@alienplatform/core 1.0.1 → 1.3.3

package/dist/stack.js

@@ -1,4 +1,4 @@
-import { z } from "zod/v4";
+import * as z from "zod";
 //#region src/generated/zod/alien-error-schema.ts
 /**
 * Generated by Kubb (https://kubb.dev/).
@@ -9,12 +9,13 @@ import { z } from "zod/v4";
 */
 const AlienErrorSchema = z.object({
 	"code": z.string().max(128).describe("A unique identifier for the type of error.\n\nThis should be a short, machine-readable string that can be used\nby clients to programmatically handle different error types.\nExamples: \"NOT_FOUND\", \"VALIDATION_ERROR\", \"TIMEOUT\""),
-	"context": z.any().optional(),
-	"httpStatusCode": z.int().min(100).max(599).describe("HTTP status code for this error.\n\nUsed when converting the error to an HTTP response. If None, falls back to\nthe error type's default status code or 500.").optional().nullable(),
+	"context": z.optional(z.any().describe("Additional diagnostic information about the error context.\n\nThis optional field can contain structured data providing more details\nabout the error, such as validation errors, request parameters that\ncaused the issue, or other relevant context information.")),
+	"hint": z.string().describe("Optional human-facing remediation hint.").nullish(),
+	"httpStatusCode": z.int().min(100).max(599).describe("HTTP status code for this error.\n\nUsed when converting the error to an HTTP response. If None, falls back to\nthe error type's default status code or 500.").nullish(),
 	"internal": z.boolean().describe("Indicates if this is an internal error that should not be exposed to users.\n\nWhen `true`, this error contains sensitive information or implementation\ndetails that should not be shown to end-users. Such errors should be\nlogged for debugging but replaced with generic error messages in responses."),
 	"message": z.string().max(16384).describe("Human-readable error message.\n\nThis message should be clear and actionable for developers or end-users,\nproviding context about what went wrong and potentially how to fix it."),
 	"retryable": z.boolean().default(false).describe("Indicates whether the operation that caused the error should be retried.\n\nWhen `true`, the error is transient and the operation might succeed\nif attempted again. When `false`, retrying the same operation is\nunlikely to succeed without changes."),
-	"source": z.any().optional()
+	"source": z.optional(z.any().describe("The underlying error that caused this error, creating an error chain.\n\nThis allows for proper error propagation and debugging by maintaining\nthe full context of how an error occurred through multiple layers\nof an application."))
 }).describe("Canonical error container that provides a structured way to represent errors\nwith rich metadata including error codes, human-readable messages, context,\nand chaining capabilities for error propagation.\n\nThis struct is designed to be both machine-readable and user-friendly,\nsupporting serialization for API responses and detailed error reporting\nin distributed systems.");
 //#endregion
 //#region src/generated/zod/deployment-status-schema.ts
@@ -39,7 +40,8 @@ const DeploymentStatusSchema = z.enum([
 	"delete-pending",
 	"deleting",
 	"delete-failed",
-	"deleted"
+	"deleted",
+	"error"
 ]).describe("Deployment status in the deployment lifecycle");
 //#endregion
 //#region src/generated/zod/dev-resource-info-schema.ts
@@ -51,7 +53,7 @@ const DeploymentStatusSchema = z.enum([
 * @description Information about a deployed resource
 */
 const DevResourceInfoSchema = z.object({
-	"resourceType": z.string().describe("Resource type (\"function\" | \"container\")").optional().nullable(),
+	"resourceType": z.string().describe("Resource type (\"function\" | \"container\")").nullish(),
 	"url": z.string().describe("Resource URL (e.g., http://localhost:8080)")
 }).describe("Information about a deployed resource");
 //#endregion
@@ -64,14 +66,15 @@ const DevResourceInfoSchema = z.object({
 * @description Status of a single agent in the dev server
 */
 const AgentStatusSchema = z.object({
+	"commandsUrl": z.string().describe("Commands endpoint URL for the deployment").nullish(),
 	"createdAt": z.string().describe("ISO 8601 timestamp when agent was created"),
-	get error() {
+	get "error"() {
 		return z.union([AlienErrorSchema, z.null()]).optional();
 	},
 	"id": z.string().describe("Agent ID (e.g., ag_xyz123)"),
 	"name": z.string().describe("Agent name (from --agent-name flag)"),
-	"resources": z.object({}).catchall(DevResourceInfoSchema.describe("Information about a deployed resource")).describe("Resources deployed by this agent (keyed by resource name)"),
-	get status() {
+	"resources": z.object({}).catchall(z.lazy(() => DevResourceInfoSchema).describe("Information about a deployed resource")).describe("Resources deployed by this agent (keyed by resource name)"),
+	get "status"() {
 		return DeploymentStatusSchema.describe("Deployment status in the deployment lifecycle");
 	}
 }).describe("Status of a single agent in the dev server");
@@ -127,7 +130,7 @@ const ResourceTypeSchema = z.string().describe("Resource type identifier that de
 /**
 * @description Resource outputs that can hold output data for any resource type in the Alien system. All resource outputs share a common \'type\' field with additional type-specific output properties.
 */
-const BaseResourceOutputsSchema = z.object({ get type() {
+const BaseResourceOutputsSchema = z.object({ get "type"() {
 	return ResourceTypeSchema.describe("Resource type identifier that determines the specific kind of resource. This field is used for polymorphic deserialization and resource-specific behavior.");
 } }).catchall(z.any()).describe("Resource outputs that can hold output data for any resource type in the Alien system. All resource outputs share a common 'type' field with additional type-specific output properties.");
 //#endregion
@@ -141,7 +144,7 @@ const BaseResourceOutputsSchema = z.object({ get type() {
 */
 const BaseResourceSchema = z.object({
 	"id": z.string().describe("The unique identifier for this specific resource instance. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]). Maximum 64 characters."),
-	get type() {
+	get "type"() {
 		return ResourceTypeSchema.describe("Resource type identifier that determines the specific kind of resource. This field is used for polymorphic deserialization and resource-specific behavior.");
 	}
 }).catchall(z.any()).describe("Resource that can hold any resource type in the Alien system. All resources share common 'type' and 'id' fields with additional type-specific properties.");
@@ -154,11 +157,7 @@ const BaseResourceSchema = z.object({
 /**
 * @description Describes the lifecycle of a resource within a stack, determining how it\'s managed and deployed.
 */
-const ResourceLifecycleSchema = z.enum([
-	"frozen",
-	"live",
-	"live-on-setup"
-]).describe("Describes the lifecycle of a resource within a stack, determining how it's managed and deployed.");
+const ResourceLifecycleSchema = z.enum(["frozen", "live"]).describe("Describes the lifecycle of a resource within a stack, determining how it's managed and deployed.");
 //#endregion
 //#region src/generated/zod/resource-ref-schema.ts
 /**
@@ -170,7 +169,7 @@ const ResourceLifecycleSchema = z.enum([
 */
 const ResourceRefSchema = z.object({
 	"id": z.string(),
-	get type() {
+	get "type"() {
 		return ResourceTypeSchema.describe("Resource type identifier that determines the specific kind of resource. This field is used for polymorphic deserialization and resource-specific behavior.");
 	}
 }).describe("New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.");
@@ -205,30 +204,30 @@ const ResourceStatusSchema = z.enum([
 * @description Represents the state of a single resource within the stack for a specific platform.
 */
 const StackResourceStateSchema = z.object({
-	"_internal": z.any().optional(),
-	get config() {
+	"_internal": z.optional(z.any().describe("The platform-specific resource controller that manages this resource's lifecycle.\nThis is None when the resource status is Pending.\nStored as JSON to make the struct serializable and movable to alien-core.")),
+	get "config"() {
 		return BaseResourceSchema.describe("Resource that can hold any resource type in the Alien system. All resources share common 'type' and 'id' fields with additional type-specific properties.");
 	},
-	get dependencies() {
+	get "dependencies"() {
 		return z.array(ResourceRefSchema.describe("New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.")).describe("Complete list of dependencies for this resource, including infrastructure dependencies.\nThis preserves the full dependency information from the stack definition.").optional();
 	},
-	get error() {
+	get "error"() {
 		return z.union([AlienErrorSchema, z.null()]).optional();
 	},
-	"isExternallyProvisioned": z.boolean().describe("True if the resource was provisioned by an external system (e.g., CloudFormation).\nDefaults to false, indicating dynamic provisioning by the executor.").optional(),
-	"lastFailedState": z.any().optional(),
-	get lifecycle() {
+	"isExternallyProvisioned": z.optional(z.boolean().describe("True if the resource was provisioned by an external system (e.g., CloudFormation).\nDefaults to false, indicating dynamic provisioning by the executor.")),
+	"lastFailedState": z.optional(z.any().describe("Stores the controller state that failed, used for manual retry operations.\nThis allows resuming from the exact point where the failure occurred.\nStored as JSON to make the struct serializable and movable to alien-core.")),
+	get "lifecycle"() {
 		return z.union([ResourceLifecycleSchema, z.null()]).optional();
 	},
-	get outputs() {
+	get "outputs"() {
 		return z.union([BaseResourceOutputsSchema, z.null()]).optional();
 	},
-	get previousConfig() {
+	get "previousConfig"() {
 		return z.union([BaseResourceSchema, z.null()]).optional();
 	},
-	"remoteBindingParams": z.any().optional(),
-	"retryAttempt": z.int().min(0).describe("Tracks consecutive retry attempts for the current state transition.").optional(),
-	get status() {
+	"remoteBindingParams": z.optional(z.any().describe("Binding parameters for remote access.\nOnly populated when the resource has `remote_access: true` in its ResourceEntry.\nThis is the JSON serialization of the binding configuration (e.g., StorageBinding, VaultBinding).\nPopulated by controllers during provisioning using get_binding_params().")),
+	"retryAttempt": z.optional(z.int().min(0).describe("Tracks consecutive retry attempts for the current state transition.")),
+	get "status"() {
 		return ResourceStatusSchema.describe("Represents the high-level status of a resource during its lifecycle.");
 	},
 	"type": z.string().describe("The high-level type of the resource (e.g., Function::RESOURCE_TYPE, Storage::RESOURCE_TYPE).")
@@ -243,11 +242,11 @@ const StackResourceStateSchema = z.object({
 * @description Represents the collective state of all resources in a stack, including platform and pending actions.
 */
 const StackStateSchema = z.object({
-	get platform() {
+	get "platform"() {
 		return PlatformSchema.describe("Represents the target cloud platform.");
 	},
 	"resourcePrefix": z.string().describe("A prefix used for resource naming to ensure uniqueness across deployments."),
-	"resources": z.object({}).catchall(StackResourceStateSchema.describe("Represents the state of a single resource within the stack for a specific platform.")).describe("The state of individual resources, keyed by resource ID.")
+	"resources": z.object({}).catchall(z.lazy(() => StackResourceStateSchema).describe("Represents the state of a single resource within the stack for a specific platform.")).describe("The state of individual resources, keyed by resource ID.")
