing a write-through migration first.
+   */
+  async stateExists(stackName, region) {
+    const newKey = this.getStateKey(stackName, region);
+    if (await this.headObject(newKey)) {
       return true;
-    } catch (error) {
-      if (error instanceof NoSuchKey || error.name === "NotFound") {
-        return false;
-      }
-      throw new StateError(
-        `Failed to check if state exists for stack '${stackName}': ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
-      );
     }
+    return this.legacyMatchesRegion(stackName, region);
   }
   /**
-   * Get state for a stack
+   * Get state for a stack, transparently falling back to the legacy key.
+   *
+   * Lookup order:
+   * 1. `{prefix}/{stackName}/{region}/state.json` (current `version: 2` key).
+   * 2. `{prefix}/{stackName}/state.json` (legacy `version: 1` key) — only
+   *    accepted if its embedded `region` matches the requested region.
    *
-   * Note: S3 returns ETag with surrounding quotes (e.g., "abc123").
-   * We preserve the quotes as they are required for IfMatch conditions.
+   * When a legacy hit is returned, `migrationPending` is `true`. Callers that
+   * subsequently `saveState` automatically migrate by writing the new key and
+   * deleting the legacy one (see `saveState`'s `legacyMigration` argument).
+   *
+   * Note: S3 returns ETag with surrounding quotes (e.g., `"abc123"`). We
+   * preserve the quotes — they are required for `IfMatch` conditions.
    */
-  async getState(stackName) {
-    const key = this.getStateKey(stackName);
+  async getState(stackName, region) {
+    const newKey = this.getStateKey(stackName, region);
     try {
-      this.logger.debug(`Getting state for stack: ${stackName}`);
+      this.logger.debug(`Getting state for stack: ${stackName} (${region})`);
       const response = await this.s3Client.send(
         new GetObjectCommand({
           Bucket: this.config.bucket,
-          Key: key
+          Key: newKey
         })
       );
       if (!response.Body) {
-        throw new StateError(`State file for stack '${stackName}' has no body`);
+        throw new StateError(`State file for stack '${stackName}' (${region}) has no body`);
       }
       if (!response.ETag) {
-        throw new StateError(`State file for stack '${stackName}' has no ETag`);
+        throw new StateError(`State file for stack '${stackName}' (${region}) has no ETag`);
       }
       const bodyString = await response.Body.transformToString();
-      const state = JSON.parse(bodyString);
-      this.logger.debug(`Retrieved state for stack: ${stackName}, ETag: ${response.ETag}`);
-      return {
-        state,
-        etag: response.ETag
-      };
+      const state = this.parseStateBody(bodyString, stackName);
+      this.logger.debug(`Retrieved state: ${stackName} (${region}), ETag: ${response.ETag}`);
+      return { state, etag: response.ETag };
     } catch (error) {
-      if (error instanceof NoSuchKey || error.name === "NoSuchKey") {
-        this.logger.debug(`No existing state for stack: ${stackName}`);
-        return null;
-      }
-      if (error instanceof StateError) {
-        throw error;
+      if (!isNoSuchKey(error)) {
+        if (error instanceof StateError)
+          throw error;
+        throw new StateError(
+          `Failed to get state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
+          error instanceof Error ? error : void 0
+        );
       }
-      throw new StateError(
-        `Failed to get state for stack '${stackName}': ${error instanceof Error ? error.message : String(error)}`,
-        error instanceof Error ? error : void 0
+      this.logger.debug(`No state at new key for stack: ${stackName} (${region})`);
+    }
+    const legacy = await this.tryGetLegacy(stackName, region);
+    if (legacy) {
+      this.logger.warn(
+        `Loaded legacy state for stack '${stackName}' from '${this.getLegacyStateKey(stackName)}'. It will be migrated to the region-scoped layout on next save.`
       );
+      return { ...legacy, migrationPending: true };
     }
+    return null;
   }
   /**
-   * Save state for a stack with optimistic locking
+   * Save state for a stack with optimistic locking.
+   *
+   * Always writes to the new region-scoped key. The state body is rewritten
+   * with `version: 2` and the supplied region.
+   *
+   * If the caller observed `migrationPending: true` from `getState`, it
+   * should pass the legacy ETag back via `expectedEtag` AND set
+   * `migrateLegacy: true`. After the new key is written successfully, the
+   * legacy key is deleted to complete migration. The legacy delete is a
+   * best-effort follow-up — a failure is logged but does not unwind the new
+   * write.
    *
    * @param stackName Stack name
+   * @param region Target region (load-bearing — part of the S3 key)
    * @param state State to save
-   * @param expectedEtag Expected ETag for optimistic locking (optional for new state).
-   *                     Must include quotes if provided (e.g., "abc123")
-   * @returns New ETag (with quotes, e.g., "abc123")
-   */
-  async saveState(stackName, state, expectedEtag) {
-    const key = this.getStateKey(stackName);
+   * @param options Optimistic-lock ETag + legacy-migration flag
+   * @returns New ETag (with quotes, e.g., `"abc123"`)
+   */
+  async saveState(stackName, region, state, options = {}) {
+    const newKey = this.getStateKey(stackName, region);
+    const { expectedEtag, migrateLegacy } = options;
+    const body = {
+      ...state,
+      version: STATE_SCHEMA_VERSION_CURRENT,
+      stackName,
+      region
+    };
     try {
       this.logger.debug(
-        `Saving state for stack: ${stackName}${expectedEtag ? `, expected ETag: ${expectedEtag}` : ""}`
+        `Saving state: ${stackName} (${region})${expectedEtag ? `, expected ETag: ${expectedEtag}` : ""}`
       );
-      const body = JSON.stringify(state, null, 2);
+      const bodyString = JSON.stringify(body, null, 2);
       const response = await this.s3Client.send(
         new PutObjectCommand2({
           Bucket: this.config.bucket,
-          Key: key,
-          Body: body,
-          ContentLength: Buffer.byteLength(body),
+          Key: newKey,
+          Body: bodyString,
+          ContentLength: Buffer.byteLength(bodyString),
           ContentType: "application/json",
-          ...expectedEtag && { IfMatch: expectedEtag }
+          // The legacy ETag is for a different key; only forward it when we're
+          // updating in-place at the new key.
+          ...!migrateLegacy && expectedEtag && { IfMatch: expectedEtag }
         })
       );
       if (!response.ETag) {
-        throw new StateError(`No ETag returned after saving state for stack '${stackName}'`);
+        throw new StateError(
+          `No ETag returned after saving state for stack '${stackName}' (${region})`
+        );
+      }
+      this.logger.debug(`State saved: ${stackName} (${region}), new ETag: ${response.ETag}`);
+      if (migrateLegacy) {
+        try {
+          await this.s3Client.send(
+            new DeleteObjectCommand({
+              Bucket: this.config.bucket,
+              Key: this.getLegacyStateKey(stackName)
+            })
+          );
+          this.logger.info(
+            `Migrated state for stack '${stackName}' to region-scoped layout (${region})`
+          );
+        } catch (deleteError) {
+          this.logger.warn(
+            `Migrated stack '${stackName}' to new key, but failed to delete legacy key: ${deleteError instanceof Error ? deleteError.message : String(deleteError)}`
+          );
+        }
       }
-      this.logger.debug(`State saved for stack: ${stackName}, new ETag: ${response.ETag}`);
       return response.ETag;
     } catch (error) {
       if (error.name === "PreconditionFailed") {
@@ -3343,63 +3400,230 @@ var S3StateBackend = class {
         );
       }
       throw new StateError(
-        `Failed to save state for stack '${stackName}': ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to save state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
         error instanceof Error ? error : void 0
       );
     }
   }
   /**
-   * Delete state for a stack
+   * Delete state for a stack in the given region.
+   *
+   * Removes both the new key and the legacy key (if present). Legacy removal
+   * is region-conditional: a legacy state file with a different `region`
+   * field is left alone.
    */
-  async deleteState(stackName) {
-    const key = this.getStateKey(stackName);
+  async deleteState(stackName, region) {
     try {
-      this.logger.debug(`Deleting state for stack: ${stackName}`);
+      this.logger.debug(`Deleting state: ${stackName} (${region})`);
       await this.s3Client.send(
         new DeleteObjectCommand({
           Bucket: this.config.bucket,
-          Key: key
+          Key: this.getStateKey(stackName, region)
         })
       );
-      this.logger.debug(`State deleted for stack: ${stackName}`);
+      if (await this.legacyMatchesRegion(stackName, region)) {
+        await this.s3Client.send(
+          new DeleteObjectCommand({
+            Bucket: this.config.bucket,
+            Key: this.getLegacyStateKey(stackName)
+          })
+        );
+        this.logger.debug(`Deleted legacy state for stack: ${stackName}`);
+      }
+      this.logger.debug(`State deleted: ${stackName} (${region})`);
     } catch (error) {
       throw new StateError(
-        `Failed to delete state for stack '${stackName}': ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to delete state for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
         error instanceof Error ? error : void 0
       );
     }
   }
   /**
-   * List all stacks with state
+   * List all stacks with state in the bucket.
+   *
+   * Returns one `{stackName, region}` pair per state file. Both layouts
+   * are enumerated:
+   *
+   * - `{prefix}/{stackName}/{region}/state.json` (new) — `region` is the
+   *   path segment.
+   * - `{prefix}/{stackName}/state.json` (legacy) — `region` is read from the
+   *   state body when present, otherwise `undefined`.
+   *
+   * Pairs are deduplicated by `(stackName, region)` so a stack mid-migration
+   * shows up exactly once.
    */
   async listStacks() {
     try {
       this.logger.debug("Listing all stacks");
+      const prefix = `${this.config.prefix}/`;
+      const refs = [];
+      const seen = /* @__PURE__ */ new Set();
+      let continuationToken;
+      do {
+        const response = await this.s3Client.send(
+          new ListObjectsV2Command({
+            Bucket: this.config.bucket,
+            Prefix: prefix,
+            ...continuationToken && { ContinuationToken: continuationToken }
+          })
+        );
+        for (const obj of response.Contents ?? []) {
+          const key = obj.Key;
+          if (!key)
+            continue;
+          if (!key.endsWith("/state.json"))
+            continue;
+          const rest = key.slice(prefix.length);
+          const segments = rest.split("/");
+          if (segments.length === NEW_KEY_DEPTH) {
+            const [stackName, region] = segments;
+            if (!stackName || !region)
+              continue;
+            const dedupeKey = `${stackName}\0${region}`;
+            if (!seen.has(dedupeKey)) {
+              seen.add(dedupeKey);
+              refs.push({ stackName, region });
+            }
+            continue;
+          }
+          if (segments.length === LEGACY_KEY_DEPTH) {
+            const [stackName] = segments;
+            if (!stackName)
+              continue;
+            const region = await this.readLegacyRegion(stackName);
+            const dedupeKey = `${stackName}\0${region ?? ""}`;
+            if (!seen.has(dedupeKey)) {
+              seen.add(dedupeKey);
+              refs.push({ stackName, ...region ? { region } : {} });
+            }
+          }
+        }
+        continuationToken = response.IsTruncated ? response.NextContinuationToken : void 0;
+      } while (continuationToken);
+      this.logger.debug(`Found ${refs.length} stack(s) across regions`);
+      return refs;
+    } catch (error) {
+      throw new StateError(
+        `Failed to list stacks: ${error instanceof Error ? error.message : String(error)}`,
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  /**
+   * HeadObject probe — returns true on 200, false on NotFound. Other errors
+   * propagate so we don't accidentally swallow IAM denials.
+   */
+  async headObject(key) {
+    try {
+      await this.s3Client.send(
+        new HeadObjectCommand2({
+          Bucket: this.config.bucket,
+          Key: key
+        })
+      );
+      return true;
+    } catch (error) {
+      if (isNoSuchKey(error) || error.name === "NotFound") {
+        return false;
+      }
+      throw error;
+    }
+  }
+  /**
+   * Read the legacy state's `region` field. Used for region matching during
+   * `stateExists` / `deleteState` and for assigning a region to legacy
+   * entries during `listStacks`.
+   */
+  async readLegacyRegion(stackName) {
+    try {
       const response = await this.s3Client.send(
-        new ListObjectsV2Command({
+        new GetObjectCommand({
           Bucket: this.config.bucket,
-          Prefix: `${this.config.prefix}/`,
-          Delimiter: "/"
+          Key: this.getLegacyStateKey(stackName)
         })
       );
-      if (!response.CommonPrefixes) {
-        return [];
+      if (!response.Body)
+        return void 0;
+      const bodyString = await response.Body.transformToString();
+      const state = JSON.parse(bodyString);
+      return typeof state.region === "string" ? state.region : void 0;
+    } catch (error) {
+      if (isNoSuchKey(error))
+        return void 0;
+      this.logger.debug(
+        `Could not read legacy state region for '${stackName}': ${error instanceof Error ? error.message : String(error)}`
+      );
+      return void 0;
+    }
+  }
+  async legacyMatchesRegion(stackName, region) {
+    const legacyRegion = await this.readLegacyRegion(stackName);
+    return legacyRegion === region;
+  }
+  /**
+   * Try to read the legacy `version: 1` state. Returns null when the legacy
+   * key is missing or its embedded region does not match the caller's region.
+   */
+  async tryGetLegacy(stackName, region) {
+    try {
+      const response = await this.s3Client.send(
+        new GetObjectCommand({
+          Bucket: this.config.bucket,
+          Key: this.getLegacyStateKey(stackName)
+        })
+      );
+      if (!response.Body || !response.ETag) {
+        return null;
+      }
+      const bodyString = await response.Body.transformToString();
+      const state = this.parseStateBody(bodyString, stackName);
+      if (state.region && state.region !== region) {
+        this.logger.debug(
+          `Legacy state for stack '${stackName}' has region '${state.region}', not '${region}' \u2014 skipping legacy fallback.`
+        );
+        return null;
       }
-      const stackNames = response.CommonPrefixes.map((prefix) => {
-        const prefixStr = prefix.Prefix || "";
-        const parts = prefixStr.split("/");
-        return parts[parts.length - 2];
-      }).filter((name) => Boolean(name));
-      this.logger.debug(`Found ${stackNames.length} stacks`);
-      return stackNames;
+      return { state, etag: response.ETag };
     } catch (error) {
+      if (isNoSuchKey(error))
+        return null;
       throw new StateError(
-        `Failed to list stacks: ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to get legacy state for stack '${stackName}': ${error instanceof Error ? error.message : String(error)}`,
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  /**
+   * Parse a state body and validate the schema version. Future-proofs against
+   * a binary that predates schema version `N` reading a `version: N+1` blob:
+   * the old binary would otherwise treat unknown fields as defaults and
+   * silently lose data on the next save.
