fix(cli-internal): treat Add/Remove on nested stack wrappers as real drift

hasRealDrift silently skipped CloudFormation::Stack entries without
nestedChanges regardless of Action. If a nested stack was added or
removed outside Amplify, this produced a false negative allowing
rollback when it should be blocked.

Author: Benjamin Pace

packages/amplify-cli/src/__tests__/commands/gen2-migration/lock.test.ts

@@ -707,6 +707,70 @@ describe('AmplifyMigrationLockStep', () => {
       expect(valid).toBe(true);
     });
 
+    it('should fail validation when IAM Policy cascading change is from a non-table resource', async () => {
+      mockDetectTemplateDrift.mockResolvedValueOnce({
+        changes: [
+          {
+            Action: 'Modify',
+            LogicalResourceId: 'SomeLambdaPolicy',
+            ResourceType: 'AWS::IAM::Policy',
+            Scope: ['Properties'],
+            Details: [
+              {
+                ChangeSource: 'ResourceAttribute',
+                Evaluation: 'Dynamic',
+                Target: { Attribute: 'Properties', Name: 'PolicyDocument', RequiresRecreation: 'Never' },
+                CausingEntity: 'MyLambdaFunction.Arn',
+              },
+            ],
+          },
+        ],
+        skipped: false,
+      });
+
+      const plan = await lockStep.rollback();
+      const valid = await plan.validate();
+
+      expect(valid).toBe(false);
+    });
+
+    it('should fail validation when a nested stack is added (Add action on CloudFormation::Stack)', async () => {
+      mockDetectTemplateDrift.mockResolvedValueOnce({
+        changes: [
+          {
+            Action: 'Add',
+            LogicalResourceId: 'newUnexpectedStack',
+            ResourceType: 'AWS::CloudFormation::Stack',
+          },
+        ],
+        skipped: false,
+      });
+
+      const plan = await lockStep.rollback();
+      const valid = await plan.validate();
+
+      expect(valid).toBe(false);
+    });
+
+    it('should fail validation when a nested stack is removed (Remove action on CloudFormation::Stack)', async () => {
+      mockDetectTemplateDrift.mockResolvedValueOnce({
+        changes: [
+          {
+            Action: 'Remove',
+            LogicalResourceId: 'authStack',
+            ResourceType: 'AWS::CloudFormation::Stack',
+            PhysicalResourceId: 'arn:aws:cloudformation:us-east-1:123:stack/auth-stack/abc',
+          },
+        ],
+        skipped: false,
+      });
+
+      const plan = await lockStep.rollback();
+      const valid = await plan.validate();
+
+      expect(valid).toBe(false);
+    });
+
     it('should pass validation when CloudFormation::Stack wrapper has no nestedChanges', async () => {
       mockDetectTemplateDrift.mockResolvedValueOnce({
         changes: [

packages/amplify-cli/src/commands/gen2-migration/lock.ts

@@ -56,8 +56,9 @@ const ALLOW_ALL_POLICY = {
  * 1. Direct DeletionPolicy changes — Modify with Scope exactly `['DeletionPolicy']`
  * 2. Cascading IAM Policy changes — CFN flags IAM policies that reference the modified
  *    table's attributes (e.g., `TodoTable.Arn` in PolicyDocument) as Dynamic re-evaluations.
- *    These have `ChangeSource: ResourceAttribute`, `Evaluation: Dynamic`, and
- *    `RequiresRecreation: Never` — they are harmless re-evaluations, not actual changes.
+ *    These have `ChangeSource: ResourceAttribute`, `Evaluation: Dynamic`,
+ *    `RequiresRecreation: Never`, and `CausingEntity` matching `*Table.Arn` or
+ *    `*Table.StreamArn` — they are harmless re-evaluations, not actual changes.
  *
  * For lock rollback to determine whether the environment is safe to revert, these expected
  * changes must be filtered out so only real drift blocks the rollback.
@@ -100,6 +101,10 @@ function hasRealDrift(changes: ResourceChangeWithNested[]): boolean {
       if (hasRealDrift(change.nestedChanges)) return true;
     } else if (change.ResourceType !== 'AWS::CloudFormation::Stack') {
       if (!isExpectedLockDrift(change)) return true;
+    } else if (change.Action !== 'Modify') {
+      // Add/Remove on a CloudFormation::Stack without nestedChanges is real drift —
+      // an entire nested stack was added or deleted outside Amplify.
+      return true;
     }
   }
   return false;