 }).describe("Represents the collective state of all resources in a stack, including platform and pending actions.");
 //#endregion
 //#region src/generated/zod/alien-event-schema.ts
@@ -276,7 +275,7 @@ const AlienEventSchema = z.union([
 		"url": z.string().describe("URL being downloaded from")
 	}),
 	z.object({
-		"relatedResources": z.array(z.string()).describe("All resource names sharing this build (for deduped container groups)").optional(),
+		"relatedResources": z.optional(z.array(z.string()).describe("All resource names sharing this build (for deduped container groups)")),
 		"resourceName": z.string().describe("Name of the resource being built"),
 		"resourceType": z.string().describe("Type of the resource: \"function\", \"container\", \"worker\""),
 		"type": z.enum(["BuildingResource"])
@@ -287,7 +286,7 @@ const AlienEventSchema = z.union([
 	}),
 	z.object({
 		"image": z.string().describe("Name of the image being pushed"),
-		get progress() {
+		get "progress"() {
 			return z.union([PushProgressSchema, z.null()]).optional();
 		},
 		"type": z.enum(["PushingImage"])
@@ -308,14 +307,14 @@ const AlienEventSchema = z.union([
 	}),
 	z.object({
 		"language": z.string().describe("Language being compiled (rust, typescript, etc.)"),
-		"progress": z.string().describe("Current progress/status line from the build output").optional().nullable(),
+		"progress": z.string().describe("Current progress/status line from the build output").nullish(),
 		"type": z.enum(["CompilingCode"])
 	}),
 	z.object({
-		get nextState() {
+		get "nextState"() {
 			return StackStateSchema.describe("Represents the collective state of all resources in a stack, including platform and pending actions.");
 		},
-		"suggestedDelayMs": z.int().min(0).describe("An suggested duration to wait before executing the next step.").optional().nullable(),
+		"suggestedDelayMs": z.int().min(0).describe("An suggested duration to wait before executing the next step.").nullish(),
 		"type": z.enum(["StackStep"])
 	}),
 	z.object({ "type": z.enum(["GeneratingCloudFormationTemplate"]) }),
@@ -406,8 +405,8 @@ const AlienEventSchema = z.union([
 * @description Outputs generated by a successfully provisioned ArtifactRegistry.
 */
 const ArtifactRegistryOutputsSchema = z.object({
-	"pullRole": z.string().describe("Role/principal identifier for pull-only access.\n- AWS: IAM role ARN (e.g., \"arn:aws:iam::123456789012:role/my-stack-my-registry-pull\")\n- GCP: Service account email (e.g., \"my-stack-my-registry-pull@my-project.iam.gserviceaccount.com\")\n- Azure: Managed identity resource ID (e.g., \"/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-registry-pull\")").optional().nullable(),
-	"pushRole": z.string().describe("Role/principal identifier for push and pull access.\n- AWS: IAM role ARN (e.g., \"arn:aws:iam::123456789012:role/my-stack-my-registry-push\")\n- GCP: Service account email (e.g., \"my-stack-my-registry-push@my-project.iam.gserviceaccount.com\")\n- Azure: Managed identity resource ID (e.g., \"/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-registry-push\")").optional().nullable(),
+	"pullRole": z.string().describe("Role/principal identifier for pull-only access.\n- AWS: IAM role ARN (e.g., \"arn:aws:iam::123456789012:role/my-stack-my-registry-pull\")\n- GCP: Service account email (e.g., \"my-stack-my-registry-pull@my-project.iam.gserviceaccount.com\")\n- Azure: Managed identity resource ID (e.g., \"/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-registry-pull\")").nullish(),
+	"pushRole": z.string().describe("Role/principal identifier for push and pull access.\n- AWS: IAM role ARN (e.g., \"arn:aws:iam::123456789012:role/my-stack-my-registry-push\")\n- GCP: Service account email (e.g., \"my-stack-my-registry-push@my-project.iam.gserviceaccount.com\")\n- Azure: Managed identity resource ID (e.g., \"/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-registry-push\")").nullish(),
 	"registryEndpoint": z.string().describe("The registry endpoint for docker operations.\n- AWS: ECR registry URL (e.g., \"123456789012.dkr.ecr.us-west-2.amazonaws.com\")\n- GCP: Artifact Registry URL (e.g., \"us-central1-docker.pkg.dev/my-project\")\n- Azure: Container registry login server (e.g., \"myregistry.azurecr.io\")"),
 	"registryId": z.string().describe("The platform-specific registry identifier.\n- AWS: Account and region (e.g., \"123456789012:us-west-2\")\n- GCP: Full registry name (e.g., \"projects/my-project/locations/us-central1\")\n- Azure: Registry resource ID (e.g., \"/subscriptions/.../resourceGroups/.../providers/Microsoft.ContainerRegistry/registries/myregistry\")")
 }).describe("Outputs generated by a successfully provisioned ArtifactRegistry.");
@@ -420,7 +419,10 @@ const ArtifactRegistryOutputsSchema = z.object({
 /**
 * @description Represents an artifact registry for storing container images and other build artifacts.\nThis is a high-level wrapper resource that provides a cloud-agnostic interface over\nAWS ECR, GCP Artifact Registry, and Azure Container Registry.\n\n# Platform Mapping\n- **AWS**: Implicitly exists as the AWS account and region\n- **GCP**: Explicitly configured per project and location (Artifact Registry API enabled)\n- **Azure**: Explicitly provisioned Azure Container Registry instance\n\nThe actual repository management and permissions are handled through the bindings API.
 */
-const ArtifactRegistrySchema = z.object({ "id": z.string().describe("Identifier for the artifact registry. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]).\nMaximum 64 characters.") }).describe("Represents an artifact registry for storing container images and other build artifacts.\nThis is a high-level wrapper resource that provides a cloud-agnostic interface over\nAWS ECR, GCP Artifact Registry, and Azure Container Registry.\n\n# Platform Mapping\n- **AWS**: Implicitly exists as the AWS account and region\n- **GCP**: Explicitly configured per project and location (Artifact Registry API enabled)\n- **Azure**: Explicitly provisioned Azure Container Registry instance\n\nThe actual repository management and permissions are handled through the bindings API.");
+const ArtifactRegistrySchema = z.object({
+	"id": z.string().describe("Identifier for the artifact registry. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]).\nMaximum 64 characters."),
+	"replicationRegions": z.optional(z.array(z.string()).describe("AWS-only: regions to replicate container images to.\nECR private image replication ensures images pushed in the registry's home region\nare automatically available in these additional regions (required when Lambda or\nother compute runs in a different region from the registry)."))
+}).describe("Represents an artifact registry for storing container images and other build artifacts.\nThis is a high-level wrapper resource that provides a cloud-agnostic interface over\nAWS ECR, GCP Artifact Registry, and Azure Container Registry.\n\n# Platform Mapping\n- **AWS**: Implicitly exists as the AWS account and region\n- **GCP**: Explicitly configured per project and location (Artifact Registry API enabled)\n- **Azure**: Explicitly provisioned Azure Container Registry instance\n\nThe actual repository management and permissions are handled through the bindings API.");
 //#endregion
 //#region src/generated/zod/aws-custom-certificate-config-schema.ts
 /**
@@ -448,14 +450,14 @@ const AwsManagementConfigSchema = z.object({ "managingRoleArn": z.string().descr
 * @description Generic binding configuration for permissions
 */
 const BindingConfigurationAwsBindingSpecSchema = z.object({
-	"resource": z.object({
-		"condition": z.object({}).catchall(z.object({}).catchall(z.string())).describe("Optional condition for additional filtering (rare)").optional().nullable(),
+	"resource": z.optional(z.object({
+		"condition": z.object({}).catchall(z.object({}).catchall(z.string())).describe("Optional condition for additional filtering (rare)").nullish(),
 		"resources": z.array(z.string()).describe("Resource ARNs to bind to")
-	}).describe("AWS-specific binding specification").optional(),
-	"stack": z.object({
-		"condition": z.object({}).catchall(z.object({}).catchall(z.string())).describe("Optional condition for additional filtering (rare)").optional().nullable(),
+	}).describe("AWS-specific binding specification")),
+	"stack": z.optional(z.object({
+		"condition": z.object({}).catchall(z.object({}).catchall(z.string())).describe("Optional condition for additional filtering (rare)").nullish(),
 		"resources": z.array(z.string()).describe("Resource ARNs to bind to")
-	}).describe("AWS-specific binding specification").optional()
+	}).describe("AWS-specific binding specification"))
 }).describe("Generic binding configuration for permissions");
 //#endregion
 //#region src/generated/zod/permission-grant-schema.ts
@@ -467,9 +469,9 @@ const BindingConfigurationAwsBindingSpecSchema = z.object({
 * @description Grant permissions for a specific cloud platform
 */
 const PermissionGrantSchema = z.object({
-	"actions": z.array(z.string()).describe("AWS IAM actions (only for AWS)").optional().nullable(),
-	"dataActions": z.array(z.string()).describe("Azure actions (only for Azure)").optional().nullable(),
-	"permissions": z.array(z.string()).describe("GCP permissions (only for GCP)").optional().nullable()
+	"actions": z.array(z.string()).describe("AWS IAM actions (only for AWS)").nullish(),
+	"dataActions": z.array(z.string()).describe("Azure actions (only for Azure)").nullish(),
+	"permissions": z.array(z.string()).describe("GCP permissions (only for GCP)").nullish()
 }).describe("Grant permissions for a specific cloud platform");
 //#endregion
 //#region src/generated/zod/aws-platform-permission-schema.ts
@@ -481,10 +483,10 @@ const PermissionGrantSchema = z.object({
 * @description AWS-specific platform permission configuration
 */
 const AwsPlatformPermissionSchema = z.object({
-	get binding() {
+	get "binding"() {
 		return BindingConfigurationAwsBindingSpecSchema.describe("Generic binding configuration for permissions");
 	},
-	get grant() {
+	get "grant"() {
 		return PermissionGrantSchema.describe("Grant permissions for a specific cloud platform");
 	}
 }).describe("AWS-specific platform permission configuration");
@@ -505,8 +507,10 @@ const AzureCustomCertificateConfigSchema = z.object({ "keyVaultCertificateId": z
 * @description Azure management configuration extracted from stack settings
 */
 const AzureManagementConfigSchema = z.object({
-	"managementPrincipalId": z.string().describe("The principal ID of the service principal in the management account"),
-	"managingTenantId": z.string().describe("The managing Azure Tenant ID for cross-tenant access")
+	"managementPrincipalId": z.string().describe("Management service principal object ID for local development fallback").nullish(),
+	"managingTenantId": z.string().describe("The managing Azure Tenant ID for cross-tenant access"),
+	"oidcIssuer": z.string().describe("OIDC issuer URL for federated identity credential creation").nullish(),
+	"oidcSubject": z.string().describe("OIDC subject claim for federated identity credential creation").nullish()
 }).describe("Azure management configuration extracted from stack settings");
 //#endregion
 //#region src/generated/zod/binding-configuration-azure-binding-spec-schema.ts
@@ -518,8 +522,8 @@ const AzureManagementConfigSchema = z.object({
 * @description Generic binding configuration for permissions
 */
 const BindingConfigurationAzureBindingSpecSchema = z.object({
-	"resource": z.object({ "scope": z.string().describe("Scope (subscription/resource group/resource level)") }).describe("Azure-specific binding specification").optional(),
-	"stack": z.object({ "scope": z.string().describe("Scope (subscription/resource group/resource level)") }).describe("Azure-specific binding specification").optional()
+	"resource": z.optional(z.object({ "scope": z.string().describe("Scope (subscription/resource group/resource level)") }).describe("Azure-specific binding specification")),
+	"stack": z.optional(z.object({ "scope": z.string().describe("Scope (subscription/resource group/resource level)") }).describe("Azure-specific binding specification"))
 }).describe("Generic binding configuration for permissions");
 //#endregion
 //#region src/generated/zod/azure-platform-permission-schema.ts
@@ -531,10 +535,10 @@ const BindingConfigurationAzureBindingSpecSchema = z.object({
 * @description Azure-specific platform permission configuration
 */
 const AzurePlatformPermissionSchema = z.object({
-	get binding() {
+	get "binding"() {
 		return BindingConfigurationAzureBindingSpecSchema.describe("Generic binding configuration for permissions");
 	},
-	get grant() {
+	get "grant"() {
 		return PermissionGrantSchema.describe("Grant permissions for a specific cloud platform");
 	}
 }).describe("Azure-specific platform permission configuration");
@@ -561,18 +565,18 @@ const GcpConditionSchema = z.object({
 * @description Generic binding configuration for permissions
 */
 const BindingConfigurationGcpBindingSpecSchema = z.object({
-	"resource": z.object({
-		get condition() {
+	"resource": z.optional(z.object({
+		get "condition"() {
 			return z.union([GcpConditionSchema, z.null()]).optional();
 		},
 		"scope": z.string().describe("Scope (project/resource level)")
-	}).describe("GCP-specific binding specification").optional(),
-	"stack": z.object({
-		get condition() {
+	}).describe("GCP-specific binding specification")),
+	"stack": z.optional(z.object({
+		get "condition"() {
 			return z.union([GcpConditionSchema, z.null()]).optional();
 		},
 		"scope": z.string().describe("Scope (project/resource level)")
-	}).describe("GCP-specific binding specification").optional()
+	}).describe("GCP-specific binding specification"))
 }).describe("Generic binding configuration for permissions");
 //#endregion
 //#region src/generated/zod/presigned-operation-schema.ts
@@ -618,7 +622,7 @@ const PresignedRequestBackendSchema = z.union([z.object({
 	"url": z.string()
 }), z.object({
 	"filePath": z.string(),
-	get operation() {
+	get "operation"() {
 		return LocalOperationSchema.describe("Local filesystem operations");
 	},
 	"type": z.enum(["local"])
@@ -633,11 +637,11 @@ const PresignedRequestBackendSchema = z.union([z.object({
 * @description A presigned request that can be serialized, stored, and executed later.\nHides implementation details for different storage backends.