+   */
+  parseStateBody(bodyString, stackName) {
+    let parsed;
+    try {
+      parsed = JSON.parse(bodyString);
+    } catch (error) {
+      throw new StateError(
+        `State file for stack '${stackName}' is not valid JSON: ${error instanceof Error ? error.message : String(error)}`,
         error instanceof Error ? error : void 0
       );
     }
+    const v = parsed.version;
+    if (v !== STATE_SCHEMA_VERSION_LEGACY && v !== STATE_SCHEMA_VERSION_CURRENT && v !== void 0) {
+      throw new StateError(
+        `Unsupported state schema version ${String(v)} for stack '${stackName}'. This cdkd binary supports versions ${String(STATE_SCHEMA_VERSION_LEGACY)} and ${String(STATE_SCHEMA_VERSION_CURRENT)}. Upgrade cdkd to a version that supports schema ${String(v)}.`
+      );
+    }
+    return parsed;
   }
 };
+function isNoSuchKey(error) {
+  if (error instanceof NoSuchKey)
+    return true;
+  const name = error?.name;
+  return name === "NoSuchKey";
+}
 
 // src/state/lock-manager.ts
 import {
@@ -3420,10 +3644,24 @@ var LockManager = class {
   logger = getLogger().child("LockManager");
   ttlMs;
   /**
-   * Get the S3 key for a stack's lock file
+   * Get the S3 key for a stack's lock file.
+   *
+   * Locks are region-scoped, mirroring the state key layout
+   * (`{prefix}/{stackName}/{region}/lock.json`). Two regions of the same
+   * stackName can therefore be operated on in parallel without contention,
+   * matching cdkd's parallel execution model.
+   *
+   * The `region` argument is required for new callers; for backwards
+   * compatibility with `state list --long` (which only sees stack names),
+   * passing `undefined` falls back to the legacy `{prefix}/{stackName}/lock.json`
+   * key — that mode is purely for legacy lock cleanup and is NOT used by
+   * deploy / destroy / diff anymore.
    */
-  getLockKey(stackName) {
-    return `${this.config.prefix}/${stackName}/lock.json`;
+  getLockKey(stackName, region) {
+    if (region === void 0) {
+      return `${this.config.prefix}/${stackName}/lock.json`;
+    }
+    return `${this.config.prefix}/${stackName}/${region}/lock.json`;
   }
   /**
    * Get default lock owner identifier
@@ -3462,11 +3700,12 @@ var LockManager = class {
    * If an expired lock exists, it will be cleaned up and re-acquired.
    *
    * @param stackName Stack name
+   * @param region Target region (lock key is region-scoped)
    * @param owner Lock owner identifier (defaults to user@hostname:pid)
    * @param operation Operation being performed (e.g., "deploy", "destroy")
    */
-  async acquireLock(stackName, owner, operation) {
-    const key = this.getLockKey(stackName);
+  async acquireLock(stackName, region, owner, operation) {
+    const key = this.getLockKey(stackName, region);
     const lockOwner = owner || this.getDefaultOwner();
     const now = Date.now();
     const lockInfo = {
@@ -3476,7 +3715,7 @@ var LockManager = class {
       ...operation && { operation }
     };
     try {
-      this.logger.debug(`Attempting to acquire lock for stack: ${stackName}`);
+      this.logger.debug(`Attempting to acquire lock for stack: ${stackName} (${region})`);
       const lockBody = JSON.stringify(lockInfo, null, 2);
       await this.s3Client.send(
         new PutObjectCommand3({
@@ -3489,17 +3728,17 @@ var LockManager = class {
           // Only succeed if object doesn't exist
         })
       );
-      this.logger.debug(`Lock acquired for stack: ${stackName}, owner: ${lockOwner}`);
+      this.logger.debug(`Lock acquired for stack: ${stackName} (${region}), owner: ${lockOwner}`);
       return true;
     } catch (error) {
       if (error instanceof S3ServiceException && error.name === "PreconditionFailed") {
-        this.logger.debug(`Lock already exists for stack: ${stackName}`);
-        const existingLock = await this.getLockInfo(stackName);
+        this.logger.debug(`Lock already exists for stack: ${stackName} (${region})`);
+        const existingLock = await this.getLockInfo(stackName, region);
         if (existingLock && this.isLockExpired(existingLock)) {
           this.logger.info(
-            `Expired lock detected for stack: ${stackName} (owner: ${existingLock.owner}, expired ${this.formatDuration(now - existingLock.expiresAt)} ago). Cleaning up...`
+            `Expired lock detected for stack: ${stackName} (${region}, owner: ${existingLock.owner}, expired ${this.formatDuration(now - existingLock.expiresAt)} ago). Cleaning up...`
           );
-          await this.deleteLock(stackName);
+          await this.deleteLock(stackName, region);
           try {
             const retryBody = JSON.stringify(lockInfo, null, 2);
             await this.s3Client.send(
@@ -3513,13 +3752,13 @@ var LockManager = class {
               })
             );
             this.logger.debug(
-              `Lock acquired for stack: ${stackName} after expired lock cleanup, owner: ${lockOwner}`
+              `Lock acquired for stack: ${stackName} (${region}) after expired lock cleanup, owner: ${lockOwner}`
             );
             return true;
           } catch (retryError) {
             if (retryError instanceof S3ServiceException && retryError.name === "PreconditionFailed") {
               this.logger.debug(
-                `Lock was acquired by another process during expired lock cleanup for stack: ${stackName}`
+                `Lock was acquired by another process during expired lock cleanup for stack: ${stackName} (${region})`
               );
               return false;
             }
@@ -3529,16 +3768,20 @@ var LockManager = class {
         return false;
       }
       throw new LockError(
-        `Failed to acquire lock for stack '${stackName}': ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to acquire lock for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
         error instanceof Error ? error : void 0
       );
     }
   }
   /**
-   * Get current lock information
+   * Get current lock information.
+   *
+   * `region` is required for the new region-scoped lock layout. Pass
+   * `undefined` only to inspect a legacy `{prefix}/{stackName}/lock.json`
+   * file (e.g. for state-listing tools that don't yet know the region).
    */
-  async getLockInfo(stackName) {
-    const key = this.getLockKey(stackName);
+  async getLockInfo(stackName, region) {
+    const key = this.getLockKey(stackName, region);
     try {
       this.logger.debug(`Getting lock info for stack: ${stackName}`);
       const response = await this.s3Client.send(
@@ -3576,27 +3819,27 @@ var LockManager = class {
    * not for acquisition decisions — use `acquireLock` for that, which has its
    * own expired-lock cleanup logic.
    */
-  async isLocked(stackName) {
-    const lockInfo = await this.getLockInfo(stackName);
+  async isLocked(stackName, region) {
+    const lockInfo = await this.getLockInfo(stackName, region);
     return lockInfo !== null;
   }
   /**
    * Release a lock for a stack
    */
-  async releaseLock(stackName) {
-    const key = this.getLockKey(stackName);
+  async releaseLock(stackName, region) {
+    const key = this.getLockKey(stackName, region);
     try {
-      this.logger.debug(`Releasing lock for stack: ${stackName}`);
+      this.logger.debug(`Releasing lock for stack: ${stackName} (${region})`);
       await this.s3Client.send(
         new DeleteObjectCommand2({
           Bucket: this.config.bucket,
           Key: key
         })
       );
-      this.logger.debug(`Lock released for stack: ${stackName}`);
+      this.logger.debug(`Lock released for stack: ${stackName} (${region})`);
     } catch (error) {
       throw new LockError(
-        `Failed to release lock for stack '${stackName}': ${error instanceof Error ? error.message : String(error)}`,
+        `Failed to release lock for stack '${stackName}' (${region}): ${error instanceof Error ? error.message : String(error)}`,
         error instanceof Error ? error : void 0
       );
     }
@@ -3606,23 +3849,28 @@ var LockManager = class {
    *
    * This is intended for CLI usage (e.g., --force-unlock flag) when a lock
    * is stuck and needs manual intervention.
+   *
+   * Pass `region: undefined` to operate on a legacy
+   * `{prefix}/{stackName}/lock.json` file.
    */
-  async forceReleaseLock(stackName) {
-    const lockInfo = await this.getLockInfo(stackName);
+  async forceReleaseLock(stackName, region) {
+    const lockInfo = await this.getLockInfo(stackName, region);
     if (!lockInfo) {
-      this.logger.warn(`No lock to force release for stack: ${stackName}`);
+      this.logger.warn(
+        `No lock to force release for stack: ${stackName}${region ? ` (${region})` : ""}`
+      );
       return;
     }
     this.logger.warn(
-      `Force releasing lock for stack: ${stackName}, owner: ${lockInfo.owner}${lockInfo.operation ? `, operation: ${lockInfo.operation}` : ""}, expired: ${this.isLockExpired(lockInfo)}`
+      `Force releasing lock for stack: ${stackName}${region ? ` (${region})` : ""}, owner: ${lockInfo.owner}${lockInfo.operation ? `, operation: ${lockInfo.operation}` : ""}, expired: ${this.isLockExpired(lockInfo)}`
     );
-    await this.deleteLock(stackName);
+    await this.deleteLock(stackName, region);
   }
   /**
    * Internal method to delete the lock file from S3
    */
-  async deleteLock(stackName) {
-    const key = this.getLockKey(stackName);
+  async deleteLock(stackName, region) {
+    const key = this.getLockKey(stackName, region);
     await this.s3Client.send(
       new DeleteObjectCommand2({
         Bucket: this.config.bucket,
@@ -3643,28 +3891,28 @@ var LockManager = class {
    * @param maxRetries Maximum number of retries (default: 3)
    * @param retryDelay Delay between retries in milliseconds (default: 2000)
    */
-  async acquireLockWithRetry(stackName, owner, operation, maxRetries = 3, retryDelay = 2e3) {
+  async acquireLockWithRetry(stackName, region, owner, operation, maxRetries = 3, retryDelay = 2e3) {
     for (let attempt = 0; attempt <= maxRetries; attempt++) {
-      const acquired = await this.acquireLock(stackName, owner, operation);
+      const acquired = await this.acquireLock(stackName, region, owner, operation);
       if (acquired) {
         return;
       }
-      const lockInfo2 = await this.getLockInfo(stackName);
+      const lockInfo2 = await this.getLockInfo(stackName, region);
       if (lockInfo2) {
         const remainingMs = lockInfo2.expiresAt - Date.now();
         if (attempt < maxRetries) {
           this.logger.info(
-            `Stack '${stackName}' is locked by ${lockInfo2.owner}${lockInfo2.operation ? ` (operation: ${lockInfo2.operation})` : ""}. Lock expires in ${this.formatDuration(remainingMs)}. Retrying in ${this.formatDuration(retryDelay)}... (attempt ${attempt + 1}/${maxRetries})`
+            `Stack '${stackName}' (${region}) is locked by ${lockInfo2.owner}${lockInfo2.operation ? ` (operation: ${lockInfo2.operation})` : ""}. Lock expires in ${this.formatDuration(remainingMs)}. Retrying in ${this.formatDuration(retryDelay)}... (attempt ${attempt + 1}/${maxRetries})`
           );
           await new Promise((resolve4) => setTimeout(resolve4, retryDelay));
           continue;
         }
       }
     }
-    const lockInfo = await this.getLockInfo(stackName);
+    const lockInfo = await this.getLockInfo(stackName, region);
     const expiresIn = lockInfo ? this.formatDuration(lockInfo.expiresAt - Date.now()) : "unknown";
     throw new LockError(
-      `Failed to acquire lock for stack '${stackName}' after ${maxRetries + 1} attempts. ` + (lockInfo ? `Locked by: ${lockInfo.owner}${lockInfo.operation ? `, operation: ${lockInfo.operation}` : ""}, expires in: ${expiresIn}. Use --force-unlock to manually release the lock.` : "Lock exists but could not read lock info.")
+      `Failed to acquire lock for stack '${stackName}' (${region}) after ${maxRetries + 1} attempts. ` + (lockInfo ? `Locked by: ${lockInfo.owner}${lockInfo.operation ? `, operation: ${lockInfo.operation}` : ""}, expires in: ${expiresIn}. Use --force-unlock to manually release the lock.` : "Lock exists but could not read lock info.")
