tukue · tukue · Apr 13, 2026 · Apr 10, 2026 · Apr 13, 2026 · Apr 13, 2026
diff --git a/README.md b/README.md
@@ -72,6 +72,22 @@ See detailed architecture and workflows in:
 - `templates/service-catalog/template.yaml`
 
 
+## Implemented platform product guardrails
+
+The CDK app now applies two productized guardrails from the platform review recommendations:
+
+- **Typed environment configuration** via `lib/platform-config.ts` with explicit `dev|stage|prod` validation and fail-fast errors for missing or invalid values.
+- **Mandatory governance tags** standardized at stack level and validated in tests for key resources: `environment`, `project`, `owner`, `cost-center`, and `data-classification`.
+
+Set the environment explicitly with either CDK context or environment variable:
+
+```bash
+npm run synth                 # defaults to dev when PLATFORM_ENV is unset
+PLATFORM_ENV=stage npm run synth
+# or, direct CDK command
+npm run cdk -- synth -c platformEnv=prod
+```
+
 ## Code review resolution
 
 Review feedback and implemented fixes are tracked in:

diff --git a/bin/app.ts b/bin/app.ts
@@ -2,15 +2,16 @@
 import 'source-map-support/register';
 import * as cdk from 'aws-cdk-lib';
 import { CdkAppStack } from '../lib/cdk-app-stack';
-
-// initialize the CDK app
+import { loadPlatformConfig } from '../lib/platform-config';
 
 const app = new cdk.App();
+const platformEnv = app.node.tryGetContext('platformEnv') ?? process.env.PLATFORM_ENV;
+const platformConfig = loadPlatformConfig(platformEnv);
 
-// deploy the clouformation stack to the default account and region
 new CdkAppStack(app, 'CdkAppStack', {
-  env: { 
-    account: process.env.CDK_DEFAULT_ACCOUNT, 
-    region: process.env.CDK_DEFAULT_REGION 
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION,
   },
+  platformConfig,
 });
diff --git a/lib/cdk-app-stack.ts b/lib/cdk-app-stack.ts
@@ -13,9 +13,14 @@ import * as logs from 'aws-cdk-lib/aws-logs';
 import * as cloudwatch from 'aws-cdk-lib/aws-cloudwatch';
 import * as cwActions from 'aws-cdk-lib/aws-cloudwatch-actions';
 import * as sns from 'aws-cdk-lib/aws-sns';
+import { PlatformConfig } from './platform-config';
+
+export interface CdkAppStackProps extends cdk.StackProps {
+  readonly platformConfig: PlatformConfig;
+}
 
 export class CdkAppStack extends cdk.Stack {
-  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+  constructor(scope: Construct, id: string, props: CdkAppStackProps) {
     super(scope, id, props);
 
     const encryptionKey = new kms.Key(this, 'PlatformDataKey', {
@@ -274,7 +279,10 @@ export class CdkAppStack extends cdk.Stack {
     });
 
     //  Optional: Add Tags to Resources
-    cdk.Tags.of(this).add('Environment', 'Development');
-    cdk.Tags.of(this).add('Project', 'DemoAPI');
+    cdk.Tags.of(this).add('environment', props.platformConfig.environment);
+    cdk.Tags.of(this).add('project', props.platformConfig.project);
+    cdk.Tags.of(this).add('owner', props.platformConfig.owner);
+    cdk.Tags.of(this).add('cost-center', props.platformConfig.costCenter);
+    cdk.Tags.of(this).add('data-classification', props.platformConfig.dataClassification);
   }
 }
diff --git a/lib/platform-config.ts b/lib/platform-config.ts
@@ -0,0 +1,57 @@
+export type PlatformEnvironment = 'dev' | 'stage' | 'prod';
+
+export interface PlatformConfig {
+  readonly environment: PlatformEnvironment;
+  readonly owner: string;
+  readonly costCenter: string;
+  readonly dataClassification: 'public' | 'internal' | 'confidential' | 'restricted';
+  readonly project: string;
+}
+
+const CONFIG_BY_ENV: Record<PlatformEnvironment, Omit<PlatformConfig, 'environment'>> = {
+  dev: {
+    owner: 'platform-engineering',
+    costCenter: 'ENG-PLATFORM',
+    dataClassification: 'internal',
+    project: 'DemoAPI',
+  },
+  stage: {
+    owner: 'platform-engineering',
+    costCenter: 'ENG-PLATFORM',
+    dataClassification: 'confidential',
+    project: 'DemoAPI',
+  },
+  prod: {
+    owner: 'platform-engineering',
+    costCenter: 'ENG-PLATFORM',
+    dataClassification: 'confidential',
+    project: 'DemoAPI',
+  },
+};
+
+export const resolvePlatformEnvironment = (value?: string): PlatformEnvironment => {
+  const normalized = value?.trim().toLowerCase();
+
+  if (!normalized) {
+    throw new Error(
+      'Platform environment must be explicitly specified via platformEnv context or PLATFORM_ENV. Allowed values: dev, stage, prod.',
+    );
+  }
-  if (!normalized) {
-    return 'dev';
-  }
+  if (!normalized) {
+    throw new Error(
+      'Platform environment must be explicitly specified via platformEnv context or PLATFORM_ENV. Allowed values: dev, stage, prod.',
+    );
+  }
-  if (!normalized) {
-    return 'dev';
-  }
+  if (!normalized) {
+    throw new Error(
+      'Platform environment must be explicitly specified via platformEnv context or PLATFORM_ENV. Allowed values: dev, stage, prod.',
+    );
+  }
+
+  if (normalized === 'dev' || normalized === 'stage' || normalized === 'prod') {
+    return normalized;
+  }
+
+  throw new Error(
+    `Invalid platform environment \"${value}\". Allowed values: dev, stage, prod.`,
+  );
+};
+
+export const loadPlatformConfig = (environmentValue?: string): PlatformConfig => {
+  const environment = resolvePlatformEnvironment(environmentValue);
+
+  return {
+    environment,
+    ...CONFIG_BY_ENV[environment],
+  };
+};
diff --git a/package.json b/package.json
@@ -11,7 +11,7 @@
     "cdk": "cdk",
     "deploy": "cdk deploy",
     "destroy": "cdk destroy",
-    "synth": "cdk synth"
+    "synth": "bash -lc \"cdk synth -c platformEnv=${PLATFORM_ENV:-dev}\""
   },
   "devDependencies": {
     "@types/aws-lambda": "^8.10.122",