 */
 const PresignedRequestSchema = z.object({
-	get backend() {
+	get "backend"() {
 		return PresignedRequestBackendSchema.describe("Storage backend representation for different presigned request types");
 	},
-	"expiration": z.string().datetime().describe("When this presigned request expires"),
-	get operation() {
+	"expiration": z.iso.datetime().describe("When this presigned request expires"),
+	get "operation"() {
 		return PresignedOperationSchema.describe("The type of operation a presigned request performs");
 	},
 	"path": z.string().describe("The path this request operates on")
@@ -656,11 +660,11 @@ const BodySpecSchema = z.union([z.object({
 	"mode": z.enum(["inline"])
 }), z.object({
 	"mode": z.enum(["storage"]),
-	"size": z.int().min(0).describe("Size of the body in bytes").optional().nullable(),
-	get storageGetRequest() {
+	"size": z.int().min(0).describe("Size of the body in bytes").nullish(),
+	get "storageGetRequest"() {
 		return z.union([PresignedRequestSchema, z.null()]).optional();
 	},
-	"storagePutUsed": z.boolean().describe("Indicates storage upload was used for response submission").optional().nullable()
+	"storagePutUsed": z.boolean().describe("Indicates storage upload was used for response submission").nullish()
 })]).describe("Body specification supporting inline and storage modes");
 //#endregion
 //#region src/generated/zod/compute-type-schema.ts
@@ -688,10 +692,10 @@ const ComputeTypeSchema = z.enum([
 */
 const MonitoringConfigSchema = z.object({
 	"endpoint": z.string().describe("The monitoring endpoint URL (e.g., \"https://otel-collector.example.com:4318\")"),
-	"headers": z.object({}).catchall(z.string()).describe("Optional HTTP headers to include in requests to the monitoring endpoint").optional(),
-	"logsUri": z.string().describe("Optional URI path for logs (defaults to \"/v1/logs\")").optional(),
-	"tlsEnabled": z.boolean().describe("Whether to enable TLS/HTTPS (defaults to true)").optional(),
-	"tlsVerify": z.boolean().describe("Whether to verify TLS certificates (defaults to true)").optional()
+	"headers": z.optional(z.object({}).catchall(z.string()).describe("Optional HTTP headers to include in requests to the monitoring endpoint")),
+	"logsUri": z.optional(z.string().describe("Optional URI path for logs (defaults to \"/v1/logs\")")),
+	"tlsEnabled": z.optional(z.boolean().describe("Whether to enable TLS/HTTPS (defaults to true)")),
+	"tlsVerify": z.optional(z.boolean().describe("Whether to verify TLS certificates (defaults to true)"))
 }).describe("Configuration for monitoring and observability.");
 //#endregion
 //#region src/generated/zod/build-config-schema.ts
@@ -703,12 +707,12 @@ const MonitoringConfigSchema = z.object({
 * @description Configuration for starting a build.
 */
 const BuildConfigSchema = z.object({
-	get computeType() {
+	get "computeType"() {
 		return ComputeTypeSchema.describe("Compute type for build resources.").optional();
 	},
-	"environment": z.object({}).catchall(z.string()).describe("Key-value pairs to set as environment variables for the build.").optional(),
+	"environment": z.optional(z.object({}).catchall(z.string()).describe("Key-value pairs to set as environment variables for the build.")),
 	"image": z.string().describe("Base container image to use for the build environment."),
-	get monitoring() {
+	get "monitoring"() {
 		return z.union([MonitoringConfigSchema, z.null()]).optional();
 	},
 	"script": z.string().describe("Bash script to execute for the build."),
@@ -734,12 +738,12 @@ const BuildOutputsSchema = z.object({ "identifier": z.string().describe("The pla
 * @description Represents a build resource that executes bash scripts to build code.\nBuilds are designed to be stateless and can be triggered on-demand to compile,\ntest, or package application code.
 */
 const BuildSchema = z.object({
-	get computeType() {
+	get "computeType"() {
 		return ComputeTypeSchema.describe("Compute type for build resources.").optional();
 	},
-	"environment": z.object({}).catchall(z.string()).describe("Key-value pairs to set as environment variables for the build.").optional(),
+	"environment": z.optional(z.object({}).catchall(z.string()).describe("Key-value pairs to set as environment variables for the build.")),
 	"id": z.string().describe("Identifier for the build resource. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]).\nMaximum 64 characters."),
-	get links() {
+	get "links"() {
 		return z.array(ResourceRefSchema.describe("New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.")).describe("List of resource references this build depends on.");
 	},
 	"permissions": z.string().describe("Permission profile name that defines the permissions granted to this build.\nThis references a profile defined in the stack's permission definitions.")
@@ -771,13 +775,13 @@ const BuildStatusSchema = z.enum([
 * @description Command response from deployment
 */
 const CommandResponseSchema = z.union([z.object({
-	get response() {
+	get "response"() {
 		return BodySpecSchema.describe("Body specification supporting inline and storage modes");
 	},
 	"status": z.enum(["success"])
 }), z.object({
 	"code": z.string().describe("Error code"),
-	"details": z.string().describe("Optional additional details").optional().nullable(),
+	"details": z.string().describe("Optional additional details").nullish(),
 	"message": z.string().describe("Error message"),
 	"status": z.enum(["error"])
 })]).describe("Command response from deployment");
@@ -788,7 +792,7 @@ const CommandResponseSchema = z.union([z.object({
 * Do not edit manually.
 */
 /**
-* @description Command states in the ARC protocol lifecycle
+* @description Command states in the Commands protocol lifecycle
 */
 const CommandStateSchema = z.enum([
 	"PENDING_UPLOAD",
@@ -797,7 +801,7 @@ const CommandStateSchema = z.enum([
 	"SUCCEEDED",
 	"FAILED",
 	"EXPIRED"
-]).describe("Command states in the ARC protocol lifecycle");
+]).describe("Command states in the Commands protocol lifecycle");
 //#endregion
 //#region src/generated/zod/command-status-response-schema.ts
 /**
@@ -810,11 +814,11 @@ const CommandStateSchema = z.enum([
 const CommandStatusResponseSchema = z.object({
 	"attempt": z.int().min(0).describe("Current attempt number"),
 	"commandId": z.string().describe("Command identifier"),
-	get response() {
+	get "response"() {
 		return z.union([CommandResponseSchema, z.null()]).optional();
 	},
-	get state() {
-		return CommandStateSchema.describe("Command states in the ARC protocol lifecycle");
+	get "state"() {
+		return CommandStateSchema.describe("Command states in the Commands protocol lifecycle");
 	}
 }).describe("Response to status queries");
 //#endregion
@@ -829,11 +833,11 @@ const CommandStatusResponseSchema = z.object({
 const ContainerAutoscalingSchema = z.object({
 	"desired": z.int().min(0).describe("Initial desired replicas at container creation"),
 	"max": z.int().min(0).describe("Maximum replicas under load"),
-	"maxHttpP95LatencyMs": z.number().describe("Maximum acceptable p95 HTTP latency in milliseconds").optional().nullable(),
+	"maxHttpP95LatencyMs": z.number().describe("Maximum acceptable p95 HTTP latency in milliseconds").nullish(),
 	"min": z.int().min(0).describe("Minimum replicas (always running)"),
-	"targetCpuPercent": z.number().describe("Target CPU utilization percentage for scaling (default: 70%)").optional().nullable(),
-	"targetHttpInFlightPerReplica": z.int().min(0).describe("Target in-flight HTTP requests per replica").optional().nullable(),
-	"targetMemoryPercent": z.number().describe("Target memory utilization percentage for scaling (default: 80%)").optional().nullable()
+	"targetCpuPercent": z.number().describe("Target CPU utilization percentage for scaling (default: 70%)").nullish(),
+	"targetHttpInFlightPerReplica": z.int().min(0).describe("Target in-flight HTTP requests per replica").nullish(),
+	"targetMemoryPercent": z.number().describe("Target memory utilization percentage for scaling (default: 80%)").nullish()
 }).describe("Autoscaling configuration for stateless containers.");
 //#endregion
 //#region src/generated/zod/toolchain-config-schema.ts
@@ -850,13 +854,13 @@ const ToolchainConfigSchema = z.union([
 		"type": z.enum(["rust"])
 	}),
 	z.object({
-		"binaryName": z.string().describe("Name of the compiled binary (defaults to package.json name if not specified)").optional().nullable(),
+		"binaryName": z.string().describe("Name of the compiled binary (defaults to package.json name if not specified)").nullish(),
 		"type": z.enum(["typescript"])
 	}),
 	z.object({
-		"buildArgs": z.object({}).catchall(z.string()).describe("Build arguments for docker build").optional().nullable(),
-		"dockerfile": z.string().describe("Dockerfile path relative to src (default: \"Dockerfile\")").optional().nullable(),
-		"target": z.string().describe("Multi-stage build target").optional().nullable(),
+		"buildArgs": z.object({}).catchall(z.string()).describe("Build arguments for docker build").nullish(),
+		"dockerfile": z.string().describe("Dockerfile path relative to src (default: \"Dockerfile\")").nullish(),
+		"target": z.string().describe("Multi-stage build target").nullish(),
 		"type": z.enum(["docker"])
 	})
 ]).describe("Configuration for different programming language toolchains.\nEach toolchain provides type-safe build configuration and auto-detection capabilities.");
@@ -874,7 +878,7 @@ const ContainerCodeSchema = z.union([z.object({
 	"type": z.enum(["image"])
 }), z.object({
 	"src": z.string().describe("The source directory to build from"),
-	get toolchain() {
+	get "toolchain"() {
 		return ToolchainConfigSchema.describe("Configuration for different programming language toolchains.\nEach toolchain provides type-safe build configuration and auto-detection capabilities.");
 	},
 	"type": z.enum(["source"])
@@ -918,7 +922,7 @@ const ContainerStatusSchema = z.enum([
 */
 const LoadBalancerEndpointSchema = z.object({
 	"dnsName": z.string().describe("The DNS name of the load balancer endpoint (e.g., ALB DNS, API Gateway domain)."),
-	"hostedZoneId": z.string().describe("AWS Route53 hosted zone ID (for ALIAS records). Only set on AWS.").optional().nullable()
+	"hostedZoneId": z.string().describe("AWS Route53 hosted zone ID (for ALIAS records). Only set on AWS.").nullish()
 }).describe("Load balancer endpoint information for DNS management.\nThis is optional metadata used by the DNS controller to create domain mappings.");
 //#endregion
 //#region src/generated/zod/replica-status-schema.ts
@@ -930,10 +934,10 @@ const LoadBalancerEndpointSchema = z.object({
 * @description Status of a single container replica.