     );
   }
 };
@@ -5447,35 +5695,45 @@ var IntrinsicFunctionResolver = class {
     }
     this.logger.debug(`Resolving Fn::ImportValue: ${exportName}`);
     const allStacks = await context.stateBackend.listStacks();
-    this.logger.debug(`Found ${allStacks.length} stacks to search for export: ${exportName}`);
-    for (const stackName of allStacks) {
-      if (context.stackName && stackName === context.stackName) {
-        this.logger.debug(`Skipping current stack: ${stackName}`);
+    this.logger.debug(
+      `Found ${allStacks.length} state record(s) to search for export: ${exportName}`
+    );
+    for (const ref of allStacks) {
+      const { stackName: refStack, region: refRegion } = ref;
+      if (context.stackName && refStack === context.stackName) {
+        this.logger.debug(`Skipping current stack: ${refStack}`);
         continue;
       }
       try {
-        const stateData = await context.stateBackend.getState(stackName);
+        const lookupRegion = refRegion ?? this.resolverRegion ?? "";
+        if (!lookupRegion) {
+          this.logger.debug(
+            `No region available for stack '${refStack}' \u2014 skipping (cdkd cannot read state without a region)`
+          );
+          continue;
+        }
+        const stateData = await context.stateBackend.getState(refStack, lookupRegion);
         if (!stateData) {
-          this.logger.debug(`No state found for stack: ${stackName}`);
+          this.logger.debug(`No state found for stack: ${refStack} (${lookupRegion})`);
           continue;
         }
         const { state } = stateData;
         if (state.outputs && exportName in state.outputs) {
           const value = state.outputs[exportName];
           this.logger.info(
-            `Resolved Fn::ImportValue: ${exportName} = ${JSON.stringify(value)} (from stack: ${stackName})`
+            `Resolved Fn::ImportValue: ${exportName} = ${JSON.stringify(value)} (from stack: ${refStack} / ${lookupRegion})`
           );
           return value;
         }
       } catch (error) {
         this.logger.warn(
-          `Failed to read state for stack ${stackName}: ${error instanceof Error ? error.message : String(error)}`
+          `Failed to read state for stack ${refStack}: ${error instanceof Error ? error.message : String(error)}`
         );
         continue;
       }
     }
     throw new Error(
-      `Fn::ImportValue: export '${exportName}' not found in any stack. Searched ${allStacks.length} stacks. Make sure the exporting stack has been deployed and the Output has an Export.Name property.`
+      `Fn::ImportValue: export '${exportName}' not found in any stack. Searched ${allStacks.length} state record(s). Make sure the exporting stack has been deployed and the Output has an Export.Name property.`
     );
   }
   /**
@@ -5938,6 +6196,29 @@ var JsonPatchGenerator = class {
   }
 };
 
+// src/provisioning/region-check.ts
+function assertRegionMatch(clientRegion, expectedRegion, resourceType, logicalId, physicalId) {
+  if (!expectedRegion) {
+    return;
+  }
+  if (!clientRegion) {
+    throw new ProvisioningError(
+      `Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region is unknown but stack state expects ${expectedRegion}. The resource may exist in ${expectedRegion} and would be silently removed from state if this NotFound were trusted.`,
+      resourceType,
+      logicalId,
+      physicalId
+    );
+  }
+  if (clientRegion !== expectedRegion) {
+    throw new ProvisioningError(
+      `Refusing to treat NotFound as idempotent delete success for ${logicalId} (${resourceType}): AWS client region ${clientRegion} does not match stack state region ${expectedRegion}. The resource likely still exists in ${expectedRegion}; rerun the destroy with the correct region (e.g. --region ${expectedRegion}).`,
+      resourceType,
+      logicalId,
+      physicalId
+    );
+  }
+}
+
 // src/provisioning/cloud-control-provider.ts
 var JSON_STRING_PROPERTIES = {
   "AWS::Events::Rule": /* @__PURE__ */ new Set(["EventPattern"])
@@ -6113,7 +6394,7 @@ var CloudControlProvider = class {
   /**
    * Delete a resource using Cloud Control API
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(
       `Deleting resource ${logicalId} (${resourceType}), physical ID: ${physicalId}`
     );
@@ -6140,6 +6421,14 @@ var CloudControlProvider = class {
     } catch (error) {
       const err = error;
       if (err.name === "ResourceNotFoundException" || err.message?.includes("does not exist") || err.message?.includes("not found") || err.message?.includes("NotFound")) {
+        const clientRegion = await this.cloudControlClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Resource ${logicalId} already deleted (not found), treating as success`);
         return;
       }
@@ -6704,7 +6993,7 @@ var CustomResourceProvider = class _CustomResourceProvider {
   /**
    * Delete a custom resource by invoking its Lambda handler
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, _context) {
     this.logger.debug(`Deleting custom resource ${logicalId}: ${physicalId} (${resourceType})`);
     if (!properties) {
       this.logger.warn(
@@ -7526,13 +7815,21 @@ var IAMRoleProvider = class {
    * 3. Remove role from all instance profiles
    * 4. Delete the role itself
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting IAM role ${logicalId}: ${physicalId}`);
     try {
       try {
         await this.iamClient.send(new GetRoleCommand({ RoleName: physicalId }));
       } catch (error) {
         if (error instanceof NoSuchEntityException) {
+          const clientRegion = await this.iamClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Role ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -8027,13 +8324,23 @@ var IAMPolicyProvider = class {
   /**
    * Delete an IAM inline policy
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting IAM policy ${logicalId}: ${physicalId}`);
     const policyName = physicalId.includes(":") ? physicalId.split(":")[0] : physicalId;
     if (!policyName) {
       this.logger.warn(`Invalid physical ID format: ${physicalId}, skipping deletion`);
       return;
     }
+    const onNotFound = async (target) => {
+      const clientRegion = await this.iamClient.config.region();
+      assertRegionMatch(
+        clientRegion,
+        context?.expectedRegion,
+        resourceType,
+        logicalId,
+        `${physicalId} (${target})`
+      );
+    };
     try {
       const roles = properties?.["Roles"];
       const groups = properties?.["Groups"];
@@ -8050,7 +8357,9 @@ var IAMPolicyProvider = class {
             );
             this.logger.debug(`Deleted inline policy ${policyName} from role ${firstRole}`);
           } catch (error) {
-            if (!(error instanceof NoSuchEntityException2)) {
+            if (error instanceof NoSuchEntityException2) {
+              await onNotFound(`role ${firstRole}`);
+            } else {
               throw error;
             }
           }
@@ -8067,7 +8376,9 @@ var IAMPolicyProvider = class {
             );
             this.logger.debug(`Deleted inline policy ${policyName} from role ${roleName}`);
           } catch (error) {
-            if (!(error instanceof NoSuchEntityException2)) {
+            if (error instanceof NoSuchEntityException2) {
+              await onNotFound(`role ${roleName}`);
+            } else {
               throw error;
             }
           }
@@ -8084,7 +8395,9 @@ var IAMPolicyProvider = class {
             );
             this.logger.debug(`Deleted inline policy ${policyName} from group ${groupName}`);
           } catch (error) {
-            if (!(error instanceof NoSuchEntityException2)) {
+            if (error instanceof NoSuchEntityException2) {
+              await onNotFound(`group ${groupName}`);
+            } else {
               throw error;
             }
           }
@@ -8101,7 +8414,9 @@ var IAMPolicyProvider = class {
             );
             this.logger.debug(`Deleted inline policy ${policyName} from user ${userName}`);
           } catch (error) {
-            if (!(error instanceof NoSuchEntityException2)) {
+            if (error instanceof NoSuchEntityException2) {
+              await onNotFound(`user ${userName}`);
+            } else {
               throw error;
             }
           }
@@ -8259,7 +8574,7 @@ var IAMInstanceProfileProvider = class {
    *
    * Before deleting, removes all roles from the instance profile.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting IAM instance profile ${logicalId}: ${physicalId}`);
     try {
       let roles = [];
@@ -8272,6 +8587,14 @@ var IAMInstanceProfileProvider = class {
         ) || [];
       } catch (error) {
         if (error instanceof NoSuchEntityException3) {
+          const clientRegion = await this.iamClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Instance profile ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -8298,6 +8621,14 @@ var IAMInstanceProfileProvider = class {
       this.logger.debug(`Successfully deleted IAM instance profile ${logicalId}`);
     } catch (error) {
       if (error instanceof NoSuchEntityException3) {
+        const clientRegion = await this.iamClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Instance profile ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -8417,14 +8748,20 @@ var IAMUserGroupProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::IAM::User":
-        return this.deleteUser(logicalId, physicalId, resourceType);
+        return this.deleteUser(logicalId, physicalId, resourceType, context);
       case "AWS::IAM::Group":
-        return this.deleteGroup(logicalId, physicalId, resourceType);
+        return this.deleteGroup(logicalId, physicalId, resourceType, context);
       case "AWS::IAM::UserToGroupAddition":
-        return this.deleteUserToGroupAddition(logicalId, physicalId, resourceType, properties);
+        return this.deleteUserToGroupAddition(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          context
+        );
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -8627,13 +8964,21 @@ var IAMUserGroupProvider = class {
       );
     }
   }
-  async deleteUser(logicalId, physicalId, resourceType) {
+  async deleteUser(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting IAM user ${logicalId}: ${physicalId}`);
     try {
       try {
         await this.iamClient.send(new GetUserCommand({ UserName: physicalId }));
       } catch (error) {
         if (error instanceof NoSuchEntityException4) {
+          const clientRegion = await this.iamClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`User ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -8973,7 +9318,7 @@ var IAMUserGroupProvider = class {
       );
     }
   }
-  async deleteGroup(logicalId, physicalId, resourceType) {
+  async deleteGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting IAM group ${logicalId}: ${physicalId}`);
     try {
       await this.detachAllGroupPolicies(physicalId);
@@ -8983,6 +9328,14 @@ var IAMUserGroupProvider = class {
       this.logger.debug(`Successfully deleted IAM group ${logicalId}`);
     } catch (error) {
       if (error instanceof NoSuchEntityException4) {
+        const clientRegion = await this.iamClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Group ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -9257,7 +9610,7 @@ var IAMUserGroupProvider = class {
       );
     }
   }
-  async deleteUserToGroupAddition(logicalId, physicalId, resourceType, properties) {
+  async deleteUserToGroupAddition(logicalId, physicalId, resourceType, properties, _context) {
     this.logger.debug(`Deleting IAM UserToGroupAddition ${logicalId}`);
     if (!properties) {
       this.logger.debug(`No properties for UserToGroupAddition ${logicalId}, skipping deletion`);
@@ -10131,12 +10484,20 @@ var S3BucketProvider = class {
    *
    * Note: The bucket must be empty before deletion.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting S3 bucket ${logicalId}: ${physicalId}`);
     try {
       await this.deleteBucketWithEmptyRetry(logicalId, physicalId);
     } catch (error) {
       if (error instanceof NoSuchBucket) {
+        const clientRegion = await this.s3Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Bucket ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -10331,7 +10692,7 @@ var S3BucketPolicyProvider = class {
   /**
    * Delete an S3 bucket policy
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting S3 bucket policy ${logicalId}: ${physicalId}`);
     try {
       try {
@@ -10343,10 +10704,26 @@ var S3BucketPolicyProvider = class {
         this.logger.debug(`Successfully deleted S3 bucket policy ${logicalId}`);
       } catch (error) {
         if (error instanceof NoSuchBucket2) {
+          const clientRegion = await this.s3Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Bucket ${physicalId} does not exist, skipping policy deletion`);
           return;
         }
         if (error instanceof Error && (error.name === "NoSuchBucketPolicy" || error.message.includes("does not have"))) {
+          const clientRegion = await this.s3Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Bucket policy for ${physicalId} does not exist, skipping`);
           return;
         }
@@ -10536,13 +10913,21 @@ var SQSQueueProvider = class {
   /**
    * Delete an SQS queue
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SQS queue ${logicalId}: ${physicalId}`);
     try {
       await this.sqsClient.send(new DeleteQueueCommand({ QueueUrl: physicalId }));
       this.logger.debug(`Successfully deleted SQS queue ${logicalId}`);
     } catch (error) {
       if (error instanceof QueueDoesNotExist) {
+        const clientRegion = await this.sqsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`SQS queue ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -10691,7 +11076,7 @@ var SQSQueuePolicyProvider = class {
   /**
    * Delete an SQS queue policy
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SQS queue policy ${logicalId}: ${physicalId}`);
     try {
       await this.sqsClient.send(
@@ -10705,6 +11090,14 @@ var SQSQueuePolicyProvider = class {
       this.logger.debug(`Successfully deleted SQS queue policy ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && (error.name === "QueueDoesNotExist" || error.message.includes("does not exist"))) {
+        const clientRegion = await this.sqsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Queue ${physicalId} does not exist, skipping policy deletion`);
         return;
       }
@@ -10985,13 +11378,21 @@ var SNSTopicProvider = class {
   /**
    * Delete an SNS topic
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SNS topic ${logicalId}: ${physicalId}`);
     try {
       await this.snsClient.send(new DeleteTopicCommand({ TopicArn: physicalId }));
       this.logger.debug(`Successfully deleted SNS topic ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException) {
+        const clientRegion = await this.snsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`SNS topic ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -11110,7 +11511,7 @@ var SNSSubscriptionProvider = class {
   /**
    * Delete an SNS subscription
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SNS subscription ${logicalId}: ${physicalId}`);
     try {
       await this.snsClient.send(
@@ -11121,6 +11522,14 @@ var SNSSubscriptionProvider = class {
       this.logger.debug(`Successfully deleted SNS subscription ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException2) {
+        const clientRegion = await this.snsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Subscription ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -11241,7 +11650,7 @@ var SNSTopicPolicyProvider = class {
    *
    * Removes the policy from each topic by setting an empty policy.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SNS topic policy ${logicalId}: ${physicalId}`);
     const topicArns = physicalId.split(",");
     for (const topicArn of topicArns) {
@@ -11250,6 +11659,14 @@ var SNSTopicPolicyProvider = class {
         this.logger.debug(`Removed policy from topic ${topicArn}`);
       } catch (error) {
         if (error instanceof Error && (error.name === "NotFoundException" || error.name === "NotFound" || error.message.includes("not found") || error.message.includes("does not exist") || error.message.includes("Invalid parameter"))) {
+          const clientRegion = await getAwsClients().sns.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            topicArn
+          );
           this.logger.debug(`Topic ${topicArn} not found or policy already removed, skipping`);
           continue;
         }
@@ -11514,7 +11931,7 @@ var LambdaFunctionProvider = class {
    * security groups, we poll DescribeNetworkInterfaces for the function's
    * managed ENIs and only return once they are gone (or the timeout elapses).
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Lambda function ${logicalId}: ${physicalId}`);
     const hasVpcConfig = this.hasVpcConfig(properties?.["VpcConfig"]);
     if (hasVpcConfig) {
@@ -11528,6 +11945,14 @@ var LambdaFunctionProvider = class {
         this.logger.debug(`Detached VPC config from Lambda ${physicalId} before deletion`);
       } catch (error) {
         if (error instanceof ResourceNotFoundException) {
+          const clientRegion = await this.lambdaClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           return;
         }
         this.logger.warn(
@@ -11541,6 +11966,14 @@ var LambdaFunctionProvider = class {
       this.logger.debug(`Successfully deleted Lambda function ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Lambda function ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12007,7 +12440,7 @@ var LambdaPermissionProvider = class {
   /**
    * Delete a Lambda permission
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Lambda permission ${logicalId}: ${physicalId}`);
     const functionName = properties?.["FunctionName"];
     if (!functionName) {
@@ -12030,6 +12463,14 @@ var LambdaPermissionProvider = class {
       this.logger.debug(`Successfully deleted Lambda permission ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException2) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Lambda permission ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12146,7 +12587,7 @@ var LambdaUrlProvider = class {
   /**
    * Delete a Lambda Function URL
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Lambda URL ${logicalId}: ${physicalId}`);
     try {
       await this.lambdaClient.send(
@@ -12155,6 +12596,14 @@ var LambdaUrlProvider = class {
       this.logger.debug(`Successfully deleted Lambda URL ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException3) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Lambda URL ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12365,13 +12814,21 @@ var LambdaEventSourceMappingProvider = class {
   /**
    * Delete a Lambda Event Source Mapping
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting event source mapping ${logicalId}: ${physicalId}`);
     try {
       try {
         await this.lambdaClient.send(new GetEventSourceMappingCommand({ UUID: physicalId }));
       } catch (error) {
         if (error instanceof ResourceNotFoundException4) {
+          const clientRegion = await this.lambdaClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Event source mapping ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -12381,6 +12838,14 @@ var LambdaEventSourceMappingProvider = class {
       this.logger.debug(`Successfully deleted event source mapping ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException4) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Event source mapping ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12494,7 +12959,7 @@ var LambdaLayerVersionProvider = class {
   /**
    * Delete a Lambda layer version
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Lambda layer version ${logicalId}: ${physicalId}`);
     const arnParts = physicalId.split(":");
     if (arnParts.length < 8) {
@@ -12517,6 +12982,14 @@ var LambdaLayerVersionProvider = class {
       this.logger.debug(`Successfully deleted Lambda layer version ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException5) {
+        const clientRegion = await this.lambdaClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Lambda layer version ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12693,13 +13166,21 @@ var DynamoDBTableProvider = class {
   /**
    * Delete a DynamoDB table
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting DynamoDB table ${logicalId}: ${physicalId}`);
     try {
       await this.dynamoDBClient.send(new DeleteTableCommand({ TableName: physicalId }));
       this.logger.debug(`Successfully deleted DynamoDB table ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException6) {
+        const clientRegion = await this.dynamoDBClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DynamoDB table ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -12928,13 +13409,21 @@ var LogsLogGroupProvider = class {
   /**
    * Delete a CloudWatch Logs log group
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting log group ${logicalId}: ${physicalId}`);
     try {
       await this.logsClient.send(new DeleteLogGroupCommand({ logGroupName: physicalId }));
       this.logger.debug(`Successfully deleted log group ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException7) {
+        const clientRegion = await this.logsClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Log group ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -13065,7 +13554,7 @@ var CloudWatchAlarmProvider = class {
   /**
    * Delete a CloudWatch alarm
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CloudWatch alarm ${logicalId}: ${physicalId}`);
     try {
       await this.cloudWatchClient.send(
@@ -13076,6 +13565,14 @@ var CloudWatchAlarmProvider = class {
       this.logger.debug(`Successfully deleted CloudWatch alarm ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && error.name === "ResourceNotFound") {
+        const clientRegion = await this.cloudWatchClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Alarm ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -13369,7 +13866,7 @@ var SecretsManagerSecretProvider = class {
   /**
    * Delete a Secrets Manager secret
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting secret ${logicalId}: ${physicalId}`);
     try {
       await this.smClient.send(
@@ -13381,6 +13878,14 @@ var SecretsManagerSecretProvider = class {
       this.logger.debug(`Successfully deleted secret ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException8) {
+        const clientRegion = await this.smClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Secret ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -13625,7 +14130,7 @@ var SSMParameterProvider = class {
   /**
    * Delete an SSM parameter
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting SSM parameter ${logicalId}: ${physicalId}`);
     try {
       await this.ssmClient.send(
@@ -13636,6 +14141,14 @@ var SSMParameterProvider = class {
       this.logger.debug(`Successfully deleted SSM parameter ${logicalId}`);
     } catch (error) {
       if (error instanceof ParameterNotFound) {
+        const clientRegion = await this.ssmClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Parameter ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -13854,7 +14367,7 @@ var EventBridgeRuleProvider = class {
    *
    * Before deleting, removes all targets (required by EventBridge API).