 */
 const ReplicaStatusSchema = z.object({
-	"containerIp": z.string().describe("Container IP address (for service discovery)").optional().nullable(),
+	"containerIp": z.string().describe("Container IP address (for service discovery)").nullish(),
 	"healthy": z.boolean().describe("Whether the replica is healthy"),
-	"machineId": z.string().describe("Machine ID the replica is running on").optional().nullable(),
-	"ordinal": z.int().min(0).describe("Ordinal (for stateful containers)").optional().nullable(),
+	"machineId": z.string().describe("Machine ID the replica is running on").nullish(),
+	"ordinal": z.int().min(0).describe("Ordinal (for stateful containers)").nullish(),
 	"replicaId": z.string().describe("Replica ID (e.g., \"api-0\", \"api-1\")")
 }).describe("Status of a single container replica.");
 //#endregion
@@ -949,17 +953,17 @@ const ContainerOutputsSchema = z.object({
 	"currentReplicas": z.int().min(0).describe("Number of current replicas"),
 	"desiredReplicas": z.int().min(0).describe("Desired number of replicas"),
 	"internalDns": z.string().describe("Internal DNS name (e.g., \"api.svc\")"),
-	get loadBalancerEndpoint() {
+	get "loadBalancerEndpoint"() {
 		return z.union([LoadBalancerEndpointSchema, z.null()]).optional();
 	},
 	"name": z.string().describe("Container name in Horizon"),
-	get replicas() {
+	get "replicas"() {
 		return z.array(ReplicaStatusSchema.describe("Status of a single container replica.")).describe("Status of each replica");
 	},
-	get status() {
+	get "status"() {
 		return ContainerStatusSchema.describe("Container status in Horizon.");
 	},
-	"url": z.string().describe("Public URL (if exposed publicly)").optional().nullable()
+	"url": z.string().describe("Public URL (if exposed publicly)").nullish()
 }).describe("Outputs generated by a successfully provisioned Container.");
 //#endregion
 //#region src/generated/zod/expose-protocol-schema.ts
@@ -981,7 +985,7 @@ const ExposeProtocolSchema = z.enum(["http", "tcp"]).describe("Protocol for expo
 * @description Container port configuration.
 */
 const ContainerPortSchema = z.object({
-	get expose() {
+	get "expose"() {
 		return z.union([ExposeProtocolSchema, z.null()]).optional();
 	},
 	"port": z.int().min(0).describe("Port number")
@@ -996,11 +1000,11 @@ const ContainerPortSchema = z.object({
 * @description HTTP health check configuration.
 */
 const HealthCheckSchema = z.object({
-	"failureThreshold": z.int().min(0).describe("Number of consecutive failures before marking replica unhealthy").optional(),
-	"method": z.string().describe("HTTP method to use for health check").optional(),
-	"path": z.string().describe("HTTP endpoint path to check (e.g., \"/health\", \"/ready\")").optional(),
-	"port": z.int().min(0).describe("Port to check (defaults to container port if not specified)").optional().nullable(),
-	"timeoutSeconds": z.int().min(0).describe("Request timeout in seconds (1-5)").optional()
+	"failureThreshold": z.optional(z.int().min(0).describe("Number of consecutive failures before marking replica unhealthy")),
+	"method": z.optional(z.string().describe("HTTP method to use for health check")),
+	"path": z.optional(z.string().describe("HTTP endpoint path to check (e.g., \"/health\", \"/ready\")")),
+	"port": z.int().min(0).describe("Port to check (defaults to container port if not specified)").nullish(),
+	"timeoutSeconds": z.optional(z.int().min(0).describe("Request timeout in seconds (1-5)"))
 }).describe("HTTP health check configuration.");
 //#endregion
 //#region src/generated/zod/persistent-storage-schema.ts
@@ -1012,11 +1016,11 @@ const HealthCheckSchema = z.object({
 * @description Persistent storage configuration for stateful containers.
 */
 const PersistentStorageSchema = z.object({
-	"iops": z.int().min(0).describe("IOPS (for storage types that support it)").optional().nullable(),
+	"iops": z.int().min(0).describe("IOPS (for storage types that support it)").nullish(),
 	"mountPath": z.string().describe("Mount path inside the container"),
 	"size": z.string().describe("Storage size (e.g., \"100Gi\", \"500Gi\")"),
-	"storageType": z.string().describe("Storage type (e.g., \"gp3\", \"io2\" for AWS, \"pd-ssd\" for GCP)").optional().nullable(),
-	"throughput": z.int().min(0).describe("Throughput in MiB/s (for storage types that support it)").optional().nullable()
+	"storageType": z.string().describe("Storage type (e.g., \"gp3\", \"io2\" for AWS, \"pd-ssd\" for GCP)").nullish(),
+	"throughput": z.int().min(0).describe("Throughput in MiB/s (for storage types that support it)").nullish()
 }).describe("Persistent storage configuration for stateful containers.");
 //#endregion
 //#region src/generated/zod/resource-spec-schema.ts
@@ -1041,42 +1045,42 @@ const ResourceSpecSchema = z.object({
 * @description Container resource for running long-running container workloads.\n\nA Container defines a deployable unit that runs on a ContainerCluster.\nHorizon handles scheduling replicas across machines, autoscaling based on\nvarious metrics, and service discovery.\n\n## Example\n\n```rust\nuse alien_core::{Container, ContainerCode, ResourceSpec, ContainerAutoscaling, ContainerPort, ExposeProtocol};\n\nlet container = Container::new(\"api\".to_string())\n    .cluster(\"compute\".to_string())\n    .code(ContainerCode::Image {\n        image: \"myapp:latest\".to_string(),\n    })\n    .cpu(ResourceSpec { min: \"0.5\".to_string(), desired: \"1\".to_string() })\n    .memory(ResourceSpec { min: \"512Mi\".to_string(), desired: \"1Gi\".to_string() })\n    .port(8080)\n    .expose_port(8080, ExposeProtocol::Http)\n    .autoscaling(ContainerAutoscaling {\n        min: 2,\n        desired: 3,\n        max: 10,\n        target_cpu_percent: Some(70.0),\n        target_memory_percent: None,\n        target_http_in_flight_per_replica: Some(100),\n        max_http_p95_latency_ms: None,\n    })\n    .permissions(\"container-execution\".to_string())\n    .build();\n```
 */
 const ContainerSchema = z.object({
-	get autoscaling() {
+	get "autoscaling"() {
 		return z.union([ContainerAutoscalingSchema, z.null()]).optional();
 	},
-	"cluster": z.string().describe("ContainerCluster resource ID that this container runs on.\nIf None, will be auto-assigned by ContainerClusterMutation at deployment time.").optional().nullable(),
-	get code() {
+	"cluster": z.string().describe("ContainerCluster resource ID that this container runs on.\nIf None, will be auto-assigned by ContainerClusterMutation at deployment time.").nullish(),
+	get "code"() {
 		return ContainerCodeSchema.describe("Specifies the source of the container's executable code.");
 	},
-	"command": z.array(z.string()).describe("Command to override image default").optional().nullable(),
-	get cpu() {
+	"command": z.array(z.string()).describe("Command to override image default").nullish(),
+	get "cpu"() {
 		return ResourceSpecSchema.describe("Resource specification with min/desired values.");
 	},
-	"environment": z.object({}).catchall(z.string()).describe("Environment variables").optional(),
-	"ephemeralStorage": z.string().describe("Ephemeral storage requirement (e.g., \"10Gi\")").optional().nullable(),
-	get gpu() {
+	"environment": z.optional(z.object({}).catchall(z.string()).describe("Environment variables")),
+	"ephemeralStorage": z.string().describe("Ephemeral storage requirement (e.g., \"10Gi\")").nullish(),
+	get "gpu"() {
 		return z.union([ContainerGpuSpecSchema, z.null()]).optional();
 	},
-	get healthCheck() {
+	get "healthCheck"() {
 		return z.union([HealthCheckSchema, z.null()]).optional();
 	},
 	"id": z.string().describe("Unique identifier for the container.\nMust be DNS-compatible: lowercase alphanumeric with hyphens."),
-	get links() {
+	get "links"() {
 		return z.array(ResourceRefSchema.describe("New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.")).describe("Resource links (dependencies)");
 	},
-	get memory() {
+	get "memory"() {
 		return ResourceSpecSchema.describe("Resource specification with min/desired values.");
 	},
 	"permissions": z.string().describe("Permission profile name"),
-	get persistentStorage() {
+	get "persistentStorage"() {
 		return z.union([PersistentStorageSchema, z.null()]).optional();
 	},
-	"pool": z.string().describe("Capacity group to run on (must exist in the cluster)\nIf not specified, containers are scheduled to any available group.").optional().nullable(),
-	get ports() {
+	"pool": z.string().describe("Capacity group to run on (must exist in the cluster)\nIf not specified, containers are scheduled to any available group.").nullish(),
+	get "ports"() {
 		return z.array(ContainerPortSchema.describe("Container port configuration.")).describe("Container ports to expose (at least one required)");
 	},
-	"replicas": z.int().min(0).describe("Fixed replica count (for stateful containers or stateless without autoscaling)").optional().nullable(),
-	"stateful": z.boolean().describe("Whether container is stateful (gets stable ordinals, optional persistent volumes)").optional()
+	"replicas": z.int().min(0).describe("Fixed replica count (for stateful containers or stateless without autoscaling)").nullish(),
+	"stateful": z.optional(z.boolean().describe("Whether container is stateful (gets stable ordinals, optional persistent volumes)"))
 }).describe("Container resource for running long-running container workloads.\n\nA Container defines a deployable unit that runs on a ContainerCluster.\nHorizon handles scheduling replicas across machines, autoscaling based on\nvarious metrics, and service discovery.\n\n## Example\n\n```rust\nuse alien_core::{Container, ContainerCode, ResourceSpec, ContainerAutoscaling, ContainerPort, ExposeProtocol};\n\nlet container = Container::new(\"api\".to_string())\n    .cluster(\"compute\".to_string())\n    .code(ContainerCode::Image {\n        image: \"myapp:latest\".to_string(),\n    })\n    .cpu(ResourceSpec { min: \"0.5\".to_string(), desired: \"1\".to_string() })\n    .memory(ResourceSpec { min: \"512Mi\".to_string(), desired: \"1Gi\".to_string() })\n    .port(8080)\n    .expose_port(8080, ExposeProtocol::Http)\n    .autoscaling(ContainerAutoscaling {\n        min: 2,\n        desired: 3,\n        max: 10,\n        target_cpu_percent: Some(70.0),\n        target_memory_percent: None,\n        target_http_in_flight_per_replica: Some(100),\n        max_http_p95_latency_ms: None,\n    })\n    .permissions(\"container-execution\".to_string())\n    .build();\n```");
 //#endregion
 //#region src/generated/zod/create-command-request-schema.ts
@@ -1085,17 +1089,17 @@ const ContainerSchema = z.object({
 * Do not edit manually.