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting EventBridge rule ${logicalId}: ${physicalId}`);
     const ruleName = this.extractRuleNameFromArn(physicalId);
     try {
@@ -13866,6 +14379,14 @@ var EventBridgeRuleProvider = class {
         targetIds = (targetsResponse.Targets || []).map((t) => t.Id).filter((id) => id !== void 0);
       } catch (error) {
         if (error instanceof ResourceNotFoundException9) {
+          const clientRegion = await this.eventBridgeClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Rule ${ruleName} does not exist, skipping deletion`);
           return;
         }
@@ -13884,6 +14405,14 @@ var EventBridgeRuleProvider = class {
       this.logger.debug(`Successfully deleted EventBridge rule ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException9) {
+        const clientRegion = await this.eventBridgeClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Rule ${ruleName} does not exist, skipping deletion`);
         return;
       }
@@ -14069,7 +14598,7 @@ var EventBridgeBusProvider = class {
     }
     return { physicalId, wasReplaced: false, attributes: {} };
   }
-  async delete(logicalId, physicalId, resourceType) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting EventBus ${logicalId}: ${physicalId}`);
     try {
       await this.cleanupRulesOnBus(physicalId);
@@ -14077,11 +14606,27 @@ var EventBridgeBusProvider = class {
       this.logger.debug(`Successfully deleted EventBus ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException10) {
+        const clientRegion = await this.eventBridgeClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EventBus ${physicalId} does not exist, skipping`);
         return;
       }
       const msg = error instanceof Error ? error.message : String(error);
       if (msg.includes("does not exist")) {
+        const clientRegion = await this.eventBridgeClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EventBus ${physicalId} does not exist, skipping`);
         return;
       }
@@ -14381,32 +14926,38 @@ var EC2Provider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::EC2::VPC":
-        return this.deleteVpc(logicalId, physicalId, resourceType);
+        return this.deleteVpc(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::Subnet":
-        return this.deleteSubnet(logicalId, physicalId, resourceType);
+        return this.deleteSubnet(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::InternetGateway":
-        return this.deleteInternetGateway(logicalId, physicalId, resourceType);
+        return this.deleteInternetGateway(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::VPCGatewayAttachment":
-        return this.deleteVpcGatewayAttachment(logicalId, physicalId, resourceType);
+        return this.deleteVpcGatewayAttachment(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::RouteTable":
-        return this.deleteRouteTable(logicalId, physicalId, resourceType);
+        return this.deleteRouteTable(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::Route":
-        return this.deleteRoute(logicalId, physicalId, resourceType);
+        return this.deleteRoute(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::SubnetRouteTableAssociation":
-        return this.deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType);
+        return this.deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::SecurityGroup":
-        return this.deleteSecurityGroup(logicalId, physicalId, resourceType);
+        return this.deleteSecurityGroup(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::SecurityGroupIngress":
-        return this.deleteSecurityGroupIngress(logicalId, physicalId, resourceType, properties);
+        return this.deleteSecurityGroupIngress(
+          logicalId,
+          physicalId,
+          resourceType,
+          properties,
+          context
+        );
       case "AWS::EC2::Instance":
-        return this.deleteInstance(logicalId, physicalId, resourceType);
+        return this.deleteInstance(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::NetworkAcl":
-        return this.deleteNetworkAcl(logicalId, physicalId, resourceType);
+        return this.deleteNetworkAcl(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::NetworkAclEntry":
-        return this.deleteNetworkAclEntry(logicalId, physicalId, resourceType);
+        return this.deleteNetworkAclEntry(logicalId, physicalId, resourceType, context);
       case "AWS::EC2::SubnetNetworkAclAssociation":
         this.logger.debug(`SubnetNetworkAclAssociation ${logicalId} delete is a no-op`);
         return;
@@ -14547,7 +15098,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteVpc(logicalId, physicalId, resourceType) {
+  async deleteVpc(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting VPC ${logicalId}: ${physicalId}`);
     const maxAttempts = 10;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
@@ -14557,6 +15108,14 @@ var EC2Provider = class {
         return;
       } catch (error) {
         if (this.isNotFoundError(error)) {
+          const clientRegion = await this.ec2Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`VPC ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -14662,7 +15221,7 @@ var EC2Provider = class {
     this.logger.debug(`Updating Subnet ${logicalId}: ${physicalId} (no-op, immutable properties)`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteSubnet(logicalId, physicalId, resourceType) {
+  async deleteSubnet(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Subnet ${logicalId}: ${physicalId}`);
     const maxAttempts = 10;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
@@ -14672,6 +15231,14 @@ var EC2Provider = class {
         return;
       } catch (error) {
         if (this.isNotFoundError(error)) {
+          const clientRegion = await this.ec2Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Subnet ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -14790,7 +15357,7 @@ var EC2Provider = class {
     this.logger.debug(`Updating InternetGateway ${logicalId}: ${physicalId} (no-op)`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteInternetGateway(logicalId, physicalId, resourceType) {
+  async deleteInternetGateway(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting InternetGateway ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(
@@ -14799,6 +15366,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted InternetGateway ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`InternetGateway ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -14852,7 +15427,7 @@ var EC2Provider = class {
     this.logger.debug(`Updating VPCGatewayAttachment ${logicalId}: ${physicalId} (no-op)`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteVpcGatewayAttachment(logicalId, physicalId, resourceType) {
+  async deleteVpcGatewayAttachment(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting VPCGatewayAttachment ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 2) {
@@ -14874,6 +15449,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted VPCGatewayAttachment ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`VPCGatewayAttachment ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -14924,13 +15507,21 @@ var EC2Provider = class {
     this.logger.debug(`Updating RouteTable ${logicalId}: ${physicalId} (no-op)`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteRouteTable(logicalId, physicalId, resourceType) {
+  async deleteRouteTable(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting RouteTable ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(new DeleteRouteTableCommand({ RouteTableId: physicalId }));
       this.logger.debug(`Successfully deleted RouteTable ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`RouteTable ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15010,7 +15601,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteRoute(logicalId, physicalId, resourceType) {
+  async deleteRoute(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Route ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 2) {
@@ -15033,6 +15624,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted Route ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Route ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15090,13 +15689,21 @@ var EC2Provider = class {
     );
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType) {
+  async deleteSubnetRouteTableAssociation(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting SubnetRouteTableAssociation ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(new DisassociateRouteTableCommand({ AssociationId: physicalId }));
       this.logger.debug(`Successfully deleted SubnetRouteTableAssociation ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `SubnetRouteTableAssociation ${physicalId} does not exist, skipping deletion`
         );
@@ -15227,7 +15834,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteSecurityGroup(logicalId, physicalId, resourceType) {
+  async deleteSecurityGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting SecurityGroup ${logicalId}: ${physicalId}`);
     const maxAttempts = 10;
     for (let attempt = 1; attempt <= maxAttempts; attempt++) {
@@ -15237,6 +15844,14 @@ var EC2Provider = class {
         return;
       } catch (error) {
         if (this.isNotFoundError(error)) {
+          const clientRegion = await this.ec2Client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`SecurityGroup ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -15394,7 +16009,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteSecurityGroupIngress(logicalId, physicalId, resourceType, properties) {
+  async deleteSecurityGroupIngress(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting SecurityGroupIngress ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 4) {
@@ -15421,6 +16036,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted SecurityGroupIngress ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`SecurityGroupIngress ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15537,7 +16160,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteInstance(logicalId, physicalId, resourceType) {
+  async deleteInstance(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Terminating EC2 Instance ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(new TerminateInstancesCommand({ InstanceIds: [physicalId] }));
@@ -15549,6 +16172,14 @@ var EC2Provider = class {
       this.logger.debug(`EC2 Instance ${logicalId} terminated: ${physicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `EC2 Instance ${physicalId} already terminated (not found), treating as success`
         );
@@ -15784,13 +16415,21 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteNetworkAcl(logicalId, physicalId, resourceType) {
+  async deleteNetworkAcl(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting NetworkAcl ${logicalId}: ${physicalId}`);
     try {
       await this.ec2Client.send(new DeleteNetworkAclCommand({ NetworkAclId: physicalId }));
       this.logger.debug(`Successfully deleted NetworkAcl ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`NetworkAcl ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -15860,7 +16499,7 @@ var EC2Provider = class {
       );
     }
   }
-  async deleteNetworkAclEntry(logicalId, physicalId, resourceType) {
+  async deleteNetworkAclEntry(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting NetworkAclEntry ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length < 3) {
@@ -15881,6 +16520,14 @@ var EC2Provider = class {
       this.logger.debug(`Successfully deleted NetworkAclEntry ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.ec2Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`NetworkAclEntry ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16123,20 +16770,20 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete a resource
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::ApiGateway::Account":
         return this.deleteAccount(logicalId, physicalId, resourceType);
       case "AWS::ApiGateway::Authorizer":
-        return this.deleteAuthorizer(logicalId, physicalId, resourceType, properties);
+        return this.deleteAuthorizer(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGateway::Resource":
-        return this.deleteResource(logicalId, physicalId, resourceType, properties);
+        return this.deleteResource(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGateway::Deployment":
-        return this.deleteDeployment(logicalId, physicalId, resourceType, properties);
+        return this.deleteDeployment(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGateway::Stage":
-        return this.deleteStage(logicalId, physicalId, resourceType, properties);
+        return this.deleteStage(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGateway::Method":
-        return this.deleteMethod(logicalId, physicalId, resourceType);
+        return this.deleteMethod(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -16358,7 +17005,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete an API Gateway Authorizer
    */
-  async deleteAuthorizer(logicalId, physicalId, resourceType, properties) {
+  async deleteAuthorizer(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway Authorizer ${logicalId}: ${physicalId}`);
     const restApiId = properties?.["RestApiId"];
     if (!restApiId) {
@@ -16379,6 +17026,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Authorizer ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Authorizer ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16483,7 +17138,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete an API Gateway Resource
    */
-  async deleteResource(logicalId, physicalId, resourceType, properties) {
+  async deleteResource(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway Resource ${logicalId}: ${physicalId}`);
     const restApiId = properties?.["RestApiId"];
     if (!restApiId) {
@@ -16504,6 +17159,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Resource ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Resource ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16587,7 +17250,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete an API Gateway Deployment
    */
-  async deleteDeployment(logicalId, physicalId, resourceType, properties) {
+  async deleteDeployment(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway Deployment ${logicalId}: ${physicalId}`);
     const restApiId = properties?.["RestApiId"];
     if (!restApiId) {
@@ -16608,6 +17271,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Deployment ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Deployment ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16745,7 +17416,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
   /**
    * Delete an API Gateway Stage
    */
-  async deleteStage(logicalId, physicalId, resourceType, properties) {
+  async deleteStage(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway Stage ${logicalId}: ${physicalId}`);
     const restApiId = properties?.["RestApiId"];
     if (!restApiId) {
@@ -16766,6 +17437,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Stage ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Stage ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -16885,7 +17564,7 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
    * Parses the composite physicalId (`restApiId|resourceId|httpMethod`) and
    * calls DeleteMethodCommand. Handles NotFoundException gracefully.