 */
 /**
-* @description Request to create a new ARC command
+* @description Request to create a new command
 */
 const CreateCommandRequestSchema = z.object({
 	"command": z.string().describe("Command name (e.g., \"generate-report\", \"sync-data\")"),
-	"deadline": z.string().datetime().describe("Optional deadline for command completion").optional().nullable(),
+	"deadline": z.iso.datetime().describe("Optional deadline for command completion").nullish(),
 	"deploymentId": z.string().describe("Target deployment identifier"),
-	"idempotencyKey": z.string().describe("Optional idempotency key").optional().nullable(),
-	get params() {
+	"idempotencyKey": z.string().describe("Optional idempotency key").nullish(),
+	get "params"() {
 		return BodySpecSchema.describe("Body specification supporting inline and storage modes");
 	}
-}).describe("Request to create a new ARC command");
+}).describe("Request to create a new command");
 //#endregion
 //#region src/generated/zod/storage-upload-schema.ts
 /**
@@ -1106,8 +1110,8 @@ const CreateCommandRequestSchema = z.object({
 * @description Storage upload information
 */
 const StorageUploadSchema = z.object({
-	"expiresAt": z.string().datetime().describe("Expiration time for upload URL"),
-	get putRequest() {
+	"expiresAt": z.iso.datetime().describe("Expiration time for upload URL"),
+	get "putRequest"() {
 		return PresignedRequestSchema.describe("A presigned request that can be serialized, stored, and executed later.\nHides implementation details for different storage backends.");
 	}
 }).describe("Storage upload information");
@@ -1124,10 +1128,10 @@ const CreateCommandResponseSchema = z.object({
 	"commandId": z.string().describe("Unique command identifier"),
 	"inlineAllowedUpTo": z.int().min(0).describe("Maximum inline body size allowed"),
 	"next": z.string().describe("Next action for client: \"upload\" | \"poll\""),
-	get state() {
-		return CommandStateSchema.describe("Command states in the ARC protocol lifecycle");
+	get "state"() {
+		return CommandStateSchema.describe("Command states in the Commands protocol lifecycle");
 	},
-	get storageUpload() {
+	get "storageUpload"() {
 		return z.union([StorageUploadSchema, z.null()]).optional();
 	}
 }).describe("Response to command creation");
@@ -1148,13 +1152,13 @@ const GcpCustomCertificateConfigSchema = z.object({ "certificateName": z.string(
 * @description Platform-specific certificate references for custom domains.
 */
 const CustomCertificateConfigSchema = z.object({
-	get aws() {
+	get "aws"() {
 		return z.union([AwsCustomCertificateConfigSchema, z.null()]).optional();
 	},
-	get azure() {
+	get "azure"() {
 		return z.union([AzureCustomCertificateConfigSchema, z.null()]).optional();
 	},
-	get gcp() {
+	get "gcp"() {
 		return z.union([GcpCustomCertificateConfigSchema, z.null()]).optional();
 	}
 }).describe("Platform-specific certificate references for custom domains.");
@@ -1168,7 +1172,7 @@ const CustomCertificateConfigSchema = z.object({
 * @description Custom domain configuration for a single resource.
 */
 const CustomDomainConfigSchema = z.object({
-	get certificate() {
+	get "certificate"() {
 		return CustomCertificateConfigSchema.describe("Platform-specific certificate references for custom domains.");
 	},
 	"domain": z.string().describe("Fully qualified domain name to use.")
@@ -1208,9 +1212,9 @@ const DevStatusStateSchema = z.enum([
 * @description Overall status of the dev server
 */
 const DevStatusSchema = z.object({
-	"agents": z.object({}).catchall(AgentStatusSchema.describe("Status of a single agent in the dev server")).describe("Agents being managed by this dev server (keyed by agent name)"),
+	"agents": z.object({}).catchall(z.lazy(() => AgentStatusSchema).describe("Status of a single agent in the dev server")).describe("Agents being managed by this dev server (keyed by agent name)"),
 	"apiUrl": z.string().describe("Dev server API URL (e.g., http://localhost:9090)"),
-	get error() {
+	get "error"() {
 		return z.union([AlienErrorSchema, z.null()]).optional();
 	},
 	"lastUpdated": z.string().describe("ISO 8601 timestamp of last status update"),
@@ -1219,7 +1223,7 @@ const DevStatusSchema = z.object({
 	"stackId": z.string().describe("Stack ID (always \"dev\" for dev server)"),
 	"startedAt": z.string().describe("ISO 8601 timestamp when dev server started"),
 	"stateDir": z.string().describe("Path to state directory"),
-	get status() {
+	get "status"() {
 		return DevStatusStateSchema.describe("Overall dev server status");
 	}
 }).describe("Overall status of the dev server");
@@ -1232,7 +1236,7 @@ const DevStatusSchema = z.object({
 /**
 * @description Domain configuration for the stack.\n\nWhen `custom_domains` is set, the specified resources use customer-provided\ndomains and certificates. Otherwise, Alien auto-generates domains.
 */
-const DomainSettingsSchema = z.object({ "customDomains": z.object({}).catchall(CustomDomainConfigSchema.describe("Custom domain configuration for a single resource.")).describe("Custom domain configuration per resource ID.").optional().nullable() }).describe("Domain configuration for the stack.\n\nWhen `custom_domains` is set, the specified resources use customer-provided\ndomains and certificates. Otherwise, Alien auto-generates domains.");
+const DomainSettingsSchema = z.object({ "customDomains": z.object({}).catchall(z.lazy(() => CustomDomainConfigSchema).describe("Custom domain configuration for a single resource.")).describe("Custom domain configuration per resource ID.").nullish() }).describe("Domain configuration for the stack.\n\nWhen `custom_domains` is set, the specified resources use customer-provided\ndomains and certificates. Otherwise, Alien auto-generates domains.");
 //#endregion
 //#region src/generated/zod/response-handling-schema.ts
 /**
@@ -1244,7 +1248,7 @@ const DomainSettingsSchema = z.object({ "customDomains": z.object({}).catchall(C
 */
 const ResponseHandlingSchema = z.object({
 	"maxInlineBytes": z.int().min(0).describe("Maximum response body size that can be submitted inline"),
-	get storageUploadRequest() {
+	get "storageUploadRequest"() {
 		return PresignedRequestSchema.describe("A presigned request that can be serialized, stored, and executed later.\nHides implementation details for different storage backends.");
 	},
 	"submitResponseUrl": z.string().describe("URL where deployments submit responses")
@@ -1256,22 +1260,22 @@ const ResponseHandlingSchema = z.object({
 * Do not edit manually.
 */
 /**
-* @description ARC envelope sent to deployments
+* @description Commands envelope sent to deployments
 */
 const EnvelopeSchema = z.object({
 	"attempt": z.int().min(0).describe("Attempt number (starts at 1)"),
 	"command": z.string().describe("Command name (e.g., \"generate-report\", \"sync-data\")"),
 	"commandId": z.string().describe("Unique command identifier"),
-	"deadline": z.string().datetime().describe("Command deadline").optional().nullable(),
+	"deadline": z.iso.datetime().describe("Command deadline").nullish(),
 	"deploymentId": z.string().describe("Target deployment identifier"),
-	get params() {
+	get "params"() {
 		return BodySpecSchema.describe("Body specification supporting inline and storage modes");
 	},
 	"protocol": z.string().describe("Protocol version identifier"),
-	get responseHandling() {
+	get "responseHandling"() {
 		return ResponseHandlingSchema.describe("Response handling configuration for deployments");
 	}
-}).describe("ARC envelope sent to deployments");
+}).describe("Commands envelope sent to deployments");
 //#endregion
 //#region src/generated/zod/event-state-schema.ts
 /**
@@ -1282,7 +1286,7 @@ const EnvelopeSchema = z.object({
 * @description Represents the state of an event
 */
 const EventStateSchema = z.union([
-	z.object({ "failed": z.object({ get error() {
+	z.object({ "failed": z.object({ get "error"() {
 		return z.union([AlienErrorSchema, z.null()]).optional();
 	} }).describe("Event failed with an error") }),
 	z.enum(["none"]),
@@ -1300,32 +1304,32 @@ const EventStateSchema = z.union([
 */
 const EventChangeSchema = z.union([
 	z.object({
-		"createdAt": z.string().datetime().describe("Timestamp when the event was created"),
-		get event() {
+		"createdAt": z.iso.datetime().describe("Timestamp when the event was created"),
+		get "event"() {
 			return AlienEventSchema.describe("Represents all possible events in the Alien system");
 		},
 		"id": z.string().describe("Unique identifier for the event"),
-		"parentId": z.string().describe("Parent event ID if this is a child event").optional().nullable(),
-		get state() {
+		"parentId": z.string().describe("Parent event ID if this is a child event").nullish(),
+		get "state"() {
 			return EventStateSchema.describe("Represents the state of an event");
 		},
 		"type": z.enum(["created"])
 	}),
 	z.object({
-		get event() {
+		get "event"() {
 			return AlienEventSchema.describe("Represents all possible events in the Alien system");
 		},
 		"id": z.string().describe("Unique identifier for the event"),
 		"type": z.enum(["updated"]),
-		"updatedAt": z.string().datetime().describe("Timestamp when the event was updated")
+		"updatedAt": z.iso.datetime().describe("Timestamp when the event was updated")
 	}),
 	z.object({
 		"id": z.string().describe("Unique identifier for the event"),
-		get newState() {
+		get "newState"() {
 			return EventStateSchema.describe("Represents the state of an event");
 		},
 		"type": z.enum(["stateChanged"]),
-		"updatedAt": z.string().datetime().describe("Timestamp when the state changed")
+		"updatedAt": z.iso.datetime().describe("Timestamp when the state changed")
 	})
 ]).describe("Represents a change to an event");
 //#endregion
@@ -1342,7 +1346,7 @@ const FunctionCodeSchema = z.union([z.object({
 	"type": z.enum(["image"])
 }), z.object({
 	"src": z.string().describe("The source directory to build from"),
-	get toolchain() {
+	get "toolchain"() {
 		return ToolchainConfigSchema.describe("Configuration for different programming language toolchains.\nEach toolchain provides type-safe build configuration and auto-detection capabilities.");
 	},
 	"type": z.enum(["source"])
@@ -1357,12 +1361,13 @@ const FunctionCodeSchema = z.union([z.object({
 * @description Outputs generated by a successfully provisioned Function.
 */
 const FunctionOutputsSchema = z.object({
+	"commandsPushTarget": z.string().describe("Push target for commands delivery. Platform-specific:\n- AWS: Lambda function name or ARN\n- GCP: Full Pub/Sub topic path (projects/{project}/topics/{topic})\n- Azure: Service Bus \"{namespace}/{queue}\"").nullish(),
 	"functionName": z.string().describe("The name of the function."),
-	"identifier": z.string().describe("The ARN or platform-specific identifier.").optional().nullable(),
-	get loadBalancerEndpoint() {
+	"identifier": z.string().describe("The ARN or platform-specific identifier.").nullish(),
+	get "loadBalancerEndpoint"() {
 		return z.union([LoadBalancerEndpointSchema, z.null()]).optional();
 	},
-	"url": z.string().describe("The invocation URL (if applicable, e.g., for public ingress or specific platforms).").optional().nullable()
+	"url": z.string().describe("The invocation URL (if applicable, e.g., for public ingress or specific platforms).").nullish()
 }).describe("Outputs generated by a successfully provisioned Function.");
 //#endregion
 //#region src/generated/zod/function-trigger-schema.ts
@@ -1375,20 +1380,20 @@ const FunctionOutputsSchema = z.object({
 */
 const FunctionTriggerSchema = z.union([
 	z.object({
-		get queue() {
+		get "queue"() {
 			return ResourceRefSchema.describe("New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.");
 		},
 		"type": z.enum(["queue"])
 	}),
 	z.object({
 		"events": z.array(z.string()).describe("Events to trigger on (e.g., [\"created\", \"deleted\"])"),
-		get storage() {
+		get "storage"() {
 			return ResourceRefSchema.describe("New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.");
 		},
 		"type": z.enum(["storage"])
 	}),
 	z.object({
-		"cron": z.string().describe("Cron expression for scheduling"),
+		"cron": z.string().describe("Cron expression for scheduling (standard 5-field unix cron)"),
 		"type": z.enum(["schedule"])
 	})
 ]).describe("Defines what triggers a function execution");
@@ -1430,10 +1435,10 @@ const HttpMethodSchema = z.enum([
 * @description Configuration for HTTP-based readiness probe.\nThis probe is executed after function provisioning/update to verify the function is ready to serve traffic.\nOnly works with functions that have Public ingress.