    */
-  async deleteMethod(logicalId, physicalId, resourceType) {
+  async deleteMethod(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting API Gateway Method ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 3) {
@@ -16908,6 +17587,14 @@ var ApiGatewayProvider = class _ApiGatewayProvider {
       this.logger.debug(`Successfully deleted API Gateway Method ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException3) {
+        const clientRegion = await this.apiGatewayClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway Method ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17048,18 +17735,18 @@ var ApiGatewayV2Provider = class {
       attributes: {}
     });
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::ApiGatewayV2::Api":
-        return this.deleteApi(logicalId, physicalId, resourceType);
+        return this.deleteApi(logicalId, physicalId, resourceType, context);
       case "AWS::ApiGatewayV2::Stage":
-        return this.deleteStage(logicalId, physicalId, resourceType, properties);
+        return this.deleteStage(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGatewayV2::Integration":
-        return this.deleteIntegration(logicalId, physicalId, resourceType, properties);
+        return this.deleteIntegration(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGatewayV2::Route":
-        return this.deleteRoute(logicalId, physicalId, resourceType, properties);
+        return this.deleteRoute(logicalId, physicalId, resourceType, properties, context);
       case "AWS::ApiGatewayV2::Authorizer":
-        return this.deleteAuthorizer(logicalId, physicalId, resourceType, properties);
+        return this.deleteAuthorizer(logicalId, physicalId, resourceType, properties, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -17130,13 +17817,21 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteApi(logicalId, physicalId, resourceType) {
+  async deleteApi(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting API Gateway V2 Api ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteApiCommand({ ApiId: physicalId }));
       this.logger.debug(`Successfully deleted API Gateway V2 Api ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway V2 Api ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17193,7 +17888,7 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteStage(logicalId, physicalId, resourceType, properties) {
+  async deleteStage(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway V2 Stage ${logicalId}: ${physicalId}`);
     const apiId = properties?.["ApiId"];
     if (!apiId) {
@@ -17209,6 +17904,14 @@ var ApiGatewayV2Provider = class {
       this.logger.debug(`Successfully deleted API Gateway V2 Stage ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway V2 Stage ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17270,7 +17973,7 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteIntegration(logicalId, physicalId, resourceType, properties) {
+  async deleteIntegration(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway V2 Integration ${logicalId}: ${physicalId}`);
     const apiId = properties?.["ApiId"];
     if (!apiId) {
@@ -17288,6 +17991,14 @@ var ApiGatewayV2Provider = class {
       this.logger.debug(`Successfully deleted API Gateway V2 Integration ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `API Gateway V2 Integration ${physicalId} does not exist, skipping deletion`
         );
@@ -17349,7 +18060,7 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteRoute(logicalId, physicalId, resourceType, properties) {
+  async deleteRoute(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway V2 Route ${logicalId}: ${physicalId}`);
     const apiId = properties?.["ApiId"];
     if (!apiId) {
@@ -17365,6 +18076,14 @@ var ApiGatewayV2Provider = class {
       this.logger.debug(`Successfully deleted API Gateway V2 Route ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`API Gateway V2 Route ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17429,7 +18148,7 @@ var ApiGatewayV2Provider = class {
       );
     }
   }
-  async deleteAuthorizer(logicalId, physicalId, resourceType, properties) {
+  async deleteAuthorizer(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting API Gateway V2 Authorizer ${logicalId}: ${physicalId}`);
     const apiId = properties?.["ApiId"];
     if (!apiId) {
@@ -17447,6 +18166,14 @@ var ApiGatewayV2Provider = class {
       this.logger.debug(`Successfully deleted API Gateway V2 Authorizer ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException4) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `API Gateway V2 Authorizer ${physicalId} does not exist, skipping deletion`
         );
@@ -17554,7 +18281,7 @@ var CloudFrontOAIProvider = class {
    *
    * Requires fetching the ETag first, then passing it as IfMatch for deletion.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CloudFront OAI ${logicalId}: ${physicalId}`);
     try {
       let etag;
@@ -17565,6 +18292,14 @@ var CloudFrontOAIProvider = class {
         etag = getResponse.ETag;
       } catch (error) {
         if (error instanceof NoSuchCloudFrontOriginAccessIdentity) {
+          const clientRegion = await this.cloudFrontClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`OAI ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -17579,6 +18314,14 @@ var CloudFrontOAIProvider = class {
       this.logger.debug(`Successfully deleted CloudFront OAI ${logicalId}`);
     } catch (error) {
       if (error instanceof NoSuchCloudFrontOriginAccessIdentity) {
+        const clientRegion = await this.cloudFrontClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`OAI ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -17752,7 +18495,7 @@ var CloudFrontDistributionProvider = class {
    * 2. If Enabled, update to Enabled=false and wait
    * 3. Delete with the latest ETag
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CloudFront Distribution ${logicalId}: ${physicalId}`);
     try {
       let etag;
@@ -17765,6 +18508,14 @@ var CloudFrontDistributionProvider = class {
         config = getConfigResponse.DistributionConfig;
       } catch (error) {
         if (error instanceof NoSuchDistribution) {
+          const clientRegion = await this.cloudFrontClient.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(`Distribution ${physicalId} does not exist, skipping deletion`);
           return;
         }
@@ -17796,6 +18547,14 @@ var CloudFrontDistributionProvider = class {
       this.logger.debug(`Successfully deleted CloudFront Distribution ${logicalId}`);
     } catch (error) {
       if (error instanceof NoSuchDistribution) {
+        const clientRegion = await this.cloudFrontClient.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Distribution ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -18215,7 +18974,7 @@ var AgentCoreRuntimeProvider = class {
   /**
    * Delete a BedrockAgentCore Runtime
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting BedrockAgentCore Runtime ${logicalId}: ${physicalId}`);
     try {
       await this.client.send(
@@ -18226,6 +18985,14 @@ var AgentCoreRuntimeProvider = class {
       this.logger.debug(`Successfully deleted BedrockAgentCore Runtime ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException11) {
+        const clientRegion = await this.client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Runtime ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -18421,13 +19188,21 @@ var StepFunctionsProvider = class {
   /**
    * Delete a Step Functions state machine
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Step Functions state machine ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteStateMachineCommand({ stateMachineArn: physicalId }));
       this.logger.debug(`Successfully deleted Step Functions state machine ${logicalId}`);
     } catch (error) {
       if (error instanceof StateMachineDoesNotExist) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `Step Functions state machine ${physicalId} does not exist, skipping deletion`
         );
@@ -18594,14 +19369,14 @@ var ECSProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::ECS::Cluster":
-        return this.deleteCluster(logicalId, physicalId, resourceType);
+        return this.deleteCluster(logicalId, physicalId, resourceType, context);
       case "AWS::ECS::TaskDefinition":
-        return this.deleteTaskDefinition(logicalId, physicalId, resourceType);
+        return this.deleteTaskDefinition(logicalId, physicalId, resourceType, context);
       case "AWS::ECS::Service":
-        return this.deleteService(logicalId, physicalId, resourceType, properties);
+        return this.deleteService(logicalId, physicalId, resourceType, properties, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -18702,7 +19477,7 @@ var ECSProvider = class {
       );
     }
   }
-  async deleteCluster(logicalId, physicalId, resourceType) {
+  async deleteCluster(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting ECS cluster ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     try {
@@ -18710,6 +19485,14 @@ var ECSProvider = class {
       this.logger.debug(`Successfully deleted ECS cluster ${logicalId}`);
     } catch (error) {
       if (this.isClusterNotFoundException(error)) {
+        const clientRegion = await client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ECS cluster ${physicalId} not found, skipping deletion`);
         return;
       }
@@ -18809,7 +19592,7 @@ var ECSProvider = class {
       attributes: result.attributes ?? {}
     };
   }
-  async deleteTaskDefinition(logicalId, physicalId, resourceType) {
+  async deleteTaskDefinition(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting ECS task definition ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     try {
@@ -18817,6 +19600,14 @@ var ECSProvider = class {
       this.logger.debug(`Successfully deregistered ECS task definition ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundException(error)) {
+        const clientRegion = await client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ECS task definition ${physicalId} not found, skipping deletion`);
         return;
       }
@@ -18955,7 +19746,7 @@ var ECSProvider = class {
       );
     }
   }
-  async deleteService(logicalId, physicalId, resourceType, properties) {
+  async deleteService(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting ECS service ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     const cluster = properties?.["Cluster"];
@@ -18971,6 +19762,14 @@ var ECSProvider = class {
         this.logger.debug(`Scaled down ECS service ${physicalId} to 0`);
       } catch (error) {
         if (this.isServiceNotFoundException(error)) {
+          const clientRegion = await client.config.region();
+          assertRegionMatch(
+            clientRegion,
+            context?.expectedRegion,
+            resourceType,
+            logicalId,
+            physicalId
+          );
           this.logger.debug(
             `ECS service ${physicalId} not found during scale down, skipping deletion`
           );
@@ -18988,6 +19787,14 @@ var ECSProvider = class {
       this.logger.debug(`Successfully deleted ECS service ${logicalId}`);
     } catch (error) {
       if (this.isServiceNotFoundException(error)) {
+        const clientRegion = await client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ECS service ${physicalId} not found, skipping deletion`);
         return;
       }
@@ -19286,14 +20093,14 @@ var ELBv2Provider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::ElasticLoadBalancingV2::LoadBalancer":
-        return this.deleteLoadBalancer(logicalId, physicalId, resourceType);
+        return this.deleteLoadBalancer(logicalId, physicalId, resourceType, context);
       case "AWS::ElasticLoadBalancingV2::TargetGroup":
-        return this.deleteTargetGroup(logicalId, physicalId, resourceType);
+        return this.deleteTargetGroup(logicalId, physicalId, resourceType, context);
       case "AWS::ElasticLoadBalancingV2::Listener":
-        return this.deleteListener(logicalId, physicalId, resourceType);
+        return this.deleteListener(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -19394,13 +20201,21 @@ var ELBv2Provider = class {
       );
     }
   }
-  async deleteLoadBalancer(logicalId, physicalId, resourceType) {
+  async deleteLoadBalancer(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting LoadBalancer ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteLoadBalancerCommand({ LoadBalancerArn: physicalId }));
       this.logger.debug(`Successfully deleted LoadBalancer ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`LoadBalancer ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -19510,13 +20325,21 @@ var ELBv2Provider = class {
       );
     }
   }
-  async deleteTargetGroup(logicalId, physicalId, resourceType) {
+  async deleteTargetGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting TargetGroup ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteTargetGroupCommand({ TargetGroupArn: physicalId }));
       this.logger.debug(`Successfully deleted TargetGroup ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`TargetGroup ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -19612,13 +20435,21 @@ var ELBv2Provider = class {
       );
     }
   }
-  async deleteListener(logicalId, physicalId, resourceType) {
+  async deleteListener(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Listener ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteListenerCommand({ ListenerArn: physicalId }));
       this.logger.debug(`Successfully deleted Listener ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Listener ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -19768,14 +20599,14 @@ var RDSProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::RDS::DBSubnetGroup":
-        return this.deleteDBSubnetGroup(logicalId, physicalId, resourceType);
+        return this.deleteDBSubnetGroup(logicalId, physicalId, resourceType, context);
       case "AWS::RDS::DBCluster":
-        return this.deleteDBCluster(logicalId, physicalId, resourceType);
+        return this.deleteDBCluster(logicalId, physicalId, resourceType, context);
       case "AWS::RDS::DBInstance":
-        return this.deleteDBInstance(logicalId, physicalId, resourceType);
+        return this.deleteDBInstance(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -19846,7 +20677,7 @@ var RDSProvider = class {
       );
     }
   }
-  async deleteDBSubnetGroup(logicalId, physicalId, resourceType) {
+  async deleteDBSubnetGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DBSubnetGroup ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -19857,6 +20688,14 @@ var RDSProvider = class {
       this.logger.debug(`Successfully deleted DBSubnetGroup ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error, "DBSubnetGroupNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DBSubnetGroup ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -19979,7 +20818,7 @@ var RDSProvider = class {
       );
     }
   }
-  async deleteDBCluster(logicalId, physicalId, resourceType) {
+  async deleteDBCluster(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DBCluster ${logicalId}: ${physicalId}`);
     try {
       try {
@@ -20006,6 +20845,14 @@ var RDSProvider = class {
       await this.waitForClusterDeleted(physicalId);
     } catch (error) {
       if (this.isNotFoundError(error, "DBClusterNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DBCluster ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -20099,7 +20946,7 @@ var RDSProvider = class {
       );
     }
   }
-  async deleteDBInstance(logicalId, physicalId, resourceType) {
+  async deleteDBInstance(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DBInstance ${logicalId}: ${physicalId}`);
     try {
       try {
@@ -20127,6 +20974,14 @@ var RDSProvider = class {
       await this.waitForInstanceDeleted(physicalId);
     } catch (error) {
       if (this.isNotFoundError(error, "DBInstanceNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DBInstance ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -20340,12 +21195,12 @@ var Route53Provider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::Route53::HostedZone":
-        return this.deleteHostedZone(logicalId, physicalId, resourceType);
+        return this.deleteHostedZone(logicalId, physicalId, resourceType, context);
       case "AWS::Route53::RecordSet":
-        return this.deleteRecordSet(logicalId, physicalId, resourceType, properties);
+        return this.deleteRecordSet(logicalId, physicalId, resourceType, properties, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -20479,7 +21334,7 @@ var Route53Provider = class {
       );
     }
   }
-  async deleteHostedZone(logicalId, physicalId, resourceType) {
+  async deleteHostedZone(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Route 53 hosted zone ${logicalId}: ${physicalId}`);
     try {
       await this.deleteQueryLoggingConfigForZone(physicalId, logicalId);
@@ -20487,6 +21342,14 @@ var Route53Provider = class {
       this.logger.debug(`Successfully deleted hosted zone ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && error.name === "NoSuchHostedZone") {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Hosted zone ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -20599,7 +21462,7 @@ var Route53Provider = class {
       );
     }
   }
-  async deleteRecordSet(logicalId, physicalId, resourceType, properties) {
+  async deleteRecordSet(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Route 53 record set ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length !== 3) {
@@ -20637,6 +21500,14 @@ var Route53Provider = class {
       this.logger.debug(`Successfully deleted record set ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && (error.name === "InvalidChangeBatch" || error.message.includes("it was not found"))) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Record set ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -21077,7 +21948,7 @@ var WAFv2WebACLProvider = class {
    * DeleteWebACL requires LockToken obtained from GetWebACL.
    * WAFNonexistentItemException is treated as success (idempotent delete).
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting WAFv2 WebACL ${logicalId}: ${physicalId}`);
     try {
       const { id, name, scope } = parseWebACLArn(physicalId);
@@ -21103,6 +21974,14 @@ var WAFv2WebACLProvider = class {
       this.logger.debug(`Successfully deleted WAFv2 WebACL ${logicalId}`);
     } catch (error) {
       if (error instanceof WAFNonexistentItemException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`WAFv2 WebACL ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -21387,7 +22266,7 @@ var CognitoUserPoolProvider = class {
    *
    * If DeletionProtection is ACTIVE, it is automatically disabled before deletion.
    */
-  async delete(logicalId, physicalId, resourceType, properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Cognito User Pool ${logicalId}: ${physicalId}`);
     try {
       const deletionProtection = properties?.["DeletionProtection"];
@@ -21419,6 +22298,14 @@ var CognitoUserPoolProvider = class {
           }
         } catch (descError) {
           if (descError instanceof ResourceNotFoundException12) {
+            const clientRegion = await this.getClient().config.region();
+            assertRegionMatch(
+              clientRegion,
+              context?.expectedRegion,
+              resourceType,
+              logicalId,
+              physicalId
+            );
             this.logger.debug(`Cognito User Pool ${physicalId} does not exist, skipping deletion`);
             return;
           }
@@ -21431,6 +22318,14 @@ var CognitoUserPoolProvider = class {
       this.logger.debug(`Successfully deleted Cognito User Pool ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException12) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Cognito User Pool ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -21533,12 +22428,12 @@ var ElastiCacheProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::ElastiCache::SubnetGroup":
-        return this.deleteSubnetGroup(logicalId, physicalId, resourceType);
+        return this.deleteSubnetGroup(logicalId, physicalId, resourceType, context);
       case "AWS::ElastiCache::CacheCluster":
-        return this.deleteCacheCluster(logicalId, physicalId, resourceType);
+        return this.deleteCacheCluster(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -21609,7 +22504,7 @@ var ElastiCacheProvider = class {
       );
     }
   }
-  async deleteSubnetGroup(logicalId, physicalId, resourceType) {
+  async deleteSubnetGroup(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting CacheSubnetGroup ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -21620,6 +22515,14 @@ var ElastiCacheProvider = class {
       this.logger.debug(`Successfully deleted CacheSubnetGroup ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error, "CacheSubnetGroupNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`CacheSubnetGroup ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -21753,7 +22656,7 @@ var ElastiCacheProvider = class {
       );
     }
   }
-  async deleteCacheCluster(logicalId, physicalId, resourceType) {
+  async deleteCacheCluster(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting CacheCluster ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -21765,6 +22668,14 @@ var ElastiCacheProvider = class {
       await this.waitForClusterDeleted(physicalId);
     } catch (error) {
       if (this.isNotFoundError(error, "CacheClusterNotFoundFault")) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`CacheCluster ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -21923,12 +22834,12 @@ var ServiceDiscoveryProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::ServiceDiscovery::PrivateDnsNamespace":
-        return this.deleteNamespace(logicalId, physicalId, resourceType);
+        return this.deleteNamespace(logicalId, physicalId, resourceType, context);
       case "AWS::ServiceDiscovery::Service":
-        return this.deleteService(logicalId, physicalId, resourceType);
+        return this.deleteService(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -22006,7 +22917,7 @@ var ServiceDiscoveryProvider = class {
       }
     });
   }
-  async deleteNamespace(logicalId, physicalId, resourceType) {
+  async deleteNamespace(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting private DNS namespace ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     try {
@@ -22018,6 +22929,14 @@ var ServiceDiscoveryProvider = class {
       this.logger.debug(`Successfully deleted private DNS namespace ${logicalId}`);
     } catch (error) {
       if (error instanceof NamespaceNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Namespace ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22101,7 +23020,7 @@ var ServiceDiscoveryProvider = class {
       }
     });
   }
-  async deleteService(logicalId, physicalId, resourceType) {
+  async deleteService(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting service discovery service ${logicalId}: ${physicalId}`);
     const client = this.getClient();
     try {
@@ -22109,6 +23028,14 @@ var ServiceDiscoveryProvider = class {
       this.logger.debug(`Successfully deleted service discovery service ${logicalId}`);
     } catch (error) {
       if (error instanceof ServiceNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Service ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22255,19 +23182,19 @@ var AppSyncProvider = class {
     this.logger.debug(`Update for ${resourceType} ${logicalId} (${physicalId}) - no-op, immutable`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::AppSync::GraphQLApi":
-        return this.deleteGraphQLApi(logicalId, physicalId, resourceType);
+        return this.deleteGraphQLApi(logicalId, physicalId, resourceType, context);
       case "AWS::AppSync::GraphQLSchema":
         this.logger.debug(`Schema ${logicalId} is deleted with its API, skipping`);
         return;
       case "AWS::AppSync::DataSource":
-        return this.deleteDataSource(logicalId, physicalId, resourceType);
+        return this.deleteDataSource(logicalId, physicalId, resourceType, context);
       case "AWS::AppSync::Resolver":
-        return this.deleteResolver(logicalId, physicalId, resourceType);
+        return this.deleteResolver(logicalId, physicalId, resourceType, context);
       case "AWS::AppSync::ApiKey":
-        return this.deleteApiKey(logicalId, physicalId, resourceType);
+        return this.deleteApiKey(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -22341,13 +23268,21 @@ var AppSyncProvider = class {
       );
     }
   }
-  async deleteGraphQLApi(logicalId, physicalId, resourceType) {
+  async deleteGraphQLApi(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting GraphQL API ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteGraphqlApiCommand({ apiId: physicalId }));
       this.logger.debug(`Successfully deleted GraphQL API ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`GraphQL API ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22467,7 +23402,7 @@ var AppSyncProvider = class {
       );
     }
   }
-  async deleteDataSource(logicalId, physicalId, resourceType) {
+  async deleteDataSource(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting DataSource ${logicalId}: ${physicalId}`);
     const [apiId, name] = physicalId.split("|");
     if (!apiId || !name) {
@@ -22479,6 +23414,14 @@ var AppSyncProvider = class {
       this.logger.debug(`Successfully deleted DataSource ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`DataSource ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22559,7 +23502,7 @@ var AppSyncProvider = class {
       );
     }
   }
-  async deleteResolver(logicalId, physicalId, resourceType) {
+  async deleteResolver(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting Resolver ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length < 3) {
@@ -22572,6 +23515,14 @@ var AppSyncProvider = class {
       this.logger.debug(`Successfully deleted Resolver ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Resolver ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22625,7 +23576,7 @@ var AppSyncProvider = class {
       );
     }
   }
-  async deleteApiKey(logicalId, physicalId, resourceType) {
+  async deleteApiKey(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting ApiKey ${logicalId}: ${physicalId}`);
     const [apiId, apiKeyId] = physicalId.split("|");
     if (!apiId || !apiKeyId) {
@@ -22637,6 +23588,14 @@ var AppSyncProvider = class {
       this.logger.debug(`Successfully deleted ApiKey ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ApiKey ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22717,12 +23676,12 @@ var GlueProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, properties, context) {
     switch (resourceType) {
       case "AWS::Glue::Database":
-        return this.deleteDatabase(logicalId, physicalId, resourceType);
+        return this.deleteDatabase(logicalId, physicalId, resourceType, properties, context);
       case "AWS::Glue::Table":
-        return this.deleteTable(logicalId, physicalId, resourceType);
+        return this.deleteTable(logicalId, physicalId, resourceType, properties, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -22780,7 +23739,7 @@ var GlueProvider = class {
       );
     }
   }
-  async deleteDatabase(logicalId, physicalId, resourceType, properties) {
+  async deleteDatabase(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Deleting Glue Database ${logicalId}: ${physicalId}`);
     try {
       const catalogId = properties?.["CatalogId"];
@@ -22793,6 +23752,14 @@ var GlueProvider = class {
       this.logger.debug(`Successfully deleted Glue Database ${logicalId}`);
     } catch (error) {
       if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Glue Database ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -22904,7 +23871,7 @@ var GlueProvider = class {
       );
     }
   }
-  async deleteTable(logicalId, physicalId, resourceType) {
+  async deleteTable(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Glue Table ${logicalId}: ${physicalId}`);
     const [databaseName, tableName] = physicalId.split("|");
     if (!databaseName || !tableName) {
@@ -22921,6 +23888,14 @@ var GlueProvider = class {
       this.logger.debug(`Successfully deleted Glue Table ${logicalId}`);
     } catch (error) {
       if (error instanceof EntityNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Glue Table ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23106,12 +24081,12 @@ var KMSProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::KMS::Key":
-        return this.deleteKey(logicalId, physicalId, resourceType, _properties);
+        return this.deleteKey(logicalId, physicalId, resourceType, _properties, context);
       case "AWS::KMS::Alias":
-        return this.deleteAlias(logicalId, physicalId, resourceType);
+        return this.deleteAlias(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -23275,7 +24250,7 @@ var KMSProvider = class {
       );
     }
   }
-  async deleteKey(logicalId, physicalId, resourceType, properties) {
+  async deleteKey(logicalId, physicalId, resourceType, properties, context) {
     this.logger.debug(`Scheduling deletion for KMS Key ${logicalId}: ${physicalId}`);
     const pendingWindowInDays = properties?.["PendingWindowInDays"] ?? 7;
     try {
@@ -23288,6 +24263,14 @@ var KMSProvider = class {
       this.logger.debug(`Successfully scheduled deletion for KMS Key ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException5) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`KMS Key ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23374,7 +24357,7 @@ var KMSProvider = class {
       );
     }
   }
-  async deleteAlias(logicalId, physicalId, resourceType) {
+  async deleteAlias(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting KMS Alias ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -23385,6 +24368,14 @@ var KMSProvider = class {
       this.logger.debug(`Successfully deleted KMS Alias ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException5) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`KMS Alias ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23631,7 +24622,7 @@ var KinesisStreamProvider = class {
   /**
    * Delete a Kinesis stream
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Kinesis stream ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -23643,6 +24634,14 @@ var KinesisStreamProvider = class {
       this.logger.debug(`Successfully deleted Kinesis stream ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException13) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Kinesis stream ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23759,14 +24758,14 @@ var EFSProvider = class {
     }
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::EFS::FileSystem":
-        return this.deleteFileSystem(logicalId, physicalId, resourceType);
+        return this.deleteFileSystem(logicalId, physicalId, resourceType, context);
       case "AWS::EFS::MountTarget":
-        return this.deleteMountTarget(logicalId, physicalId, resourceType);
+        return this.deleteMountTarget(logicalId, physicalId, resourceType, context);
       case "AWS::EFS::AccessPoint":
-        return this.deleteAccessPoint(logicalId, physicalId, resourceType);
+        return this.deleteAccessPoint(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -23815,7 +24814,7 @@ var EFSProvider = class {
       );
     }
   }
-  async deleteFileSystem(logicalId, physicalId, resourceType) {
+  async deleteFileSystem(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting EFS FileSystem ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -23826,6 +24825,14 @@ var EFSProvider = class {
       this.logger.debug(`Successfully deleted EFS FileSystem ${logicalId}`);
     } catch (error) {
       if (error instanceof FileSystemNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EFS FileSystem ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -23941,7 +24948,7 @@ var EFSProvider = class {
       mountTargetId
     );
   }
-  async deleteMountTarget(logicalId, physicalId, resourceType) {
+  async deleteMountTarget(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting EFS MountTarget ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -23953,6 +24960,14 @@ var EFSProvider = class {
       this.logger.debug(`Successfully deleted EFS MountTarget ${logicalId}`);
     } catch (error) {
       if (error instanceof MountTargetNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EFS MountTarget ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -24051,7 +25066,7 @@ var EFSProvider = class {
       );
     }
   }
-  async deleteAccessPoint(logicalId, physicalId, resourceType) {
+  async deleteAccessPoint(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting EFS AccessPoint ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -24062,6 +25077,14 @@ var EFSProvider = class {
       this.logger.debug(`Successfully deleted EFS AccessPoint ${logicalId}`);
     } catch (error) {
       if (error instanceof AccessPointNotFound) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`EFS AccessPoint ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -24299,7 +25322,7 @@ var FirehoseProvider = class {
   /**
    * Delete a Firehose delivery stream
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting Firehose delivery stream ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -24310,6 +25333,14 @@ var FirehoseProvider = class {
       this.logger.debug(`Successfully deleted Firehose delivery stream ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException14) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(
           `Firehose delivery stream ${physicalId} does not exist, skipping deletion`
         );
@@ -24641,7 +25672,7 @@ var CloudTrailProvider = class {
       );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CloudTrail Trail ${logicalId}: ${physicalId}`);
     try {
       try {
@@ -24652,6 +25683,14 @@ var CloudTrailProvider = class {
       this.logger.debug(`Successfully deleted CloudTrail Trail ${logicalId}`);
     } catch (error) {
       if (error instanceof TrailNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`CloudTrail Trail ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -24903,13 +25942,21 @@ var CodeBuildProvider = class {
       );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting CodeBuild Project ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(new DeleteProjectCommand({ name: physicalId }));
       this.logger.debug(`Successfully deleted CodeBuild Project ${logicalId}`);
     } catch (error) {
       if (error instanceof ResourceNotFoundException15) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`CodeBuild Project ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -24975,10 +26022,10 @@ var S3VectorsProvider = class {
         );
     }
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::S3Vectors::VectorBucket":
-        return this.deleteVectorBucket(logicalId, physicalId, resourceType);
+        return this.deleteVectorBucket(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -25029,7 +26076,7 @@ var S3VectorsProvider = class {
       );
     }
   }
-  async deleteVectorBucket(logicalId, physicalId, resourceType) {
+  async deleteVectorBucket(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 VectorBucket ${logicalId}: ${physicalId}`);
     try {
       await this.emptyVectorBucket(logicalId, physicalId);
@@ -25041,6 +26088,14 @@ var S3VectorsProvider = class {
       this.logger.debug(`Successfully deleted S3 VectorBucket ${logicalId}`);
     } catch (error) {
       if (this.isNotFoundError(error)) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`S3 VectorBucket ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25237,7 +26292,7 @@ var S3DirectoryBucketProvider = class {
    * Must empty the bucket before deletion. Directory buckets do not support
    * versioning, so only current objects need to be deleted.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting S3 Express Directory Bucket ${logicalId}: ${physicalId}`);
     try {
       await this.emptyBucket(physicalId);
@@ -25249,6 +26304,14 @@ var S3DirectoryBucketProvider = class {
       this.logger.debug(`Successfully deleted S3 Express Directory Bucket ${logicalId}`);
     } catch (error) {
       if (error instanceof Error && (error.name === "NoSuchBucket" || error.name === "BucketNotFound")) {
+        const clientRegion = await this.s3Client.config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`Bucket ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25343,14 +26406,14 @@ var S3TablesProvider = class {
     this.logger.debug(`Update is no-op for ${resourceType} ${logicalId}`);
     return Promise.resolve({ physicalId, wasReplaced: false });
   }
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     switch (resourceType) {
       case "AWS::S3Tables::TableBucket":
-        return this.deleteTableBucket(logicalId, physicalId, resourceType);
+        return this.deleteTableBucket(logicalId, physicalId, resourceType, context);
       case "AWS::S3Tables::Namespace":
-        return this.deleteNamespace(logicalId, physicalId, resourceType);
+        return this.deleteNamespace(logicalId, physicalId, resourceType, context);
       case "AWS::S3Tables::Table":
-        return this.deleteTable(logicalId, physicalId, resourceType);
+        return this.deleteTable(logicalId, physicalId, resourceType, context);
       default:
         throw new ProvisioningError(
           `Unsupported resource type: ${resourceType}`,
@@ -25396,7 +26459,7 @@ var S3TablesProvider = class {
       );
     }
   }
-  async deleteTableBucket(logicalId, physicalId, resourceType) {
+  async deleteTableBucket(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 Table Bucket ${logicalId}: ${physicalId}`);
     try {
       await this.emptyTableBucket(physicalId);
@@ -25408,6 +26471,14 @@ var S3TablesProvider = class {
       this.logger.debug(`Successfully deleted S3 Table Bucket ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException6) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`S3 Table Bucket ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25531,7 +26602,7 @@ var S3TablesProvider = class {
       );
     }
   }
-  async deleteNamespace(logicalId, physicalId, resourceType) {
+  async deleteNamespace(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 Tables Namespace ${logicalId}: ${physicalId}`);
     const [tableBucketARN, namespaceName] = physicalId.split("|");
     if (!tableBucketARN || !namespaceName) {
@@ -25552,6 +26623,14 @@ var S3TablesProvider = class {
       this.logger.debug(`Successfully deleted S3 Tables Namespace ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException6) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`S3 Tables Namespace ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25626,7 +26705,7 @@ var S3TablesProvider = class {
       );
     }
   }
-  async deleteTable(logicalId, physicalId, resourceType) {
+  async deleteTable(logicalId, physicalId, resourceType, context) {
     this.logger.debug(`Deleting S3 Tables Table ${logicalId}: ${physicalId}`);
     const parts = physicalId.split("|");
     if (parts.length < 3) {
@@ -25651,6 +26730,14 @@ var S3TablesProvider = class {
       this.logger.debug(`Successfully deleted S3 Tables Table ${logicalId}`);
     } catch (error) {
       if (error instanceof NotFoundException6) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`S3 Tables Table ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -25877,7 +26964,7 @@ var ECRProvider = class {
    * Uses `force: true` to delete the repository even if it contains images.
    * This supports CDK's `emptyOnDelete: true` / `removalPolicy: DESTROY` pattern.
    */
-  async delete(logicalId, physicalId, resourceType, _properties) {
+  async delete(logicalId, physicalId, resourceType, _properties, context) {
     this.logger.debug(`Deleting ECR Repository ${logicalId}: ${physicalId}`);
     try {
       await this.getClient().send(
@@ -25889,6 +26976,14 @@ var ECRProvider = class {
       this.logger.debug(`Successfully deleted ECR Repository ${logicalId}`);
     } catch (error) {
       if (error instanceof RepositoryNotFoundException) {
+        const clientRegion = await this.getClient().config.region();
+        assertRegionMatch(
+          clientRegion,
+          context?.expectedRegion,
+          resourceType,
+          logicalId,
+          physicalId
+        );
         this.logger.debug(`ECR Repository ${physicalId} does not exist, skipping deletion`);
         return;
       }
@@ -26256,7 +27351,11 @@ var DeployEngine = class {
   logger = getLogger().child("DeployEngine");
   resolver;
   interrupted = false;
-  /** Target region for this stack (saved in state for cross-region destroy) */
+  /**
+   * Target region for this stack. Required — load-bearing for the
+   * region-prefixed S3 state key and recorded in state.json for
+   * cross-region destroy.