 */
 const ReadinessProbeSchema = z.object({
-	get method() {
+	get "method"() {
 		return HttpMethodSchema.describe("HTTP method for readiness probe requests.").optional();
 	},
-	"path": z.string().describe("Path to request for the probe (e.g., \"/health\", \"/ready\").\nDefault: \"/\"").optional()
+	"path": z.optional(z.string().describe("Path to request for the probe (e.g., \"/health\", \"/ready\").\nDefault: \"/\""))
 }).describe("Configuration for HTTP-based readiness probe.\nThis probe is executed after function provisioning/update to verify the function is ready to serve traffic.\nOnly works with functions that have Public ingress.");
 //#endregion
 //#region src/generated/zod/function-schema.ts
@@ -1445,26 +1450,26 @@ const ReadinessProbeSchema = z.object({
 * @description Represents a serverless function that executes code in response to triggers or direct invocations.\nFunctions are the primary compute resource in serverless applications, designed to be stateless and ephemeral.
 */
 const FunctionSchema = z.object({
-	"arcEnabled": z.boolean().default(false).describe("Whether the function can be invoked via ARC (Alien Remote Call) protocol from the control plane.\nWhen enabled, the necessary queue infrastructure is automatically created for the target platform."),
-	get code() {
+	get "code"() {
 		return FunctionCodeSchema.describe("Specifies the source of the function's executable code.\nThis can be a pre-built container image or source code that the system will build.");
 	},
-	"concurrencyLimit": z.int().min(0).describe("Maximum number of concurrent executions allowed for the function.\nNone means platform default applies.").optional().nullable(),
-	"environment": z.object({}).catchall(z.string()).describe("Key-value pairs to set as environment variables for the function.").optional(),
+	"commandsEnabled": z.optional(z.boolean().default(false).describe("Whether the function can receive remote commands via the Commands protocol.\nWhen enabled, the runtime polls the manager for pending commands and executes registered handlers.")),
+	"concurrencyLimit": z.int().min(0).describe("Maximum number of concurrent executions allowed for the function.\nNone means platform default applies.").nullish(),
+	"environment": z.optional(z.object({}).catchall(z.string()).describe("Key-value pairs to set as environment variables for the function.")),
 	"id": z.string().describe("Identifier for the function. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]).\nMaximum 64 characters."),
-	get ingress() {
-		return IngressSchema.default("private");
+	get "ingress"() {
+		return IngressSchema.default("private").optional();
 	},
-	get links() {
+	get "links"() {
 		return z.array(ResourceRefSchema.describe("New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.")).describe("List of resource references this function depends on.");
 	},
-	"memoryMb": z.int().min(0).default(256).describe("Memory allocated to the function in megabytes (MB).\nConstraints: 128‑32768 MB (platform-specific limits may apply)\nDefault: 256"),
+	"memoryMb": z.optional(z.int().min(0).default(256).describe("Memory allocated to the function in megabytes (MB).\nConstraints: 128‑32768 MB (platform-specific limits may apply)\nDefault: 256")),
 	"permissions": z.string().describe("Permission profile name that defines the permissions granted to this function.\nThis references a profile defined in the stack's permission definitions."),
-	get readinessProbe() {
+	get "readinessProbe"() {
 		return z.union([ReadinessProbeSchema, z.null()]).optional();
 	},
-	"timeoutSeconds": z.int().min(0).default(180).describe("Maximum execution time for the function in seconds.\nConstraints: 1‑3600 seconds (platform-specific limits may apply)\nDefault: 30"),
-	get triggers() {
+	"timeoutSeconds": z.optional(z.int().min(0).default(180).describe("Maximum execution time for the function in seconds.\nConstraints: 1‑3600 seconds (platform-specific limits may apply)\nDefault: 30")),
+	get "triggers"() {
 		return z.array(FunctionTriggerSchema.describe("Defines what triggers a function execution")).describe("List of triggers that define what events automatically invoke this function.\nIf empty, the function is only invokable directly via HTTP calls or platform-specific invocation APIs.\nWhen configured, the function will be automatically invoked when any of the specified trigger conditions are met.");
 	}
 }).describe("Represents a serverless function that executes code in response to triggers or direct invocations.\nFunctions are the primary compute resource in serverless applications, designed to be stateless and ephemeral.");
@@ -1488,10 +1493,10 @@ const GcpManagementConfigSchema = z.object({ "serviceAccountEmail": z.string().d
 * @description GCP-specific platform permission configuration
 */
 const GcpPlatformPermissionSchema = z.object({
-	get binding() {
+	get "binding"() {
 		return BindingConfigurationGcpBindingSpecSchema.describe("Generic binding configuration for permissions");
 	},
-	get grant() {
+	get "grant"() {
 		return PermissionGrantSchema.describe("Grant permissions for a specific cloud platform");
 	}
 }).describe("GCP-specific platform permission configuration");
@@ -1505,10 +1510,6 @@ const GcpPlatformPermissionSchema = z.object({
 * @description How heartbeat health checks are handled.
 */
 const HeartbeatsModeSchema = z.enum(["off", "on"]).describe("How heartbeat health checks are handled.");
-z.object({
-	"password": z.string().describe("Password for the container registry"),
-	"username": z.string().describe("Username for the container registry")
-}).describe("Image pull credentials for container registries");
 //#endregion
 //#region src/generated/zod/kv-outputs-schema.ts
 /**
@@ -1519,8 +1520,8 @@ z.object({
 * @description Outputs generated by a successfully provisioned KV store.
 */
 const KvOutputsSchema = z.object({
-	"endpoint": z.string().describe("Platform-specific endpoint URL for direct access (if applicable).").optional().nullable(),
-	"identifier": z.string().describe("Platform-specific identifier (e.g., DynamoDB table ARN, Redis endpoint).").optional().nullable(),
+	"endpoint": z.string().describe("Platform-specific endpoint URL for direct access (if applicable).").nullish(),
+	"identifier": z.string().describe("Platform-specific identifier (e.g., DynamoDB table ARN, Redis endpoint).").nullish(),
 	"storeName": z.string().describe("The name of the KV store (may be platform-specific).")
 }).describe("Outputs generated by a successfully provisioned KV store.");
 //#endregion
@@ -1545,10 +1546,10 @@ const KvSchema = z.object({ "id": z.string().describe("Identifier for the KV sto
 const LeaseInfoSchema = z.object({
 	"attempt": z.int().min(0).describe("Attempt number"),
 	"commandId": z.string().describe("Command identifier"),
-	get envelope() {
-		return EnvelopeSchema.describe("ARC envelope sent to deployments");
+	get "envelope"() {
+		return EnvelopeSchema.describe("Commands envelope sent to deployments");
 	},
-	"leaseExpiresAt": z.string().datetime().describe("When lease expires"),
+	"leaseExpiresAt": z.iso.datetime().describe("When lease expires"),
 	"leaseId": z.string().describe("Unique lease identifier")
 }).describe("Lease information");
 //#endregion
@@ -1562,8 +1563,8 @@ const LeaseInfoSchema = z.object({
 */
 const LeaseRequestSchema = z.object({
 	"deploymentId": z.string().describe("Deployment identifier"),
-	"leaseSeconds": z.int().min(0).describe("Lease duration in seconds").optional(),
-	"maxLeases": z.int().min(0).describe("Maximum number of leases to acquire").optional()
+	"leaseSeconds": z.optional(z.int().min(0).describe("Lease duration in seconds")),
+	"maxLeases": z.optional(z.int().min(0).describe("Maximum number of leases to acquire"))
 }).describe("Request for acquiring leases");
 //#endregion
 //#region src/generated/zod/lease-response-schema.ts
@@ -1574,7 +1575,7 @@ const LeaseRequestSchema = z.object({
 /**
 * @description Response to lease acquisition
 */
-const LeaseResponseSchema = z.object({ get leases() {
+const LeaseResponseSchema = z.object({ get "leases"() {
 	return z.array(LeaseInfoSchema.describe("Lease information")).describe("Acquired leases (empty array if none available)");
 } }).describe("Response to lease acquisition");
 //#endregion
@@ -1588,14 +1589,14 @@ const LeaseResponseSchema = z.object({ get leases() {
 */
 const LifecycleRuleSchema = z.object({
 	"days": z.int().min(0).describe("Number of days after which objects matching the rule expire."),
-	"prefix": z.string().describe("Optional prefix to filter objects the rule applies to. If None, applies to all objects.").optional().nullable()
+	"prefix": z.string().describe("Optional prefix to filter objects the rule applies to. If None, applies to all objects.").nullish()
 }).describe("Defines a rule for managing the lifecycle of objects within a storage bucket.");
 z.union([
-	AwsManagementConfigSchema.and(z.object({ "platform": z.enum(["aws"]) })),
-	GcpManagementConfigSchema.and(z.object({ "platform": z.enum(["gcp"]) })),
-	AzureManagementConfigSchema.and(z.object({ "platform": z.enum(["azure"]) })),
+	z.lazy(() => AwsManagementConfigSchema).and(z.object({ "platform": z.enum(["aws"]) })),
+	z.lazy(() => GcpManagementConfigSchema).and(z.object({ "platform": z.enum(["gcp"]) })),
+	z.lazy(() => AzureManagementConfigSchema).and(z.object({ "platform": z.enum(["azure"]) })),
 	z.object({ "platform": z.enum(["kubernetes"]) })
-]).describe("Management configuration for different cloud platforms.\n\nPlatform-derived configuration for cross-account/cross-tenant access.\nThis is NOT user-specified - it's derived from the Agent Manager's ServiceAccount.");
+]).describe("Management configuration for different cloud platforms.\n\nPlatform-derived configuration for cross-account/cross-tenant access.\nThis is NOT user-specified - it's derived from the Manager's ServiceAccount.");
 //#endregion
 //#region src/generated/zod/platform-permissions-schema.ts
 /**
@@ -1606,14 +1607,14 @@ z.union([
 * @description Platform-specific permission configurations
 */
 const PlatformPermissionsSchema = z.object({
-	get aws() {
-		return z.array(AwsPlatformPermissionSchema.describe("AWS-specific platform permission configuration")).describe("AWS permission configurations").optional().nullable();
+	get "aws"() {
+		return z.array(AwsPlatformPermissionSchema.describe("AWS-specific platform permission configuration")).describe("AWS permission configurations").nullish();
 	},
-	get azure() {
-		return z.array(AzurePlatformPermissionSchema.describe("Azure-specific platform permission configuration")).describe("Azure permission configurations").optional().nullable();
+	get "azure"() {
+		return z.array(AzurePlatformPermissionSchema.describe("Azure-specific platform permission configuration")).describe("Azure permission configurations").nullish();
 	},
-	get gcp() {
-		return z.array(GcpPlatformPermissionSchema.describe("GCP-specific platform permission configuration")).describe("GCP permission configurations").optional().nullable();
+	get "gcp"() {
+		return z.array(GcpPlatformPermissionSchema.describe("GCP-specific platform permission configuration")).describe("GCP permission configurations").nullish();
 	}
 }).describe("Platform-specific permission configurations");
 //#endregion
@@ -1628,7 +1629,7 @@ const PlatformPermissionsSchema = z.object({
 const PermissionSetSchema = z.object({
 	"description": z.string().describe("Human-readable description of what this permission set allows"),
 	"id": z.string().describe("Unique identifier for the permission set (e.g., \"storage/data-read\")"),
-	get platforms() {
+	get "platforms"() {
 		return PlatformPermissionsSchema.describe("Platform-specific permission configurations");
 	}
 }).describe("A permission set that can be applied across different cloud platforms");
@@ -1641,7 +1642,7 @@ const PermissionSetSchema = z.object({
 /**
 * @description Reference to a permission set - either by name or inline definition
 */
-const PermissionSetReferenceSchema = z.union([PermissionSetSchema, z.string()]).describe("Reference to a permission set - either by name or inline definition");
+const PermissionSetReferenceSchema = z.union([z.lazy(() => PermissionSetSchema), z.string()]).describe("Reference to a permission set - either by name or inline definition");
 //#endregion
 //#region src/generated/zod/permission-profile-schema.ts
 /**
@@ -1651,7 +1652,7 @@ const PermissionSetReferenceSchema = z.union([PermissionSetSchema, z.string()]).
 /**
 * @description Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource
 */
-const PermissionProfileSchema = z.object({}).catchall(z.array(PermissionSetReferenceSchema.describe("Reference to a permission set - either by name or inline definition"))).describe("Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource");
+const PermissionProfileSchema = z.object({}).catchall(z.array(z.lazy(() => PermissionSetReferenceSchema).describe("Reference to a permission set - either by name or inline definition"))).describe("Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource");
 //#endregion
 //#region src/generated/zod/management-permissions-schema.ts
 /**
@@ -1662,10 +1663,10 @@ const PermissionProfileSchema = z.object({}).catchall(z.array(PermissionSetRefer
 * @description Management permissions configuration for stack management access
 */
 const ManagementPermissionsSchema = z.union([
-	z.object({ get extend() {
+	z.object({ get "extend"() {
 		return PermissionProfileSchema.describe("Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource");
 	} }),
-	z.object({ get override() {
+	z.object({ get "override"() {
 		return PermissionProfileSchema.describe("Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource");
 	} }),
 	z.enum(["auto"])
@@ -1692,14 +1693,14 @@ const MessagePayloadSchema = z.union([z.object({ "type": z.enum(["json"]) }), z.
 const NetworkSettingsSchema = z.union([
 	z.object({ "type": z.enum(["use-default"]) }),
 	z.object({
-		"availability_zones": z.int().min(0).describe("Number of availability zones (default: 2).").optional(),
-		"cidr": z.string().describe("VPC/VNet CIDR block. If not specified, auto-generated from stack ID\nto reduce conflicts (e.g., \"10.{hash}.0.0/16\").").optional().nullable(),
+		"availability_zones": z.optional(z.int().min(0).describe("Number of availability zones (default: 2).")),
+		"cidr": z.string().describe("VPC/VNet CIDR block. If not specified, auto-generated from stack ID\nto reduce conflicts (e.g., \"10.{hash}.0.0/16\").").nullish(),
 		"type": z.enum(["create"])
 	}),
 	z.object({
 		"private_subnet_ids": z.array(z.string()).describe("IDs of private subnets"),
 		"public_subnet_ids": z.array(z.string()).describe("IDs of public subnets (required for public ingress)"),
-		"security_group_ids": z.array(z.string()).describe("Optional security group IDs to use").optional(),
+		"security_group_ids": z.optional(z.array(z.string()).describe("Optional security group IDs to use")),
 		"type": z.enum(["byo-vpc-aws"]),
 		"vpc_id": z.string().describe("The ID of the existing VPC")
 	}),
@@ -1726,10 +1727,10 @@ const NetworkSettingsSchema = z.union([
 * @description Combined permissions configuration that contains both profiles and management
 */
 const PermissionsConfigSchema = z.object({
-	get management() {
+	get "management"() {
 		return ManagementPermissionsSchema.describe("Management permissions configuration for stack management access").optional();
 	},
-	"profiles": z.object({}).catchall(PermissionProfileSchema.describe("Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource")).describe("Permission profiles that define access control for compute services\nKey is the profile name, value is the permission configuration")
+	"profiles": z.object({}).catchall(z.lazy(() => PermissionProfileSchema).describe("Permission profile that maps resources to permission sets\nKey can be \"*\" for all resources or resource name for specific resource")).describe("Permission profiles that define access control for compute services\nKey is the profile name, value is the permission configuration")
 }).describe("Combined permissions configuration that contains both profiles and management");
 //#endregion
 //#region src/generated/zod/queue-message-schema.ts
@@ -1741,15 +1742,15 @@ const PermissionsConfigSchema = z.object({
 * @description Standardized queue message structure used by alien-runtime\n\nThis structure contains commonly available metadata across all platforms\nand a JSON-first payload that handles both structured data and plain text.
 */
 const QueueMessageSchema = z.object({
-	"attemptCount": z.int().min(0).describe("Delivery attempt count (from ApproximateReceiveCount/deliveryCount, if available)").optional().nullable(),
-	"attributes": z.object({}).catchall(z.string()).describe("Message attributes/properties (flattened from messageAttributes/attributes/properties)").optional(),
+	"attemptCount": z.int().min(0).describe("Delivery attempt count (from ApproximateReceiveCount/deliveryCount, if available)").nullish(),
+	"attributes": z.optional(z.object({}).catchall(z.string()).describe("Message attributes/properties (flattened from messageAttributes/attributes/properties)")),
 	"id": z.string().describe("Unique message identifier (from messageId/ce-id)"),
-	get payload() {
+	get "payload"() {
 		return MessagePayloadSchema.describe("JSON-first message payload that supports both structured JSON and UTF-8 text");
 	},
 	"receiptHandle": z.string().describe("Platform-specific receipt handle for acknowledgment"),
 	"source": z.string().describe("Source queue/topic name (derived from ARN/source/topic)"),
-	"timestamp": z.string().datetime().describe("Message timestamp (from SentTimestamp/ce-time/enqueuedTimeUtc)")
+	"timestamp": z.iso.datetime().describe("Message timestamp (from SentTimestamp/ce-time/enqueuedTimeUtc)")
 }).describe("Standardized queue message structure used by alien-runtime\n\nThis structure contains commonly available metadata across all platforms\nand a JSON-first payload that handles both structured data and plain text.");
 //#endregion
 //#region src/generated/zod/queue-outputs-schema.ts
@@ -1761,7 +1762,7 @@ const QueueMessageSchema = z.object({
 * @description Outputs generated by a successfully provisioned Queue.
 */
 const QueueOutputsSchema = z.object({
-	"identifier": z.string().describe("Platform-specific identifier or URL (e.g., SQS URL, Pub/Sub topic/subscription).").optional().nullable(),
+	"identifier": z.string().describe("Platform-specific identifier or URL (e.g., SQS URL, Pub/Sub topic/subscription).").nullish(),
 	"queueName": z.string().describe("The name of the queue (platform-specific physical name).")
 }).describe("Outputs generated by a successfully provisioned Queue.");
 //#endregion
@@ -1794,8 +1795,8 @@ const ReleaseRequestSchema = z.object({ "leaseId": z.string().describe("Lease id
 * @description Resource outputs for RemoteStackManagement.\nDifferent platforms will provide different outputs based on their implementation.
 */
 const RemoteStackManagementOutputsSchema = z.object({
-	"accessConfiguration": z.string().describe("Platform-specific access configuration\nFor AWS: The role ARN to assume\nFor GCP: The service account email to impersonate\nFor Azure: The lighthouse registration assignment ID"),
-	"managementResourceId": z.string().describe("Platform-specific management resource identifier\nFor AWS: The ARN of the created cross-account role\nFor GCP: The email of the created service account\nFor Azure: The resource ID of the lighthouse registration")
+	"accessConfiguration": z.string().describe("Platform-specific access configuration\nFor AWS: The role ARN to assume\nFor GCP: The service account email to impersonate\nFor Azure: JSON containing the target managed identity client ID and tenant ID"),
+	"managementResourceId": z.string().describe("Platform-specific management resource identifier\nFor AWS: The ARN of the created cross-account role\nFor GCP: The email of the created service account\nFor Azure: The resource ID of the target user-assigned managed identity")
 }).describe("Resource outputs for RemoteStackManagement.\nDifferent platforms will provide different outputs based on their implementation.");
 //#endregion
 //#region src/generated/zod/remote-stack-management-schema.ts
@@ -1804,9 +1805,9 @@ const RemoteStackManagementOutputsSchema = z.object({
 * Do not edit manually.
 */
 /**
-* @description Represents cross-account management access configuration for a stack deployed\non AWS, GCP, or Azure platforms. This resource sets up the necessary IAM/RBAC\nconfiguration to allow another cloud account to manage the stack.\n\nMaps to:\n- AWS: Cross-account IAM role with management permissions\n- GCP: Service account with management permissions and impersonation rights\n- Azure: Lighthouse registration definition and assignment\n\nThis resource is automatically created for AWS, GCP, and Azure platforms\nwhen the stack needs to be managed by another account. The management account\nand identity information comes from the platform configuration.
+* @description Represents cross-account management access configuration for a stack deployed\non AWS, GCP, or Azure platforms. This resource sets up the necessary IAM/RBAC\nconfiguration to allow another cloud account to manage the stack.\n\nMaps to:\n- AWS: Cross-account IAM role with management permissions\n- GCP: Service account with management permissions and impersonation rights\n- Azure: User-assigned managed identity with federated credential and custom RBAC\n\nThis resource is automatically created for AWS, GCP, and Azure platforms\nwhen the stack needs to be managed by another account. The management account\nand identity information comes from the platform configuration.
 */
-const RemoteStackManagementSchema = z.object({ "id": z.string().describe("Identifier for the remote stack management. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]).\nMaximum 64 characters.") }).describe("Represents cross-account management access configuration for a stack deployed\non AWS, GCP, or Azure platforms. This resource sets up the necessary IAM/RBAC\nconfiguration to allow another cloud account to manage the stack.\n\nMaps to:\n- AWS: Cross-account IAM role with management permissions\n- GCP: Service account with management permissions and impersonation rights\n- Azure: Lighthouse registration definition and assignment\n\nThis resource is automatically created for AWS, GCP, and Azure platforms\nwhen the stack needs to be managed by another account. The management account\nand identity information comes from the platform configuration.");
+const RemoteStackManagementSchema = z.object({ "id": z.string().describe("Identifier for the remote stack management. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]).\nMaximum 64 characters.") }).describe("Represents cross-account management access configuration for a stack deployed\non AWS, GCP, or Azure platforms. This resource sets up the necessary IAM/RBAC\nconfiguration to allow another cloud account to manage the stack.\n\nMaps to:\n- AWS: Cross-account IAM role with management permissions\n- GCP: Service account with management permissions and impersonation rights\n- Azure: User-assigned managed identity with federated credential and custom RBAC\n\nThis resource is automatically created for AWS, GCP, and Azure platforms\nwhen the stack needs to be managed by another account. The management account\nand identity information comes from the platform configuration.");
 //#endregion
 //#region src/generated/zod/resource-entry-schema.ts
 /**
@@ -1814,16 +1815,16 @@ const RemoteStackManagementSchema = z.object({ "id": z.string().describe("Identi
 * Do not edit manually.
 */
 const ResourceEntrySchema = z.object({
-	get config() {
+	get "config"() {
 		return BaseResourceSchema.describe("Resource that can hold any resource type in the Alien system. All resources share common 'type' and 'id' fields with additional type-specific properties.");
 	},
-	get dependencies() {
+	get "dependencies"() {
 		return z.array(ResourceRefSchema.describe("New ResourceRef that works with any resource type.\nThis can eventually replace the enum-based ResourceRef for full extensibility.")).describe("Additional dependencies for this resource beyond those defined in the resource itself.\nThe total dependencies are: resource.get_dependencies() + this list");
 	},
-	get lifecycle() {
+	get "lifecycle"() {
 		return ResourceLifecycleSchema.describe("Describes the lifecycle of a resource within a stack, determining how it's managed and deployed.");
 	},
-	"remoteAccess": z.boolean().describe("Enable remote bindings for this resource (BYOB use case).\nWhen true, binding params are synced to StackState's `remote_binding_params`.\nDefault: false (prevents sensitive data in synced state).").optional()
+	"remoteAccess": z.optional(z.boolean().describe("Enable remote bindings for this resource (BYOB use case).\nWhen true, binding params are synced to StackState's `remote_binding_params`.\nDefault: false (prevents sensitive data in synced state)."))
 });
 //#endregion
 //#region src/generated/zod/scheduled-event-schema.ts
@@ -1834,7 +1835,7 @@ const ResourceEntrySchema = z.object({
 /**
 * @description Represents a scheduled event trigger, typically from a cron job or timer.\n\nThis struct aims to provide a common representation for scheduled events\nacross different providers like AWS CloudWatch Events, Google Cloud Scheduler,\nand Azure Timer Triggers.