+   */
   stackRegion;
   /**
    * Deploy a CloudFormation template
@@ -26265,7 +27364,7 @@ var DeployEngine = class {
     const startTime = Date.now();
     this.logger.debug(`Starting deployment for stack: ${stackName}`);
     setCurrentStackName(stackName);
-    await this.lockManager.acquireLockWithRetry(stackName, void 0, "deploy");
+    await this.lockManager.acquireLockWithRetry(stackName, this.stackRegion, void 0, "deploy");
     const renderer = getLiveRenderer();
     renderer.start();
     this.interrupted = false;
@@ -26279,16 +27378,17 @@ var DeployEngine = class {
     };
     process.on("SIGINT", sigintHandler);
     try {
-      const currentStateData = await this.stateBackend.getState(stackName);
+      const currentStateData = await this.stateBackend.getState(stackName, this.stackRegion);
       const currentState = currentStateData?.state ?? {
-        version: 1,
-        ...this.stackRegion && { region: this.stackRegion },
+        version: STATE_SCHEMA_VERSION_CURRENT,
+        region: this.stackRegion,
         stackName,
         resources: {},
         outputs: {},
         lastModified: Date.now()
       };
       const currentEtag = currentStateData?.etag;
+      const migrationPending = currentStateData?.migrationPending ?? false;
       this.logger.debug(
         `Loaded current state: ${Object.keys(currentState.resources).length} resources`
       );
@@ -26374,9 +27474,10 @@ var DeployEngine = class {
         parameterValues,
         conditions,
         currentEtag,
-        progress
+        progress,
+        migrationPending
       );
-      const newEtag = await this.stateBackend.saveState(stackName, newState);
+      const newEtag = await this.stateBackend.saveState(stackName, this.stackRegion, newState);
       this.logger.debug(`State saved (ETag: ${newEtag})`);
       const durationMs = Date.now() - startTime;
       const unchangedCount = this.diffCalculator.filterByType(changes, "NO_CHANGE").length + actualCounts.skipped;
@@ -26392,7 +27493,7 @@ var DeployEngine = class {
       renderer.stop();
       process.removeListener("SIGINT", sigintHandler);
       try {
-        await this.lockManager.releaseLock(stackName);
+        await this.lockManager.releaseLock(stackName, this.stackRegion);
         this.logger.debug("Lock released");
       } catch (lockError) {
         this.logger.warn(
@@ -26410,11 +27511,12 @@ var DeployEngine = class {
    * - DELETE follows reverse dependency order (a node starts as soon as all
    *   resources that depend ON it have finished deleting)
    */
-  async executeDeployment(template, currentState, changes, dag, executionLevels, stackName, parameterValues, conditions, currentEtag, progress) {
+  async executeDeployment(template, currentState, changes, dag, executionLevels, stackName, parameterValues, conditions, currentEtag, progress, migrationPending = false) {
     const concurrency = this.options.concurrency;
     const newResources = { ...currentState.resources };
     const actualCounts = { created: 0, updated: 0, deleted: 0, skipped: 0 };
     const completedOperations = [];
+    let pendingMigration = migrationPending;
     let saveChain = Promise.resolve();
     const saveStateAfterResource = (logicalId) => {
       if (currentEtag === void 0)
@@ -26422,14 +27524,23 @@ var DeployEngine = class {
       saveChain = saveChain.then(async () => {
         try {
           const partialState = {
-            version: 1,
-            ...this.stackRegion && { region: this.stackRegion },
+            version: STATE_SCHEMA_VERSION_CURRENT,
+            region: this.stackRegion,
             stackName: currentState.stackName,
             resources: newResources,
             outputs: currentState.outputs,
             lastModified: Date.now()
           };
-          currentEtag = await this.stateBackend.saveState(stackName, partialState, currentEtag);
+          const migrate = pendingMigration;
+          const expectedEtag = migrate ? void 0 : currentEtag;
+          currentEtag = await this.stateBackend.saveState(
+            stackName,
+            this.stackRegion,
+            partialState,
+            { ...expectedEtag !== void 0 && { expectedEtag }, migrateLegacy: migrate }
+          );
+          if (migrate)
+            pendingMigration = false;
           this.logger.debug(`State saved after ${logicalId}`);
         } catch (error) {
           this.logger.warn(
@@ -26563,14 +27674,23 @@ var DeployEngine = class {
     } catch (error) {
       try {
         const preRollbackState = {
-          version: 1,
-          ...this.stackRegion && { region: this.stackRegion },
+          version: STATE_SCHEMA_VERSION_CURRENT,
+          region: this.stackRegion,
           stackName: currentState.stackName,
           resources: newResources,
           outputs: currentState.outputs,
           lastModified: Date.now()
         };
-        currentEtag = await this.stateBackend.saveState(stackName, preRollbackState, currentEtag);
+        const migrate = pendingMigration;
+        const expectedEtag = migrate ? void 0 : currentEtag;
+        currentEtag = await this.stateBackend.saveState(
+          stackName,
+          this.stackRegion,
+          preRollbackState,
+          { ...expectedEtag !== void 0 && { expectedEtag }, migrateLegacy: migrate }
+        );
+        if (migrate)
+          pendingMigration = false;
         this.logger.debug("Partial state saved before rollback (orphaned resource tracking)");
       } catch (saveError) {
         this.logger.warn(
@@ -26591,31 +27711,35 @@ var DeployEngine = class {
       }
       try {
         const postRollbackState = {
-          version: 1,
-          ...this.stackRegion && { region: this.stackRegion },
+          version: STATE_SCHEMA_VERSION_CURRENT,
+          region: this.stackRegion,
           stackName: currentState.stackName,
           resources: newResources,
           outputs: currentState.outputs,
           lastModified: Date.now()
         };
-        await this.stateBackend.saveState(stackName, postRollbackState, currentEtag);
+        await this.stateBackend.saveState(stackName, this.stackRegion, postRollbackState, {
+          ...currentEtag !== void 0 && { expectedEtag: currentEtag }
+        });
         this.logger.debug("State saved after deployment failure");
       } catch (saveError) {
         this.logger.debug(
           `Retrying state save after rollback (ETag mismatch): ${saveError instanceof Error ? saveError.message : String(saveError)}`
         );
         try {
-          const freshState = await this.stateBackend.getState(stackName);
+          const freshState = await this.stateBackend.getState(stackName, this.stackRegion);
           const freshEtag = freshState?.etag;
           const postRollbackState = {
-            version: 1,
-            ...this.stackRegion && { region: this.stackRegion },
+            version: STATE_SCHEMA_VERSION_CURRENT,
+            region: this.stackRegion,
             stackName: currentState.stackName,
             resources: newResources,
             outputs: currentState.outputs,
             lastModified: Date.now()
           };
-          await this.stateBackend.saveState(stackName, postRollbackState, freshEtag);
+          await this.stateBackend.saveState(stackName, this.stackRegion, postRollbackState, {
+            ...freshEtag !== void 0 && { expectedEtag: freshEtag }
+          });
           this.logger.debug("State saved after deployment failure (retry succeeded)");
         } catch (retryError) {
           this.logger.warn(
@@ -26634,8 +27758,8 @@ var DeployEngine = class {
     );
     return {
       state: {
-        version: 1,
-        ...this.stackRegion && { region: this.stackRegion },
+        version: STATE_SCHEMA_VERSION_CURRENT,
+        region: this.stackRegion,
         stackName: currentState.stackName,
         resources: newResources,
         outputs,
@@ -26764,7 +27888,9 @@ var DeployEngine = class {
             `  Rollback: Deleting created resource ${op.logicalId} (${op.resourceType})`
           );
           const provider = this.providerRegistry.getProvider(op.resourceType);
-          await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties);
+          await provider.delete(op.logicalId, op.physicalId, op.resourceType, op.properties, {
+            expectedRegion: this.stackRegion
+          });
           delete stateResources[op.logicalId];
           this.logger.info(`  Rollback: ${op.logicalId} deleted successfully`);
           break;
@@ -26906,7 +28032,8 @@ var DeployEngine = class {
                   logicalId,
                   currentResource.physicalId,
                   resourceType,
-                  currentResource.properties
+                  currentResource.properties,
+                  { expectedRegion: this.stackRegion }
                 );
                 this.logger.info(`  \u2713 Old resource deleted`);
               } catch (deleteError) {
@@ -26955,7 +28082,8 @@ var DeployEngine = class {
                     logicalId,
                     currentResource.physicalId,
                     resourceType,
-                    currentProps
+                    currentProps,
+                    { expectedRegion: this.stackRegion }
                   );
                 } catch (deleteError) {
                   const deleteMsg = deleteError instanceof Error ? deleteError.message : String(deleteError);
@@ -27026,7 +28154,8 @@ var DeployEngine = class {
                 logicalId,
                 currentResource.physicalId,
                 resourceType,
-                currentResource.properties
+                currentResource.properties,
+                { expectedRegion: this.stackRegion }
               ),
               logicalId,
               3,
@@ -27642,19 +28771,18 @@ async function diffCommand(stacks, options) {
       logger.info(`
 Calculating diff for stack: ${stackInfo.stackName}`);
       const template = stackInfo.template;
-      let currentState;
-      const stateResult = await stateBackend.getState(stackInfo.stackName);
-      if (stateResult) {
-        currentState = stateResult.state;
-      } else {
-        logger.debug(`No existing state for ${stackInfo.stackName}`);
-        currentState = {
-          stackName: stackInfo.stackName,
-          resources: {},
-          outputs: {},
-          version: 1,
-          lastModified: Date.now()
-        };
+      const stackRegion = stackInfo.region || region;
+      const stateResult = await stateBackend.getState(stackInfo.stackName, stackRegion);
+      const currentState = stateResult ? stateResult.state : {
+        stackName: stackInfo.stackName,
+        region: stackRegion,
+        resources: {},
+        outputs: {},
+        version: STATE_SCHEMA_VERSION_CURRENT,
+        lastModified: Date.now()
+      };
+      if (!stateResult) {
+        logger.debug(`No existing state for ${stackInfo.stackName} (${stackRegion})`);
       }
       const diffResolveFn = (value) => intrinsicResolver.resolve(value, {
         template,
@@ -27776,19 +28904,27 @@ async function destroyCommand(stackArgs, options) {
         });
         appStacks = result.stacks.map((s) => ({
           stackName: s.stackName,
-          displayName: s.displayName
+          displayName: s.displayName,
+          ...s.region && { region: s.region }
         }));
       } catch {
         logger.debug("Could not synthesize app, falling back to state-based stack list");
       }
     }
-    const allStateStacks = await stateBackend.listStacks();
+    const allStateRefs = await stateBackend.listStacks();
     let candidateStacks;
     if (appStacks.length > 0) {
-      const stateSet = new Set(allStateStacks);
-      candidateStacks = appStacks.filter((s) => stateSet.has(s.stackName));
+      const stateNames = new Set(allStateRefs.map((r) => r.stackName));
+      candidateStacks = appStacks.filter((s) => stateNames.has(s.stackName));
     } else if (stackArgs.length > 0 || options.stack || options.all) {
-      candidateStacks = allStateStacks.map((name) => ({ stackName: name }));
+      const seen = /* @__PURE__ */ new Set();
+      candidateStacks = [];
+      for (const ref of allStateRefs) {
+        if (seen.has(ref.stackName))
+          continue;
+        seen.add(ref.stackName);
+        candidateStacks.push({ stackName: ref.stackName });
+      }
     } else {
       throw new Error(
         "Could not determine which stacks belong to this app. Specify stack names explicitly, use --all, or ensure --app / cdk.json is configured."
@@ -27815,10 +28951,38 @@ async function destroyCommand(stackArgs, options) {
       return;
     }
     logger.info(`Found ${stackNames.length} stack(s) to destroy: ${stackNames.join(", ")}`);
+    const stateRefsByName = /* @__PURE__ */ new Map();
+    for (const ref of allStateRefs) {
+      const arr = stateRefsByName.get(ref.stackName) ?? [];
+      arr.push(ref);
+      stateRefsByName.set(ref.stackName, arr);
+    }
     for (const stackName of stackNames) {
       logger.info(`
 Preparing to destroy stack: ${stackName}`);
-      const stateResult = await stateBackend.getState(stackName);
+      const refs = stateRefsByName.get(stackName) ?? [];
+      const synthStack = appStacks.find((s) => s.stackName === stackName);
+      const synthRegion = synthStack?.region;
+      let stackTargetRegion;
+      if (refs.length === 0) {
+        logger.warn(`No state found for stack ${stackName}, skipping`);
+        continue;
+      } else if (refs.length === 1) {
+        const onlyRegion = refs[0]?.region;
+        if (!onlyRegion) {
+          stackTargetRegion = region;
+        } else {
+          stackTargetRegion = onlyRegion;
+        }
+      } else if (synthRegion && refs.some((r) => r.region === synthRegion)) {
+        stackTargetRegion = synthRegion;
+      } else {
+        const regions = refs.map((r) => r.region ?? "(legacy)").join(", ");
+        throw new Error(
+          `Stack '${stackName}' has state in multiple regions: ${regions}. Use 'cdkd state rm ${stackName} --region <region>' to remove cdkd's record for one region, or run destroy from a CDK app whose env.region matches one of them.`
+        );
+      }
+      const stateResult = await stateBackend.getState(stackName, stackTargetRegion);
       if (!stateResult) {
         logger.warn(`No state found for stack ${stackName}, skipping`);
         continue;
@@ -27827,7 +28991,7 @@ Preparing to destroy stack: ${stackName}`);
       const resourceCount = Object.keys(currentState.resources).length;
       if (resourceCount === 0) {
         logger.info(`Stack ${stackName} has no resources, cleaning up state...`);
-        await stateBackend.deleteState(stackName);
+        await stateBackend.deleteState(stackName, stackTargetRegion);
         logger.info("\u2713 State deleted");
         continue;
       }
@@ -27852,7 +29016,7 @@ Are you sure you want to destroy stack "${stackName}" and delete all ${resourceC
           continue;
         }
       }
-      const stackRegion = currentState.region;
+      const stackRegion = stackTargetRegion;
       let destroyProviderRegistry = providerRegistry;
       let destroyAwsClients;
       if (stackRegion && stackRegion !== region) {
@@ -27870,7 +29034,7 @@ Are you sure you want to destroy stack "${stackName}" and delete all ${resourceC
       }
       logger.info(`
 Acquiring lock for stack ${stackName}...`);
-      await lockManager.acquireLock(stackName, "destroy");
+      await lockManager.acquireLock(stackName, stackRegion, void 0, "destroy");
       const renderer = getLiveRenderer();
       renderer.start();
       try {
@@ -27946,7 +29110,8 @@ Acquiring lock for stack ${stackName}...`);
                     logicalId,
                     resource.physicalId,
                     resource.resourceType,
-                    resource.properties
+                    resource.properties,
+                    { expectedRegion: currentState.region }
                   );
                   lastDeleteError = null;
                   break;
@@ -27985,7 +29150,7 @@ Acquiring lock for stack ${stackName}...`);
           await Promise.all(deletePromises);
         }
         if (errorCount === 0) {
-          await stateBackend.deleteState(stackName);
+          await stateBackend.deleteState(stackName, stackRegion);
           logger.debug("State deleted");
         } else {
           logger.warn(`${errorCount} resource(s) failed to delete. State preserved.`);
@@ -27997,7 +29162,7 @@ Acquiring lock for stack ${stackName}...`);
       } finally {
         renderer.stop();
         logger.debug("Releasing lock...");
-        await lockManager.releaseLock(stackName);
+        await lockManager.releaseLock(stackName, stackRegion);
         if (destroyAwsClients) {
           destroyAwsClients.destroy();
           process.env["AWS_REGION"] = region;
@@ -28058,7 +29223,7 @@ function createPublishAssetsCommand() {
 }
 
 // src/cli/commands/force-unlock.ts
-import { Command as Command8 } from "commander";
+import { Command as Command8, Option as Option3 } from "commander";
 init_aws_clients();
 async function forceUnlockCommand(stackArgs, options) {
   const logger = getLogger();
@@ -28082,17 +29247,33 @@ async function forceUnlockCommand(stackArgs, options) {
       prefix: options.statePrefix
     };
     const lockManager = new LockManager(awsClients.s3, stateConfig);
+    const stateBackend = new S3StateBackend(awsClients.s3, stateConfig);
     for (const stackName of stackPatterns) {
-      logger.info(`Force-unlocking stack: ${stackName}`);
-      try {
-        await lockManager.forceReleaseLock(stackName);
-        logger.info(`\u2713 Lock released for stack: ${stackName}`);
-      } catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        if (message.includes("No lock found") || message.includes("NoSuchKey")) {
-          logger.info(`No lock found for stack: ${stackName}`);
+      let regionsToTry;
+      if (options.stackRegion) {
+        regionsToTry = [options.stackRegion];
+      } else {
+        const refs = await stateBackend.listStacks();
+        const matched = refs.filter((r) => r.stackName === stackName);
+        if (matched.length === 0) {
+          regionsToTry = [region];
         } else {
-          logger.error(`Failed to unlock stack ${stackName}: ${message}`);
+          regionsToTry = matched.map((r) => r.region);
+        }
+      }
+      for (const r of regionsToTry) {
+        const where = r ? `${stackName} (${r})` : `${stackName} (legacy lock key)`;
+        logger.info(`Force-unlocking stack: ${where}`);
+        try {
+          await lockManager.forceReleaseLock(stackName, r);
+          logger.info(`\u2713 Lock released for stack: ${where}`);
+        } catch (error) {
+          const message = error instanceof Error ? error.message : String(error);
+          if (message.includes("No lock found") || message.includes("NoSuchKey")) {
+            logger.info(`No lock found for stack: ${where}`);
+          } else {
+            logger.error(`Failed to unlock stack ${where}: ${message}`);
+          }
         }
       }
     }
@@ -28101,15 +29282,47 @@ async function forceUnlockCommand(stackArgs, options) {
   }
 }
 function createForceUnlockCommand() {
-  const cmd = new Command8("force-unlock").description("Force-release a stale lock on a stack").argument("[stacks...]", "Stack name(s) to unlock").action(withErrorHandling(forceUnlockCommand));
+  const cmd = new Command8("force-unlock").description("Force-release a stale lock on a stack").argument("[stacks...]", "Stack name(s) to unlock").addOption(
+    new Option3(
+      "--stack-region <region>",
+      "Stack region whose lock to release (use when the same stack name has locks in multiple regions). Defaults to all regions where the stack has state."