 */
-const ScheduledEventSchema = z.object({ "timestamp": z.string().datetime().describe("The timestamp when the event was scheduled or triggered.") }).describe("Represents a scheduled event trigger, typically from a cron job or timer.\n\nThis struct aims to provide a common representation for scheduled events\nacross different providers like AWS CloudWatch Events, Google Cloud Scheduler,\nand Azure Timer Triggers.");
+const ScheduledEventSchema = z.object({ "timestamp": z.iso.datetime().describe("The timestamp when the event was scheduled or triggered.") }).describe("Represents a scheduled event trigger, typically from a cron job or timer.\n\nThis struct aims to provide a common representation for scheduled events\nacross different providers like AWS CloudWatch Events, Google Cloud Scheduler,\nand Azure Timer Triggers.");
 //#endregion
 //#region src/generated/zod/service-account-outputs-schema.ts
 /**
@@ -1859,7 +1860,7 @@ const ServiceAccountOutputsSchema = z.object({
 */
 const ServiceAccountSchema = z.object({
 	"id": z.string().describe("Identifier for the service account. Must contain only alphanumeric characters, hyphens, and underscores ([A-Za-z0-9-_]).\nMaximum 64 characters."),
-	get stackPermissionSets() {
+	get "stackPermissionSets"() {
 		return z.array(PermissionSetSchema.describe("A permission set that can be applied across different cloud platforms")).describe("Stack-level permission sets that apply to all resources in the stack.\nThese are derived from the \"*\" scope in the permission profile.\nResource-scoped permissions are handled by individual resource controllers.");
 	}
 }).describe("Represents a non-human identity that can be assumed by compute services\nsuch as Lambda, Cloud Run, ECS, Container Apps, etc.\n\nMaps to:\n- AWS: IAM Role\n- GCP: Service Account\n- Azure: User-assigned Managed Identity\n\nThe ServiceAccount is automatically created from permission profiles in the stack\nand contains the resolved permission sets for both stack-level and resource-scoped access.");
@@ -1875,10 +1876,10 @@ z.union([z.object({ "external": z.string().describe("Reference to another stack
 */
 const StackSchema = z.object({
 	"id": z.string().describe("Unique identifier for the stack"),
-	get permissions() {
+	get "permissions"() {
 		return PermissionsConfigSchema.describe("Combined permissions configuration that contains both profiles and management").optional();
 	},
-	"resources": z.object({}).catchall(ResourceEntrySchema).describe("Map of resource IDs to their configurations and lifecycle settings")
+	"resources": z.object({}).catchall(z.lazy(() => ResourceEntrySchema)).describe("Map of resource IDs to their configurations and lifecycle settings")
 }).describe("A bag of resources, unaware of any cloud.");
 //#endregion
 //#region src/generated/zod/telemetry-mode-schema.ts
@@ -1901,9 +1902,9 @@ const TelemetryModeSchema = z.enum([
 * Do not edit manually.
 */
 /**
-* @description How updates are delivered to the agent.
+* @description How updates are delivered to the deployment.
 */
-const UpdatesModeSchema = z.enum(["auto", "approval-required"]).describe("How updates are delivered to the agent.");
+const UpdatesModeSchema = z.enum(["auto", "approval-required"]).describe("How updates are delivered to the deployment.");
 //#endregion
 //#region src/generated/zod/stack-settings-schema.ts
 /**
@@ -1911,28 +1912,29 @@ const UpdatesModeSchema = z.enum(["auto", "approval-required"]).describe("How up
 * Do not edit manually.
 */
 /**
-* @description User-customizable deployment settings specified at deploy time.\n\nThese settings are provided by the customer via CloudFormation parameters,\nTerraform attributes, CLI flags, or Helm values. They customize how the\nagent is deployed and what capabilities are enabled.\n\n**Key distinction**: StackSettings is user-customizable, while ManagementConfig\nis platform-derived (from the Agent Manager\'s ServiceAccount).
+* @description User-customizable deployment settings specified at deploy time.\n\nThese settings are provided by the customer via CloudFormation parameters,\nTerraform attributes, CLI flags, or Helm values. They customize how the\ndeployment runs and what capabilities are enabled.\n\n**Key distinction**: StackSettings is user-customizable, while ManagementConfig\nis platform-derived (from the Manager\'s ServiceAccount).
 */
 const StackSettingsSchema = z.object({
-	get deploymentModel() {
+	get "deploymentModel"() {
 		return DeploymentModelSchema.describe("Deployment model: how updates are delivered to the remote environment.").optional();
 	},
-	get domains() {
+	get "domains"() {
 		return z.union([DomainSettingsSchema, z.null()]).optional();
 	},
-	get heartbeats() {
+	"externalBindings": z.object({}).describe("External bindings for pre-existing infrastructure.\nAllows using existing resources (MinIO, Redis, shared Container Apps\nEnvironment, etc.) instead of having Alien provision them.\nRequired for Kubernetes platform, optional for cloud platforms.").nullish(),
+	get "heartbeats"() {
 		return HeartbeatsModeSchema.describe("How heartbeat health checks are handled.").optional();
 	},
-	get network() {
+	get "network"() {
 		return z.union([NetworkSettingsSchema, z.null()]).optional();
 	},
-	get telemetry() {
+	get "telemetry"() {
 		return TelemetryModeSchema.describe("How telemetry (logs, metrics, traces) is handled.").optional();
 	},
-	get updates() {
-		return UpdatesModeSchema.describe("How updates are delivered to the agent.").optional();
+	get "updates"() {
+		return UpdatesModeSchema.describe("How updates are delivered to the deployment.").optional();
 	}
-}).describe("User-customizable deployment settings specified at deploy time.\n\nThese settings are provided by the customer via CloudFormation parameters,\nTerraform attributes, CLI flags, or Helm values. They customize how the\nagent is deployed and what capabilities are enabled.\n\n**Key distinction**: StackSettings is user-customizable, while ManagementConfig\nis platform-derived (from the Agent Manager's ServiceAccount).");
+}).describe("User-customizable deployment settings specified at deploy time.\n\nThese settings are provided by the customer via CloudFormation parameters,\nTerraform attributes, CLI flags, or Helm values. They customize how the\ndeployment runs and what capabilities are enabled.\n\n**Key distinction**: StackSettings is user-customizable, while ManagementConfig\nis platform-derived (from the Manager's ServiceAccount).");
 //#endregion
 //#region src/generated/zod/stack-status-schema.ts
 /**
@@ -1978,20 +1980,20 @@ const StorageEventTypeSchema = z.enum([
 */
 const StorageEventSchema = z.object({
 	"bucketName": z.string().describe("The name of the bucket or container where the event occurred."),
-	"contentType": z.string().describe("Optional content type (MIME type) of the object.").optional().nullable(),
-	"copySource": z.string().describe("Optional information about the source object for copy events.").optional().nullable(),
-	"currentTier": z.string().describe("Optional current storage tier for TierChanged or Restored events.").optional().nullable(),
-	"etag": z.string().describe("Optional ETag or hash of the object content.").optional().nullable(),
-	get eventType() {
+	"contentType": z.string().describe("Optional content type (MIME type) of the object.").nullish(),
+	"copySource": z.string().describe("Optional information about the source object for copy events.").nullish(),
+	"currentTier": z.string().describe("Optional current storage tier for TierChanged or Restored events.").nullish(),
+	"etag": z.string().describe("Optional ETag or hash of the object content.").nullish(),
+	get "eventType"() {
 		return StorageEventTypeSchema.describe("Represents the type of storage event that occurred.");
 	},
-	"metadata": z.object({}).catchall(z.string()).describe("Optional metadata associated with the object.").optional(),
+	"metadata": z.optional(z.object({}).catchall(z.string()).describe("Optional metadata associated with the object.")),
 	"objectKey": z.string().describe("The key or path of the object involved in the event."),
-	"previousTier": z.string().describe("Optional previous storage tier for TierChanged or Restored events.").optional().nullable(),
-	"region": z.string().describe("Optional region where the event originated.").optional().nullable(),
-	"size": z.int().min(0).describe("Optional size of the object in bytes.").optional().nullable(),
-	"timestamp": z.string().datetime().describe("The timestamp when the event occurred."),
-	"versionId": z.string().describe("Optional version or sequencer identifier for the event or object state.").optional().nullable()
+	"previousTier": z.string().describe("Optional previous storage tier for TierChanged or Restored events.").nullish(),
+	"region": z.string().describe("Optional region where the event originated.").nullish(),
+	"size": z.int().min(0).describe("Optional size of the object in bytes.").nullish(),
+	"timestamp": z.iso.datetime().describe("The timestamp when the event occurred."),
+	"versionId": z.string().describe("Optional version or sequencer identifier for the event or object state.").nullish()
 }).describe("Represents an event triggered by an action in an object storage service.\n\nThis struct provides a generic representation for events from services like\nAWS S3, Google Cloud Storage (GCS), and Azure Blob Storage.");
 //#endregion
 //#region src/generated/zod/storage-events-schema.ts
@@ -2002,7 +2004,7 @@ const StorageEventSchema = z.object({
 /**
 * @description A wrapper type for a list of storage events.
 */
-const StorageEventsSchema = z.array(StorageEventSchema.describe("Represents an event triggered by an action in an object storage service.\n\nThis struct provides a generic representation for events from services like\nAWS S3, Google Cloud Storage (GCS), and Azure Blob Storage.")).describe("A wrapper type for a list of storage events.");
+const StorageEventsSchema = z.array(z.lazy(() => StorageEventSchema).describe("Represents an event triggered by an action in an object storage service.\n\nThis struct provides a generic representation for events from services like\nAWS S3, Google Cloud Storage (GCS), and Azure Blob Storage.")).describe("A wrapper type for a list of storage events.");
 //#endregion
 //#region src/generated/zod/storage-outputs-schema.ts
 /**
@@ -2024,11 +2026,11 @@ const StorageOutputsSchema = z.object({ "bucketName": z.string().describe("The g
 */
 const StorageSchema = z.object({
 	"id": z.string().describe("Name of the the storage bucket.\nFor names with dots, each dot-separated label must be ≤ 63 characters."),
-	get lifecycleRules() {
+	get "lifecycleRules"() {
 		return z.array(LifecycleRuleSchema.describe("Defines a rule for managing the lifecycle of objects within a storage bucket.")).describe("List of rules for automatic object management (e.g., expiration).\nDefault: `[]` (empty list)").optional();
 	},
-	"publicRead": z.boolean().describe("Allows public read access to objects without authentication.\nDefault: `false`").optional(),
-	"versioning": z.boolean().describe("Enables object versioning.\nDefault: `false`").optional()
+	"publicRead": z.optional(z.boolean().describe("Allows public read access to objects without authentication.\nDefault: `false`")),
+	"versioning": z.optional(z.boolean().describe("Enables object versioning.\nDefault: `false`"))
 }).describe("Represents an object storage bucket.");
 //#endregion
 //#region src/generated/zod/submit-response-request-schema.ts
@@ -2039,7 +2041,7 @@ const StorageSchema = z.object({
 /**
 * @description Request to submit a command response (from deployment)
 */
-const SubmitResponseRequestSchema = CommandResponseSchema.describe("Request to submit a command response (from deployment)");
+const SubmitResponseRequestSchema = z.lazy(() => CommandResponseSchema).describe("Request to submit a command response (from deployment)");
 //#endregion
 //#region src/generated/zod/upload-complete-request-schema.ts
 /**
@@ -2061,8 +2063,8 @@ const UploadCompleteRequestSchema = z.object({ "size": z.int().min(0).describe("
 */
 const UploadCompleteResponseSchema = z.object({
 	"commandId": z.string().describe("Command identifier"),
-	get state() {
-		return CommandStateSchema.describe("Command states in the ARC protocol lifecycle");
+	get "state"() {
+		return CommandStateSchema.describe("Command states in the Commands protocol lifecycle");
 	}
 }).describe("Response to upload completion");
 //#endregion