+    )
+  ).action(withErrorHandling(forceUnlockCommand));
   [...commonOptions, ...stateOptions, ...stackOptions].forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
 
 // src/cli/commands/state.ts
 import * as readline2 from "node:readline/promises";
-import { Command as Command9 } from "commander";
+import { Command as Command9, Option as Option4 } from "commander";
 init_aws_clients();
+function formatStackRef(ref) {
+  return ref.region ? `${ref.stackName} (${ref.region})` : ref.stackName;
+}
+function resolveSingleRegion(stackName, refs, requestedRegion) {
+  const matches = refs.filter((r) => r.stackName === stackName);
+  if (matches.length === 0) {
+    throw new Error(
+      `No state found for stack '${stackName}'. Run 'cdkd state list' to see available stacks.`
+    );
+  }
+  if (requestedRegion) {
+    const ref = matches.find((r) => r.region === requestedRegion);
+    if (!ref) {
+      const seen = matches.map((r) => r.region ?? "(legacy)").join(", ");
+      throw new Error(
+        `No state found for stack '${stackName}' in region '${requestedRegion}'. Available regions: ${seen}.`
+      );
+    }
+    return ref;
+  }
+  if (matches.length === 1)
+    return matches[0];
+  const regions = matches.map((r) => r.region ?? "(legacy)").join(", ");
+  throw new Error(
+    `Stack '${stackName}' has state in multiple regions: ${regions}. Re-run with --region <region> to disambiguate.`
+  );
+}
 async function setupStateBackend(options) {
   const awsClients = new AwsClients({
     ...options.region && { region: options.region },
@@ -28131,34 +29344,52 @@ async function setupStateBackend(options) {
     dispose: () => awsClients.destroy()
   };
 }
+function sortRefs(refs) {
+  return refs.slice().sort((a, b) => {
+    if (a.stackName < b.stackName)
+      return -1;
+    if (a.stackName > b.stackName)
+      return 1;
+    const ar = a.region ?? "\uFFFF";
+    const br = b.region ?? "\uFFFF";
+    if (ar < br)
+      return -1;
+    if (ar > br)
+      return 1;
+    return 0;
+  });
+}
 async function stateListCommand(options) {
   const logger = getLogger();
   if (options.verbose)
     logger.setLevel("debug");
   const setup = await setupStateBackend(options);
   try {
-    const stackNames = (await setup.stateBackend.listStacks()).slice().sort();
+    const refs = sortRefs(await setup.stateBackend.listStacks());
     if (!options.long && !options.json) {
-      for (const name of stackNames) {
-        process.stdout.write(`${name}
+      for (const ref of refs) {
+        process.stdout.write(`${formatStackRef(ref)}
 `);
       }
       return;
     }
     if (options.json && !options.long) {
-      process.stdout.write(`${JSON.stringify(stackNames, null, 2)}
+      const payload = refs.map((r) => ({ stackName: r.stackName, region: r.region ?? null }));
+      process.stdout.write(`${JSON.stringify(payload, null, 2)}
 `);
       return;
     }
     const details = await Promise.all(
-      stackNames.map(async (stackName) => {
+      refs.map(async (ref) => {
+        const lookupRegion = ref.region ?? "";
         const [stateResult, locked] = await Promise.all([
-          setup.stateBackend.getState(stackName),
-          setup.lockManager.isLocked(stackName)
+          lookupRegion ? setup.stateBackend.getState(ref.stackName, lookupRegion) : Promise.resolve(null),
+          setup.lockManager.isLocked(ref.stackName, ref.region)
         ]);
         const state = stateResult?.state;
         return {
-          stackName,
+          stackName: ref.stackName,
+          region: ref.region ?? null,
           resourceCount: state ? Object.keys(state.resources).length : 0,
           lastModified: state && typeof state.lastModified === "number" ? new Date(state.lastModified).toISOString() : null,
           locked
@@ -28172,7 +29403,13 @@ async function stateListCommand(options) {
     }
     const lines = [];
     for (const detail of details) {
-      lines.push(detail.stackName);
+      lines.push(
+        formatStackRef({
+          stackName: detail.stackName,
+          ...detail.region ? { region: detail.region } : {}
+        })
+      );
+      lines.push(`  Region: ${detail.region ?? "(legacy)"}`);
       lines.push(`  Resources: ${detail.resourceCount}`);
       lines.push(`  Last Modified: ${detail.lastModified ?? "unknown"}`);
       lines.push(`  Lock: ${detail.locked ? "locked" : "unlocked"}`);
@@ -28200,10 +29437,17 @@ async function stateResourcesCommand(stackName, options) {
     logger.setLevel("debug");
   const setup = await setupStateBackend(options);
   try {
-    const stateResult = await setup.stateBackend.getState(stackName);
+    const refs = await setup.stateBackend.listStacks();
+    const ref = resolveSingleRegion(stackName, refs, options.stackRegion);
+    if (!ref.region) {
+      throw new Error(
+        `Stack '${stackName}' has only a legacy state record without a region. Run 'cdkd deploy ${stackName}' (or any cdkd write) to migrate it to the region-scoped layout, then re-run this command.`
+      );
+    }
+    const stateResult = await setup.stateBackend.getState(stackName, ref.region);
     if (!stateResult) {
       throw new Error(
-        `No state found for stack '${stackName}' in s3://${setup.bucket}/${setup.prefix}/. Run 'cdkd state list' to see available stacks.`
+        `No state found for stack '${stackName}' (${ref.region}) in s3://${setup.bucket}/${setup.prefix}/. Run 'cdkd state list' to see available stacks.`
       );
     }
     const resources = stateResult.state.resources ?? {};
@@ -28286,7 +29530,7 @@ function formatLockSummary(lockInfo) {
   return `locked by ${lockInfo.owner}${opStr}, ${expiresStr}`;
 }
 function createStateResourcesCommand() {
-  const cmd = new Command9("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).action(withErrorHandling(stateResourcesCommand));
+  const cmd = new Command9("resources").description("List resources recorded in a stack's state").argument("<stack>", "Stack name (physical CloudFormation name)").option("-l, --long", "Include dependencies and attributes per resource", false).option("--json", "Output as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateResourcesCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
@@ -28296,13 +29540,20 @@ async function stateShowCommand(stackName, options) {
     logger.setLevel("debug");
   const setup = await setupStateBackend(options);
   try {
+    const refs = await setup.stateBackend.listStacks();
+    const ref = resolveSingleRegion(stackName, refs, options.stackRegion);
+    if (!ref.region) {
+      throw new Error(
+        `Stack '${stackName}' has only a legacy state record without a region. Run 'cdkd deploy ${stackName}' (or any cdkd write) to migrate it to the region-scoped layout, then re-run this command.`
+      );
+    }
     const [stateResult, lockInfo] = await Promise.all([
-      setup.stateBackend.getState(stackName),
-      setup.lockManager.getLockInfo(stackName)
+      setup.stateBackend.getState(stackName, ref.region),
+      setup.lockManager.getLockInfo(stackName, ref.region)
     ]);
     if (!stateResult) {
       throw new Error(
-        `No state found for stack '${stackName}' in s3://${setup.bucket}/${setup.prefix}/. Run 'cdkd state list' to see available stacks.`
+        `No state found for stack '${stackName}' (${ref.region}) in s3://${setup.bucket}/${setup.prefix}/. Run 'cdkd state list' to see available stacks.`
       );
     }
     if (options.json) {
@@ -28366,7 +29617,7 @@ async function stateShowCommand(stackName, options) {
   }
 }
 function createStateShowCommand() {
-  const cmd = new Command9("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).action(withErrorHandling(stateShowCommand));
+  const cmd = new Command9("show").description("Show the full cdkd state record for a stack (metadata, outputs, resources)").argument("<stack>", "Stack name (physical CloudFormation name)").option("--json", "Output the raw state and lock as JSON", false).addOption(stackRegionOption()).action(withErrorHandling(stateShowCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
@@ -28379,24 +29630,36 @@ async function stateRmCommand(stackArgs, options) {
   }
   const setup = await setupStateBackend(options);
   try {
+    const refs = await setup.stateBackend.listStacks();
     for (const stackName of stackArgs) {
-      const exists = await setup.stateBackend.stateExists(stackName);
-      if (!exists) {
+      const stackRefs = refs.filter((r) => r.stackName === stackName);
+      if (stackRefs.length === 0) {
         logger.info(`No state found for stack: ${stackName}, skipping`);
         continue;
       }
+      const targets = options.stackRegion ? stackRefs.filter((r) => r.region === options.stackRegion) : stackRefs;
+      if (targets.length === 0) {
+        const seen = stackRefs.map((r) => r.region ?? "(legacy)").join(", ");
+        throw new Error(
+          `No state found for stack '${stackName}' in region '${options.stackRegion}'. Available regions: ${seen}.`
+        );
+      }
       if (!options.force) {
-        const locked = await setup.lockManager.isLocked(stackName);
-        if (locked) {
-          throw new Error(
-            `Stack '${stackName}' is locked. Run 'cdkd force-unlock ${stackName}' first, or pass --force to remove anyway.`
-          );
+        for (const target of targets) {
+          const locked = await setup.lockManager.isLocked(stackName, target.region);
+          if (locked) {
+            const where = target.region ?? "(legacy)";
+            throw new Error(
+              `Stack '${stackName}' (${where}) is locked. Run 'cdkd force-unlock ${stackName}${target.region ? ` --stack-region ${target.region}` : ""}' first, or pass --force to remove anyway.`
+            );
+          }
         }
       }
       if (!options.yes && !options.force) {
+        const targetList = targets.map((t) => formatStackRef(t)).join(", ");
         process.stdout.write(
           `
-WARNING: This removes cdkd's state record for '${stackName}' only. AWS resources will NOT be deleted.
+WARNING: This removes cdkd's state record for [${targetList}] only. AWS resources will NOT be deleted.
 Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
 
 `
@@ -28406,7 +29669,7 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
           output: process.stdout
         });
         const answer = await rl.question(
-          `Remove state for stack '${stackName}' from s3://${setup.bucket}/${setup.prefix}/? (y/N): `
+          `Remove state for ${targetList} from s3://${setup.bucket}/${setup.prefix}/? (y/N): `
         );
         rl.close();
         const trimmed = answer.trim().toLowerCase();
@@ -28415,16 +29678,28 @@ Use 'cdkd destroy ${stackName}' if you want to delete the actual resources.
           continue;
         }
       }
-      await setup.stateBackend.deleteState(stackName);
-      await setup.lockManager.forceReleaseLock(stackName);
-      logger.info(`\u2713 Removed state for stack: ${stackName}`);
+      for (const target of targets) {
+        if (target.region) {
+          await setup.stateBackend.deleteState(stackName, target.region);
+          await setup.lockManager.forceReleaseLock(stackName, target.region);
+        } else {
+          await setup.lockManager.forceReleaseLock(stackName, void 0);
+        }
+        logger.info(`\u2713 Removed state for stack: ${formatStackRef(target)}`);
+      }
     }
   } finally {
     setup.dispose();
   }
 }
+function stackRegionOption() {
+  return new Option4(
+    "--stack-region <region>",
+    "Region of the stack record to operate on. Required when the same stack name has state in multiple regions."
+  );
+}
 function createStateRmCommand() {
-  const cmd = new Command9("rm").description("Remove cdkd state for one or more stacks (does NOT delete AWS resources)").argument("<stacks...>", "Stack name(s) to remove from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).action(withErrorHandling(stateRmCommand));
+  const cmd = new Command9("rm").description("Remove cdkd state for one or more stacks (does NOT delete AWS resources)").argument("<stacks...>", "Stack name(s) to remove from state").option("-f, --force", "Skip confirmation and remove even if the stack is locked", false).addOption(stackRegionOption()).action(withErrorHandling(stateRmCommand));
   [...commonOptions, ...stateOptions].forEach((opt) => cmd.addOption(opt));
   return cmd;
 }
@@ -28462,7 +29737,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command10();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.7.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.9.0");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());